Configuration Guide - Basic Configuration (V100R006C01 - 01) PDF

Quidway S9300 Terabit Routing Switch
V100R006C01
Configuration Guide - Basic

Configuration
Issue
01
Date
2011-10-26
HUAWEI TECHNOLOGIES CO., LTD.
Copyright Huawei Technologies Co., Ltd. 2011. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.

Address:
Huawei Industrial Base

Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website:
http://www.huawei.com
Email:
support@huawei.com
Issue 01 (2011-10-26)
Huawei Proprietary and Confidential

Copyright Huawei Technologies Co., Ltd.

Configuration Guide - Basic Configuration
About This Document
About This Document

Intended Audience
This document provides the basic concepts, basic configuration procedures, and configuration
examples supported by the S9300.
This document is intended for:
l
Data configuration engineers
Commissioning engineers
Network monitoring engineers
System maintenance engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol
Description
DANGER
WARNING
CAUTION
Issue 01 (2011-10-26)
Indicates a hazard with a high level of risk, which if not

avoided, will result in death or serious injury.
Indicates a hazard with a medium or low level of risk, which
if not avoided, could result in minor or moderate injury.
Indicates a potentially hazardous situation, which if not
avoided, could result in equipment damage, data loss,
performance degradation, or unexpected results.
TIP
Indicates a tip that may help you solve a problem or save

time.
NOTE
Provides additional information to emphasize or supplement

important points of the main text.

ii

About This Document
Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention
Description
Boldface
The keywords of a command line are in boldface.
Italic
Command arguments are in italics.
[]
Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }
Optional items are grouped in braces and separated by

vertical bars. One item is selected.
[ x | y | ... ]
Optional items are grouped in brackets and separated by

vertical bars. One item is selected or no item is selected.
{ x | y | ... }*
Optional items are grouped in braces and separated by

vertical bars. A minimum of one item or a maximum of all
items can be selected.
[ x | y | ... ]*
Optional items are grouped in brackets and separated by

vertical bars. Several items or no item can be selected.
&<1-n>
The parameter before the & sign can be repeated 1 to n times.
A line starting with the # sign is comments.
Change History
Updates between document issues are cumulative. Therefore, the latest document issue contains
all updates made in previous issues.
Changes in Issue 01 (2011-10-26)

Initial commercial release.
Issue 01 (2011-10-26)

iii

Contents
Contents
About This Document.....................................................................................................................ii
1 Logging In to Switch.....................................................................................................................1
1.1 Introduction........................................................................................................................................................2
1.1.1 Login Through the Console.......................................................................................................................2
1.1.2 Login Through Telnet................................................................................................................................2
1.2 Logging In to the Device Through the Console Port..........................................................................................2
1.2.1 Establishing the Configuration Task.........................................................................................................3
1.2.2 Establishing the Physical Connection........................................................................................................3
1.2.3 Configuring Terminals..............................................................................................................................4
1.2.4 Logging In to the Device...........................................................................................................................4
1.3 Logging In to Device Through Telnet................................................................................................................4
1.3.1 Establishing the Configuration Task.........................................................................................................5
1.3.2 Establishing the Physical Connection........................................................................................................5
1.3.3 Configuring Login User Parameters..........................................................................................................6
1.3.4 Logging In from the Telnet Client.............................................................................................................6
1.4 Configuration Examples.....................................................................................................................................6
1.4.1 Example for Logging In Through the Console Port..................................................................................6
1.4.2 Example for Logging In Through Telnet..................................................................................................9
2 CLI Overview...............................................................................................................................11
2.1 CLI Introduction...............................................................................................................................................12
2.1.1 Command Line Interface.........................................................................................................................12
2.1.2 Command Levels.....................................................................................................................................12
2.1.3 Command Views.....................................................................................................................................13
2.2 Online Help.......................................................................................................................................................15
2.2.1 Full Help..................................................................................................................................................16
2.2.2 Partial Help..............................................................................................................................................16
2.2.3 Error Messages of the Command Line Interface.....................................................................................17
2.3 Features of Command Line Interface...............................................................................................................17
2.3.1 Editing.....................................................................................................................................................17
2.3.2 Displaying................................................................................................................................................18
2.3.3 Regular Expressions................................................................................................................................19
2.3.4 History Commands..................................................................................................................................22
Issue 01 (2011-10-26)

iv

Contents
2.3.5 Batch Command Execution.....................................................................................................................23

2.4 Shortcut Keys...................................................................................................................................................23
2.4.1 Classifying Shortcut Keys.......................................................................................................................23
2.4.2 Defining Shortcut Keys...........................................................................................................................25
2.4.3 Use of Shortcut Keys...............................................................................................................................25
2.5 Configuration Examples...................................................................................................................................25
2.5.1 Example for Running Commands in Batches..........................................................................................26
2.5.2 Example for Using the Tab Key..............................................................................................................26
2.5.3 Example for Defining Hotkeys................................................................................................................27
2.5.4 Example for Copying a Command by Using Hotkeys............................................................................28
3 How to Use Interfaces.................................................................................................................29

3.1 Introduction to Interfaces..................................................................................................................................30
3.2 Setting Basic Parameters of an Interface..........................................................................................................33
3.2.1 Establishing the Configuration Task.......................................................................................................33
3.2.2 Entering the Interface View.....................................................................................................................34
3.2.3 Viewing All the Commands in the Interface View.................................................................................34
3.2.4 Configuring the Description for an Interface...........................................................................................35
3.2.5 Starting and Shutting Down an Interface................................................................................................35
3.2.6 Further Configuration an Interface..........................................................................................................36
3.2.7 Checking the Configuration.....................................................................................................................36
3.3 Configuring the Loopback Interface.................................................................................................................37
3.3.2 Configuring IPv4 Parameters of the Loopback Interface........................................................................37
3.4 Maintaining the Interface..................................................................................................................................38
3.4.1 Clearing Statistics Information on the Interface......................................................................................38
3.4.2 Debugging the Interface..........................................................................................................................39
4 Basic Configuration.....................................................................................................................40
4.1 Basic Configuration Introduction.....................................................................................................................41
4.2 Configuring the Basic System Environment....................................................................................................41
4.2.2 Switching the Language Mode................................................................................................................42
4.2.3 Configuring the Equipment Name...........................................................................................................42
4.2.4 Setting the System Clock.........................................................................................................................43
4.2.5 Configuring a Header..............................................................................................................................44
4.2.6 Configuring Command Levels................................................................................................................44
4.2.7 Configuring the Undo Command to Match in the Previous View Automatically..................................45
4.3 Configuring Basic User Environment..............................................................................................................46
4.3.2 Configuring the Password for Switching User Levels............................................................................47
4.3.3 Switching User Levels.............................................................................................................................47
4.3.4 Locking User Interfaces...........................................................................................................................48
Issue 01 (2011-10-26)


Contents
4.4 Displaying System Status Messages.................................................................................................................48

4.4.1 Displaying System Configuration...........................................................................................................49
4.4.2 Displaying System Status........................................................................................................................49
4.4.3 Collecting System Diagnostic Information.............................................................................................49
5 User Management........................................................................................................................51
5.1 User Management Introduction........................................................................................................................52
5.1.1 User Interface..........................................................................................................................................52
5.1.2 User Authentication.................................................................................................................................53
5.2 Logging In to the S9300 Through the Console Port.........................................................................................55
5.2.2 Logging In to the S9300 Through the Console Interface........................................................................56
5.3 Configuring Console User Interface.................................................................................................................59
5.3.2 Configuring Console Interface Attributes...............................................................................................60
5.3.3 Setting Console Terminal Attributes.......................................................................................................61
5.3.4 Configuring User Priority........................................................................................................................62
5.3.5 Configuring User Authentication............................................................................................................63
5.4 Configuring VTY User Interface......................................................................................................................64
5.4.2 Configuring Maximum VTY User Interfaces.........................................................................................65
5.4.3 (Optional)Configuring Limits for Incoming Calls and Outgoing Calls..................................................66
5.4.4 Configuring VTY Terminal Attributes....................................................................................................66
5.4.5 Configuring User Authentication............................................................................................................67
5.5 Managing User Interfaces.................................................................................................................................69
5.5.2 Sending Messages to Other User Interfaces............................................................................................70
5.5.3 Clearing Online User...............................................................................................................................70
5.6 Configuring User Management........................................................................................................................71
5.6.2 Configuring Authentication Mode...........................................................................................................72
5.6.3 Configuring Authentication Password.....................................................................................................72
5.6.4 Setting Username and Password for AAA Local Authentication...........................................................73
5.6.5 Configuring Non-Authentication.............................................................................................................73
5.6.6 Configuring User Priority........................................................................................................................74
5.7.1 Example for Configuring Logging In to the Switch Through Password.................................................75
5.7.2 Example for Logging In to the Device Through AAA............................................................................76
6 File System Management...........................................................................................................78

Issue 01 (2011-10-26)

vi

Contents
6.1 Overview of the File System............................................................................................................................79

6.2 Managing a Storage Device..............................................................................................................................79
6.2.2 Restoring Storage Devices with File System Troubles...........................................................................80
6.2.3 (Optional) Formatting a Storage Device.................................................................................................80
6.3 Managing the Directory....................................................................................................................................80
6.3.2 Viewing the Current Directory................................................................................................................81
6.3.3 Switching a Directory..............................................................................................................................81
6.3.4 Displaying a Directory or File.................................................................................................................82
6.3.5 Creating a Directory................................................................................................................................82
6.3.6 Deleting a Directory................................................................................................................................82
6.4 Managing Files.................................................................................................................................................83
6.4.2 Displaying Contents of Files...................................................................................................................84
6.4.3 Copying Files...........................................................................................................................................84
6.4.4 Moving Files............................................................................................................................................84
6.4.5 Renaming Files........................................................................................................................................85
6.4.6 Compressing Files...................................................................................................................................85
6.4.7 Deleting Files...........................................................................................................................................85
6.4.8 Deleting Files in the Recycle Bin............................................................................................................86
6.4.9 Undeleting Files.......................................................................................................................................86
6.4.10 Running Files in Batch..........................................................................................................................87
6.4.11 Configuring Prompt Modes...................................................................................................................87
6.5.1 Example for Managing Files...................................................................................................................88
7 Management of Configuration Files........................................................................................90

7.1 Management of Configuration Files Introduction............................................................................................91
7.1.1 Configuration Files..................................................................................................................................91
7.1.2 Configuration Files and Current Configurations.....................................................................................91
7.2 Managing Configuration Files..........................................................................................................................91
7.2.2 Configuring System Software for a switch to Load for the Next Startup...............................................92
7.2.3 Configuring the Configuration File for Switch to Load for the Next Startup.........................................93
7.2.4 Saving Configuration Files......................................................................................................................93
7.2.5 Clearing a Configuration File..................................................................................................................95
7.2.6 Comparing Configuration Files...............................................................................................................95
8 FTP and TFTP...............................................................................................................................98

8.1 FTP and TFTP Introduction.............................................................................................................................99
8.1.1 FTP..........................................................................................................................................................99
8.1.2 TFTP........................................................................................................................................................99
Issue 01 (2011-10-26)

vii

Contents
8.2 Configuring the Switch to be the FTP Server...................................................................................................99

8.2.1 Establishing the Configuration Task.....................................................................................................100
8.2.2 (Optional) Specifying a Port Number for the FTP Server.....................................................................100
8.2.3 Enabling the FTP Server........................................................................................................................101
8.2.4 Configuring the Source IP Address of the FTP Server.........................................................................101
8.2.5 (Optional) Configuring the Timeout Period..........................................................................................102
8.2.6 Configuring the Local Username and the Password.............................................................................102
8.2.7 Configuring the Service Type and Authorization Information..............................................................103
8.2.8 Checking the Configuration...................................................................................................................103
8.3 Configuring FTP ACL....................................................................................................................................104
8.3.2 Enabling the FTP Server........................................................................................................................105
8.3.3 Configuring a Basic ACL......................................................................................................................105
8.3.4 Configuring the Basic FTP ACL...........................................................................................................105
8.4 Configuring the Switch to Be the FTP Client.................................................................................................106
8.4.2 (Optional) Configuring Source IP Address and Interface of the FTP Client........................................108
8.4.3 Logging In to the FTP Server................................................................................................................108
8.4.4 Configuring Data Type and Transmission Mode for the File...............................................................109
8.4.5 (Optional) Viewing Online Help of the FTP Command.......................................................................110
8.4.6 Uploading or Downloading Files..........................................................................................................110
8.4.7 Managing Directories............................................................................................................................110
8.4.8 Managing Files......................................................................................................................................111
8.4.9 (Optional) Changing Login Users.........................................................................................................112
8.4.10 Disconnecting from the FTP Server....................................................................................................112
8.4.11 Checking the Configuration.................................................................................................................113
8.5 Configuring the Switch to Be the TFTP Client..............................................................................................113
8.5.2 (Optional) Configuring a Source IP Address for a TFTP Client...........................................................114
8.5.3 Downloading Files Through TFTP........................................................................................................114
8.5.4 Uploading Files Through TFTP............................................................................................................115
8.6 Limiting the Access to the TFTP Server........................................................................................................115
8.6.2 Configuring the Basic ACL...................................................................................................................116
8.6.3 Configuring the Basic TFTP ACL.........................................................................................................116
8.7 Configuration Examples.................................................................................................................................117
8.7.1 Example for Configuring the FTP Server..............................................................................................117
8.7.2 Example for Configuring an ACL of the FTP Server...........................................................................119
8.7.3 Example for Configuring the FTP Client..............................................................................................121
8.7.4 Example for Configuring the TFTP Client............................................................................................123
9 Telnet and SSH..........................................................................................................................126

Issue 01 (2011-10-26)

viii

Contents
9.1 Telnet and SSH Introduction..........................................................................................................................127

9.1.1 Overview of User Login........................................................................................................................127
9.1.2 Telnet Terminal Services.......................................................................................................................127
9.1.3 SSH Terminal Services..........................................................................................................................128
9.2 Configuring Telnet Terminal Services...........................................................................................................129
9.2.2 Enabling the Telnet Service...................................................................................................................130
9.2.3 Establishing a Telnet Connection..........................................................................................................131
9.2.4 (Optional) Configuring a Telnet Server Port Number...........................................................................132
9.2.5 (Optional) Scheduled Telnet Disconnection..........................................................................................132
9.3 Configuring SSH Users..................................................................................................................................133
9.3.2 Creating SSH User.................................................................................................................................134
9.3.3 Configuring SSH for the VTY User Interface.......................................................................................135
9.3.4 Generating a Local RSA Key Pair.........................................................................................................136
9.3.5 Configuring the Authentication Mode for SSH Users...........................................................................136
9.3.6 (Optional) Configuring the Basic Authentication Information for SSH Users.....................................138
9.3.7 (Optional) Authorizing SSH Users Through the Command Line.........................................................138
9.3.8 Configuring the Service Type of SSH Users.........................................................................................139
9.3.9 (Optional) Configuring the Authorized Directory of the SFTP Service for SSH Users.......................139
9.4 Configuring the SSH Server Function............................................................................................................140
9.4.2 Enabling the STelnet Service................................................................................................................141
9.4.3 Enabling the SFTP Service....................................................................................................................141
9.4.4 Enabling SCP Services..........................................................................................................................142
9.4.5 (Optional) Enabling the Earlier Version - Compatible Function...........................................................142
9.4.6 (Optional) Configuring the Number of the Port Monitored by the SSH Server....................................143
9.4.7 (Optional) Configuring the Interval for Updating the Key Pair on the SSH Server..............................143
9.5 Configuring the STelnet Client Function.......................................................................................................144
9.5.2 Enabling the First-Time Authentication on the SSH Client..................................................................145
9.5.3 (Optional) Assigning an RSA Public Key to the SSH Server...............................................................146
9.5.4 Enabling the STelnet Client...................................................................................................................147
9.6 Configuring the SFTP Client Function...........................................................................................................149
9.6.2 (Optional) Configuring a Source IP Address for an SFTP Client.........................................................150
9.6.3 Configuring the First-Time Authentication on the SSH Client.............................................................150
9.6.4 (Optional) Assigning an RSA Public Key to the SSH Server...............................................................151
Issue 01 (2011-10-26)

ix

Contents
9.6.5 Enabling the SFTP Client......................................................................................................................152

9.6.6 (Optional) Managing the Directory.......................................................................................................153
9.6.7 (Optional) Managing the File................................................................................................................154
9.6.8 (Optional) Displaying the SFTP Client Command Help.......................................................................155
9.7 Configuring the SCP Client............................................................................................................................157
9.7.2 (Optional) Configuring a Source IP Address for the SCP Client..........................................................158
9.7.3 Copying Files.........................................................................................................................................158
9.8 Configuration Examples.................................................................................................................................159
9.8.1 Example for Configuring the Telnet Terminal Service.........................................................................159
9.8.2 Example for Configuring the PC as the STelnet Client to Connect to the SSH Server........................162
9.8.3 Example for Configuring the Switch as the STelnet Client to Connect to the SSH Server .................165
9.8.4 Example for Connecting the SFTP Clinet and the SSH Server.............................................................171
9.8.5 Example for Configuring the SSH Server to Support the Access from Another Port...........................177
9.8.6 Example for Authenticating SSH Through RADIUS............................................................................184
9.8.7 Example for Configuring the SCP Client..............................................................................................189
10 Web System Configuration...................................................................................................192

10.1 Overview of Web System.............................................................................................................................193
10.2 Starting Web System....................................................................................................................................193
10.2.1 Logging In to the S9300 Through the Console Interface....................................................................193
10.2.2 Setting the Management IP Address of the S9300..............................................................................197
10.2.3 Uploading Web Page Files..................................................................................................................198
10.2.4 Loading a Web Page File.....................................................................................................................199
10.2.5 Creating a Web Account......................................................................................................................199
10.2.6 Logging In to the Web System............................................................................................................200
11 SSL Configuration...................................................................................................................202
11.1 SSL...............................................................................................................................................................203
11.2 SSL Features Supported by the S9300.........................................................................................................204
11.3 Configuring Login to an FTPS Server from a User Terminal......................................................................205
11.3.1 Establishing the Configuration Task...................................................................................................205
11.3.2 Configuring an SSL Policy and Loading a Digital Certificate............................................................206
11.3.3 Enabling the FTPS Function................................................................................................................207
11.3.4 Accessing an FTPS Server..................................................................................................................208
11.4 Configuring Login to an FTPS Server from an FTPS Client.......................................................................209
11.4.2 Configuring the FTPS Client...............................................................................................................210
11.4.3 Configuring the FTPS Server..............................................................................................................212
11.4.4 Accessing an FTPS Server..................................................................................................................213
Issue 01 (2011-10-26)


Contents
11.5 Configuring Secure Web Network Management.........................................................................................216

11.5.2 Configuring an SSL Policy and Loading a Digital Certificate............................................................218
11.5.3 Loading a Web Page File.....................................................................................................................219
11.5.4 Enabling the HTTPS Function............................................................................................................219
11.5.5 Creating a Web Account......................................................................................................................220
11.5.6 Logging In to the Web System............................................................................................................221
11.6 Configuration Examples...............................................................................................................................222
11.6.1 Example for Configuring Login to an FTPS Server from a User Terminal........................................222
11.6.2 Example for Configuring Login to an FTPS Server from an FTPS Client.........................................226
11.6.3 Example for Configuring Secure Web Network Management............................................................234
Issue 01 (2011-10-26)

xi

1 Logging In to Switch
Logging In to Switch
About This Chapter

Before configuring switches, you need to log in to the switch.
1.1 Introduction
You can log in to switches through console port or Telnet.
1.2 Logging In to the Device Through the Console Port
This section describes how to connect a terminal to a switch through the console port to establish
the configuration environment.
1.3 Logging In to Device Through Telnet
This section describes how to connect a terminal to a switch through Telnet to establish the
configuration environment.
1.4 Configuration Examples
This section provides examples for configuring users to log in to the switch through the console
port or Telnet together with the configuration flowchart. The configuration examples explain
networking requirements, configuration notes, and configuration roadmap.
Issue 01 (2011-10-26)


1.1 Introduction
You can log in to switches through console port or Telnet.
1.1.1 Login Through the Console

When a switch is powered on for the first time or a switch needs to be locally configured, you
can log in to the switch through the console port.
In the following cases, a switch can be configured only through the console port:
l
The switch is powered on for the first time.
The subscriber cannot login through Telnet.
1.1.2 Login Through Telnet

If you know the IP address of a switch, you can log in to the switch through Telnet to perform
local or remote configurations.
YYou need to pre-configure the IP addresses of interfaces, the user account, the authentication
mode, and the incoming and outgoing call restriction through the console interface on the
switch. Also, ensure that directly-connected or reachable switch exist between terminals and the
switch.
The destination switch authenticates the user based on the configured parameters in three modes:
l
Password authentication: indicates that the login user should enter the correct password.
AAA local authentication: indicates that the login user should enter the correct user name
and password.
None authentication: indicates that the login user need not enter the user name or password.
If the login succeeds, a command line prompt such as <Quidway> appears on the Telnet client
interface.
Enter a command to check the running status of the switch or to configure the switch.
Enter "?" for help.
NOTE
Do not modify the IP address of the switch when you configure the switch through Telnet because the
modification may terminate Telnet connection. Otherwise, set up the connection again after entering a new
IP address.
1.2 Logging In to the Device Through the Console Port

This section describes how to connect a terminal to a switch through the console port to establish
the configuration environment.
Issue 01 (2011-10-26)


1.2.1 Establishing the Configuration Task

Before configuring login to the switch through the console port, familiarize yourself with the
applicable environment, complete the pre-configuration tasks, and obtain the required data. This
can help you complete the configuration task quickly and accurately.
Applicable Environment
If you log in to the switch for the first time or perform the local configuration, you need to log
in to the switch through the console port.
NOTE
If you cannot log in to the switch through the telnet, you need to log in to the switch through the console
port.
Pre-configuration Tasks
Before configuring login to the switch through the console port, complete the following tasks:
l
Preparing the PC/terminal (including serial port and RS-232 cable)
Installing terminal emulation program on the PC (such as Windows XP HyperTerminal)
Data Preparation
To login the switch through the console port, you need the following data.
NOTE
If the AAA authentication mode is configured for users to log in to the switch through the console interface,
the correct user name and password must be entered for a successful login.
No.
Data
Terminal communication parameters

l Baud rate
l Data bit
l Parity
l Stop bit
l Flow-control mode
(Optional) User name and password to be entered for a successful login in AAA
authentication mode
1.2.2 Establishing the Physical Connection

This part describes how to physically connect a terminal to a switch before login to the switch
through the console port.
Context
Do as follows on the switch:
Issue 01 (2011-10-26)


Procedure
Step 1 Connect the COM port on the PC and the console port on the switch by a cable.
Step 2 Power on all devices to perform a self-check.
----End
1.2.3 Configuring Terminals

This part describes how to configure the terminal before login to the switch through the console
port.
Context
Do as follows on the PC:
Procedure
Step 1 Run the terminal emulation program on the PC, setting the communication parameters as
follows:
l Baud rate: 9600 bps
l Data bit: 8
l Stop bit: 1
l Parity: none
l Flow control: none
----End
1.2.4 Logging In to the Device

This part describes how to log in to the switch through the console port.
Context
Procedure
Step 1 Press Enter until a command line prompt such as <Quidway> appears. Now the user view is
displayed for you to configure the switch.
NOTE
If the AAA or Password authentication mode is configured for users to log in to the switch through the
console interface, the correct user name and password must be entered for a successful login.
----End
1.3 Logging In to Device Through Telnet

This section describes how to connect a terminal to a switch through Telnet to establish the
configuration environment.
Issue 01 (2011-10-26)



Before configuring login to the switch through Telnet, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the required data. This can help
you complete the configuration task quickly and accurately.
If you know the IP address of the switch, you can log in to the switch through Telnet for local
or remote configuration.
Before configuring the switch through Telnet, complete the following tasks:
l
Powering on devices and performing a self-check
Preparing the PC (including the serial port and Ethernet crossover/direct cable)
Data Preparation
To log in to the switch through Telnet, you need the following data.
No.
Data
IP address of the PC
IP address of the Ethernet interface on the switch
User information accessed through Telnet:

l User name
l Password
l Authentication mode
1.3.2 Establishing the Physical Connection

This part describes how to physically connect a terminal to a switch before login to the switch
through Telnet.
Prerequisite
Establishing the Physical Connection are complete.
Procedure
Step 1 Connect the switch and the PC directly or connect the switch and the PC to the network through
cables.
----End
Issue 01 (2011-10-26)


1.3.3 Configuring Login User Parameters

This part describes how to configure user parameters for login to the switch through Telnet.
Context
Procedure
Step 1 Configure the authentication mode of login users.
Step 2 Configure the authority limitation of login user.
For details, see 5.4 Configuring VTY User Interface and 5.6 Configuring User
Management.
----End
1.3.4 Logging In from the Telnet Client

This part describes how to log in to the switch through Telnet.
Context
Procedure
Step 1 Run the Telnet program on the PC that functions as a client, and enter the IP address of the
interface on the destination switch that provides the Telnet service.
Step 2 Enter the user name and password in the login window. After authentication, a command line
prompt such as <Quidway> appears. Now enter the configuration environment in the user view.
----End

This section provides examples for configuring users to log in to the switch through the console
port or Telnet together with the configuration flowchart. The configuration examples explain
networking requirements, configuration notes, and configuration roadmap.
1.4.1 Example for Logging In Through the Console Port

In this example, you can configure the PC so as to log in to the switch through the console port.
Networking Requirements
Initialize the configuration of the switch when the switch is powered on for the first time.
Issue 01 (2011-10-26)


Figure 1-1 Networking diagram of logging in through the console port
PC
Switch
Configuration Roadmap
The configuration roadmap is as follows:
1.
Connect the PC and the switch through the console port.
2.
Configure the login on the PC end.
3.
Log in to the switch.
Data Preparation
To complete the configuration, you need the terminal communication parameters (including
baud rate, data bit, parity, stop bit, and flow control).
Procedure
Step 1 Connect the serial port of the PC (or terminal) to the console port of the switch through a standard
RS-232 cable. The local configuration environment is established.
Step 2 Run the terminal emulation program on the PC. Set the terminal communication parameters to
be 9600 bps, data bit to be 8, stop bit to be 1. Specify no parity and no flow control as shown
from Figure 1-2 to Figure 1-4.
Figure 1-2 New connection
Issue 01 (2011-10-26)


Figure 1-3 Setting the port
Figure 1-4 Setting the port communication parameters
Issue 01 (2011-10-26)


Step 3 Power on the switch to perform a self-check and the system performs automatic configuration.
When the self-check ends, you are prompted to press Enter until a command line prompt such
as <Quidway> appears.
Enter the command to check the running status of the switch or configure the switch.
Enter "?" for help.
----End
1.4.2 Example for Logging In Through Telnet

In this example, you can configure user parameters so as to log in to the switch from the PC or
other terminals through Telnet.
You can log in to the switch on other network segments through the PC or other terminals to
perform remote maintenance.
Figure 1-5 Establishing the configuration environment through WAN
IP
Network
PC
Switch
Target
Switch
1.
Establish the physical connection.
2.
Configure user login parameters.
3.
Log in to the switch from the client side.
Data Preparation
To complete the configuration, you need the following data
l
IP address of the PC
IP address of the Ethernet interface on the switch
User information accessed through Telnet (including the user name, password, and
authentication mode)
Procedure
Step 1 Connect the PC and the switch to the network.
Issue 01 (2011-10-26)


Step 2 Configure login user parameters on the target switch.

# Configure the login address
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] port link-type hybrid
[Quidway-GigabitEthernet1/0/0] port hybrid pvid vlan 10
[Quidway-GigabitEthernet1/0/0] port untagged vlan 10
[Quidway-GigabitEthernet1/0/0] quit
[Quidway]interface vlanif 10
[Quidway-vlanif10] ip address 202.38.160.92 255.255.0.0
[Quidway-vlanif10] quit
# Configure login authentication mode

[Quidway] aaa
[Quidway-aaa] local-user huawei password cipher hello
[Quidway-aaa] local-user huawei service-type telnet
[Quidway-aaa] local-user huawei level 3
[Quidway-aaa] quit
[Quidway] user-interface vty 0 4
[Quidway-ui-vty0-14] authentication-mode aaa
Step 3 Configure the client login.

Run the Telnet on the PC, as shown in Figure 1-6.
Figure 1-6 Running the Telnet program on the PC
Click OK.
Enter the user name and password in the login window. After authentication, a command line
prompt such as <Quidway> appears. Now enter the configuration environment in the user view.
NOTE
Before logging in to the switch, ensure that the PC and switch can ping each other.
----End
Issue 01 (2011-10-26)

10

2 CLI Overview
CLI Overview
About This Chapter

Users operate devices, that is, configure the device and perform routine maintenance, by entering
command lines.
2.1 CLI Introduction
The command line interface (CLI) is the common tool for running commands.
2.2 Online Help
When you enter command lines or configure services, online help offers real-time help in
addition to the configuration guide.
2.3 Features of Command Line Interface
You can edit command lines, display command lines, use the regular expression for command
lines, and invoke historical commands.
2.4 Shortcut Keys
Using the system or user-defined shortcut keys makes it easier to enter commands.
This section provides several examples for using command lines.
Issue 01 (2011-10-26)

11

2 CLI Overview
2.1 CLI Introduction

The command line interface (CLI) is the common tool for running commands.
2.1.1 Command Line Interface

You can configure and manage a switch by using the CLI commands.
When a prompt appears, you enter the command line interface (CLI) and interact with switch
through CLI.
The system provides a series of configuration commands. You can configure and manage the
switch by entering commands on CLI.
The characteristics of CLI are as follows:
l
Local configuration through console port.
Local or remote configuration through Telnet or Secure Shell (SSH).
A user interface view for specific configuration management.
Hierarchical command protection for users of different levels, that is, running the
commands of the corresponding level.
None authentication, password authentication and Authentication, Authorization and

Accounting (AAA) to prevent the unauthorized user from accessing the switch.
Entering "?" for online help at any time.
Network testing commands such as tracert and ping for rapidly diagnosing a network.
Abundant debugging information to help in diagnosing the network.
The telnet command for directly logging in to and manage other switch.
FTP service for file uploading and downloading.
Running a history command, like DosKey.
A command line interpreter provides intelligent command resolution methods such as key
word fuzzy match and context conjunction. These methods make it easy for users to enter
their commands.
NOTE
l The system supports the command with up to 512 characters. The command can be incomplete.
l The system saves the incomplete command to the configuration files in the complete form; therefore,
the command may have more than 512 characters. When the system is restarted, however, the
incomplete command cannot be restored. Therefore, pay attention to the length of the incomplete
command.
2.1.2 Command Levels

The system adopts a hierarchical protection mode that has 16 command levels.
The default command levels are as follows:
l
Issue 01 (2011-10-26)
Level 0-Visit level: Commands of this level include commands of network diagnosis tool
(such as ping and tracert) and commands that start from the local device and visit external
device (such as Telnet client side).
12

2 CLI Overview
Level 1-Monitoring level: Commands of this level, including the display commands, are
used for system maintenance and fault diagnosis.
Level 2-Configuration level: Commands of this level are service configuration commands
that provide direct network service to the user, including routing and network layer
commands.
Level 3-Management level: Commands of this level are commands that influence the basic
operation of the system and provide support to the service. They include file system
commands, FTP commands, TFTP commands, XModem downloading commands,
configuration file switching commands, power supply control commands, backup board
control commands, user management commands, level setting commands, system internal
parameter setting commands, and debugging commands that are used for fault diagnosis.
CAUTION
Not all display commands are of the monitoring level. For example, the display currentconfiguration and display saved-configuration commands are of the management level. For
the level of a command, see the Quidway S9300 Command Reference.
To implement efficient management, you can increase the command levels to 0-15. For the
increase in the command levels, refer to Chapter 4 "Basic Configuration" Configuring
Command Levels in the Quidway S9300 Configuration Guide - Basic Configurations.
NOTE
l The default command level may be higher than the command level defined according to the command
rules in application.
l Login users have the same 16 levels as the command levels. The login users can use only the command
of the levels that are equal to or lower than their own levels. For details of login user levels, refer to
User Management.
2.1.3 Command Views

The command line interface has different command views. All the commands must register in
one or more command views. You can run a command only when you enter the corresponding
command view.
Basic Concepts of Command Views

# Establish connection with the switch. If the switch adopts the default configuration, you can
enter the user view with the prompt of <Quidway>.
<Quidway>
# Type system-view, and you can enter the system view.

[Quidway]
# Type aaa in the system view, and you can enter the AAA view.
[Quidway] aaa
[Quidway-aaa]
Issue 01 (2011-10-26)

13

2 CLI Overview
NOTE
The prompt <Quidway> indicates the default switch name. The prompt <> indicates the user view and the
prompt [] indicates other views.
Some commands that are implemented in the system view can also be implemented in the other
views; however, the functions that can be implemented are command view-specific.
Common Views
The S9300 provides various command line views. For the methods of entering the command
line views except the following views, see the Quidway S9300 Command Reference.
l
User View
Item
Description
Function
Displays the running status and statistics of the S9300.
Entry command
Enters the user view after the connection is set up.
Prompt upon
entry
<Quidway>
Quit command
<Quidway>quit
Prompt upon
quit
None.
System View
Item
Description
Function
Sets the system parameters of the S9300, and enters other function
views from this view.
Entry command
Prompt upon
entry
[Quidway]
Quit command
[Quidway] quit
Prompt upon
quit
<Quidway>
Ethernet Interface View

Fast Ethernet (FE) interface view
Issue 01 (2011-10-26)
Item
Description
Function
Sets parameters related to FE interfaces of the S9300 and manages

the FE interfaces.
Entry
command
[Quidway] interface ethernet X/Y/Z

14

2 CLI Overview
Item
Description
Prompt upon
entry
[Quidway-EthernetX/Y/Z]
Quit command
[Quidway-EthernetX/Y/Z] quit
Prompt upon
quit
[Quidway]
NOTE
X/Y/Z indicates the number of an FE interface that needs to be configured. It is in the format of
slot number/sub card number/interface sequence number.
GE interface view
Item
Description
Function
Configures related parameters about the GE interfaces of the

S9300 and manages the GE interfaces.
Entry
command
[Quidway] interface GigabitEthernet X/Y/Z
Prompt upon
entry
[Quidway-GigabitEthernetX/Y/Z]
Quit command
[Quidway-GigabitEthernetX/Y/Z] quit
Prompt upon
quit
[Quidway]
NOTE
X/Y/Z indicates the number of a GE interface that needs to be configured. It is in the format of
slot number/sub card number/interface sequence number.
If an LPU provides GE interfaces and 10GE interfaces, the difference lies in the subcard where
the 10GE interfaces reside. Generally, the sequence number of a 10GE interface is 1. If an LPU
provides only 10GE interfaces, the method of entering the 10GE interface view is the same as
the method of entering the GE interface view.
2.2 Online Help

When you enter command lines or configure services, online help offers real-time help in
addition to the configuration guide.
Context
The command line of S9300 provides three types of online help:
l
Issue 01 (2011-10-26)
Full help
15

Partial help
Error Messages of the Command Line Interface
2 CLI Overview
2.2.1 Full Help

When you enter a command line, you can view the description of keywords or parameters in the
command line through the Full Help.
Context
You can obtain the full help of the command line in the following ways.
Procedure
l
Enter "?" in any command line view to display all the commands and their simple
descriptions.
<Quidway> ?
Enter a command and "?" separated by a space. If the key word is at this position, all key
words and their simple descriptions are displayed. For example:
<Quidway> language-mode ?
Chinese Chinese environment
English English environment
Chinese and English are keywords; Chinese environment and English environment
describe the keywords respectively.
l
Enter a command and "?" separated by a space, and if a parameter is at this position, the
related parameter names and parameter descriptions are displayed. For example:
[Quidway] ftp timeout ?
INTEGER<1-35791> The value of FTP timeout (in minutes)
[Quidway] ftp timeout 35 ?
<cr>
In the preceding display, INTEGER<1-35791> describes the parameter value; The value
of FTP timeout (in minutes) is a simple description of the parameter usage; <cr> indicates
that no parameter is at this position. The command is repeated in the next command line.
You can press Enter to run the command.
----End
2.2.2 Partial Help

When you enter a command line, you can obtain prompts on the keywords or parameters at the
beginning of the string through the Partial Help.
Context
You can obtain the partial help of the command line in the following ways.
Procedure
l
Enter a character string with a "?" closely following it to display all commands that begin
with this character string.
<Quidway> d?
debugging
dir
Issue 01 (2011-10-26)
delete
display

16

Enter a command and a character string with "?" closely following it to display all the key
words that begin with this character string.
<Quidway> display b?
bfd
bpdu
buffer
2 CLI Overview
bgp
bpdu-tunnel
bulk-stat
Enter the first several letters of a key word in the command and then press Tab to display
the complete key word on the condition that the letters uniquely identify the key word.
Otherwise, if you continue to press Tab, different key words are displayed. You can select
the needed key word.
----End
2.2.3 Error Messages of the Command Line Interface

If an entered command passes the syntax check, the system executes it. Otherwise, the system
prompts an error message.
All the commands entered by the user are run correctly, if the grammar check has been passed.
Otherwise, error messages are reported to the user. See Table 2-1 for the common error
messages.
Table 2-1 Common error messages of the command line
Error messages
Cause of the error
Unrecognized command
The command cannot be found

The key word cannot be found
Wrong parameter
Parameter type error

The parameter value exceeds the limit
Incomplete command
Incomplete command entered
Too many parameters
Too many parameters entered
Ambiguous command
Indefinite parameters entered
2.3 Features of Command Line Interface

You can edit command lines, display command lines, use the regular expression for command
lines, and invoke historical commands.
2.3.1 Editing
The editing function of command lines helps you edit command lines or obtain help by using
certain keys.
The command line supports multi-line edition. The maximum length of each command is 512
characters.
Keys for editing that are often used are shown in Table 2-2.
Issue 01 (2011-10-26)

17

2 CLI Overview
Table 2-2 Keys for editing

Key
Function
Common key
Inserts a character in the current position of the cursor if the editing

buffer is not full and the cursor moves to the right. Otherwise, an
alarm is generated.
Backspace
Deletes the character on the left of the cursor that moves to the
left. When the cursor reaches the head of the command, an alarm
is generated.
Left cursor key or

Ctrl_B
Moves the cursor to the left by the space of a character. When the
cursor reaches the head of the command, an alarm is generated.
Right cursor key or

Ctrl_F
Moves the cursor to the right by the space of a character. When

the cursor reaches the end of the command, an alarm is generated.
Tab
Press Tab after typing the incomplete key word and the system
runs the partial help:
l If the matching key word is unique, the system replaces the
typed one with the complete key word and displays it in a new
line with the cursor a space behind.
l If there are several matches or no match at all, the system
displays the prefix first. Then you can press Tab to view the
matching key word one by one. In this case, the cursor closely
follows the end of the word and you can type a space to enter
the next word.
l If a wrong key word is entered, press Tab and the word is
displayed in a new line.
2.3.2 Displaying
All command lines have the same displaying feature. You can construct the displaying mode as
required.
You can control the display of information on CLI as follows:
l
Display prompt and help information in both Chinese and English.
When the information displayed exceeds a full screen, it provides the pause function. In
this case, the user has three choices as shown in Table 2-3.
Table 2-3 Keys for displaying

Key
Function
Ctrl_C
Stops the display and running of the command.

NOTE
You can also press any of the keys except the spacebar and Enter key
to stop the display and running of the command.
Space
Issue 01 (2011-10-26)
Continues to display the information on the next screen.

18

2 CLI Overview
Key
Function
Enter
Continues to display the information on the next line.
2.3.3 Regular Expressions

The regular expression is a mode matching tool. You can construct the matching mode based
on certain rules, and then match the mode with the target object.
The regular expression is an expression that describes a set of strings. It consists of common
characters (such as letters from "a" to "z") and particular characters (also named metacharacters).
The regular expression is a template according to which you can search for the required string.
A regular expression can provide the following functions:
l
Searching for and obtaining a sub-string that matches a rule in the string.
Substituting a string according to a certain matching rule.
Formal Language Theory of the Regular Expression

The regular expression consists of common characters and particular characters.
l
Common characters
Common characters are used to match themselves in a string, including all upper-case and
lower-case letters, digits, punctuations, and special symbols. For example, a matches the
letter "a" in "abc", 202 matches the digit "202" in "202.113.25.155", and @ matches the
symbol "@" in "xxx@xxx.com".
Particular characters
Particular characters are used together with common characters to match the complex or
particular string combination. Table 2-4 describes particular characters and their syntax.
Table 2-4 Description of particular characters
Issue 01 (2011-10-26)
Particul
ar
characte
r
Syntax
Example
Defines an escape character, which

is used to mark the next character
(common or particular) as the
common character.
\* matches "*".
Matches the starting position of the

string.
^10 matches "10.10.10.1" instead of

"20.10.10.1".
Matches the ending position of the

string.
1$ matches "10.10.10.1" instead of

"10.10.10.2".

19

2 CLI Overview
Particul
ar
characte
r
Syntax
Example
Matches the preceding element zero

or more times.
10* matches "1", "10", "100", and

"1000".
(10)* matches "null", "10", "1010",
and "101010".
Matches the preceding element one

or more times
10+ matches "10", "100", and

"1000".
(10)+ matches "10", "1010", and
"101010".
Matches the preceding element zero

or one time.
10? matches "1" and "10".
Matches any single character.
0.0 matches "0x0" and "020".
(10)? matches "null" and "10".
.oo matches "book", "look", and

"tool".
()
Defines a subexpression, which can

be null. Both the expression and the
subexpression should be matched.
100(200)+ matches "100200" and

"100200200".
x|y
Matches x or y.
100|200 matches "100" or "200".

1(2|3)4 matches "124" or "134",
instead of "1234", "14", "1224", and
"1334".
[xyz]
Matches any single character in the

regular expression.
[123] matches the character 2 in

"255".
[^xyz]
Matches any character that is not

contained within the brackets.
[^123] matches any character except

for "1", "2", and "3".
[a-z]
Matches any character within the

specified range.
[0-9] matches any character ranging

from 0 to 9.
[^a-z]
Matches any character beyond the

specified range.
[^0-9] matches all non-numeric

characters.
Matches a comma "," left brace "{",

right brace "}", left parenthesis "(",
and right parenthesis ")".
_2008_ matches "2008", "space

2008 space", "space 2008", "2008
space", ",2008,", "{2008}",
"(2008)", "{2008", and "(2008}".
Matches the starting position of the

input string.
Matches the ending position of the
input string.
Matches a space.
Issue 01 (2011-10-26)

20

2 CLI Overview
NOTE
Unless otherwise specified, all characters in the preceding table are displayed on the screen.
Degeneration of particular characters

Certain particular characters, when being placed at the following positions in the regular
expression, degenerate to common characters.
The particular characters following "\" is transferred to match particular characters
themselves.
The particular characters "*", "+", and "?" placed at the starting position of the regular
expression. For example, +45 matches "+45" and abc(*def) matches "abc*def".
The particular character "^" placed at any position except for the start of the regular
expression. For example, abc^ matches "abc^".
The particular character "$" placed at any position except for the end of the regular
expression. For example, 12$2 matches "12$2".
The right bracket such as ")" or "]" being not paired with its corresponding left bracket
"(" or "[". For example, abc) matches "abc)" and 0-9] matches "0-9]".
NOTE
Unless otherwise specified, degeneration rules are applicable when preceding regular expressions
serve as subexpressions within parentheses.
Combination of common and particular characters

In actual application, a regular expression combines multiple common and particular
characters to match certain strings.
Specifying a Filtering Mode in Command
CAUTION
The Quidway S9300 uses a regular expression to implement the filtering function of the pipe
character. A display command supports the pipe character only when there is excessive output
information.
When the output information is queried according to the filtering conditions, the first line of the
command output starts with the information containing the regular expression.
The command can carry the parameter | count to display the number of matching entries. The
parameter | count can be used together with other parameters.
For the commands supporting regular expressions, the three filtering methods are as follows:
l
| begin regular-expression: displays the information that begins with the line that matches
regular expression.
| exclude regular-expression: displays the information that excludes the lines that match
regular expression.
| include regular-expression: displays the information that includes the lines that match
regular expression.
NOTE
The value of regular-expression is a string of 1 to 255 characters.
Issue 01 (2011-10-26)

21

2 CLI Overview
Specify a Filtering Mode when Information is Displayed

When a lot of information is displayed, you can specify a filtering mode in the prompt "---- More
----".
l
/regular-expression: displays the information that begins with the line that matches regular
expression.
-regular-expression: displays the information that excludes lines that match regular
expression.
+regular-expression: displays the information that includes lines that match regular
expression.
2.3.4 History Commands

The command line interface provides a function similar to DosKey, which can automatically
save historical commands. You can invoke the historical commands saved on the command line
interface at any time and run them again.
By default, the system saves 10 history commands at most for each user. The operations are as
shown in Table 2-5.
Table 2-5 Access the history commands
Action
Key or Command
Result
Display the
history
commands.
display historycommand
Display the history commands entered by users.
Access the last

history
command.
Up cursor key or
Ctrl_P
Display the last history command if there is an

earlier history command. Otherwise, a bell is
generated.
Access the next

history
command.
Down cursor key

or Ctrl_N
Display the next history command if there is a later

history command. Otherwise, the command is
cleared and a bell is generated.
NOTE
On the HyperTerminal of Windows 9X, cursor key is invalid as the HyperTerminals of Windows 9X
define the keys differently. In this case, you can replace the cursor key with Ctrl_P.
When you use the history commands, note the following:

l
The saved history commands are the same as that those entered by users. For example, if
the user enters an incomplete command, the saved command also is incomplete.
If the user runs the same command several times, the earliest command is saved. If the
command is entered in different forms, they are considered as different commands.
For example, if the display ip routing-table command is run several times, only one history
command is saved. If the disp ip routing command and the display ip routing-table
command are run, two history commands are saved.
Issue 01 (2011-10-26)

22

2 CLI Overview
2.3.5 Batch Command Execution

By running pre-defined command lines in batches, you can simplify the operation of entering
common commands and improve efficiency.
Context
Log in to the switch from the client and do as follows:
Procedure
Step 1 Run the batch-cmd edit to edit commands to be run in batches.
The batch-cmd edit command can be used by only one user at a time.
The maximum length of a command (including the incomplete command) to be entered is 512
characters.
When editing commands, press Enter to complete the editing of each command.
NOTE
After running the batch-cmd edit command to successfully edit the commands to be executed in batches,
the system deletes the original commands to be run in batches.
The commands that are already edited are saved in memory and are deleted for ever when the system is
restarted.
Step 2 After all commands are edited, you can press the shortcut buttons Ctrl+Z to exit the editing state
and return to the user view.
Step 3 Run the batch-cmd execute to execute commands in batches.
The batch-cmd execute command can be used by only one user at a time.
The sequence of running commands is the same as the sequence of editing commands.
----End
2.4 Shortcut Keys

Using the system or user-defined shortcut keys makes it easier to enter commands.
2.4.1 Classifying Shortcut Keys

There are two types of shortcut keys, namely, system shortcut keys and user-defined shortcut
keys. Familiarize yourself with shortcut keys so as to use them accurately.
The shortcut keys in the system are classified into the following types:
l
User-oriented and user-defined shortcut keys: CTRL_G, CTRL_L, CTRL_O, and

CTRL_U. The user can correlate these shortcut keys with any commands. When the
shortcut keys are pressed, the system automatically runs the corresponding command. For
details of defining the shortcut keys, see 2.4.2 Defining Shortcut Keys.
System-defined shortcut keys: These shortcut keys with fixed functions are defined by the
system. Table 2-6 lists the system-defined shortcut keys.
Issue 01 (2011-10-26)

23

2 CLI Overview
NOTE
Different terminal software defines these keys differently. Therefore, the shortcut keys on the terminal may
be different from those listed in this section.
Table 2-6 System-defined shortcut keys
Issue 01 (2011-10-26)
Key
Function
CTRL_A
The cursor moves to the beginning of the current line.
CTRL_B
The cursor moves to the left by the space of a character.
CTRL_C
Terminates the running function.
CTRL_D
Deletes the character where the cursor lies.
CTRL_E
The cursor moves to the end of the current line.
CTRL_F
The cursor moves to the right by the space of a character.
CTRL_H
Deletes one character on the left of the cursor.
CTRL_K
Stops the creation of the outbound connection.
CTRL_N
Displays the next command in the history command buffer.
CTRL_P
Displays the previous command in the history command buffer.
CTRL_R
Repeats the display of the information of the current line.
CTRL_T
Terminates the outbound connection.
CTRL_V
Pastes the contents on the clipboard.
CTRL_W
Deletes a character string or character on the left of the cursor.
CTRL_X
Deletes all the characters on the left of the cursor.
CTRL_Y
Deletes all the characters on the right of the cursor.
CTRL_Z
Returns to the user view.
CTRL_]
Terminates the inbound or redirection connections.
ESC_B
The cursor moves to the left by the space of a word.
ESC_D
Deletes a word on the right of the cursor.
ESC_F
The cursor moves to the right to the end of next word.
ESC_N
The cursor moves downward to the next line.
ESC_P
The cursor moves upward to the previous line.
ESC_SHIFT_<
Sets the position of the cursor to the beginning of the content to

be pasted into the clipboard.
ESC_SHIFT_>
Sets the position of the cursor to the end of the content to be

pasted into the clipboard.

24

2 CLI Overview
2.4.2 Defining Shortcut Keys

Only management-level users have the rights to define shortcut keys.
NOTE
When defining the shortcut keys, use double quotation marks to define the command if this command
contains several commands words, that is, if spaces exist in the command.
Configure as follows in the system view.

Action
Command
Define shortcut keys
hotkey { CTRL_G | CTRL_L | CTRL_O | CTRL_U }

command-text
By default, CTRL_G, CTRL_L and CTRL_O correspond to the following commands

respectively:
l
CTRL_G: display current-configuration
CTRL_L: display ip routing-table
CTRL_O: undo debugging all
The default commands of the other shortcut keys are null.
2.4.3 Use of Shortcut Keys

You can use the shortcut key at any position that allows a command to be entered. The system
executes an entered shortcut key and displays the corresponding command on the screen in the
same way as you enter a complete command.
l
If you have typed part of a command and have not pressed Enter, you can press the shortcut
keys to clear the entered command and display the full corresponding command. This
operation has the same effect as that of deleting all commands and then re-entering the
complete command.
The shortcut keys are run as the commands, the syntax is recorded to the command buffer
and log for fault location and querying.
NOTE
The terminal in use may affect the functions of the shortcut keys. For example, if the customized shortcut
keys of the terminal conflict with those of the switch, the input shortcut keys are captured by the terminal
program and hence the shortcut keys do not function.
Run the following command in any view to display the use of shortcut keys.
Action
Command
Check the usage of shortcut keys.
display hotkey

This section provides several examples for using command lines.
Issue 01 (2011-10-26)

25

2 CLI Overview
2.5.1 Example for Running Commands in Batches

This part provides an example for running commands in batches. In this example, by editing the
commands to be run in batches, you can configure the system to automatically run the commands
in batches.
Context
Log in to the switch and do as follows:
Procedure
Step 1 Edit the display users, display startup, and display clock commands to be run in batches.
<Quidway> batch-cmd edit
Info: Begin editing batch commands. Press CTRL+Z to abort this session.
display users
display startup
display clock
<Quidway>
Step 2 Run the commands in batches.

<Quidway> batch-cmd execute
<Quidway>batch-cmd execute command: display users
User-Intf
Delay
Type
Network Address
AuthenStatus
AuthorcmdFlag
0
CON 0
00:00:00
Username : Unspecified
<Quidway>batch-cmd execute command: display startup
MainBoard:
Configured startup system software:
cfcard:/s9300v100r006c02b118.cc
Startup system software:
Next startup system software:
Startup saved-configuration file:
cfcard:/vrpcfg.zip
Next startup saved-configuration file:
cfcard:/vrpcfg.zip
Startup paf file:
default
Next startup paf file:
default
Startup license file:
default
Next startup license file:
default
Startup patch package:
NULL
Next startup patch package:
NULL
<Quidway>batch-cmd execute command: display clock
2009-11-23 14:27:20-08:00
Monday
Time Zone(China Standard Time) : UTC-08:00
<Quidway>batch-cmd execute finished.
----End
2.5.2 Example for Using the Tab Key

You can obtain prompts on keywords or check whether the entered keywords are correct by
pressing Tab.
Procedure
l
Issue 01 (2011-10-26)
If only one keyword contains the incomplete keyword,

26

2 CLI Overview
do as follows on the S9300.

1.
Enter an incomplete keyword.

[Quidway] info-
2.
Press Tab.
The system replaces the incomplete keyword with a complete keyword and displays
the complete keyword in another line. There is only one space between the cursor and
the end of the keyword.
[Quidway] info-center
If more than one keyword contains the incomplete keyword,

do as follows on the S9300.
# The keyword info-center can be followed by the following keywords.
[Quidway] info-center log?
logbuffer
loghost
1.
logfile
Enter an incomplete keyword.

[Quidway] info-center l
2.
Press Tab.
The system displays the prefix of all the matched keywords. The prefix in this example
is log.
[Quidway] info-center log
3.
Continue to press Tab to display all the keywords. There is no space between the
cursor and the end of the keywords.
[Quidway] info-center loghost
[Quidway] info-center logbuffer
[Quidway] info-center logfile
Stop pressing Tab when you find the required keyword logfile.
4.
Enter a space and enter the next keyword channel.

[Quidway] info-center logfile channel
----End
2.5.3 Example for Defining Hotkeys

If the login switch is defined with shortcut keys, the shortcut keys can be used by any user
regardless of the user level.
Procedure
Step 1 Define the hotkeys CTRL_U on the S9300 and assign the display ip routing-table command
to the hotkeys. Then, run the command.
[Quidway] hotkey ctrl_u "display ip routing-table"
Step 2 Type Ctrl+U following [Quidway] to display the display ip routing-table command.
[Quidway] display ip routing-table
Route Flags: R - relied, D - download to fib
-----------------------------------------------------------------------------Routing Tables: Public
Destinations : 9
Routes : 9
Destination/Mask
Proto Pre Cost Flags NextHop
Interface
Issue 01 (2011-10-26)

27

1.1.1.1/32
10.1.1.1/32
44.0.0.0/24
44.0.0.1/32
127.0.0.0/8
127.0.0.1/32
192.168.0.0/16
192.168.32.9/32
2 CLI Overview
Direct
Direct
Direct
Direct
Direct
Direct
Direct
Direct
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
D
D
D
D
D
D
D
D
127.0.0.1
127.0.0.1
44.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
192.168.32.9
127.0.0.1
InLoopBack0
InLoopBack0
Vlanif44
InLoopBack0
InLoopBack0
InLoopBack0
Ethernet0/0/0
InLoopBack0
----End
2.5.4 Example for Copying a Command by Using Hotkeys

You can copy commands by using shortcut keys in any view.
Procedure
Step 1 Enter a command in any view on the S9300. Move the cursor to the beginning of the command,
and then press ESC_SHIFT_<. Move the cursor to the end of the command, and then press
ESC_SHIFT_>. Then, the contents are written to the clipboard.
<Quidway> display ip routing-table
Step 2 After the command is copied, run the display clipboard command to view the contents of the
clipboard.
<Quidway> display clipboard
---------------- CLIPBOARD----------------display ip routing-table
Step 3 Press CTRL_SHIFT_V to view the contents of the clipboard in any view.
<Quidway> display ip routing-table
----End
Issue 01 (2011-10-26)

28

3 How to Use Interfaces
How to Use Interfaces
About This Chapter

This chapter describes the concept of the interface and the basic configuration about the interface.
3.1 Introduction to Interfaces
This section describes different types of interfaces. The interfaces are provided by the S9300 to
receive and send data.
3.2 Setting Basic Parameters of an Interface
This section describes how to set the basic parameters of an interface.
3.3 Configuring the Loopback Interface
This section describes how to configure the loopback interface.
3.4 Maintaining the Interface
This section describes how to maintain the interface.
Issue 01 (2011-10-26)

29

3.1 Introduction to Interfaces

This section describes different types of interfaces. The interfaces are provided by the S9300 to
receive and send data.
Interfaces are classified into management interfaces and service interfaces based on their
functions; interfaces are classified into physical interfaces and logical interfaces based on their
physical forms.
NOTE
A physical interface is sometimes called a port. Both physical interfaces and logical interfaces are called
interfaces in this document.
Management Interface
Management interfaces are used to manage and configure a device. You can log in to the
S9300 through a management interface to configure and manage the S9300. Management
interfaces do not transmit service data.
The S9300 provides the following management interfaces:
l
Console interface
Eth interface
Table 3-1 Description of management interfaces

Name
Usage
Console interface
It is connected to the COM port of a configuration terminal and used

to set up an onsite configuration environment.
Eth interface
The Eth interface is connected to the network interface of a

configuration terminal or network management workstation to establish
the configuration environment onsite or remotely.
The S9300 series consist of three models: S9303, S9306, and S9312. The console interface and
Eth interface are on the main control board.
The following table shows the rule for numbering management interfaces.
Table 3-2 Management interface numbers
Issue 01 (2011-10-26)
Name
Number
Console interface
Console 0.
Eth interface
Ethernet 0/0/0.

30

Classification of Service Interfaces

Service interfaces are used to transmit service data. They are classified into 100 Mbit/s interfaces,
1 Gbit/s interfaces and 10 Gbit/s interfaces according to their rates; they are classified into
electrical interfaces and optical interfaces according to their electrical properties.
On the S9300, all the service interfaces are located on the Line Processing Units (LPUs).
The rules for numbering service interfaces are as follows:
The interfaces of the S9300 are numbered in the format slot ID/subcard ID/interface sequence
number when the stacking function is disabled.
After the stacking function is enabled, interfaces are numbered in the format frame ID/slot ID/
subcard ID/interface sequence number.
l
Frame ID: indicates the ID of a switch in a stack system. The value is 1 or 2.
Slot ID: indicates the ID of the slot where an LPU is located.
Subcard ID: indicates the ID of a subcard. The value is 0.
Interface sequence number: indicates the sequence number of an interface on an LPU.
Table 3-3 Service interface numbering rule

Interf
ace
Row
No.
1
Figure of Interface Numbering
The left most interface is

numbered 1. and the other
interfaces are numbered in
ascending order from left to right.
...
...
...
Description
...
The LPU has two rows of

interfaces with the upper-left
interface numbered 0. The other
interfaces are numbered in
ascending order from up to bottom,
and then from left to right.
For example: If an LPU is installed in slot 3 of the S9300, the fifth interface on the LPU from
bottom to up and from left to right is numbered GE 3/0/4. If the stacking function is enabled and
the frame ID of the S9300 is 1, the interface is numbered Ethernet 1/3/0/4.
Physical Interfaces
Physical interfaces are interfaces that actually exist on the S9300.
Physical interfaces include management interfaces and service interfaces.
The S9300 supports the following physical interfaces:
l
Issue 01 (2011-10-26)
Console interface
31

Eth interface
POS interface
EPON interface
Fast Ethernet interface
Gigabit Ethernet interface
10 Gigabit Ethernet interface
Physical interfaces are located on the main control board and LPUs of the S9300.
Logical Interfaces
Logical interfaces do not exist and are set up by configurations.
The S9300 supports the following logical interfaces:
l
Eth-Trunk
The Eth-Trunk consists of Ethernet links only.
The Eth-Trunk technique has the following advantages:
Increased bandwidth: The bandwidth of an Eth-Trunk is the total bandwidth of all
member interfaces.
Improved reliability: When a link fails, traffic is automatically switched to other
available links. This ensures link reliability.
For details about the Eth-Trunk configuration, see "Configuring the Eth-Trunk" in the
Quidway S9300 Terabit Routing Switch Configuration Guide - Ethernet.
IP-Trunk
The IP-Trunk consists of POS links only.
The IP-Trunk technique has the following advantages:
Increased bandwidth: The bandwidth of an IP-Trunk is the total bandwidth of all
member interfaces.
Improved reliability: When a link fails, traffic is automatically switched to other
available links. This ensures link reliability.
For details about the IP-Trunk configuration, see "Configuring an IP-Trunk Interface" in
the Quidway S9300 Terabit Routing Switch Configuration Guide - WAN.
Loopback interface
A loopback interface is a virtual interface. The TCP/IP protocol suite defines IP address
127.0.0.0 as a loopback address. When the system starts, it automatically creates an
interface using the loopback address 127.0.0.1 to receive all data packets sent to the local
device.
Some applications such as mutual access between virtual private networks need a local
interface with a specified IP address without affecting the configuration of physical
interfaces. This IP address has a 32-bit mask (to save IP addresses) and can be advertised
by routing protocols.
The status of a loopback interface is always Up; therefore, the IP address of the loopback
interface can be used as the router ID, the label switching router (LSR) ID, or be land to a
tunnel.
For details, see 3.3 Configuring the Loopback Interface.
l
Issue 01 (2011-10-26)
Null interface
32

Null interfaces are similar to null devices supported by certain operating systems. Any data
packets sent to a null interface are discarded. Null interfaces are used for route selection
and policy-based routing (PBR). For example, if a packet matches no route during route
selection, the packet is sent to the null interface.
l
Tunnel interface
A tunnel interface can be used as the backup interface of other interfaces and used to set
up Generic Routing Encapsulation (GRE) tunnels or Multiprotocol Label Switching
(MPLS) Traffic Engineering (TE) tunnels.
For details about the configuration, see "Configuring the Tunnel Interface" in the Quidway
S9300 Terabit Routing Switch Configuration Guide - IP Service.
MTunnel interface
An MTunnel interface (MTI) is the ingress or egress of a multicast tunnel (MT). The local
provider edge (PE) sends data of the private network through the MTI, and the remote PE
receives data of the private network through MTI.
For details about the configuration, see "Configuring the MTI" in the Quidway S9300
Terabit Routing Switch Configuration Guide - Multicast.
Sub-interface
The sub-interface provides a solution to creating multiple logical interfaces or network
interconnections on a physical interface. Several logical interfaces are associated with a
physical interface and use the same parameter values. The link-layer parameters and
network-layer parameters of the logical interfaces are different. For the configuration of
sub-interfaces, see "Configuring the sub-interface" in the Quidway S9300 Terabit Routing
Switch Configuration Guide - Ethernet.
VLANIF interface
When the S9300 needs to communicate with devices at the network layer, you can create
a logical interface of the Virtual Local Area Network (VLAN) on the S9300, namely, a
VLANIF interface. You can assign IP addresses to VLANIF interfaces because VLANIF
interfaces work at the network layer. The S9300 then communicates with devices at the
network layer through VLANIF interfaces.
For details about the configuration, see "Configuring the VLANIF Interface" in the
Quidway S9300 Terabit Routing Switch Configuration Guide - Ethernet.
3.2 Setting Basic Parameters of an Interface

This section describes how to set the basic parameters of an interface.

Before configuring advanced functions of an interface such as the working mode and routes,
you need to complete the basic configuration of the interface.
To facilitate the configuration and maintenance of an interface, the S9300 provides interface
views. The commands related to the interface are valid only in the interface views.
The basic interface configurations include entering an interface view, configuring interface
description, enabling an interface, and disabling an interface.
Issue 01 (2011-10-26)

33

Installing the LPU on the S9300
Data Preparation
To set parameters of an interface, you need the following data.
No.
Data
Type and number of the interface to be configured
Description of the interface
3.2.2 Entering the Interface View

To configure an interface, you need to enter the interface view.
Context
Do as follows on the S9300.
Procedure
Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
interface interface-type interface-number
The view of a specified interface is displayed.

interface-type specifies the type of the interface and interface-number specifies the number of
the interface.
----End
3.2.3 Viewing All the Commands in the Interface View

After entering the interface view, you can view all the commands in the interface view.
Context
Procedure
Step 1 Run:
system-view

Issue 01 (2011-10-26)

34

Step 2 Run:

Step 3 Run:
?
All the commands in the view of the specified interface are displayed.
----End
3.2.4 Configuring the Description for an Interface

The description configured for an interface on the S9300 helps you identify and memorize the
usage of the interface, which facilitates the management.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
description description
The description is configured for the interface.

----End
3.2.5 Starting and Shutting Down an Interface

When a physical interface is idle and is not connected to a cable, shut down this interface to
protect the interface against interference. To use a shutdown interface, you need to start the
interface.
Context
NOTE
l A null interface is always Up and cannot be shut down by command.

l A loopback interface is always Up and cannot be shut down by command.
Procedure
l
Shutting down the interface

1.
Run:
system-view
Issue 01 (2011-10-26)

35


2.
Run:

3.
Run:
shutdown
The interface is shut down.

NOTE
By default, an interface is enabled.
Starting an interface
1.
Run:
system-view

2.
Run:

3.
Run:
undo shutdown
The interface is started.

----End
3.2.6 Further Configuration an Interface

After configuring basic parameters, configure the interface as required.
Context
When you access a network through an interface, you need to further setting multiple parameters
of the interface based on the networking requirements in addition to performing basic
configurations on the interface.
Further configurations of an interface include:
l
Configuring the operation mode of an interface
Configuring routes
For the detailed Configuration, please see the other configuration manuals of S9300.
For the detailed Configuration, please see Quidway S9300 Terabit Routing Switch
Configuration Guide - Ethernet and Quidway S9300 Terabit Routing Switch Configuration
Guide - IP Routing.
3.2.7 Checking the Configuration

After completing the basic configuration of an interface, you can use the display commands to
check the configuration.
Issue 01 (2011-10-26)

36

Procedure
Step 1 Run the display interface [ interface-type [ interface-number ] ] command to check the running
status of the interface and the statistics on the interface.
Step 2 Run the display interface description command to check the brief information about the
interface
Step 3 Run the display ip interface [ interface-type interface-number ] command to check the main
configurations of the interface.
Step 4 Run the display ip interface brief [ interface-type interface-number ] command to check the
brief state of the interface.
----End
3.3 Configuring the Loopback Interface

This section describes how to configure the loopback interface.

The users can create or delete a loopback interface. When being created, the loopback interface
remains in the Up state until you delete it.
Some applications such as mutual access between virtual private networks need to be configured
with a local interface with a specified IP address when the configuration of a physical interface
is not affected. In this case, the IP address of the local interface needs to be advertised by routing
protocols. Loopback interfaces are used to improve the reliability of the configuration.
Before configuring the loopback interface, complete the following task:
l
Switching on the S9300
Data Preparation
To configure the loopback interface, you need the following data.
No.
Data
Number of the loopback interface
IP address of the loopback interface
3.3.2 Configuring IPv4 Parameters of the Loopback Interface

A loopback interface can be assigned an IPv4 address, bound to a VPN instance, and configured
to check the source IPv4 addresses of packets.
Issue 01 (2011-10-26)

37

Procedure
Step 1 Run:
system-view

Step 2 Run:
interface loopback interface-number
A loopback interface is created.

The value of interface-number ranges from 0 to 1023. A maximum of 1024 loopback interfaces
can be created.
Step 3 (Optional) Run:
ip binding vpn-instance vpn-instance-name
The loopback interface is bound to the VPN instance.

Step 4 Run:
ip address ip-address { mask | mask-length } [ sub ]
An IPv4 address is assigned to the loopback interface.

ip verify source-address
The loopback interface is configured to check the source IPv4 addresses of packets.
----End

After configuring a loopback interface, run the following commands to check the configuration.
Procedure
Step 1 Run the display interface loopback [ number ] command to check the status of the loopback
interface.
----End
3.4 Maintaining the Interface

This section describes how to maintain the interface.
3.4.1 Clearing Statistics Information on the Interface

The statistics on the interface cannot be restored after you clear them. So, confirm the action
before you use the command.
Issue 01 (2011-10-26)

38

Procedure
Step 1 Run the reset counters interface [ interface-type [ interface-number ] ] command in the user
view to clear the statistics on the interface.
----End
3.4.2 Debugging the Interface

When an interface works abnormally, you can debug the interface.
Context
CAUTION
Debugging affects the performance of the system. So, after debugging, run the undo debugging
all command to disable it immediately.
For the description about debugging commands, see the Quidway S9300 Terabit Routing Switch
Debugging Reference.
For details about debugging commands on an interface, see the following chapters.
Issue 01 (2011-10-26)

39

4 Basic Configuration
Basic Configuration
About This Chapter

This chapter describes how to configure the basic system environment and the basic user
environment.
4.1 Basic Configuration Introduction
This section describes the meaning and scope of the basic configuration.
4.2 Configuring the Basic System Environment
This section describes how to configure the basic system environment according to user habits
or the requirements of the actual environment.
4.3 Configuring Basic User Environment
This section describes the configuration of the basic user environment for user level switching.
4.4 Displaying System Status Messages
This section describes the display commands that are used for displaying basic system
configurations.
Issue 01 (2011-10-26)

40

4.1 Basic Configuration Introduction

This section describes the meaning and scope of the basic configuration.
Before configuring services, users often need to perform basic configurations for actual
operation and maintenance.
The S9300 provides configurations of two kinds of basic environments:
l
Basic system environment: includes the language mode, host name, system name, system
time, header text, and command level for actual environment.
Basic user environment: includes password for changing levels and the terminal lock.
4.2 Configuring the Basic System Environment

This section describes how to configure the basic system environment according to user habits
or the requirements of the actual environment.

Before configuring the basic system environment, familiarize yourself with the applicable
Before configuring the services, you need to configure the basic system environments to meet
the requirements of the actual environments.
By default, the S9300 supports commands of Level 0 to Level 3, namely, visit level, monitoring
level, configuration level, and management level.
If the user needs to define more levels, or refine management privileges on the device, the user
can extend the range of command line level from the range of Level 0 to Level 3 to the range of
Level 0 to Level 15.
Before configuring basic system environment, complete the following task:
l
Powering on the switch
Data Preparation
To configure basic system environment, you need the following data.
Issue 01 (2011-10-26)
No.
Data
Language mode
System time
41

No.
Data
Host name
Login information
Command level
4.2.2 Switching the Language Mode

You can switch between the Chinese mode and the English mode as required.
Context
Procedure
Step 1 Run:
language-mode language-name
The language mode is switched.

By default, the English mode is used.
The help information on the switch can be in English and in Chinese. The language mode is
stored in the system software and need not be loaded.
----End
4.2.3 Configuring the Equipment Name

You can change the equipment name as required. The new equipment name takes effect
immediately.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
sysname host-name
The equipment name is set.

You can change the name of the switch that appears in the command prompt.
Issue 01 (2011-10-26)

42

By default, the host name of the switch is Quidway.

----End
4.2.4 Setting the System Clock

To ensure that devices on the network work with the same clock, you need to set or change the
system clock.
Context
You need to set the system time properly to ensure the cooperation between the S9300 and other
devices. The S9300 supports the configurations of the time zone and the daylight saving time.
NOTE
UTC indicates the Universal Time Coordinated.
Procedure
Step 1 Run:
clock datetime
HH:MM:SS YYYY-MM-DD
The current date and time is set.

Step 2 Run:
clock timezone time-zone-name { add | minus } offset
The time zone is set.

l If add is configured, the current time is the UTC time plus the time offset. That is, the default
UTC time plus offset is equal to the time of time-zone-name.
l If minus is configured, the current time is the UTC time minus the time offset. That is, the
default UTC time minus offset is equal to the time of time-zone-name.
Step 3 Run:
clock daylight-saving-time time-zone-name one-year start-time start-date end-time
end-date offset
or
clock daylight-saving-time time-zone-name repeating start-time { { first | second
| third | fourth | last } weekday month | start-date } end-time { { first |
second | third | fourth | last } weekday month | end-date } offset [ start-year
[ end-year ] ]
The daylight saving time is set.

During the configuration of the daylight saving time, you can configure the start time and end
time in one of the following modes: date+date, week+week, date+week, and week+date. For
details, see clock daylight-saving-time.
Issue 01 (2011-10-26)

43

NOTE
When the current time is within the daylight saving time, running the clock timezone time-zone-name
{ add | minus } offset command can successfully set the time zone name. If the display clock command
is run to view the time zone name at the moment, the time zone name, however, is displayed as the name
of the daylight saving time. After the daylight saving time ends, the set time zone name can be displayed.
----End
4.2.5 Configuring a Header

If you need to provide information for login users, you can configure a header that the system
displays during login or after login.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
header login { information text | file file-name }
The header displayed during login is set.

Run:
header shell { information text | file file-name }
The header displayed after login is set.

A header is a system prompt displayed when a user logs in to the switch or starts interactive
configuration with the switch. The header provides detailed instruction.
NOTE
l If a user logs in to the switch by using SSH1.X, the login header is not displayed during login, but the
shell header is displayed after login.
l If a user logs in to the switch by using SSH2.0, both login and shell headers are displayed.
----End
4.2.6 Configuring Command Levels

By default, commands are registered in the sequence of Level 0 to Level 3. If refined rights
management is required, you can divide commands in to 16 levels, that is, from Level 0 to Level
15.
Context
If the user does not adjust a command level separately, after the command level is updated, all
originally-registered command lines adjust automatically according to the following rules:
l
Issue 01 (2011-10-26)
The commands of Level 0 and Level 1 remain unchanged.

44

The command Level 2 is updated to Level 10 and Level 3 is updated to Level 15.
No command lines exist in Level 2 to Level 9 and Level 11 to Level 14. The user can adjust
the command lines to these levels separately to refine the management of privilege.
NOTE
The updation of command Level 2 to Level 10 and Level 3 to Level 15 is not a two-step process but onestep by batch.
Procedure
Step 1 Run:
system-view

Step 2 Run:
command-privilege level rearrange
Update the command level in batch.

When no password is configured for a Level 15 user, the system prompts the user to set a superpassword for the level 15 user. At the same time, the system asks if the user wants to continue
to update the command line level. Then, just select "N" to set a password. If you select "Y", the
command level can be updated in batch directly. This results in the user not logging in through
the Console port and failing to update the level.
Step 3 Run:
command-privilege level level view view-name command-key
The command level is configured. With the command, you can specify the level and view
multiple commands at one time (command-key).
All commands have default command views and levels. You need not reconfigure them.
----End
4.2.7 Configuring the Undo Command to Match in the Previous

View Automatically
You can run the undo command in the current view and thus the system automatically matches
the previous view.
Context
If the user allows the undo command to automatically match the previous view and the user
runs the undo command that is not registered in the current view, the system searches the
undo command in the previous view.
The undo command has disadvantages due to automatically matching. For example, when the
user runs the undo ospf command in the interface view where the command is not registered,
the system searches in system view automatically. This may lead to global deletion of the OSPF
feature.
Issue 01 (2011-10-26)

45

NOTE
l By default, the undo command does not automatically match the upper level view.
l The matched upper-view command is valid for current login users who run this command.
l It is not recommended that you configure the undo command to automatically match the upper level
view, unless necessary.
Procedure
Step 1 Run:
system-view

Step 2 Run:
matched upper-view
The undo command is configured to match the upper level view.

By default, the undo command does not match the previous view automatically.
----End
4.3 Configuring Basic User Environment

This section describes the configuration of the basic user environment for user level switching.

Before configuring the basic user environment, familiarize yourself with the applicable
The user can log in to a switch with lower level to perform simple configurations or view
configurations. When the configuration is complicated, the user needs to switch to a high level.
Thus, it requires the user to configure the basic environment for switching levels.
Before configuring the basic environment for the user, complete the following task:
l
Powering on the switch properly
Data Preparation
To configure the basic environment for the user, you need the following data:
Issue 01 (2011-10-26)
No.
Data
Password for the user level switching

46

4.3.2 Configuring the Password for Switching User Levels

Passwords need to be set for users that are switched from lower levels to higher levels.
Context
When users log in to the switch with a lower user level, they switch to a higher user level to
perform advanced operations by entering the corresponding password. The password needs to
be configured in advance.
CAUTION
When simple is used, the password is saved in the configuration files in simple text. Login users
with lower level can obtain the password by viewing the configuration. This may cause security
problems. Therefore, cipher is used to save the password in encrypted text.
If the pass word is set in cipher mode, the password cannot be resumed from the system. Save
the password to avoid oblivion or miss.
Procedure
Step 1 Run:
system-view

Step 2 Run:
super password [ level user-level ] { simple | cipher } password
The password for switching user levels is configured.

----End
4.3.3 Switching User Levels

You need to enter the set password when being switched from a lower level to a higher level.
Context
An accurate password must be entered when the user is switched from a lower level to a higher
level.
Procedure
Step 1 Run:
super [ level ]
Issue 01 (2011-10-26)

47

User levels are switched.

Step 2 Follow the prompt and enter a password.
If the password entered is correct, the user can switch to a higher level. If the user enters a
password incorrectly for three consecutive times, the user remains at the current login level and
returns to the user view.
NOTE
When the login user of lower level is switched to the user of higher level through the super command, the
system automatically sends trap messages and records the switchover in a log. When the switched level
is lower than that of the current level, the system only records the switchover in a log.
----End
4.3.4 Locking User Interfaces

You can enter the set password to unlock the locked user interface.
Context
When you leave the operation terminals for a moment, you can lock the user interface to prevent
unauthorized users from operating the interface.
Procedure
Step 1 Run:
lock
The user interface is locked.

Step 2 Follow the system prompt and input an unlock password, and then confirm.
<Quidway> lock
Enter Password:
Confirm Password:
If the locking is successful, the system prompts that the user interface is locked.
You must enter a correct password to unlock the user interface.
----End
4.4 Displaying System Status Messages

This section describes the display commands that are used for displaying basic system
configurations.
Context
You can use the display commands to collect information about the system status. The display
commands are classified according to the following functions:
l
Displays system configurations.
Displays the running status of the system.
Issue 01 (2011-10-26)

48

Displays the diagnostic information about a system.
Displays the restart information about the main control board.
See the related sections for display commands for protocols and interfaces. The following only
shows the system display commands.
Run the following commands in any view.
4.4.1 Displaying System Configuration

You can view information about the system version, system time, original configuration, and
current configuration.
Prerequisite
Basic Configuration are complete.
Procedure
l
Run the display version command to display the system version.
Run the display clock command to display the system time.
Run the display saved-configuration command to display the original configuration.
Run the display current-configuration command to display the current configuration.
----End
4.4.2 Displaying System Status

You can view the configuration of the current view.
Prerequisite
Basic configuration are complete.
Procedure
l
Run the display this command to display the configuration of the current view.
----End
4.4.3 Collecting System Diagnostic Information

You can view the system diagnosis information.
Context
Basic configuration is complete.
Procedure
Step 1 Run:
display diagnostic-information [ file-name ]
The system diagnosis information is displayed.

Issue 01 (2011-10-26)

49

When the system fails or performs the routine maintenance, you need to collect a lot of
information to locate faults. Then, you have to run different display commands to collect all
information. In this case, you can use the display diagnostic-information command to collect
all information about the current running modules in the system.
The display diagnostic-information command collects all information collected by running
the following commands, including display clock, display version, display cpu-usage, display
interface, display current-configuration, display saved-configuration, display historycommand, and so on.
----End
Issue 01 (2011-10-26)

50

5 User Management
User Management
About This Chapter

This chapter describes user interfaces and the configuration of users' login.
5.1 User Management Introduction
This section describes basic concepts of user interfaces and user management.
5.2 Logging In to the S9300 Through the Console Port
This section describes how to log in to the S9300 through the console port.
5.3 Configuring Console User Interface
You can configure the console user interface so as to maintain a switch on the local device.
5.4 Configuring VTY User Interface
You can configure the VTY user interface to maintain a remote switch.
5.5 Managing User Interfaces
You need to configure user management to ensure that the operator manages switchs safely.
5.6 Configuring User Management
Through user management, you can create users for switchs, set user passwords, and manage
users.
This section provides examples for configuring users to log in to a switch in different modes.
These configuration examples explain networking requirements, configuration roadmap, and
configuration notes.
Issue 01 (2011-10-26)

51

5 User Management
5.1 User Management Introduction

This section describes basic concepts of user interfaces and user management.
5.1.1 User Interface

A user interface (UI) enables users to log in to the S9300. Through a user interface, you can
configure the parameters on all physical and logical interfaces that work in asynchronous and
interactive modes. In this manner, you can manage, authenticate, and authorize the login users.
Types of User Interfaces

Table 5-1 describes the types of user interfaces supported by the S9300.
Table 5-1 Types of user interfaces
Type
Purpose
Description
CON
Local login through the

console interface
It is a linear interface conforming to the EIA/TIA-232

standard. The type of the interface is DCE. Each main
control board provides a console interface.
VTY
Local or remote login

through Telnet or SSH
It is a virtual interface and indicates a logical terminal

line. When you log in to the S9300 through Telnet,
FTP, or SSH, a VTY connection is set up.
Numbering of User Interfaces

You can number a user interface in the following ways:
l
Relative numbering
Relative numbering indicates that the interfaces of the same type are numbered. The relative
numbering uniquely specifies a user interface of a specified type.
The format of the relative numbering is: user interface type + number. It must comply with
the following rules:
Number of the CON interface: console0
Default number of the VTY: vty0, vty1, vty2, vty3, and vty4
Absolute numbering
The S9300 uniquely specifies the default numbers of 0, 34~38 for the user interfaces of
CON and VTY. You can enter a specific user interface view by entering any of these
numbers.
Mapping between relative numbering and absolute numbering

Figure 5-1 shows the mapping between relative and absolute numbering of a user interface.
Issue 01 (2011-10-26)

52

5 User Management
Figure 5-1 Numbering of user interfaces on the S9300

Types ofset
interface
CON
Relative
numbering
Obsolute
numbering
console0
VTY
vty0
34
vty1
35
vty2
36
vty3
37
vty4
38
In the figure, console 0 and 0 indicate the same user interface; vty1 and 35 indicate the
same user interface.
NOTE
On the S9300, the absolute number can be 0 or 34 to 48.
5.1.2 User Authentication

When a user logs in to the S9300, the S9300 authenticates the user according to the configuration
to ensure system security.
When the S9300 is switched on for the first time, no authentication information for login is
available in the system. In this case, you can log in to the S9300 through the console interface
without being authenticated.
If a user logs in to the S9300 through Telnet on an Ethernet interface, the login user must be
authenticated for the sake of security. If the authentication succeeds, the user can log in to the
S9300 to configure and maintain the S9300.
To manage users that try to log in to the S9300, these users are assigned with passwords and
classified into different levels.
Classifying Login Users

Login users on the S9300 are classified according to service types and assigned rights assigned,
as shown in Table 5-2.
Table 5-2 Types of login users
Issue 01 (2011-10-26)
User Type
Description
Authentication
Super users
Logs in to the S9300 through the console interface

and have all rights.
Not authenticated for

the first login but
recommended later

53

5 User Management
User Type
Description
Authentication
Telnet users
Logs in to the S9300 through the Ethernet interface

using Telnet and have limited rights. A Telnet
connection is set up between the user terminal and the
S9300.
Recommended
SSH users
Logs in to the S9300 through the Ethernet interface

using SSH and have limited rights. An SSH
connection is set up between the user terminal and the
S9300.
Recommended
FTP users
Logs in to the S9300 through FTP on the Ethernet

interface and have limited rights. An FTP connection
is set up between the user terminal and the S9300.
Recommended
The rights that can be obtained by users logging in to the S9300 through Telnet, SSH, and FTP
depend on the priorities of the user interfaces through which they log in to. The S9300 provides
multiple services for a user. To ensure login convenience and security, login users must be
classified, and then assigned levels.
Priorities of Users
The system manages super users and Telnet users according to user levels.
Similar to the command levels, users are classified into 16 levels numbered 0 to 15. The greater
the number, the higher the user level.
NOTE
If the user levels are not set, the four default user levels are used, namely, levels 0 to 3.
The level of the command that a user can run is determined by the level of this user.
l
In the case of non-authentication or password authentication, the level of the command that
the user can run depends on the level of the user interface.
In the case of AAA authentication, the command that the user can run depends on the level
of the local user specified in AAA configuration.
Users of a level can access the commands of this level or lower levels.
Assuming that user levels 0 to 3 are used in the system, users of level 2 can access commands
of levels 0, 1, and 2, and users of level 3 can access commands at all levels.
Authenticating Login Users

After users are configured on the S9300, the system authenticates the users when they log in to
the S9300. The S9300 provides three authentication modes, as shown in Table 5-3.
Issue 01 (2011-10-26)

54

5 User Management
Table 5-3 Authentication modes of login users

Authenticatio
n Mode
Description
Nonauthentication
Users can log in to the S9300 without entering the user name and password.
There is a great potential security risk.
Password
authentication
Users can log in to the S9300 by entering only the password. In this
manner, security is ensured.
AAA
authentication
Users need to enter both the user name and password to log in to the
S9300. The S9300 then authenticates the users according to the configured
user information. This further improves security. It applies to the users
logging in to the S9300 through the console interface and Telnet users.
5.2 Logging In to the S9300 Through the Console Port

This section describes how to log in to the S9300 through the console port.

You need to log in to the S9300 through the console interface, as shown in Figure 5-2. In the
figure, Switch is an S9300.
Figure 5-2 Logging in to the S9300 through the console interface
RS-232 serial interface
PC
Console interface
Switch
NOTE
If the S9300 is switched on for the first time and you need to manage and configure the S9300, you can
log in to the S9300 through the console interface only.
Before logging in to the S9300 through the console interface, complete the following tasks:
l
Connecting the PC and the S9300 correctly
Starting the S9300 normally
Data Preparation
None.
Issue 01 (2011-10-26)

55

5 User Management
5.2.2 Logging In to the S9300 Through the Console Interface

Context
When setting up a local configuration environment through the console interface, you can
connect the PC and the S9300 through the Windows HyperTerminal.
Procedure
Step 1 Enable the HyperTerminal on the PC.
Choose Start > All Programs > Accessories > Communications > HyperTerminal to start
the HyperTerminal.
Step 2 Set up a new connection.
As shown in Figure 5-3, enter the name of the new connection in the Name text box and choose
an icon. Click OK.
Figure 5-3 Setting up a new connection
Step 3 Set the connection port.

After entering the Connect window as shown in Figure 5-4, select a serial port from the
Connect drop-down list box according to the port used by the PC or the configuration terminal.
Select COM1 in this case, and click OK.
Issue 01 (2011-10-26)

56

5 User Management
Figure 5-4 Setting the connection port
Step 4 Set communication parameters.

After entering the COM1 Properties window as shown in Figure 5-5, set the communication
parameters according to the description in Table 5-4.
NOTE
In other Windows operating systems, Bits per second may be described as Baud rate; Flow control may
be described as Traffic control.
Issue 01 (2011-10-26)

57

5 User Management
Figure 5-5 Setting communication parameters for the port
Table 5-4 Communication parameters

Parameter
Value
Bit per second (Baud rate)
9600
Data bit
Parity check
None
Stop bit
Flow control (Traffic control)
None
Step 5 After the HyperTerminal is started, select File Attributes to enter the Connect Properties
window as shown in Figure 5-6. Choose the Setting tab, select Auto detect or VT100 from the
Emulation drop-down list box. Click OK to complete the setting.
Issue 01 (2011-10-26)

58

5 User Management
Figure 5-6 Selecting a terminal type
After the preceding steps are complete, press Enter. If the prompt <Quidway> is displayed, it
indicates that you have logged in to the S9300. At this time, you can enter the command to
configure and manage the S9300.
----End
5.3 Configuring Console User Interface

You can configure the console user interface so as to maintain a switch on the local device.

Before configuring a console interface, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the required data. This can help you complete
the configuration task quickly and accurately.
A console user interface is required for maintaining the local switch.
Before configuring a console interface, complete the following tasks:
Issue 01 (2011-10-26)

59

Connecting a PC to the switch
5 User Management
Data Preparation
To configure a console interface, you need the following data.
No.
Data
Baud rate, flow-control mode, parity, stop bit, and data bit
Idle timeout period, number of lines displayed in a terminal screen, number of

characters in each line displayed in a terminal screen,and the size of history command
buffer
User priority
User authentication method, user name, and password
NOTE
All the configuration items of the switch, excluding the user name and password, have default values and
do not need to be configured additionally.
5.3.2 Configuring Console Interface Attributes

You can configure the rate, flow control mode, parity mode, stop bit, and data bit for the console
port.
Context
Do as follows on the switch that the user logs in to:
Procedure
Step 1 Run:
system-view

Step 2 Run:
user-interface console interface-number
The console user interface view is displayed.

speed speed-value
The baud rate is set.

By default, the baud rate is 9600 bit/s.
flow-control { hardware | none | software }
Issue 01 (2011-10-26)

60

5 User Management
The flow control mode is set. By default, the flow-control mode is none.
parity { even | mark | none | odd | space }
The parity mode is set.

By default, the value is none.
stopbits { 1.5 | 1 | 2 }
The stop bit is set.

By default, the value is 1 bit.
databits { 5 | 6 | 7 | 8 }
The data bit is set.

By default, the data bit is 8.
NOTE
When the user logs in to a switch through a console port, the configured attributes for the console port on
the HyperTerminal should be in accordance with the attributes of the interface on the switch. Otherwise,
the user cannot log in to the switch.
----End
5.3.3 Setting Console Terminal Attributes

You can configure the timeout period for idle users, maximum number of lines to displayed on
each screenor the maximum number of characters in each line, and the size of historical command
buffer for the console interface.
Context
Do as follows on the switch to which a user logs in:
Procedure
Step 1 Run:
system-view

Step 2 Run:
The console interface view is displayed.

Step 3 Run:
shell
The terminal service is started.

Step 4 Run:
idle-timeout minutes [ seconds ]
Issue 01 (2011-10-26)

61

5 User Management
The timeout period for idle users is set.

By default, the timeout period for idle users is 10 minutes.
Step 5 Run:
screen-length screen-length
The number of lines to be displayed on each screen is set.

By default, a terminal displays 24 lines on each screen.
You can run the screen-length screen-length temporary command to specify the number of
lines that a terminal displays on each screen.
Step 6 Run:
screen-width screen-width
The maximum number of characters in each line displayed on a terminal screen is set.
By default, each line displayed on a terminal screen has a maximum of 80 characters.
Step 7 Run:
history-command max-size size-value
The buffer of the history command is set.

By default,the history command buffer on a user interface can cache a maximum of 10
commands.
----End
5.3.4 Configuring User Priority

You can set the priority for a user who logs in through the console port.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
user privilege level level
The priority of the user is set.

This process is to set the priority for a user who logs in through the console port. A user can only
use the command of the level corresponding to the user level.
Issue 01 (2011-10-26)

62

5 User Management
For more information about the command priority, see "Command Level" in Chapter 3 "CLI
Overview".
----End
5.3.5 Configuring User Authentication

The system provides three authentication modes, namely, AAA, password, and none.
Procedure
l
Configuring AAA Authentication

1.
Run:
system-view

2.
Run:

3.
Run:
authentication-mode aaa
The authentication mode is set to AAA.

4.
Run:
quit
Exit from the console user interface view.

5.
Run:
aaa
The AAA view is displayed.

6.
Run:
local-user user-name password { simple | cipher } password
Name and password of the local user are created.

l
Configuring Password Authentication

1.
Run:
system-view

2.
Run:

3.
Run:
authentication-mode password
You can set the authentication mode as password authentication.

4.
Run:
set authentication password { cipher | simple } password
A password for authentication is set.

Issue 01 (2011-10-26)

63

5 User Management
Configuring Non-Authentication
1.
Run:
system-view

2.
Run:

3.
Run:
authentication-mode none
The authentication mode is set to non-authentication.

----End

After configuring the console user interface, you can view the usage information of the user
interface, physical attributes and configurations of the user interface, local user list, and online
users.
Prerequisite
The configurations of the User Management function are complete.
Procedure
l
Run the display users [ all ] command to check information about user interface.
Run the display user-interface console ui-number1 [ summary ] command to check

physical attributes and configurations of the user interface.
Run the display local-user command to check the local user list.
Run the display access-user command to check online users.
----End
5.4 Configuring VTY User Interface

You can configure the VTY user interface to maintain a remote switch.

Before configuring a VTY interface, familiarize yourself with the applicable environment,
If you want to log in to the switch using Telnet or SSH to perform management or configuration
operations, .a VTY interface is required.
Issue 01 (2011-10-26)

64

5 User Management
Before configuring a VTY user interface, complete the following tasks:
l
Connecting a PC to the switch correctly
Data Preparation
To configure a VTY user interface, you need the following data.
No.
Data
Maximum VTY user interfaces
(Optional) Number of the ACL for limiting incoming and outgoing calls of users
logging in using VTY user interfaces
Timeout period for idle users, maximum number of lines to be displayed on each
screen , maximum number of characters in each line, and the size of the history
command buffer
User authentication mode, user name, and password
5.4.2 Configuring Maximum VTY User Interfaces

You can configure the maximum number of VTY user interfaces through which users log in to
a switch.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
user-interface maximum-vty number
The maximum VTY user interfaces that can log in to the switch is set.
NOTE
When the maximum number of VTY user interfaces is set to zero, any user including the NMS user cannot
log in to a switch.
If the maximum number of VTY user interfaces to be configured is smaller than the maximum
number of current interfaces, other parameters need not be configured.
Issue 01 (2011-10-26)

65

5 User Management
If the maximum number of VTY user interfaces to be configured is larger than the maximum
number of current interfaces, the authentication mode and password need to be configured for
newly added user interfaces.
For newly added user interfaces, the system applies password authentication by default.
For example, a maximum of five users are allowed online. To allow 15 VTY users online at the
same time, you need to run the authentication-mode command and the set authentication
password command to configure authentication modes and passwords for user interfaces from
VTY 5 to VTY 14. The command is run as follows:
[Quidway] user-interface maximum-vty 15
[Quidway-ui-vty5-14] authentication-mode password
[Quidway-ui-vty5-14] set authentication password cipher huawei
----End
5.4.3 (Optional)Configuring Limits for Incoming Calls and

Outgoing Calls
You can set the limit on incoming and outgoing calls for VTY user interfaces.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
user-interface vty first-ui-number [ last-ui-number ]
The VTY user interface view is displayed.

Step 3 Run:
acl acl-number { inbound | outbound }
The limits to calling in/out of VTY are configured.

When you need to prevent a user of certain address or segment address from logging in to the
switch, use the inbound command; when you need to prevent a user who logs in to a switch
from accessing other switchs, use the outbound command.
----End
5.4.4 Configuring VTY Terminal Attributes

You can configure the timeout period for idle users, maximum number of lines to be displayed
on each screenor the maximum number of characters in each line, and the size of the historical
command buffer for a VTY interface.
Issue 01 (2011-10-26)

66

5 User Management
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
user-interface vty number1 [ number2 ]
The VTY interface view is displayed.

Step 3 Run:
shell
Terminal services are enabled.

Step 4 Run:
The timeout period for idle users is set.

Step 5 Run:
screen-length screen-length
The maximum number of lines to be displayed on each screen is set.

By default, a maximum of 24 lines are displayed on each screen.
You can run the screen-length screen-length temporary command to specify the maximum
number of lines to be temporarily displayed on each terminal screen.
Step 6 Run:
screen-width screen-width
The maximum number of characters in each line displayed on a terminal screen is set.
By default, each line displayed on a terminal screen has a maximum of 80 characters.
Step 7 Run:
history-command max-size size-value
The size of the history command buffer is set.

By default, the history command buffer on a user interface can cache a maximum of 10
commands.
----End
5.4.5 Configuring User Authentication

The system provides three authentication modes, namely, AAA, password, and none.
Context
The switch supports user authentication of three types:
Issue 01 (2011-10-26)

67

5 User Management
AAA authentication: requires the user name and password.
Password authentication: requires no user name but a password must be set. Otherwise, the
user can log in to the switch only through the console interface.
None: requires neither user name nor password. No authentication is needed when the user
logs in to the switch.
Configuring AAA Authentication
Procedure
1.
Run:
system-view

2.
Run:

3.
Run:

4.
Run:
quit
Exit from the VTY user interface view.

5.
Run:
aaa

6.
Run:

l
Configuring Password Authentication

1.
Run:
system-view

2.
Run:

3.
Run:
Set the authentication mode as password.

4.
Run:
A password for this authentication mode is set.

l
Configuring Non-Authentication
1.
Issue 01 (2011-10-26)
Do as follows on the switch, run:

68

5 User Management
system-view

2.
Run:

3.
Run:
The authentication mode is set to none.

----End

After configuring the VTY user interface, you can view the usage information of the user
interface, the maximum number of VTY user interfaces, and physical attributes and
configurations of the user interface.
Prerequisite
The configuration of VTY User Interface are complete.
Procedure
l
Run the display users [ all ] command to check the usage information of the user interface.
Run the display user-interface maximum-vty command to check the number of maximum
VTY user interfaces.
Run the display user-interface [ [ ui-type ] ui-number1 | ui-number ] [ summary ]

command to check the physical attributes and configurations of the user interface.
----End
5.5 Managing User Interfaces

You need to configure user management to ensure that the operator manages switchs safely.

Before configuring user management interfaces, familiarize yourself with the applicable
To ensure that the operator managesswitchs safely, you need to send messages between user
interfaces and clear designated user.
Before managing the user interface, complete the following tasks:
Issue 01 (2011-10-26)

69

Connecting the PC with the switch properly
5 User Management
Data Preparations
To manage the user interface, you need the following data:
No.
Data
Type and number of the user interface
Contents of the message to be sent
5.5.2 Sending Messages to Other User Interfaces

You can configure messaging between user interfaces.
Context
Procedure
Step 1 Run:
send { all | ui-type ui-number | ui-number1 }
You can enable message sending between user interfaces.

Step 2 Following the prompt, you can enter the message to be sent. You can press Ctrl_Z or Enter to
end, and press Ctrl_C to abort.
----End
5.5.3 Clearing Online User

You can clear specified online users.
Context
Procedure
Step 1 Run:
free user-interface { ui-number | ui-type ui-number1 }
Online users are cleared.

Step 2 On receiving the prompts, you can confirm whether the designated online users have to be
cleared.
----End
Issue 01 (2011-10-26)

70

5 User Management

After configuring user management interfaces, you can view the usage information of user
interfaces.
Prerequisite
The configuration of User Interfaces are complete.
Procedure
Step 1 Run the display users [ all ] command to check the usage information of the user interface.
----End
5.6 Configuring User Management

Through user management, you can create users for switchs, set user passwords, and manage
users.

Before configuring user management, familiarize yourself with the applicable environment,
After the IP address is assigned to the main control board or the interface board, any remote user
can use Telnet to log in to the switch, or connect the switch through PPP to access networks.
This compromises the security. To ensure network security and ease user management, configure
a user name and the user password for the switch.
Before configuring a user, complete the following tasks:
l
Connecting the PC with the switch properly
Data Preparation
To configure a user, you need the following data.
Issue 01 (2011-10-26)
No.
Data
Authentication mode
User name and password
User priority

71

5 User Management
5.6.2 Configuring Authentication Mode

The system provides three authentication modes, namely, AAA local authentication, password
authentication, and none authentication.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
user-interface [ ui-type ] first-ui-number [ last-ui-number ]
The user interface view is displayed.

Step 3 Run:
authentication-mode { aaa | password | none }
The user authentication mode is configured.

----End
5.6.3 Configuring Authentication Password

You can configure a plain or cipher text password for authentication.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
The authentication mode is set to Password.

Step 4 Run:
The authentication password is configured.

Issue 01 (2011-10-26)

72

5 User Management
NOTE
The default authentication mode is the password authentication.
----End
5.6.4 Setting Username and Password for AAA Local

Authentication
You can configure a plain or cipher text password for AAA local authentication.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:

Step 4 Run:
quit
Return to the system view.

Step 5 Run:
aaa

Step 6 Run:
The local username and the password are configured.

----End
5.6.5 Configuring Non-Authentication

You can configure users to log in to a switch without being authenticated.
Issue 01 (2011-10-26)

73

5 User Management
Context
CAUTION
Configuring the non-authentication mode may cause security problems of the switch.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
The non-authentication mode is configured.

NOTE
l If the authentication mode is non-authentication or password authentication, the priority of the userinterface determines the command level that the users can access.
l If the authentication mode needs the username and the password, the priority of the user determines
the command level that the users can access.
----End
5.6.6 Configuring User Priority

You can configure the user priority.
Context
Refer to the Quidway S9300 Configuration Guide - Security.

After configuring user management, you can view the usage information of user interfaces, local
user list, and online users.
Prerequisite
The configuration of User Management are complete.
Procedure
l
Issue 01 (2011-10-26)
Run the display users [ all ] command to check the user information.
74

Run the display local-user command to check the local user list.
Run the display access-user command to check online users.
5 User Management
----End

This section provides examples for configuring users to log in to a switch in different modes.
These configuration examples explain networking requirements, configuration roadmap, and
configuration notes.
Context
CAUTION
After the first and second configuration examples are complete, the commands with priorities
higher than 2 cannot be run if the current user is VTY0. Ensure that users can log in to
theswitch in other methods to delete configurations.
5.7.1 Example for Configuring Logging In to the Switch Through

Password
In this example, the VTY0 priority, authentication mode, and disconnection time are configured,
which enables users to log in to the switch through a password.
The COM port of the PC is connected with the Console port. Set the priority of VTY0 to 2 and
authenticate the passwords of users. Users need to enter the password Huawei to log in
successfully.
After login, if the operations are not carried out in 30 minutes, it means that the user-interface
is disconnected from the switch.
1.
Enter the user interface, and configure the priority of VTY0 as 2.
2.
Configure the simple authentication and the disconnect time.
Data Preparation
To complete the configuration, you need the following data:
l
The password of the authentication mode
The disconnect time
Issue 01 (2011-10-26)

75

5 User Management
Procedure
Step 1 Configure the priority of VTY0 to be 2 on the Switch.
[Quidway] user-interface vty0
[Quidway-ui-vty0] user privilege level 2
Step 2 Configuring password and disconnect time.

[Quidway-ui-vty0] authentication-mode password
[Quidway-ui-vty0] set authentication password simple huawei
[Quidway-ui-vty0] idle-timeout 30
----End
Configuration Files
#
sysname Quidway
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
#
user-interface vty 0
user privilege level 2
set authentication password simple huawei
idle-timeout 30
#
return
5.7.2 Example for Logging In to the Device Through AAA

In this example, the VTY0 priority and disconnection time are configured and the idle-out
function is enabled for local users, which enables users to log in to the switch through AAA
authentication.
The COM port of the PC and the console port of the switch are connected.
Configure the priority of VTY0 to be 2, perform AAA authentication on the user that logs in
through VTY0. The login user must enter the username "huawei" and the password "huawei".
After login, if the user does not operate the switch within 30 minutes, the connection with the
switch is disabled.
1.
Enter the user interface view to configure the priority of VTY0 to be 2 and the disconnection
time.
2.
Enter the AAA view to configure the username, the password, and the user level.
3.
Switch on the idle timeout for the local user in the AAA view.
Data Preparation
Issue 01 (2011-10-26)

76

Username and password for authentication
Disconnect time
5 User Management
Procedure
Step 1 Configure the priority of VTY0 to be 2 and the disconnection time within 30 minutes.
[Quidway] user-interface vty0
[Quidway-ui-vty0] user privilege level 2
[Quidway-ui-vty0] authentication-mode aaa
[Quidway-ui-vty0] idle-timeout 30
[Quidway-ui-vty0] quit
Step 2 Configuring the local username, the password, and user level.
[Quidway] aaa
[Quidway-aaa] local-user huawei password cipher huawei
[Quidway-aaa] local-user huawei privilege level 2
----End
Configuration Files
#
sysname Quidway
#
aaa
local-user huawei password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
local-user huawei privilege level 2
local-user huawei idle-cut
#
#
#
domain default
#
user-interface vty 0
user privilege level 2
idle-timeout 30
#
return
Issue 01 (2011-10-26)

77

6 File System Management
File System Management
About This Chapter

This chapter describes the basic knowledge of the file system, including the methods of managing
files, directories, and storage devices.
6.1 Overview of the File System
This section describes the concepts of the file system.
6.2 Managing a Storage Device
This section describes how to format a storage device.
6.3 Managing the Directory
You can manage directories to logically store files in hierarchy.
6.4 Managing Files
You can view, create, delete, and rename files.
This section provides several configuration examples of the file system.
Issue 01 (2011-10-26)

78

6.1 Overview of the File System

This section describes the concepts of the file system.
Basic Concepts of the File System

A file system allows you to manage files and directories on the storage devices. In the file system,
you can create, delete, modify, and rename a file or a directory, and view contents of a file.
The file system provides the following functions:
l
Managing the files that are stored on the storage devices
Managing the storage devices
Storage Device
A storage device is a hardware device used to store data.
Different products support different storage devices. Currently, the S9300 supports the flash
memory and the Compact Flash (CF) card.
File
A file stores and manages information.
Directory
A directory collects and organizes files. It is a logical container of files.
6.2 Managing a Storage Device

This section describes how to format a storage device.

Before managing a storage device, complete the following tasks:
l
Installing the S9300 and switching it on properly
Client logging in to the S9300
Data Preparation
To manage a storage device, you need the following data.
Issue 01 (2011-10-26)
No.
Data
Device name

79

6.2.2 Restoring Storage Devices with File System Troubles

When the file system on a storage device fails, the terminal of the switch prompts you to rectify
the fault.
Context
Procedure
Step 1 Run:
fixdisk device-name
The storage devices with file system troubles is repaired.

NOTE
After this command is run, if the prompt that the system should be repaired is still received, it indicates
that the physical medium may be damaged.
----End
6.2.3 (Optional) Formatting a Storage Device

Context
CAUTION
After the format device-name command is run, the files and directories in the specified storage
device are cleared and cannot be restored. So, confirm the action before you use the command.
Procedure
Step 1 Run the following command in the user view:
format device-name
A storage device is formatted.

----End
6.3 Managing the Directory

You can manage directories to logically store files in hierarchy.

Before managing directories, familiarize yourself with the applicable environment, complete
the pre-configuration tasks, and obtain the required data. This can help you complete the
configuration task quickly and accurately.
Issue 01 (2011-10-26)

80

When you need to transfer files between the client and the server, configure the directory by
using the file system.
Before configuring the management directory, complete the following tasks:
l
Connecting the client with the server correctly
Data Preparation
To configure a management directory, you need the following data.
No.
Data
Directory name to be created
Directory name to be deleted
6.3.2 Viewing the Current Directory

You can view the current directory to know its information.
Context
Do as follows on the switch.
Procedure
Step 1 Run:
pwd
The current directory is displayed.

----End
6.3.3 Switching a Directory

You can switch the current directory to another directory.
Context
Procedure
Step 1 Run:
cd directory
Issue 01 (2011-10-26)

81

A directory is specified.
Step 2 Run:
pwd
The current directory is displayed.

----End
6.3.4 Displaying a Directory or File

You can view a directory or files in the directory.
Context
Procedure
Step 1 Run:
cd directory
A directory is specified and the specified directory is displayed.

Step 2 Run:
dir [ /all ] [ filename | cfcard: | flash: | slave#cfcard: | slave#flash: ]
The file and sub-directory list in the directory is displayed.

Either the absolute path or relative path is applicable.
----End
6.3.5 Creating a Directory

You can create a directory in the specified directory on a specified storage device.
Context
Procedure
Step 1 Run:
cd directory
The parent directory of the directory to be created is displayed.

Step 2 Run:
mkdir directory
The directory is created.

----End
6.3.6 Deleting a Directory

You can delete an unneeded directory.
Issue 01 (2011-10-26)

82

Context
Procedure
Step 1 Run:
cd directory
The parent directory of the directory to be deleted is displayed.

Step 2 Run:
rmdir directory
The directory is deleted.

----End
6.4 Managing Files

You can view, create, delete, and rename files.

Before managing files, familiarize yourself with the applicable environment, complete the preconfiguration tasks, and obtain the required data. This can help you complete the configuration
task quickly and accurately.
To view, delete, or rename files on the switch, you need to configure files using the file system.
Before configuring the file system, complete the following tasks:
l
Connecting the client with the server correctly
Data Preparation
To configure a file system, you need the following data.
Issue 01 (2011-10-26)
No.
Data
File name to be viewed
File name to be deleted
File name to be renamed

83

6.4.2 Displaying Contents of Files

You can view the contents of a file, which are displayed in texts.
Context
Procedure
Step 1 Run:
cd directory
The directory of the file is displayed.

Step 2 Run:
more filename
The content of the file is displayed.

----End
6.4.3 Copying Files

You can copy files.
Context
Procedure
Step 1 Run:
cd directory

Step 2 Run:
copy source-filename destination-filename
The file is copied.

NOTE
The file to be copied must be larger than 0 bytes. Otherwise, the operation fails.
----End
6.4.4 Moving Files

You can move files to a specified directory.
Context
Issue 01 (2011-10-26)

84

Procedure
Step 1 Run:
cd directory

Step 2 Run:
move source-filename destination-filename
The file is moved.

----End
6.4.5 Renaming Files

You can rename files.
Context
Procedure
Step 1 Run:
cd directory

Step 2 Run:
rename source-filename destination-filename
The file is renamed.

----End
6.4.6 Compressing Files

You can compress files to reduce the size of the files.
Context
Do as follows on the switch.
Procedure
Step 1 Run:
zip source-filename destination-filename
The file is compressed.

----End
6.4.7 Deleting Files

You can delete unneeded files.
Issue 01 (2011-10-26)

85

Context
Procedure
Step 1 Run:
cd directory

Step 2 Run:
delete [ /unreserved ] filename
The file is deleted.

----End
6.4.8 Deleting Files in the Recycle Bin

You can permanently delete files in the recycle bin.
Context
Procedure
Step 1 Run:
reset recycle-bin [ filename ]
The file is deleted.

----End
6.4.9 Undeleting Files

You can undelete files.
Context
Procedure
Step 1 Run:
undelete filename
The deleted file is recovered.

NOTE
l If the current directory is not the parent directory, you must operate the file by using the absolute path.
l If you use the parameter [ /unreserved ] in the delete command, the file cannot be restored after being
deleted.
----End
Issue 01 (2011-10-26)

86

6.4.10 Running Files in Batch

You can upload the files and then process the files in batches.
Prerequisite
Uploading the batched files on the client end to the switch.
Context
When the batch file is created, you can run the batch file to implement routine tasks
automatically.
Procedure
Step 1 Run:
system-view

Step 2 Run:
execute filename
The batched file is executed.

----End
6.4.11 Configuring Prompt Modes

The system displays prompts or warning messages when you operate the device. If you need to
change the prompt mode for file operations, you can configure the prompt mode of the file
system.
Prerequisite
Before configuring a file system, complete the following tasks:
l
Logging in to the switchfrom the client end
Context
The data may be lost or damaged during the process, and the prompt is required.
Procedure
Step 1 Run:
system-view

Step 2 Run:
file prompt { alert | quiet }
The prompt mode of the file system is configured.

Issue 01 (2011-10-26)

87

By default, the prompt mode is alert.
CAUTION
If the prompt is in the quiet mode, no prompt appears for data lossdue to maloperation.
----End

This section provides several configuration examples of the file system.
6.5.1 Example for Managing Files

This section describes how to manage files.
After configuring the file system of the S9300, you can copy files to the specified directory
through the console interface on the S9300. The path of a file in the storage device must be
correct. If the destination file name is not specified, the source file name is used by default. That
is, the name of the destination file is the same as that of the source file.
1.
Check the files in a certain directory.
2.
Copy the files to the directory.
3.
Check the directory, and find that the files in the directory are copied to a specified directory.
Data Preparation
l
Names of the source file and destination file
Paths of the source file and destination file
Procedure
Step 1 Display information about the files in the current directory.
<Quidway> dir
Directory of cfcard:/
Idx
0
1
2
3
4
5
Issue 01 (2011-10-26)
Attr
-rw-rwdrw-rw-rw-rw-
Size(Byte)
2,210
198
4
4,309
0
Date
Mar 25
May 20
May 22
May 25
May 20
Apr 03
2009
2009
2009
2009
2009
2009
Time(LMT)
10:24:30
10:10:08
15:28:48
11:34:20
16:51:42
17:49:04
FileName
vrpcfg.zip
$_patchstate_a
logfile
snmpnotilog.txt
private-data.txt
stickymac.txt

88

6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
-rw-rw-rw-rw-rw-rw-rw-rw-rw-rw-rw-rw-rw-rw-rw-rw-rw-
140,708
198
22,064,779
10,405
2,449
5,344
11,077
9,893
10,021
10,605
13,717
1,481
0
16,981
3,249
12,885
1,664

Apr
Mar
Mar
Mar
Mar
Mar
Apr
Apr
Apr
Apr
Apr
Nov
Nov
Apr
May
Apr
Feb
03
30
11
31
19
25
02
02
02
02
02
27
28
02
20
03
20
2009
2009
2009
2009
2009
2009
2009
2009
2009
2009
2009
2008
2008
2009
2009
2009
2009
18:06:56
18:42:28
18:26:08
14:17:52
15:20:10
16:20:28
16:13:18
17:11:16
17:19:32
19:11:38
19:52:36
12:02:52
11:39:28
20:17:32
16:51:42
18:06:14
09:14:50
patchhistory
$_patchstate_a.backup
s9300v100r006c02b118.cc
bfd.pat
vrpcfg0319.zip
vrrp0320.zip
bfd_slave0402.pat
bfd_slave0402_1.pat
bfd_slave0402_2.pat
bfd_slave111.pat
bfd_slave112.pat
backupvrpcfg.zip
epon.zip
bfd_slave113.pat
vrpcfg0325.zip
bfd_slave22.pat
on1018399.dat
506,744 KB total (446,192 KB free)
Step 2 Copy the files from flash:/hostkey to cfcard:/hostkey.

<Quidway> copy flash:/hostkey cfcard:/hostkey
Copy flash:/hostkey to cfcard:/hostkey?[Y/N]:
y
100% complete\
Info: Copied file flash:/hostkey to cfcard:/hostkey...Done.
Step 3 Display information about the files in the current directory, and you can view that the files are
copied to the specified directory.
<Quidway> dir
Idx
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
Attr
-rw-rwdrw-rw-rw-rw-rw-rw-rw-rw-rw-rw-rw-rw-rw-rw-rw-rw-rw-rw-rw-rw-rw-rw-
Size(Byte)
2,210
198
4
4,309
0
140,708
198
22,064,779
10,405
2,449
5,344
11,077
9,893
10,021
10,605
13,717
1,481
0
16,981
3,249
12,885
1,664
684
Date
Mar 25
May 20
May 22
May 25
May 20
Apr 03
Apr 03
Mar 30
Mar 11
Mar 31
Mar 19
Mar 25
Apr 02
Apr 02
Apr 02
Apr 02
Apr 02
Nov 27
Nov 28
Apr 02
May 20
Apr 03
Feb 20
May 25
2009
2009
2009
2009
2009
2009
2009
2009
2009
2009
2009
2009
2009
2009
2009
2009
2009
2008
2008
2009
2009
2009
2009
2009
Time
10:24:30
10:10:08
15:28:48
11:34:20
16:51:42
17:49:04
18:06:56
18:42:28
18:26:08
14:17:52
15:20:10
16:20:28
16:13:18
17:11:16
17:19:32
19:11:38
19:52:36
12:02:52
11:39:28
20:17:32
16:51:42
18:06:14
09:14:50
17:53:38
FileName
vrpcfg.zip
$_patchstate_a
logfile
snmpnotilog.txt
private-data.txt
stickymac.txt
patchhistory
$_patchstate_a.backup
s9300v100r006c02b118.cc
bfd.pat
vrpcfg0319.zip
vrrp0320.zip
bfd_slave0402.pat
bfd_slave0402_1.pat
bfd_slave0402_2.pat
bfd_slave111.pat
bfd_slave112.pat
backupvrpcfg.zip
epon.zip
bfd_slave113.pat
vrpcfg0325.zip
bfd_slave22.pat
on1018399.dat
hostkey
506,744 KB total (445,508 KB free)
----End
Configuration Files
None.
Issue 01 (2011-10-26)

89

7 Management of Configuration Files
Management of Configuration Files
About This Chapter

This chapter describes current configurations, configuration files, detection of master/slave
configuration consistency, and configuration recovery.
7.1 Management of Configuration Files Introduction
The configuration file is the add-in configuration item when restarting the switch this time or
next time.
7.2 Managing Configuration Files
You can manage configuration files to ensure that the switch starts normally.
Issue 01 (2011-10-26)

90

7.1 Management of Configuration Files Introduction

next time.
7.1.1 Configuration Files

This part describes basic concepts of configuration files.
next time.
The configuration file is a text file in the following formats:
l
It is saved in the command format.
To save space, default parameters are not saved. For the default values of the configuration
parameters, see following sections.
Commands are organized on the basis of the command view. All commands of the identical
command view are grouped into a section. Every two command sections are separated by
one or several blank lines or comment lines (beginning with "#").
The sequence of command sections is global configuration, logic interface configuration,

physical interface configuration, routing protocol configuration and so on.
NOTE
l The system can run the command with the maximum length of 512 characters, including the command
in an incomplete form.
l If the configuration is in the incomplete form, the command is saved in complete form. Therefore, the
command length in the configuration file may exceed 512 characters. When the system restarts, these
commands cannot be restored.
7.1.2 Configuration Files and Current Configurations

The part describes basic concepts of configuration files and current configurations.
l
Initial configurations: On powering on, the switch retrieves the configuration files from a
default save path to initiate itself. If configuration files do not exist in the default save path,
the switch uses the default parameters.
Current configurations: indicates the effective configurations of the currently running

switch.
Users can modify the current configurations of the switch through the command line
interface. Use the save command to save the current configuration to the configuration file
of the default storage devices, and the current configuration becomes the initial
configuration of the switch when the switch is powered on next time.
7.2 Managing Configuration Files

You can manage configuration files to ensure that the switch starts normally.
Issue 01 (2011-10-26)

91


Before managing configuration files, familiarize yourself with the applicable environment,
In one of the following situations, you need to manage configuration files:
l
To start the switch normally, you need to select the correct S9300 system software and
configuration file for the switch to load.
After modifying current configurations, you need to save the modified contents.
You need to view the configuration of the switch.
Before managing configuration files, complete the following task:
l
Installing the switch and starting it properly
Data Preparation
To manage configuration files, you need the following data.
No.
Data
S9300 System software and its file name
Configuration file and its name
The number of the start line from which the comparison of the configuration files
begins
7.2.2 Configuring System Software for a switch to Load for the Next
Startup
To upgrade the system software of a switch, you can specify the S9300 system software to be
loaded for the next startup.
Context
Procedure
Step 1 Run:
startup system-software system-file [ slave-board ]
The S9300 system software for the switch to load next time when it starts is configured.
The filename extension of the system software must be .cc and must be stored in the root directory
of a storage device.
Issue 01 (2011-10-26)

92

You can specify the system-file and use the system software for the next startup that is saved on
the device.
slave-board is valid only on the switch with dual main control boards.
----End
7.2.3 Configuring the Configuration File for Switch to Load for the
Next Startup
Before restarting a switch, you can specify the configuration files that are loaded for the next
startup.
Context
Procedure
Step 1 Run:
startup saved-configuration configuration-file
Configuration file is saved for the switch to load next time on startup.
The filename extension of the configuration file must be .cfg or .zip, and must be stored in the
root directory of a storage device.
When the switch turns on, it initiates by reading the configuration file from the cfcard memory
by default. Thus, the configuration in this configuration file is called initial configuration. If no
configuration file is saved in the cfcard, the switch initiates with default parameters.
The effective configuration when a switch is working is called current configuration.
----End
7.2.4 Saving Configuration Files

You can save configuration files periodically or immediately.
Context
The system can save the configuration files periodically or in real time to prevent data loss when
the switch is powered off or accidentally restarted.
Run one of the following commands to save configuration files.
Procedure
l
Run:
1.
system-view

2.
set save-configuration [ interval interval | cpu-limit cpu-usage | delay

delay-interval ] *
The configuration file is saved at intervals.

Issue 01 (2011-10-26)

93

After the parameter interval interval is specified, the device saves the configuration
file at specified intervals regardless of whether the configuration file is changed.
If the set save-configuration command is not run, the system does not
automatically save configurations.
If the set save-configuration command without specified interval is run, the
system automatically saves configurations at 30-minute intervals.
When you configure the automatic saving function, to prevent that function from
affecting system performance, you can set the upper limit of the CPU usage for the
system during automatic saving. When automatic saving is triggered by the expiry of
the timer, the CPU usage is checked. If the CPU usage is higher than the set upper
limit, automatic saving will be canceled.
After delay delay-interval is specified, if the configuration is changed, the device
automatically saves the configuration after the specified delay.
After automatic saving of configurations is configured, the system automatically saves
the changed configurations to the configuration file for the next startup and
configuration files are changed accordingly with the saved configurations.
Before configuring the automatic configure file saving on the server, you need to run
the set save-configuration backup-to-server server server-ip [ transport-type
{ ftp | sftp } ] user user-name password password [ path folder ] or set saveconfiguration backup-to-server server server-ip transport-type tftp [ path
folder ] command to configure the server, including the IP address, user name,
password of the server, destination path, and mode of transporting the configuration
file to the server.
NOTE
If configuration files transmitted in TFTP mode are saved, the tftp client-source command
can be run to configure the address of a loopback interface of the switch as a source address of
a client to ensure security.
WARNING
When the automatic saving function is enabled and the LPU is not properly installed,
corresponding configurations may be lost.
l
Run:
save [ all ] [ configuration-file ]
The current configurations are saved.

The filename extension of the configuration file must be .cfg or .zip. The system startup
configuration file must be saved in the root directory of a storage device.
The user can modify the current configuration through the command line interface. To set
the current configuration as initial configuration when the switch starts next time, you can
use the save command to save the current configuration in the cfcard memory.
You can use the save all command to save all the current configurations, including the
configurations of the boards that are not inserted, to the default directory.
----End
Issue 01 (2011-10-26)

94

7.2.5 Clearing a Configuration File

You can clear the configuration file that has been loaded to a device, or clear the inactive
configurations of the boards that are not installed in slots.
Context
The configuration file stored in cfcard memory needs to be cleared in the following cases:
l
The system software does not match the configuration file after the switch has been
upgraded.
The configuration file is destroyed or an incorrect configuration file has been loaded.
Clear the currently loaded configuration file.
Procedure
Run the reset saved-configuration command to clear the currently loaded configuration
file.
If the configuration file of the switch used for the current startup is the same as that used
for the next startup, running the reset saved-configuration command will clear both
the configuration files. The switch will uses the default configuration file for the next
startup.
If the configuration file of the switch used for the current startup is different from that
used at the next startup, running the reset saved-configuration command will clear the
configuration file used for the current startup.
If the configuration file of the switch used for the current startup is empty, the system
will prompt you that the configuration file does not exist after you run the reset savedconfiguration command.
If you do not run the startup saved-configuration configuration-file command to specify
a new correct configuration file, or do not run the save command to save the configuration
file after the configuration file is cleared, the switch will use the default configuration file
at the next startup.
l
Clear the inactive configurations of the boards that are not installed in slots.
1.
Run the system-view command to enter the system view.
2.
Run the clear inactive-configuration slot command to clear the inactive

configurations of the boards that are not installed in slots.
----End
7.2.6 Comparing Configuration Files

You can compare the current configuration with the initial configuration.
Context
Procedure
Step 1 Run:
Issue 01 (2011-10-26)

95

compare configuration [ configuration-file ] [ current-line-number save-linenumber ]
The current configuration is compared with the configuration file for next startup.
If no parameter is set, the comparison begins with the first lines of configuration files. currentline-number and save-line-number are used to continue the comparison by ignoring the
differences between the configuration files.
When comparing differences between the configuration files, the system displays the contents
of the current configuration file and saved configuration file from the first different line. By
default, 150 characters are displayed for each configuration file. If the number of characters from
the first different line to the end is less than 150, the contents after the first different line are all
displayed.
In comparing the current configurations with the configuration file for next startup, if the
configuration file for next startup is unavailable or its contents are null, the system prompts that
reading files fails.
----End

After managing configuration files has been configured, you can view the current configuration
files, configuration files to be loaded at the next startup, files for the device startup, and files
saved in the storage device.
Prerequisite
The configuration of managing configuration files are complete.
Procedure
l
Run the display current-configuration [ configuration [ configuration-type

[ configuration-instance ] ] | controller | interface [ interface-type [ interface-number ] ] ]
[ feature feature-name [ filter filter-expression ] | filter filter-expression ] or display
current-configuration [ all | inactive ] command to view the current configuration files.
Run the display saved-configuration [ last | time | configuration ] command to view

configuration files to be loaded at the next startup.
Run the display startup command to view files for the device startup.
Run the dir [ /all ] [ filename ] command to view files saved in the storage device.
Run the display default-parameter servicename command to view default configurations

in the system.
----End
Example
After the configurations succeed, run the preceding commands, and you can find the following
results:
l
The current configuration of the switch is correct without any redundant configuration.
The current configuration of the switch is saved in the storage device.
Issue 01 (2011-10-26)

96

Issue 01 (2011-10-26)
The S9300 system software and configuration file to be loaded at the next startup are correct
and saved in the root directory of the storage device.

97

8 FTP and TFTP
FTP and TFTP
About This Chapter

This chapter describes the fundamentals, configuration procedures and configuration examples
of FTP and TFTP.
8.1 FTP and TFTP Introduction
This section describes the basic concepts of FTP and TFTP.
8.2 Configuring the Switch to be the FTP Server
After a switch is configured with basic functions of the FTP server, you can run the FTP client
application to log in to the switch, and then access files on the switch.
8.3 Configuring FTP ACL
You can configure the FTP ACL on a switch to allow only specified users to log in to the
switch.
8.4 Configuring the Switch to Be the FTP Client
You can configure a switch to be an FTP client and then log in to the FTP server.
8.5 Configuring the Switch to Be the TFTP Client
8.6 Limiting the Access to the TFTP Server
You can configure the maximum number of TFTP servers that a TFTP client can access to
determine which TFTP servers the TFTP client can log in to.
This section provides several configuration examples for FTP and TFTP together with the
configuration flowchart. The configuration examples explain networking requirements,
configuration notes, and configuration roadmap.
Issue 01 (2011-10-26)

98

8 FTP and TFTP
8.1 FTP and TFTP Introduction

This section describes the basic concepts of FTP and TFTP.
8.1.1 FTP
You can transfer files between local and remote hosts through FTP. FTP is commonly used in
version upgrade, log downloading, file transfer, and configuration saving.
File Transfer Protocol (FTP) is an application layer protocol in the TCP/IP protocol suite. It
implements file transfer between local and remote hosts based on related file systems. The FTP
protocol is implemented based on corresponding file system.
The switch provides the following FTP services:
l
FTP server service. Users can run the FTP client program to log in to the switch and access
the files on the switch.
FTP client service. Users can establish a connection with the switch by running a terminal
emulation program or a Telnet program on a PC. Enter an FTP command to connect with
the remote FTP server and access the files on the remote host.
8.1.2 TFTP
TFTP does not have a complex interactive access interface and authentication control. TFTP is
applicable when there is no complex interaction between the client and server.
The Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol.
Compared with FTP, TFTP does not have a complex interactive access interface and
authentication control. TFTP is applicable in an environment where there is no complex
interaction between the client and the server. For example, TFTP is used to obtain the memory
image of the system when the system starts up.
TFTP is implemented based on the User Datagram Protocol (UDP).
The client initiates the TFTP transfer. To download files, the client sends a read request packet
to the TFTP server, receives packets from the server, and sends acknowledgement to the server.
To upload files, the client sends a write request packet to the TFTP server, sends packets to the
server, and receives acknowledgement from the server.
TFTP transfers the files in two formats:
l
The binary format: transfers program files.
The ASCII format: transfers text files.
At present, the S9300 serves only as the TFTP client and transfers files in the binary format.
8.2 Configuring the Switch to be the FTP Server

After a switch is configured with basic functions of the FTP server, you can run the FTP client
application to log in to the switch, and then access files on the switch.
Issue 01 (2011-10-26)

99

8 FTP and TFTP

Before configuring a switch to be the FTP server, familiarize yourself with the applicable
When the switch serves as the FTP server, after the client logs in to the switch through FTP, the
user can transfer files between the client and the server.
Before configuring the switch as the FTP server, complete the following tasks:
l
Connecting the FTP client to the server
Data Preparation
To configure the switch as the FTP server, you need the following data.
NOTE
For FTP secure server connection, perform step 2.
No.
Data
(Optional) Listening port number specified on the FTP server
Configuring FTP Server Certificate-key and Chain-key
Enabling FTP Server
(Optional) Source IP address or source interface of the FTP server
(Optional) Timeout period of the disconnection from the FTP server
FTP username and password
File directory authorized to the FTP user
8.2.2 (Optional) Specifying a Port Number for the FTP Server

You can configure or change the monitoring port number of the FTP server. After the port
number is changed, only the user knows the current port number, which guarantees the security.
Context
If the FTP is not enabled, change the FTP port as required.
If the FTP service is enabled, run the undo ftp server command to disable the FTP service, and
then change the FTP port.
Issue 01 (2011-10-26)

100

8 FTP and TFTP
Procedure
Step 1 Run:
system-view

Step 2 Run:
ftp [ ipv6 ] server port port-number
The port number of the FTP server is configured.

If a new number of a monitored port is configured, the FTP server interrupts all the FTP
connections and monitors the port of the new number. By default, the number of the port
monitored by the FTP server is 21.
----End
8.2.3 Enabling the FTP Server

This section describes how to enable FTP server.
Procedure
Step 1 Run:
system-view

Step 2 Run:
ftp [ ipv6 ] server enable
The FTP server is enabled.

NOTE
When the file operation between clients and the switch ends, run the undo ftp [ ipv6 ] server command
to disable the FTP server function. This ensures the security of the switch.
----End
8.2.4 Configuring the Source IP Address of the FTP Server

The source address of the FTP server can be specified to allow only authorized users to access
the FTP server. This ensures security.
Context
Do as follows on the switch that functions as an FTP server:
Procedure
Step 1 Run:
system-view

Step 2 Run:
Issue 01 (2011-10-26)

101

8 FTP and TFTP
ftp server-source -a source-ip-address
The source IP address of an FTP server is configured.

After the source address is configured, the address specified in the ftp command for login to the
FTP server must be the configured source address. Otherwise, the login fails.
----End
8.2.5 (Optional) Configuring the Timeout Period

This section describes how to configure the timeout period of the FTP server.
Context
If the client is idle for the configured time, the connection is removed from the FTP server.
By default, the timeout value is 10 minutes.
Procedure
Step 1 Run:
system-view

Step 2 Run:
ftp timeout minutes
The timeout period of the FTP server is configured.

----End
8.2.6 Configuring the Local Username and the Password

You can configure the authentication information for FTP users, which prevents unauthorized
users from performing operations on the device and thus guarantees the security.
Context
Do as follows on the switch that serves as the FTP server:
Procedure
Step 1 Run:
system-view

Step 2 Run:
aaa

Step 3 Run:
Issue 01 (2011-10-26)

102

8 FTP and TFTP
The local username and the password are configured.

----End
8.2.7 Configuring the Service Type and Authorization Information

You can configure the authorization mode and authorization directory for FTP users. In this
case, unauthorized users cannot access the restricted directory, which guarantees the security.
Context
Procedure
Step 1 Run:
system-view

set default ftp-directory directory
The default FTP working directory is configured.

Step 3 Run:
aaa

Step 4 Run:
local-user user-name service-type ftp
The FTP service type is configured.

Step 5 Run:
local-user user-name ftp-directory directory
The authorization directory about the FTP user is configured.

----End

After configuring a switch to be the FTP server, you can view the configuration and status of
the FTP server as well as information about login FTP users.
Prerequisite
The configuration of the Switch to be the FTP Server are complete.
Procedure
l
Run the display [ ipv6 ] ftp-server the configuration and running information about the
FTP server.
Run the display ftp-users command to check the login FTP user.
----End
Issue 01 (2011-10-26)

103

8 FTP and TFTP
Example
After configuring the FTP server, run the display [ ipv6 ] ftp-server command. You can view
that the parameters of the current FTP server.
<Quidway> display ftp-server
FTP server is running
Max user number
User count
Timeout value(in minute)
Listening Port
Acl number
FTP server's source address
5
0
30
1080
0
1.1.1.1
Run the display ftp-users command to view the user name, port number, authorization directory
of the FTP user configured presently.
<Quidway> display ftp-users
username host
zll
100.2.150.226
port
1383
idle
3
topdir
cfcard:
8.3 Configuring FTP ACL

You can configure the FTP ACL on a switch to allow only specified users to log in to the
switch.

Before configuring the FTP ACL, familiarize yourself with the applicable environment,
When the switch serves as the FTP server, for security, you can configure the switch by the
access control list (ACL) to be accessed by only those clients that meet the matching conditions.
Before configuring the FTP ACL, complete the following tasks:
l
Connecting the FTP client with the server
Data Preparation
To configure the FTP ACL, you need the following data.
Issue 01 (2011-10-26)
No.
Data
ACL number

104

8 FTP and TFTP
8.3.2 Enabling the FTP Server

The FTP server is disabled by default. You need to enable the FTP server before using FTP
functions.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
ftp [ ipv6 ] server enable
The FTP server is started.

----End
8.3.3 Configuring a Basic ACL

You can configure a basic ACL and define rules by specifying the source IP address.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
acl acl-number
The ACL view is displayed.

Step 3 Run:
rule [ rule-id ] { deny | permit } [ fragment | logging | source { source-address
source-wildcard | any } | time-range time-name ] *
The ACL rule is configured.

NOTE
FTP supports only the basic ACL.
----End
8.3.4 Configuring the Basic FTP ACL

You can configure the basic FTP ACL.
Issue 01 (2011-10-26)

105

8 FTP and TFTP
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
ftp [ ipv6 ] acl acl-number
The basic FTP ACL is configured.

----End

After configuring the FTP ACL, you can view the configuration and status of the FTP server as
well as information about login FTP users.
Prerequisite
The configuration of FTP ACL are complete.
Procedure
l
Run the display ftp-server [ ] command to check the configuration and status of the FTP
server.
----End
Example
After configuring an FTP server, you can run the display ftp-server command and view that
the ACL number allocated for the FTP server is 2345.
FTP server is running
Max user number
User count
Listening Port
Acl number
SSL security status
5
0
30
1080
2345
1.1.1.1
Disabled
8.4 Configuring the Switch to Be the FTP Client

Issue 01 (2011-10-26)

106

8 FTP and TFTP

Before configuring a switch to be an FTP client, familiarize yourself with the applicable
When a switch serves as an FTP client, you can log in to the FTP server through the switch and
then transmit files or manage server directory.
Before configuring the switch as an FTP client, complete the following tasks:
l
Connecting the FTP client to the server
Data Preparation
To configure the switch as an FTP client, you need the following data.
NOTE
For FTP secure server connection, perform step 2, 3 and 4.
Issue 01 (2011-10-26)
No.
Data
(Optional) Source IP address or source interface of the device functioning as an FTP

client
Configuring FTP Client Trusted-CA
(Optional) Configuring FTP Client CRL
(Optional) Configuring FTP Client Set Verify Depth
Logging into the FTP Server
Host name or IP address of the FTP server
Port number of connecting FTP
FTP protocol command
Local file name and file name on the remote FTP server
10
Working directory name of the remote FTP server, local working directory of the
FTP client, or directory name of the remote FTP server
11
Login username and password

107

8 FTP and TFTP
8.4.2 (Optional) Configuring Source IP Address and Interface of the

FTP Client
This section describes how to configure the source IP address and interface of FTP client to
establish the connection with FTP server.
Prerequisite
The interface configuration is possible, only if the system has a loopback interface.
Procedure
Step 1 Run:
system-view

Step 2 Run:
ftp client-source { -a ip-address }
The source IP address of the FTP client is configured.

or
ftp client-source { -i interface-type interface-number }
The loopback addresses of the FTP client is configured.

NOTE
Then, run the display ftp-client command on the switch to view the current configuration of the FTP client.
----End
8.4.3 Logging In to the FTP Server

You can log in to the FTP server in the user view or the FTP view.
Context
Do as follows on the switch that serves as the client:
Procedure
Step 1 Run the following commands according to types of the server IP address.
l If the IP address of the server is an IPv4 address, do as follows:
In the user view, establish a connection to the FTP server.
Run:
ftp [ [ -a source-ip-address | -i interface-type interface-number ] host
[ port-number ] [ public-net | vpn-instance vpn-instace-name ]
The switch is connected to the FTP server.

In the FTP view, establish a connection to the FTP server.
1.
Run:
ftp
Issue 01 (2011-10-26)

108

8 FTP and TFTP
The FTP view is displayed.

2.
Run:
open [-a source-ip-address | -i interface-type interface-number ] host
[ port-number ] [ vpn-instance vpn-instance-name ]

NOTE
Before logging in to the FTP server, you can run the set net-manager vpn-instance
command to configure a default VPN instance. After that, the default VPN instance is used
in the FTP operation.
l If the IP address of the server is an IPv6 address, do as follows:

In the user view, establish a connection to the FTP server.
Run:
ftp ipv6 host [ port-number ]

In the FTP view, establish a connection to the FTP server.
1.
Run:
ftp
The FTP view is displayed.

2.
Run:
open ipv6 host [ port-number ]

----End
8.4.4 Configuring Data Type and Transmission Mode for the File
This section describes how to configure the data type and transmission mode for the file.
Context
Procedure
Step 1 Run:
ascii | binary
The data type of the file to be transmitted is ascii or binary mode.

NOTE
FTP server supports ascii mode for data transmission. But in Quidway S9300, user has to switch to binary mode
for data transfer.
Step 2 Run:
passive
The passive file transfer mode is configured.

Step 3 Run:
verbose
The verbose mode for FTP is enabled.

Issue 01 (2011-10-26)

109

8 FTP and TFTP
When verbose is enabled, all FTP responses are displayed. After file transmission, the statistics
about transmission efficiency will be displayed.
----End
8.4.5 (Optional) Viewing Online Help of the FTP Command

This section describes how to view the online help of the FTP command.
Context
This configuration provides help information for protocol commands.
Procedure
Step 1 Run:
remotehelp command
The online help of the FTP command is displayed.

----End
8.4.6 Uploading or Downloading Files

You can upload local files to a remote FTP server, download files of the FTP server, and save
the files on the local device.
Context
Procedure
Step 1 Upload or download files.
l Run:
put local-filename [ remote-filename ]
The local file is uploaded to the remote FTP server.

l Run:
get remote-filename [ local-filename ]
The FTP file is downloaded from the FTP server and saved to the local file.
----End
8.4.7 Managing Directories

You can perform management operations, such as creating and deleting directories, on the FTP
server.
Context
Issue 01 (2011-10-26)

110

8 FTP and TFTP
Procedure
Step 1 Run one or more commands in the following order to manage directories.
l Run:
cd pathname
The working path of the remote FTP server is specified.

l Run:
cdup
The working path of the FTP server is switched to the upper-level directory.
l Run:
pwd
The specified directory of the FTP server is displayed.

l Run:
lcd [ local-directory ]
The directory of the FTP client is displayed or changed.

l Run:
mkdir remote-directory
A directory is created on the FTP server.

l Run:
rmdir remote-directory
A directory is removed from the FTP server.

NOTE
l The directory to be created can comprise letters and digits, but not special characters such as <,
>, ?, \ and :.
l When running the mkdir /abc command, you create a sub-directory named "abc".
----End
8.4.8 Managing Files

You can view a specified directory or file on the remote FTP server or delete a specified file
from the FTP server.
Context
Procedure
Step 1 Run one or more commands in the following to manage directories.
l Run:
ls [ remote-filename ] [ local-filename ]
The specified directory or file on the remote FTP server is displayed.

If the directory name is not specified when a specific remote file is selected, the system
searches the working directory for the specific file.
l Run:
dir [ remote-filename ] [ local-filename ]
Issue 01 (2011-10-26)

111

8 FTP and TFTP
The specified directory or file on the local FTP server is displayed.

l Run:
delete remote-filename
The specified file on the FTP server is deleted.

When local-filename is set, related information about the file can be downloaded locally.
----End
8.4.9 (Optional) Changing Login Users

This section describes how to change the username and password for remote login.
Prerequisite
This configuration must be performed in FTP view.
Context
The username and password are of string data type. The string length for username must be in
the range of 1 to 85 case-insensitive characters and password must be in the range of 1 to 16
case-insensitive characters.
Procedure
Step 1 Run:
user username [ password ]
The current login user is changed and the user logs in again.
----End
8.4.10 Disconnecting from the FTP Server

This section describes how the client switch disconnects from FTP server.
Prerequisite
The configurations must be performed in the FTP view.
Procedure
Step 1 Run:
bye
or
quit
The client switch is disconnected from the FTP server.

Issue 01 (2011-10-26)

112

8 FTP and TFTP
Return to the user view.

Step 2 Run:
close
or
disconnect
The client switch is disconnected from the FTP server.

This command terminates the FTP session.
----End

This section describes how to check the FTP client configuration.
Prerequisite
The FTP client must be configured before running the below mentioned command. Otherwise
the system does not display any data.
Procedure
l
Run the display ftp-client command to check the configuration status of FTP client.
----End
Example
l
Run the display ftp-client command to view the source parameters of the FTP client.
<Quidway> display ftp-client
The source address of FTP client is 1.1.1.1.
8.5 Configuring the Switch to Be the TFTP Client


Before configuring TFTP, familiarize yourself with the applicable environment, complete the
pre-configuration tasks, and obtain the required data. This can help you complete the
You can transfer files through TFTP between the server and the client in a simple interaction
environment.
Before configuring TFTP, complete the following tasks:
Issue 01 (2011-10-26)

113

Connecting the TFTP client with the server
8 FTP and TFTP
Data Preparation
To configure TFTP, you need the following data.
No.
Data
IP address of the TFTP server
Name of the specific file in the TFTP server
File directory
8.5.2 (Optional) Configuring a Source IP Address for a TFTP Client

You can configure a source IP address for a TFTP client. Then, you can set up a TFTP connection
from the TFTP client to the server through a specific route by using this source IP address.
Context
Do as follows on a switch that functions as a TFTP client.
Procedure
Step 1 Run:
system-view

Step 2 Run:
tftp client-source { -a source-ip-address | -i interface-type interface-number }
A source IP address of a TFTP client is configured.

After the configuration, the source IP address of the TFTP client displayed on the TFTP server
must be the same as the configured one.
----End
8.5.3 Downloading Files Through TFTP

You can download files from the TFTP server to the TFTP client.
Context
Do as follows on the switch that serves as the TFTP client:
Procedure
Step 1 Run the following commands according to the type of the server IP addresses.
Issue 01 (2011-10-26)

114

8 FTP and TFTP
l The IP address of the server is IPv4 address, run:

tftp [ -a source-ip-address | -i interface-type interface-number ] tftp-server
[ public-net | vpn-instance vpn-instance-name ] get source-filename
[ destination-filename ]
The switch is configured to download files through TFTP.

tftp ipv6 [ -a source-ip-address ] tftp-server-ipv6 [ -i interface-type
interface-number ] get source-filename [ destination-filename ]
The switch is configured to download files through TFTP.

----End
8.5.4 Uploading Files Through TFTP

You can upload files from the TFTP client to the TFTP server.
Context
Procedure
Step 1 Run the following commands according to the type of the server IP addresses.
tftp [ -a source-ip-address | -i interface-type interface-number ] tftp-server
[ public-net | vpn-instance vpn-instance-name ] put source-filename
[ destination-filename ]
The switch is configured to upload files through TFTP.

tftp ipv6 [ -a source-ip-address ] tftp-server-ipv6 [ -i interface-type
interface-number ] put source-filename [ destination-filename ]
The switch is configured to upload files through TFTP.

----End
8.6 Limiting the Access to the TFTP Server

You can configure the maximum number of TFTP servers that a TFTP client can access to
determine which TFTP servers the TFTP client can log in to.

Before configuring a limit to access TFTP servers, familiarize yourself with the applicable
When the switch serves as the TFTP client, you can configure the ACL on the switch. After the
configuration, you can control the TFTP server to which the device can log in through TFTP.
Issue 01 (2011-10-26)

115

8 FTP and TFTP
Before configuring a limit to access the TFTP server, complete the following tasks:
l
Connecting the TFTP client to the server
Data Preparation
To configure a limit to access to the TFTP server, you need the following data.
No.
Data
Source IP address of the TFTP client
IP address of the TFTP server
ACL number
8.6.2 Configuring the Basic ACL

You can configure ACL rules.
Context
NOTE
TFTP supports only the basic ACL.
Procedure
Step 1 Run:
system-view

Step 2 Run:
acl acl-number
The ACL view is displayed.

Step 3 Run:
rule [ rule-id ] { deny | permit } [ fragment | logging | source { source-address
source-wildcard | any } | time-range time-name ] *
The ACL rule is configured.

----End
8.6.3 Configuring the Basic TFTP ACL

You can configure the basic TFTP ACL.
Issue 01 (2011-10-26)

116

8 FTP and TFTP
Context
Procedure
Step 1 Run:
system-view

Step 2 According to the address type of the TFTP server, select and run one of the following two
commands.
l For IPv4 addresses,
Run the tftp-server acl acl-number command. You can use the ACL to limit the access to
the TFTP server.
Run the tftp-server ipv6 acl acl6-number command. You can use the ACL to limit the access
to the TFTP server.
----End

This section provides several configuration examples for FTP and TFTP together with the
configuration flowchart. The configuration examples explain networking requirements,
configuration notes, and configuration roadmap.
8.7.1 Example for Configuring the FTP Server

In this example, a PC connected to a switch logs in to the FTP server by entering the correct
user name and password through FTP, and then downloads files to the memory of the switch.
As shown in Figure 8-1, the local PC functions as the FTP client of which the IP address is
10.1.1.1/24.
The Switch acts as the FTP server. VLAN 10 is created on the Switch and
GigabitEthernet3/0/1 is added to VLAN 10. The IP address 10.1.1.2/24 is assigned to VLANIF
10.
The PC uploads files to the Switch.
Issue 01 (2011-10-26)

117

8 FTP and TFTP
Figure 8-1 Networking diagram of the Switch functioning as the FTP server
VLAN10
FTP Client FTP Session
PC
Ethernet
FTP Server
L2 Switch
Ethernet
Switch
Switch
Interface
VLANIF interface
IP address
FTP Server
GigabitEthernet3/0/1
VLANIF 10
10.1.1.2/24
1.
Set the correct FTP user name and password on the Switch that functions as the FTP server.
2.
Log in to the Switch through FTP from the PC.
3.
Upload files to the FTP server.
Data Preparation
l
IP address of the FTP server
Name of the FTP user set as u1 and the password set as ftppwd on the server
Correct path of the source file on the PC
Name of the destination file and position where the destination files are located on the
Switch
Procedure
Step 1 Create VLAN 10 on the Switch and assign the IP address 10.1.1.2/24 to VLANIF 10.
[Quidway] vlan 10
[Quidway-GigabitEthernet3/0/1] port hybrid untagged vlan 10
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.1.1.2 24
Step 2 Start the FTP server on the Switch, and set the FTP user name to u1 and password to ftpwd.
[Quidway] ftp
[Quidway] aaa
[Quidway-aaa]
[Quidway-aaa]
[Quidway-aaa]
[Quidway-aaa]
Issue 01 (2011-10-26)
server enable
local-user u1 password simple ftppwd
local-user u1 service-type ftp
local-user u1 ftp-directory cfcard:/
return

118

8 FTP and TFTP
Step 3 On the PC, initiate a connection to the Switch with the user name u1 and the password
ftppwd.
Use Windows XP on the FTP client to illustrate the preceding operations.
C:\WINDOWS\Desktop> ftp 10.1.1.2
Connected to 10.1.1.2.
220 FTP service ready.
User (10.1.1.1:(none)): u1
331 Password required for u1
Password:
230 User logged in.
ftp>
Step 4 Set the mode of transferring files to binary and the local directory on the PC.
ftp> binary
200 Type set to I.
ftp> lcd c:\temp
Local directory now C:\temp.
Step 5 Upload d006.cc and vrpcfg.cfg to the Switch on the PC.

ftp> put d006.cc d006.cc
200 Port command okay.
150 Opening BINARY mode data connection for d006.cc.
ftp> put vrpcfg.cfg vrpcfg.cfg
150 Opening BINARY mode data connection for vrpcfg.cfg.
ftp> quit
C:\WINDOWS\Desktop>
----End
Configuration Files
#
sysname Quidway
#
FTP server enable
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet3/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
aaa
local-user u1 password simple ftppwd
#
Return
8.7.2 Example for Configuring an ACL of the FTP Server

In this example, an ACL is configured to allow only a certain host to log in to the FTP server.
As shown in Figure 8-2, the IP address of the FTP server is 172.16.104.110/24.
The routes between PC1, PC2, and FTP server are reachable. On the S9300 that functions as the
FTP server, it is required that the FTP server should permit only PC1 with the IP address as
Issue 01 (2011-10-26)

119

8 FTP and TFTP
172.16.104.111 to download and upload files through FTP, and PC2 should not connect to the
FTP server after the ACL is configured.
Figure 8-2 Networking diagram for configuring an ACL of the FTP server
FTP Server
172.16.104.110/24
172.16.104.111/24
172.16.105.111/24
PC1
PC2
1.
Perform basic configurations on the FTP server.
2.
Configure the ACL on the FTP server.
Data Preparation
l
Name of the FTP user set as u1 and password set as huawei on the server
Number of the ACL
Procedure
Step 1 Configure basic FTP functions.
For details, see 8.7.1 Example for Configuring the FTP Server.
Step 2 Configure an ACL.
[Quidway] acl number 2001
[Quidway-acl-basic-2001] rule permit source 172.16.104.111 0.0.0.0
[Quidway-acl-basic-2001] quit
Step 3 Configure the ACL supported by the FTP server.

[Quidway] ftp acl 2001
Step 4 Connect PC1 to the FTP server.

This step needs to be performed on the DOS of the PC.
c:\ ftp 172.16.104.110
Connected to 172.16.104.110.
User (100.2.150.40:(none)):u1
Issue 01 (2011-10-26)

120

8 FTP and TFTP
331 Password required for u1

Password:
230 User logged in.
ftp>
Step 5 Connect PC2 to the FTP server.

This step needs to be performed on the DOS of the PC.
c:\ ftp 172.16.104.110
Connected to 172.16.104.110.
Info:Connection was denied by remote host according to ACL!
Connection closed by remote host.
----End
Configuration Files
Configuration file of the FTP server
#
sysname Quidway
#
FTP server enable
FTP acl 2001
#
acl number 2001
rule 5 permit source 172.16.104.111 0
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
#
aaa
domain default
local-user u1 password simple huawei
#
return
8.7.3 Example for Configuring the FTP Client

In this example, a switch is configured to be an FTP client. Then, the switch logs in to the FTP
server and downloads system software and configuration software.
As shown in Figure 8-3, the remote server at 10.1.1.2 serves as the FTP server. The Switch and
the FTP server are directly connected and on the same network segment. The Switch has a
reachable route to the FTP server.
The Switch acts as the FTP client. Interfaces ranging from GigabitEthernet3/0/1 to
GigabitEthernet3/0/4 can be used to set up FTP connections and they share the IP address
10.1.1.1.
The Switch downloads files from the FTP server.
Issue 01 (2011-10-26)

121

8 FTP and TFTP
Figure 8-3 Networking diagram of the Switch functioning as the FTP client
FTP session
PC
configuration
cable
FTP Client
FTP Server
1.
Log in to the FTP server from the FTP client.
2.
Download files from the server to the storage device of the client.
Data Preparation
l
Name of the destination file and position where the destination files are located on the
Switch
Name of the FTP user set as u1 and the password set as ftppwd on the client
Procedure
Step 1 Enable FTP on the remote FTP server. Add an FTP user named u1 and set the password to
ftppwd.
Step 2 Create VLAN 10 on the Switch and assign the IP address 10.1.1.1 to VLANIF10.
[Quidway] vlan 10
[Quidway-GigabitEthernet3/0/1] port hybrid
pvid vlan 10
untagged vlan 10
pvid vlan 10
untagged vlan 10
pvid vlan 10
untagged vlan 10
pvid vlan 10
untagged vlan 10
Step 3 On the Switch, initiate a connection to the FTP server with the user name tpuser and the password
ftppwd.
<Quidway>
Issue 01 (2011-10-26)
ftp
10.1.1.2

122

8 FTP and TFTP
Trying 10.1.1.2 ...

Press CTRL+K to abort
User(10.1.1.2:(none)):u1
331 Password required for u1.
Enter password:
230 User logged in.
[ftp]
Step 4 On the Switch, set the mode of transferring files to binary and the flash directory.
[ftp] binary
200 Type set to I.
[ftp] lcd flash:/
The current local directory is flash:.
Step 5 Download the vrpcfg.cfg file from the remote FTP server on the Switch.
[ftp] get vrpcfg.cfg vrpcfg.cfg
150 Opening BINARY mode data connection for vrpcfg.cfg.
226 Transfer complete.
FTP: 9124 byte(s) received in 3.100 second(s) 2.94Kbyte(s)/sec.
[ftp] quit
<Quidway>
----End
Configuration Files
#
sysname Quidway
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.3 255.255.255.0
#
#
#
#
#
return
8.7.4 Example for Configuring the TFTP Client

In this example, the TFTP application is run on the TFTP server and the location of the source
file on the server is set. After that, you can upload and download files.
As shown in Figure 8-4, the Switch cannot function as the TFTP server. The remote server at
10.1.1.2 functions as the TFTP server.
Issue 01 (2011-10-26)

123

8 FTP and TFTP
The Switch acts as a TFTP client. VLAN 10 is created on the Switch, and
GigabitEthernet3/0/1 is added to VLAN 10. The IP address 10.1.1.1/24 is assigned to VLANIF
10.
The Switch downloads files from the TFTP server.
Figure 8-4 Networking diagram for configuring TFTP
TFTP session
PC
configuration
cable
TFTP Client
TFTP Server
1.
Run the TFTP software on the TFTP server and set the position where the source file is
located on the Switch.
2.
Download files through TFTP commands on the Switch.
Data Preparation
l
TFTP software installed on the TFTP server
Path of the source file on the TFTP server
Name of the destination file and position where the destination file is located on the Switch
Procedure
Step 1 Enable TFTP on the remote server to ensure that the TFTP application software is started.
Step 2 Create VLAN 10 on the Switch and assign the IP address 10.1.1.1/24 to VLANIF 10.
[Quidway] vlan 10
Step 3 On the Switch, initiate a connection to the TFTP server and download the 8031.cc file.
<Quidway> tftp 10.1.1.2 get 8031.cc 8031new.cc
Info: Transfer file in binary mode.
Downloading the file from the remote tftp server, please wait...
----End
Issue 01 (2011-10-26)

124

8 FTP and TFTP
Configuration Files
#
sysname Quidway
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
#
Return
Issue 01 (2011-10-26)

125

9 Telnet and SSH
Telnet and SSH
About This Chapter

Telnet and SSH can provide a terminal which enables users to remotely log in to and access a
server.
9.1 Telnet and SSH Introduction
This section explains basic concepts of user login by means of Telnet and SSH.
9.2 Configuring Telnet Terminal Services
This section explains how to log in to a switch by means of Telnet and configure the switch.
9.3 Configuring SSH Users
SSH users must be configured to ensure that STelnet or SFTP clients are able to log in to SSH
servers.
9.4 Configuring the SSH Server Function
This section describes how to configure the SSH server. STelnet or SFTP must first be enabled
on the SSH server.
9.5 Configuring the STelnet Client Function
This section describes how to configure the STelnet client. A secure connection between the
client and server can be established through negotiation, and the client will be able to log in to
the server similarly to using Telnet services.
9.6 Configuring the SFTP Client Function
This section explains how to configure the SFTP client. The authentication and bidirectional
data encryption of the SFTP client can be manually configured, which will ensure secure file
transmission on the network.
9.7 Configuring the SCP Client
This section describes how to configure the SCP client. The SCP client sets up a secure
connection with the SCP server so that the client can upload files to the server or download files
from the server.
This section provides configuration examples for Telnet and SSH along with a configuration
flowchart. The configuration examples explain networking requirements, configuration notes,
and configuration roadmap.
Issue 01 (2011-10-26)

126

9 Telnet and SSH
9.1 Telnet and SSH Introduction

This section explains basic concepts of user login by means of Telnet and SSH.
9.1.1 Overview of User Login

You can locally or remotely log in to a switch through the console port, Telnet, or SSH.
To configure, monitor, and maintain the local or remote S9300, you need to configure the user
interface, the user management, and the terminal service.
The user interface provides a login plane. The user management guarantees the login security
and the terminal service provides related processes of login protocol.
The S9300 supports the following login methods:
l
Login through the console port
Local or remote login through Telnet or SSH
9.1.2 Telnet Terminal Services

The S9300 provides Telnet services including Telnet server and Telnet client.
Telnet Services
Telnet is an application layer protocol in the TCP/IP protocol suite. It provides remote login and
a virtual terminal service through the network.
The S9300 provides the following Telnet services:
l
Telnet server: You can run the Telnet client program on a PC to log in to the switch,
configure and manage it. The switch acts as a Telnet server.
Telnet client: You can run the terminal emulation program or the Telnet client program on
a PC to connect with the switch. With the telnet command, you can log in to other
switchs to configure and manage them. As shown in Figure 9-1, Switch A serves as both
the Telnet server and the Telnet client.
Figure 9-1 Telnet client services
Telnet Session2
Telnet Session 1
Telnet
Server
PC
Issue 01 (2011-10-26)
SwitchA

SwitchB
127

9 Telnet and SSH
9.1.3 SSH Terminal Services

The S9300 supports the basic SSH protocol, client function, SFTP protocol, STelnet protocol
and SCP.
Introduction to SSH
SSH works at the application layer in the TCP/IP protocol suite. SSH provides remote login and
virtual terminal on the network where security is guaranteed. Based on TCP connections, SSH
guarantees security and provides authentication for transmitted information, preventing the
following attacks shown in Figure 9-2:
l
IP spoofing
Interception of the password in plain text
Denial of Service (DoS)
In the figure, Switch is an S9300.

Figure 9-2 Establishing a local SSH connection between the PC and the S9300
VLAN1
SSH
Client
PC
Telnet Session
Ethernet
SSH
Server
L2 Switch Ethernet
Switch
SSH adopts the client/server model and sets up multiple secure transmission channels. The
Switch, as the SSH server, can be connected to multiple PCs that function as SSH clients. A
Layer 2 switch may exist between the PC and the SSH server. In the actual networking, a route
is required to be reachable between the PC and the Switch.
Advantages of SSH
The applications of SSH include STelnet and SFTP.
Different from Telnet and FTP terminal services, SSH provides secure remote access on the
network without security guaranteed. The advantages of SSH are described as follows:
l
STelnet client functions

There is a potential risk on security for login through Telnet because there is no
authentication and the data transmitted through TCP is in plain text. The insecure access
results in malicious attacks including DoS attacks, IP spoofing attacks, and route spoofing
attacks.
SSH provides secure remote access on an insecure network by supporting the following
functions:
Supporting Revest-Shamir-Adleman Algorithm (RSA) authentication
Issue 01 (2011-10-26)

128

9 Telnet and SSH
Supporting Data Encryption Standard (DES) and 3DES

Supporting the encrypted transfer of the user name or password
Supporting the encrypted transfer of interactive data
SSH adopts RSA. After the public key and the private key are generated according to the
encryption principle of the asymmetric encryption system, the following information is
transmitted with security between the SSH client and the SSH server:
Key
User name or password
Interactive data
l
SFTP client functions

SFTP provides the following types of applications:
By using SFTP, you can securely log in to the S9300 to manage files from the remote
device. In this manner, the security of data transmission is improved when files need to
be transferred during the upgrade of the remote system.
The S9300 can function as the client to log in to the remote device through FTP to
transfer files with security.
SCP client
SCP enables you to log in to the device securely from a remote device to upload or download
files. Data transfer in this mode is much safer for remote system update. In addition, SCP
provides the client function so that a local device can log in to a remote device for secure
data transfer.
Unlike SFTP, SCP simplifies the file transfer process by combing user authentication and
file transfer, thus improving the configuration efficiency.
Setting Up an SSH Connection

The procedure for setting up an SSH connection is as follows:
1.
Negotiating the SSH version
2.
Negotiating the key
3.
Authenticating the user identity
4.
Initiating a session request
5.
Performing the interactive session
9.2 Configuring Telnet Terminal Services

This section explains how to log in to a switch by means of Telnet and configure the switch.

Before configuring Telnet terminal services, familiarize yourself with the applicable
Issue 01 (2011-10-26)

129

9 Telnet and SSH
To remotely log in to the switch through the Telnet protocol for maintenance and management,
you need to configure Telnet terminal services.
Before configuring Telnet terminal services, complete the following tasks:
l
Ensuring that the switch runs normally
Ensuring that the IP addresses of interfaces on the switch are configured correctly
Configuring the user account, correct login authentication mode, and call-in and call-out
restriction
Ensuring that reachable routes exist between the terminal and the switch
Data Preparation
To configure Telnet terminal services, you need the following data.
No.
Data
IP address of the switch
Name of the VPN instance
IPv4/IPv6 address or host name of the remote switch
Number of the TCP port that is used by the remote switch to provide Telnet services
(Optional) Timeout period after which the server terminates the connection with the
user interface
(Optional) Source IP address or source interface of the device functioning as an Telnet

client
9.2.2 Enabling the Telnet Service

Before establishing a Telnet connection with the server, you need to enable the Telnet service.
Context
Do as follows on the switch that serves as an Telnet server.
Select and perform one of the following two steps for IPv4 or IPv6.
Procedure
l
For the IPv4 network

1.
Run:
system-view

Issue 01 (2011-10-26)

130

2.
9 Telnet and SSH
Run:
telnet server enable
The Telnet service is enabled.

NOTE
l By default, the function of the Telnet server is enabled.

l If the undo telnet server enable command is run when Telnet login is in progress, the
command does not take effect.
l After the Telnet server function is disabled, you can log in to the device only through SSH
or an asynchronous serial interface rather than through Telnet.
For the IPv6 network

1.
Run:
system-view

2.
Run:
telnet ipv6 server enable
The Telnet service is enabled.

NOTE
l By default, the function of the Telnet server is enabled.

l If the telnet ipv6 server enable command is run when Telnet login is in progress, the
command does not take effect.
l After the Telnet server function is disabled, you can log in to the device only through SSH
or an asynchronous serial interface rather than through Telnet.
----End
9.2.3 Establishing a Telnet Connection

You can log in to and manage a switch through Telnet.
Context
Do as follows on the switch that serves as a Telnet client:
Select and perform one of the following two steps for IPv4 or IPv6.
Procedure
l
Run:
telnet [ vpn-instance vpn-instance-name ] [-a source-ip-address ] host-name
[ port-number ]
Log in to the switch and manage other switchs.

l
Run:
telnet ipv6 [ -a source-ip-address ] [ vpn6-instance vpn6-instance-name ] hostname [ -i interface-type interface-number ] [ port-number ]
Log in to the switch and manage other switchs.

----End
Issue 01 (2011-10-26)

131

9 Telnet and SSH
9.2.4 (Optional) Configuring a Telnet Server Port Number

A user can configure or change the Telnet server port number. After the port number is changed,
only the user knows the port number, improving security.
Context
Do as follows on the switch that functions as a Telnet server:
Procedure
Step 1 Run:
system-view

Step 2 Run:
telnet server port port-number
A Telnet server port number is set.

If a new port number is set, the Telnet server terminates all established Telnet connections, and
then uses the new port number to listen to new requests for Telnet connections. By default, the
Telnet server port number is 23.
----End
9.2.5 (Optional) Scheduled Telnet Disconnection

You can set the idle-timeout period for Telnet connections. In this manner, if the Telnet
connections keep idle during the specified period, the system automatically terminates the Telnet
connections.
Context
Do as follows on the switch that serves as a Telnet client:
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
The scheduled Telnet disconnection is enabled.

----End
Issue 01 (2011-10-26)

132

9 Telnet and SSH

After configuring Telnet terminal services, you can view the connection status of the current
user interface, connection status of each user interface, and status of all established TCP
connections.
Prerequisite
The configuration of Telnet Terminal Services are complete.
Procedure
l
Run the display users command to check information about connected users.
Run the display users all command to check information about all users, including
connected and disconnected users.
Run the display tcp status command to check TCP connections.
Run the display telnet-client command to check the source address or source interface of
the device that functions as a Telnet client.
Run the display telnet server status command to check the configuration and status of the
Telnet server.
----End
Example
Run the display tcp status command to view TCP connections. In the command output,
Established indicates that a TCP connection has been established.
<Quidway> display tcp status
TCPCB
Tid/Soid
Local Add:port
39952df8
36 /1509
0.0.0.0:0
Closed
32af9074
59 /1
0.0.0.0:21
Listening
34042c80
73 /17
10.164.39.99:23
Established
Foreign Add:port
0.0.0.0:0
VPNID
0
0.0.0.0:0
14849
10.164.6.13:1147
State
Run the display telnet-client command, and you can view source IP address or source interface
of the Telnet client.
<Quidway> display telnet-client
The source address of telnet client is 1.1.1.1.
Run the display telnet server status command to view the configuration and status of the Telnet
server.
<Quidway> display telnet server status
TELNET IPV4 server
TELNET IPV6 server
TELNET server port
:Enable
:Enable
:23
9.3 Configuring SSH Users

SSH users must be configured to ensure that STelnet or SFTP clients are able to log in to SSH
servers.
Issue 01 (2011-10-26)

133

9 Telnet and SSH

Before configuring SSH users, familiarize yourself with the applicable environment, complete
the pre-configuration tasks, and obtain the required data. This can help you complete the
The STelnet or SFTP client can log in to the SSH server to perform operations only after SSH
users are correctly configured on the SSH server.
Before configuring SSH users, complete the following tasks:
l
Creating a local user
Configuring an RSA public key for the SSH client on the SSH server
Data Preparation
To configure SSH users, you need the following data.
No.
Data
Name and password of SSH users
Authentication mode of SSH users
Service type of SSH users
Name of the peer RSA public key assigned to SSH users
Operating directory of the SFTP service for SSH users
9.3.2 Creating SSH User

AAA does not support RSA authentication. Therefore, when RSA authentication or passwordrsa authentication is adopted, you need to create an SSH user. When password authentication is
adopted, you need to create a local user with the same name in the AAA view.
Context
NOTE
Besides creating an SSH user separately, you can also create an SSH user when you configure the following.
l Configuring the Authentication Mode for SSH Users
l Configuring the Service Type of SSH Users
Do as follows on the switch that serves as an SSH server:
Issue 01 (2011-10-26)

134

9 Telnet and SSH
Procedure
Step 1 Run:
system-view

Step 2 Run:
ssh user user-name
If you want to create an SSH user in the password authentication mode, you need to create a
local user with the same name in the AAA view.
1.
Run:
aaa

2.
Run:

----End
9.3.3 Configuring SSH for the VTY User Interface

You can configure SSH for the VTY user interface.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
user-interface [ vty ] first-ui-number [ last-ui-number ]
The VTY user interface is displayed.

Step 3 Run:
The AAA authentication mode is configured.

Step 4 Run:
protocol inbound ssh
The VTY is configured to support SSH.

NOTE
The authentication mode of the VTY user interface must be set to AAA. Otherwise, the protocol
inbound ssh command cannot be configured successfully.
----End
Issue 01 (2011-10-26)

135

9 Telnet and SSH
9.3.4 Generating a Local RSA Key Pair

You need to create an RSA key before configuring SSH.
Context
Do as follows on the switchs that serve as a client or a server:
Procedure
Step 1 Run:
system-view

Step 2 Run:
rsa local-key-pair create
A local RSA key pair is generated.

NOTE
To log in to an SSH server, the local RSA key pair must be configured and generated first. Before performing
the other SSH configurations, you must configure the rsa local-key-pair create command to generate a
local key pair.
----End
9.3.5 Configuring the Authentication Mode for SSH Users

You can configure the password or RSA authentication mode for SSH users.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
ssh user user-name authentication-type { password | rsa | password-rsa | all }
The authentication mode for SSH users is configured.

Perform the following as required:
l Authenticate the SSH user through the password.
Run:
ssh user user-name authentication-type password
The password authentication is configured for the SSH user.

Run:
ssh authentication-type default password
Issue 01 (2011-10-26)

136

9 Telnet and SSH
The default password authentication is configured for the SSH user.

For the local authentication or HWTACACS authentication, if the number of SSH users
is small, you can adopt the former command; if the number of SSH users is large, adoptthe
later command to simplify the configuration.
l Authenticate the SSH user through RSA.
1.
Run:
ssh user user-name authentication-type rsa
The RSA authentication is configured for the SSH user.

2.
Run:
rsa peer-public-key key-name
The public key view is displayed.

3.
Run:
public-key-code begin
The public key editing view is displayed.

4.
Run:
hex-data
The public key is edited.

The public key must be a string of hexadecimal alphanumeric characters. It is automatically
generated by an SSH client. You can run the display rsa local-key-pair public command
to view a generated public key.
5.
Run:
public-key-code end
Quit the public key editing view.

If the specified hex-data is invalid, the public key cannot be generated after the peer-publickey end command is run; If the specified key-name is deleted in other views, the system
prompts that the key does not exist after the peer-public-key end command is run and the
system view is displayed.
6.
Run:
peer-public-key end
Return to the system view from the public key view.

7.
Run:
ssh user user-name assign rsa-key key-name
The public key is assigned to the SSH user.

NOTE
l After the public key editing view is displayed, the RSA public key generated on the client can be sent
to the server. Copy the RSA public key to the switch that serves as the SSH server.
l Before the peer RSA public key is assigned to the SSH users, the SSH server must be configured and
the peer RSA public key must be the RSA public key of the SSH client.
----End
Issue 01 (2011-10-26)

137

9 Telnet and SSH
9.3.6 (Optional) Configuring the Basic Authentication Information

for SSH Users
You can configure the interval for updating the server key pair, timeout period of the SSH
authentication, and retry times of the SSH authentication.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
ssh server rekey-interval interval
The interval for updating the server key pair is configured.

By default, the interval for updating the key pair of the SSH server is 0 that indicates no updating.
Step 3 Run:
ssh server timeout seconds
The timeout period of the SSH authentication is set.

By default, the timeout period is 60 seconds.
Step 4 Run:
ssh server authentication-retries times
The number of retry times of the SSH authentication is set.

By default, the retry times is 3.
----End
9.3.7 (Optional) Authorizing SSH Users Through the Command

Line
If RSA authentication is adopted, you need to configure command line authorization for SSH
users.
Context
NOTE
There are four authentication modes for an SSH user, namely, password, rsa, password-rsa, and all. For
details of the configuration of the command line authorization for password authentication, refer to the
chapter "AAA and User Management" in the Quidway S9300 Configuration Guide - Security. This section
describes how to configure the command line authorization for RSA authentication.

Issue 01 (2011-10-26)

138

9 Telnet and SSH
Procedure
Step 1 Run:
system-view

Step 2 Run:
ssh user user-name authorization-cmd aaa
The command line authorization is configured for the specified SSH user.
----End
Follow-up Procedure
After configuring the authorization through command lines for the SSH user to perform RSA
authentication, you have to configure the AAA authorization. Otherwise, the command line
authorization for the SSH user does not take effect.
9.3.8 Configuring the Service Type of SSH Users

You can set the service type of SSH users to SFTP, STelnet, or all.
Context
Do as follows on the switch that functions as an SSH server:
Procedure
Step 1 Run:
system-view

Step 2 Run:
ssh user username service-type { sftp | stelnet | all }
The service type for the SSH user is configured.

By default, the service type of the SSH user is not configured.
----End
9.3.9 (Optional) Configuring the Authorized Directory of the SFTP

Service for SSH Users
You can configure a directory as an authorized directory to allow SSH users to use SFTP services.
Context
Issue 01 (2011-10-26)

139

9 Telnet and SSH
Procedure
Step 1 Run:
system-view

Step 2 Run:
ssh user username sftp-directory directoryname
The authorized directory of the SFTP service for SSH users is configured.
By default, the authorized directory of the SFTP service for the SSH user is cfcard:.
----End

After configuring SSH users, you can view SSH user information.
Prerequisite
The configuration of SSH Users are complete.
Procedure
l
Run the display ssh user-information command to check the information about the SSH
client on the SSH server.
Run the display ssh user-information username command to check the information about
the specified SSH client on the SSH server.
----End
Example
Run the display ssh user-information username command. It shows that the SSH user named
clinet001 is authenticated by password, and its service type is sftp.
[Quidway] display ssh user-information client001
User Name
: client001
Authentication-type
: password
User-public-key-name
: Sftp-directory
: Service-type
: sftp
Authorization-cmd
: No
9.4 Configuring the SSH Server Function

This section describes how to configure the SSH server. STelnet or SFTP must first be enabled
on the SSH server.

Before configuring the SSH server, familiarize yourself with the applicable environment,
Issue 01 (2011-10-26)

140

9 Telnet and SSH
Before configuring the SSH server, you must enable STelnet, SFTP, or SCP on the SSH server.
You can change the number of the port monitored by the SSH server to other port numbers. This
can prevent attackers from accessing standard ports of the SSH server and thus save bandwidth
and system resources.
Before configuring the SSH server, complete the following tasks:
l
Connecting the SSH client to the SSH server correctly
Ensuring that the SSH client and the SSH server are routable
Configuring the VTY interface on the SSH server to support SSH
Configuring the SSH client on the SSH server
Creating the local RSA key pair on the SSH server
Data Preparation
To configure the SSH server, you need the following data.
No.
Data
Number of the port monitored by the SSH server
9.4.2 Enabling the STelnet Service

Before enjoying the STelnet service, you need to enable it.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
stelnet server enable
The STelnet service is enabled.

By default, STelnet services are disabled.
----End
9.4.3 Enabling the SFTP Service

Before enjoying the STelnet service, you need to enable it.
Issue 01 (2011-10-26)

141

9 Telnet and SSH
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
sftp server enable
The SFTP service is enabled.

By default, the SFTP service is disabled.
----End
9.4.4 Enabling SCP Services

SCP services become available only after being enabled.
Context
Do as follows on the S9300 functioning as the SCP server:
Procedure
Step 1 Run:
system-view

Step 2 Run:
scp server enable
SCP services are enabled.

By default, SCP services are disabled.
----End
9.4.5 (Optional) Enabling the Earlier Version - Compatible Function

You can configure whether SSH of earlier versions are compatible.
Context
Procedure
Step 1 Run:
system-view
Issue 01 (2011-10-26)

142

9 Telnet and SSH

Step 2 Run:
ssh server compatible-ssh1x enable
The earlier version-compatible function is enabled.

By default, the server configured with the SSH2.0 protocol is compatible with the server
configured with SSH1.X. If the client of SSH1.3 to SSH1.99 (protocol version ranges from 1.3
to 1.99) is denied access to log in, you can run the undo ssh server compatible-ssh1x enable
command to disable the switch to be compatible with the earlier protocol version.
NOTE
l Compared with SSH1.X, SSH2.0 is extended in structure to more authentication modes and key
exchange modes with higher service capability, such as SFTP.
l The S9300 supports the SSH protocol of version 1.3 to version 2.0.
----End
9.4.6 (Optional) Configuring the Number of the Port Monitored by

the SSH Server
You can configure or change the monitoring port number of the SSH server. After the port
number is changed, only the user knows the current port number, which guarantees the security.
Context
Procedure
Step 1 Run:
system-view

Step 2 Run:
ssh server port port-number
The number of the port monitored by the SSH server is configured.

If a new number of a monitored port is configured, the SSH server interrupts all the STelnet and
SFTP connections and monitors the port of the new number. By default, the number of the port
monitored by the SSH server is 22.
----End
9.4.7 (Optional) Configuring the Interval for Updating the Key Pair
on the SSH Server
You can configure the interval for updating the key pair of the SSH server, which can guarantee
the security.
Context
Issue 01 (2011-10-26)

143

9 Telnet and SSH
Procedure
Step 1 Run:
system-view

Step 2 Run:
ssh server rekey-interval interval
The interval for updating the key pair is set.

By default, the interval for updating the key pair of the SSH server is 0, which means that the
key pair is never updated.
----End

After configuring the SSH server, you can view the global configuration of the SSH server.
Prerequisite
The configurations of the SSH server are complete.
Procedure
Step 1 Run the display ssh server status command to view the global configuration of the SSH server.
----End
Example
Run the display ssh server status command, and you can view that the SSH version of the SSH
session is 1.99, and the times for re-establishing the SSH session is 5.
<Quidway> display ssh server status
SSH version
SSH connection timeout
SSH server key generating interval
SSH Authentication retries
SFTP server
Stelnet server
Scp server
SSH server port
:
:
:
:
:
:
:
:
1.99
60 seconds
2 hours
5 times
Enable
Enable
Enable
55535
NOTE
If the number of the monitored port is the default number, information about the currently monitored port
will not be displayed.
9.5 Configuring the STelnet Client Function

This section describes how to configure the STelnet client. A secure connection between the
client and server can be established through negotiation, and the client will be able to log in to
the server similarly to using Telnet services.
Issue 01 (2011-10-26)

144

9 Telnet and SSH

Before configuring an STelnet client, familiarize yourself with the applicable environment,
STelnet is a secure Telnet protocol. The SSH user can use the STelnet service in the same manner
as using the Telnet service.
Before connecting the STelnet client to the SSH server, complete the following tasks:
l
Generating the local RSA key pair on the SSH server
Configuring the STelnet user on the SSH server
Enabling the STelnet service on the SSH server
Data Preparation
To connect the STelnet client to the SSH server, you need the following data:
No.
Data
Name of the SSH server
Preferred encrypted algorithm from the STelnet client to the SSH server
Preferred encrypted algorithm from the SSH server to the STelnet client
Preferred HMAC algorithm from the STelnet client to the SSH server
Preferred HMAC algorithm from the SSH server to the STelnet client
Preferred algorithm of key exchange
Name of the outgoing interface
Source address
9.5.2 Enabling the First-Time Authentication on the SSH Client

After the first-time authentication on the SSH client is enabled, the STelnet client does not check
the validity of the RSA public key when logging in to the SSH server for the first time.
Context
If the first-time authentication on the SSH client is enabled, the STelnet client does not check
the validity of the RSA public key when logging in to the SSH server for the first time. After
Issue 01 (2011-10-26)

145

9 Telnet and SSH
the login, the system automatically allocates the RSA public key and saves it for authentication
in next login.
To simplify user operations, you are recommended to enable the first-time authentication on the
SSH client.
Do as follows on the switch that serves as an SSH client:
Procedure
Step 1 Run:
system-view

Step 2 Run:
ssh client first-time enable
The first-time authentication on the SSH client is enabled.

By default, the first-time authentication on the SSH client is disabled.
NOTE
l The purpose of enabling the first-time authentication on the SSH client is to skip checking the validity
of the RSA public key of the SSH server when the STelnet client logs in to the SSH server for the first
time. The check is skipped because the STelnet server has not saved the RSA public key of the SSH
server.
l If the first-time authentication is not enabled on the SSH client, when the STelnet client logs in to the
SSH server for the first time, the STelnet client fails to pass the check on the RSA public key validity
and cannot log in to the server.
TIP
To ensure that the STelnet client can log in to the SSH server at the first attempt, you can assign the RSA
public key in advance to the SSH server on the SSH client in addition to enabling the first-time
authentication on the SSH client.
----End
9.5.3 (Optional) Assigning an RSA Public Key to the SSH Server

You can assign an RSA public key to the SSH server.
Context
If the first-time authentication on the SSH client is disabled, you need to allocate an RSA public
key to the SSH server before the STelnet client logs in to the SSH server.
Procedure
Step 1 Run:
system-view

Step 2 Run:
Issue 01 (2011-10-26)

146

9 Telnet and SSH

Step 3 Run:

Step 4 Run:
hex-data

generated by an SSH client. You can run the display rsa local-key-pair public command to
view a generated public key.
Step 5 Run:
public-key-code end

If the specified hex-data is invalid, the public key cannot be generated after the peer-publickey end command is run; If the specified key-name is deleted in other views, the system prompts
that the key does not exist after the peer-public-key end command is run and the system view
is displayed.
Step 6 Run:
peer-public-key end

Step 7 Run:
ssh client servername assign rsa-key keyname
The RSA public key is assigned to the SSH server.

NOTE
l Before being assigned to the SSH server, the assigned peer RSA public key must be obtained from the
SSH server and must be configured on the SSH client. Then, the STelnet client client can successfully
undergo the validity check on the RSA public key of the SSH server.
l If the RSA public key stored on the SSH client becomes invalid, run the undo ssh client servername
assign rsa-key command to cancel the association between the SSH client and the SSH server. Then,
run the ssh client servername assign rsa-key keyname command to allocate a new RSA public key to
the SSH server.
----End
9.5.4 Enabling the STelnet Client

You can log in to the SSH server from the SSH client through STelnet.
Context
NOTE
When accessing an SSH server, the STelnet client can carry the source address and the VPN instance name
and choose the key exchange algorithm, encryption algorithm, or HMAC algorithm, and configure the
keepalive function..

Issue 01 (2011-10-26)

147

9 Telnet and SSH
Procedure
Step 1 Run:
system-view

Step 2 According to the address type of the SSH server, select and run one of the following two
commands.
Run the stelnet [ -a source-address ] host-ipv4 [ port ] [ [ -vpn-instance vpn-instancename ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher
{ des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] |
[ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 |
sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ] command. You
can log in to the SSH server through STelnet.
Run the stelnet ipv6 [ -a source-address ] host-ipv6 [ -i interface-type interface-number ]
[ port ] [ [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher
{ des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] |
[ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 |
sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ] command. You
can log in to the SSH server through STelnet.
----End

After configuring the STelnet client, you can view the global configuration of the SSH server.
Prerequisite
The configuration of the STelnet Client Function are complete.
Procedure
l
Run the display ssh server-info command to check the mapping between the RSA public
key and the SSH client on the SSH client.
Run the display ssh server session command to check the session of the SSH client on the
SSH server.
----End
Example
When running the display ssh server session command, you can view that the client logs in
from VTY3, with Stelent service by password authentication.
<Quidway> display ssh server session
Session 1:
Conn
: VTY 3
Version
: 2.0
State
: started
Username
: client001
Retry
: 1
CTOS Cipher
: aes128-cbc
Issue 01 (2011-10-26)

148

STOC Cipher
CTOS Hmac
STOC Hmac
Kex
Service Type
Authentication Type
9 Telnet and SSH

:
:
:
:
:
:
aes128-cbc
hmac-sha1-96
hmac-sha1-96
diffie-hellman-group1-sha1
stelnet
password
9.6 Configuring the SFTP Client Function

This section explains how to configure the SFTP client. The authentication and bidirectional
data encryption of the SFTP client can be manually configured, which will ensure secure file
transmission on the network.

Before configuring the SFTP client, familiarize yourself with the applicable environment,
SFTP enables users to log in to the device from a secure remote end to manage files. This
improves the security of data transmission for the remote end to update its system. The SFTP
client function also enables you to log in to the remote device through SFTP for the secure file
transmission.
Before connecting the SFTP client to the SSH server, complete the following tasks:
l
Creating a local RSA key pair on an SSH server
Configuring an SFTP client on the SSH server
Enabling the SFTP service on the SSH server
Data Preparation
To connect an SFTP client to an SSH server, you need the following data.
Issue 01 (2011-10-26)
No.
Data
Preferred encrypted algorithm from the SFTP client to the SSH server
Preferred encrypted algorithm from the SFTP server to the SSH client
Preferred HMAC algorithm from the SFTP client to the SSH server
Preferred HMAC algorithm from the SFTP server to the SSH client
Preferred algorithm of key exchange

149

No.
Data
Name of the outgoing interface
Source address
10
Directory name
11
File name
9 Telnet and SSH
9.6.2 (Optional) Configuring a Source IP Address for an SFTP Client

You can configure a source IP address for an SFTP client. Then, you can set up an SFTP
connection from the SFTP client to the server through a specific route by using this source IP
address.
Context
Do as follows on a switch that functions as an SFTP client.
Procedure
Step 1 Run:
system-view

Step 2 Run:
sftp client-source { -a source-ip-address | -i interface-type interface-number }
A source IP address is configured for an SFTP client.

----End
9.6.3 Configuring the First-Time Authentication on the SSH Client

After the first-time authentication on the SSH client is enabled, the STelnet client does not check
the validity of the RSA public key when logging in to the SSH server for the first time.
Context
If the first-time authentication on the SSH client is enabled, the STelnet client does not check
the validity of the RSA public key when logging in to the SSH server for the first time. After
the login, the system automatically allocates the RSA public key and saves it for authentication
in next login.
To simplify user operations, you are recommended to enable the first-time authentication on the
SSH client.
Issue 01 (2011-10-26)

150

9 Telnet and SSH
Procedure
Step 1 Run:
system-view

Step 2 Run:
Enable the SSH client with the first authentication.

By default, first-time authentication is disabled on SSH clients.
NOTE
l The purpose of enabling the first-time authentication on the SSH client is to skip checking the validity
of the RSA public key of the SSH server when the SFTP client logs in to the SSH server for the first
time. The check is skipped because the SFTP server has not saved the RSA public key of the SSH
server.
l If the first-time authentication is not enabled on the SSH client, when the SFTP client logs in to the
SSH server for the first time, the SFTP client fails to pass the check on the RSA public key validity
and cannot log in to the server.
TIP
Except for enabling the first-time authentication on the SSH client, the SFTP client can assign the RSA
public key in advance to the SSH server on the SSH client to log in to the server successfully for the first
time.
----End
9.6.4 (Optional) Assigning an RSA Public Key to the SSH Server

You can assign an RSA public key on the SSH client to the SSH server.
Context
If the first-time authentication on the SSH client is disabled, you need to assign an RSA public
key to the SSH server before the STelnet client logs in to the SSH server.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:

Issue 01 (2011-10-26)

151

9 Telnet and SSH
Step 4 Run:
hex-data

generated by an SSH client. You can run the display rsa local-key-pair public command to
view a generated public key.
Step 5 Run:
public-key-code end

If the specified hex-data is invalid, the public key cannot be generated after the peer-publickey end command is run; If the specified key-name is deleted in other views, the system prompts
that the key does not exist after the peer-public-key end command is run and the system view
is displayed.
Step 6 Run:
peer-public-key end

Step 7 Run:
ssh client servername assign rsa-key keyname
Assign a public key to the SSH server.

NOTE
l Before being assigned to the SSH server, the assigned peer RSA public key must be obtained from the
SSH server and must be configured on the SSH client. Then, the SFTP client can successfully undergo
the validity check on the RSA public key of the SSH server.
l If the RSA public key stored on the SSH client becomes invalid, run the undo ssh client servername
assign rsa-key command to cancel the association between the SSH client and the SSH server. Then,
run the ssh client servername assign rsa-key keyname command to allocate a new RSA public key to
the SSH server.
----End
9.6.5 Enabling the SFTP Client

You can log in to the SSH server from the SSH client through SFTP.
Context
NOTE
The command of enabling the SFTP client is similar to that of the STelnet. When accessing the SSH server,
the SFTP can carry the source address and the name of the VPN instance and choose the key exchange
algorithm, encrypted algorithm and HMAC algorithm, and configure the keepalive function.
Do as follows on the switch that serves as an SSH client.
Procedure
Step 1 Run:
system-view
Issue 01 (2011-10-26)

152

9 Telnet and SSH

Step 2 According to the address type of the SSH server, select and perform one of the two configurations
below.
Run:
sftp [ -a source-address | -i interface-type interface-number ] host-ipv4
[ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex
{ dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des |
aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] |
[ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac
{ sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc
alivecountmax ] ]
You can log in to the SSH server through SFTP.

Run:
sftp ipv6 [ -a source-address ] host-ipv6 [ -i interface-type interfacenumber ] [ port ] [ [ prefer_kex { dh_group1 | dh_exchange_group } ] |
[ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des |
3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] |
[ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval
[ -kc alivecountmax ] ]
----End
9.6.6 (Optional) Managing the Directory

On the SFTP client, you can log in to the SSH server to create or delete directories on the SSH
server.
Context
NOTE
After the SFTP client logs in to the SSH server, the SFTP client can create or delete the directory on the
SSH server, display the current operating directory and information about a specified directory and its files.
Procedure
Step 1 Run:
system-view

below.
Run:
alivecountmax ] ]
Issue 01 (2011-10-26)

153

9 Telnet and SSH

Run:
Step 3 Perform the following as required:

l Run:
cd [ remote-directory ]
The current operating directory of users is changed.

l Run:
cdup
The operating directory of users is switched to the upper-level directory.

l Run:
pwd
The current operating directory of users is displayed.

l Run:
dir / ls [ remote-directory ]
The file list in the specified directory is displayed.

l Run:
rmdir remote-directory & <1-10>
l The directory on the server is deleted.

l Run:
mkdir remote-directory
A directory is created on the server.

----End
9.6.7 (Optional) Managing the File

On the SFTP client, you can view specified remote directories or files on the SFTP server or
delete specified files on the SFTP server.
Context
NOTE
After the SFTP client logs in to the SSH server, SFTP client can change file names, delete files, display
the file list, upload and download files on the SFTP server.
Do as follows on the login switch.
Procedure
Step 1 Run:
system-view
Issue 01 (2011-10-26)

154

9 Telnet and SSH

below.
Run:
alivecountmax ] ]

Run:
Step 3 Run the command.

l Run:
rename old-name new-name
The name of the specified file on the server is changed.

l Run:
get remote-filename [local-filename]
The file on the remote server is downloaded.

l Run:
put local-filename [remote-filename]
The local file is uploaded to the remote server.

l Run:
remove remote-filename
The file on the server is removed.

----End
9.6.8 (Optional) Displaying the SFTP Client Command Help

You can view the SFTP client command help.
Context
Do as follows on the login switch:
Procedure
Step 1 Run:
system-view
Issue 01 (2011-10-26)

155

9 Telnet and SSH

below.
Run:
alivecountmax ] ]

Run:
Step 3 Run:
help [all | command-name ]
The SFTP client command help is displayed.

----End

After configuring the SFTP client, you can view the global configuration of the SSH server.
Prerequisite
The configuration of the SFTP Client Function are complete.
Procedure
l
Run the display sftp-client command to check the source IP address of the SFTP client on
the SSH client.
Run the display ssh server-info command to check the mapping between the SSH server
and the RSA public key on the SSH client.
Run the display ssh server session command to check the session of the SSH client on the
SSH server.
----End
Example
Run the display ssh server session command, and you can view that the client logs in from the
VTY4 through the sftp service in rsa authentication mode.
[Quidway] display ssh server session
Session 2:
Conn
: VTY 4
Issue 01 (2011-10-26)

156

Version
State
Username
Retry
CTOS Cipher
STOC Cipher
CTOS Hmac
STOC Hmac
Kex
Service Type
Authentication Type
9 Telnet and SSH

:
:
:
:
:
:
:
:
:
:
:
2.0
started
client002
1
aes128-cbc
aes128-cbc
hmac-sha1-96
hmac-sha1-96
diffie-hellman-group1-sha1
sftp
rsa
9.7 Configuring the SCP Client

This section describes how to configure the SCP client. The SCP client sets up a secure
connection with the SCP server so that the client can upload files to the server or download files
from the server.

Before configuring the SCP client, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the data required for the configuration. This
will help you complete the configuration task quickly and accurately.
SCP is a secure file transfer method based on SSH2.0. Unlike SFTP, SCP allows file uploading
or downloading without user authentication and public key assignment, and also supports file
uploading or downloading in batches.
Before configuring the SCP client, complete the following tasks:
l
Generating a local RSA key pair on the SCP server
Configuring SCP users on the SCP server
Enabling SCP services on the SCP server
Data Preparation
To configure the SCP client, you need the following data.
Issue 01 (2011-10-26)
No.
Data
(Optional) Source IPv4 or IPv6 address and source interface of the local switch
Port number of the remote SCP server, VPN instance name, encryption algorithm for
uploading or downloading files, source files to be uploaded or downloaded, and
destination files to be uploaded or downloaded

157

9 Telnet and SSH
9.7.2 (Optional) Configuring a Source IP Address for the SCP Client

It is more secure to configure a source IP address for the SCP client, and use the specified source
IP address to set up an SCP connection between the client and server.
Context
Do as follows on the switch functioning as the SCP client:
Procedure
Step 1 Run:
system-view

Step 2 Run:
scp client-source { -a source-ip-address | -i interface-type interface-number }
A source IP address or a source interface is configured for the SCP client.

At present, the available source interface must be a loobpack interface. A loopback interface is
recommended to improve network security.
----End
9.7.3 Copying Files

You can use SCP to upload files from the client to the server or download files from the server
to the client.
Context
NOTE
When logging in to the SCP server, the SCP client can carry source IP address and VPN instance name,
and select an encryption algorithm.
Do as follows on the switch functioning as the SCP client:
Procedure
Step 1 Run:
system-view

Step 2 Files are uploaded from the SCP client to the remote SCP server or downloaded from the remote
SCP server to the SCP client.
l Basing on IPv4 address
scp [ -port port-number | public-net | vpn-instance vpn-instance-name | -a sourceaddress
| -i interface-type interface-number | -r | -cipher { des | 3des | aes128 } | -c ]* sourcefile
destinationfile
l Basing on IPv6 address
Issue 01 (2011-10-26)

158

9 Telnet and SSH
scp ipv6 [ -port port-number | public-net | vpn-instance vpn-instance-name | -a

sourceipv6address | -r | -cipher { des | 3des | aes128 } | -c ]* sourcefile destinationfile [ -i
interface-type interface-number ]
----End

After the SCP client is successfully configured, you can view configurations of the SCP
connection.
Prerequisite
The configurations of the SCP client are complete.
Context
l
Run the display scp-client command to view the source IP address or source interface of
the SCP client.
Example
Run the display scp-client command, and you can view the source IP address of the SCP client.
<Quidway> display scp-client
The source of SCP ipv4 client: 1.1.1.1
The source of SCP ipv6 client: --

This section provides configuration examples for Telnet and SSH along with a configuration
flowchart. The configuration examples explain networking requirements, configuration notes,
and configuration roadmap.
9.8.1 Example for Configuring the Telnet Terminal Service

In this example, the authentication mode and password are configured for users to log in to the
switch through Telnet.
As shown in Figure 9-3, after logging in to Switch A, the user logs in to Switch B through Telnet
by using the default interface 23.
Issue 01 (2011-10-26)

159

9 Telnet and SSH
Figure 9-3 Networking diagram of the remote login of the Ethernet user
PC
SwitchA
10.10.10.8/24
SwitchB
10.10.10.9/24
Switch
Interface
VLANIF interface
IP address
SwitchA
VLANIF 2
10.10.10.8/24
SwitchB
VLANIF 2
10.10.10.9/24
1.
Assign IP addresses to Switch A and Switch B.
2.
Configure an authentication mode and password on Switch B.
3.
Log in to Switch B from Switch A.
Data Preparation
l
ID of the VLAN
IP address and number of the interface on the Switch A that functions as the Telnet client
IP address and number of the interface on the Switch B that functions as the Telnet server
Authentication mode and the password for a user to log in to Switch B through Telnet
Procedure
Step 1 Assign IP addresses.
# Assign IP address to Switch A that functions as the Telnet client.
<SwitchA> system-view
[SwitchA] vlan 2
[SwitchA-vlan2] quit
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port hybrid pvid vlan 2
[SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 2
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface vlanif 2
[SwitchA-Vlanif2] ip address 10.10.10.8 255.255.255.0
[SwitchA-Vlanif2] quit
[SwitchA]
# Assign an IP address to Switch B that functions as the Telnet server.

<SwitchB> system-view
[SwitchB] vlan 2
[SwitchB-vlan2] quit
Issue 01 (2011-10-26)

160

9 Telnet and SSH
[SwitchB] interface gigabitethernet 1/0/1

[SwitchB-GigabitEthernet1/0/1] port hybrid pvid vlan 2
[SwitchB-GigabitEthernet1/0/1] port hybrid untagged vlan 2
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface vlanif 2
[SwitchB-Vlanif2] ip address 10.10.10.9 255.255.255.0
[SwitchB-Vlanif2] quit
[SwitchB]
Step 2 Configure the authentication mode and password for Switch B.

[SwitchB] user-interface vty 0 4
[SwitchB-ui-vty0-4] authentication-mode password
[SwitchB-ui-vty0-4] set authentication password simple 123456
[SwitchB-ui-vty0-4] quit
[SwitchB]
Step 3 Verify the configuration.

# Log in to Switch B on Switch A through Telnet.
<SwitchA> telnet 10.10.10.9
Trying 10.10.10.9 ...
Connected to 10.10.10.9 ...
Login authentication
Password:
info: The max number of VTY users is 20, and the current number
of VTY users on line is 1.
<SwitchB>
----End
Configuration Files
l
Configuration file of Switch A

#
sysname SwitchA
#
vlan batch 2
#
interface Vlanif2
ip address 10.10.10.8 255.255.255.0
#
#
return
Configuration file of Switch B

#
sysname SwitchB
#
vlan batch 2
#
interface Vlanif2
ip address 10.10.10.9 255.255.255.0
#
#
user-interface vty 0 4
set authentication password simple 123456
#
return
Issue 01 (2011-10-26)

161

9 Telnet and SSH
9.8.2 Example for Configuring the PC as the STelnet Client to

Connect to the SSH Server
This part provides an example for configuring the PC as the STelnet client to connect to the SSH
server. In this example, after generating the local key pair on the SSH server, configuring the
name and password of the SSH user on the SSH server, and enabling the STelnet service on the
SSH server, you can connect the Stelnet client to the SSH server.
As shown in Figure 9-4, after the STelnet service is enabled on the SSH server, the STelnet
client can log in to the SSH server with the password, RSA, password-rsa, or all authentication
mode.
Configure Client001 with the password as huawei and adopt the password authentication.
The IP address of the SSH server is 192.168.1.1.
The user interface supports only SSH.
Figure 9-4 Networking diagram of configuring the PC as the STelnet client to connect to the
SSH server
IP Network
SSH Client
SSH Server
1.
Configure Client001 on the SSH server.
2.
Enable STelnet service on the SSH server.
3.
Configure password authentication as the default authentication mode on the SSH server.
Data Preparation
l
Name and the authentication mode of the SSH user
Password of the SSH user
Procedure
Step 1 Generate a local key pair on the server.
Issue 01 (2011-10-26)

162

9 Telnet and SSH
[Quidway] sysname SSH Server

[SSH Server] rsa local-key-pair create
The key name will be: Quidway_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]: 768
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++
Step 2 Configure the VTY user interface.

[SSH
[SSH
[SSH
[SSH
Server] user-interface vty 0 4

Server-ui-vty0-4] authentication-mode aaa
Server-ui-vty0-4] protocol inbound ssh
Server-ui-vty0-4] quit
NOTE
If SSH is configured as the login protocol, the S9300 automatically disables Telnet.
Step 3 Configure the password of the SSH user Client001 to huawei.

[SSH
[SSH
[SSH
[SSH
[SSH
Server] aaa
Server-aaa]
Server-aaa]
Server-aaa]
Server-aaa]
local-user client001 password cipher huawei

local-user client001 privilege level 3
local-user client001 service-type ssh
quit
Step 4 Enable the STelnet service on the SSH server.

[SSH Server] stelnet server enable
[SSH Server] ssh authentication-type default password

# Log in to the device through the software putty, and specify the IP address of the device being
192.168.1.1 and the login protocol being SSH.
Issue 01 (2011-10-26)

163

9 Telnet and SSH
# Log in to the device through the software putty, and enter the user name client001 and the
password huawei.
Issue 01 (2011-10-26)

164

9 Telnet and SSH
----End
Configuration Files
l
Configuration file of the SSH server

#
sysname SSH Server
#
aaa
local-user client001 password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
local-user client001 privilege level 3
#
ssh authentication-type default password
#
#
return
9.8.3 Example for Configuring the Switch as the STelnet Client to

Connect to the SSH Server
In this example, the local key pairs are generated on the STelnet client and the SSH server; the
public RSA key is generated on the SSH server and then bound to the STelnet client. In this
manner, the STelnet client can connect to the SSH server.
When you need to log in from a switch to other switches to configure the switches, you can
configure the switch as an STelnet client.
As shown in Figure 9-5, after the STelnet service is enabled on the SSH server, the STelnet
client can log in to the SSH server in the authentication mode of password, RSA, password-rsa,
or all.
The following login users need to be configured.
l
Client001, with the password as huawei and the authentication mode as password
Client002, with the password as rsakey001 and the authentication mode as RSA
The user interface supports only the SSH protocol.
Issue 01 (2011-10-26)

165

9 Telnet and SSH
Figure 9-5 Networking diagram of connecting the STelnet client and the SSH server
SSH Server
10.164.39.222/24
10.164.39.221/24
10.164.39.220/24
Client001 Client002
Switch
Interface
VLANIF interface IP address
SSH server
VLANIF 10
10.164.39.222/24
Client001
VLANIF 10
10.164.39.220/24
Client002
VLANIF 10
10.164.39.221/24
1.
Create a VLAN that each interface belongs to and assign an IP address to each VLANIF
interface.
2.
Configure Client001 and Client002 on the SSH server.
3.
Create a local key pair on the STelnet client and SSH server separately.
4.
Generate an RSA public key on the SSH server and bind the RSA public key of the SSH
client to Client002.
5.
Enable the STelnet service on the SSH server.
6.
Client001 and Client002 log in to the SSH server through STelnet.
Data Preparation
l
IP addresses of the FTP server and client, as shown in Figure 9-5
SSH user name and authentication mode
Password or RSA public key
SSH server name
Procedure
Step 1 Create a VLAN that each interface belongs to and assign an IP address to each VLANIF interface.
Create VLAN 10 on the Switch that functions as the server and assign IP address
10.164.39.222/24 to interface VLANIF10.
[Quidway] vlan 10
Issue 01 (2011-10-26)

166

9 Telnet and SSH

Assigning an IP address to the Switch that functions as Client001 or Client002 is the same as
assigning an IP address to VLANIF 10, and is not mentioned here.
Step 2 Create a local key pair on the SSH server.
[Quidway] rsa local-key-pair create
NOTES:If the key modulus is greater than 512,
Input the bits in the modulus[default = 512]:
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++
Step 3 Create an SSH user on the server.

NOTE
SSH users can be authenticated in four modes: password, RSA, password-rsa, and all.
l Before configuring the authentication mode of password or password-rsa, you must configure a local
user.
l Before configuring the authentication mode of RSA, password-rsa, or all, you must copy the RSA
public key of the SSH client to the server.
# Configure a VTY user interface.

[Quidway-ui-vty0-4] protocol inbound ssh
[Quidway-ui-vty0-4] quit
l Create an SSH user named Client001.

# Create an SSH user named Client001 and configure the authentication mode as
password for the user.
[Quidway] ssh user client001
[Quidway] ssh user client001 authentication-type password
# Set the password of Client001 to huawei.

[Quidway] aaa
[Quidway-aaa] local-user client001 password simple huawei
[Quidway-aaa] local-user client001 service-type ssh
l # Create an SSH user named Client002 and configure the authentication mode as RSA for
the user.
[Quidway] ssh user client002 authentication-type rsa
Step 4 Configure the RSA public key on the server.

# Create a local key pair on the client.
[Quidway] sysname client002
[client002] rsa local-key-pair create
# Check the RSA public key generated on the client.

Issue 01 (2011-10-26)

167

9 Telnet and SSH
[client002] display rsa local-key-pair public

=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ---AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7
yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ---Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tn
TlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key
=====================================================
Key name: client002_Server
=====================================================
Key code:
3067
0260
BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
[client002]
# Send the RSA public key generated on the client to the server.
[Quidway] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[Quidway-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[Quidway-rsa-key-code] 3047
[Quidway-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[Quidway-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[Quidway-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[Quidway-rsa-key-code] 1D7E3E1B
[Quidway-rsa-key-code] public-key-code end
[Quidway-rsa-public-key] peer-public-key end
Step 5 Bind the RSA public key of the SSH client to Client002.
[Quidway] ssh user client002 assign rsa-key RsaKey001
Step 6 Enable the STelnet service on the SSH server.

# Enable the STelnet service.
[Quidway] stelnet server enable
Step 7 Set the service type of Client001 and Client002 to STelnet.

Issue 01 (2011-10-26)

168

9 Telnet and SSH
[Quidway] ssh user client001 service-type stelnet

Step 8 Connect the STelnet and the SSH server.

# You must enable the initial authentication on the SSH client for the first login.
[client001] ssh client first-time enable
# Client001 logs in to the SSH server in password authentication mode by entering the user
name and password.
<client001> system-view
[client001] stelnet 10.164.39.222
Please input the username:client001
Trying 10.164.39.222 ...
Connected to 10.164.39.222 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name: 10.164.39.222. Please wait...
Enter password:
Enter the password huawei, and information indicating that the login succeeds is displayed as
follows:
<Quidway>
# Client002 logs in to the SSH server in RSA authentication mode.

[client002] stelnet 10.164.39.222
Please input the username: client002
Trying 10.164.39.222 ...
Connected to 10.164.39.222 ...
***********************************************************
<Quidway>

After the configuration, run the commands of display ssh server status and display ssh server
session on the SSH server. You can view that the STelnet service is enabled, and that the STelnet
client logs in to the server successfully.
# Check the status of the SSH server.
[Quidway] display ssh server status
SSH version
SFTP server
Stelnet server
Scp server
:1.99
:60 seconds
:0 hours
:3 times
:Disable
:Enable
:Disable
# Check the connection of the SSH server.

Session 1:
Conn: VTY 3
Version: 2.0
State: started
Issue 01 (2011-10-26)

169

9 Telnet and SSH
Username: client001
Retry: 1
CTOS Cipher: aes128-cbc
STOC Cipher: aes128-cbc
CTOS Hmac: hmac-sha1-96
STOC Hmac: hmac-sha1-96
Kex: diffie-hellman-group1-sha1
Service Type: stelnet
Authentication Type: password
Session 1:
Conn: VTY 4
Version: 2.0
State: started
Username: client002
Retry: 1
Authentication Type: rsa
# Check information about the SSH user.

[Quidway] display ssh user-information
User 1:
User Name: client001
Authentication-type: password
User-public-key-name: Sftp-directory: Service-type: stelnet
Authorization-cmd: No
User 2:
Authentication-type: rsa
User-public-key-name: RsaKey001
Sftp-directory: Service-type: stelnet
----End
Configuration Files
l
Configuration file of the Quidway, the SSH server

#
sysname Quidway
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.222 255.255.255.0
#
rsa peer-public-key rsakey001
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB 203C8FCB BBC8FDF2 F7CB674E
519E8419 0F6B97A8 EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
public-key-code end
peer-public-key end
#
aaa
local-user client001 password simple huawei
#
Issue 01 (2011-10-26)

170

9 Telnet and SSH

ssh user client001
ssh user client002
ssh user client001 authentication-type password
ssh user client002 authentication-type rsa
ssh user client002 assign rsa-key RsaKey001
ssh user client001 service-type stelnet
#
#
#
return
Configuration file of Client001, the SSH client

#
sysname client001
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.220 255.255.255.0
#
#
#
return

#
sysname client002
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.221 255.255.255.0
#
#
#
return
9.8.4 Example for Connecting the SFTP Clinet and the SSH Server
In this example, the local key pairs are generated on the SFTP client and the SSH server
respectively; the public RSA key is generated on the SSH server and bind the RSA public key
to the SFTP client. In this manner, the SFTP client can connect to the SSH server.
As shown in Figure 9-6, after the SFTP service is enabled on the SSH server, the SFTP client
can log in to the SSH server in the authentication mode of password, RSA, password-rsa, or all.
Issue 01 (2011-10-26)

171

9 Telnet and SSH
Figure 9-6 Networking diagram for connecting the SFTP client and the SSH server
SSH Server
10.164.39.222/24
10.164.39.220/24
10.164.39.221/24
Client001 Client002
Switch
Interface
VLANIF interface
IP address
SSH server
VLANIF 10
10.164.39.222/24
Client001
VLANIF 10
10.164.39.220/24
Client002
VLANIF 10
10.164.39.221/24
1.
interface.
2.
3.
Create a local key pair on the SFTP client and SSH server separately.
4.
Create an RSA public key on the SSH server and bind the RSA public key of the SSH client
to Client002.
5.
Enable the SFTP service on the SSH server.
6.
Configure the type of service and authenticated directory for the SSH user.
7.
Client001 and Client002 log in to the SSH server through SFTP.
Data Preparation
l
Password or RSA public key of the SSH user
SSH server name
Procedure
Create VLAN 10 on the S9300 that functions as the server and assign IP address
10.164.39.222/24 to VLANIF 10.
[Quidway] vlan 10
Issue 01 (2011-10-26)

172

9 Telnet and SSH
[Quidway] quit
Assigning an IP address to the S9300 that functions as Client001 or Client002 is the same as
Step 2 Create a local key pair on the SSH server.
Generating keys...
...........++++++++++++
..................++++++++++++
...++++++++
...........++++++++

NOTE
l In password or password-rsa authentication mode, you must configure a local user.
l In RSA or all authentication mode, you must copy the RSA public key of the SSH client to the server.

l Create an SSH user named Client001.

# Create an SSH user named Client001 and configure the authentication mode as
password for the user.

[Quidway] aaa
l # Create an SSH user named Client002 and configure the authentication mode as RSA for
the user.

# Check the RSA public key created on the client.

Issue 01 (2011-10-26)

173

9 Telnet and SSH
=====================================================
=====================================================
Key code:
3047
0240
1D7E3E1B
0203
010001
=====================================================
=====================================================
Key code:
3067
0260
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
[client]
# Send the RSA public key created on the client to the server.
Step 5 Bind the RSA public key of the SSH client to Client002.
Step 6 Enable the SFTP service on the SSH server.

# Enable the SFTP service.
[Quidway] sftp server enable
Step 7 On the SSH server, set the type of service for the SSH user and the authorized directory.
Two SSH users are configured on the SSH server: Client001 in the password authentication
mode and Client002 in the RSA authentication mode.
Issue 01 (2011-10-26)

174

[Quidway]
[Quidway]
[Quidway]
[Quidway]
ssh
ssh
ssh
ssh
user
user
user
user
9 Telnet and SSH

client001
client001
client002
client002
service-type sftp
sftp-directory cfcard:/
service-type sftp
sftp-directory cfcard:/
Step 8 Connect the SFTP client and the SSH server.

# Client001 logs in to the SSH server in password authentication mode.

[client001] sftp 10.164.39.222
Input Username:client001
Trying 10.164.39.222 ...
Enter password:
sftp-client>
# Client002 logs in to the SSH server in RSA authentication mode.

[client002] sftp 10.164.39.222
Input Username: client002
Trying 10.164.39.222 ...
sftp-client>

After the configuration, run the display ssh server status and display ssh server session
commands on the SSH server. You can view that the SFTP service is enabled, and that the SFTP
client logs in to the server successfully.
SSH version
SFTP server
Stelnet server
Scp server
:1.99
:60 seconds
:0 hours
:3 times
:Enable
:Disable
:Disable

Session 1:
Conn: VTY 3
Version: 2.0
State: started
Username: client001
Retry: 1
Service Type: sftp
Session 2:
Conn: VTY 4
Version: 2.0
State: started
Username: client002
Issue 01 (2011-10-26)

175

9 Telnet and SSH
Retry: 1
Service Type: sftp
# Check information about the SSH user.

[Quidway] display ssh user-information
User 1:
Authentication-type: password
User-public-key-name: Sftp-directory: flash:
Service-type: sftp
User 2:
Authentication-type: rsa
User-public-key-name: RsaKey001
Sftp-directory: flash:
Service-type: sftp
----End
Configuration Files
l

#
sysname Quidway
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.222 255.255.255.0
#
3047
0240
C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D 0163FD4A FAC39A6E 0F45F325
A4E3AA1D 54692B04 C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9 E917182B
0203
010001
public-key-code end
peer-public-key end
#
aaa
#
sftp server enable
ssh user client001
ssh user client002
ssh user client001 service-type sftp
ssh user client001 sftp-directory cfcard:/
#
Issue 01 (2011-10-26)

176

9 Telnet and SSH

#
#
return

#
sysname client001
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.220 255.255.255.0
#
#
#
return

#
sysname client002
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.221 255.255.255.0
#
#
#
return
9.8.5 Example for Configuring the SSH Server to Support the Access
from Another Port
In this example, the monitoring port number of the SSH server is set to a port number other than
the standard monitoring port number so that only valid users can set up connections with the
SSH server.
The standard listening port is numbered 22, as defined in the SSH protocol. If attackers access
the standard port continuously, the bandwidth is consumed and the performance of the server is
degraded. As a result, other valid users cannot access the port.
If the listening port on the SSH server is changed to a non-default one, attackers will not aware
of this change and continue to send a request for the socket connection to port 22. In this case,
the SSH server detects that it is not the listening port, and then denies the the request for
establishing the socket connection.
Therefore, only valid users can use the specified listening port to set up a socket connection
through the following procedures:
Issue 01 (2011-10-26)

177

9 Telnet and SSH
Negotiating the version of the SSH protocol
Negotiating the algorithm
Generating the session key
Authenticating
Sending a request for a session
Performing the interactive session
Figure 9-7 Networking diagram for configuring the SSH server to support the access from
another port
SSH Server
10.164.39.222/24
10.164.39.220/24
10.164.39.221/24
Client001 Client002
Switch
Interface
VLANIF interface
IP address
SSH server
VLANIF 10
10.164.39.222/24
Client001
VLANIF 10
10.164.39.220/24
Client002
VLANIF 10
10.164.39.221/24
1.
interface.
2.
3.
Create a local key pair on the SFTP client and SSH server separately.
4.
Generate an RSA public key on the SSH server and bind the RSA public key of the SSH
client to Client002.
5.
Enable the STelnet and SFTP services on the SSH server.
6.
Configure the type of the service and authenticated directory for the SSH user.
7.
Set the listening port number on the SSH server.
8.
Client001 and Client002 log in to the SSH server through STelnet and SFTP separately.
Data Preparation
l
Issue 01 (2011-10-26)

178

Password or RSA public key of the SSH user
Server name
Listening port number on the SSH server
9 Telnet and SSH
Procedure
Create VLAN 10 on the Switch that functions as the server and assign IP address
10.164.39.222/24 to VLANIF 10.
[Quidway] vlan 10
Assigning an IP address to theSwitch that functions as Client001 or Client002 is the same as

Step 2 A local key pair generated on the SSH server
Generating keys...
...........++++++++++++
..................++++++++++++
...++++++++
...........++++++++

# Check the RSA public key generated on the client.

=====================================================
=====================================================
Key code:
3047
0240
1D7E3E1B
0203
010001
Issue 01 (2011-10-26)

179

9 Telnet and SSH

=====================================================
=====================================================
Key code:
3067
0260
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
[client002]

NOTE
l Before configuring the authentication mode of password or password-rsa, you must configure a local
user.
l Before configuring the authentication mode of RSA, password-rsa, or all, you must copy the RSA
public key of the SSH client to the server.

# Create an SSH user named Client001, and configure the authentication mode as password
for the user.

Issue 01 (2011-10-26)

180

9 Telnet and SSH
[Quidway] aaa
[Quidway-aaa] quit
# Set the type of service of Client001 to STelnet.

# Create an SSH user named Client002, and configure the authentication mode as RSA for the
user. Bind the RSA public key of the SSH client to Client002.
# Set the type of service of Client002 to SFTP and the authorized directory as cfcard:/.
[Quidway] ssh user client002 service-type sftp
[Quidway] ssh user client002 sftp-directory cfcard:/
Step 5 Enable the STelnet and SFTP services on the SSH server.
Step 6 Configure the new listening port number on the SSH server.
[Quidway] ssh server port 1025
Step 7 Connect the SSH client and the SSH server.

# The STelnet client logs in to the SSH server by using the new listening port.
[client001] stelnet 10.164.39.222 1025
Trying 10.164.39.222 ...
Connected to 10.164.39.222 ...
The server is not authenticated. Do you continue to access it?(Y/N):y
Do you want to save the server's public key?(Y/N):y
The server's public key will be saved with the name: 10.164.39.222. Please wait...
Enter password:
Enter the password huawei, and information indicating that the login succeeds is displayed as
follows:
<Quidway>
# The SFTP client logs in to the SSH server by using the new listening port.
[client002]sftp 10.164.39.222 1025
Trying 10.164.39.222 ...
The server's public key does not match the one we cached.
The server is not authenticated. Do you continue to access it?(Y/N):y
Do you want to update the server's public key we cached?(Y/N):y
sftp-client>

Attackers fail to log in to the SSH server by using port 22.
Issue 01 (2011-10-26)

181

9 Telnet and SSH
[client002] sftp 10.164.39.222

Trying 10.164.39.222 ...
Can't establish tcp connection to server
After the configuration, run the commands of display ssh server status and display ssh server
session on the SSH server. You can check the current listening port number on the SSH server,
and that the STelnet or SFTP client logs in to the server successfully.
SSH version
SFTP server
Stelnet server
Scp server
SSH server port
:1.99
:60 seconds
:0 hours
:3 times
:Enable
:Enable
:Disable
:1025

Session 1:
Conn: VTY 3
Version: 2.0
State: started
Username: client001
Retry: 1
Session 2:
Conn: VTY 4
Version: 2.0
State: started
Username: client002
Retry: 1
Service Type: sftp
----End
Configuration Files
l

#
sysname Quidway
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.222 255.255.255.0
#
3047
Issue 01 (2011-10-26)

182

9 Telnet and SSH
0240
0203
010001
public-key-code end
peer-public-key end
#
aaa
#
sftp server enable
ssh server port 1025
ssh user client001
ssh user client002
#
#
#
return

#
sysname client001
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.220 255.255.255.0
#
#
#
return

#
sysname client002
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.39.221 255.255.255.0
#
#
#
return
Issue 01 (2011-10-26)

183

9 Telnet and SSH
9.8.6 Example for Authenticating SSH Through RADIUS

In this example, a user that attempts to access the SSH server is authenticated by the RADIUS
server, and the SSH server determines whether to set up a connection with the user according
to the authentication result.
When an RADIUS user is connected to an SSH server, the SSH server sends the user name and
password of the SSH client to the RADIUS server (compatible with the TACACS server) for
authentication.
The RADIUS server authenticates the user and sends the result (passed or failed) back to the
SSH server. If the authentication is successful, the user level is sent along with the result. The
SSH server determines whether the SSH client is allowed to set up a connection according to
the authentication result.
Figure 9-8 shows the networking diagram.
Figure 9-8 Networking diagram of authenticating the SSH through RADIUS
10.164.39.221/24
SSH Client
10.164.39.222/24
SSH Server
10.164.6.49/24
Radius Server
1.
Configure the RADIUS template on the SSH server.
2.
Configure a domain on the SSH server.
3.
Create a user on the RADIUS server.
4.
Generate the local key pair on STelnet client and SSH server respectively. The SSH server
monitors the port number.
5.
Generate the local key pair on the client and SSH server .
6.
Generate the RSA public key on SSH server and bind the RSA public key of the SSH client
to ssh2@ssh.com.
7.
Enable the STelnet and SFTP services on the SSH server.
8.
Configure the service mode and authorization directory of the SSH user.
9.
Users ssh1@ssh.com and ssh2@ssh.com log in to the SSH server through STelnet and
SFTP respectively.
Data Preparation
Issue 01 (2011-10-26)

184

Configure the password authentication for the two SSH users .
RADIUS authentication
Name of the RADIUS template
Name of the RADIUS domain
Name and password of the RADIUS user
9 Telnet and SSH
Procedure
Step 1 Generate a local key pair on the SSH server.
Generating keys...
.......++++++++++++
..........++++++++++++
...................................++++++++
......++++++++
Step 2 Configure the RSA public key of the server.

# Generate a local key pair of client on the client.
[Quidway] sysname client
[client] rsa local-key-pair create
# View the RSA public key generated on the client.

[client] display rsa local-key-pair public
=====================================================
Key name: Quidway_Host
=====================================================
Key code:
3047
0240
1D7E3E1B
0203
010001
=====================================================
Key name: Quidway_Server
=====================================================
Key code:
3067
0260
Issue 01 (2011-10-26)

185

9 Telnet and SSH
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27

BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
[client]
Step 3 Create the SSH user.

On the RADIUS server, add two users named ssh1@ssh.com and ssh2@ssh.com ; in addition,
designate the NAS address 10.164.39.222 and the key huawei. The NAS address refers to the
address of the SSH server that connects to the RADIUS server.
# Configure the VTY user interface on the SSH server.
# Create SSH users asssh1@ssh.com and ssh2@ssh.com on the SSH server.

[Quidway]
[Quidway]
[Quidway]
[Quidway]
[Quidway]
[Quidway]
[Quidway]
ssh
ssh
ssh
ssh
ssh
ssh
ssh
user
user
user
user
user
user
user
ssh1@ssh.com
ssh1@ssh.com authentication-type password
ssh1@ssh.com service-type stelnet
ssh2@ssh.com
ssh2@ssh.com authentication-type password
ssh2@ssh.com service-type sftp
client001 sftp-directory cfcard:/
Step 4 Configure the RADIUS template.

# Configure the authentication scheme newscheme and authentication mode RADIUS.
[Quidway] aaa
[Quidway-aaa] authentication-scheme newscheme
[Quidway-aaa-authen-newscheme] authentication-mode radius
[Quidway-aaa-authen-newscheme] quit
# Configure the RADIUS template of SSH server as ssh.

[Quidway] radius-server template ssh
# Configure the IP address as 10.164.6.49 and port of the RADIUS authentication server as 1812.
[Quidway-radius-ssh] radius-server authentication 10.164.6.49 1812
# Configure the key of RADIUS server as huawei.

[Quidway-radius-ssh] radius-server shared-key huawei
[Quidway-radius-ssh] quit
Issue 01 (2011-10-26)

186

9 Telnet and SSH
Step 5 Configure RADIUS domain name.

# Configure the RADIUS domain of SSH server as ssh.com, applying authentication scheme
newscheme and RADIUS template ssh.
[Quidway] aaa
[Quidway-aaa] domain ssh.com
[Quidway-aaa-domain-ssh.com] authentication-scheme newscheme
[Quidway-aaa-domain-ssh.com] radius-server ssh
[Quidway-aaa-domain-ssh.com] quit
[Quidway-aaa] quit
Step 6 Connect the SSH client and the SSH server.

# Enable STelnet and SFTP services on the SSH server.
# For the first login, you need to enable the first authentication on SSH client.
[client] ssh client first-time enable
[client] quit
# Connect the STelnet client to the SSH server in the RADIUS authentication.
<client> system-view
[client] stelnet 10.164.39.222
Please input the username: ssh1@ssh.com
Trying 10.164.39.222 ...
Connected to 10.164.39.222 ...
he server is not authenticated. Do you continue to access it?(Y/N):y
Do you want to save the server's public key?(Y/N):y
he server's public key will be saved with the name: 10.164.39.222. Please wait...
Enter password:
Enter the password Huawei and view as follows:

Info: The max number of VTY users is 10, and the current number
<Quidway>
# Connect the SFTP client to the SSH server in the RADIUS authentication.
<client> system-view
[client] sftp 10.164.39.222
Please input the username: ssh2@ssh.com
Trying 10.164.39.222 ...
Connected to 10.164.39.222 ...
Enter password:
sftp-client>

After the configuration, run the display radius-server configuration and display ssh server
session commands on the SSH server. You can view the configuration of the RADIUS server
on the SSH server. You can also view that the STelnet or SFTP client is connected to the SSH
server successfully with RADIUS authentication.
# Display the configuration of the RADIUS server.
[Quidway-aaa] display radius-server configuration
------------------------------------------------------------------Server-template-name
: ssh
Protocol-version
: standard
Traffic-unit
: B
Issue 01 (2011-10-26)

187

9 Telnet and SSH
Shared-secret-key
: huawei
Timeout-interval(in second)
: 5
Primary-authentication-server
: 10.164.6.49
:1812
LoopBack:NULL
Primary-accounting-server
: 0.0.0.0
:0
LoopBack:NULL
Secondary-authentication-server : 0.0.0.0
:0
LoopBack:NULL
Secondary-accounting-server
: 0.0.0.0
:0
LoopBack:NULL
Retransmission
: 3
Domain-included
: YES
Calling-station-id MAC-format
: xxxx-xxxx-xxxx
------------------------------------------------------------------Total of radius template :1
# Display the connection of the SSH server.

Session 1:
Conn
: VTY 0
Version
: 2.0
State
: started
Username
: ssh1@ssh.com
Retry
: 1
CTOS Cipher
: aes128-cbc
STOC Cipher
: aes128-cbc
CTOS Hmac
: hmac-sha1-96
STOC Hmac
: hmac-sha1-96
Kex
: diffie-hellman-group1-sha1
Service Type
: stelnet
Authentication Type : password
Session 2:
Conn
: VTY 1
Version
: 2.0
State
: started
Username
: ssh2@ssh.com
Retry
: 1
CTOS Cipher
: aes128-cbc
STOC Cipher
: aes128-cbc
CTOS Hmac
: hmac-sha1-96
STOC Hmac
: hmac-sha1-96
Kex
: diffie-hellman-group1-sha1
Service Type
: sftp
Authentication Type : password
----End
Configuration Files
Configuration file of the SSH server
#
sysname Quidway
#
radius-server template ssh
radius-server authentication 10.164.6.49 1812
#
3047
0240
0203
010001
public-key-code end
peer-public-key end
#
aaa
authentication-scheme newscheme
authentication-mode radius
#
Issue 01 (2011-10-26)

188

9 Telnet and SSH
domain ssh.com
authentication-scheme newscheme
radius-server ssh
#
#
sftp server enable
ssh user ssh1@ssh.com
ssh user ssh2@ssh.com
ssh user ssh1@ssh.com authentication-type password
ssh user ssh2@ssh.com authentication-type password
ssh user ssh2@ssh.com assign rsa-key RsaKey001
ssh user ssh1@ssh.com service-type stelnet
ssh user ssh2@ssh.com service-type sftp
#
#
Return
9.8.7 Example for Configuring the SCP Client

This section provides an example for configuring the SCP client. In this example, the SCP client
accesses the SCP server to download files.
As shown in Figure 9-9, the switch functioning as the SCP client has a reachable route to the
SCP server, and can download files from the SCP server.
Figure 9-9 Networking diagram of the SCP client
SCP Server
172.16.104.110/24
1.1.1.1/32
SCP Client
1.
Create a local RSA key pair on the SSH server.
2.
Create an SSH user on the SSH server.
3.
Enable SCP services on the SSH server.
4.
Enable first-time authentication on the SSH client.
Issue 01 (2011-10-26)

189

5.
Configure an IP address of the source interface on the SCP client.
6.
Download files from the SSH server to the SCP client.
9 Telnet and SSH
Data Preparation
l
SSH user name, authentication mode, and authentication password
IP address of the source interface on the SCP client
The name and path of the destination files and the source files.
Procedure
Step 1 Create a local RSA key pair on the SSH server.
[Quidway] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: SSH Server_Host
Generating keys...
.....++++++++++++
....++++++++++++
......++++++++
................................++++++++
Step 2 Create an SSH user on the SCP server.

# Configure the VTY user interface.
[SSH
[SSH
[SSH
[SSH
Server] user-interface vty 0 4

Server-ui-vty0-4] authentication-mode aaa
Server-ui-vty0-4] protocol inbound ssh
Server-ui-vty0-4] quit
# Configure the password authentication for the SSH user Client001.

[SSH Server] ssh user client001
[SSH Server] ssh user client001 authentication-type password
# Configure the password of the SSH user Client001 to huawei.

[SSH
[SSH
[SSH
[SSH
Server] aaa
Server-aaa] local-user client001 password cipher huawei
Server-aaa] local-user client001 service-type ssh
Server-aaa] quit
# Configure the service type for the SSH users Client001 to all.
[SSH Server] ssh user client001 service-type all
Step 3 Enable SCP services on the SCP server.

[SSH Server] scp server enable
Step 4 Download files from the SCP server to the SCP client.
# For the first login, you need to enable the first authentication on SSH client.
[Quidway] sysname SCP Client
[SCP Client] ssh client first-time enable
Issue 01 (2011-10-26)

190

9 Telnet and SSH
# Configure the IP address 1.1.1.1 of a loopback interface as the source IP address for the SCP
client.
[SCP Client] scp client-source -a 1.1.1.1
# Use 3des to encrypt the file license.txt, and then download the file to the local working
directory from the remote SCP server with the IP address of 172.16.104.110.
[SCP Client] scp -a 1.1.1.1 -cipher 3des client001@172.16.104.110:license.txt
license.txt

Run the display scp-client command on the SCP client. The command output is as follows:
<Quidway> display scp-client
The source of SCP ipv4 client: 1.1.1.1
The IP address of the source interface on the SCP client is 1.1.1.1.

----End
Configuration Files
l
Configuration file of the SCP server

#
sysname SSH Server
#
aaa
#
scp server enable
ssh user client001
ssh user client001 service-type all
#
#
return
Configuration file of the SCP client

#
sysname SCP Client
#
scp client-source 1.1.1.1
#
return
Issue 01 (2011-10-26)

191

10
10 Web System Configuration
Web System Configuration
About This Chapter

Before configuring the S9300 in Web mode, you need to configure the S9300 as the Web server.
10.1 Overview of Web System
Through the Web system, users can manage and maintain the S9300 in the graphical user
interface (GUI).
10.2 Starting Web System
This topic describes how to load the Web system and create an account of the Web system.
Issue 01 (2011-10-26)

192

10.1 Overview of Web System

Through the Web system, users can manage and maintain the S9300 in the graphical user
interface (GUI).
To facilitates the use and maintenance of the S9300 , Huawei develops the Web system for
S9300.
The S9300 is installed with a built-in Web server. Thus, the terminal (such as a PC) connected
to the S9300 can access the S9300 through the Web browser.
Figure 10-1 shows the running environment of the Web system.
Figure 10-1 Running environment of the Web System
Switch
HTTP
Connection
PC
10.2 Starting Web System

This topic describes how to load the Web system and create an account of the Web system.
10.2.1 Logging In to the S9300 Through the Console Interface

Context
When setting up a local configuration environment through the console interface, you can
connect the PC and the S9300 through the Windows HyperTerminal.
Procedure
Step 1 Enable the HyperTerminal on the PC.
Issue 01 (2011-10-26)

193

Choose Start > All Programs > Accessories > Communications > HyperTerminal to start
the HyperTerminal.
Step 2 Set up a new connection.
As shown in Figure 10-2, enter the name of the new connection in the Name text box and choose
an icon. Click OK.
Figure 10-2 Setting up a new connection
Step 3 Set the connection port.

After entering the Connect window as shown in Figure 10-3, select a serial port from the
Connect drop-down list box according to the port used by the PC or the configuration terminal.
Select COM1 in this case, and click OK.
Issue 01 (2011-10-26)

194

Figure 10-3 Setting the connection port
Step 4 Set communication parameters.

After entering the COM1 Properties window as shown in Figure 10-4, set the communication
parameters according to the description in Table 10-1.
NOTE
In other Windows operating systems, Bits per second may be described as Baud rate; Flow control may
be described as Traffic control.
Issue 01 (2011-10-26)

195

Figure 10-4 Setting communication parameters for the port
Table 10-1 Communication parameters

Parameter
Value
Bit per second (Baud rate)
9600
Data bit
Parity check
None
Stop bit
Flow control (Traffic control)
None
Step 5 After the HyperTerminal is started, select File Attributes to enter the Connect Properties
window as shown in Figure 10-5. Choose the Setting tab, select Auto detect or VT100 from
the Emulation drop-down list box. Click OK to complete the setting.
Issue 01 (2011-10-26)

196

Figure 10-5 Selecting a terminal type
After the preceding steps are complete, press Enter. If the prompt <Quidway> is displayed, it
indicates that you have logged in to the S9300. At this time, you can enter the command to
configure and manage the S9300.
----End
10.2.2 Setting the Management IP Address of the S9300

This section describes how to configure the management IP address of the S9300.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface ethernet 0/0/0
The Ethernet interface view is displayed.

Step 3 Run:
ip address ip-address { mask | mask-length } [ sub ]
Issue 01 (2011-10-26)

197

The IP address of the interface is configured.

----End
10.2.3 Uploading Web Page Files

This section describes how to obtain the Web page files and upload them to the S9300 through
FTP.
Prerequisite
To obtain the Web page file of the S9300, log in to http://support.huawei.com, and then choose
Software Center > Version Software > Data Communication Product Line > Ethernet
Switch > Quidway S9300. Download the software package of the current version. The Web
page file is contained in the software package. The file name is Product Name + the Version
of Software.web.zip.
Before uploading the Web page file, copy the Web page file to the client from which you log in
to the S9300.
Context
NOTE
You can also download Web files through TFTP. In this case, the S9300 functions as the TFTP client, and
the terminal that stores the Web files functions as the TFTP server. For details, see 8.5.3 Downloading
Files Through TFTP.
Procedure
Step 1 Run:
system-view

Step 2 Run:
ftp server enable
The FTP server is enabled.

Step 3 Run:
aaa

Step 4 Run:
local-user user-name
password { simple | cipher } password
An FTP client is configured and the password is set to huawei.

Step 5 Run:
ftp-directory directory
The directory is set for the FTP client.

Step 6 Run:
service-type ftp
The service type of an FTP login user is set.

Issue 01 (2011-10-26)

198

Step 7 Run the following command in the cmd view of the PC:
ftp ip-address
The user name and password are displayed. The PC can log in to the S9300.
C:\>ftp 10.1.1.132
User (10.1.1.132:(none)): client
331 Password required for client.
Password:
230 User logged in.
ftp>
Step 8 Run the following command in the FTP view:

put local-filename
The web.zip file is uploaded from the PC to the S9300.

ftp> put web.zip
150 Opening ASCII mode data connection for web.zip.
226 Transfer complete.
ftp: 251047 bytes sent in 3.36Seconds 74.74Kbytes/sec.
ftp>
----End
10.2.4 Loading a Web Page File

This section describes how to load a Web file.
Context
Before loading the Web page file, upload it to the S9300.
Procedure
Step 1 Run:
system-view

Step 2 Run:
http server load file-name
The Web page file is loaded to the S9300.

----End
10.2.5 Creating a Web Account

Before logging in to the S9300 in Web mode, you need to create a Web account on the S9300.
Context
Before enabling the HTTP server,load the Web Page File to S9300.
Issue 01 (2011-10-26)

199

Procedure
Step 1 Run:
system-view

Step 2 Run:
http server enable
The HTTP server is enabled.

Step 3 Run:
aaa

Step 4 Run:
password { simple | cipher } password
An HTTP client is configured and the password of the client is set.

NOTE
You are recommended to set the password in the cipher text. Simple user name and password should not
be used for the sake of security.
Step 5 Run:
service-type http
The access type of the user named admin is set to HTTP.

Step 6 Run:
quit
Return to the system view.

http timeout timeout
The timeout period of an HTTP connection is set.

By default, the timeout period of an HTTP connection is 20 minutes.
----End
10.2.6 Logging In to the Web System

This section describes how to log in to the S9300 in Web mode.
Procedure
Step 1 Open the Web browser on the PC, and then enter the management address of the S9300 in the
address bar (the PC and the S9300 have reachable routes to each other). Then, press Enter to
display the Login dialog box. As shown in Figure 10-6, enter the pre-set Web user name,
password and verify code, and then choice the language.
Issue 01 (2011-10-26)

200

Figure 10-6 Login
NOTE
If you select Save my password before clicking Login, you do not need to enter the password at next
login.
Step 2 Click Login or press enter to display the homepage of the Web system.
You can configure the S9300 after logging in to the Web system. For details on how to configure
the S9300 on the Web system, see the Quidway S9300 Terabit Routing Switch Web Network
Management System Client Operation Guide.
----End
Issue 01 (2011-10-26)

201

11 SSL Configuration
11
SSL Configuration
About This Chapter

The Secure Sockets Layer (SSL) protocol is used to authenticate the identities of a client and a
server and encrypt data transmitted between the client and the server. SSL ensures that only
authorized users can log in to the server.
11.1 SSL
Currently, SSL is only used for the File Transfer Protocol-SSL (FTPS) and the Hypertext
Transfer Protocol-SSL (HTTPS) applications (secure Web network management is an HTTPS
application).
11.2 SSL Features Supported by the S9300
Currently, SSL is only used for FTPS and HTTPS applications (secure Web network
management is an HTTPS application).
11.3 Configuring Login to an FTPS Server from a User Terminal
FTPS that adds support for SSL is an extension to the commonly used FTP. Using SSL to
authenticate the identities of the client and server and encrypt data to be transmitted, FTPS
implements security management of devices.
11.4 Configuring Login to an FTPS Server from an FTPS Client
The FTPS client and FTPS server authenticate each other's identities to ensure that only
authorized users can access the FTPS server, improving access security.
11.5 Configuring Secure Web Network Management
An SSL policy is configured on and a digital certificate is loaded to an HTTP server. The digital
certificate is used by a client to verify the identity of the server.
Issue 01 (2011-10-26)

202

11.1 SSL
Currently, SSL is only used for the File Transfer Protocol-SSL (FTPS) and the Hypertext
Transfer Protocol-SSL (HTTPS) applications (secure Web network management is an HTTPS
application).
Overview
SSL is a cryptographic protocol that provides communication security over the Internet. It allows
a client and a server to communicate across a network in a way designed to prevent
eavesdropping by authenticating the server or the client. SSL has the following advantages:
l
Provides high security assurance. It uses data encryption, authentication, and a message
integrity check to ensure secure data transmission over the network.
Supports various application layer protocols. SSL is originally designed for securing World
Wide Web traffic. As SSL functions between the application layer and the transport layer,
it secures data transmission based on TCP connections for any application layer protocol.
Is easy to deploy. Currently, SSL has become a world-wide communications standard for
authenticating Web site and Web page users and encrypting data transmitted between
browser users and Web servers.
SSL improves device security from the following aspects:

l
Helps authorized users to securely access servers and prevents unauthorized users from
accessing servers.
Encrypts data transmitted between a client and a server for data transmission security and
computes a digest for data integrity, which implements security management for devices.
Defines an access control policy on a device based on certificate attributes to control the
access rights of clients, which prevents unauthorized users from attacking the device.
Basic Concepts
l
Certificate Authority (CA)

A CA is an entity that issues, manages, and abolishes digital certificates. A CA checks the
validity of digital certificate owners, signs digital certificates to prevent eavesdropping and
tampering, and manages certificates and keys. The world-wide trusted CA is called a root
CA. The root CA can authorize other CAs as subordinate CAs. The CA identity is described
in a trusted-CA file.
For example, CA1 functions as the root CA and issues a certificate for CA2, CA2 then
issues a certificate for CA3 and so on, until CAn issues the final server certificate.
If CA3 issues the server certificate, certificate authentication on the client starts from server
certificate authentication. The CA3 certificate is used to authenticate the server certificate.
If authentication succeeds, the CA2 certificate is used to authenticate the CA3 certificate.
Finally, the CA1 certificate is used to authenticate the CA2 certificate. Server certificate
authentication succeeds only when the CA2 certificate has been authenticated by the CA1
certificate.
Figure 11-1 shows the certificate issuing and authentication processes.
Issue 01 (2011-10-26)

203

Figure 11-1 Schematic diagram for certificate issuing and authentication

Certificate issuing
CA1
CA2
CAn
Server's
certificate
Certificate authentication
Digital certificate
A digital certificate is an electronic document which uses a digital signature to bind a public
key with an identity. The digital certificate includes information such as the name of a
person or an organization that applies for the certificate, public key, digital-signed signature
of the CA that issues the digital certificate, and validity period of the digital certificate. A
digital certificate validates the identities of two communicating parties, improving
communication reliability.
A user must obtain the public key certificate of the information sender in advance to decrypt
and authenticate information in the certificate. In addition, the user also needs the CA
certificate of the information sender to verify the identity of the information sender.
Certificate Revocation List (CRL)

A CRL is a list of certificates that have been revoked, and therefore should not be relied
upon. The CRL is issued by a CA.
The lifetime of a digital certificate is limited. A CA can revoke a digital certificate to shorten
its lifetime. The lifetime of a CRL is usually shorter than the lifetime of certificates in the
CRL. If a CA revokes a digital certificate, the key pair defined in the certificate can no
longer be used even if the digital certificate does not expire. After a certificate in a CRL
expires, the certificate is deleted from the CRL to shorten the CRL.
Before using a digital certificate, the client checks the CRL. If the digital certificate is in
the CRL, the corresponding CA marks the digital certificate as expired, and adds a
certificate expiration list (CEL) when issuing a new CRL. After the CEL expires, it is
automatically deleted from the CRL.
11.2 SSL Features Supported by the S9300

Currently, SSL is only used for FTPS and HTTPS applications (secure Web network
management is an HTTPS application).
FTPS
FTPS that adds support for SSL is an extension to the commonly used FTP.
Using SSL to authenticate the identities of the client and server, encrypt data to be transmitted,
and check message integrity, FTPS provides a secure FTP server access.
l
Login to an FTPS server from a user terminal

an SSL policy is configured on the FTP server. After a digital certificate is loaded and the
FTPS server function is enabled on the server, you can log in to the server from a terminal
on which the SSL-capable FTP client software is installed to securely operate files
transmitted between the terminal and the server.
Issue 01 (2011-10-26)

204

Login to an FTPS server from an FTPS client

An SSL policy needs to be configured and a trusted-CA file needs to be loaded to an
FTP client to verify the identify of the certificate owner, sign a digital certificate to
prevent eavesdropping and tampering, and manage the certificate and key.
An SSL policy needs to be configured on and a digital certificate needs to be loaded to
an FTP server to verify the validity of the trusted-CA file. This ensures that only
authorized clients can log in to the server.
HTTPS
HTTPS that adds support for SSL is an extension to the commonly used HTTP.
and check message integrity, HTTPS provides a secure Web access.
an SSL policy is configured on the device that functions as an HTTP server. After a digital
certificate is loaded to and the HTTPS server function is enabled on the server, users can log in
to the server to remotely manage the server using Web pages.
11.3 Configuring Login to an FTPS Server from a User

Terminal

Before configuring login to an FTPS server from a user terminal, familiarize yourself with the
applicable environment, complete the pre-configuration tasks, and obtain the data required for
the configuration. This will help you complete the configuration task quickly and accurately.
Traditional FTP does not have a security mechanism. It transmits data in plain text. If the FTP
server is configured with login user names and passwords, the FTP server can authenticate
clients, but the clients cannot authenticate the server. Transmitted data is easy to be tampered,
bringing security threats.An SSL policy can be configured on the FTP server to improve security.
SSL allows data encryption, identity authentication, and message integrity verification,
improving data transmission security. In addition, SSL provides secure connections for the FTP
server, greatly improving security of the FTP server.
As shown in Figure 11-2, an SSL policy is configured on the FTP server. After a digital
certificate is loaded and the FTPS server function is enabled on the server, you can log in to the
server from a terminal on which the SSL-capable FTP client software is installed to securely
operate files transmitted between the terminal and the server.
Issue 01 (2011-10-26)

205

Figure 11-2 Networking diagram for a PC to log in to an FTPS server
Network
VLANIF10
192.168.0.1/24
FTP-Server
PC
Before configuring login to an FTPS server from a user terminal, complete the following tasks:
l
Loading a digital certificate to the sub-directory named security of the system directory
on the FTPS server
Installing the SSL-capable FTP client software on the PC
Data Preparation
To configure login to an FTPS server from a user terminal, you need the following data.
No.
Data
SSL policy name and digital certificate
IP address of the FTPS server
11.3.2 Configuring an SSL Policy and Loading a Digital Certificate

A client uses a digital certificate to authenticate the identity of a server for secure communication.
Context
The FTPS server needs to obtain a digital certificate from a CA. The client that will access the
server needs the CA certificate from the CA to verify the validity of the digital certificate of the
server.
NOTE
A CA is responsible for issuing and managing digital certificates. The digital certificate to be loaded to the
FTPS server must be obtained from a corresponding CA.
A digital certificate can be in the PEM, ASN1, or PFX format. Details are as follows:
l
The PEM format is most commonly used. The file name extension of a PEM digital
certificate is .pem.
The PEM format is applicable to text transmission between systems.
The ASN1 format is a universal digital certificate format. The file name extension of an
ASN1 digital certificate is .der.
The ASN1 format is the default format for most browsers.
Issue 01 (2011-10-26)
The PFX format is a universal digital certificate format. The file name extension of a PFX
digital certificate is .pfx.
206

The PFX format is a binary format that can be converted into the PEM or ASN1 format.
Perform the following steps on the device that functions as an FTPS server:
Procedure
Step 1 Run:
system-view

Step 2 Run:
ssl policy policy-name
An SSL policy is configured and the SSL policy view is displayed.

Step 3 Load a digital certificate.
Run one of the following commands as required:
l Run:
certificate load pem-cert cert-filename key-pair { dsa | rsa } key-file keyfilename auth-code auth-code
A PEM digital certificate is loaded.

l Run:
certificate load asn1-cert cert-filename key-pair { dsa | rsa } key-file keyfilename
An ASN1 digital certificate is loaded.

l Run:
certificate load pfx-cert cert-filename key-pair { dsa | rsa } { mac mac-code |
key-file key-filename } auth-code auth-code
A PFX digital certificate is loaded.

l Run:
certificate load pem-chain cert-filename key-pair { dsa | rsa } key-file keyfilename auth-code auth-code
A PEM digital certificate chain is loaded.

NOTE
Only one certificate or certificate chain can be loaded to an SSL policy. If a certificate or certificate chain
has been loaded, unload the certificate or certificate chain before loading a new certificate or certificate
chain.
----End
11.3.3 Enabling the FTPS Function

After a device is configured with an SSL policy and enabled with the FTPS server function, the
device functions as an FTPS server to provide SSL-based FTP services.
Context
NOTE
Before enabling the FTPS server function, disable the FTP server function.
Issue 01 (2011-10-26)

207

Procedure
Step 1 Run:
system-view

Step 2 Run:
ftp secure-server ssl-policy policy-name
An SSL policy is configured for the device.

Step 3 Run:
ftp secure-server enable
The FTPS server function is enabled.

By default, the FTPS server function is disabled.
----End
11.3.4 Accessing an FTPS Server

You can use a PC with the SSL-capable FTP client software or an FTPS client to access an FTPS
server for secure management of files on the FTPS server.
Before accessing an FTPS server, install the SSL-capable FTP client software on a PC, and then
use a third-party software to log in to the FTPS server from the PC to securely manage files on
the FTPS server.

After the configuration of login to an FTPS server from a user terminal is complete, you can
view the SSL policy, digital certificate, and status of the FTPS server.
Prerequisite
The configurations of login to an FTPS server from a user terminal are complete.
Procedure
l
Run the display ssl policy command to check the configured SSL policy and loaded digital
certificate.
Run the display ftp-server command to check the SSL policy name and the FTPS server
status.
----End
Example
Run the display ssl policy command on the FTPS server. The command output shows detailed
information about the configured SSL policy and loaded digital certificate.
<Quidway> display ssl policy
SSL Policy Name: ftp_server
Policy Applicants: FTP secure-server
Key-pair Type: RSA
Certificate File Type: PEM
Certificate Type: certificate
Issue 01 (2011-10-26)

208

Certificate Filename: 1_servercert_pem_rsa.pem

Key-file Filename: 1_serverkey_pem_rsa.pem
Auth-code: 123456
MAC:
CRL File:
Trusted-CA File:
Run the display ftp-server command on the FTP server. The command output shows that the
SSL policy name is ftp_server and the FTPS server is running.
FTP server is stopped
Max user number
User count
Listening port
Acl number
FTP SSL policy
FTP Secure-server is running
5
1
30
21
0
0.0.0.0
ftp_server
11.4 Configuring Login to an FTPS Server from an FTPS

Client
The FTPS client and FTPS server authenticate each other's identities to ensure that only
authorized users can access the FTPS server, improving access security.

Before configuring login to an FTPS server from an FTPS client, familiarize yourself with the
applicable environment, complete the pre-configuration tasks, and obtain the data required for
the configuration. This will help you complete the configuration task quickly and accurately.
bringing security threats. To improve security, perform the following steps on the FTP client
and server:
l
Configure an SSL policy on the FTP client and load a trusted-CA file to the client.
Configure an SSL policy on the FTP server and load a digital certificate to the server.
The client uses the trusted-CA file and digital certificate to authenticate the server so that the
authorized client can access the correct server.
As shown in Figure 11-3,
l
An SSL policy needs to be configured and a trusted-CA file needs to be loaded to an FTP
client to verify the identify of the certificate owner, sign a digital certificate to prevent
eavesdropping and tampering, and manage the certificate and key.
An SSL policy needs to be configured on and a digital certificate needs to be loaded to an

FTP server to verify the validity of the trusted-CA file. This ensures that only authorized
clients can log in to the server.
Issue 01 (2011-10-26)

209

Figure 11-3 Accessing an FTPS server from an FTPS client

FTP-Client
VLANIF20
1.1.1.1/24
Network
VLANIF40
192.168.0.2/24
FTP-Server
VLANIF30
1.1.1.2/24
VLANIF10
192.168.0.1/24
PC1
PC2
If the FTPS client and server are routable, you can log in to the FTPS server from the FTPS
client to remotely manage files.
Before configuring login to an FTPS server from an FTPS client, complete the following tasks:
l
Loading a trusted-CA file to the sub-directory named security of the system directory on
the FTPS client
Loading a digital certificate to the sub-directory named security of the system directory
on the FTPS server
Data Preparation
To configure login to an FTPS server from an FTPS client, you need the following data.
No.
Data
SSL policy name, trusted-CA file, (optional) CRL file, and IP address of the FTPS
client
Digital certificate and IP address of the FTPS server
11.4.2 Configuring the FTPS Client

An SSL policy needs to be configured on and a trusted-CA file needs to be loaded to an FTP
client. The FTPS client can use the trusted-CA file to authenticate an FTPS server to ensure that
only authorized users can log in to the FTPS server.
Context
A trusted-CA file can be in the PEM, ASN1, or PFX format. Details are as follows:
l
Issue 01 (2011-10-26)
210

A CRL file can be in either the ASN1 or PEM format. These two formats represent the same
contents.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Load a trusted-CA file.
l Run:
trusted-ca load pem-ca ca-filename
A PEM trusted-CA file is loaded.

l Run:
trusted-ca load asn1-ca ca-filename
An ASN1 trusted-CA file is loaded.

l Run:
trusted-ca load pfx-ca ca-filename auth-code auth-code
A PFX trusted-CA file is loaded.

A maximum of four trusted-CA files can be loaded to an SSL policy. If multiple trusted-CA
files are loaded, these files will be added to the existing trusted-CA file list.
NOTE
l If the trusted-CA file configured on the FTPS server contains only one certificate, configure all the
trusted-CA certificates of upper levels to the root CA certificate on the client.
l If a certificate chain is configured on the FTPS server, configure only the root CA certificate on the
client.

crl load { pem-crl | asn1-crl } crl-filename
A CRL is loaded.
A maximum of two CRL files can be loaded to an SSL policy. If multiple CRL files are loaded,
these files will be added to the existing CRL file list.
----End
Issue 01 (2011-10-26)

211

11.4.3 Configuring the FTPS Server

Context
The FTPS server needs to obtain a digital certificate from a CA. The client that will access the
server needs the CA certificate from the CA to verify the validity of the digital certificate of the
server.
NOTE
FTPS server must be obtained from a corresponding CA.
l
Procedure
Step 1 Run:
system-view

Step 2 Run:

l Run:

l Run:

Issue 01 (2011-10-26)

212

l Run:

l Run:

NOTE
chain.
Step 4 Run:
ftp secure-server ssl-policy policy-name
An SSL policy is configured for the device.

Step 5 Run:
ftp secure-server enable
The FTPS server function is enabled.

By default, the FTPS server function is disabled.
NOTE
----End
11.4.4 Accessing an FTPS Server

You can use specified commands to log in to an FTPS server from an FTPS client to remotely
manage the FTPS server.
Procedure
l
On an IPv4 network:
In the user view, run:
ftp ssl-policy policy-name [ [ -a source-ip-address | -i interface-type
interface-number ] host [ port-number ] [ public-net | vpn-instance vpninstance-name ] ]
A control connection is established with a remote FTPS server and the FTP client view is
displayed.
l
On an IPv6 network:
In the user view, run:
ftp ssl-policy policy-name ipv6 host [ port-number ]
A control connection is established with a remote FTPS server and the FTP client view is
displayed.
----End
Issue 01 (2011-10-26)

213

Follow-up Procedure
The client can log in to the server only after the entered user name and password are authenticated
by the server. After logging in to the FTPS server, you can operate files on the FTPS server in
the same way as that on an FTP server. Table 11-1 lists file operations on an FTP server.
Table 11-1 File operations
File Operation
Operation
Managin
g files
l Run the ascii command to set the file type to ASCII.
Configuring the
file type
l Run the binary command to set the file type to binary.

The FTP file type is determined by the client. By default,
the ASCII type is used.
Configuring the
data connection
mode
l Run the passive command to set the data connection

mode to PASV.
l Run the undo passive command to set the data
connection mode to PORT.
By default, the PASV mode is used.
Uploading files
l Run the put local-filename [ remote-filename ]

command to upload a file from the local device to a
remote server.
l Run the mput local-filenames command to upload files
from the local device to a remote server.
Downloading
files
l Run the get remote-filename [ local-filename ] command

to download a file from a remote server and save the file
on the local device.
l Run the mget remote-filenames command to download
files from a remote server and save the files on the local
device.
Enabling the file

transfer prompt
function
l If the prompt command is run in the FTP client view to

enable the file transfer prompt function, the system
prompts you to confirm the uploading or downloading
operation during file uploading or downloading.
l If the prompt command is run again in the FTP client
view, the file transfer prompt function is disabled.
NOTE
The prompt command is applicable to the scenario where the
mput or mget command is used to upload or download files. If the
local device has the files to be downloaded by running the mget
command, the system prompts you whether to override the existing
ones regardless of whether the file transfer prompt function is
enabled.
Enabling the FTP

verbose function
Issue 01 (2011-10-26)
Run the verbose command.

After the verbose function is enabled, all FTP response
information is displayed. After file transfer is complete,
statistics about the transmission rate are displayed.

214

File Operation
Operation
Managin
g
directori
es
Changing the
working path of a
remote FTP server
Run the cd pathname command.
Changing the
working path of an
FTP server to the
parent directory
Run the cdup command.
Displaying the
working path of an
FTP server
Run the pwd command.
Displaying files in
the directory and
the list of subdirectories
Run the dir [ remote-directory [ local-filename ] ] command.
Displaying a
specified remote
directory or file on
an FTP server
Run the ls [ remote-directory [ local-filename ] ] command.
Displaying or
changing the
working path of an
FTP client
Run the lcd [ directory ] command.
Creating a
directory on an
FTP server
Run the mkdir remote-directory command.
Deleting a
directory from an
FTP server
Run the rmdir remote-directory command.
If no path name is specified for a specified remote file, the

system will search the file in the authorized directory of the
user.
The lcd command displays the local working path of the FTP
client, whereas the pwd command displays the working path
of the remote FTP server.
The directory can be a combination of letters and numbers,

excluding special characters such as "<", ">", "?", "\", or ":".
Displaying online help for an

FTP command
Run the remotehelp [ command ] command.
Changing an FTP user
Run the user username [ password ] command.

After the configuration of login to an FTPS server from an FTPS client is complete, you can
view the FTPS client, SSL policy configured on the FTPS server, trusted-CA file loaded to the
FTPS client, and digital certificate loaded to the FTPS server.
Prerequisite
The configurations of login to an FTPS server from an FTPS client are complete.
Issue 01 (2011-10-26)

215

Procedure
l
Run the display ssl policy command to check the SSL policy configured on and trustedCA certificate loaded to the FTPS client as well as the SSL policy configured on and digital
certificate loaded to the FTPS server.
Run the display ftp-server command to check the SSL policy name and the FTPS server
status.
----End
Example
Run the display ssl policy command on the FTPS client. The command output shows detailed
information about the configured SSL policy and loaded trusted-CA file.
SSL Policy Name: ftp_client
Policy Applicants:
Key-pair Type:
Certificate File Type:
Certificate Type:
Certificate Filename:
Key-file Filename:
Auth-code:
MAC:
CRL File:
Trusted-CA File:
Trusted-CA File 1: Format = PEM, Filename = 1_cacert_pem_rsa.pem
Trusted-CA File 2: Format = PEM, Filename = 1_rootcert_pem_rsa.pem
Run the display ssl policy command on the FTPS server. The command output shows detailed
information about the configured SSL policy and loaded digital certificate.
Key-pair Type: RSA
Auth-code: 123456
MAC:
CRL File:
Trusted-CA File:
Run the display ftp-server command on the FTP server. The command output shows that the
SSL policy name is ftp_server and the FTPS server is running.
Max user number
User count
Listening port
Acl number
FTP SSL policy
5
1
30
21
0
0.0.0.0
ftp_server
11.5 Configuring Secure Web Network Management

An SSL policy is configured on and a digital certificate is loaded to an HTTP server. The digital
certificate is used by a client to verify the identity of the server.
Issue 01 (2011-10-26)

216


Before configuring an HTTPS server, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the data required for the configuration. This
will help you complete the configuration task quickly and efficiently.
After a device that supports Web network management is enabled with the HTTP function, the
device can function as a Web server. Users can log in to the device using HTTP and use Web
pages to access and control the device. HTTP does not provide a mechanism that allows users
to authenticate a Web server or protects privacy of data transmission. To address this problem,
you can configure HTTPS on the device. HTTPS that adds support for SSL is an extension to
the commonly used HTTP. SSL allows the client and server to authenticate each other and
encrypts data to be transmitted.
As shown in Figure 11-4, an SSL policy is configured on the device that functions as an HTTP
server. After a digital certificate is loaded to and the HTTPS server function is enabled on the
server, users can log in to the server to remotely manage the server using Web pages.
Figure 11-4 Networking diagram for accessing another device by using HTTPS
Network
VLANIF10
192.168.0.1/24
HTTP-Server
PC
Before configuring an HTTPS server, complete the following tasks:
l
Uploading a digital certificate to a device that will function as an HTTPS server and copying
the certificate to the sub-directory named security of the system directory on the HTTPS
server
Installing a Web browser on a PC
Data Preparation
To configure an HTTPS server, you need the following data.
Issue 01 (2011-10-26)
No.
Data
SSL policy name and digital certificate
IP address, Web page file, and Web account of the HTTPS server

217

11.5.2 Configuring an SSL Policy and Loading a Digital Certificate

A digital certificate is used to authenticate the identities of both the user terminal and the HTTPS
server to ensure secure communication.
Context
Before using HTTPS to securely manage files, the HTTPS server needs to obtain a digital
certificate from a CA. The digital certificate is used to authenticate clients. This ensures that
only authorized clients can log in to the HTTPS server.
NOTE
HTTPS server can be generated using a third-party tool such as OpenSSL. OpenSSL can be considered as
a CA. For the procedure for generating a digital certificate, see the OpenSSL usage guide.
The digital certificate includes information such as the name of a person or an organization that
applies for the certificate, public key, digital-signed signature of the CA that issues the digital
certificate, and validity period of the digital certificate. A CA can issue a certificate chain along
with a digital certificate. After receiving a certificate chain, the receiver owns all the certificates
on the chain.
l
certificate is .pem. A PEM certificate contains only a public key but not a private key, and
the public key is usually encrypted.
ASN1 digital certificate is .der. An ANS1 certificate contains only a public key but not a
private key, and the public key is not encrypted.
digital certificate is .pfx. A PFX certificate can contain a private key, and the key is usually
encrypted.
Procedure
Step 1 Run:
system-view

Step 2 Run:
An SSL policy is configured.

l Run:
Issue 01 (2011-10-26)

218


l Run:

l Run:

l Run:

NOTE
chain.
----End
11.5.3 Loading a Web Page File

To manage and maintain a device on a graphical user interface (GUI), you can configure the
Web network management function. Before using the Web network management function, load
the related Web page file.
Procedure
Step 1 Run:
system-view

Step 2 Run:
http server load file-name
A Web page file is loaded.

----End
11.5.4 Enabling the HTTPS Function

After a device is configured with an SSL policy and enabled with the HTTPS function, the device
functions as an HTTPS server to provide SSL-based HTTP services.
Context
NOTE
Before enabling the HTTPS server function, disable the HTTP server function.
Issue 01 (2011-10-26)

219

Procedure
Step 1 Run:
system-view

Step 2 Run:
http secure-server ssl-policy policy-name
An SSL policy is configured for a device.

Step 3 Run:
http secure-server enable
The HTTPS server function is enabled.

By default, the HTTPS server function is disabled.
http secure-server port port-number
The listening port number is configured for the HTTPS server.

The default listening port number of the HTTPS server is 443. When using the default listening
port number to access and control the HTTPS server, you do not need to specify the port number
in commands. Attackers may access the default listening port, consuming bandwidth, affecting
performance of the server, and causing authorized users unable to access the server. To improve
security, run this command to change the listening port number of the HTTPS server. After that,
attackers are deprived of information about the newly configured listening port number, and the
HTTPS server is thus well protected.
----End
11.5.5 Creating a Web Account

Setting the HTTP user name and password is recommended for secure login to a Web server.
Procedure
Step 1 Run:
system-view

Step 2 Run:
aaa

Step 3 Run:
The HTTP user name and password are set.

NOTE
Setting the password in cipher text is recommended. Simple user names and passwords are insecure.
Step 4 Run:
Issue 01 (2011-10-26)

220

local-user user-name service-type http
HTTP is configured as the service type.

----End
11.5.6 Logging In to the Web System

After logging in to the Web system, you can manage and maintain a device on a GUI.
Open the Web browser on the PC. Enter the IP address of the HTTPS server in the address bar.
Press Enter and the dialog box shown in Figure 11-5 is displayed.
Figure 11-5 Login GUI
Enter the HTTP user name, password, and verification code. Click Login or press Enter to enter
the Web system.

After secure Web network management is configured, you can view the configured SSL policy
and loaded digital certificate on the HTTPS server as well as the HTTPS server status.
Prerequisite
The configurations of secure Web network management are complete.
Procedure
l
Run the display ssl policy command to check the configured SSL policy and loaded digital
certificate.
Run the display http server command to check the SSL policy name and the HTTPS server
status.
----End
Issue 01 (2011-10-26)

221

Example
Run the display ssl policy command. The command output shows detailed information about
the configured SSL policy and loaded digital certificate.
SSL Policy Name: http_server
Policy Applicants: WEB secure-server
Key-pair Type: RSA
Auth-code: 123456
MAC:
CRL File:
Trusted-CA File:
Run the display http server command. The command output shows the SSL policy name and
the HTTPS server status.
<Quidway> display http server
HTTP Server Status
HTTP Server Port
HTTP Timeout Interval
Current Online Users
Maximum Users Allowed
HTTP Secure-server Status
HTTP Secure-server Port
HTTP SSL Policy
:
:
:
:
:
:
:
:
disabled
80(80)
20
0
5
enabled
443(443)
http_server

11.6.1 Example for Configuring Login to an FTPS Server from a User
Terminal
You can use a terminal on which the SSL-capable FTP client software is installed to log in to
an FTPS server to securely operate files transmitted between the terminal and the server.
As shown in Figure 11-6, an SSL policy is configured on the FTP server. After a digital
certificate is loaded and the FTPS server function is enabled on the server, you can log in to the
server from a terminal on which the SSL-capable FTP client software is installed to securely
operate files transmitted between the terminal and the server.
Issue 01 (2011-10-26)

222

Figure 11-6 Operating files using FTPS
Network
VLANIF10
192.168.0.1/24
FTP-Server
PC
1.
Upload a digital certificate.

Upload the digital certificate saved on the PC to the FTP server.
2.
Load the digital certificate.

Copy the digital certificate from the system directory of the FTP server to the sub-directory
named security, configure an SSL policy, and load the digital certificate.
3.
Enable the FTPS server function.
4.
Install the SSL-capable FTP client software on the PC
Data Preparation
l
FTP user name and password
SSL digital certificate
Procedure
Step 1 Upload a digital certificate.
# Configure an IP address for the FTP server so that the PC and FTP server are routable.
[Quidway] sysname FTP-Server
[FTP-Server] interface gigabitethernet1/0/1
[FTP-Server-GigabitEthernet1/0/1] port link-type access
[FTP-Server-GigabitEthernet1/0/1] quit
[FTP-Server] vlan 10
[FTP-Server-vlan10] port gigabitethernet1/0/1
[FTP-Server-vlan10] quit
[FTP-Server] interface vlanif 10
[FTP-Server-Vlanif10] ip address 192.168.0.1 24
[FTP-Server-Vlanif10] quit
# Enable the FTP server function.

[FTP-Server] ftp server enable
# Configure the authentication information, authorization mode, and authorized directory for an
FTP user on the FTP server.
[FTP-Server] aaa
[FTP-Server-aaa] local-user huawei password simple huawei
[FTP-Server-aaa] local-user huawei service-type ftp
Issue 01 (2011-10-26)

223

[FTP-Server-aaa] local-user huawei ftp-directory cfcard:

[FTP-Server-aaa] quit
[FTP-Server] quit
# Run the ftp ftp-server-address commands at the Windows command prompt. Enter the correct
user name and password to set up an FTP connection to the FTP server, as shown in Figure
11-7.
Figure 11-7 Logging in to an FTP server from a user terminal
Upload the digital certificate saved on the user terminal to the FTP server, as shown in Figure
11-8.
Figure 11-8 Uploading a digital certificate
Issue 01 (2011-10-26)

224

After the preceding configurations are complete, run the dir command on the FTP server. The
command output shows that the digital certificate has been successfully uploaded to the server.
<FTP-Server> dir
Idx
Attr
0 drw1 -rw2 -rw3 -rw4 -rw-
Size(Byte)
Date
May
May
May
May
May
524,575
446
1,302
951
10
10
10
10
10
Time(LMT) FileName
2011 05:05:40
src
2011 05:05:53
private-data.txt
2011 05:05:51
vrpcfg.zip
2011 05:32:05
1_servercert_pem_rsa.pem
2011 05:32:44
1_serverkey_pem_rsa.pem
304,292 KB total (303,770 KB free)
Step 2 Configure an SSL policy and load the digital certificate.

# Create a sub-directory named security and copy the digital certificate to this sub-directory.
<FTP-Server> mkdir security/
<FTP-Server> copy 1_servercert_pem_rsa.pem security/
<FTP-Server> copy 1_serverkey_pem_rsa.pem security/
After the preceding configurations are complete, run the dir command in the security subdirectory on the FTP server. The command output shows that the digital certificate has been
successfully uploaded to the server.
<FTP-Server> cd security/
<FTP-Server> dir
Directory of cfcard:/security/
Idx
0
1
Attr
-rw-rw-
Size(Byte)
1,302
951
Date
Time(LMT)
May 10 2011 05:44:34
May 10 2011 05:45:22
FileName
304,292 KB total (303,766 KB free)
# Create an SSL policy and load the PEM digital certificate.

<FTP-Server> system-view
[FTP-Server] ssl policy ftp_server
[FTP-Server-ssl-policy-ftp_server] certificate load pem-cert
1_servercert_pem_rsa.pem key-pair rsa key-file 1_serverkey_pem_rsa.pem auth-code
123456
[FTP-Server-ssl-policy-ftp_server] quit
Step 3 Enable the FTPS server function.

NOTE
[FTP-Server] undo ftp server
[FTP-Server] ftp secure-server ssl-policy ftp_server
[FTP-Server] ftp secure-server enable
Step 4 Install the SSL-capable FTP client software on the PC.

For details about the operation procedure, see the help document about the third-party software.
# Run the display ssl policy command on the FTPS server. The command output shows detailed
information about the loaded certificate.
[FTP-Server] display ssl policy
Key-pair Type: RSA
Issue 01 (2011-10-26)

225


Auth-code: 123456
MAC:
CRL File:
Trusted-CA File:
# Run the display ftp-server command on the FTPS server. The command output shows that
the configured SSL policy name is ftp_server and the FTPS server is running.
[FTP-Server] display ftp-server
Max user number
User count
Listening port
Acl number
FTP SSL policy
5
1
30
21
0
0.0.0.0
ftp_server
You can establish a connection with the FTPS server using the SSL-capable FTP client software
and upload files to and download files from the server.
----End
Configuration Files
Configuration file of the FTPS server
#
sysname FTP-Server
#
FTP secure-server enable
ftp secure-server ssl-policy ftp_server
#
vlan batch 10
#
ssl policy ftp_server
certificate load pem-cert 1_servercert_pem_rsa.pem key-pair rsa key-file
1_serverkey_pem_rsa.pem auth-code 123456
#
aaa
local-user huawei password simple huawei
local-user huawei service-type ftp
local-user huawei ftp-directory cfcard:/
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
port link-type access
port default vlan 10
#
return
11.6.2 Example for Configuring Login to an FTPS Server from an

FTPS Client
You can log in to an FTPS server from an FTPS client to operate files transmitted between the
server and the client.
Issue 01 (2011-10-26)

226

As shown in Figure 11-9,
l
An SSL policy needs to be configured and a trusted-CA file needs to be loaded to an FTP
client to verify the identify of the certificate owner, sign a digital certificate to prevent
eavesdropping and tampering, and manage the certificate and key.
An SSL policy needs to be configured on and a digital certificate needs to be loaded to an

FTP server to verify the validity of the trusted-CA file. This ensures that only authorized
clients can log in to the server.
Figure 11-9 Accessing an FTPS server from an FTPS client

FTP-Client
VLANIF20
1.1.1.1/24
Network
VLANIF40
192.168.0.2/24
FTP-Server
VLANIF30
1.1.1.2/24
VLANIF10
192.168.0.1/24
PC1
PC2
If the FTPS client and server are routable, you can log in to the FTPS server from the FTPS
client to remotely manage files.
1.
Upload certificates.
l Upload the digital certificate saved on PC2 to the FTP server.
l Upload the trusted-CA file saved on PC1 to the FTP client.
2.
Load the certificates and configure SSL policies.

l Copy the digital certificate from the system directory of the FTP server to the
security sub-directory, configure an SSL policy, and load the digital certificate.
l Copy the trusted-CA file from the system directory of the FTP client to the security
sub-directory, configure an SSL policy, and load the trusted-CA file.
3.
Issue 01 (2011-10-26)
Enable the FTPS server function on the FTP server.

227

4.
Configure IP addresses for the interfaces that interconnect the FTP client and server to
ensure that the client and server are routable.
5.
Run the ftp command on the FTP client to log in to the FTPS server to remotely manage
files.
Data Preparation
l
IP addresses of the FTP client and server
FTP user name and password
SSL trusted-CA file and digital certificate
Procedure
Step 1 Upload certificates.
l Perform the following steps on the FTP server:
# Configure an IP address for the FTP server so that the PC and FTP server are routable.
[Quidway] sysname FTP-Server
[FTP-Server] interface gigabitethernet1/0/1
[FTP-Server-vlan10] port gigabitethernet1/0/1

[FTP-Server] ftp server enable
# Configure the authentication information, authorization mode, and authorized directory for
an FTP user on the FTP server.
[FTP-Server] aaa
[FTP-Server-aaa] local-user huawei password simple huawei
[FTP-Server-aaa] local-user huawei service-type ftp
[FTP-Server-aaa] local-user huawei ftp-directory cfcard:
[FTP-Server-aaa] quit
[FTP-Server] quit
# Run the ftp ftp-server-address commands at the Windows command prompt. Enter the
correct user name and password to set up an FTP connection to the FTP server, as shown in
Figure 11-10.
Issue 01 (2011-10-26)

228

Figure 11-10 Logging in to an FTP server from a user terminal
Upload the digital certificate saved on the user terminal to the FTP server, as shown in Figure
11-11.
After the preceding configurations are complete, run the dir command on the FTP server.
The command output shows that the digital certificate has been successfully uploaded to the
server.
<FTP-Server> dir
Idx
0
1
2
Issue 01 (2011-10-26)
Attr
drw-rw-rw-
Size(Byte)
524,575
446
Date
Time(LMT)
May 10 2011 05:05:40
May 10 2011 05:05:53
May 10 2011 05:05:51

FileName
src
private-data.txt
vrpcfg.zip
229

3
4
5
-rw-rwdrw-
1,302
951
-
May 10 2011 05:32:05

May 10 2011 05:32:44
May 10 2011 05:43:39
security
304,292 KB total (303,766 KB free)
l Perform the following steps on the FTP client:

The procedure for uploading the trusted-CA file to the FTP client is similar to the procedure
for uploading the digital certificate to the FTP server. For detailed configurations, see the
configuration file of the FTP client in this example.
After the trusted-CA file is uploaded to the FTP client, run the dir command on the FTP
client. The command output shows that the trusted-CA file has been successfully uploaded
to the FTP client.
<FTP-Client> dir
Idx
0
1
2
3
4
5
6
7
8
9
Attr
-rw-rw-rwdrw-rw-rwdrw-rwdrwdrw-
Size(Byte)
524,558
1,237
1,241
421
1,308,478
4
-
Date
May 10
May 10
May 10
Apr 09
Apr 09
Apr 14
Apr 10
Apr 19
Apr 11
Apr 13
2011
2011
2011
2011
2011
2011
2011
2011
2011
2011
Time(LMT)
04:50:39
05:55:33
05:55:44
19:46:14
19:46:14
19:22:45
01:35:54
04:24:28
16:18:53
11:37:40
FileName
private-data.txt
1_cacert_pem_rsa.pem
1_rootcert_pem_rsa.pem
src
vrpcfg.zip
web.zip
logfile
snmpnotilog.txt
security
lam
304,292 KB total (300,270 KB free)
Step 2 Load the certificates and configure SSL policies.

l Perform the following steps on the FTP server:
<FTP-Server> mkdir security/
<FTP-Server> copy 1_servercert_pem_rsa.pem security/
<FTP-Server> copy 1_serverkey_pem_rsa.pem security/
After the preceding configurations are complete, run the dir command in the security subdirectory on the FTP server. The command output shows that the digital certificate has been
<FTP-Server> cd security/
<FTP-Server> dir
Idx
0
1
Attr
-rw-rw-
Size(Byte)
1,302
951
Date
Time(LMT)
May 10 2011 05:44:34
May 10 2011 05:45:22
FileName
304,292 KB total (303,766 KB free)

<FTP-Server> system-view
[FTP-Server] ssl policy ftp_server
[FTP-Server-ssl-policy-ftp_server] certificate load pem-cert
1_servercert_pem_rsa.pem key-pair rsa key-file 1_serverkey_pem_rsa.pem authcode 123456
[FTP-Server-ssl-policy-ftp_server] quit
After the preceding configurations are complete, run the display ssl policy command on the
FTP server. The command output shows detailed information about the loaded certificate.
[FTP-Server] display ssl policy
Key-pair Type: RSA
Issue 01 (2011-10-26)

230

Certificate Type:
Key-file Filename:
Auth-code:
MAC:
CRL File:
Trusted-CA File:
certificate
123456
l Configure the FTP client.

# Create a sub-directory named security and copy the trusted-CA file to this sub-directory.
The configuration procedure is similar to that on the FTP server. For detailed configurations,
see the configuration file of the FTP client in this example.
After the trusted-CA file is copied to the security sub-directory, run the dir command in this
sub-directory. The command output shows that the trusted-CA file has been successfully
copied to this sub-directory.
<FTP-Client> cd security/
<FTP-Client> dir
Idx
0
1
Attr
-rw-rw-
Size(Byte)
1,237
1,241
Date
Time(LMT)
May 10 2011 05:57:15
May 10 2011 05:57:29
FileName
1_cacert_pem_rsa.pem
1_rootcert_pem_rsa.pem
304,292 KB total (300,266 KB free)
# Create an SSL policy and load the trusted-CA file.

<FTP-Client> system-view
[FTP-Client] ssl policy ftp_client
[FTP-Client-ssl-policy-ftp_client] trusted-ca load pem-ca 1_cacert_pem_rsa.pem
[FTP-Client-ssl-policy-ftp_client] trusted-ca load pem-ca 1_rootcert_pem_rsa.pem
[FTP-Client-ssl-policy-ftp_client] quit
FTP client. The command output shows detailed information about the trusted-CA file.
[FTP-Client] display ssl policy
SSL Policy Name: ftp_client
Policy Applicants:
Key-pair Type:
Certificate File Type:
Certificate Type:
Key-file Filename:
Auth-code:
MAC:
CRL File:
Trusted-CA File:
Trusted-CA File 1: Format = PEM, Filename = 1_cacert_pem_rsa.pem
Trusted-CA File 2: Format = PEM, Filename = 1_rootcert_pem_rsa.pem
Step 3 Enable the FTPS server function.

NOTE
[FTP-Server] undo ftp server
[FTP-Server] ftp secure-server ssl-policy ftp_server
[FTP-Server] ftp secure-server enable
Step 4 Configure IP addresses for the interfaces that interconnect the FTP client and server.
# Configure the FTP server.
[FTP-Server] interface gigabitethernet 1/0/2
Issue 01 (2011-10-26)

231

[FTP-Server-vlan30] port gigabitethernet 1/0/2

# Configure the FTP client.

[FTP-Client] interface gigabitethernet 1/0/2
[FTP-Client-GigabitEthernet1/0/2] port link-type access
[FTP-Client-GigabitEthernet1/0/2] quit
[FTP-Client] vlan 20
[FTP-Client-vlan20] port gigabitethernet 1/0/2
[FTP-Client-vlan20] quit
[FTP-Client] interface vlanif 20
[FTP-Client-Vlanif20] ip address 1.1.1.1 24
[FTP-Client-Vlanif20] quit
[FTP-Client] quit
Step 5 Run the ftp command on the FTP client to log in to the FTPS server to remotely manage files.
<FTP-Client> ftp ssl-policy ftp_client 1.1.1.2
Trying 1.1.1.2 ...
234 AUTH command successfully, Security mechanism accepted.
200 PBSZ is ok.
200 Data channel security level is changed to private.
User(1.1.1.2:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp]
The client can log in to the FTP server only after the correct user name and password are entered.
# Run the display ftp-server command on the FTPS server. The command output shows that
the configured SSL policy name is ftp_server and the FTPS server is running.
[FTP-Server] display ftp-server
Max user number
User count
Listening port
Acl number
FTP SSL policy
5
1
30
21
0
0.0.0.0
ftp_server
You can use the FTP client to remotely manage files on the FTPS server.
----End
Configuration Files
l
Configuration file of the FTP server

#
sysname FTP-Server
#
FTP secure-server enable
ftp secure-server ssl-policy ftp_server
#
vlan batch 10 30
Issue 01 (2011-10-26)

232

#
ssl policy ftp_server
#
aaa
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface Vlanif30
ip address 1.1.1.2 255.255.255.0
#
#
#
return
Configuration file of the FTP client

#
sysname FTP-Client
#
FTP server enable
#
vlan batch 20 40
#
ssl policy ftp_client
trusted-ca load pem-ca 1_cacert_pem_rsa.pem
trusted-ca load pem-ca 1_rootcert_pem_rsa.pem
#
aaa
#
interface Vlanif20
ip address 1.1.1.1 255.255.255.0
#
interface Vlanif40
ip address 192.168.0.2 255.255.255.0
#
#
#
return
Issue 01 (2011-10-26)

233

11.6.3 Example for Configuring Secure Web Network Management

and check message integrity, secure Web network management provides a secure Web access.
After a device that supports Web network management is enabled with the HTTP function, the
device can function as a Web server. Users can log in to the device using HTTP and use Web
pages to access and control the device. HTTP does not provide a mechanism that allows users
to authenticate a Web server or protects privacy of data transmission. To address this problem,
you can configure HTTPS on the device. HTTPS that adds support for SSL is an extension to
the commonly used HTTP. SSL allows the client and server to authenticate each other and
encrypts data to be transmitted.
As shown in Figure 11-12, an SSL policy is configured on the device that functions as an HTTP
server. After a digital certificate is loaded to and the HTTPS server function is enabled on the
server, users can log in to the server to remotely manage the server using Web pages.
Figure 11-12 Networking diagram for accessing another device by using HTTPS
Network
VLANIF10
192.168.0.1/24
HTTP-Server
PC
1.
Upload a digital certificate and a Web page file.

Upload the digital certificate and Web page file saved on the PC to the device that functions
as an HTTP server.
2.
Load the digital certificate.

Copy the digital certificate from the system directory of the HTTP server to the security
sub-directory, configure an SSL policy, and load the digital certificate.
3.
Load the Web page file.
4.
Create a Web account.
5.
Log in to the Web system.
Data Preparation
l
IP addresses of the HTTP server
HTTP user name and password
SSL digital certificate
Issue 01 (2011-10-26)

234

l
l
Web account
Web page file
Procedure
Step 1 Upload the digital certificate and Web page file.
# Configure an IP address for the device that functions as an HTTP server so that the PC and
HTTP server are routable.
[Quidway] sysname HTTP-Server
[HTTP-Server] interface gigabitethernet1/0/1
[HTTP-Server-GigabitEthernet1/0/1] port link-type access
[HTTP-Server-GigabitEthernet1/0/1] quit
[HTTP-Server] vlan 10
[HTTP-Server-vlan10] port gigabitethernet1/0/1
[HTTP-Server-vlan10] quit
[HTTP-Server] interface vlanif 10
[HTTP-Server-Vlanif10] ip address 192.168.0.1 24
[HTTP-Server-Vlanif10] quit

[HTTP-Server] ftp server enable
# Configure the authentication information, authorization mode, and authorized directory for
FTP users.
[HTTP-Server] aaa
[HTTP-Server-aaa] local-user huawei password simple huawei
[HTTP-Server-aaa] local-user huawei service-type ftp
[HTTP-Server-aaa] local-user huawei ftp-directory cfcard:
[HTTP-Server-aaa] quit
[HTTP-Server] quit
# Upload the digital certificate and Web page file from the PC to the HTTP server, as shown in
Figure 11-13.
Issue 01 (2011-10-26)

235

After the preceding configurations are complete, run the dir command on the HTTP server. The
command output shows that the digital certificate and Web page file have been successfully
uploaded to the server.
<HTTP-Server> dir
Idx
0
1
2
3
4
5
6
7
8
9
Attr
-rw-rw-rwdrw-rw-rwdrw-rwdrwdrw-
Size(Byte)
524,558
1,302
951
421
1,308,478
4
-
Date
Apr 14
Apr 14
Apr 14
Apr 09
Apr 09
Apr 14
Apr 10
Apr 14
Apr 11
Apr 13
2011
2011
2011
2011
2011
2011
2011
2011
2011
2011
Time(LMT)
16:24:39
19:22:30
19:22:35
19:46:14
19:46:14
19:22:45
01:35:54
04:56:35
16:18:53
11:37:40
FileName
private-data.txt
src
vrpcfg.zip
web.zip
logfile
snmpnotilog.txt
security
lam
304,292 KB total (300,782 KB free)
Step 2 Configure an SSL policy and load the digital certificate.

<HTTP-Server> mkdir security/
<HTTP-Server> copy 1_servercert_pem_rsa.pem
<HTTP-Server> copy 1_serverkey_pem_rsa.pem security/
After the preceding configurations are complete, run the dir command in the security subdirectory on the HTTP server. The command output shows that the digital certificate has been
<HTTP-Server> cd security/
<HTTP-Server> dir
Idx
1
2
Attr
-rw-rw-
Size(Byte)
1,302
951
Date
Time(LMT)
Apr 13 2011 14:29:31
Apr 13 2011 14:29:49
FileName
304,292 KB total (303,404 KB free)

<HTTP-Server> system-view
[HTTP-Server] ssl policy http_server
[HTTP-Server-ssl-policy-http_server] certificate load pem-cert
1_servercert_pem_rsa.pem key-pair rsa key-file 1_serverkey_pem_rsa.pem auth-code
123456
[HTTP-Server-ssl-policy-http_server] quit
HTTP server. The command output shows detailed information about the loaded certificate.
[HTTP-Server] display ssl policy
SSL Policy Name: http_server
Policy Applicants: WEB secure-server
Key-pair Type: RSA
Auth-code: 123456
MAC:
Issue 01 (2011-10-26)

236

CRL File:
Trusted-CA File:
Step 3 Load the Web page file.

[HTTP-Server] http server load web.zip
Step 4 Create a Web account.

# Enable the HTTPS server function.
NOTE
Before enabling the HTTPS server function, disable the HTTP server function.
[HTTP-Server] undo http server enable
[HTTP-Server] http secure-server ssl-policy http_server
[HTTP-Server] http secure-server enable
# Configure authentication information and authorization mode for HTTP users.

[HTTP-Server] aaa
[HTTP-Server-aaa] local-user http password simple http
[HTTP-Server-aaa] local-user http service-type http
[HTTP-Server-aaa] quit
Step 5 Log in to the Web system.

Open the Web browser on the PC. Enter the IP address of the HTTP server in the address bar.
Press Enter and the dialog box shown in Figure 11-14 is displayed.
Figure 11-14 Login GUI
Enter the HTTP user name, password, and verification code. Click Login or press Enter to enter
the Web system.
# Run the display http server command on the HTTPS server. The command output shows the
SSL policy name and the HTTPS server status.
[HTTP-Server] display http-server
HTTP Server Status
HTTP Server Port
Issue 01 (2011-10-26)
: disabled
: 80(80)

237

HTTP Timeout Interval
Current Online Users
Maximum Users Allowed
HTTP Secure-server Status
HTTP Secure-server Port
HTTP SSL Policy
:
:
:
:
:
:
20
0
5
enabled
443(443)
http_server
----End
Configuration Files
Configuration file of the HTTPS server
#
sysname FTP-Server
#
FTP server enable
#
undo http server enable
http server load web.zip
http secure-server ssl-policy http_server
http secure-server enable
#
vlan batch 10
#
ssl policy http_server
#
aaa
local-user http password simple http
local-user http service-type http
local-user huawei ftp-directory cfcard:
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
#
return
Issue 01 (2011-10-26)

238

Configuration Guide - Basic Configuration (V100R006C01 - 01) PDF

Caricato da

Informazioni sul documento

Titolo originale

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

Configuration Guide - Basic Configuration (V100R006C01 - 01) PDF

Caricato da

Copyright:

Formati disponibili

Quidway S9300 Terabit Routing Switch