configuration guide basic configurations (v200r001c01_03)

ATN 910 Multi - service Access EquipmentV200R001C01

Configuration Guide - BasicConfigurations

Issue 03

Date 2012-03-19

HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2012. All rights reserved.No part of this document may be reproduced or transmitted in any form or by any means without prior writtenconsent of Huawei Technologies Co., Ltd. Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.All other trademarks and trade names mentioned in this document are the property of their respective holders. NoticeThe purchased products, services and features are stipulated by the contract made between Huawei and thecustomer. All or part of the products, services and features described in this document may not be within thepurchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,and recommendations in this document are provided "AS IS" without warranties, guarantees or representationsof any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in thepreparation of this document to ensure accuracy of the contents, but all statements, information, andrecommendations in this document do not constitute the warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.Address: Huawei Industrial Base

Bantian, LonggangShenzhen 518129People's Republic of China

Website: http://www.huawei.com

Email: [email protected]

Issue 03 (2012-03-19) Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

i

http://www.huawei.com

mailto:[email protected]

About This Document

Related VersionThe following table lists the product version related to this document.

Product Name Version

ATN 910 V200R001C01

Intended AudienceThis document provides the basic concepts, configuration procedures, and configurationexamples in different application scenarios of the VRP Overview, Establishment of theConfiguration Environment, CLI Overview, Basic Configuration, User Management, FileSystem, Management of Configuration Files, FTP, TFTP, Telnet and SSH, Upgrade andMaintenance features supported by the ATN 910 device.

This document is intended for:

l Commissioning Engineer

l Data Configuration Engineer

l Network Monitoring Engineer

l System Maintenance Engineer

Symbol ConventionsSymbol Description

DANGERIndicates a hazard with a high level of risk, which if notavoided, will result in death or serious injury.

WARNINGIndicates a hazard with a medium or low level of risk, whichif not avoided, could result in minor or moderate injury.

ATN 910 Multi - service Access EquipmentConfiguration Guide - Basic Configurations About This Document


ii

Symbol Description

CAUTIONIndicates a potentially hazardous situation, which if notavoided, could result in equipment damage, data loss,performance degradation, or unexpected results.

TIP Indicates a tip that may help you solve a problem or savetime.

NOTE Provides additional information to emphasize or supplementimportant points of the main text.

Command ConventionsConvention Description

Boldface The keywords of a command line are in boldface.

Italic Command arguments are in italics.

[ ] Items (keywords or arguments) in brackets [ ] are optional.

{ x | y | ... } Optional items are grouped in braces and separated byvertical bars. One item is selected.

[ x | y | ... ] Optional items are grouped in brackets and separated byvertical bars. One item is selected or no item is selected.

{ x | y | ... }* Optional items are grouped in braces and separated byvertical bars. A minimum of one item or a maximum of allitems can be selected.

[ x | y | ... ]* Optional items are grouped in brackets and separated byvertical bars. Several items or no item can be selected.

GUI ConventionsConvention Description

Boldface Buttons, menus, parameters, tabs, window, and dialog titlesare in boldface. For example, click OK.

> Multi-level menus are in boldface and separated by the ">"signs. For example, choose File > Create > Folder.



iii

Change HistoryUpdates between document issues are cumulative. Therefore, the latest document issue containsall updates made in previous issues.

Changes in Issue 03 (2012-03-19)Known bugs are fixed.

Changes in Issue 02 (2012-01-06)Known bugs are fixed.

Changes in Issue 01 (2011-10-28)This document is the first release of the V200R001C01 version.



iv

Contents

About This Document.....................................................................................................................ii

1 Establishment of the Configuration Environment.................................................................11.1 Introduction to Establishment of the Configuration Environment.....................................................................2

1.1.1 Login Through the Console.......................................................................................................................21.1.2 Login Through Telnet................................................................................................................................2

1.2 Logging In to the Device Through the Console Port..........................................................................................21.2.1 Establishing the Configuration Task.........................................................................................................31.2.2 Establishing the Physical Connection........................................................................................................31.2.3 Configuring Terminals..............................................................................................................................41.2.4 Logging In to the Device...........................................................................................................................4

1.3 Logging In to Device Through Telnet................................................................................................................51.3.1 Establishing the Configuration Task.........................................................................................................51.3.2 Establishing the Physical Connection........................................................................................................51.3.3 Configuring Login User Parameters..........................................................................................................61.3.4 Logging In from the Telnet Client.............................................................................................................6

1.4 Configuration Examples.....................................................................................................................................61.4.1 Example for Logging In Through the Console Port..................................................................................71.4.2 Example for Logging In Through Telnet..................................................................................................9

2 CLI Overview...............................................................................................................................122.1 CLI Introduction...............................................................................................................................................13

2.1.1 Command Line Interface.........................................................................................................................132.1.2 Command Levels.....................................................................................................................................132.1.3 Command Line Views.............................................................................................................................16

2.2 Online Help.......................................................................................................................................................172.2.1 Full Help..................................................................................................................................................172.2.2 Partial Help..............................................................................................................................................182.2.3 Error Messages of the Command Line Interface.....................................................................................18

2.3 Features of Command Line Interface...............................................................................................................192.3.1 Editing.....................................................................................................................................................192.3.2 Displaying................................................................................................................................................192.3.3 Regular Expressions................................................................................................................................202.3.4 History Commands..................................................................................................................................23

ATN 910 Multi - service Access EquipmentConfiguration Guide - Basic Configurations Contents


v

2.3.5 Batch Command Execution.....................................................................................................................242.4 Shortcut Keys...................................................................................................................................................24

2.4.1 Classifying Shortcut Keys.......................................................................................................................252.4.2 Defining Shortcut Keys...........................................................................................................................262.4.3 Use of Shortcut Keys...............................................................................................................................26

2.5 Configuration Examples...................................................................................................................................272.5.1 Example for Running Commands in Batches..........................................................................................272.5.2 Example for Using Tab............................................................................................................................282.5.3 Example for Using Shortcut Keys...........................................................................................................292.5.4 Copying Commands Using Shortcut Keys..............................................................................................29

3 Basic Configuration.....................................................................................................................313.1 Basic Configuration Introduction.....................................................................................................................323.2 Configuring the Basic System Environment....................................................................................................32

3.2.1 Establishing the Configuration Task.......................................................................................................323.2.2 Switching the Language Mode................................................................................................................333.2.3 Configuring the Equipment Name...........................................................................................................333.2.4 Setting the System Clock.........................................................................................................................343.2.5 Configuring a Header..............................................................................................................................353.2.6 Configuring Command Levels................................................................................................................353.2.7 Configuring the Undo Command to Match in the Previous View Automatically..................................36

3.3 Configuring Basic User Environment..............................................................................................................373.3.1 Establishing the Configuration Task.......................................................................................................373.3.2 Configuring the Password for Switching User Levels............................................................................383.3.3 Switching User Levels.............................................................................................................................383.3.4 Locking User Interfaces...........................................................................................................................39

3.4 Displaying System Status Messages.................................................................................................................393.4.1 Displaying System Configuration...........................................................................................................403.4.2 Displaying System Status........................................................................................................................403.4.3 Collecting System Diagnostic Information.............................................................................................40

4 User Management........................................................................................................................424.1 User Management Introduction........................................................................................................................44

4.1.1 User Interface View.................................................................................................................................444.1.2 User Management....................................................................................................................................45

4.2 Configuring Console User Interface.................................................................................................................464.2.1 Establishing the Configuration Task.......................................................................................................474.2.2 Configuring Console Interface Attributes...............................................................................................474.2.3 Setting Console Terminal Attributes.......................................................................................................484.2.4 Configuring User Priority........................................................................................................................494.2.5 Configuring User Authentication............................................................................................................494.2.6 Checking the Configuration.....................................................................................................................50

4.3 Configuring VTY User Interface......................................................................................................................514.3.1 Establishing the Configuration Task.......................................................................................................51



vi

4.3.2 Configuring Maximum VTY User Interfaces.........................................................................................514.3.3 (Optional)Configuring Limits for Incoming Calls and Outgoing Calls..................................................524.3.4 Configuring VTY Terminal Attributes....................................................................................................534.3.5 Configuring User Authentication............................................................................................................544.3.6 Checking the Configuration.....................................................................................................................55

4.4 Managing User Interfaces.................................................................................................................................554.4.1 Establishing the Configuration Task.......................................................................................................564.4.2 Sending Messages to Other User Interfaces............................................................................................564.4.3 Clearing Online User...............................................................................................................................564.4.4 Checking the Configuration.....................................................................................................................57

4.5 Configuring User Authentication.....................................................................................................................574.5.1 Establishing the Configuration Task.......................................................................................................574.5.2 Configuring Authentication Mode...........................................................................................................584.5.3 Configuring Authentication Password.....................................................................................................584.5.4 Setting Username and Password for AAA Local Authentication...........................................................594.5.5 Configuring Non-Authentication.............................................................................................................604.5.6 Configuring User Priority........................................................................................................................604.5.7 Checking the Configuration.....................................................................................................................61

4.6 Configuring Exclusive Configuration Access..................................................................................................614.6.1 (Optional) Viewing the Current Locked Configuration Set....................................................................614.6.2 Enabling Exclusive Configuration Access..............................................................................................614.6.3 (Optional) Setting the Unlocking Time...................................................................................................62

4.7 Configuring Local User Management..............................................................................................................624.7.1 Establishing the Configuration Task.......................................................................................................624.7.2 Creating a Local User Account...............................................................................................................634.7.3 Configuring the Type of the Service That the Local User Accesses.......................................................644.7.4 Configuring the Local User Authority of Accessing the FTP Directory.................................................644.7.5 Configuring Local User Status................................................................................................................654.7.6 Configuring the Local User Level...........................................................................................................664.7.7 Setting the Maximum Number of Access Users with the Same User Name...........................................664.7.8 Configuring a ATN equipment to Cut off Idle Access Users..................................................................674.7.9 Local Users Changing the Passwords......................................................................................................674.7.10 Checking the Configuration...................................................................................................................68

4.8 Configuring an NM User to Log in to a Device in VTY Mode.......................................................................684.8.1 Establishing the Configuration Task.......................................................................................................684.8.2 Configuring an NM User.........................................................................................................................694.8.3 Configuring the Authentication Mode of an NM User............................................................................694.8.4 Switching to Machine-to-Machine Mode................................................................................................704.8.5 Checking the Configuration.....................................................................................................................70

4.9 Configuration Examples...................................................................................................................................714.9.1 Example for Configuring Logging In to the ATN Through Password....................................................714.9.2 Example for Logging In to the Device Through AAA............................................................................72



vii

4.9.3 Example for Configuring an NMS User to Manage Devices in Machine-to-machine Mode.................73

5 File System....................................................................................................................................765.1 File System Introduction..................................................................................................................................77

5.1.1 File System..............................................................................................................................................775.1.2 File System Supported by the ATN 910..................................................................................................775.1.3 File...........................................................................................................................................................775.1.4 Directory..................................................................................................................................................78

5.2 Managing Storage Devices...............................................................................................................................785.2.1 Establishing the Configuration Task.......................................................................................................785.2.2 Restoring Storage Devices with File System Troubles...........................................................................785.2.3 Formatting Storage Devices....................................................................................................................79

5.3 Managing the Directory....................................................................................................................................795.3.1 Establishing the Configuration Task.......................................................................................................795.3.2 Viewing the Current Directory................................................................................................................805.3.3 Switching a Directory..............................................................................................................................805.3.4 Displaying a Directory or File.................................................................................................................815.3.5 Creating a Directory................................................................................................................................815.3.6 Deleting a Directory................................................................................................................................81

5.4 Managing Files.................................................................................................................................................825.4.1 Establishing the Configuration Task.......................................................................................................825.4.2 Displaying Contents of Files...................................................................................................................825.4.3 Copying Files...........................................................................................................................................835.4.4 Moving Files............................................................................................................................................845.4.5 Renaming Files........................................................................................................................................845.4.6 Compressing Files...................................................................................................................................855.4.7 Deleting Files...........................................................................................................................................855.4.8 Deleting Files in the Recycle Bin............................................................................................................855.4.9 Undeleting Files.......................................................................................................................................865.4.10 Running Files in Batch..........................................................................................................................865.4.11 Configuring Prompt Modes...................................................................................................................86

5.5 Example for Managing Files............................................................................................................................87

6 Management of Configuration Files........................................................................................896.1 Management of Configuration Files Introduction............................................................................................90

6.1.1 Configuration Files..................................................................................................................................906.1.2 Configuration Files and Current Configurations.....................................................................................90

6.2 Managing Configuration Files..........................................................................................................................906.2.1 Establishing the Configuration Task.......................................................................................................916.2.2 Configuring System Software for a ATN equipment to Load for the Next Startup................................916.2.3 Configuring the Configuration File for ATN to Load for the Next Startup............................................926.2.4 Saving Configuration Files......................................................................................................................926.2.5 Clearing a Configuration File..................................................................................................................946.2.6 Comparing Configuration Files...............................................................................................................94



viii

6.2.7 Checking the Configuration.....................................................................................................................95

7 FTP and TFTP...............................................................................................................................967.1 FTP and TFTP Introduction.............................................................................................................................97

7.1.1 FTP..........................................................................................................................................................977.1.2 TFTP........................................................................................................................................................97

7.2 Configuring the ATN to be the FTP Server.....................................................................................................977.2.1 Establishing the Configuration Task.......................................................................................................987.2.2 (Optional) Specifying a Port Number for the FTP Server.......................................................................987.2.3 Enabling the FTP Server..........................................................................................................................997.2.4 Configuring the Source IP Address of the FTP Server...........................................................................997.2.5 (Optional) Configuring the Timeout Period..........................................................................................1007.2.6 Configuring the Local Username and the Password.............................................................................1007.2.7 Configuring the Service Type and Authorization Information..............................................................1017.2.8 Checking the Configuration...................................................................................................................101

7.3 Configuring FTP ACL....................................................................................................................................1027.3.1 Establishing the Configuration Task.....................................................................................................1027.3.2 Enabling the FTP Server........................................................................................................................1027.3.3 Configuring a Basic ACL......................................................................................................................1037.3.4 Configuring the Basic FTP ACL...........................................................................................................1037.3.5 Checking the Configuration...................................................................................................................104

7.4 Configuring the ATN to Be the FTP Client...................................................................................................1047.4.1 Establishing the Configuration Task.....................................................................................................1047.4.2 (Optional) Configuring Source IP Address and Interface of the FTP Client........................................1057.4.3 Logging In to the FTP Server................................................................................................................1067.4.4 Configuring Data Type and Transmission Mode for the File...............................................................1067.4.5 (Optional) Viewing Online Help of the FTP Command.......................................................................1077.4.6 Uploading or Downloading Files..........................................................................................................1077.4.7 Managing Directories............................................................................................................................1087.4.8 Managing Files......................................................................................................................................1087.4.9 (Optional) Changing Login Users.........................................................................................................1097.4.10 Disconnecting from the FTP Server....................................................................................................1097.4.11 Checking the Configuration.................................................................................................................110

7.5 Configuring the ATN to Be the TFTP Client.................................................................................................1107.5.1 Establishing the Configuration Task.....................................................................................................1107.5.2 (Optional) Configuring a Source IP Address for a TFTP Client...........................................................1117.5.3 Downloading Files Through TFTP........................................................................................................1117.5.4 Uploading Files Through TFTP............................................................................................................112

7.6 Limiting the Access to the TFTP Server........................................................................................................1127.6.1 Establishing the Configuration Task.....................................................................................................1127.6.2 Configuring the Basic ACL...................................................................................................................1137.6.3 Configuring the Basic TFTP ACL.........................................................................................................114

7.7 Configuration Examples.................................................................................................................................114



ix

7.7.1 Example for Configuring FTP...............................................................................................................1147.7.2 Example for Configuring the FTP Client..............................................................................................1167.7.3 Example for Configuring TFTP............................................................................................................117

8 Telnet and SSH..........................................................................................................................1208.1 Telnet and SSH Introduction..........................................................................................................................121

8.1.1 Overview of User Login........................................................................................................................1218.1.2 Telnet Terminal Services.......................................................................................................................1218.1.3 SSH Terminal Services..........................................................................................................................123

8.2 Configuring Telnet Terminal Services...........................................................................................................1258.2.1 Establishing the Configuration Task.....................................................................................................1258.2.2 Enabling the Telnet Service...................................................................................................................1268.2.3 (Optional) Configuring a Source IP Address for an Telnet Client........................................................1278.2.4 Establishing a Telnet Connection..........................................................................................................1278.2.5 (Optional) Configuring a Telnet Server Port Number...........................................................................1278.2.6 (Optional) Scheduled Telnet Disconnection..........................................................................................1288.2.7 Checking the Configuration...................................................................................................................128

8.3 Configuring SSH Users..................................................................................................................................1298.3.1 Establishing the Configuration Task.....................................................................................................1298.3.2 Creating SSH User.................................................................................................................................1308.3.3 Configuring SSH for the VTY User Interface.......................................................................................1308.3.4 Generating a Local RSA Key Pair.........................................................................................................1318.3.5 Configuring the Authentication Mode for SSH Users...........................................................................1318.3.6 (Optional) Configuring the Basic Authentication Information for SSH Users.....................................1338.3.7 (Optional) Authorizing SSH Users Through the Command Line.........................................................1348.3.8 Configuring the Service Type of SSH Users.........................................................................................1348.3.9 (Optional) Configuring the Authorized Directory of the SFTP Service for SSH Users.......................1358.3.10 Checking the Configuration.................................................................................................................135

8.4 Configuring the SSH Server Function............................................................................................................1358.4.1 Establishing the Configuration Task.....................................................................................................1368.4.2 Enabling the STelnet Service................................................................................................................1368.4.3 Enabling the SFTP Service....................................................................................................................1378.4.4 (Optional) Enabling the Earlier Version - Compatible Function...........................................................1378.4.5 (Optional) Configuring the Number of the Port Monitored by the SSH Server....................................1388.4.6 (Optional) Configuring the Interval for Updating the Key Pair on the SSH Server..............................1388.4.7 Checking the Configuration...................................................................................................................139

8.5 Configuring the STelnet Client Function.......................................................................................................1398.5.1 Establishing the Configuration Task.....................................................................................................1398.5.2 Enabling the First-Time Authentication on the SSH Client..................................................................1408.5.3 (Optional) Assigning an RSA Public Key to the SSH Server...............................................................1418.5.4 Enabling the STelnet Client...................................................................................................................1428.5.5 Checking the Configuration...................................................................................................................143

8.6 Configuring the SFTP Client Function...........................................................................................................143



x

8.6.1 Establishing the Configuration Task.....................................................................................................1438.6.2 (Optional) Configuring a Source IP Address for an SFTP Client.........................................................1448.6.3 Configuring the First-Time Authentication on the SSH Client.............................................................1448.6.4 (Optional) Assigning an RSA Public Key to the SSH Server...............................................................1458.6.5 Enabling the SFTP Client......................................................................................................................1468.6.6 (Optional) Managing the Directory.......................................................................................................1478.6.7 (Optional) Managing the File................................................................................................................1488.6.8 (Optional) Displaying the SFTP Client Command Help.......................................................................1498.6.9 Checking the Configuration...................................................................................................................149

8.7 Configuration Examples.................................................................................................................................1508.7.1 Example for Configuring Telnet Services.............................................................................................150

9 Device Maintenance..................................................................................................................1539.1 Introduction of Device Maintenance..............................................................................................................154

9.1.1 Overview of Device Maintenance.........................................................................................................1549.1.2 Maintenance Features Supported by the ATN 910...............................................................................154

9.2 Monitoring the Device Status.........................................................................................................................1549.2.1 Displaying the System Version Information.........................................................................................1549.2.2 Displaying Basic Information About the Router...................................................................................1559.2.3 Displaying the Electronic Label............................................................................................................1559.2.4 Displaying the Threshold of the Memory Usage...................................................................................1569.2.5 Displaying the Threshold of CPU Usage..............................................................................................1569.2.6 Displaying Alarm Information..............................................................................................................1569.2.7 Displaying the Board Temperature........................................................................................................1579.2.8 Displaying the Board Voltage...............................................................................................................1579.2.9 Displaying the Power Supply Status.....................................................................................................1589.2.10 Displaying the Sequence Number of the MPU...................................................................................158

9.3 Board Maintence ............................................................................................................................................1589.3.1 Resetting a Board...................................................................................................................................158

10 Patch Management..................................................................................................................16010.1 Introduction of Patch Management..............................................................................................................161

10.1.1 Overview of Patch Management.........................................................................................................16110.1.2 Patches Supported by the ATN 910....................................................................................................162

10.2 Checking the Running of Patch in the System.............................................................................................16310.2.1 Establishing the Configuration Task...................................................................................................16310.2.2 Checking the Running of Patch in the System....................................................................................16410.2.3 (Optional) Deleting a Patch.................................................................................................................164

10.3 Loading a Patch............................................................................................................................................16510.3.1 Establishing the Configuration Task...................................................................................................16510.3.2 Loading a Patch...................................................................................................................................16510.3.3 Checking the Configuration.................................................................................................................166

10.4 Installing a Patch..........................................................................................................................................16610.4.1 Establishing the Configuration Task...................................................................................................166



xi

10.4.2 Loading a Patch...................................................................................................................................16710.4.3 Activating a Patch................................................................................................................................16710.4.4 Running a Patch...................................................................................................................................16710.4.5 Checking the Configuration.................................................................................................................168

10.5 (Optional) Unactivating the activating of Patch...........................................................................................16810.5.1 Establishing the Configuration Task...................................................................................................16810.5.2 Deactivating a Patch............................................................................................................................16910.5.3 Checking the Configuration.................................................................................................................169

10.6 Configuration Examples of the Patch Management.....................................................................................16910.6.1 Example for Installing a Patch.............................................................................................................169

A Acronyms and Abbreviations................................................................................................172



xii

1 Establishment of the ConfigurationEnvironment

About This Chapter

Before configuring ATN equipments, you need to establish the configuration environment.

1.1 Introduction to Establishment of the Configuration EnvironmentYou can log in to ATN equipments through console port, or Telnet.

1.2 Logging In to the Device Through the Console PortThis section describes how to connect a terminal to a ATN equipment through the console portto establish the configuration environment.

1.3 Logging In to Device Through TelnetThis section describes how to connect a terminal to a ATN equipment through Telnet to establishthe configuration environment.

1.4 Configuration ExamplesThis section provides examples for configuring users to log in to the ATN equipment throughthe console port or Telnet together with the configuration flowchart. The configuration examplesexplain networking requirements, configuration notes, and configuration roadmap.

ATN 910 Multi - service Access EquipmentConfiguration Guide - Basic Configurations 1 Establishment of the Configuration Environment


1

1.1 Introduction to Establishment of the ConfigurationEnvironment

You can log in to ATN equipments through console port, or Telnet.

1.1.1 Login Through the ConsoleWhen a ATN equipment is powered on for the first time or a ATN equipment needs to be locallyconfigured, you can log in to the ATN equipment through the console port.

In the following cases, a ATN equipment can be configured only through the console port:

l The ATN equipment is powered on for the first time.l The subscriber cannot login through Telnet.

1.1.2 Login Through TelnetIf you know the IP address of a ATN equipment, you can log in to the ATN equipment throughTelnet to perform local or remote configurations.

YYou need to pre-configure the IP addresses of interfaces, the user account, the authenticationmode, and the incoming and outgoing call restriction through the console interface on the ATNequipment. Also, ensure that directly-connected or reachable ATN equipment exist betweenterminals and the ATN equipment.

The destination ATN equipment authenticates the user based on the configured parameters inthree modes:

l Password authentication: indicates that the login user should enter the correct password.l AAA local authentication: indicates that the login user should enter the correct username

and password.l None authentication: indicates that the login user need not enter the username or password.

If the login succeeds, a command line prompt such as <HUAWEI> appears on the Telnet clientinterface.

Enter a command to check the running status of the ATN equipment or to configure the ATNequipment.

Enter "?" for help.

NOTE

Do not modify the IP address of the ATN equipment when you configure the ATN equipment throughTelnet because the modification may terminate Telnet connection. Otherwise, set up the connection againafter entering a new IP address.

1.2 Logging In to the Device Through the Console PortThis section describes how to connect a terminal to a ATN equipment through the console portto establish the configuration environment.



2

1.2.1 Establishing the Configuration TaskBefore configuring log in to the ATN equipment through the console port, familiarize yourselfwith the applicable environment, complete the pre-configuration tasks, and obtain any datarequired for the configuration. This will help you complete the configuration task quickly andcorrectly.

Applicable Environment

If you log in to the ATN equipment for the first time or perform the local configuration, youneed to log in to the ATN equipment through the console port.

NOTE

If you cannot use Telnet to log in to the ATN equipment, you need to log in to the ATN equipment throughthe console port.

Pre-configuration Tasks

Before configuring login to the ATN equipment through the console port, complete the followingtasks:

l Preparing the PC/terminal (including serial port and RS-232 cables)

l Installing terminal emulation program on the PC (such as Windows XP HyperTerminal)

Data Preparation

To log in to the ATN equipment through the console port, you need the following data.

NOTE

If the AAA authentication mode is configured for users to log in to the ATN equipment through the consoleport, the correct username and password must be entered for a successful login.

No. Data

1 Terminal communication parametersl Baud ratel Data bitl Parityl Stop bitl Flow-control mode

2 (Optional) Username and password to be entered for a successful login in AAAauthentication mode

1.2.2 Establishing the Physical ConnectionThis part describes how to physically connect a terminal to a ATN equipment before login tothe ATN equipment through the console port.



3

Context

Do as follows on the ATN equipment:

Procedure

Step 1 Connect the COM port on the PC and the console port on the ATN equipment by a cable.

Step 2 Power on all devices to perform a self-check.

----End

1.2.3 Configuring TerminalsThis part describes how to configure the terminal before login to the ATN equipment throughthe console port.

Context

Do as follows on the PC:

Procedure

Step 1 Run the terminal emulation program on the PC, setting the communication parameters asfollows:l Baud rate: 38400 bpsl Data bit: 8l Stop bit: 1l Parity: nonel Flow control: none

----End

1.2.4 Logging In to the DeviceThis part describes how to log in to the ATN equipment through the console port.

Context


Procedure

Step 1 Press Enter until a command line prompt such as <HUAWEI> appears. Now the user view isdisplayed for you to configure the ATN equipment.

NOTE

If the AAA or Password authentication mode is configured for users to log in to the ATN equipment throughthe console interface, the correct user name and password must be entered for a successful login.

----End



4

1.3 Logging In to Device Through TelnetThis section describes how to connect a terminal to a ATN equipment through Telnet to establishthe configuration environment.

1.3.1 Establishing the Configuration TaskBefore configuring login to the ATN equipment through Telnet, familiarize yourself with theapplicable environment, complete the pre-configuration tasks, and obtain the required data. Thiscan help you complete the configuration task quickly and accurately.


If you know the IP address of the ATN equipment, you can log in to the ATN equipment throughTelnet for local or remote configuration.


Before configuring the ATN equipment through Telnet, complete the following tasks:

l Powering on devices and performing a self-check

l Preparing the PC (including the serial port and Ethernet crossover/direct cable)

Data Preparation

To log in to the ATN equipment through Telnet, you need the following data.

No. Data

1 IP address of the PC

2 IP address of the Ethernet interface on the ATN equipment

3 User information accessed through Telnet:l User namel Passwordl Authentication mode

1.3.2 Establishing the Physical ConnectionThis part describes how to physically connect a terminal to a ATN equipment before login tothe ATN equipment through Telnet.

PrerequisitesEstablishing the Physical Connection are complete.



5

Procedure

Step 1 Connect the ATN equipment and the PC directly or connect the ATN equipment and the PC tothe network through cables.

----End

1.3.3 Configuring Login User ParametersThis part describes how to configure user parameters for login to the ATN equipment throughTelnet.

Context


Procedure

Step 1 Configure the authentication mode of login users.

Step 2 Configure the authority limitation of login user.

----End

Follow-up Procedure

For details, refer to Chapter 5 "User Management".

1.3.4 Logging In from the Telnet ClientThis part describes how to log in to the ATN equipment through Telnet.

Context


Procedure

Step 1 Run the Telnet program on the PC that functions as a client, and enter the IP address of theinterface on the destination ATN equipment that provides the Telnet service.

Step 2 Enter the user name and password in the login window. After authentication, a command lineprompt such as <HUAWEI> appears. Now enter the configuration environment in the user view.

----End

1.4 Configuration ExamplesThis section provides examples for configuring users to log in to the ATN equipment throughthe console port or Telnet together with the configuration flowchart. The configuration examplesexplain networking requirements, configuration notes, and configuration roadmap.



6

1.4.1 Example for Logging In Through the Console PortIn this example, you can configure the PC so as to log in to the ATN equipment through theconsole port.

Networking RequirementsInitialize the configuration of the ATN equipment when the ATN equipment is powered on forthe first time.

Figure 1-1 Networking diagram of logging in through the console port

ATNPC

Configuration RoadmapThe configuration roadmap is as follows:

1. Connect the PC and the ATN equipment through the console port.2. Configure the login on the PC end.3. Log in to the ATN equipment.

Data PreparationTo complete the configuration, you need the terminal communication parameters (includingbaud rate, data bit, parity, stop bit, and flow control).

Procedure

Step 1 Connect the serial port of the PC (or terminal) to the console port of the ATN equipment througha standard RS-232 cable. The local configuration environment is established.

Step 2 Run the terminal emulation program on the PC. Set the terminal communication parameters tobe 38400 bps, data bit to be 8, stop bit to be 1. Specify no parity and no flow control as shownfrom Figure 1-2 to Figure 1-4.



7

Figure 1-2 New connection

Figure 1-3 Setting the port



8

Figure 1-4 Setting the port communication parameters

Step 3 Power on the ATN equipment to perform a self-check and the system performs automaticconfiguration. When the self-check ends, you are prompted to press Enter until a command lineprompt such as <HUAWEI> appears.

Enter the command to check the running status of the ATN equipment or configure the ATNequipment.

Enter "?" for help.

For details, refer to the following chapters.

----End

1.4.2 Example for Logging In Through TelnetIn this example, you can configure user parameters so as to log in to the ATN equipment fromthe PC or other terminals through Telnet.

Networking RequirementsYou can log in to the ATN equipment on other network segments through the PC or otherterminals to perform remote maintenance.



9

Figure 1-5 Establishing the configuration environment through WAN

WAN

ATN TargetATN

PC

Configuration Roadmap

The configuration roadmap is as follows:

1. Establish the physical connection.

2. Configure user login parameters.

3. Log in to the ATN equipment from the client side.

Data Preparation

To complete the configuration, you need the following data

l IP address of the PC

l IP address of the Ethernet interface on the ATN equipment

l User information accessed through Telnet (including the user name, password, andauthentication mode)

Procedure

Step 1 Connect the PC and the ATN equipment to the network.

Step 2 Configure login user parameters on the target ATN equipment.

# Configure the login address

<HUAWEI> system-view[HUAWEI] interface ethernet 0/0/0[HUAWEI-Ethernet0/0/0] undo shutdown[HUAWEI-Ethernet0/0/0] ip address 202.38.160.92 255.255.0.0[HUAWEI-Ethernet0/0/0] quit

# Configure login authentication mode

[HUAWEI] aaa[HUAWEI-aaa] local-user huawei password cipher hello[HUAWEI-aaa] local-user huawei service-type telnet[HUAWEI-aaa] local-user huawei level 3[HUAWEI-aaa] quit[HUAWEI] user-interface vty 0 4[HUAWEI-ui-vty0-14] authentication-mode aaa

Step 3 Configure the client login.

Run the Telnet on the PC, as shown in Figure 1-6.



10

Figure 1-6 Running the Telnet program on the PC

Click OK.

Enter the user name and password in the login window. After authentication, a command lineprompt such as <HUAWEI> appears. Now enter the configuration environment in the user view.

----End



11

2 CLI Overview

About This Chapter

Users operate devices, that is, configure the device and perform routine maintenance, by enteringcommand lines.

2.1 CLI IntroductionThe command line interface (CLI) is the common tool for running commands.

2.2 Online HelpWhen you enter command lines or configure services, online help offers real-time help inaddition to the configuration guide.

2.3 Features of Command Line InterfaceYou can edit command lines, display command lines, use the regular expression for commandlines, and invoke historical commands.

2.4 Shortcut KeysUsing the system or user-defined shortcut keys makes it easier to enter commands.

2.5 Configuration ExamplesThis section provides several examples for using command lines.

ATN 910 Multi - service Access EquipmentConfiguration Guide - Basic Configurations 2 CLI Overview


12

2.1 CLI IntroductionThe command line interface (CLI) is the common tool for running commands.

2.1.1 Command Line InterfaceYou can configure and manage a ATN equipment by using the CLI commands.

When a prompt appears, you enter the command line interface (CLI) and interact with ATNequipment through CLI.

The system provides a series of configuration commands. You can configure and manage theATN equipment by entering commands on CLI.

The characteristics of CLI are as follows:

l Local or remote configuration through AUX port.

l Local configuration through console port.

l Local or remote configuration through Telnet or Secure Shell (SSH).

l A user interface view for specific configuration management.

l Hierarchical command protection for users of different levels, that is, running thecommands of the corresponding level.

l None authentication, password authentication and Authentication, Authorization andAccounting (AAA) to prevent the unauthorized user from accessing the ATN equipment.

l Entering "?" for online help at any time.

l Network testing commands such as tracert and ping for rapidly diagnosing a network.

l Abundant debugging information to help in diagnosing the network.

l The telnet command for directly logging in to and manage other ATN equipment.

l FTP service for file uploading and downloading.

l Running a history command, like DosKey.

l A command line interpreter provides intelligent command resolution methods such as keyword fuzzy match and context conjunction. These methods make it easy for users to entertheir commands.

NOTE

l The system supports the command with up to 512 characters. The command can be incomplete.

l The system saves the incomplete command to the configuration files in the complete form; therefore,the command may have more than 512 characters. When the system is restarted, however, theincomplete command cannot be restored. Therefore, pay attention to the length of the incompletecommand.

2.1.2 Command LevelsThe system adopts a hierarchical protection mode that has 16 command levels.

The default command levels are as follows:



13

l Level 0-Visit level: Commands of this level include commands of network diagnosis tool(such as ping and tracert) and commands that start from the local device and visit externaldevice (such as Telnet client side).

l Level 1-Monitoring level: Commands of this level, including the display commands, areused for system maintenance and fault diagnosis.

l Level 2-Configuration level: Commands of this level are service configuration commandsthat provide direct network service to the user, including routing and network layercommands.

l Level 3-Management level: Commands of this level are commands that influence the basicoperation of the system and provide support to the service. They include file systemcommands, FTP commands, TFTP commands, configuration file switching commands,power supply control commands, backup board control commands, user managementcommands, level setting commands, system internal parameter setting commands, anddebugging commands that are used for fault diagnosis.

CAUTIONNot all display commands are of the monitoring level. For example, the display current-configuration and display saved-configuration commands are of the management level. Forthe level of a command, see the ATN 910 Command Reference.

To implement efficient management, you can increase the command levels to 0-15. For theincrease in the command levels, refer to Chapter 4 "Basic Configuration" Configuring CommandLevels in the ATN 910 Configuration Guide - Basic Configurations.

NOTE

l The default command level may be higher than the command level defined according to the commandrules in application.

l Login users have the same 16 levels as the command levels. The login users can use only the commandof the levels that are equal to or lower than their own levels. For details of login user levels, refer toChapter 5 "User Login."

Searching Commands Based on Command LevelsYou can search for all commands of a specific level simultaneously. The procedure is as follows:

1. Open the command reference (.chm.) file.2. Click the "Search" tab. The search window will be displayed as shown in Figure 2-1.



14

Figure 2-1 Entering the search window

3. Enter a desired command level in the "Type in the word(s) to search for" textbox and click"List Topics". All commands of the specified level will be displayed as shown in Figure2-2.



15

Figure 2-2 Searching commands based on a specific level

2.1.3 Command Line ViewsThe command line interface has different command views. All the commands are registered inone or more command views. You can run a command only when you enter the correspondingcommand view.

# Establish connection with the ATN equipment. If the ATN equipment adopts the defaultconfiguration, you can enter the user view with the prompt of <HUAWEI>.

<HUAWEI>

# Type system-view, and you can enter the system view.

<HUAWEI> system-view[HUAWEI]

# Type aaa in the system view, and you can enter the AAA view.

[HUAWEI] aaa[HUAWEI-aaa]

NOTE

The prompt <HUAWEI> indicates the default ATN equipment name. The prompt <> indicates the userview and the prompt [] indicates other views.



16

Some commands that are implemented in the system view can also be implemented in the otherviews; however, the functions that can be implemented are command view-specific. Forexample, the mpls command (for enabling MPLS) can be run in the system view to enable theMPLS capability globally. Although it can also be run in the interface view, the MPLS capabilityis enabled only on the interface.

2.2 Online HelpWhen you enter command lines or configure services, online help offers real-time help inaddition to the configuration guide.

ContextThe command line of ATN 910 provides three types of online help:

l Full helpl Partial helpl Error Messages of the Command Line Interface

2.2.1 Full HelpWhen you enter a command line, you can view the description of keywords or parameters in thecommand line through the Full Help.

ContextYou can obtain the full help of the command line in the following ways.

Procedurel Enter "?" in any command line view to display all the commands and their simple

descriptions.<HUAWEI> ?

l Enter a command and "?" separated by a space. If the key word is at this position, all keywords and their simple descriptions are displayed. For example:<HUAWEI> language-mode ?Chinese Chinese environmentEnglish English environment

Chinese and English are keywords; Chinese environment and English environmentdescribe the keywords respectively.

l Enter a command and "?" separated by a space, and if a parameter is at this position, therelated parameter names and parameter descriptions are displayed. For example:[HUAWEI] ftp timeout ? INTEGER<1-35791> The value of FTP timeout, the default value is 30 minutes[HUAWEI] ftp timeout 35 ?<cr>

In the preceding display, INTEGER<1-35791> describes the parameter value; The valueof FTP timeout, the default value is 30 minutes is a simple description of the parameterusage; <cr> indicates that no parameter is at this position. The command is repeated in thenext command line. You can press Enter to run the command.

----End



17

2.2.2 Partial HelpWhen you enter a command line, you can obtain prompts on the keywords or parameters at thebeginning of the string through the Partial Help.

ContextYou can obtain the partial help of the command line in the following ways.

Procedurel Enter a character string with a "?" closely following it to display all commands that begin

with this character string.<HUAWEI> d? debugging delete dir display

l Enter a command and a character string with "?" closely following it to display all the keywords that begin with this character string.<HUAWEI> display b? bfd bgp bootrom buffer bulk-stat

l Enter the first several letters of a key word in the command and then press Tab to displaythe complete key word on the condition that the letters uniquely identify the key word.Otherwise, if you continue to press Tab, different key words are displayed. You can selectthe needed key word.

----End

2.2.3 Error Messages of the Command Line InterfaceIf an entered command passes the syntax check, the system executes it. Otherwise, the systemprompts an error message.

All the commands entered by the user are run correctly, if the grammar check has been passed.Otherwise, error messages are reported to the user. See Table 2-1 for the common errormessages.

Table 2-1 Common error messages of the command line

Error messages Cause of the error

Unrecognized command The command cannot be found

The key word cannot be found

Wrong parameter Parameter type error

The parameter value exceeds the limit

Incomplete command Incomplete command entered

Too many parameters Too many parameters entered

Ambiguous command Indefinite parameters entered



18

2.3 Features of Command Line InterfaceYou can edit command lines, display command lines, use the regular expression for commandlines, and invoke historical commands.

2.3.1 EditingThe editing function of command lines helps you edit command lines or obtain help by usingcertain keys.

The command line supports multi-line edition. The maximum length of each command is 512characters.

Keys for editing that are often used are shown in Table 2-2.

Table 2-2 Keys for editing

Key Function

Common key Inserts a character in the current position of the cursor if the editingbuffer is not full and the cursor moves to the right. Otherwise, analarm is generated.

Backspace Deletes the character on the left of the cursor that moves to theleft. When the cursor reaches the head of the command, an alarmis generated.

Left cursor key ← orCtrl_B

Moves the cursor to the left by the space of a character. When thecursor reaches the head of the command, an alarm is generated.

Right cursor key → orCtrl_F

Moves the cursor to the right by the space of a character. Whenthe cursor reaches the end of the command, an alarm is generated.

Tab Press Tab after typing the incomplete key word and the systemruns the partial help:l If the matching key word is unique, the system replaces the

typed one with the complete key word and displays it in a newline with the cursor a space behind.

l If there are several matches or no match at all, the systemdisplays the prefix first. Then you can press Tab to view thematching key word one by one. In this case, the cursor closelyfollows the end of the word and you can type a space to enterthe next word.

l If a wrong key word is entered, press Tab and the word isdisplayed in a new line.

2.3.2 DisplayingAll command lines have the same displaying feature. You can construct the displaying mode asrequired.



19

You can control the display of information on CLI as follows:

l Display prompt and help information in both Chinese and English.l When the information displayed exceeds a full screen, it provides the pause function. In

this case, the user has three choices as shown in Table 2-3.

Table 2-3 Keys for displaying

Key Function

Ctrl_C Stops the display and running of the command.

Space Continues to display the information on the next screen.

Enter Continues to display the information on the next line.

2.3.3 Regular ExpressionsThe regular expression is a mode matching tool. You can construct the matching mode basedon certain rules, and then match the mode with the target object.

The regular expression is an expression that describes a set of strings. It consists of commoncharacters (such as letters from "a" to "z") and particular characters (also named metacharacters).The regular expression is a template according to which you can search for the required string.

A regular expression can provide the following functions:l Searching for and obtaining a sub-string that matches a rule in the string.l Substituting a string according to a certain matching rule.

Formal Language Theory of the Regular ExpressionThe regular expression consists of common characters and particular characters.

l Common charactersCommon characters are used to match themselves in a string, including all upper-case andlower-case letters, digits, punctuations, and special symbols. For example, a matches theletter "a" in "abc", 202 matches the digit "202" in "202.113.25.155", and @ matches thesymbol "@" in "[email protected]".

l Particular charactersParticular characters are used together with common characters to match the complex orparticular string combination. Table 2-4 describes particular characters and their syntax.



20

Table 2-4 Description of particular characters

Particularcharacter

Syntax Example

\ Defines an escape character, whichis used to mark the next character(common or particular) as thecommon character.

\* matches "*".

^ Matches the starting position of thestring.

^10 matches "10.10.10.1" instead of"20.10.10.1".

$ Matches the ending position of thestring.

1$ matches "10.10.10.1" instead of"10.10.10.2".

* Matches the preceding element zeroor more times.

10* matches "1", "10", "100", and"1000".(10)* matches "null", "10", "1010",and "101010".

+ Matches the preceding element oneor more times

10+ matches "10", "100", and"1000".(10)+ matches "10", "1010", and"101010".

? Matches the preceding element zeroor one time.

10? matches "1" and "10".(10)? matches "null" and "10".

. Matches any single character. 0.0 matches "0x0" and "020"..oo matches "book", "look", and"tool".

() Defines a subexpression, which canbe null. Both the expression and thesubexpression should be matched.

100(200)+ matches "100200" and"100200200".

x|y Matches x or y. 100|200 matches "100" or "200".1(2|3)4 matches "124" or "134",instead of "1234", "14", "1224", and"1334".

[xyz] Matches any single character in theregular expression.

[123] matches the character 2 in"255".

[^xyz] Matches any character that is notcontained within the brackets.

[^123] matches any character exceptfor "1", "2", and "3".

[a-z] Matches any character within thespecified range.

[0-9] matches any character rangingfrom 0 to 9.

[^a-z] Matches any character beyond thespecified range.

[^0-9] matches all non-numericcharacters.



21

Particularcharacter

Syntax Example

_ Matches a comma "," left brace "{",right brace "}", left parenthesis "(",and right parenthesis ")".Matches the starting position of theinput string.Matches the ending position of theinput string.Matches a space.

_2008_ matches "2008", "space2008 space", "space 2008", "2008space", ",2008,", "{2008}","(2008)", "{2008", and "(2008}".

NOTE

Unless otherwise specified, all characters in the preceding table are displayed on the screen.

l Degeneration of particular charactersCertain particular characters, when being placed at the following positions in the regularexpression, degenerate to common characters.– The particular characters following "\" is transferred to match particular characters

themselves.– The particular characters "*", "+", and "?" placed at the starting position of the regular

expression. For example, +45 matches "+45" and abc(*def) matches "abc*def".– The particular character "^" placed at any position except for the start of the regular

expression. For example, abc^ matches "abc^".– The particular character "$" placed at any position except for the end of the regular

expression. For example, 12$2 matches "12$2".– The right bracket such as ")" or "]" being not paired with its corresponding left bracket

"(" or "[". For example, abc) matches "abc)" and 0-9] matches "0-9]".NOTE

Unless otherwise specified, degeneration rules are applicable when preceding regular expressionsserve as subexpressions within parentheses.

l Combination of common and particular charactersIn actual application, a regular expression combines multiple common and particularcharacters to match certain strings.

Specifying a Filtering Mode in Command

CAUTIONThe ATN 910 uses a regular expression to implement the filtering function of the pipe character.A display command supports the pipe character only when there is excessive output information.When the output information is queried according to the filtering conditions, the first line of thecommand output starts with the information containing the regular expression.



22

The command can carry the parameter | count to display the number of matching entries. Theparameter | count can be used together with other parameters.

For the commands supporting regular expressions, the three filtering methods are as follows:

l | begin regular-expression: displays the information that begins with the line that matchesregular expression.

l | exclude regular-expression: displays the information that excludes the lines that matchregular expression.

l | include regular-expression: displays the information that includes the lines that matchregular expression.

NOTE

The value of regular-expression is a string of 1 to 255 characters.

Specify a Filtering Mode when Information is Displayed

When a lot of information is displayed, you can specify a filtering mode in the prompt "---- More----".

l /regular-expression: displays the information that begins with the line that matches regularexpression.

l -regular-expression: displays the information that excludes lines that match regularexpression.

l +regular-expression: displays the information that includes lines that match regularexpression.

2.3.4 History CommandsThe command line interface provides a function similar to DosKey, which can automaticallysave historical commands. You can invoke the historical commands saved on the command lineinterface at any time and run them again.

By default, the system saves 10 history commands at most for each user. The operations are asshown in Table 2-5.

Table 2-5 Access the history commands

Action Key or Command Result

Display thehistorycommands.

display history-command

Display the history commands entered by users.

Access the lasthistorycommand.

Up cursor key↑ orCtrl_P

Display the last history command if there is anearlier history command. Otherwise, a bell isgenerated.

Access the nexthistorycommand.

Down cursor key ↓or Ctrl_N

Display the next history command if there is a laterhistory command. Otherwise, the command iscleared and a bell is generated.



23

NOTE

On the HyperTerminal of Windows 9X, cursor key ↑ is invalid as the HyperTerminals of Windows 9Xdefine the keys differently. In this case, you can replace the cursor key ↑ with Ctrl_P.

When you use the history commands, note the following:

l The saved history commands are the same as that those entered by users. For example, ifthe user enters an incomplete command, the saved command also is incomplete.

l If the user runs the same command several times, the earliest command is saved. If thecommand is entered in different forms, they are considered as different commands.For example, if the display ip routing-table command is run several times, only one historycommand is saved. If the disp ip routing command and the display ip routing-tablecommand are run, two history commands are saved.

2.3.5 Batch Command ExecutionBy running pre-defined command lines in batches, you can simplify the operation of enteringcommon commands and improve efficiency.

ContextLog in to the ATN equipment from the client and do as follows:

Procedure

Step 1 Run the batch-cmd edit to edit commands to be run in batches.

The batch-cmd edit command can be used by only one user at a time.

The maximum length of a command (including the incomplete command) to be entered is 512characters.

When editing commands, press Enter to complete the editing of each command.

NOTE

After running the batch-cmd edit command to successfully edit the commands to be executed in batches,the system deletes the original commands to be run in batches.

The commands that are already edited are saved in memory and are deleted for ever when the system isrestarted.

Step 2 After all commands are edited, you can press the shortcut buttons Ctrl+Z to exit the editing stateand return to the user view.

Step 3 Run the batch-cmd execute to execute commands in batches.

The batch-cmd execute command can be used by only one user at a time.

The sequence of running commands is the same as the sequence of editing commands.

----End

2.4 Shortcut KeysUsing the system or user-defined shortcut keys makes it easier to enter commands.



24

2.4.1 Classifying Shortcut KeysThere are two types of shortcut keys, namely, system shortcut keys and user-defined shortcutkeys. Familiarize yourself with shortcut keys so as to use them accurately.

The shortcut keys in the system are classified into the following types:

l User-oriented and user-defined shortcut keys: CTRL_G, CTRL_L, CTRL_O, andCTRL_U. The user can correlate these shortcut keys with any commands. When theshortcut keys are pressed, the system automatically runs the corresponding command. Fordetails of defining the shortcut keys, see 2.4.2 Defining Shortcut Keys.

l System-defined shortcut keys: These shortcut keys with fixed functions are defined by thesystem. Table 2-6 lists the system-defined shortcut keys.

NOTE

Different terminal software defines these keys differently. Therefore, the shortcut keys on the terminal maybe different from those listed in this section.

Table 2-6 System-defined shortcut keys

Key Function

CTRL_A The cursor moves to the beginning of the current line.

CTRL_B The cursor moves to the left by the space of a character.

CTRL_C Terminates the running function.

CTRL_D Deletes the character where the cursor lies.

CTRL_E The cursor moves to the end of the current line.

CTRL_F The cursor moves to the right by the space of a character.

CTRL_H Deletes one character on the left of the cursor.

CTRL_K Stops the creation of the outbound connection.

CTRL_N Displays the next command in the history command buffer.

CTRL_P Displays the previous command in the history command buffer.

CTRL_R Repeats the display of the information of the current line.

CTRL_T Terminates the outbound connection.

CTRL_V Pastes the contents on the clipboard.

CTRL_W Deletes a character string or character on the left of the cursor.

CTRL_X Deletes all the characters on the left of the cursor.

CTRL_Y Deletes all the characters on the right of the cursor.

CTRL_Z Returns to the user view.

CTRL_] Terminates the inbound or redirection connections.

ESC_B The cursor moves to the left by the space of a word.



25

Key Function

ESC_D Deletes a word on the right of the cursor.

ESC_F The cursor moves to the right to the end of next word.

ESC_N The cursor moves downward to the next line.

ESC_P The cursor moves upward to the previous line.

ESC_SHIFT_< Sets the position of the cursor to the beginning of the content tobe pasted into the clipboard.

ESC_SHIFT_> Sets the position of the cursor to the end of the content to bepasted into the clipboard.

2.4.2 Defining Shortcut KeysOnly management-level users have the rights to define shortcut keys.

NOTE

When defining the shortcut keys, use double quotation marks to define the command if this commandcontains several commands words, that is, if spaces exist in the command.

Configure as follows in the system view.

Action Command

Define shortcut keys hotkey { CTRL_G | CTRL_L | CTRL_O | CTRL_U }command-text

By default, CTRL_G, CTRL_L and CTRL_O correspond to the following commandsrespectively:

l CTRL_G: display current-configurationl CTRL_L: display ip routing-tablel CTRL_O: undo debugging all

The default commands of the other shortcut keys are null.

2.4.3 Use of Shortcut KeysYou can use the shortcut key at any position that allows a command to be entered. The systemexecutes an entered shortcut key and displays the corresponding command on the screen in thesame way as you enter a complete command.

l If you have typed part of a command and have not pressed Enter, you can press the shortcutkeys to clear the entered command and display the full corresponding command. Thisoperation has the same effect as that of deleting all commands and then re-entering thecomplete command.



26

l The shortcut keys are run as the commands, the syntax is recorded to the command bufferand log for fault location and querying.

NOTE

The terminal in use may affect the functions of the shortcut keys. For example, if the customized shortcutkeys of the terminal conflict with those of the ATN equipment, the input shortcut keys are captured by theterminal program and hence the shortcut keys do not function.

Run the following command in any view to display the use of shortcut keys.

Action Command

Check the usage of shortcut keys. display hotkey

2.5 Configuration ExamplesThis section provides several examples for using command lines.

2.5.1 Example for Running Commands in BatchesThis part provides an example for running commands in batches. In this example, by editing thecommands to be run in batches, you can configure the system to automatically run the commandsin batches.

ContextDuring the preventive maintenance inspection (PMI), you can run commands in batches. Thatis, enter all PMI commands once and then send all the command output information to the PMItool, which can improve the PMI efficiency.

Log in to the ATN equipment and do as follows:

Procedure

Step 1 Edit the display users, display startup, and display clock commands to be run in batches.

<HUAWEI> batch-cmd editInfo: Begin editing batch commands. Press "Ctrl+Z" to abort this session.display usersdisplay startupdisplay clock<HUAWEI>

Step 2 Run the commands in batches.<HUAWEI> batch-cmd execute<HUAWEI>batch-cmd execute command: display users User-Intf Delay Type Network Address AuthenStatus AuthorcmdFlag

0 CON 0 00:00:44 pass noUsername : Unspecified

<HUAWEI>batch-cmd execute command: display startup

MainBoard: Configured startup system software: NULL



27

Startup system software: Next startup system software: NULL Startup saved-configuration file: flash:/vrpcfg.zip Next startup saved-configuration file: flash:/vrpcfg.zip Startup paf file: NULL Next startup paf file: NULL Startup license file: NULL Next startup license file: NULL Startup patch package: NULL Next startup patch package: NULL<HUAWEI>batch-cmd execute command: display clock

2009-11-23 14:27:20-08:00MondayTime Zone(China Standard Time) : UTC-08:00<HUAWEI>batch-cmd execute finished.

----End

2.5.2 Example for Using TabYou can obtain prompts on keywords or check whether the entered keywords are correct bypressing Tab.

ContextTab can be used in three ways as shown in the following example.

The matching key word is unique after the incomplete key word is typed.1. Type the incomplete key word.

[HUAWEI] info-

2. Press Tab.The system replaces the typed one with the complete key word and displays it in a new linewith the cursor leaving a space behind[HUAWEI] info-center

There are several matches or no match after the incomplete key word is typed.info-center can be followed by three key words.

[HUAWEI] info-center log? logbuffer logfile loghost

1. Type the incomplete key word.[HUAWEI] info-center l

2. Press Tab.[HUAWEI] info-center log

The system displays the prefix first. The prefix in this example is "log".Continue to press Tab. The cursor is closely following the end of the word.[HUAWEI] info-center loghost[HUAWEI] info-center logbuffer[HUAWEI] info-center logfile

Stop pressing Tab after the key word logfile that you need is displayed.3. Type a space to enter the next word "channel".

[HUAWEI] info-center logfile channel



28

A wrong key word is typed.1. Type a wrong key word "loglog".

[HUAWEI] info-center loglog

2. Press Tab.[HUAWEI] info-center loglog

The incorrect input "loglog" is displayed in a new line.

2.5.3 Example for Using Shortcut KeysIf the login ATN equipment is defined with shortcut keys, the shortcut keys can be used by anyuser regardless of the user level.

Context

Do as follows on the login ATN equipment:

Procedure

Step 1 Correlate Ctrl_U with the display ip routing-table command and run the shortcut keys.<HUAWEI> system-view[HUAWEI] hotkey ctrl_u "display ip routing-table"

Step 2 Press Ctrl+U when the prompt [HUAWEI] appears.[HUAWEI] display ip routing-tableRoute Flags: R - relay, D - download to fib------------------------------------------------------------------------------Routing Tables: Public Destinations : 8 Routes : 8Destination/Mask Proto Pre Cost Flags NextHop Interface 51.51.51.9/32 Direct 0 0 D 127.0.0.1 InLoopBack0 100.2.0.0/16 Direct 0 0 D 100.2.150.51 Ethernet0/0/0 100.2.150.51/32 Direct 0 0 D 127.0.0.1 InLoopBack0 100.2.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0 127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0 127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0---------------------------------------------------------------------

----End

2.5.4 Copying Commands Using Shortcut KeysYou can copy commands by using shortcut keys in any view.

Context

Do as follows on the login ATN equipment:

Procedure

Step 1 Move the cursor to the beginning of the command and press ESC_Shift_<. Move the cursor tothe end and press ESC_Shift_>.

<HUAWEI> display ip routing-table



29

Step 2 Run the display clipboard command to view the contents on the clipboard.

<HUAWEI> display clipboard---------------- CLIPBOARD-----------------display ip routing-table

Step 3 Enter the command in any view, and press Ctrl_V to paste the contents of clipboard.

<HUAWEI> display ip routing-table

----End



30

3 Basic Configuration

About This Chapter

This chapter describes how to configure the basic system environment and the basic userenvironment.

3.1 Basic Configuration IntroductionThis section describes the meaning and scope of the basic configuration.

3.2 Configuring the Basic System EnvironmentThis section describes how to configure the basic system environment according to user habitsor the requirements of the actual environment.

3.3 Configuring Basic User EnvironmentThis section describes the configuration of the basic user environment for user level switching.

3.4 Displaying System Status MessagesThis section describes the display commands that are used for displaying basic systemconfigurations.

ATN 910 Multi - service Access EquipmentConfiguration Guide - Basic Configurations 3 Basic Configuration


31

3.1 Basic Configuration IntroductionThis section describes the meaning and scope of the basic configuration.

Before configuring services, users often need to perform basic configurations for actualoperation and maintenance.

The ATN 910 provides configurations of two kinds of basic environments:

l Basic system environment: includes the language mode, host name, system name, systemtime, header text, and command level for actual environment.

l Basic user environment: includes password for changing levels and the terminal lock.

3.2 Configuring the Basic System EnvironmentThis section describes how to configure the basic system environment according to user habitsor the requirements of the actual environment.

3.2.1 Establishing the Configuration TaskBefore configuring the basic system environment, familiarize yourself with the applicableenvironment, complete the pre-configuration tasks, and obtain the required data. This can helpyou complete the configuration task quickly and accurately.

Applicable EnvironmentBefore configuring the services, you need to configure the basic system environments to meetthe requirements of the actual environments.

By default, the ATN 910 supports commands of Level 0 to Level 3, namely, visit level,monitoring level, configuration level, and management level.

If the user needs to define more levels, or refine management privileges on the device, the usercan extend the range of command line level from the range of Level 0 to Level 3 to the range ofLevel 0 to Level 15.

Pre-configuration TasksBefore configuring basic system environment, complete the following task:

l Powering on the ATN equipment

Data PreparationTo configure basic system environment, you need the following data.

No. Data

1 Language mode

2 System time



32

No. Data

3 Host name

4 Login information

5 Command level

3.2.2 Switching the Language ModeYou can switch between the Chinese mode and the English mode as required.

Context


Procedure

Step 1 Run:language-mode language-name

The language mode is switched.

By default, the English mode is used.

The help information on the ATN equipment can be in English and in Chinese. The languagemode is stored in the system software and need not be loaded.

----End

3.2.3 Configuring the Equipment NameYou can change the equipment name as required. The new equipment name takes effectimmediately.

Context


Procedure

Step 1 Run:system-view

The system view is displayed.

Step 2 Run:sysname host-name

The equipment name is set.

You can change the name of the ATN equipment that appears in the command prompt.



33

By default, the host name of the ATN equipment is HUAWEI.

----End

3.2.4 Setting the System ClockTo ensure that devices on the network work with the same clock, you need to set or change thesystem clock.

ContextYou need to set the system time properly to ensure the cooperation between the ATN 910 andother devices. The ATN 910 supports the configurations of the time zone and the daylight savingtime.

NOTE

UTC indicates the Universal Time Coordinated.


Procedure

Step 1 Run:clock datetime [ utc ] HH:MM:SS YYYY-MM-DD

The current date and time is set.

Step 2 Run:clock timezone time-zone-name { add | minus } offset

The time zone is set.

l If add is configured, the current time is the UTC time plus the time offset. That is, the defaultUTC time plus offset is equal to the time of time-zone-name.

l If minus is configured, the current time is the UTC time minus the time offset. That is, thedefault UTC time minus offset is equal to the time of time-zone-name.

Step 3 Run:clock daylight-saving-time time-zone-name one-year start-time start-date end-time end-date offset

or

clock daylight-saving-time time-zone-name repeating start-time { { first | second | third | fourth | last } weekday month | start-date } end-time { { first | second | third | fourth | last } weekday month | end-date } offset [ start-year [ end-year ] ]

The daylight saving time is set.

During the configuration of the daylight saving time, you can configure the start time and endtime in one of the following modes: date+date, week+week, date+week, and week+date. Fordetails, see clock daylight-saving-time.

NOTEWhen the current time is within the daylight saving time, running the clock timezone time-zone-name{ add | minus } offset command can successfully set the time zone name. If the display clock commandis run to view the time zone name at the moment, the time zone name, however, is displayed as the nameof the daylight saving time. After the daylight saving time ends, the set time zone name can be displayed.



34

CAUTIONWhen the device is upgraded from an earlier version to the V200R001C01 version, theconfigured daylight saving time does not take effect and needs to be reconfigured.

----End

3.2.5 Configuring a HeaderIf you need to provide information for login users, you can configure a header that the systemdisplays during login or after login.

ContextDo as follows on the ATN equipment:

Procedure



Step 2 Run:header login { information text | file file-name }

The header displayed during login is set.

Step 3 Run:header shell { information text | file file-name }

The header displayed after login is set.

A header is a system prompt displayed when a user logs in to the ATN equipment or startsinteractive configuration with the ATN equipment. The header provides detailed instruction.

NOTE

l If a user logs in to the ATN equipment by using SSH1.X, the login header is not displayed during login,but the shell header is displayed after login.

l If a user logs in to the ATN equipment by using SSH2.0, both login and shell headers are displayed.

----End

3.2.6 Configuring Command LevelsBy default, commands are registered in the sequence of Level 0 to Level 3. If refined rightsmanagement is required, you can divide commands in to 16 levels, that is, from Level 0 to Level15.

ContextIf the user does not adjust a command level separately, after the command level is updated, alloriginally-registered command lines adjust automatically according to the following rules:



35

l The commands of Level 0 and Level 1 remain unchanged.l The command Level 2 is updated to Level 10 and Level 3 is updated to Level 15.l No command lines exist in Level 2 to Level 9 and Level 11 to Level 14. The user can adjust

the command lines to these levels separately to refine the management of privilege.

NOTE

The updation of command Level 2 to Level 10 and Level 3 to Level 15 is not a two-step process but one-step by batch.


Procedure



Step 2 Run:command-privilege level rearrange

Update the command level in batch.

When no password is configured for a Level 15 user, the system prompts the user to set a super-password for the level 15 user. At the same time, the system asks if the user wants to continueto update the command line level. Then, just select "N" to set a password. If you select "Y", thecommand level can be updated in batch directly. This results in the user not logging in throughthe Console port and failing to update the level.

Step 3 Run:command-privilege level level view view-name command-key

The command level is configured. With the command, you can specify the level and viewmultiple commands at one time (command-key).

All commands have default command views and levels. You need not reconfigure them.

----End

3.2.7 Configuring the Undo Command to Match in the PreviousView Automatically

You can run the undo command in the current view and thus the system automatically matchesthe previous view.

ContextIf the user allows the undo command to automatically match the previous view and the userruns the undo command that is not registered in the current view, the system searches theundo command in the previous view.

The undo command has disadvantages due to automatically matching. For example, when theuser runs the undo ospf command in the interface view where the command is not registered,the system searches in system view automatically. This may lead to global deletion of the OSPFfeature.



36

NOTE

l By default, the undo command does not automatically match the upper level view.

l The matched upper-view command is valid for current login users who run this command.

l It is not recommended that you configure the undo command to automatically match the upper levelview, unless necessary.


Procedure



Step 2 Run:matched upper-view

The undo command is configured to match the upper level view.

By default, the undo command does not match the previous view automatically.

----End

3.3 Configuring Basic User EnvironmentThis section describes the configuration of the basic user environment for user level switching.

3.3.1 Establishing the Configuration TaskBefore configuring the basic user environment, familiarize yourself with the applicableenvironment, complete the pre-configuration tasks, and obtain the required data. This can helpyou complete the configuration task quickly and accurately.

Applicable EnvironmentThe user can log in to a ATN equipment with lower level to perform simple configurations orview configurations. When the configuration is complicated, the user needs to switch to a highlevel. Thus, it requires the user to configure the basic environment for switching levels.

Pre-configuration TasksBefore configuring the basic environment for the user, complete the following task:

l Powering on the ATN equipment properly

Data PreparationTo configure the basic environment for the user, you need the following data:

No. Data

1 Password for the user level switching



37

3.3.2 Configuring the Password for Switching User LevelsPasswords need to be set for users that are switched from lower levels to higher levels.

Context

When users log in to the ATN equipment with a lower user level, they switch to a higher userlevel to perform advanced operations by entering the corresponding password. The passwordneeds to be configured in advance.

CAUTIONWhen simple is used, the password is saved in the configuration files in simple text. Login userswith lower level can obtain the password by viewing the configuration. This may cause securityproblems. Therefore, cipher is used to save the password in encrypted text.If the pass word is set in cipher mode, the password cannot be resumed from the system. Savethe password to avoid oblivion or miss.


Procedure



Step 2 Run:super password [ level user-level ] { simple | cipher } password

The password for switching user levels is configured.

----End

3.3.3 Switching User LevelsYou need to enter the set password when being switched from a lower level to a higher level.

Context

An accurate password must be entered when the user is switched from a lower level to a higherlevel.

When configuring the switchover of user levels on the ATN equipment, users can performHWTACACS Authentication. For detailed configurations, refer to the ATN 910 ATNequipment Configuration Guide - Security.




38

Procedure

Step 1 Run:super [ level ]

User levels are switched.

Step 2 Follow the prompt and enter a password.

If the password entered is correct, the user can switch to a higher level. If the user enters apassword incorrectly for three consecutive times, the user remains at the current login level andreturns to the user view.

NOTE

When the login user of lower level is switched to the user of higher level through the super command, thesystem automatically sends trap messages and records the switchover in a log. When the switched levelis lower than that of the current level, the system only records the switchover in a log.

----End

3.3.4 Locking User InterfacesYou can enter the set password to unlock the locked user interface.

Context

When you leave the operation terminals for a moment, you can lock the user interface to preventunauthorized users from operating the interface.


Procedure

Step 1 Run:lock

The user interface is locked.

Step 2 Follow the system prompt and input an unlock password, and then confirm.<HUAWEI> lockEnter Password:Confirm Password:

If the locking is successful, the system prompts that the user interface is locked.

You must enter a correct password to unlock the user interface.

----End

3.4 Displaying System Status MessagesThis section describes the display commands that are used for displaying basic systemconfigurations.



39

ContextYou can use the display commands to collect information about the system status. The displaycommands are classified according to the following functions:

l Displays system configurations.l Displays the running status of the system.l Displays the diagnostic information about a system.l Displays the restart information about the main control board.

See the related sections for display commands for protocols and interfaces. The following onlyshows the system display commands.

Run the following commands in any view.

3.4.1 Displaying System ConfigurationYou can view information about the system version, system time, original configuration, andcurrent configuration.

PrerequisitesBasic Configuration are complete.

Procedurel Run the display version command to display the system version.l Run the display clock [ utc ] command to display the system time.l Run the display calendar command to display system calendar.l Run the display saved-configuration command to display the original configuration.l Run the display current-configuration command to display the current configuration.

----End

3.4.2 Displaying System StatusYou can view the configuration of the current view.

PrerequisitesBasic configuration are complete.

Procedurel Run the display this command to display the configuration of the current view.

----End

3.4.3 Collecting System Diagnostic InformationYou can view the system diagnosis information.

ContextBasic configuration is complete.



40

Procedure

Step 1 Run:display diagnostic-information [ file-name ]

The system diagnosis information is displayed.

When the system fails or performs the routine maintenance, you need to collect a lot ofinformation to locate faults. Then, you have to run different display commands to collect allinformation. In this case, you can use the display diagnostic-information command to collectall information about the current running modules in the system.

The display diagnostic-information command collects all information collected by runningthe following commands, including display clock, display version, display cpu-usage, displayinterface, display current-configuration, display saved-configuration, display history-command, and so on.

----End



41

4 User Management

About This Chapter

This chapter describes user interfaces and the configuration of users' login.

4.1 User Management IntroductionThis section describes basic concepts of user interfaces and user management.

4.2 Configuring Console User InterfaceYou can configure the console user interface so as to maintain a ATN equipment on the localdevice.

4.3 Configuring VTY User InterfaceYou can configure the VTY user interface to maintain a remote ATN equipment.

4.4 Managing User InterfacesYou need to configure user management to ensure that the operator manages ATN equipmentssafely.

4.5 Configuring User AuthenticationThrough user management, you can create users for ATN equipments, set user passwords, andmanage users.

4.6 Configuring Exclusive Configuration AccessWhen multiple users log in to a device to simultaneously configure services, the configurationsmay conflict and thus the services become abnormal on the device. To prevent the problem, youcan provide exclusive configuration access to ensure that only one user performs configurationat a time.

4.7 Configuring Local User ManagementAfter configuring attributes of a local user on an access device, you can enable the access deviceto function as a local AAA server.

4.8 Configuring an NM User to Log in to a Device in VTY ModeYou can configure an Network Management System (NMS) user to log in to a device in VTYmode to set parameters of the device.

4.9 Configuration Examples

ATN 910 Multi - service Access EquipmentConfiguration Guide - Basic Configurations 4 User Management


42

This section provides examples for configuring users to log in to a ATN equipment in differentmodes. These configuration examples explain networking requirements, configuration roadmap,and configuration notes.



43

4.1 User Management IntroductionThis section describes basic concepts of user interfaces and user management.

4.1.1 User Interface ViewThe system supports console, and VTY user interfaces.

The user interface view is a command line view provided by the system. It is used to configureand manage all the physical and logical interfaces in the asynchronous mode.

User Interfaces Supported by the Systeml Console port (CON)

The console port is a serial port provided by the main control board of the ATNequipment.

The main control board provides one EIA/TIA-232 DCE console port for localconfiguration by directly connecting a terminal to a ATN equipment.

l Virtual type terminal (VTY)

The virtual port is a logical terminal line. A VTY connection is set up when a ATNequipment connects to a terminal through Telnet. It is used for local or remote access to aATN equipment.

User Interface Numbering

The following are user interface numbering methods:

l Relative numbering

The relative numbering is in the format of user interface type + number.

The relative numbering is available for interfaces of a specific type. It is used only to specifyone or a group of user interfaces of a specified type. It must comply with the followingrules:

– Number of the console port: CON 0

– Number of the VTY: VTY 0 for the first line, VTY 1 for the second line and so on.

l Absolute numbering

The absolute numbering is used to uniquely specify a user interface or a group of userinterfaces.

The number starts with 0. The ports are numbered in the sequence of CON → VTY. Thereis only one console port and 0-15 VTY interfaces. You can use the user-interfacemaximum-vty command to set the maximum number of user interfaces. The defaultnumber is five.

By default, the system supports three types of user interfaces: CON, and VTY.

Table 4-1 shows the absolute numbers of the user interfaces in this system.



44

Table 4-1 Example for the absolute numbering

Absolute number User-interface

0 CON0

34 The first virtual interface (VTY0)

35 The second virtual interface (VTY1)

36 The third virtual interface (VTY2)

37 The fourth virtual interface (VTY3)

38 The fifth virtual interface (VTY4)

NOTE

The absolute numbers allocated for VTY interfaces are device-specific.

The numbers from 1 to 32 are reserved for the TTY user interfaces.

Run the display user-interface command to view the absolute number of user interfaces.

4.1.2 User ManagementThe system supports operations such as user authentication and user planning.

The user name and the password are not configured when a ATN equipment is started for thefirst time.

In such a condition, any user can configure the ATN equipment through the console port byconnecting a PC to the port.

The remote user can login to the ATN equipment through Telnet if the ATN equipment isconfigured with an IP address on the main control board or interface board. In addition, theremote user can access the network by establishing a PPP connection with the ATNequipment.

Thus, the user names and passwords are required for the ATN equipment to ensure networksecurity and to manage users.

User ClassificationBased on the services obtained, users of a ATN equipment are classified as follows:

l HyperTerminal users: The users access the ATN equipment through the console port.l Telnet users: The users access the ATN equipment through Telnet.l File Transfer Protocol (FTP) users: The users establish FTP connections with the ATN

equipment to transfer files.l Secure Shell (SSH) users: The users establish SSH connections with the ATN

equipment to access the network.l Network Management System (NMS) users: The users establish connections with ATN

equipments through SNMP or Telnet to manage ATN equipments in machine-to-machinemode.

One user can obtain multiple services simultaneously and perform multiple functions.



45

User LevelThe system provides hierarchical management to HyperTerminal users and Telnet users.

The login users are classified into 16 levels corresponding to the commands, marked from Level0 to Level 15. The higher the level, the higher the priority .

A user can access a command depending on the user level.

l In the case of non-authentication or password authentication, the level of the command thatcan be accessed by the login user depends on the level of the login user interface.

l In the case of AAA authentication, the level of the command that can be accessed by thelogin user depends on the level of the local user in the AAA configuration.

The user can access the commands with the level equal to or lower than the user level. Forexample, for a user of Level 2, the user can access the commands of Level 0, Level 1, and Level2.

NOTE

For details of the command level, refer to "Command Level" in Chapter 3 "Command Line Introduction."

User AuthenticationAfter the user configuration, the system authenticates users when they access the ATNequipment.

The three types of user authentication are as follows:

l Non-authentication: In this type, a user accesses the ATN equipment without the user nameor password. This is not recommended due to security reasons.

l Password authentication: In this type, a user accesses the ATN equipment only with thepassword rather than the user name. This is safer compared to non-authentication.

l Authentication, Authorization and Accounting (AAA) local: This scheme needs both theuser name and the password. This scheme authenticates the Telnet and HyperTerminalusers.

User PlanningThe network administrator provides the user plan based on the requirements.

l At least one HyperTerminal user is created on a ATN equipment.l A Telnet user is created for remote access.l An FTP user uploads or downloads files on a ATN equipment from the remote.l A network administrator manages ATN equipments in machine-to-machine mode, and

NMS users need to be added to the ATN equipments.

NOTE

For the configuration of FTP users, refer to Chapter 8 "FTP, TFTP and XModem".

4.2 Configuring Console User InterfaceYou can configure the console user interface so as to maintain a ATN equipment on the localdevice.



46

4.2.1 Establishing the Configuration TaskBefore configuring a console interface, familiarize yourself with the applicable environment,complete the pre-configuration tasks, and obtain the required data. This can help you completethe configuration task quickly and accurately.

Applicable EnvironmentA console user interface is required for maintaining the local ATN equipment.

Pre-configuration TasksBefore configuring a console interface, complete the following tasks:

l Powering on the ATN equipmentl Connecting a PC to the ATN equipment through an asynchronous interface

Data PreparationTo configure a console interface, you need the following data.

No. Data

1 Baud rate, flow-control mode, parity, stop bit, and data bit

2 Idle timeout period, number of lines displayed in a terminal screen, and the size ofhistory command buffer

3 User priority

4 User authentication method, user name, and password

NOTE

All the configuration items of the ATN equipment, excluding the user name and password, have defaultvalues and do not need to be configured additionally.

4.2.2 Configuring Console Interface AttributesYou can configure the rate, flow control mode, parity mode, stop bit, and data bit for the consoleport.

ContextDo as follows on the ATN equipment that the user logs in to:

Procedure





47

Step 2 Run:user-interface console interface-number

The console user interface view is displayed.

----End

4.2.3 Setting Console Terminal AttributesYou can configure the timeout period for idle users, maximum number of lines to displayed oneach screen, and the size of historical command buffer for the console interface.

ContextDo as follows on the ATN equipment to which a user logs in:

Procedure




The console interface view is displayed.

Step 3 Run:shell

The terminal service is started.

Step 4 Run:idle-timeout minutes [ seconds ]

The timeout period for idle users is set.

By default, the timeout period for idle users is 10 minutes.

Step 5 Run:screen-length screen-length

The number of lines to be displayed on each screen is set.

By default, a terminal displays 24 lines on each screen.

You can run the screen-length screen-length temporary command to specify the number oflines that a terminal displays on each screen.

Step 6 Run:history-command max-size size-value

The buffer of the history command is set.

By default,the history command buffer on a user interface can cache a maximum of 10commands.

----End



48

4.2.4 Configuring User PriorityYou can set the priority for a user who logs in through the console port.


Procedure




The console user interface view is displayed.

Step 3 Run:user privilege level level

The priority of the user is set.

This process is to set the priority for a user who logs in through the console port. A user can onlyuse the command of the level corresponding to the user level.

For more information about the command priority, see "Command Level" in Chapter 3 "CLIOverview".

----End

4.2.5 Configuring User AuthenticationThe system provides three authentication modes, namely, AAA, password, and none.

Procedurel Configuring AAA Authentication

1. Run:system-view

The system view is displayed.2. Run:

user-interface console interface-number

The console user interface view is displayed.3. Run:

authentication-mode aaa

The authentication mode is set to AAA.4. Run:

quit

Exit from the console user interface view.



49

5. Run:aaa

The AAA view is displayed.6. Run:

local-user user-name password { simple | cipher } password

Name and password of the local user are created.l Configuring Password Authentication

1. Run:system-view




authentication-mode password

You can set the authentication mode as password authentication.4. Run:

set authentication password { cipher | simple } password

A password for authentication is set.l Configuring Non-Authentication

1. Run:system-view




authentication-mode none

The authentication mode is set to non-authentication.

----End

4.2.6 Checking the ConfigurationAfter configuring the console user interface, you can view the usage information of the userinterface, physical attributes and configurations of the user interface, local user list, and onlineusers.

PrerequisitesThe configurations of the User Management function are complete.

Procedurel Run the display users [ all ] command to check information about user interface.



50

l Run the display user-interface console ui-number1 [ summary ] command to checkphysical attributes and configurations of the user interface.

l Run the display local-user command to check the local user list.

----End

4.3 Configuring VTY User InterfaceYou can configure the VTY user interface to maintain a remote ATN equipment.

4.3.1 Establishing the Configuration TaskBefore configuring a VTY interface, familiarize yourself with the applicable environment,complete the pre-configuration tasks, and obtain the required data. This can help you completethe configuration task quickly and accurately.


If you want to log in to the ATN equipment using Telnet or SSH to perform management orconfiguration operations, .a VTY interface is required.


Before configuring a VTY user interface, complete the following tasks:


l Connecting a PC to the ATN equipment correctly

Data Preparation

To configure a VTY user interface, you need the following data.

No. Data

1 Maximum VTY user interfaces

2 (Optional) Number of the ACL for limiting incoming and outgoing calls of userslogging in using VTY user interfaces

3 Timeout period for idle users, maximum number of lines to be displayed on eachscreen and the size of the history command buffer

4 User authentication mode, user name, and password

4.3.2 Configuring Maximum VTY User InterfacesYou can configure the maximum number of VTY user interfaces through which users log in toa ATN equipment.



51


Procedure



Step 2 Run:user-interface maximum-vty number

The maximum VTY user interfaces that can log in to the ATN equipment is set.

NOTE

When the maximum number of VTY user interfaces is set to zero, any user including the NMS user cannotlog in to a ATN equipment.

If the maximum number of VTY user interfaces to be configured is smaller than the maximumnumber of current interfaces, other parameters need not be configured.

If the maximum number of VTY user interfaces to be configured is larger than the maximumnumber of current interfaces, the authentication mode and password need to be configured fornewly added user interfaces.

For newly added user interfaces, the system applies password authentication by default.

For example, a maximum of five users are allowed online. To allow 15 VTY users online at thesame time, you need to run the authentication-mode command and the set authenticationpassword command to configure authentication modes and passwords for user interfaces fromVTY 5 to VTY 14. The command is run as follows:

<HUAWEI> system-view[HUAWEI] user-interface maximum-vty 15[HUAWEI] user-interface vty 5 14[HUAWEI-ui-vty5-14] authentication-mode password[HUAWEI-ui-vty5-14] set authentication password cipher huawei

----End

4.3.3 (Optional)Configuring Limits for Incoming Calls andOutgoing Calls

You can set the limit on incoming and outgoing calls for VTY user interfaces.


Procedure





52

Step 2 Run:user-interface vty first-ui-number [ last-ui-number ]

The VTY user interface view is displayed.

Step 3 Run:acl acl-number { inbound | outbound }

The limits to calling in/out of VTY are configured.

When you need to prevent a user of certain address or segment address from logging in to theATN equipment, use the inbound command; when you need to prevent a user who logs in toan ATN equipment from accessing other ATN equipments, use the outbound command.

----End

4.3.4 Configuring VTY Terminal AttributesYou can configure the timeout period for idle users, maximum number of lines to be displayedon each screen, and the size of the historical command buffer for a VTY interface.


Procedure



Step 2 Run:user-interface vty number1 [ number2 ]

The VTY interface view is displayed.

Step 3 Run:shell

Terminal services are enabled.


The timeout period for idle users is set.

Step 5 Run:screen-length screen-length

The maximum number of lines to be displayed on each screen is set.

By default, a maximum of 24 lines are displayed on each screen.

You can run the screen-length screen-length temporary command to specify the maximumnumber of lines to be temporarily displayed on each terminal screen.

Step 6 Run:history-command max-size size-value



53

The size of the history command buffer is set.

By default, the history command buffer on a user interface can cache a maximum of 10commands.

----End

4.3.5 Configuring User AuthenticationThe system provides three authentication modes, namely, AAA, password, and none.

ContextThe ATN equipment supports user authentication of three types:

l AAA authentication: requires the user name and password.l Password authentication: requires no user name but a password must be set. Otherwise, the

user can log in to the ATN equipment only through the console interface.l None: requires neither user name nor password. No authentication is needed when the user

logs in to the ATN equipment.

Procedurel Configuring AAA Authentication

1. Run:system-view


user-interface vty number1 [ number2 ]

The VTY user interface view is displayed.3. Run:

authentication-mode aaa

The authentication mode is set to AAA.4. Run:

quit

Exit from the VTY user interface view.5. Run:

aaa

The AAA view is displayed.6. Run:

local-user user-name password { simple | cipher } password

Name and password of the local user are created.l Configuring Password Authentication

1. Run:system-view




54

2. Run:user-interface vty number1 [ number2 ]


authentication-mode password

Set the authentication mode as password.4. Run:

set authentication password { cipher | simple } password

A password for this authentication mode is set.l Configuring Non-Authentication

1. Do as follows on the ATN equipment, run:system-view


user-interface vty number1 [ number2 ]


authentication-mode none

The authentication mode is set to none.

----End

4.3.6 Checking the ConfigurationAfter configuring the VTY user interface, you can view the usage information of the userinterface, the maximum number of VTY user interfaces, and physical attributes andconfigurations of the user interface.

PrerequisitesThe configuration of VTY User Interface are complete.

Procedurel Run the display users [ all ] command to check the usage information of the user interface.l Run the display user-interface maximum-vty command to check the number of maximum

VTY user interfaces.l Run the display user-interface [ [ ui-type ] ui-number1 | ui-number ] [ summary ]

command to check the physical attributes and configurations of the user interface.

----End

4.4 Managing User InterfacesYou need to configure user management to ensure that the operator manages ATN equipmentssafely.



55

4.4.1 Establishing the Configuration TaskBefore configuring user management interfaces, familiarize yourself with the applicableenvironment, complete the pre-configuration tasks, and obtain the required data. This can helpyou complete the configuration task quickly and accurately.

Applicable EnvironmentTo ensure that the operator managesATN equipments safely, you need to send messages betweenuser interfaces and clear designated user.

Pre-configuration TasksBefore managing the user interface, complete the following tasks:

l Powering on the ATN equipmentl Connecting the PC with the ATN equipment properly

Data PreparationsTo manage the user interface, you need the following data:

No. Data

1 Type and number of the user interface

2 Contents of the message to be sent

4.4.2 Sending Messages to Other User InterfacesYou can configure messaging between user interfaces.


Procedure

Step 1 Run:send { all | ui-type ui-number | ui-number1 }

You can enable message sending between user interfaces.

Step 2 Following the prompt, you can enter the message to be sent. You can press Ctrl_Z or Enter toend, and press Ctrl_C to abort.

----End

4.4.3 Clearing Online UserYou can clear specified online users.



56


Procedure

Step 1 Run:kill user-interface { ui-number | ui-type ui-number1 }

Online users are cleared.

Step 2 On receiving the prompts, you can confirm whether the designated online users have to becleared.

----End

4.4.4 Checking the ConfigurationAfter configuring user management interfaces, you can view the usage information of userinterfaces.

PrerequisitesThe configuration of User Interfaces are complete.

Procedure

Step 1 Run the display users [ all ] command to check the usage information of the user interface.

----End

4.5 Configuring User AuthenticationThrough user management, you can create users for ATN equipments, set user passwords, andmanage users.

4.5.1 Establishing the Configuration TaskBefore configuring user management, familiarize yourself with the applicable environment,complete the pre-configuration tasks, and obtain the required data. This can help you completethe configuration task quickly and accurately.

Applicable EnvironmentAfter the IP address is assigned to the main control board or the interface board, any remote usercan use Telnet to log in to the ATN equipment, or connect the ATN equipment through PPP toaccess networks. This compromises the security. To ensure network security and ease usermanagement, configure a user name and the user password for the ATN equipment.

Pre-configuration TasksBefore configuring a user, complete the following tasks:



57


l Connecting the PC with the ATN equipment properly

Data Preparation

To configure a user, you need the following data.

No. Data

1 Authentication mode

2 User name and password

3 User priority

4.5.2 Configuring Authentication ModeThe system provides three authentication modes, namely, AAA local authentication, passwordauthentication, and none authentication.

Context

Do as follows on the ATN equipment that the user logs in to:

Procedure



Step 2 Run:user-interface [ ui-type ] first-ui-number [ last-ui-number ]

The user interface view is displayed.

Step 3 Run:authentication-mode { aaa | password | none }

The user authentication mode is configured.

----End

4.5.3 Configuring Authentication PasswordYou can configure a plain or cipher text password for authentication.

Context




58

Procedure





Step 3 Run:authentication-mode password

The authentication mode is set to Password.

Step 4 Run:set authentication password { cipher | simple } password

The authentication password is configured.

NOTE

The default authentication mode is the password authentication.

----End

4.5.4 Setting Username and Password for AAA LocalAuthentication

You can configure a plain or cipher text password for AAA local authentication.


Procedure





Step 3 Run:authentication-mode aaa

The authentication mode is set to AAA.

Step 4 Run:quit

Return to the system view.



59

Step 5 Run:aaa

The AAA view is displayed.

Step 6 Run:local-user user-name password { simple | cipher } password

The local username and the password are configured.

----End

4.5.5 Configuring Non-AuthenticationYou can configure users to log in to a ATN equipment without being authenticated.

Context

CAUTIONConfiguring the non-authentication mode may cause security problems of the ATNequipment.


Procedure





Step 3 Run:authentication-mode none

The non-authentication mode is configured.

NOTE

l If the authentication mode is non-authentication or password authentication, the priority of the user-interface determines the command level that the users can access.

l If the authentication mode needs the username and the password, the priority of the user determinesthe command level that the users can access.

----End

4.5.6 Configuring User PriorityYou can configure the user priority.



60

Context

Refer to the ATN 910 Configuration Guide - Security.

4.5.7 Checking the ConfigurationAfter configuring user management, you can view the usage information of user interfaces, localuser list, and online users.

PrerequisitesThe configuration of User Management are complete.

Procedurel Run the display users [ all ] command to check the user information.

l Run the display local-user [ domain domain-name | username user-name ] command tocheck information about local users.

----End

4.6 Configuring Exclusive Configuration AccessWhen multiple users log in to a device to simultaneously configure services, the configurationsmay conflict and thus the services become abnormal on the device. To prevent the problem, youcan provide exclusive configuration access to ensure that only one user performs configurationat a time.

4.6.1 (Optional) Viewing the Current Locked Configuration SetYou need to check whether the configuration set is locked by another user before enablingexclusive configuration access.

Context


Procedure

Step 1 Run:display configuration-occupied user

Information about the user that locks the configuration set is displayed.

----End

4.6.2 Enabling Exclusive Configuration AccessA user can explicitly obtain exclusive configuration access. In this case, other users cannot obtainconfiguration access.



61

Context


Procedure

Step 1 Run:configuration exclusive

The user obtains exclusive configuration access.

NOTEIf the configuration set is already locked, an error message is displayed after this command is run.

----End

4.6.3 (Optional) Setting the Unlocking TimeYou can set an allowable maximum lock timeout period when no command is delivered by theuser that locks the configuration set. After the period, the configuration set is automaticallyunlocked and other users can normally run commands.

Context


Procedure

Step 1 Run:configuration-occupied timeout

The timeout period for automatic unlocking the configuration set is set.

NOTE

l When a user without exclusive configuration access runs this command, the system prompts an errormessage.

l If the configuration set is locked by another user, this command cannot be configured, and the systemprompts an error message.

l If the configuration set is locked by the current user, the current user can run this command.

----End

4.7 Configuring Local User ManagementAfter configuring attributes of a local user on an access device, you can enable the access deviceto function as a local AAA server.

4.7.1 Establishing the Configuration TaskThis section describes the applicable environment of local user management and required tasksand data for configuring a local user.



62


You can create a single local user database on a Network Access Server (NAS) to manage accessusers.

Pre-configuration Task

Before configuring local user management, complete the following tasks:

l Configuring parameters of the link layer protocol and IP addresses for the interfaces andensuring that the status of the link layer protocol on the interfaces is Up

l Creating an Access Control List (ACL) and set ACL rules if you need to apply the ACL tomanage local users

Data Preparation

To configure local user management, you need the following data.

No. Data


2 Type of the service that the local user accesses

3 Name of the FTP directory that the local user can access

4 Local user status

5 Local user level

6 Limited number of local access users

7 Number of the ACL used to managing the local user

4.7.2 Creating a Local User AccountYou can create a user in the AAA view. The user can carry a domain name. If the user does notcarry a domain name, the user belongs to the default domain by default.

Context

Do as follows on the NAS:

Procedure



Step 2 Run:aaa



63



A local user account is created.

If the user name contains @, the character before @ is the user name and the character after @is the domain name. If the user name does not contain @, the whole character string representsthe user name and the domain name is default_admin.

----End

4.7.3 Configuring the Type of the Service That the Local UserAccesses

By setting the service type of local users, you can manage users based on the service type.

Context


Procedure



Step 2 Run:aaa


Step 3 Run:local-user user-name service-type { ftp | ssh | telnet | terminal }*

The type of the service that the local user accesses is configured.

By default, all access types are available for local users.

----End

4.7.4 Configuring the Local User Authority of Accessing the FTPDirectory

If the access mode of a local user is FTP, you must configure the FTP directory for the localuser. Otherwise, the FTP user cannot log in.

Context




64

Procedure



Step 2 Run:aaa


Step 3 Run:local-user user-name ftp-directory directory

The local user authority of accessing the FTP directory is configured.

By default, the FTP directory is null.

----End

4.7.5 Configuring Local User StatusThe local user can be in the activated or blocked state. An activated user can be authenticated;a blocked user cannot be authenticated.

ContextDo as follows on the NAS:

Procedure



Step 2 Run:aaa


Step 3 Run:local-user user-name state { active | block }

The local user status is configured.

By default, the local user is in the active state.

----End

Follow-up ProcedureDo as follows to process the local user in the active or block state:

l If the local user is in the active state, the authentication request from this user is allowedfor further processing.

l If the local user is in the block state, the authentication request from this user is denied.



65

4.7.6 Configuring the Local User LevelAfter the priority of a user is set, the login user can use only the commands whose priorities arelower than or equal to the user priority.


Procedure



Step 2 Run:aaa


Step 3 Run:local-user user-name level level

The local user level is configured.

By default, the level of the local user is determined by the management module.

----End

Follow-up ProcedureThe login user has the same 16 levels like the command. They are Visit, Monitoring, Configureand Management, and are marked from 0 to 15. The higher the mark is, the higher the priorityis.

4.7.7 Setting the Maximum Number of Access Users with the SameUser Name

A user name can be used for several connections. By restricting the access of local users, youcan control the number of connections under one user name.


Procedure



Step 2 Run:aaa



66


Step 3 Run:local-user user-name access-limit max-number

The local user access limit is configured.

By default, the number of access users with the same user name is not restricted.

----End

4.7.8 Configuring a ATN equipment to Cut off Idle Access UsersAfter a ATN equipment is configured to logoff idle local users, local users automatically gooffline when their traffic is less than the set limit during the idle time.


Procedure



Step 2 Run:aaa


Step 3 Run:local-user username idle-cut

The ATN equipment is configured to cut off an idle local user.

By default, the idle-cut function of the domain is disabled for users. That is, idle users in thedomain are not cut off by default.

After you enable the idle-cut function of local users, the idle-cut time is prioritized in descendingorder: the idle-cut time delivered by the server, the idle-cut time set in the AAA domain view,and the idle-cut time set on the VTY interface.

----End

4.7.9 Local Users Changing the PasswordsA local user can perform this operation to change its password.


Procedure

Step 1 Run:local-user change-password



67

The password of the local user is changed.

Only the user that passes local authentication can change the password.

NOTE

Run the command in the user view.

----End

4.7.10 Checking the ConfigurationAfter a local user is successfully configured, you can view basic information about the user,such as the user name, user status, user type, access restriction, and whether the user is online.

PrerequisitesThe configurations of the local user management are complete.

ProcedureStep 1 Run the display local-user [ domain domain-name | username user-name ] command to check

attributes of the local user.

----End

4.8 Configuring an NM User to Log in to a Device in VTYMode

You can configure an Network Management System (NMS) user to log in to a device in VTYmode to set parameters of the device.

4.8.1 Establishing the Configuration TaskBefore configuring an NMS user to log in to a device in VTY mode, familiarize yourself withthe applicable environment, complete the pre-configuration tasks, and obtain the required data.This can help you complete the configuration task quickly and accurately.

Applicable EnvironmentThe Network Management System (NMS) user can log in to the device through VTY to setparameters about the device.

Pre-configuration TasksBefore configuring an NMS user to log in to a device through the machine-to-machine mode,complete the following task:

l Configuring reachable ATN equipment to network management end and the device

Data PreparationTo configure an NMS user to log in to a device through the machine-to-machine mode, you needthe following data.



68

No. Data


2 Type and number of the user interface

4.8.2 Configuring an NM UserYou can create a local user and configure the user as an NM user.

ContextDo as follows on the ATN equipment that an NMS user needs to manage.

Procedure



Step 2 Run:aaa



A local user is created.

Step 4 Run:local-user user-name user-type netmanager

The local user is set as an NM user.

----End

4.8.3 Configuring the Authentication Mode of an NM UserNMS users can be configured with only AAA authentication.

ContextDo as follows on the ATN equipment that an NMS user needs to manage.

Procedure



Step 2 Run:



69

user-interface [ ui-type ] first-ui-number [ last-ui-number ]



An authentication mode used to log in to the user interface is configured.

NOTE

The system reserves five VTYs (VTY 16-VTY 20) for an NMS user. The five VTYs are used as specialchannels of the network management. The channels do not support the RSA authentication mode butsupport the password authentication.

----End

4.8.4 Switching to Machine-to-Machine ModeYou can switch the system to the machine-to-machine mode.

ContextNOTE

This command is invisible on the terminal of command lines. In addition, the command cannot be obtainedfrom help information. Human-to-machine users should use this command with caution.

Do as follows on the ATN equipment that an NMS user needs to manage.

Procedure



Step 2 Run:mmi-mode enable

The system is switched to the machine-to-machine mode.

NOTE

l In the VTY machine-to-machine mode, the system reserves five user interfaces to which an NMS usercan log in through VTYs. A common user cannot log in through Telnet but can log in by using the fivereserved user interfaces.

l In the machine-to-machine mode, the system does not output logs, alarms, and debugging informationto the screen.

l In the machine-to-machine mode, the save and reboot commands can be used directly.

l In the machine-to-machine mode, a maximum of 512 lines are displayed by default. The value can beadjusted by using the screen-length command. In addition, you can run the screen-lengthtemporary command to adjust the number of lines temporarily displayed on the screen.

----End

4.8.5 Checking the ConfigurationAfter configuring an NMS user to log in to a device in VTY mode, you can view the VTY mode.



70

PrerequisitesThe configuration of an NM User to Log in to a Device in VTY Mode are complete.

Procedure

Step 1 Run the display vty mode command to check the VTY mode.

----End

4.9 Configuration ExamplesThis section provides examples for configuring users to log in to a ATN equipment in differentmodes. These configuration examples explain networking requirements, configuration roadmap,and configuration notes.

Context

CAUTIONAfter the first and second configuration examples are complete, the commands with prioritieshigher than 2 cannot be run if the current user is VTY0. Ensure that users can log in to theATNequipment in other methods to delete configurations.

4.9.1 Example for Configuring Logging In to the ATN ThroughPassword

In this example, the VTY0 priority, authentication mode, and disconnection time are configured,which enables users to log in to the ATN equipment through a password.

Networking RequirementsThe COM port of the PC is connected with the Console port. Set the priority of VTY0 to 2 andauthenticate the passwords of users. Users need to enter the password Huawei to log insuccessfully.

After login, if the operations are not carried out in 30 minutes, it means that the user-interfaceis disconnected from the ATN equipment.


1. Enter the user interface, and configure the priority of VTY0 as 2.2. Configure the simple authentication and the disconnect time.

Data PreparationTo complete the configuration, you need the following data:



71

l The password of the authentication model The disconnect time

Procedure

Step 1 Configure the priority of VTY0 to be 2 on the ATN.<HUAWEI> system-view[HUAWEI] user-interface vty0[HUAWEI-ui-vty0] user privilege level 2

Step 2 Configuring password and disconnect time.[HUAWEI-ui-vty0] authentication-mode password[HUAWEI-ui-vty0] set authentication password simple huawei[HUAWEI-ui-vty0] idle-timeout 30

----End

Configuration Files# sysname HUAWEI#aaa authentication-scheme default authorization-scheme default accounting-scheme default domain default_admin#user-interface vty 0 user privilege level 2 set authentication password simple huawei idle-timeout 30 #return

4.9.2 Example for Logging In to the Device Through AAAIn this example, the VTY0 priority and disconnection time are configured and the idle-outfunction is enabled for local users, which enables users to log in to the ATN equipment throughAAA authentication.

Networking RequirementsThe COM port of the PC and the console port of the ATN equipment are connected.

Configure the priority of VTY0 to be 2, perform AAA authentication on the user that logs inthrough VTY0. The login user must enter the username "huawei" and the password "huawei".

After login, if the user does not operate the ATN equipment within 30 minutes, the connectionwith the ATN equipment is disabled.


1. Enter the user interface view to configure the priority of VTY0 to be 2 and the disconnectiontime.

2. Enter the AAA view to configure the username, the password, and the user level.



72

3. Switch on the idle timeout for the local user in the AAA view.

Data Preparation

To complete the configuration, you need the following data:

l Username and password for authentication

l Disconnect time

Procedure

Step 1 Configure the priority of VTY0 to be 2 and the disconnection time within 30 minutes.<HUAWEI> system-view[HUAWEI] user-interface vty0[HUAWEI-ui-vty0] user privilege level 2[HUAWEI-ui-vty0] authentication-mode aaa[HUAWEI-ui-vty0] idle-timeout 30[HUAWEI-ui-vty0] quit

Step 2 Configuring the local username, the password, and user level.[HUAWEI] aaa[HUAWEI-aaa] local-user huawei password cipher huawei[HUAWEI-aaa] local-user huawei level 2

Step 3 Switch on the idle timeout for the local user in the AAA view.[HUAWEI-aaa] local-user huawei idle-cut

----End

Configuration Files# sysname HUAWEI#aaa local-user huawei password cipher N`C55QK<`=/Q=^Q`MAF4<1!! local-user huawei level 2local-user huawei idle-cutlocal-user huawei idle-cut# authorization-scheme default # accounting-scheme default # domain default_admin#user-interface vty 0 authentication-mode aaa user privilege level 2 idle-timeout 30#return

4.9.3 Example for Configuring an NMS User to Manage Devices inMachine-to-machine Mode

In this example, an NMS user is created and the authentication mode is set for the NMS user,which enables the NMS user to manage the ATN equipment in machine-to-machine mode.



73

Networking RequirementsAs shown in Figure 4-1, the NM station logs in to ATN through the channel reserved by ATNfor an NMS user, and then manages devices.

Figure 4-1 Networking diagram of configuring an NMS user to manage devices in the machine-to-machine mode

ATNGE0/0/01.1.1.1/24

1.1.1.2/24NM Station


1. Configure an NMS user.2. Configure the authentication mode of the NMS user.3. Enter the machine-to-machine mode.


l Name and IP address of an interfacel Name of the local user

Procedure

Step 1 Configure IP addresses. The configuration details are not mentioned here.

Step 2 Configure an NMS user.

# Enter the AAA view.

<HUAWEI> system-view[HUAWEI] sysname ATN[ATN] aaa

# Configure the NMS user.

[ATN-aaa] local-user [email protected] password simple hello[ATN-aaa] local-user [email protected] user-type netmanager[ATN-aaa] quit

Step 3 Configure the authentication mode of an NMS user.

# Enter the user interface view.

[ATN] user-interface vty 16 20

# Configure the authentication mode of the NMS user.

[ATN-ui-vty16-20] authentication-mode aaa[ATN-ui-vty16-20] quit



74

NOTE

l To log in to a device through reserved channels, an NMS user can log in to the device successfullyonly after the user passes the AAA authentication.

l Reserved channels do not support the RSA authentication mode.

Step 4 Enter the machine-to-machine mode.[ATN] mmi-mode enable[ATN] quit

Step 5 Verify the configuration.<ATN> display vty modecurrent VTY mode is Machine-Machine interface

----End

Configuration Files# sysname ATN#interface Ethernet0/0/0 ip address 1.1.1.1 255.255.255.0#aaa local-user [email protected] password simple hello local-user [email protected] user-type netmanager# user-interface vty 16 20 authentication-mode aaa#return



75

5 File System

About This Chapter

The file system manages files and directories in the storage device.

5.1 File System IntroductionThe file system manages the files and directories in the storage device. You can create a filesystem, create, delete, modify, and rename files and directories, and view file contents.

5.2 Managing Storage DevicesYou can restore and format storage devices.

5.3 Managing the DirectoryYou can manage directories to logically store files in hierarchy.

5.4 Managing FilesYou can view, create, delete, and rename files.

5.5 Example for Managing FilesThis section describes how to manage files.

ATN 910 Multi - service Access EquipmentConfiguration Guide - Basic Configurations 5 File System


76

5.1 File System IntroductionThe file system manages the files and directories in the storage device. You can create a filesystem, create, delete, modify, and rename files and directories, and view file contents.

5.1.1 File SystemThis section describes the definition and function of the file system.

Definitions

The file system manages the files and directories in the storage devices. It can create, delete,modify, and rename a file or directory and display the contents of the file.

Functions

The file system has two functions: managing the storage devices and managing the files that arestored in those storage devices.

5.1.2 File System Supported by the ATN 910The file system supported by the ATN 910 consists of storage devices, directories, and files.

Storage Devices

Storage devices are hardware devices for storing messages.

At present, the ATN equipment supports the storage devices such as compact flash (CF) cardand flash card.

Files

The file is a mechanism with which the system stores and manages messages.

Directories

The directory is a mechanism with which the system integrates and organizes the file, servingas a logical container of the file.

5.1.3 FileA file is a mechanism used for the system to store and manage information.

The file system provides two functions:

l Managing storage devices

l Managing the files that are stored in storage devices

By managing files, you can view, create, delete or rename files.



77

5.1.4 DirectoryA directory is a repository or database of information and a logical container of files. You cansave files to nested directories to implement hierarchical file management.

5.2 Managing Storage DevicesYou can restore and format storage devices.

5.2.1 Establishing the Configuration TaskBefore managing storage devices, familiarize yourself with the applicable environment,complete the pre-configuration tasks, and obtain the required data. This can help you completethe configuration task quickly and accurately.

Applicable EnvironmentWhen the ATN equipment cannot access data normally, the storage devices that do not functionnormally need to be restored.

Pre-configuration TasksBefore managing the storage devices, complete the following tasks:

l Installing the ATN equipment and starting it normallyl Enabling the client to log in to the ATN equipment

Data PreparationsBefore managing the storage devices, you need the following data.

No. Data

1 Device name

5.2.2 Restoring Storage Devices with File System TroublesWhen the file system on a storage device fails, the terminal of the ATN equipment prompts youto rectify the fault.


Procedure

Step 1 Run:fixdisk device-name



78

The storage devices with file system troubles is repaired.

NOTE

After this command is run, if the prompt that the system should be repaired is still received, it indicatesthat the physical medium may be damaged.

----End

5.2.3 Formatting Storage DevicesYou can format a storage device when you fail to repair the file system or you do not need anydata saved on the storage device.

Context

CAUTIONFormatting storage devices may lead to data loss.


Procedure

Step 1 Run:format device-name

The storage device is formatted.

NOTE

If the storage device cannot work after running the format device-name command, a fault may occur inthe hardware.

----End

5.3 Managing the DirectoryYou can manage directories to logically store files in hierarchy.

5.3.1 Establishing the Configuration TaskBefore managing directories, familiarize yourself with the applicable environment, completethe pre-configuration tasks, and obtain the required data. This can help you complete theconfiguration task quickly and accurately.


When you need to transfer files between the client and the server, configure the directory byusing the file system.



79


Before configuring the management directory, complete the following tasks:

l Powering on the ATN equipmentl Connecting the client with the server correctly

Data Preparation

To configure a management directory, you need the following data.

No. Data

1 Directory name to be created

2 Directory name to be deleted

5.3.2 Viewing the Current DirectoryYou can view the current directory to know its information.

Context

Do as follows on the ATN equipment.

Procedure

Step 1 Run:pwd

The current directory is displayed.

----End

5.3.3 Switching a DirectoryYou can switch the current directory to another directory.

Context


Procedure

Step 1 Run:cd directory

A directory is specified.

Step 2 Run:pwd



80

The current directory is displayed.

----End

5.3.4 Displaying a Directory or FileYou can view a directory or files in the directory.


Procedure


A directory is specified and the specified directory is displayed.

Step 2 Run:dir [ /all ] [ filename ]

The file and sub-directory list in the directory is displayed.

Either the absolute path or relative path is applicable.

----End

5.3.5 Creating a DirectoryYou can create a directory in the specified directory on a specified storage device.


Procedure


The parent directory of the directory to be created is displayed.

Step 2 Run:mkdir directory

The directory is created.

----End

5.3.6 Deleting a DirectoryYou can delete an unneeded directory.




81

Procedure


The parent directory of the directory to be deleted is displayed.

Step 2 Run:rmdir directory

The directory is deleted.

----End

5.4 Managing FilesYou can view, create, delete, and rename files.

5.4.1 Establishing the Configuration TaskBefore managing files, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configurationtask quickly and accurately.

Applicable EnvironmentTo view, delete, or rename files on the ATN equipment, you need to configure files using thefile system.

Pre-configuration TasksBefore configuring the file system, complete the following tasks:

l Powering on the ATN equipmentl Connecting the client with the server correctly

Data PreparationTo configure a file system, you need the following data.

No. Data

1 File name to be viewed

2 File name to be deleted

3 File name to be renamed

5.4.2 Displaying Contents of FilesYou can view the contents of a file, which are displayed in texts.



82


Procedure


The directory of the file is displayed.

Step 2 Run:more filename [ offset | all ]

The content of the file is displayed.

By specifying parameters in the more command, you can view files flexibly:l By running the more file-name command, you can view the file named file-name. Contents

of a text file are displayed screen after screen. If you hold and press the spacebar on thecurrent terminal, all contents of the current file can be displayed.There are two preconditions if you want to display the contents of a text file screen afterscreen:– The value configured by screen-length screen-length command must be larger than 0.– The total lines of the file must be larger than the value configured by screen-length

command.l By running the more file-name offset command, you can view the file named file-name.

Contents of a text file are displayed from the line specified by offset screen after screen. Ifyou hold and press the spacebar on the current terminal, all contents of the current file canbe displayed.There are two preconditions if you want to display the contents of a text file screen afterscreen:– The value configured by screen-length screen-length command must be larger than 0.– The result of the number of file characters subtracted by the value of offset must be larger

than the value configured by screen-length command.l By running the more file-name all command, you can view the file named file-name.

Contents of a text file are completely displayed without pausing after each screenful ofinformation.

----End

5.4.3 Copying FilesYou can copy files.


Procedure




83


Step 2 Run:copy source-filename destination-filename

The file is copied.

NOTE

The file to be copied must be larger than 0 bytes. Otherwise, the operation fails.

----End

5.4.4 Moving FilesYou can move files to a specified directory.

Context


Procedure



Step 2 Run:move source-filename destination-filename

The file is moved.

----End

5.4.5 Renaming FilesYou can rename files.

Context


Procedure



Step 2 Run:rename source-filename destination-filename

The file is renamed.

----End



84

5.4.6 Compressing FilesYou can compress files to reduce the size of the files.

ContextDo as follows on the ATN equipment.

Procedure

Step 1 Run:zip source-filename destination-filename

The file is compressed.

----End

5.4.7 Deleting FilesYou can delete unneeded files.


Procedure



Step 2 Run:delete [ /unreserved ] [ /quiet ] { filename | device-name }

The file is deleted.

----End

5.4.8 Deleting Files in the Recycle BinYou can permanently delete files in the recycle bin.


Procedure

Step 1 Run:reset recycle-bin [ filename ]

The file is deleted.

----End



85

5.4.9 Undeleting FilesYou can undelete files.


Procedure

Step 1 Run:undelete filename

The deleted file is recovered.

NOTE

l If the current directory is not the parent directory, you must operate the file by using the absolute path.

l If you use the parameter [ /unreserved ] in the delete command, the file cannot be restored after beingdeleted.

----End

5.4.10 Running Files in BatchYou can upload the files and then process the files in batches.

PrerequisitesUploading the batched files on the client end to the ATN equipment.

ContextWhen the batch file is created, you can run the batch file to implement routine tasksautomatically.

Procedure



Step 2 Run:execute filename

The batched file is executed.

----End

5.4.11 Configuring Prompt ModesThe system displays prompts or warning messages when you operate the device. If you need tochange the prompt mode for file operations, you can configure the prompt mode of the filesystem.



86

PrerequisitesBefore configuring a file system, complete the following tasks:

l Powering on the ATN equipmentl Logging in to the ATN equipmentfrom the client end

ContextThe data may be lost or damaged during the process, and the prompt is required.

Procedure



Step 2 Run:file prompt { alert | quiet }

The prompt mode of the file system is configured.

By default, the prompt mode is alert.

CAUTIONIf the prompt is in the quiet mode, no prompt appears for data lossdue to maloperation.

----End

5.5 Example for Managing FilesThis section describes how to manage files.

Networking RequirementsBy configuring the file system of the ATN equipment, the user can operate the ATNequipment through the console port and copy files to the specified directory.

The file path in the storage device must be correct. If the user does not specify a target file name,the source file name is the name of the target file by default.


1. Check the files under a certain directory.2. Copy a file to this directory.3. Check this directory and view that the file is copied successfully to the specified directory.



87


l Source file name and target file namel Source file path and target file path

Procedure

Step 1 Display the file information in the directory of cfcard:/folder2, cfcard:/ is the flash memoryidentifier.<HUAWEI> pwdcfcard:/<HUAWEI> cd cfcard:/folder2<HUAWEI> dirInfo: File can't be found in the directory. 499,720 KB total (47,776 KB free)

Step 2 Copy files from cfcard:/folder1/sample.txt to cfcard:/folder2/sample.txt.<HUAWEI> copy cfcard:/folder1/sample.txt cfcard:/folder2Copy cfcard:/folder1/sample.txt to cfcard:/folder2/sample.txt?[Y/N]:Y 100% complete Info: Copied file cfcard:/folder1/sample.txt to cfcard:/folder2/sample.txt...Done.

Step 3 Display the file information about the current directory, and you can view that the file is copiedto the specified directory.<HUAWEI> dirDirectory of cfcard:/folder2/ Idx Attr Size(Byte) Date Time(LMT) FileName 0 -rw- 6 Dec 21 2011 16:15:52 sample.txt 499,720 KB total (47,768 KB free)

----End



88

6 Management of Configuration Files

About This Chapter

This chapter describes current configurations, configuration files, detection of master/slaveconfiguration consistency, and configuration recovery.

6.1 Management of Configuration Files IntroductionThe configuration file is the add-in configuration item when restarting the ATN equipment thistime or next time.

6.2 Managing Configuration FilesYou can manage configuration files to ensure that the ATN equipment starts normally.

ATN 910 Multi - service Access EquipmentConfiguration Guide - Basic Configurations 6 Management of Configuration Files


89

6.1 Management of Configuration Files IntroductionThe configuration file is the add-in configuration item when restarting the ATN equipment thistime or next time.

6.1.1 Configuration FilesThis part describes basic concepts of configuration files.

The configuration file is the add-in configuration item when restarting the ATN equipment thistime or next time.

The configuration file is a text file in the following formats:

l It is saved in the command format.

l To save space, default parameters are not saved. For the default values of the configurationparameters, see following sections.

l Commands are organized on the basis of the command view. All commands of the identicalcommand view are grouped into a section. Every two command sections are separated byone or several blank lines or comment lines (beginning with "#").

l The sequence of command sections is global configuration, logic interface configuration,physical interface configuration, routing protocol configuration and so on.

NOTE

l The system can run the command with the maximum length of 512 characters, including the commandin an incomplete form.

l If the configuration is in the incomplete form, the command is saved in complete form. Therefore, thecommand length in the configuration file may exceed 512 characters. When the system restarts, thesecommands cannot be restored.

6.1.2 Configuration Files and Current ConfigurationsThe part describes basic concepts of configuration files and current configurations.

l Initial configurations: On powering on, the ATN equipment retrieves the configuration filesfrom a default save path to initiate itself. If configuration files do not exist in the defaultsave path, the ATN equipment uses the default parameters.

l Current configurations: indicates the effective configurations of the currently running ATNequipment.

l Users can modify the current configurations of the ATN equipment through the commandline interface. Use the save command to save the current configuration to the configurationfile of the default storage devices, and the current configuration becomes the initialconfiguration of the ATN equipment when the ATN equipment is powered on next time.

6.2 Managing Configuration FilesYou can manage configuration files to ensure that the ATN equipment starts normally.



90

6.2.1 Establishing the Configuration TaskBefore managing configuration files, familiarize yourself with the applicable environment,complete the pre-configuration tasks, and obtain the required data. This can help you completethe configuration task quickly and accurately.

Applicable EnvironmentIn one of the following situations, you need to manage configuration files:

l To start the ATN equipment normally, you need to select the correct ATN 910 systemsoftware and configuration file for the ATN equipment to load.

l After modifying current configurations, you need to save the modified contents.l You need to view the configuration of the ATN equipment.

Pre-configuration TasksBefore managing configuration files, complete the following task:l Installing the ATN equipment and starting it properly

Data PreparationTo manage configuration files, you need the following data.

No. Data

1 ATN 910 System software and its file name

2 Configuration file and its name

3 The number of the start line from which the comparison of the configuration filesbegins

6.2.2 Configuring System Software for a ATN equipment to Loadfor the Next Startup

To upgrade the system software of a ATN equipment, you can specify the ATN 910 systemsoftware to be loaded for the next startup.


Procedure

Step 1 Run:startup system-software system-file [ slave-board ]

The ATN 910 system software for the ATN equipment to load next time when it starts isconfigured.



91

The filename extension of the system software must be .cc and must be stored in the root directoryof a storage device.

You can specify the system-file and use the system software for the next startup that is saved onthe device.

slave-board is valid only on the ATN equipment with dual main control boards.

----End

6.2.3 Configuring the Configuration File for ATN to Load for theNext Startup

Before restarting a ATN equipment, you can specify the configuration files that are loaded forthe next startup.


ProcedureStep 1 Run:

startup saved-configuration configuration-file

Configuration file is saved for the ATN equipment to load next time on startup.

The filename extension of the configuration file must be .cfg or .zip, and must be stored in theroot directory of a storage device.

The effective configuration when a ATN equipment is working is called current configuration.

----End

6.2.4 Saving Configuration FilesYou can save configuration files periodically or immediately.

ContextThe system can save the configuration files periodically or in real time to prevent data loss whenthe ATN equipment is powered off or accidentally restarted.

Run one of the following commands to save configuration files.

Procedurel Run:

1. system-viewThe system view is displayed.

2. set save-configuration [ interval interval | cpu-limit cpu-usage | delay delay-interval ] *

The configuration file is saved at intervals.After the parameter interval interval is specified, the device saves the configurationfile at specified intervals regardless of whether the configuration file is changed.



92

– If the set save-configuration command is not run, the system does notautomatically save configurations.

– If the set save-configuration command without specified interval is run, thesystem automatically saves configurations at 30-minute intervals.

When you configure the automatic saving function, to prevent that function fromaffecting system performance, you can set the upper limit of the CPU usage for thesystem during automatic saving. When automatic saving is triggered by the expiry ofthe timer, the CPU usage is checked. If the CPU usage is higher than the set upperlimit, automatic saving will be canceled.After delay delay-interval is specified, if the configuration is changed, the deviceautomatically saves the configuration after the specified delay.After automatic saving of configurations is configured, the system automatically savesthe changed configurations to the configuration file for the next startup andconfiguration files are changed accordingly with the saved configurations.Before configuring the automatic configure file saving on the server, you need to runthe set save-configuration backup-to-server server server-ip [ transport-type{ ftp | sftp } ] user user-name password password [ path folder ] or set save-configuration backup-to-server server server-ip transport-type tftp [ pathfolder ] command to configure the server, including the IP address, username,password of the server, destination path, and mode of transporting the configurationfile to the server.

NOTEIf configuration files transmitted in TFTP mode are saved, the tftp client-source commandcan be run to configure the address of a loopback interface of the ATN equipment as a sourceaddress of a client to ensure security.

WARNINGWhen the automatic saving function is enabled and the LPU is not properly installed,corresponding configurations may be lost.

l Run:save [ all ] [ configuration-file ]

The current configurations are saved.

The filename extension of the configuration file must be .cfg or .zip. The system startupconfiguration file must be saved in the root directory of a storage device.

The user can modify the current configuration through the command line interface. To setthe current configuration as initial configuration when the ATN equipment starts next time,you can use the save command to save the current configuration in the cfcard memory.

You can use the save all command to save all the current configurations, including theconfigurations of the boards that are not inserted, to the default directory.

NOTE

When saving the configuration file for the first time, if you do not specify the optional parameterconfiguration-file, the ATN equipment asks you whether to save the file as "vrpcfg.zip" or not.

----End



93

6.2.5 Clearing a Configuration FileYou can clear the configuration file that has been loaded to a device, or clear the inactiveconfigurations of the boards that are not installed in slots.

Context

The configuration file stored in cfcard memory needs to be cleared in the following cases:

l The system software does not match the configuration file after the ATN equipment hasbeen upgraded.

l The configuration file is destroyed or an incorrect configuration file has been loaded.

Procedurel Clear the currently loaded configuration file.

Run the reset saved-configuration command to clear the currently loaded configurationfile.

– If the configuration file of the ATN equipment used for the current startup is the sameas that used for the next startup, running the reset saved-configuration command willclear both the configuration files. The ATN equipment will uses the defaultconfiguration file for the next startup.

– If the configuration file of the ATN equipment used for the current startup is differentfrom that used at the next startup, running the reset saved-configuration command willclear the configuration file used for the current startup.

– If the configuration file of the ATN equipment used for the current startup is empty, thesystem will prompt you that the configuration file does not exist after you run the resetsaved-configuration command.

If you do not run the startup saved-configuration configuration-file command to specifya new correct configuration file, or do not run the save command to save the configurationfile after the configuration file is cleared, the ATN equipment will use the defaultconfiguration file at the next startup.

----End

6.2.6 Comparing Configuration FilesYou can compare the current configuration with the initial configuration.

Context


Procedure

Step 1 Run:compare configuration [ configuration-file ] [ current-line-number save-line-number ]

The current configuration is compared with the configuration file for next startup.



94

If no parameter is set, the comparison begins with the first lines of configuration files. current-line-number and save-line-number are used to continue the comparison by ignoring thedifferences between the configuration files.

When comparing differences between the configuration files, the system displays the contentsof the current configuration file and saved configuration file from the first different line. Bydefault, 150 characters are displayed for each configuration file. If the number of characters fromthe first different line to the end is less than 150, the contents after the first different line are alldisplayed.

In comparing the current configurations with the configuration file for next startup, if theconfiguration file for next startup is unavailable or its contents are null, the system prompts thatreading files fails.

----End

6.2.7 Checking the ConfigurationAfter managing configuration files has been configured, you can view the current configurationfiles, configuration files to be loaded at the next startup, files for the device startup, and filessaved in the storage device.

PrerequisitesThe configuration of managing configuration files are complete.

Procedurel Run the display current-configuration [ configuration [ configuration-type

[ configuration-instance ] ] | controller | interface [ interface-type [ interface-number ] ] ][ feature feature-name [ filter filter-expression ] | filter filter-expression ] or displaycurrent-configuration [ all | inactive ] command to view the current configuration files.

l Run the display saved-configuration [ last | time | configuration ] command to viewconfiguration files to be loaded at the next startup.

l Run the display startup command to view files for the device startup.l Run the dir [ /all ] [ filename ] command to view files saved in the storage device.l Run the display changed-configuration time command to view the time of the last

configuration change.

----End



95

7 FTP and TFTP

About This Chapter

FTP and TFTP are commonly-used file transfer protocols.

7.1 FTP and TFTP IntroductionThis section describes basic concepts of FTP and TFTP.

7.2 Configuring the ATN to be the FTP ServerAfter a ATN equipment is configured with basic functions of the FTP server, you can run theFTP client application to log in to the ATN equipment, and then access files on the ATNequipment.

7.3 Configuring FTP ACLYou can configure the FTP ACL on a ATN equipment to allow only specified users to log in tothe ATN equipment.

7.4 Configuring the ATN to Be the FTP ClientYou can configure a ATN equipment to be an FTP client and then log in to the FTP server.

7.5 Configuring the ATN to Be the TFTP ClientYou can configure a ATN equipment to be an FTP client and then log in to the FTP server.

7.6 Limiting the Access to the TFTP ServerYou can configure the maximum number of TFTP servers that a TFTP client can access todetermine which TFTP servers the TFTP client can log in to.

7.7 Configuration ExamplesThis section provides several configuration examples for FTP,and TFTP together with theconfiguration flowchart. The configuration examples explain networking requirements,configuration notes, and configuration roadmap.

ATN 910 Multi - service Access EquipmentConfiguration Guide - Basic Configurations 7 FTP and TFTP


96

7.1 FTP and TFTP IntroductionThis section describes basic concepts of FTP and TFTP.

7.1.1 FTPYou can transfer files between local and remote hosts through FTP. FTP is commonly used inversion upgrade, log downloading, file transfer, and configuration saving.

File Transfer Protocol (FTP) is an application layer protocol in the TCP/IP protocol suite. Itimplements file transfer between local and remote hosts based on related file systems. The FTPprotocol is implemented based on corresponding file system.

The ATN equipment provides the following FTP services:

l FTP server service. Users can run the FTP client program to log in to the ATNequipment and access the files on the ATN equipment.

l FTP client service. Users can establish a connection with the ATN equipment by runninga terminal emulation program or a Telnet program on a PC. Enter an FTP command toconnect with the remote FTP server and access the files on the remote host.

7.1.2 TFTPTFTP does not have a complex interactive access interface and authentication control. TFTP isapplicable when there is no complex interaction between the client and server.

The Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol.

Compared with FTP, TFTP does not have a complex interactive access interface andauthentication control. TFTP is applicable in an environment where there is no complexinteraction between the client and the server. For example, TFTP is used to obtain the memoryimage of the system when the system starts up.

TFTP is implemented based on the User Datagram Protocol (UDP).

The client initiates the TFTP transfer. To download files, the client sends a read request packetto the TFTP server, receives packets from the server, and sends acknowledgement to the server.To upload files, the client sends a write request packet to the TFTP server, sends packets to theserver, and receives acknowledgement from the server.

TFTP transfers the files in two formats:

l The binary format: transfers program files.l The ASCII format: transfers text files.

At present, the ATN 910 serves only as the TFTP client and transfers files in the binary format.

7.2 Configuring the ATN to be the FTP ServerAfter a ATN equipment is configured with basic functions of the FTP server, you can run theFTP client application to log in to the ATN equipment, and then access files on the ATNequipment.



97

7.2.1 Establishing the Configuration TaskBefore configuring a ATN equipment to be the FTP server, familiarize yourself with theapplicable environment, complete the pre-configuration tasks, and obtain the required data. Thiscan help you complete the configuration task quickly and accurately.


When the ATN equipment serves as the FTP server, after the client logs in to the ATNequipment through FTP, the user can transfer files between the client and the server.


Before configuring the ATN equipment as the FTP server, complete the following tasks:


l Connecting the FTP client to the server

Data Preparation

To configure the ATN equipment as the FTP server, you need the following data.

NOTEFor FTP secure server connection, perform step 2.

No. Data

1 (Optional) Listening port number specified on the FTP server

2 Configuring FTP Server Certificate-key and Chain-key

3 Enabling FTP Server

4 (Optional) Source IP address or source interface of the FTP server

5 (Optional) Timeout period of the disconnection from the FTP server

6 FTP username and password

7 File directory authorized to the FTP user

7.2.2 (Optional) Specifying a Port Number for the FTP ServerYou can configure or change the monitoring port number of the FTP server. After the portnumber is changed, only the user knows the current port number, which guarantees the security.

Context

If the FTP is not enabled, change the FTP port as required.

If the FTP service is enabled, run the undo ftp server command to disable the FTP service, andthen change the FTP port.



98

Procedure



Step 2 Run:ftp server port port-number

The port number of the FTP server is configured.

If a new number of a monitored port is configured, the FTP server interrupts all the FTPconnections and monitors the port of the new number. By default, the number of the portmonitored by the FTP server is 21.

----End

7.2.3 Enabling the FTP ServerThis section describes how to enable FTP server.

Procedure



Step 2 Run:ftp server enable

The FTP server is enabled.

NOTE

When the file operation between clients and the ATN equipment ends, run the undo ftp server commandto disable the FTP server function. This ensures the security of the ATN equipment.

----End

7.2.4 Configuring the Source IP Address of the FTP ServerThe source address of the FTP server can be specified to allow only authorized users to accessthe FTP server. This ensures security.

ContextDo as follows on the ATN equipment that functions as an FTP server:

Procedure



Step 2 Run:



99

ftp server-source -a source-ip-address

The source IP address of an FTP server is configured.

After the source address is configured, the address specified in the ftp command for login to theFTP server must be the configured source address. Otherwise, the login fails.

----End

7.2.5 (Optional) Configuring the Timeout PeriodThis section describes how to configure the timeout period of the FTP server.

ContextIf the client is idle for the configured time, the connection is removed from the FTP server.

By default, the timeout value is 10 minutes.

Procedure



Step 2 Run:ftp timeout minutes

The timeout period of the FTP server is configured.

----End

7.2.6 Configuring the Local Username and the PasswordYou can configure the authentication information for FTP users, which prevents unauthorizedusers from performing operations on the device and thus guarantees the security.

ContextDo as follows on the ATN equipment that serves as the FTP server:

Procedure



Step 2 Run:aaa





100

The local username and the password are configured.

----End

7.2.7 Configuring the Service Type and Authorization InformationYou can configure the authorization mode and authorization directory for FTP users. In thiscase, unauthorized users cannot access the restricted directory, which guarantees the security.


Procedure



Step 2 (Optional) Run:set default ftp-directory directory

The default FTP working directory is configured.

Step 3 Run:aaa


Step 4 Run:local-user user-name service-type ftp

The FTP service type is configured.

Step 5 Run:local-user user-name ftp-directory directory

The authorization directory about the FTP user is configured.

----End

7.2.8 Checking the ConfigurationThis section describes how to check the FTP server configuration.

PrerequisitesThe FTP server must be configured before running the below mentioned commands. Otherwisethe system does not display any data.

Procedurel Run the display ftp-server command to check the configuration of the FTP server.l Run the display ftp-server secure-info command to check the configuration of the FTP

secure server.



101

l Run the display ftp-users command to check how many users are currently logged in FTPserver.

----End

7.3 Configuring FTP ACLYou can configure the FTP ACL on a ATN equipment to allow only specified users to log in tothe ATN equipment.

7.3.1 Establishing the Configuration TaskBefore configuring the FTP ACL, familiarize yourself with the applicable environment,complete the pre-configuration tasks, and obtain the required data. This can help you completethe configuration task quickly and accurately.

Applicable EnvironmentWhen the ATN equipment serves as the FTP server, for security, you can configure the ATNequipment by the access control list (ACL) to be accessed by only those clients that meet thematching conditions.

Pre-configuration TasksBefore configuring the FTP ACL, complete the following tasks:

l Powering on the ATN equipmentl Connecting the FTP client with the server

Data PreparationTo configure the FTP ACL, you need the following data.

No. Data

1 ACL number

7.3.2 Enabling the FTP ServerThe FTP server is disabled by default. You need to enable the FTP server before using FTPfunctions.


Procedure




102


Step 2 Run:ftp server enable

The FTP server is started.

----End

7.3.3 Configuring a Basic ACLYou can configure a basic ACL and define rules by specifying the source IP address.


Procedure



Step 2 Run:acl acl-number

The ACL view is displayed.

Step 3 Run:rule [ rule-id ] { deny | permit } [ fragment | logging | source { source-ip-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name ] *

The ACL rule is configured.

NOTE

FTP supports only the basic ACL.

----End

7.3.4 Configuring the Basic FTP ACLYou can configure the basic FTP ACL.


Procedure



Step 2 Run:ftp acl acl-number



103

The basic FTP ACL is configured.

----End

7.3.5 Checking the ConfigurationAfter configuring the FTP ACL, you can view the configuration and status of the FTP server aswell as information about login FTP users.

PrerequisitesThe configuration of FTP ACL are complete.

Procedurel Run the display ftp-server command to check the configuration and status of the FTP

server.

----End

7.4 Configuring the ATN to Be the FTP ClientYou can configure a ATN equipment to be an FTP client and then log in to the FTP server.

7.4.1 Establishing the Configuration TaskBefore configuring a ATN equipment to be an FTP client, familiarize yourself with the applicableenvironment, complete the pre-configuration tasks, and obtain the required data. This can helpyou complete the configuration task quickly and accurately.

Applicable EnvironmentWhen a ATN equipment serves as an FTP client, you can log in to the FTP server through theATN equipment and then transmit files or manage server directory.

Pre-configuration TasksBefore configuring the ATN equipment as an FTP client, complete the following tasks:

l Powering on the ATN equipmentl Connecting the FTP client to the server

Data PreparationTo configure the ATN equipment as an FTP client, you need the following data.

NOTEFor FTP secure server connection, perform step 2, 3 and 4.

No. Data

1 (Optional) Source IP address or source interface of the device functioning as an FTPclient



104

No. Data

2 Configuring FTP Client Trusted-CA

3 (Optional) Configuring FTP Client CRL

4 (Optional) Configuring FTP Client Set Verify Depth

5 Logging into the FTP Server

6 Host name or IP address of the FTP server

7 Port number of connecting FTP

8 FTP protocol command

9 Local file name and file name on the remote FTP server

10 Working directory name of the remote FTP server, local working directory of theFTP client, or directory name of the remote FTP server

11 Login username and password

7.4.2 (Optional) Configuring Source IP Address and Interface of theFTP Client

This section describes how to configure the source IP address and interface of FTP client toestablish the connection with FTP server.

PrerequisitesThe interface configuration is possible, only if the system has a loopback interface.

Procedure



Step 2 Run:ftp client-source { -a ip-address }

The source IP address of the FTP client is configured.

or

ftp client-source { -i interface-type interface-number }

The loopback addresses of the FTP client is configured.

NOTE

Then, run the display ftp-client command on the ATN equipment to view the current configuration of the FTPclient.

----End



105

7.4.3 Logging In to the FTP ServerYou can log in to the FTP server in the user view or the FTP view.

ContextDo as follows on the ATN equipment that serves as the client:

Procedure

Step 1 Run the following commands according to types of the server IP address.l If the IP address of the server is an IPv4 address, do as follows:

– In the user view, establish a connection to the FTP server.Run:ftp [ [ -a source-ip-address | -i interface-type interface-number ] host [ port-number ]

The ATN equipment is connected to the FTP server.– In the FTP view, establish a connection to the FTP server.

1. Run:ftp

The FTP view is displayed.2. Run:

open [-a source-ip-address | -i interface-type interface-number ] host [ port-number ]

The ATN equipment is connected to the FTP server.

NOTE

Before logging in to the FTP server, you can run the set net-manager vpn-instancecommand to configure a default VPN instance. After that, the default VPN instance is usedin the FTP operation.

----End

7.4.4 Configuring Data Type and Transmission Mode for the FileThis section describes how to configure the data type and transmission mode for the file.

ContextDo as follows on the ATN equipment that serves as the client:

Procedure

Step 1 Run:ascii | binary

The data type of the file to be transmitted is ascii or binary mode.

NOTEFTP server supports ascii mode for data transmission. But in ATN 910, user has to switch to binary mode fordata transfer.



106

Step 2 Run:passive

The passive file transfer mode is configured.

Step 3 Run:verbose

The verbose mode for FTP is enabled.

When verbose is enabled, all FTP responses are displayed. After file transmission, the statisticsabout transmission efficiency will be displayed.

----End

7.4.5 (Optional) Viewing Online Help of the FTP CommandThis section describes how to view the online help of the FTP command.

Context

This configuration provides help information for protocol commands.

Procedure

Step 1 Run:remotehelp command

The online help of the FTP command is displayed.

----End

7.4.6 Uploading or Downloading FilesYou can upload local files to a remote FTP server, download files of the FTP server, and savethe files on the local device.

Context

Do as follows on the ATN equipment that serves as the client:

Procedure

Step 1 Upload or download files.l Run:

put local-filename [ remote-filename ]

The local file is uploaded to the remote FTP server.l Run:

get remote-filename [ local-filename ]

The FTP file is downloaded from the FTP server and saved to the local file.

----End



107

7.4.7 Managing DirectoriesYou can perform management operations, such as creating and deleting directories, on the FTPserver.

Context


Procedure

Step 1 Run one or more commands in the following order to manage directories.

l Run:cd pathname

The working path of the remote FTP server is specified.

l Run:cdup

The working path of the FTP server is switched to the upper-level directory.

l Run:pwd

The specified directory of the FTP server is displayed.

l Run:lcd [ local-directory ]

The directory of the FTP client is displayed or changed.

l Run:mkdir remote-directory

A directory is created on the FTP server.

l Run:rmdir remote-directory

A directory is removed from the FTP server.

NOTE

l The directory to be created can comprise letters and digits, but not special characters such as <,>, ?, \ and :.

l When running the mkdir /abc command, you create a sub-directory named "abc".

----End

7.4.8 Managing FilesYou can view a specified directory or file on the remote FTP server or delete a specified filefrom the FTP server.

Context




108

Procedure

Step 1 Run one or more commands in the following to manage directories.

l Run:ls [ remote-filename ] [ local-filename ]

The specified directory or file on the remote FTP server is displayed.

If the directory name is not specified when a specific remote file is selected, the systemsearches the working directory for the specific file.

l Run:dir [ remote-filename ] [ local-filename ]

The specified directory or file on the local FTP server is displayed.


l Run:delete remote-filename

The specified file on the FTP server is deleted.


When local-filename is set, related information about the file can be downloaded locally.

----End

7.4.9 (Optional) Changing Login UsersThis section describes how to change the username and password for remote login.

Prerequisites

This configuration must be performed in FTP view.

Context

The username and password are of string data type. The string length for username must be inthe range of 1 to 85 case-insensitive characters and password must be in the range of 1 to 16case-insensitive characters.

Procedure

Step 1 Run:user username [ password ]

The current login user is changed and the user logs in again.

----End

7.4.10 Disconnecting from the FTP ServerThis section describes how the client ATN equipment disconnects from FTP server.



109

PrerequisitesThe configurations must be performed in the FTP view.

Procedure

Step 1 Run:bye

or

quit

The client ATN equipment is disconnected from the FTP server.

Return to the user view.

Step 2 Run:close

or

disconnect

The client ATN equipment is disconnected from the FTP server.

This command terminates the FTP session.

----End

7.4.11 Checking the ConfigurationThis section describes how to check the FTP client configuration.

PrerequisitesThe FTP client must be configured before running the below mentioned command. Otherwisethe system does not display any data.

Procedurel Run the display ftp-client command to check the configuration status of FTP client.l Run the display ftp-client secure-info command to check the configuration status of FTP

secure client.

----End

7.5 Configuring the ATN to Be the TFTP ClientYou can configure a ATN equipment to be an FTP client and then log in to the FTP server.

7.5.1 Establishing the Configuration TaskBefore configuring TFTP, familiarize yourself with the applicable environment, complete thepre-configuration tasks, and obtain the required data. This can help you complete theconfiguration task quickly and accurately.



110

Applicable EnvironmentYou can transfer files through TFTP between the server and the client in a simple interactionenvironment.

Pre-configuration TasksBefore configuring TFTP, complete the following tasks:

l Powering on the ATN equipmentl Connecting the TFTP client with the server

Data PreparationTo configure TFTP, you need the following data.

No. Data

1 IP address of the TFTP server

2 Name of the specific file in the TFTP server

3 File directory

7.5.2 (Optional) Configuring a Source IP Address for a TFTP ClientYou can configure a source IP address for a TFTP client. Then, you can set up a TFTP connectionfrom the TFTP client to the server through a specific route by using this source IP address.

ContextDo as follows on a ATN equipment that functions as a TFTP client.

Procedure



Step 2 Run:tftp client-source { -a source-ip-address | -i interface-type interface-number }

A source IP address of a TFTP client is configured.

After the configuration, the source IP address of the TFTP client displayed on the TFTP servermust be the same as the configured one.

----End

7.5.3 Downloading Files Through TFTPYou can download files from the TFTP server to the TFTP client.



111

Context

Do as follows on the ATN equipment that serves as the TFTP client:

Procedure

Step 1 Run the following commands according to the type of the server IP addresses.

NOTE

Currently, the ATN equipment only supports IPv4.

l The IP address of the server is IPv4 address, run:tftp [ -a source-ip-address | -i interface-type interface-number ] tftp-server [ public-net | vpn-instance vpn-instance-name ] get source-filename [ destination-filename ]

The ATN equipment is configured to download files through TFTP.

----End

7.5.4 Uploading Files Through TFTPYou can upload files from the TFTP client to the TFTP server.

Context


Procedure

Step 1 Run the following commands according to the type of the server IP addresses.

NOTE


l The IP address of the server is IPv4 address, run:tftp [ -a source-ip-address | -i interface-type interface-number ] tftp-server [ public-net | vpn-instance vpn-instance-name ] put source-filename [ destination-filename ]

The ATN equipment is configured to upload files through TFTP.

----End

7.6 Limiting the Access to the TFTP ServerYou can configure the maximum number of TFTP servers that a TFTP client can access todetermine which TFTP servers the TFTP client can log in to.

7.6.1 Establishing the Configuration TaskBefore configuring a limit to access TFTP servers, familiarize yourself with the applicableenvironment, complete the pre-configuration tasks, and obtain the required data. This can helpyou complete the configuration task quickly and accurately.



112

Applicable EnvironmentWhen the ATN equipment serves as the TFTP client, you can configure the ACL on the ATNequipment. After the configuration, you can control the TFTP server to which the device canlog in through TFTP.

Pre-configuration TasksBefore configuring a limit to access the TFTP server, complete the following tasks:

l Powering on the ATN equipmentl Connecting the TFTP client to the server

Data PreparationTo configure a limit to access to the TFTP server, you need the following data.

No. Data

1 Source IP address of the TFTP client

2 IP address of the TFTP server

3 ACL number

7.6.2 Configuring the Basic ACLYou can configure ACL rules.

ContextNOTE

TFTP supports only the basic ACL.



system-view


Step 2 Run:acl acl-number

The ACL view is displayed.

Step 3 Run:rule [ rule-id ] { deny | permit } [ fragment | logging | source { source-ip-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name ] *

The ACL rule is configured.

----End



113

7.6.3 Configuring the Basic TFTP ACLYou can configure the basic TFTP ACL.

Context


Procedure



----End

7.7 Configuration ExamplesThis section provides several configuration examples for FTP,and TFTP together with theconfiguration flowchart. The configuration examples explain networking requirements,configuration notes, and configuration roadmap.

7.7.1 Example for Configuring FTPIn this example, a PC connected to a ATN equipment logs in to the FTP server by entering thecorrect user name and password through FTP, and then downloads files to the memory of theATN equipment.

Networking Requirements

As shown in Figure 7-1, the IP address of the FTP server is 172.16.104.110/24.

Log in to the ATN equipment from the HyperTerminal and then download files from the FTPserver.

Figure 7-1 Networking diagram with FTP server basic functions

GE0/3/0172.16.104.120/24

1.1.1.2/24PC

ServerGE2/0/0172.16.104.110/24

ATN



114


1. Run the HyperTerminal on the PC and log in to the ATN equipment.2. Use the correct username and password to log in to the FTP server to download the files

on the memory of the ATN equipment.3. Download files to the memory of the ATN equipment.


l FTP username as huawei and password as huawei on the serverl The correct path of the original files on the FTP serverl The destination file name and its position in the ATN equipment

Procedure

Step 1 Enable FTP on the FTP server and configure the authentication information about the FTP user.<HUAWEI> system-view[HUAWEI] sysname server[server] ftp server enable[server] ftp timeout 30[server] aaa[server-aaa] local-user huawei password simple huawei

Step 2 Configure the authorization mode and directory of the FTP user on the FTP server[server-aaa] local-user huawei service-type ftp[server-aaa] local-user huawei ftp-directory cfcard:[server-aaa] quit

Step 3 Configure the IP address of the FTP server[server] interface gigabitethernet2/0/0[server-GigabitEthernet2/0/0] undo shutdown[server-GigabitEthernet2/0/0] ip address 172.16.104.110 255.255.255.0[server-GigabitEthernet2/0/0] quit

Step 4 Log in to the ATN equipment from the PC through the HyperTerminal, and connect to the FTPserver using the correct username and password to obtain system host software

# Log in to the FTP server to obtain the system host software and save it in the root directory ofthe cf of the ATN equipment.

<HUAWEI> cd cfcard:<HUAWEI> pwdcfcard:<HUAWEI> ftp 172.16.104.110Trying 172.16.104.110 ...Press CTRL+K to abortConnected to 172.16.104.110.220 FTP service ready.User(172.16.104.110:(none)):huawei331 Password required for huawei.Password:230 User logged in.[ftp] binary200 Type set to I.[ftp] get V200R001C01.ccThe file V200R001C01.cc is already existing, overwrite it? [Y/N]:y200 PORT command okay



115

150 Opening BINARY mode data connection for V200R001C01.cc.226 Transfer complete.FTP: 15805100 byte(s) received in 54.175 second(s) 291.74Kbyte(s)/sec.[ftp] dir200 Port command okay.150 Opening ASCII mode data connection for *. -rwxrwxrwx 1 noone nogroup 67 Jul 17 13:24 V200R001C01.cc-rwxrwxrwx 1 noone nogroup 13990 Jun 26 17:41 license-80ip.txt-rwxrwxrwx 1 noone nogroup 4 Jul 17 15:25 snmpnotilog.txt226 Transfer complete.FTP: 402 byte(s) received in 0.140 second(s) 2.87Kbyte(s)/sec. [ftp] bye

----End

Configuration FilesConfiguration file of the FTP server.#sysname Server# FTP server enable#interface GigabitEthernet2/0/0 undo shutdown ip address 172.16.104.110 255.255.255.0#aaa local-user huawei password simple Huawei local-user huawei service-type ftp local-user huawei ftp-directory cfcard: authentication-scheme default#authorization-scheme default#accounting-scheme default#domain default#return

7.7.2 Example for Configuring the FTP ClientIn this example, a ATN equipment is configured to be an FTP client. Then, the ATNequipment logs in to the FTP server and downloads system software and configuration software.

Networking RequirementsAs shown in Figure 7-2, the ATN equipment that serves as the FTP client are connected to theFTP server, and download system software and configuration software from the FTP server tothe client side.

Figure 7-2 Networking diagram of configuring the FTP client

Server172.16.104.110/24

IP Network

ATN172.16.105.110/24

GE0/3/0



116

Configuration Roadmap1. Log in to the FTP server from the FTP client.

2. Download the system files form the server to the storage devices on the client side.

Data Preparation


l IP address of the FTP server

l The destination file name and its position in the ATN equipment

l User name and password used to log in to the FTP server

Procedure

Step 1 Log in to the FTP server from the ATN equipment.<HUAWEI> ftp 172.16.104.110Trying 72.16.104.110Press CTRL+K to abortConnected to 172.16.104.110220 FTP service ready.User(ftp 172.16.104.110:(none)):huawei331 Password required for huaweiPassword:230 User logged in.

Step 2 Configure the transmission mode to the binary format and configure the directory of the Flashmemory on the ATN equipment.[ftp] binary200 Type set to I.[ftp] lcd cfcard:/Info: Local directory now cfcard:.

Step 3 Download the newest system software from the remote FTP server on the ATN equipment.[ftp] get V200R001C01.cc200 Port command okay.150 Opening ASCII mode data connection for V200R001C01.cc.226 Transfer complete.FTP: 1127 byte(s) received in 0.156 second(s) 7.22Kbyte(s)/sec.[ftp] quit

----End

7.7.3 Example for Configuring TFTPIn this example, the TFTP application is run on the TFTP server and the location of the sourcefile on the server is set. After that, you can upload and download files.


As shown in Figure 7-3, the IP address of the TFTP server is 10.111.16.160/24.

Log in to the ATN equipment from the HyperTerminal and then download the fileV200R001C01.cc from the TFTP server.



117

Figure 7-3 Networking diagram of configuring TFTP

TFTP Client TFTP ServerPC

10.111.16.160/24


1. Run the TFTP application on the TFTP server, and set the location of the file on the server.2. Use the TFTP command on the ATN equipment to download the file.3. Use the TFTP command on the ATN equipment to upload the file.


l The TFTP application installed on the TFTP serverl The path of the file on the TFTP serverl The destination file name and its path on the ATN equipment

Procedure

Step 1 Start the TFTP server, and set its Current Directory as the directory where theV200R001C01.cc file resides. Figure 7-4 shows the interface.

Figure 7-4 Setting the Base Directory of the TFTP server



118

NOTE

The display may be different depending on different TFTP server applications run in the computer.

Step 2 Log in to the ATN equipment from the computer HyperTerminal and enter the followingcommand to download the file.<HUAWEI>tftp 10.111.16.160 get V200R001C01.cc cfcard:/V200R001C01.cc Info: Transfer file in binary mode. Downloading the file from the remote TFTP server. Please wait...| TFTP: Downloading the file successfully. 15805100 bytes received in 42734 second.

Step 3 Run the dir command to check whether the downloaded file is saved in the specified directoryon the ATN equipment.<HUAWEI> dir cfcard:Directory of cfcard:/ Idx Attr Size(Byte) Date Time FileName 1 -rw- 40 Jun 24 2011 09:30:40 private-data.txt 2 -rw- 396 May 19 2011 15:00:10 rsahostkey.dat 3 -rw- 540 May 19 2011 15:00:10 rsaserverkey.dat 4 -rw- 2718 Jun 21 2011 17:46:46 1.cfg 5 -rw- 14343 May 19 2011 15:00:10 paf.txt 6 -rw- 1004 Feb 05 2010 09:51:22 vrp1.zip 7 -rw- 6247 May 19 2011 15:00:10 license.txt 8 -rw- 14343 May 16 2011 14:13:42 paf.txt.bak 9 -rw- 86235884 Feb 05 2010 10:23:46 V200R001C01.cc

Step 4 Log in to the ATN equipment from the computer HyperTerminal and enter the followingcommand to upload the file.<HUAWEI> tftp 10.111.16.160 put cfcard:/vrpcfg.zip Info: Transfer file in binary mode. Uploading the file to the remote TFTP server. Please wait.../ TFTP: Uploading the file successfully. 1217 bytes send in 1 second.

----End



119

8 Telnet and SSH

About This Chapter

Telnet and SSH can provide a terminal which enables users to remotely log in to and access aserver.

8.1 Telnet and SSH IntroductionThis section explains basic concepts of user login by means of Telnet and SSH.

8.2 Configuring Telnet Terminal ServicesThis section explains how to log in to a ATN equipment by means of Telnet and configure theATN equipment.

8.3 Configuring SSH UsersSSH users must be configured to ensure that STelnet or SFTP clients are able to log in to SSHservers.

8.4 Configuring the SSH Server FunctionThis section describes how to configure the SSH server. STelnet or SFTP must first be enabledon the SSH server.

8.5 Configuring the STelnet Client FunctionThis section describes how to configure the STelnet client. A secure connection between theclient and server can be established through negotiation, and the client will be able to log in tothe server similarly to using Telnet services.

8.6 Configuring the SFTP Client FunctionThis section explains how to configure the SFTP client. The authentication and bidirectionaldata encryption of the SFTP client can be manually configured, which will ensure secure filetransmission on the network.

8.7 Configuration ExamplesThis section provides configuration examples for Telnet and SSH along with a configurationflowchart. The configuration examples explain networking requirements, configuration notes,and configuration roadmap.

ATN 910 Multi - service Access EquipmentConfiguration Guide - Basic Configurations 8 Telnet and SSH


120

8.1 Telnet and SSH IntroductionThis section explains basic concepts of user login by means of Telnet and SSH.

8.1.1 Overview of User LoginYou can locally or remotely log in to a ATN equipment through the console port, Telnet, orSSH.

To configure, monitor, and maintain the local or remote network devices running ATN 910, youneed to configure the user interface, the user management, and the terminal service.

The user interface provides a login plane. The user management guarantees the login securityand the terminal service provides related processes of login protocol.

The ATN 910 supports the following login methods:

l Login through the console portl Local or remote login through Telnet or SSH

8.1.2 Telnet Terminal ServicesThe ATN 910 provides Telnet services including Telnet server, Telnet client, and redirectionterminal.

Telnet ServicesTelnet is an application layer protocol in the TCP/IP protocol suite. It provides remote login anda virtual terminal service through the network.

The ATN 910 provides the following Telnet services:

l Telnet server: You can run the Telnet client program on a PC to log in to the ATNequipment, configure and manage it. The ATN equipment acts as a Telnet server.

l Telnet client: You can run the terminal emulation program or the Telnet client program ona PC to connect with the ATN equipment. With the telnet command, you can log in to otherATN equipments to configure and manage them. As shown in Figure 8-1, ATN A servesas both the Telnet server and the Telnet client.

Figure 8-1 Telnet client services

ATN APC ATN B

Telnet Session 1 Telnet Session2

TelnetServer



121

l Redirection terminal services: You can run the Telnet client program on a PC to log in tothe ATN equipment through a specified port number. Then connect with the serial interfacedevices that are connected with the asynchronous interface of the ATN equipment, as shownin Figure 8-2. The typical application is to connect the asynchronous interface of the ATNequipment with multiple devices for their remote configuration and maintenance.

Figure 8-2 Telnet redirection services

PC

Ethernet

ATN

CX600-1 CX600-2Lan Switch Modem

Async0 Async1 Async2Async8/16

NOTE

Only the devices that provide the asynchronous interface support the Telnet redirection service.

l Interruption of Telnet servicesIn Telnet connection, you can use two types of shortcut keys to interrupt the connection.As shown in Figure 8-3, ATN A logs in to ATN B through Telnet, and ATN B logs into ATN C through Telnet. Thus, a cascade network is formed. In this case, ATN A is theclient of ATN B and ATN B is the client of ATN C. Figure 8-3 illustrates the usage ofthe two types of shortcut keys.

Figure 8-3 Usage of Telnet shortcut keys

ATN BATN A ATN C

Telnet Session 1 Telnet Session2

TelnetServer

TelnetClient

<Ctrl_]>: The server interrupts the connection.



122

If the network connection is normal, when you press Ctrl_], the Telnet server interruptsthe current Telnet connection actively. For example:<ATNC>Press <Ctrl_]> to return to the prompt of ATN B.Info: The max number of VTY users is 10, and the current numberof VTY users on line is 1.Info: The connection was closed by the remote host.<ATNB>Press <Ctrl_]> to return to the prompt of ATN A.Info: The max number of VTY users is 10, and the current numberof VTY users on line is 1.Info: The connection was closed by the remote host.<ATNA>

NOTE

If the network disconnects, the shortcut keys become invalid. The instruction cannot be sent to theserver.

<Ctrl_T>: The client interrupts the connection.When the server fails and the client is unaware of the failure, the server does not respondto the input of the client. In this case, if you press Ctrl_T, the Telnet client interrupts theconnection actively and quits the Telnet connection.For example:<ATNC>Press <Ctrl_T> to directly interrupt the connection and quit Telnet connection.<ATNA>

CAUTIONWhen the number of remote login users reaches to the maximum number of VTY userinterfaces, the system prompts that all user interfaces are in use and you cannot use Telnetto log in.

8.1.3 SSH Terminal ServicesSSH terminal services support the basic SSH protocol, SFTP protocol, STelnet protocol,. Inaddition, SSH terminal services support other ports and secure remote access.

SSH OverviewWhen users on an insecure network log in to the ATN equipment through Telnet, the SecureShell (SSH) feature ensures information security and authentication to protect the ATNequipment from attacks such as IP address spoofing and interception of plain text password.

The ATN equipment can be connected to multiple SSH users.

The SSH client function allows users to establish SSH connections with the ATN equipmentserving as SSH server or with UNIX hosts.

l SSH connection in a LANAs shown in Figure 8-4, the client can set up an SSH connection with the server in a LocalArea Network (LAN).



123

Figure 8-4 Establishing an SSH channel in a LAN

PC running SSH ClientPC

Server

LapTopServer

Ethernet 100BASE-TX

l SSH connection in a WAN

As shown in Figure 8-5, the client can set up an SSH connection with the server in a WideArea Network (WAN).

Figure 8-5 Establishing an SSH channel in a WAN

ATN

Local LAN

PC running SSH Client

SSH Server

PC

Remote LAN

WAN

Advantages of SSHSSH supports the STelnet client n, Secure FTP (SFTP) client.

l STelnet clientTelnet services do not provide secure authentication and use TCP to transmit data in plaintext. This leads to security problems. In addition, Telnet services are prone to networkattacks, such as DOS (Denial of Service) attacks, the host IP address spoofing, and routingspoofing..Unlike Telnet, SSH provides the secure remote access on insecure networks and has thefollowing advantages:– Supports Remote Subscriber Access (RSA) authentication. In RSA authentication, SSH

generates and exchanges public and private keys compliant with asymmetricencipherment system to ensure the session security.

– Supports Data Encryption Standard (DES), 3DES, and AES authentications.– Prevents password interception by encrypting the username and password in the

communication between the SSH client and the SSH server..– Encrypts the data to be transferred.When the STelnet server or the connection to the client is faulty, the client must detect thefault in time and release the connection voluntarily. This requires that the client be



124

configured with the interval at which keepalive packets are sent and the maximum numberof times that the server does not respond when it logs in to the server through Stelnet. Ifthe client does not receive any response within specified period, the client sends a keepalivepacket to the server. If the number of times that the server does not respond exceeds thespecified limit, the client releases the connection voluntarily.

l SFTP clientSFTP allows you to log in to a device from the remote end to manage files. This improvesthe security of data transfer when the remote system is updated. Meanwhile, the clientfunction enables you to log in to the remote device using SFTP for secure file transfer.When the SFTP server or the connection between it and the client is faulty, the client mustdetect the fault in time and releases the connection voluntarily. This requires that the clientbe configured with the interval at which keepalive packets are sent and the maximumnumber of times that the server does not respond when it logs in to the server throughStelnet. If the client does not receive any response within specified period, the client sendsa keepalive packet to the server. If the number of times that the server does not respondexceeds the specified limit, the client releases the connection voluntarily.

8.2 Configuring Telnet Terminal ServicesThis section explains how to log in to a ATN equipment by means of Telnet and configure theATN equipment.

8.2.1 Establishing the Configuration TaskBefore configuring Telnet terminal services, familiarize yourself with the applicableenvironment, complete the pre-configuration tasks, and obtain the required data. This can helpyou complete the configuration task quickly and accurately.

Applicable EnvironmentTo remotely log in to the ATN equipment through the Telnet protocol for maintenance andmanagement, you need to configure Telnet terminal services.

Pre-configuration TasksBefore configuring Telnet terminal services, complete the following tasks:

l Ensuring that the ATN equipment runs normallyl Ensuring that the IP addresses of interfaces on the ATN equipment are configured correctlyl Configuring the user account, correct login authentication mode, and call-in and call-out

restrictionl Ensuring that reachable routes exist between the terminal and the ATN equipment

Data PreparationTo configure Telnet terminal services, you need the following data.

No. Data

1 IP address of the ATN equipment



125

No. Data

2 Name of the VPN instance

3 IPv4 address or host name of the remote ATN equipment

4 Number of the TCP port that is used by the remote ATN equipment to provide Telnetservices

5 (Optional) Timeout period after which the server terminates the connection with theuser interface

6 (Optional) Source IP address or source interface of the device functioning as an Telnetclient

8.2.2 Enabling the Telnet ServiceBefore establishing a Telnet connection with the server, you need to enable the Telnet service.

Context

Do as follows on the ATN equipment that serves as an Telnet server.

Select and perform one of the following two steps for IPv4.

NOTE

Currently, the ATN equipment only supprots IPv4.

Procedurel For the IPv4 network

1. Run:system-view


2. Run:telnet server enable

The Telnet service is enabled.

NOTE

l By default, the function of the Telnet server is enabled.

l If the undo telnet server enable command is run when Telnet login is in progress, thecommand does not take effect.

l After the Telnet server function is disabled, you can log in to the device only through SSHor an asynchronous serial interface rather than through Telnet.

----End



126

8.2.3 (Optional) Configuring a Source IP Address for an TelnetClient

You can configure a source IP address for an Telnet client. Then, you can set up an Telnetconnection from the Telnet client to the server through a specific route by using this source IPaddress.

Context

Do as follows on a ATN equipment that functions as an Telnet client.

Procedure



Step 2 Run:telnet client-source { -a source-ip-address | -i interface-type interface-number }

A source IP address of an Telnet client is configured.

After the configuration, the source IP address of the Telnet client displayed on the Telnet servermust be the same as the configured one.

----End

8.2.4 Establishing a Telnet ConnectionYou can log in to and manage a ATN equipment through Telnet.

Context

Do as follows on the ATN equipment that serves as a Telnet client:

NOTE


Procedurel Run:

telnet [ vpn-instance vpn-instance-name ] [-a source-ip-address ] host-name [ port-number ]

Log in to the ATN equipment and manage other ATN equipments.

----End

8.2.5 (Optional) Configuring a Telnet Server Port NumberA user can configure or change the Telnet server port number. After the port number is changed,only the user knows the port number, improving security.



127

ContextDo as follows on the ATN equipment that functions as a Telnet server:

Procedure



Step 2 Run:telnet server port port-number

A Telnet server port number is set.

If a new port number is set, the Telnet server terminates all established Telnet connections, andthen uses the new port number to listen to new requests for Telnet connections. By default, theTelnet server port number is 23.

----End

8.2.6 (Optional) Scheduled Telnet DisconnectionYou can set the idle-timeout period for Telnet connections. In this manner, if the Telnetconnections keep idle during the specified period, the system automatically terminates the Telnetconnections.

ContextDo as follows on the ATN equipment that serves as a Telnet client:

Procedure






The scheduled Telnet disconnection is enabled.

----End

8.2.7 Checking the ConfigurationAfter configuring Telnet terminal services, you can view the connection status of the currentuser interface, connection status of each user interface, and status of all established TCPconnections.



128

PrerequisitesThe configuration of Telnet Terminal Services are complete.

Procedurel Run the display users command to check information about connected users.l Run the display users all command to check information about all users, including

connected and disconnected users.l Run the display tcp status command to check TCP connections.l Run the display telnet server status command to check the configuration and status of the

Telnet server.

----End

8.3 Configuring SSH UsersSSH users must be configured to ensure that STelnet or SFTP clients are able to log in to SSHservers.

8.3.1 Establishing the Configuration TaskBefore configuring SSH users, familiarize yourself with the applicable environment, completethe pre-configuration tasks, and obtain the required data. This can help you complete theconfiguration task quickly and accurately.


The STelnet or SFTP client can log in to the SSH server to perform operations only after SSHusers are correctly configured on the SSH server.


Before configuring SSH users, complete the following tasks:

l Creating a local userl Configuring an RSA public key for the SSH client on the SSH server

Data Preparation

To configure SSH users, you need the following data.

No. Data

1 Name and password of SSH users

2 Authentication mode of SSH users

3 Service type of SSH users

4 Name of the peer RSA public key assigned to SSH users



129

No. Data

5 Operating directory of the SFTP service for SSH users

8.3.2 Creating SSH UserAAA does not support RSA authentication. Therefore, when RSA authentication or password-rsa authentication is adopted, you need to create an SSH user. When password authentication isadopted, you need to create a local user with the same name in the AAA view.

ContextNOTE

Besides creating an SSH user separately, you can also create an SSH user when you configure the following.

l Configuring the Authentication Mode for SSH Users

l Configuring the Service Type of SSH Users

Do as follows on the ATN equipment that serves as an SSH server:

Procedure



Step 2 Run:ssh user user-name

If you want to create an SSH user in the password authentication mode, you need to create alocal user with the same name in the AAA view.

1. Run:aaa


2. Run:local-user user-name password { simple | cipher } password

Name and password of the local user are created.

----End

8.3.3 Configuring SSH for the VTY User InterfaceYou can configure SSH for the VTY user interface.

Context




130

Procedure



Step 2 Run:user-interface [ vty ] first-ui-number [ last-ui-number ]

The VTY user interface is displayed.


The AAA authentication mode is configured.

Step 4 Run:protocol inbound ssh

The VTY is configured to support SSH.

NOTE

The authentication mode of the VTY user interface must be set to AAA. Otherwise, the protocolinbound ssh command cannot be configured successfully.

----End

8.3.4 Generating a Local RSA Key PairYou need to create an RSA key before configuring SSH.

ContextDo as follows on the ATN equipments that serve as a client or a server:

Procedure



Step 2 Run:rsa local-key-pair create

A local RSA key pair is generated.

NOTE

To log in to an SSH server, the local RSA key pair must be configured and generated first. Before performingthe other SSH configurations, you must configure the rsa local-key-pair create command to generate alocal key pair.

----End

8.3.5 Configuring the Authentication Mode for SSH UsersYou can configure the password or RSA authentication mode for SSH users.



131

ContextDo as follows on the ATN equipment that serves as an SSH server:

Procedure



Step 2 Run:ssh user user-name authentication-type { password | rsa | password-rsa | all }

The authentication mode for SSH users is configured.

Perform the following as required:

l Authenticate the SSH user through the password.– Run:

ssh user user-name authentication-type password

The password authentication is configured for the SSH user.– Run:

ssh authentication-type default password

The default password authentication is configured for the SSH user.For the local authentication or HWTACACS authentication, if the number of SSH usersis small, you can adopt the former command; if the number of SSH users is large, adoptthelater command to simplify the configuration.

l Authenticate the SSH user through RSA.1. Run:

ssh user user-name authentication-type rsa

The RSA authentication is configured for the SSH user.2. Run:

rsa peer-public-key key-name

The public key view is displayed.3. Run:

public-key-code begin

The public key editing view is displayed.4. Run:

hex-data

The public key is edited.

The public key must be a string of hexadecimal alphanumeric characters. It is automaticallygenerated by an SSH client. You can run the display rsa local-key-pair public commandto view a generated public key.

5. Run:public-key-code end

Quit the public key editing view.



132

If the specified hex-data is invalid, the public key cannot be generated after the peer-public-key end command is run; If the specified key-name is deleted in other views, the systemprompts that the key does not exist after the peer-public-key end command is run and thesystem view is displayed.

6. Run:peer-public-key end

Return to the system view from the public key view.7. Run:

ssh user user-name assign rsa-key key-name

The public key is assigned to the SSH user.

NOTE

l After the public key editing view is displayed, the RSA public key generated on the client can be sentto the server. Copy the RSA public key to the ATN equipment that serves as the SSH server.

l Before the peer RSA public key is assigned to the SSH users, the SSH server must be configured andthe peer RSA public key must be the RSA public key of the SSH client.

----End

8.3.6 (Optional) Configuring the Basic Authentication Informationfor SSH Users

You can configure the interval for updating the server key pair, timeout period of the SSHauthentication, and retry times of the SSH authentication.


Procedure



Step 2 Run:ssh server rekey-interval interval

The interval for updating the server key pair is configured.

By default, the interval for updating the key pair of the SSH server is 0 that indicates no updating.

Step 3 Run:ssh server timeout seconds

The timeout period of the SSH authentication is set.

By default, the timeout period is 60 seconds.

Step 4 Run:ssh server authentication-retries times

The number of retry times of the SSH authentication is set.



133

By default, the retry times is 3.

----End

8.3.7 (Optional) Authorizing SSH Users Through the CommandLine

If RSA authentication is adopted, you need to configure command line authorization for SSHusers.

ContextNOTE

There are four authentication modes for an SSH user, namely, password, rsa, password-rsa, and all. Fordetails of the configuration of the command line authorization for password authentication, refer to thechapter "AAA and User Management" in the ATN 910 Configuration Guide - Security. This sectiondescribes how to configure the command line authorization for RSA authentication.


Procedure



Step 2 Run:ssh user user-name authorization-cmd aaa

The command line authorization is configured for the specified SSH user.

----End

Follow-up ProcedureAfter configuring the authorization through command lines for the SSH user to perform RSAauthentication, you have to configure the AAA authorization. Otherwise, the command lineauthorization for the SSH user does not take effect.

8.3.8 Configuring the Service Type of SSH UsersYou can set the service type of SSH users to SFTP, STelnet, or all.

ContextDo as follows on the ATN equipment that functions as an SSH server:

Procedure





134

Step 2 Run:ssh user username service-type { sftp | stelnet | all }

The service type for the SSH user is configured.

By default, the service type of the SSH user is not configured.

----End

8.3.9 (Optional) Configuring the Authorized Directory of the SFTPService for SSH Users

You can configure a directory as an authorized directory to allow SSH users to use SFTP services.


Procedure



Step 2 Run:ssh user username sftp-directory directoryname

The authorized directory of the SFTP service for SSH users is configured.

By default, the authorized directory of the SFTP service for SSH users is cfcard:.

----End

8.3.10 Checking the ConfigurationAfter configuring SSH users, you can view SSH user information.

PrerequisitesThe configuration of SSH Users are complete.

Procedurel Run the display ssh user-information command to check the information about the SSH

client on the SSH server.l Run the display ssh user-information username command to check the information about

the specified SSH client on the SSH server.

----End

8.4 Configuring the SSH Server FunctionThis section describes how to configure the SSH server. STelnet or SFTP must first be enabledon the SSH server.



135

8.4.1 Establishing the Configuration TaskBefore configuring the SSH server, familiarize yourself with the applicable environment,complete the pre-configuration tasks, and obtain the required data. This can help you completethe configuration task quickly and accurately.

Applicable EnvironmentBefore configuring the SSH server, you must enable STelnet or SFTP on the SSH server. Youcan change the number of the port monitored by the SSH server to other port numbers. This canprevent attackers from accessing standard ports of the SSH server and thus save bandwidth andsystem resources.

Pre-configuration TasksBefore configuring the SSH server, complete the following tasks:

l Connecting the SSH client to the SSH server correctlyl Ensuring that the SSH client and the SSH server are routablel Configuring the VTY interface on the SSH server to support SSHl Configuring the SSH client on the SSH serverl Creating the local RSA key pair on the SSH server

Data PreparationTo configure the SSH server, you need the following data.

No. Data

1 Number of the port monitored by the SSH server

8.4.2 Enabling the STelnet ServiceBefore enjoying the STelnet service, you need to enable it.


Procedure



Step 2 Run:stelnet server enable

The STelnet service is enabled.



136

By default, STelnet services are disabled.

----End

8.4.3 Enabling the SFTP ServiceBefore enjoying the STelnet service, you need to enable it.

Context


Procedure



Step 2 Run:sftp server enable

The SFTP service is enabled.

By default, the SFTP service is disabled.

----End

8.4.4 (Optional) Enabling the Earlier Version - Compatible FunctionYou can configure whether SSH of earlier versions are compatible.

Context


Procedure



Step 2 Run:ssh server compatible-ssh1x enable

The earlier version-compatible function is enabled.

By default, the server configured with the SSH2.0 protocol is compatible with the serverconfigured with SSH1.X. If the client of SSH1.3 to SSH1.99 (protocol version ranges from 1.3to 1.99) is denied access to log in, you can run the undo ssh server compatible-ssh1x enablecommand to disable the ATN equipment to be compatible with the earlier protocol version.



137

NOTE

l Compared with SSH1.X, SSH2.0 is extended in structure to more authentication modes and keyexchange modes with higher service capability, such as SFTP.

l The ATN 910 supports the SSH protocol of version 1.3 to version 2.0.

----End

8.4.5 (Optional) Configuring the Number of the Port Monitored bythe SSH Server

You can configure or change the monitoring port number of the SSH server. After the portnumber is changed, only the user knows the current port number, which guarantees the security.


Procedure



Step 2 Run:ssh server port port-number

The number of the port monitored by the SSH server is configured.

If a new number of a monitored port is configured, the SSH server interrupts all the STelnet andSFTP connections and monitors the port of the new number. By default, the number of the portmonitored by the SSH server is 22.

----End

8.4.6 (Optional) Configuring the Interval for Updating the Key Pairon the SSH Server

You can configure the interval for updating the key pair of the SSH server, which can guaranteethe security.


Procedure



Step 2 Run:ssh server rekey-interval interval



138

The interval for updating the key pair is set.

By default, the interval for updating the key pair of the SSH server is 0, which means that thekey pair is never updated.

----End

8.4.7 Checking the ConfigurationAfter configuring the SSH server, you can view the global configuration of the SSH server.

PrerequisitesThe configurations of the SSH server are complete.

Procedure

Step 1 Run the display ssh server status command to view the global configuration of the SSH server.

----End

8.5 Configuring the STelnet Client FunctionThis section describes how to configure the STelnet client. A secure connection between theclient and server can be established through negotiation, and the client will be able to log in tothe server similarly to using Telnet services.

8.5.1 Establishing the Configuration TaskBefore configuring an STelnet client, familiarize yourself with the applicable environment,complete the pre-configuration tasks, and obtain the required data. This can help you completethe configuration task quickly and accurately.


STelnet is a secure Telnet protocol. The SSH user can use the STelnet service in the same manneras using the Telnet service.


Before connecting the STelnet client to the SSH server, complete the following tasks:

l Generating the local RSA key pair on the SSH server

l Configuring the STelnet user on the SSH server

l Enabling the STelnet service on the SSH server

Data Preparation

To connect the STelnet client to the SSH server, you need the following data:



139

No. Data

1 Name of the SSH server


3 Preferred encrypted algorithm from the STelnet client to the SSH server

4 Preferred encrypted algorithm from the SSH server to the STelnet client

5 Preferred HMAC algorithm from the STelnet client to the SSH server

6 Preferred HMAC algorithm from the SSH server to the STelnet client

7 Preferred algorithm of key exchange

8 Name of the outgoing interface

9 Source address

8.5.2 Enabling the First-Time Authentication on the SSH ClientAfter the first-time authentication on the SSH client is enabled, the STelnet client does not checkthe validity of the RSA public key when logging in to the SSH server for the first time.

ContextIf the first-time authentication on the SSH client is enabled, the STelnet client does not checkthe validity of the RSA public key when logging in to the SSH server for the first time. Afterthe login, the system automatically allocates the RSA public key and saves it for authenticationin next login.

To simplify user operations, you are recommended to enable the first-time authentication on theSSH client.

Do as follows on the ATN equipment that serves as an SSH client:

Procedure



Step 2 Run:ssh client first-time enable

The first-time authentication on the SSH client is enabled.

By default, the first-time authentication on the SSH client is disabled.



140

NOTE

l The purpose of enabling the first-time authentication on the SSH client is to skip checking the validityof the RSA public key of the SSH server when the STelnet client logs in to the SSH server for the firsttime. The check is skipped because the STelnet server has not saved the RSA public key of the SSHserver.

l If the first-time authentication is not enabled on the SSH client, when the STelnet client logs in to theSSH server for the first time, the STelnet client fails to pass the check on the RSA public key validityand cannot log in to the server.

TIP

To ensure that the STelnet client can log in to the SSH server at the first attempt, you can assign the RSApublic key in advance to the SSH server on the SSH client in addition to enabling the first-timeauthentication on the SSH client.

----End

8.5.3 (Optional) Assigning an RSA Public Key to the SSH ServerYou can assign an RSA public key to the SSH server.

ContextIf the first-time authentication on the SSH client is disabled, you need to allocate an RSA publickey to the SSH server before the STelnet client logs in to the SSH server.



system-view


Step 2 Run:rsa peer-public-key key-name

The public key view is displayed.

Step 3 Run:public-key-code begin

The public key editing view is displayed.

Step 4 Run:hex-data


The public key must be a string of hexadecimal alphanumeric characters. It is automaticallygenerated by an SSH client. You can run the display rsa local-key-pair public command toview a generated public key.

Step 5 Run:public-key-code end


If the specified hex-data is invalid, the public key cannot be generated after the peer-public-key end command is run; If the specified key-name is deleted in other views, the system prompts



141

that the key does not exist after the peer-public-key end command is run and the system viewis displayed.

Step 6 Run:peer-public-key end

Return to the system view from the public key view.

Step 7 Run:ssh client servername assign rsa-key keyname

The RSA public key is assigned to the SSH server.

NOTE

l Before being assigned to the SSH server, the assigned peer RSA public key must be obtained from theSSH server and must be configured on the SSH client. Then, the STelnet client client can successfullyundergo the validity check on the RSA public key of the SSH server.

l If the RSA public key stored on the SSH client becomes invalid, run the undo ssh client servernameassign rsa-key command to cancel the association between the SSH client and the SSH server. Then,run the ssh client servername assign rsa-key keyname command to allocate a new RSA public key tothe SSH server.

----End

8.5.4 Enabling the STelnet ClientYou can log in to the SSH server from the SSH client through STelnet.

ContextNOTE

When accessing an SSH server, the STelnet client can carry the source address and the VPN instance nameand choose the key exchange algorithm, encryption algorithm, or HMAC algorithm, and configure thekeepalive function..


Procedure



Step 2 According to the address type of the SSH server, run the following commands.

l For IPv4 addresses,

Run the stelnet [ -a source-address ] host-ipv4 [ port ] [ [ -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher{ des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] |[ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 |sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ] command. Youcan log in to the SSH server through STelnet.

----End



142

8.5.5 Checking the ConfigurationAfter configuring the STelnet client, you can view the global configuration of the SSH server.

PrerequisitesThe configuration of the STelnet Client Function are complete.

Procedurel Run the display ssh server-info command to check the mapping between the RSA public

key and the SSH client on the SSH client.l Run the display ssh server session command to check the session of the SSH client on the

SSH server.

----End

8.6 Configuring the SFTP Client FunctionThis section explains how to configure the SFTP client. The authentication and bidirectionaldata encryption of the SFTP client can be manually configured, which will ensure secure filetransmission on the network.

8.6.1 Establishing the Configuration TaskBefore configuring the SFTP client, familiarize yourself with the applicable environment,complete the pre-configuration tasks, and obtain the required data. This can help you completethe configuration task quickly and accurately.

Applicable EnvironmentSFTP enables users to log in to the device from a secure remote end to manage files. Thisimproves the security of data transmission for the remote end to update its system. The SFTPclient function also enables you to log in to the remote device through SFTP for the secure filetransmission.

Pre-configuration TasksBefore connecting the SFTP client to the SSH server, complete the following tasks:

l Creating a local RSA key pair on an SSH serverl Configuring an SFTP client on the SSH serverl Enabling the SFTP service on the SSH server

Data PreparationTo connect an SFTP client to an SSH server, you need the following data.

No. Data

1 Name of the SSH server



143

No. Data


3 Preferred encrypted algorithm from the SFTP client to the SSH server

4 Preferred encrypted algorithm from the SFTP server to the SSH client

5 Preferred HMAC algorithm from the SFTP client to the SSH server

6 Preferred HMAC algorithm from the SFTP server to the SSH client

7 Preferred algorithm of key exchange

8 Name of the outgoing interface

9 Source address

10 Directory name

11 File name

8.6.2 (Optional) Configuring a Source IP Address for an SFTP ClientYou can configure a source IP address for an SFTP client. Then, you can set up an SFTPconnection from the SFTP client to the server through a specific route by using this source IPaddress.

ContextDo as follows on a ATN equipment that functions as an SFTP client.

Procedure



Step 2 Run:sftp client-source { -a source-ip-address | -i interface-type interface-number }

A source IP address is configured for an SFTP client.

----End

8.6.3 Configuring the First-Time Authentication on the SSH ClientAfter the first-time authentication on the SSH client is enabled, the STelnet client does not checkthe validity of the RSA public key when logging in to the SSH server for the first time.

ContextIf the first-time authentication on the SSH client is enabled, the STelnet client does not checkthe validity of the RSA public key when logging in to the SSH server for the first time. After



144

the login, the system automatically allocates the RSA public key and saves it for authenticationin next login.

To simplify user operations, you are recommended to enable the first-time authentication on theSSH client.


Procedure



Step 2 Run:ssh client first-time enable

Enable the SSH client with the first authentication.

By default, first-time authentication is disabled on SSH clients.

NOTE

l The purpose of enabling the first-time authentication on the SSH client is to skip checking the validityof the RSA public key of the SSH server when the SFTP client logs in to the SSH server for the firsttime. The check is skipped because the SFTP server has not saved the RSA public key of the SSHserver.

l If the first-time authentication is not enabled on the SSH client, when the SFTP client logs in to theSSH server for the first time, the SFTP client fails to pass the check on the RSA public key validityand cannot log in to the server.

TIP

Except for enabling the first-time authentication on the SSH client, the SFTP client can assign the RSApublic key in advance to the SSH server on the SSH client to log in to the server successfully for the firsttime.

----End

8.6.4 (Optional) Assigning an RSA Public Key to the SSH ServerYou can assign an RSA public key on the SSH client to the SSH server.

ContextIf the first-time authentication on the SSH client is disabled, you need to assign an RSA publickey to the SSH server before the STelnet client logs in to the SSH server.


Procedure



Step 2 Run:rsa peer-public-key key-name



145

The public key view is displayed.

Step 3 Run:public-key-code begin

The public key editing view is displayed.

Step 4 Run:hex-data


The public key must be a string of hexadecimal alphanumeric characters. It is automaticallygenerated by an SSH client. You can run the display rsa local-key-pair public command toview a generated public key.

Step 5 Run:public-key-code end


If the specified hex-data is invalid, the public key cannot be generated after the peer-public-key end command is run; If the specified key-name is deleted in other views, the system promptsthat the key does not exist after the peer-public-key end command is run and the system viewis displayed.

Step 6 Run:peer-public-key end

Return to the system view from the public key view.

Step 7 Run:ssh client servername assign rsa-key keyname

Assign a public key to the SSH server.

NOTE

l Before being assigned to the SSH server, the assigned peer RSA public key must be obtained from theSSH server and must be configured on the SSH client. Then, the SFTP client can successfully undergothe validity check on the RSA public key of the SSH server.

l If the RSA public key stored on the SSH client becomes invalid, run the undo ssh client servernameassign rsa-key command to cancel the association between the SSH client and the SSH server. Then,run the ssh client servername assign rsa-key keyname command to allocate a new RSA public key tothe SSH server.

----End

8.6.5 Enabling the SFTP ClientYou can log in to the SSH server from the SSH client through SFTP.

ContextNOTE

The command of enabling the SFTP client is similar to that of the STelnet. When accessing the SSH server,the SFTP can carry the source address and the name of the VPN instance and choose the key exchangealgorithm, encrypted algorithm and HMAC algorithm, and configure the keepalive function.

Do as follows on the ATN equipment that serves as an SSH client.



146

Procedure



Step 2 According to the address type of the SSH server, run the following commands.l For IPv4 addresses, Run:

sftp [ -a source-address | -i interface-type interface-number ] host-ipv4 [ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]

You can log in to the SSH server through SFTP.

----End

8.6.6 (Optional) Managing the DirectoryOn the SFTP client, you can log in to the SSH server to create or delete directories on the SSHserver.

ContextNOTE

After the SFTP client logs in to the SSH server, the SFTP client can create or delete the directory on theSSH server, display the current operating directory and information about a specified directory and its files.


Procedure






Step 3 Perform the following as required:l Run:

cd [ remote-directory ]

The current operating directory of users is changed.



147

l Run:cdupThe operating directory of users is switched to the upper-level directory.

l Run:pwdThe current operating directory of users is displayed.

l Run:dir / ls [ remote-directory ]The file list in the specified directory is displayed.

l Run:rmdir remote-directory & <1-10>

l The directory on the server is deleted.l Run:

mkdir remote-directoryA directory is created on the server.

----End

8.6.7 (Optional) Managing the FileOn the SFTP client, you can view specified remote directories or files on the SFTP server ordelete specified files on the SFTP server.

ContextNOTE

After the SFTP client logs in to the SSH server, SFTP client can change file names, delete files, displaythe file list, upload and download files on the SFTP server.

Do as follows on the login ATN equipment.

Procedure




sftp [ -a source-address | -i interface-type interface-number ] host-ipv4 [ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]You can log in to the SSH server through SFTP.

Step 3 Run the command.l Run:

rename old-name new-name



148

The name of the specified file on the server is changed.l Run:

get remote-filename [local-filename]

The file on the remote server is downloaded.l Run:

put local-filename [remote-filename]

The local file is uploaded to the remote server.l Run:

remove remote-filename

The file on the server is removed.

----End

8.6.8 (Optional) Displaying the SFTP Client Command HelpYou can view the SFTP client command help.

ContextDo as follows on the login ATN equipment:

Procedure






Step 3 Run:help [all | command-name ]

The SFTP client command help is displayed.

----End

8.6.9 Checking the ConfigurationAfter configuring the SFTP client, you can view the global configuration of the SSH server.

PrerequisitesThe configuration of the SFTP Client Function are complete.



149

Procedurel Run the display sftp-client command to check the source IP address of the SFTP client on

the SSH client.

l Run the display ssh server-info command to check the mapping between the SSH serverand the RSA public key on the SSH client.

l Run the display ssh server session command to check the session of the SSH client on theSSH server.

----End

8.7 Configuration ExamplesThis section provides configuration examples for Telnet and SSH along with a configurationflowchart. The configuration examples explain networking requirements, configuration notes,and configuration roadmap.

8.7.1 Example for Configuring Telnet ServicesIn this example, the authentication mode and password are configured for users to log in throughTelnet.


On the network shown in Figure 8-6, CX deviceand ATN can ping each other successfully. Auser logs in to ATN from CX device through Telnet.

Figure 8-6 Networking diagram for configuring Telnet services

ATNCX600

GE1/0/01.1.1.1/24

GE0/3/01.1.1.2/24

Configuration Roadmap

The configuration roadmap is as follows:

1. On ATN, configure the authentication mode and password for VTY0 to VTY4.

2. Configure users to use passwords to log in to ATNfrom CX devicethrough Telnet.

Data Preparation


l Host address of ATN

l Authentication mode and password



150

Procedure

Step 1 Configure IP addresses.

# Configure CX600.

<CX600> system-view[CX600] interface gigabitethernet 1/0/0[CX600-GigabitEthernet1/0/0] undo shutdown[CX600-GigabitEthernet1/0/0] ip address 1.1.1.1 24[CX600-GigabitEthernet1/0/0] quit[CX600] quit

# Configure ATN.

<HUAWEI> system-view[HUAWEI] sysname ATN[ATN] interface gigabitethernet 0/3/0[ATN-GigabitEthernet0/3/0] undo shutdown[ATN-GigabitEthernet0/3/0] ip address 1.1.1.2 24[ATN-GigabitEthernet0/3/0] quit

Step 2 Configure the authentication mode and password for Telnet services on ATN .[ATN] user-interface vty 0 4[ATN-ui-vty0-4] authentication-mode password[ATN-ui-vty0-4] set authentication password simple hello[ATN-ui-vty0-4] quit

To configure an ACL for Telnet services, run the following commands on ATN .

[ATN] acl 2000[ATN-acl-basic-2000] rule permit source 1.1.1.1 0[ATN-acl-basic-2000] quit[ATN] user-interface vty 0 4[ATN-ui-vty0-4] acl 2000 inbound

NOTE

It is optional to configure an ACL for Telnet services.

Step 3 Log in to ATN from CX device through Telnet.<CX600> telnet 1.1.1.2Trying 1.1.1.2 ...Press CTRL+K to abortConnected to 1.1.1.2 ...Login authenticationPassword:Info: The max number of VTY users is 10, and the current number of VTY users on line is 1.

----End

Configuration Filesl Configuration file of CX600

The configuration file of CX600 is not provided.l Configuration file of ATN

# sysname ATN#acl number 2000 rule 5 permit source 1.1.1.1 0#interface GigabitEthernet 0/3/0 undo shutdown ip address 1.1.1.2 255.255.255.0



151

#user-interface con 0user-interface vty 0 4 acl 2000 inbound set authentication password simple hello#return



152

9 Device Maintenance

About This Chapter

With routine device maintenance, you can detect potential operation threats on devices and theneradicate the potential threats in time to ensure that the system runs securely, stably, and reliably.

9.1 Introduction of Device MaintenanceDevice maintenance involves replacing boards and monitoring the internal environment.

9.2 Monitoring the Device StatusMonitoring the device status facilitates fault location and cause analysis.

9.3 Board MaintenceBoard Maintenance involves resetting a board and clearing the maximum CPU usage.

ATN 910 Multi - service Access EquipmentConfiguration Guide - Basic Configurations 9 Device Maintenance


153

9.1 Introduction of Device MaintenanceDevice maintenance involves replacing boards and monitoring the internal environment.

9.1.1 Overview of Device MaintenanceDevice maintenance involves replacing boards and monitoring the internal environment.

ConceptThe stable running of a ATN equipmentdepends on the mature network planning and the routinemaintenance. In addition, fast location of the hidden hazards is necessary.

The maintenance personnel must check the alarm information in time and deal with the faultproperly to keep the device in normal operation and reduce the failure rate. Thus, the systemruns in a safe, stable, and reliable environment.

Maintenance OperationMaintenance such as board replacement and internal environment check ensures the normaloperation of the ATN equipment.

9.1.2 Maintenance Features Supported by the ATN 910The ATN 910 allows the operation status to be monitored.

MonitoringIn routine maintenance of the device, you can run the display commands to view the workingstatus of the ATN equipment. This can help the maintenance personnel fast locate the fault duringthe troubleshooting procedure.

9.2 Monitoring the Device StatusMonitoring the device status facilitates fault location and cause analysis.

9.2.1 Displaying the System Version InformationThe system version information includes the system software version and various hardwareversions.

Procedure

Step 1 Run:display version

The system version information is displayed.

In practice, using this command in any view, you can view the system version information. Themain information is as follows:



154

l System software version

l Hardware and software version of the MPUs

l Hardware and software version

.

l Hardware and software version of the Fan

.

----End

9.2.2 Displaying Basic Information About the RouterThe basic information includes detailed information about the system-control board, physicalinterface card, clock board, power supply, and fan module.

Procedure

Step 1 Run:display device [ pic-status | slot-id]

Basic information about the ATN equipment is displayed.

In practice, using this command in any view, you can view the basic device information. Enterslot-id to view information about the board in the specified slot.

l Choose a board in a certain slot. You can view basic information about this board.

l Run:

display device pic-statusBasic information about the PIC card is displayed.

----End

9.2.3 Displaying the Electronic LabelThe electronic label information includes the type of the board/card, bar code, BOM code,English description, production date, supplier name, issuing number, Common LanguageEquipment Identification (CLEI) code, and sales BOM code.

Procedurel Run:

display elabel [ backplane | slot-id ]

The electronic label is displayed.

In practice, using this command in the user view, you can view information about theelectronic label of the boards. Enter slot-id to view information about the electronic labelof the board in the specified slot.

NOTE

For the range of numbers of the slots on the ATN equipment, refer to the ATN 910Multi-serviceAccess Equipment Hardware Description.



155

Information displayed includes the type of the board and PIC card, bar code, BOM, Englishdescription, production date, supplier name, issuing number, CLEI (Common LanguageEquipment Identification) code, and sales BOM.

NOTE

You can back up the electronic label of the specified board in the following methods:l Run the backup elabel filename [ backplane | slot-id ] command to back up the electronic label

to the CF card on the ATN equipment.l Run the backup elabel ftp host filename username password [ backplane | slot-id ] command

to back up the electronic label to the specified FTP server.

----End

9.2.4 Displaying the Threshold of the Memory UsageBy specifying the slot ID, you can check the memory usage of the system control board.


display memory-usage

The threshold of the memory usage of the main system control board is displayed.

NOTE

To set the threshold of the memory usage in the main system control board , you can run the set memory-usage threshold thresholdcommand.

----End

9.2.5 Displaying the Threshold of CPU UsageBy specifying the slot ID, you can check the CPU usage of the MPU.


display cpu-usage [ task-name ] [ congfiguration ]

NOTE

To set the threshold of the CPU usage on the main MPU, you can run the set cpu-usage threshold threshold-value command, and run thedisplay cpu-usage configuration command can display the currentconfiguration of the CPU usage.

----End

9.2.6 Displaying Alarm InformationThe alarm information includes the alarm level, alarm date and time, and alarm description.


display alarm { slot-id | all }

Information about the alarm is displayed.



156

In the operation, using this command in any view, you can view current information about thealarm of the ATN equipment. Alarm information includes the following:

l Alarm levell Alarm date and timel Alarm description

NOTE

After displaying the alarm of the ATN equipment, you can run the clear alarm index index-id { send-trap | no-trap } command to clear the alarm at the specified index-id.

----End

9.2.7 Displaying the Board TemperatureThe temperature information includes the temperature status of each board, temperature alarmthresholds of a board, and actual temperature of a board.

Procedure

Step 1 Run:display temperature slot slot-id

The temperature of the specified board is displayed.

In practice, using this command in any view, you can view the current temperature of the ATNequipment.The temperature information includes the following:

l Current temperature status of the boardl Threshold to the alarm temperature of the boardl Actual temperature of the board

----End

9.2.8 Displaying the Board VoltageThe voltage information includes the number of voltage sensors on each board, working voltagesensor of each board, working status of the voltage sensor on each board, and voltage alarmthresholds of each board.

Procedure

Step 1 Run:display voltage slot slot-id

The board voltage is displayed.

In practice, using this command in any view, you can view the voltage of all the boards. Thevoltage information includes the following:

l Number of the voltage sensorsl Working voltage sensorsl Working status of the voltage sensorsl Alarm field value of the voltage



157

l Actual board voltage

----End

9.2.9 Displaying the Power Supply StatusThe power supply information includes the slot ID of the power supply module, whether thepower supply module is registered, working mode of the power supply module, and cable statusof the power supply module.

Procedure

Step 1 Run:display power

The power supply status is displayed.

In practice, using this command in any view, you can view the power supply status. The displayedinformation includes the following:

l Slot number of the power supply modulel Presence status of the power supply modulel Operation mode of the power supply modulel Cable status of the power supply module

----End

9.2.10 Displaying the Sequence Number of the MPUEach MPU has a globally unique equipment serial number (ESN).

Procedure

Step 1 Run:display esn

The sequence number of the MPU is displayed. In the operation, using this command in anyview, you can view the sequence number of the MPU on the ATN equipment.

----End

9.3 Board MaintenceBoard Maintenance involves resetting a board and clearing the maximum CPU usage.

9.3.1 Resetting a BoardYou need to back up important data before resetting a board.

Context

In the case that a board is faulty, you can use the reset slot command to reset the board.



158

WARNINGBack up important data before resetting the board.


Procedure

Step 1 Run:reset slot slot-id

The board is reset.

NOTE

l If this command is run to reset a master MPU and no slave MPU exists, the master MPU is reset withthe CPU being powered on. If a slave MPU exists, this command performs master/slave MPUswitchover.

l If the board is still abnormal after being reset, contact the Huawei technical support personnel.

----End



159

10 Patch Management

About This Chapter

Patch management includes checking the running patch, loading patch files, and installingpatches.

10.1 Introduction of Patch ManagementThis section describes the basics of the patch.

10.2 Checking the Running of Patch in the SystemThe system allows only one patch to run. Therefore, confirm that no patch is running beforeloading a new patch.

10.3 Loading a PatchPatches can be loaded through FTP or TFTP.

10.4 Installing a PatchTo repair the system that has vulnerabilities or defects, you can install a patch on the system.By installing a patch, you can upgrade the system without upgrading the system software.

10.5 (Optional) Unactivating the activating of PatchIf an installed patch does not take effect, you need to deactivate the patch.

10.6 Configuration Examples of the Patch ManagementThis section describes some Configuration Examples.

ATN 910 Multi - service Access EquipmentConfiguration Guide - Basic Configurations 10 Patch Management


160

10.1 Introduction of Patch ManagementThis section describes the basics of the patch.

10.1.1 Overview of Patch ManagementYou can install patches to improve system functions.

Patch OverviewDuring the operation of the device, you need to revise the system software sometimes such asremove the system defects or add new functions for service requirements. We used to upgradethe software after shutting down the system. This static upgrade affects the service on the deviceand does not improve the communication. If we load a patch to the system software, we canupgrade it online without interrupting the operation of the device. This dynamic upgrade doesnot affect the service and can improve the communication.

Patch AreaIn the memory of the Main Processing Unit (MPU), a certain space is reserved to save the patch.This space is called patch area.

To install the patch, save the patch to the patch area in advance in the memory of the board.

The patch saved in the patch area is numbered uniquely. Up to 2000 patches can be saved to thepatch area in the memory of the MPU .

Patch StatesPatch status can be idle, deactive, active, and running. For details, seeTable 10-1,

Table 10-1 Patch states

State Description States Conversion

No patch(idle)

The patch file is saved to the CFcard but not loaded to the patcharea in the memory.

When the patch is loaded to the patcharea, the patch status is set to deactive.

deactive The patch is loaded to the patcharea but disabled.

The patch in the deactive state can be asfollows:l Uninstalled, that is, deleted from the

patch area.l Enabled temporarily and turns to the

active state.



161

State Description States Conversion

active The patch is loaded to the patcharea and enabled temporarily.If the board is reset, the activepatch on that board turns to thedeactive state.

The patch in the active state can be asfollows:l Uninstalled, that is, deleted from the

patch area.l Enabled temporarily and turned into

the active state.l Enabled permanently, and turns to

the running state.

running The patch is loaded to the patcharea and enabled permanently.If the board is reset, the patch onthe board keeps in the runningstate.

The patch in the running state can beuninstalled and deleted from the patcharea.

Figure 10-1shows the conversion between patch states.

Figure 10-1 Conversion between the statuses of a patch

DeactivatedNo patch

Running Activated

Delete patchDelete patch

Run patch

Deactive patch Active patch

Delete patch

Load patch

10.1.2 Patches Supported by the ATN 910The ATN 910 allows patches to be loaded to the system or a certain board.



162

Patch Functions

Installing patches can improve system functions or fix bugs. By installing a patch, you canupgrade the system without upgrading the system software.

Logic Relationships Between Configuration Tasks

Figure 10-2Shows the logic relationships between the configuration tasks.

Figure 10-2 Logical relationships between configuration tasks

Run VRP

Normally run

End

Resort totechnical

support fornew patch

Enable patchtemporarily Bug removed Disable patch

Unload patch

No

Yes

No

Yes

10.2 Checking the Running of Patch in the SystemThe system allows only one patch to run. Therefore, confirm that no patch is running beforeloading a new patch.

10.2.1 Establishing the Configuration TaskBefore checking the running patch, familiarize yourself with the applicable environment,complete the pre-configuration tasks, and obtain the required data. This can help you completethe configuration task quickly and accurately.


At a certain time, the system allows the running of only one patch. Therefore, you need to confirmno patch is running in the current system before installing a patch. If a patch runs, delete thepatch before installing the new patch.


Before checking the running of patch in the system, complete the following tasks:



163

l Ensuring that the ATN equipment is started normally after power-on

l Ensuring that the ATN equipment can be logged in to

Data Preparation

None

10.2.2 Checking the Running of Patch in the SystemBy running the display patch-information command, you can view information about therunning patch units, activated patch units, and deactivated patch units.

ContextDo as follows on the ATN equipment to be upgraded:

Procedure

Step 1 Run:display patch-information

All the information about the current patch is displayed, including information about the patchunits that are running, the patch units that are activated, and the patch units that are deactivated.

----End

Example<PE> display patch-informationInfo: No patch exists.

This indicates that no patch runs in the current system.

NOTEIf there are patches running, you must delete them before loading new patches.

10.2.3 (Optional) Deleting a PatchThe system allows only one patch to run. If there is a running patch, you need to delete it beforeloading a new patch.

Context

Before installing a patch, you need to delete the running patch.

Do as follows on the ATN equipment to be upgraded.

Procedure

Step 1 Run:patch delete allThe running patch is deleted.

----End



164

10.3 Loading a PatchPatches can be loaded through FTP or TFTP.

10.3.1 Establishing the Configuration TaskBefore loading a patch, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configurationtask quickly and accurately.

Applicable EnvironmentBefore a patch is installed, it should be uploaded to the root directory of the CF card of the masterMPUs.

The three methods to upload a patch are FTP,.

Pre-configuration TasksBefore loading a patch, complete the following tasks:

l Ensuring that the ATN equipment is started normally after power-onl Ensuring that the ATN equipment can be logged in to

Data PreparationBefore running a patch, you need to obtain a patch that is consistent with the board.

No. Data

1 Uploading a Patch to the Root Directory of the CF Card of the Master MPU

2 Copying a Patch to the Root Directory of the CF Card of the Slave MPU

10.3.2 Loading a PatchUpload a patch to the root directory of the CF card of the MPU.


Procedure

Step 1 Upload a patch to the root directory of the CF card of the MPU.

The ATN equipment supports the uploading of files through FTP, TFTP, for moreinfirmation ,please see: "FTP, TFTP". Choose an uploading method based on the requirements.

Step 2 Run:startup patch file-name



165

The patch package is specified for the MPU on the next startup.

----End

10.3.3 Checking the ConfigurationAfter a patch is loaded, you can check patch information.

Context

Run the following commands to check the previous configuration.

Procedurel Run:

dir cfcard:/

Check the files on the MPU.

l Run:display startup

Check the patch file used in the next system startup.

----End

10.4 Installing a PatchTo repair the system that has vulnerabilities or defects, you can install a patch on the system.By installing a patch, you can upgrade the system without upgrading the system software.

10.4.1 Establishing the Configuration TaskBefore installing a patch on the system, familiarize yourself with the applicable environment,complete the pre-configuration tasks, and obtain the required data. This can help you completethe configuration task quickly and accurately.


Installing patches can fix system vulnerabilities or correct system defects. By installing a patch,you can upgrade the system without upgrading the system software.

When a patch is uploaded, the system checks that the patch version is the same as the systemversion. If the two versions are not the same, the system prompts that the patch uploading fails.


Before installing a patch, upload the patch to the root directory of the CF card of the master.

Data Preparation

None



166

10.4.2 Loading a PatchA patch can be successfully loaded only when the patch version matches the system softwareversion.


Procedure

Step 1 Run:patch load file-name all

The patch is loaded.

----End

Follow-up Procedure

When a patch is loaded, the system checks that the patch version is the same as the systemversion. If the two versions are not the same, the system prompts that the patch loading fails.

When the patch is loaded successfully, it's status is Deactive and keeps Deactive after the boardis reset.

10.4.3 Activating a PatchA patch can be activated only when it is correctly loaded and is in the deactivated state.


Procedure

Step 1 Run:patch active all

The patch is activated.

----End

Follow-up ProcedureA patch can be activated only when it is correctly loaded and is in the deactivated state. Whena patch is activated, it becomes valid immediately. After the board is reset, however, the statusof the patch becomes Deactive , and the patch does not remain valid.

10.4.4 Running a PatchA patch can be run only after it is activated. Running a patch means that the patch is activatedpermanently.



167

ContextDo as follows on the ATN equipment be upgraded:

Procedure

Step 1 Run:patch run all

The patch is run.

----End

Follow-up ProcedureA patch can be run only after it is activated. Running a patch means that the patch is activatedpermanently and the patch remains valid after the board is reset. The status of the patch keepsRunning.

10.4.5 Checking the ConfigurationAfter a patch is installed on the system, you can check the patch status.

Procedurel Run:

display patch-information

Check the patch state.

----End

10.5 (Optional) Unactivating the activating of PatchIf an installed patch does not take effect, you need to deactivate the patch.

10.5.1 Establishing the Configuration TaskBefore deactivating a patch, familiarize yourself with the applicable environment, complete thepre-configuration tasks, and obtain the required data. This can help you complete theconfiguration task quickly and accurately.


After a patch is activated, you need to judge that the patch has achieved the expected effect. Ifthe patch does not become valid, you need to activate the patch.

A patch can be deactivated only after it is activated.


None



168

Data PreparationNone

10.5.2 Deactivating a PatchDeactivating a patch makes an active patch become inactive.


patch deactive all

The patch is deactivated.

----End

10.5.3 Checking the ConfigurationAfter a patch is deactivated, you can run the display command to check the patch status.

Procedurel Run:

display patch-information

Check the patch state.

----End

10.6 Configuration Examples of the Patch ManagementThis section describes some Configuration Examples.

10.6.1 Example for Installing a PatchWhen the system has vulnerabilities or defects, you can install a patch to repair the system.

Networking RequirementsFigure 10-3shows that some urgent bug occurs in the system software at the Provider Edge (PE)connected to the Internet. Huawei provides the patch file to remove the bug. The patch in thispatch file must be installed to remove the bug.

Figure 10-3 Networking diagram of installing a patch

MPLS Core

PE

FTP Server

GE0/3/010.1.1.1/24

PC

10.1.1.2/24

10.1.1.3/24



169


1. Save the patch file to the root directory of the CF card on the master.2. Load the patch.3. Activate the patch.4. Run the patch.


l File name of the patch: patch.patl Path the patch saved to on the MPU: cfcard:/

Procedure

Step 1 Upload the patch file for the system software.

# Log in to the FTP server.

<PE> ftp 10.1.1.2Trying 10.1.1.2 ...Press CTRL+K to abortConnected to 192.168.1.2.220 FTP service ready.User(10.1.1.2:(none)):huawei331 Password required for huawei.Password:230 User logged in.[ftp]

# Configure the binary transmission format and the working directory of the CF card on PE.

[ftp] binary200 Type set to I.[ftp] lcd cfcard:/% Local directory now cfcard:.

# Load the patch file for the current system software from the remote FTP server.

[ftp] get patch.pat200 Port command okay.150 Opening ASCII mode data connection for license.txt.226 Transfer complete.FTP: 6309 byte(s) received in 0.188 second(s) 33.55Kbyte(s)/sec. [ftp] bye221 Server closing.<PE>

Step 2 Load the patch.<PE> patch load patch.pat all

Step 3 Activate the patch.<PE> patch active all

Step 4 Run the patch.<PE> patch run all



170

Step 5 Verify the configuration<PE> display patch-information Patch Package Name :cfcard:/patch.pat Patch Package Version:V200R001C01The state of the patch state file is: RunningThe current state is: Running

************************************************************************* The hot patch information, as follows: *************************************************************************

Slot Type State Count ------------------------------------------------------------ 2 C Running 1

----End

Configuration FilesNone



171

A Acronyms and Abbreviations

This appendix collates frequently used acronyms and abbreviations in this document.

Numerics

3DES Triple Data Encryption Standard

A

AAA Authentication, Authorization and Accounting

ACL Access Control List

ARP Address Resolution Protocol

AES Advanced Encryption Standard

ASPF Application Specific Packet Filter

AUX Auxiliary port

B

BGP Border Gateway Protocol

C

CBQ Class-based Queue

CHAP Challenge Handshake Authentication Protocol

CQ Custom Queuing

CR-LDP Constraint-based Routing LDP

D

DES Data Encryption Standard

ATN 910 Multi - service Access EquipmentConfiguration Guide - Basic Configurations A Acronyms and Abbreviations


172

DHCP Dynamic Host Configuration Protocol

DNS Domain Name System

E

ESP Encapsulating Security Payload

F

FR Frame Relay

G

GRE Generic Routing Encapsulation

H

HDLC High Level Data Link Control

I

IETF Internet Engineering Task Force

IKE Internet Key Exchange

IPSec IP Security

IS-IS Intermediate System-to-Intermediate System intra-domainrouting information exchange protocol

ITU-T International Telecommunication Union TelecommunicationsStandardization Sector

L

L2TP Layer Two Tunneling Protocol

LAPB Link Access Procedure Balanced

LDP Label Distribution Protocol

M

MAC Medium Access Control

MBGP Multiprotocol Extensions for BGP-4

MFR Multiple Frame Relay



173

MP MultiLink PPP

MPLS Multiprotocol Label Switching

MSDP Multicast Source Discovery Protocol

MTU Maximum Transmission Unit

N

NAT Network Address Translation

NAT-PT Network Address Translation - Protocol Translation

O

OAM Operation, Administration and Maintenance

OSPF Open Shortest Path First

P

PAP Password Authentication Protocol

PE Provider Edge

Ping Ping (Packet Internet Groper)

PPP Point-to-Point Protocol

PPPoA PPP over AAL5

PPPoE Point-to-Point Protocol over Ethernet

PPPoEoA PPPoE on AAL5

PQ Priority Queuing

Q

QoS Quality of Service

R

RADIUS Remote Authentication Dial In User Service

RIP Routing Information Protocol

RPR Resilient Packet Ring

RSVP Resource Reservation Protocol



174

S

SFTP SSH File Transfer Protocol

T

TE Traffic Engineering

TCP Transmission Control Protocol

TFTP Trivial File Transfer Protocol

V

VPN Virtual Private Network

VRP Versatile Routing Platform

VRRP Virtual Router Redundancy Protocol

W

WAN Wide Area Network

WFQ Weighted Fair Queuing

WRED Weighted Random Early Detection

X

XOT X.25 Over TCP



175

configuration guide basic configurations (v200r001c01_03)

Documents