Configuration guide basic configurations(v800 r002c01-01)

HUAWEI NetEngine5000E Core Router
V800R002C01
Configuration Guide - Basic
Configurations
Issue 01
Date 2011-10-15
HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2011. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com
Issue 01 (2011-10-15) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
i

Configuration Guide - Basic Configurations About This Document
About This Document
Intended Audience
This document provides the basic concepts, configuration procedures, and configuration
examples in different application scenarios of the Basic Configurations feature supported by the
NE5000E device.
This document describes how to configure the Basic Configurations feature.
This document is intended for:
l Data configuration engineers
l Commissioning engineers
l Network monitoring engineers
l System maintenance engineers
Related Versions (Optional)
The following table lists the product versions related to this document.
Product Name Version
HUAWEI NetEngine5000E
V800R002C01
Core Router
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
Indicates a hazard with a high level of risk, which if not
avoided, will result in death or serious injury.
Indicates a hazard with a medium or low level of risk, which
if not avoided, could result in minor or moderate injury.
ii

Configuration Guide - Basic Configurations About This Document
Symbol Description
Indicates a potentially hazardous situation, which if not
avoided, could result in equipment damage, data loss,
performance degradation, or unexpected results.
Indicates a tip that may help you solve a problem or save time.
Provides additional information to emphasize or supplement
important points of the main text.
Command Conventions (Optional)
The command conventions that may be found in this document are defined as follows.
Convention Description
Boldface The keywords of a command line are in boldface.
Italic Command arguments are in italics.
[ ] Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... } Optional items are grouped in braces and separated by
vertical bars. One item is selected.
[ x | y | ... ] Optional items are grouped in brackets and separated by
vertical bars. One item is selected or no item is selected.
{ x | y | ... }* Optional items are grouped in braces and separated by
vertical bars. A minimum of one item or a maximum of all
items can be selected.
[ x | y | ... ]* Optional items are grouped in brackets and separated by
vertical bars. Several items or no item can be selected.
&<1-n> The parameter before the & sign can be repeated 1 to n times.
# A line starting with the # sign is comments.
Change History
Updates between document issues are cumulative. Therefore, the latest document issue contains
all updates made in previous issues.
Changes in Issue 01 (2011-10-15)
The initial commercial release.
iii

Configuration Guide - Basic Configurations Contents
Contents
About This Document.....................................................................................................................ii
1 Logging In to the System for the First Time............................................................................1
1.1 Overview of Logging In to the System for the First Time.................................................................................2
1.2 Logging In to the router Through the Console Port...........................................................................................2
1.2.1 Logging In to the router Through the Console Port..................................................................................3
1.2.2 Logging In to the router.............................................................................................................................3
2 Configure the User Interface.......................................................................................................6
2.1 User Interface Overview.....................................................................................................................................7
2.2 Configuring the Console User Interface.............................................................................................................8
2.2.1 Configuring Physical Attributes for the Console User Interface...............................................................9
2.2.2 Configuring Terminal Attributes for the Console User Interface............................................................10
2.2.3 Configuring the User Priority for the Console User Interface.................................................................11
2.2.4 Configuring Authentication for the Console User Interface....................................................................12
2.2.5 Checking the Configuration.....................................................................................................................13
2.3 Configuring VTY User Interfaces....................................................................................................................14
2.3.1 Configuring the Maximum Number of VTY User Interfaces.................................................................15
2.3.2 Configuring the Limit on Incoming and Outgoing Calls for VTY User Interfaces................................16
2.3.3 Configuring Terminal Attributes for VTY User Interfaces.....................................................................16
2.3.4 Configuring the User Priority for a VTY User Interface.........................................................................17
2.3.5 Configuring Authentication for a VTY User Interface............................................................................18
2.4 Configuration Examples...................................................................................................................................21
2.4.1 Example for Configuring the Console User Interface.............................................................................21
2.4.2 Example for Configuring VTY User Interfaces......................................................................................23
3 Configuring User Login.............................................................................................................26
3.1 User Login Overview.......................................................................................................................................27
3.2 Logging In to the System Through the Console Port.......................................................................................30
3.2.1 Configuring the Console User Interface..................................................................................................30
3.2.2 Logging In to the System Through the Console Port..............................................................................31
3.3 Logging In to the System by Using Telnet.......................................................................................................32
3.3.1 Configuring VTY User Interfaces...........................................................................................................33
iv

3.3.2 (Optional) Configuring Local Telnet Users.............................................................................................33
3.3.3 Enabling the Telnet Server Function.......................................................................................................34
3.3.4 (Optional) Configuring the Listening Port Number for the Telnet Server..............................................35
3.3.5 Logging In to the System by Using Telnet..............................................................................................36
3.4 Logging In to the System by Using STelnet.....................................................................................................37
3.4.1 Configuring VTY User Interfaces...........................................................................................................38
3.4.2 Configuring VTY User Interfaces to Support SSH.................................................................................39
3.4.3 Configuring an SSH User and Specifying the Service Type...................................................................39
3.4.4 Enabling the STelnet Server Function.....................................................................................................42
3.4.5 (Optional) Configuring STelnet Server Parameters................................................................................42
3.4.6 Logging In to the System by Using STelnet............................................................................................43
3.5.1 Example for Logging In to the System Through the Console Port.........................................................46
3.5.2 Example for Logging In to the System by Using Telnet.........................................................................48
3.5.3 Example for Logging In to the System by Using STelnet.......................................................................51
4 Transferring Files........................................................................................................................55
4.1 File Transfer Overview.....................................................................................................................................56
4.2 File Transfer Modes Supported by the HUAWEI NetEngine5000E................................................................57
4.3 Operating Files After Logging In to the System..............................................................................................58
4.3.1 Managing Directories..............................................................................................................................59
4.3.2 Managing Files........................................................................................................................................59
4.4 Using FTP to Operate Files..............................................................................................................................61
4.4.1 Configuring a Local FTP User................................................................................................................62
4.4.2 (Optional) Changing the Listening Port Number of the FTP Server.......................................................63
4.4.3 Enabling the FTP Server Function..........................................................................................................63
4.4.4 (Optional) Configuring FTP Server Parameters......................................................................................64
4.4.5 (Optional) Configuring FTP Access Control...........................................................................................65
4.4.6 Using FTP to Access the System.............................................................................................................65
4.4.7 Using FTP to Operate Files.....................................................................................................................66
4.5 Using SFTP to Operate Files............................................................................................................................70
4.5.1 Configuring an SSH User and Specifying the Service Type...................................................................71
4.5.2 Enabling the SFTP Server Function........................................................................................................73
4.5.3 (Optional) Configuring SFTP Server Parameters....................................................................................74
4.5.4 Using SFTP to Access the System..........................................................................................................76
4.5.5 Using SFTP to Operate Files...................................................................................................................77
4.6.1 Example for Operating Files After Logging In to the System................................................................80
4.6.2 Example for Using FTP to Operate Files................................................................................................80
v

4.6.3 Example for Using SFTP to Operate Files..............................................................................................83
5 Accessing Other Devices............................................................................................................86
5.1 Overview..........................................................................................................................................................87
5.2 Using Telnet to Log In to Other Devices.........................................................................................................89
5.3 Using STelnet to Log In to Other Devices.......................................................................................................91
5.3.1 Configuring Login to Another Device for the First Time (Enabling First-Time Authentication on the SSH
Client)...............................................................................................................................................................92
5.3.2 Configuring Login to Another Device for the First Time (Binding the SSH Client to the RSA Public Key
Generated on the SSH Server)..........................................................................................................................93
5.3.3 Using STelnet to Log In to Other Devices..............................................................................................94
5.4 Using TFTP to Access Other Devices..............................................................................................................95
5.4.1 Configuring the Source Address for the TFTP Client.............................................................................96
5.4.2 Configuring TFTP Access Control..........................................................................................................96
5.4.3 Using TFTP to Download Files from Other Devices..............................................................................97
5.4.4 Using TFTP to Upload Files to Other Devices........................................................................................98
5.5 Using FTP to Access Other Devices................................................................................................................99
5.5.1 (Optional) Configuring the Source Address for the FTP Client............................................................100
5.5.2 Using FTP to Connect the FTP Client to Other Devices.......................................................................100
5.5.3 Using FTP to Operate Files...................................................................................................................101
5.5.4 (Optional) Changing the User Login.....................................................................................................103
5.5.5 Terminating a Connection to the FTP Server........................................................................................104
5.5.6 Checking the Configuration...................................................................................................................105
5.6 Using SFTP to Access Other Devices............................................................................................................105
5.6.1 (Optional) Configuring the Source Address for the SFTP Client.........................................................106
5.6.2 Configuring Login to Another Device for the First Time (Enabling First-Time Authentication on the SSH
Client).............................................................................................................................................................107
5.6.3 Configuring Login to Another Device for the First Time (Binding the SSH Client to the RSA Public Key
Generated on the SSH Server)........................................................................................................................107
5.6.4 Using SFTP to Connect the SSH Client to the SSH Server..................................................................109
5.6.5 Using SFTP to Operate Files.................................................................................................................109
5.7 Configuration Examples.................................................................................................................................111
5.7.1 Example for Using Telnet to Log In to Other Devices..........................................................................111
5.7.2 Example for Using STelnet to Log In to Other Devices.......................................................................113
5.7.3 Example for Using TFTP to Access Other Device................................................................................120
5.7.4 Example for Using FTP to Access Other Devices................................................................................123
5.7.5 Example for Using SFTP to Access Other Devices..............................................................................125
5.7.6 Example for Accessing the SSH Server by Using a Non-default Listening Port Number....................131
5.7.7 Example for Configuring SSH Clients on the Public Network to Access an SSH Server on a Private
Network..........................................................................................................................................................137
6 Using the Command Line Interface.......................................................................................148
vi

6.1 Overview of the Command Line Interface.....................................................................................................149
6.2 Establishing the Running Environment for the Command Line....................................................................149
6.2.1 Configuring the Login Alert..................................................................................................................150
6.2.2 Setting a Device Name..........................................................................................................................150
6.2.3 Configuring Command Levels..............................................................................................................151
6.2.4 Lock the User Interface.........................................................................................................................152
6.3 How to Use Command Lines..........................................................................................................................152
6.3.1 Entering a Command View...................................................................................................................153
6.3.2 Editing Command Lines........................................................................................................................153
6.3.4 Checking the Diagnostic Information....................................................................................................155
6.3.5 Display Mode of Command Lines.........................................................................................................155
6.3.6 Error Information in Command Lines...................................................................................................159
6.4 How to Obtain Command Help......................................................................................................................159
6.5 How to Use Shortcut Keys.............................................................................................................................160
6.5.1 Classification of Shortcut Keys.............................................................................................................161
6.5.2 Defining Shortcut Keys.........................................................................................................................161
6.5.3 Displaying Shortcut Keys and Their Functions.....................................................................................162
6.6.1 Example for Using Tab..........................................................................................................................163
6.6.2 Example for Defining Shortcut Keys....................................................................................................164
7 Device Upgrade..........................................................................................................................166
7.1 Overview of Device Upgrade.........................................................................................................................167
7.2 Upgrade Modes Supported by the NE5000E.................................................................................................167
8 Patch Installation.......................................................................................................................169
8.1 Overview........................................................................................................................................................170
8.2 Patch Installation Modes Supported by the NE5000E...................................................................................170
9 Configuration Management....................................................................................................171
9.1 Introduction to Configuration Management...................................................................................................172
9.2 Configuration Management Features that the NE5000E Supports................................................................173
9.3 Selecting a Configuration Validation Mode...................................................................................................173
9.3.1 Configuring Immediate Configuration Validation Mode......................................................................174
9.3.2 Configuring Two-Phase Configuration Validation Mode.....................................................................175
9.4 Managing Configuration Files........................................................................................................................177
9.4.1 Saving Configurations...........................................................................................................................178
9.4.2 Comparing Configuration Files.............................................................................................................179
9.4.3 Specifying the System Configuration File to Be Loaded at the Next Startup.......................................179
9.4.4 Clearing the System Configuration File Loaded at the Current Startup................................................180
9.5.1 Example for Configuring User Services in Immediate Configuration Validation Mode......................183
vii

9.5.2 Example for Configuring Services When Configurations Have Been Locked by Another User in Two-
Phase Configuration Validation Mode...........................................................................................................184
9.5.3 Example for Multiple Users to Configure a Same Service in Two-Phase Configuration Validation Mode
........................................................................................................................................................................186
9.5.4 Example for Multiple Users to Configure a Service in Two-Phase Configuration Validation Mode
........................................................................................................................................................................187
9.5.5 Example for Configuring Different Services by Multiple Users in Two-Phase Configuration Validation
Mode...............................................................................................................................................................189
9.5.6 Example for Managing Configuration Files..........................................................................................191
10 File System Management.......................................................................................................193
10.1 File System Overview..................................................................................................................................194
10.2 File System Supported by the NE5000E......................................................................................................194
10.3 Managing the Directory................................................................................................................................194
10.4 Managing Files.............................................................................................................................................195
10.5 Configuration Examples...............................................................................................................................197
10.5.1 Example for Managing a Directory.....................................................................................................197
10.5.2 Example for Managing Files...............................................................................................................198
11 Clock Synchronization Configuration................................................................................200
11.1 Clock Synchronization Overview.................................................................................................................201
11.2 Clock Synchronization Features Supported by the NE5000E(NE5000E-X16)...........................................202
11.3 Configuring an External BITS Clock Reference Source..............................................................................206
11.3.1 Configuring an External Clock Reference Source for the router and the Clock Signal Type.............207
11.3.2 Configuring a Mapping from an External Clock Reference Source to the Index of a User Clock Source
for the router...................................................................................................................................................207
11.3.3 Checking the Configuration.................................................................................................................208
11.4 Specifying a Clock Source Manually...........................................................................................................209
11.5 Configuring Automatic Clock Source Selection to Be Based on Priorities.................................................210
11.5.1 Configuring the System to Automatically Select a Clock Source.......................................................211
11.5.2 Configuring Clock Source Selection Not to Be Based on SSM Levels..............................................212
11.5.3 Setting the Priority of a Clock Source.................................................................................................212
11.6 Configuring Automatic Clock Source Selection to Be Based on SSM Levels............................................214
11.6.1 Configuring the System to Automatically Select a Clock Source.......................................................215
11.6.2 Configuring Clock Source Selection to Be Based on SSM Levels.....................................................216
11.6.3 (Optional) Setting the SSM Level of a 2.048 MHz BITS Clock Source.............................................216
11.6.4 Configuring SA Timeslots in 2.048 Mbit/s BITS Clock Source Signals to Bear SSM Levels...........217
11.7 Configuration Examples...............................................................................................................................219
11.7.1 Example for Configuring Protection Switching Among Clock Sources.............................................219
viii

Configuration Guide - Basic Configurations 1 Logging In to the System for the First Time
1 Logging In to the System for the First Time
About This Chapter
To configure a new device, the device must be logged in to the console port.
1.1 Overview of Logging In to the System for the First Time
User can log in to a device that is powered on for the first time only through the console port.
Other login modes can be configured after the user logged in to the device for the first time.
1.2 Logging In to the router Through the Console Port
A terminal can be connected to the console port on the router to establish the configuration
environment.
1

1.1 Overview of Logging In to the System for the First Time
User can log in to a device that is powered on for the first time only through the console port.
Other login modes can be configured after the user logged in to the device for the first time.
The console port is a linear port on the main control board. Each main control board provides
one console port that conforms to the EIA/TIA-232 standard. The console port is a type of Data
Connection Equipment (DCE) interface. Users can directly connect a serial interface from a
terminal to the console port to configure the device.
The console port has the following states:
l Connected: The console port is being connected.
l Disconnected: The console port is disconnected.
1.2 Logging In to the router Through the Console Port
environment.
Applicable Environment
When the router is powered on for the first time, you must use the console port to log in to the
router to configure and manage the router.
Pre-configuration Tasks
Before logging in to the router through the console port, complete the following tasks:
l Preparing a PC or a terminal, including a serial interface and an RS-232 cable
l Installing a terminal emulator on the PC, such as Windows XP HyperTerminal
Configuration Procedures
Figure 1-1 Logging in to the router through the console port
Establish a physical connection
Log in to the device
Mandatory procedure
Optional procedure
2

1.2.1 Logging In to the router Through the Console Port
environment.
When the router is powered on for the first time, you must use the console port to log in to the
router to configure and manage the router.
Before logging in to the router through the console port, complete the following tasks:
Figure 1-2 Logging in to the router through the console port
Establish a physical connection
Log in to the device
Mandatory procedure
Optional procedure
1.2.2 Logging In to the router
You can use a PC (connected to the console port on the router) to log in to the router that is
powered on for the first time to configure and manage the router.
Context
Configure physical attributes for the PC according to the attributes configured for the console
port on the router, including the transmission rate, data bits, parity bit, stop bits, and flow control
mode. As the router is logged in for the first time, terminal attributes use the default values.
Procedure
Step 1 Start a terminal emulator (such as HyperTerminal of Windows XP) on the PC to establish a
connection. Follow the instructions as shown in Figure 1-3 and click OK.
3

Figure 1-3 Establishing a connection
Step 2 Set the COM port. Follow the instructions as shown in Figure 1-4 and click OK.
Figure 1-4 Setting the COM port
Step 3 Set communication parameters for the COM port to the default values of the router, as shown
in Figure 1-5 and click OK.
4

Figure 1-5 Setting communication parameters
A command prompt such as <HUAWEI> appears, the user view is displayed, and you can start
the configuration on the HUAWEI device.
In the user view, configure the device or check its operating status, or enter a question mark (?)
for online help.
----End
5

Configuration Guide - Basic Configurations 2 Configure the User Interface
2 Configure the User Interface
About This Chapter
When a user logs in to the router through the console port or using Telnet or Secure Shell (SSH),
the system uses a corresponding user interface to manage and monitor the session between the
router and the user.
2.1 User Interface Overview
The system supports console and Virtual Type Terminal (VTY) user interfaces.
2.2 Configuring the Console User Interface
The console user interface manages and monitors users logging in to a device through the console
port.
2.3 Configuring VTY User Interfaces
VTY user interfaces manage and monitor users logging in to the device by using VTY.
2.4 Configuration Examples
This section provides examples for configuring console and VTY user interfaces. These
examples explain networking requirements, configuration roadmap, and configuration notes.
6

2.1 User Interface Overview
The system supports console and Virtual Type Terminal (VTY) user interfaces.
Users can log in to a device to configure, monitor, and maintain local or remote network devices
only after user interfaces, user management, and terminal services are configured. User
interfaces provide the login entrance. User management ensures login security. Terminal
services offer login protocols.
Each user interface has a corresponding user interface view. A network administrator can
configure a set of parameters in a user interface view to determine whether authentication is
required and the level of logged in users. This allows uniform management of various user
sessions.
Currently, the following user interfaces are supported:
l Console: manages and monitors users logging in through the console port.
The type of the console port is EIA/TIA-232 DCE.
l VTY: manages and monitors users logging in using VTY.
A VTY connection is set up when a user uses Telnet or SSH to log in to the device. A
maximum of 18 users can log in to the device by using VTY.
NOTE
A user using different login modes to log in is allocated different user interfaces. A user logging in several
times using the same way may be allocated different user interfaces.
User Interface Numbering
After a user logs in to a device, the system allocates an idle user interface with the smallest
number to the user based on the login mode of the user. The login process is restricted by the
configurations for the user interface.
User interface can be numbered in the following manners:
l Relative numbering
The relative numbering uniquely specifies a user interface or a group of user interfaces of
the same type.
The numbering format is user interface type + number, adhering to the following rules:
– Console port numbering: CON0.
– VTY user interface numbering: The first VTY is 0, the second VTY is 1, and so on.
l Absolute numbering
The absolute numbering uniquely specifies a user interface or a group of user interfaces.
The number starts with 0, increasing by 1. The console port is numbered before VTY user
interfaces.
There are 20 consoles and 18 VTY user interfaces. You can run the user-interface
maximum-vty command in the system view to set the maximum number of VTY user
interfaces. The default value is 5.
Table 2-1 shows the default absolute numbers of the console and VTY user interfaces.
Numbers 1 to 32 are reserved for TTY user interfaces.
7

Table 2-1 Example of absolute numbers for user interfaces
Absolute Number User Interface
0 CON0
34 VTY0: the first VTY
35 VTY1: the second VTY
36 VTY2: the third VTY
37 VTY3: the fourth VTY
38 VTY4: the fifth VTY
Authentication for User Interfaces
After authentication mode is configured for a user interface, the system authenticates users to
log in through this user interface. Authentication modes are as follows:
l No-authentication: Users can log in to the device without entering user names or passwords.
This mode is insecure and is not recommended.
l Password authentication: Users need to enter passwords but not user names for login.
l AAA authentication: Users must enter both user names and passwords for login. If either
a user name or a password is incorrect, the login fails. Telnet users are usually authenticated
in AAA mode.
User Priorities for User Interfaces
Users log in to the device are managed based on the user levels. Like command levels, users are
classified into 18 levels from 0 to 17. The greater the value, the higher the user level.
The level of commands that a user can use is determined by the user level.
l If no-authentication or password authentication is configured, the level of commands that
a user can use depends on the level of the user interface through which the user logs in.
l If AAA authentication is configured, the level of commands that a user can use depends
on the local user priority specified in the AAA configuration.
2.2 Configuring the Console User Interface
The console user interface manages and monitors users logging in to a device through the console
port.
If you need to log in to a device through the console port for local maintenance, configure the
console user interface, including the physical attributes, terminal attributes, user priority, and
user authentication mode. Configure parameters based on the use and security requirements.
8

Before configuring the console user interface, complete the following task:
l Logging In to the router Through the Console Port
Choose one or more configuration tasks (excluding "Checking the Configuration") as needed.
2.2.1 Configuring Physical Attributes for the Console User Interface
Physical attributes of the console user interface include the baud rate, flow control mode, parity
bit, stop bits, and data bits for the console port.
Context
When a user logs in a device through the console port, physical attributes set on the
HyperTerminal for the console port must be consistent with the attributes of the console user
interface on the device. Otherwise, the user cannot log in to the device.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
user-interface console ui-number
The console user interface is displayed.
Step 3 Run:
speed line-speed
The transmission rate is set.
The value can be 300, 600, 1200, 2400, 4800, 9600, 19200, 38400, 57600, or 115200, in bit/s.
By default, the value is 9600.
Step 4 Run:
flow-control { hardware | none | software }
The flow control mode is set.
By default, the value is none.
The none mode indicates that the flow control function does not take effect on the console port.
Step 5 Run:
parity { even | mark | none | odd | space }
The parity bit is set.
By default, the value is none.
Step 6 Run:
stopbits { 1.5 | 1 | 2 }
9

The stop bits are set.
By default the value is 1.
Step 7 Run:
databits { 5 | 6 | 7 | 8 }
The data bits are set.
Step 8 Run:
commit
The configuration is committed.
----End
2.2.2 Configuring Terminal Attributes for the Console User
Interface
Terminal attributes of the console user interface include the timeout period of an idle connection,
number of lines displayed on a terminal screen, and buffer size for previously used commands.
Procedure
Step 1 Run:
system-view
Step 2 Run:
The console user interface view is displayed.
Step 3 Run:
shell
The terminal service is started.
Step 4 Run:
idle-timeout minutes [ seconds ]
The timeout period is set.
By default, idle timeout period on the user interface is 10 minutes.
Step 5 Run:
screen-length screen-length
Screen length of the console terminal is set.
By default, the length of a terminal screen is 24 rows.
Step 6 Run:
screen-width screen-width
Screen width of the console terminal is set.
10

Step 7 Run:
history-command max-size size-value
The buffer of the history command is set.
By default, the size of history command buffer on a user interface is 10 entries.
Step 8 Run:
commit
----End
2.2.3 Configuring the User Priority for the Console User Interface
You can set user priorities for user interfaces to manage users based on their levels. This section
describes how to set the user priority for the console user interface.
Context
User levels correspond to command levels. User can use commands of the corresponding level
or lower after log in to the system.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
user privilege level level
The user priority is set.
By default, users logging in through the console user interface can use commands at level 3, and
users logging in through other user interfaces can use commands at level 0.
NOTE
If the user priority configured for the user interface and the user priority configured for the user conflict,
the user level takes precedence.
For example, user 001 can use commands at level 3, and the user level configured in the user interface
view Console 0 for the user is 2. After user 001 logs in through Console 0, the user can use commands at
level 3 or lower.
Step 4 Run:
commit
----End
11

2.2.4 Configuring Authentication for the Console User Interface
The system provides three authentication modes: AAA, password authentication, and no-authentication.
Configuring authentication improves system security.
Procedure
l Configure AAA authentication.
1. Run:
system-view
2. Run:
3. Run:
authentication-mode aaa
The authentication mode is set to AAA.
4. Run:
quit
Exit from the console user interface.
5. Run:
aaa
The AAA view is displayed.
6. Run:
local-user user-name password { simple | cipher } password
The user name and password is set.
– If the password is in the form of simple, the password must be in the plain text.
– If the password is in the form of cipher, the password can be either in the encrypted
text or in the plain text. The result is determined by the input.
7. Run:
commit
l Configure password authentication.
1. Run:
system-view
2. Run:
3. Run:
authentication-mode password
Password authentication is set.
12

4. Run:
set authentication password { cipher | simple } password
Authentication password is set.
5. Run:
commit
l Configure no-authentication.
1. Run:
system-view
2. Run:
3. Run:
authentication-mode none
No-authentication is set.
4. Run:
commit
----End
2.2.5 Checking the Configuration
After configuring the console user interface, you can view user login information about the user
interface, physical attributes and configurations of the user interface, the local user list, and
online users.
Prerequisite
The configurations of the console user interface are complete.
Procedure
l Run the display users [ all ] command to check user login information about user interfaces.
l Run the display user-interface console 0 command to check physical attributes and
configurations of the user interface.
l Run the display local-user command to check the local user list.
l Run the display access-user command to check information about logged-in users.
----End
13

Example
Run the display users command to view user login information about the current user interface.
<HUAWEI> display users
User-Intf Delay Type Network Address AuthenStatus AuthorcmdFlag
0 CON 0
Username : Unspecified
+ 258 VTY 0 00:00:00 TEL 10.164.6.15 pass no
Username : Unspecified 259 VTY 1
Run the display user-interface console 0 command to view physical attributes and
<HUAWEI> display user-interface console 0
Idx Type Tx/Rx Modem Privi ActualPrivi Auth Int
0 CON 0 9600 - 3 - N -
1 CON 0 9600 - 3 - N -
+ : Current UI is active.
F : Current UI is active and work in async mode.
Idx : Absolute index of UIs.
Type : Type and relative index of UIs.
Privi: The privilege of UIs.
ActualPrivi: The actual privilege of user-interface.
Auth : The authentication mode of UIs.
A: Authenticate use AAA.
N: Current UI need not authentication.
P: Authenticate use current UI's password.
Int : The physical location of UIs.
Run the display local-user command to view the local user list.
<HUAWEI> display local-user
----------------------------------------------------------------------------
Username State Type Online
----------------------------------------------------------------------------
user123 Active All 0
ll Active F 0
user1 Active F 0
----------------------------------------------------------------------------
Total 3,3 printed
Run the display access-user command to view information about logged-in users.
<HUAWEI> display access-user
-----------------------------------------
User-name domain-name userid
-----------------------------------------------
root default 1
abcd default 2
-----------------------------------------------
Total users : 2
Wait authen-ack : 0
Authentication success : 2
2.3 Configuring VTY User Interfaces
VTY user interfaces manage and monitor users logging in to the device by using VTY.
If you need to log in to a device for local or remote configuration and maintenance by using
Telnet or SSH, configure VTY user interfaces, including the maximum number of VTY user
interfaces, limit on incoming and outgoing calls, terminal attributes, user priority, and user
authentication mode. Configure parameters based on the user and security requirements.
14

Before configuring VTY user interfaces, complete the following task:
l Logging In to the router Through the Console Port
Choose one or more configuration tasks (excluding "Checking the Configuration") as needed.
2.3.1 Configuring the Maximum Number of VTY User Interfaces
Configuring the maximum number of VTY user interfaces limits the number of simultaneous
login users.
Context
The maximum number of VTY user interfaces is the total number of users that use Telnet and
SSH to log in.
CAUTION
If the maximum number of VTY user interfaces is set to zero on a device, no user can log in to
the device.
Procedure
Step 1 Run:
system-view
Step 2 Run:
user-interface maximum-vty number
The maximum number of VTY user interfaces is set.
l If the configured maximum number is smaller than the original, logged in users are not
affected and no additional configuration is needed.
l If the configured maximum number is greater than the original, configure the authentication
mode and password for additional users. The system uses password authentication to
authenticate users logging in through newly-added user interfaces.
For example, run the authentication-mode and set authentication password commands to
increase allowed login users to 18 from 5.
<HUAWEI> system-view
[~HUAWEI] user-interface maximum-vty 18
[~HUAWEI] user-interface vty 5 17
[~HUAWEI-ui-vty5-17] authentication-mode password
[~HUAWEI-ui-vty5-17] set authentication password cipher huawei
Step 3 Run:
commit
15

----End
2.3.2 Configuring the Limit on Incoming and Outgoing Calls for
VTY User Interfaces
An Access Control List (ACL) can be configured to limit incoming and outgoing calls for VTY
user interfaces.
Context
An ACL can be configured to either allow or deny Telnet connections based on source or
destination IP addresses:
l A basic ACL, with number ranging from 2000 to 2999, controls Telnet connections based
on source IP addresses.
l An advanced ACL, with number ranging from 3000 to 3999, controls Telnet connections
based on both source and destination IP addresses.
Before configuring the limit on incoming and outgoing calls for VTY user interfaces, run the
acl command in the system view to create an ACL and enter the ACL view. Then, run the
rule command to add rules to the ACL.
Procedure
Step 1 Run:
system-view
Step 2 Run:
user-interface vty first-ui-number [ last-ui-number ]
A VTY user interface view is displayed.
Step 3 Run:
acl acl-number | name acl-name { inbound | outbound }
The limit on incoming and outgoing calls is set for the VTY user interface.
l Choose inbound if users at a specified IP address or within a specified address range are
either allowed to log in to the device or prohibited from logging in to the device.
l Choose outbound if logged-in users are either allowed to log in to other devices or prohibited
from logging in to other devices.
Step 4 Run:
commit
----End
2.3.3 Configuring Terminal Attributes for VTY User Interfaces
Terminal attributes of VTY user interfaces include the timeout period of an idle connection,
number of rows displayed on a terminal screen, and buffer size for previously-used commands.
16

Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
shell
The VTY terminal service is enabled.
Step 4 Run:
idle-timeout minutes [ seconds ]
The timeout period of an idle connection is set.
If the connection is idle within the timeout period, the system automatically terminates the
connection when the timeout period expires.
By default, the timeout period is 10 minutes.
Step 5 Run:
screen-length screen-length
The number of rows displayed on a terminal screen is set.
By default, a terminal screen displays 24 rows.
Step 6 Run:
history-command max-size size-value
The buffer size is set for previously-used commands.
By default, a maximum of 10 previously-used commands can be cached in the buffer.
Step 7 Run:
commit
----End
2.3.4 Configuring the User Priority for a VTY User Interface
To improve security, user priorities can be set for user interfaces to manage users based on their
levels. This section describes how to set a user priority for a VTY user interface.
Context
User levels correspond to command levels. User can use commands of the corresponding level
or lower after log in to the system.
17

Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
user privilege level level
The user priority is set.
By default, users logging in from a VTY user interface can use commands at level 0.
NOTE
If the user priority configured for the user interface and the user priority configured for the user conflict,
the user level takes precedence.
For example, a user can use commands at level 3, and the user level configured in the user interface view
VTY0 for the user is 2. After the user logs in through VTY0, the user can use commands at level 3 or lower.
Step 4 Run:
commit
----End
2.3.5 Configuring Authentication for a VTY User Interface
The system provides three authentication modes: AAA, password authentication, and no-authentication.
Configuring authentication improves system security.
Procedure
l Configure AAA authentication.
1. Run:
system-view
2. Run:
3. Run:
authentication-mode aaa
Authentication mode is set to AAA.
4. Run:
commit
18

5. Run:
quit
Exit from the VTY user interface view.
6. Run:
aaa
7. Run:
8. Run:
commit
l Configure password authentication.
1. Run:
system-view
2. Run:
3. Run:
Authentication mode is set to password authentication.
4. Run:
set authentication password { cipher | simple } password
Local authentication password is set.
5. Run:
commit
l Configure no-authentication.
1. Run:
system-view
2. Run:
19

3. Run:
authentication-mode none
Authentication mode is set to no-authentication.
4. Run:
commit
----End
After configuring the VTY user interfaces, you can view user login information about the VTY
user interfaces, the maximum number of the VTY user interfaces, and the physical attributes
and configuration of the VTY user interfaces.
Prerequisite
The configuration of VTY user interfaces are complete.
Procedure
l Run the display user-interface maximum-vty command to check the configured
maximum number of VTY user interfaces.
l Run the display user-interface vty ui-number command to check physical attributes and
configuration of the user interface.
l Run the display vty mode command to check the VTY mode.
----End
Example
0 CON 0
+ 258 VTY 0 00:00:00 TEL 10.164.6.15 pass no
Run the display user-interface maximum-vty command to view the configured maximum
number of VTY user interfaces.
<HUAWEI> display user-interface maximum-vty
Maximum of VTY user:15
Run the display user-interface vty command to view the configured user interface information.
<HUAWEI> display user-interface vty
+ 34 VTY 0 - 15 15 N -
20

-----------------------------------------
-----------------------------------------------
root default 1
abcd default 2
-----------------------------------------------
Total users : 2
Wait authen-ack : 0
Run the display vty mode command to view the configured VTY mode. For example:
<HUAWEI> display vty mode
current VTY mode is Human-Machine interface
This section provides examples for configuring console and VTY user interfaces. These
examples explain networking requirements, configuration roadmap, and configuration notes.
2.4.1 Example for Configuring the Console User Interface
In this configuration example, the physical attributes, terminal attributes, user priority, user
authentication mode, and password are set for the console user interface. This allows users to
log in to a device through the console port in password authentication mode.
Networking Requirements
To initialize the configurations of a new device or locally maintain the device, the device must
be logged in to through the console user interface. Attributes are set for the console user interface
based on user and security requirements.
Configuration Notes
By default, terminal services are enabled on all user interfaces. If terminal services are disabled,
use Telnet to log in to the system through the console port and run the shell command to enable
terminal services.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure physical attributes for the console user interface.
2. Configure terminal attributes for the console user interface.
3. Set the user priority.
21

4. Set the user authentication mode and password.
NOTE
The user name and password do not have default values. Other parameters have default values, which are
recommended.
Data Preparation
To complete the configuration, you need the following data:
l Transmission rate of a connection: 4800 bit/s
l Flow control mode: none
l Parity bit: even
l Stop bits: 2
l Data bits: 6
l Timeout period of an idle connection: 30 minutes
l Number of lines displayed on a terminal screen: 30
l Buffer size for previously-used commands: 20
l User priority value: 15
l User authentication mode: password (password is huawei)
Procedure
Step 1 Configure physical attributes for the console user interface.
[~HUAWEI] user-interface console 0
[~HUAWEI-ui-console0] speed 4800
[~HUAWEI-ui-console0] flow-control none
[~HUAWEI-ui-console0] parity even
[~HUAWEI-ui-console0] stopbits 2
[~HUAWEI-ui-console0] databits 6
[~HUAWEI-ui-console0] commit
Step 2 Configure terminal attributes for the console user interface.
[~HUAWEI-ui-console0] shell
[~HUAWEI-ui-console0] idle-timeout 30
[~HUAWEI-ui-console0] screen-length 30
[~HUAWEI-ui-console0] history-command max-size 20
Step 3 Set a user priority for the console user interface.
[~HUAWEI-ui-console0] user privilege level 15
Step 4 Configure password authentication for the console user interface.
[~HUAWEI-ui-console0] authentication-mode password
[~HUAWEI-ui-console0] set authentication password simple huawei
[~HUAWEI-ui-console0] quit
After the console user interface has been configured, users can log in to the device through the
console port in password authentication mode. For information about how to log in to the system
through the console port, see 3.2 Logging In to the System Through the Console Port.
Step 5 Verify the configuration.
22

After completing the configurations, run the display_user-interface command to view the
configuration of Console 0.
<HUAWEI> display user-interface 0
+0 CON 0 9600 - 3 - N -
+ : Current user-interface is active.
F : Current user-interface is active and work in async mode.
Idx : Absolute index of user-interface.
Type : Type and relative index of user-interface.
Privi : The privilege of user-interface.
ActualPrivi : The actual privilege of user-interface.
Auth : The authentication mode of user-interface.
A : Authenticate use AAA.
N : Current user-interface need not authentication.
P : Authenticate use current UI's password.
----End
Configuration Files
#
sysname HUAWEI
#
user-interface con 0
user privilege level 15
set authentication password simple huawei
history-command max-size 20
idle-timeout 30 0
databits 6
parity even
stopbits 2
speed 4800
screen-length 30
#
admin
return
2.4.2 Example for Configuring VTY User Interfaces
In this configuration example, the maximum number of VTY user interfaces, limit on incoming
and outgoing calls, terminal attributes, authentication mode, and password are set. This allows
users to use Telnet or SSH (Stelnet) to log in to a device in password authentication mode.
Networking Requirements
If you need to log in to a device for local or remote configuration and maintenance by using
Telnet or SSH, configure VTY user interfaces, including the maximum number of VTY user
interfaces, limit on incoming and outgoing calls, terminal attributes, user priority, and user
authentication mode. Configure parameters based on the user and security requirements.
Configuration Roadmap
The configuration roadmap is as follows:
1. Set the maximum number of VTY user interfaces.
2. Configure the limit on incoming and outgoing calls for VTY user interfaces.
3. Configure terminal attributes for VTY user interfaces.
23

4. Set user priorities for VTY user interfaces.
5. Configure the authentication mode and password for the VTY user interface.
Data Preparation
To complete the configuration, you need the following data:
l Maximum number of VTY user interfaces: 18
l Number of the ACL applied to limit incoming calls on the VTY user interface: 2000
l Timeout period of an idle connection: 30 minutes
l Number of lines displayed on a terminal screen: 30
l Buffer size for previously-used commands: 20
l User priority: 15
l User authentication mode: password (password is huawei)
NOTE
The ACL number for limiting incoming and outgoing calls in VTY user interfaces, password, and user name
do not have default values. Other parameters have default values, which are recommended.
Procedure
Step 1 Set the maximum number of VTY user interfaces.
[~HUAWEI] user-interface maximum-vty 18
[~HUAWEI] commit
Step 2 Configure the limit on incoming and outgoing calls for VTY user interfaces.
[~HUAWEI] acl 2000
[~HUAWEI-acl-basic-2000] rule deny source 10.1.1.1 0
[~HUAWEI-acl-basic-2000] quit
[~HUAWEI] user-interface vty 0 17
[~HUAWEI-ui-vty0-17] acl 2000 inbound
[~HUAWEI-ui-vty0-17] commit
Step 3 Configure terminal attributes for VTY user interfaces.
[~HUAWEI-ui-vty0-17] shell
[~HUAWEI-ui-vty0-17] idle-timeout 30
[~HUAWEI-ui-vty0-17] screen-length 30
[~HUAWEI-ui-vty0-17] history-command max-size 20
Step 4 Set user priorities for VTY user interfaces.
[~HUAWEI-ui-vty0-17] user privilege level 15
Step 5 Configure the authentication mode and password for VTY user interfaces.
[~HUAWEI-ui-vty0-17] authentication-mode password
[~HUAWEI-ui-vty0-17] set authentication password simple huawei
[~HUAWEI-ui-vty0-17] quit
After a VTY user interface is configured, a user can use Telnet or SSH to log in to the device in
password authentication mode to maintain the device locally or remotely. For information about
how to use Telnet or SSH to log in to a device, see 3.3 Logging In to the System by Using
Telnet or 3.4 Logging In to the System by Using STelnet.
Step 6 Verify the configuration.
24

After completing the configurations, run the display user-interface command to view the
configurations of VTY user interfaces.
Use VTY14 as an example:
[~HUAWEI] display user-interface vty 14
+ 34 VTY 14 - 15 15 password -
----End
Configuration Files
#
sysname HUAWEI
#
user-interface maximum-vty 18
#
acl number 2000
rule 5 deny source 10.1.1.1 0
#
user-interface vty 0 17
user privilege level 15
set authentication password simple huawei
history-command max-size 20
idle-timeout 30 0
screen-length 30
acl 2000 inbound
#
admin
return
25

Configuration Guide - Basic Configurations 3 Configuring User Login
3 Configuring User Login
About This Chapter
A user can log in to a device by using the console port, Telnet, or SSH (STelnet) to maintain the
device locally or remotely.
3.1 User Login Overview
Users can log in to devices by using the console port, Telnet, or STelnet.
3.2 Logging In to the System Through the Console Port
To configure a device that is powered on for the first time or locally maintain the device, log in
to the device through the console port.
3.3 Logging In to the System by Using Telnet
Telnet allows users to log in to remote devices to manage and maintain the devices.
3.4 Logging In to the System by Using STelnet
STelnet based on SSH2 provides secure remote access over an insecure network.
This section provides configuration examples for logging in to the system through the console
port or by using Telnet or STelnet. These configuration examples explain networking
requirements, configuration roadmap, and precautions.
26

3.1 User Login Overview
Users can log in to devices by using the console port, Telnet, or STelnet.
Users can log in to devices to configure, monitor, and maintain the devices locally or remotely
only after user interfaces, user management, and terminal services have been configured.
User interfaces provide the login entrance. User management ensures login security. Terminal
services offer login protocols.
Users can log in by using any of the login modes listed in Table 3-1 to configure and manage
the router.
Table 3-1 User login modes
Login Mode Application
Logging In to the
System Through the
Console Port
Users log in through the console port to configure a device locally.
This login mode is required when a device is powered on for the
first time.
Logging In to the
System by Using
Telnet
Users log in by using Telnet to maintain a device locally or
remotely. Telnet helps users maintain remote devices but brings
security threats.
Logging In to the
System by Using
STelnet
STelnet provides protection for users logging in to a device to
maintain the device locally or remotely.
Console Port Overview
For information about the console port, see Overview of Logging In to the System for the
First Time.
Telnet Overview
Telnet is an application layer protocol in the TCP/IP protocol suite. Telnet provides remote login
and virtual terminal services. The NE5000E provides the following Telnet services:
l Telnet server: A user runs the Telnet client program on a PC to log in to the router to
configure and manage the router. The router functions as a Telnet server.
l Telnet client: After using the terminal emulator or Telnet client program on a PC to connect
to the router, a user runs the telnet command to log in to another device for configuration
and management. The router functions as a Telnet client. In Figure 3-1, the CE functions
as both a Telnet server and a Telnet client.
27

Figure 3-1 Telnet server providing the Telnet client service
Telnet session 1 Telnet session 2
PC CE PE
Telnet server
l Telnet service interruption
Figure 3-2 Usage of Telnet shortcut keys
Telnet session 1 Telnet session 2
P2 P3
Telnet server
P1
Telnet client
Two pairs of shortcut keys can be used to interrupt Telnet connections. As shown in Figure
3-2, P1 uses Telnet to log in to P2 and then to P3. P1 is the Telnet client of P2. P2 is the
Telnet client of P3. The usage of shortcut keys is described as follows:
– Ctrl_]: Instructs the server to disconnect a Telnet connection.
If the shortcut keys Ctrl_] are used when the network works properly, the Telnet server
interrupts the current Telnet connection.
For example, enter Ctrl_] on P3, and the P2 prompt is displayed.
<P3> Select Ctrl_] to return to the prompt of P2
The connection was closed by the remote host.
<P2> Select Ctrl_] to return to the prompt of P1
<P2> Ctrl_]
The connection was closed by the remote host.
<P1>
NOTE
If the network connection is disconnected, shortcut keys do not take effect.
– Ctrl_K: Instructs the client to disconnect the connection.
When the server fails and the client is unaware of the failure, the server does not respond
to the client for input. In this case, if you select Ctrl_K, the Telnet client interrupts the
connection and quits the Telnet connection.
For example, select Ctrl_K on P3 to quit the Telnet connection.
<P3> Select Ctrl_K to abort
<P1>
28

CAUTION
When the number of remote login users reaches the maximum number of VTY user
interfaces, the system prompts subsequent users with a message, indicating that all user
interfaces are in use and no more Telnet connections are allowed.
STelnet Overview
NOTE
Currently, a device running SSH1 or SSH2 can function as an SSH server. Only devices running SSH2
can function as SSH clients. STelnet is based on SSH2. When the client and the server set up a secure
connection after negotiation, the client can log in to the server in the same way as using Telnet.
Logins using Telnet add security risks because Telnet does not provide any secure authentication
mechanism and data is transmitted using TCP in plain text. Telnet connections are vulnerable
to Denial of Service (DoS) attacks, IP address spoofing, and route spoofing.
SSH provides secure remote access on an insecure network by supporting the following
functions:
l Remote Subscriber Access (RSA) authentication: Public and private keys are generated
according to the encryption principle of the asymmetric encryption system to implement
secure key exchange and ensure a secure session.
l Data encryption standards: Data Encryption Standard (DES), 3DES, and Advanced
Encryption Standard (AES).
l User name and password encryption: This prevents the user name and password from being
intercepted during the communication between the client and the server.
l Encryption of transmitted data
A device serving as an SSH server can accept connection requests from multiple SSH clients.
The device can also serve as an SSH client, helping users establish SSH connections with an
SSH server. This allows users to use SSH to log in to remote devices from the local device.
l Local connection
As shown in Figure 3-3, an SSH channel is established for a local connection.
Figure 3-3 Establishing an SSH channel on a local area network (LAN)
Server
PC
Ethernet 100BASE-TX
Server LapTop
PC running SSH Client
29

l Wide area network (WAN) connection
As shown in Figure 3-4, an SSH channel is established for a connection on a WAN.
Figure 3-4 Establishing an SSH channel on a WAN
PC running SSH Client
WAN
Local LAN
Router
Remote LAN
SSH Router
PC
3.2 Logging In to the System Through the Console Port
To configure a device that is powered on for the first time or locally maintain the device, log in
to the device through the console port.
A device can be logged in to only through the console port when the device is powered on for
the first time.
Before logging in to the system through the console port, complete the following tasks:
Figure 3-5 Logging in to the system through the console port
Configure the console user
interface
Log in to the system through
the console port
Mandatory procedure
Optional procedure
3.2.1 Configuring the Console User Interface
To allow users to log in to the system through the console port, configure attributes for the
console user interface.
30

Context
If you need to log in to a device through the console port for local maintenance, configure the
console user interface, including the physical attributes, terminal attributes, user priority, and
user authentication mode. Configure parameters based on the use and security requirements.
For configurations of the console user interface, see Configuring the Console User
Interface.
3.2.2 Logging In to the System Through the Console Port
Users can connect a terminal to the console port on a device, and then log in to the device.
Context
NOTE
l Communication parameters of the user terminal must be consistent with the physical attributes of the
console user interface on the device.
l After a user authentication mode is specified in the console user interface, a user can log in to the device
only after authentication succeeds. This enhances network security.
For information about logging in to the system through the console port, see Logging In to the
router Through the Console Port.
After logging in to the system through the console port, you can view information about the
console user interface, such as the usage, physical attributes and configurations, local user list,
and logged-in users.
Prerequisite
Configurations of user login through the console port are complete.
Procedure
l Run the display user-interface console 0 command to check physical attributes and
l Run the display access-user command to check information about logged-in users.
----End
Example
0 CON 0
+ 258 VTY 0 00:00:00 TEL 10.164.6.15 pass no
Run the display user-interface console 0 command to view physical attributes and
31

<HUAWEI> display user-interface console 0
0 CON 0 9600 - 3 - N -
1 CON 0 9600 - 3 - N -
Run the display local-user command to view the local user list.
<HUAWEI> display local-user
----------------------------------------------------------------------------
Username State Type Online
----------------------------------------------------------------------------
user123 Active All 0
ll Active F 0
user1 Active F 0
----------------------------------------------------------------------------
Total 3,3 printed
-----------------------------------------
-----------------------------------------------
root default 1
abcd default 2
-----------------------------------------------
Total users : 2
Wait authen-ack : 0
3.3 Logging In to the System by Using Telnet
Telnet allows users to log in to remote devices to manage and maintain the devices.
If one or more devices need to be configured and managed, you do not need to connect each of
the devices to a terminal to maintain the devices locally. If you have obtained the IP address of
a device and logged in to the device before, you can use Telnet to log in to the device to remotely
configure the device. This allows you to maintain multiple devices on one terminal, greatly
facilitating device management.
NOTE
The IP address of a device needs to be preset through the console port.
Before using Telnet to log in to the system, complete the following task:
l Configuring a route between a terminal and a device
32

Figure 3-6 Logging in to the system by using Telnet
Configure VTY user interfaces
Configure local Telnet users
Enable the Telnet server function
Configure the listening port
number of the Telnet server
Use Telnet to log in to the system
from terminals
Mandatory procedure
Optional procedure
3.3.1 Configuring VTY User Interfaces
If you need to use Telnet or SSH to log in to a device to locally or remotely maintain the device,
configure VTY user interfaces based on user and security requirements.
Context
The default user authentication mode for VTY user interfaces is password authentication. Before
using Telnet or SSH to log in to a device, configure a user authentication mode for VTY user
interfaces. Otherwise, you cannot log in to the device.
NOTE
Authentication mode can be configured for VTY user interfaces by logging in to a device through the
console port.
For configurations about VTY user interfaces, see Configuring VTY User Interfaces.
3.3.2 (Optional) Configuring Local Telnet Users
If the user authentication mode of VTY user interfaces is no-authentication or password
authentication, the following configuration is not required.
Context
By default, a local user can use any access type. After the user access mode has been specified,
only users using the specified access mode can log in to the system.
33

Procedure
Step 1 Run:
system-view
Step 2 Run:
aaa
Step 3 Run:
l If the password is in the form of simple, the password must be in the plain text.
l If the password is in the form of cipher, the password can be either in the encrypted text or
in the plain text. The result is determined by the input.
Step 4 Run:
local-user user-name service-type Telnet
The access mode of local users is set to Telnet.
Step 5 Run:
commit
----End
3.3.3 Enabling the Telnet Server Function
The Telnet server can be connected only after the Telnet server function has been enabled.
Choose either of the following steps based on the network protocol:
Procedure
l IPv4:
1. Run:
system-view
2. Run:
telnet server enable
The Telnet server function is enabled.
3. Run:
commit
l IPv6:
1. Run:
system-view
34

2. Run:
telnet ipv6 server enable
The Telnet server function is enabled.
3. Run:
commit
NOTE
l If the undo telnet [ ipv6 ] server enable command is run to disable the Telnet server function
when there are users logging in by using Telnet, the command does not take effect.
l After the Telnet server function is disabled, established Telnet connections are not interrupted,
and no new Telnet connection is allowed. In this situation, users can log in to the system by using
SSH or through the console port.
----End
3.3.4 (Optional) Configuring the Listening Port Number for the
Telnet Server
The listening port number of the Telnet server can be configured and changed to ensure network
security. After the listening port number is changed, only users who know the current listening
port number can log in to the router.
Context
By default, the listening port number of the Telnet server is 23. Users can log in to the router
without specifying the listening port number. Attackers may access the default listening port,
reducing available bandwidth, affecting performance of the server, and causing valid users
unable to access the server. After the listening port number of the Telnet server is changed,
attackers do not know the new listening port number. This effectively prevents attackers from
accessing the listening port.
Procedure
Step 1 Run:
system-view
Step 2 Run:
telnet [ ipv6 ] server port port-number
The listening port number is set for the Telnet server.
If a new listening port number is set, the Telnet server terminates all established Telnet
connections, and then uses the new port number to listen to new requests for Telnet connections.
Step 3 Run:
commit
----End
35

3.3.5 Logging In to the System by Using Telnet
After the device is configured, you can use Telnet to log in to the device from a terminal to
remotely maintain the device.
Context
If you need to log in to the system by using Telnet, use either the Windows Command Prompt
or third-party software on the terminal. Use the Windows Command Prompt as an example.
Do as follows on the PC:
Procedure
Step 1 Enter the Windows Command Prompt window.
Step 2 Run the telnet ip-address command to use Telnet to log in to the device.
1. Input the IP address of the Telnet server.
Figure 3-7 Schematic diagram 1 for login by using Telnet
2. Press Enter, and the command prompt of the user view is displayed, such as
<HUAWEI>. This indicates that you have accessed the Telnet server.
Figure 3-8 Schematic diagram 2 for login by using Telnet
----End
36

After logging in to the system by using Telnet, you can view information about the current user
interface, every user interface, and established TCP connections.
Prerequisite
The configurations of logging in to the system by using Telnet are complete.
Procedure
l Run the display users [ all ] command to check information about user interfaces.
l Run the display tcp status command to check established TCP connections.
l Run the display telnet server status command to check the configuration and status of the
Telnet server.
----End
Example
Run the display users command to view information about the current user interface.
<HUAWEI]> display users
34 VTY 0 00:00:12 TEL 1.1.1.1 no
+ 35 VTY 1 00:00:00 TEL 1.1.1.2 no
Run the display tcp status command to view TCP connections. Established in the command
output indicates that a TCP connection has been established.
<HUAWEI> display tcp status
TCPCB Tid/Soid Local Add:port Foreign Add:port VPNID State
39952df8 36 /1509 0.0.0.0:0 0.0.0.0:0 0 Closed
32af9074 59 /1 0.0.0.0:21 0.0.0.0:0 14849 LISTEN
34042c80 73 /17 10.1.1.1:23 10.2.2.2:1147 0 Established
Run the display telnet server status command to view the configuration and status of the Telnet
server.
<HUAWEI> display telnet server status
Session 1:
Source ip address : 10.137.217.221
VTY Index : 14
Current number of sessions : 1
3.4 Logging In to the System by Using STelnet
STelnet based on SSH2 provides secure remote access over an insecure network.
A large number of devices on a network need to be managed and maintained. It is impossible
to connect each device to a terminal, especially when there is no reachable route between a
device and the terminal. To manage and maintain remote devices, log in to other devices by
using Telnet from the device that you have logged in to. Login by using Telnet brings security
37

risk because Telnet does not provide any secure authentication mechanism and data is
transmitted by using TCP in plain text.
STelnet is a secure Telnet service based on SSH connections. SSH provides encryption and
authentication and protects devices against attacks such as IP address spoofing and plain text
password interception.
Before logging in to the system by using STelnet, complete the following task:
l Configuring a route between a terminal and a device
Figure 3-9 Logging in to the system by using STelnet
Configure VTY user interfaces
Configure VTY user interfaces to
support SSH
Configure an SSH user and
specify Stelnet as the service
type
Enable the Stelnet server
function
Configure Stelnet server
parameters
Use Stelnet to log in to the
system from a terminal
Mandatory procedure
Optional procedure
3.4.1 Configuring VTY User Interfaces
If you need to use Telnet or SSH to log in to a device to locally or remotely maintain the device,
configure VTY user interfaces based on user and security requirements.
Context
The default user authentication mode for VTY user interfaces is password authentication. Before
using Telnet or SSH to log in to a device, configure a user authentication mode for VTY user
interfaces. Otherwise, you cannot log in to the device.
38

Configuration guide basic configurations(v800 r002c01-01)

Configuration guide basic configurations(v800 r002c01-01)

Recommended

Recommended

More Related Content

What's hot

What's hot (13)

Viewers also liked

Viewers also liked (20)

Similar to Configuration guide basic configurations(v800 r002c01-01)

Similar to Configuration guide basic configurations(v800 r002c01-01) (20)

Recently uploaded

Recently uploaded (20)

Configuration guide basic configurations(v800 r002c01-01)