
CloudEngine S3700, S5700, and S6700 V600R022C10 Configuration Guide - Basic Configuration


CloudEngine S3700, S5700, and S6700 Series Switches
V600R022C10

Configuration Guide - Basic Configuration

Issue 02
Date 2023-11-15

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2023. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior
written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees
or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: https://e.huawei.com

Issue 02 (2023-11-15) Copyright © Huawei Technologies Co., Ltd. i


CloudEngine S3700, S5700, and S6700 Series
Switches
Configuration Guide - Basic Configuration Contents

Contents

1 About This Document.............................................................................................................1


2 First Login to a Device Configuration.................................................................................5
2.1 Overview of the First Login................................................................................................................................................. 5
2.2 First Login Through the Console Port.............................................................................................................................. 5
2.3 Performing Basic Configurations After the First Login.............................................................................................. 9
2.3.1 Configuring User Login Prompt Information............................................................................................................. 9
2.3.2 Setting the Time Zone, Date, and Time of the Device........................................................................................... 9
2.3.3 Setting the Device Name................................................................................................................................................ 10
2.3.4 Configuring the Management Address and Gateway of the Device............................................................... 10
2.3.5 Configuring STelnet for Device Login......................................................................................................................... 11
2.4 Verifying the Configuration............................................................................................................................................... 12
2.5 Example for Performing Basic Configurations After the First Login................................................................... 13

3 CLI Overview Configuration............................................................................................... 16


3.1 How to Use the CLI.............................................................................................................................................................. 16
3.1.1 Entering Command Views.............................................................................................................................................. 16
3.1.2 Intelligent Command Backtracking............................................................................................................................. 18
3.1.3 Setting Command Privilege Levels.............................................................................................................................. 18
3.1.4 Editing Command Lines.................................................................................................................................................. 20
3.1.5 Using Command Online Help....................................................................................................................................... 22
3.1.6 Interpreting Command Error Messages.....................................................................................................................23
3.1.7 Using an undo Command.............................................................................................................................................. 24
3.1.8 Displaying Historical Commands................................................................................................................................. 25
3.1.9 Using Command Line Shortcut Keys.......................................................................................................................... 26
3.1.10 Configuring an Alias for a Command...................................................................................................................... 29
3.1.11 Running User View Commands in the System View.......................................................................................... 30
3.1.12 Enabling Secondary Authentication......................................................................................................................... 30
3.2 Displaying the Command Output................................................................................................................................... 31
3.2.1 Displaying Command Configurations.........................................................................................................................31
3.2.2 Checking the Diagnostic Information.........................................................................................................................31
3.2.3 Controlling Command Display...................................................................................................................................... 31
3.2.4 Filtering Command Outputs.......................................................................................................................................... 32
3.2.4.1 Command Output Display.......................................................................................................................................... 32


3.2.4.2 Regular Expressions....................................................................................................................................................... 33

4 CLI-based Device Login Configuration............................................................................. 39


4.1 Overview of CLI-based Device Login............................................................................................................................. 39
4.2 Configuration Precautions for CLI-based Device Login........................................................................................... 42
4.3 Configuring the User Interface.........................................................................................................................................46
4.3.1 Understanding User Interfaces..................................................................................................................................... 46
4.3.2 Configuring the Console User Interface.................................................................................................................... 48
4.3.3 Configuring a VTY User Interface................................................................................................................................ 52
4.3.4 Verifying the Configuration........................................................................................................................................... 59
4.4 Configuring Local Login Through a Console Port......................................................................................................59
4.4.1 Configuring Device Login Through a Console Port............................................................................................... 59
4.4.2 Example for Configuring Login Through a Console Port.....................................................................................62
4.5 Configuring Remote Login Through Telnet................................................................................................................. 65
4.5.1 Configuring Telnet Login................................................................................................................................................ 65
4.5.2 Configuring a Device to Access Another Device as a Telnet Client................................................................. 71
4.5.3 Example for Configuring Telnet Login....................................................................................................................... 73
4.5.4 Example for Configuring a Device to Access Another Device as a Telnet Client........................................ 75
4.6 Configuring Remote Login Through STelnet............................................................................................................... 77
4.6.1 Configuring STelnet Login.............................................................................................................................................. 78
4.6.2 Configuring a Device to Access Another Device as an STelnet Client.............................................................79
4.6.3 Example for Configuring STelnet Login..................................................................................................................... 81
4.6.4 Example for Configuring a Device to Access Another Device as an STelnet Client .................................. 85
4.7 Maintaining the Device CLI............................................................................................................................................... 92
4.8 Troubleshooting CLI-based Device Login Failure....................................................................................................... 94
4.8.1 Failed to Log In to the Telnet Server Using Telnet................................................................................................ 94
4.8.2 Failed to Log In to the SSH Server Using STelnet.................................................................................................. 95

5 Web UI-based Login Configuration.................................................................................. 97


5.1 Overview of Web UI-based Login................................................................................................................................... 97
5.2 Configuration Precautions for Web UI-based Login................................................................................................. 97
5.3 Configuring Web UI-based Login..................................................................................................................................108
5.3.1 Configuring Web UI-based Login.............................................................................................................................. 108
5.3.2 Adjusting Web UI-based Login Parameters........................................................................................................... 111
5.3.3 Example for Configuring Web UI-based Login Through HTTPS (Default Certificate)............................112
5.3.4 Example for Configuring Web UI-based Login Through HTTPS (Specified Certificate).........................114
5.3.5 Example for Configuring Web UI Login Through HTTPS (Two-Factor Authentication).........................116
5.4 Maintaining Web UI-based Login................................................................................................................................. 119
5.5 Troubleshooting Web-based Device Login Failure.................................................................................................. 119
5.6 Web UI-based Login FAQs.............................................................................................................................................. 120
5.6.1 How Does the Device Process the Administrator's Consecutive Login Failures?...................................... 120

6 ZTP Configuration............................................................................................................... 121


6.1 Overview of ZTP................................................................................................................................................................. 121


6.2 Understanding ZTP............................................................................................................................................................ 121


6.2.1 ZTP Fundamentals.......................................................................................................................................................... 122
6.2.2 SZTP Fundamentals........................................................................................................................................................128
6.3 Configuration Precautions for ZTP............................................................................................................................... 133
6.4 Default ZTP Settings.......................................................................................................................................................... 164
6.5 Configuring DHCP-based ZTP (with a Controller).................................................................................................. 164
6.5.1 Understanding DHCP-based ZTP with a Controller............................................................................................ 164
6.5.2 Configuring a DHCP Server......................................................................................................................................... 172
6.5.3 Starting DHCP-based ZTP with a Controller..........................................................................................................180
6.5.4 Verifying DHCP-based ZTP with a Controller........................................................................................................ 181
6.6 Configuring DHCP-based ZTP (Without a Controller)...........................................................................................181
6.6.1 Understanding DHCP-based ZTP Without a Controller.....................................................................................181
6.6.2 Preparing Deployment Files........................................................................................................................................ 187
6.6.3 Intermediate File in the INI Format..........................................................................................................................191
6.6.4 Intermediate File in the Python Format..................................................................................................................203
6.6.5 Configuring a DHCP Server......................................................................................................................................... 265
6.6.6 (Optional) Configuring a Bootstrap Server............................................................................................................276
6.6.7 Configuring a File Server.............................................................................................................................................. 278
6.6.8 Starting DHCP-based ZTP Without a Controller.................................................................................................. 279
6.6.9 Verifying DHCP-based ZTP Without a Controller................................................................................................ 280
6.6.10 (Optional) Configuring the Device to Download a CA Certificate from the Bootstrap Server......... 280
6.6.11 Example for Configuring Intermediate File-based ZTP................................................................................... 281
6.6.12 Example for Configuring Option Parameter-based ZTP..................................................................................285
6.6.13 Example for Configuring Bootstrap Server-based SZTP.................................................................................. 289
6.7 Configuring USB-based Deployment........................................................................................................................... 292
6.7.1 Understanding USB-based Deployment................................................................................................................. 292
6.7.2 Preparing Deployment Files........................................................................................................................................ 295
6.7.3 Intermediate File for USB-based Deployment...................................................................................................... 296
6.7.4 (Optional) Configuring Deployment File Security Verification....................................................................... 309
6.7.5 Starting USB-based Deployment............................................................................................................................... 310
6.7.6 Verifying USB-based Deployment............................................................................................................................. 311
6.7.7 (Optional) Configuring the Device to Download a CA Certificate from the Bootstrap Server............311
6.7.8 Example for Configuring USB-based Deployment.............................................................................................. 313

7 File System Management Configuration.......................................................................316


7.1 Overview of the File System........................................................................................................................................... 316
7.2 Configuration Precautions for File System Management.................................................................................... 318
7.3 File System Management Modes Supported by the Device................................................................................ 337
7.4 Managing Files Locally..................................................................................................................................................... 339
7.4.1 Managing Files Locally.................................................................................................................................................. 339
7.4.2 Example for Managing Files Locally.........................................................................................................................342
7.5 Managing Files Using FTP............................................................................................................................................... 343
7.5.1 Configuring a Device as an FTP Server................................................................................................................... 343


7.5.2 Configuring a Device as an FTP Client.................................................................................................................... 353


7.5.3 Example for Configuring a Device as an FTP Server.......................................................................................... 360
7.5.4 Example for Configuring a Device as an FTP Client........................................................................................... 363
7.6 Managing Files Using SFTP............................................................................................................................................. 365
7.6.1 Configuring a Device as an SFTP Server................................................................................................................. 365
7.6.2 Configuring a Device as an SFTP Client.................................................................................................................. 370
7.6.3 Example for Configuring a Device as an SFTP Server........................................................................................ 377
7.6.4 Example for Configuring a Device as an SFTP Client......................................................................................... 379
7.7 Managing Files Using SCP............................................................................................................................................... 385
7.7.1 Configuring a Device as an SCP Server................................................................................................................... 385
7.7.2 Configuring a Device as an SCP Client.................................................................................................................... 388
7.7.3 Example for Configuring a Device as an SCP Client........................................................................................... 391
7.8 Managing Files Using TFTP.............................................................................................................................................393
7.8.1 Configuring a Device as a TFTP Client.................................................................................................................... 393
7.8.2 Example for Configuring a Device as a TFTP Client........................................................................................... 397
7.9 Troubleshooting File System Management Errors.................................................................................................. 398
7.9.1 Failed to Log In to the FTP Server.............................................................................................................................398
7.9.2 Failed to Transfer Files Between the FTP Server and Client.............................................................................400

8 Configuration File Management Configuration.......................................................... 402


8.1 Overview of Configuration File Management.......................................................................................................... 402
8.2 Configuration Precautions for Configuration File Management....................................................................... 402
8.3 Managing Configuration Files........................................................................................................................................426
8.3.1 Understanding Configuration Files........................................................................................................................... 426
8.3.2 Viewing a Configuration File.......................................................................................................................................428
8.3.3 Saving a Configuration File......................................................................................................................................... 429
8.3.4 Specifying the Configuration File for Next Startup............................................................................................. 431
8.3.5 Reusing the Configuration File of Another Device.............................................................................................. 432
8.3.6 Comparing Configuration Files.................................................................................................................................. 432
8.3.7 Backing Up the Configuration File by Copying Configurations on the Screen.......................................... 434
8.3.8 Backing Up the Configuration File to the Storage Medium............................................................................ 435
8.3.9 Backing Up the Configuration File to an FTP Server or Client........................................................................435
8.3.10 Backing Up the Configuration File to a TFTP Server........................................................................................437
8.3.11 Backing Up the Configuration File to an SFTP Server or Client................................................................... 437
8.3.12 Backing Up the Configuration File to an SCP Server or Client..................................................................... 439
8.3.13 Restoring the Configuration File from the Storage Medium........................................................................ 440
8.3.14 Copying the Configuration File from an FTP Server or Client to the Device........................................... 441
8.3.15 Copying the Configuration File from a TFTP Server to the Device............................................................. 442
8.3.16 Copying the Configuration File from an SFTP Server or Client to the Device.........................................443
8.3.17 Copying the Configuration File from an SCP Server or Client to the Device...........................................444
8.3.18 Compressing the Configuration File.......................................................................................................................446
8.3.19 Clearing the Configuration File................................................................................................................................446
8.3.20 Rolling Back Configurations...................................................................................................................................... 447


8.3.21 Example: Specifying the Configuration File to Be Loaded for Next Startup............................................449


1 About This Document

Intended Audience
This document is intended for network engineers responsible for switch
management and maintenance. You should be familiar with basic Ethernet
knowledge and have extensive network management experience. In addition, you
should understand your network well, including the network topology and
deployed network services.

Symbol Conventions
The symbols used in this document are defined as follows.

Symbol Description

(icon) Indicates a hazard with a high level of risk which, if not avoided, will result in death or serious injury.

(icon) Indicates a hazard with a medium level of risk which, if not avoided, could result in death or serious injury.

(icon) Indicates a hazard with a low level of risk which, if not avoided, could result in minor or moderate injury.

NOTICE Indicates a potentially hazardous situation which, if not avoided, could result in equipment damage, data loss, performance deterioration, or unanticipated results. NOTICE is used to address practices not related to personal injury.

NOTE Supplements the important information in the main text. NOTE is used to address information not related to personal injury, equipment damage, and environment deterioration.

Command Conventions
Convention Description

Boldface The keywords of a command line are in boldface.

Italic Command arguments are in italics.

[ ] Items (keywords or arguments) in square brackets are optional.

{ x | y | ... } Alternative items are grouped in braces and separated by vertical bars. One is selected.

[ x | y | ... ] Optional alternative items are grouped in square brackets and separated by vertical bars. One or none is selected.

{ x | y | ... } * Alternative items are grouped in braces and separated by vertical bars. A minimum of one or a maximum of all can be selected.

[ x | y | ... ] * Optional alternative items are grouped in square brackets and separated by vertical bars. Many or none can be selected.

&<1-n> The parameter before the & sign can be repeated 1 to n times.

# A line starting with the # sign is a comment.

Interface Numbering Conventions
Interface numbers used in this manual are examples. In device configuration, use
the existing interface numbers on devices.

Security Conventions
● Password setting
– Configuring a ciphertext password is recommended. For security
purposes, do not disable password complexity check, and change the
password periodically.

– When configuring a cleartext password, do not start and end the password
with %@%#, because the device would then treat the string as valid
ciphertext, attempt to decrypt it, and make the password visible in the
configuration file.
– Multiple features cannot use the same ciphertext password. For example,
the ciphertext password set for the AAA feature cannot be used for other
features.
● Cryptographic algorithms
Currently, the device supports the following algorithms: DES, 3DES, AES, DSA,
RSA, DH, ECDH, HMAC, SHA1, SHA2, and MD5. Select an algorithm according to
the application scenario and use the recommended one; otherwise, security
protection requirements may not be met. Of the algorithms listed, DES, 3DES,
MD5, and SHA1 are considered weak and should not be chosen where a stronger
option (for example, AES or SHA2) is available.
● Personal data
Some personal data (such as MAC or IP addresses of terminals) may be
obtained or used during operation or fault locating of your purchased
products, services, or features, so you have an obligation to make privacy
policies and take proper measures according to applicable laws of the country
to fully protect personal data.
● The terms mirrored port, port mirroring, flow mirroring, and mirroring in this
document are mentioned only to describe the purpose of detecting faults and
errors in communication transmission. They do not involve collection or
processing of any personal information or communication data of users.
● Reliability design declaration
Network planning and site design must comply with reliability design
principles and provide both device-level and solution-level protection.
Device-level protection includes planning principles such as dual networks
and inter-card dual links, so that no single device or link becomes a single
point of failure. Solution-level protection refers to fast convergence
mechanisms such as FRR and VRRP. If solution-level protection is used, ensure
that the primary and backup paths do not share links or transmission devices;
otherwise, solution-level protection may fail to take effect.

Reference Standards and Protocols


To obtain reference standards and protocols, log in to the Huawei official website,
search for "standard and protocol compliance list", and download the Huawei S-
Series Switch Standard and Protocol Compliance List.

Disclaimer
● This document is designed as a reference for you to configure your devices. Its
contents, including web pages, command line input and output, are based on
laboratory conditions. It provides instructions for general scenarios, but does
not cover all use cases of all product models. The examples given may differ
from your use case due to differences in software versions, models, and
configuration files. When configuring your device, alter the configuration
depending on your use case.
● The specifications provided in this document are tested in a lab environment
(for example, a certain type of card has been installed on the tested device
or only one protocol is run on the device). Results may differ from the listed
specifications when you attempt to obtain the maximum values due to factors
such as differences in hardware configurations and carried services.
● In this document, public IP addresses may be used in feature introduction and
configuration examples and are for reference only unless otherwise specified.

2 First Login to a Device Configuration

2.1 Overview of the First Login
2.2 First Login Through the Console Port
2.3 Performing Basic Configurations After the First Login
2.4 Verifying the Configuration
2.5 Example for Performing Basic Configurations After the First Login

2.1 Overview of the First Login


Definition
First login to a device refers to logging in to a new device locally for the first time
prior to configuring it.

Purpose
Before configuring services on a new device, you need to log in to the device
locally through the console port.

After logging in locally, you can configure basic system parameters, such as the
device name, management IP address, and system time. You can also configure
STelnet to enable remote login.

2.2 First Login Through the Console Port


Prerequisites
Before logging in to a device locally for the first time through the console port,
you have completed the following tasks:

● Power on the device properly.
● Prepare a console cable.
● Prepare the terminal emulation software.
For details about how to use specific terminal emulation software, see the
related software user guide or online help. This section uses the third-party
software PuTTY as an example.

Default Settings

Table 2-1 Default settings for the console port

Parameter            Default Setting
Transmission rate    9600 bit/s
Flow control mode    No flow control
Parity bit           No parity bit configured, indicating no parity check
Stop bit             1
Data bit             8

Procedure
Step 1 Connect the DB9 connector of the prepared console cable to the PC's serial port
(COM), and the RJ45 connector to the device's console port. If there is no DB9
serial port on your terminal (PC), use a DB9-to-USB cable to connect the USB port
to the terminal.
Step 2 Start PuTTY on the PC (PuTTY is an example terminal emulator). Create a
connection, select the connection port, and set communication parameters.
1. Click Session to create a connection, as shown in Figure 2-1.

Figure 2-1 Creating a connection

2. Click Serial and set the port to be connected and the communication
parameters, as shown in Figure 2-2.
a. Select the port according to your requirements. For example, in a
Windows operating system, you can open Device Manager to view port
information and select the port to be connected.
b. Ensure that the communication parameters you set in the terminal
emulation software are consistent with the default parameter settings of
the device's console port.
c. Click Open.

NOTE

A PC may have multiple ports that can be connected to the device. In this step, the
port to be connected to a console cable must be selected. In most cases, COM1 is
used.
If the device's communication parameters are modified, those on the PC must be
modified accordingly and the connection must be re-established.

Figure 2-2 Setting the connection port and communication parameters

Step 3 Press Enter until information similar to the following is displayed. Enter a
password and confirm the password as prompted. (The following information is
for reference only.)
User interface con0 is available

Please Press ENTER.

Please configure the login password (8-16)
Enter Password:
Confirm Password: //Enter the password for logging in to the device through the console port.
Info: Save the password now. Please wait for a moment.
Info: The max number of VTY users is 21, the number of current VTY users online is 1, and total number of
terminal users online is 2.
The current login time is 2020-06-30 18:15:10+08:00
<HUAWEI>

NOTE

● You must set a login password upon first login to the device through the console port.
After the login is successful, the console port has the default administrator rights.
● The password is a string of 8 to 16 case-sensitive characters. It must contain at least
two of the following character types: uppercase letters, lowercase letters, digits, and
special characters. Special characters do not include question marks (?) or spaces.
● In interactive mode, the entered password is not displayed on the terminal screen.
● For security purposes, change the password periodically.

After completing the preceding steps, you can run commands to configure the
device. Enter a question mark (?) whenever you need help.
----End

2.3 Performing Basic Configurations After the First Login

2.3.1 Configuring User Login Prompt Information


Context
To provide some prompts or alarms to users, you can configure such information
as titles on the device. When a user logs in to the device, the configured titles will
be displayed.
When a terminal connection is activated and a user attempts to log in, the
terminal displays the title configured using the header login command. If the user
successfully logs in, the terminal displays the title configured using the header
shell command.

Procedure
Step 1 Enter the system view.
system-view

Step 2 Set the prompt upon a login attempt.
header login { information text | file file-name }

Step 3 Set the prompt upon successful login.
header shell { information text | file file-name }

----End

2.3.2 Setting the Time Zone, Date, and Time of the Device
Context
The system time on a device is randomly set upon device delivery. When the
device is connected to a network, you must set the system time to the actual local
time to ensure that the time in logs and alarms generated by the device is correct.

Procedure
Step 1 Configure the time zone where the device is located.
clock timezone time-zone-name { add | minus } offset

By default, a device uses the Universal Time Coordinated (UTC) time zone. The
default time zone name is DefaultZoneName.
add: adds the specified time zone offset to the UTC time. The sum of the default
UTC time zone and offset equals the time zone specified by time-zone-name.
minus: subtracts the specified time zone offset from the UTC. The remainder
obtained by subtracting offset from the default UTC time zone equals the time
zone specified by time-zone-name.

The time format of a local log is Original system time±offset specified in the time
zone configuration command, for example, Apr 27 2020 22:36:09+08:00.
Step 2 Set the current date and time.
clock datetime [ utc ] time date

No default value is available. The value of time must be in the format HH:MM:SS,
which indicates the current hour, minute, and second on the device. The value of
date must be in the format of YYYY-MM-DD, which indicates the current year,
month, and day on the device.

----End

2.3.3 Setting the Device Name


Context
To differentiate devices on the network, you can set a unique device name for
each device.

Procedure
Step 1 Enter the system view.
system-view

Step 2 Set the device name.
sysname host-name

By default, the device name is HUAWEI.
You can run the undo sysname command to restore the default host name.

----End

2.3.4 Configuring the Management Address and Gateway of the Device
Context
Each device on a network must have a globally unique management address,
enabling O&M personnel to easily locate and log in to the device.

Procedure
● Configure the management IP address on the management interface.
a. Enter the system view.
system-view

b. Enter the management interface view.
interface meth0/0/0

c. Configure the IP address and mask on the management interface.
ip address ip-address { mask | mask-length }

d. Return to the system view.
quit

e. Configure a route on the device.
ip route-static ip-address { mask | mask-length } nexthop-address

● Configure the management IP address on a common network interface.
a. Enter the system view.
system-view

b. Create a VLAN for the management network.
vlan vlan-id

c. Return to the system view.
quit

d. Enter the VLANIF interface view.
interface vlanif vlan-id

e. Configure the IP address and mask on the VLANIF interface.
ip address ip-address { mask | mask-length }

f. Return to the system view.
quit

g. Enter the view of the common service interface used for management.
interface interface-type interface-number

h. Switch the interface working mode to Layer 2.
portswitch

This step is supported only on the S6730-H-V2 and S5732-H-V2.
Determine whether to perform this step based on the current interface
working mode.
i. Set the link type of the interface to access.
port link-type access

j. Configure a VLAN as the default VLAN of the interface and add the
interface to the VLAN.
port default vlan vlan-id

k. Return to the system view.
quit

l. Configure a route on the device.
ip route-static ip-address { mask | mask-length } nexthop-address

----End

2.3.5 Configuring STelnet for Device Login

Context
In order to remotely log in to the device from the terminal through STelnet when
the IP address of a terminal and the management IP address of a device are Layer
3 reachable, an administrator must first create a login user on the device and
configure STelnet.

NOTE

By default, a new user needs to change the password at first login to the device. If the
administrator resets the password, the user also needs to change the password at the first
login to the device after password reset.

This section describes how to configure STelnet-based login in the password
authentication mode.

Procedure
Step 1 Set the VTY user authentication mode to AAA and configure the VTY user
interface to support SSH.
system-view
user-interface vty first-ui-number [ last-ui-number ]
authentication-mode aaa //Set the VTY user authentication mode to AAA.
protocol inbound ssh //Configure the VTY user interface to support SSH.
quit

Step 2 Configure a local AAA user and its password.
aaa
local-user user-name password irreversible-cipher irreversible-cipher-password //Create a local user
whose name is the same as the SSH user name and configure the local user's password.
local-user user-name service-type ssh //Set the service type of the local user to SSH.
local-user user-name privilege level level //Set the privilege level of the local user.
quit

Step 3 Create an SSH user and configure the authentication mode and service type.
ssh user user-name //Create an SSH user.
ssh user user-name authentication-type password //Set the authentication mode of the SSH user to
password.
ssh user user-name service-type stelnet //Set the service type of the SSH user to STelnet.
stelnet server enable //Enable the STelnet server function for the device.
ssh server-source -i interface-type interface-number //Configure the source interface for the SSH server. If
IPv6 addresses are used for login, run the ssh ipv6 server-source -a ipv6-address command to configure
the source IP address for the SSH server.

NOTE

Ensure that the SSH user name is the same as the local user name.
The created user must change the password upon first login.

----End

2.4 Verifying the Configuration


Procedure
● Run the display clock command to check the current date and time of the
system.
● Run the display sysname command to check the current host name.
● Run the display current-configuration command to check the current
configuration of the device.
● Run the display language character-set [ test ] command to check the
character set encoding supported by the current system and terminal software
for device login.
----End

2.5 Example for Performing Basic Configurations After the First Login
Networking Requirements
You must perform basic configurations after logging in to the device through the
console port for the first time. You must also set the privilege level to 3 and the
authentication mode to AAA authentication for users 0 to 4 who log in remotely
through STelnet. This example assumes that there are reachable routes between
PC2 and the device.

Figure 2-3 Performing basic configurations after the first login through the
console port
NOTE

In this example, Interface1 represents the management interface MEth0/0/0.

Configuration Roadmap
1. Log in to the device through the console port.
2. Perform basic configurations on the device.

Procedure
Step 1 Log in to the device through the console port from PC1. For details, see First
Login Through the Console Port.
Step 2 Perform basic configurations on the device.
# Set the date, time, and time zone.
<HUAWEI> clock timezone BJ add 08:00:00
<HUAWEI> clock datetime 20:20:00 2018-08-08

NOTE

Before configuring the current time and date, run the clock timezone command to
configure the time zone. If no time zone is configured, running the clock datetime
command will configure the Coordinated Universal Time (UTC).

# Set the device name and IP address of the management interface.


<HUAWEI> system-view
[HUAWEI] sysname Device
[Device] interface meth 0/0/0
[Device-MEth0/0/0] ip address 10.137.217.203 24
[Device-MEth0/0/0] quit

# Configure a default route for the device with a gateway address of 10.137.217.1.
[Device] ip route-static 0.0.0.0 0 10.137.217.1

# Configure the encryption algorithm, HMAC authentication algorithm, key exchange
algorithm, and public key algorithm lists for the SSH server.
[Device] ssh server cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
[Device] ssh server hmac sha2_256 sha2_512
[Device] ssh server key-exchange dh_group_exchange_sha256
[Device] ssh server publickey rsa_sha2_256 rsa_sha2_512
[Device] ssh server dh-exchange min-len 3072

# Set parameters for the SSH user and the local user for SSH login.
[Device] user-interface vty 0 4
[Device-ui-vty0-4] authentication-mode aaa
[Device-ui-vty0-4] protocol inbound ssh
[Device-ui-vty0-4] quit
[Device] aaa
[Device-aaa] local-user admin123 password
Please configure the login password (8-128)
It is recommended that the password consist of at least 2 types of characters, including lowercase letters,
uppercase letters, numerals and special characters.
Please enter password:
Please confirm password:
Info: Add a new user.
[Device-aaa] local-user admin123 service-type ssh
[Device-aaa] local-user admin123 privilege level 3
[Device-aaa] quit
[Device] ssh user admin123
[Device] ssh user admin123 authentication-type password
[Device] ssh user admin123 service-type stelnet
[Device] ssh server-source all-interface
[Device] stelnet server enable

----End

Verifying the Configuration


Log in to the device using STelnet from PC2. The third-party software OpenSSH
and Windows CLI are used in the following example.
● For details about how to install OpenSSH, see the OpenSSH installation guide.
● To use OpenSSH to connect to the device using STelnet, run the OpenSSH
commands. For details about OpenSSH commands, see the OpenSSH help.
● The Windows CLI can identify OpenSSH commands only when OpenSSH is
installed on the terminal.
Access the Windows CLI and run the OpenSSH commands to connect to the
device. (The following information is for reference only.)
C:\Users\User1>ssh admin123@10.137.217.203
admin123@10.137.217.203's password:

Info: The max number of VTY users is 21, the number of current VTY users online is 5, and total number of
terminal users online is 5.
The current login time is 2020-12-15 14:23:00.
<Device>

Configuration Scripts
Device
#
sysname Device
#
stelnet server enable
#
clock timezone BJ add 08:00:00

#
aaa
local-user admin123 password irreversible-cipher $1d$+,JS+))\\2$KVNj(.3`_5x0FCKGv}H&.kUTI`Ff&H*eBqO.ua>)$
local-user admin123 service-type ssh
local-user admin123 privilege level 3
#
interface MEth0/0/0
ip address 10.137.217.203 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.137.217.1
#
stelnet server enable
ssh user admin123
ssh user admin123 authentication-type password
ssh user admin123 service-type stelnet
ssh server-source all-interface
#
ssh server cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
ssh server hmac sha2_256 sha2_512
ssh server key-exchange dh_group_exchange_sha256
ssh server publickey rsa_sha2_256 rsa_sha2_512
ssh server dh-exchange min-len 3072
#
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
protocol inbound ssh
#
return
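A script-level check of the settings this example produces, written here as an added example (it is not Huawei code): audit() parses a constructed copy of the commands above, with the password hash replaced by a placeholder, and a constructed weak variant, and reports whatever deviates from this chapter's guidance (AAA on the VTYs, SSH-only inbound, the section 2.5 algorithm lists and DH minimum, irreversible-cipher passwords, and matching SSH and local user names). The keyword 3des_cbc in the weak variant is a constructed value, not taken from this document.

```python
# Audit a CloudEngine configuration script against the STelnet/VTY guidance in this
# chapter. Added example, not Huawei code: it parses only the command forms shown
# in sections 2.3.5 and 2.5 and reports what deviates from them.

PAGE_ALGOS = {                       # algorithm lists as configured in section 2.5
    "cipher": {"aes128_ctr", "aes192_ctr", "aes256_ctr", "aes128_gcm", "aes256_gcm"},
    "hmac": {"sha2_256", "sha2_512"},
    "key-exchange": {"dh_group_exchange_sha256"},
    "publickey": {"rsa_sha2_256", "rsa_sha2_512"},
}
MIN_DH_LEN = 3072                    # ssh server dh-exchange min-len used in section 2.5

# Constructed copy of the section 2.5 script (hash replaced by a placeholder).
GOOD_CONFIG = """\
stelnet server enable
aaa
 local-user admin123 password irreversible-cipher $PLACEHOLDER_HASH$
 local-user admin123 service-type ssh
#
ssh user admin123
ssh server cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
ssh server hmac sha2_256 sha2_512
ssh server key-exchange dh_group_exchange_sha256
ssh server publickey rsa_sha2_256 rsa_sha2_512
ssh server dh-exchange min-len 3072
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
"""
# Constructed weak variant: %@%# cleartext password, user name mismatch, an
# algorithm outside the chapter's list (3des_cbc is made up), short DH minimum,
# and VTYs that are not restricted to AAA-authenticated SSH.
WEAK_CONFIG = """\
aaa
 local-user ops password cipher %@%#secret%@%#
 local-user ops service-type ssh
ssh server cipher aes128_ctr 3des_cbc
ssh server dh-exchange min-len 1024
#
user-interface vty 0 4
 authentication-mode password
 protocol inbound all
#
"""


def audit(config_text):
    """Return a list of findings; an empty list means the script follows the chapter."""
    findings, vty_blocks, local_users, ssh_users = [], [], {}, set()
    stelnet_enabled, vty = False, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "#":          # '#' ends the current configuration block
            vty = None
            continue
        words = line.split()
        if line.startswith("user-interface vty"):
            vty = {"header": line, "aaa": False, "ssh_only": False}
            vty_blocks.append(vty)
        elif vty is not None:                # settings inside a VTY user interface
            if line == "authentication-mode aaa":
                vty["aaa"] = True
            elif words[:2] == ["protocol", "inbound"]:
                vty["ssh_only"] = words[2:] == ["ssh"]
        elif line == "stelnet server enable":
            stelnet_enabled = True
        elif words[:2] == ["ssh", "user"] and len(words) > 2:
            ssh_users.add(words[2])
        elif words[0] == "local-user" and len(words) > 2:
            user = local_users.setdefault(words[1], {})
            if words[2] == "password":       # bare 'password' means it was set at the prompt
                user["form"] = words[3] if len(words) > 3 else "interactive"
                user["value"] = words[4] if len(words) > 4 else ""
            elif words[2:4] == ["service-type", "ssh"]:
                user["ssh"] = True
        elif words[:2] == ["ssh", "server"] and len(words) > 3:
            if words[2] in PAGE_ALGOS:
                extra = sorted(set(words[3:]) - PAGE_ALGOS[words[2]])
                if extra:
                    findings.append(f"ssh server {words[2]}: {extra} not in the chapter's list")
            elif words[2:4] == ["dh-exchange", "min-len"] and len(words) > 4 and int(words[4]) < MIN_DH_LEN:
                findings.append(f"dh-exchange min-len {words[4]} is below {MIN_DH_LEN}")
    if not stelnet_enabled:
        findings.append("stelnet server enable is missing")
    for block in vty_blocks:
        if not block["aaa"]:
            findings.append(f"{block['header']}: authentication-mode is not aaa")
        if not block["ssh_only"]:
            findings.append(f"{block['header']}: protocol inbound is not restricted to ssh")
    for name, user in local_users.items():
        form, value = user.get("form"), user.get("value", "")
        if form not in ("irreversible-cipher", "interactive"):
            findings.append(f"local-user {name}: password is not stored as irreversible-cipher")
        # Security Conventions: a cleartext password must not start and end with %@%#
        if form != "irreversible-cipher" and value.startswith("%@%#") and value.endswith("%@%#"):
            findings.append(f"local-user {name}: cleartext password starts and ends with %@%#")
        if user.get("ssh") and name not in ssh_users:   # NOTE in 2.3.5: names must match
            findings.append(f"local-user {name}: service-type ssh but no 'ssh user {name}'")
    return findings
```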

3 CLI Overview Configuration

3.1 How to Use the CLI


3.2 Displaying the Command Output

3.1 How to Use the CLI

3.1.1 Entering Command Views


Devices provide rich functions and a variety of configuration and query commands
for device configuration, management, and maintenance. To simplify the use of
such commands on the Huawei devices, these commands are registered in
different command views based on their functions. To configure a function, you
need to enter the required command view and run the required commands.

A device provides various command views. The following describes the most
commonly used command views. For instructions on how to enter command views
not listed below, see the Command Reference.

Common Command Views


● User view
The user view allows you to check statistics and view the operating status of
the device.
You automatically enter the user view after logging in to the device, and the
following prompt is displayed:
<HUAWEI>

● System view
The system view allows you to set the device's system parameters and enter
other function views.
To enter the system view, run the system-view command and press Enter
while in the user view.
<HUAWEI> system-view
Enter system view, return user view with return command.
[HUAWEI]

● Interface view
You can configure interface parameters in the interface view. Interface
parameters include physical attributes, link layer protocols, and IP addresses.
To enter the interface view, run the interface command and specify an
interface type and number. A 10GE interface is used here as an example.
[HUAWEI] interface 10ge X/Y/Z
[HUAWEI-10GEX/Y/Z]

X/Y/Z indicates the interface number that needs to be specified, and is
displayed in the following format: slot number/subcard number/interface
sequence number.
● Routing protocol view
Routing protocol views enable you to configure most routing protocol
parameters. The routing protocol views include the IS-IS view, the OSPF view,
and the RIP view.
To enter a routing protocol view, run a specific command to activate a routing
protocol process in the system view.
[HUAWEI] isis
[HUAWEI-isis-1]

The command line prompt HUAWEI is the default host name (sysname), and the
prompt indicates the current view. For example, <> indicates the user view and []
indicates all other views.
To add comments, enter ! or # followed by a character string in any view. All the
entered content (including ! and #) is displayed as comments and no
corresponding configuration will be generated.

NOTE

● Some commands can be executed in multiple views, but their functions depend on the
view in which they are executed.
● In the system view, you can run the diagnose command to enter the diagnostic view.
Diagnostic commands (level-3 management commands) are used for device fault
diagnosis, and running certain commands in this view may cause the device to stop
working properly or interrupt services. To use these diagnostic commands, contact
technical support.

Exiting Command Views


To return from the current view to an upper-level view, run the quit command.
For example, run the quit command to return from the AAA view to the system
view, and then run the quit command again to return from the system view to the
user view.
[HUAWEI-aaa] quit
[HUAWEI] quit
<HUAWEI>

To return from the AAA view directly to the user view, press Ctrl+Z or run the
return command.
# Press Ctrl+Z to return directly to the user view.
[HUAWEI-aaa] //Enter Ctrl+Z.
<HUAWEI>

# Run the return command to return directly to the user view.

[HUAWEI-aaa] return
<HUAWEI>

3.1.2 Intelligent Command Backtracking


Each command can be run in some specific views. For example, the vlan
command can be run in the system view. During service deployment, you may
need to run commands in different views, which complicates operations and
reduces service deployment efficiency.

Commands that can be run in the system view support the intelligent
backtracking function. If a command cannot be run in the current view (a non-
system and non-user view), the system automatically returns to the system view.
If the command can be run in the system view, the corresponding configuration is
directly delivered, enhancing ease of use of the command.

For example, the interface command can be run in the system view. If you are
performing operations in the VLAN view, you can run the interface command in
the VLAN view to enter the interface view.
<HUAWEI> system-view
[HUAWEI] vlan 2
[HUAWEI-vlan2] interface 10ge 1/0/1
[HUAWEI-10GE1/0/1]

To disable intelligent command backtracking, run the undo terminal command
forward matched upper-view command in the user view. By default, intelligent
command backtracking is enabled.

NOTE

● In some cases, the system automatically disables intelligent command backtracking to
prevent service deployment from being affected. For example, a command can be run in
the system view and the interface view, but generate different configurations in the two
views. If a service that conflicts with the command is configured in the interface view,
this command cannot be run in the interface or system view.
● Intelligent command backtracking requires a complete command line to be entered, and
the command word cannot be automatically displayed through the question mark help
function.

3.1.3 Setting Command Privilege Levels

Context
The system manages commands based on command privilege levels. Each
command to be run in a command view has its privilege level. The device
administrator can change the command privilege level as required, enabling
lower-level users to run some high-level commands. The device administrator can
also increase the command privilege level to improve device security.

● A device manages users by level, and maintains the relationship between user
privilege levels and command privilege levels in order to limit user access
permissions. After a user logs in to a device, the user can only use commands
at the user's privilege level and below. By default, the values of both
command privilege levels and user privilege levels range from 0 to 3. Table
3-1 describes the relationship between user privilege levels and command
privilege levels.

Table 3-1 Relationship between command privilege levels and user privilege
levels

User privilege level 0
  Command privilege levels: visit level (0)
  Description: Commands at this privilege level include network diagnosis tool
  commands (such as ping and tracert), commands for accessing external devices
  from the local device (such as Telnet), and some display commands.

User privilege level 1
  Command privilege levels: visit level (0) and monitoring level (1)
  Description: Commands at this level are used for system maintenance, including
  display commands.
  NOTE: Not all display commands are at this level. For example, the display
  current-configuration and display saved-configuration commands are at level 3.
  For details about command privilege levels, see the Command Reference.

User privilege level 2
  Command privilege levels: visit level (0), monitoring level (1), and
  configuration level (2)
  Description: Commands at this privilege level are used for service
  configurations to provide network services, including routing, Layer 2, and
  Layer 3 commands.

User privilege level 3
  Command privilege levels: visit level (0), monitoring level (1), configuration
  level (2), and management level (3)
  Description: Commands at this privilege level are used for basic system
  operations, including file system, FTP, TFTP download, command privilege level
  configuration, and debugging.

NOTICE

To prevent security risks to devices, you are not advised to change the default
command privilege level.

Procedure
Step 1 Enter the system view.
system-view

Step 2 Set the command privilege level in the specified view.


command-privilege level level view view-name command-key

----End

3.1.4 Editing Command Lines

Function Overview
You can edit command lines in a CLI. Each command can contain a maximum of
3100 characters. The keywords in the commands are case insensitive, and whether
a command parameter is case sensitive depends on the parameter.

Table 3-2 lists keys that are frequently used for editing command lines.

Table 3-2 Keys for editing command lines

Common key: Inserts a character at the current location of the cursor and moves
  the cursor forward if the editing buffer is not full. Otherwise, an alarm is
  generated.
Backspace: Deletes the character before the cursor and moves the cursor back one
  character. When the cursor reaches the beginning of the command, an alarm is
  generated.
Left cursor key ← or Ctrl+B: Moves the cursor back one character. When the cursor
  reaches the beginning of the command, an alarm is generated.
Right cursor key → or Ctrl+F: Moves the cursor forward one character. When the
  cursor reaches the end of the command, an alarm is generated.

How to Edit Command Lines


Incomplete Keyword

You are not required to enter complete keywords on the device, as long as entered
characters can match a unique keyword. This function improves operating
efficiency.

If the current input keyword matches multiple commands, you need to type more
of the keyword until it can match a unique command. Then the command can be
successfully delivered.

For example, to execute the display current-configuration command, you can
enter d cu, di cu, or dis cu, but you cannot enter d c or dis c because they do not
match unique keywords.

NOTICE

The maximum length of a command (including an incomplete command) is 3100
characters. If an incomplete command is configured, the system saves this
command to the configuration file in its complete format, which may cause the
command to have more than 3100 characters. In this case, the incomplete
commands cannot be restored after the system restarts. As such, you must pay
attention to the length of a command when configuring it in incomplete format.

Tab

Enter an incomplete keyword and press Tab to complete it.


● When the input matches a unique keyword, the system replaces it with the
unique keyword and displays it in a new line with the cursor leaving a space
behind. For example:

a. Enter an incomplete keyword.
[HUAWEI] info-
b. Press Tab.
The system replaces the entered keyword with the complete keyword in a
new line with the cursor leaving a space behind.
[HUAWEI] info-center
● When the input has multiple matches, press Tab repeatedly to cycle through
the keywords beginning with the entered prefix until the desired keyword is
displayed. In this case, the cursor immediately follows the end of the
keyword, with no trailing space. For example:
a. Enter an incomplete keyword.
[HUAWEI] info-center log
b. Press Tab.
The system displays the first keyword that begins with the entered prefix
log.
[HUAWEI] info-center log-severity
Press Tab again to switch to the next matched keyword. Each time, the
cursor immediately follows the end of the keyword.
[HUAWEI] info-center logbuffer
[HUAWEI] info-center logfile
[HUAWEI] info-center loghost
Stop pressing Tab when the desired keyword is displayed.
● When the entered keyword matches no command, press Tab and the keyword is
displayed on a new line unchanged. For example:
a. Enter an incorrect keyword.
[HUAWEI] info-center loglog
b. Press Tab.
[HUAWEI] info-center loglog
The system displays the line again, but the keyword loglog remains
unchanged and there is no space between the cursor and the keyword,
indicating that this keyword does not exist.

3.1.5 Using Command Online Help


You can use command online help to obtain real-time assistance, avoiding the
need to memorize a large number of complex commands.
When entering commands, you can enter a question mark (?) at any time to
obtain online help. You can choose to obtain either full or partial help.

Full Help
When entering a command, you can use the full help function to obtain all the
keywords and parameters of the command. Use any of the following methods to
obtain full help for commands.
● Enter a question mark (?) in any command view to obtain all the commands
and their simple descriptions in this command view. For example:
<HUAWEI> ?
Current view commands:
activate Activate locked user
cd Change current directory

clear Clear operation
clock Clock status and configuration information
copy Copy from one file to another
...
● Enter some keywords of a command and a question mark (?) separated by a
space to display all the keywords associated with this command, as well as
simple descriptions. For example:
<HUAWEI> system-view
[HUAWEI] user-interface vty 0 4
[HUAWEI-ui-vty0-4] authentication-mode ?
aaa AAA authentication
password Authentication through the password of a user terminal interface
In the preceding command output, the description of the aaa keyword is AAA
authentication, and the description of the password keyword is Authentication
through the password of a user terminal interface.
● Enter some keywords of a command and a question mark (?) separated by a
space to display all the parameters associated with this keyword, as well as
simple descriptions. For example:
<HUAWEI> system-view
[HUAWEI] ssh server timeout ?
INTEGER<1-35791> Set the authentication timeout, the default value is 60 seconds
[HUAWEI] ssh server timeout 35 ?
<cr>
[HUAWEI] ssh server timeout 35
INTEGER<1-35791> gives the value range of the parameter, and Set the
authentication timeout, the default value is 60 seconds briefly describes
its function. <cr> indicates that no further keyword or parameter is
expected at this position, so you can press Enter to run the command.

Partial Help
If you enter one or more of the first few characters of a command keyword,
partial help provides all the keywords that begin with this character or character
string. Use any of the following methods to obtain partial help for commands.
● Enter a character string followed directly by a question mark (?) to display all
keywords that begin with this character string. For example:
<HUAWEI> d?
debugging delete
dir display
<HUAWEI> d
● Enter a command and a string followed directly by a question mark (?) to
display all the keywords that begin with this character string. For example:
<HUAWEI> display s?
sysname system
● Enter the first several letters of a keyword in a command and press Tab to
display a complete keyword. However, the first several letters must uniquely
identify the keyword. Otherwise, keep pressing Tab to display different
keywords and select the required one.

NOTE

The command output obtained through the online help function is used for reference only.

3.1.6 Interpreting Command Error Messages


If a command passes the syntax check, it will be executed by the system.
Otherwise, the system reports an error message.

Table 3-3 lists common error messages.

Table 3-3 Common command error messages

Error Message                                        Error Cause
Error: Unrecognized command found at '^' position.   No command or no keyword is found at the marked position.
Error: Wrong parameter found at '^' position.        The parameter type is incorrect, or the parameter value is outside the allowed range.
Error: Incomplete command found at '^' position.     The entered command is incomplete; a mandatory keyword or parameter is missing.
Error: Too many parameters found at '^' position.    Too many parameters are entered.
Error: Ambiguous command found at '^' position.      The entered keyword matches more than one command and cannot be resolved uniquely.
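The partial-keyword matching described in 3.1.4 and the Unrecognized, Ambiguous, and Incomplete errors of Table 3-3 can be reproduced with a small resolver, which is useful for validating scripted command lines before they are sent to a device. The following Python is an added example written for this page, not Huawei code. Its command tree is a constructed subset of user-view commands (not a dump from a switch), and its error strings are copied from Table 3-3. It implements the behavior the guide describes: later tokens narrow earlier ones, which is why d cu resolves while d c and dis c are ambiguous.

```python
from typing import Dict, List, Tuple

# Constructed subset of a user-view command tree for this example: each keyword
# maps to the keywords that may follow it, and an empty dict means the command
# is complete at that point. This is example data, not a dump from a switch.
COMMAND_TREE: Dict = {
    "display": {
        "current-configuration": {},
        "cpu-usage": {},
        "clock": {},
        "version": {},
    },
    "dir": {},
    "debugging": {"all": {}},
    "delete": {},
    "reboot": {},
    "reset": {"saved-configuration": {}},
}


class CliError(Exception):
    """Mirrors the "Error: ... found at '^' position." messages of Table 3-3."""

    def __init__(self, kind: str, line: str, pos: int):
        self.kind = kind
        self.pos = pos
        # The switch echoes the line and puts '^' under the offending token.
        super().__init__(f"{line}\n{' ' * pos}^\nError: {kind} found at '^' position.")


def keyword_hits(prefix: str, node: Dict) -> List[str]:
    """Keywords at this level that the typed prefix can stand for.

    An exact keyword wins outright, so typing a keyword in full is never
    ambiguous with a longer keyword that happens to begin with it.
    """
    if prefix in node:
        return [prefix]
    return [kw for kw in node if kw.startswith(prefix)]


def expansions(tokens: List[str], node: Dict) -> List[List[str]]:
    """Every keyword path consistent with all typed tokens.

    Later tokens narrow earlier ones: 'd cu' expands only to 'display
    current-configuration' because no other d* keyword has a cu* child,
    which is why the guide accepts 'd cu' but rejects 'd c'.
    """
    if not tokens:
        return [[]]
    paths: List[List[str]] = []
    for kw in keyword_hits(tokens[0], node):
        for tail in expansions(tokens[1:], node[kw]):
            paths.append([kw] + tail)
    return paths


def token_offsets(line: str) -> List[Tuple[str, int]]:
    """(token, column) pairs so the caret can be placed under a token."""
    out, col = [], 0
    for tok in line.split():
        col = line.index(tok, col)
        out.append((tok, col))
        col += len(tok)
    return out


def resolve(line: str, tree: Dict = COMMAND_TREE) -> str:
    """Expand an incomplete command line to full keywords, or raise CliError."""
    toks = token_offsets(line)
    tokens = [t for t, _ in toks]
    paths = expansions(tokens, tree)
    if not paths:
        # Blame the first token that leaves no candidate path at all.
        for i in range(len(tokens)):
            if not expansions(tokens[: i + 1], tree):
                raise CliError("Unrecognized command", line, toks[i][1])
    if len(paths) > 1:
        # Blame the first position where the surviving paths disagree.
        for i in range(len(tokens)):
            if len({p[i] for p in paths}) > 1:
                raise CliError("Ambiguous command", line, toks[i][1])
    node = tree
    for kw in paths[0]:
        node = node[kw]
    if node:  # a further keyword is mandatory but was not typed
        raise CliError("Incomplete command", line, len(line))
    return " ".join(paths[0])


if __name__ == "__main__":
    for attempt in ("d cu", "dis cu", "d c", "dis c", "display foo", "reset"):
        try:
            print(f"{attempt!r:14} -> {resolve(attempt)}")
        except CliError as err:
            print(f"{attempt!r:14} ->\n{err}")
```

Running the block prints the expansion for the accepted forms and, for the rejected ones, the echoed line with a caret and the matching Table 3-3 message. A real switch has a much larger tree with parameters as well as keywords, so treat the resolver as a model of the matching rule rather than a substitute for testing on the device.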

3.1.7 Using an undo Command


An undo command restores a default configuration, disables a function, or deletes
a configuration. Most configuration commands have a corresponding undo
command.
Some examples of using undo commands are as follows:
● Run an undo command to restore a default configuration.
For example, the undo sysname command restores the default device host
name:
<HUAWEI> system-view
[HUAWEI] sysname Server
[Server] undo sysname
[HUAWEI]

● Run an undo command to disable a function.
For example, the undo sftp server enable command disables the SFTP server
function on the device:
<HUAWEI> system-view
[HUAWEI] sftp server enable
Info: Succeeded in starting the SFTP server.
[HUAWEI] undo sftp server enable
Warning: The operation will stop the SFTP server. Continue? [Y/N]:Y
Info: Succeeded in closing the SFTP server.

● Run an undo command to delete a configuration.
For example, the undo header command deletes the header information that
the device displays when users log in:
<HUAWEI> system-view
[HUAWEI] header login information "Hello,Welcome to Huawei!"

Log out of the device and log in again. The message "Hello,Welcome to
Huawei!" is displayed before authentication. Then run the undo header login
command.
Hello,Welcome to Huawei!
Password:
Info: The max number of VTY users is 21, and the number of current VTY users on
line is 2.
The current login time is 2019-11-06 16:31:24.
<HUAWEI> system-view
[HUAWEI] undo header login

Log out of the device and log in again. No message is displayed before
authentication.
Password:
Info: The max number of VTY users is 21, and the number of current VTY users on
line is 2.
The current login time is 2019-11-06 16:45:06.
<HUAWEI>

NOTE

The command output provided here is used for reference only, and actual output
information may differ.

3.1.8 Displaying Historical Commands


The device automatically saves a user's historical commands. If you want to enter
a command that has already been executed, you can use the function of
displaying historical commands to find the desired one.

By default, the device saves the last 10 commands for each user. You can run the
history-command max-size size-value command in a user interface view to set
the number of historical commands that can be saved for the corresponding user.
The maximum number is 256.

NOTE

The time spent in finding the desired command among all the historical commands saved
on the device is related to the value specified in the history-command max-size size-value
command. To ensure an efficient search, set an appropriate value.

Table 3-4 describes the operations on historical commands.

Table 3-4 Accessing historical commands

Display historical commands.
    Command or key: display history-command [ all-users ]
    Result: Without all-users, the historical commands entered by the current
    user are displayed. With all-users, the historical commands entered by all
    users are displayed (all-users can be specified only by users of level 3
    or higher).

Display the previous historical command.
    Command or key: Up arrow key ↑ or Ctrl+P
    Result: The previous historical command is displayed. If the current
    command is the earliest saved command, an alarm is generated when you
    attempt to display the previous one.

Display the next historical command.
    Command or key: Down arrow key ↓ or Ctrl+N
    Result: The next historical command is displayed. If the current command
    is the latest saved command, nothing is displayed and an alarm is
    generated when you attempt to display the next one.

NOTE

The HyperTerminal bundled with Windows 9X assigns a different function to the
Up arrow key ↑. In that case, use the Ctrl+P shortcut key instead to access
historical commands.

Note the following when displaying historical commands:

● The device saves commands in the same way as how users enter them. For
example, if a user enters an incomplete command, the saved command will
also be incomplete.
● If a user runs the same command several times, only the most recent
execution is saved. Commands entered in different formats are treated as
different commands, and each format is saved.
For example, if the display current-configuration command is run several
times, only its last execution is saved. If both the display current-
configuration command and the dis curr command are run, both are saved.
● Historical commands entered by the current user can be deleted using the
reset history-command command in the user view, and those entered by all
users can be deleted using the reset history-command all-users command in
the user view. Once deleted, historical commands can no longer be displayed
or accessed.

3.1.9 Using Command Line Shortcut Keys


A device provides command shortcut keys to speed up and simplify command
input.


Command shortcut keys are classified into user-defined shortcut keys and system
default shortcut keys.
● There are four user-defined shortcut keys: Ctrl+G, Ctrl+L, Ctrl+O, and Ctrl+U.
A user-defined shortcut key can be associated with any command. After you
press a shortcut key, the system will automatically run the command
associated with the shortcut key.
● System default shortcut keys: shortcut keys defined in the system that have
fixed functions and cannot be defined by users. Table 3-5 lists the common
system shortcut keys.

NOTE

The terminal being used may affect the functions of the shortcut keys. For example, if the
shortcut keys defined by the terminal conflict with those defined in the device, the shortcut
keys entered by the user are identified by the terminal program and the commands
corresponding to the shortcut keys are not executed.

User-defined Shortcut Keys


If a user frequently uses a specific command or selection of commands, the user
can use shortcut keys to define them. Only management-level users have the
rights to define shortcut keys. The configurations are as follows:

1. Enter the system view.
system-view
2. Configure a shortcut key for a command.
hotkey { CTRL_G | CTRL_L | CTRL_O | CTRL_U } command-text

The system supports four user-defined shortcut keys, whose default values
are as follows:
– Ctrl+G: display current-configuration
– Ctrl+L: display ip routing-table
– Ctrl+O: undo debugging all
– Ctrl+U: Null

NOTE

● When defining shortcut keys, use double quotation marks to surround a command that
contains several keywords separated by spaces, for example, hotkey ctrl_l "display tcp
status". Do not use double quotation marks to surround a command that contains only
one keyword.
● Run the display hotkey command to view the status of the defined, undefined, and
system-defined shortcut keys.
● Run the undo hotkey command to restore the default values of the configured shortcut
keys.
● Entering shortcut keys is equivalent to command execution. The device records the
commands corresponding to the entered shortcut keys in the command buffer and logs
for fault detection and query.
● The user-defined shortcut keys are available to all users. However, if a user does not
have the rights to use the command defined by a shortcut key, the system displays an
error message when the user uses this shortcut key.

System-defined Shortcut Keys

Table 3-5 System-defined shortcut keys

Key        Function
<Ctrl+A>   Moves the cursor to the beginning of the current command line.
<Ctrl+B>   Moves the cursor back one character.
<Ctrl+C>   Stops performing the current functions.
<Ctrl+D>   Deletes the character where the cursor is located.
<Ctrl+E>   Moves the cursor to the end of the current command line.
<Ctrl+F>   Moves the cursor forward one character.
<Ctrl+H>   Deletes the character before the cursor.
<Ctrl+K>   Stops outgoing connections in the call establishment stage.
<Ctrl+N>   Displays the next command in the history command buffer.
<Ctrl+P>   Displays the previous command in the history command buffer.
<Ctrl+R>   Redisplays the current command line.
<Ctrl+T>   Stops outgoing connections.
<Ctrl+V>   Pastes the text of the clipboard.
<Ctrl+W>   Deletes the word before the cursor.
<Ctrl+X>   Deletes all characters before the cursor.
<Ctrl+Y>   Deletes the character where the cursor is located and all
           characters following it.
<Ctrl+Z>   Returns to the user view.
<Ctrl+]>   Stops incoming connections or redirects them.
<Esc+B>    Moves the cursor back one word.
<Esc+D>    Deletes the word following the cursor.
<Esc+F>    Moves the cursor forward one word.
<Esc+N>    Moves the cursor down one line.
<Esc+P>    Moves the cursor up one line.
<Esc+<>    Positions the cursor at the beginning of the text to be copied.
<Esc+>>    Positions the cursor at the end of the text to be copied.

3.1.10 Configuring an Alias for a Command

Context
The command alias function allows you to define your preferred character strings
for commands to facilitate command usage.

You can use the alias command to achieve the following:
● Configure an easy-to-remember string as the alias for a command or command
keyword, so that you only need to enter the alias to run the command. For
example, if you define show as the alias for display, you can enter show
instead of display.
● Adjust the order of parameters as needed. For example, after you run the
alias showif parameter $ifnum $iftype command "display interface $iftype
$ifnum" command, you can enter showif 1 Eth-Trunk instead of display
interface Eth-Trunk 1.

To enable the command alias function for the current terminal, run the terminal
command alias command. To disable the command alias function for the current
terminal, run the undo terminal command alias command. Disabling the
command alias function does not delete the existing alias configuration.
Therefore, the existing alias configuration will continue to take effect after you
enable the command alias function again for the current terminal. To check
whether or not the command alias function is enabled, you can run the display
terminal command alias command.

Procedure
Step 1 Enter the system view.
system-view

Step 2 Enter the command alias view.
command alias

Step 3 Configure an alias for a command.
alias alias-string [ parameter parameter &<1-32> ] command command

----End

Verifying the Configuration

Run the display command alias command to view the configured command
aliases.
<HUAWEI> display command alias
show = display
showif $ifnum $iftype = display interface $iftype $ifnum
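The parameter reordering that showif performs can be reproduced offline, for instance when reviewing a recorded command history that uses aliases. The following Python is an added example, not Huawei code: it parses display command alias output in the format shown above (the ALIAS_TABLE text is constructed here from that output) and expands an aliased command line the way 3.1.10 describes, binding the typed words to the $parameters in declaration order and placing each one where the command template puts it.

```python
import re
from typing import Dict, List, Tuple

# Constructed `display command alias` output in the format shown above; it is
# not captured from a device.
ALIAS_TABLE = """\
show = display
showif $ifnum $iftype = display interface $iftype $ifnum
"""


def parse_alias_table(text: str) -> Dict[str, Tuple[List[str], str]]:
    """Map alias name -> (parameter names in typed order, command template)."""
    table: Dict[str, Tuple[List[str], str]] = {}
    for raw in text.splitlines():
        if " = " not in raw:
            continue
        lhs, template = raw.split(" = ", 1)
        name, *params = lhs.split()
        # Parameters are declared as $name; keep the bare name as the key.
        table[name] = ([p.lstrip("$") for p in params], template.strip())
    return table


def expand(line: str, aliases: Dict[str, Tuple[List[str], str]]) -> str:
    """Replace a leading alias with its command, reordering $parameters.

    Only the first word can be an alias. The words that follow bind to the
    alias parameters in the order the alias declared them (showif binds
    $ifnum first, then $iftype) and the template decides where each one
    ends up; any remaining words are appended unchanged.
    """
    words = line.split()
    if not words or words[0] not in aliases:
        return line
    params, template = aliases[words[0]]
    args = words[1:1 + len(params)]
    if len(args) < len(params):
        raise ValueError(f"alias {words[0]} expects {len(params)} parameter(s), got {len(args)}")
    binding = dict(zip(params, args))
    # Substitute each $name in the template with the word bound to it.
    command = re.sub(r"\$(\w+)", lambda m: binding.get(m.group(1), m.group(0)), template)
    return " ".join([command, *words[1 + len(params):]])


ALIASES = parse_alias_table(ALIAS_TABLE)

if __name__ == "__main__":
    for typed in ("showif 1 Eth-Trunk", "show current-configuration", "display version"):
        print(f"{typed!r} -> {expand(typed, ALIASES)!r}")
```

Because the device saves historical commands exactly as typed (see 3.1.8), an audit of the command history sees the alias, not the command it stood for; expanding the history with the alias table recorded at the same time recovers what was actually executed.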

3.1.11 Running User View Commands in the System View

Context
Some commands can be run only in the user view. To run these commands, you
need to return to the user view first. To facilitate command execution, this
function allows you to run such commands in the system view without returning
to the user view.

Procedure
Step 1 Enter the system view.
system-view

Step 2 Run a user view command in the system view.
run command-line

----End

3.1.12 Enabling Secondary Authentication

Context
Misoperations of some commands cause the configurations of related features to
be deleted, interrupting services and disconnecting the user network. To prevent
misoperations, you can run the configuration re-authentication enable
command to enable secondary authentication.

After secondary authentication is enabled, you must enter the login password
for secondary authentication before the following commands are executed:
reboot, reset saved-configuration, undo capwap source interface, undo
multicast routing-enable, undo pim, undo igmp, and undo stp enable.

NOTE

● To prevent some services from being unavailable due to misoperations, you are advised
to enable secondary authentication.
● By default, secondary authentication is disabled for the execution of risky commands.

Procedure
Step 1 Enter the system view.
system-view

Step 2 Enable secondary authentication.
configuration re-authentication enable

----End

3.2 Displaying the Command Output

3.2.1 Displaying Command Configurations


After completing the configurations on a device, you can run the display
command to check the configuration and running information.

For example, after configuring the device as an SSH (STelnet or SFTP) client,
you can run the display ssh server-info command to check the RSA and ECC
public keys the device has saved for the SSH servers it connects to or has
connected to. For details about the usage and functions of the display
command, see "Verifying the Configuration" in each feature of the
Configuration Guide.

You can also check the configurations running on the device and in the current
view.
● Check the configurations running on the device:
display current-configuration
This command does not display the default parameter settings.
● Check configurations in the current view:
display this
This command does not display the default parameter settings.

NOTE

● You can run the timestamp enable command to enable the timestamp function in the
system to ensure that the system adds the query time to the output of the display
command.
● If the value of a parameter in the command output is too long, it will be truncated to
fit.

3.2.2 Checking the Diagnostic Information


When the system experiences a fault or is during routine maintenance, you can
check diagnostic information to collect the running information of all modules.
display diagnostic-information [ module-name ] &<1-8> [ slot slot-id ] [ file-name ]

The display diagnostic-information command output includes the output of
multiple display commands, such as display clock, display version, and
display current-configuration. Running the display diagnostic-information
command is equivalent to running these display commands in a batch.

3.2.3 Controlling Command Display


You can control how a command output will be displayed with function keys to
meet your needs.

● When a command output occupies more than one screen, you can use PgUp
and PgDn to display the previous screen and the next screen.
● When a command output occupies more than one screen, the system pauses
after each screen so that you can check the information. You can use the
function keys listed in Table 3-6 to control how the output is displayed.

NOTE

The screen-length screen-length temporary command sets the number of lines
displayed per screen on the terminal for the current session. If screen-length
is 0, the output is displayed continuously and the system does not pause when
the information does not fit on one screen.

Table 3-6 Control of command display

Key                Function
Ctrl+C or Ctrl+Z   Stops displaying information and stops running the command.
                   NOTE: Pressing any key other than Space and Enter has the
                   same effect.
Space              Continues to display the information on the next screen.
Enter              Continues to display the information in the next line.

3.2.4 Filtering Command Outputs

3.2.4.1 Command Output Display


Filtering command output helps you quickly find the information you need. For
example, you can use a regular expression (which specifies the rule used to
filter information) in a display command to filter the output.

When the output does not fit on one screen, the display pauses after each
screen so that you can read it before moving on to the next screen. Table 3-7
describes the keys available at the pause.

Table 3-7 Display functions

Key                                   Function
Space                                 Continues to display the information on
                                      the next screen.
Enter                                 Continues to display the information in
                                      the next line.
Plus sign (+) + regular-expression    Same function as | include
                                      regular-expression.
Minus sign (-) + regular-expression   Same function as | exclude
                                      regular-expression.
Slash (/) + regular-expression        Same function as | begin
                                      regular-expression.
Ctrl+C or any key other than the      Stops information display and command
preceding ones                        execution.

3.2.4.2 Regular Expressions

Context
A regular expression is a pattern matching tool that consists of common
characters (such as letters from a to z) and special characters (also called
meta-characters). It functions as a template that is matched against the
searched character string.
A regular expression provides the following functions:
● Checks and obtains the sub-character string that matches a certain rule in the
character string.
● Replaces the character string based on the matching rule.
A regular expression consists of the following characters:
● Common characters
Common characters match themselves in a string. Common characters include
all uppercase and lowercase letters, digits, punctuation marks, and special
symbols. For example, a matches the letter "a" in "abc", 10 matches the
digits "10" in "10.113.25.155", and @ matches the symbol "@" in
"xxx@xxx.com".
● Special characters
Special characters, together with common characters, match complicated or
special character strings. Table 3-8 describes special characters and their
functions.

Table 3-8 Special characters and their functions

\
    Function: Escape character. It turns the special (or common) character
    that follows it into a common character.
    Example: \* matches *.

^
    Function: Matches the start of the string.
    Example: ^10 matches 10.10.10.1 but not 172.16.1.1.

$
    Function: Matches the end of the string.
    Example: 1$ matches 10.10.10.1 but not 10.10.10.2.

*
    Function: Matches the preceding sub-regular expression zero or more
    times.
    Example: 10* matches 1, 10, 100, 1000, and so on. (10)* matches an empty
    string, 10, 1010, 101010, and so on.

+
    Function: Matches the preceding sub-regular expression one or more times.
    Example: 10+ matches 10, 100, 1000, and so on. (10)+ matches 10, 1010,
    101010, and so on.

?
    Function: Matches the preceding sub-regular expression zero times or
    once.
    Example: 10? matches 1 or 10. (10)? matches an empty string or 10.
    NOTE: On Huawei datacom devices, entering a question mark (?) on the
    command line invokes online help, so ? cannot be typed as part of a
    regular expression in a command. When command output spans more than one
    screen and a filter expression is entered at the pause (see Table 3-7), a
    ? in that expression is treated as a regular expression special
    character.

.
    Function: Matches any single character.
    Example: a.b matches any three-character string that starts with a and
    ends with b. 0.0 matches 0x0, 020, and so on. .oo matches book, look,
    tool, and so on.

()
    Function: Groups a sub-regular expression and obtains the matched
    substring. Parentheses with nothing inside are equivalent to an empty
    string, and a pattern consisting only of () matches any string. A right
    parenthesis without a matching left parenthesis is treated as a common
    character; a left parenthesis without a matching right parenthesis makes
    the pattern invalid.
    Example: 100(200)+ matches 100200, 100200200, and so on. (ab) matches
    abcab. () matches any string. a()b matches 12ab12. a)b matches za)bc.
    a(b is an invalid pattern string.

_
    Function: Matches a delimiter such as a comma (,), left brace ({), right
    brace (}), left parenthesis ((), right parenthesis ()), or space. At the
    beginning of a regular expression it also acts like the caret (^), and at
    the end like the dollar sign ($).
    Example: _65001_ matches 20 65001 30, 20 65001, 65001 30, 65001, and so
    on.

x|y
    Function: Matches x or y.
    Example: 100|200 matches 100 or 200. 1(2|3)4 matches 124 or 134, but not
    1234, 14, 1224, or 1334.

[xyz]
    Function: Matches any one character listed in the brackets. It matches a
    single character at a time; it does not match several characters or the
    same character repeatedly.
    Example: [123] matches 2 in 255. [abc] matches a, b, or c.

[^xyz]
    Function: Matches any character other than x, y, and z. That is, it
    matches any string containing at least one character that is not x, y,
    or z.
    Example: [^123] matches any character except 1, 2, and 3. [^abc] matches
    any character except a, b, and c.

[a-z]
    Function: Matches any one character in the specified range. It matches a
    single character at a time.
    Example: [0-9] matches any digit from 0 to 9. [a-z] matches any letter
    from a to z. [z-a] is an invalid pattern string.

[^a-d]
    Function: Matches any character outside the specified range. That is, it
    matches any string containing at least one character that is not in the
    range a to d.
    Example: [^0-9] matches any non-digit character. [^a-z] matches any
    character other than a letter from a to z. [^z-a] is an invalid pattern
    string.

NOTE

Unless otherwise specified, all the characters in the preceding table must be printable
characters.

Use of Characters
Certain special characters, when placed at certain positions in a regular
expression, degenerate to common characters:
● A special character that follows the escape character \ matches itself.
● The special characters * and + placed at the beginning of a regular
expression. For example, +45 matches "+45" and abc(*def) matches "abc*def".
● The special character ^ placed in a non-start position of a regular
expression. For example, abc^ matches "abc^".
● The special character $ placed in a non-end position of a regular
expression. For example, 12$2 matches "12$2".
● A right parenthesis ) or right bracket ] on its own. For example, abc)
matches "abc)" and 0-9] matches "0-9]".

NOTE

Unless otherwise specified, these degeneration rules also apply when the
preceding expressions appear as sub-regular expressions within parentheses.

In practice, a regular expression combines multiple common and special
characters to match the intended strings.
Filter Modes of Regular Expressions

NOTE

When a character string is used to filter command output, the output begins at
the start of the first line that matches the string, not at the matched
substring within that line.

The system allows you to use | count to display the number of output lines,
| section to display the command output by section, | ignore-case to match
the string case-insensitively, and | no-more to display the filtered output
on one screen without pausing. | count, | section, | ignore-case, and | no-
more can be combined with the following filter modes.
Three filter modes are provided for commands that support regular expressions.
● | begin regular-expression: displays all lines starting from the first line
that matches the regular expression. Lines before the first match are
discarded; the matching line and everything after it are displayed.
● | exclude regular-expression: displays all lines that do not match the
regular expression. Lines that match are discarded.
● | include regular-expression: displays all lines that match the regular
expression. Lines that do not match are discarded.
Unless | ignore-case is specified, matching is case-sensitive.
NOTE

The value of regular-expression is a string of 1 to 255 characters.
The command output can be filtered by multiple regular expressions, which take
effect in the order they are specified. A maximum of 32 regular expressions
can be used to filter one command output.
| section displays only output that has section information, such as the
output of the display current-configuration and display this commands.

The following examples show how to specify a filter mode in a command.

Example 1: Use the Directory|Files regular expression to filter the display pm
brief command output.
<HUAWEI> display pm brief | exclude Directory|Files
Statistics Status : disable
Statistics Start Time :-
Current Statistics Cycles :-
Number of Statistics Tasks :0
Number of Statistics Objects :0
Number of Configured Pm Servers :0

Example 2: Use the vlan regular expression to filter the display current-
configuration command output.
<HUAWEI> display current-configuration | include vlan
vlan batch 7 10 18 to 19 30 60 66 70 77 100 105
vlan batch 200 1024
port default vlan 77
port default vlan 19
port hybrid pvid vlan 10
port hybrid untagged vlan 10
port hybrid pvid vlan 60
undo port hybrid vlan 1
port hybrid tagged vlan 60
port trunk allow-pass vlan 60
port hybrid pvid vlan 10
port hybrid tagged vlan 7
port hybrid untagged vlan 10

Example 3: Use the vlan regular expression to filter the display current-
configuration command output and count the matching lines.
<HUAWEI> display current-configuration | include vlan | count
Total lines: 14.

NOTE

The preceding information is used for reference only.

You can save the display command output to a specified file on devices in either
of the following ways:
● > filename
The output is saved to a specified file. If the target file already exists, the
original content of the file is overwritten.
● >> filename
The output is appended to a specified file, and the original content of the file
remains unchanged.
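The filter semantics described above (case-sensitive matching, begin keeping everything from the first match onward, filters applied in the order given, and count reporting the surviving lines) are modelled below in Python. This is an added example, not code from the guide or from Huawei; SAMPLE_OUTPUT is a constructed excerpt in the style of the display current-configuration output shown above, and the 32-filter and 255-character limits are taken from the NOTE. A practitioner can run the same pipeline over a file saved with > filename to post-process a configuration offline.

```python
"""Model of the VRP output filters "| begin", "| include", "| exclude" and "| count"."""
import re

# Constructed sample, modelled on the display current-configuration excerpt
# above; it is not a capture from a real device.
SAMPLE_OUTPUT = """\
sysname Switch
vlan batch 7 10 18 to 19 30 60 66 70 77 100 105
vlan batch 200 1024
 port default vlan 77
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
undo port hybrid vlan 1
user-interface vty 0 4
 authentication-mode aaa
"""

MAX_FILTERS = 32          # at most 32 regular expressions per command
MAX_PATTERN_LEN = 255     # regular-expression is 1 to 255 characters


def apply_filter(lines, mode, pattern):
    """Apply one filter. Matching is case-sensitive, as on the device."""
    if not 1 <= len(pattern) <= MAX_PATTERN_LEN:
        raise ValueError("regular-expression must be 1 to 255 characters")
    regex = re.compile(pattern)
    if mode == "include":
        return [line for line in lines if regex.search(line)]
    if mode == "exclude":
        return [line for line in lines if not regex.search(line)]
    if mode == "begin":
        # Suppress everything before the first matching line; that line
        # and all lines after it are kept, whether or not they match.
        for index, line in enumerate(lines):
            if regex.search(line):
                return lines[index:]
        return []
    raise ValueError(f"unknown filter mode: {mode}")


def run_pipeline(output, filters):
    """Apply (mode, pattern) pairs in order, like chained '|' filters."""
    if len(filters) > MAX_FILTERS:
        raise ValueError("at most 32 filters may be chained")
    lines = output.splitlines()
    for mode, pattern in filters:
        lines = apply_filter(lines, mode, pattern)
    return lines


def count_lines(output, filters):
    """Equivalent of appending '| count' to a filtered command."""
    return len(run_pipeline(output, filters))


if __name__ == "__main__":
    # display current-configuration | include vlan | count
    print(f"Total lines: {count_lines(SAMPLE_OUTPUT, [('include', 'vlan')])}.")
    # display current-configuration | begin undo
    print("\n".join(run_pipeline(SAMPLE_OUTPUT, [("begin", "undo")])))
```

Because matching is case-sensitive, include VLAN returns nothing on this sample while include vlan returns six lines; chaining exclude vlan followed by include vty leaves only the user-interface line, which is the order-dependent behaviour the NOTE describes.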


4 CLI-based Device Login Configuration

NOTE

● For security purposes, change the password periodically.


● The initial password must be changed upon the first login for an account created by the
administrator.

4.1 Overview of CLI-based Device Login


4.2 Configuration Precautions for CLI-based Device Login
4.3 Configuring the User Interface
4.4 Configuring Local Login Through a Console Port
4.5 Configuring Remote Login Through Telnet
4.6 Configuring Remote Login Through STelnet
4.7 Maintaining the Device CLI
4.8 Troubleshooting CLI-based Device Login Failure

4.1 Overview of CLI-based Device Login


When a device functions as a server, you can log in to the device through the
console port, Telnet, or STelnet. When a device functions as a client, you can log in
to a server from the device through Telnet or STelnet.
To manage and maintain the device either locally or remotely, you need to
configure the user interface, user management information, and terminal services
before login.
● User interface: provides the login entry.
● User management information: ensures login security.
● Terminal services: support login protocols, such as Telnet or STelnet.
You can log in to the device using one of the modes listed in Table 4-1 to
configure and manage the device.


Table 4-1 User login modes

● 4.4 Configuring Local Login Through a Console Port
  – Advantage: A dedicated console cable is used for device control.
  – Disadvantage: You cannot remotely log in to the device.
  – Application scenario: The device is configured for the first time; remote login
    to the device is unavailable; or the device fails to start and you need to access
    the BootLoader menu for device diagnosis or upgrade.
  – Description: Login through a console port is the basis for other login modes. By
    default, you can log in to the device through a console port and use commands at
    privilege level 3.

● 4.5 Configuring Remote Login Through Telnet
  – Advantage: You can log in to devices remotely using Telnet for management and
    maintenance without connecting a terminal to each device, which simplifies
    operations.
  – Disadvantage: Data is transmitted over TCP in plain text, posing security risks.
  – Application scenario: If you need to configure the device locally or remotely
    after connecting a terminal to the network, log in to the device using Telnet.
    Telnet login is typically used on networks that do not have high security
    requirements.
  – Description: By default, you cannot log in to the device directly using Telnet.
    Before using Telnet to log in, you must log in to the device locally through a
    console port and perform the following configurations:
    Configure a reachable route between the user terminal and the device. (By
    default, no IP address is configured on the device.)
    Enable the Telnet server function and configure related parameters.
    Configure a user interface for Telnet login.

● 4.6 Configuring Remote Login Through STelnet
  – Advantage: STelnet provides secure remote login on insecure networks, ensuring
    confidentiality of the transmitted data as well as data integrity and
    reliability.
  – Disadvantage: The configuration is complex.
  – Application scenario: You can log in to the device using STelnet on networks
    with high security requirements. STelnet, based on the SSH protocol, provides
    strong authentication to protect information and defend the device against
    attacks such as IP spoofing.
  – Description: By default, you cannot log in to the device directly using STelnet.
    Before using STelnet to log in, you must log in to the device locally through a
    console port or remotely using Telnet and perform the following configurations:
    Configure a reachable route between the user terminal and the device. (By
    default, no IP address is configured on the device.)
    Enable the STelnet server function and configure related parameters.
    Configure a user interface for SSH login.
    Configure SSH user information.

Console Port
Each device provides one console port that conforms to the EIA/TIA-232 standard.
The console port is a Data Communication Equipment (DCE) port. You can directly
connect the serial port of a user terminal to the console port of the device to log
in to the device and configure it locally.

Telnet
Telnet is an application layer protocol in the TCP/IP protocol stack. It provides
remote login and virtual terminal services, and uses the client/server model. That
is, the Telnet client sends a request to the Telnet server, and the Telnet server
provides the Telnet service. The devices support the Telnet client and server
functions.
As shown in Figure 4-1, DeviceA functions as both a Telnet server and a Telnet
client. If there is no reachable route between the PC and DeviceB, you can
remotely log in to DeviceB through DeviceA. In this case, DeviceB functions as the
Telnet server for DeviceA.

Figure 4-1 Telnet client/server model

STelnet
Telnet transmits data, including login credentials, over TCP in plain text. It has
no secure authentication mechanism and is vulnerable to Denial of Service (DoS), IP
address spoofing, and route spoofing attacks.

STelnet is based on SSH 2.0. The STelnet client and server negotiate a secure,
encrypted connection, and the client can then access the server.

4.2 Configuration Precautions for CLI-based Device


Login
Licensing Requirements
CLI-based Device Login is not under license control.

Hardware Requirements

Table 4-2 Hardware requirements

● S5735-L-V2 series: S5735-L10T4X-A-V2/S5735-L10T4X-TA-V2/S5735-L16T4S-A-V2/
  S5735-L16T4X-QA-V2/S5735-L24P4S-A-V2/S5735-L24P4XE-A-V2/S5735-L24P4XE-TA-V2/
  S5735-L24T4S-A-V2/S5735-L24T4X-QA-V2/S5735-L24T4XE-A-V2/S5735-L24T4XE-D-V2/
  S5735-L48LP4S-A-V2/S5735-L48LP4XE-A-V2/S5735-L48P4XE-A-V2/S5735-L48T4S-A-V2/
  S5735-L48T4XE-A-V2/S5735-L48T4XE-TA-V2/S5735-L48T4XE-D-V2/S5735-L8P2T4X-A-V2/
  S5735-L8P2T4X-TA-V2/S5735-L8P4S-A-V2/S5735-L8P4X-QA-V2/S5735-L8T4S-A-V2/
  S5735-L8T4X-QA-V2
● S5735-S-V2 series: S5735-S24P4XE-V2/S5735-S24T4XE-V2/S5735-S24U4XE-V2/
  S5735-S48P4XE-V2/S5735-S48T4XE-V2/S5735-S48U4XE-V2
● S5735I-L-V2 series: S5735I-L10T4X-A-V2/S5735I-L8P4X-A-V2
● S3710-H series: S3710-H24P4S-A/S3710-H24T4S-A/S3710-H48LP4S-A/S3710-H48T4S-A
● S5732-H-V2 series: S5732-H24S4X6QZ-TV2/S5732-H24S4X6QZ-V2/S5732-H24UM4Y2CZ-TV2/
  S5732-H24UM4Y2CZ-V2/S5732-H44S4X6QZ-TV2/S5732-H44S4X6QZ-V2/S5732-H48UM4Y2CZ-TV2/
  S5732-H48UM4Y2CZ-V2
● S5735I-S-V2 series: S5735I-S24T4XE-V2/S5735I-S24T4XE-T-V2/S5735I-S24U4XE-V2/
  S5735I-S24U4XE-T-V2/S5735I-S8T4SN-V2/S5735I-S8T4XN-T-V2/S5735I-S8T4XN-V2/
  S5735I-S8U4XN-V2
● S6730-H-V2 series: S6730-H24X6C-TV2/S6730-H24X6C-V2/S6730-H28X6CZ-TV2/
  S6730-H28X6CZ-V2/S6730-H48X6C-TV2/S6730-H48X6C-V2/S6730-H48X6CZ-TV2/
  S6730-H48X6CZ-V2/S6730-H48Y6C-TV2/S6730-H48Y6C-V2


Feature Requirements

Table 4-3 Feature requirements

● Feature requirements: Telnet is not recommended for security purposes. The device
  provides the weak security algorithm/protocol feature package WEAKEA by default;
  if you need to use the features in this package, run the install feature-software
  WEAKEA command to install it.
● Series: S5735-S-V2, S5735-L-V2, S3710-H, S5735I-L-V2, S5732-H-V2, S5735I-S-V2,
  and S6730-H-V2 series.
● Models: all models of these series listed in Table 4-2.

4.3 Configuring the User Interface

4.3.1 Understanding User Interfaces


The system supports console and virtual type terminal (VTY) user interfaces.
Each user interface has a corresponding view, which is a command-line interface
(CLI). In this view you configure and manage the physical and logical interfaces
that work in asynchronous interactive mode, so that user interfaces are managed
centrally.

User Interfaces Supported by the Device


● Console (CON)
The console port is an EIA/TIA-232 DCE port.
Each device provides one console port. The serial port of a user terminal can
be directly connected to the console port of the device for local access.
● VTY
A VTY is a virtual port.
When a Telnet or Secure Shell (SSH) connection is established between a
terminal and a device, a VTY connection is established to log in to the device.
A maximum of 21 users can log in to a device through the VTY.

Relationship Between a User and a User Interface


A user interface is not exclusive to a specific user. User interfaces are used to
manage and monitor users who have logged in to the device using a specific
method. Although a user interface may be used by only one user at a time, the
user interface is not specific to the user.
When a user logs in, the system allocates the idle user interface with the smallest
number to the user based on the user's login mode. The login process is restricted
by the configuration in the user interface view. For example, when user A logs in
through the console port, the login process depends on the configuration in the
console user interface view; when user A logs in through VTY 1, the login process
depends on the configuration in the VTY 1 user interface view. If a user logs in to
a device using different modes or at different times, the user may be allocated
different user interfaces.

User Interface Numbering


When a user logs in, the system allocates the idle user interface with the smallest
number to the user based on the user's login mode. User interfaces are numbered
in either of the following methods:


● Relative numbering
The numbering format is User interface type + Number.
This method uniquely specifies a user interface or a group of user interfaces
of the same type. Relative numbering must comply with the following rules:
– Console user interface numbering: CON 0
– VTY user interface numbering: The first VTY user interface is VTY 0, the
second VTY user interface is VTY 1, and so on.
● Absolute numbering
This method uniquely specifies a user interface or a group of user interfaces.
You can run the display user-interface command without specifying
parameters to view user interfaces and their absolute numbers supported by
the current device.
Only one console user interface and 21 VTY user interfaces are supported. You
can run the user-interface maximum-vty command in the system view to set
the maximum number of available VTY user interfaces.
Table 4-4 lists the default relative and absolute numbers of the console and
VTY user interfaces.

Table 4-4 Absolute and relative numbers of user interfaces

● Console user interface: manages and controls users who log in to the device
  using the console port.
  – Absolute number: 0–19
  – Relative number: 0
● VTY user interface: manages and controls users who log in to the device using
  Telnet or STelnet.
  – Absolute number: 34–54
  – Relative number: The first VTY user interface is VTY 0, the second VTY user
    interface is VTY 1, and so on. By default, VTY 0 to VTY 4 are available.
    Absolute numbers 34 to 54 correspond to relative numbers VTY 0 to VTY 20,
    respectively.

Authentication Modes for User Interfaces


After a user authentication mode is configured, the device authenticates users
who want to log in using the configured authentication mode.
The following user authentication modes are available:
● Password authentication: A user is authenticated by password only.
● AAA authentication: A user is authenticated by user name and password. This
mode is typically used to authenticate Telnet or STelnet users.
NOTE

The password authentication mode cannot be used on VTY user interfaces.


User Privilege Levels for User Interfaces


You can manage login users based on their privilege levels. The privilege level of
commands available to a user depends on the user privilege level.

● If password authentication is configured, the privilege level of commands that


a user can use depends on the privilege level of the user interface through
which the user logs in.
● If AAA authentication is configured, the privilege level of commands that a
user can use depends on the privilege level of the local user specified in the
AAA configuration.

4.3.2 Configuring the Console User Interface

Prerequisites
To locally maintain a device through the console port, configure attributes for the
console user interface as needed.

Before configuring the console user interface, you have completed the following
task:

● Log in to the device from a terminal.

Procedure

Table 4-5 Configuring physical attributes for the console user interface

● Enter the system view: system-view
● Enter the console user interface view: user-interface console interface-number
● Set the transmission rate: speed speed-value. By default, the transmission rate
  is 9600 bit/s.
● Set the flow control mode: flow-control { hardware | none | software }. By
  default, the flow control mode is none.
● Set the parity bit: parity { even | mark | none | odd | space }. By default, the
  parity bit is none.
● Set the stop bit: stopbits { 1.5 | 1 | 2 }. By default, the stop bit is 1.
● Set the data bit: databits { 5 | 6 | 7 | 8 }. By default, the data bit is 8.
● Exit the console user interface view: quit
● Return to the user view: quit


NOTE

The physical attribute settings on the device must match those configured on the
terminal. Otherwise, you cannot log in to the device through the console port.

Table 4-6 Configuring terminal attributes for the console user interface

● Enter the system view: system-view
● Enter the console user interface view: user-interface console interface-number
● Set the connection timeout period: idle-timeout minutes [ seconds ]. If a
  connection remains idle for the specified period, the terminal is automatically
  disconnected from the device. By default, the connection timeout period is 5
  minutes.
  NOTE
  If the connection timeout period is set to too large a value, the terminal
  remains connected, posing security risks. To reduce the risk, run the lock
  command to lock the connection when you leave the terminal.
● Set the number of lines displayed on a terminal screen: screen-length
  screen-length [ temporary ]. The temporary parameter makes the setting apply only
  to the current session. By default, 24 lines are displayed on a terminal screen.
● Set the buffer size for historical commands: history-command max-size
  size-value. By default, a maximum of 10 historical commands can be buffered.
● Exit the console user interface view: quit
● Return to the user view: quit


Table 4-7 Configuring the user privilege level for the console user interface

● Enter the system view: system-view
● Enter the console user interface view: user-interface console interface-number
● Set the user privilege level: user privilege level level. Table 3-1 shows the
  mapping between user privilege levels and command privilege levels.
  NOTE
  – By default, the user privilege level of the console user interface is 3.
  – If the privilege level configured for a user interface conflicts with the
    privilege level configured for a user (for example, a local AAA user), the
    level configured for the user takes precedence.
● Exit the console user interface view: quit
● Return to the user view: quit

Table 4-8 Configuring the AAA authentication mode for the console user interface

● Enter the system view: system-view
● Enter the console user interface view: user-interface console interface-number
● Set the user authentication mode to AAA: authentication-mode aaa
● Exit the console user interface view: quit
● Enter the AAA view: aaa
● Configure the local user name and password: local-user user-name password
  irreversible-cipher password. For security purposes, change the password
  periodically.
● Set the local user access type to console: local-user user-name service-type
  terminal
● Exit the AAA view: quit
● Return to the user view: quit

Table 4-9 Configuring the password authentication mode for the console user
interface

● Enter the system view: system-view
● Enter the console user interface view: user-interface console interface-number
● Set the user authentication mode to password authentication:
  authentication-mode password
● Set the authentication password: set authentication password [ cipher
  password ]. If you do not specify cipher password, you enter a cleartext password
  in interactive mode. If you specify cipher password, you can enter a cleartext or
  ciphertext password. In both cases the password is saved to the configuration
  file in cipher text. For security purposes, change the password periodically.
  NOTE
  After the weak password dictionary maintenance function is enabled, passwords
  defined in the weak password dictionary (which can be queried using the display
  security weak-password-dictionary command) cannot be specified in this command.
● Exit the console user interface view: quit
● Return to the user view: quit

Table 4-10 Disabling the console user interface

● Enter the system view: system-view
● Enter the console user interface view: user-interface console interface-number
● Disable the console user interface: shutdown. By default, the console user
  interface is enabled.

4.3.3 Configuring a VTY User Interface


Prerequisites
To locally or remotely maintain a device using Telnet or STelnet, you can configure
a VTY user interface as needed.
Before configuring a VTY user interface, you have completed the following task:
● Log in to the device from a terminal.

Procedure

Table 4-11 Configuring terminal attributes for a VTY user interface

● Enter the system view: system-view
● Set the maximum number of VTY user interfaces: user-interface maximum-vty
  number. By default, a maximum of five VTY user interfaces are allowed.
  If the configured maximum is less than the number of VTY user interfaces
  currently in use, online users are not affected and no additional configuration
  is required. If the configured maximum is greater than the current maximum, you
  must configure an authentication mode for the additional user interfaces. If the
  maximum number is set to 0, users cannot log in to the device through VTY user
  interfaces.
● Configure an alarm threshold for the number of available VTY channels:
  user-interface vty available-vty-threshold threshold-value. By default, the alarm
  threshold is 4. When the number of available VTY channels falls below this
  threshold, the device reports an alarm; when it equals the threshold, no alarm is
  reported; when it rises above the threshold, the device clears the alarm.
● Enter the VTY user interface view: user-interface vty first-ui-number
  [ last-ui-number ]
● Enable the VTY terminal services: shell. By default, all VTY terminal services
  are enabled.
● Set the connection timeout period: idle-timeout minutes [ seconds ]. If a
  connection remains idle for the specified period, the terminal is automatically
  disconnected from the device. By default, the connection timeout period is 10
  minutes.
  NOTE
  If the connection timeout period is set to too large a value or to 0, the
  terminal remains connected indefinitely, posing security risks. To reduce the
  risk, run the lock command to lock the connection when you leave the terminal.
● Set the number of lines displayed on a terminal screen: screen-length
  screen-length [ temporary ]. If temporary is specified, the setting applies only
  to the current session and is lost after disconnection or system restart. By
  default, 24 lines are displayed on a terminal screen.
● Set the buffer size for historical commands: history-command max-size
  size-value. By default, a maximum of 10 historical commands can be buffered.
● Exit the VTY user interface view: quit
● Return to the user view: quit

Table 4-12 Configuring the user privilege level for a VTY user interface

● Enter the system view: system-view
● Enter the VTY user interface view: user-interface vty first-ui-number
  [ last-ui-number ]
● Set the user privilege level: user privilege level level. By default, the user
  privilege level of a VTY user interface is 0. If the privilege level configured
  for a user interface conflicts with the privilege level configured for a user,
  the level configured for the user takes precedence.
● Exit the VTY user interface view: quit
● Return to the user view: quit

Table 4-13 Configuring the AAA authentication mode for a VTY user interface

● Enter the system view: system-view
● Enter the VTY user interface view: user-interface vty first-ui-number
  [ last-ui-number ]
● Set the user authentication mode to AAA: authentication-mode aaa
● Exit the VTY user interface view: quit
● Enter the AAA view: aaa
● Configure the local user name and password: local-user user-name password
  irreversible-cipher password. For security purposes, change the password
  periodically.
● Set the access type of the local user to Telnet or SSH: local-user user-name
  service-type { telnet | ssh }. The Telnet protocol has security risks. You are
  advised to use the secure SSHv2 protocol.
● Exit the AAA view: quit
● Return to the user view: quit


Table 4-14 Configuring extended functions for a VTY user interface

● Enter the system view: system-view
● Enable the security policy for a VTY user interface: undo user-interface vty
  security-policy disable. By default, the security policy is enabled for a VTY
  user interface.
● Enter the VTY user interface view: user-interface vty first-ui-number
  [ last-ui-number ]
● Configure ACL-based login control for a VTY user interface: acl [ ipv6 ]
  { acl-number | acl-name } { inbound | outbound }
  – To prevent users with specified IP addresses or on a specified IP address
    segment from logging in to the device, specify inbound.
  – To prevent users who have already logged in to the device from logging in to
    other devices, specify outbound.
  NOTE
  – The user interface supports basic ACLs (numbered 2000 to 2999) and advanced
    ACLs (numbered 3000 to 3999).
  – When the action in an ACL is permit and the packets from other devices match
    the ACL: if the ACL is applied in the inbound direction, other devices can
    access the local device; if it is applied in the outbound direction, the local
    device can access other devices.
  – When the action in an ACL is deny and the packets from other devices match the
    ACL: if the ACL is applied in the inbound direction, other devices cannot
    access the local device; if it is applied in the outbound direction, the local
    device cannot access other devices.
  – When ACL rules are configured but the packets from other devices match none of
    them: if the ACL is applied in the inbound direction, other devices cannot
    access the local device; if it is applied in the outbound direction, the local
    device cannot access other devices.
  – When no rule is configured in an ACL: if the ACL is applied in the inbound
    direction, any other device can access the local device; if it is applied in
    the outbound direction, the local device can access all other devices. An
    empty ACL therefore restricts nothing; create the rules before binding the
    ACL to the user interface.
  – For details about the ACL configuration, see "ACL Configuration" in CLI
    Configuration Guide > IP Addresses and Services.
● Exit the VTY user interface view: quit
● Return to the user view: quit
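The console procedure in 4.3.2 and the VTY procedure in 4.3.3 both end in settings that this chapter warns about: an idle-timeout of 0 keeps sessions open forever, password authentication is not available on VTY interfaces so a VTY block needs authentication-mode aaa, Telnet access for a local user is discouraged, and an ACL with no rules bound inbound restricts nothing. The following Python script, an added example and not code from the guide or from Huawei, audits a saved configuration for exactly those points. SAMPLE_CONFIG is constructed from the commands in Tables 4-5 through 4-14 in the form that display current-configuration > filename would save them; the ACL rule syntax, the $CIPHERTEXT placeholder and the 30-minute ceiling are assumptions, not values from the guide.

```python
"""Offline audit of console and VTY user-interface settings in a saved configuration."""
import re

# Constructed sample written with the commands from Tables 4-5 to 4-14; the
# ACL rule syntax and the $CIPHERTEXT placeholder are assumptions, not output
# captured from a device.
SAMPLE_CONFIG = """\
#
acl number 2000
 rule 5 permit source 10.0.0.0 0.0.0.255
#
acl number 2001
#
aaa
 local-user netops password irreversible-cipher $CIPHERTEXT
 local-user netops service-type ssh
 local-user legacy password irreversible-cipher $CIPHERTEXT
 local-user legacy service-type telnet
#
user-interface maximum-vty 8
user-interface console 0
 authentication-mode aaa
 idle-timeout 5 0
user-interface vty 0 4
 acl 2000 inbound
 authentication-mode aaa
 idle-timeout 10 0
user-interface vty 5 7
 acl 2001 inbound
 authentication-mode aaa
 idle-timeout 0 0
#
"""

MAX_IDLE_MINUTES = 30  # assumed site policy ceiling, not a value from the guide


def parse_blocks(text):
    """Split a configuration into (header, [child lines]) blocks.

    A block starts at a line with no leading whitespace; indented lines
    belong to the block above; '#' lines and blank lines are separators."""
    blocks = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "#":
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(stripped)
        else:
            blocks.append((stripped, []))
    return blocks


def first_starting_with(lines, prefix):
    return next((line for line in lines if line.startswith(prefix)), None)


def audit(text):
    """Return (subject, finding) pairs for settings the guide warns about."""
    blocks = parse_blocks(text)
    findings = []
    acl_rules = {}
    # Pass 1: rule count per ACL and local users allowed to use Telnet.
    for header, body in blocks:
        acl = re.match(r"acl (?:number )?(\d+)$", header)
        if acl:
            acl_rules[acl.group(1)] = [ln for ln in body if ln.startswith("rule ")]
        if header == "aaa":
            for line in body:
                user = re.match(r"local-user (\S+) service-type (.+)$", line)
                if user and "telnet" in user.group(2).split():
                    findings.append((user.group(1), "local user may log in with Telnet (plain text)"))
    # Pass 2: every console and VTY user-interface block.
    for header, body in blocks:
        ui = re.match(r"user-interface (console|vty) (\d+)(?: (\d+))?$", header)
        if not ui:
            continue
        kind, first, last = ui.groups()
        label = f"{kind} {first}" if last is None else f"{kind} {first}-{last}"
        if kind == "vty" and first_starting_with(body, "authentication-mode ") != "authentication-mode aaa":
            findings.append((label, "VTY interface without AAA authentication"))
        idle = first_starting_with(body, "idle-timeout ")
        if idle:
            parts = idle.split()
            minutes = int(parts[1])
            seconds = int(parts[2]) if len(parts) > 2 else 0
            if minutes == 0 and seconds == 0:
                findings.append((label, "idle-timeout 0: idle sessions are never disconnected"))
            elif minutes > MAX_IDLE_MINUTES:
                findings.append((label, f"idle-timeout above {MAX_IDLE_MINUTES} minutes"))
        if kind == "vty":
            acl_line = next((ln for ln in body if ln.startswith("acl ") and ln.endswith(" inbound")), None)
            if acl_line is None:
                findings.append((label, "no inbound ACL: any reachable host may attempt to log in"))
            else:
                parts = acl_line.split()
                acl_id = parts[2] if parts[1] == "ipv6" else parts[1]  # 'acl ipv6 <id> inbound'
                if not acl_rules.get(acl_id):
                    findings.append((label, f"inbound ACL {acl_id} has no rules and therefore permits every source"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit(SAMPLE_CONFIG):
        print(f"{subject}: {finding}")
```

On the sample the script reports the Telnet-enabled local user, the idle-timeout 0 on VTY 5 to 7, and the empty ACL 2001 bound inbound on the same range; VTY 0 to 4, with AAA, a 10-minute timeout and a populated inbound ACL, produces no finding. The same checks can be run against any file produced with > filename after the verification commands in 4.3.4 confirm the live state.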

4.3.4 Verifying the Configuration

Procedure
● Run the display users [ all ] command to check information about users who
have logged in to a device through the user interfaces.
● Run the display user-interface console ui-number [ summary ] command to
check information of the console user interface.
● Run the display user-interface maximum-vty command to check the
maximum number of VTY user interfaces.
● Run the display user-interface vty ui-number1 [ summary ] command to
check information of the VTY user interface.
● Run the display ssh server ip-block all command to view all client IP
addresses that fail authentication.
● Run the display ssh server ip-block list command to view client IP addresses
that are locked out due to authentication failure.
● Run the display vty ip-block list command to check the list of IP addresses
that are blocked due to authentication failures.
● Run the display vty ip-block all command to check all IP addresses that fail
to be authenticated.
● Run the display vty mode command to check the VTY mode.

----End

4.4 Configuring Local Login Through a Console Port

4.4.1 Configuring Device Login Through a Console Port

Prerequisites
Before configuring device login through a console port, you have completed the
following tasks:

● Prepare a console cable.


● Install the terminal emulation software on the PC.
NOTE

If the system does not provide terminal emulation software, obtain it from a third
party. For details about how to use the software, see the software user guide or online
help.


Default Settings

Table 4-15 Default settings for the console port

Parameter: Default Setting
Transmission rate: 9600 bit/s
Flow control mode: No flow control
Parity check: None
Stop bits: 1
Data bits: 8

Procedure
Step 1 Connect the DB9 connector of the prepared console cable to the PC's serial port
(COM), and the RJ45 connector to the device's console port. If there is no DB9
serial port on your terminal (PC), use a DB9-to-USB cable to connect the USB port
to the terminal.
Step 2 Start PuTTY on the PC (PuTTY is an example terminal emulator). Create a
connection, select the connection port, and set communication parameters.
1. Click Session to create a connection, as shown in Figure 4-2.

Figure 4-2 Creating a connection


2. Click Serial and set the port to be connected and the communication
parameters, as shown in Figure 4-3.
a. Select the port according to your requirements. For example, in a
Windows operating system, you can open Device Manager to view port
information and select the port to be connected.
b. Ensure that the communication parameters you set in the terminal
emulation software are consistent with the default parameter settings of
the device's console port.
c. Click Open.

NOTE

A PC may have multiple ports that can be connected to the device. In this step, the
port to be connected to a console cable must be selected. In most cases, COM1 is
used.
If the device's communication parameters are modified, those on the PC must be
modified accordingly and the connection must be re-established.

Figure 4-3 Setting the connection port and communication parameters

Step 3 Press Enter until the system prompts you to enter the password. (During AAA
authentication, the system asks you to enter the user name and password. The
following information is for reference only.)
Login authentication

Password:


You can run commands to configure the device. Enter a question mark (?) if you
need help.

----End

Verifying the Configuration


● Run the display users [ all ] command to check information about users who
have logged in to a device through the user interfaces.
● Run the display user-interface console 0 command to check information
about the user interface.
● Run the display local-user command to check attributes of local users.
● Run the display access-user command to check information about online
users.

4.4.2 Example for Configuring Login Through a Console Port


Networking Requirements
If users cannot remotely log in to a device, they can locally log in to the device
through the console port on the device. Password authentication is used for login
through the console port. To prevent unauthorized users from accessing a device,
you can change the authentication mode of the console user interface (used for
login through the console port) to AAA authentication.

Figure 4-4 Network diagram of login through the console port

Configuration Roadmap
The configuration roadmap is as follows:
1. Use the terminal emulation software to log in to the device through the
console port.
2. Configure the authentication mode for the console user interface.

NOTE

If the system does not provide terminal emulation software, obtain it from a third party. For
details about how to use the software, see the software user guide or online help.

Procedure
Step 1 Connect the DB9 connector of the prepared console cable to the PC's serial port
(COM), and the RJ45 connector to the device's console port. If there is no DB9
serial port on your terminal (PC), use a DB9-to-USB cable to connect the USB port
to the terminal.
Step 2 Start PuTTY on the PC (PuTTY is an example terminal emulator). Create a
connection, select the connection port, and set communication parameters.


1. Click Session to create a connection, as shown in Figure 4-5.

Figure 4-5 Creating a connection

2. Click Serial and set the port to be connected and the communication
parameters, as shown in Figure 4-6.
a. Select the port according to your requirements. For example, in a
Windows operating system, you can open Device Manager to view port
information and select the port to be connected.
b. Ensure that the communication parameters you set in the terminal
emulation software are consistent with the default parameter settings of
the device's console port.
c. Click Open.

NOTE

A PC may have multiple ports that can be connected to the device. In this step, the
port to be connected to a console cable must be selected. In most cases, COM1 is
used.
If the device's communication parameters are modified, those on the PC must be
modified accordingly and the connection must be re-established.


Figure 4-6 Setting the connection port and communication parameters

Step 3 Press Enter until the system prompts you to enter the password. (During AAA
authentication, the system asks you to enter the user name and password. The
following information is for reference only.)
Login authentication

Password:

You can run commands to configure the device. Enter a question mark (?) if you
need help.

Step 4 Configure the authentication mode for the console user interface.
<HUAWEI> system-view
[HUAWEI] user-interface console 0
[HUAWEI-ui-console0] authentication-mode aaa
[HUAWEI-ui-console0] user privilege level 3
[HUAWEI-ui-console0] quit
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin1234 password
Please configure the login password (8-128)
It is recommended that the password consist of at least 2 types of characters, including lowercase letters,
uppercase letters, numerals and special characters.
Please enter password:
Please confirm password:
Info: Add a new user.
[HUAWEI-aaa] local-user admin1234 privilege level 3
[HUAWEI-aaa] local-user admin1234 service-type terminal

----End


Verifying the Configuration


After the preceding operations, you must enter the user name admin1234 and
password YsHsjx_202206 when logging in to the device.
Username:admin1234
Password:
<HUAWEI>

Configuration Scripts
#
aaa
local-user admin1234 password irreversible-cipher $1d$g8wLJ`LjL!$CyE(V{3qg5DdU:PM[6=6O$UF-.fQ,Q}>^)OBzgoU$
local-user admin1234 service-type terminal
local-user admin1234 privilege level 3
#
user-interface con 0
authentication-mode aaa
#
return

4.5 Configuring Remote Login Through Telnet

4.5.1 Configuring Telnet Login

Prerequisites
Before configuring Telnet login, you have completed the following tasks:

● Ensure that there are reachable routes between the terminal and the device.
● Run the install feature-software WEAKEA command to install the weak
security algorithm/protocol feature package (WEAKEA).

Context
NOTE

STelnet V2 is more secure than Telnet, and is therefore recommended.


In FIPS mode, Telnet cannot be used.

Table 4-16 describes the tasks involved in the Telnet login configuration process.

Table 4-16 Tasks involved in Telnet login configuration

Task 1: Enable the Telnet server function and configure related parameters.
  Description: Enable the Telnet server function and configure related parameters.
  Remarks: Tasks 1, 2, and 3 can be performed in any sequence.

Task 2: Configure a VTY user interface for Telnet login.
  Description: Configure the user privilege level, authentication mode, whether to support the Telnet protocol, and other basic VTY user interface attributes.
  Remarks: Tasks 1, 2, and 3 can be performed in any sequence.

Task 3: Configure a local Telnet user.
  Description: Create the Telnet user name and password, service type, and user privilege level.
  Remarks: Tasks 1, 2, and 3 can be performed in any sequence.

Task 4: Log in to the device using Telnet from a terminal.
  Description: Use the Telnet client software to log in to the device from a terminal.
  Remarks: -

Default Settings

Table 4-17 Default settings for configuring Telnet login

Parameter: Default Setting
Telnet server function: Disabled
Telnet server port: 23
Authentication mode for a VTY user interface: No authentication mode configured
Protocol supported by a VTY user interface: All protocols
User privilege level: The default command privilege level for a VTY user interface is 0.

Procedure
● Enable the Telnet server function and configure related parameters.
Before telneting to the device from a user terminal, ensure that the Telnet
server function is enabled on the device.


Table 4-18 Enabling the Telnet server function and configuring related parameters

Operation: Enter the system view.
  Command: system-view
  Description: -

Operation: Enable the Telnet server function.
  Command: telnet [ ipv6 ] server enable
  Description: By default, the Telnet server function is disabled.

Operation: (Optional) Configure a port number for the Telnet server.
  Command: telnet [ ipv6 ] server port port-number
  Description: The default port number is 23. Configuring a new port number for the Telnet server prevents attackers from accessing the server using the standard Telnet server port.

Operation: (Optional) Configure an ACL.
  Command: telnet [ ipv6 ] server acl { acl-number | acl-name }
  Description: By default, no ACL is configured. An ACL is configured to determine which clients can access the device using Telnet.

Operation: Configure the source interface for the Telnet server.
  Command:
  ● telnet server-source -i { interface-type interface-number | interface-name }
  ● telnet ipv6 server-source -a ipv6-address [ -vpn-instance vpn-instance-name ]
  ● telnet [ ipv6 ] server-source all-interface
  Description: By default, no source interface is specified for a Telnet server.
  NOTE
  ● If the specified source interface is a loopback interface, the loopback interface must have been created. Otherwise, the configuration cannot be executed.
  ● You can run one of the commands as required.

Operation: (Optional) Enable the client IP address locking function on the Telnet server.
  Command: undo telnet server ip-block disable
  Description: By default, the function of locking client IP addresses is enabled on a Telnet server. If a user fails authentication for six consecutive times within 5 minutes, the user's IP address will be locked for 5 minutes. To unlock the IP address before the locking period elapses, run the activate vty ip-block ip-address ip-address [ vpnname vpn-name ] command.

Operation: (Optional) Configure alarm generation and clearance thresholds for the number of Telnet server login failures within a specified period.
  Command: telnet server login-failed threshold-alarm upper-limit report-times lower-limit resume-times period period-time
  Description: By default, an alarm is generated when 30 or more login failures occur within 5 minutes. The alarm is cleared when the number of login failures within 5 minutes falls below 20.

Operation: (Optional) Configure the maximum number of Telnet connections to the server that can be established for a single IP address.
  Command: telnet server ip-limit-session limit-session-num
  Description: By default, a maximum of 64 Telnet connections to the server can be established for a single IP address.

Operation: (Optional) Configure the DSCP priority of Telnet packets.
  Command: telnet server dscp value
  Description: By default, the DSCP priority of Telnet packets is 48.

Operation: Return to the user view.
  Command: quit
  Description: -

● Configure a VTY user interface for Telnet login.


Configure the user privilege level and other basic attributes for the VTY user
interface.


Table 4-19 Configuring a VTY user interface for Telnet login

Operation: Enter the system view.
  Command: system-view
  Description: -

Operation: Enter the VTY user interface view.
  Command: user-interface vty first-ui-number [ last-ui-number ]
  Description: -

Operation: Configure a user privilege level for the user interface.
  Command: user privilege level level
  Description: By default, the user privilege level of a VTY user interface is 0. To run the commands of a higher privilege level, configure a higher user privilege level. If the command privilege level configured for a user interface conflicts with the user privilege level configured for a user, the configured user privilege level takes precedence.

Operation: Configure the user authentication mode.
  Command: authentication-mode aaa
  Description: The device provides the AAA authentication mode. Configure a local Telnet user by referring to Configuring a local Telnet user (AAA authentication mode).

Operation: Configure the VTY user interface to support the Telnet protocol.
  Command: protocol inbound { all | telnet }
  Description: By default, a VTY user interface supports all protocols.

Operation: (Optional) Configure other attributes of the user interface.
  Command: For details, see 4.3.3 Configuring a VTY User Interface.
  Description: Use the default settings for other attributes of the VTY user interface. You can also modify these attributes according to your requirements.

Operation: Exit the VTY user interface view.
  Command: quit
  Description: -

Operation: Return to the user view.
  Command: quit
  Description: -

● Configure a local Telnet user (AAA authentication mode).


Configure a local user name and password for the administrator to ensure
that only the administrator can log in to the device.

Table 4-20 Configuring a local Telnet user (AAA authentication mode)

Operation: Enter the system view.
  Command: system-view
  Description: -

Operation: Enter the AAA view.
  Command: aaa
  Description: -

Operation: Configure the local user name and password.
  Command: local-user user-name password irreversible-cipher password
  Description: For security purposes, change the password periodically.

Operation: Configure the service type for the local user.
  Command: local-user user-name service-type telnet
  Description: -

Operation: Configure the privilege level for the local user.
  Command: local-user user-name privilege level level
  Description: After login, a user can only run the commands at privilege levels equal to or lower than the user privilege level, thereby ensuring the device security. If the command privilege level configured for a user interface conflicts with the user privilege level configured for a user, the configured user privilege level takes precedence.

● Log in to the device using Telnet from a terminal.


You can use Windows CLI or third-party software to log in to the device using
Telnet from a terminal. Windows CLI is used in the following example.
Perform the following operations on the terminal:
a. Enter the Windows CLI.
b. Run the telnet ip-address port command to log in to the device using
Telnet.
C:\Documents and Settings\Administrator> telnet 10.137.217.177 1025
c. Press Enter and enter the user name and password configured for the
AAA authentication mode. If the authentication is successful, the
command line prompt for the user view is displayed, indicating that you
have successfully logged in to the device. (The following information is
for reference only.)
Username:admin1234
Password:
Info: The max number of VTY users is 8, the number of current VTY users online is 1, and total number of terminal users online is 1.
<Telnet Server>

----End
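The client IP lockout and login-failure alarm rows of Table 4-18 describe stateful behaviour that is easier to check in code. The following Python model is an added example, not Huawei code; it reproduces the documented defaults (six consecutive failures within 5 minutes lock the source IP for 5 minutes; the alarm is raised at 30 failures per 5 minutes and cleared below 20) over constructed login events, and assumes that a successful login resets the consecutive-failure run and that attempts from a locked address are rejected before authentication.

```python
"""Model of the two login-failure defences in Table 4-18, with their defaults:
  * client IP lockout (undo telnet server ip-block disable): six consecutive
    failures within 5 minutes lock the source IP for 5 minutes;
  * login-failed threshold alarm: raised at 30 or more failures in 5 minutes,
    cleared once the 5-minute count falls below 20.
Added example, not Huawei code. Assumptions: timestamps are seconds, a
successful login resets the consecutive-failure run, and an attempt from a
locked address is rejected before authentication and is not counted."""
from collections import defaultdict, deque

LOCK_FAILURES, LOCK_WINDOW, LOCK_DURATION = 6, 300, 300   # Table 4-18 defaults
ALARM_UPPER, ALARM_LOWER, ALARM_PERIOD = 30, 20, 300       # report/resume/period


class IpBlock:
    """Per-source-IP lockout: LOCK_FAILURES consecutive failures inside the window lock the IP."""

    def __init__(self):
        self.failures = defaultdict(deque)   # ip -> timestamps of the current failure run
        self.locked_until = {}               # ip -> time at which the lock expires

    def is_locked(self, ip, now):
        return self.locked_until.get(ip, -1) > now

    def record(self, ip, ok, now):
        """Feed one authenticated attempt; returns True if this attempt locked the IP."""
        run = self.failures[ip]
        if ok:
            run.clear()                      # a success breaks the consecutive run
            return False
        run.append(now)
        while run and now - run[0] > LOCK_WINDOW:
            run.popleft()                    # drop failures older than the window
        if len(run) >= LOCK_FAILURES:
            self.locked_until[ip] = now + LOCK_DURATION
            run.clear()
            return True
        return False

    def activate(self, ip):
        """Operator unlock, the effect of 'activate vty ip-block ip-address ip-address'."""
        self.locked_until.pop(ip, None)
        self.failures.pop(ip, None)


class LoginFailedAlarm:
    """Hysteresis alarm over a sliding window: raise at >= upper, clear below lower."""

    def __init__(self, upper=ALARM_UPPER, lower=ALARM_LOWER, period=ALARM_PERIOD):
        self.upper, self.lower, self.period = upper, lower, period
        self.events = deque()
        self.active = False

    def record_failure(self, now):
        self.events.append(now)
        return self.evaluate(now)

    def evaluate(self, now):
        """Re-evaluate at time now; also used for clearance when no new failure arrives."""
        while self.events and now - self.events[0] > self.period:
            self.events.popleft()
        count = len(self.events)
        if not self.active and count >= self.upper:
            self.active = True
        elif self.active and count < self.lower:
            self.active = False
        return self.active


def replay(events):
    """Run (time, client_ip, success) events through both mechanisms.
    Returns the per-event outcomes and the set of IPs still locked at the end."""
    block, alarm, outcome = IpBlock(), LoginFailedAlarm(), []
    for now, ip, ok in events:
        if block.is_locked(ip, now):
            outcome.append((now, ip, "rejected-locked", alarm.evaluate(now)))
            continue
        locked = block.record(ip, ok, now)
        alarm_on = alarm.evaluate(now) if ok else alarm.record_failure(now)
        outcome.append((now, ip, "ok" if ok else "locked" if locked else "failed", alarm_on))
    last = events[-1][0] if events else 0
    return outcome, {ip for ip in block.locked_until if block.is_locked(ip, last)}


# Constructed sample: one address fails six times in a minute, a legitimate
# user logs in, and the locked address tries again while still locked.
SAMPLE_EVENTS = [(t, "10.137.217.20", False) for t in range(0, 60, 10)] + [
    (60, "10.137.217.10", True),
    (80, "10.137.217.20", False),
]

if __name__ == "__main__":
    for row in replay(SAMPLE_EVENTS)[0]:
        print(row)
```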

Verifying the Configuration


● Run the display users [ all ] command to check information about users who
have logged in to a device through the user interfaces.
● Run the display tcp status command to check all TCP connections.
● Run the display telnet server status command to check the current
connections of the Telnet server.
● Run the display vty ip-block list command to check the list of IP addresses
that are blocked due to authentication failures.
● Run the display vty ip-block all command to check all IP addresses that fail
to be authenticated.

4.5.2 Configuring a Device to Access Another Device as a Telnet Client

Prerequisites
Before configuring a device to access another device as a Telnet client, you have
completed the following tasks:
● Log in to the device from a terminal.
● Ensure that there are reachable routes between the device and the Telnet
server.
● Enable the Telnet server function on the Telnet server.
● Obtain the Telnet user name, password, and port number configured on the
Telnet server.
● Run the install feature-software WEAKEA command to install the weak
security algorithm/protocol feature package (WEAKEA).

Context
NOTE

STelnet V2 is more secure than Telnet, and is therefore recommended.


In FIPS mode, Telnet cannot be used.

Table 4-21 describes the tasks involved in configuring a device to access another
device as a Telnet client.


Table 4-21 Tasks involved in configuring a device to access another device as a Telnet client

Task 1: (Optional) Configure Telnet client parameters.
  Description: Configure the source address and differentiated services code point (DSCP) priority of the Telnet client.
  Remarks: -

Task 2: Log in to another device using Telnet.
  Description: Access the Telnet server using Telnet.
  Remarks: -

Procedure
1. (Optional) Configure Telnet client parameters.

Table 4-22 (Optional) Configuring Telnet client parameters

Operation: Enter the system view.
  Command: system-view
  Description: -

Operation: Configure the source address of the Telnet client.
  Command:
  ● telnet client source { -a source-ip-address | -i interface-type interface-number }
  ● telnet ipv6 client source -a source-ipv6-address [ -vpn-instance ipv6-vpn-instance-name ]
  Description: By default, the source IPv4 address of a Telnet client is 0.0.0.0, and the source IPv6 address of a Telnet client is ::. The source address of the Telnet client displayed on the server is the same as that configured in this step.

Operation: Configure the DSCP priority of Telnet packets.
  Command: telnet client dscp value
  Description: By default, the DSCP priority of Telnet packets is 48.

Operation: Return to the user view.
  Command: quit
  Description: -

2. Log in to another device using Telnet.


Table 4-23 Logging in to another device using Telnet

Operation: Telnet to the server using an IPv4 address.
  Command: telnet [ -i { interface-type interface-number | interface-name } | [ vpn-instance vpn-instance-name ] [ -a source-ip-address ] ] host-ip-address [ port-number ]
  Description: Run either command depending on the network address type. The Telnet client can connect to the server successfully without a specified port number only when the server is listening on port 23. If the server is listening on another port, the port number must be specified upon login.

Operation: Telnet to the server using an IPv6 address.
  Command: telnet ipv6 [ -a source-ipv6-address ] [ public-net | vpn-instance ipv6-vpn-name ] ipv6-address [ -oi { interface-type interface-number | interface-name } ] [ port-number ]
  Description: Run either command depending on the network address type. The Telnet client can connect to the server successfully without a specified port number only when the server is listening on port 23. If the server is listening on another port, the port number must be specified upon login.

Verifying the Configuration


● Run the display tcp status command to check all TCP connections.

4.5.3 Example for Configuring Telnet Login

Networking Requirements
Users want to easily configure and manage the device shown in Figure 4-7. AAA
authentication needs to be configured for Telnet users on the server, and an ACL
policy needs to be configured to ensure that only the users matching the ACL can
log in to the device.

Figure 4-7 Network diagram of Telnet login

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure Telnet login to remotely maintain the device.


2. Configure an ACL to ensure that only users matching the ACL can log in to
the device.


3. Configure the user name and password for the administrator, and configure
an AAA authentication policy to ensure that only users passing the
authentication can log in to the device.

Configuration Precautions
In insecure network environments, you are advised to use a secure password
authentication mode, encryption authentication algorithm, or protocol. For details
about secure configuration examples, see 4.6.3 Example for Configuring STelnet
Login.

Procedure
Step 1 Run the install feature-software WEAKEA command in the user view to install
the weak security algorithm/protocol feature package (WEAKEA).
Step 2 Configure an IP address for the management interface on the Telnet server.
<HUAWEI> system-view
[HUAWEI] sysname Telnet Server
[Telnet Server] interface meth 0/0/0
[Telnet Server-MEth0/0/0] ip address 10.137.217.177 255.255.255.0
[Telnet Server-MEth0/0/0] quit

Step 3 Set the server port number and enable the server function.
[Telnet Server] telnet server enable
[Telnet Server] telnet server port 1025
[Telnet Server] telnet server-source -i meth 0/0/0

Step 4 Set parameters for the VTY user interface.


# Set the maximum number of VTY user interfaces.
[Telnet Server] user-interface maximum-vty 8

# Specify the IP address of the host allowed to access the device.


[Telnet Server] acl 2001
[Telnet Server-acl4-basic-2001] rule permit source 10.137.217.10 0
[Telnet Server-acl4-basic-2001] rule deny source 10.137.217.20 0
[Telnet Server-acl4-basic-2001] quit
[Telnet Server] user-interface vty 0 7
[Telnet Server-ui-vty0-7] acl 2001 inbound

# Configure terminal attributes for the VTY user interface.


[Telnet Server-ui-vty0-7] shell
[Telnet Server-ui-vty0-7] idle-timeout 20
[Telnet Server-ui-vty0-7] screen-length 30
[Telnet Server-ui-vty0-7] history-command max-size 20
[Telnet Server-ui-vty0-7] protocol inbound telnet

# Configure the authentication mode for the VTY user interface.


[Telnet Server-ui-vty0-7] authentication-mode aaa
[Telnet Server-ui-vty0-7] quit

Step 5 Configure login user information.


# Configure the authentication mode for the login user.
[Telnet Server] aaa
[Telnet Server-aaa] local-user admin1234 password
Please configure the login password (8-128)
It is recommended that the password consist of at least 2 types of characters, including lowercase letters, uppercase letters, numerals and special characters.
Please enter password:
Please confirm password:
Info: Add a new user.
[Telnet Server-aaa] local-user admin1234 service-type telnet
[Telnet Server-aaa] local-user admin1234 privilege level 3
[Telnet Server-aaa] quit

----End

Verifying the Configuration


# Run the following command on the CLI of PC1 to telnet to the device:
C:\Documents and Settings\Administrator> telnet 10.137.217.177 1025

# Press Enter, and enter the user name and password configured for AAA
authentication in the login window. If the authentication is successful, the
command line prompt for the user view is displayed, indicating that you have
successfully logged in to the device.
Username:admin1234
Password:
Info: The max number of VTY users is 8, the number of current VTY users online is 1, and total number of
terminal users online is 1.
<Telnet Server>

Configuration Scripts
#
sysname Telnet Server
#
telnet server-source -i MEth0/0/0
telnet server port 1025
#
acl number 2001
rule 5 permit source 10.137.217.10 0
rule 10 deny source 10.137.217.20 0
#
aaa
local-user admin1234 password irreversible-cipher $1d$g8wLJ`LjL!$CyE(V{3qg5DdU:PM[6=6O$UF-.fQ,Q}>^)OBzgoU$
local-user admin1234 service-type telnet
local-user admin1234 privilege level 3
#
interface MEth0/0/0
ip address 10.137.217.177 255.255.255.0
#
user-interface maximum-vty 8
#
user-interface vty 0 7
acl 2001 inbound
authentication-mode aaa
history-command max-size 20
idle-timeout 20 0
screen-length 30
#
return

4.5.4 Example for Configuring a Device to Access Another Device as a Telnet Client

Networking Requirements
In Figure 4-8, there are reachable routes between the PC and Device1, and
between Device1 and Device2. Users want to remotely manage and maintain
Device2. However, there is no reachable route between the PC and Device2, and
therefore users cannot directly log in to Device2 using Telnet. To address this issue,
users can use Telnet to log in to Device1 and then use Telnet to log in to Device2
from Device1. An ACL rule also needs to be configured to only allow Device1 to
access Device2 using Telnet, preventing unauthorized devices from telneting to
Device2.

Figure 4-8 Configuring a device to access another device as a Telnet client


NOTE

In this example, interface1 represents 10GE1/0/1.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the authentication mode and password for Telnet access on
Device2.
2. Configure an ACL rule on Device2 to allow access from Device1.
3. Telnet to Device2 from Device1.

Configuration Precautions
In insecure network environments, you are advised to use a secure password
authentication mode, encryption authentication algorithm, or protocol. For details
about secure configuration examples, see 4.6.4 Example for Configuring a
Device to Access Another Device as an STelnet Client .

Procedure
Step 1 Run the install feature-software WEAKEA command in the user view to install
the weak security algorithm/protocol feature package (WEAKEA).
Step 2 Configure the authentication mode and password for Telnet access on Device2.
<HUAWEI> system-view
[HUAWEI] sysname Device2
[Device2] user-interface vty 0 4
[Device2-ui-vty0-4] authentication-mode aaa
[Device2-ui-vty0-4] quit

Step 3 Configure login user information.


[Device2] aaa
[Device2-aaa] local-user admin1234 password
Please configure the login password (8-128)
It is recommended that the password consist of at least 2 types of characters, including lowercase letters, uppercase letters, numerals and special characters.
Please enter password:
Please confirm password:
Info: Add a new user.
[Device2-aaa] local-user admin1234 service-type telnet
[Device2-aaa] local-user admin1234 privilege level 3
[Device2-aaa] quit

Step 4 Configure an ACL rule on Device2 to allow access from Device1.


[Device2] acl 2000
[Device2-acl4-basic-2000] rule permit source 10.1.1.1 0
[Device2-acl4-basic-2000] quit
[Device2] user-interface vty 0 4
[Device2-ui-vty0-4] acl 2000 inbound
[Device2-ui-vty0-4] quit

NOTE

The ACL configuration is optional.

----End

Verifying the Configuration


# After the preceding configurations are complete, you can telnet to Device2 from
Device1, but not from other devices.
<HUAWEI> system-view
[HUAWEI] sysname Device1
[Device1] quit
<Device1> telnet 10.2.1.1
Username:admin1234
Password:
Info: The max number of VTY users is 8, the number of current VTY users online is 1, and total number of
terminal users online is 1.
<Device2>

Configuration Scripts
Device2
#
sysname Device2
#
acl number 2000
rule 5 permit source 10.1.1.1 0
#
aaa
local-user admin1234 password irreversible-cipher $1d$g8wLJ`LjL!$CyE(V{3qg5DdU:PM[6=6O$UF-.fQ,Q}>^)OBzgoU$
local-user admin1234 privilege level 3
local-user admin1234 service-type telnet
#
user-interface vty 0 4
acl 2000 inbound
authentication-mode aaa
#
return

4.6 Configuring Remote Login Through STelnet


4.6.1 Configuring STelnet Login


Prerequisites
Before configuring STelnet login, you have completed the following tasks:
● Ensure that there are reachable routes between the terminal and the device.
● Install the SSH client software on the terminal.
NOTE

The STelnet V1 protocol poses security risks, and STelnet V2 is recommended.

Default Settings

Table 4-24 Default settings for configuring STelnet login


Parameter Default Setting

STelnet server function Disabled

Procedure
Step 1 Enable the STelnet server function and configure related parameters.
For details, see "Configuring the SSH Server Function and Related Parameters" in
CLI Configuration Guide > Security Configuration.
Step 2 Configure the VTY user interface for SSH users to log in to the device.
For details, see "Configuring a VTY User Interface to Support SSH" in CLI
Configuration Guide > Security Configuration.
Step 3 Configure SSH user information.
For details, see "Configuring an SSH User" in CLI Configuration Guide > Security
Configuration.
Step 4 Log in to the device using STelnet.
Use the SSH client software to log in to the device using STelnet from a terminal.
The third-party software OpenSSH and Windows CLI are used in the following
example.
● For details about how to install OpenSSH, see the OpenSSH installation guide.
● To use OpenSSH to connect to the device using STelnet, run the OpenSSH
commands. For details about OpenSSH commands, see the OpenSSH help.
● The Windows CLI can identify OpenSSH commands only when OpenSSH is
installed on the terminal.
Access the Windows CLI and run the OpenSSH commands to connect to the
device. (The following information is for reference only.)
C:\Users\User1>ssh admin@10.136.195.11
admin@10.136.195.11's password:
Info: The max number of VTY users is 21, the number of current VTY users online is 5, and total number of terminal users online is 5.
The current login time is 2020-12-15 14:23:00.
<HUAWEI>

----End

Verifying the Configuration


● Run the display ssh user-information [ username ] command to check SSH
user information on the SSH server. If no SSH user is specified, this command
displays information about all SSH users on the SSH server.
● Run the display ssh server status command to check global configuration
information about the SSH server.
● Run the display ssh server session command on the SSH server to check the
sessions between the SSH server and the SSH clients.

4.6.2 Configuring a Device to Access Another Device as an STelnet Client

Prerequisites
Before configuring a device to access another device as an STelnet client, you have
completed the following tasks:

● Log in to the device from a terminal.


● Ensure that there are reachable routes between the device and the STelnet
server.
● Enable the STelnet server function on the STelnet server.
● Obtain the SSH user name, password, and port number configured on the
STelnet server.
NOTE

The STelnet V1 protocol poses security risks, and STelnet V2 is recommended.

Procedure
Step 1 Configure the mode for connecting the device (SSH client) to the SSH server
for the first time.

For details, see "Configuring the Mode for Connecting a Device to the SSH Server
for the First Time" in CLI Configuration Guide > Security Configuration.

Step 2 Set SSH client parameters.

For details, see "Setting SSH Client Parameters" in CLI Configuration Guide >
Security Configuration.

Step 3 Log in to another device using STelnet.

Table 4-25 Logging in to another device using STelnet (normal Layer 3 network connection)

Operation: Log in to the SSH server through an IPv4 address using STelnet.
Command: stelnet [ -a source-ip-address | -i interface-type interface-number ] [ -force-receive-pubkey ] host-ip-address [ server-port ] [ [ prefer_kex prefer_kex ] | [ prefer_ctos_cipher prefer_ctos_cipher ] | [ prefer_stoc_cipher prefer_stoc_cipher ] | [ prefer_ctos_hmac prefer_ctos_hmac ] | [ prefer_stoc_hmac prefer_stoc_hmac ] | [ prefer_ctos_compress zlib ] | [ prefer_stoc_compress zlib ] | [ -vpn-instance vpn-instance-name ] | [ -ki interval ] | [ -kc count ] | [ identity-key identity-key-type ] | [ user-identity-key user-key ] ] *

Operation: Log in to the SSH server through an IPv6 address using STelnet.
Command: stelnet ipv6 [ -a source-ipv6-address ] [ -force-receive-pubkey ] host-ipv6-address [ [ public-net | -vpn-instance vpn-instance-name ] | [ -oi { interface-name | interface-type interface-number } ] | [ server-port ] | [ prefer_kex prefer_kex ] | [ prefer_ctos_cipher prefer_ctos_cipher ] | [ prefer_stoc_cipher prefer_stoc_cipher ] | [ prefer_ctos_hmac prefer_ctos_hmac ] | [ prefer_stoc_hmac prefer_stoc_hmac ] | [ prefer_ctos_compress zlib ] | [ prefer_stoc_compress zlib ] | [ -ki interval ] | [ -kc count ] | [ identity-key identity-key-type ] | [ user-identity-key user-key ] ] *

Description (applies to both commands): Run either command depending on the network address type. The STelnet client can connect to the server successfully with no port number specified only when the server is listening on port 22. If the server is listening on another port, the port number must be specified upon login. When connecting to the SSH server, the STelnet client can carry the source IP address, VPN instance name, a key exchange algorithm, an encryption algorithm, a compression algorithm, and an HMAC algorithm, and be configured with the keepalive function. If the source interface is specified using -i interface-type interface-number, the public-net and -vpn-instance vpn-instance-name parameters are not supported.

----End

Verifying the Configuration


● Run the display ssh server-info command on the SSH client to check the
mappings between all SSH servers and public keys on the SSH client.
● Run the display ssh client session command on the SSH client to check the
number of transmitted and received packets for online sessions, data volume
of the transmitted and received packets, and STelnet login duration after key
renegotiation.

4.6.3 Example for Configuring STelnet Login


Networking Requirements
In Figure 4-9, after the STelnet server function is enabled on the device
functioning as the SSH server, the PC functioning as the SSH client can connect to
the SSH server in different authentication modes. This section uses the RSA
authentication mode as an example to describe how to log in to the SSH server
using STelnet.
To improve system security and prevent unauthorized users from logging in to the
SSH server, you can configure an ACL rule on the SSH server.

Figure 4-9 Network diagram of STelnet login


Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IP address for the management interface on the SSH server.
2. Generate a local key pair on the SSH server.
3. Configure a VTY user interface on the SSH server.
4. Create a local user and configure the service type for the user.
5. Create an SSH user and configure the authentication mode for the user.
6. On the SSH client, create a key pair based on the configured SSH user
authentication mode and copy the public key to the SSH server.
7. On the SSH server, edit the public key and assign it to the user.
8. Enable STelnet on the SSH server and set the service type of the SSH user to
STelnet.
9. On the SSH server, configure an ACL to allow access of the STelnet client.
10. Set parameters for STelnet login to the server.

Data Preparation
To complete the configuration, ensure that the following configurations have been
completed:

NOTE

To ensure high security, you are advised to use the RSA key pair whose length is 3072 bits
or longer.
● OpenSSH has been installed on the SSH client.
● The IP address 10.248.103.194/24 has been assigned to the management
interface of the SSH server.
● The local user's authentication mode is set to password authentication, and
the user name and password are admin123 and YsHsjx_202206, respectively.
● The SSH user's authentication mode is RSA.
● ACL 2000 is configured to allow the clients on the network segment
10.248.103.0/24 to access the SSH server.

Procedure
Step 1 Configure an IP address for the management interface on the SSH server.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] interface meth 0/0/0
[SSH Server-MEth0/0/0] ip address 10.248.103.194 255.255.255.0
[SSH Server-MEth0/0/0] quit

Step 2 Generate a local key pair on the SSH server.
[SSH Server] rsa local-key-pair create
The key name will be:Host
The range of public key size is (2048, 4096).
NOTE: Key pair generation will take a short while.
Please input the modulus [default = 3072]:

Step 3 Configure a VTY user interface on the SSH server.


[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit

NOTE

If SSH is configured as the login protocol, the device automatically disables the Telnet
function.

Step 4 On the server, create a local user and configure the service type for the user.
[SSH Server] aaa
[SSH Server-aaa] local-user admin123 password
Please configure the login password (8-128)
It is recommended that the password consist of at least 2 types of characters, including lowercase letters,
uppercase letters, numerals and special characters.
Please enter password:
Please confirm password:
Info: Add a new user.
[SSH Server-aaa] local-user admin123 service-type ssh
[SSH Server-aaa] local-user admin123 privilege level 3
[SSH Server-aaa] quit

Step 5 Create an SSH user on the server and configure the authentication mode for the
user.
[SSH Server] ssh user admin123
[SSH Server] ssh user admin123 authentication-type rsa

Step 6 Configure the public key algorithm, encryption algorithm, key exchange algorithm
list, HMAC authentication algorithm, and minimum key length on the SSH server.
[SSH Server] ssh server cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
[SSH Server] ssh server hmac sha2_256 sha2_512
[SSH Server] ssh server key-exchange dh_group_exchange_sha256 dh_group16_sha512
[SSH Server] ssh server publickey rsa_sha2_256 rsa_sha2_512
[SSH Server] ssh server dh-exchange min-len 3072

Step 7 Use OpenSSH to create an RSA key pair on the SSH client and copy the public key
to the SSH server.

Access the Windows CLI, create an RSA key pair, and save it to the local
id_rsa.pub file. (The following information is for reference only.)
C:\Users\User1>ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (C:\Users\User1/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in C:\Users\User1/.ssh/id_rsa.
Your public key has been saved in C:\Users\User1/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:c43yubJjCUjY3JqH0aVZwJFM3gWJcH4YI5+4HUDAIqo
The key's randomart image is:
+---[RSA 3072]----+
| ..o==B=.o. |
|o . O=*+. |
|o. +.oB=o |
|. . =o=o o |
|. ..*. S o . |
|E = o = . |
| . . .o |
| = . |
| ..+. |
+----[SHA256]-----+

Step 8 On the SSH server, edit the public key generated using OpenSSH on the SSH client
and assign it to the user.

[SSH Server] rsa peer-public-key rsa01 encoding-type openssh
[SSH Server-rsa-public-key] public-key-code begin
[SSH Server-rsa-public-key-rsa-key-code] ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCg5Ag490i6ilB7QuCVb35B8RJEh1DIYB88h2p1qjdh7qdMQv8rpJaVAgQWxwzKZO0XdFuz4ReGQzTCSf7Det7Ajicddw3qi+6P8hRqZj6MPdLg/o3RN4aPCfr/LFWCwqJ3gWGHlOC7qqjRk+6pySVoiWcSk5/elBkU7WVk/cSWrt4qFXJV373OCesKcEVeDvAa1Tvx6L3LQroBqUO0EXzDgOthPCmOqiqvS5h3JipzqVsesdSKjeInooCQzSOv5eePpBcFcIvU6wFiLIZ5vnf6YtypgTVzHuje/sh4xM7Iuuon7AYXKHT8NpO9jd9zA/lKaRPXyDtei1O1Bt/5lxnn
[SSH Server-rsa-public-key-rsa-key-code] public-key-code end
[SSH Server-key-code] peer-public-key end
[SSH Server] ssh user admin123 assign rsa-key rsa01

Step 9 Enable the STelnet function and set the user service type to STelnet.
[SSH Server] stelnet server enable
[SSH Server] ssh server-source all-interface
[SSH Server] ssh user admin123 service-type stelnet

Step 10 Configure an ACL rule.
[SSH Server] acl 2000
[SSH Server-acl4-basic-2000] rule permit source 10.248.103.0 0.0.0.255
[SSH Server-acl4-basic-2000] quit
[SSH Server] ssh server acl 2000
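The ssh server acl 2000 command restricts which client source addresses the STelnet server answers, and the rule that the configuration script below records for it is rule 5 permit source 10.248.103.0 0.0.0.255. The following Python script is an added example, not Huawei code: it evaluates a basic ACL rule the way a VRP wildcard mask is read (a 1 bit in the wildcard means that bit is ignored, the inverse of a subnet mask), checks a few constructed client addresses against the example's rule, shows what happens when the rule is written with the subnet mask 255.255.255.0 by mistake, and renders the correct rule from a CIDR prefix. The function and constant names are the example's own, and treating an address that matches no rule as denied is an assumption of the example.

```python
"""Evaluate which client addresses a VRP basic ACL admits to the SSH server.

Added example, not Huawei code. A wildcard bit of 1 means "don't care", so
0.0.0.255 selects a /24 while 255.255.255.0 (a subnet mask pasted by mistake)
matches on the last octet only. An address matching no rule is treated as
denied (assumption of this example). Candidate addresses are constructed.
"""
import ipaddress

MASK32 = 0xFFFFFFFF


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def rule_matches(src, rule_addr, wildcard):
    """True when src equals rule_addr in every bit the wildcard marks significant (0)."""
    care = ~_to_int(wildcard) & MASK32
    return (_to_int(src) & care) == (_to_int(rule_addr) & care)


def acl_decision(src, rules):
    """rules: [(rule_id, action, address, wildcard)], checked in rule-id order; default deny."""
    for _rule_id, action, addr, wildcard in sorted(rules):
        if rule_matches(src, addr, wildcard):
            return action
    return "deny"


def wildcard_to_prefixlen(wildcard):
    """Prefix length the wildcard stands for, or None if it is not a contiguous host mask."""
    mask = ~_to_int(wildcard) & MASK32
    ones = bin(mask).count("1")
    return ones if mask == (MASK32 << (32 - ones)) & MASK32 else None


def rule_from_cidr(rule_id, action, cidr):
    """Render a basic ACL rule for a CIDR block using the correct wildcard (hostmask)."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    return f"rule {rule_id} {action} source {net.network_address} {net.hostmask}"


# ACL 2000 as it appears in the example's configuration script.
ACL_2000 = [(5, "permit", "10.248.103.0", "0.0.0.255")]
# The same intent written with a subnet mask instead of a wildcard (a common mistake).
ACL_2000_WRONG = [(5, "permit", "10.248.103.0", "255.255.255.0")]


def audit(acl, candidates):
    """Map each candidate source address to the ACL's decision for it."""
    return {src: acl_decision(src, acl) for src in candidates}


if __name__ == "__main__":
    candidates = ["10.248.103.17", "10.248.104.17", "192.0.2.0"]  # constructed
    print("correct wildcard :", audit(ACL_2000, candidates))
    print("subnet-mask error:", audit(ACL_2000_WRONG, candidates))
    print(rule_from_cidr(5, "permit", "10.248.103.0/24"))
```

With the wildcard written correctly, 10.248.103.17 is permitted and 10.248.104.17 is denied; with the subnet mask pasted in its place, the legitimate management host is denied while any address ending in .0, including 192.0.2.0 from an unrelated network, is permitted. Checking the rendered rule against the running configuration before applying ssh server acl is a cheap way to catch that inversion.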

----End

Verifying the Configuration


Use the OpenSSH software to log in to the SSH server from the client. Access the
Windows CLI and run the OpenSSH commands to connect to the device using
STelnet.
C:\Users\User1>ssh admin123@10.248.103.194
Enter passphrase for key 'C:\Users\User/.ssh/id_rsa':
Info: The max number of VTY users is 21, the number of current VTY users online is 4, and total number of terminal users online is 4.
The current login time is 2020-12-15 15:58:03.
<SSH Server>

Configuration Scripts
#
sysname SSH Server
#
acl number 2000
rule 5 permit source 10.248.103.0 0.0.0.255
#
rsa peer-public-key rsa01 encoding-type openssh
public-key-code begin
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCg5Ag490i6ilB7QuCVb35B8RJEh1DIYB88h2p1qjdh7qdMQv8rpJaVAgQWxwzKZO0XdFuz4ReGQzTCSf7Det7Ajicddw3qi+6P8hRqZj6MPdLg/o3RN4aPCfr/LFWCwqJ3gWGHlOC7qqjRk+6pySVoiWcSk5/elBkU7WVk/cSWrt4qFXJV373OCesKcEVeDvAa1Tvx6L3LQroBqUO0EXzDgOthPCmOqiqvS5h3JipzqVsesdSKjeInooCQzSOv5eePpBcFcIvU6wFiLIZ5vnf6YtypgTVzHuje/sh4xM7Iuuon7AYXKHT8NpO9jd9zA/lKaRPXyDtei1O1Bt/5lxnn rsa-key
public-key-code end
peer-public-key end
#
aaa
local-user admin123 password irreversible-cipher $1d$+,JS+))\\2$KVNj(.3`_5x0FCKGv}H&.kUTI`Ff&H*eBqO.ua>)$
local-user admin123 service-type terminal ssh
local-user admin123 privilege level 3
#
interface MEth0/0/0
ip address 10.248.103.194 255.255.255.0

#
stelnet server enable
ssh user admin123
ssh user admin123 authentication-type rsa
ssh user admin123 assign rsa-key rsa01
ssh user admin123 service-type stelnet
ssh server-source all-interface
ssh server acl 2000
#
ssh server cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
ssh server hmac sha2_256 sha2_512
ssh server key-exchange dh_group_exchange_sha256 dh_group16_sha512
ssh server publickey rsa_sha2_256 rsa_sha2_512
ssh server dh-exchange min-len 3072
#
user-interface vty 0 4
authentication-mode aaa
idle-timeout 120 0
protocol inbound ssh
#
return

4.6.4 Example for Configuring a Device to Access Another Device as an STelnet Client

Networking Requirements
The customer requires secure data exchange between the server and client. As
shown in Figure 4-10, two login users Client001 and Client002 are configured
and they use the password and RSA authentication modes respectively to log in to
the SSH server. A new port number is configured, and the default port number is
not used.

Figure 4-10 Network diagram for login to another device using STelnet
NOTE

In this example, interface1 represents 10GE1/0/1.

Configuration Roadmap
The configuration roadmap is as follows:

1. Generate a local key pair on the SSH server to secure data exchange between
the server and client.
2. Configure different authentication modes for the SSH users client001 and
client002 on the SSH server.


3. Enable the STelnet server function on the SSH server.
4. Configure the STelnet service type for the SSH users client001 and client002
on the SSH server.
5. Set an SSH server listening port number on the SSH server to prevent
attackers from accessing the standard SSH service port, ensuring security.
6. Log in to the SSH server as the client001 and client002 users through
STelnet.

Procedure
Step 1 Generate a local key pair on the server.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be:Host
The range of public key size is (2048, 4096).
NOTE: Key pair generation will take a short while.
Please input the modulus [default = 3072]:

Step 2 Create SSH users on the server.


# Configure a VTY user interface.
[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit

● Create an SSH user named client001.


# Create an SSH user named client001 and configure the password
authentication mode for the user.
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password
Please configure the login password (8-128)
It is recommended that the password consist of at least 2 types of characters, including lowercase
letters, uppercase letters, numerals and special characters.
Please enter password:
Please confirm password:
Info: Add a new user.
[SSH Server-aaa] local-user client001 privilege level 3
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit
[SSH Server] ssh user client001
[SSH Server] ssh user client001 authentication-type password

# Configure the encryption algorithm, HMAC authentication algorithm, key
exchange algorithm list, and public key algorithm on Client001.
<HUAWEI> system-view
[HUAWEI] sysname client001
[client001] ssh client cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
[client001] ssh client hmac sha2_256 sha2_512
[client001] ssh client key-exchange dh_group_exchange_sha256 dh_group16_sha512
[client001] ssh client publickey rsa_sha2_256 rsa_sha2_512

● Create an SSH user named client002.


# Create an SSH user named client002 and configure the RSA authentication
mode for the user.
[SSH Server] ssh user client002
[SSH Server] ssh user client002 authentication-type rsa
[SSH Server] ssh authorization-type default root

# Generate a local key pair on Client002.

<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] rsa local-key-pair create
The key name will be: client002_Host
The range of public key size is (2048, 4096).
NOTE: Key pair generation will take a short while.
Please input the modulus [default = 3072]:
# Configure the encryption algorithm, HMAC authentication algorithm, key
exchange algorithm list, and public key algorithm on Client002.
[client002] ssh client cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
[client002] ssh client hmac sha2_256 sha2_512
[client002] ssh client key-exchange dh_group_exchange_sha256 dh_group16_sha512
[client002] ssh client publickey rsa_sha2_256 rsa_sha2_512
# Check the public key in the RSA key pair generated on the client.
[client002] display rsa local-key-pair public
======================Host key==========================
Time of key pair created : 2019-11-03 08:56:38
Key name : client002_Host
Key type : RSA encryption key
========================================================
Key code:

3082010A
02820101
00A4BAB8 B964077E F7657F7F E4BE1DE8 71EE1707
E4EE2864 2D06FBE0 BFC1CB52 F99B7A99 0132B709
3F841CA2 3544B8B2 6EE0A9ED 04B19FE3 FB3DA86D
BE68FFE2 2303108D BDC24B80 A1793A08 FDA0B6C1
13C31EA5 298EC9B1 2B0BC8BD 32CFF896 29F8CA98
8B1724AF 5DA8A390 20906ADE 6A8AD77D 6234F0C8
DC965BA0 1771D9C0 A89ED49B 5ECF7EE2 D5997527
FC87FE03 E51658C1 0996DFDF DC456376 2FA4B268
4345131D 431419D2 DD5E4003 6A7D3295 145F3175
22E80686 E6B39A05 799D6BCF A78F69B6 BC2D0836
F5013421 77D68B89 A9EC182A 04B87BE3 500FCE14
9C95CF78 75704359 0C70FD60 1EFC0B99 32F02142
4CE781E4 36A60BFC 2CBD07F6 9E700CEE 4D0203
010001

Host public key for PEM format code:


---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAABAQCkuri5ZAd+92V/f+S+Hehx7hcH5O4oZC0G
++C/wctS+Zt6mQEytwk/hByiNUS4sm7gqe0EsZ/j+z2obb5o/+IjAxCNvcJLgKF5
Ogj9oLbBE8MepSmOybErC8i9Ms/4lin4ypiLFySvXaijkCCQat5qitd9YjTwyNyW
W6AXcdnAqJ7Um17PfuLVmXUn/If+A+UWWMEJlt/f3EVjdi+ksmhDRRMdQxQZ0t1e
QANqfTKVFF8xdSLoBobms5oFeZ1rz6ePaba8LQg29QE0IXfWi4mp7BgqBLh741AP
zhSclc94dXBDWQxw/WAe/AuZMvAhQkzngeQ2pgv8LL0H9p5wDO5N
---- END SSH2 PUBLIC KEY ----

Public key code for pasting into OpenSSH authorized_keys file:


ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCkuri5ZAd+92V/f+S+Hehx7hcH5O4oZC0G++C/wctS
+Zt6mQEytwk/hByiNUS4sm7gqe0EsZ/j+z2obb5o/+IjAxCNvcJLgKF5Ogj9oLbBE8MepSmOybErC8i9Ms/
4lin4ypiLFySvXaijkCCQat5qitd9YjTwyNyWW6AXcdnAqJ7Um17PfuLVmXUn/If+A+UWWMEJlt/f3EVjdi
+ksmhDRRMdQxQZ0t1eQANqfTKVFF8xdSLoBobms5oFeZ1rz6ePaba8LQg29QE0IXfWi4mp7BgqBLh741
APzhSclc94dXBDWQxw/WAe/AuZMvAhQkzngeQ2pgv8LL0H9p5wDO5N rsa-key

Host public key for SSH1 format code:


2048 65537
20795157856672359848547361269858029949242843585831182669194523227368193104900346497
51564062838779994414811756574319056037283986651865082633457078943496774842175805981
90093729334060817838060780955449126599749626192655532498343534107533323544305478060
44311868210891515536106321547674857755678562420627679242838953538641596303196319735
54494558678562482442247018243129430270141612311783975353971113532423335500440937726
19909488601542170799462826313639069974340296484981794888174430354307491156572632525
09381070628794959223309539977269992957151749764061913059943557804219705266011480071
185559202342216149175188942626811469

======================Server key========================

Time of key pair created : 2019-11-03 08:56:39
Key name : client002_Server
Key type : RSA encryption key
========================================================
Key code:

3081B9
0281B1
00B9AE42 B8419F19 35C49A7B A55DBB6F 67D931F3
9C19ECF9 9E17961B D01ED5DD 3AE68CFA 38C57113
C93663F2 86768B19 AD0F603E 98F2C6AB A71A6C26
8813411D 4AA56BC4 6505EC15 94647621 AB7D03BB
79DA9B24 09BB1FD2 3927E2F9 00F79116 466411CD
AC3D8FF6 A051FA5A 9BCE84CE 20842134 D2D27B4A
219CB801 9F5A90E0 518DEEFC F48F5ED4 49215B1F
11E1AC81 5E168A97 3AA5320D 7B158556 AF5CC95C
9B508BBC 6EEFEEF9 0E23AA13 59E1F746 D5
0203
010001

# Copy the RSA public key (the Key code under "Host key" in the display command
output) generated on the client to the server.
[SSH Server] rsa peer-public-key rsakey001
[SSH Server-rsa-public-key] public-key-code begin
[SSH Server-rsa-public-key-rsa-key-code] 3082010A
[SSH Server-rsa-public-key-rsa-key-code] 2820101
[SSH Server-rsa-public-key-rsa-key-code] 00A4BAB8 B964077E F7657F7F E4BE1DE8 71EE1707
[SSH Server-rsa-public-key-rsa-key-code] E4EE2864 2D06FBE0 BFC1CB52 F99B7A99 0132B709
[SSH Server-rsa-public-key-rsa-key-code] 3F841CA2 3544B8B2 6EE0A9ED 04B19FE3 FB3DA86D
[SSH Server-rsa-public-key-rsa-key-code] BE68FFE2 2303108D BDC24B80 A1793A08 FDA0B6C1
[SSH Server-rsa-public-key-rsa-key-code] 13C31EA5 298EC9B1 2B0BC8BD 32CFF896 29F8CA98
[SSH Server-rsa-public-key-rsa-key-code] 8B1724AF 5DA8A390 20906ADE 6A8AD77D 6234F0C8
[SSH Server-rsa-public-key-rsa-key-code] DC965BA0 1771D9C0 A89ED49B 5ECF7EE2 D5997527
[SSH Server-rsa-public-key-rsa-key-code] FC87FE03 E51658C1 0996DFDF DC456376 2FA4B268
[SSH Server-rsa-public-key-rsa-key-code] 4345131D 431419D2 DD5E4003 6A7D3295 145F3175
[SSH Server-rsa-public-key-rsa-key-code] 22E80686 E6B39A05 799D6BCF A78F69B6 BC2D0836
[SSH Server-rsa-public-key-rsa-key-code] F5013421 77D68B89 A9EC182A 04B87BE3 500FCE14
[SSH Server-rsa-public-key-rsa-key-code] 9C95CF78 75704359 0C70FD60 1EFC0B99 32F02142
[SSH Server-rsa-public-key-rsa-key-code] 4CE781E4 36A60BFC 2CBD07F6 9E700CEE 4D
[SSH Server-rsa-public-key-rsa-key-code] 203
[SSH Server-rsa-public-key-rsa-key-code] 10001
[SSH Server-rsa-public-key-rsa-key-code] public-key-code end
[SSH Server-rsa-public-key] peer-public-key end

# On the server, bind the RSA public key of the STelnet client to the SSH user
client002.
[SSH Server] ssh user client002 assign rsa-key rsakey001
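Step 7 and Step 8 of Example 4.6.3 and Step 2 of this example move the same RSA public key between two encodings: the one-line OpenSSH form that ssh-keygen writes to id_rsa.pub (and that the switch prints under "Public key code for pasting into OpenSSH authorized_keys file"), and the hexadecimal Key code that display rsa local-key-pair public prints and that public-key-code begin accepts. The following Python script is an added example, not Huawei or OpenSSH code: it parses the OpenSSH line, produces the Key code (the PKCS#1 RSAPublicKey DER) and the SSH1 "bits e n" line from it, and computes the SHA256 fingerprint that ssh-keygen -lf reports. An operator can use it to check that the key code a server holds for a user is really the client's id_rsa.pub before running assign rsa-key, or to compare a server's host key fingerprint, obtained out of band, with what the client shows at first login before answering the "Continue to access it?" prompt. The sample data is the client002 Host key copied from the display output above; the function and constant names are the example's own.

```python
"""RSA public-key conversions for the STelnet examples (added example, not Huawei code).
OpenSSH "ssh-rsa <base64>" line -> the switch "Key code" hex (PKCS#1 RSAPublicKey DER),
the SSH1 "bits e n" line, and the SHA256 fingerprint that ssh-keygen -lf prints.
Sample data: the client002 Host key from the display output above."""
import base64
import hashlib
import struct

# "Public key code for pasting into OpenSSH authorized_keys file" from the display output above.
PAGE_OPENSSH_LINE = "ssh-rsa " + "".join([
    "AAAAB3NzaC1yc2EAAAADAQABAAABAQCkuri5ZAd+92V/f+S+Hehx7hcH5O4oZC0G",
    "++C/wctS+Zt6mQEytwk/hByiNUS4sm7gqe0EsZ/j+z2obb5o/+IjAxCNvcJLgKF5",
    "Ogj9oLbBE8MepSmOybErC8i9Ms/4lin4ypiLFySvXaijkCCQat5qitd9YjTwyNyW",
    "W6AXcdnAqJ7Um17PfuLVmXUn/If+A+UWWMEJlt/f3EVjdi+ksmhDRRMdQxQZ0t1e",
    "QANqfTKVFF8xdSLoBobms5oFeZ1rz6ePaba8LQg29QE0IXfWi4mp7BgqBLh741AP",
    "zhSclc94dXBDWQxw/WAe/AuZMvAhQkzngeQ2pgv8LL0H9p5wDO5N",
]) + " rsa-key"

# "Key code" of the same Host key, copied from the SSH Server configuration script (whitespace is ignored).
PAGE_KEY_CODE = """
3082010A 02820101
00A4BAB8 B964077E F7657F7F E4BE1DE8 71EE1707 E4EE2864 2D06FBE0 BFC1CB52
F99B7A99 0132B709 3F841CA2 3544B8B2 6EE0A9ED 04B19FE3 FB3DA86D BE68FFE2
2303108D BDC24B80 A1793A08 FDA0B6C1 13C31EA5 298EC9B1 2B0BC8BD 32CFF896
29F8CA98 8B1724AF 5DA8A390 20906ADE 6A8AD77D 6234F0C8 DC965BA0 1771D9C0
A89ED49B 5ECF7EE2 D5997527 FC87FE03 E51658C1 0996DFDF DC456376 2FA4B268
4345131D 431419D2 DD5E4003 6A7D3295 145F3175 22E80686 E6B39A05 799D6BCF
A78F69B6 BC2D0836 F5013421 77D68B89 A9EC182A 04B87BE3 500FCE14 9C95CF78
75704359 0C70FD60 1EFC0B99 32F02142 4CE781E4 36A60BFC 2CBD07F6 9E700CEE
4D 0203 010001
"""


def _positive_bytes(value):
    """Big-endian bytes of a non-negative int, 0x00-prefixed when the top bit is set
    (the form that ASN.1 INTEGER and the SSH mpint share)."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return b"\x00" + body if body[0] & 0x80 else body


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(buf, pos):
    (length,) = struct.unpack(">I", buf[pos:pos + 4])
    end = pos + 4 + length
    return buf[pos + 4:end], end


def _openssh_blob(e, n):
    """The ssh-rsa wire encoding: string "ssh-rsa", mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _ssh_string(_positive_bytes(e)) + _ssh_string(_positive_bytes(n))


def parse_openssh(line):
    """'ssh-rsa <base64> [comment]' -> (e, n)."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("expected an ssh-rsa public key line")
    blob = base64.b64decode(fields[1], validate=True)
    keytype, pos = _read_ssh_string(blob, 0)
    e_bytes, pos = _read_ssh_string(blob, pos)
    n_bytes, pos = _read_ssh_string(blob, pos)
    if keytype != b"ssh-rsa" or pos != len(blob):
        raise ValueError("malformed ssh-rsa key blob")
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def to_openssh(e, n, comment="rsa-key"):
    return "ssh-rsa " + base64.b64encode(_openssh_blob(e, n)).decode("ascii") + " " + comment


def _der_len(length):
    if length < 0x80:
        return bytes([length])
    raw = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def to_key_code(e, n):
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }, as uppercase hex."""
    ints = [b"\x02" + _der_len(len(b)) + b for b in (_positive_bytes(n), _positive_bytes(e))]
    body = b"".join(ints)
    return (b"\x30" + _der_len(len(body)) + body).hex().upper()


def to_ssh1(e, n):
    """The 'Host public key for SSH1 format code' line: modulus bits, e and n in decimal."""
    return f"{n.bit_length()} {e} {n}"


def fingerprint(e, n):
    """What ssh-keygen -lf prints: unpadded base64 of SHA-256 over the ssh-rsa blob."""
    digest = hashlib.sha256(_openssh_blob(e, n)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


if __name__ == "__main__":
    e, n = parse_openssh(PAGE_OPENSSH_LINE)
    print(to_ssh1(e, n)[:40] + "...", fingerprint(e, n))
    print("matches the Key code on the page:", to_key_code(e, n) == "".join(PAGE_KEY_CODE.split()))
```

To check a user key before assign rsa-key, run to_key_code on the contents of the client's id_rsa.pub and compare the result, ignoring whitespace, with the key code recorded for that peer key in the server's configuration script; the echoed prompt lines in the procedure above show some length octets without their leading zero, so compare against the display output or the script rather than the echo. The same parse_openssh and fingerprint pair applied to a server's Host key, copied from its own display rsa local-key-pair public output, gives the value to compare against what the client reports at first login.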

Step 3 Enable the STelnet service on the SSH server and specify the source interface for
the SSH server.

# Enable the STelnet server function.
[SSH Server] stelnet server enable

# Specify the source interface for an SSH server.
[SSH Server] ssh server-source all-interface

# Configure the public key algorithm, encryption algorithm, key exchange
algorithm list, HMAC authentication algorithm, and minimum key length on the
SSH server.
[SSH Server] ssh server cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
[SSH Server] ssh server hmac sha2_256 sha2_512
[SSH Server] ssh server key-exchange dh_group_exchange_sha256 dh_group16_sha512
[SSH Server] ssh server publickey rsa_sha2_256 rsa_sha2_512
[SSH Server] ssh server dh-exchange min-len 3072


Step 4 Configure the STelnet service type for the SSH users client001 and client002.
[SSH Server] ssh user client001 service-type stelnet
[SSH Server] ssh user client002 service-type stelnet

Step 5 Configure a new listening port number on the SSH server.
[SSH Server] ssh server port 1025

Step 6 Connect the STelnet client to the SSH server.

# Enable the first login function for the SSH client.
Enable first login for Client001.
<HUAWEI> system-view
[HUAWEI] sysname client001
[client001] ssh client first-time enable
[client001] quit

Enable first login for Client002.
[client002] ssh client first-time enable
[client002] quit

# Log in to the SSH server from Client001 in password authentication mode by
entering the user name and password.
<client001> stelnet 10.1.1.1 1025
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
The server's public key does not match the one cached before.
The server is not authenticated. Continue to access it?[Y/N]:y
The keyname:10.1.1.1 already exists. Update it? [Y/N]:n

Please input the username: client001
Please select public key type for user authentication [R for RSA/D for DSA/E for ECC] Please select [R/D/E]:r
Enter password:

Enter the password. The following information indicates that the login is
successful:
Warning: The initial password poses security risks.
The password needs to be changed. Change now? [Y/N]:n

Info: The max number of VTY users is 21, the number of current VTY users online is 4, and total number of terminal users online is 4.
The current login time is 2013-12-31 11:22:06.
The last login time is 2013-12-31 10:24:13 from 10.1.2.2 through SSH.
<SSH Server>

# Log in to the SSH server from Client002 in RSA authentication mode.
<client002> stelnet 10.1.1.1 1025
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
The server's public key does not match the one cached before.
The server is not authenticated. Continue to access it?[Y/N]:y
The keyname:192.168.1.182 already exists. Update it? [Y/N]: n

Please input the username: client002
Please select public key type for user authentication [R for RSA/D for DSA/E for ECC] Please select [R/D/E]:r

Info: The max number of VTY users is 21, the number of current VTY users online is 4, and total number of terminal users online is 4.
The current login time is 2013-12-31 11:36:06.

<SSH Server>


If the user view is displayed, the login is successful. If the message Session is
disconnected is displayed, the login fails.

----End

Verifying the Configuration


# Attackers fail to log in to the SSH server using the default listening port number 22.
<client002> stelnet 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Error: Failed to connect to the remote host.

The display ssh server status command output indicates that the STelnet server
function has been enabled. The display ssh user-information command output
contains information about SSH users on the server.
# Check the status of the SSH server.
[SSH Server] display ssh server status
SSH Version : 2.0
SSH authentication timeout (Seconds) : 60
SSH authentication retries (Times) :3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility : Disable
SSH server keepalive : Enable
SFTP server : Enable
STelnet server : Enable
SNETCONF server : Disable
SNETCONF server port(830) : Enable
SCP server : Disable
SSH server port : 1025
ACL name : --
ACL number : --
ACL6 name : --
ACL6 number : --
SSH server source address : 0.0.0.0

# Check information about SSH users.


[SSH Server] display ssh user-information
--------------------------------------------------------------------------------
User Name : client001
Authentication type : password
User public key name : --
User public key type : --
Sftp directory : flash:
Service type : stelnet

User Name : client002
Authentication type : rsa
User public key name : --
User public key type : --
Sftp directory : flash:
Service type : stelnet
--------------------------------------------------------------------------------
Total 2, 2 printed

Configuration Scripts
● SSH Server
#
sysname SSH Server
#

rsa peer-public-key rsakey001
public-key-code begin
3082010A
02820101
00A4BAB8 B964077E F7657F7F E4BE1DE8 71EE1707 E4EE2864 2D06FBE0 BFC1CB52
F99B7A99 0132B709 3F841CA2 3544B8B2 6EE0A9ED 04B19FE3 FB3DA86D BE68FFE2
2303108D BDC24B80 A1793A08 FDA0B6C1 13C31EA5 298EC9B1 2B0BC8BD 32CFF896
29F8CA98 8B1724AF 5DA8A390 20906ADE 6A8AD77D 6234F0C8 DC965BA0 1771D9C0
A89ED49B 5ECF7EE2 D5997527 FC87FE03 E51658C1 0996DFDF DC456376 2FA4B268
4345131D 431419D2 DD5E4003 6A7D3295 145F3175 22E80686 E6B39A05 799D6BCF
A78F69B6 BC2D0836 F5013421 77D68B89 A9EC182A 04B87BE3 500FCE14 9C95CF78
75704359 0C70FD60 1EFC0B99 32F02142 4CE781E4 36A60BFC 2CBD07F6 9E700CEE
4D
0203
010001
public-key-code end
peer-public-key end
#
aaa
local-user client001 password irreversible-cipher $1d$v!=.5/:(q-$xL=\K+if"'S}>k7vGP5$_ox0B@ys7.'DBHL~3*aN$
local-user client001 service-type ssh
local-user client001 privilege level 3
#
ssh server port 1025
stelnet server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
ssh user client002
ssh user client002 authentication-type rsa
ssh user client002 assign rsa-key rsakey001
ssh user client002 service-type stelnet
ssh server-source all-interface
#
ssh server cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
ssh server hmac sha2_256 sha2_512
ssh server key-exchange dh_group_exchange_sha256 dh_group16_sha512
ssh server publickey rsa_sha2_256 rsa_sha2_512
ssh server dh-exchange min-len 3072
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return
● Client001
#
sysname client001
#
ssh client first-time enable
#
ssh client cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
ssh client hmac sha2_256 sha2_512
ssh client key-exchange dh_group_exchange_sha256 dh_group16_sha512
ssh client publickey rsa_sha2_256 rsa_sha2_512
#
return
● Client002
#
sysname client002
#
ssh client first-time enable
#
ssh client cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
ssh client hmac sha2_256 sha2_512
ssh client key-exchange dh_group_exchange_sha256 dh_group16_sha512
ssh client publickey rsa_sha2_256 rsa_sha2_512

#
return

4.7 Maintaining the Device CLI


Deleting Online Users
To disconnect a login user from a device, you can delete the user.
Run the kill user-interface { ui-number | ui-type ui-number1 } command to
delete online users.
Run the display users command to view information about users who have
logged in to the device.

Locking Configuration Rights


When multiple users log in to the system to perform configurations at the same
time, conflicts may occur. To avoid service exceptions, you can configure exclusive
configuration rights to ensure that only one user can perform configurations at a
time.
● Method 1: Lock configuration rights based on the session.
a. Lock configuration rights for the current user.
configuration exclusive

After the command is executed, the configuration rights are exclusive to
the current user.
NOTE

● This command applies to all views.
● You can run the display configuration exclusive user command to check
information about a user who holds an exclusive lock on the configuration
rights.
● If the configuration rights have been locked, a message will be displayed
when you attempt to lock the configuration rights again.
b. Enter the system view.
system-view

c. (Optional) Configure the lockout period after which the system
automatically unlocks the configuration rights.
configuration exclusive timeout timeout-value

This command specifies the maximum period for locking the
configuration rights for a specific user when no configuration command
is delivered. After the specified period expires, the system automatically
unlocks the configuration rights and other users can perform
configurations.
By default, the lockout period is 30 seconds.
● Method 2: Lock the configurations based on the user name.
Multiple users can access a device in order to manage it. These users can be
controller users or other types of users. If a non-controller user logs in to the
device and modifies device configurations in a scenario where the controller is
deployed, the configurations delivered by the controller may be different from
those on the device. You can run the configuration exclusive by-user-name
command to lock the system configuration for a specified controller user,
preventing configuration inconsistency between the device and controller.
When multiple users manage a device, you can lock the device for a specified
user name, so that only users who log in to the device using this user name
can modify device configurations.
a. Enter the system view.
system-view

b. Lock the system configuration for a specified user name.
configuration exclusive by-user-name user-name

By default, the system configuration is not locked.

NOTE

● The system configuration can be locked for one user name at a time.
● Only users of the management privilege level can lock and unlock the system configuration.
● After the system configuration is locked for a specified user name, only users with this user name can perform configuration operations. The configuration operations performed by other users cannot take effect. To make other users' configurations take effect, run the undo configuration exclusive by-user-name user-name command to unlock the configuration.
● When running the undo configuration exclusive by-user-name user-name command, ensure that user-name is set to the user name for which the configuration is locked.
● Run the display configuration exclusive by-user-name command to view lock information about system configuration that is locked or unlocked based on the user name.

Locking a User Interface

When you need to temporarily stop operating the terminal, lock the user interface to prevent unauthorized users from operating it.

1. Run the lock command to lock the user interface.
2. Enter the lock password and confirm it when prompted.
<HUAWEI> lock
Enter Password:
Confirm Password:
Info: The terminal is locked.

After running the lock command, you are prompted to enter and then confirm the lock password. If the two passwords are the same, the user interface is locked.
To unlock the user interface, press Enter, and then enter the login password as prompted.
NOTE

After the weak password dictionary maintenance function is enabled, the passwords
(which can be queried using the display security weak-password-dictionary
command) defined in the weak password dictionary cannot be specified in this
command.


User Interface Communication


When multiple users concurrently log in to the device, the device supports
message exchanges between user interfaces.
1. Run the send { all | ui-type ui-number } command to specify the user
interface from which messages are to be sent.
2. Enter a message and send it as prompted.
After entering a message on the current user interface, press Enter or Ctrl+Z
to send the message. You can also press Ctrl+C to cancel message sending.
After receiving the message, the target user interface immediately displays it.
<HUAWEI> send all
Enter message, end with CTRL+Z or Enter; abort with CTRL+C:
hello~!
Send message? [Y/N]:Y

4.8 Troubleshooting CLI-based Device Login Failure

4.8.1 Failed to Log In to the Telnet Server Using Telnet


Fault Description
A user fails to log in to the Telnet server using Telnet.

Procedure
Step 1 Check whether the number of users who have logged in to the Telnet server
reaches the upper limit.
Log in to the device through the console port. Then, run the display users
command to check whether the current VTY user interfaces are all occupied. You
can run the display user-interface maximum-vty command to check the
maximum number of VTY user interfaces.
If the number of current VTY user interfaces reaches the upper limit, run the user-interface maximum-vty 21 command to increase the maximum number of VTY user interfaces to 21.
Step 2 Check whether an ACL has been configured on the VTY user interface of the
device.
Run the user-interface vty command on the Telnet server to enter the user
interface view. Run the display this command to check whether an ACL has been
configured on the VTY user interface. If so, record the ACL number.
Run the display acl acl-number command on the Telnet server to check whether
the Telnet client IP address is denied in the ACL. If so, run the undo rule rule-id
command in the ACL view to delete the deny rule, and then run the rule permit
source source-ip-address source-wildcard command in the ACL view to permit the
client IP address.
Step 3 Check the protocol configuration in the VTY user interface view.
Run the user-interface vty command on the Telnet server to enter the user interface view. Run the display this command to check whether protocol inbound of the VTY user interface is telnet or all. (By default, the user interface supports all protocol types, including SSH and Telnet.) If not, run the protocol inbound { telnet | all } command to allow Telnet users to access the device.

Step 4 Check whether the login authentication mode is configured in the VTY user
interface view.

If AAA authentication is configured using the authentication-mode aaa command, you must run the local-user user-name password command to create a local AAA user and set the user service type to Telnet.

----End

4.8.2 Failed to Log In to the SSH Server Using STelnet

Fault Description
A user fails to log in to the SSH server using STelnet.

Procedure
Step 1 Check whether the SSH service is enabled on the SSH server.

Log in to the SSH server through the console port or Telnet. Run the display ssh
server status command to check the configuration on the SSH server.

If STelnet is disabled, run the stelnet server enable command to enable the
STelnet server function on the SSH server.

Step 2 Check whether the access protocol is correctly configured in the VTY user interface
view on the SSH server.

Run the user-interface vty command on the SSH server to enter the user
interface view. Run the display this command to check whether protocol
inbound of the VTY user interface is ssh or all. (By default, the user interface
supports all protocol types, including SSH and Telnet.) If not, run the protocol
inbound { ssh | all } command to allow STelnet users to access the device.

Step 3 Check whether an SSH user is configured on the SSH server.

Run the display ssh user-information command to check the SSH user configuration. If no user is configured, run the ssh user, ssh user authentication-type, and ssh user service-type commands in the system view to create an SSH user and configure its authentication mode and service type.

Step 4 Check whether the number of users who have logged in to the SSH server reaches
the upper limit.

Log in to the device through the console port. Then, run the display users
command to check whether the current VTY user interfaces are all occupied. You
can run the display user-interface maximum-vty command to check the
maximum number of VTY user interfaces.

If the number of current VTY user interfaces reaches the upper limit, run the user-interface maximum-vty 21 command to increase the maximum number of VTY user interfaces to 21.

Step 5 Check whether an ACL is bound to the VTY user interface of the SSH server.
Run the user-interface vty command on the SSH server to enter the SSH user
interface view. Run the display this command to check whether an ACL has been
configured on the VTY user interface. If so, record the ACL number.
Run the display acl acl-number command on the SSH server to check whether the IP address of the STelnet client is denied in the ACL. If so, run the undo rule rule-id command in the ACL view to delete the deny rule, and then run the rule permit source source-ip-address source-wildcard command in the ACL view to permit the client IP address.
Step 6 Check the SSH versions of the SSH client and server.
Run the display ssh server status command on the SSH server to check the SSH
version information.
Step 7 Check whether first login is enabled for the SSH client.
Run the display this command in the system view of the SSH client to check
whether first login is enabled for the SSH client.
If not, the initial login of the STelnet client to the SSH server fails because validity
check on the RSA public key of the SSH server fails. Therefore, you need to run the
ssh client first-time enable command to enable first login for the SSH client.

----End


5 Web UI-based Login Configuration

5.1 Overview of Web UI-based Login


5.2 Configuration Precautions for Web UI-based Login
5.3 Configuring Web UI-based Login
5.4 Maintaining Web UI-based Login
5.5 Troubleshooting Web-based Device Login Failure
5.6 Web UI-based Login FAQs

5.1 Overview of Web UI-based Login


Definition
Users can log in to and manage a device through a web-based graphical user
interface (GUI).

Purpose
The built-in web server function of a device provides a GUI, through which users
can log in to the device from a terminal using HTTPS for management and
maintenance.

5.2 Configuration Precautions for Web UI-based Login


Licensing Requirements
Web UI-based login is not under license control.


Hardware Requirements

Table 5-1 Hardware requirements

Series: Models
S5735-L-V2 series: S5735-L10T4X-A-V2/S5735-L10T4X-TA-V2/S5735-L16T4S-A-V2/S5735-L16T4X-QA-V2/S5735-L24P4S-A-V2/S5735-L24P4XE-A-V2/S5735-L24P4XE-TA-V2/S5735-L24T4S-A-V2/S5735-L24T4X-QA-V2/S5735-L24T4XE-A-V2/S5735-L24T4XE-D-V2/S5735-L48LP4S-A-V2/S5735-L48LP4XE-A-V2/S5735-L48P4XE-A-V2/S5735-L48T4S-A-V2/S5735-L48T4XE-A-V2/S5735-L48T4XE-D-V2/S5735-L48T4XE-TA-V2/S5735-L8P2T4X-A-V2/S5735-L8P2T4X-TA-V2/S5735-L8P4S-A-V2/S5735-L8P4X-QA-V2/S5735-L8T4S-A-V2/S5735-L8T4X-QA-V2
S5735-S-V2 series: S5735-S24P4XE-V2/S5735-S24T4XE-V2/S5735-S24U4XE-V2/S5735-S48P4XE-V2/S5735-S48T4XE-V2/S5735-S48U4XE-V2
S3710-H series: S3710-H24P4S-A/S3710-H24T4S-A/S3710-H48LP4S-A/S3710-H48T4S-A
S5735I-L-V2 series: S5735I-L10T4X-A-V2/S5735I-L8P4X-A-V2
S5732-H-V2 series: S5732-H24S4X6QZ-TV2/S5732-H24S4X6QZ-V2/S5732-H48UM4Y2CZ-TV2/S5732-H48UM4Y2CZ-V2
S5735I-S-V2 series: S5735I-S24T4XE-T-V2/S5735I-S24T4XE-V2/S5735I-S24U4XE-T-V2/S5735I-S24U4XE-V2/S5735I-S8T4SN-V2/S5735I-S8T4XN-T-V2/S5735I-S8T4XN-V2/S5735I-S8U4XN-V2
S6730-H-V2 series: S6730-H24X6C-TV2/S6730-H24X6C-V2/S6730-H28X6CZ-TV2/S6730-H28X6CZ-V2/S6730-H48X6C-TV2/S6730-H48X6C-V2

Feature Requirements

Table 5-2 Feature requirements

Each requirement in this table applies to the S5735-L-V2, S5735-S-V2, S3710-H, S5735I-L-V2, S5732-H-V2, S5735I-S-V2, and S6730-H-V2 series; the models are the same as those listed in Table 5-1.

Feature requirements:
● When the northbound API function is enabled, you are not advised to log in to the device through the web UI or CLI to configure the device. Otherwise, the northbound API user and you may deliver configurations at the same time, causing inconsistency between configurations on the northbound API controller and those on the device.
● The following browsers are supported for web UI-based login: Firefox 78 or later; Google Chrome 81 or later; Edge 81 or later.
● The web UI of a device supports TLS1.2 and TLS1.3, which are secure SSL protocols. A browser using an insecure SSL protocol will fail to display the login page, as will a browser that is not of a supported version.
● 1. If the web page cannot be accessed after the device software version is upgraded, clear the historical cache data of the browser.
2. When the web addresses of different devices are translated into the same IP address but different ports through NAT, you are advised to use different browsers to access the web addresses at the same time to avoid conflicts, because the cookies of the same IP address are shared.
● Ensure that JavaScript is enabled. Otherwise, the web UI may fail to be properly displayed. According to the browser in use, use one of the following methods to enable JavaScript:
Firefox: JavaScript is enabled by default in Firefox 23.0 and later versions.
Chrome browser: Choose Settings > Show advanced settings > Privacy > Content Settings > JavaScript and select Allow all sites to run JavaScript. The configuration method varies according to the Chrome version.
Edge: Choose Settings > Site permissions > JavaScript and ensure that JavaScript is enabled.

5.3 Configuring Web UI-based Login

5.3.1 Configuring Web UI-based Login

Context
Using local authentication as an example, this section describes how to configure
web UI-based login through HTTPS. For details about how to configure this
function when server authentication is used, see "AAA Configuration" in CLI
Configuration Guide > User Access and Authentication Configuration.

For security purposes, change the password periodically.


Procedure
Step 1 Create a local account. (This step is required upon first login, as there is no default account.)
1. Enter the system view.
system-view

2. Enter the AAA view.
aaa

3. Configure the local user name and password.
local-user user-name password irreversible-cipher ir-password

4. Set the service type of the local user to HTTP.
local-user user-name service-type http

5. Set the privilege level to 3 for the local user.
local-user user-name privilege level 3

Users with a privilege level of 3 can access all the pages by default. If you need to set up different users to access different levels of pages, see "Creating an Administrator Role" in Web Configuration Guide > System > Administrator.
6. Return to the system view.
quit

Step 2 Enable the HTTPS service.
web-manager enable [ port port-number ]

Step 3 Enable forcible redirection from HTTP to HTTPS.
web-manager http forward enable

By default, this function is enabled. With this function enabled, a device automatically displays the web UI using HTTPS (a secure version of HTTP) if a user attempts to log in to the device's management interface at http://ip-address using HTTP. If this function is disabled, you cannot use HTTP to access the web UI.
Step 4 Configure the certificate sent by the device functioning as a server to the terminal
functioning as a client.
web-manager security server-certificate server-certificate-file

If no certificate is specified, the server sends the default certificate to the client for
authentication when the client attempts to log in to the server through HTTPS. If
a certificate is specified, the server sends the specified certificate to the client for
authentication. You can obtain the CA certificate from the device's web UI or CA
server and import it to the client's browser. The client then uses the imported CA
certificate to verify the identity of the device.
The specified certificate needs to be applied for from the CA server. After the CA
server generates the requested certificate, download the certificate to the device's
storage path and then import it to the memory for the certificate to take effect.
For details, see "PKI Configuration" in CLI Configuration Guide > Security
Configuration.


NOTE

The CA can be an internationally recognized organization or a PC running certificate services. The client can trust a certificate only after the client user has obtained the CA certificate of the CA server that issues the server's certificate and imported it into the browser. If the CA certificate is not imported into the browser, the client can still log in to the device through HTTPS. In this case, the client cannot verify the validity of the server's certificate and is vulnerable to attacks.
If the local certificate is issued by a multi-level CA, you need to make the local certificate and CA certificates into a certificate chain file and import it to the device. If the local certificate and CA certificates are separately imported, the CA certificate downloaded on the login page cannot clear the security alarm generated during device access.

Step 5 Configure two-way authentication. Before enabling this function, import the client
certificate to the browser and import the matching CA certificate to the server.
When logging in to the server using HTTPS, the client sends its certificate to the
server, which then uses the CA certificate to verify the client certificate.
1. Enable two-way authentication between the server and client.
web-manager security verify-ssl-peer

2. Specify the CA certificate used by the server to verify the client certificate.
web-manager security ca-certificate ca-certificate

Step 6 Configure the device IP address that can be used to access the web UI.
web-manager { ipv4 | ipv6 } server-source -a ip-address [ vpn-instance vpn-instance ]

By default, no IP address is configured for accessing the web UI. That is, all IP
addresses can be used to access the web UI.

Step 7 Configure the device interface that can be used to access the web UI.
● Configure an interface to be used to access the web UI.
web-manager server-source -i interface-type interface-num

● Configure all interfaces to be used to access the web UI.
web-manager server-source all-interface

NOTE

If you have configured an IP address that can be used to access the web UI, you do not need to configure the interface for accessing the web UI. Select either of them.

Step 8 Use an Ethernet cable to connect the network interface of the terminal to the
interface of the device, either directly or via a Layer 2 switch.

Step 9 Open a browser on the terminal and log in to the device by entering https://
Device's management interface IP address:port number. Use the account and
password configured in Step 1 to log in to the web UI of the device. During the
first login, the device prompts you to change the password.

----End

Verifying the Configuration

Run the display web-manager { configuration | users [ brief ] } command in any view to check information about the web server and web login user.

5.3.2 Adjusting Web UI-based Login Parameters

Procedure
Step 1 Enter the system view.
system-view

Step 2 Enable the CAPTCHA code check function of the web authentication page.
web-manager captcha enable

Step 3 Configure the web service timeout interval.
web-manager timeout time-out

If no operation is performed on the web UI within the timeout interval, the current user is automatically logged out.

Step 4 Configure the maximum number of online web users.
web-manager max-user-number max-user-num

Step 5 Set abnormal packet check parameters for HTTP low-rate attack defense.
web-manager slow-attack check [ content-length content-length | payload-length payload-length |
packet-number packet-number ] *

Step 6 Enable the function of displaying login warning information. After this function is
enabled, the system displays a warning about possible consequences of
unauthorized device use when you enter a user name and password to log in to
the web UI. You can access the web UI only after confirming the warning.
1. Enable the function of displaying login warning information.
web-manager warning-banner enable

2. Configure the warning information.
web-manager warning-banner { chinese | english } description-text

The device provides default warning information. You can choose to modify it.

– Default warning information:
WARNING! Unauthorized use of the device is strictly prohibited and may be subject to criminal prosecution. Accept, Enter the system; Reject, Withdraw from the system; If nothing is selected, you will not allow to access the system.

Step 7 Configure the function of responding to a non-existent URL access request.
web-manager security non-existent-url enable

By default, the device does not respond when the client browser accesses a non-
existent URL, and the client browser returns error 404. After this command is
configured, the device returns a blank page when the client browser accesses a
non-existent URL. This function makes it difficult for hackers to traverse web
server resources.

Step 8 Enable the IP address lockout function. If the maximum number of consecutive
failed login attempts of an IP address is reached within the retry interval, the IP
address is locked out and cannot be used for login within the lockout period.
web-manager lock-ip retry-interval retry-interval retry-time retry-time block-time block-time

By default, the IP address lockout function is enabled, the login retry interval is 15 minutes, the maximum number of consecutive failed login attempts is 16, and the IP address lockout period is 5 minutes.

----End
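The lockout behaviour in Step 8 is easiest to reason about as a small per-IP state machine. The following Python model is an added example, not Huawei code: it uses the default values stated above (15 minutes, 16 attempts, 5 minutes) and assumes, where the guide is silent, that failures are counted from the first failure of the current window and that a successful login resets the count; the PC address 10.3.0.10 is taken from the example in 5.3.3.

```python
"""Model of the web UI IP address lockout described in 5.3.2 Step 8.

Added example, not Huawei code. It uses the documented defaults
(retry-interval 15 minutes, retry-time 16, block-time 5 minutes) and makes
two assumptions the guide does not spell out: failures are counted from the
first failure of the current window, and a successful login resets the count.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IpLockoutPolicy:
    retry_interval: int = 15 * 60   # seconds; guide default: 15 minutes
    retry_time: int = 16            # consecutive failures before lockout
    block_time: int = 5 * 60        # seconds; guide default: 5 minutes


@dataclass
class _IpState:
    failures: int = 0
    window_start: float = 0.0
    blocked_until: float = 0.0


class WebLoginGuard:
    """Decides, per source IP, whether a login attempt is even evaluated."""

    def __init__(self, policy=None):
        self.policy = policy or IpLockoutPolicy()
        self._state = {}

    def is_blocked(self, ip, now):
        st = self._state.get(ip)
        return st is not None and now < st.blocked_until

    def attempt(self, ip, now, credentials_ok):
        """Record one attempt at time `now` (seconds) and return
        'blocked', 'ok' or 'failed'."""
        st = self._state.setdefault(ip, _IpState())
        if now < st.blocked_until:
            return "blocked"            # refused before credentials are checked
        if credentials_ok:
            st.failures = 0             # assumption: success resets the counter
            return "ok"
        # A failure either continues the open window or starts a new one.
        if st.failures == 0 or now - st.window_start > self.policy.retry_interval:
            st.failures = 0
            st.window_start = now
        st.failures += 1
        if st.failures >= self.policy.retry_time:
            st.blocked_until = now + self.policy.block_time
            st.failures = 0             # counting restarts once the block ends
        return "failed"


def simulate_password_guessing(policy=None):
    """Constructed scenario from the PC address used in 5.3.3 (10.3.0.10):
    16 wrong passwords within 16 seconds, then the correct password 5 seconds
    later (still inside the block), then the correct password after the block."""
    guard = WebLoginGuard(policy)
    ip = "10.3.0.10"
    results = [guard.attempt(ip, t, False) for t in range(16)]    # t = 0..15
    results.append(guard.attempt(ip, 20, True))                   # blocked
    results.append(guard.attempt(ip, 20 + 5 * 60, True))          # block over
    return results


if __name__ == "__main__":
    for i, outcome in enumerate(simulate_password_guessing()):
        print(f"attempt {i + 1:2d}: {outcome}")
```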

5.3.3 Example for Configuring Web UI-based Login Through HTTPS (Default Certificate)

Networking Requirements
In Figure 5-1, the local account admin123 is configured for DeviceA, which can be
used to log in to the web UI of DeviceA through HTTPS.

Figure 5-1 Network diagram for logging in to the web UI through HTTPS (default
certificate)
NOTE

In this example, interface 1 represents Vlanif10.

Data Planning
Item Data

User name admin123

Password YsHsjx_202206

Service type HTTPS

User privilege level 3

Configuration Roadmap
1. Configure all interfaces to be used to access the web UI.
2. Configure a login interface for the device.
3. Create a local user account for logging in to the web UI of the device.
4. Enable the web service function on the device.
5. Use the local user account to log in to the web UI of the device.

Procedure
Step 1 Configure all interfaces to be used to access the web UI.


<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] web-manager server-source all-interface

Step 2 Configure a login interface for the device.


1. Configure an IP address for the interface.
[DeviceA] interface vlanif10
[DeviceA-Vlanif10] ip address 10.3.0.1 255.255.255.0
[DeviceA-Vlanif10] quit

Step 3 Create a web user account.


[DeviceA] aaa
[DeviceA-aaa] local-user admin123 password irreversible-cipher YsHsjx_202206
[DeviceA-aaa] local-user admin123 service-type http
[DeviceA-aaa] local-user admin123 privilege level 3
[DeviceA-aaa] quit

Step 4 Enable the web service function.


1. Enable the HTTPS service.
[DeviceA] web-manager enable port 8443

By default, the HTTPS service is enabled and the corresponding port number
is 8443.
2. Enable forcible redirection from HTTP to HTTPS.
[DeviceA] web-manager http forward enable

By default, this function is enabled. When this function is enabled, HTTPS is
used even if you use HTTP to access the web UI.

Step 5 Log in to the web UI.


1. Set the IP address of the PC used for web UI login to 10.3.0.10/24.
2. Open a browser and enter https://10.3.0.1:8443.
3. Enter the created web user account (user name: admin123; password:
YsHsjx_202206) and click Login.

----End

Verifying the Configuration


Use a browser to access the web UI of the device, enter the user name and
password, and check whether the login is successful.

Configuration Scripts
#
sysname DeviceA
#
web-manager server-source all-interface
web-manager enable port 8443
web-manager http forward enable
#
interface Vlanif10
ip address 10.3.0.1 255.255.255.0
#
aaa
local-user admin123 password irreversible-cipher $1d$OwseVRh@LH}ZeTBm$1nH4$ab>d(N{-%0!ab48y=Ic*xEUR4pVhR2"9-~,$
local-user admin123 service-type http
local-user admin123 privilege level 3


#
return

5.3.4 Example for Configuring Web UI-based Login Through HTTPS (Specified Certificate)
Networking Requirements
In Figure 5-2, the local account admin123 is configured for DeviceA, which can be
used to log in to the web UI of DeviceA through HTTPS.

Figure 5-2 Network diagram for logging in to the web UI through HTTPS (specified certificate)
NOTE

In this example, interface 1 represents Vlanif10.

Data Planning
Item                   Data
User name              admin123
Password               YsHsjx_202206
Service type           HTTPS
User privilege level   3
Specified certificate  cep_local.cer

Configuration Roadmap
1. Configure a certificate for login authentication.
2. Configure a login interface for the device.
3. Create a local user account for logging in to the web UI of the device.
4. Enable the web service function on the device.
5. Use the local user account to log in to the web UI of the device.

Procedure
Step 1 Configure a certificate.
1. Generate a certificate request file on DeviceA and send the file to the CA
server using methods such as the web UI, disks, and emails. After the
application is approved, the CA server will generate certificates. You can use
HTTP, LDAP, or other methods to download the CA certificate and local
certificate from the CA server to DeviceA and install them for them to take
effect. For details, see "PKI Configuration" in CLI Configuration Guide >
Security Protection.
NOTE

In the local certificate, the value of Subject Alternative Name must be the same as
the IP address for logging in to the web UI of the device. If a domain name is used to
access the web UI, set Subject Alternative Name to the domain name.
Assume that the CA certificate and local certificate are cep_ca.cer and cep_local.cer,
respectively.
2. Obtain the CA certificate of the CA server that issues certificates to the device
and import it to the browser of the PC (client) used for web UI login.
NOTE

If the CA certificate is not imported to the browser, the client can still log in to the
device through HTTPS. In this case, the client cannot verify the validity of the server's
certificate and is vulnerable to attacks.
3. Configure the certificate sent by the device to the client during the client's
login to the device through HTTPS.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] web-manager security server-certificate cep_local.cer

Step 2 Configure all interfaces to be used to access the web UI.


[DeviceA] web-manager server-source all-interface

Step 3 Configure a login interface for the device.


1. Configure an IP address for the interface.
[DeviceA] interface vlanif 10
[DeviceA-Vlanif10] ip address 10.3.0.1 255.255.255.0
[DeviceA-Vlanif10] quit

Step 4 Create a web user account.


[DeviceA] aaa
[DeviceA-aaa] local-user admin123 password irreversible-cipher YsHsjx_202206
[DeviceA-aaa] local-user admin123 service-type http
[DeviceA-aaa] local-user admin123 privilege level 3
[DeviceA-aaa] quit

Step 5 Enable the web service function.


1. Enable the HTTPS service.
[DeviceA] web-manager enable port 8443

By default, the HTTPS service is enabled and the corresponding port number
is 8443.
2. Enable forcible redirection from HTTP to HTTPS.
[DeviceA] web-manager http forward enable

By default, this function is enabled. When this function is enabled, HTTPS is
used even if you use HTTP to access the web UI.
Step 6 Log in to the web UI of the device.
1. Set the IP address of the PC used for web UI login to 10.3.0.10/24.


2. Open a browser and enter https://10.3.0.1:8443.
3. Enter the created web user account (user name: admin123; password:
YsHsjx_202206) and click Login.
----End

Verifying the Configuration


Use a browser to access the web UI of the device, enter the user name and
password, and check whether the login is successful.

Configuration Scripts
#
sysname DeviceA
#
web-manager server-source all-interface
web-manager enable port 8443
web-manager http forward enable
web-manager security server-certificate cep_local.cer
#
interface Vlanif10
ip address 10.3.0.1 255.255.255.0
#
aaa
local-user admin123 password irreversible-cipher $1d$OwseVRh@LH}ZeTBm$1nH4$ab>d(N{-%0!ab48y=Ic*xEUR4pVhR2"9-~,$
local-user admin123 service-type http
local-user admin123 privilege level 3
#
return

5.3.5 Example for Configuring Web UI Login Through HTTPS (Two-Factor Authentication)
Networking Requirements
As shown in Figure 5-3, the administrator account admin123 is configured on the
RADIUS server, and this account is allowed to log in to the web UI through HTTPS.
DeviceA uses two-factor authentication ("user name + password" and SMS
verification code) to authenticate the administrator who uses this account.

Figure 5-3 Networking diagram for web UI login through HTTPS (two-factor
authentication)
NOTE

Interface1 and Interface2 stand for Vlanif10 and Vlanif20, respectively.


Data Planning
Item                  Data
User name             admin123
Password              YsHsjx_202206
Service type          HTTPS
User privilege level  3

Configuration Roadmap
1. Configure all interfaces to be used to access the web UI.
2. Configure a login interface for the device.
3. Configure the interface connecting the device to the RADIUS server.
4. Configure a RADIUS server template.
5. Configure an authentication scheme.
6. Configure an authentication domain and reference the RADIUS server template
and authentication scheme in it.
7. Configure the RADIUS server.
8. Use the administrator account to log in to the web UI of the device.
NOTE

This example describes only the configurations of the administrator on the device.

Procedure
1. Configure all interfaces to be used to access the web UI.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] web-manager server-source all-interface

2. Configure a login interface for the device.


a. Set an IP address for the interface.
[DeviceA] interface vlanif10
[DeviceA-Vlanif10] ip address 10.3.0.1 255.255.255.0
[DeviceA-Vlanif10] quit

3. Enable the web service function.


a. Enable the HTTPS service.
[DeviceA] web-manager enable port 8443

b. Enable forcible redirection from HTTP to HTTPS.


[DeviceA] web-manager http forward enable

4. Configure the interface connecting the device to the RADIUS server.


a. Configure an IP address for the interface. (The address matches the
configuration script at the end of this example.)
[DeviceA] interface vlanif20
[DeviceA-Vlanif20] ip address 172.16.0.1 255.255.255.0
[DeviceA-Vlanif20] quit

5. Configure a RADIUS server template and realize the connectivity between the
device and RADIUS server.


[DeviceA] radius-server template radius_server
[DeviceA-radius-radius_server] radius-server authentication 172.16.0.2 1812
[DeviceA-radius-radius_server] radius-server shared-key cipher Huawei@123456789
[DeviceA-radius-radius_server] quit

6. Configure an authentication scheme.


[DeviceA] aaa
[DeviceA-aaa] authentication-scheme auth1
[DeviceA-aaa-authen-auth1] authentication-mode radius
[DeviceA-aaa-authen-auth1] quit

7. Configure an authentication domain and reference the RADIUS server template
and authentication scheme in it.
[DeviceA-aaa] domain huawei.com
[DeviceA-aaa-domain-huawei.com] authentication-scheme auth1
[DeviceA-aaa-domain-huawei.com] radius-server radius_server
[DeviceA-aaa-domain-huawei.com] quit
[DeviceA-aaa] quit

8. Configure the RADIUS server.


The configuration includes the following steps: add a device, add an
administrator account, and set the administrator privilege level to 3. For the
configuration methods of the RADIUS server you use, refer to related
documents.
9. Use the administrator account to log in to the web UI of the device.
a. Set the IP address of the PC used for web UI login to 10.3.0.100/24.
b. Open a browser and access https://10.3.0.1:8443.
c. Enter the created administrator account (user name: admin123;
password: YsHsjx_202206) and click Login.
d. After the user name and password are authenticated, the RADIUS server
sends a verification code to the mobile phone or email address of the
administrator. On the page that is displayed, enter the received
verification code and click Submit to log in to the device web UI.

Verifying the Configuration


The administrator uses a web browser to access the device web UI and checks
whether the login is successful based on the two factors ("user name + password"
and SMS verification code).

Configuration Scripts
#
sysname DeviceA
#
web-manager server-source all-interface
web-manager enable port 8443
web-manager http forward enable
#
interface vlanif10
ip address 10.3.0.1 255.255.255.0
#
interface vlanif20
ip address 172.16.0.1 255.255.255.0
#
radius-server template radius_server
radius-server authentication 172.16.0.2 1812
radius-server shared-key cipher %@%@*y:3*ZN}.%%qcL1cCyDwlB.|@XBVMDWq'6JF(iOz2D8>A\SN%@%@
#
aaa
authentication-scheme auth1


authentication-mode radius
domain huawei.com
authentication-scheme auth1
radius-server radius_server
#
return

5.4 Maintaining Web UI-based Login


Table 5-3 describes the operations for maintaining web UI-based login.

Table 5-3 Maintaining web UI-based login

To...                                       Run...
Clear the statistics about the web server.  reset web-manager statistics

5.5 Troubleshooting Web-based Device Login Failure


Fault Symptom
The device and client can ping each other, but users cannot log in to the device
through the web UI.

Possible Causes
1. The HTTPS service is disabled.
2. The number of online web users reaches the upper limit.
3. The service type of the web user is incorrect.

Procedure
Step 1 Check whether the HTTPS service is enabled.
By default, the HTTPS service is enabled. To check whether it is enabled, run the
display web-manager configuration command in the system view. If it is not
enabled, run the web-manager enable command in the system view to enable it.
Step 2 Check whether the number of online web users reaches the upper limit.
1. Run the display web-manager users command in the system view to check
the number of online users.
2. Run the display this command in the system view to check the web-
manager max-user-number configuration.
3. Determine whether the number of online users reaches the upper limit. If it
does, you can increase the maximum number of web users using the web-
manager max-user-number command.
Step 3 Check whether the access type of the web user is correct.
Run the display this command in the AAA view to check whether the access type
of the web user is HTTPS. If the local-user user-name service-type http


configuration exists, the access type of the user specified by user-name is HTTPS.
Otherwise, run the local-user user-name service-type http command in the AAA
view to set the access type of the web user to HTTPS.

----End
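The causes in 5.5 and the certificate setting in 5.3.4 can also be checked offline against a saved configuration script. The following Python script is an added example, not Huawei code or part of this guide: the command spellings it matches are taken from the examples above, and it assumes the script is read from a file or paste rather than from the device.

```python
"""Audit a CloudEngine configuration script for the web UI login failure
causes listed in 5.5 and the certificate setting from 5.3.4. Added example,
not Huawei code; the matched command spellings come from the examples in
this guide, and reading them from a saved script is an assumption."""
import re
from typing import Dict, List, Set

# Constructed sample: the 5.3.4 script without its server-certificate line,
# plus a second user without HTTP access, so the audit has findings to report.
SAMPLE_SCRIPT = """\
#
sysname DeviceA
#
web-manager server-source all-interface
web-manager enable port 8443
web-manager http forward enable
#
interface Vlanif10
 ip address 10.3.0.1 255.255.255.0
#
aaa
 local-user admin123 password irreversible-cipher $1d$PLACEHOLDER-HASH$
 local-user admin123 service-type http
 local-user admin123 privilege level 3
 local-user ops1 password irreversible-cipher $1d$PLACEHOLDER-HASH$
 local-user ops1 service-type ssh
#
return
"""

SERVICE_TYPE_RE = re.compile(r"^local-user (\S+) service-type (.+)$")
MAX_USER_RE = re.compile(r"^web-manager max-user-number (\d+)$")


def audit_web_login(script: str, web_users: List[str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing to fix."""
    lines = [ln.strip() for ln in script.splitlines()]
    findings: List[str] = []

    # Cause 1 in 5.5: HTTPS is on by default, so only an explicit undo disables it.
    if any(ln.startswith("undo web-manager enable") for ln in lines):
        findings.append("HTTPS web service disabled (undo web-manager enable)")

    # Cause 2 in 5.5: a low online-user ceiling makes logins fail once reached.
    for ln in lines:
        m = MAX_USER_RE.match(ln)
        if m and int(m.group(1)) < 2:
            findings.append(f"web user limit set to only {m.group(1)}")

    # 5.3.x: HTTP must keep being redirected to HTTPS.
    if any(ln.startswith("undo web-manager http forward enable") for ln in lines):
        findings.append("HTTP-to-HTTPS redirection disabled")

    # 5.3.4: without a specified certificate the device serves its default one.
    if not any(ln.startswith("web-manager security server-certificate ") for ln in lines):
        findings.append("default HTTPS certificate in use (no server-certificate configured)")

    # Cause 3 in 5.5: every intended web user needs service-type http.
    allowed: Dict[str, Set[str]] = {}
    for ln in lines:
        m = SERVICE_TYPE_RE.match(ln)
        if m:
            allowed.setdefault(m.group(1), set()).update(m.group(2).split())
    for user in web_users:
        if "http" not in allowed.get(user, set()):
            findings.append(f"user {user} lacks service-type http")
    return findings


if __name__ == "__main__":
    for finding in audit_web_login(SAMPLE_SCRIPT, ["admin123", "ops1"]):
        print("FINDING:", finding)
```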

5.6 Web UI-based Login FAQs

5.6.1 How Does the Device Process the Administrator's Consecutive Login Failures?
By default, an administrator account will be locked for 5 minutes if the
administrator enters incorrect passwords three times consecutively. You can run
the local-aaa-user wrong-password command in the AAA view to enable the
local account lockout function and configure the retry interval, maximum number
of failed consecutive login attempts, and account lockout period.


6 ZTP Configuration

6.1 Overview of ZTP
6.2 Understanding ZTP
6.3 Configuration Precautions for ZTP
6.4 Default ZTP Settings
6.5 Configuring DHCP-based ZTP (with a Controller)
6.6 Configuring DHCP-based ZTP (Without a Controller)
6.7 Configuring USB-based Deployment

6.1 Overview of ZTP


Definition
Zero Touch Provisioning (ZTP) enables newly delivered devices or devices with
factory configurations to automatically load deployment files (including system
software, configuration files, and patch files) when they are powered on and
started.

Purpose
After devices are installed on the live network, engineers usually need to perform
onsite configurations for the devices. Typically, this requires engineers to configure
each device locally, which is inefficient and costly, especially if there are a large
number of sparsely deployed devices.
To overcome such efficiency and cost challenges, the ZTP function can be enabled
on a device. ZTP allows the device to obtain and automatically load deployment
files from the USB flash drive or file server. This ultimately frees engineers from
having to carry out onsite configuration and deployment.

6.2 Understanding ZTP


6.2.1 ZTP Fundamentals


Typical Networking
In Figure 6-1, the device functions as a DHCP client to periodically send DHCP
request packets to the DHCP server in order to obtain configuration information.
The DHCP server responds with DHCP reply packets that contain information
about the IP address allocated to the device, IP address of the intermediate file
server, and intermediate file server login method. After receiving the DHCP reply
packets, the device connects to the intermediate file server to obtain the
configuration information about the deployment files, based on which the device
then automatically obtains deployment files from the specified deployment file
server and sets them as the files to be loaded for the next startup. These
deployment files are then automatically loaded by the device upon restart.

Figure 6-1 Typical network diagram of ZTP

● DHCP server: allocates a temporary management IP address, default gateway
address, DNS server address, and intermediate file server address to the
device to be deployed.
● Syslog server: uploads user logs recorded during the ZTP process to the
network management system (NMS).
● DHCP relay agent: forwards packets exchanged between the device to be
deployed and the DHCP server when they are located on different network
segments.
● Intermediate file server: stores the intermediate file required for ZTP, which
can be an INI file or a Python script. By parsing the intermediate file, the
device to be deployed obtains information about the deployment file server
address and deployment files. An intermediate file server must be an SFTP file
server.
● Deployment file server: stores the deployment files to be loaded to the
device to be deployed, including the system software, configuration file, and
patch file. The deployment file server and intermediate file server can be
combined, which must be an SFTP file server.


● DNS server: provides mappings between domain names and IP addresses,
and resolves the file server domain name to an IP address for the device to be
deployed. Based on the resolved IP address, the device can obtain requested
files from the file server.

Deployment Modes
Currently, the device supports DHCP-based and USB-based deployment. You can
select a proper deployment mode as required. DHCP-based ZTP can be classified
into DHCP-based ZTP with a controller deployed and DHCP-based ZTP without a
controller deployed.
If a controller is deployed, DHCP-based ZTP can be classified into DHCP option
parameter-based ZTP and registration query center-based ZTP.
If no controller is deployed, DHCP-based ZTP can be classified into intermediate
file-based ZTP and option parameter-based ZTP.


Table 6-1 ZTP modes

Deployment mode: DHCP-based ZTP (with a controller)
Description: If a controller is deployed, DHCP-based ZTP can be classified into
DHCP option parameter-based ZTP and registration query center-based ZTP.
- DHCP option parameter-based ZTP: Option 148 or Option 17 is configured on
the DHCP server on the network. This option parameter contains the controller
address information. Devices obtain the information through DHCP. The device
establishes a NETCONF connection with the controller based on the obtained
controller information. Then you can perform deployment configuration on the
device through the controller.
- Registration query center-based ZTP: A device accesses the Huawei device
registration query center through the preconfigured URL/IP address and port
number of the Huawei device registration query center, and then obtains the
controller address based on the device ESN or MAC address. The device
establishes a NETCONF connection with the controller based on the obtained
controller information. Then you can perform deployment configuration on the
device through the controller.
Application scenario: This mode applies to batch device deployment when a
controller is deployed.
Task: 6.5 Configuring DHCP-based ZTP (with a Controller)

Deployment mode: DHCP-based ZTP (without a controller)
Description: If no controller is deployed, DHCP-based ZTP can be classified into
intermediate file-based ZTP and option parameter-based ZTP.
- Intermediate file-based ZTP: During deployment, the device functions as a
DHCP client to periodically send DHCP request packets to the DHCP server in
order to obtain configuration information. The DHCP server responds with DHCP
reply packets that contain information about the IP address allocated to the
device, IP address of the intermediate file server, and intermediate file
server login method. After receiving the DHCP reply packets, the device
connects to the intermediate file server to obtain the configuration
information about deployment files, based on which the device then
automatically obtains deployment files from the specified deployment file
server and sets them as the files to be loaded for the next startup. These
deployment files are then automatically loaded by the device upon restart.
- Option parameter-based ZTP: During deployment, the device functions as a DHCP
client to periodically send DHCP request packets to the DHCP server in order to
obtain configuration information. The DHCP server responds with DHCP reply
packets that contain information about the IP address allocated to the device,
deployment file server login method, and deployment file information. After
receiving the DHCP reply packets, the device connects to the deployment file
server to obtain the deployment files, and sets them as the files to be loaded
for the next startup. These deployment files are then automatically loaded by
the device upon restart.
Application scenario: This mode applies to batch device deployment when no
controller is deployed.
Task: 6.6 Configuring DHCP-based ZTP (Without a Controller)

Deployment mode: USB-based deployment
Description: In this mode, deployment files of a device are typically saved in
a USB flash drive by trained engineers, after which untrained personnel can
perform automatic device deployment by inserting the USB flash drive into the
device and downloading the deployment files from the USB flash drive.
Application scenario: This mode applies to scenarios where devices are
scattered and no DHCP server is deployed. This mode lowers the deployment cost.
Task: 6.7 Configuring USB-based Deployment

DHCP-based ZTP is simple. You can use this deployment mode as long as a DHCP
server is deployed. However, this deployment mode may cause data leakage and
interception, which poses security risks. In deployment scenarios that require high
security, you can deploy a dedicated bootstrap server and use two-way
authentication and data encryption to ensure the data reliability for DHCP-based
ZTP. For details, see 6.2.2 SZTP Fundamentals and 6.6 Configuring DHCP-based
ZTP (Without a Controller).

When multiple deployment modes are available, their priorities are as follows:

USB-based deployment > SZTP > DHCP option parameter-based ZTP with a
controller > option parameter-based ZTP without a controller > intermediate file-
based ZTP without a controller > registration query center-based ZTP with a
controller

Deployment Process
Device deployment processes include the deployment processes for devices with
factory configurations and with non-factory configurations.

● Figure 6-2 shows the deployment process for a device that starts with factory
configurations. After the device is powered on and starts, it checks whether a
USB flash drive is inserted. If a USB flash drive is inserted and the usb.ini file
exists in the root directory of the USB flash drive, the device starts USB-based
deployment. If no USB flash drive is available or no usb.ini file exists in the
root directory of the USB flash drive, the device functions as a DHCP client
and sends a DHCP request packet to the DHCP server. If the device receives a
packet carrying option 143 from the DHCP server, the device starts the Secure
Zero Touch Provisioning (SZTP) process. Otherwise, the device starts the
DHCP-based ZTP process. You can select a deployment mode based on your site
requirements.


● When a device is powered on with non-factory configurations, ZTP is not
supported by default, and the device starts using the non-factory
configuration file.

Figure 6-2 Deployment process after a device is powered on with factory
configurations

NOTE

● If a user logs in to the device during the ZTP process, the ZTP process will be
terminated.
● When deploying a device with factory configurations, you are advised not to manually
deliver the same configurations as those delivered during ZTP. If the deployment fails,
the configurations will be deleted.
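The mode selection in Figure 6-2 and the priority order in 6.2.1 can be written down as a small decision routine over the DHCP reply. The following Python code is an added example, not Huawei code or part of this guide: the code/length/value option encoding is the standard DHCP one (RFC 2132), the meaning of options 143, 148 and 17 follows this chapter, and the constructed reply bytes are sample input, not captured traffic. Modes this guide distinguishes by server-side data rather than by option number are grouped under one fallback label, which is a simplification.

```python
"""Deployment-mode selection as described in 6.2.1 (Figure 6-2 and the
priority list). Added example, not Huawei code. Option encoding is the
RFC 2132 code/length/value TLV; the meaning of options 143, 148 and 17 is
taken from this chapter, everything else is a modelling assumption."""
from typing import Dict, Optional

OPT_PAD, OPT_END = 0, 255
OPT_SZTP = 143               # bootstrap server info: starts SZTP (6.2.1)
OPT_CONTROLLER = (148, 17)   # controller address options (Table 6-1)


def parse_dhcp_options(raw: bytes) -> Dict[int, bytes]:
    """Decode a DHCP options field into {code: value}.
    A truncated option raises ValueError instead of being skipped, because a
    malformed reply should never drive a provisioning decision."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(raw):
            raise ValueError(f"option {code} has no length byte")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        # RFC 2132 allows one option to be split into several instances.
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def select_deployment_mode(usb_ini_present: bool,
                           dhcp_reply_options: Optional[bytes]) -> str:
    """Return the mode a factory-configured device would enter: USB first,
    then SZTP on option 143, then controller-based ZTP on option 148/17,
    otherwise DHCP-based ZTP without a controller."""
    if usb_ini_present:
        return "USB-based deployment"
    if dhcp_reply_options is None:
        # The guide says the client keeps sending DHCP requests periodically.
        return "waiting for a DHCP reply"
    opts = parse_dhcp_options(dhcp_reply_options)
    if OPT_SZTP in opts:
        return "SZTP"
    if any(code in opts for code in OPT_CONTROLLER):
        return "DHCP option parameter-based ZTP (with a controller)"
    # Option parameter-based vs. intermediate file-based ZTP (and the
    # registration query center) are decided by data not modelled here.
    return "DHCP-based ZTP (without a controller)"


# Constructed sample replies (option bytes only, no fixed DHCP header).
REPLY_SZTP = bytes([OPT_SZTP, 4, 10, 1, 1, 5, OPT_END])
REPLY_CONTROLLER = bytes([148, 9]) + b"10.1.1.20" + bytes([OPT_END])
REPLY_PLAIN = bytes([OPT_PAD, 1, 4, 255, 255, 255, 0, OPT_END])

if __name__ == "__main__":
    for name, reply in [("sztp", REPLY_SZTP), ("controller", REPLY_CONTROLLER),
                        ("plain", REPLY_PLAIN)]:
        print(name, "->", select_deployment_mode(False, reply))
```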


6.2.2 SZTP Fundamentals

Context
SZTP applies to scenarios that require high security. DHCP-based ZTP is easy to
implement because you only need to deploy a DHCP server. However, it may lead
to data leakage or interception, posing security risks. To mitigate the security risks,
you can deploy a DHCP server and a dedicated bootstrap server and use two-way
authentication and data encryption.

Basic Networking
In Figure 6-3, the device functions as a DHCP client to periodically send DHCP
request packets to the DHCP server in order to obtain configuration information.
The DHCP server responds with DHCP reply packets that contain information
about the IP address allocated to the device, as well as the IP address or domain
name of the bootstrap server. After obtaining such information, the device
establishes an HTTPS connection with the bootstrap server through two-way
authentication based on a preconfigured certificate. The device then obtains
information about deployment files from the bootstrap server, connects to the
deployment file server, obtains the deployment files, and sets them as the files to
be loaded for the next startup. These deployment files are then automatically
loaded by the device upon restart.

Figure 6-3 SZTP networking


● DHCP server: allocates a temporary management IP address, default gateway
address, DNS server address, and bootstrap server address or domain name to
the device to be deployed through SZTP.
● DHCP relay agent: forwards packets exchanged between the device to be
deployed and the DHCP server when they are located on different network
segments.
● Bootstrap server: is used to guide SZTP. After establishing a secure
connection with the device to be deployed through SZTP, the bootstrap server
sends deployment file information (such as the address of the deployment file
server and deployment file version) to the device.
● Deployment file server: stores the deployment files to be loaded to the
device to be deployed, including the system software, configuration file, and
patch file.
● DNS server: provides mappings between domain names and IP addresses,
and resolves the domain name of the bootstrap server to an IP address.
● Syslog server: uploads user logs recorded during the SZTP process to the
NMS.
NOTE

A deployment file server used for SZTP must be an HTTPS server.

Trusted Connection
During SZTP, the device establishes a trusted connection with the bootstrap server
through two-way authentication and obtains deployment file information from
the server. The device then functions as an HTTPS client to establish an HTTPS
connection with the deployment file server and download deployment files.
Certificates listed in Table 6-2 are required for establishing a secure connection
between the device and bootstrap server.

Table 6-2 Certificates on which a trusted connection depends

Certificate type: Device identity certificate
Description: This certificate is pre-configured before device delivery. It is an
802.1AR certificate generated using the Huawei CA signature. By default, Huawei
devices have built-in identity certificates before delivery. The certificate
contains information such as the public key and device SN.

Certificate type: Huawei root CA certificate
Description: /

Certificate type: Huawei level-2 CA certificate
Description: /

Certificate type: Ownership voucher
Description: It is a Cryptographic Message Syntax (CMS) file, which is issued by
the device vendor to the customer. Huawei plans to use the carrier's level-2 CA
to issue an ownership voucher to the customer. The voucher contains the release
time, expiration time, hardware serial number for connecting to Huawei devices,
and root certificate of the bootstrap server.

Certificate type: Owner certificate
Description: This certificate is an X.509 certificate, which is used to identify
an owner. The device can use this certificate to verify the signature of
conveyed information.

NOTE

The ownership voucher is valid only when the Huawei level-2 CA certificate is pre-
configured on the bootstrap server.
The bootstrap server has a built-in Huawei level-2 CA certificate, an ownership voucher, and
an owner certificate. The device has a built-in identity certificate, a Huawei root CA
certificate, and a Huawei level-2 CA certificate.
● You can configure deployment file information (such as the deployment file
server address and deployment file name) on the bootstrap server. The
deployment file information is stored in onboarding information.
● If the device does not have a built-in trust root certificate, it establishes an
untrusted connection with the bootstrap server. The bootstrap server
encapsulates the onboarding information, ownership voucher, and owner
certificate into bootstrapping data and sends the data to the device.
● After verifying the signature of the ownership voucher, the device performs
the operations shown in Figure 6-4: It uses the built-in Huawei root CA and
level-2 CA certificates to authenticate the owner certificate and form a
complete trust chain, and then verifies the signature of the onboarding
information. The device parses the deployment file information from the
onboarding information, establishes an HTTPS connection with the deployment
file server, and downloads the deployment files.

Figure 6-4 Establishing a trust chain


In practice, you can deploy one or more bootstrap servers based on security
requirements. If multiple bootstrap servers are deployed, a redirect-to
bootstrap server address may be configured on a bootstrap server. Redirection
information is stored in Redirect Information. When an untrusted connection
is established between the device and bootstrap server, the bootstrap server
encapsulates the Redirect Information, ownership voucher, and owner
certificate into bootstrapping data and sends the data to the device to
establish a trusted connection. The device then obtains the IP address of the
redirect-to bootstrap server and the trust anchor certificate from the Redirect
Information. After the trust anchor certificate is installed, the device
establishes a trusted connection with the redirect-to bootstrap server until the
device obtains the onboarding information, which contains deployment file
information.

Deployment Process
Figure 6-5 shows the SZTP process.


Figure 6-5 SZTP process


The SZTP process involves the following phases:

1. Powering on and starting the device
   If a non-factory configuration file is available, the device starts with that configuration file. Otherwise, the device automatically starts the ZTP process.
2. Obtaining DHCP information
   The device broadcasts DHCP request packets, first on its high-bandwidth Ethernet interfaces and then on its low-bandwidth Ethernet interfaces. The DHCP server returns a DHCP reply packet. If the reply contains the DHCP option 143 field, the device starts the SZTP process; if it does not, the device starts the (non-secure) DHCP-based ZTP process. After entering the SZTP process, the device obtains its IP address, default gateway address, Syslog server address, and bootstrap server address from the DHCP server. The device takes the IPv4 Syslog server address from the DHCP reply and enables logging to that Syslog server; the important phases of SZTP are recorded in user logs, which the Syslog server uploads to the NMS.
3. Obtaining deployment file information
   The device parses the bootstrap server address from the DHCP option 143 field, establishes a secure (TLS) connection with the bootstrap server, and obtains the deployment file information.
4. Restarting the device
   The device sets the downloaded deployment files as the files to be loaded at its next startup and then restarts to complete the automatic deployment.

NOTE

● If a user logs in to the device during the SZTP process, the SZTP process will be
terminated.
● When deploying a device with factory configurations, you are advised not to manually
deliver the same configurations as those delivered during ZTP. If the deployment fails,
the configurations will be deleted.
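The decision in phase 2 (option 143 present means SZTP, absent means plain DHCP-based ZTP) and the bootstrap-server parsing in phase 3, as an added example. This is illustrative code written for this page, not Huawei's implementation. It assumes the option 143 payload uses the RFC 8572 encoding (a list of bootstrap server URIs, each prefixed by a 2-byte big-endian length), that repeated option-143 instances are concatenated as in RFC 3396, and that only https:// bootstrap URIs are acceptable; the DHCP reply bytes below are constructed, not captured from a real server.

```python
import struct
from urllib.parse import urlsplit

OPTION_PAD = 0
OPTION_MSG_TYPE = 53
OPTION_SERVER_ID = 54
OPTION_SZTP_REDIRECT = 143   # OPTION_V4_SZTP_REDIRECT (RFC 8572, assumed encoding)
OPTION_END = 255


def parse_dhcpv4_options(raw):
    """Split a DHCPv4 options field into {code: value}.

    Instances of the same option code are concatenated in order (RFC 3396),
    which is how a bootstrap-server-list longer than 255 bytes is carried.
    """
    opts = {}
    i = 0
    while i < len(raw):
        code = raw[i]
        if code == OPTION_PAD:
            i += 1
            continue
        if code == OPTION_END:
            break
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def parse_bootstrap_server_list(payload):
    """Decode the option-143 body: repeated (2-byte uri-length, URI) items."""
    uris = []
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated uri-length")
        (n,) = struct.unpack_from("!H", payload, i)
        i += 2
        uri = payload[i:i + n]
        if len(uri) != n:
            raise ValueError("truncated URI")
        uris.append(uri.decode("ascii"))
        i += n
    return uris


def is_acceptable_bootstrap_uri(uri):
    """Bootstrap servers are reached over HTTPS only; anything else is rejected so a
    rogue DHCP server cannot steer the device to a plaintext bootstrap fetch."""
    parts = urlsplit(uri)
    return parts.scheme == "https" and bool(parts.netloc)


def choose_onboarding_mode(raw_options):
    """Return ("sztp", [uris]) when option 143 is present, else ("dhcp-ztp", [])."""
    opts = parse_dhcpv4_options(raw_options)
    if OPTION_SZTP_REDIRECT not in opts:
        return ("dhcp-ztp", [])
    uris = parse_bootstrap_server_list(opts[OPTION_SZTP_REDIRECT])
    bad = [u for u in uris if not is_acceptable_bootstrap_uri(u)]
    if bad:
        raise ValueError("refusing non-HTTPS bootstrap server(s): %s" % ", ".join(bad))
    return ("sztp", uris)


def build_option_143(uris):
    """Encode one option-143 instance; used here only to construct the sample reply."""
    body = b"".join(struct.pack("!H", len(u)) + u.encode("ascii") for u in uris)
    if len(body) > 255:
        raise ValueError("split the list across several option-143 instances (RFC 3396)")
    return bytes([OPTION_SZTP_REDIRECT, len(body)]) + body


# Constructed sample replies (hypothetical addresses, not a captured exchange).
SAMPLE_URIS = ["https://bootstrap.example.net:8443/restconf",
               "https://10.1.1.20/restconf"]
SAMPLE_SZTP_REPLY = (bytes([OPTION_MSG_TYPE, 1, 2])               # DHCPOFFER
                     + bytes([OPTION_SERVER_ID, 4, 10, 1, 1, 1])
                     + build_option_143(SAMPLE_URIS)
                     + bytes([OPTION_END]))
SAMPLE_PLAIN_REPLY = (bytes([OPTION_MSG_TYPE, 1, 2])
                      + bytes([OPTION_SERVER_ID, 4, 10, 1, 1, 1])
                      + bytes([OPTION_END]))

if __name__ == "__main__":
    print(choose_onboarding_mode(SAMPLE_SZTP_REPLY))
    print(choose_onboarding_mode(SAMPLE_PLAIN_REPLY))
```

The parser fails closed: a truncated option, a truncated URI, or a non-HTTPS bootstrap URI raises instead of silently falling back to the DHCP-based ZTP branch, which is the behaviour a device should have when the DHCP server itself is untrusted.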

6.3 Configuration Precautions for ZTP


Licensing Requirements
ZTP is not under license control.


Hardware Requirements

Table 6-3 Hardware requirements

S5735-L-V2 series: S5735-L10T4X-A-V2/S5735-L10T4X-TA-V2/S5735-L16T4S-A-V2/S5735-L16T4X-QA-V2/S5735-L24P4S-A-V2/S5735-L24P4XE-A-V2/S5735-L24P4XE-TA-V2/S5735-L24T4S-A-V2/S5735-L24T4X-QA-V2/S5735-L24T4XE-A-V2/S5735-L24T4XE-D-V2/S5735-L48LP4S-A-V2/S5735-L48LP4XE-A-V2/S5735-L48P4XE-A-V2/S5735-L48T4S-A-V2/S5735-L48T4XE-A-V2/S5735-L48T4XE-TA-V2/S5735-L48T4XE-D-V2/S5735-L8P2T4X-A-V2/S5735-L8P2T4X-TA-V2/S5735-L8P4S-A-V2/S5735-L8P4X-QA-V2/S5735-L8T4S-A-V2/S5735-L8T4X-QA-V2
S5735-S-V2 series: S5735-S24P4XE-V2/S5735-S24T4XE-V2/S5735-S24U4XE-V2/S5735-S48P4XE-V2/S5735-S48T4XE-V2/S5735-S48U4XE-V2
S5735I-L-V2 series: S5735I-L10T4X-A-V2/S5735I-L8P4X-A-V2
S3710-H series: S3710-H24P4S-A/S3710-H24T4S-A/S3710-H48LP4S-A/S3710-H48T4S-A
S5732-H-V2 series: S5732-H24S4X6QZ-TV2/S5732-H24S4X6QZ-V2/S5732-H24UM4Y2CZ-TV2/S5732-H24UM4Y2CZ-V2/S5732-H44S4X6QZ-TV2/S5732-H44S4X6QZ-V2/S5732-H48UM4Y2CZ-TV2/S5732-H48UM4Y2CZ-V2
S5735I-S-V2 series: S5735I-S24T4XE-V2/S5735I-S24T4XE-T-V2/S5735I-S24U4XE-V2/S5735I-S24U4XE-T-V2/S5735I-S8T4SN-V2/S5735I-S8T4XN-T-V2/S5735I-S8T4XN-V2/S5735I-S8U4XN-V2
S6730-H-V2 series: S6730-H24X6C-TV2/S6730-H24X6C-V2/S6730-H28X6CZ-TV2/S6730-H28X6CZ-V2/S6730-H48X6C-TV2/S6730-H48X6C-V2/S6730-H48X6CZ-TV2/S6730-H48X6CZ-V2/S6730-H48Y6C-TV2/S6730-H48Y6C-V2


Feature Requirements

Table 6-4 Feature requirements


Each entry below gives the requirement, the series it applies to, and the applicable models.

Requirement: When using a USB flash drive for deployment, ensure that the read and write protection functions of the USB flash drive are disabled.
Series: S5735-S-V2, S5735-L-V2, S5732-H-V2, S5735I-S-V2, S6730-H-V2
Models: S5735-S24P4XE-V2/S5735-S24T4XE-V2/S5735-S24U4XE-V2/S5735-S48P4XE-V2/S5735-S48T4XE-V2/S5735-S48U4XE-V2; S5735-L24P4XE-A-V2/S5735-L24T4XE-A-V2/S5735-L24T4XE-D-V2/S5735-L48LP4XE-A-V2/S5735-L48P4XE-A-V2/S5735-L48T4XE-A-V2/S5735-L48T4XE-D-V2; S5732-H24S4X6QZ-V2/S5732-H24UM4Y2CZ-KV2/S5732-H24UM4Y2CZ-V2/S5732-H44S4X6QZ-V2/S5732-H48UM4Y2CZ-KV2/S5732-H48UM4Y2CZ-V2; S5735I-S24T4XE-V2/S5735I-S24U4XE-V2/S5735I-S8T4XN-V2/S5735I-S8U4XN-V2; S6730-H24X6C-V2/S6730-H28X6CZ-V2/S6730-H48X6C-V2/S6730-H48X6CZ-V2/S6730-H48Y6C-V2

Requirement: The file path and name used for option parameter-based deployment cannot contain any of the following special characters: # & > < " ' | · $ ; ( ) [ ] { } ~ * ? ! \n % , \
Series and models: all series and models listed in Table 6-3 (S5735-S-V2, S5735-L-V2, S3710-H, S5735I-L-V2, S5732-H-V2, S5735I-S-V2, S6730-H-V2).

Requirement:
· To ensure data security, the device administrator should use a USB flash drive with key-based or fingerprint-based encryption and keep the USB flash drive containing the deployment configuration file safe. After the deployment is complete, delete the deployment configuration file promptly.
· Devices to be deployed are unconfigured and have no security measures configured. When onsite non-professionals perform the deployment, ensure that they do not perform any unauthorized operations on the devices, the USB flash drive, or the deployment files.
· If a device that is not in the unconfigured state needs to be deployed using a USB flash drive, encrypt and compress the files and configure HMAC key-based integrity verification to protect the deployment files.
· Do not remove the USB flash drive before the USB-based deployment is complete; otherwise, the data on the USB flash drive may be damaged.
· Do not power off the device during USB-based deployment; otherwise, the upgrade fails.
Series: S5735-S-V2, S5735-L-V2, S5732-H-V2, S5735I-S-V2, S6730-H-V2
Models: S5735-S24P4XE-V2/S5735-S24T4XE-V2/S5735-S24U4XE-V2/S5735-S48P4XE-V2/S5735-S48T4XE-V2/S5735-S48U4XE-V2; S5735-L24P4XE-A-V2/S5735-L24T4XE-A-V2/S5735-L24T4XE-D-V2/S5735-L48LP4XE-A-V2/S5735-L48P4XE-A-V2/S5735-L48T4XE-A-V2/S5735-L48T4XE-D-V2; S5732-H24S4X6QZ-V2/S5732-H24UM4Y2CZ-KV2/S5732-H24UM4Y2CZ-V2/S5732-H44S4X6QZ-V2/S5732-H48UM4Y2CZ-KV2/S5732-H48UM4Y2CZ-V2; S5735I-S24T4XE-V2/S5735I-S24U4XE-V2/S5735I-S8T4XN-V2/S5735I-S8U4XN-V2; S6730-H24X6C-V2/S6730-H28X6CZ-V2/S6730-H48X6C-V2/S6730-H48X6CZ-V2/S6730-H48Y6C-V2

Requirement: The device to be deployed must meet the following requirements:
1. The device is running with factory configurations.
2. No user has logged in to the device.
3. If a user login is detected during ZTP, ZTP is terminated and the ZTP configuration delivered so far is deleted.
Series and models: all series and models listed in Table 6-3 (S5735-S-V2, S5735-L-V2, S3710-H, S5735I-L-V2, S5732-H-V2, S5735I-S-V2, S6730-H-V2).

Requirement: The option fields in the downloaded intermediate file and script, and the user name, password, and version file name configured in the intermediate file, cannot contain any of the following special characters: & > < " ' | · $ ; ( ) [ ] { } ~ * ? ! \n # % ,
Series and models: all series and models listed in Table 6-3 (S5735-S-V2, S5735-L-V2, S3710-H, S5735I-L-V2, S5732-H-V2, S5735I-S-V2, S6730-H-V2).

Requirement: The ZTP script must be a Python 3 script.
Series and models: all series and models listed in Table 6-3 (S5735-S-V2, S5735-L-V2, S3710-H, S5735I-L-V2, S5732-H-V2, S5735I-S-V2, S6730-H-V2).

Requirement: The Syslog server address is obtained from the Options field configured on the DHCP server, not from the intermediate file.
Series and models: all series and models listed in Table 6-3 (S5735-S-V2, S5735-L-V2, S3710-H, S5735I-L-V2, S5732-H-V2, S5735I-S-V2, S6730-H-V2).

Requirement: The Python script file must use Windows or Unix line-ending format.
Series and models: all series and models listed in Table 6-3 (S5735-S-V2, S5735-L-V2, S3710-H, S5735I-L-V2, S5732-H-V2, S5735I-S-V2, S6730-H-V2).

Requirement: ZTP must be deployed on a private network; deploying it on any other network may introduce security risks. In scenarios where the security risks cannot be controlled, use SZTP mode for deployment.
Series and models: all series and models listed in Table 6-3 (S5735-S-V2, S5735-L-V2, S3710-H, S5735I-L-V2, S5732-H-V2, S5735I-S-V2, S6730-H-V2).

Requirement:
1. The device configuration is modified during deployment. When you log in to the device and save the configuration, check that you are not saving, by mistake, configuration that was modified during deployment.
2. In non-deployment scenarios, you are advised to save the configuration first to prevent the ZTP script from modifying it.
Series and models: all series and models listed in Table 6-3 (S5735-S-V2, S5735-L-V2, S3710-H, S5735I-L-V2, S5732-H-V2, S5735I-S-V2, S6730-H-V2).

Requirement: The option 148 field configured on the DHCP server must comply with the following rules: agilemanage-domain and agilemanage-port must be used in pairs, and the number of IP addresses must equal the number of ports.
Series and models: all series and models listed in Table 6-3 (S5735-S-V2, S5735-L-V2, S3710-H, S5735I-L-V2, S5732-H-V2, S5735I-S-V2, S6730-H-V2).

Requirement:
1. For SZTP deployment, a device identity certificate must be preconfigured before delivery. The certificate is used for authentication between the device and the bootstrap server and for TLS connection establishment.
2. The bootstrapping data sent by the bootstrap server may be encrypted using the public key of the device identity certificate. The device decrypts the bootstrapping data using the private key corresponding to the device identity certificate.
Series and models: all series and models listed in Table 6-3 (S5735-S-V2, S5735-L-V2, S3710-H, S5735I-L-V2, S5732-H-V2, S5735I-S-V2, S6730-H-V2).

Requirement:
1. If the source file is compressed, the HMAC value in the index file is calculated over the compressed file, not over its contents.
2. On a device with a configuration file, if an HMAC password is configured, whether files are verified is determined by the HMAC field in the index file.
3. To change an HMAC password configured on a device, run the corresponding command to overwrite it.
Series and models: all series and models listed in Table 6-3 (S5735-S-V2, S5735-L-V2, S3710-H, S5735I-L-V2, S5732-H-V2, S5735I-S-V2, S6730-H-V2).

Requirement:
1. For compressed files, the *FILENAME_n field in the index file must comply with the following naming rules:
   a. The file name extension must be .zip.
   b. The file name encodes the name and format of the file packed in the archive, for example, tyj_cc.zip (the packed file is tyj.cc) and wxc_pat.zip (the packed file is wxc.pat). When the .ini file is parsed, verification is performed based on this name and the *TYPE_n field.
2. Each package can contain only one file.
Series and models: all series and models listed in Table 6-3 (S5735-S-V2, S5735-L-V2, S3710-H, S5735I-L-V2, S5732-H-V2, S5735I-S-V2, S6730-H-V2).

Feature Requirements: For USB-based deployment on a device with factory configurations, you need to configure a password for logging in to the device through the console port or other login modes in the index file in advance. Otherwise, the deployment will fail.
Series: S5735-S-V2 series, S5735-L-V2 series, S5732-H-V2 series, S5735I-S-V2 series, S6730-H-V2 series
Models:
S5735-S24P4XE-V2/S5735-S24T4XE-V2/S5735-S24U4XE-V2/S5735-S48P4XE-V2/S5735-S48T4XE-V2/S5735-S48U4XE-V2
S5735-L24P4XE-A-V2/S5735-L24T4XE-A-V2/S5735-L24T4XE-D-V2/S5735-L48LP4XE-A-V2/S5735-L48P4XE-A-V2/S5735-L48T4XE-A-V2/S5735-L48T4XE-D-V2
S5732-H24S4X6QZ-V2/S5732-H24UM4Y2CZ-KV2/S5732-H24UM4Y2CZ-V2/S5732-H44S4X6QZ-V2/S5732-H48UM4Y2CZ-KV2/S5732-H48UM4Y2CZ-V2
S5735I-S24T4XE-V2/S5735I-S24U4XE-V2/S5735I-S8T4XN-V2/S5735I-S8U4XN-V2
S6730-H24X6C-V2/S6730-H28X6CZ-V2/S6730-H48X6C-V2/S6730-H48X6CZ-V2/S6730-H48Y6C-V2

Feature Requirements: Service interfaces are used for ZTP, but this deployment mode may cause isolation of the service plane, management plane, and control plane. Security hardening has been performed on the system by default during deployment. Users need to perform deployment in a secure networking environment.
Series: S5735-S-V2 series, S5735-L-V2 series, S3710-H series, S5735I-L-V2 series, S5732-H-V2 series, S5735I-S-V2 series, S6730-H-V2 series
Models:
S5735-S24P4XE-V2/S5735-S24T4XE-V2/S5735-S24U4XE-V2/S5735-S48P4XE-V2/S5735-S48T4XE-V2/S5735-S48U4XE-V2
S5735-L10T4X-A-V2/S5735-L10T4X-TA-V2/S5735-L16T4S-A-V2/S5735-L16T4X-QA-V2/S5735-L24P4S-A-V2/S5735-L24P4XE-A-V2/S5735-L24P4XE-TA-V2/S5735-L24T4S-A-V2/S5735-L24T4X-QA-V2/S5735-L24T4XE-A-V2/S5735-L24T4XE-D-V2/S5735-L48LP4S-A-V2/S5735-L48LP4XE-A-V2/S5735-L48P4XE-A-V2/S5735-L48T4S-A-V2/S5735-L48T4XE-A-V2/S5735-L48T4XE-TA-V2/S5735-L48T4XE-D-V2/S5735-L8P2T4X-A-V2/S5735-L8P2T4X-TA-V2/S5735-L8P4S-A-V2/S5735-L8P4X-QA-V2/S5735-L8T4S-A-V2/S5735-L8T4X-QA-V2
S3710-H24P4S-A/S3710-H24T4S-A/S3710-H48LP4S-A/S3710-H48T4S-A
S5735I-L10T4X-A-V2/S5735I-L8P4X-A-V2
S5732-H24S4X6QZ-TV2/S5732-H24S4X6QZ-V2/S5732-H24UM4Y2CZ-TV2/S5732-H24UM4Y2CZ-V2/S5732-H44S4X6QZ-TV2/S5732-H44S4X6QZ-V2/S5732-H48UM4Y2CZ-TV2/S5732-H48UM4Y2CZ-V2
S5735I-S24T4XE-V2/S5735I-S24T4XE-T-V2/S5735I-S24U4XE-V2/S5735I-S24U4XE-T-V2/S5735I-S8T4SN-V2/S5735I-S8T4XN-T-V2/S5735I-S8T4XN-V2/S5735I-S8U4XN-V2
S6730-H24X6C-TV2/S6730-H24X6C-V2/S6730-H28X6CZ-TV2/S6730-H28X6CZ-V2/S6730-H48X6C-TV2/S6730-H48X6C-V2/S6730-H48X6CZ-TV2/S6730-H48X6CZ-V2/S6730-H48Y6C-TV2/S6730-H48Y6C-V2

6.4 Default ZTP Settings


The default ZTP settings are classified into settings for a device that starts with
factory configurations and those for a device that starts with non-factory
configurations.
● When a device is powered on and starts with factory configurations, it
automatically starts the ZTP process by default.
● When a device is powered on and starts with non-factory configurations, ZTP
is not supported by default, and the device starts using the non-factory
configuration file.

6.5 Configuring DHCP-based ZTP (with a Controller)

6.5.1 Understanding DHCP-based ZTP with a Controller

Fundamentals
If a controller is deployed, DHCP-based ZTP can be classified into DHCP option parameter-based ZTP and registration query center-based ZTP.
In Figure 6-6, Option 148 or Option 17 is configured on the DHCP server on the network. This option carries the controller address information, which the device obtains through DHCP. The device then establishes a NETCONF connection with the controller based on the obtained controller information, after which you can perform deployment configuration on the device through the controller.

Figure 6-6 Network diagram of DHCP option parameter-based ZTP when a controller is deployed

● iMaster NCE-Campus: establishes NETCONF connections with devices.
● DHCP server: allocates the temporary management IP address, default gateway address, controller's IP address and port number, DNS server's IP address, bootstrap server's IP address and port number, and Syslog server's IP address to the device that performs ZTP.
● DNS server: provides mappings between domain names and IP addresses,
and resolves the domain name of the bootstrap server to an IP address.
● Bootstrap server: stores the CA certificates that users have applied for. For security purposes, no certificate is preconfigured on iMaster NCE-Campus. For this reason, the device needs to download a CA certificate from the bootstrap server so that two-way authentication for establishing a NETCONF connection between the device and iMaster NCE-Campus can be successfully performed. Currently, iMaster NCE-Campus integrates the bootstrap server function.
● Syslog server: uploads user logs recorded during the ZTP process to the NMS.
● DHCP relay agent: forwards packets exchanged between the device to be
deployed and the DHCP server when they are located on different network
segments.
In Figure 6-7, a device accesses the Huawei device registration query center
through the preconfigured URL/IP address and port number of the Huawei device
registration query center, and then obtains the controller address based on the
device ESN or MAC address. The device establishes a NETCONF connection with
the controller based on the obtained controller information. Then you can perform
configurations on the device through the controller.

Figure 6-7 Network diagram of registration query center-based ZTP when a controller is deployed

● iMaster NCE-Campus: establishes NETCONF connections with devices.


● DHCP server: allocates a temporary management IP address, default gateway
address, DNS server IP address, and Syslog server IP address to the device to
be deployed.
● Registration query center: provides address information of the controller and
bootstrap server for devices to be deployed through ZTP.
● DNS server: provides mappings between domain names and IP addresses,
and resolves the domain name of the bootstrap server to an IP address.
● Bootstrap server: stores the CA certificates that users have applied for. For security purposes, no certificate is preconfigured on iMaster NCE-Campus. For this reason, the device needs to download a CA certificate from the bootstrap server so that two-way authentication for establishing a NETCONF connection between the device and iMaster NCE-Campus can be successfully performed. Currently, iMaster NCE-Campus integrates the bootstrap server function.
● Syslog server: uploads user logs recorded during the ZTP process to the NMS.
● DHCP relay agent: forwards packets exchanged between the device to be
deployed and the DHCP server when they are located on different network
segments.

ZTP Process
Figure 6-8 shows the flowchart of DHCP option parameter-based ZTP when a controller is deployed.

Figure 6-8 Flowchart of DHCP option parameter-based ZTP when a controller is deployed

The ZTP process involves the following phases:


1. Powering on and starting the device
If a non-factory configuration file is available, the device starts with that
configuration file. Otherwise, the device automatically starts the ZTP process.
2. Obtaining information through DHCP
The device broadcasts a DHCP request packet on high-bandwidth Ethernet
interfaces and low-bandwidth Ethernet interfaces, in that sequence. The
DHCP server sends a DHCP reply packet to the device. If the reply packet
contains the DHCP option 148 field or DHCP option 17 field, the device starts
the DHCP option parameter-based ZTP process with a controller. After
entering the DHCP option parameter-based ZTP process with a controller, the
device obtains information such as the device IP address, default gateway
address, controller's IP address and port number, bootstrap server's IP address
and port number, and Syslog server's IP address from the DHCP server. The
device obtains the IPv4 address of the Syslog server from the DHCP reply
packet to enable the Syslog server function. Information about important
phases during ZTP is recorded in user logs, which the Syslog server will upload
to the NMS.
3. (Optional) Downloading a CA certificate from the bootstrap server
This phase is mandatory when no certificate is preconfigured on the controller
and you want to use controller-based ZTP.
After receiving a DHCP reply packet carrying the DHCP option 43 field
(suboption 5) or the DHCP option 17 field (suboption 1) that carries
bootstrap server information, the device downloads a CA certificate from the
bootstrap server as follows:
a. The device establishes an HTTPS connection with the bootstrap server
based on the obtained IP address and port number of the bootstrap
server.
b. The device sends a request packet to the bootstrap server to download a
CA certificate. The request packet carries the device ESN or the IP address
of the bootstrap server. If the option field specifies the certificate
verification mode as ESN, the request packet carries the device ESN. If
the option field specifies the certificate verification mode as DOMAIN_IP,
the request packet carries the IP address of the bootstrap server.
c. The bootstrap server searches for the CA certificate based on the ESN or
IP address in the request packet and sends a response packet carrying the
CA certificate to the device. The response packet also carries the device
ESN or the IP address of the bootstrap server.
d. After receiving the response packet from the bootstrap server, the device terminates the HTTPS connection with the bootstrap server, parses the response packet, and verifies the validity of the certificate. If the CA certificate sent by the bootstrap server is signed, the device verifies its signature and, only after the signature verification succeeds, verifies the certificate itself. If the CA certificate sent by the bootstrap server is not signed, the device determines whether to trust it based on the option field setting: if the option field specifies that the certificate can be trusted, the device verifies the certificate directly; otherwise, the device attempts signature verification first, which fails for an unsigned certificate.

The device verifies the certificate based on the certificate verification mode specified by an option field. If the certificate verification mode is ESN, the device verifies the certificate based on the device ESN. If the certificate verification mode is DOMAIN_IP, the device verifies the certificate based on the IP address of the bootstrap server. If the verification fails, the device fails to obtain a CA certificate.
e. The device imports the obtained CA certificate to the default realm.
4. Establishing a NETCONF connection with the controller
After receiving a DHCP reply packet that contains the DHCP option 148 field
or DHCP option 17 field, the device enables NETCONF and proactive
NETCONF registration, creates an SSH user named huawei, and configures
VLAN 1 as the management VLAN. The device establishes a NETCONF
connection with the controller based on the obtained IP address and port
number of the controller.
Figure 6-9 shows the flowchart of registration query center-based ZTP when a controller is deployed.

Figure 6-9 Flowchart of registration query center-based ZTP when a controller is deployed

The ZTP process involves the following phases:


1. Powering on and starting the device
If a non-factory configuration file is available, the device starts with that
configuration file. Otherwise, the device automatically starts the ZTP process.
2. Obtaining information through DHCP
The device broadcasts a DHCP request packet on high-bandwidth Ethernet
interfaces and low-bandwidth Ethernet interfaces, in that sequence. The
DHCP server sends a DHCP reply packet to the device. If the reply packet
contains the DHCP option 148 field or DHCP option 17 field, the device starts
the DHCP option parameter-based ZTP process when a controller is deployed.
If the reply packet does not contain the option 148 or option 17 field, the
device further determines whether the conditions for DHCP-based ZTP
without a controller are met. If none of the preceding conditions is met, the
device enters the registration query center-based ZTP process with a controller
deployed. After entering the registration query center-based ZTP process with
a controller, the device obtains information such as the device IP address,
default gateway, and Syslog server IP address from the DHCP server. The
device obtains the IPv4 address of the Syslog server from the DHCP reply
packet to enable the Syslog server function. Information about important
phases during ZTP is recorded in user logs, which the Syslog server will upload
to the NMS.
3. Obtaining information from the registration query center
The device accesses the Huawei device registration query center through the
preconfigured URL/IP address and port number of the Huawei device
registration query center, obtains the controller address based on the device
ESN or MAC address, and obtains the IP address and port number of the
bootstrap server.
4. (Optional) Downloading a CA certificate from the bootstrap server
This phase is mandatory when no certificate is preconfigured on the controller
and you want to use controller-based ZTP.
After obtaining the IP address and port number of the bootstrap server from
the registration query center, the device downloads the CA certificate from the
bootstrap server as follows:
a. The device establishes an HTTPS connection with the bootstrap server
based on the obtained IP address and port number of the bootstrap
server.
b. The device sends a request packet to the bootstrap server to download a
CA certificate. The request packet carries the device ESN or the IP address
of the bootstrap server. If the option field specifies the certificate
verification mode as ESN, the request packet carries the device ESN. If
the option field specifies the certificate verification mode as DOMAIN_IP,
the request packet carries the IP address of the bootstrap server.
c. The bootstrap server searches for the CA certificate based on the ESN or
IP address in the request packet and sends a response packet carrying the
CA certificate to the device. The response packet also carries the device
ESN or the IP address of the bootstrap server.
d. After receiving the response packet from the bootstrap server, the device terminates the HTTPS connection with the bootstrap server, parses the response packet, and verifies the validity of the certificate. If the CA certificate sent by the bootstrap server is signed, the device verifies its signature and, only after the signature verification succeeds, verifies the certificate itself. If the CA certificate sent by the bootstrap server is not signed, the device determines whether to trust it based on the option field setting: if the option field specifies that the certificate can be trusted, the device verifies the certificate directly; otherwise, the device attempts signature verification first, which fails for an unsigned certificate.
The device verifies the certificate based on the certificate verification mode specified by an option field. If the certificate verification mode is ESN, the device verifies the certificate based on the device ESN. If the certificate verification mode is DOMAIN_IP, the device verifies the certificate based on the IP address of the bootstrap server. If the verification fails, the device fails to obtain a CA certificate.
e. The device imports the obtained CA certificate to the default realm.
5. Establishing a NETCONF connection with the controller
After receiving a packet carrying the controller address from the registration query center, the device enables NETCONF and proactive NETCONF registration, creates an SSH user named huawei, and configures VLAN 1 as the management VLAN. The device establishes a NETCONF connection with the controller based on the obtained IP address and port number of the controller.

6.5.2 Configuring a DHCP Server

Context
The DHCP server uses option fields to carry network configuration parameters
that are required for ZTP. The device can function as a DHCP server. If a controller
is deployed, you can enable the built-in DHCP function of iMaster NCE-Campus or
deploy an independent DHCP server.

Table 6-5 describes DHCPv4 option fields used for controller-based ZTP, and Table
6-6 describes the DHCPv6 option fields.

If the device to be deployed and DHCP server are on different network segments,
configure a DHCP relay agent to forward DHCP packets exchanged between them.

CAUTION

● The DHCP server does not support authentication and may be spoofed. You are
advised to use a trusted DHCP server for deployment on a secure network.

Table 6-5 DHCPv4 option fields

Option 1 (mandatory): Specifies the subnet mask of the IP address.

Option 3 (mandatory): Specifies the egress gateway of the DHCP client.

Option 6 (optional): Specifies the IP address of the DNS server. A DNS server is required if a domain name (for example, www.ztp.com), instead of an IP address, is specified as the host name of the bootstrap server.

Option 7 (optional): Specifies the IPv4 address of the Syslog server.

Option 43 (suboption 5) (optional): Specifies the IP address and port number of the bootstrap server, from which the device can download a CA certificate.
The value format is as follows: bootstrap-domain=https://ip-address-or-hostname:port;bootstrap-trust=xxx;bootstrap-voucher=xxx.
● bootstrap-domain: specifies the IPv4 address or domain name and port number of the bootstrap server. port is optional, and its default value is 443.
● bootstrap-trust: indicates whether to trust the downloaded CA certificate. The value can be true or false. The value true indicates that the device trusts the CA certificate and will verify the signature of the CA certificate only when the CA certificate sent by the bootstrap server is signed. The value false indicates that the device does not trust the CA certificate and will always verify the signature of the CA certificate. If bootstrap-trust is not specified, the default value false is used.
● bootstrap-voucher: specifies the CA certificate verification mode. The value can be DOMAIN_IP or ESN. The value DOMAIN_IP indicates that the IP address is used to verify the validity of the certificate, and the value ESN indicates that the device ESN is used to verify the validity of the certificate. The CA certificate can be obtained only after being successfully verified.
NOTE
The ESN of the device cannot contain spaces.

Option 148 (mandatory): Specifies the IP address and port number of the iMaster NCE-Campus server so that devices can register with iMaster NCE-Campus.
The value format is agilemanage-domain=ipv41&ipv42;agilemanage-port=port1&port2;sitecode=XXXXX.
● agilemanage-domain: IPv4 address of the iMaster NCE-Campus server. You can configure one or more IPv4 addresses. Use ampersands (&) to separate multiple IPv4 addresses.
● agilemanage-port: port number of the iMaster NCE-Campus server. You can configure one or more port numbers. Use ampersands (&) to separate multiple port numbers.
● (Optional) sitecode: sitecode value generated by the iMaster NCE-Campus server. When a device registers with iMaster NCE-Campus, the controller can use the sitecode for verification, implementing ESN-free verification.
NOTE
agilemanage-domain and agilemanage-port must be used together and have the same number of values.

Table 6-6 DHCPv6 option fields

Option 5 (mandatory): Specifies the subnet mask of the IPv6 address.

Option 23 (optional): Specifies the IPv6 address of the DNS server. A DNS server is required if a domain name (for example, www.ztp.com), instead of an IP address, is specified as the host name of the bootstrap server.

Option 17 (suboption 1) (mandatory): Specifies the IPv6 address and port number of iMaster NCE-Campus and the IPv6 address of the bootstrap server so that devices can register with iMaster NCE-Campus and download CA certificates from the bootstrap server.
The value format is agilemanage-domain=ipv61&ipv62;agilemanage-port=port1&port2;bootstrap-domain=https://ip-address-or-hostname:port;bootstrap-trust=xxx;bootstrap-voucher=xxx.
● agilemanage-domain: IPv6 address of the iMaster NCE-Campus server. You can configure one or more IPv6 addresses. Use ampersands (&) to separate multiple IPv6 addresses.
● agilemanage-port: port number of the iMaster NCE-Campus server. You can configure one or more port numbers. Use ampersands (&) to separate multiple port numbers.
● bootstrap-domain: specifies the IPv6 address or domain name and port number of the bootstrap server. port is optional, and its default value is 443. If an IP address is used, the format is [ip-address]:port, for example, https://[2001:db8:1::2]:200.
● bootstrap-trust: indicates whether to trust the downloaded CA certificate. The value can be true or false. The value true indicates that the device trusts the CA certificate and will verify the signature of the CA certificate only when the CA certificate sent by the bootstrap server is signed. The value false indicates that the device does not trust the CA certificate and will always verify the signature of the CA certificate. If bootstrap-trust is not specified, the default value false is used.
● bootstrap-voucher: specifies the CA certificate verification mode. The value can be DOMAIN_IP or ESN. The value DOMAIN_IP indicates that the IP address is used to verify the validity of the certificate, and the value ESN indicates that the device ESN is used to verify the validity of the certificate. The CA certificate can be obtained only after being successfully verified.
NOTE
agilemanage-domain and agilemanage-port must be used together and have the same number of values.

Option 17 (suboption 2) (optional): Specifies the IPv6 address of the Syslog server.

NOTE

If the registration query center is used for deployment, Option 148 or Option 17 (suboption
1) does not need to be configured on the DHCP server, but Option 6 needs to be configured
to obtain the IP address of the DNS server. The device accesses the Huawei device
registration query center through the preconfigured URL/IP address and port number of the
Huawei device registration query center, obtains the controller address based on the device
ESN or MAC address, and obtains the IP address and port number of the bootstrap server.
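As an added example (not Huawei's or the product's code), the following Python checks DHCP option values against the formats in Tables 6-5 and 6-6 and models the trust decision the device makes in phase 3d of the CA certificate download. All function and field names, the sample option strings, and the treatment of bootstrap-voucher as required are assumptions made here.

```python
"""Added example, not Huawei code: check the ZTP option values of Tables 6-5
and 6-6 and model the CA-certificate trust decision of phase 3d. Function and
field names, the sample strings and 'voucher is required' are assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

VOUCHER_MODES = {"DOMAIN_IP", "ESN"}

# Constructed sample values: addresses, ports and sitecode are placeholders.
SAMPLE_OPTION_148 = ("agilemanage-domain=192.0.2.10&192.0.2.11;"
                     "agilemanage-port=10020&10020;sitecode=SITE001")
SAMPLE_OPTION_17_SUB1 = ("agilemanage-domain=2001:db8::10;agilemanage-port=10020;"
                         "bootstrap-domain=https://[2001:db8:1::2]:200;"
                         "bootstrap-trust=true;bootstrap-voucher=ESN")
SAMPLE_OPTION_43_SUB5 = ("bootstrap-domain=https://bootstrap.example.com;"
                         "bootstrap-voucher=DOMAIN_IP")


@dataclass
class ZtpOptions:
    controllers: list = field(default_factory=list)  # (address, port) pairs
    sitecode: Optional[str] = None
    bootstrap_host: Optional[str] = None
    bootstrap_port: int = 443       # guide: port is optional, default 443
    bootstrap_trust: bool = False   # guide: default is false
    bootstrap_voucher: Optional[str] = None


def _split_kv(value: str) -> dict:
    """'k1=v1;k2=v2' -> dict; the trailing '.' printed in the guide is dropped."""
    pairs = [item.split("=", 1) for item in value.rstrip(".").split(";") if item]
    if any(len(p) != 2 for p in pairs):
        raise ValueError("malformed item without '='")
    return {k.strip(): v.strip() for k, v in pairs}


def parse_ztp_option(value: str, ip_version: int) -> ZtpOptions:
    """Parse Option 148 / Option 43 sub-option 5 (ip_version=4) or Option 17
    sub-option 1 (ip_version=6), enforcing the rules stated in the guide."""
    kv = _split_kv(value)
    opts = ZtpOptions()
    domains, ports = kv.get("agilemanage-domain"), kv.get("agilemanage-port")
    # Both keys must be used together and carry the same number of values.
    if (domains is None) != (ports is None):
        raise ValueError("agilemanage-domain and agilemanage-port go together")
    if domains is not None:
        addrs, plist = domains.split("&"), ports.split("&")
        if len(addrs) != len(plist):
            raise ValueError("agilemanage-domain/port value counts differ")
        for addr, port in zip(addrs, plist):
            if ipaddress.ip_address(addr).version != ip_version:
                raise ValueError(f"{addr} is not an IPv{ip_version} address")
            if not 1 <= int(port) <= 65535:
                raise ValueError(f"bad controller port {port!r}")
            opts.controllers.append((addr, int(port)))
    opts.sitecode = kv.get("sitecode")

    bootstrap = kv.get("bootstrap-domain")
    if bootstrap is not None:
        url = urlsplit(bootstrap)  # IPv6 literals must be bracketed, as in the guide
        if url.scheme != "https" or not url.hostname:
            raise ValueError("bootstrap-domain must be an https:// URL")
        opts.bootstrap_host = url.hostname
        if url.port is not None:
            opts.bootstrap_port = url.port
        trust = kv.get("bootstrap-trust", "false").lower()
        if trust not in ("true", "false"):
            raise ValueError("bootstrap-trust must be true or false")
        opts.bootstrap_trust = trust == "true"
        voucher = kv.get("bootstrap-voucher")  # assumption: treated as required
        if voucher not in VOUCHER_MODES:
            raise ValueError("bootstrap-voucher must be DOMAIN_IP or ESN")
        opts.bootstrap_voucher = voucher
    return opts


def is_valid_option(value: str, ip_version: int) -> bool:
    try:
        parse_ztp_option(value, ip_version)
        return True
    except ValueError:
        return False


def accept_ca_certificate(opts: ZtpOptions, *, signed: bool,
                          signature_valid: bool, identity_matches: bool) -> bool:
    """Phase 3d as a decision: a signed certificate is always signature-checked;
    an unsigned one passes that step only with bootstrap-trust=true; then the
    ESN or DOMAIN_IP check (summarised as identity_matches) must succeed."""
    if signed:
        if not signature_valid:
            return False
    elif not opts.bootstrap_trust:
        # Unsigned and not trusted: signature verification cannot succeed.
        return False
    return identity_matches
```

A value that fails is_valid_option would leave the device without controller or bootstrap information, so running the check against the DHCP server's configured option strings before deployment catches the mismatches the NOTE above warns about.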

Procedure
Step 1 Configure the DHCP server.
Step 2 (Optional) Configure the DHCP relay agent.
NOTE

If a Huawei device is used as the DHCP relay agent, see "DHCPv4 Configuration" or
"DHCPv6 Configuration" in CLI Configuration Guide > IP Address and Service Configuration.
If a third-party device is used as the DHCP relay agent, see the operation guide of the third-
party DHCP server and DHCP relay agent.

----End

6.5.3 Starting DHCP-based ZTP with a Controller

Prerequisites
To implement ZTP through iMaster NCE-Campus, you need to log in to iMaster
NCE-Campus and import the ESN, device type, and CA certificate of each device in
advance. If the registration query center is used for deployment, you need to
connect iMaster NCE-Campus to the registration query center. For details about
how to configure iMaster NCE-Campus, see the iMaster NCE-Campus product
documentation.

Context
A device with factory configurations has never started ZTP before. In its factory configurations, the ZTP function is enabled by default. To start ZTP, you only need to power on the device. The ZTP function can be disabled on a device. If you log in to a device through the console port and disable the ZTP function when the device starts with factory configurations, the ZTP process is terminated. To enable the device to execute the ZTP process when it starts with factory configurations next time, you need to enable the ZTP function.

Procedure
Step 1 Power on the device.
Step 2 (Optional) Enable the ZTP function on the device.
set ztp enable

By default, the ZTP function is enabled on a device.


To disable a device from running the ZTP process upon startup with factory
configurations, run the set ztp disable command on the device.
Step 3 (Optional) Restart the device with factory configurations.
reboot fast

----End

6.5.4 Verifying DHCP-based ZTP with a Controller

Procedure
Step 1 The device completes the ZTP process in about 15 minutes after it is powered on. You can then log in to the device to check the status of the NETCONF connection between the device and iMaster NCE-Campus.
display netconf session

----End

Follow-up Procedure
If deployment fails, analyze ZTP logs on the device to determine the cause. ZTP
logs are saved in the file named ztp_YYYYMMHHMMSS.log in the flash:/
directory.

6.6 Configuring DHCP-based ZTP (Without a Controller)

6.6.1 Understanding DHCP-based ZTP Without a Controller


Basic Networking
DHCP-based ZTP can be further classified into intermediate file-based ZTP and
option parameter-based ZTP.
In Figure 6-10, the device functions as a DHCP client to periodically send DHCP request packets to the DHCP server in order to obtain configuration information. The DHCP server responds with DHCP reply packets that contain information about the IP address allocated to the device, IP address of the intermediate file server, and intermediate file server login method. After receiving the DHCP reply packets, the device connects to the intermediate file server to obtain the configuration information about the deployment files, based on which the device then automatically obtains deployment files from the specified deployment file server and sets them as the files to be loaded for the next startup. These deployment files are then automatically loaded by the device upon restart.

Figure 6-10 DHCP-based ZTP (intermediate file mode)

● DHCP server: allocates a temporary management IP address, default gateway address, DNS server address, and intermediate file server address to the device to be deployed.
● Syslog server: uploads user logs recorded during the ZTP process to the NMS.
● DHCP relay agent: forwards packets exchanged between the device to be
deployed and the DHCP server when they are located on different network
segments.
● Intermediate file server: stores the intermediate file required for ZTP, which
can be an INI file or a Python script. By parsing the intermediate file, the
device to be deployed obtains information about the deployment file server
address and deployment files. An intermediate file server must be an SFTP file
server.
● Deployment file server: stores the deployment files to be loaded to the
device to be deployed, including the system software, configuration file, and
patch file. The deployment file server and intermediate file server can be
combined, which must be an SFTP file server.
● DNS server: provides mappings between domain names and IP addresses,
and resolves the file server domain name to an IP address for the device to be
deployed. Based on the resolved IP address, the device can obtain requested
files from the file server.

In Figure 6-11, the device functions as a DHCP client to periodically send DHCP request packets to the DHCP server in order to obtain configuration information. The DHCP server responds with DHCP reply packets that contain information about the IP address allocated to the device, the deployment file server login method, and the deployment file information. After receiving the DHCP reply packets, the device connects to the deployment file server to obtain the deployment files, and sets them as the files to be loaded for the next startup. These deployment files are then automatically loaded by the device upon restart.

Figure 6-11 DHCP-based ZTP (option parameter mode)

● DHCP server: allocates a temporary management IP address, default gateway address, DNS server address, and deployment file server address to the device to be deployed.
● Syslog server: uploads user logs recorded during the ZTP process to the NMS.
● DHCP relay agent: forwards packets exchanged between the device to be
deployed and the DHCP server when they are located on different network
segments.
● Deployment file server: stores the deployment files to be loaded to the
device to be deployed, including the system software, configuration file, and
patch file. A deployment file server must be an SFTP server.
● DNS server: provides mappings between domain names and IP addresses,
and resolves the file server domain name to an IP address for the device to be
deployed. Based on the resolved IP address, the device can obtain requested
files from the file server.

Deployment Process
● Figure 6-12 shows the intermediate file-based ZTP process.

Figure 6-12 Intermediate file-based ZTP process

The ZTP process involves the following phases:

1. Powering on and starting the device
If a non-factory configuration file is available, the device starts with that
configuration file. Otherwise, the device automatically starts the ZTP process.
2. Obtaining DHCP information
The device broadcasts a DHCP request packet on high-bandwidth Ethernet
interfaces and low-bandwidth Ethernet interfaces, in that sequence. After
receiving the DHCP request packet, the DHCP server sends a DHCP reply
packet to the device. Options in the packet contain the device-requested
information, including the IP address allocated to the device, default gateway
address, IP address of the intermediate file server, IP address of the Syslog
server, and intermediate file name.
3. Enabling the Syslog server
The device obtains the IPv4 address of the Syslog server from the DHCP reply
packet to enable the Syslog server function. Information about important
phases during ZTP is recorded in user logs, which the Syslog server will upload
to the NMS.
4. Obtaining the intermediate file and deployment files
The device downloads the intermediate file from the intermediate file server
according to the information carried in the DHCP reply packet, and then
downloads deployment files from the deployment file server according to the
intermediate file.
If the intermediate file is an INI file, the device downloads deployment files
based on the deployment file server address and deployment file names
contained in the intermediate file. If the intermediate file is a Python script,
the device automatically runs the script to download deployment files from
the deployment file server.
5. Restarting the device
The device automatically sets the downloaded deployment files as those to be
loaded for its next startup. The device then restarts to complete automatic
deployment.
● Figure 6-13 shows the option parameter-based ZTP process.

Figure 6-13 Option parameter-based ZTP process

The ZTP process involves the following phases:

1. Powering on and starting the device
If a non-factory configuration file is available, the device starts with that
configuration file. Otherwise, the device automatically starts the ZTP process.
2. Obtaining DHCP information
The device broadcasts a DHCP request packet on high-bandwidth Ethernet
interfaces and low-bandwidth Ethernet interfaces, in that sequence. After
receiving the DHCP request packet, the DHCP server sends a DHCP reply
packet to the device. Options in the packet contain the device-requested
information, including the IP address allocated to the device, default gateway
address, IP address of the file server, IP address of the Syslog server, and
deployment file information.
3. Enabling the Syslog server
The device obtains the IPv4 address of the Syslog server from the DHCP reply
packet to enable the Syslog server function. Information about important
phases during ZTP is recorded in user logs, which the Syslog server will upload
to the NMS.
4. Obtaining deployment files
The device downloads deployment files from the deployment file server based
on the information obtained from the DHCP reply packet.
5. Restarting the device
The device automatically sets the downloaded deployment files as those to be
loaded for its next startup. The device then restarts to complete automatic
deployment.

6.6.2 Preparing Deployment Files

Context
Before DHCP-based ZTP, you need to prepare deployment files, including the
configuration file and intermediate file.

The configuration file name is a string of 5 to 64 characters and suffixed with *.zip,
*.cfg, or *.dat. The configuration file is used for the next startup. The configuration
file can be manually edited or copied from other devices. You can use either of the
following methods to obtain the configuration file:
● Saving the configuration file: Run the save shareable-configuration
command on the device that provides the configuration file to save the
configuration file, and then export the configuration file using SFTP or other
methods.
● Changing the system master key: Run the set master-key command to
change the system master key, save the configuration file, and export the
configuration file using SFTP or other methods.
NOTE

To ensure security, you are advised to export the configuration file using the
preceding methods rather than editing the configuration file manually.
Ensure that the configuration file for deployment contains the console password or an
AAA user name that can be used to log in to the device remotely. Otherwise, the
configuration file cannot be successfully set, causing a deployment failure.

For intermediate file-based ZTP:

The name extension of the intermediate file is .ini or .python. By parsing the
intermediate file, the device to be deployed obtains information about the
deployment file server address and deployment files. The intermediate file needs
to be manually edited.


● The intermediate file in .ini format is used to save information about the
device and its deployment files. For details about the file example, see 6.6.3
Intermediate File in the INI Format.
● The intermediate file in Python format (known as a Python script) is used to
download deployment files. For details about the file example, see 6.6.4
Intermediate File in the Python Format.

For option parameter-based ZTP:

The password in the intermediate file is used to decrypt the ciphertext in the
configuration file so that the device can identify the ciphertext at next startup. The
file name extension is .ini, and the file name contains 5 to 64 characters.

Procedure
Step 1 Prepare the configuration file.
● Configuration file saving mode
1. Save the configuration file on the device that provides the configuration file.
save shareable-configuration configuration-file [ password ]

If the password parameter is not specified, the configuration file uses the
default key information. If the password parameter is specified, the device
generates key information in the configuration file based on the password
entered in interactive mode.
2. Export the configuration file using SFTP.
● System master key changing mode
1. Change the system master key.
<HUAWEI> set master-key
Enter the user password: //Password of the current user, not the master key of the current system
Warning: This operation will automatically save configurations. Are you sure you want to perform it?
[Y/N]:y
Whether to enter the master key? (If you enter Y, then you need to enter a master key. If you enter N,
the master key will be automatically generated by the system.) [Y/N]:y
Enter a new master key: //System master key
Confirm the new master key:
Info: Keep the new master key well.
Info: Operating, please wait for a moment......
Info: Operation success.

For details, see "System Master Key Configuration" in CLI Configuration Guide
> User Access and Authentication Configuration.
2. Export the configuration file using SFTP.

Step 2 Prepare the intermediate file.

For intermediate file-based ZTP:

The intermediate file can be an .ini file or a Python script. You can select either
format to configure related fields. In addition, the configuration of some fields in
the intermediate file is related to the method of obtaining the configuration file.
For details, see Table 6-7 and Table 6-8. For more information about the fields in
an intermediate file, see 6.6.3 Intermediate File in the INI Format and 6.6.4
Intermediate File in the Python Format.

For option parameter-based ZTP:


1. Create a .txt file and change the file name to *.ini, for example, masterkey.ini.
[BEGIN]
EXPORTCFG=
SET_MASTER=
CLEAR_MASTER=
[END]

2. Set fields in the intermediate file. For details about the fields, see Table 6-7.

Table 6-7 Fields in an intermediate file in .ini format

Field: [BEGIN]
Mandatory or Not: Yes
Description: Start field of the intermediate file.
Value Range: -

Field: EXPORTCFG
Mandatory or Not: Mandatory when the configuration file saving mode is used;
optional when the system master key changing mode is used.
Description: Password used for saving the configuration file.
Value Range:
● If the password parameter is not specified when the save shareable-configuration
command is executed to save the configuration file, leave the EXPORTCFG field empty.
● If the password parameter is specified when the save shareable-configuration
command is executed to save the configuration file, set the EXPORTCFG field to the
same value as password.

Field: SET_MASTER
Mandatory or Not: Optional when the configuration file saving mode is used;
mandatory when the system master key changing mode is used.
Description: System master key.
Value Range: The value must be the same as the system master key of the device
that provides the configuration file.

Field: CLEAR_MASTER
Mandatory or Not: Optional when the configuration file saving mode is used;
mandatory when the system master key changing mode is used.
Description: Whether to clear the system master key.
Value Range:
● 1: The device restores the random master key after the device deployment is
complete.
● 0: The device still uses the value of SET_MASTER as the master key after the
device deployment is complete.

Field: [END]
Mandatory or Not: Yes
Description: End field of the intermediate file.
Value Range: -

Table 6-8 Fields in an intermediate file in Python format

Field: master_exportcfg
Mandatory or Not: Mandatory when the configuration file saving mode is used;
optional when the system master key changing mode is used.
Description: Password used for saving the configuration file.
Value Range:
● If the password parameter is not specified when the save shareable-configuration
command is executed to save the configuration file, set the master_exportcfg field
to None.
● If the password parameter is specified when the save shareable-configuration
command is executed to save the configuration file, set the master_exportcfg field
to the same value as password.

Field: is_set_master
Mandatory or Not: Optional when the configuration file saving mode is used;
mandatory when the system master key changing mode is used.
Description: System master key.
Value Range: The value must be the same as the system master key of the device
that provides the configuration file.

Field: is_clear_master
Mandatory or Not: Optional when the configuration file saving mode is used;
mandatory when the system master key changing mode is used.
Description: Whether to clear the system master key.
Value Range:
● 1: The device restores the random master key after the device deployment is
complete.
● 0: The device still uses the value of SET_MASTER as the master key after the
device deployment is complete.

----End

6.6.3 Intermediate File in the INI Format


The intermediate file in .ini format is used to save information about the device
and its deployment files. The file name must be ***.ini, and the following is an
example of such a file. For details about the fields included in this file, see Table
6-9.

#sha256="676a306a0c22d46ed975633de9d05af4b1ebb94879ed1dd1d1e34de2a72c4e7e"
;BEGIN ZTP CONFIG
[GLOBAL CONFIG]
*FILESERVER=sftp://sftp_user:Hyx_Hy1234@10.1.3.2
*TIME_SN=20200526120159
*DEVICE_TYPE_NUM=
SET_MASTER=Root@123456789123456
CLEAR_MASTER=1
EXPORTCFG=

[DEVICE_TYPE_1 DESCRIPTION]
DEVICE_TYPE=S6700
ESN=
MAC=
VRPVER=
SYSLOG_INFO=UDP
SPACE_CLEAR=1
DIRECTORY=folder/
ACTIVE_DELAYTIME=60
ACTIVE_INTIME=


*FILETYPENUM=5
*FILENAME_1=software_file1.cc
*TYPE_1=SOFTWARE
*EFFECTIVE_MODE_1=0
ISBATCHPROCESS_1=0
SHA256_1=a7638ea0a69933ac20df66ea9bf6ea301de8155684d81fbcdf00f6ca07261d7c
*FILENAME_2=cfg_file1.cfg
*TYPE_2=CFG
*EFFECTIVE_MODE_2=0
ISBATCHPROCESS_2=0
SHA256_2=a7638ea0a69933ac20df66ea9bf6ea301de8155684d81fbcdf00f6ca07261d7c
*FILENAME_3=pat_file1.pat
*TYPE_3=PAT
*EFFECTIVE_MODE_3=1
ISBATCHPROCESS_3=0
SHA256_3=a7638ea0a69933ac20df66ea9bf6ea301de8155684d81fbcdf00f6ca07261d7c
*FILENAME_4=lic_file1.xml
*TYPE_4=LIC
*EFFECTIVE_MODE_4=1
ISBATCHPROCESS_4=0
SHA256_4=a7638ea0a69933ac20df66ea9bf6ea301de8155684d81fbcdf00f6ca07261d7c
*FILENAME_5=user_file1.txt
*TYPE_5=USER
*EFFECTIVE_MODE_5=2
ISBATCHPROCESS_5=0
SHA256_5=a7638ea0a69933ac20df66ea9bf6ea301de8155684d81fbcdf00f6ca07261d7c

;END ZTP CONFIG

Table 6-9 Fields in an INI file

Field: sha256
Mandatory or Not: No
Description: SHA256 verification code of the script, which is used to check the
integrity of the downloaded script.
NOTE
Before an SHA256 verification code is generated, do not add the #sha256= field to
the script. Instead, #sha256= should be added to the beginning of the script after
the SHA256 verification code is generated.
A script without an SHA256 verification code can still be executed.

Field: ;BEGIN ZTP CONFIG
Mandatory or Not: Yes
Description: Start flag of the file. This field cannot be modified.

Field: [GLOBAL CONFIG]
Mandatory or Not: Yes
Description: Start flag of the global configuration. This field cannot be modified.

Field: FILESERVER
Mandatory or Not: Yes
Description: Address of the deployment file server. Files can be obtained only in
SFTP mode.
In the IPv4 scenario, the value format is sftp://username:password@hostname:port/path.
In this format, port is optional and path specifies the directory where deployment
files are stored on the file server.
In the IPv6 scenario, the value format is sftp://username:password@hostname:port/path.
The value of hostname can be a domain name or an IP address.
● If the value is a domain name, the format is
sftp://username:password@hostname:port/path.
● If the value is an IP address, the format is
sftp://username:password@[address]:port/path.
In this format, port is optional and path specifies the directory where deployment
files are stored on the file server.

Field: TIME_SN
Mandatory or Not: Yes
Description: Uniquely identifies a deployment in order to prevent repeated
deployment. The value format is yyyymmddhhmmss. For example, this field can be
set to 20200526120159, indicating 12:01:59 on 2020-05-26.

Field: DEVICE_TYPE_NUM
Mandatory or Not: Yes
Description: Number of device types. The value 1 indicates that only one type of
device can be deployed.

Field: SET_MASTER
Mandatory or Not: No
Description: Master key of a configuration file for deployment. The value is a string
of 20 to 32 characters. It must contain uppercase letters, lowercase letters, digits,
and special characters.
NOTE
● This field takes effect only when the configuration file for deployment exists.
● The configuration file is exported from a device, which has a master key
configured. This master key is used as the value of this field.
● Because this field is configured, the intermediate file contains the key in
plaintext. Therefore, you need to ensure the security of the intermediate file.

Field: CLEAR_MASTER
Mandatory or Not: No
Description: Whether to clear the master key configured in the intermediate file
for deployment. This field takes effect only when the SET_MASTER field exists.
● 1: After ZTP is complete, the device clears the master key configured in the .ini
file, and restores the master key to the random master key.
● 0: After ZTP deployment, the device continues to use the master key configured
in the .ini file. This value is used by default.
If the CLEAR_MASTER field is not set or is not set to 1, the value 0 is used.

Field: EXPORTCFG
Mandatory or Not: No
Description: Value of password in the save shareable-configuration
configuration-file password command. For details, see 6.6.2 Preparing
Deployment Files.
NOTE
If both SET_MASTER and EXPORTCFG exist in the .ini file, EXPORTCFG takes effect.
This field takes effect only for the configuration file for deployment.

Field: [DEVICE_TYPE_n DESCRIPTION]
Mandatory or Not: Yes
Description: Start tag of the device description. n indicates the device number.
The value is an integer starting from 1.

Field: DEVICE_TYPE
Mandatory or Not: When DEVICE_TYPE_NUM is set to 1, DEVICE_TYPE, ESN, and
MAC can all be set to DEFAULT or left empty. When DEVICE_TYPE_NUM is greater
than 1, DEVICE_TYPE, ESN, and MAC must be specified and only one of them can
be specified.
NOTE
● To upgrade devices in batches, set DEVICE_TYPE.
● To upgrade a single device, you can set the ESN or MAC address of the device.
Description: Device type. The value of DEVICE_TYPE can be queried using the
display version command. In the command output, S6700 in "Version xxx (S6700
xxx)" is the value of DEVICE_TYPE. If this field is left empty or set to DEFAULT, the
device type is not checked. The default value is DEFAULT.

Field: ESN
Mandatory or Not: Same as DEVICE_TYPE.
Description: ESN of the device, which can be queried using the display device esn
command. If this field is left empty or set to DEFAULT, the device does not check
the value. If this field is set to another value, the device checks whether that value
is the same as its ESN. The default value is DEFAULT.

Field: MAC
Mandatory or Not: Same as DEVICE_TYPE.
Description: MAC address of a device, in the XXXX-XXXX-XXXX format, in which X is
a hexadecimal number. You can run the display bridge mac-address command to
query the MAC address. If this field is set to DEFAULT, the MAC address does not
need to be matched. If this field is set to another value, the MAC address needs to
be matched. The entered value must be in lowercase. The default value is DEFAULT.

Field: VRPVER
Mandatory or Not: No
Description: System software version number. If the current system software
version of the device is the same as the value specified here, the device does not
download the system software from the deployment file server. If the current
system software package is the one required for deployment, you are advised to
set this field.

Field: SYSLOG_INFO
Mandatory or Not: No
Description: Transport protocol used by the Syslog server.
● TCP: Logs are transmitted using TCP.
● UDP: Logs are transmitted using UDP.

Field: SPACE_CLEAR
Mandatory or Not: No
Description: Whether to automatically clean up the system storage space in the
case of space insufficiency. The value is of the enumerated type.
● 0: The system storage space is not cleaned up.
● 1: Only system software among deployment files is deleted.
● 2: In-depth cleanup is performed. System software among deployment files is
deleted first. If the available space is still insufficient, unnecessary files are deleted.
If this field is left empty or set to DEFAULT, the space is not cleaned up. The
default value is DEFAULT.
NOTE
In-depth cleanup involves some inherent risks. As such, you are advised to back up
required files locally before performing in-depth cleanup.

Field: DIRECTORY
Mandatory or Not: No
Description: Relative directory where deployment files are stored on the file
server. If this field is left empty or set to DEFAULT, deployment files are stored in
the root directory. The default value is DEFAULT.
NOTE
The relative directory must start with a folder name and cannot start with a slash (/).

Field: ACTIVE_DELAYTIME
Mandatory or Not: No
NOTE
If both ACTIVE_DELAYTIME and ACTIVE_INTIME are set, ACTIVE_DELAYTIME is
preferentially used.
Description: Delay for deployment to be performed. The value is an integer that
ranges from 0 to 86400, in the unit of seconds. If the value is greater than 86400,
the value 86400 is used.

Field: ACTIVE_INTIME
Mandatory or Not: No (see the note under ACTIVE_DELAYTIME)
Description: Scheduled time for deployment to be performed within 24 hours. The
value format is HH:MM, where HH indicates the 24-hour format, and MM indicates
the 60-minute format. For example, the value 20:10 indicates that the deployment
will be performed at 20:10.
NOTE
If the configured time is earlier than the system time of the device, the deployment
time is the configured time plus 24 hours minus the current system time. For
example, if the configured time is 10:00 and the device system time is 11:00, the
deployment will be performed at 23:00.

Field: FILETYPENUM
Mandatory or Not: Yes
Description: Number of deployment files to be loaded.
NOTE
The total number of deployment files must not exceed 9.
The value of this field must be the same as the actual number of deployment files,
and the value is the same as n in FILENAME_n.

Field: FILENAME_n
Mandatory or Not: Yes
Description: Name of a deployment file, which can be the name of a system
software file, configuration file, license file, patch file, or customized file.
NOTE
If the length of a deployment file name exceeds the limit, it will fail to be
downloaded. The length limits for different deployment files are as follows:
● System software: 4 to 127 characters
● Configuration file: 5 to 64 characters
● License file: 5 to 127 characters
● Patch file: 5 to 63 characters
● Module file: 5 to 63 characters
● Customized file: 3 to 64 characters

Field: TYPE_n
Mandatory or Not: Yes
Description: Type of a deployment file. The value is of the enumerated type.
● SOFTWARE: system software
● CFG: configuration file
● LIC: license file
● PAT: patch file
● MOD: module file
● USER: customized file

Field: EFFECTIVE_MODE_n
Mandatory or Not: Yes
Description: Activation mode. The value is of the enumerated type.
● 0: effective upon restart, which applies to the system software, configuration
file, module file, and patch file.
● 1: effective immediately, which applies to the license file, module file, and
patch file.
● 2: Activation is not required, which applies to the customized file.
The default activation mode of the system software and configuration file is 0.
The default activation mode of the patch file, module file, and license file is 1.
The default activation mode of the customized file is 2.
If EFFECTIVE_MODE_n is set to a value that is not 0, 1, or 2, the default activation
mode of each type of file is used.

Field: ISBATCHPROCESS_n
Mandatory or Not: No
Description: Whether to perform batch processing for the license list file. The
value is of the enumerated type.
● 0: no
● 1: yes
If this field is left empty or set to DEFAULT or a value not 1, batch processing is
not performed. The default value is DEFAULT.
NOTE
Devices can use the license list file, which contains mappings between licenses and
device ESNs, to automatically load license files. A device first downloads the license
list file and then downloads the corresponding license file based on the mappings
to load it. The license list file is in XML format and its name must be
ztp_license_list. An example of such a file is as follows:
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<Index formatVersion="1.0">
<Lic name="LIC_file1.xml" sha256="d27305447dbb1e76ea9c6f27e19be2986503b91d8240612f9ebde708e7d1019e">
<LSN>LIC202005183TCG5M</LSN>
<Esn>102050157695</Esn>
</Lic>
<Lic name="LIC_file2.dat" sha256="6a2690e7a08e3df844ba86e1f48dc3c504af3b760dd0e38134771e1024fe1a5f">
<LSN>LIC202005183TCI50</LSN>
<Esn>2102311LDL0000000805</Esn>
</Lic>
</Index>

Field: SHA256_n
Mandatory or Not: No
Description: Verification code corresponding to the SHA256 algorithm, which is
used to verify the integrity of a deployment file. If this field is left empty, the
deployment file integrity is not verified.

Field: ;END ZTP CONFIG
Mandatory or Not: Yes
Description: End flag of the file. This field cannot be modified.
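The following checker is an added example, not Huawei's code: it applies the field rules of Table 6-9 (the #sha256= header, mandatory fields, FILETYPENUM versus the FILENAME_n entries, per-type name lengths, SHA256_n verification, and the SET_MASTER/EXPORTCFG/CLEAR_MASTER precedence that Table 6-7 also describes) to a constructed sample file. The sample values, the helper names and the "default"/"random" result labels are assumptions.

```python
"""Checker for a ZTP intermediate file in INI format: an added example, not
Huawei's code, applying the field rules of Table 6-9 to a constructed sample."""
import hashlib

# Constructed sample modelled on 6.6.3; the #sha256= header is added afterwards
# by add_sha256_header(), as the note on that field requires.
SAMPLE_INI_BODY = """;BEGIN ZTP CONFIG
[GLOBAL CONFIG]
*FILESERVER=sftp://sftp_user:Example_Pw1@10.1.3.2
*TIME_SN=20200526120159
*DEVICE_TYPE_NUM=1
SET_MASTER=Example_Master_Key_123!
CLEAR_MASTER=1
EXPORTCFG=
[DEVICE_TYPE_1 DESCRIPTION]
DEVICE_TYPE=S6700
*FILETYPENUM=2
*FILENAME_1=software_file1.cc
*TYPE_1=SOFTWARE
*EFFECTIVE_MODE_1=0
SHA256_1=
*FILENAME_2=cfg_file1.cfg
*TYPE_2=CFG
*EFFECTIVE_MODE_2=0
SHA256_2=
;END ZTP CONFIG
"""
# File-name length limits per TYPE_n (Table 6-9, FILENAME_n) and the file cap.
NAME_LIMITS = {"SOFTWARE": (4, 127), "CFG": (5, 64), "LIC": (5, 127),
               "PAT": (5, 63), "MOD": (5, 63), "USER": (3, 64)}
MAX_FILES = 9

def add_sha256_header(body):
    """Prepend #sha256= computed over everything after the header line."""
    digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
    return '#sha256="{}"\n{}'.format(digest, body)

def parse_ini(text):
    """Split the file into fields; sha256_ok is None when no header exists."""
    lines = text.splitlines(keepends=True)
    sha256_ok = None
    if lines and lines[0].startswith("#sha256="):
        expected = lines[0].split("=", 1)[1].strip().strip('"')
        actual = hashlib.sha256("".join(lines[1:]).encode("utf-8")).hexdigest()
        sha256_ok = expected == actual
        lines = lines[1:]
    fields = {}
    for raw in lines:
        line = raw.strip()
        if not line or line[0] in ";[":   # skip blanks, flags and section tags
            continue
        key, _, value = line.partition("=")
        fields[key.lstrip("*")] = value.strip()   # '*' marks mandatory keys
    return {"sha256_ok": sha256_ok, "fields": fields,
            "flags_ok": ";BEGIN ZTP CONFIG" in text and ";END ZTP CONFIG" in text}

def validate(parsed):
    """Return a list of problems; an empty list means the file is consistent."""
    f, problems = parsed["fields"], []
    if parsed["sha256_ok"] is False:
        problems.append("#sha256= header does not match the file body")
    if not parsed["flags_ok"]:
        problems.append("missing ;BEGIN ZTP CONFIG or ;END ZTP CONFIG")
    for key in ("FILESERVER", "TIME_SN", "DEVICE_TYPE_NUM", "FILETYPENUM"):
        if not f.get(key):
            problems.append("mandatory field {} is missing or empty".format(key))
    count = int(f["FILETYPENUM"]) if f.get("FILETYPENUM", "").isdigit() else 0
    names = [k for k in f if k.startswith("FILENAME_")]
    if count > MAX_FILES or len(names) != count:
        problems.append("FILETYPENUM={} but {} FILENAME_n entries (max {})"
                        .format(count, len(names), MAX_FILES))
    for i in range(1, count + 1):
        ftype = f.get("TYPE_{}".format(i), "")
        if ftype not in NAME_LIMITS:
            problems.append("TYPE_{} is not SOFTWARE/CFG/LIC/PAT/MOD/USER".format(i))
            continue
        low, high = NAME_LIMITS[ftype]
        if not low <= len(f.get("FILENAME_{}".format(i), "")) <= high:
            problems.append("FILENAME_{} length outside {}..{}".format(i, low, high))
        if f.get("EFFECTIVE_MODE_{}".format(i)) not in ("0", "1", "2"):
            problems.append("EFFECTIVE_MODE_{} is not 0, 1 or 2; "
                            "the per-type default applies".format(i))
    return problems

def verify_file(data, expected_sha256):
    """SHA256_n check on a downloaded file; an empty field skips the check."""
    if not expected_sha256:
        return True
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()

def key_after_ztp(fields):
    """Key source once ZTP ends: EXPORTCFG wins over SET_MASTER, and
    CLEAR_MASTER=1 restores the random master key (Table 6-9 rules)."""
    if fields.get("EXPORTCFG"):
        return "EXPORTCFG"
    if fields.get("SET_MASTER"):
        return "random" if fields.get("CLEAR_MASTER") == "1" else "SET_MASTER"
    return "default"
```

Because the SET_MASTER value sits in plaintext in this file, the same checker can be used to confirm that CLEAR_MASTER=1 is present before the file is placed on the intermediate file server.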

6.6.4 Intermediate File in the Python Format


The intermediate file in Python format (known as a Python script) is used to
download deployment files. The file name must be ***.py, and the following is a
file example. For details about the content to be modified in the script, see Table
6-10.

NOTE

The Python script can invoke the script defined using open programmability system (OPS)
APIs. The invoked script defines automatic service deployment upon device startup. To
configure more service functions for ZTP, edit the Python script by referring to the following
file example and "Writing an OPS API-based Script" in CLI Configuration Guide > System
Management Configuration.

#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
# Copyright (C) Huawei Technologies Co., Ltd. 2020-2030. All rights reserved.
# ----------------------------------------------------------------------------------------------------------------------
# History:
# Date Author Modification
# 202005
"""
Zero Touch Provisioning (ZTP) enables devices to automatically load version files, including system software,
patch files, and configuration files, when the device starts up. The devices to be configured must be new devices
or have no configuration files.

This is a sample of a Zero Touch Provisioning user script. You can customize it to meet the requirements of
your network environment.
"""
import http.client
import string
import re
import os
import sys
import xml.etree.ElementTree as etree
import stat
import logging
import traceback
import glob
import ops
import ipaddress

from hashlib import sha256

from urllib.request import urlretrieve
from urllib.parse import urlparse, urlunparse
from urllib.error import URLError, HTTPError, ContentTooShortError
from time import sleep, time, mktime, strptime

# ======================================================================================================================
# Script configuration information start

# error code
OK = 0
ERR = 1

# Maximum number of device startup retries when there is no query result.


GET_STARTUP_INTERVAL = 15 # The unit is second.
MAX_TIMES_GET_STARTUP = 120 # Maximum number of retries.

# Maximum number of file downloading retries.


MAX_TIMES_RETRY_DOWNLOAD = 3
MAX_TIMES_RETRY = 5
DELAY_INTERVAL = 10

# Define the file length.


FELMNAMME_127 = 127
FELMNAMME_64 = 64
FELMNAMME_4 = 4
FELMNAMME_5 = 5

# Mode for activating the device deployment file


EFFECTIVE_MODE_REBOOT = '0'
EFFECTIVE_MODE_NO_REBOOT = '1'
EFFECTIVE_MODE_NO_NEED = '2'

FILE_TYPE_SOFTWARE = 'software'
FILE_TYPE_CFG = 'cfg'
FILE_TYPE_PAT = 'pat'
FILE_TYPE_MOD = 'mod'
FILE_TYPE_LIC = 'lic'
FILE_TYPE_USER = 'user'
FILE_TYPE_FEATURE_PLUGIN = 'feature-plugin'

# Log level.
LOG_INFO_TYPE = 'INFO'
LOG_WARN_TYPE = 'WARNING'
LOG_ERROR_TYPE = 'ERROR'

# Configure the default mode for activating the deployment file.


FILE_DEFAULT_EFFECTIVE_MODE = {
FILE_TYPE_SOFTWARE: EFFECTIVE_MODE_REBOOT, # cc package
FILE_TYPE_CFG: EFFECTIVE_MODE_REBOOT, # configuration file
FILE_TYPE_PAT: EFFECTIVE_MODE_NO_REBOOT, # patch
FILE_TYPE_MOD: EFFECTIVE_MODE_NO_REBOOT, # mod plug-in
FILE_TYPE_LIC: EFFECTIVE_MODE_NO_REBOOT, # license
FILE_TYPE_USER: EFFECTIVE_MODE_NO_NEED, # User-defined file
FILE_TYPE_FEATURE_PLUGIN: EFFECTIVE_MODE_NO_REBOOT # Feature package
}

# File name extension of the deployment file, which is used for file name verification
FILE_EXTENSION = {
FILE_TYPE_SOFTWARE: ('.cc', ),
FILE_TYPE_CFG: ('.cfg', '.zip', '.dat'),
FILE_TYPE_PAT: ('.pat', ),
FILE_TYPE_MOD: ('.mod', ),
FILE_TYPE_LIC: ('.xml', '.dat', '.zip'),
FILE_TYPE_FEATURE_PLUGIN : ('.ccx', ),
FILE_TYPE_USER: (None, )
}


FLASH_HOME_PATH = '{}'.format('/opt/vrpv8/home')
# Record the name of the startup information file.
STARTUP_INFO_FILE_NAME = 'ztp_startupInfo.txt'
# License list file used for batch license deployment.
LICENSE_LIST_FILE_NAME = 'ztp_license_list.xml'

SET_MASTER_FILE_NAME = 'ztp_master.txt'
# One hour
# One minute

# ZTP status
ZTP_STATUS_RUNNING = 'false'
ZTP_STATUS_END = 'true'

# Space clearance strategy


ZTP_SPACE_CLEAR_NO_NEED = '0' # Not cleared
ZTP_SPACE_CLEAR_NORMAL = '1' # Common clearance (Only the software package is deleted.)
ZTP_SPACE_CLEAR_DEEP = '2' # In-depth clearance

# List of downloaded files


ZTP_DOWNLOAD_FILE_LIST = []

# Script configuration information end
# ======================================================================================================================

# ======================================================================================================================
# User configuration information start

# Remote file paths:
# (1) The path may include the directory name and file name.
# (2) If no file name is specified, this procedure can be skipped.
# File information of the system software on the file server. The file name extension is '.cc'.
REMOTE_IMAGE = {
    'product-name': {
        'S6700': {
            'path': '/image/software_file_name.cc',
            'sha256': '',
        },
    },
    'esn': {},
    'mac': {}
}
# File information of the configuration file on the file server. The file name extension is '.cfg', '.zip', or '.dat'.
REMOTE_CONFIG = {
    'product-name': {},
    'esn': {
        'BARCODETEST20200620': {
            'path': '/config/conf_S6700.cfg',
            'sha256': '',
        },
    },
    'mac': {}
}
# File information of the patch file on the file server. The file name extension is '.pat'.
REMOTE_PATCH = {
    'product-name': {},
    'esn': {},
    'mac': {
        'xxxx-xxxx-xxxx': {
            'path': '/patch/S6700.pat',
            'effective_mode': EFFECTIVE_MODE_NO_REBOOT,
            'sha256': '',
        },
    }
}
# File information of the mod file on the file server. The file name extension is '.mod'.
REMOTE_MOD = {
    'product-name': {},
    'esn': {},
    'mac': {
        'xxxx-xxxx-xxxx': {
            'path': '/patch/S6700.MOD',
            'effective_mode': EFFECTIVE_MODE_NO_REBOOT,
            'sha256': '',
        },
    }
}

# File information of the license list file. The file name extension is '.xml'.
REMOTE_LICLIST = {
    'path': '/{}'.format(LICENSE_LIST_FILE_NAME),
    'sha256': 'a7638ea0a69933ac20df66ea9bf6ea301de8155684d81fbcdf00f6ca07261d7c',
}
# File information of the user file on the file server.
REMOTE_USER = {
    'product-name': {},
    'esn': {
        'BARCODETEST20200620': [
            {
                'path': '',
                'sha256': '',
            },
        ],
        'BARCODETEST20200000': [
            {
                'path': '/user/ztp_user.txt',
                'sha256': '',
            },
            {
                'path': '/user/ztp_user1.txt',
                'sha256': '',
            },
        ],
    },
    'mac': {}
}

# File server that stores the necessary system software, configuration and patch files.
# (1) Specify the file server that supports the following format.
#     sftp://[username[:password]@]hostname[:port]
# (2) Do not add a trailing slash at the end of the file server path.
FILE_SERVER = 'sftp://sftp_user:sftp_pwd@xx.xx.xx.xx'

# TIME_SN is a string consisting of the year, month, day, hour, minute, and second.
TIME_SN = '20200526120159'
# device info
SYSLOG_INFO = 'UDP'
SPACE_CLEAR = ZTP_SPACE_CLEAR_NO_NEED
ACTIVE_DELAYTIME = '60'
# ACTIVE_INTIME is a string consisting of hour and minute
ACTIVE_INTIME = None
# VRPVER indicates the software version
VRPVER = None
# DHCP_TYPE selects DHCPv4 or DHCPv6 for downloading files
DHCP_TYPE = 'DHCPv4'
# User configuration information end
# ======================================================================================================================
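Each REMOTE_* table above is keyed first by a device identity (product name, ESN or MAC) and every entry carries a path on FILE_SERVER plus a sha256 field. An empty sha256, as in most of the sample entries, means the downloaded file is activated without an integrity check, so whoever controls the file server, or the path between it and the switch, decides what image or configuration the device boots. The block below is an added example, not part of the Huawei script: it looks up the entry for a device, applies the extension rule from FILE_EXTENSION and verifies the sha256 of the downloaded bytes, reporting "unverified" rather than "ok" when no digest was pinned. The lookup order (esn, then mac, then product-name) and the case-insensitive extension match are assumptions made for the example; the page does not state how the script orders them.

```python
import hashlib
import os

FILE_TYPE_SOFTWARE = 'software'
FILE_TYPE_CFG = 'cfg'
FILE_TYPE_MOD = 'mod'
FILE_TYPE_USER = 'user'

# Accepted extensions per file type, mirroring the script's FILE_EXTENSION table.
FILE_EXTENSION = {
    FILE_TYPE_SOFTWARE: ('.cc', ),
    FILE_TYPE_CFG: ('.cfg', '.zip', '.dat'),
    FILE_TYPE_MOD: ('.mod', ),
    FILE_TYPE_USER: (None, ),
}

# Assumption for this example: the most specific identity wins.
IDENTITY_PRECEDENCE = ('esn', 'mac', 'product-name')

# Constructed sample data: a fake image payload and a table shaped like REMOTE_IMAGE,
# with one entry pinned to the payload's digest and one left unpinned.
SAMPLE_IMAGE = b'constructed stand-in for a .cc package'
SAMPLE_REMOTE_IMAGE = {
    'product-name': {
        'S6700': {'path': '/image/software_file_name.cc', 'sha256': ''},
    },
    'esn': {
        'BARCODETEST20200620': {
            'path': '/image/pinned.cc',
            'sha256': hashlib.sha256(SAMPLE_IMAGE).hexdigest(),
        },
    },
    'mac': {},
}


def select_entry(remote_table, identity):
    """Return (identity_kind, entry) for this device, or None if nothing matches.

    identity maps 'esn', 'mac' and 'product-name' to the device's own values.
    """
    for kind in IDENTITY_PRECEDENCE:
        value = identity.get(kind)
        candidates = remote_table.get(kind, {})
        if value is not None and value in candidates:
            return kind, candidates[value]
    return None


def check_extension(file_type, path):
    """Reject a file whose name does not carry an allowed extension for its type.
    (None,) means any name is accepted, as for user files. The lower() is the
    example's choice so that '/patch/S6700.MOD' passes the '.mod' rule."""
    allowed = FILE_EXTENSION.get(file_type, (None, ))
    if allowed == (None, ):
        return True
    return os.path.splitext(path)[1].lower() in allowed


def check_sha256(data, expected_hex):
    """Return (verified, digest). verified is None when no digest was pinned,
    so a missing check is never reported as a passed check."""
    digest = hashlib.sha256(data).hexdigest()
    if not expected_hex:
        return None, digest
    return digest == expected_hex.lower(), digest


def validate_download(file_type, entry, data):
    """Apply both checks to a downloaded file and classify the outcome."""
    path = entry.get('path', '')
    if not path:
        return 'skipped'          # no file name: the step is skipped
    if not check_extension(file_type, path):
        return 'bad-extension'
    verified, _ = check_sha256(data, entry.get('sha256', ''))
    if verified is None:
        return 'unverified'       # activate only if you accept an unchecked file
    return 'ok' if verified else 'sha256-mismatch'
```

In practice, treat "unverified" as a deployment error unless the file server and transport are trusted end to end; filling in the sha256 fields is the only integrity control this file format offers.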

Issue 02 (2023-11-15) Copyright © Huawei Technologies Co., Ltd. 206


CloudEngine S3700, S5700, and S6700 Series
Switches
Configuration Guide - Basic Configuration 6 ZTP Configuration

# 25 Author created file.
# ----------------------------------------------------------------------------------------------------------------------

# OPS objects
slog = ops.ops()
# Log file name
LOG_FILE = ''
# python file name
PYTHON_FILE = os.path.basename(__file__)

SYSTEM_FILE_INIT = 0
SYSTEM_FILE_SETTING_END = 1
system_file_state = SYSTEM_FILE_INIT

SYSTEM_STARUPINFO_INIT = 0
SYSTEM_STARUPINFO_END = 1
system_startupInfo_state = SYSTEM_STARUPINFO_INIT

system_reboot_needed = True

SFTP_DEFAULT_PORT = 22

HTTP_DEFAULT_PORT = 80

SET_SOFTWARE = 'SET_SOFTWARE'
SET_CFG = 'SET_CFG'
SET_PATCH = 'SET_PATCH'
SET_MOD_PATCH = 'SET_MOD_PATCH'
SET_FEATURE_PLUGIN = 'SET_FEATURE_PLUGIN'

TIMES_STARTUP_RETRY = 60
DELAY_INTERVAL_SET_INFO = 2

CLI_TYPE_YANG = 'YANG'

is_set_master = None
is_clear_master = False
master_exportcfg = None
flash_home_path_master = None
flash_home_path_slave = None
item_str = lambda key, value: f'<{key}>{value}</{key}>'

log_info_dict = {LOG_INFO_TYPE: logging.info,
                 LOG_WARN_TYPE: logging.warning,
                 LOG_ERROR_TYPE: logging.error}


class OPIExecError(Exception):
    """OPI executes error."""
    pass


class ZTPErr(Exception):
    """ZTP error."""
    pass


class ExecFileErr(Exception):
    """Execute file error."""
    pass


class ZTPAbort(Exception):
    """Abort ZTP automatically."""
    pass


class ZTPRollback(Exception):
    """ZTP startup info rollback."""
    pass

def ops_conn_operation(func):
    """Open an OPS connection for the wrapped function and always close it afterwards."""
    def wrapper(*args, **kwargs):
        ops_conn = ops.OPSConnection("localhost")
        kwargs.update({"ops_conn": ops_conn})
        try:
            ret = func(*args, **kwargs)
            return ret
        except OPIExecError as reason:
            raise OPIExecError(reason)
        except Exception as reason:
            exception_info = \
                "{} failed, reason = {}".format(func.__name__, reason)
            raise Exception(exception_info)
        finally:
            ops_conn.close()

    return wrapper

def print_ztp_log(ztp_info, log_type):
    """
    ZTP log printing mode: console port log printing and logging log printing
    """
    log_info_dict.get(log_type)(ztp_info)
    # log_level = log_type.upper()
    # slog.terminal.write(f"\n{log_level}:{ztp_info}", None, fgrd = True)

def cli_operation(func):
    """Open a YANG-mode CLI channel for the wrapped function and close it afterwards."""
    def wrapper(*args, **kwargs):
        ops_obj = ops.ops()
        ops_obj.set_model_type(CLI_TYPE_YANG)
        handle, result = ops_obj.cli.open()
        if handle is None or result != "Success":
            return ERR, result
        kwargs.update({"ops_obj": ops_obj})
        kwargs.update({"handle": handle})
        try:
            return func(*args, **kwargs)
        except Exception as reason:
            return ERR, str(reason)
        finally:
            ret, result = ops_obj.cli.close(handle)
            if ret != OK:
                logging.warning(f"Failed to close cli channel, handle = {handle}.")
    return wrapper

class cli():
    """ Command operations """

    @staticmethod
    @cli_operation
    def patch_delete_all(ops_obj=None, handle=None):
        ops_obj.cli.execute(handle, "return")
        choice = {"[Y/N]": "y"}
        ret, _, result = ops_obj.cli.execute(handle, f'patch delete all', choice)
        if ret is None:
            return ERR, result
        return OK, ret

    @staticmethod
    @cli_operation
    def reset_next_feature_plugin(file_path, ops_obj=None, handle=None):
        ops_obj.cli.execute(handle, "return")
        ret, _, result = ops_obj.cli.execute(handle, f'reset feature-software next-startup {file_path}')
        if ret is None:
            return ERR, result
        return OK, ret


def ops_return_result(ret):
    """True when the RESTCONF status code is not one of the success codes."""
    return ((ret != http.client.OK) and
            (ret != http.client.CREATED) and
            (ret != http.client.NO_CONTENT))


@ops_conn_operation
def file_exist_on_slave(file_path='', ops_conn=None):
    """Check whether a file exists through the file-operation YANG interface."""
    file_dir, file_name = os.path.split(file_path)
    file_dir = file_dir + "/"
    file_dir = file_dir.replace('/', '%2F')
    uri = '{}'.format(f'/restconf/data/huawei-file-operation:file-operation/dirs/dir={file_name},{file_dir}')
    req_data = None
    ret, _, rsp_data = ops_conn.get(uri, req_data)
    if ops_return_result(ret) or rsp_data == '':
        return False
    return True

@ops_conn_operation
def get_home_path(ops_conn=None):
    """ Get the full filename of the home directory """
    uri = '{}'.format('/restconf/data/huawei-file-operation:file-operation/disk-usages')
    req_data = None
    ret, _, rsp_data = ops_conn.get(uri, req_data)
    if ops_return_result(ret) or rsp_data == '':
        logging.error('Failed to get the current working directory.')
        raise OPIExecError('Failed to get the home directory.')

    root_elem = etree.fromstring(rsp_data)
    namespaces = {'file-operation': 'urn:huawei:yang:huawei-file-operation'}
    usb_dirs = []
    slave_dir_list = []
    master_dir = None
    for disk_usage in root_elem.findall('file-operation:disk-usage', namespaces):
        elem = disk_usage.find("file-operation:path", namespaces)
        if elem is None or elem.text is None:
            continue
        if elem.text.lower().find('usb') >= 0:
            usb_dirs.append(elem.text)
        else:
            if elem.text.lower().startswith('flash'):
                master_dir = elem.text
            else:
                slave_dir_list.append(elem.text)
    usb_dirs.sort(reverse=True)
    return master_dir, slave_dir_list, usb_dirs

@ops_conn_operation
def file_exist_on_master(file_path='', ops_conn=None):
    home_dir, _, _ = get_home_path()
    if home_dir is None:
        logging.error("Failed to get the home directory.")
        return False
    if file_path.startswith(home_dir):
        file_path_real = file_path
    else:
        file_path_real = os.path.join(home_dir, file_path)

    file_dir, file_name = os.path.split(file_path_real)
    if file_dir == home_dir:
        # Run the glob module to query the file in the root directory of the flash memory.
        file_path_real = file_path_real.replace(home_dir, FLASH_HOME_PATH, 1)
        file_list = glob.glob(file_path_real)
        return True if len(file_list) > 0 else False
    else:
        # Invoke the YANG interface if the file is not in the root directory of the flash memory.
        file_dir = file_dir + "/"
        file_dir = file_dir.replace('/', '%2F')
        uri = '{}'.format(f'/restconf/data/huawei-file-operation:file-operation/dirs/dir={file_name},{file_dir}')
        req_data = None
        ret, _, rsp_data = ops_conn.get(uri, req_data)
        if ops_return_result(ret) or rsp_data == '':
            return False
        return True

def file_exist(file_path=''):
    """ Check whether a file exists on the main control board. """
    if file_path is None or file_path == '':
        logging.warning("The path of file is none or ''.")
        return ERR

    if file_path.lower().startswith('flash'):
        return file_exist_on_master(file_path)
    else:
        return file_exist_on_slave(file_path)

@ops_conn_operation
def file_delete(file_path='', ops_conn=None):
    if file_path is None or file_path == '':
        logging.warning("The path of file is none or ''.")
        return ERR

    if not file_exist(file_path):  # file not exist
        return OK

    logging.info(f"Delete file '{file_path}' permanently...")
    uri = '{}'.format('/restconf/operations/huawei-file-operation:delete-file')
    req_template = string.Template('''
<input>
    <file-name>$filePath</file-name>
    <delete-type>$deleteType</delete-type>
</input>
''')
    req_data = req_template.substitute(filePath=file_path, deleteType="unreserved")
    ret, _, _ = ops_conn.create(uri, req_data)
    if ops_return_result(ret):
        logging.error('Failed to delete the file.')
        return ret

    logging.info("Delete the file successfully.")
    return OK

def file_delete_on_MPUs(file_path='', slave=0):
    if file_path:
        file_name = os.path.basename(file_path)
        home_path_master, home_path_slave, _ = get_home_path()
        ret = file_delete(file_path=os.path.join(home_path_master, file_name))
        if ret != OK:
            return ret
        if slave:  # If the standby main control board exists, delete files from it.
            for slave_path in home_path_slave:
                ret = file_delete(file_path=os.path.join(slave_path, file_name))
                if ret != OK:
                    return ret
    return OK


def del_list_file(files_list):
    """ Deleted all files in the specified file list. """
    for key in files_list.keys():
        for filename in files_list.get(key):
            file_delete(os.path.join(key, filename))


@ops_conn_operation
def copy_file(src_path='', dest_path='', ops_conn=None):
    """Copy a file.

    The value of src_path and dest_path can be in the format of filename,
    flash:/filename, and flash:/xxx/filename.
    """
    logging.info('Copy file {} to {}...'.format(src_path, dest_path))
    uri = '{}'.format('/restconf/operations/huawei-file-operation:copy-file')
    str_temp = string.Template('''\
<input>
    <src-file-name>$src</src-file-name>
    <des-file-name>$dest</des-file-name>
</input>
''')
    req_data = str_temp.substitute(src=src_path, dest=dest_path)
    ret, _, _ = ops_conn.create(uri, req_data)
    if ops_return_result(ret):
        logging.error('Copy file failed.')
        return ERR
    return OK

def get_file_list_cur(types=0):
    """List the file names in the root directory of the flash memory."""
    filelist = []
    fileNames = glob.glob(FLASH_HOME_PATH + r"/*.*")
    try:
        for fileName in fileNames:
            name = os.path.basename(fileName)
            filelist.append(name)
    except Exception as reason:
        logging.error("Failed to get file list! reason = {} ".format(reason))
        return filelist

    return filelist

@ops_conn_operation
def get_file_list(file_dir='', ops_conn=None):
    """Obtain the file list. """
    file_list = []
    home_dir, _, _ = get_home_path()
    if home_dir == file_dir:
        file_list = get_file_list_cur()
        return file_list

    if not file_dir.endswith('/'):
        file_dir = '{}{}'.format(file_dir, '%2F')
    file_dir = file_dir.replace('/', '%2F')

    uriTmp = '{}'.format('/restconf/data/huawei-file-operation:file-operation/dirs/dir=')
    uri = '{}{}{}'.format(uriTmp, ',', file_dir)
    req_data = None
    ret, _, rsp_data = ops_conn.get(uri, req_data)
    if ops_return_result(ret) or rsp_data == '':
        logging.error('Failed to get file list')
        return file_list

    rsp_data1 = rsp_data.replace('<?xml version="1.0" encoding="UTF-8"?>', '')
    rsp_data1 = rsp_data1.replace('xmlns="urn:huawei:yang:huawei-file-operation"', '')
    rsp_data = '{}{}{}'.format('<dirs>', rsp_data1, '</dirs>')

    root_elem = etree.fromstring(rsp_data)
    namespaces = {'file-operation': 'urn:huawei:yang:huawei-file-operation'}
    mpath = '{}'.format('dir')
    for file_tmp in root_elem.findall(mpath, namespaces):
        file_name = file_tmp.find("file-name", namespaces)
        elem = file_tmp.find("dir-name", namespaces)
        if elem is None or file_name is None:
            continue
        _, part2 = os.path.splitext(file_name.text)
        if part2 != '':
            file_list.append(file_name.text)
    return file_list

@ops_conn_operation
def get_file_size_form_dir(file_path='', file_dir='', ops_conn=None):
    """Return the size of a file in the directory under the home directory. """
    file_size = 0
    src_file_name = os.path.basename(file_path)
    uriTmp = '{}'.format('/restconf/data/huawei-file-operation:file-operation/dirs/dir=')
    uri = '{}{}{}{}'.format(uriTmp, src_file_name, ',', file_dir)
    req_data = None
    ret, _, rsp_data = ops_conn.get(uri, req_data)
    if ops_return_result(ret) or rsp_data == '':
        return file_size
    else:
        root_elem = etree.fromstring(rsp_data)
        namespaces = {'file-operation': 'urn:huawei:yang:huawei-file-operation'}
        uriTmp = '{}'.format('/size')
        uriTmp = uriTmp.replace('/', '/file-operation:')
        mpath = uriTmp[1:]
        elem = root_elem.find(mpath, namespaces)
        if elem is None:
            return file_size
        file_size = int(elem.text) / 1024
        return file_size

def get_file_size_cur(file_path=''):
    """Return the size (in KB) of a file in the root directory of the flash memory."""
    file_size = 0
    if file_path == '' or file_path is None:
        return file_size

    src_file_name = os.path.basename(file_path)
    fileName = '{}{}{}'.format(FLASH_HOME_PATH, '/', src_file_name)
    try:
        fileinfo = os.stat(fileName)
        file_size = int(fileinfo.st_size) / 1024
        return file_size
    except Exception as reason:
        print_ztp_log(f"Get file size failed. reason = {reason}", LOG_ERROR_TYPE)
        return file_size

def get_file_size(file_path=''):
    """Return the size of a file in the home directory."""
    if file_path == '' or file_path is None:
        return 0
    home_dir, _, _ = get_home_path()
    file_dir, _ = os.path.split(file_path)
    if home_dir == file_dir:
        return get_file_size_cur(file_path)

    cwd, file_name = os.path.split(file_path)
    file_dir = '{}{}'.format(cwd, '%2F')
    file_dir = file_dir.replace('/', '%2F')

    size = get_file_size_form_dir(file_path=file_name, file_dir=file_dir)

    return size

@ops_conn_operation
def _sftp_download_file(ops_conn=None, url='', local_path=''):
    """Download files using SFTP.

    Args:
        url: URL of a remote file, for example, sftp://sftp_user:sftp_pwd@xx.xx.xx.xx:port/test/vrpcfg.cfg
        local_path: The path must start with the root directory flash:, for example, flash:/vrpcfg.cfg or
            vrpcfg.cfg.
    """
    print_ztp_log(f'SFTP download {os.path.basename(url)} to {local_path}.', LOG_INFO_TYPE)
    uri = '{}'.format('/restconf/operations/huawei-sshc:ssh-transfer-file')
    str_temp = string.Template('''\
<input>
    <server-port>$serverPort</server-port>
    <host-addr-ipv4>$serverIp</host-addr-ipv4>
    <command-type>get</command-type>
    <user-name>$username</user-name>
    <password>$password</password>
    <local-file-name>$localPath</local-file-name>
    <remote-file-name>$remotePath</remote-file-name>
</input>
''')
    url_tuple = urlparse(url)
    if re.match(r"\d+\.\d+\.\d+\.\d+", url_tuple.hostname):
        server_ip = url_tuple.hostname
    else:
        server_ip = get_addr_by_hostname(host=url_tuple.hostname)
    global sftp_server
    sftp_server = server_ip
    if url_tuple.port is None:
        server_port = SFTP_DEFAULT_PORT
    else:
        server_port = url_tuple.port
    req_data = str_temp.substitute(serverIp=server_ip,
                                   serverPort=server_port,
                                   username=url_tuple.username,
                                   password=url_tuple.password,
                                   remotePath=url_tuple.path[1:],
                                   localPath=local_path)
    try:
        ret, _, _ = ops_conn.create(uri, req_data)
        if ops_return_result(ret):
            logging.error('Failed to download file "%s" using SFTP ret %s' %
                          (os.path.basename(local_path), ret))
            ret = ERR
        else:
            ret = OK
        return ret
    except Exception as reason:  # bind the exception so the log line below can use it
        print_ztp_log(f'Failed to download file {os.path.basename(local_path)} using SFTP. (reason={reason})',
                      LOG_ERROR_TYPE)
        return ERR

@ops_conn_operation
def _sftp_download_v6_file(ops_conn=None, url='', local_path=''):
    """Download files using SFTP over IPv6 (same request as _sftp_download_file, IPv6 address field)."""
    print_ztp_log(f'SFTP ipv6 download {os.path.basename(url)} to {local_path}.', LOG_INFO_TYPE)
    uri = '{}'.format('/restconf/operations/huawei-sshc:ssh-transfer-file')
    str_temp = string.Template('''\
<input>
    <server-port>$serverPort</server-port>
    <host-addr-ipv6>$serverIp</host-addr-ipv6>
    <command-type>get</command-type>
    <user-name>$username</user-name>
    <password>$password</password>
    <local-file-name>$localPath</local-file-name>
    <remote-file-name>$remotePath</remote-file-name>
</input>
''')
    url_tuple = urlparse(url)
    if check_addr(url_tuple.hostname) == 'DHCPv6':
        server_ip = url_tuple.hostname
    else:
        server_ip = get_ipv6_addr_by_hostname(host=url_tuple.hostname)
    global sftp_server
    sftp_server = server_ip
    if url_tuple.port is None:
        server_port = SFTP_DEFAULT_PORT
    else:
        server_port = url_tuple.port
    req_data = str_temp.substitute(serverIp=server_ip,
                                   serverPort=server_port,
                                   username=url_tuple.username,
                                   password=url_tuple.password,
                                   remotePath=url_tuple.path[1:],
                                   localPath=local_path)

    try:
        ret, _, _ = ops_conn.create(uri, req_data)
        if ops_return_result(ret):
            logging.error('Failed to download file "%s" using SFTP ret %s' %
                          (os.path.basename(local_path), ret))
            ret = ERR
        else:
            ret = OK
        return ret
    except Exception as reason:
        print_ztp_log(f'Failed to download file {os.path.basename(local_path)} using SFTP. (reason={reason})',
                      LOG_ERROR_TYPE)
        return ERR

@ops_conn_operation
def _http_download_file(ops_conn=None, url='', local_path=''):
    """Download files using HTTP.

    Args:
        url: URL of a remote file, for example, http://hostname[:port]/path
        local_path: The path must start with the root directory flash:, for example, flash:/vrpcfg.cfg or
            vrpcfg.cfg.
    """
    print_ztp_log(f'HTTP download {os.path.basename(url)} to {local_path}.', LOG_INFO_TYPE)
    uri = "{}".format('/restconf/operations/huawei-sztp:ztp-http-download')
    req_template = string.Template('''
<input>
    <fileurl>$file_url</fileurl>
    <filepath>$file_path</filepath>
</input>
''')

    file_dir, _, _ = get_home_path()
    local_path = '{}{}'.format(file_dir, '/')

    url_tuple = urlparse(url)
    if not re.match(r"\d+\.\d+\.\d+\.\d+", url_tuple.hostname):
        ip_address = get_addr_by_hostname(url_tuple.hostname)
        if url_tuple.port is None:
            url = f'{url_tuple.scheme}://{ip_address}:{HTTP_DEFAULT_PORT}{url_tuple.path}'
        else:
            url = f'{url_tuple.scheme}://{ip_address}:{url_tuple.port}{url_tuple.path}'
    req_data = req_template.safe_substitute(file_url=url, file_path=local_path)

    try:
        ret, _, _ = ops_conn.create(uri, req_data)
        if ops_return_result(ret):
            logging.error('Failed to download file "%s" using HTTP ret %s' %
                          (os.path.basename(local_path), ret))
            ret = ERR
        else:
            ret = OK
        return ret
    except Exception as reason:
        print_ztp_log(f'Failed to download file {os.path.basename(local_path)} using HTTP. (reason={reason})',
                      LOG_ERROR_TYPE)
        return ERR

def download_file(url, local_path, retry_times=0):
    """Download files using SFTP.
        sftp://[username[:password]@]hostname[:port]/path
    Download files using HTTP
        http://hostname[:port]/path
    Args:
        url: URL of remote file
        local_path: local path to put the file

    Returns:
        A integer of return code
    """
    url_tuple = urlparse(url)
    print_ztp_log(f"Download {url_tuple.path[1:]} to {local_path}...", LOG_INFO_TYPE)
    func_dict = {
        'sftp': _sftp_download_file,
        'http': _http_download_file,
    }
    scheme = url_tuple.scheme
    if scheme not in func_dict.keys():
        raise ZTPErr('Unknown file transfer scheme %s' % scheme)
    ret = OK
    cnt = 0
    while (cnt < 1 + retry_times):
        if cnt:
            print_ztp_log('Retry downloading...', LOG_INFO_TYPE)
        ret = func_dict[scheme](url=url, local_path=local_path)
        if ret == OK:  # compare by value, not identity
            break
        cnt += 1

    if ret != OK:
        logging.warning('Try to delete the file that failed to download')
        clean_download_temp_file(os.path.basename(url))
        raise ZTPErr('Failed to download file "%s"' % os.path.basename(url))

    return OK

def download_v6_file(url, local_path, retry_times=0):
    """Download a file through IPv6; only SFTP is supported here."""
    url_tuple = urlparse(url)
    print_ztp_log(f"Download {url_tuple.path[1:]} to {local_path} through IPv6...", LOG_INFO_TYPE)
    func_dict = {
        'sftp': _sftp_download_v6_file
    }
    scheme = url_tuple.scheme
    if scheme not in func_dict.keys():
        raise ZTPErr('Unknown file transfer scheme %s' % scheme)
    ret = OK
    cnt = 0
    while (cnt < 1 + retry_times):
        if cnt:
            print_ztp_log('Retry downloading...', LOG_INFO_TYPE)
        ret = func_dict[scheme](url=url, local_path=local_path)
        if ret == OK:  # compare by value, not identity
            break
        cnt += 1

    if ret != OK:
        logging.warning('Try to delete the file that failed to download')
        clean_download_temp_file(os.path.basename(url))
        raise ZTPErr('Failed to download file "%s"' % os.path.basename(url))

    return OK
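The download helpers above join FILE_SERVER with a table path, split the result with urlparse, fall back to port 22 when the URL carries none, strip the leading slash from the path before sending it in the RESTCONF request, and retry a failed transfer retry_times more times. Two things a practitioner should check here: the SFTP credentials travel inside the URL (and sit in clear text in FILE_SERVER), so a URL must never reach a log line unredacted, and the IPv4 test `\d+\.\d+\.\d+\.\d+` accepts strings such as 999.1.1.1 that are not addresses. The block below is an added example, not code from the Huawei script: it reproduces the URL split with a strict address check, renders a log-safe URL, and runs the same one-plus-retries loop over an injected transfer function. The helper names and the FlakyTransfer stand-in are the example's own.

```python
import ipaddress
from urllib.parse import urlparse, urlunparse

SFTP_DEFAULT_PORT = 22
HTTP_DEFAULT_PORT = 80
DEFAULT_PORTS = {'sftp': SFTP_DEFAULT_PORT, 'http': HTTP_DEFAULT_PORT}


def is_literal_ipv4(host):
    """Strict replacement for the script's \\d+\\.\\d+\\.\\d+\\.\\d+ regex."""
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return False


def split_download_url(file_server, remote_path):
    """Join FILE_SERVER and a table path the way the script does and return the
    fields its RESTCONF request needs. file_server carries no trailing slash and
    remote_path starts with '/', which is dropped (url_tuple.path[1:])."""
    if file_server.endswith('/') or not remote_path.startswith('/'):
        raise ValueError('file_server must not end with / and remote_path must start with /')
    parts = urlparse(file_server + remote_path)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError('Unknown file transfer scheme %s' % parts.scheme)
    return {
        'scheme': parts.scheme,
        'host': parts.hostname,
        'host_is_ipv4': is_literal_ipv4(parts.hostname or ''),
        'port': parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme],
        'username': parts.username,
        'password': parts.password,
        'remote_path': parts.path[1:],
    }


def redact_url(url):
    """Render a URL for logging with the password replaced by '***'."""
    parts = urlparse(url)
    if parts.password is None:
        return url
    host = parts.hostname or ''
    if ':' in host:                      # IPv6 literal must be re-bracketed
        host = '[%s]' % host
    netloc = '%s:***@%s' % (parts.username or '', host)
    if parts.port is not None:
        netloc += ':%d' % parts.port
    return urlunparse(parts._replace(netloc=netloc))


def download_with_retry(transfer, url, local_path, retry_times=0):
    """Mirror download_file's loop: one attempt plus retry_times retries.
    transfer(url, local_path) returns True on success. Returns (ok, attempts)."""
    attempts = 0
    while attempts < 1 + retry_times:
        attempts += 1
        if transfer(url, local_path):
            return True, attempts
    return False, attempts


class FlakyTransfer:
    """Constructed stand-in for the RESTCONF transfer call: fails `failures`
    times, then succeeds, and records what a log line should contain."""
    def __init__(self, failures):
        self.failures = failures
        self.calls = []

    def __call__(self, url, local_path):
        self.calls.append(redact_url(url))
        if self.failures > 0:
            self.failures -= 1
            return False
        return True
```

Whatever the retry count, the credential is the weak point: a password embedded in the ZTP script is readable by anyone who can fetch the script from the DHCP-advertised server, so restrict that SFTP account to read-only access to the deployment directory.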


class StartupInfo(object):
    """ Startup configuration information

    image: startup system software
    config: startup saved-configuration file
    patch: startup patch package
    feature_image: startup feature software
    mod_list: startup module list
    """

    def __init__(self, image=None, config=None, patch=None, mod_list=None, feature_plugin_list=None):
        # display startup
        self.image = image
        self.config = config
        self.patch = patch
        self.feature_plugin_list = feature_plugin_list
        # display module-information [next-startup]
        self.mod_list = mod_list

    def __eq__(self, obj):
        if not isinstance(obj, StartupInfo):
            return False

        if self.image != obj.image or self.config != obj.config or self.patch != obj.patch:
            return False

        if self.feature_plugin_list is not None:
            self.feature_plugin_list.sort()

        if obj.feature_plugin_list is not None:
            obj.feature_plugin_list.sort()

        if self.feature_plugin_list != obj.feature_plugin_list:
            return False

        if self.mod_list is not None:
            self.mod_list.sort()

        if obj.mod_list is not None:
            obj.mod_list.sort()

        if self.mod_list != obj.mod_list:
            return False

        return True

class Startup(object):
    """Startup configuration information

    current: current startup configuration
    next: current next startup configuration
    """
    def __init__(self):
        self.current, self.next = self.get_startup_info()
        self.is_need_clear_config = False
        self.exportcfg = None

    def set_exportcfg(self, export_value):
        logging.info('Import configuration file.')
        if export_value is not None:
            self.exportcfg = export_value

    def print_startup_info(self):
        def get_info_str(info):
            return str(info)

        print_info = "Startup information of the current device:\n"
        print_info += "{: <26}{: <68}{: <68}\n".format('item-name', 'configured', 'next-startup')
        print_info += "-" * 150
        print_info += "\n"
        print_info += "{: <26}{: <68}{: <68}\n".format('system software',
                                                       get_info_str(self.current.image), get_info_str(self.next.image))
        print_info += "{: <26}{: <68}{: <68}\n".format('saved-configurated file',
                                                       get_info_str(self.current.config), get_info_str(self.next.config))
        print_info += "{: <26}{: <68}{: <68}\n".format('patch package',
                                                       get_info_str(self.current.patch), get_info_str(self.next.patch))

        current_mod_info_len = len(self.current.mod_list)
        next_mod_info_len = len(self.next.mod_list)
        mod_info_len = max(current_mod_info_len, next_mod_info_len)
        if mod_info_len == 0:
            print_info += "{: <26}{: <68}{: <68}\n".format("module information", "None", "None")
        else:
            current_mod_info_print = [self.current.mod_list[i] if i < current_mod_info_len else ""
                                      for i in range(mod_info_len)]
            next_mod_info_print = [self.next.mod_list[i] if i < next_mod_info_len else ""
                                   for i in range(mod_info_len)]
            flag = True
            for i in range(mod_info_len):
                _item_name = "module information"
                if not flag:
                    _item_name = ""
                print_info += "{: <26}{: <68}{: <68}\n".format(_item_name, current_mod_info_print[i],
                                                               next_mod_info_print[i])
                flag = False

        current_feature_plugin_info_len = len(self.current.feature_plugin_list)
        next_feature_plugin_info_len = len(self.next.feature_plugin_list)
        feature_plugin_info_len = max(current_feature_plugin_info_len, next_feature_plugin_info_len)
        if feature_plugin_info_len == 0:
            print_info += "{: <26}{: <68}{: <68}\n".format("feature software", "None", "None")
        else:
            current_feature_plugin_info_print = [self.current.feature_plugin_list[i]
                                                 if i < current_feature_plugin_info_len else ""
                                                 for i in range(feature_plugin_info_len)]
            next_feature_plugin_info_print = [self.next.feature_plugin_list[i]
                                              if i < next_feature_plugin_info_len else ""
                                              for i in range(feature_plugin_info_len)]
            flag = True
            for i in range(feature_plugin_info_len):
                _item_name = "feature software"
                if not flag:
                    _item_name = ""
                print_info += "{: <26}{: <68}{: <68}\n".format(_item_name, current_feature_plugin_info_print[i],
                                                               next_feature_plugin_info_print[i])
                flag = False

        logging.info(print_info)

    @staticmethod
    def get_startup_info_by_type(file_type):
        def func_exception_retry_policy(sleep_interval, try_times, func, *argv):
            for _ in range(try_times):
                try:
                    return func(*argv)
                except OPIExecError as reason:
                    logging.warning(f"{reason}, retry...")
                    sleep(sleep_interval)
            raise OPIExecError(f"Failed to get startup {file_type} information for many times.")

        func_dict = {
            FILE_TYPE_CFG: Startup.get_cfg_info,
            FILE_TYPE_PAT: Startup.get_patch_info,
            FILE_TYPE_SOFTWARE: Startup.get_software_info,
            FILE_TYPE_MOD: Startup.get_mod_patch_info,
            FILE_TYPE_FEATURE_PLUGIN: Startup.get_feature_plugin_info
        }
        func = func_dict.get(file_type)
        if func is None:
            return None, None
        return func_exception_retry_policy(GET_STARTUP_INTERVAL, MAX_TIMES_GET_STARTUP, func)

    @staticmethod
    @ops_conn_operation
    def get_cfg_info(ops_conn=None):
        items = ['current-cfg-file', 'next-cfg-file']
        filtering_str = ';'.join(items)
        uri = "{}".format(f'/restconf/data?fields=/huawei-cfg:cfg/startup-infos/startup-info({filtering_str})')
        req_data = None
        ret, _, rsp_data = ops_conn.get(uri, req_data)
        if ops_return_result(ret) or rsp_data == '':
            raise OPIExecError('Failed to get the current config file information')

        node_dict = {}
        root_elem = etree.fromstring(rsp_data)
        namespaces = {'cfg': 'urn:huawei:yang:huawei-cfg'}
        elems = root_elem.find('cfg:cfg/cfg:startup-infos/cfg:startup-info', namespaces)
        if elems is None:
            return None, None

        nslen = len(namespaces.get('cfg'))
        for elem in elems:
            tag_name = elem.tag[nslen + 2:]  # strip the '{namespace}' wrapper
            if elem.text is None or elem.text == 'NULL':
                continue
            node_dict[tag_name] = elem.text

        current_cfg = node_dict.get('current-cfg-file')
        if current_cfg is not None:
            current_cfg = os.path.basename(current_cfg)

        next_cfg = node_dict.get('next-cfg-file')
        if next_cfg is not None:
            next_cfg = os.path.basename(next_cfg)

        return current_cfg, next_cfg
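get_cfg_info above fetches the startup-info node of the huawei-cfg model, iterates its children, strips the namespace wrapper with `elem.tag[nslen + 2:]` (ElementTree reports a tag as `{urn:huawei:yang:huawei-cfg}name`, so the slice is the namespace length plus the two braces), drops empty and 'NULL' values, and keeps only the basename of each path. The same pattern recurs in get_software_info and get_patch_info. The block below is an added example, not the script's code: it runs that parse over a constructed response so the 'NULL' and absent-node behaviour can be checked offline. The outer `<data>` wrapper of the sample is an assumption about the response shape implied by the `cfg:cfg/...` search path, not something the page shows.

```python
import os
import xml.etree.ElementTree as ET

CFG_NS = 'urn:huawei:yang:huawei-cfg'
STARTUP_PATH = 'cfg:cfg/cfg:startup-infos/cfg:startup-info'

# Constructed sample of a response body for
# /restconf/data?fields=/huawei-cfg:cfg/startup-infos/startup-info(current-cfg-file;next-cfg-file)
# The <data> wrapper is assumed; the device returns the current file and NULL for the next one.
SAMPLE_CFG_RESPONSE = '''<data>
  <cfg xmlns="urn:huawei:yang:huawei-cfg">
    <startup-infos>
      <startup-info>
        <position>5</position>
        <current-cfg-file>flash:/vrpcfg.zip</current-cfg-file>
        <next-cfg-file>NULL</next-cfg-file>
      </startup-info>
    </startup-infos>
  </cfg>
</data>
'''


def strip_ns(tag, ns):
    """Drop the '{ns}' wrapper ElementTree puts in front of a namespaced tag.
    Equivalent to the script's tag[len(ns) + 2:] but safe for un-namespaced tags."""
    prefix = '{%s}' % ns
    return tag[len(prefix):] if tag.startswith(prefix) else tag


def parse_startup_node(xml_text, ns, path, wanted):
    """Return {tag: basename(text)} for the wanted children of the first node at path.
    Absent, empty and 'NULL' values are skipped, as in get_cfg_info."""
    root = ET.fromstring(xml_text)
    node = root.find(path, {'cfg': ns})
    if node is None:
        return {}
    out = {}
    for elem in node:
        tag = strip_ns(elem.tag, ns)
        if tag not in wanted:
            continue
        text = (elem.text or '').strip()
        if text == '' or text == 'NULL':
            continue
        out[tag] = os.path.basename(text)
    return out


def get_cfg_info_from(xml_text):
    """Same return shape as Startup.get_cfg_info: (current_cfg, next_cfg)."""
    values = parse_startup_node(xml_text, CFG_NS, STARTUP_PATH,
                                ('current-cfg-file', 'next-cfg-file'))
    return values.get('current-cfg-file'), values.get('next-cfg-file')
```

Note that the script compares the raw text against 'NULL' without trimming; the example trims first, which also handles responses that pad the value with whitespace.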

    @staticmethod
    @ops_conn_operation
    def get_software_info(ops_conn=None):
        items = ['current-package', 'next-package']
        filtering_str = ';'.join(items)
        uri = "{}".format(f'/restconf/data?fields=/huawei-software:software/startup-packages/startup-package({filtering_str})')
        req_data = None
        ret, _, rsp_data = ops_conn.get(uri, req_data)
        if ret == http.client.NOT_FOUND:
            rsp_data = '<software xmlns="urn:huawei:yang:huawei-software"></software>'
        else:
            if ops_return_result(ret) or rsp_data == '':
                raise OPIExecError('Failed to get the startup software information')

        root_elem = etree.fromstring(rsp_data)
        namespaces = {'software': 'urn:huawei:yang:huawei-software'}
        elems = root_elem.find('software:software/software:startup-packages/software:startup-package',
                               namespaces)
        if elems is None:
            return None, None

        node_dict = {}
        nslen = len(namespaces.get('software'))
        for elem in elems:
            tag_name = elem.tag[nslen + 2:]
            if elem.text is None or elem.text == 'NULL':
                continue
            node_dict[tag_name] = elem.text

        cur_image = node_dict.get('current-package')
        if cur_image is not None:
            cur_image = os.path.basename(cur_image)

        next_image = node_dict.get('next-package')
        if next_image is not None:
            next_image = os.path.basename(next_image)

        return cur_image, next_image

    @staticmethod
    @ops_conn_operation
    def get_patch_info(ops_conn=None):
        items = ['patch-infos', 'next-startup-patchs']
        filtering_str = ';'.join(items)
        uri = "{}".format(f'/restconf/data?fields=/huawei-patch:patch({filtering_str})')
        req_data = None
        ret, _, rsp_data = ops_conn.get(uri, req_data)
        if ret == http.client.NOT_FOUND:
            return None, None

        if ops_return_result(ret) or rsp_data == '':
            raise OPIExecError('Failed to get the patch file information')

        root_elem = etree.fromstring(rsp_data)
        namespaces = {'patch': 'urn:huawei:yang:huawei-patch'}
        elems = root_elem.find('patch:patch/patch:patch-infos/patch:patch-info', namespaces)
        node_dict = {}
        cur_pat_file = None
        if elems is not None:
            nslen = len(namespaces.get('patch'))
            for elem in elems:
                tag_name = elem.tag[nslen + 2:]
                node_dict[tag_name] = elem.text

            cur_pat_file = node_dict.get("name")
            if cur_pat_file is not None:
                cur_pat_file = os.path.basename(cur_pat_file)

        elems = root_elem.find('patch:patch/patch:next-startup-patchs/patch:next-startup-patch', namespaces)
        if elems is None:
            return cur_pat_file, None

        node_dict = {}
        nslen = len(namespaces.get('patch'))
        for elem in elems:
            tag_name = elem.tag[nslen + 2:]
            node_dict[tag_name] = elem.text

        next_pat_file = node_dict.get("name")
        if next_pat_file is not None:
            next_pat_file = os.path.basename(next_pat_file)

        return cur_pat_file, next_pat_file

@staticmethod
@ops_conn_operation
def get_mod_patch_info(ops_conn=None):
items = ['module-infos', 'next-startup-modules']
filtering_str = ';'.join(items)
uri = "{}".format(f'/restconf/data?fields=/huawei-module-management:module-management({filtering_str})')
req_data = None
ret, _, rsp_data = ops_conn.get(uri, req_data)
if ret == http.client.NOT_FOUND:
return [], []

if ops_return_result(ret) or rsp_data == '':
raise OPIExecError('Failed to get the mod patch file information')

root_elem = etree.fromstring(rsp_data)
namespaces = {'module-management' : 'urn:huawei:yang:huawei-module-management'}
cur_mod_patch_files = []
node_path = 'module-management:module-management/module-management:module-infos/module-management:module-info'
elems = root_elem.findall(node_path, namespaces)
if elems is not None:
for elem in elems:
elem_text = elem.find('module-management:package-name', namespaces)
cur_mod_patch_files.append(elem_text.text)

next_mod_patch_files = []
node_path = 'module-management:module-management/module-management:next-startup-modules/module-management:next-startup-module'
elems = root_elem.findall(node_path, namespaces)
if elems is not None:
for elem in elems:
elem_text = elem.find('module-management:name', namespaces)
next_mod_patch_files.append(elem_text.text)

return cur_mod_patch_files, next_mod_patch_files

@staticmethod
@ops_conn_operation
def get_feature_plugin_info(ops_conn=None):
items = ['current-feature-packages', 'next-feature-packages']
filtering_str = ';'.join(items)
uri = "{}".format(f'/restconf/data?fields=/huawei-software:software/startup-packages/startup-package({filtering_str})')
req_data = None
ret, _, rsp_data = ops_conn.get(uri, req_data)
if ret == http.client.NOT_FOUND:
rsp_data = '<software xmlns="urn:huawei:yang:huawei-software"></software>'
else:
if ops_return_result(ret) or rsp_data == '':
raise OPIExecError('Failed to get the startup software information')

root_elem = etree.fromstring(rsp_data)
node_path = 'software:software/software:startup-packages/software:startup-package'
namespaces = {'software' : 'urn:huawei:yang:huawei-software'}
elems = root_elem.findall(node_path, namespaces)
if elems is None:
return [], []

cur_feature_files = []
next_feature_files = []
nlen = len(namespaces['software'])
for elem in elems:
for child in elem:
if child.tag[nlen + 2:] == 'current-feature-packages':
feature_plugin = os.path.basename(child.text)
cur_feature_files.append(feature_plugin)
elif child.tag[nlen + 2:] == 'next-feature-packages':
feature_plugin = os.path.basename(child.text)
next_feature_files.append(feature_plugin)
else:
pass
break
return cur_feature_files, next_feature_files

def get_startup_info(self):
"""Get the startup information."""
print_ztp_log("Start to get the startup information...", LOG_INFO_TYPE)
current = StartupInfo()
curnext = StartupInfo()

current.config, curnext.config = Startup.get_startup_info_by_type(FILE_TYPE_CFG)
current.patch, curnext.patch = Startup.get_startup_info_by_type(FILE_TYPE_PAT)
current.image, curnext.image = Startup.get_startup_info_by_type(FILE_TYPE_SOFTWARE)
current.feature_plugin_list, curnext.feature_plugin_list = Startup.get_startup_info_by_type(FILE_TYPE_FEATURE_PLUGIN)
current.mod_list, curnext.mod_list = Startup.get_startup_info_by_type(FILE_TYPE_MOD)

return current, curnext

@staticmethod
@ops_conn_operation
def set_mod_patch_file(file_path, ops_conn=None):
uri = '/restconf/operations/huawei-module-management:install-module'
req_template = string.Template('''
<input>
<name>$fileName</name>
</input>
''')
req_data = req_template.substitute(fileName=file_path)
ret, _, rsp_data = ops_conn.create(uri, req_data)
if ops_return_result(ret):
logging.error(f'set_mod_patch_file failed. (reason={rsp_data})')
raise OPIExecError('Failed to set the mod patch file')

def clean_next_config_file(self):
"""Clear the next startup configuration file when no configuration file is expected."""
if not self.is_need_clear_config:
return

_, nextcfg = self.get_startup_info_by_type(FILE_TYPE_CFG)
if nextcfg is not None:
self._del_startup_config_file()
sleep(5)

@ops_conn_operation
def set_next_mod_patch_file(self, file_path, ops_conn=None):
uri = '/restconf/operations/huawei-module-management:startup-module'
req_template = string.Template('''
<input>
<name>$fileName</name>
</input>
''')
req_data = req_template.substitute(fileName=file_path)
ret, _, rsp_data = ops_conn.create(uri, req_data)
if ops_return_result(ret):
logging.error(f'set_next_mod_patch_file failed. (reason={rsp_data})')
raise OPIExecError('Failed to set the next mod patch file')

@ops_conn_operation
def startup_next_feature_software(self, file_path, ops_conn=None):
""" Set next feature software file """
uri = '/restconf/operations/huawei-software:startup-feature-software'
req_template = string.Template('''
<input>
<feature-package-name>$fileName</feature-package-name>
</input>
''')
req_data = req_template.substitute(fileName=file_path)
ret, _, rsp_data = ops_conn.create(uri, req_data)
if ops_return_result(ret):
raise OPIExecError(f"Failed to set next feature plugin {rsp_data}.")

@ops_conn_operation
def unset_mod_patch_file(self, file_path, ops_conn=None):
uri = '/restconf/operations/huawei-module-management:uninstall-module'
req_template = string.Template('''
<input>
<action-type>single</action-type>
<name>$fileName</name>
</input>
''')
req_data = req_template.substitute(fileName=file_path)
ret, _, rsp_data = ops_conn.create(uri, req_data)
if ops_return_result(ret):
logging.error(f'unset_mod_patch_file failed. (reason={rsp_data})')
raise OPIExecError('Failed to unset the mod patch file')

@staticmethod
@ops_conn_operation
def set_feature_software(file_path, ops_conn=None):
uri = '/restconf/operations/huawei-software:install-feature-software'
req_template = string.Template('''
<input>
<name>$fileName</name>
</input>
''')
req_data = req_template.substitute(fileName=file_path)
ret, _, rsp_data = ops_conn.create(uri, req_data)
if ops_return_result(ret):
logging.error(f'Failed to set the feature software file. (reason={rsp_data})')
raise OPIExecError('Failed to set the feature software file')

@ops_conn_operation
def uninstall_feature_software(self, file_path, ops_conn=None):
""" Uninstall feature software file """
uri = '/restconf/operations/huawei-software:uninstall-feature-software'
req_template = string.Template('''
<input>
<name>$fileName</name>
</input>
''')
req_data = req_template.substitute(fileName=file_path)
ret, _, _ = ops_conn.create(uri, req_data)
if ops_return_result(ret):
return ERR
return OK

def unset_feature_file_list(self, file_list, slave):
for file in file_list:
logging.info("Unset the feature plugin file...")
ret = self.uninstall_feature_software(file)
if ret == ERR:
logging.error(f"Failed unset feature {file}.")
continue
file_delete_on_MPUs(file, slave)

def reset_next_feature_file_list(self, file_list, slave):
for file in file_list:
logging.info("Reset the next feature plugin file...")
ret, _ = cli.reset_next_feature_plugin(file)
if ret == ERR:
logging.error(f"Failed reset next feature {file}.")
continue
file_delete_on_MPUs(file, slave)

@ops_conn_operation
def _set_startup_image_file(self, file_path, ops_conn=None):
"""Set the next startup system software."""
logging.info("Set the next startup system software "
"to {}...".format(file_path))

uri = '/restconf/operations/huawei-software:startup-by-mode'
str_temp = string.Template('''\
<input>
<name>$fileName</name>
<mode>all</mode>
</input>
''')
req_data = str_temp.substitute(fileName=file_path)
ret, _, _ = ops_conn.create(uri, req_data)
if ops_return_result(ret):
slog.syslog("Set the next startup system software to {} failed."\
.format(file_path), ops.ERROR, ops.SYSLOG)
raise OPIExecError("Failed to set startup system software.")

slog.syslog("Set the next startup system software to {} successfully."
.format(file_path), ops.INFORMATIONAL, ops.SYSLOG)

@ops_conn_operation
def _set_startup_config_file(self, file_path, exportcfg=None, ops_conn=None):
"""Set the configuration file for the next startup."""
logging.info("Set the next startup saved-configuration file "
"to {}...".format(file_path))

uri = '/restconf/operations/huawei-cfg:set-startup'
req_data = ''
if exportcfg is not None:
exportcfg_change = ops.opscharacterEncode(exportcfg)
items = {'filename': file_path, 'shareable-mode': 'password', 'password': exportcfg_change}
else:
items = {'filename': file_path, 'shareable-mode': 'default'}

for key in items.keys():
req_data = '{}{}'.format(req_data, item_str(key, items[key]))

req_data = item_str('input', req_data)
ret, _, data = ops_conn.create(uri, req_data)
if ops_return_result(ret):
logging.error(f"Set the next startup saved-configuration file to {data} failed")
slog.syslog("Set the next startup saved-configuration file to {} failed."\
.format(file_path), ops.ERROR, ops.SYSLOG)
raise OPIExecError("Failed to set startup configuration file.")

slog.syslog("Set the next startup saved-configuration file to {} successfully."
.format(file_path), ops.INFORMATIONAL, ops.SYSLOG)

@ops_conn_operation
def _del_startup_config_file(self, ops_conn=None):
"""Clear the startup configuration file."""
logging.info("Delete the next startup config file...")

uri = '/restconf/operations/huawei-cfg:clear-startup'
req_data = '''
<input>
</input>
'''
ret, _, _ = ops_conn.create(uri, req_data)
if ops_return_result(ret):
raise OPIExecError("Failed to clear startup configuration file.")

@ops_conn_operation
def _set_startup_patch_file(self, file_path, ops_conn=None):
"""Set the next startup patch file."""
logging.info("Set the next startup patch file "
"to {}...".format(file_path))

uri = '/restconf/operations/huawei-patch:startup-next-patch'
str_temp = string.Template('''\
<input>
<name>$fileName</name>
</input>
''')
req_data = str_temp.substitute(fileName=file_path)
ret, _, _ = ops_conn.create(uri, req_data)
if ops_return_result(ret):
slog.syslog("Set the next startup patch file to {} failed."\
.format(file_path), ops.ERROR, ops.SYSLOG)
raise OPIExecError("Failed to set startup patch file.")

slog.syslog("Set the next startup patch file to {} successfully."
.format(file_path), ops.INFORMATIONAL, ops.SYSLOG)

def set_next_mod_patch_file_list(self, mod_patch_file, slave):
if mod_patch_file is None:
return

try:
self.set_next_mod_patch_file(mod_patch_file)
ret = self._check_set_startup_schedule(set_type=SET_MOD_PATCH, phase_item="startup-module",
retry_times=MAX_TIMES_GET_STARTUP)
if ret == ERR:
raise Exception("Set startup info {} failed".format(SET_MOD_PATCH))

if self.is_need_clear_config:
_, nextcfg = self.get_startup_info_by_type(FILE_TYPE_CFG)
if nextcfg is not None:
self._del_startup_config_file()
sleep(5)
except Exception as reason:
logging.error(reason)
self.reset_startup_info(slave)
file_delete(f'flash:/{mod_patch_file}')
file_delete(f'flash:/$_install_mod/{mod_patch_file}')
raise

def set_next_feature_plugin(self, file_name, slave):
if file_name is None:
return

try:
logging.info("Set the next feature plugin file...")
self.startup_next_feature_software(file_name)

self.clean_next_config_file()
except Exception as reason:
logging.error(reason)
self.reset_startup_info(slave)
raise

def reset_mod_patch_file_list(self, cur_mod_list, pre_next_mod_list, slave):
del_mod_file_list = []
for mod_file in cur_mod_list:
if mod_file not in pre_next_mod_list:
del_mod_file_list.append(mod_file)

for mod_patch_file in del_mod_file_list:
src_file_path = f'flash:/{mod_patch_file}'
dest_file_path = f'flash:/$_install_mod/{mod_patch_file}'
try:
self.unset_mod_patch_file(mod_patch_file)
ret = self._check_set_startup_schedule(set_type=SET_MOD_PATCH, phase_item="uninstall-module", retry_times=MAX_TIMES_GET_STARTUP)
if ret == ERR:
raise Exception("Unset startup info {} failed".format(SET_MOD_PATCH))

file_delete(src_file_path)
file_delete(dest_file_path)
except Exception as reason:
logging.error(reason)

if self.is_need_clear_config:
_, nextcfg = self.get_startup_info_by_type(FILE_TYPE_CFG)
if nextcfg is not None:
self._del_startup_config_file()
sleep(5)

def reset_feature_plugin_file(self, pre_cur_file_list, configured_cur_file_list, pre_next_file_list, configured_next_file_list, slave):
unset_file_list = [file for file in configured_cur_file_list if file not in pre_cur_file_list]
self.unset_feature_file_list(unset_file_list, slave)

reset_file_list = [file for file in configured_next_file_list if file not in pre_next_file_list and file not in configured_cur_file_list]
self.reset_next_feature_file_list(reset_file_list, slave)

self.clean_next_config_file()

def rollback_feature_plugin_file(self, cur_file_list, pre_file_list):
for file in cur_file_list:
if pre_file_list is not None and file in pre_file_list:
continue

logging.info(f"Reset the feature software file {file}...")
ret, rsp_data = cli.reset_next_feature_plugin(file)
if ret == ERR:
logging.error(f'Failed to reset the feature software file {rsp_data}')
sleep(5)

self.clean_next_config_file()

def rollback_mod_patch_file_list(self, cur_mod_list, pre_next_mod_list):
del_mod_file_list = []
for mod_file in cur_mod_list:
if pre_next_mod_list is not None and mod_file in pre_next_mod_list:
continue
del_mod_file_list.append(mod_file)

for mod_patch_file in del_mod_file_list:
try:
self.unset_mod_patch_file(mod_patch_file)
ret = self._check_set_startup_schedule(set_type=SET_MOD_PATCH, phase_item="uninstall-module", retry_times=MAX_TIMES_GET_STARTUP)
if ret == ERR:
logging.warning("Unset startup info {} failed".format(SET_MOD_PATCH))
except Exception as reason:
logging.error(reason)

if self.is_need_clear_config:
_, nextcfg = self.get_startup_info_by_type(FILE_TYPE_CFG)
if nextcfg is not None:
self._del_startup_config_file()
sleep(5)

@ops_conn_operation
def _reset_startup_patch_file(self, ops_conn=None):
"""Reset the patch file for system startup."""
logging.info("Reset the next startup patch file...")

uri = '/restconf/operations/huawei-patch:reset-startup-patch'
req_data = '''\
<input>
<delete-type>all</delete-type>
</input>
'''
ret, _, _ = ops_conn.create(uri, req_data)
if ops_return_result(ret):
raise OPIExecError('Failed to reset patch.')

def reset_startup_info(self, slave):
"""Reset startup info and delete the downloaded files"""
print_ztp_log("Reset the next startup information...", LOG_INFO_TYPE)
cur_startup_info, configured = self.get_startup_info()

self.is_need_clear_config = True
if self.next.config is not None:
self.is_need_clear_config = False

# 1. Reset next startup config file and delete it
try:
if configured.config != self.next.config:
if self.next.config is None:
self._del_startup_config_file()
sleep(15)
else:
self._set_startup_config_file(self.next.config)
ret = self._check_set_startup_info(set_type=SET_CFG, file_path=self.next.config,
retry_times=TIMES_STARTUP_RETRY)
if ret == ERR:
logging.warning("Set startup info {} failed".format(SET_CFG))

if configured.config is not None:
file_delete_on_MPUs(configured.config, slave)

except Exception as reason:
logging.error(reason)

# 2. Reset next startup patch file
try:
if cur_startup_info.patch != self.current.patch:
if self.current.patch is None:
cli.patch_delete_all()
else:
self.patch_active_proc(self.current.patch)
if self.is_need_clear_config:
_, nextcfg = self.get_startup_info_by_type(FILE_TYPE_CFG)
if nextcfg is not None:
self._del_startup_config_file()
sleep(5)
if cur_startup_info.patch is not None:
file_delete_on_MPUs(cur_startup_info.patch, slave)

if configured.patch != self.next.patch:
if self.next.patch is None:
self._reset_startup_patch_file()
ret = self._check_set_startup_schedule(set_type=SET_PATCH, phase_item="reset-startup-patch", retry_times=MAX_TIMES_GET_STARTUP)
if ret == ERR:
logging.warning("Reset startup info {} failed".format(SET_PATCH))
else:
self._set_startup_patch_file(self.next.patch)
ret = self._check_set_startup_schedule(set_type=SET_PATCH, phase_item="startup-next-patch",
retry_times=MAX_TIMES_GET_STARTUP)
if ret == ERR:
logging.warning("Set startup info {} failed".format(SET_PATCH))

if self.is_need_clear_config:
_, nextcfg = self.get_startup_info_by_type(FILE_TYPE_CFG)
if nextcfg is not None:
self._del_startup_config_file()
sleep(5)
if configured.patch is not None:
file_delete_on_MPUs(configured.patch, slave)

except Exception as reason:
logging.error(reason)

# 3. Reset next startup system software and delete it
try:
if configured.image != self.next.image:
self._set_startup_image_file(self.next.image)
ret = self._check_set_startup_info(set_type=SET_SOFTWARE, file_path=self.next.image,
retry_times=TIMES_STARTUP_RETRY)
if ret == ERR:
logging.warning("Set startup info {} failed".format(SET_SOFTWARE))
if self.is_need_clear_config:
_, nextcfg = self.get_startup_info_by_type(FILE_TYPE_CFG)
if nextcfg is not None:
self._del_startup_config_file()
sleep(5)
sleep(90)
file_delete_on_MPUs(configured.image, slave)
except Exception as reason:
logging.error(reason)

self.reset_mod_patch_file_list(configured.mod_list, self.next.mod_list, slave)

configured_cur_feature_list = cur_startup_info.feature_plugin_list
configured_next_feature_list = configured.feature_plugin_list
pre_cur_feature_list = self.current.feature_plugin_list
pre_next_feature_list = self.next.feature_plugin_list
self.reset_feature_plugin_file(pre_cur_feature_list, configured_cur_feature_list, pre_next_feature_list, configured_next_feature_list, slave)

def set_startup_info(self, image_file=None, config_file=None, patch_file=None, mod_file=None, feature_plugin=None, slave=0):
"""Set the next startup information."""
print_ztp_log("Set the next startup information...", LOG_INFO_TYPE)
self.is_need_clear_config = True
if self.next.config is not None:
self.is_need_clear_config = False

# 1. Set next startup system software
if image_file is not None:
try:
self._set_startup_image_file(image_file)
ret = self._check_set_startup_info(set_type=SET_SOFTWARE, file_path=image_file,
retry_times=TIMES_STARTUP_RETRY)
if ret == ERR:
raise Exception("Set startup info {} failed".format(SET_SOFTWARE))

if self.is_need_clear_config:
_, nextcfg = self.get_startup_info_by_type(FILE_TYPE_CFG)
if nextcfg is not None:
self._del_startup_config_file()
sleep(5)
except Exception as reason:
logging.error(reason)
file_delete_on_MPUs(image_file, slave)
self.reset_startup_info(slave)
raise

# 2. Set next startup patch file
if patch_file is not None:
try:
self._set_startup_patch_file(patch_file)
ret = self._check_set_startup_schedule(set_type=SET_PATCH, phase_item="startup-next-patch", retry_times=MAX_TIMES_GET_STARTUP)
if ret == ERR:
raise Exception("Set startup info {} failed".format(SET_PATCH))

if self.is_need_clear_config:
_, nextcfg = self.get_startup_info_by_type(FILE_TYPE_CFG)
if nextcfg is not None:
self._del_startup_config_file()
sleep(5)
except Exception as reason:
logging.error(reason)
file_delete_on_MPUs(patch_file, slave)
self.reset_startup_info(slave)
raise

# 3. Set mod patch and feature plugin
self.set_next_mod_patch_file_list(mod_file, slave)
self.set_next_feature_plugin(feature_plugin, slave)

# 4. Set next startup config file
if config_file is not None:
try:
self._set_startup_config_file(config_file, self.exportcfg)
ret = self._check_set_startup_info(set_type=SET_CFG, file_path=config_file,
retry_times=TIMES_STARTUP_RETRY)
if ret == ERR:
raise Exception("Set startup info {} failed".format(SET_CFG))
except Exception as reason:
logging.error(reason)
file_delete_on_MPUs(config_file, slave)
self.reset_startup_info(slave)
raise

def rollback_startup_info(self, image_file, config_file=None, patch_file=None, mod_file_list=None, feature_plugin_list=None):
"""Rollback startup information."""

print_ztp_log("Rollback startup information...", LOG_INFO_TYPE)
_, configured = self.get_startup_info()

self.is_need_clear_config = True
if config_file is not None:
self.is_need_clear_config = False
# 1. Reset next startup config file
try:
if configured.config != config_file:
if config_file is None:
self._del_startup_config_file()
sleep(15)
else:
self._set_startup_config_file(config_file)
ret = self._check_set_startup_info(set_type=SET_CFG, file_path=config_file,
retry_times=TIMES_STARTUP_RETRY)
if ret == ERR:
logging.warning("Set startup info {} failed".format(SET_CFG))
except Exception as reason:
logging.error(reason)

# 2. Reset next startup patch file
try:
if configured.patch != patch_file:
if patch_file is None:
self._reset_startup_patch_file()
ret = self._check_set_startup_schedule(set_type=SET_PATCH, phase_item="reset-startup-patch", retry_times=MAX_TIMES_GET_STARTUP)
if ret == ERR:
logging.warning("Reset startup info {} failed".format(SET_PATCH))
else:
self._set_startup_patch_file(patch_file)
ret = self._check_set_startup_schedule(set_type=SET_PATCH, phase_item="startup-next-patch",
retry_times=MAX_TIMES_GET_STARTUP)
if ret == ERR:
logging.warning("Set startup info {} failed".format(SET_PATCH))

if self.is_need_clear_config:
_, nextcfg = self.get_startup_info_by_type(FILE_TYPE_CFG)
if nextcfg is not None:
self._del_startup_config_file()
sleep(5)
except Exception as reason:
logging.error(reason)

# 3. Reset the next startup system software
try:
if configured.image != image_file:
self._set_startup_image_file(image_file)
ret = self._check_set_startup_info(set_type=SET_SOFTWARE, file_path=image_file,
retry_times=TIMES_STARTUP_RETRY)
if ret == ERR:
logging.warning("Set startup info {} failed".format(SET_SOFTWARE))
sleep(90)

if self.is_need_clear_config:
_, nextcfg = self.get_startup_info_by_type(FILE_TYPE_CFG)
if nextcfg is not None:
self._del_startup_config_file()
sleep(5)
except Exception as reason:
logging.error(reason)

# 4. Reset next startup system mod patch and feature plugins
self.rollback_mod_patch_file_list(configured.mod_list, mod_file_list)
self.rollback_feature_plugin_file(configured.feature_plugin_list, feature_plugin_list)

@ops_conn_operation
def _get_set_next_software_status(self, file_path, ops_conn=None):
"""Get the next software information."""
print_ztp_log("Get the next startup software information...", LOG_INFO_TYPE)
items = ['next-package']
filtering_str = ';'.join(items)
uri = "{}".format(f'/restconf/data?fields=/huawei-software:software/startup-packages/startup-package({filtering_str})')
req_data = None
ret, _, rsp_data = ops_conn.get(uri, req_data)
if ops_return_result(ret) or rsp_data == '':
logging.warning('Failed to get the startup information')
return ERR

root_elem = etree.fromstring(rsp_data)
namespaces = {'software': 'urn:huawei:yang:huawei-software'}
elems = root_elem.find('software:software/software:startup-packages/software:startup-package', namespaces)
if elems is None:
return ERR

node_dict = {}
nslen = len(namespaces.get('software'))
for elem in elems:
tag_name = elem.tag[nslen + 2:]
if elem.text is None or elem.text == 'NULL': # skip empty or placeholder leaf values
continue
node_dict[tag_name] = elem.text

next_image = node_dict.get('next-package')
if next_image is not None:
next_image = os.path.basename(next_image)

file_name = os.path.basename(file_path)
return OK if file_name == next_image else ERR

@ops_conn_operation
def _get_set_next_cfg_status(self, file_path, ops_conn=None):
"""Get the next cfg file information."""
print_ztp_log("Get the next cfg file information...", LOG_INFO_TYPE)
file_name = os.path.basename(file_path)
uri = '/restconf/data?fields=/huawei-cfg:cfg/startup-infos/startup-info(next-cfg-file)'
req_data = None

ret, _, rsp_data = ops_conn.get(uri, req_data)
if ops_return_result(ret) or rsp_data == '':
logging.warning('Failed to get the next cfg file information')
return ERR

root_elem = etree.fromstring(rsp_data)
namespaces = {'data': 'urn:ietf:params:xml:ns:yang:ietf-restconf', 'cfg': 'urn:huawei:yang:huawei-cfg'}
uriTmp = '{}'.format('/cfg/startup-infos/startup-info')
uriTmp = uriTmp.replace('/', '/cfg:')
mpath = uriTmp[1:]
for info in root_elem.findall(mpath, namespaces):
elem_name = info.find("cfg:next-cfg-file", namespaces)
if elem_name is None:
return ERR
cfg_file_name = os.path.basename(elem_name.text)
if cfg_file_name != file_name:
return ERR

return OK

def _get_set_next_feature_image_status(self, file_path):
_, next_feature_image = Startup.get_feature_plugin_info()
return ERR if file_path != next_feature_image else OK

def _check_set_startup_info(self, set_type, file_path, retry_times=10):
print_ztp_log(f"Now checking {set_type} is complete or not...", LOG_INFO_TYPE)
func_dict = {
SET_SOFTWARE: self._get_set_next_software_status,
SET_CFG: self._get_set_next_cfg_status,
SET_FEATURE_PLUGIN: self._get_set_next_feature_image_status
}

if set_type not in func_dict.keys():
logging.warning('Unknown check startup type')
return ERR
ret = OK
cnt = 0
while cnt < retry_times:
ret = func_dict[set_type](file_path=file_path)
if ret == ERR:
cnt += 1
logging.info("Now system is {}, please wait...".format(set_type))
sleep(DELAY_INTERVAL_SET_INFO) # sleep to wait for system ready
continue
else:
sleep(10) # Wait for a period of time when the next startup item is as expected.
break
return ret

@ops_conn_operation
def _get_patch_progress(self, phase_item, ops_conn=None):
"""Get the patch operation schedule for the given phase."""
uri = f'/restconf/data?fields=/huawei-patch:patch/operation-schedules(operation-schedule)'
req_data = None
ret, _, rsp_data = ops_conn.get(uri, req_data)
schedule_dict = {}
if ops_return_result(ret) or rsp_data == '':
logging.warning('Failed to get the next patch operation schedule')
return schedule_dict

namespaces = {'patch': 'urn:huawei:yang:huawei-patch'}
node_path = "patch:patch/patch:operation-schedules/patch:operation-schedule"
root_elem = etree.fromstring(rsp_data)
elems = root_elem.findall(node_path, namespaces)
if elems is None:
return schedule_dict

for elem in elems:
phase_node = elem.find('patch:phase', namespaces)
if phase_node is not None and phase_node.text == phase_item:
status_node = elem.find('patch:status', namespaces)
if status_node is not None:
schedule_dict['status'] = status_node.text
schedule_node = elem.find('patch:schedule', namespaces)
if schedule_node is not None:
schedule_dict['schedule'] = schedule_node.text
break
return schedule_dict

@ops_conn_operation
def _get_mod_patch_progress(self, phase_item, ops_conn=None):
"""Get the mod patch operation schedule for the given phase."""
uri = '/restconf/data?fields=/huawei-module-management:module-management/operation-schedules(operation-schedule)'
req_data = None
ret, _, rsp_data = ops_conn.get(uri, req_data)
schedule_dict = {}
if ops_return_result(ret) or rsp_data == '':
logging.warning('Failed to get the next mod patch operation schedule')
return schedule_dict

namespaces = {'module-management': 'urn:huawei:yang:huawei-module-management'}
node_path = "module-management:module-management/module-management:operation-schedules/module-management:operation-schedule"
root_elem = etree.fromstring(rsp_data)
elems = root_elem.findall(node_path, namespaces)
if elems is None:
return schedule_dict

for elem in elems:
phase_node = elem.find('module-management:phase', namespaces)
if phase_node is not None and phase_node.text == phase_item:
status_node = elem.find('module-management:status', namespaces)
if status_node is not None:
schedule_dict['status'] = status_node.text
schedule_node = elem.find('module-management:schedule', namespaces)
if schedule_node is not None:
schedule_dict['schedule'] = schedule_node.text
break
return schedule_dict

def _check_set_startup_schedule(self, set_type, phase_item, retry_times=10):
print_ztp_log(f"Now checking {set_type} is complete or not...", LOG_INFO_TYPE)
func_dict = {
SET_PATCH: self._get_patch_progress,
SET_MOD_PATCH: self._get_mod_patch_progress
}

if set_type not in func_dict.keys():
logging.warning('Unknown check startup type')
return ERR

ret = ERR
cnt = 0
while cnt < retry_times:
schedule_dict = func_dict[set_type](phase_item=phase_item)
status = schedule_dict.get('status')
schedule = schedule_dict.get('schedule')
print_ztp_log(f"Now schedule is {schedule}, status is {status}...", LOG_INFO_TYPE)
if schedule == "100" and status == "successful":
ret = OK
break
elif schedule == "100" and status == "failed":
break
else:
cnt += 1
sleep(10)
sleep(10)
return ret

@ops_conn_operation
def patch_active_proc(self, patch_name='', ops_conn=None):
"""patch active"""

if patch_name is None:
return OK

curpat, _ = self.get_startup_info_by_type(FILE_TYPE_PAT)
if curpat is not None:
cli.patch_delete_all()

uri = '/restconf/operations/huawei-patch:load-patch'
req_template = string.Template('''
<input>
<name>$patchName</name>
<load-type>run</load-type>
</input>
''')
req_data = req_template.substitute(patchName=patch_name)
ret, _, _ = ops_conn.create(uri, req_data)
if ops_return_result(ret):
raise OPIExecError('Failed to execute the patch active operation.')

ret = self._check_set_startup_schedule(set_type=SET_PATCH, phase_item="load-patch", retry_times=MAX_TIMES_GET_STARTUP)
return ret

@ops_conn_operation
def mod_patch_active_proc(self, module_name='', ops_conn=None):
"""MOD active"""
if module_name is None:
return OK

uri = '/restconf/operations/huawei-module-management:install-module'
req_template = string.Template('''
<input>
<name>$fileName</name>
</input>
''')
req_data = req_template.substitute(fileName=module_name)
ret, _, _ = ops_conn.create(uri, req_data)
if ops_return_result(ret):
raise OPIExecError('Failed to execute the mod active operation.')

ret = self._check_set_startup_schedule(set_type=SET_MOD_PATCH, phase_item="install-module", retry_times=MAX_TIMES_GET_STARTUP)
return ret

@ops_conn_operation
def feature_plugin_active_proc(self, feature_name='', ops_conn=None):
"""feature plugin active"""
if feature_name is None:
return OK

uri = '/restconf/operations/huawei-software:install-feature-software'
req_template = string.Template('''
<input>
<name>$fileName</name>
</input>
''')
req_data = req_template.substitute(fileName=feature_name)
ret, _, _ = ops_conn.create(uri, req_data)
if ops_return_result(ret):
raise OPIExecError('Failed to execute the feature plugin active operation.')
sleep(30)
return ret

@ops_conn_operation
def license_active_proc(self, license_name='', ops_conn=None):
"""license active"""
if license_name is None:
return OK

Issue 02 (2023-11-15) Copyright © Huawei Technologies Co., Ltd. 232


CloudEngine S3700, S5700, and S6700 Series
Switches
Configuration Guide - Basic Configuration 6 ZTP Configuration

uri = '/restconf/operations/huawei-license:license-active'
req_template = string.Template('''
<input>
<filename>$licenseName</filename>
</input>
''')
req_data = req_template.substitute(licenseName=license_name)
ret, _, _ = ops_conn.create(uri, req_data)
if ops_return_result(ret):
raise OPIExecError('Failed to execute the license active operation.')
sleep(120) # license sleep 120s
return ret

def file_effective_proc(self, file_info_list, file_name_dict):


"""Effect file"""
print_ztp_log("Activation will be performed.", LOG_INFO_TYPE)
active_startup_func_dict = {
FILE_TYPE_PAT : self.patch_active_proc,
FILE_TYPE_MOD : self.mod_patch_active_proc,
FILE_TYPE_LIC : self.license_active_proc,
FILE_TYPE_FEATURE_PLUGIN : self.feature_plugin_active_proc
}

for file_info in file_info_list:


effective_mode = file_info.get('*EFFECTIVE_MODE')
if effective_mode != EFFECTIVE_MODE_NO_REBOOT:
continue

file_type = file_info.get('*TYPE').lower()
func = active_startup_func_dict.get(file_type)
if func is None:
continue

logging.info(f"{file_type} active...")
ret = func(file_name_dict.get(file_type))
if ret == ERR:
raise ZTPErr(f"Active {file_type} file failed")

def check_filename_length(filename, filetype):
    """File name length check

    Input parameters: filename, filetype
    Return value: OK/ERR
    Function usage: Check whether the name of the downloaded file exceeds the maximum length allowed
    by the system. If so, an error is returned and the file is not downloaded.
    """
    file_name = os.path.basename(filename)
    if filetype == FILE_TYPE_SOFTWARE:
        if len(file_name) > FELMNAMME_127 or len(file_name) < FELMNAMME_4:
            logging.error('%s too long or too short, please check!', file_name)
            return ERR
        return OK
    elif filetype == FILE_TYPE_CFG:
        if len(file_name) > FELMNAMME_64 or len(file_name) < FELMNAMME_5:
            logging.error('%s too long or too short, please check!', file_name)
            return ERR
        return OK
    elif filetype == FILE_TYPE_PAT:
        if len(file_name) > (FELMNAMME_64 - 1) or len(file_name) < FELMNAMME_5:
            logging.error('%s too long or too short, please check!', file_name)
            return ERR
        return OK
    elif filetype == FILE_TYPE_MOD:
        if len(file_name) > (FELMNAMME_64 - 1) or len(file_name) < FELMNAMME_5:
            logging.error('%s too long or too short, please check!', file_name)
            return ERR
        return OK
    elif filetype == FILE_TYPE_FEATURE_PLUGIN:
        if len(file_name) > FELMNAMME_127 or len(file_name) < FELMNAMME_4:
            logging.error('%s too long or too short, please check!', file_name)
            return ERR
        return OK
    elif filetype == FILE_TYPE_LIC:
        if len(file_name) > FELMNAMME_127 or len(file_name) < FELMNAMME_5:
            logging.error('%s too long or too short, please check!', file_name)
            return ERR
        return OK
    else:
        if len(file_name) > FELMNAMME_64 or len(file_name) < 3:
            logging.error('%s too long or too short, please check!', file_name)
            return ERR
        return OK

@ops_conn_operation
def get_disk_free_size(path='', ops_conn=None):
    """return list of disk free size, types = 0: main, types = 1: slave"""
    uri = '{}'.format('/restconf/data/huawei-file-operation:file-operation/disk-usages')
    disk_info = 0
    req_data = None
    ret, _, rsp_data = ops_conn.get(uri, req_data)
    if ops_return_result(ret) or rsp_data == '':
        logging.error('Failed to get disk free size')
        return disk_info

    root_elem = etree.fromstring(rsp_data)
    namespaces = {'file-operation': 'urn:huawei:yang:huawei-file-operation'}
    for disk_usage in root_elem.findall("file-operation:disk-usage", namespaces):
        elem = disk_usage.find("file-operation:path", namespaces)  # Path of the file system partition
        if elem is None or elem.text is None:
            continue

        if not elem.text.lower().startswith(path):
            continue

        elem = disk_usage.find("file-operation:free-size", namespaces)
        if elem is not None:
            disk_info = int(elem.text)
        return disk_info

    return disk_info

@ops_conn_operation
def del_recycle_bin(ops_conn=None):
    """Delete files from the recycle bin."""
    uri = '{}'.format('/restconf/operations/huawei-file-operation:reset-recycle-bin')
    req_data = '''\
<input>
  <reset-type>all</reset-type>
</input>
'''
    ret, _, _ = ops_conn.create(uri, req_data)
    if ops_return_result(ret):
        logging.error('Delete recycle bin failed.')
        return ERR
    return OK

def space_enough(masterspace, slavespace, filespace, slave):
    if int(filespace) < int(masterspace):
        if slave:
            if int(filespace) < int(slavespace):
                return OK
            else:
                return ERR
        return OK
    else:
        return ERR

def get_space_mode_str(space_clear):
    check_print = 'undefined'
    if space_clear in ['0', None]:
        check_print = 'no cleanup'
    elif space_clear == '1':
        check_print = 'normal cleanup'
    elif space_clear == '2':
        check_print = 'deep cleanup'
    return check_print

def check_devices_space(devices_res_space, need_space):
    for key in devices_res_space.keys():
        if need_space > devices_res_space.get(key):
            return ERR
    return OK

def check_if_space_enough(master_path, cc_image, all_devices_paths):
    current_image_size = get_file_size(file_path=(os.path.join(master_path, cc_image)))
    # Required space
    need_space = 40000 + current_image_size
    # Obtain the available space of the master and slave MPUs.
    devices_res_space = get_residual_space(all_devices_paths)
    ret = check_devices_space(devices_res_space, need_space)
    return ret, need_space

def get_residual_space(all_devices_paths=[]):
    """Obtain the available space of the master and slave MPUs."""
    devices_space = {}
    if len(all_devices_paths) == 0:
        return devices_space
    for path in all_devices_paths:
        path_space = get_disk_free_size(path)
        devices_space.update({path : path_space})

    return devices_space

def get_mpus_files_list(all_devices_paths):
    print_ztp_log("Get all file list.", LOG_INFO_TYPE)
    devices_files = {}
    for path in all_devices_paths:
        device_path_list = get_file_list(path)
        devices_files.update({path : device_path_list})

    return devices_files

def get_devices_images_files(files_list, cc_image):
    """Obtain the system software packages on the master and slave MPUs."""
    print_ztp_log("Obtain the list of system software packages.", LOG_INFO_TYPE)
    images_files_list = {}
    files_removes_device_images = {}
    for key in files_list.keys():
        files_removes_images = []
        images_in_devices = []
        for filename in files_list.get(key):
            if os.path.splitext(filename)[-1] in ['.cc', '.CC'] and filename != os.path.basename(cc_image):
                images_in_devices.append(filename)
            if filename != os.path.basename(cc_image):
                files_removes_images.append(filename)
        images_files_list.update({key:images_in_devices})
        files_removes_device_images.update({key:files_removes_images})

    return files_removes_device_images, images_files_list

def get_space_of_files_list(files_list):
    all_files_space = {}
    space_temp = 0
    for key in files_list.keys():
        for filename in files_list.get(key):
            space_temp = space_temp + get_file_size(os.path.join(key, filename))
        all_files_space.update({key:space_temp})
        space_temp = 0
    return all_files_space

def check_space(startup_info, cc_image):
    master_path, slave_paths, _ = get_home_path()
    all_devices_paths = slave_paths
    all_devices_paths.append(master_path)
    space_clear_strategy = startup_info['SPACE_CLEAR']
    ret, need_space = check_if_space_enough(master_path, cc_image, all_devices_paths)
    if ret == OK:
        print_ztp_log("The space enough, continue ztp...", LOG_INFO_TYPE)
        return OK

    if space_clear_strategy not in [ZTP_SPACE_CLEAR_NO_NEED, ZTP_SPACE_CLEAR_NORMAL,
                                    ZTP_SPACE_CLEAR_DEEP]:
        print_ztp_log("Invalid space clear strategy.", LOG_WARN_TYPE)
        return ERR

    print_ztp_log(f"The space clear strategy is {get_space_mode_str(space_clear_strategy)}.",
                  LOG_INFO_TYPE)
    if space_clear_strategy == ZTP_SPACE_CLEAR_NO_NEED:
        print_ztp_log("The current space is insufficient and no clearing policy is "
                      "configured to exit the ZTP process.", LOG_ERROR_TYPE)
        return ERR

    # Clear the recycle bin.
    del_recycle_bin()

    devices_res_space = get_residual_space(all_devices_paths)
    ret = check_devices_space(devices_res_space, need_space)
    if ret == OK:
        print_ztp_log("Empty recycle bin, the space enough and continue ztp...", LOG_INFO_TYPE)
        return OK

    devices_files_list = get_mpus_files_list(all_devices_paths)
    files_removes_device_images, devices_images_list = get_devices_images_files(devices_files_list, cc_image)
    all_files_list_space = get_space_of_files_list(files_removes_device_images)
    all_images_list_space = get_space_of_files_list(devices_images_list)
    space_not_enough_path = []
    space_enough_del = []

    for image_path in all_images_list_space.keys():
        if (all_images_list_space.get(image_path) + devices_res_space.get(image_path) < need_space):
            space_not_enough_path.append(image_path)
        else:
            space_enough_del.append(image_path)

    need_del_all_file = {}
    need_del_images_file = {}
    if len(space_not_enough_path) == 0:
        del_list_file(devices_images_list)
        print_ztp_log("Delete the system software packages on the master, continue the ZTP process.",
                      LOG_INFO_TYPE)
        ret, _ = check_if_space_enough(master_path, cc_image, all_devices_paths)
        if ret == ERR:
            for path in space_enough_del:
                need_del_all_file.update({path : files_removes_device_images.get(path)})
            del_list_file(need_del_all_file)
    elif len(space_not_enough_path) != 0 and space_clear_strategy == ZTP_SPACE_CLEAR_NORMAL:
        print_ztp_log(f"The space of the following {space_not_enough_path} devices is insufficient.",
                      LOG_ERROR_TYPE)
        return ERR
    else:
        for path in space_not_enough_path:
            if all_files_list_space.get(path) + devices_res_space.get(path) < need_space:
                print_ztp_log(f"The space of the following {path} devices is insufficient.", LOG_ERROR_TYPE)
                return ERR
            need_del_all_file.update({path : files_removes_device_images.get(path)})

        for path in space_enough_del:
            need_del_images_file.update({path : devices_images_list.get(path)})

        del_list_file(need_del_all_file)
        del_list_file(need_del_images_file)
        print_ztp_log("Delete files on master and standby, continue the ZTP process.", LOG_INFO_TYPE)

    # If some files fail to be deleted, check the space after the delete operation.
    ret, _ = check_if_space_enough(master_path, cc_image, all_devices_paths)
    if ret == ERR:
        logging.error('Try to clean file failed, the space is still not enough.')
    return ret

def check_file_sha256(path, file_sha256):
    """SHA256 verification on files"""
    # No SHA256 configured for this file: verification is skipped and the
    # downloaded file is accepted without an integrity check.
    if file_sha256 is None:
        return OK

    # Calculate the SHA256 value of the file.
    ret, calc_sha256 = sha256_calc(path, False)
    if ret != OK or calc_sha256 != file_sha256:
        return ERR
    return OK

def download_xml(lic_list_file_path, lic_list_file_sha256, startup_info):
    """Download the XML file to be parsed for license-based batch deployment."""
    local_path_file = None
    lic_list_file_name = os.path.basename(lic_list_file_path)
    if lic_list_file_name is not None:
        url = os.path.join(startup_info['*FILESERVER'], lic_list_file_path)
        local_path_file = lic_list_file_name
        logging.info('Download "{}" for get license.'.format(lic_list_file_name))
        file_delete(file_path=local_path_file)
        ret = check_filename_length(url, FILE_TYPE_LIC)
        if ret != OK:
            raise ZTPErr("The file length is incorrect.")
        if DHCP_TYPE == 'DHCPv4':
            ret = download_file(url, local_path_file, MAX_TIMES_RETRY_DOWNLOAD)
        else:
            ret = download_v6_file(url, local_path_file, MAX_TIMES_RETRY_DOWNLOAD)
        if ret == ERR or not file_exist(file_path=os.path.basename(url)):
            logging.error('Failed to download file "{}"'.format(lic_list_file_name))
            file_delete(file_path=local_path_file)
            return ERR
        logging.info('Download file "{}" successfully.'.format(lic_list_file_name))
        # Add the downloaded file to the list of downloaded files.
        ZTP_DOWNLOAD_FILE_LIST.append(lic_list_file_name)
        # SHA256 verification
        ret = check_file_sha256(local_path_file, lic_list_file_sha256)
        if ret != OK:
            logging.error('{} sha256 check error'.format(lic_list_file_name))
            return ERR

    return OK


def ztp_get_file_list(startup, sys_info, startup_info):
    """Obtain the list of files to be downloaded."""
    file_list = []
    file_name_dict = {}.fromkeys((FILE_TYPE_SOFTWARE, FILE_TYPE_CFG, FILE_TYPE_PAT, FILE_TYPE_MOD,
                                  FILE_TYPE_LIC, FILE_TYPE_FEATURE_PLUGIN))
    for file_info in startup_info.get('FILE_INFO'):
        file_name = file_info.get('*FILENAME')
        file_type = file_info.get('*TYPE')
        if file_name is not None:
            _file_name = file_name
            _file_path = file_info.get('PATH')
            _file_sha256 = file_info.get('SHA256')
            _file_type = file_type.lower()
            if file_type == FILE_TYPE_SOFTWARE:
                if _file_name in [startup.current.image, startup.next.image]:
                    raise ZTPErr('The name of image file to be downloaded is the same as the image file of system.')
                file_name_dict[FILE_TYPE_SOFTWARE] = _file_name
            elif file_type == FILE_TYPE_CFG:
                if _file_name in [startup.current.config, startup.next.config]:
                    raise ZTPErr('The name of config file to be downloaded is the same as the config file of system.')
                file_name_dict[FILE_TYPE_CFG] = _file_name
            elif file_type == FILE_TYPE_PAT:
                if _file_name in [startup.current.patch, startup.next.patch]:
                    raise ZTPErr('The name of patch file to be downloaded is the same as the patch file of system.')
                file_name_dict[FILE_TYPE_PAT] = _file_name
            elif file_type == FILE_TYPE_MOD:
                if _file_name in startup.current.mod_list or _file_name in startup.next.mod_list:
                    raise ZTPErr('The name of mod patch file to be downloaded is the same as the mod patch file of system.')
                file_name_dict[FILE_TYPE_MOD] = _file_name
            elif file_type == FILE_TYPE_FEATURE_PLUGIN:
                if _file_name in startup.current.feature_plugin_list or \
                        _file_name in startup.next.feature_plugin_list:
                    raise ZTPErr('The name of feature_image file to be downloaded is the same as the feature_image file of system.')
                file_name_dict[FILE_TYPE_FEATURE_PLUGIN] = _file_name
            elif file_type == FILE_TYPE_LIC:
                if file_info.get('ISBATCHPROCESS') != '1':
                    file_name_dict[FILE_TYPE_LIC] = _file_name
                else:
                    # Batch process licenses.
                    ret = download_xml(_file_path, _file_sha256, startup_info)
                    if ret != OK:
                        raise ZTPErr('Download license list file error.')

                    _license_name, _license_sha256 = get_license_from_xml(sys_info['esn'], _file_name)
                    if _license_name is None:
                        raise ZTPErr('Failed to get license file from license list file.')

                    _file_name_real = os.path.basename(_license_name)
                    _file_path = _license_name.lstrip('/')
                    _file_sha256 = _license_sha256

                    logging.info('Get license from {} successfully.(name={}, sha256={})'
                                 .format(_file_name, _file_name_real, _license_sha256))

                    file_name_dict['license'] = _file_name_real
            else:
                pass

            file_list.append((_file_path, _file_sha256, _file_type))

    return file_list, file_name_dict


def ztp_file_download(filelist, startup_info, slave):
    """Download all files in the file list.

    Returns a (ret, chg_flag) pair; every return path below yields both values
    because the caller unpacks the result.
    """
    if startup_info.get('DIRECTORY') is None:
        direct = ''
    else:
        direct = startup_info.get('DIRECTORY')

    chg_flag = False

    print_ztp_log(f"Ztp download filelist: {filelist}.", LOG_INFO_TYPE)
    for _file in filelist:
        local_path_file = None
        if _file[0] is not None:
            _file_path = _file[0]
            _file_name = os.path.basename(_file_path)
            _file_sha256 = _file[1]
            _file_type = _file[2]
            url = os.path.join(startup_info['*FILESERVER'], direct, _file_path)
            local_path_file = _file_name
            logging.info('The system begins to download {} file.'.format(_file_name))
            slog.syslog('The system begins to download {} file.'.format(_file_name), ops.INFORMATIONAL,
                        ops.SYSLOG)
            file_delete(file_path=local_path_file)
            ret = check_filename_length(url, _file_type)
            if ret != OK:
                raise ZTPErr("The file length is incorrect.")
            if DHCP_TYPE == 'DHCPv4':
                ret = download_file(url, local_path_file, MAX_TIMES_RETRY_DOWNLOAD)
            else:
                ret = download_v6_file(url, local_path_file, MAX_TIMES_RETRY_DOWNLOAD)
            if ret == ERR or not file_exist(file_path=os.path.basename(url)):
                logging.error('Failed to download file "{}"'.format(_file_name))
                slog.syslog('Failed to download file "{}"'.format(_file_name), ops.ERROR, ops.SYSLOG)
                return ERR, chg_flag
            logging.info('Download file "{}" successfully.'.format(_file_name))
            slog.syslog('Download file "{}" successfully.'.format(_file_name), ops.INFORMATIONAL, ops.SYSLOG)
            # Add the downloaded file to the list of downloaded files.
            ZTP_DOWNLOAD_FILE_LIST.append(_file_name)
            # SHA256 check
            ret = check_file_sha256(local_path_file, _file_sha256)
            if ret != OK:
                slog.syslog('{} sha256 check error'.format(_file_name), ops.ERROR, ops.SYSLOG)
                logging.error('{} sha256 check error'.format(_file_name))
                return ERR, chg_flag
            chg_flag = True
            if slave:
                if (flash_home_path_slave is None or len(flash_home_path_slave) <= 0):
                    return ERR, chg_flag
                print_ztp_log(f"The {_file_name} is being copied to the other master board, please wait...",
                              LOG_INFO_TYPE)
                for path in flash_home_path_slave:
                    file_path_slave = os.path.join(path, _file_name)
                    _ = file_delete(f"{file_path_slave}.tmp")
                    ret = file_delete(file_path_slave)
                    if ret != OK:
                        return ERR, chg_flag
                    ret = copy_file(src_path=local_path_file, dest_path=file_path_slave)
                    if ret != OK:
                        return ERR, chg_flag

    return OK, chg_flag

@ops_conn_operation
def get_syslog_config(ops_conn=None, ip_type='ipv4'):
    """Obtain the log server configuration."""
    ip_addresses = []
    uri = '/restconf/data?fields=/huawei-syslog:syslog/servers/server(ipaddress)'
    req_data = None
    ret, _, rsp_data = ops_conn.get(uri, req_data)
    if ops_return_result(ret) or rsp_data == '':
        logging.warning('Failed to get information of syslog servers.')
        return ip_addresses

    root_elem = etree.fromstring(rsp_data)
    namespaces = {
        'syslog': 'urn:huawei:yang:huawei-syslog',
    }

    servers = root_elem.find("syslog:syslog/syslog:servers", namespaces)
    if servers is not None:
        for server in servers.findall("syslog:server", namespaces):
            elem = server.find("syslog:ipaddress", namespaces)
            if (elem is not None) and (elem.text is not None) and elem.text == ip_type:
                ip_addresses.append(elem.text)

    return ip_addresses

@ops_conn_operation
def set_syslog_config(ops_conn=None, ip_addresses=[], ipaddr_type='ipv4', syslog_trans=''):
    """Configure the log server."""
    syslog_tran = syslog_trans.lower()
    if syslog_tran in ['tcp']:
        for ip_address in ip_addresses:
            xpath = '/restconf/data/huawei-syslog:syslog/servers/server'
            str_temp = string.Template('''\
<server>
  <ip-type>$ip_type</ip-type>
  <ipaddress>$ip_addr</ipaddress>
  <is-default-vpn>true</is-default-vpn>
  <vrf-name>_public_</vrf-name>
  <level>debugging</level>
  <port>514</port>
  <facility>local2</facility>
  <channel-id>2</channel-id>
  <timestamp>UTC</timestamp>
  <transport-mode>$syslog_tran</transport-mode>
</server>
''')
            req_data = str_temp.substitute(ip_type=ipaddr_type, ip_addr=ip_address, syslog_tran=syslog_tran)
            ret, _, _ = ops_conn.set(xpath, req_data)
            if ops_return_result(ret):
                raise OPIExecError('Failed to change the transmission mode')
    return OK

@ops_conn_operation
def get_addr_by_hostname(ops_conn=None, host='', addr_type='1'):
    """Convert the host name into an IP address."""
    print_ztp_log("Get IP address by host name...", LOG_INFO_TYPE)
    xpath = '{}{}'.format('/restconf/data/huawei-dns:dns/query-host-ips/query-host-ip=', host)
    req_data = None
    ret, _, rsp_data = ops_conn.get(xpath, req_data)
    if ops_return_result(ret):
        raise OPIExecError('Failed to get address by host name')

    root_elem = etree.fromstring(rsp_data)
    uriTmp = '{}'.format('/ip-address')
    uriTmp = uriTmp.replace('/', '/dns:')
    mpath = uriTmp[1:]
    namespaces = {'dns': 'urn:huawei:yang:huawei-dns'}
    elem = root_elem.find(mpath, namespaces)
    if elem is None:
        raise OPIExecError('Failed to get IP address by host name')

    return elem.text


@ops_conn_operation
def get_ipv6_addr_by_hostname(ops_conn=None, host=''):
    print_ztp_log("Get IPv6 address by host name...", LOG_INFO_TYPE)
    xpath = '{}{}'.format('/restconf/data/huawei-dns:dns/query-host-ipv6s/query-host-ipv6=', host)
    req_data = None
    ret, _, rsp_data = ops_conn.get(xpath, req_data)
    if ops_return_result(ret):
        raise OPIExecError('Failed to get IPv6 address by host name')

    root_elem = etree.fromstring(rsp_data)
    namespaces = {'dns': 'urn:huawei:yang:huawei-dns'}
    elem = root_elem.find('dns:ipv6-address', namespaces)
    if elem is None:
        raise OPIExecError('Failed to get IPv6 address by host name.')

    return elem.text

@ops_conn_operation
def ztp_status_set(envValue=ZTP_STATUS_END, ops_conn=None):
    """Set the ZTP process status.

    input: envValue int Environment variable value, which can be true or false
    output: ret int Operation result
    """
    logging.info("Set the value of envZtpStatus to {} .".format(envValue))
    if envValue not in ['true', 'false']:
        logging.error("The envValue:%s is invalid, not in ['true', 'false']!" % envValue)
        return ERR

    xpath = '{}'.format('/restconf/operations/huawei-ztp:set-enable-status')
    str_temp = string.Template('''\
<input>
  <enable>$enableSta</enable>
</input>
''')
    req_data = str_temp.substitute(enableSta=envValue)
    ret, _, _ = ops_conn.create(xpath, req_data)
    if ops_return_result(ret):
        raise OPIExecError('Failed to set the value of envZtpStatus.')

    return OK

@ops_conn_operation
def ztp_status_get(ops_conn=None):
    """Obtain the ZTP process status.

    output: ret int Operation result
            envValue str Environment variable value obtained
    """
    logging.info("Get the value of envZtpStatus...")
    xpath = '{}'.format('/restconf/data?fields=/huawei-ztp:ztp/status(enable)')
    req_data = None
    ret, _, rsp_data = ops_conn.get(xpath, req_data)
    if ret == http.client.NOT_FOUND:
        return ERR, ''
    if ops_return_result(ret) or rsp_data == '':
        raise OPIExecError('Failed to get the value of envZtpStatus.')

    root_elem = etree.fromstring(rsp_data)
    namespaces = {'data':'urn:ietf:params:xml:ns:yang:ietf-restconf', 'ztp':'urn:huawei:yang:huawei-ztp'}
    uriTmp = '{}'.format('/ztp/status/enable')
    uriTmp = uriTmp.replace('/', '/ztp:')
    mpath = uriTmp[1:]
    elem = root_elem.find(mpath, namespaces)
    if elem is None:
        return ERR, ''

    return OK, elem.text

@ops_conn_operation
def has_slave_mpu(ops_conn=None, mpu_slot={}):
    """Whether device has slave MPU, returns a bool value"""
    print_ztp_log("Test whether device has slave MPU...", LOG_INFO_TYPE)
    uri = '/restconf/data/huawei-devm:devm/physical-entitys/physical-entity=mpuModule'
    req_data = None

    has_slave = False
    ret, _, rsp_data = ops_conn.get(uri, req_data)
    if ops_return_result(ret) or rsp_data == '':
        raise OPIExecError('Failed to get the device slave information')

    # Re-construct a packet for parsing.
    rsp_data_tmp = rsp_data.replace('<?xml version="1.0" encoding="UTF-8"?>', '')
    rsp_data_tmp = rsp_data_tmp.replace(' xmlns="urn:huawei:yang:huawei-devm"', '')
    rsp_data_tmp = '{}{}{}'.format(
        '<physical-entitys xmlns="urn:huawei:yang:huawei-devm">', rsp_data_tmp,
        '</physical-entitys>')
    root_elem = etree.fromstring(rsp_data_tmp)

    namespaces = {'devm': 'urn:huawei:yang:huawei-devm'}
    for entity in root_elem.findall("devm:physical-entity", namespaces):
        elem = entity.find("devm:standby-state", namespaces)
        if (elem is not None) and (elem.text is not None):
            if elem.text.lower().find('slave') >= 0:
                has_slave = True
                elem = entity.find("devm:position", namespaces)
                if elem is not None:
                    mpu_slot['slave'] = elem.text
            elif elem.text.lower().find('master') >= 0:
                elem = entity.find("devm:position", namespaces)
                if elem is not None:
                    mpu_slot['master'] = elem.text

    logging.info("device has slave: {} .".format(str(has_slave)))

    return has_slave

@ops_conn_operation
def get_system_info(ops_conn=None):
    """Get system info, returns a dict"""
    print_ztp_log("Get the system information...", LOG_INFO_TYPE)
    uri = '/restconf/data?fields=/huawei-system:system/system-info(product-name;esn;mac;product-version)'
    req_data = None
    ret, _, rsp_data = ops_conn.get(uri, req_data)
    if ops_return_result(ret) or rsp_data == '':
        raise OPIExecError('Failed to get the system information.')

    sys_info = {}.fromkeys(('product-name', 'esn', 'mac', 'product-version'))
    root_elem = etree.fromstring(rsp_data)
    namespaces = {
        'system': 'urn:huawei:yang:huawei-system'
    }
    mpath = '{}'.format('system:system/system:system-info')
    nslen = len(namespaces['system'])
    elem = root_elem.find(mpath, namespaces)
    if elem is not None:
        for child in elem:
            tag = child.tag[nslen + 2:]  # skip the namespace, '{namespace}esn'
            if tag in list(sys_info.keys()):
                sys_info[tag] = child.text

    return sys_info


def convert_file_list_info(file_list):
    if not isinstance(file_list, list):
        return ""
    return ",".join(file_list)

def record_startup_info_to_file(startup_info, startup):
    """Record the startup information to file."""
    print_ztp_log("Record the current startup information to file...", LOG_INFO_TYPE)
    slog.syslog("Record the current startup information to file...", ops.INFORMATIONAL, ops.SYSLOG)
    sn_value = startup_info.get('*TIME_SN')
    sn_value = '' if sn_value in [None, 'DEFAULT'] else sn_value
    record_info = {}.fromkeys((FILE_TYPE_SOFTWARE, FILE_TYPE_CFG, FILE_TYPE_PAT,
                               FILE_TYPE_MOD, FILE_TYPE_FEATURE_PLUGIN), '')

    if startup.current.image is not None:
        record_info[FILE_TYPE_SOFTWARE] = startup.current.image
    if startup.current.config is not None:
        record_info[FILE_TYPE_CFG] = startup.current.config
    if startup.current.patch is not None:
        record_info[FILE_TYPE_PAT] = startup.current.patch
    if startup.current.mod_list is not None:
        record_info[FILE_TYPE_MOD] = convert_file_list_info(startup.current.mod_list)
    if startup.current.feature_plugin_list is not None:
        record_info[FILE_TYPE_FEATURE_PLUGIN] = convert_file_list_info(startup.current.feature_plugin_list)

    str_temp = string.Template('TIME_SN=$sn\n'
                               'SOFTWARE=$image_name\n'
                               'CFG=$config_name\n'
                               'PAT=$patch_name\n'
                               'MOD=$mod_list\n'
                               'FEATURE_IMAGE=$feature_image_name\n')

    startup_info_str = str_temp.substitute(sn=sn_value,
                                           image_name=record_info[FILE_TYPE_SOFTWARE],
                                           config_name=record_info[FILE_TYPE_CFG],
                                           patch_name=record_info[FILE_TYPE_PAT],
                                           mod_list=record_info[FILE_TYPE_MOD],
                                           feature_image_name=record_info[FILE_TYPE_FEATURE_PLUGIN])

    try:
        file_path = os.path.join(FLASH_HOME_PATH, STARTUP_INFO_FILE_NAME)
        # Refuse to write through a symbolic link, so the record cannot be redirected to another file.
        if os.path.islink(file_path):
            raise Exception("This is a soft link file. Please check.")

        with open(file_path, 'w', encoding='utf-8') as fhdl:
            fhdl.write(startup_info_str)
            fhdl.flush()  # hand the buffered data to the OS before asking it to sync
            os.fsync(fhdl)
        os.chmod(file_path, 0o660)
    except Exception as reason:
        logging.error(reason)
        raise

def revert_file_list_info(file_info):
    return file_info.split(",")

def get_startup_info_from_file():
    """Get startup information from file"""
    print_ztp_log("Get the backup startup information from file...", LOG_INFO_TYPE)
    sn_value = ''
    startup_info_backup = {}.fromkeys((FILE_TYPE_SOFTWARE, FILE_TYPE_CFG, FILE_TYPE_PAT,
                                       FILE_TYPE_MOD, FILE_TYPE_FEATURE_PLUGIN), None)

    try:
        file_path = os.path.join(FLASH_HOME_PATH, STARTUP_INFO_FILE_NAME)
        if os.path.islink(file_path):
            raise Exception("This is a soft link file. Please check.")

        with open(file_path, 'r', encoding='utf-8') as fhdl:
            fhdl.seek(0)
            lines_info = fhdl.readlines()
            for line in lines_info:
                if line.startswith('TIME_SN='):
                    sn_value = line[8:-1]
                elif line.startswith('SOFTWARE=') and line[9:-1] != '':
                    startup_info_backup[FILE_TYPE_SOFTWARE] = line[9:-1]
                elif line.startswith('CFG=') and line[4:-1] != '':
                    startup_info_backup[FILE_TYPE_CFG] = line[4:-1]
                elif line.startswith('PAT=') and line[4:-1] != '':
                    startup_info_backup[FILE_TYPE_PAT] = line[4:-1]
                elif line.startswith('MOD=') and line[4:-1] != '':
                    startup_info_backup[FILE_TYPE_MOD] = revert_file_list_info(line[4:-1])
                elif line.startswith('FEATURE_IMAGE=') and line[14:-1] != '':
                    startup_info_backup[FILE_TYPE_FEATURE_PLUGIN] = revert_file_list_info(line[14:-1])
                else:
                    continue
    except Exception as reason:
        logging.error(reason)
        raise

    return sn_value, startup_info_backup

def set_file_effectiveMode(startup_info):
    """Set the mode for activating version files.

    Traverse the information in the startup_info file and read the *EFFECTIVE_MODE field.
    If it has been set, no processing is required. If it is set to None, the default
    activation mode is used based on the file type. The system software package and
    configuration file take effect only after the device is restarted. Therefore, only the
    default activation mode can be configured for them. Activation is not required for
    customized files.
    """
    file_info_list = startup_info.get('FILE_INFO')
    if not isinstance(file_info_list, list):
        logging.error("Parameters are invalid.")
        return

    for i in range(len(file_info_list)):
        file_type = file_info_list[i].get('*TYPE').lower()
        effective_mode = file_info_list[i].get('*EFFECTIVE_MODE')
        if effective_mode is None or \
                file_type in [FILE_TYPE_SOFTWARE, FILE_TYPE_CFG, FILE_TYPE_LIC, FILE_TYPE_USER] or \
                (file_type in [FILE_TYPE_PAT, FILE_TYPE_MOD, FILE_TYPE_FEATURE_PLUGIN] and
                 effective_mode == EFFECTIVE_MODE_NO_NEED):
            file_info_list[i].update({
                '*EFFECTIVE_MODE': FILE_DEFAULT_EFFECTIVE_MODE.get(file_type.lower())
            })

def get_license_from_xml(esn, file_path_xml):


"""Obtain the license file that matches the ESN from the license file list.

The license file name and SHA256 value of the file are returned.
"""
if not isinstance(file_path_xml, str):
logging.error("File path is invalid.")
return None, None
# Check the file name.
file_name = os.path.basename(file_path_xml)
if file_name != LICENSE_LIST_FILE_NAME:

Issue 02 (2023-11-15) Copyright © Huawei Technologies Co., Ltd. 244


CloudEngine S3700, S5700, and S6700 Series
Switches
Configuration Guide - Basic Configuration 6 ZTP Configuration

logging.error("File name is not {}.(file_name={})"\


.format(LICENSE_LIST_FILE_NAME, file_name))
return None, None
file_path_real = os.path.join(FLASH_HOME_PATH, file_name)
# Check whether the file exists.
if not os.path.isfile(file_path_real):
logging.error("File does not exist.")
return None, None
try:
tree = etree.parse(file_path_real)
# Obtain the root node.
root = tree.getroot()
except Exception as reason:
logging.error(reason)
raise

for lic in root:


for child in lic:
if child.tag == "Esn" and child.text == esn:
lic_name = lic.get("name")
lic_sha256 = lic.get("sha256")
if lic_sha256 == '':
lic_sha256 = None
return lic_name, lic_sha256

return None, None

@ops_conn_operation
def patch_active_proc(ops_conn=None, patch_name=''):
    """Activate the patch file."""

    print_ztp_log("Patch active...", LOG_INFO_TYPE)

    uri = '/restconf/operations/huawei-patch:load-patch'
    str_temp = string.Template('''\
<input>
    <name>$patchName</name>
    <load-type>run</load-type>
</input>
''')
    req_data = str_temp.substitute(patchName=patch_name)
    ret, _, _ = ops_conn.create(uri, req_data)
    if ops_return_result(ret):
        raise OPIExecError('Failed to execute the patch active operation.')


@ops_conn_operation
def license_active_proc(ops_conn=None, license_name=''):
    """Activate the license file."""

    print_ztp_log("License active...", LOG_INFO_TYPE)

    uri = '/restconf/operations/huawei-license:license-active'
    str_temp = string.Template('''\
<input>
    <filename>$licenseName</filename>
</input>
''')
    req_data = str_temp.substitute(licenseName=license_name)
    ret, _, _ = ops_conn.create(uri, req_data)
    if ops_return_result(ret):
        raise OPIExecError('Failed to execute the license active operation.')


@ops_conn_operation
def delete_startup_patch_file(ops_conn=None):
    """Delete the patch file configured for system startup."""

    print_ztp_log("Delete the patch file...", LOG_INFO_TYPE)

    uri = '/restconf/operations/huawei-patch:delete-patch'
    req_data = '''\
<input>
    <delete-type>all</delete-type>
</input>
'''
    # It is an action operation, so use create for HTTP POST.
    ret, _, rsp_data = ops_conn.create(uri, req_data)
    if ops_return_result(ret):
        logging.error("delete_startup_patch_file failed, rsp_data = \n{}".format(rsp_data))
        raise OPIExecError('Failed to delete patch.')

@ops_conn_operation
def get_active_intime(ops_conn=None):
    """Obtain the current system time of the device in HH:MM format.

    '0:0' is returned if the time cannot be queried.
    """
    time_sys = '0:0'
    uri = '/restconf/data?fields=/huawei-tm:tm/date-and-time(current-time)'
    req_data = None
    ret, _, rsp_data = ops_conn.get(uri, req_data)
    if ops_return_result(ret) or rsp_data == '':
        logging.warning("Get active in time failed!")
        return time_sys

    root_elem = etree.fromstring(rsp_data)
    namespaces = {'tm': 'urn:huawei:yang:huawei-tm'}
    elem = root_elem.find('tm:tm/tm:date-and-time/tm:current-time', namespaces)
    if elem is not None:
        # The value is an ISO 8601 string such as 2023-11-15T08:30:00Z; keep HH:MM.
        text_list = re.findall(".*T(.*)Z.*", elem.text)
        if text_list:  # re.findall() returns an empty list, never None, when nothing matches
            time_sys = text_list[0][0:5]
    return time_sys


def get_active_intime_delay(active_in_time):
    """Convert an ACTIVE_INTIME value (HH:MM) into the number of seconds to sleep until that time."""
    if not isinstance(active_in_time, str):
        return None

    if re.match(r'^(0[0-9]|1[0-9]|2[0-3]|[0-9])\:(0[0-9]|1[0-9]|2[0-9]|3[0-9]|4[0-9]|5[0-9]|[0-9])$',
                active_in_time):
        # The time is entered, for example, 23:59.
        h_intime, m_intime = active_in_time.split(":")
        m_intime_count = int(h_intime) * ONEMINUTE + int(m_intime)

        time_now = get_active_intime()
        h_timenow, m_timenow = time_now.split(":")
        m_timenow_count = int(h_timenow) * ONEMINUTE + int(m_timenow)

        if m_intime_count > m_timenow_count:
            time_sleep = m_intime_count - m_timenow_count
        else:
            # The configured time has already passed today; wait until the same time tomorrow.
            time_sleep = m_intime_count + 24 * ONEMINUTE - m_timenow_count
        return time_sleep * ONEMINUTE
    else:
        logging.warning("The field of ACTIVE_INTIME is invalid!")
        return None


def get_delay_time_sec(active_delay_time):
    """Convert an ACTIVE_DELAYTIME value (seconds, digits only) into an int capped at 24 hours."""
    if not isinstance(active_delay_time, str):
        return None

    if re.match(r'(\d+)$', active_delay_time):
        # The delay is entered, for example, 60.
        delay_time_sec = int(active_delay_time)
        if delay_time_sec > (ONEHOUR * 24):
            logging.error("The active delay time over 24 hours!")
            delay_time_sec = ONEHOUR * 24
        return delay_time_sec
    else:
        logging.warning("The field of ACTIVE_DELAYTIME is invalid!")
        return None

def get_delay_time(active_delay_time, active_in_time):
    """Obtain the number of seconds to be delayed based on the activation delay or file effective time
    configured in the .ini file."""

    print_ztp_log("Get activation delay time...", LOG_INFO_TYPE)

    if active_delay_time is None and active_in_time is None:
        return 0

    delay_time = get_delay_time_sec(active_delay_time)
    if delay_time is not None:
        return delay_time

    delay_time = get_active_intime_delay(active_in_time)
    if delay_time is not None:
        return delay_time

    logging.warning("Activation delay time is invalid!")
    return None


def sha256_calc(file_path, is_config_file=False):
    """Calculate the SHA256 value.

    input:  file_path       str   Path of the file for which the SHA256 needs to be calculated.
            is_config_file  bool  Indicates whether the file is an intermediate file; if so, its
                                  first line (the #sha256= header) is excluded from the digest.
    output: ret             int   Indicates whether the calculation is successful.
            outStr          str   SHA256 value.
    """
    def read_chunks(fhdl):
        """Yield the file in 8096-byte chunks and rewind the handle once the end is reached."""
        chunk = fhdl.read(8096)
        while chunk:
            yield chunk
            chunk = fhdl.read(8096)
        else:
            fhdl.seek(0)

    if not isinstance(file_path, str):
        logging.error("File path is invalid.")
        return ERR, ""

    file_name = os.path.basename(file_path)
    file_path_real = os.path.join(FLASH_HOME_PATH, file_name)
    if os.path.islink(file_path_real):
        raise Exception("This is a soft link file. Please check.")

    if not os.path.exists(file_path_real):
        logging.error("File does not exist.")
        return ERR, ""

    if is_config_file not in [True, False]:
        logging.error("The flag of config file is invalid. "
                      "is_config_file = {}".format(is_config_file))
        return ERR, ""

    sha256_obj = sha256()
    with open(file_path_real, "rb") as fhdl:
        if is_config_file is True:
            # Skip the first line.
            fhdl.seek(0)
            fhdl.readline()
        for chunk in read_chunks(fhdl):
            sha256_obj.update(chunk)

    sha256_value = sha256_obj.hexdigest()
    return OK, sha256_value


def get_file_info_str(file_info_list):
    if len(file_info_list) == 0:
        return None

    str_tmp = ''
    for file_info in file_info_list:
        str_tmp = '{}{} {}'.format(str_tmp, '\n', str(file_info))

    return str_tmp

def get_file_infos_from_user_config(user_config_dict, dict_name_str):
    """Return the one non-empty key (product-name, esn or mac) and its entries; None if zero or several are set."""
    cnt = 0
    _key = None
    for key in list(user_config_dict.keys()):
        file_infos = user_config_dict.get(key)
        if len(file_infos) != 0:
            cnt += 1
            _key = key

    if cnt == 1:
        return _key, user_config_dict.get(_key)
    elif cnt > 1:
        logging.warning("User configuration information {} is invalid, "
                        "please check!".format(dict_name_str))
        return None, None
    else:
        return None, None


def print_product_infos(sys_info):
    product_name = sys_info.get('product-name')
    product_esn = sys_info.get('esn')
    product_mac = sys_info.get('mac')

    print_ztp_log(f"Product info of the device: product-name = '{product_name}', esn = '{product_esn}', "
                  f"mac = '{product_mac}'.", LOG_INFO_TYPE)

def set_startup_info_from_user_config(startup_info, sys_info):
    """Build the startup information dictionary from the REMOTE_* settings at the top of the script."""
    startup_info.update({'*FILESERVER': FILE_SERVER})
    startup_info.update({'*TIME_SN': TIME_SN})
    startup_info.update({'SPACE_CLEAR': SPACE_CLEAR})
    startup_info.update({'SYSLOG_INFO': SYSLOG_INFO})
    startup_info.update({'DIRECTORY': ''})
    startup_info.update({'ACTIVE_DELAYTIME': ACTIVE_DELAYTIME})
    startup_info.update({'ACTIVE_INTIME': ACTIVE_INTIME})

    file_info_list = []
    print_product_infos(sys_info)

    # REMOTE_IMAGE
    if len(REMOTE_IMAGE) != 0:
        _key, _infos = get_file_infos_from_user_config(REMOTE_IMAGE, 'REMOTE_IMAGE')
        if _infos is not None:
            image_info = _infos.get(sys_info.get(_key))
            if image_info is not None:
                image_path = image_info.get('path')
                if image_path is not None:
                    file_info = {}.fromkeys(('*FILENAME', '*TYPE', '*EFFECTIVE_MODE', 'ISBATCHPROCESS',
                                             'SHA256', 'PATH'))
                    file_info['*FILENAME'] = os.path.basename(image_path)
                    file_info['PATH'] = image_path.lstrip('/')
                    if file_info['*FILENAME'] not in [None, '']:
                        file_info['*TYPE'] = FILE_TYPE_SOFTWARE
                        file_info['*EFFECTIVE_MODE'] = EFFECTIVE_MODE_REBOOT
                        file_info['ISBATCHPROCESS'] = '0'
                        file_info['SHA256'] = image_info.get('sha256')
                        if file_info['SHA256'] == '':
                            file_info['SHA256'] = None

                        if (VRPVER is not None) and (sys_info['product-version'].lower() == VRPVER.lower()):
                            logging.warning('The downloaded package version is the same as the current device '
                                            'package version, package download will be skipped')
                        else:
                            file_info_list.append(file_info)

    # REMOTE_CONFIG
    if len(REMOTE_CONFIG) != 0:
        _key, _infos = get_file_infos_from_user_config(REMOTE_CONFIG, 'REMOTE_CONFIG')
        if _infos is not None:
            config_info = _infos.get(sys_info.get(_key))
            if config_info is not None:
                config_path = config_info.get('path')
                if config_path is not None:
                    file_info = {}.fromkeys(('*FILENAME', '*TYPE', '*EFFECTIVE_MODE', 'ISBATCHPROCESS',
                                             'SHA256', 'PATH'))
                    file_info['*FILENAME'] = os.path.basename(config_path)
                    file_info['PATH'] = config_path.lstrip('/')
                    if file_info['*FILENAME'] not in [None, '']:
                        file_info['*TYPE'] = FILE_TYPE_CFG
                        file_info['*EFFECTIVE_MODE'] = EFFECTIVE_MODE_REBOOT
                        file_info['ISBATCHPROCESS'] = '0'
                        file_info['SHA256'] = config_info.get('sha256')
                        if file_info['SHA256'] == '':
                            file_info['SHA256'] = None
                        file_info_list.append(file_info)

    # REMOTE_PATCH
    if len(REMOTE_PATCH) != 0:
        _key, _infos = get_file_infos_from_user_config(REMOTE_PATCH, 'REMOTE_PATCH')
        if _infos is not None:
            patch_info = _infos.get(sys_info.get(_key))
            if patch_info is not None:
                patch_path = patch_info.get('path')
                if patch_path is not None:
                    file_info = {}.fromkeys(('*FILENAME', '*TYPE', '*EFFECTIVE_MODE', 'ISBATCHPROCESS',
                                             'SHA256', 'PATH'))
                    file_info['*FILENAME'] = os.path.basename(patch_path)
                    file_info['PATH'] = patch_path.lstrip('/')
                    if file_info['*FILENAME'] not in [None, '']:
                        file_info['*TYPE'] = FILE_TYPE_PAT
                        file_info['*EFFECTIVE_MODE'] = patch_info.get('effective_mode')
                        if file_info['*EFFECTIVE_MODE'] in [None, '']:
                            file_info['*EFFECTIVE_MODE'] = EFFECTIVE_MODE_NO_REBOOT
                        file_info['ISBATCHPROCESS'] = '0'
                        file_info['SHA256'] = patch_info.get('sha256')
                        if file_info['SHA256'] == '':
                            file_info['SHA256'] = None
                        file_info_list.append(file_info)

    # REMOTE_MOD
    if len(REMOTE_MOD) != 0:
        _key, _infos = get_file_infos_from_user_config(REMOTE_MOD, 'REMOTE_MOD')
        if _infos is not None:
            patch_info = _infos.get(sys_info.get(_key))
            if patch_info is not None:
                patch_path = patch_info.get('path')
                if patch_path is not None:
                    file_info = {}.fromkeys(('*FILENAME', '*TYPE', '*EFFECTIVE_MODE', 'ISBATCHPROCESS',
                                             'SHA256', 'PATH'))
                    file_info['*FILENAME'] = os.path.basename(patch_path)
                    file_info['PATH'] = patch_path.lstrip('/')
                    if file_info['*FILENAME'] not in [None, '']:
                        file_info['*TYPE'] = FILE_TYPE_MOD
                        file_info['*EFFECTIVE_MODE'] = patch_info.get('effective_mode')
                        if file_info['*EFFECTIVE_MODE'] in [None, '']:
                            file_info['*EFFECTIVE_MODE'] = EFFECTIVE_MODE_NO_REBOOT
                        file_info['ISBATCHPROCESS'] = '0'
                        file_info['SHA256'] = patch_info.get('sha256')
                        if file_info['SHA256'] == '':
                            file_info['SHA256'] = None
                        file_info_list.append(file_info)

    # REMOTE_LICLIST
    license_info = REMOTE_LICLIST
    license_path = license_info.get('path')
    if license_path is not None:
        file_info = {}.fromkeys(('*FILENAME', '*TYPE', '*EFFECTIVE_MODE', 'ISBATCHPROCESS',
                                 'SHA256', 'PATH'))
        file_info['*FILENAME'] = os.path.basename(license_path)
        file_info['PATH'] = license_path.lstrip('/')
        if file_info['*FILENAME'] not in [None, '']:
            file_info['*TYPE'] = FILE_TYPE_LIC
            file_info['*EFFECTIVE_MODE'] = EFFECTIVE_MODE_NO_REBOOT
            file_info['ISBATCHPROCESS'] = '1'
            file_info['SHA256'] = license_info.get('sha256')
            if file_info['SHA256'] == '':
                file_info['SHA256'] = None
            file_info_list.append(file_info)

    # REMOTE_USER
    if len(REMOTE_USER) != 0:
        _key, _infos = get_file_infos_from_user_config(REMOTE_USER, 'REMOTE_USER')
        if _infos is not None:
            user_info_list = _infos.get(sys_info.get(_key))
            if user_info_list is not None:
                for user_info in user_info_list:
                    # A deployment handles at most nine files in total.
                    if len(file_info_list) >= 9:
                        logging.warning("Too many user files, please check!")
                        break
                    user_path = user_info.get('path')
                    if user_path is not None:
                        file_info = {}.fromkeys(('*FILENAME', '*TYPE', '*EFFECTIVE_MODE', 'ISBATCHPROCESS',
                                                 'SHA256', 'PATH'))
                        file_info['*FILENAME'] = os.path.basename(user_path)
                        file_info['PATH'] = user_path.lstrip('/')
                        if file_info['*FILENAME'] not in [None, '']:
                            file_info['*TYPE'] = FILE_TYPE_USER
                            file_info['*EFFECTIVE_MODE'] = EFFECTIVE_MODE_NO_NEED
                            file_info['ISBATCHPROCESS'] = '0'
                            file_info['SHA256'] = user_info.get('sha256')
                            if file_info['SHA256'] == '':
                                file_info['SHA256'] = None
                            file_info_list.append(file_info)

    print_ztp_log(f"The device deployment file infos: {get_file_info_str(file_info_list)}.", LOG_INFO_TYPE)

    startup_info.update({'FILE_INFO': file_info_list})

def check_parameter(aset):
    """Return True if the string contains a shell metacharacter that must not appear in a file name."""
    seq = ['&', '>', '<', '"', "'", "|", '`', '$', ';', '(', ')', '[', ']', '{', '}', '~', '*', '?']
    if aset:
        for c in seq:
            if c in aset:
                return True
    return False


def check_number(aset):
    """Return True if the string contains any character other than a decimal digit."""
    nums = ['1', '2', '3', '4', '5', '6', '7', '8', '9', '0']
    if aset:
        for num in aset:
            if num not in nums:
                return True
    return False


def check_filename_and_extension(startup_info):
    file_info_list = startup_info.get('FILE_INFO')
    for file_info in file_info_list:
        file_name = file_info.get('*FILENAME')
        file_type = file_info.get('*TYPE')
        if file_name not in ['', None] and check_parameter(file_name):
            raise ZTPErr('Invalid filename of {} file, the name should not contain: {} {} {} {} {} {} {} {} .'
                         .format(file_type, '&', '>', '<', '"', "'", "|", '`', '$'))
        _, ext = os.path.splitext(file_name)
        if (file_type != FILE_TYPE_USER) and (ext.lower() not in FILE_EXTENSION.get(file_type)):
            raise ZTPErr('Invalid filename extension of {} file.'.format(file_type))


def check_SN_config(startup_info):
    sn = startup_info.get('*TIME_SN')
    if not isinstance(sn, str):
        raise ZTPErr('Invalid type of TIME_SN value.')
    if len(sn) != 14:
        raise ZTPErr('Invalid length of TIME_SN value.')
    if check_number(sn):
        raise ZTPErr('Invalid value of TIME_SN, the value should only contain numbers.')


def check_user_config(startup_info):
    check_filename_and_extension(startup_info)
    check_SN_config(startup_info)

def check_starupinfo_txt(startup_info, startup):
    """Compare this deployment with the record of the previous one and abort or roll back if needed."""
    global system_startupInfo_state

    if file_exist(file_path=STARTUP_INFO_FILE_NAME):
        # Obtain information from the file.
        sn_from_file, startup_info_last = get_startup_info_from_file()
        sn_from_py = TIME_SN
        if sn_from_py == sn_from_file:
            # Obtain the current deployment status flag.
            ret, ztp_status = ztp_status_get()
            if ret is OK:
                if ztp_status == str(ZTP_STATUS_END):
                    # Exit the ZTP process. The device starts.
                    logging.warning('The current device was successfully deployed last time, '
                                    'and the TIME_SN configured this time is the same as that of the last time. '
                                    'Please check!')
                    raise ZTPAbort('There is no need to continue!')
                elif ztp_status == str(ZTP_STATUS_RUNNING):
                    # The device restarted unexpectedly during the last deployment. Rollback is required.
                    startup.rollback_startup_info(
                        startup_info_last.get(FILE_TYPE_SOFTWARE),
                        startup_info_last.get(FILE_TYPE_CFG),
                        startup_info_last.get(FILE_TYPE_PAT),
                        startup_info_last.get(FILE_TYPE_MOD),
                        startup_info_last.get(FILE_TYPE_FEATURE_PLUGIN))
                    system_startupInfo_state = SYSTEM_STARUPINFO_END
                    raise ZTPRollback('Startup info rollback successfully.')
        else:
            flag = 0
            flag1 = 0

            ret, ztp_status = ztp_status_get()
            if ret is OK and ztp_status == str(ZTP_STATUS_END):
                for file_info in startup_info.get('FILE_INFO'):
                    file_name = file_info.get('*FILENAME')
                    file_type = file_info.get('*TYPE')
                    if file_type in [FILE_TYPE_SOFTWARE, FILE_TYPE_PAT]:
                        flag += 1
                        if file_name == startup.current.image or file_name == startup.current.patch:
                            logging.warning('The file {} is the same as the current of device.'.format(file_name))
                            flag1 += 1

                if flag1 > 0:
                    record_startup_info_to_file(startup_info, startup)
                    if flag == flag1:
                        logging.warning('The current device was successfully deployed last time, '
                                        'and the system software or patch configured this time '
                                        'is the same as that of the current device. Please check!')
                        raise ZTPAbort('There is no need to continue!')
                    else:
                        logging.warning('The current device is successfully started last time. '
                                        'The system software package and patch in the intermediate file for '
                                        'this deployment are the same as those of the current device. Please check.')
                        raise ZTPErr('The intermediate file system software package or patch is the same as '
                                     'the device system software package or patch!')

def check_if_reboot_needed(startup_info):
    """Return True if any file in the deployment is activated by restarting the device."""
    file_info_list = startup_info.get('FILE_INFO')
    if not isinstance(file_info_list, list):
        logging.error("The type of FILE_INFO is invalid.")
        return True

    reboot_flag = False
    for i in range(len(file_info_list)):
        effective_mode = file_info_list[i].get('*EFFECTIVE_MODE')
        if effective_mode == EFFECTIVE_MODE_REBOOT:
            reboot_flag = True
            break

    return reboot_flag


@ops_conn_operation
def set_master_key(masterkey='', ops_conn=None):
    """Set the master key."""

    print_ztp_log('Now set master key...', LOG_INFO_TYPE)

    is_master_key = ops.opscharacterEncode(masterkey)
    uri = '/restconf/operations/huawei-masterkey:set-masterkey'
    if is_master_key == '':
        req_data = """<input> </input>"""
    else:
        req_template = string.Template('''
<input>
    <new-masterkey>$newmasterkey</new-masterkey>
</input>
''')
        req_data = req_template.substitute(newmasterkey=is_master_key)
    ret, _, rsp_data = ops_conn.create(uri, req_data)
    if ops_return_result(ret):
        return ERR, rsp_data
    return OK, ''

def record_clear_master_key_to_file():
    """Record the clear-master-key flag to a file in the flash home directory."""

    print_ztp_log("Record clear master key to file...", LOG_INFO_TYPE)

    try:
        file_path = os.path.join(FLASH_HOME_PATH, SET_MASTER_FILE_NAME)

        if os.path.islink(file_path):
            raise Exception("This is a soft link file. Please check.")

        # An empty flag file is enough; its presence is what is checked later.
        with open(file_path, 'w', encoding='utf-8') as fhdl:
            os.fsync(fhdl)
        os.chmod(file_path, 0o660)
    except Exception as reason:
        logging.error(reason)
        raise


def copy_mod_file_to_dest(mod_name):
    """Copy the MOD file into the $_install_mod directory, replacing any existing copy."""
    if mod_name is None:
        return OK

    src_file_path = f'flash:/{mod_name}'
    dest_file_path = f'flash:/$_install_mod/{mod_name}'
    ret = file_delete(dest_file_path)
    if ret != OK:
        return ERR
    ret = copy_file(src_file_path, dest_file_path)
    if ret != OK:
        return ERR
    return OK


def check_addr(address):
    """Return 'DHCPv4' or 'DHCPv6' according to the IP version of the address, or None if it is not an IP address."""
    try:
        version = ipaddress.ip_address(address).version
        if version == 4:
            return 'DHCPv4'
        elif version == 6:
            return 'DHCPv6'
        else:
            return None
    except ValueError:
        return None


def check_filserver_dhcp_type(url):
    """Return the DHCP type implied by the IP version of the file server host in the URL."""
    url_tuple = urlparse(url)
    ipaddr = url_tuple.hostname
    cur_type = check_addr(ipaddr)
    return cur_type


def clean_download_temp_file(file_path):
    """Delete a downloaded file and its .tmp companion."""
    ret1 = file_delete(file_path)
    ret2 = file_delete(f"{file_path}.tmp")
    if ret1 != OK or ret2 != OK:
        return ERR
    return OK

def main_proc():
    """Main processing"""

    print_ztp_log("Start ztp_script...", LOG_INFO_TYPE)

    sys_info = get_system_info()
    startup = Startup()
    mpu_slot = {}.fromkeys(('master', 'slave'))
    slave = has_slave_mpu(mpu_slot=mpu_slot)  # Check whether a slave MPU exists.

    # Generate startup information based on the user configuration.
    startup_info = {}
    set_startup_info_from_user_config(startup_info, sys_info)

    # Check the user input configuration.
    check_user_config(startup_info)

    # Configure the log server based on the configured log transfer protocol.
    syslog_trans_protocol = startup_info.get('SYSLOG_INFO')
    addr_type = 'ipv4'
    if DHCP_TYPE == 'DHCPv6':
        addr_type = 'ipv6'
    ip_addresses = get_syslog_config(ip_type=addr_type)
    set_syslog_config(ip_addresses=ip_addresses, ipaddr_type=addr_type, syslog_trans=syslog_trans_protocol)

    check_starupinfo_txt(startup_info, startup)
    global system_startupInfo_state
    system_startupInfo_state = SYSTEM_STARUPINFO_END

    # Check the flash memory space.
    ret = check_space(startup_info, startup.current.image)
    if ret is ERR:
        slog.syslog("Error: the space is not enough.", ops.ERROR, ops.SYSLOG)
        raise ZTPErr('The space is not enough.')

    # Set the ZTP deployment status to 0.
    ztp_status_set(ZTP_STATUS_RUNNING)
    # Record the current startup and configuration information to a file for new deployment.
    record_startup_info_to_file(startup_info, startup)

    url = startup_info['*FILESERVER']
    cur_dhcp_type = check_filserver_dhcp_type(url)
    if cur_dhcp_type is not None and cur_dhcp_type != DHCP_TYPE:
        print_ztp_log("The IP version in ini file is inconsistent with bootfile server.", LOG_ERROR_TYPE)
        return ERR

    # Obtain the version file list and names.
    file_list, file_name_dict = ztp_get_file_list(startup, sys_info, startup_info)
    slog.syslog('The device of system mac %s, ESN %s begins to download file.' % (sys_info['mac'],
                sys_info['esn']), ops.INFORMATIONAL, ops.SYSLOG)
    # Obtain the activation delay before downloading so that an invalid setting is rejected early.
    delay_time_sec = get_delay_time(startup_info.get('ACTIVE_DELAYTIME'),
                                    startup_info.get('ACTIVE_INTIME'))

    if delay_time_sec is None:
        slog.syslog("Get delay time failed.", ops.INFORMATIONAL, ops.SYSLOG)
        return ERR
    # Download the version files.
    ret, chg_flag = ztp_file_download(file_list, startup_info, slave)
    if ret != OK or chg_flag is False:
        return ERR
    # Set the mode for activating the file.
    set_file_effectiveMode(startup_info)
    global system_reboot_needed
    system_reboot_needed = check_if_reboot_needed(startup_info)

    image_name = file_name_dict.get(FILE_TYPE_SOFTWARE)
    config_name = file_name_dict.get(FILE_TYPE_CFG)
    patch_name = file_name_dict.get(FILE_TYPE_PAT)
    mod_name = file_name_dict.get(FILE_TYPE_MOD)
    feature_name = file_name_dict.get(FILE_TYPE_FEATURE_PLUGIN)
    # Activate the file.
    print_ztp_log(f"After {delay_time_sec} seconds activation will be performed.", LOG_INFO_TYPE)
    slog.syslog("After {} seconds activation will be performed.".format(delay_time_sec),
                ops.INFORMATIONAL, ops.SYSLOG)
    sleep(delay_time_sec)
    # Copy the MOD file.
    ret = copy_mod_file_to_dest(mod_name)
    if ret != OK:
        logging.error("Failed to copy mod file to destination path.")
        return ERR

    # Set the master key.
    if master_exportcfg is None and config_name is not None and is_set_master is not None:
        ret, _ = set_master_key(is_set_master)
        _, nextcfg = startup.get_startup_info_by_type(FILE_TYPE_CFG)
        if nextcfg is not None:
            startup._del_startup_config_file()
        if ret == OK:
            print_ztp_log('Now set master key success...', LOG_INFO_TYPE)
        else:
            raise ZTPErr('Failed to set master key.')

    if is_clear_master == True:
        record_clear_master_key_to_file()
        ZTP_DOWNLOAD_FILE_LIST.append(SET_MASTER_FILE_NAME)

    file_info_list = startup_info.get('FILE_INFO')
    if not isinstance(file_info_list, list):
        logging.error("Parameters are invalid.")
        return ERR

    # Files activated without a restart are not written into the next-startup information.
    for file_info in file_info_list:
        effective_mode = file_info.get('*EFFECTIVE_MODE')
        if effective_mode != EFFECTIVE_MODE_NO_REBOOT:
            continue

        file_type = file_info.get('*TYPE').lower()
        if file_type == FILE_TYPE_PAT:
            patch_name = None

        if file_type == FILE_TYPE_MOD:
            mod_name = None

        if file_type == FILE_TYPE_FEATURE_PLUGIN:
            feature_name = None

    startup.set_exportcfg(master_exportcfg)
    # Specify the version files for the next startup.
    startup.set_startup_info(image_name, config_name, patch_name, mod_name, feature_name, slave)
    global system_file_state
    system_file_state = SYSTEM_FILE_SETTING_END

    startup.file_effective_proc(file_info_list, file_name_dict)

    return OK

def main(download_file_list=[], logfile_name=''):
    """The main function of user script. It is called by ZTP frame, so do not remove or change this function.

    Args:
    Raises:
    Returns: user script processing result
    """
    try:
        global LOG_FILE
        LOG_FILE = logfile_name
        global flash_home_path_master
        global flash_home_path_slave
        flash_home_path_master, flash_home_path_slave, _ = get_home_path()
        ret = main_proc()

    except ZTPAbort as reason:
        raise ZTPAbort(reason)

    except ZTPRollback as reason:
        raise ZTPRollback(reason)

    except OPIExecError as reason:
        print_ztp_log(f"OPI execute error: {str(reason)}", LOG_ERROR_TYPE)
        ret = ERR

    except ZTPErr as reason:
        print_ztp_log(f"ZTP error: {str(reason)}", LOG_ERROR_TYPE)
        ret = ERR

    except IOError as reason:
        print_ztp_log(f"{str(reason)}", LOG_ERROR_TYPE)
        ret = ERR

    except Exception as reason:
        print_ztp_log(f"{str(reason)}", LOG_ERROR_TYPE)
        traceinfo = traceback.format_exc()
        logging.error(traceinfo)
        ret = ERR

    finally:
        download_file_list.extend(ZTP_DOWNLOAD_FILE_LIST)

    return ret, (system_file_state, system_startupInfo_state, system_reboot_needed)


if __name__ == "__main__":
    main()
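The script above relies on two SHA256 checks: the #sha256= header of the script itself (sha256_calc() skips the first line of an intermediate file, and the NOTE in Table 6-10 says the header is prepended only after the digest is generated) and the per-ESN license digest that get_license_from_xml() reads from ztp_license_list.xml. The following added example, which is not part of Huawei's script, generates and verifies such a header and looks up and verifies a license file the same way. It assumes the device verifies the header by hashing everything after the first line; the sample script body, license files and license list are constructed here. Two caveats the page itself supports: a script without a #sha256= line is still executed, and an empty sha256 field (in REMOTE_* or in the license list) means the file is downloaded and used with no integrity check at all, so leaving the field empty on a file server reached with credentials embedded in FILE_SERVER gives up the only tamper detection ZTP offers.

```python
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET

SHA256_HEADER_PREFIX = '#sha256="'


def sha256_of_file(path, skip_first_line=False, chunk_size=8096):
    """SHA256 of a file, read in chunks as sha256_calc() does.

    skip_first_line=True excludes the #sha256= header line, mirroring
    sha256_calc(file, is_config_file=True) in the ZTP script.
    """
    digest = hashlib.sha256()
    with open(path, 'rb') as fh:
        if skip_first_line:
            fh.readline()
        for chunk in iter(lambda: fh.read(chunk_size), b''):
            digest.update(chunk)
    return digest.hexdigest()


def add_sha256_header(script_body: bytes) -> bytes:
    """Hash the body first, then prepend the header, so the digest never covers the header."""
    digest = hashlib.sha256(script_body).hexdigest()
    return f'{SHA256_HEADER_PREFIX}{digest}"\n'.encode('utf-8') + script_body


def verify_sha256_header(path) -> bool:
    """Assumed device behaviour: digest over everything after the first line.
    Returns False for a missing header (the device would still run such a script)."""
    with open(path, 'rb') as fh:
        first_line = fh.readline().decode('utf-8', 'replace').strip()
    if not first_line.startswith(SHA256_HEADER_PREFIX):
        return False
    expected = first_line[len(SHA256_HEADER_PREFIX):].rstrip('"').lower()
    return expected == sha256_of_file(path, skip_first_line=True)


def find_license_for_esn(xml_bytes: bytes, esn: str):
    """Same lookup as get_license_from_xml(): (name, sha256) of the <Lic> whose <Esn>
    matches; an empty sha256 attribute becomes None, exactly as in the script."""
    root = ET.fromstring(xml_bytes)
    for lic in root.findall('Lic'):
        esn_elem = lic.find('Esn')
        if esn_elem is not None and esn_elem.text == esn:
            return lic.get('name'), (lic.get('sha256') or None)
    return None, None


def verify_license_file(xml_bytes: bytes, esn: str, license_dir: str):
    """Return (ok, reason); ok is True only when a digest was listed and matched."""
    name, expected = find_license_for_esn(xml_bytes, esn)
    if name is None:
        return False, 'no license entry for ESN'
    # The name attribute becomes part of a flash path: accept a bare file name only.
    if name != os.path.basename(name) or name in ('', '.', '..'):
        return False, 'invalid license file name'
    path = os.path.join(license_dir, name)
    if os.path.islink(path) or not os.path.isfile(path):
        return False, 'license file missing or is a symbolic link'
    if expected is None:
        return False, 'no digest listed, file would be used without integrity check'
    if sha256_of_file(path) != expected.lower():
        return False, 'digest mismatch'
    return True, 'digest verified'


def demo():
    """Run both checks on constructed sample files in a temporary directory."""
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        script_path = os.path.join(workdir, 'ztp_script.py')
        body = b'# constructed sample script body\nprint("deploy")\n'
        with open(script_path, 'wb') as fh:
            fh.write(add_sha256_header(body))
        results['script_ok'] = verify_sha256_header(script_path)
        with open(script_path, 'ab') as fh:  # tamper after the header was generated
            fh.write(b'import os; os.system("id")\n')
        results['script_tampered'] = verify_sha256_header(script_path)

        # Constructed license list modelled on the ztp_license_list.xml example in Table 6-10.
        lic1 = b'<License>constructed sample 1</License>\n'
        with open(os.path.join(workdir, 'LIC_file1.xml'), 'wb') as fh:
            fh.write(lic1)
        with open(os.path.join(workdir, 'LIC_file2.dat'), 'wb') as fh:
            fh.write(b'constructed sample 2\n')
        lic_list = (
            '<?xml version="1.0" encoding="utf-8" standalone="yes"?>\n'
            '<Index formatVersion="1.0">\n'
            f'  <Lic name="LIC_file1.xml" sha256="{hashlib.sha256(lic1).hexdigest()}">\n'
            '    <LSN>LIC202005183TCG5M</LSN><Esn>102050157695</Esn>\n'
            '  </Lic>\n'
            '  <Lic name="LIC_file2.dat" sha256="">\n'
            '    <LSN>LIC202005183TCI50</LSN><Esn>2102311LDL0000000805</Esn>\n'
            '  </Lic>\n'
            '</Index>\n'
        ).encode('utf-8')
        results['lic_verified'] = verify_license_file(lic_list, '102050157695', workdir)
        results['lic_unverified'] = verify_license_file(lic_list, '2102311LDL0000000805', workdir)
        results['lic_unknown_esn'] = verify_license_file(lic_list, '000000000000', workdir)
    return results


if __name__ == '__main__':
    for key, value in demo().items():
        print(f'{key}: {value}')
```

To produce the header for a real script, run add_sha256_header() over the file as it will be served and write the result out; re-run verify_sha256_header() on the served copy before pointing the DHCP bootfile option at it. In the license path, treat the 'no digest listed' result as a finding, not a pass.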

NOTE

In Table 6-10, the bold content in the Script Content column can be modified based on the actual running environment.

Table 6-10 Script description

Script content:
#sha256="cb203b72b6070f535eaff14c7c7d984cf28c58052fadf1b484f80258b07fc8c9"
Description:
SHA256 verification code of the script, which is used to check the integrity of the downloaded script.
NOTE
Before an SHA256 verification code is generated, do not add the #sha256= field to the script. Instead, #sha256= should be added to the beginning of the script after the SHA256 verification code is generated. A script without an SHA256 verification code can still be executed.


Script content:
REMOTE_IMAGE = {
    'product-name': {
        'S6700' : {
            'path': '/image/software_file_name.cc',
            'sha256': '',
        },
    },
    'esn': {},
    'mac': {}
}
Description:
Path, file name, and SHA256 verification code of the system software.
● path: If this field is left empty, no system software needs to be loaded.
● sha256: SHA256 verification code, which can be left empty.
NOTE
Only one of product-name, esn, and mac can be specified and cannot be all empty.
● When product-name is used for deployment, the value of product-name can be queried using the display version command. In the command output, S6700 in "Version xxx (S6700 xxx)" is the value of product-name.
● When esn is used for deployment, the value of esn can be queried using the display device esn command.
● When mac is used for deployment, the value of mac can be queried using the display bridge mac-address command. The MAC address, which is case sensitive, must be the same as that queried on the device, for example, 00e0-fc12-3456.


Script content:
REMOTE_CONFIG = {
    'product-name': {},
    'esn': {
        'BARCODETEST20200620' : {
            'path': '/config/conf_file_name.cfg',
            'sha256': '',
        },
    },
    'mac': {}
}
Description:
Path, file name, and SHA256 verification code of the configuration file.
● path: If this field is left empty, no configuration file needs to be loaded.
● sha256: SHA256 verification code, which can be left empty.
NOTE
Only one of product-name, esn, and mac can be specified and cannot be all empty.
● When product-name is used for deployment, the value of product-name can be queried using the display version command. In the command output, S6700 in "Version xxx (S6700 xxx)" is the value of product-name.
● When esn is used for deployment, the value of esn can be queried using the display device esn command.
● When mac is used for deployment, the value of mac can be queried using the display bridge mac-address command. The MAC address, which is case sensitive, must be the same as that queried on the device, for example, 00e0-fc12-3456.


Script content:
REMOTE_PATCH = {
    'product-name': {},
    'esn': {},
    'mac': {
        '00E0-FC12-3456' : {
            'path': '/patch/pat_file_name.pat',
            'effective_mode': EFFECTIVE_MODE_NO_REBOOT,
            'sha256': '',
        },
    }
}
Description:
Path, file name, activation mode, and SHA256 verification code of the PAT patch file.
● path: If this field is left empty, no patch file needs to be loaded.
● effective_mode: activation mode. If this field is left empty, a patch file is activated without the need of device restart.
  – EFFECTIVE_MODE_NO_REBOOT: A patch file is activated without the need of device restart.
  – EFFECTIVE_MODE_REBOOT: A patch file is activated upon restart.
● sha256: SHA256 verification code, which can be left empty.
NOTE
Only one of product-name, esn, and mac can be specified and cannot be all empty.
● When product-name is used for deployment, the value of product-name can be queried using the display version command. In the command output, S6700 in "Version xxx (S6700 xxx)" is the value of product-name.
● When esn is used for deployment, the value of esn can be queried using the display device esn command.
● When mac is used for deployment, the value of mac can be queried using the display bridge mac-address command. The MAC address, which is case sensitive, must be the same as that queried on the device, for example, 00e0-fc12-3456.


Script content:
REMOTE_MOD = {
    'product-name': {},
    'esn': {},
    'mac': {
        '00E0-FC12-3456' : {
            'path': '/patch/mod_file_name.MOD',
            'effective_mode': EFFECTIVE_MODE_NO_REBOOT,
            'sha256': '',
        },
    }
}
Description:
Path, file name, activation mode, and SHA256 verification code of the MOD patch file.
● path: If this field is left empty, no patch file needs to be loaded.
● effective_mode: activation mode. If this field is left empty, a patch file is activated without the need of device restart.
  – EFFECTIVE_MODE_NO_REBOOT: A patch file is activated without the need of device restart.
  – EFFECTIVE_MODE_REBOOT: A patch file is activated upon restart.
● sha256: SHA256 verification code, which can be left empty.
NOTE
Only one of product-name, esn, and mac can be specified and cannot be all empty.
● When product-name is used for deployment, the value of product-name can be queried using the display version command. In the command output, S6700 in "Version xxx (S6700 xxx)" is the value of product-name.
● When esn is used for deployment, the value of esn can be queried using the display device esn command.
● When mac is used for deployment, the value of mac can be queried using the display bridge mac-address command. The MAC address, which is case sensitive, must be the same as that queried on the device, for example, 00e0-fc12-3456.


Script Content Description


REMOTE_LICLIST = {
    'path': '/{}'.format(LICENSE_LIST_FILE_NAME),
    'sha256': 'a7638ea0a69933ac20df66ea9bf6ea301de8155684d81fbcdf00f6ca07261d7c',
}

Path and SHA256 verification code of the license list file.
● path: If this field is left empty, no license file needs to be loaded. The name of the license list file is ztp_license_list.xml and cannot be changed. The following is an example of the license list file:
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<Index formatVersion="1.0">
  <Lic name="LIC_file1.xml" sha256="d27305447dbb1e76ea9c6f27e19be2986503b91d8240612f9ebde708e7d1019e">
    <LSN>LIC202005183TCG5M</LSN>
    <Esn>102050157695</Esn>
  </Lic>
  <Lic name="LIC_file2.dat" sha256="6a2690e7a08e3df844ba86e1f48dc3c504af3b760dd0e38134771e1024fe1a5f">
    <LSN>LIC202005183TCI50</LSN>
    <Esn>2102311LDL0000000805</Esn>
  </Lic>
</Index>
● sha256: SHA256 verification code, which can be left empty.
REMOTE_USER = {
    'product-name': {},
    'esn': {
        'BARCODETEST20200620' : [
            {
                'path': '',
                'sha256': '',
            },
        ],
        'BARCODETEST20200000' : [
            {
                'path': '/user/ztp_user.txt',
                'sha256': '',
            },
            {
                'path': '/user/ztp_user1.txt',
                'sha256': '',
            },
        ],
    },
    'mac': {}
}

Path, name, and SHA256 verification code of a customized file.
● path: If this field is left empty, no customized file is required.
● sha256: SHA256 verification code, which can be left empty.
NOTE
Customized deployment files are supported. A deployment can use a maximum of nine files in total, which limits the number of customized files. For example, if the system software, configuration file, patch file, and customized files are involved in a deployment, a maximum of six customized files can be added. Multiple customized files for one device are specified as follows:
'BARCODETEST20200620' : [
    {
        'path': '/user/ztp_user.txt',
        'sha256': '',
    },
    {
        'path': '/user/ztp_user1.txt',
        'sha256': '',
    },
],

FILE_SERVER = 'sftp://sftp_user:sftp_pwd@10.1.3.2'

File server information. Deployment files are obtained from an SFTP server.
In the IPv4 scenario, the value format is sftp://username:password@hostname:port, where port is optional.
In the IPv6 scenario, the value format is sftp://username:password@hostname:port/path. The value of hostname can be a domain name or an IP address.
● If the value is a domain name, the format is sftp://username:password@hostname:port/path.
● If the value is an IP address, the format is sftp://username:password@[address]:port/path.
In this format, port is optional and path specifies the directory where deployment files are stored on the file server.
The SFTP user name and password appear in plaintext in this field, so the intermediate file must be protected like a credential: restrict who can read it on the file server, and use an SFTP account that has read-only access to the deployment files.
TIME_SN = '20200526120159'

Uniquely identifies a deployment in order to prevent repeated deployment. The value format is yyyymmddhhmmss. For example, the value 20200526120159 indicates 12:01:59 on 2020-05-26.
SYSLOG_INFO = 'UDP'

Transport protocol used to send logs to the Syslog server.
● TCP: Logs are transmitted using TCP.
● UDP: Logs are transmitted using UDP.

SPACE_CLEAR = ZTP_SPACE_CLEAR_NO_NEED

Whether to automatically clean up the system storage space when space is insufficient.
● ZTP_SPACE_CLEAR_NO_NEED: The system storage space is not cleaned up.
● ZTP_SPACE_CLEAR_NORMAL: Only system software among the deployment files is deleted.
● ZTP_SPACE_CLEAR_DEEP: In-depth cleanup is performed. System software among the deployment files is deleted first. If the available space is still insufficient, unnecessary files are deleted.
NOTE
In-depth cleanup involves some inherent risks. As such, you are advised to back up required files locally before performing in-depth cleanup.

ACTIVE_DELAYTIME = '60'

Delay before deployment is performed. The value is an integer that ranges from 0 to 86400, in seconds. If the value is greater than 86400, the value 86400 is used.
ACTIVE_INTIME = None

Scheduled time of day for deployment to be performed, within the next 24 hours. The value format is HH:MM, where HH is the hour in 24-hour format and MM is the minute (00 to 59). For example, the value 20:10 indicates that the deployment will be performed at 20:10.
NOTE
● If both ACTIVE_DELAYTIME and ACTIVE_INTIME are set, ACTIVE_DELAYTIME is preferentially used.
● If the configured time is earlier than the system time of the device, the deployment is delayed by the configured time plus 24 hours minus the current system time, that is, it runs at the configured time on the next day. For example, if the configured time is 10:00 and the device system time is 11:00, the deployment is performed 23 hours later, at 10:00 the next day.

VRPVER = None

System software version number. If the current system software version of the device is the same as the value specified here, the device does not download the system software from the deployment file server. If the system software already on the device is the version required for deployment, you are advised to set this field so that the download is skipped.
DHCP_TYPE = 'DHCPv6'

DHCP packet type.
● DHCPv4: The current deployment mode is intermediate file-based deployment in IPv4 scenarios, and DHCPv4 packets are used.
● DHCPv6: The current deployment mode is intermediate file-based deployment in IPv6 scenarios, and DHCPv6 packets are used.
INSTALL_WEAK = None

Indicates whether to install the weak security algorithm or protocol feature package. The options are as follows:
● 1: The weak security algorithm or protocol feature package is installed during ZTP deployment, and is not uninstalled after the deployment.
● 0: The weak security algorithm or protocol feature package may be installed during ZTP deployment (for example, when deployment files are obtained through FTP or TFTP), and is uninstalled after the deployment.
If this parameter is not set or is set to a value other than 1, the value 0 is used.
NOTE
If the value of INSTALL_WEAK is not 1 and the configuration file contains weak security algorithms or protocols, the weak security algorithm or protocol feature package will fail to be uninstalled.
For security purposes, you are not advised to use FTP or TFTP to obtain deployment files.

is_set_master = """AB123xxei9e:e*)34dkeieneii21@2343\0d"""

Master key of a configuration file for deployment. The value is a string of 20 to 32 characters. It must contain uppercase letters, lowercase letters, digits, and special characters.
NOTE
● This field takes effect only when a configuration file for deployment exists.
● The configuration file is exported from a device on which a master key is configured. That master key is the value of this field.
● Because this field is configured, the intermediate file contains the master key in plaintext. Therefore, you need to ensure the security of the intermediate file.

is_clear_master = False

Whether to clear the master key configured in the .ini file.
● True: After ZTP is complete, the device clears the master key configured in the .ini file and restores the random master key.
● False: After ZTP deployment, the device continues to use the master key configured in the .ini file.
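The REMOTE_LICLIST field and the ztp_license_list.xml manifest only protect a deployment if the SHA256 values match the files that will actually be served and each license is bound to an ESN that is being deployed. The following Python is an added example and is not part of the Huawei intermediate file or this guide: it checks a REMOTE_LICLIST entry against a set of files, parses the license list in the format shown above, and verifies every listed license. The file contents and digests are constructed for the example, and the assumption that license files sit in the SFTP server root is this example's, not the guide's.

```python
import hashlib
import xml.etree.ElementTree as ET

LICENSE_LIST_FILE_NAME = "ztp_license_list.xml"  # fixed name required by ZTP


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_sha256(expected: str, data: bytes) -> bool:
    """An empty sha256 field means the check is skipped, as the script allows.
    Skipping it removes integrity protection for that file, so a publisher
    should normally emit a non-empty value."""
    if not expected:
        return True
    return expected.strip().lower() == sha256_hex(data)


def parse_license_list(xml_bytes: bytes) -> list:
    """Return (name, sha256, LSN, ESN) tuples from a ztp_license_list.xml document."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "Index":
        raise ValueError("unexpected root element %r" % root.tag)
    return [
        (lic.attrib["name"], lic.attrib.get("sha256", ""),
         lic.findtext("LSN", ""), lic.findtext("Esn", ""))
        for lic in root.findall("Lic")
    ]


def verify_deployment(remote_liclist: dict, files: dict, target_esns: set) -> list:
    """files maps server paths to file contents; target_esns is the set of ESNs
    being deployed. Returns a list of problems (an empty list means OK)."""
    problems = []
    manifest_path = remote_liclist["path"]
    manifest = files.get(manifest_path)
    if manifest is None:
        return ["license list %s not on the file server" % manifest_path]
    if not check_sha256(remote_liclist["sha256"], manifest):
        problems.append("sha256 mismatch for %s" % manifest_path)
    for name, digest, lsn, esn in parse_license_list(manifest):
        path = "/" + name  # assumption: license files sit in the server root
        data = files.get(path)
        if data is None:
            problems.append("license %s (LSN %s) not on the file server" % (name, lsn))
            continue
        if not check_sha256(digest, data):
            problems.append("sha256 mismatch for %s" % name)
        if esn not in target_esns:
            problems.append("license %s is bound to ESN %s, which is not being deployed" % (name, esn))
    return problems


# --- constructed fixtures: made-up license contents, not real Huawei licenses ---
LIC1 = b"<License>constructed license 1</License>"
LIC2 = b"constructed binary license 2"
LICENSE_LIST = (
    '<?xml version="1.0" encoding="utf-8" standalone="yes"?>\n'
    '<Index formatVersion="1.0">\n'
    '  <Lic name="LIC_file1.xml" sha256="%s">\n'
    '    <LSN>LIC202005183TCG5M</LSN>\n    <Esn>102050157695</Esn>\n  </Lic>\n'
    '  <Lic name="LIC_file2.dat" sha256="%s">\n'
    '    <LSN>LIC202005183TCI50</LSN>\n    <Esn>2102311LDL0000000805</Esn>\n  </Lic>\n'
    '</Index>\n'
) % (sha256_hex(LIC1), "0" * 64)  # second digest is deliberately wrong
LICENSE_LIST = LICENSE_LIST.encode()

SERVER_FILES = {
    "/" + LICENSE_LIST_FILE_NAME: LICENSE_LIST,
    "/LIC_file1.xml": LIC1,
    "/LIC_file2.dat": LIC2,
}
REMOTE_LICLIST = {
    "path": "/{}".format(LICENSE_LIST_FILE_NAME),
    "sha256": sha256_hex(LICENSE_LIST),
}


def run_example() -> list:
    # Only the first ESN is being deployed, so LIC_file2.dat is flagged twice:
    # wrong digest and wrong ESN.
    return verify_deployment(REMOTE_LICLIST, SERVER_FILES, {"102050157695"})


if __name__ == "__main__":
    for problem in run_example():
        print("PROBLEM:", problem)
```

Run this against the real server directory before publishing the intermediate file; a manifest whose own digest is wrong is reported first, because nothing inside it can be trusted until that check passes.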

6.6.5 Configuring a DHCP Server


Context
The DHCP server uses option fields to carry the network configuration parameters that ZTP requires. The device can function as a DHCP server. If the device to be deployed and the DHCP server are on different network segments, configure a DHCP relay agent to forward DHCP packets between them.
Table 6-11 describes the DHCPv4 option fields for intermediate file-based ZTP, and Table 6-12 describes the DHCPv6 option fields for intermediate file-based ZTP. Table 6-13 describes the DHCP option fields for option parameter-based ZTP. Table 6-14 describes the DHCP option parameters required for SZTP.

CAUTION

● The DHCP server does not support authentication and may be spoofed. You are
advised to use a trusted DHCP server for deployment on a secure network.
● DHCP uses a non-encrypted transmission protocol, so the user name and
password of the SFTP file server carried in DHCP option 59, option 66, and
option 67 fields have security risks. You are advised to use this protocol on a
secure network.

Table 6-11 DHCP option parameters for intermediate file-based ZTP

Option | Mandatory or Not | Function
Option 1 | Yes | Specifies the subnet mask of the IP address.
Option 3 | Yes | Specifies the egress gateway of the DHCP client.
Option 6 | No | Specifies the IP address of the DNS server. A DNS server is required if a domain name (for example, www.ztp.com) is specified as the host name of the intermediate file server. If an IP address is specified as the host name of the intermediate file server, no DNS server is required.
Option 7 | No | Specifies the IPv4 address of the Syslog server.
Option 66 | No | Specifies the host name of the intermediate file server. The file server must be an SFTP server, whose address is in sftp://username:password@hostname[:port] format. In this format, hostname can be set to a domain name or an IP address. If it is set to a domain name, a DNS server is required.
  NOTE
  ● The configured server URL cannot contain forward slashes (/) or number signs (#).
  ● The domain name of the SFTP server is in the standard URL format.
Option 67 | Yes | Specifies the name of the intermediate file. The value format is path/filename, whereby:
  ● path may or may not contain the host name of the intermediate file server. For example, the value can be /script/ztp_script.py without a host name, or sftp://sftp_user:Hyx_Hy1234@10.1.3.2/ztp_script.py with a host name. If a relative path is used, you need to set Option 66.
  ● filename can be ztp***.ini or ztp***.py, and has a maximum length of 64 characters.
  NOTE
  The configured intermediate file name cannot contain forward slashes (/) or number signs (#).

Table 6-12 DHCPv6 option parameters for intermediate file-based ZTP

Option | Mandatory or Not | Function
Option 59 | Yes | Specifies the host name of the intermediate file server. The intermediate file server must be an SFTP file server whose address format is sftp://username:password@hostname:port/path. The value of hostname can be a domain name or an IP address.
  ● If the value is a domain name, the format is sftp://username:password@hostname:port/path, and a DNS server needs to be deployed.
  ● If the value is an IP address, the format is sftp://username:password@[address]:port/path.
  In this format, port is optional and path specifies the directory where deployment files are stored on the file server.
  NOTE
  ● The configured server URL cannot contain forward slashes (/) or number signs (#).
  ● The domain name of the SFTP server is in the standard URL format.
Option 23 | No | Specifies the IPv6 address of the DNS server. A DNS server is required if a domain name (for example, www.ztp.com) is specified as the host name of the intermediate file server. If an IP address is specified as the host name of the intermediate file server, no DNS server is required.
Option 17 (suboption 2) | No | Specifies the IPv6 address of the Syslog server.

Table 6-13 DHCP option parameters for option parameter-based ZTP

Option | Mandatory or Not | Function
Option 1 | Yes | Specifies the subnet mask of the IP address.
Option 3 | Yes | Specifies the egress gateway of the DHCP client.
Option 6 | No | Specifies the IP address of the DNS server. A DNS server is required if a domain name (for example, www.ztp.com) is specified as the host name of the deployment file server. If an IP address is specified as the host name of the deployment file server, no DNS server is required.
Option 7 | No | Specifies the IP address of the Syslog server.
Option 66 | No | Specifies the host name of the deployment file server. The deployment file server must be an SFTP server, whose address is in sftp://username:password@hostname:port format. In this format, port is optional and hostname can be set to a domain name or an IP address. If hostname is set to a domain name, a DNS server is required.
  NOTE
  ● The configured server URL cannot contain forward slashes (/) or number signs (#).
  ● The domain name of the SFTP server is in the standard URL format.
Option 67 | Yes | Specifies the name of the deployment configuration file. You can specify a file path. The specified path and file name can contain a maximum of 69 characters and cannot contain spaces or special characters. The value format is path/filename, whereby:
  ● path may or may not contain the host name of the deployment file server. For example, the value can be /path_name/filename without a host name, or sftp://username:password@hostname/filename with a host name. If the path without a host name is used, you must set option 66. The value of hostname can be a domain name or an IP address. If hostname is set to a domain name, a DNS server is required.
  ● filename can have an extension of .cfg, .dat, or .zip, and has a maximum of 64 characters.
  NOTE
  ● The configured server URL cannot contain forward slashes (/) or number signs (#).
  ● The domain name of the SFTP server is in the standard URL format.
Option 145 | No | Specifies the system software, version number, patch file, or masterkey file. A file path can be specified. If no path is specified, the root path on the deployment file server is used by default. The format is as follows:
  vrpfile=VRPFILENAME;vrpver=VRPVERSION;patchfile=PATCHFILENAME;masterfile=MASTERFILE;
  ● vrpfile: system software name, including the file path and file name. The value is a string of 4 to 69 characters. The system software package name excluding the file path can contain a maximum of 64 characters.
  ● vrpver: system software version.
  ● patchfile: patch file name, including the path and file name. The value is a string of 5 to 69 characters. The patch file name excluding the file path can contain a maximum of 63 characters.
  ● masterfile: masterkey file name, including the file path and file name. The value is a string of 5 to 32 characters.
Option 146 | No | Specifies deployment actions: what to do when the storage space is insufficient, and when a downloaded file takes effect. It contains the following subfields:
  ● opervalue: indicates whether to delete the system software from the file system if the storage space is insufficient. The value 0 indicates that the system software will not be deleted, and the value 1 indicates that it will be deleted. The default value is 0.
  ● delaytime: indicates the delay, in seconds, for a downloaded file to take effect. The default value is 0.
  ● intime: indicates the time of day at which a file takes effect. The value ranges from 00:00 to 23:59.
  NOTE
  ● The maximum delay for a file to take effect is one day (86400 seconds). A delay longer than one day is counted as one day.
  ● If both delaytime and intime are configured, delaytime takes effect.
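The two places that describe activation timing, ACTIVE_DELAYTIME and ACTIVE_INTIME in the intermediate file and the delaytime and intime subfields of option 146 above, share one rule: delaytime wins when both are set, a delay is capped at 86400 seconds, and an intime that has already passed today refers to tomorrow. The Python below is an added example and is not Huawei code or part of this guide: it parses option 145 in the vrpfile=...;vrpver=...; layout given above, enforces the length limits from Table 6-13, and computes the effective delay from option 146 subfields. The guide does not state the separator used inside option 146, so the key=value; layout assumed for it here is an assumption, as are the sample values.

```python
import posixpath
from datetime import datetime, timedelta

MAX_DELAY = 86400  # one day; a longer delay is counted as one day

# Length rules from Table 6-13: (min total length, max total length, max file name length).
# None means the guide states no separate file-name limit for that field.
LIMITS = {
    "vrpfile": (4, 69, 64),
    "patchfile": (5, 69, 63),
    "masterfile": (5, 32, None),
}


def parse_kv_option(value: str) -> dict:
    """Split 'key=value;key=value;' into a dict.

    Option 145 is documented in exactly this layout. Using the same layout for
    option 146 is an assumption: the guide names its subfields (opervalue,
    delaytime, intime) but not their separator."""
    fields = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError("malformed item %r" % item)
        key, val = item.split("=", 1)
        key = key.strip()
        if key in fields:
            raise ValueError("duplicate key %r" % key)
        fields[key] = val.strip()
    return fields


def validate_option145(value: str) -> list:
    """Return the length-rule violations in an option 145 value (empty list = OK)."""
    fields = parse_kv_option(value)
    problems = []
    for key, (lo, hi, name_max) in LIMITS.items():
        val = fields.get(key)
        if val is None:
            continue  # every subfield may be omitted
        if not lo <= len(val) <= hi:
            problems.append("%s length %d not in %d..%d" % (key, len(val), lo, hi))
        if name_max is not None and len(posixpath.basename(val)) > name_max:
            problems.append("%s file name longer than %d" % (key, name_max))
    unknown = sorted(set(fields) - set(LIMITS) - {"vrpver"})
    if unknown:
        problems.append("unknown keys: %s" % ", ".join(unknown))
    return problems


def activation_delay(delaytime, intime, now: datetime) -> int:
    """Seconds until downloaded files take effect.

    delaytime is used when both are set (the same rule applies to
    ACTIVE_DELAYTIME / ACTIVE_INTIME in the intermediate file) and is capped
    at MAX_DELAY. intime is HH:MM on a 24-hour clock; when it is earlier than
    the current time it refers to tomorrow, so the delay is intime + 24h - now."""
    if delaytime not in (None, ""):
        delay = int(delaytime)
        if delay < 0:
            raise ValueError("delaytime must not be negative")
        return min(delay, MAX_DELAY)
    if intime in (None, ""):
        return 0
    hour, minute = (int(part) for part in intime.split(":"))
    target = now.replace(hour=hour, minute=minute, second=0, microsecond=0)
    if target < now:
        target += timedelta(days=1)
    return int((target - now).total_seconds())


def plan_option146(value: str, now: datetime) -> dict:
    """Interpret an option 146 value into the two decisions it controls."""
    fields = parse_kv_option(value)
    return {
        "delete_system_software": fields.get("opervalue", "0") == "1",
        "delay_seconds": activation_delay(fields.get("delaytime"), fields.get("intime"), now),
    }


# Constructed sample values; the file names follow the examples in this chapter.
EXAMPLE_NOW = datetime(2020, 5, 26, 11, 0, 0)
EXAMPLE_OPTION145 = "vrpfile=/image/software_file.cc;vrpver=V600R022C10;patchfile=/patch/patch_file.pat;"
EXAMPLE_OPTION146 = "opervalue=1;delaytime=30;intime=10:00;"

if __name__ == "__main__":
    print("option 145 problems:", validate_option145(EXAMPLE_OPTION145))
    print("option 146 plan:", plan_option146(EXAMPLE_OPTION146, EXAMPLE_NOW))
```

With the device clock at 11:00 and intime=10:00, the computed delay is 82800 seconds, which is the 23-hour case described for ACTIVE_INTIME; a delaytime of 100000 is clamped to 86400.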

Table 6-14 DHCP option parameters for SZTP

Option | Mandatory or Not | Function
Option 1 | Yes | Specifies the subnet mask of the IP address.
Option 3 | Yes | Specifies the egress gateway of the DHCP client.
Option 6 | No | Specifies the IP address of the DNS server. A DNS server is required if a domain name (for example, www.ztp.com) is specified as the host name of the intermediate file server. If an IP address is specified as the host name of the intermediate file server, no DNS server is required.
Option 7 | No | Specifies the IP address of the Syslog server.
Option 143 | Yes | Specifies the bootstrap server address list.
  NOTE
  This field must be configured using the option 143 hex sub-hex-string command.

Procedure
Step 1 Configure the DHCP server.
Step 2 (Optional) Configure the DHCP relay agent.
NOTE

If a Huawei device is used as the DHCP relay agent, see "DHCPv4 Configuration" or
"DHCPv6 Configuration" in CLI Configuration Guide > IP Address and Service Configuration.
If a third-party device is used as the DHCP relay agent, see the operation guide of the third-
party DHCP server and DHCP relay agent.

----End

6.6.6 (Optional) Configuring a Bootstrap Server


Context
Huawei devices do not provide the bootstrap server capability. Therefore, a third-
party bootstrap server needs to be deployed. For details about how to configure
the third-party bootstrap server, see the operation guide of the third-party
bootstrap server.
Before configuring the bootstrap server, you must obtain the ownership voucher of
the device to be deployed by referring to the following process:
● Send the root certificate of the bootstrap server to Huawei technical support
engineers.
● Huawei then issues the ownership voucher of the device to be deployed based
on the root certificate of the bootstrap server and the ESN of the device.
● Huawei technical support engineers send the ownership voucher to you.

Procedure
Step 1 Obtain the ownership voucher issued by Huawei for the ZTP device to be
deployed.
Step 2 Install the ownership voucher on the bootstrap server.
Step 3 Configure the bootstrap server.
For SZTP, you need to create and upload bootstrapping data on the bootstrap
server. Bootstrapping data is a set of data obtained by the device from the
bootstrap server during SZTP. For details, see RFC 8572.
The following is an example of the interaction process between the device to be
deployed and the bootstrap server:
The device to be deployed requests bootstrapping data:
POST:/restconf/operations/ietf-sztp-bootstrap-server:get-bootstrapping-data
Content-Type: application/yang.data+xml
<input xmlns="urn:ietf:params:xml:ns:yang:ietf-sztp-bootstrap-server">
<signed-data-preferred/>
</input>

The bootstrap server replies with bootstrapping data:


Content-Type: application/yang.data+xml
<output xmlns="urn:ietf:params:xml:ns:yang:ietf-sztp-bootstrap-server">
<conveyed-information>base64encodedvalue==</conveyed-information>
<owner-certificate>base64encodedvalue==</owner-certificate>
<ownership-voucher>base64encodedvalue==</ownership-voucher>
</output>

Bootstrapping data contains the following parts:


1. Conveyed information: contains the bootstrapping information required by the
device to be deployed, that is, redirect information or onboarding information
(only one type of the information can be carried).
YANG tree of the ietf-sztp-conveyed-info module (RFC 8572):
yang-data conveyed-information:
  +-- (information-type)
     +--:(redirect-information)
     |  +-- redirect-information
     |     +-- bootstrap-server* [address]
     |        +-- address        inet:host
     |        +-- port?          inet:port-number
     |        +-- trust-anchor?  cms
     +--:(onboarding-information)
        +-- onboarding-information
           +-- boot-image
           |  +-- os-name?               string
           |  +-- os-version?            string
           |  +-- download-uri*          inet:uri
           |  +-- image-verification* [hash-algorithm]
           |     +-- hash-algorithm    identityref
           |     +-- hash-value        yang:hex-string
           +-- configuration-handling?     enumeration
           +-- pre-configuration-script?   script
           +-- configuration?              binary
           +-- post-configuration-script?  script
– Redirect information: is used to redirect a device to another bootstrap
server. The redirect information contains a list of bootstrap servers, as
well as the host name, optional port, and optional trust anchor certificate
used by the device to authenticate the bootstrap server.
Example:
<conveyed-information xmlns="urn:ietf:params:xml:ns:yang:ietf-sztp-conveyed-info">
<redirect-information>
<bootstrap-server>
<address>https://sztp1.example.com</address>
<port>90</port>
<trust-anchor>base64encodedvalue==</trust-anchor>
</bootstrap-server>
<bootstrap-server>
<address>https://sztp2.example.com</address>
<port>90</port>
<trust-anchor>base64encodedvalue==</trust-anchor>
</bootstrap-server>
<bootstrap-server>
<address>https://sztp3.example.com</address>
<port>90</port>
<trust-anchor>base64encodedvalue==</trust-anchor>
</bootstrap-server>
</redirect-information>
</conveyed-information>
– Onboarding information: provides detailed information about the image,
configuration file, and other deployment files of the device to be
deployed.
Example:
<conveyed-information xmlns="urn:ietf:params:xml:ns:yang:ietf-sztp-conveyed-info">
  <onboarding-information>
    <boot-image>
      <os-name></os-name>
      <os-version></os-version>
      <download-uri>https://example.com/path/to/image/cfg_file_name.cfg</download-uri>
      <image-verification>
        <hash-algorithm>ietf-sztp-conveyed-info:sha-256</hash-algorithm>
        <hash-value>ee0d0a46ebb2db92762eedba2c0afd9543bf3c3a983dab2e00c559ba9e62196f</hash-value>
      </image-verification>
    </boot-image>
    <configuration-handling>merge</configuration-handling>
    <pre-configuration-script>base64encodedvalue==</pre-configuration-script>
    <configuration>base64encodedvalue==</configuration>
    <post-configuration-script>base64encodedvalue==</post-configuration-script>
  </onboarding-information>
</conveyed-information>

2. Owner certificate: contains the public key certificate of the customer. The
device can use this certificate to verify the signature of the conveyed
information.
3. Ownership voucher: is signed by Huawei. The customer needs to provide the
pinned domain certificate and the ESN of the device to be deployed. Huawei
generates and provides the ownership voucher for the customer. For details
about the ownership voucher, see RFC 8366.
Example:
{
"ietf-voucher:voucher": {
"created-on": "2023-05-30T19:31:42Z",
"expires-on": "2023-09-30T19:31:42Z",
"assertion": "verified",
"serial-number": "BARCODETEST20200620",
"idevid-issuer": "base64encodedvalue==",
"pinned-domain-cert": "base64encodedvalue==",
"domain-cert-revocation-checks": "false",
"last-renewal-date": ""
}
}
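Before a device acts on onboarding information it has to establish that the bootstrapping data is meant for it and comes from the owner named in the voucher. The Python below is an added example; it is not part of RFC 8572, of Huawei's implementation, or of this guide. It performs the plausibility checks on a decoded voucher (serial number equals the device ESN, validity window, assertion type), checks that the presented owner certificate is the pinned-domain-cert in the simplest single-certificate case, and verifies a downloaded image against the sha-256 hash in conveyed-information. It assumes the CMS signatures over the voucher and the conveyed information have already been verified by the device's PKI code, which this example does not do; the certificate bytes, image bytes, and voucher values are constructed.

```python
import base64
import hashlib
import json
import xml.etree.ElementTree as ET
from datetime import datetime

CONVEYED_NS = "urn:ietf:params:xml:ns:yang:ietf-sztp-conveyed-info"
SHA256_ID = "ietf-sztp-conveyed-info:sha-256"
ASSERTIONS = ("verified", "logged", "proximity")  # RFC 8366 assertion values


def parse_time(value: str) -> datetime:
    """The vouchers in this guide carry UTC timestamps with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def check_voucher(voucher: dict, device_esn: str, now: datetime) -> list:
    """Plausibility checks on an already signature-verified voucher payload.
    Returns a list of problems; an empty list means the voucher may be used."""
    v = voucher["ietf-voucher:voucher"]
    problems = []
    if v.get("serial-number") != device_esn:
        problems.append("voucher is for %s, device is %s" % (v.get("serial-number"), device_esn))
    if v.get("assertion") not in ASSERTIONS:
        problems.append("unknown assertion %r" % v.get("assertion"))
    if now < parse_time(v["created-on"]):
        problems.append("voucher not yet valid")
    if "expires-on" in v and now >= parse_time(v["expires-on"]):
        problems.append("voucher expired on %s" % v["expires-on"])
    if not v.get("pinned-domain-cert"):
        problems.append("no pinned-domain-cert")
    return problems


def pinned_cert_matches(voucher: dict, owner_cert_der: bytes) -> bool:
    """The owner certificate delivered with the bootstrapping data must be the
    pinned-domain-cert (or chain to it). Only the single-certificate case is
    handled here: byte-for-byte equality of the DER encodings."""
    pinned = base64.b64decode(voucher["ietf-voucher:voucher"]["pinned-domain-cert"])
    return pinned == owner_cert_der


def boot_image_hashes(conveyed_xml: bytes) -> list:
    """Return (hash-algorithm, hex digest) pairs from boot-image/image-verification.
    yang:hex-string is colon separated ("ee:0d:..."); the example in this guide
    omits the colons, so both spellings are normalised."""
    root = ET.fromstring(conveyed_xml)
    ns = {"ci": CONVEYED_NS}
    pairs = []
    for iv in root.findall("ci:onboarding-information/ci:boot-image/ci:image-verification", ns):
        algorithm = iv.findtext("ci:hash-algorithm", "", ns).strip()
        hex_value = iv.findtext("ci:hash-value", "", ns)
        pairs.append((algorithm, hex_value.replace(":", "").strip().lower()))
    return pairs


def image_is_verified(conveyed_xml: bytes, image: bytes) -> bool:
    """True only if every listed hash is sha-256 and matches the image.
    An image without any image-verification entry is refused."""
    pairs = boot_image_hashes(conveyed_xml)
    if not pairs:
        return False
    digest = hashlib.sha256(image).hexdigest()
    return all(alg == SHA256_ID and hv == digest for alg, hv in pairs)


# --- constructed sample data: not a real certificate, image, or Huawei voucher ---
IMAGE = b"constructed system software image"
OWNER_CERT = b"\x30\x82\x01\x00constructed DER owner certificate"
CONVEYED = (
    '<conveyed-information xmlns="%s">'
    '<onboarding-information><boot-image>'
    '<os-name>constructed-os</os-name><os-version>1.0</os-version>'
    '<download-uri>https://example.com/path/to/image/software_file.cc</download-uri>'
    '<image-verification><hash-algorithm>%s</hash-algorithm>'
    '<hash-value>%s</hash-value></image-verification>'
    '</boot-image><configuration-handling>merge</configuration-handling>'
    '</onboarding-information></conveyed-information>'
) % (CONVEYED_NS, SHA256_ID, hashlib.sha256(IMAGE).hexdigest())
CONVEYED = CONVEYED.encode()
VOUCHER_JSON = json.dumps({  # what the device sees after unwrapping the CMS structure
    "ietf-voucher:voucher": {
        "created-on": "2023-05-30T19:31:42Z",
        "expires-on": "2023-09-30T19:31:42Z",
        "assertion": "verified",
        "serial-number": "BARCODETEST20200620",
        "pinned-domain-cert": base64.b64encode(OWNER_CERT).decode(),
        "domain-cert-revocation-checks": False,
    }
})
VOUCHER = json.loads(VOUCHER_JSON)

if __name__ == "__main__":
    now = parse_time("2023-07-01T00:00:00Z")
    print("voucher problems:", check_voucher(VOUCHER, "BARCODETEST20200620", now))
    print("owner cert pinned:", pinned_cert_matches(VOUCHER, OWNER_CERT))
    print("image verified:", image_is_verified(CONVEYED, IMAGE))
```

The order matters in practice: a voucher that names another ESN or has expired must stop processing before the pinned certificate is used to validate anything, and an image whose hash does not match must never be written to flash even if the rest of the onboarding information is sound.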

----End

6.6.7 Configuring a File Server


Prerequisites
There must be reachable routes between the file server and the device with
factory configurations.

Context
A file server stores the files to be downloaded to devices with factory
configurations, including intermediate files and deployment files. If a device is
configured as the file server, those files will occupy a significant amount of device
storage resources. To ensure the device performance, a third-party file server is
typically used on a ZTP network. For details about how to configure a third-party
file server, see the third-party server operation guide.
The intermediate file server and deployment file server can be the same file server.
The file server must be an SFTP server. By default, the device uses SHA2-based SSH algorithms, so the SFTP server must support them as well: at least one algorithm supported by the file server must also be supported by the device, or the SFTP session cannot be set up. You can run the display this include-default | include ssh command to check the algorithms configured on the device for the SSH client and server.

Procedure
Step 1 Configure the file server. SFTP and HTTPS file servers are recommended because
they are more secure than FTP and HTTP file servers.

NOTE

● If a Huawei device is used as the file server, see "Managing Files Using SFTP" in CLI
Configuration Guide > Basic Configuration.
● If a third-party device is used as the file server, see the operation guide of the third-
party SFTP or HTTPS file server.
● The file server used for SZTP must have the HTTPS server capability, but Huawei devices
do not provide the capability. Therefore, a third-party server needs to be deployed. For
details about how to configure a third-party server, see the third-party server operation
guide.

Step 2 Place the intermediate file and deployment files in the working directory of the file server.

The HTTPS deployment file server has requirements on the length of deployment file names. Ensure that the following requirements are met:
● System software: 4 to 124 characters
● Configuration file: 5 to 64 characters
● Patch file: 5 to 63 characters
● Intermediate file: 5 to 64 characters
NOTE

To ensure security of the file server, configure a unique user name for the file server and
assign the read-only permission to the user to prevent unauthorized modification of the
files. After the ZTP process is complete, disable the file server function.

----End

6.6.8 Starting DHCP-based ZTP Without a Controller

Context
A device with factory configurations has never started ZTP before. In its factory
configurations, the ZTP function is enabled by default. To start ZTP, you only need
to power on the device. The ZTP function can be disabled on a device. If you log in
to a device through the console port and disable the ZTP function when the device
starts with factory configurations, the ZTP process is terminated. To enable the
device to execute the ZTP process when it starts with factory configurations next
time, you need to enable the ZTP function.

Procedure
Step 1 Power on the device.

Step 2 (Optional) Enable the ZTP function on the device.


set ztp enable

By default, the ZTP function is enabled on a device.

To disable a device from running the ZTP process upon startup with factory
configurations, run the set ztp disable command on the device.

Step 3 (Optional) Restart the device with factory configurations.
reboot fast

----End

6.6.9 Verifying DHCP-based ZTP Without a Controller


Procedure
Step 1 The device completes the ZTP process in about 15 minutes after it is powered on.
You can then log in to the device to check whether the startup files are the
required ones.
display startup

----End

Follow-up Procedure
If deployment fails, analyze ZTP logs on the device to determine the cause. ZTP
logs are saved in the file named ztp_YYYYMMHHMMSS.log in the flash:/
directory.

6.6.10 (Optional) Configuring the Device to Download a CA


Certificate from the Bootstrap Server

Prerequisites
The device has been deployed.

Context
If the device is to be managed by the controller but no certificate has been preconfigured for it on iMaster NCE-Campus, you need to import the CA certificate trusted by the controller to the device.
The bootstrap server stores the CA certificate trusted by the controller. Currently,
iMaster NCE-Campus integrates the function of the bootstrap server. The device
needs to download the CA certificate NCE-bootstrap.pem from the bootstrap
server and import the certificate to the default domain.
A maximum of 10 bootstrap servers can be configured for the device. The
bootstrap servers with the same IP address and VPN instance name are considered
as one bootstrap server. The interaction process between the device and bootstrap
server is as follows:
1. The device proactively establishes an HTTPS connection with a bootstrap
server.
2. The device sends a request packet to the bootstrap server to download a CA
certificate. The request packet carries the device ESN or the IP address of the
bootstrap server.
3. The bootstrap server searches for the CA certificate based on the ESN or IP
address in the request packet and sends a response packet carrying the CA
certificate to the device. The response packet also carries the device ESN or
the IP address of the bootstrap server.

4. After receiving the response packet from the bootstrap server, the device terminates the HTTPS connection with the bootstrap server, parses the response packet, and verifies the validity of the certificate. If the verification fails, the device cannot obtain the CA certificate. In this case, the device attempts to obtain the CA certificate from the next bootstrap server. The device will keep doing so until it successfully obtains a CA certificate.

After successfully obtaining the CA certificate NCE-bootstrap.pem from the bootstrap server, the device automatically imports the certificate to the default domain.

Procedure
Step 1 Enter the system view.
system-view

Step 2 Configure an SSL policy and bind it to the default domain.
ssl policy policy-name
pki-domain default
quit

Step 3 Configure the device to download a CA certificate from the bootstrap server.
ztp certificate-remote { ipv4-addr | ipv6 ipv6-addr } [ vpn-instance vpnvalue ] port portvalue ssl-policy policyname [ verify-type esn ]

By default, the device is not configured to download a CA certificate from the bootstrap server.

When the verify-type esn parameter is specified, the certificate is authenticated based on the device ESN. That is, the request packet sent by the device to the bootstrap server for downloading the CA certificate carries the device ESN, and the device uses the ESN to verify the response packet from the bootstrap server.

When the verify-type esn parameter is not specified, the certificate is authenticated based on the IP address of the bootstrap server. That is, the request packet sent by the device to the bootstrap server carries the IP address of the bootstrap server, and the device uses that IP address to verify the response packet.

After NCE-bootstrap.pem is imported to the default domain, if another CA certificate needs to be downloaded from the bootstrap server, delete the original certificate from the default domain and run the ztp certificate-remote command again.

----End

6.6.11 Example for Configuring Intermediate File-based ZTP

Networking Requirements
In Figure 6-14, DeviceA and DeviceB are two devices with factory configurations
on the network, and both are connected to DeviceC, which functions as the egress
gateway of DeviceA and DeviceB. There are reachable routes between DeviceC
and the DHCP server, and between DeviceC and the file server.

The customer requires that DeviceA and DeviceB automatically load the system
software and configuration files after they are powered on to reduce labor costs
and device deployment time.
Table 6-15 lists information about DeviceA and DeviceB, and the files to be
loaded to them.

Table 6-15 Device information and files to be loaded

New Device   Device ESN             Files to Be Loaded
DeviceA      2102311LDL0000000806   ● System software: software_file.cc
                                    ● Configuration file: conf_file.cfg
DeviceB      2102311LDL0000000918   ● System software: software_file.cc
                                    ● Configuration file: conf_file.cfg

Figure 6-14 Network diagram of DHCP-based ZTP


NOTE

In this example, interface1, interface2, and interface3 represent 10GE1/0/1, 10GE1/0/2, and
10GE1/0/3, respectively.

Configuration Roadmap
The configuration roadmap is as follows:
1. Edit the intermediate file.
2. Configure the DHCP server.
3. Configure the DHCP relay agent.
4. Configure the file server.
5. Power on DeviceA and DeviceB to start the ZTP process.

Procedure
Step 1 Edit the intermediate file according to 6.6.4 Intermediate File in the Python
Format, and name the file ztp_script.py. For details about the file content, see
Configuration Scripts.
Step 2 Configure the DHCP server.
# Configure the IP address pool that the DHCP server uses to allocate IP addresses
to DeviceA and DeviceB and set DHCP options by referring to Table 6-16. In this
example, a Huawei device is used as the DHCP server.

Table 6-16 DHCP server options

Option      Description                                      Value
Option 1    Subnet mask of an IP address                     255.255.255.0
Option 3    Egress gateway of a DHCP client                  10.1.1.1
Option 67   File server address and intermediate file name   sftp://sftp_user:Hyx_Hy1234@10.1.3.2/ztp_script.py

<HUAWEI> system-view
[HUAWEI] sysname dhcp_server
[dhcp_server] dhcp enable
[dhcp_server] ip pool pool1
[dhcp_server-ip-pool-pool1] gateway-list 10.1.1.1
[dhcp_server-ip-pool-pool1] network 10.1.1.0 mask 255.255.255.0
[dhcp_server-ip-pool-pool1] option 67 cipher sftp://sftp_user:Hyx_Hy1234@10.1.3.2/ztp_script.py
[dhcp_server-ip-pool-pool1] quit
[dhcp_server] vlan batch 10
[dhcp_server] interface 10ge 1/0/3
[dhcp_server-10GE1/0/3] port link-type trunk
[dhcp_server-10GE1/0/3] port trunk allow-pass vlan 10
[dhcp_server-10GE1/0/3] quit
[dhcp_server] interface vlanif 10
[dhcp_server-Vlanif10] ip address 10.1.2.2 24
[dhcp_server-Vlanif10] quit

Step 3 Configure the DHCP relay agent.


# Configure the DHCP relay function on DeviceC. Set the IP address of the
interface connecting DeviceC to DeviceA and DeviceB to 10.1.1.1 to configure
DeviceC as the default gateway of DeviceA and DeviceB.
<HUAWEI> system-view
[HUAWEI] sysname DeviceC
[DeviceC] vlan batch 10
[DeviceC] interface 10ge 1/0/1
[DeviceC-10GE1/0/1] port link-type trunk
[DeviceC-10GE1/0/1] port trunk allow-pass vlan 10
[DeviceC-10GE1/0/1] port trunk pvid vlan 10
[DeviceC-10GE1/0/1] quit
[DeviceC] interface 10ge 1/0/2
[DeviceC-10GE1/0/2] port link-type trunk
[DeviceC-10GE1/0/2] port trunk allow-pass vlan 10
[DeviceC-10GE1/0/2] port trunk pvid vlan 10
[DeviceC-10GE1/0/2] quit
[DeviceC] interface vlanif 10
[DeviceC-Vlanif10] ip address 10.1.1.1 24
[DeviceC-Vlanif10] quit
[DeviceC] dhcp enable
[DeviceC] interface vlanif 10
[DeviceC-Vlanif10] dhcp select relay
[DeviceC-Vlanif10] dhcp relay server-ip 10.1.2.2

Step 4 Configure the file server.


# If a device is configured as the file server, files will occupy a significant amount
of device storage resources. To ensure the device performance, a third-party file
server is typically used on a ZTP network. For details about how to configure a
third-party file server, see the third-party server operation guide.
# After configuring the file server, save the system software, configuration files,
and intermediate files to be loaded to DeviceA and DeviceB in the D:\ztp directory.
Step 5 Power on DeviceA and DeviceB to start the ZTP process.

----End

Verifying the Configuration


The devices complete the ZTP process in about 15 minutes after they are powered
on. Log in to the devices and run the display startup command to check whether
the current system software and configuration files are the required ones. The
following shows the command output of DeviceA.
<DeviceA> display startup
MainBoard:
Configured startup system software: flash:/software_file.cc
Startup system software: flash:/software_file.cc
Next startup system software: flash:/software_file.cc
Startup saved-configuration file: flash:/conf_file.cfg
Next startup saved-configuration file: flash:/conf_file.cfg
Startup paf file: default
Next startup paf file: default
Startup patch package: NULL
Next startup patch package: NULL
Startup feature software: NULL
Next startup feature software: NULL

Configuration Scripts
● DeviceC
#
sysname DeviceC
#
vlan batch 10
#
dhcp enable
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.1.2.2
#
interface 10GE1/0/1
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10
#
interface 10GE1/0/2
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10
#
return

● DHCP server
#
sysname dhcp_server
#
dhcp enable
#
vlan batch 10
#
ip pool pool1
gateway-list 10.1.1.1
network 10.1.1.0 mask 255.255.255.0
option 67 cipher %+%#,nl-3C^(L"r2cE=]>Z[X2Xo+<e0-S;@s"#ReXBA(h>4\4h_@P']"!t4*26):0x31:fqp7Jz4FG'SYLo#%+%#
#
interface Vlanif10
ip address 10.1.2.2 255.255.255.0
#
interface 10GE1/0/3
port link-type trunk
port trunk pvid vlan 10
#
return

● Intermediate file
For details about the intermediate file, see 6.6.3 Intermediate File in the INI
Format and 6.6.4 Intermediate File in the Python Format.

6.6.12 Example for Configuring Option Parameter-based ZTP

Networking Requirements
In Figure 6-15, DeviceA and DeviceB are two devices with factory configurations
on the network, and both are connected to DeviceC, which functions as the egress
gateway of DeviceA and DeviceB. There are reachable routes between DeviceC
and the DHCP server, and between DeviceC and the file server.

The customer requires that DeviceA and DeviceB automatically load the system
software and configuration files after they are powered on to reduce labor costs
and device deployment time.

Table 6-17 lists information about DeviceA and DeviceB, and the files to be
loaded to them.

Table 6-17 Device information and files to be loaded

New Device   Device ESN             Files to Be Loaded
DeviceA      2102311LDL0000000806   ● System software: software_file.cc
                                    ● Configuration file: conf_file.cfg
DeviceB      2102311LDL0000000918   ● System software: software_file.cc
                                    ● Configuration file: conf_file.cfg

Figure 6-15 Network diagram of option parameter-based ZTP


NOTE

In this example, interface1, interface2, and interface3 represent 10GE1/0/1, 10GE1/0/2, and
10GE1/0/3, respectively.

Configuration Roadmap
The configuration roadmap is as follows:

1. Edit the masterkey.ini file.
2. Configure the DHCP server.
3. Configure the DHCP relay agent.
4. Configure the file server.
5. Power on DeviceA and DeviceB to start the ZTP process.

Procedure
Step 1 Edit the masterkey.ini file.
Create a text file, rename it masterkey.ini, and edit it as follows. This
example contains only the entry for saving the configuration file, whose
password is set to YsHsjx_202206:
[BEGIN]
EXPORTCFG=YsHsjx_202206
[END]

Step 2 Configure the DHCP server.

# Configure the IP address pool that the DHCP server uses to allocate IP addresses
to DeviceA and DeviceB and set DHCP options by referring to Table 6-18. In this
example, a Huawei device is used as the DHCP server.

Table 6-18 DHCP server options

Option       Description                                     Value
Option 1     Subnet mask of an IP address                    255.255.255.0
Option 3     Egress gateway of a DHCP client                 10.1.1.1
Option 67    File server address and deployment file name    sftp://sftp_user:Hyx_Hy1234@10.1.3.2/conf_file.cfg
Option 145   Deployment system software and masterkey file   ● The deployment system software is software_file.cc.
                                                             ● The masterkey file is masterkey.ini.

<HUAWEI> system-view
[HUAWEI] sysname dhcp_server
[dhcp_server] dhcp enable
[dhcp_server] ip pool pool1
[dhcp_server-ip-pool-pool1] gateway-list 10.1.1.1
[dhcp_server-ip-pool-pool1] network 10.1.1.0 mask 255.255.255.0
[dhcp_server-ip-pool-pool1] option 67 cipher sftp://sftp_user:Hyx_Hy1234@10.1.3.2/conf_file.cfg
[dhcp_server-ip-pool-pool1] option 145 ascii vrpfile=software_file.cc;masterfile=masterkey.ini;
[dhcp_server-ip-pool-pool1] quit
[dhcp_server] vlan batch 10
[dhcp_server] interface 10ge 1/0/3
[dhcp_server-10GE1/0/3] port link-type trunk
[dhcp_server-10GE1/0/3] port trunk allow-pass vlan 10
[dhcp_server-10GE1/0/3] quit
[dhcp_server] interface vlanif 10
[dhcp_server-Vlanif10] ip address 10.1.2.2 24
[dhcp_server-Vlanif10] quit

Step 3 Configure the DHCP relay agent.

# Configure the DHCP relay function on DeviceC. Set the IP address of the
interface connecting DeviceC to DeviceA and DeviceB to 10.1.1.1 to configure
DeviceC as the default gateway of DeviceA and DeviceB.
<HUAWEI> system-view
[HUAWEI] sysname DeviceC
[DeviceC] vlan batch 10
[DeviceC] interface 10ge 1/0/1
[DeviceC-10GE1/0/1] port link-type trunk
[DeviceC-10GE1/0/1] port trunk allow-pass vlan 10
[DeviceC-10GE1/0/1] port trunk pvid vlan 10
[DeviceC-10GE1/0/1] quit
[DeviceC] interface 10ge 1/0/2
[DeviceC-10GE1/0/2] port link-type trunk
[DeviceC-10GE1/0/2] port trunk allow-pass vlan 10
[DeviceC-10GE1/0/2] port trunk pvid vlan 10
[DeviceC-10GE1/0/2] quit
[DeviceC] interface vlanif 10
[DeviceC-Vlanif10] ip address 10.1.1.1 24
[DeviceC-Vlanif10] quit
[DeviceC] dhcp enable
[DeviceC] interface vlanif 10
[DeviceC-Vlanif10] dhcp select relay
[DeviceC-Vlanif10] dhcp relay server-ip 10.1.2.2

Step 4 Configure the file server.

# If a device is configured as the file server, files will occupy a significant amount
of device storage resources. To ensure the device performance, a third-party file
server is typically used on a ZTP network. For details about how to configure a
third-party file server, see the third-party server operation guide.
# After configuring the file server, save the system software, the configuration
file, and the masterkey.ini file to be loaded to DeviceA and DeviceB in the D:\ztp
directory.
Step 5 Power on DeviceA and DeviceB to start the ZTP process.

----End
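The Option 67 and Option 145 values configured in 6.6.11 and 6.6.12 (Tables 6-16 and 6-18) are plain strings that the device parses after the DHCP exchange. The Python helpers below are added here as an illustration and are not Huawei code; they build and parse both formats, and the function names are the author's own. One caveat worth keeping in mind: the cipher keyword on the DHCP server only encrypts the value in the stored configuration (see the Configuration Scripts below), while the DHCP offer itself carries the URL, SFTP password included, in cleartext, so the sftp_user account should have no rights beyond reading the deployment files.

```python
"""Added example, not Huawei code: encode and decode the two DHCP option
values from Tables 6-16 and 6-18: the Option 67 file URL with embedded SFTP
credentials and the Option 145 "key=value;" string. Helper names are the
author's own."""
from urllib.parse import quote, unquote, urlsplit


def build_option67(scheme, user, password, host, filename):
    """Percent-encode the credentials so that ':' '@' or '/' in a password
    cannot break the URL structure (the page's sample password needs none)."""
    return f"{scheme}://{quote(user, safe='')}:{quote(password, safe='')}@{host}/{filename}"


def parse_option67(value):
    """Split an Option 67 URL into its parts; credentials are percent-decoded."""
    p = urlsplit(value)
    if not p.scheme or not p.hostname or not p.path.strip("/"):
        raise ValueError(f"malformed Option 67 URL: {value!r}")
    return {
        "scheme": p.scheme,
        "user": unquote(p.username) if p.username else None,
        "password": unquote(p.password) if p.password else None,
        "host": p.hostname,
        "file": p.path.lstrip("/"),
    }


def build_option145(fields):
    """Produce 'vrpfile=...;masterfile=...;' with the trailing ';' used on the page."""
    for key, val in fields.items():
        if "=" in key or ";" in key or ";" in val:
            raise ValueError(f"illegal character in {key!r}={val!r}")
    return "".join(f"{key}={val};" for key, val in fields.items())


def parse_option145(value):
    """Parse 'k=v;k=v;' into a dict, ignoring the empty item after the last ';'."""
    fields = {}
    for item in value.split(";"):
        if not item.strip():
            continue
        key, sep, val = item.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed Option 145 item: {item!r}")
        fields[key.strip()] = val.strip()
    return fields


if __name__ == "__main__":
    url = build_option67("sftp", "sftp_user", "Hyx_Hy1234", "10.1.3.2", "conf_file.cfg")
    print(url)
    print(parse_option67(url))
    print(parse_option145("vrpfile=software_file.cc;masterfile=masterkey.ini;"))
```

build_option67 reproduces the exact string from Table 6-18 for the page's values, and the round trip through parse_option67 still returns the original password when it contains characters such as '@' or ':' that would otherwise be mistaken for URL delimiters.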

Verifying the Configuration


The devices complete the ZTP process in about 15 minutes after they are powered
on. Log in to the devices and run the display startup command to check whether
the current system software and configuration files are the required ones. The
following shows the command output of DeviceA.
<DeviceA> display startup
MainBoard:
Configured startup system software: flash:/software_file.cc
Startup system software: flash:/software_file.cc
Next startup system software: flash:/software_file.cc
Startup saved-configuration file: flash:/conf_file.cfg
Next startup saved-configuration file: flash:/conf_file.cfg
Startup paf file: default
Next startup paf file: default
Startup patch package: NULL
Next startup patch package: NULL
Startup feature software: NULL
Next startup feature software: NULL

Configuration Scripts
● DeviceC
#
sysname DeviceC
#
vlan batch 10
#
dhcp enable
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.1.2.2
#
interface 10GE1/0/1
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10
#
interface 10GE1/0/2
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10
#
return

● DHCP server
#
sysname dhcp_server
#
dhcp enable
#

vlan batch 10
#
ip pool pool1
gateway-list 10.1.1.1
network 10.1.1.0 mask 255.255.255.0
option 67 cipher %+%#,nl-3C^(L"r2cE=]>Z[X2Xo+<e0-S;@s"#ReXBA(h>4\4h_@P']"!t4*26):0x31:fqp7Jz4FG'SYLo#%+%#
option 145 ascii vrpfile=software_file.cc;masterfile=masterkey.ini;
#
interface Vlanif10
ip address 10.1.2.2 255.255.255.0
#
interface 10GE1/0/3
port link-type trunk
port trunk pvid vlan 10
#
return

6.6.13 Example for Configuring Bootstrap Server-based SZTP


Networking Requirements
In Figure 6-16, DeviceA and DeviceB are two devices with factory configurations
on the network, and both are connected to DeviceC, which functions as the egress
gateway of DeviceA and DeviceB. There are reachable routes between DeviceC
and the DHCP server, and between DeviceC and the file server.
The customer requires that DeviceA and DeviceB automatically load the system
software and configuration files after they are powered on.
Table 6-19 lists information about DeviceA and DeviceB, and the files to be
loaded to them.

Table 6-19 Device information and files to be loaded

New Device   Files to Be Loaded
DeviceA      ● System software: software_file.cc
             ● Configuration file: conf_file1.cfg
DeviceB      ● System software: software_file.cc
             ● Configuration file: conf_file2.cfg

Figure 6-16 Network diagram of SZTP


NOTE

In this example, interface1, interface2, and interface3 represent 10GE1/0/1, 10GE1/0/2, and
10GE1/0/3, respectively.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the DHCP server.
2. Configure the DHCP relay agent.
3. Configure the bootstrap server.
4. Configure the HTTPS deployment file server.
5. Power on DeviceA and DeviceB to start the SZTP process.

Procedure
Step 1 Configure the DHCP server.
# Configure the IP address pool that the DHCP server uses to allocate IP addresses
to DeviceA and DeviceB and set DHCP options by referring to Table 6-20. In this
example, a Huawei device is used as the DHCP server.

Table 6-20 DHCP server options

Option       Description                        Value
Option 1     Subnet mask of an IP address       255.255.255.0
Option 3     Egress gateway of a DHCP client    10.1.1.1
Option 143   IP address of a bootstrap server   10.1.4.2

<HUAWEI> system-view
[HUAWEI] sysname dhcp_server
[dhcp_server] dhcp enable
[dhcp_server] ip pool pool1
[dhcp_server-ip-pool-pool1] gateway-list 10.1.1.1
[dhcp_server-ip-pool-pool1] network 10.1.1.0 mask 255.255.255.0
[dhcp_server-ip-pool-pool1] option 143 hex 001268747470733a2f2f31302e312e342e323a31
[dhcp_server-ip-pool-pool1] quit
[dhcp_server] vlan batch 10
[dhcp_server] interface 10ge 1/0/3
[dhcp_server-10GE1/0/3] port link-type trunk
[dhcp_server-10GE1/0/3] port trunk allow-pass vlan 10
[dhcp_server-10GE1/0/3] quit
[dhcp_server] interface vlanif 10
[dhcp_server-Vlanif10] ip address 10.1.2.2 24
[dhcp_server-Vlanif10] quit

Step 2 Configure the DHCP relay agent.


# Configure the DHCP relay function on DeviceC. Set the IP address of the
interface connecting DeviceC to DeviceA and DeviceB to 10.1.1.1 to configure
DeviceC as the default gateway of DeviceA and DeviceB.
<HUAWEI> system-view
[HUAWEI] sysname DeviceC
[DeviceC] vlan batch 10

[DeviceC] interface 10ge 1/0/1


[DeviceC-10GE1/0/1] port link-type trunk
[DeviceC-10GE1/0/1] port trunk allow-pass vlan 10
[DeviceC-10GE1/0/1] port trunk pvid vlan 10
[DeviceC-10GE1/0/1] quit
[DeviceC] interface 10ge 1/0/2
[DeviceC-10GE1/0/2] port link-type trunk
[DeviceC-10GE1/0/2] port trunk allow-pass vlan 10
[DeviceC-10GE1/0/2] port trunk pvid vlan 10
[DeviceC-10GE1/0/2] quit
[DeviceC] interface vlanif 10
[DeviceC-Vlanif10] ip address 10.1.1.1 24
[DeviceC-Vlanif10] quit
[DeviceC] dhcp enable
[DeviceC] interface vlanif 10
[DeviceC-Vlanif10] dhcp select relay
[DeviceC-Vlanif10] dhcp relay server-ip 10.1.2.2

Step 3 Configure the bootstrap server.

# Huawei devices do not support the bootstrap server function. In the SZTP
networking, a third-party server needs to be deployed. For details about how to
configure a third-party server, see the third-party server operation guide.

# Huawei level-2 CA certificate, ownership voucher, and owner certificate need to
be built in the bootstrap server.

# On the bootstrap server, set the IP address of the HTTPS file server to 10.1.3.2,
and set the deployment files, configuration files, and their paths for DeviceA and
DeviceB.

Step 4 Configure the HTTPS deployment file server.

# Huawei devices do not support the HTTPS server function. In the SZTP
networking, a third-party server needs to be deployed. For details about how to
configure a third-party server, see the third-party server operation guide.

# After configuring the file server, save the deployment files and configuration
files to be loaded to devices to the paths specified on the bootstrap server.

Step 5 Power on DeviceA and DeviceB to start the SZTP process.

----End
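Table 6-20 describes Option 143 as the IP address of the bootstrap server, but the value in the option 143 hex command is a length-prefixed URI: decoding 001268747470733a2f2f31302e312e342e323a31 gives a two-byte length of 0x0012 (18) followed by https://10.1.4.2:1 (the port is kept exactly as the page gives it). This is the DHCPv4 OPTION_V4_SZTP_REDIRECT layout from RFC 8572: a list of bootstrap-server URIs, each preceded by a two-octet length. The Python below is an added example, not Huawei code, for producing the hex string for the command and for checking an existing value; it refuses truncated data and non-HTTPS URIs. Because DHCP itself is unauthenticated, the option only tells the device where to ask; the device's trust in what it then downloads comes from the ownership voucher and owner certificate that Step 3 requires on the bootstrap server, not from the DHCP option.

```python
"""Added example, not Huawei code: build and decode the DHCPv4 Option 143
value used in 6.6.13. Layout per RFC 8572 (OPTION_V4_SZTP_REDIRECT): a list
of bootstrap-server URIs, each preceded by a 2-octet big-endian length.
Function names are the author's own."""
import struct

MAX_OPTION_LEN = 255  # one DHCPv4 option; RFC 3396 long-option splitting is not handled


def encode_option143(uris):
    """Return the hex string for 'option 143 hex ...' on the DHCP server."""
    payload = b""
    for uri in uris:
        if not uri.startswith("https://"):
            raise ValueError(f"SZTP bootstrap URIs must use https: {uri!r}")
        raw = uri.encode("ascii")
        payload += struct.pack("!H", len(raw)) + raw
    if len(payload) > MAX_OPTION_LEN:
        raise ValueError(f"payload is {len(payload)} bytes, over {MAX_OPTION_LEN}")
    return payload.hex()


def decode_option143(hex_value):
    """Parse the hex value back into URIs; truncated or oversized entries raise."""
    data = bytes.fromhex(hex_value)
    uris, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated length field")
        (length,) = struct.unpack_from("!H", data, pos)
        pos += 2
        if pos + length > len(data):
            raise ValueError(f"URI length {length} exceeds the {len(data) - pos} bytes left")
        uris.append(data[pos:pos + length].decode("ascii"))
        pos += length
    return uris


PAGE_VALUE = "001268747470733a2f2f31302e312e342e323a31"  # value from the Step 1 commands

if __name__ == "__main__":
    print(decode_option143(PAGE_VALUE))  # ['https://10.1.4.2:1']
    print(encode_option143(["https://10.1.4.2:1", "https://10.1.4.3:443"]))
```

encode_option143 with the page's single URI reproduces the page's hex string byte for byte, and a second URI simply appends another length-prefixed entry.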

Verifying the Configuration


# The devices complete the SZTP process in about 15 minutes after they are
powered on. Log in to the devices and run the display startup command to check
whether the current system software and configuration files are the required ones.
The following shows the command output of DeviceA.
<DeviceA> display startup
MainBoard:
Configured startup system software: flash:/software_file.cc
Startup system software: flash:/software_file.cc
Next startup system software: flash:/software_file.cc
Startup saved-configuration file: flash:/conf_file1.cfg
Next startup saved-configuration file: flash:/conf_file1.cfg
Startup paf file: default
Next startup paf file: default
Startup patch package: NULL
Next startup patch package: NULL
Startup feature software: NULL
Next startup feature software: NULL

Configuration Scripts
● DeviceC
#
sysname DeviceC
#
vlan batch 10
#
dhcp enable
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.1.2.2
#
interface 10GE1/0/1
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10
#
interface 10GE1/0/2
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10
#
return

● DHCP server
#
sysname dhcp_server
#
dhcp enable
#
vlan batch 10
#
ip pool pool1
gateway-list 10.1.1.1
network 10.1.1.0 mask 255.255.255.0
option 143 hex 001268747470733a2f2f31302e312e342e323a31
#
interface Vlanif10
ip address 10.1.2.2 255.255.255.0
#
interface 10GE1/0/3
port link-type trunk
port trunk pvid vlan 10
#
return

6.7 Configuring USB-based Deployment

6.7.1 Understanding USB-based Deployment


NOTE

Only products with USB ports support USB-based deployment. For product hardware
information, see "Get to Know the Product" > "Hardware Description" in the corresponding
product documentation.

Fundamentals
Before initiating USB-based deployment, create an intermediate file named usb.ini
and save it to the root directory of the USB flash drive. Then save the deployment
files to be loaded to the directory specified in the usb.ini file. Insert the USB flash
drive into the device; the device will automatically load the deployment files based
on the usb.ini file.

Implementation Process
Figure 6-17 shows the implementation process of USB-based deployment.

Figure 6-17 Implementation process

The USB-based deployment implementation process involves the following steps:

1. Powering on the device and inserting the USB flash drive into the device
After the device is powered on and starts, it detects the USB flash drive. If the
device has no configuration file, it directly enters the USB-based deployment
process. If the device has a configuration file, it checks whether the USB-
based deployment function is enabled. A device with a configuration file can
enter the USB-based deployment process only when the function is enabled.
The device then checks whether the intermediate file usb.ini exists in the root
directory of the USB flash drive. If not, the deployment process exits.
2. Reading the intermediate file and obtaining deployment files
The device reads the usb.ini file in the root directory of the USB flash drive
and obtains deployment files from the directory specified in the usb.ini file.
If the device fails to read the intermediate file, the USB-based deployment
process exits. If no deployment file is obtained from the specified directory in
the USB flash drive, the USB-based deployment process ends due to the
exception.
3. Performing security check
– If the function of compressing deployment files with a password is
enabled in the intermediate file and the file also requires hash-based
message authentication code (HMAC) verification of the deployment files'
integrity, the device decompresses the deployment files and then performs
HMAC verification. The deployment process continues only after the
deployment files have been decompressed and verified successfully.
– If password-protected compression is enabled in the intermediate file
but HMAC verification is not required, the device only decompresses the
deployment files. The deployment process continues after the deployment
files have been decompressed successfully.
– If password-protected compression is not enabled in the intermediate
file and HMAC verification is required, the device directly performs HMAC
verification on the deployment files. The deployment process continues
after the deployment files have been verified successfully.
4. Deployment end
The device determines whether to activate a deployment file online or
whether to set a deployment file as the system startup file according to the
deployment file type, and then restarts to complete automatic deployment.

6.7.2 Preparing Deployment Files

Context
Before USB-based ZTP, you need to prepare the configuration file and
intermediate file. The configuration file can be copied from other devices, and the
intermediate file needs to be manually edited.

NOTE

To ensure security, you are advised to run the save shareable-configuration command to
export the configuration file and not advised to manually edit the configuration file.
Ensure that the configuration file for deployment contains the console password or an AAA
user name that can be used to log in to the device remotely. Otherwise, the configuration
file cannot be successfully set, causing a deployment failure.

Procedure
Step 1 Save the configuration file on the device that provides the configuration file.
save shareable-configuration configuration-file

Step 2 Export the configuration file from the device to the USB flash drive.
Step 3 Edit the intermediate file. Create a text file named usb.ini on the terminal, and
edit the intermediate file by referring to 6.7.3 Intermediate File for USB-based
Deployment.
Step 4 Copy the intermediate file usb.ini to the root directory of the USB flash drive.
NOTE

The file system format of a USB flash drive must be FAT32 or EXT4 and its interface must
be USB 2.0 compliant.

Step 5 Copy the configuration file to the directory specified by DIRECTORY in the usb.ini
file.

----End

6.7.3 Intermediate File for USB-based Deployment


Intermediate File for USB-based Deployment
The intermediate file is used to save information about the device and its
deployment files. The file name must be usb.ini, and the following is an example
of such a file. For details about the fields included in this file, see Table 6-21.
#sha256="676a306a0c22d46ed975633de9d05af4b1ebb94879ed1dd1d1e34de2a72c4e7e"
;BEGIN USB
[GLOBAL CONFIG]
*TIME_SN=20200526120159
*DEVICE_TYPE_NUM=1

[DEVICE_TYPE_1 DESCRIPTION]
DEVICE_TYPE=
ESN=
MAC=
VRPVER=
SPACE_CLEAR=1
DIRECTORY=
ACTIVE_DELAYTIME=10
ACTIVE_INTIME=
*FILETYPENUM=6
*FILENAME_1=software_file1.cc
*TYPE_1=SOFTWARE
*EFFECTIVE_MODE_1=1
ISBATCHPROCESS_1=0
SHA256_1=
HMAC_1=
COMPRESS_ENCRYTION_1=
*FILENAME_2=file1_cfg.zip
*TYPE_2=CFG
*EFFECTIVE_MODE_2=2
ISBATCHPROCESS_2=0
SHA256_2=
HMAC_2=
COMPRESS_ENCRYTION_2=1
*FILENAME_3=lic_file1.xml
*TYPE_3=LIC
*EFFECTIVE_MODE_3=1
ISBATCHPROCESS_3=0
SHA256_3=
HMAC_3=
COMPRESS_ENCRYTION_3=
*FILENAME_4=pat_file1.PAT
*TYPE_4=PAT
*EFFECTIVE_MODE_4=1
ISBATCHPROCESS_4=1
SHA256_4=d4b1670069a2b2b9fbe0eaaf872564c305783d438fc6a020ce8aa05f91053d5e
HMAC_4=
COMPRESS_ENCRYTION_4=
*FILENAME_5=pat_file2.MOD
*TYPE_5=PAT
*EFFECTIVE_MODE_5=0
ISBATCHPROCESS_5=0
SHA256_5=c7f70c5bd82a1ccb71eb3b6a837d8311594cba0ebf00f84bcccf2578fcf83698
HMAC_5=
*FILENAME_6=user_file1.log
*TYPE_6=USER
*EFFECTIVE_MODE_6=2
ISBATCHPROCESS_6=0
SHA256_6=
HMAC_6=
COMPRESS_ENCRYTION_6=

;END USB CONFIG
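The following Python is an added example, not Huawei code, showing how a script like the one above is produced and checked: the #sha256= header is computed over the script before the header line is added (as the NOTE for the sha256 field in Table 6-21 requires), each SHA256_n is checked against the file in DIRECTORY, the device is matched against DEVICE_TYPE/ESN/MAC, and the activation delay is computed from ACTIVE_DELAYTIME and ACTIVE_INTIME. The sample usb.ini and the file contents are constructed for the example. Two details the page does not state are assumed: the header is separated from the script by a single newline (the quotes around the digest are optional), and a description with neither ACTIVE_* field set activates immediately. HMAC_n is not checked because the page gives no key for it.

```python
"""Added example, not Huawei code: parse a usb.ini intermediate file (6.7.3),
verify its "#sha256=" header and the SHA256_n digests of the deployment
files, match the device against DEVICE_TYPE/ESN/MAC, and compute the
activation delay from ACTIVE_DELAYTIME/ACTIVE_INTIME (Table 6-21).
Assumed because the page does not say: the header is followed by a single
newline and may be quoted; a description with no ACTIVE_* value runs at once."""
import hashlib
from datetime import datetime, timedelta

SHA256_HEADER = "#sha256="
MAX_DELAY = 86400  # Table 6-21: ACTIVE_DELAYTIME above 86400 s is clamped

def split_header(text):
    """Return (expected digest or None, script body without the header line)."""
    first, _, rest = text.partition("\n")
    if first.startswith(SHA256_HEADER):
        return first[len(SHA256_HEADER):].strip().strip('"'), rest
    return None, text

def header_is_valid(text):
    """A missing header is allowed (the script still runs); a present header
    must equal the SHA256 of the script as it was before the line was added."""
    expected, body = split_header(text)
    return expected is None or hashlib.sha256(body.encode()).hexdigest() == expected.lower()

def add_header(body):
    """Hash the finished script, then prepend the #sha256= line."""
    return f'{SHA256_HEADER}"{hashlib.sha256(body.encode()).hexdigest()}"\n{body}'

def parse_sections(body):
    """[SECTION] blocks of key=value lines -> nested dicts. ';' lines are
    comments and the '*' that marks mandatory keys is dropped from the name."""
    sections, current = {}, None
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        else:
            key, _, value = line.partition("=")
            current[key.strip().lstrip("*")] = value.strip()
    return sections

def _unset(value):
    return value == "" or value.upper() == "DEFAULT"

def device_matches(desc, device_type, esn, mac):
    """Empty/DEFAULT selectors are not checked; any other value must match."""
    wanted = {"DEVICE_TYPE": device_type, "ESN": esn, "MAC": mac}
    return all(_unset(desc.get(k, "")) or desc[k] == v for k, v in wanted.items())

def verify_files(desc, read_file):
    """Check SHA256_n for each FILENAME_n; read_file(path) returns the bytes of
    a file on the USB drive. Result: {name: True | False | None (no digest)}."""
    directory = "" if _unset(desc.get("DIRECTORY", "")) else desc["DIRECTORY"].strip("/") + "/"
    results = {}
    for n in range(1, int(desc["FILETYPENUM"]) + 1):
        name, digest = desc[f"FILENAME_{n}"], desc.get(f"SHA256_{n}", "")
        if digest == "":
            results[name] = None
        else:
            results[name] = hashlib.sha256(read_file(directory + name)).hexdigest() == digest.lower()
    return results

def activation_delay(desc, now):
    """Seconds to wait. ACTIVE_DELAYTIME wins if set; otherwise ACTIVE_INTIME
    (HH:MM) targets the next occurrence of that wall-clock time, so 10:00 seen
    at 11:00 waits 23 h. `now` is a datetime or an ISO 8601 string."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    delay = desc.get("ACTIVE_DELAYTIME", "")
    if delay != "":
        return min(int(delay), MAX_DELAY)
    intime = desc.get("ACTIVE_INTIME", "")
    if intime == "":
        return 0
    hour, minute = (int(x) for x in intime.split(":"))
    target = now.replace(hour=hour, minute=minute, second=0, microsecond=0)
    if target < now:
        target += timedelta(days=1)
    return int((target - now).total_seconds())

# Constructed sample: a two-file usb.ini and the "USB drive" as a dict.
SAMPLE_FILES = {"ztp/software_file1.cc": b"fake image bytes", "ztp/file1_cfg.zip": b"fake zipped config"}
SAMPLE_BODY = (
    ";BEGIN USB\n[GLOBAL CONFIG]\n*TIME_SN=20200526120159\n*DEVICE_TYPE_NUM=1\n"
    "[DEVICE_TYPE_1 DESCRIPTION]\nDEVICE_TYPE=\nESN=2102311LDL0000000806\nMAC=\n"
    "DIRECTORY=ztp\nACTIVE_DELAYTIME=\nACTIVE_INTIME=10:00\n*FILETYPENUM=2\n"
    "*FILENAME_1=software_file1.cc\n*TYPE_1=SOFTWARE\n"
    f"SHA256_1={hashlib.sha256(SAMPLE_FILES['ztp/software_file1.cc']).hexdigest()}\n"
    "*FILENAME_2=file1_cfg.zip\n*TYPE_2=CFG\nSHA256_2=\n;END USB CONFIG\n")
SAMPLE_SCRIPT = add_header(SAMPLE_BODY)

if __name__ == "__main__":
    desc = parse_sections(split_header(SAMPLE_SCRIPT)[1])["DEVICE_TYPE_1 DESCRIPTION"]
    print(header_is_valid(SAMPLE_SCRIPT), device_matches(desc, "S6700", "2102311LDL0000000806", ""))
    print(verify_files(desc, SAMPLE_FILES.__getitem__), activation_delay(desc, "2020-05-26T11:00"))
```

verify_files returns None for a file whose SHA256_n is left empty, which makes it easy to spot deployment files that would be loaded without any integrity check; a tampered file with a digest present comes back False.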

Table 6-21 Fields in the intermediate file

sha256
  Mandatory: No
  Description: SHA256 verification code of the script, used to check the
  integrity of the script.
  NOTE
  Generate the SHA256 verification code over the script before the #sha256=
  field is added, and only then add #sha256= with the code at the beginning
  of the script. A script without an SHA256 verification code can still be
  executed.

;BEGIN USB
  Mandatory: Yes
  Description: Start flag of the file. This field cannot be modified.

[GLOBAL CONFIG]
  Mandatory: Yes
  Description: Start flag of the global configuration. This field cannot be
  modified.

TIME_SN
  Mandatory: Yes
  Description: Uniquely identifies a deployment in order to prevent repeated
  deployment. The value format is yyyymmddhhmmss. For example, 20200526120159
  indicates 12:01:59 on 2020-05-26.

DEVICE_TYPE_NUM
  Mandatory: Yes
  Description: Number of device types. The value 1 indicates that only one
  type of device can be deployed.

[DEVICE_TYPE_n DESCRIPTION]
  Mandatory: Yes
  Description: Start tag of the device description. n indicates the device
  number and is an integer starting from 1.

DEVICE_TYPE, ESN, MAC
  Mandatory: When DEVICE_TYPE_NUM is set to 1, DEVICE_TYPE, ESN, and MAC can
  all be set to DEFAULT or left empty. When DEVICE_TYPE_NUM is greater than
  1, exactly one of DEVICE_TYPE, ESN, and MAC must be specified.
  NOTE
  ● To upgrade devices in batches, set DEVICE_TYPE.
  ● To upgrade a single device, set the ESN or MAC address of the device.
  Description:
  ● DEVICE_TYPE: Device type. The value can be queried using the display
    version command; in the command output, S6700 in "Version xxx (S6700
    xxx)" is the value of DEVICE_TYPE. If this field is left empty or set to
    DEFAULT, the device type is not checked. The default value is DEFAULT.
  ● ESN: ESN of the device. Run the display device esn command to query
    the ESN. If this field is left empty or set to DEFAULT, the device does
    not check the value; otherwise the device checks whether the value is
    the same as its own ESN. The default value is DEFAULT.
  ● MAC: MAC address of the device in the XXXX-XXXX-XXXX format, where X
    is a hexadecimal digit. Run the display bridge mac-address command to
    query the MAC address. If this field is left empty or set to DEFAULT,
    the device does not check the value; otherwise the device checks
    whether the value is the same as its own MAC address. The default
    value is DEFAULT.

VRPVER
  Mandatory: No
  Description: System software version number. If the current system
  software version of the device is the same as the value specified here,
  the device does not download the system software from the deployment
  file server. If the current system software package is already the one
  required for deployment, you are advised to set this field.

SPACE_CLEAR
  Mandatory: No
  Description: Whether to automatically clean up the system storage space
  when space is insufficient. The value is of the enumerated type:
  ● 0: The system storage space is not cleaned up.
  ● 1: Only system software among the deployment files is deleted.
  ● 2: In-depth cleanup is performed. System software among the
    deployment files is deleted first; if the available space is still
    insufficient, unnecessary files are deleted.
  If this field is left empty or set to DEFAULT, the space is not cleaned
  up. The default value is DEFAULT.
  NOTE
  In-depth cleanup involves some inherent risks. Back up required files
  locally before performing in-depth cleanup.

DIRECTORY
  Mandatory: No
  Description: Relative directory of the deployment files on the file
  server (here, the USB flash drive). The maximum length of the path and
  file name is 110 characters. If this field is left empty or set to
  DEFAULT, deployment files are stored in the root directory. The default
  value is DEFAULT.
  NOTE
  The relative directory must start with a folder name and cannot start
  with a slash (/).

ACTIVE_DELAYTIME, ACTIVE_INTIME
  Mandatory: No
  NOTE
  If both ACTIVE_DELAYTIME and ACTIVE_INTIME are set, ACTIVE_DELAYTIME is
  preferentially used.
  Description:
  ● ACTIVE_DELAYTIME: Delay before deployment is performed. The value is
    an integer in the range 0 to 86400, in seconds. If the value is greater
    than 86400, 86400 is used.
  ● ACTIVE_INTIME: Scheduled time, within 24 hours, at which deployment is
    performed. The value format is HH:MM, where HH is the hour in 24-hour
    format and MM is the minute. For example, 20:10 indicates that the
    deployment will be performed at 20:10.
    NOTE
    If the configured time is earlier than the system time of the device,
    the deployment is delayed by the configured time plus 24 hours minus
    the current system time, that is, it runs at the next occurrence of
    the configured time. For example, if the configured time is 10:00 and
    the device system time is 11:00, the deployment is performed 23 hours
    later, at 10:00 the next day.

FILETYPENUM
  Mandatory: Yes
  Description: Number of deployment files to be loaded.
  NOTE
  The total number of deployment files must not exceed 9. The value of this
  field must be the same as the actual number of deployment files and the
  same as the largest n in FILENAME_n.
Issue 02 (2023-11-15) Copyright © Huawei Technologies Co., Ltd. 302


CloudEngine S3700, S5700, and S6700 Series
Switches
Configuration Guide - Basic Configuration 6 ZTP Configuration

Field Mandatory or Not Description

FILENAME_n Yes Name of a deployment


file, which can be the
system software,
configuration file, license
file, patch file, stack
configuration file, or
customized file.
The configuration file of
a stack is suffixed
with .bat, and the file
name contains 5 to 64
characters. The following
is an example of the
configuration file of a
stack.
#
stack
stack member 1 priority 150
stack member 1 domain 10
#
interface Stack-Port 1/1
port member-group interface
10ge1/0/1
#
interface Stack-Port 1/2
port member-group interface
10ge1/0/2
NOTE
You are advised to run the
save shareable-
configuration password
command without entering
a password to export a
configuration file.
If the length of a
deployment file name
exceeds the limit, it may
fail to be downloaded. The
length limits for different
deployment files are as
follows:
● System software: 4 to
100 characters
● Configuration file: 5 to
64 characters
● License file: 5 to 100
characters
● Patch file: 5 to 63
characters
● Customized file: 3 to 64
characters
● Stack configuration file:
5 to 64 characters

Issue 02 (2023-11-15) Copyright © Huawei Technologies Co., Ltd. 303


CloudEngine S3700, S5700, and S6700 Series
Switches
Configuration Guide - Basic Configuration 6 ZTP Configuration

Field Mandatory or Not Description

TYPE_n Yes Type of a deployment


file. The value is of the
enumerated type.
● SOFTWARE: system
software
● CFG: configuration file
● LIC: license file
● PAT: patch file
● USER: customized file
● SCRIPT: stack
configuration file

Issue 02 (2023-11-15) Copyright © Huawei Technologies Co., Ltd. 304


CloudEngine S3700, S5700, and S6700 Series
Switches
Configuration Guide - Basic Configuration 6 ZTP Configuration

Field Mandatory or Not Description

EFFECTIVE_MODE_n Yes Activation mode. The


value is of the
enumerated type.
● 0: effective upon
restart, which applies
to the system
software,
configuration file,
stack configuration
file, and patch file.
● 1: effective
immediately, which
applies to the license
file, stack
configuration file, and
patch file.
● 2: Activation is not
required, which
applies to the
customized file.
The default activation
mode of the system
software and
configuration file is 0.
The default activation
mode of the patch file,
stack configuration file,
and license file is 1.
The default activation
mode of the customized
file is 2.
If EFFECTIVE_MODE_n is
set to a value that is not
0, 1, or 2, the default
activation mode of each
type of file is used.

Issue 02 (2023-11-15) Copyright © Huawei Technologies Co., Ltd. 305


CloudEngine S3700, S5700, and S6700 Series
Switches
Configuration Guide - Basic Configuration 6 ZTP Configuration

Field Mandatory or Not Description

ISBATCHPROCESS_n No Whether to perform


batch processing for the
license list file. The value
is of the enumerated
type.
● 0: no
● 1: yes
If this field is left empty
or set to DEFAULT, batch
processing is not
performed. The default
value is DEFAULT.

Issue 02 (2023-11-15) Copyright © Huawei Technologies Co., Ltd. 306


CloudEngine S3700, S5700, and S6700 Series
Switches
Configuration Guide - Basic Configuration 6 ZTP Configuration

Field Mandatory or Not Description


NOTE
Devices can use the license
list file, which contains
mappings between licenses
and device ESNs, to
automatically load license
files. A device first
downloads the license list
file and then downloads
the corresponding license
file based on the mappings
to load it. The license list
file is in XML format and
its name must be
ztp_license_list. An
example of such a file is as
follows:
<?xml version="1.0"
encoding="UTF-8"
standalone="true"?>
-<Index formatVersion="1.0">
-<Lic
Esn="2102353UNW123456789
0">
<LSN>LIC202005183TCG5M</
LSN>
<name>LIC_file1.xml</name>
<sha256>eb75e8456b049e240
6fe61925499080a083bd91319
c50f59551cc3ea113a35f2</
sha256>
<hamc_sha256/>
<compress_encrytion/>
>
</Lic>
-<Lic
Esn="BARCODETEST20200620
">
<LSN>LIC202005183TCI50</
LSN>
<name>LIC_file2.dat</name>
<sha256>6a2690e7a08e3df84
4ba86e1f48dc3c504af3b760dd
0e38134771e1024fe1a5f</
sha256>
<hamc_sha256>6a2690e7a08e
3df844ba86e1f48dc3c504af3b
760dd0e3813477</
hamc_sha256>
<compress_encrytion>1</
compress_encrytion>
>
</Lic>
</Index>

Issue 02 (2023-11-15) Copyright © Huawei Technologies Co., Ltd. 307


CloudEngine S3700, S5700, and S6700 Series
Switches
Configuration Guide - Basic Configuration 6 ZTP Configuration

Field Mandatory or Not Description

SHA256_n No Verification code


NOTE corresponding to the
If neither SHA256 nor SHA256 encryption
HMAC is selected, the algorithm, which is used
device does not verify the to verify the integrity of
deployment file integrity.
a deployment file.
If either SHA256 or HMAC
is configured, the If this field is left empty,
configured one takes the deployment file
effect. integrity is not verified.
If both SHA256 and HMAC
HMAC_n are configured, only HMAC
Verification code
verification is performed. corresponding to the
HMAC_SHA256
encryption algorithm,
which is used to verify
the integrity of a
deployment file.
If this field is left empty,
the file integrity is not
verified.

COMPRESS_ENCRYTION_ No Whether to compress a


n deployment file.
The value can only be
empty or 1.
If the value is empty, the
deployment file is not
compressed. In this case,
the device does not need
to decompress the
deployment file.
If the value is 1, the
deployment file is
compressed with a
password. The device
needs to use the
password to decompress
the deployment file.

;END USB CONFIG Yes End flag of the file. This


field cannot be modified.
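The following parser is an added example and is not part of the Huawei documentation or device software. It reads a ztp_license_list file of the form shown in the ISBATCHPROCESS_n note, maps each Esn to its entry the way the device looks up its own ESN after downloading the list, and flags entries the device could not fetch or verify. The function names and the 64-hex-digit check are the example's own; the sample is the page's XML with the tree-view markers removed, without the XML declaration (a strict XML parser rejects standalone="true"), and with a constructed placeholder as the second entry's hamc_sha256 value.

```python
"""Parser for the ztp_license_list file (added example, not Huawei code).
It maps each Esn in the XML to its license entry, as the device does when it
downloads the list and looks up its own ESN, and flags entries that could not
be fetched or verified. Element names are spelled as in the file format."""
import re
import xml.etree.ElementTree as ET

HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")
# Constructed; the page's sample hamc_sha256 value is not a full 64-digit digest.
PLACEHOLDER_HMAC = "ab" * 32

# The page's example without the tree-view markers and without the XML
# declaration (a strict parser rejects standalone="true").
LICENSE_LIST = """<Index formatVersion="1.0">
<Lic Esn="2102353UNW1234567890">
<LSN>LIC202005183TCG5M</LSN>
<name>LIC_file1.xml</name>
<sha256>eb75e8456b049e2406fe61925499080a083bd91319c50f59551cc3ea113a35f2</sha256>
<hamc_sha256/>
<compress_encrytion/>
</Lic>
<Lic Esn="BARCODETEST20200620">
<LSN>LIC202005183TCI50</LSN>
<name>LIC_file2.dat</name>
<sha256>6a2690e7a08e3df844ba86e1f48dc3c504af3b760dd0e38134771e1024fe1a5f</sha256>
<hamc_sha256>{hmac}</hamc_sha256>
<compress_encrytion>1</compress_encrytion>
</Lic>
</Index>
""".format(hmac=PLACEHOLDER_HMAC)


def _text(elem, tag):
    """Text of child <tag>; '' when the element is absent or empty."""
    return (elem.findtext(tag) or "").strip()


def parse_license_list(xml_text):
    """Return {esn: entry} for every <Lic> under the <Index> root."""
    root = ET.fromstring(xml_text)
    if root.tag != "Index":
        raise ValueError("root element must be Index, got " + root.tag)
    entries = {}
    for lic in root.findall("Lic"):
        entries[lic.get("Esn", "")] = {
            "lsn": _text(lic, "LSN"),
            "name": _text(lic, "name"),
            "sha256": _text(lic, "sha256"),
            "hmac_sha256": _text(lic, "hamc_sha256"),
            "compressed": _text(lic, "compress_encrytion") == "1",
        }
    return entries


def check_entry(esn, entry):
    """Problems that would stop the device from fetching or verifying the file."""
    problems = []
    if not esn:
        problems.append("Lic without an Esn attribute")
    if not 5 <= len(entry["name"]) <= 100:   # LIC file name limit from FILENAME_n
        problems.append("license file name must be 5 to 100 characters")
    for field in ("sha256", "hmac_sha256"):
        if entry[field] and not HEX64.match(entry[field]):
            problems.append(field + " is not a 64-character hexadecimal digest")
    return problems


def license_for_device(entries, device_esn):
    """Entry the device would select for its own ESN; None when none is listed."""
    return entries.get(device_esn)
```

Run check_entry() over every entry before publishing the list on the file server; an entry that fails here would fail on the device only after the download, which is harder to diagnose.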

6.7.4 (Optional) Configuring Deployment File Security Verification

Context
To ensure the security of deployment files, you can encrypt and compress the files
and configure HMAC key-based integrity verification.

● Setting a password for decompressing a deployment file
– Before a deployment file is copied to the USB flash drive, you can
compress the deployment file into a .zip package based on a specified
password.
NOTE
Deployment files can only be encrypted and compressed on Huawei devices.
The .zip package name must be in the name_nametype.zip format, where name
is the name of the file extracted from the package, and nametype is the type of
the extracted file.
Each deployment file is compressed into a separate .zip file, and one .zip file can
contain only one deployment file.
– During USB-based deployment, the device downloads the deployment
files and uses the preset password to decompress them.
● Configuring an HMAC key for deployment file integrity verification
– Before copying a deployment file to the USB flash drive, you can calculate
a hash value for the deployment file based on the configured HMAC key
and write it to the HMAC field in the intermediate file usb.ini. You can
use the openssl dgst tool to obtain the hash value.
– During USB-based deployment, the device downloads the deployment file
and uses the configured HMAC key to calculate the hash value of the
deployment file.
– The device compares the calculated hash value with that of the HMAC
field in the usb.ini file. If the two values are the same, HMAC-based
integrity verification succeeds. Otherwise, the verification fails.
NOTE
To compress a deployment file and configure HMAC key-based verification, you must
calculate the hash value for the file and compress the deployment file with a password.

Procedure
Step 1 Enter the system view.
system-view

Step 2 Set a password for decompressing a deployment file.
ztp usb-deployment file-compress password [ filepasswordval ]

By default, no decompression password is configured for a deployment file. The
password must be the same as that used to compress the deployment file.

NOTE

If the weak password dictionary maintenance function is enabled, the passwords defined in
the weak password dictionary cannot be used. To view these passwords, run the display
security weak-password-dictionary command.

Step 3 Configure an HMAC key for deployment file integrity verification.
ztp usb-deployment file-integrity password [ hmacpasswordval ]

By default, no HMAC key is configured for deployment file integrity verification.
The key must be the same as the HMAC key used to calculate the hash value of
the deployment file.

NOTE

If the weak password dictionary maintenance function is enabled, the passwords defined in
the weak password dictionary cannot be used. To view these passwords, run the display
security weak-password-dictionary command.

----End
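As an added example that is not code from Huawei or from this guide, the script below computes on the staging workstation the SHA256_n and HMAC_n values for a deployment file, the same digests that openssl dgst -sha256 FILE and openssl dgst -sha256 -hmac KEY FILE print, and replays the device-side decision described in the SHA256_n and HMAC_n rows of the field table: HMAC takes precedence when both fields are filled, and an empty field disables the check. The key, the file contents and the function names are constructed for the demonstration; the key on the device is assumed to be the one configured with ztp usb-deployment file-integrity password in Step 3.

```python
"""SHA256_n / HMAC_n values for a deployment file (added example, not Huawei
code). Computed on the staging host, they are the digests that
'openssl dgst -sha256 FILE' and 'openssl dgst -sha256 -hmac KEY FILE' print.
verify_like_device() replays the decision from the SHA256_n/HMAC_n rows:
HMAC takes precedence when both are set, an empty field disables the check."""
import hashlib
import hmac


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def hmac_sha256_hex(key, data):
    return hmac.new(key.encode(), data, hashlib.sha256).hexdigest()


def usb_ini_integrity_fields(n, data, hmac_key=None):
    """SHA256_n / HMAC_n values to paste into usb.ini for deployment file n.
    With an HMAC key only HMAC_n is filled: the device ignores SHA256_n
    whenever HMAC_n is present, so a second field would only mislead."""
    if hmac_key:
        return {"SHA256_%d" % n: "", "HMAC_%d" % n: hmac_sha256_hex(hmac_key, data)}
    return {"SHA256_%d" % n: sha256_hex(data), "HMAC_%d" % n: ""}


def verify_like_device(data, sha256_field, hmac_field, device_hmac_key=None):
    """(ok, method). Comparisons are constant-time. An HMAC_n value without a
    key configured on the device is treated as a failure here; the page only
    states that the two keys must match (assumption)."""
    if hmac_field:
        if device_hmac_key is None:
            return False, "HMAC"
        calc = hmac_sha256_hex(device_hmac_key, data)
        return hmac.compare_digest(calc, hmac_field.lower()), "HMAC"
    if sha256_field:
        return hmac.compare_digest(sha256_hex(data), sha256_field.lower()), "SHA256"
    return True, "none"  # neither field set: integrity is not verified


# Constructed inputs for the demonstration.
SAMPLE_FILE = b"constructed contents of conf_file1.cfg\n"
SAMPLE_KEY = "Example-HMAC-Key-1"  # later given to ztp usb-deployment file-integrity password

if __name__ == "__main__":
    fields = usb_ini_integrity_fields(2, SAMPLE_FILE, SAMPLE_KEY)
    for key, value in fields.items():
        print("%s=%s" % (key, value))
    print(verify_like_device(SAMPLE_FILE, fields["SHA256_2"], fields["HMAC_2"], SAMPLE_KEY))
```

Compute the digest over the exact bytes that will be placed on the USB flash drive; if the file is also compressed with a password, compute it over whichever form the device verifies, since any later change to the bytes invalidates the value in usb.ini.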

6.7.5 Starting USB-based Deployment

Context
USB-based deployment is classified into deployment for devices that start with
factory configurations and deployment for devices with non-factory
configurations. If the device starts with factory configurations, the USB-based
deployment function is enabled on the device. In this case, you do not need to
perform the following operations. To enable the USB-based deployment function
when a configuration file exists, perform the following operations first.

Procedure
Step 1 Enter the system view.
system-view

Step 2 (Optional) Enable the ZTP function on the device. By default, a device
automatically starts the ZTP process after it is powered on and starts with factory
configurations. You can disable the ZTP function on a device. If you log in to a
device through the console port and disable the ZTP function when the device
starts with factory configurations, the ZTP process is terminated. To enable the
device to execute the ZTP process when it starts with factory configurations next
time, you need to enable the ZTP function.
set ztp enable

NOTE

This command does not take effect for USB-based deployment on a device with non-
factory configurations.

By default, the ZTP function is enabled on a device. To disable a device from
running the ZTP process upon startup with factory configurations, run the set ztp
disable command on the device.
Step 3 Enable the USB-based deployment function for a device with a non-factory
configuration file.
ztp usb-deployment enable

By default, the USB-based deployment function is not enabled for a device with a
non-factory configuration file.

NOTE

This command takes effect only when a USB flash drive is installed on the device that has a
configuration file.

Step 4 Restart the device with factory configurations.
reboot fast

----End

6.7.6 Verifying USB-based Deployment

Context
When using a USB flash drive for deployment, you can observe the USB indicator
to determine the progress of USB-based deployment.

● Steady green: USB-based deployment succeeds. If there is no deployment
configuration file, deployment will be repeatedly performed. In this case, the
indicator is also steady green.
● Blinking green: USB-based deployment is in progress.
● Steady red: USB-based deployment fails.
● Off: No USB flash drive is installed, or the indicator fails.

Procedure
Step 1 A device completes the USB-based deployment process within about 15
minutes after it is powered on. You can then log in to the device to check whether
the startup files are the required ones.
display startup

----End

Follow-up Procedure
If deployment fails, analyze USB logs on the device to determine the cause. ZTP-
related logs are saved in the ztp_YearMonthHourMinuteSecond.log file in the
flash:/ directory and in the ztp_esn_YearMonthHourMinuteSecond.log file in the
root directory of the USB flash drive.

NOTE

You can run the display device esn command to obtain the ESN of a device.

6.7.7 (Optional) Configuring the Device to Download a CA Certificate from the
Bootstrap Server

Prerequisites
The device has been deployed.

Context
If the device needs to be managed by the iMaster NCE-Campus controller and no
certificate is preconfigured for it, you need to import the CA certificate trusted by
the controller to the device.
The bootstrap server stores the CA certificate trusted by the controller. Currently,
iMaster NCE-Campus integrates the function of the bootstrap server. The device
needs to download the CA certificate NCE-bootstrap.pem from the bootstrap
server and import the certificate to the default domain.
A maximum of 10 bootstrap servers can be configured for the device. The
bootstrap servers with the same IP address and VPN instance name are considered
as one bootstrap server. The interaction process between the device and bootstrap
server is as follows:
1. The device proactively establishes an HTTPS connection with a bootstrap
server.
2. The device sends a request packet to the bootstrap server to download a CA
certificate. The request packet carries the device ESN or the IP address of the
bootstrap server.
3. The bootstrap server searches for the CA certificate based on the ESN or IP
address in the request packet and sends a response packet carrying the CA
certificate to the device. The response packet also carries the device ESN or
the IP address of the bootstrap server.
4. After receiving the response packet from the bootstrap server, the device
terminates the HTTPS connection with the bootstrap server, parses the
response packet, and verifies the validity of the certificate. If the verification
fails, the device cannot obtain the CA certificate. In this case, the device
attempts to obtain the CA certificate from the next bootstrap server. The
device will keep doing so until it successfully obtains a CA certificate.
After successfully obtaining the CA certificate NCE-bootstrap.pem from the
bootstrap server, the device automatically imports the certificate to the default
domain.

Procedure
Step 1 Enter the system view.
system-view

Step 2 Configure an SSL policy and bind it to the default domain.
ssl policy policy-name
pki-domain default
quit

Step 3 Configure the device to download a CA certificate from the bootstrap server.
ztp certificate-remote { ipv4-addr | ipv6 ipv6-addr } [ vpn-instance vpnvalue ] port portvalue ssl-policy policyname [ verify-type esn ]

By default, the device is not configured to download a CA certificate from the
bootstrap server.

When the verify-type esn parameter is specified, a certificate is authenticated
based on the device ESN. That is, the request packet sent by the device to the
bootstrap server for downloading the CA certificate carries the device ESN. When
parsing the response packet from the bootstrap server, the device uses the ESN for
verification.

When the verify-type esn parameter is not specified, a certificate is authenticated
based on the IP address of the bootstrap server. That is, the request packet sent by
the device to the bootstrap server for downloading the CA certificate carries the IP
address of the bootstrap server. When parsing the response packet from the
bootstrap server, the device uses the IP address for verification.

After NCE-bootstrap.pem is imported to the default domain, if another CA
certificate needs to be downloaded from the bootstrap server, delete the original
certificate from the default domain and run the ztp certificate-remote command
again.

----End

6.7.8 Example for Configuring USB-based Deployment

Networking Requirements
A new network needs to be deployed. DeviceA and DeviceB are two devices
without a configuration file, and the customer requires that they automatically
load system software and configuration files after they are powered on to reduce
labor costs and deployment time. Table 6-22 lists device information and files to
be loaded to DeviceA and DeviceB.

Table 6-22 Device information and files to be loaded

New Device: DeviceA
Device ESN: 2102311LDL0000000806
Files to Be Loaded:
● System software: software_file.cc
● Configuration file: conf_file1.cfg

New Device: DeviceB
Device ESN: 2102311LDL0000000918
Files to Be Loaded:
● System software: software_file.cc
● Configuration file: conf_file2.cfg

Configuration Roadmap
The configuration roadmap is as follows:

1. Edit the intermediate file usb.ini to enable the devices to obtain their system
software and configuration files according to the intermediate file.
2. Save the usb.ini file to the root directory of the USB flash drive and system
software and configuration files to the USB flash drive path specified in the
intermediate file.
3. Insert the USB flash drive into the devices and power them on.

Procedure
Step 1 Edit the intermediate file usb.ini according to the file format requirements in 6.7.3
Intermediate File for USB-based Deployment. The file format is as follows:
;BEGIN USB
[GLOBAL CONFIG]
*TIME_SN=20200526120159
*DEVICE_TYPE_NUM=2

[DEVICE_TYPE_1 DESCRIPTION]
DEVICE_TYPE=
ESN=2102311LDL0000000806
MAC=
VRPVER=
SPACE_CLEAR=1
DIRECTORY=
ACTIVE_DELAYTIME=10
ACTIVE_INTIME=
*FILETYPENUM=2
*FILENAME_1=software_file.cc
*TYPE_1=SOFTWARE
*EFFECTIVE_MODE_1=0
ISBATCHPROCESS_1=0
SHA256_1=
HMAC_1=
COMPRESS_ENCRYTION_1=
*FILENAME_2=conf_file1.cfg
*TYPE_2=CFG
*EFFECTIVE_MODE_2=0
ISBATCHPROCESS_2=0
SHA256_2=
HMAC_2=
COMPRESS_ENCRYTION_2=

[DEVICE_TYPE_2 DESCRIPTION]
DEVICE_TYPE=
ESN=2102311LDL0000000918
MAC=
VRPVER=
SPACE_CLEAR=1
DIRECTORY=
ACTIVE_DELAYTIME=10
ACTIVE_INTIME=
*FILETYPENUM=2
*FILENAME_1=software_file.cc
*TYPE_1=SOFTWARE
*EFFECTIVE_MODE_1=0
ISBATCHPROCESS_1=0
SHA256_1=
HMAC_1=
COMPRESS_ENCRYTION_1=
*FILENAME_2=conf_file2.cfg
*TYPE_2=CFG
*EFFECTIVE_MODE_2=0
ISBATCHPROCESS_2=0
SHA256_2=
HMAC_2=
COMPRESS_ENCRYTION_2=
;END USB CONFIG

Step 2 Save the usb.ini file to the root directory of the USB flash drive and system
software and configuration files to the USB flash drive path specified in the
intermediate file.
Step 3 Insert the USB flash drive into DeviceA and power on the device.
Step 4 After DeviceA completes automatic deployment, remove the USB flash drive and
insert it into DeviceB. Then power on DeviceB to start automatic deployment.

----End
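As an added example that is not part of the Huawei documentation or software, the checker below parses a usb.ini in the layout of the file in Step 1 and applies the field rules from 6.7.3 Intermediate File for USB-based Deployment before the file goes onto the USB flash drive: the FILETYPENUM count against the FILENAME_n entries, the per-type file name length limits, the MAC format, the DIRECTORY slash rule, ACTIVE_DELAYTIME clamping and ACTIVE_INTIME roll-over, the EFFECTIVE_MODE_n fallback to the per-type default, and the allowed COMPRESS_ENCRYTION_n values. The function names are the example's own, and the sample usb.ini is constructed with deliberate mistakes so that the checks have something to report.

```python
"""Consistency checker for the usb.ini intermediate file (added example, not
Huawei code). It parses a usb.ini in the layout of the 6.7.8 example and applies
the rules from the field table in 6.7.3 before the file is copied to the USB
flash drive. The sample at the bottom is constructed and contains mistakes."""
import re

# (min, max) file name length per TYPE_n, from the FILENAME_n row.
NAME_LIMITS = {"SOFTWARE": (4, 100), "CFG": (5, 64), "LIC": (5, 100),
               "PAT": (5, 63), "USER": (3, 64), "SCRIPT": (5, 64)}
# Default activation mode per TYPE_n, from the EFFECTIVE_MODE_n row.
DEFAULT_MODE = {"SOFTWARE": "0", "CFG": "0", "PAT": "1",
                "SCRIPT": "1", "LIC": "1", "USER": "2"}
MAC_RE = re.compile(r"^([0-9A-Fa-f]{4}-){2}[0-9A-Fa-f]{4}$")


def parse_usb_ini(text):
    """{section: {key: value}}; '*' marks a mandatory key, ';' lines are flags."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif current is None:
            raise ValueError("key outside a section: " + line)
        else:
            key, _, value = line.partition("=")
            sections[current][key.lstrip("*").strip()] = value.strip()
    return sections


def is_unset(value):
    return value in ("", "DEFAULT")  # empty or DEFAULT: not checked / default used


def effective_mode(sec, n):
    """Mode the device uses: anything but 0, 1, 2 falls back to the type default."""
    mode = sec.get("EFFECTIVE_MODE_%d" % n, "")
    return mode if mode in ("0", "1", "2") else DEFAULT_MODE[sec["TYPE_%d" % n]]


def activation_delay(sec, now_hhmm):
    """Seconds until activation: ACTIVE_DELAYTIME (clamped to 86400) wins over
    ACTIVE_INTIME; a time earlier than now rolls over to the next day."""
    delay = sec.get("ACTIVE_DELAYTIME", "")
    if not is_unset(delay):
        return min(int(delay), 86400)
    intime = sec.get("ACTIVE_INTIME", "")
    if is_unset(intime):
        return None
    h, m = (int(x) for x in intime.split(":"))
    nh, nm = (int(x) for x in now_hhmm.split(":"))
    return ((h * 60 + m) - (nh * 60 + nm)) % 1440 * 60


def check_device_section(sec):
    """Rule violations found in one [DEVICE_TYPE_n DESCRIPTION] section."""
    errors = []
    mac = sec.get("MAC", "")
    if not is_unset(mac) and not MAC_RE.match(mac):
        errors.append("MAC must be in XXXX-XXXX-XXXX hexadecimal format")
    if not is_unset(sec.get("DIRECTORY", "")) and sec["DIRECTORY"].startswith("/"):
        errors.append("DIRECTORY must start with a folder name, not a slash")
    try:
        count = int(sec["FILETYPENUM"])
    except (KeyError, ValueError):
        return errors + ["FILETYPENUM is mandatory and must be an integer"]
    names = [k for k in sec if re.fullmatch(r"FILENAME_\d+", k)]
    if count != len(names):
        errors.append("FILETYPENUM=%d but %d FILENAME_n entries" % (count, len(names)))
    for n in range(1, count + 1):
        name, ftype = sec.get("FILENAME_%d" % n, ""), sec.get("TYPE_%d" % n, "")
        if ftype not in NAME_LIMITS:
            errors.append("TYPE_%d must be SOFTWARE, CFG, LIC, PAT, USER or SCRIPT" % n)
            continue
        lo, hi = NAME_LIMITS[ftype]
        if not lo <= len(name) <= hi:
            errors.append("FILENAME_%d must be %d to %d characters for %s" % (n, lo, hi, ftype))
        if sec.get("COMPRESS_ENCRYTION_%d" % n, "") not in ("", "1"):
            errors.append("COMPRESS_ENCRYTION_%d must be empty or 1" % n)
    return errors


# Constructed sample in the 6.7.8 layout; DIRECTORY, FILETYPENUM,
# EFFECTIVE_MODE_2 and COMPRESS_ENCRYTION_2 are deliberately wrong.
SAMPLE_USB_INI = """\
;BEGIN USB
[DEVICE_TYPE_1 DESCRIPTION]
ESN=2102311LDL0000000806
DIRECTORY=/images
ACTIVE_DELAYTIME=90000
*FILETYPENUM=3
*FILENAME_1=software_file.cc
*TYPE_1=SOFTWARE
*FILENAME_2=conf_file1.cfg
*TYPE_2=CFG
*EFFECTIVE_MODE_2=9
COMPRESS_ENCRYTION_2=2
;END USB CONFIG
"""
```

Run check_device_section() on every [DEVICE_TYPE_n DESCRIPTION] section; activation_delay() also shows why a value of 90000 seconds is silently treated as 86400 and why a scheduled time that has already passed on the device clock is applied the next day.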

Verifying the Configuration
# The devices complete the USB-based deployment process within about 15
minutes after they are powered on. Log in to the devices and run the display
startup command to check whether the current system software and
configuration files are the required ones. The following shows the command
output of DeviceA.
<DeviceA> display startup
MainBoard:
Configured startup system software: flash:/software_file.cc
Startup system software: flash:/software_file.cc
Next startup system software: flash:/software_file.cc
Startup saved-configuration file: flash:/conf_file1.cfg
Next startup saved-configuration file: flash:/conf_file1.cfg
Startup paf file: default
Next startup paf file: default
Startup patch package: NULL
Next startup patch package: NULL
Startup feature software: NULL
Next startup feature software: NULL

Configuration Scripts
N/A

7 File System Management Configuration

NOTE
● When downloading files to a device or performing other file-related operations on a
device, ensure that the power supply of the device is working properly. Otherwise, the
downloaded files or the file system may be damaged, further damaging the storage
medium or causing the device startup to fail.

7.1 Overview of the File System
7.2 Configuration Precautions for File System Management
7.3 File System Management Modes Supported by the Device
7.4 Managing Files Locally
7.5 Managing Files Using FTP
7.6 Managing Files Using SFTP
7.7 Managing Files Using SCP
7.8 Managing Files Using TFTP
7.9 Troubleshooting File System Management Errors

7.1 Overview of the File System

File System
The file system manages files and directories in storage media. It allows users to
create, delete, and modify files and directories, as well as view the contents of
files.

Storage Medium
The device supports the flash memory and USB flash drive.

File Naming Rules
A file name must be a string of 1 to 255 case-sensitive characters without spaces.
The file name formats are as follows:
● File name
The file name format is filename. If a file name is in this format, the file is in
the current working directory.
● Path + File name
The file name format is drive/path/filename, which uniquely identifies a file in
a specified path.
drive indicates the storage medium in the device. For example, if the flash
memory is specified for storage, replace drive with flash:.
Besides, path indicates the path where a file is stored. The path name is case-sensitive
and cannot contain spaces or the following special characters: ~ * / \ : ' "
The path can be an absolute path or a relative path: A path that contains the
root directory (specified by drive) is an absolute path. A relative path can be
designated relative to either the root directory or the current working
directory. A relative path beginning with a slash (/) is a path relative to the
root directory.
– The path flash:/my/test/ is an absolute path.
– The path /selftest/ is a path relative to the root directory and indicates
the selftest directory in the root directory.
– The path selftest/ is a path relative to the current working directory and
indicates the selftest directory in the current working directory.
For example, in the dir flash:/my/test/mytest.txt command, the path
flash:/my/test/ is an absolute path.
If a path relative to the root directory is used, the command becomes
dir /my/test/mytest.txt.
If a path relative to the current working directory such as flash:/my/ is used,
the command becomes dir test/mytest.txt.
NOTE
● In file operation commands, a file name is specified by filename.
● In file operation commands, a directory is specified by directory in the format of
drive/path.
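As an added example that is not part of this guide, the helper below applies the naming rules above: resolve_path() turns a name given relative to the current working directory, relative to the root directory (leading slash), or as an absolute path into the drive/path/filename form, and path_problems() checks each component against the length and character rules. The drive pattern (any name ending in a colon) and all function names are the example's own assumptions; the page itself only names flash: as a storage medium.

```python
"""File name resolution under the naming rules above (added example, not
Huawei code). resolve_path() turns a name given relative to the working
directory, relative to the root directory, or as an absolute path into the
drive/path/filename form; path_problems() applies the length and character
rules. Any drive name ending in ':' is accepted (assumption; the page names
flash: as its example)."""
import re

FORBIDDEN = set('~*/\\:\'"')               # characters a path name may not contain
DRIVE_RE = re.compile(r"^[A-Za-z0-9_]+:")   # storage medium prefix such as flash:


def valid_filename(name):
    """A file name is 1 to 255 case-sensitive characters without spaces."""
    return 1 <= len(name) <= 255 and " " not in name


def valid_directory_name(name):
    """One path component: non-empty, no spaces, none of ~ * / \\ : ' \"."""
    return bool(name) and " " not in name and not (set(name) & FORBIDDEN)


def resolve_path(cwd, target):
    """Absolute drive/path/filename for target. cwd is the current working
    directory and must itself be absolute, e.g. 'flash:/my/'."""
    m = DRIVE_RE.match(cwd)
    if not m:
        raise ValueError("cwd must be absolute: " + cwd)
    if DRIVE_RE.match(target):             # flash:/my/test/mytest.txt
        return target
    if target.startswith("/"):             # /my/test/mytest.txt: relative to the root
        return m.group(0) + target
    return cwd.rstrip("/") + "/" + target  # test/mytest.txt: relative to cwd


def split_path(absolute):
    """(drive, directory components, file name) of an absolute path."""
    m = DRIVE_RE.match(absolute)
    if not m:
        raise ValueError("not an absolute path: " + absolute)
    parts = absolute[m.end():].lstrip("/").split("/")
    return m.group(0), parts[:-1], parts[-1]


def path_problems(absolute):
    """Components of an absolute path that break the naming rules."""
    _, dirs, name = split_path(absolute)
    bad = [d for d in dirs if not valid_directory_name(d)]
    if not valid_filename(name):
        bad.append(name)
    return bad
```

The three resolve_path() cases correspond to the three dir command forms in the text: dir flash:/my/test/mytest.txt, dir /my/test/mytest.txt and, from the working directory flash:/my/, dir test/mytest.txt.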

File List Information
You can run the dir command to view the file list of the system.
<HUAWEI> dir
Directory of flash:/

Idx Attr Size(Byte) Date Time FileName
0 dr-x - Nov 11 2019 20:16:35 $_checkpoint
1 dr-x - Nov 06 2019 15:51:57 $_install_mod
2 dr-x - Oct 12 2019 18:12:15 $_license
3 dr-x - Oct 12 2019 18:12:26 $_security_info
4 dr-x - Nov 11 2019 20:16:31 $_startup
5 dr-x - Nov 11 2019 20:15:06 $_system
6 -rw- 14,940 Nov 11 2019 17:56:29 SPH001.PAT
7 -rw- 572,847,476 Oct 21 2019 15:21:23 software.cc
8 -rw- 34,505 Nov 11 2019 20:01:07 device.sys
9 drwx - Nov 11 2019 21:01:39 logfile

2,994,228 KB total (801,664 KB free)

Table 7-1 describes the file list information displayed using the dir command.

Table 7-1 Description of file list information

$_checkpoint: Directory where configuration rollback point information is saved
$_install_mod: Directory where dynamic module packages are saved
$_license: Directory where activated license files are backed up
$_security_info: Directory where historical information about AAA users is saved
$_startup: Directory where the startup configuration file is saved
$_system: Linux system-predefined directory where system scripts are saved
*.pat/*.PAT: Patch file
*.cc: Software version file
device.sys: System hardware configuration file
logfile: Log file

7.2 Configuration Precautions for File System Management
Licensing Requirements
File System Management is not under license control.

Hardware Requirements

Table 7-2 Hardware requirements

Series: S5735-L-V2 series
Models: S5735-L10T4X-A-V2/S5735-L10T4X-TA-V2/S5735-L16T4S-A-V2/S5735-L16T4X-QA-V2/S5735-L24P4S-A-V2/S5735-L24P4XE-A-V2/S5735-L24P4XE-TA-V2/S5735-L24T4S-A-V2/S5735-L24T4X-QA-V2/S5735-L24T4XE-A-V2/S5735-L24T4XE-D-V2/S5735-L48LP4S-A-V2/S5735-L48LP4XE-A-V2/S5735-L48P4XE-A-V2/S5735-L48T4S-A-V2/S5735-L48T4XE-A-V2/S5735-L48T4XE-TA-V2/S5735-L48T4XE-D-V2/S5735-L8P2T4X-A-V2/S5735-L8P2T4X-TA-V2/S5735-L8P4S-A-V2/S5735-L8P4X-QA-V2/S5735-L8T4S-A-V2/S5735-L8T4X-QA-V2

Series: S5735-S-V2 series
Models: S5735-S24P4XE-V2/S5735-S24T4XE-V2/S5735-S24U4XE-V2/S5735-S48P4XE-V2/S5735-S48T4XE-V2/S5735-S48U4XE-V2

Series: S5735I-L-V2 series
Models: S5735I-L10T4X-A-V2/S5735I-L8P4X-A-V2

Series: S3710-H series
Models: S3710-H24P4S-A/S3710-H24T4S-A/S3710-H48LP4S-A/S3710-H48T4S-A

Series: S5732-H-V2 series
Models: S5732-H24S4X6QZ-TV2/S5732-H24S4X6QZ-V2/S5732-H24UM4Y2CZ-TV2/S5732-H24UM4Y2CZ-V2/S5732-H44S4X6QZ-TV2/S5732-H44S4X6QZ-V2/S5732-H48UM4Y2CZ-TV2/S5732-H48UM4Y2CZ-V2

Series: S5735I-S-V2 series
Models: S5735I-S24T4XE-V2/S5735I-S24T4XE-T-V2/S5735I-S24U4XE-V2/S5735I-S24U4XE-T-V2/S5735I-S8T4SN-V2/S5735I-S8T4XN-T-V2/S5735I-S8T4XN-V2/S5735I-S8U4XN-V2

Series: S6730-H-V2 series
Models: S6730-H24X6C-TV2/S6730-H24X6C-V2/S6730-H28X6CZ-TV2/S6730-H28X6CZ-V2/S6730-H48X6C-TV2/S6730-H48X6C-V2/S6730-H48X6CZ-TV2/S6730-H48X6CZ-V2/S6730-H48Y6C-TV2/S6730-H48Y6C-V2

Feature Requirements

Table 7-3 Feature requirements

Feature Requirements: For security purposes, FTP is not recommended. By default,
the device provides the weak security algorithm/protocol feature package WEAKEA.
If you need to use the weak security algorithm/protocol feature package WEAKEA,
run the install feature-software WEAKEA command to install it.
Series: S5735-S-V2 series, S5735-L-V2 series, S3710-H series, S5735I-L-V2 series,
S5732-H-V2 series, S5735I-S-V2 series, S6730-H-V2 series
Models:
S5735-S24P4XE-V2/S5735-S24T4XE-V2/S5735-S24U4XE-V2/S5735-S48P4XE-V2/S5735-S48T4XE-V2/S5735-S48U4XE-V2
S5735-L10T4X-A-V2/S5735-L10T4X-TA-V2/S5735-L16T4S-A-V2/S5735-L16T4X-QA-V2/S5735-L24P4S-A-V2/S5735-L24P4XE-A-V2/S5735-L24P4XE-TA-V2/S5735-L24T4S-A-V2/S5735-L24T4X-QA-V2/S5735-L24T4XE-A-V2/S5735-L24T4XE-D-V2/S5735-L48LP4S-A-V2/S5735-L48LP4XE-A-V2/S5735-L48P4XE-A-V2/S5735-L48T4S-A-V2/S5735-L48T4XE-A-V2/S5735-L48T4XE-TA-V2/S5735-L48T4XE-D-V2/S5735-L8P2T4X-A-V2/S5735-L8P2T4X-TA-V2/S5735-L8P4S-A-V2/S5735-L8P4X-QA-V2/S5735-L8T4S-A-V2/S5735-L8T4X-QA-V2
S3710-H24P4S-A/S3710-H24T4S-A/S3710-H48LP4S-A/S3710-H48T4S-A
S5735I-L10T4X-A-V2/S5735I-L8P4X-A-V2
S5732-H24S4X6QZ-TV2/S5732-H24S4X6QZ-V2/S5732-H24UM4Y2CZ-TV2/S5732-H24UM4Y2CZ-V2/S5732-H44S4X6QZ-TV2/S5732-H44S4X6QZ-V2/S5732-H48UM4Y2CZ-TV2/S5732-H48UM4Y2CZ-V2
S5735I-S24T4XE-V2/S5735I-S24T4XE-T-V2/S5735I-S24U4XE-V2/S5735I-S24U4XE-T-V2/S5735I-S8T4SN-V2/S5735I-S8T4XN-T-V2/S5735I-S8T4XN-V2/S5735I-S8U4XN-V2
S6730-H24X6C-TV2/S6730-H24X6C-V2/S6730-H28X6CZ-TV2/S6730-H28X6CZ-V2/S6730-H48X6C-TV2/S6730-H48X6C-V2/S6730-H48X6CZ-TV2/S6730-H48X6CZ-V2/S6730-H48Y6C-TV2/S6730-H48Y6C-V2

TFTP is not recommended for security S5735-S- S5735-S24P4XE-


purposes. By default, the device provides the V2 series V2/S5735-
weak security algorithm/protocol feature S5735-L- S24T4XE-V2/
package WEAKEA. If you need to use the weak V2 series S5735-S24U4XE-
security algorithm/protocol feature package V2/S5735-
WEAKEA, run the install feature-software S3710-H S48P4XE-V2/
WEAKEA command to install it. series S5735-S48T4XE-
S5735I-L- V2/S5735-
V2 series S48U4XE-V2
S5732-H- S5735-L10T4X-A-
V2 series V2/S5735-
S5735I-S- L10T4X-TA-V2/
V2 series S5735-L16T4S-A-
V2/S5735-
S6730-H- L16T4X-QA-V2/
V2 series S5735-L24P4S-A-
V2/S5735-
L24P4XE-A-V2/
S5735-L24P4XE-
TA-V2/S5735-
L24T4S-A-V2/
S5735-L24T4X-
QA-V2/S5735-
L24T4XE-A-V2/
S5735-L24T4XE-
D-V2/S5735-
L48LP4S-A-V2/
S5735-L48LP4XE-
A-V2/S5735-
L48P4XE-A-V2/
S5735-L48T4S-A-
V2/S5735-
L48T4XE-A-V2/
S5735-L48T4XE-
TA-V2/S5735-
L48T4XE-D-V2/
S5735-L8P2T4X-
A-V2/S5735-
L8P2T4X-TA-V2/
S5735-L8P4S-A-
V2/S5735-L8P4X-
QA-V2/S5735-
L8T4S-A-V2/
S5735-L8T4X-QA-
V2
S3710-H24P4S-A/
S3710-H24T4S-A/
S3710-H48LP4S-
A/S3710-H48T4S-
A

Issue 02 (2023-11-15) Copyright © Huawei Technologies Co., Ltd. 323


CloudEngine S3700, S5700, and S6700 Series
Switches
Configuration Guide - Basic Configuration 7 File System Management Configuration

Feature Requirements Series Models

S5735I-L10T4X-A-
V2/S5735I-L8P4X-
A-V2
S5732-
H24S4X6QZ-TV2/
S5732-
H24S4X6QZ-V2/
S5732-
H24UM4Y2CZ-
TV2/S5732-
H24UM4Y2CZ-V2/
S5732-
H44S4X6QZ-TV2/
S5732-
H44S4X6QZ-V2/
S5732-
H48UM4Y2CZ-
TV2/S5732-
H48UM4Y2CZ-V2
S5735I-S24T4XE-
V2/S5735I-
S24T4XE-T-V2/
S5735I-S24U4XE-
V2/S5735I-
S24U4XE-T-V2/
S5735I-S8T4SN-
V2/S5735I-
S8T4XN-T-V2/
S5735I-S8T4XN-
V2/S5735I-
S8U4XN-V2
S6730-H24X6C-
TV2/S6730-
H24X6C-V2/
S6730-H28X6CZ-
TV2/S6730-
H28X6CZ-V2/
S6730-H48X6C-
TV2/S6730-
H48X6C-V2/
S6730-H48X6CZ-
TV2/S6730-
H48X6CZ-V2/
S6730-H48Y6C-
TV2/S6730-
H48Y6C-V2

Feature Requirements: For details about the types and specifications of storage media, see "Technical Specifications" in the Hardware Description.
Series: S5735-S-V2 series, S5735-L-V2 series, S3710-H series, S5735I-L-V2 series, S5732-H-V2 series, S5735I-S-V2 series, S6730-H-V2 series
Models:
  S5735-S24P4XE-V2/S5735-S24T4XE-V2/S5735-S24U4XE-V2/S5735-S48P4XE-V2/S5735-S48T4XE-V2/S5735-S48U4XE-V2
  S5735-L10T4X-A-V2/S5735-L10T4X-TA-V2/S5735-L16T4S-A-V2/S5735-L16T4X-QA-V2/S5735-L24P4S-A-V2/S5735-L24P4XE-A-V2/S5735-L24P4XE-TA-V2/S5735-L24T4S-A-V2/S5735-L24T4X-QA-V2/S5735-L24T4XE-A-V2/S5735-L24T4XE-D-V2/S5735-L48LP4S-A-V2/S5735-L48LP4XE-A-V2/S5735-L48P4XE-A-V2/S5735-L48T4S-A-V2/S5735-L48T4XE-A-V2/S5735-L48T4XE-TA-V2/S5735-L48T4XE-D-V2/S5735-L8P2T4X-A-V2/S5735-L8P2T4X-TA-V2/S5735-L8P4S-A-V2/S5735-L8P4X-QA-V2/S5735-L8T4S-A-V2/S5735-L8T4X-QA-V2
  S3710-H24P4S-A/S3710-H24T4S-A/S3710-H48LP4S-A/S3710-H48T4S-A
  S5735I-L10T4X-A-V2/S5735I-L8P4X-A-V2
  S5732-H24S4X6QZ-TV2/S5732-H24S4X6QZ-V2/S5732-H24UM4Y2CZ-TV2/S5732-H24UM4Y2CZ-V2/S5732-H44S4X6QZ-TV2/S5732-H44S4X6QZ-V2/S5732-H48UM4Y2CZ-TV2/S5732-H48UM4Y2CZ-V2
  S5735I-S24T4XE-V2/S5735I-S24T4XE-T-V2/S5735I-S24U4XE-V2/S5735I-S24U4XE-T-V2/S5735I-S8T4SN-V2/S5735I-S8T4XN-T-V2/S5735I-S8T4XN-V2/S5735I-S8U4XN-V2
  S6730-H24X6C-TV2/S6730-H24X6C-V2/S6730-H28X6CZ-TV2/S6730-H28X6CZ-V2/S6730-H48X6C-TV2/S6730-H48X6C-V2/S6730-H48X6CZ-TV2/S6730-H48X6CZ-V2/S6730-H48Y6C-TV2/S6730-H48Y6C-V2

Feature Requirements: A file whose size is greater than or equal to 4 GB is not supported. For example, the file size cannot be correctly displayed in the dir command output.
Series: S5735-S-V2 series, S5735-L-V2 series, S3710-H series, S5735I-L-V2 series, S5732-H-V2 series, S5735I-S-V2 series, S6730-H-V2 series
Models:
  S5735-S24P4XE-V2/S5735-S24T4XE-V2/S5735-S24U4XE-V2/S5735-S48P4XE-V2/S5735-S48T4XE-V2/S5735-S48U4XE-V2
  S5735-L10T4X-A-V2/S5735-L10T4X-TA-V2/S5735-L16T4S-A-V2/S5735-L16T4X-QA-V2/S5735-L24P4S-A-V2/S5735-L24P4XE-A-V2/S5735-L24P4XE-TA-V2/S5735-L24T4S-A-V2/S5735-L24T4X-QA-V2/S5735-L24T4XE-A-V2/S5735-L24T4XE-D-V2/S5735-L48LP4S-A-V2/S5735-L48LP4XE-A-V2/S5735-L48P4XE-A-V2/S5735-L48T4S-A-V2/S5735-L48T4XE-A-V2/S5735-L48T4XE-TA-V2/S5735-L48T4XE-D-V2/S5735-L8P2T4X-A-V2/S5735-L8P2T4X-TA-V2/S5735-L8P4S-A-V2/S5735-L8P4X-QA-V2/S5735-L8T4S-A-V2/S5735-L8T4X-QA-V2
  S3710-H24P4S-A/S3710-H24T4S-A/S3710-H48LP4S-A/S3710-H48T4S-A
  S5735I-L10T4X-A-V2/S5735I-L8P4X-A-V2
  S5732-H24S4X6QZ-TV2/S5732-H24S4X6QZ-V2/S5732-H24UM4Y2CZ-TV2/S5732-H24UM4Y2CZ-V2/S5732-H44S4X6QZ-TV2/S5732-H44S4X6QZ-V2/S5732-H48UM4Y2CZ-TV2/S5732-H48UM4Y2CZ-V2
  S5735I-S24T4XE-V2/S5735I-S24T4XE-T-V2/S5735I-S24U4XE-V2/S5735I-S24U4XE-T-V2/S5735I-S8T4SN-V2/S5735I-S8T4XN-T-V2/S5735I-S8T4XN-V2/S5735I-S8U4XN-V2
  S6730-H24X6C-TV2/S6730-H24X6C-V2/S6730-H28X6CZ-TV2/S6730-H28X6CZ-V2/S6730-H48X6C-TV2/S6730-H48X6C-V2/S6730-H48X6CZ-TV2/S6730-H48X6CZ-V2/S6730-H48Y6C-TV2/S6730-H48Y6C-V2

Feature Requirements: The available storage space of a file system is less than the maximum size of the physical storage. You can run the dir command to check the available space.
Series: S5735-S-V2 series, S5735-L-V2 series, S3710-H series, S5735I-L-V2 series, S5732-H-V2 series, S5735I-S-V2 series, S6730-H-V2 series
Models:
  S5735-S24P4XE-V2/S5735-S24T4XE-V2/S5735-S24U4XE-V2/S5735-S48P4XE-V2/S5735-S48T4XE-V2/S5735-S48U4XE-V2
  S5735-L10T4X-A-V2/S5735-L10T4X-TA-V2/S5735-L16T4S-A-V2/S5735-L16T4X-QA-V2/S5735-L24P4S-A-V2/S5735-L24P4XE-A-V2/S5735-L24P4XE-TA-V2/S5735-L24T4S-A-V2/S5735-L24T4X-QA-V2/S5735-L24T4XE-A-V2/S5735-L24T4XE-D-V2/S5735-L48LP4S-A-V2/S5735-L48LP4XE-A-V2/S5735-L48P4XE-A-V2/S5735-L48T4S-A-V2/S5735-L48T4XE-A-V2/S5735-L48T4XE-TA-V2/S5735-L48T4XE-D-V2/S5735-L8P2T4X-A-V2/S5735-L8P2T4X-TA-V2/S5735-L8P4S-A-V2/S5735-L8P4X-QA-V2/S5735-L8T4S-A-V2/S5735-L8T4X-QA-V2
  S3710-H24P4S-A/S3710-H24T4S-A/S3710-H48LP4S-A/S3710-H48T4S-A
  S5735I-L10T4X-A-V2/S5735I-L8P4X-A-V2
  S5732-H24S4X6QZ-TV2/S5732-H24S4X6QZ-V2/S5732-H24UM4Y2CZ-TV2/S5732-H24UM4Y2CZ-V2/S5732-H44S4X6QZ-TV2/S5732-H44S4X6QZ-V2/S5732-H48UM4Y2CZ-TV2/S5732-H48UM4Y2CZ-V2
  S5735I-S24T4XE-V2/S5735I-S24T4XE-T-V2/S5735I-S24U4XE-V2/S5735I-S24U4XE-T-V2/S5735I-S8T4SN-V2/S5735I-S8T4XN-T-V2/S5735I-S8T4XN-V2/S5735I-S8U4XN-V2
  S6730-H24X6C-TV2/S6730-H24X6C-V2/S6730-H28X6CZ-TV2/S6730-H28X6CZ-V2/S6730-H48X6C-TV2/S6730-H48X6C-V2/S6730-H48X6CZ-TV2/S6730-H48X6CZ-V2/S6730-H48Y6C-TV2/S6730-H48Y6C-V2

Feature Requirements: SCP cannot interwork with the WinSCP tool.
Series: S5735-S-V2 series, S5735-L-V2 series, S3710-H series, S5735I-L-V2 series, S5732-H-V2 series, S5735I-S-V2 series, S6730-H-V2 series
Models:
  S5735-S24P4XE-V2/S5735-S24T4XE-V2/S5735-S24U4XE-V2/S5735-S48P4XE-V2/S5735-S48T4XE-V2/S5735-S48U4XE-V2
  S5735-L10T4X-A-V2/S5735-L10T4X-TA-V2/S5735-L16T4S-A-V2/S5735-L16T4X-QA-V2/S5735-L24P4S-A-V2/S5735-L24P4XE-A-V2/S5735-L24P4XE-TA-V2/S5735-L24T4S-A-V2/S5735-L24T4X-QA-V2/S5735-L24T4XE-A-V2/S5735-L24T4XE-D-V2/S5735-L48LP4S-A-V2/S5735-L48LP4XE-A-V2/S5735-L48P4XE-A-V2/S5735-L48T4S-A-V2/S5735-L48T4XE-A-V2/S5735-L48T4XE-TA-V2/S5735-L48T4XE-D-V2/S5735-L8P2T4X-A-V2/S5735-L8P2T4X-TA-V2/S5735-L8P4S-A-V2/S5735-L8P4X-QA-V2/S5735-L8T4S-A-V2/S5735-L8T4X-QA-V2
  S3710-H24P4S-A/S3710-H24T4S-A/S3710-H48LP4S-A/S3710-H48T4S-A
  S5735I-L10T4X-A-V2/S5735I-L8P4X-A-V2
  S5732-H24S4X6QZ-TV2/S5732-H24S4X6QZ-V2/S5732-H24UM4Y2CZ-TV2/S5732-H24UM4Y2CZ-V2/S5732-H44S4X6QZ-TV2/S5732-H44S4X6QZ-V2/S5732-H48UM4Y2CZ-TV2/S5732-H48UM4Y2CZ-V2
  S5735I-S24T4XE-V2/S5735I-S24T4XE-T-V2/S5735I-S24U4XE-V2/S5735I-S24U4XE-T-V2/S5735I-S8T4SN-V2/S5735I-S8T4XN-T-V2/S5735I-S8T4XN-V2/S5735I-S8U4XN-V2
  S6730-H24X6C-TV2/S6730-H24X6C-V2/S6730-H28X6CZ-TV2/S6730-H28X6CZ-V2/S6730-H48X6C-TV2/S6730-H48X6C-V2/S6730-H48X6CZ-TV2/S6730-H48X6CZ-V2/S6730-H48Y6C-TV2/S6730-H48Y6C-V2

Feature Requirements: The total length of the directory and file name in the file system cannot exceed 128 characters. The directory can contain 1 to 128 characters, and the file name can contain 1 to 128 characters. After a directory with the maximum length is created, files cannot be stored in the directory. After a file with the maximum length is created, files cannot be stored in subdirectories.
Series: S5735-S-V2 series, S5735-L-V2 series, S3710-H series, S5735I-L-V2 series, S5732-H-V2 series, S5735I-S-V2 series, S6730-H-V2 series
Models:
  S5735-S24P4XE-V2/S5735-S24T4XE-V2/S5735-S24U4XE-V2/S5735-S48P4XE-V2/S5735-S48T4XE-V2/S5735-S48U4XE-V2
  S5735-L10T4X-A-V2/S5735-L10T4X-TA-V2/S5735-L16T4S-A-V2/S5735-L16T4X-QA-V2/S5735-L24P4S-A-V2/S5735-L24P4XE-A-V2/S5735-L24P4XE-TA-V2/S5735-L24T4S-A-V2/S5735-L24T4X-QA-V2/S5735-L24T4XE-A-V2/S5735-L24T4XE-D-V2/S5735-L48LP4S-A-V2/S5735-L48LP4XE-A-V2/S5735-L48P4XE-A-V2/S5735-L48T4S-A-V2/S5735-L48T4XE-A-V2/S5735-L48T4XE-TA-V2/S5735-L48T4XE-D-V2/S5735-L8P2T4X-A-V2/S5735-L8P2T4X-TA-V2/S5735-L8P4S-A-V2/S5735-L8P4X-QA-V2/S5735-L8T4S-A-V2/S5735-L8T4X-QA-V2
  S3710-H24P4S-A/S3710-H24T4S-A/S3710-H48LP4S-A/S3710-H48T4S-A
  S5735I-L10T4X-A-V2/S5735I-L8P4X-A-V2
  S5732-H24S4X6QZ-TV2/S5732-H24S4X6QZ-V2/S5732-H24UM4Y2CZ-TV2/S5732-H24UM4Y2CZ-V2/S5732-H44S4X6QZ-TV2/S5732-H44S4X6QZ-V2/S5732-H48UM4Y2CZ-TV2/S5732-H48UM4Y2CZ-V2
  S5735I-S24T4XE-V2/S5735I-S24T4XE-T-V2/S5735I-S24U4XE-V2/S5735I-S24U4XE-T-V2/S5735I-S8T4SN-V2/S5735I-S8T4XN-T-V2/S5735I-S8T4XN-V2/S5735I-S8U4XN-V2
  S6730-H24X6C-TV2/S6730-H24X6C-V2/S6730-H28X6CZ-TV2/S6730-H28X6CZ-V2/S6730-H48X6C-TV2/S6730-H48X6C-V2/S6730-H48X6CZ-TV2/S6730-H48X6CZ-V2/S6730-H48Y6C-TV2/S6730-H48Y6C-V2

Feature Requirements: The file name is case-sensitive.
Series: S5735-S-V2 series, S5735-L-V2 series, S3710-H series, S5735I-L-V2 series, S5732-H-V2 series, S5735I-S-V2 series, S6730-H-V2 series
Models:
  S5735-S24P4XE-V2/S5735-S24T4XE-V2/S5735-S24U4XE-V2/S5735-S48P4XE-V2/S5735-S48T4XE-V2/S5735-S48U4XE-V2
  S5735-L10T4X-A-V2/S5735-L10T4X-TA-V2/S5735-L16T4S-A-V2/S5735-L16T4X-QA-V2/S5735-L24P4S-A-V2/S5735-L24P4XE-A-V2/S5735-L24P4XE-TA-V2/S5735-L24T4S-A-V2/S5735-L24T4X-QA-V2/S5735-L24T4XE-A-V2/S5735-L24T4XE-D-V2/S5735-L48LP4S-A-V2/S5735-L48LP4XE-A-V2/S5735-L48P4XE-A-V2/S5735-L48T4S-A-V2/S5735-L48T4XE-A-V2/S5735-L48T4XE-TA-V2/S5735-L48T4XE-D-V2/S5735-L8P2T4X-A-V2/S5735-L8P2T4X-TA-V2/S5735-L8P4S-A-V2/S5735-L8P4X-QA-V2/S5735-L8T4S-A-V2/S5735-L8T4X-QA-V2
  S3710-H24P4S-A/S3710-H24T4S-A/S3710-H48LP4S-A/S3710-H48T4S-A
  S5735I-L10T4X-A-V2/S5735I-L8P4X-A-V2
  S5732-H24S4X6QZ-TV2/S5732-H24S4X6QZ-V2/S5732-H24UM4Y2CZ-TV2/S5732-H24UM4Y2CZ-V2/S5732-H44S4X6QZ-TV2/S5732-H44S4X6QZ-V2/S5732-H48UM4Y2CZ-TV2/S5732-H48UM4Y2CZ-V2
  S5735I-S24T4XE-V2/S5735I-S24T4XE-T-V2/S5735I-S24U4XE-V2/S5735I-S24U4XE-T-V2/S5735I-S8T4SN-V2/S5735I-S8T4XN-T-V2/S5735I-S8T4XN-V2/S5735I-S8U4XN-V2
  S6730-H24X6C-TV2/S6730-H24X6C-V2/S6730-H28X6CZ-TV2/S6730-H28X6CZ-V2/S6730-H48X6C-TV2/S6730-H48X6C-V2/S6730-H48X6CZ-TV2/S6730-H48X6CZ-V2/S6730-H48Y6C-TV2/S6730-H48Y6C-V2


7.3 File System Management Modes Supported by the Device
During file management, a device may work as either a server or a client with the
following functions:
● If the device works as a server, you can access the device using a terminal.
● If the device works as a client, you can use the device to access another
device that works as a server.
In TFTP mode, the device can function only as a client. In SFTP, FTP, and SCP
modes, the device can function as both a server and a client.
Based on whether files are uploaded or downloaded when a connection to the
device is being set up, the transfer protocols may work in the following modes:
● One-click mode: You can upload and download files when the connection is
being set up.
● Interactive mode: After the server is connected, you can perform operations
on directories and files on the server and view the help of commands on the
client.
There are advantages and disadvantages to each file system management mode,
making them applicable to varying scenarios. Details are provided in Table 7-4.
You can select an appropriate mode based on your specific requirements.

Table 7-4 File system management modes

Local
  Application Scenario: This mode applies to the scenario of managing storage media, directories, and files after device login through the console port, Telnet, or STelnet.
  Advantage: This mode facilitates storage medium, directory, and file management, and improves management efficiency.
  Disadvantage: Only files on the logged-in device can be managed. File transfer is not supported.

FTP
  Application Scenario: This mode applies to the file transfer scenario with low network security requirements, and is widely used in version upgrade.
  Advantage:
  ● FTP is easy to configure and supports file transfer and file directory operations.
  ● FTP supports file transfer between two file systems.
  ● The authorization and authentication functions are provided.
  Disadvantage: Data is transmitted in plain text, resulting in potential security risks. The interactive mode is supported.

TFTP
  Application Scenario: On a lab local area network (LAN), you can perform online system software load or upgrade using TFTP. This mode applies to the environment without complex interactions between a client and a server.
  Advantage: TFTP requires less memory than FTP.
  Disadvantage:
  ● The device can function as a TFTP client only.
  ● TFTP supports only file transfer. The interactive mode is not supported.
  ● TFTP does not provide authorization and authentication functions and transmits data in plain text, posing security risks and making the device vulnerable to network viruses and attacks.

SFTP
  Application Scenario: This mode applies to scenarios demanding high network security, such as log download and configuration file backup scenarios.
  Advantage:
  ● Encryption and integrity check are performed on data to ensure high security.
  ● File transfer and file directory operations are supported.
  Disadvantage: The configuration is complex and the interactive mode is supported.

SCP
  Application Scenario: This mode applies to scenarios demanding high network security and efficient file upload/download.
  Advantage:
  ● Encryption and integrity check are performed on data to ensure high security.
  ● File upload/download is efficient, requiring a single command that also sets up the client-server connection.
  Disadvantage: The configuration is complex (similar to the configuration in SFTP mode) and the interactive mode is not supported.

The direct device login, FTP, and TFTP modes are easy to understand and
configure, and are therefore not detailed here. The following only details the SFTP
and SCP modes.

SFTP
As an extension of SSH, SFTP provides a secure channel through which remote
users can log in to a device to manage and transfer files. In addition, the device
can function as an SFTP client, from which users can securely log in to an SSH
server for file transfer.

SCP
SCP is used to copy, upload, and download files based on the SSH remote copy
function. The SCP file copy command is easy to use, improving network
maintenance efficiency.

7.4 Managing Files Locally

7.4.1 Managing Files Locally

Prerequisites
Before managing files locally, complete the following tasks:

● Ensure that there are reachable routes between the terminal and the device.
● Log in to the device from the terminal.


Procedure
● Perform operations on directories.

Table 7-5 Operations on directories

Display the current directory.
  Command: pwd
  Description: -

Change the current directory.
  Command: cd [ directory ]
  Description: -

Display files and subdirectories in a specified directory.
  Command: dir [ /all ] [ filename | /all-filesystems ]
  Description: -

Display all files in the backup partition.
  Command: display backup-file
  Description: -

Create a directory.
  Command: mkdir directory
  Description: -

Delete a directory.
  Command: rmdir directory
  Description:
  ● The directory to be deleted must be empty.
  ● A deleted directory and its files cannot be restored from the recycle bin.

● Perform operations on files.

Table 7-6 Operations on files

Display the file content.
  Command: more file-name [ offset ]
  Description: You can also run the tail file-name [ line ] command to view the last specified lines in the specified file.

Copy a file.
  Command: copy source-filename destination-filename [ all ]
  Description:
  ● Before copying a file, ensure that the storage space is sufficient for the file.
  ● If the destination file has the same name as an existing file, the system prompts you whether to overwrite the existing file.

Copy the files in the backup partition to the specified path.
  Command: copy backup-file file-name scrFile path desFile
  Command: copy backup-file all path desFile
  Description: -

Move a file.
  Command: move source-filename destination-filename
  Description: If the destination file has the same name as an existing file, the system prompts you whether to overwrite the existing file.

Rename a file.
  Command: rename old-name new-name
  Description: -

Compress a file or directory.
  Command: zip source-filename destination-filename [ password password ]
  Description: -

Decompress a file.
  Command: unzip source-filename destination-filename [ password password ]
  Description: -

Delete a file.
  Command: delete [ /unreserved ] [ /quiet ] filename [ all ]
  Description: This command cannot be used to delete a directory.
  NOTICE: If the command contains the /unreserved parameter, the deleted file cannot be restored.

Restore a deleted file.
  Command: undelete filename
  Description: After you run the delete command without the /unreserved parameter, the file is moved to the recycle bin. You can run the undelete command to restore the file.

Delete a file from the recycle bin.
  Command: reset recycle-bin [ /f | filename ]
  Description: To permanently delete a file from the recycle bin, run this command.

Run a batch file or VRP Shell Languages (VSL) script file.
  Command: execute filename [ parameter &<1-8> ]
  Description: To perform multiple file operations at a time, run the execute filename command in the system view. The created batch file must be saved in the storage medium in advance.

----End


7.4.2 Example for Managing Files Locally

Networking Requirements
A user logs in to a device using the console port, Telnet, or STelnet, and needs to
perform the following operations on the files on the device:

● View files and subdirectories in the current directory.
● Create a directory named test. Copy the vrpcfg.zip file to the directory test and rename the file backup.zip.
● View files in the test directory.

Procedure
Step 1 View files and subdirectories in the current directory.
<HUAWEI> system-view
[HUAWEI] sysname Device
[Device] quit
<Device> dir
Directory of flash:/

Idx Attr Size(Byte) Date Time FileName


0 -rw- 889 Mar 01 2019 14:41:56 private-data.txt
1 -rw- 6,311 Feb 17 2019 14:05:04 backup.cfg
2 -rw- 2,393 Mar 06 2019 17:20:10 vrpcfg.zip
3 -rw- 812 Nov 12 2019 15:43:10 hostkey
4 drw- - Mar 01 2019 14:41:46 compatible
5 -rw- 540 Nov 12 2019 15:43:12 serverkey
...
670,092 KB total (569,904 KB free)

Step 2 Create a directory named test. Copy the vrpcfg.zip file to the directory test and
rename the file backup.zip.

# Create the test directory.


<Device> mkdir test
Info: Create directory flash:/test/......Done.

# Copy the vrpcfg.zip file to the test directory and rename the file backup.zip.
<Device> copy vrpcfg.zip flash:/test/backup.zip
Info: Are you sure to copy flash:/vrpcfg.zip to flash:/test/backup.zip?[Y/N]:y
100% complete
Info: Copied file flash:/vrpcfg.zip to flash:/test/backup.zip...Done.

NOTE

If the destination file name is not specified, the source file name is used as the destination
file name by default. That is, the destination file has the same name as the source file.

----End

Verifying the Configuration


# Access the test directory.
<Device> cd test

# View the current directory.


<Device> pwd
flash:/test/

# View files in the test directory.


<Device> dir
Directory of flash:/test/

Idx Attr Size(Byte) Date Time FileName


0 -rw- 2,399 Mar 12 2012 11:16:44 backup.zip

670,092 KB total (569,900 KB free)

Configuration Scripts
#
sysname Device
#
return

7.5 Managing Files Using FTP

7.5.1 Configuring a Device as an FTP Server

Prerequisites
You can log in to a device that functions as an FTP server from a terminal to
manage files. FTP is widely used for file service operations such as system
software upgrade.

Before configuring a device as an FTP server to manage files, you have completed
the following tasks:

● Ensure that there are reachable routes between the terminal and the device.
● Ensure that the terminal has FTP client software installed.
● Run the install feature-software WEAKEA command to install the weak
security algorithm/protocol feature package (WEAKEA).

Context

NOTICE

SFTP V2 or SCP is more secure than FTP, and is therefore recommended.


In FIPS mode, FTP cannot be used to manage files.

Table 7-7 describes the process for configuring a device as an FTP server for file
management. Tasks 1, 2, 3, and 4 can be performed in any sequence.


Table 7-7 Configuring a device as an FTP server for file management

1. Enable the FTP server function and configure related parameters.
   Description: Enable the FTP server function and configure related parameters such as the port number, source IP address, and timeout interval.

2. Configure a local FTP user.
   Description: Configure the service type, user privilege level, and authorized directory for an FTP user.

3. (Optional) Configure FTP access control.
   Description: Configure ACL rules and a basic FTP ACL to improve FTP access security.

4. (Optional) Configure the IP address locking function.
   Description: Enable the IP address locking function and configure parameters such as the maximum number of consecutive authentication failures and a period in which consecutive authentication failures are counted.

5. Log in to the device through FTP.
   Description: Log in to the device from a terminal through FTP.

Default Settings

Table 7-8 Default settings


Parameter Default Setting

FTP server function Disabled

Port number 21

FTP user None created

Procedure
● Enable the FTP server function and configure related parameters.


Table 7-9 Enabling the FTP server function and configuring related parameters

Enter the system view.
  Command: system-view
  Description: -

(Optional) Specify a port number for the FTP server.
  Command: ftp [ ipv6 ] server port port-number
  Description: By default, the port number of the FTP server is 21. If a new port number is configured, the FTP server terminates all FTP connections and then uses the new port number to listen to connection requests. In this way, attackers cannot connect to the server through the standard FTP port, ensuring security.

(Optional) Specify the maximum number of connections to an FTP server.
  Command: ftp server max-sessions max-session-count
  Description: By default, the maximum number of connections to an FTP server is 15. This command applies to both IPv4 and IPv6 connections. If the maximum number is less than or equal to the number of current connections, the current connections are not disconnected, but new connection requests will be rejected.

Enable the FTP server function.
  Command: ftp [ ipv6 ] server enable
  Description: By default, the FTP server function is disabled.

Specify the source interface or source IP address for the FTP server.
  Command (run one of the following as required):
  ● ftp server source { -a ip-address | -i { interface-type interface-number | interface-name } }
  ● ftp ipv6 server source -a ipv6-address [ -vpn-instance vpn-instance-name ]
  ● ftp [ ipv6 ] server source all-interface
  Description: Specify the source interface or source IP address for the FTP server to filter incoming and outgoing packets, ensuring security. After the source IP address is specified for the FTP server, you must use the specified IP address to log in to the FTP server. Otherwise, the login fails.

(Optional) Configure the idle duration for FTP connections.
  Command: ftp [ ipv6 ] server timeout minutes
  Description: By default, the idle duration is 10 minutes. If an FTP connection is idle during the specified period of time, the FTP server automatically disconnects from the FTP client.

(Optional) Configure the alarm generation and clearance thresholds for the number of FTP server login failures within a specified period.
  Command: ftp server login-failed threshold-alarm upper-limit report-times lower-limit resume-times period period-time
  Description: By default, an alarm is generated if the number of login failures reaches 30 within 5 minutes and is cleared if the number of login failures falls below 20 within the same period.

(Optional) Configure the maximum number of FTP connections to the server that can be established for a single IP address.
  Command: ftp server ip-max-sessions ip-max-sessions-num
  Description: By default, the maximum number of FTP connections to the server for a single IP address is 15.


NOTE

● The FTP service port cannot be changed after the FTP server function is enabled.
To change the port number, you must run the undo ftp [ ipv6 ] server command
to disable the FTP server function first.
● After file operations between the client and server are complete, run the undo ftp
[ ipv6 ] server command to disable the FTP server function promptly to ensure
device security.
● Configure a local FTP user.
To use FTP to manage files, configure the local user name and password for
logging in to the device that functions as an FTP server, and specify the
service type and authorized directory.

Table 7-10 Configuring a local FTP user

Enter the system view.
  Command: system-view
  Description: -

Enter the AAA view.
  Command: aaa
  Description: -

Configure the local user name and password.
  Command: local-user user-name password irreversible-cipher password
  Description: For security purposes, change the password periodically.

Configure the privilege level for the local user.
  Command: local-user user-name privilege level level
  Description: You must set the user privilege level to the management level. Otherwise, the FTP connection cannot be established.

Set the service type of the local user to FTP.
  Command: local-user user-name service-type ftp
  Description: By default, a local user can use any type of access services.

Configure an authorized directory for the FTP user.
  Command: local-user user-name ftp-directory directory
  Description: By default, no authorized directory is configured for the local user. If the same authorized directory needs to be set for multiple FTP users, you can run the ftp server default-directory directory command to configure a default working directory for these FTP users, instead of running the local-user user-name ftp-directory directory command to configure an authorized directory for each FTP user.


● (Optional) Configure FTP access control.


An ACL is a list of rules that classify and filter packets according to their
source address, destination address, port number, and other fields. After an
ACL is applied to a routing device, the routing device determines whether to
permit or deny a packet based on the ACL rules.
You can configure an ACL to allow only specified clients to access an FTP
server.
ACL rule:
– When the permit action is defined in an ACL rule, devices that match the
rule can set up FTP connections with the local device.
– When the deny action is defined in an ACL rule, devices that match the
rule cannot set up FTP connections with the local device.
– If packets from other devices do not match any rule in an ACL, these
devices cannot set up FTP connections with the local device.
– If no rule is defined in an ACL, any other devices can set up FTP
connections with the local device.

Table 7-11 (Optional) Configuring FTP access control

Operation: Enter the system view.
Command: system-view
Description: -

Operation: Enter the ACL view.
Command: acl { [ number ] basic-acl-number | name basic-acl-name }
Description: -

Operation: Configure an ACL rule.
Command: rule [ rule-id ] [ name rule-name ] { permit | deny } [ fragment-type fragment | source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | time-range time-name | vpn-instance vpn-instance-name | logging ] *
Description: -

Operation: Return to the system view.
Command: quit
Description: -

Operation: Apply the ACL for the FTP service.
Command: ftp [ ipv6 ] server acl { acl-number | name }
Description: -
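The four outcomes listed above (permit, deny, no matching rule, empty ACL) can be checked offline before an ACL is applied to the FTP service. The following Python script is an added example and is not part of this guide or of the switch software: it parses the basic ACL rule lines in the configuration-script syntax used in this chapter, applies them to a client address in ascending rule-ID order, and returns the FTP access decision. The numbering of rules that carry no explicit ID (5, 10, 15, ...), the reading of a bare integer after the source address as a prefix length (the src-netmask form), and the sample ACL are assumptions made for this example.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# One basic ACL rule: (rule_id, action, source_network, wildcard). source_network and
# wildcard are None for "source any" and for rules without a source clause (match everything).
Rule = Tuple[int, str, Optional[int], Optional[int]]

RULE_RE = re.compile(
    r"^\s*rule\s+(?:(?P<id>\d+)\s+)?(?:name\s+\S+\s+)?(?P<action>permit|deny)"
    r"(?:\s+source\s+(?P<src>\S+)(?:\s+(?P<mask>\S+))?)?"
)


def parse_basic_acl(config_text: str) -> List[Rule]:
    """Parse the 'rule ...' lines of a basic ACL (configuration-script syntax) into Rule tuples."""
    rules: List[Rule] = []
    next_id = 5  # assumption: rules without an explicit ID are numbered 5, 10, 15, ...
    for line in config_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # 'acl number ...', '#', blank lines and anything else are skipped
        rule_id = int(m.group("id")) if m.group("id") else next_id
        next_id = max(next_id, rule_id) + 5
        src, mask = m.group("src"), m.group("mask")
        if src is None or src == "any":
            rules.append((rule_id, m.group("action"), None, None))
            continue
        net = int(ipaddress.IPv4Address(src))
        if mask is None or mask == "0":
            wildcard = 0  # '0' means an exact host match
        elif mask.isdigit():
            wildcard = (1 << (32 - int(mask))) - 1  # assumption: src-netmask given as a prefix length
        else:
            wildcard = int(ipaddress.IPv4Address(mask))  # dotted wildcard mask, 1 bits = don't care
        rules.append((rule_id, m.group("action"), net, wildcard))
    return sorted(rules, key=lambda r: r[0])


def ftp_access_decision(rules: List[Rule], client_ip: str) -> str:
    """Apply the rules as the FTP server does: first match wins, no match means deny,
    and an ACL with no rules at all permits every client."""
    if not rules:
        return "permit"
    addr = int(ipaddress.IPv4Address(client_ip))
    for _, action, net, wildcard in rules:
        if net is None or (addr | wildcard) == (net | wildcard):
            return action
    return "deny"


# Constructed sample, taken from the FTP server example later in this chapter
SAMPLE_ACL = """\
acl number 2001
 rule 5 permit source 10.136.23.10 0
 rule 10 deny source 10.136.23.20 0
"""

if __name__ == "__main__":
    acl_rules = parse_basic_acl(SAMPLE_ACL)
    for ip in ("10.136.23.10", "10.136.23.20", "10.136.23.30"):
        print(ip, ftp_access_decision(acl_rules, ip))
```

Note that the deny rule for 10.136.23.20 in the sample changes nothing: an address that matches no rule is denied anyway, so the only effective line is the permit for 10.136.23.10. The same script makes that visible for any ACL before it is applied.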

● (Optional) Configure the IP address locking function.
After the IP address locking function is enabled, the number of FTP server login failures is recorded on a per-IP-address basis. If the number of login failures for an IP address within a specified period reaches the threshold, the IP address is locked, and this IP address cannot set up an FTP connection with the FTP server.

Table 7-12 (Optional) Configuring the IP address locking function

Operation: Enter the system view.
Command: system-view
Description: -

Operation: Enable the client IP address locking function on the FTP server.
Command: undo ftp server ip-block disable
Description: By default, the client IP address locking function is enabled.

Operation: Configure the maximum number of consecutive authentication failures and the period in which consecutive authentication failures are counted.
Command: ftp server ip-block failed-times failed-times period period
Description: By default, a maximum of 6 consecutive authentication failures is allowed within 5 minutes.

Operation: Configure the period after which the system automatically unlocks a user.
Command: ftp server ip-block reactive reactive-period
Description: By default, the period is 5 minutes.

Operation: Return to the system view.
Command: quit
Description: -

Operation: Unlock an IP address.
Command: activate ftp server ip-block ip-address ip-address [ vpn-instance vpn-name ]
Description: -
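The counters behind Table 7-12 (consecutive failures per client IP address within a period, a lock that the system lifts after the reactive period, and manual unlocking with activate ftp server ip-block) are easiest to reason about as a small state machine. The following Python model is an added example, not code from this guide or from the switch: it uses the default values stated in the table (6 failures, 5-minute period, 5-minute reactive period), and the event sequence it replays is constructed. That a failure arriving after the period has elapsed opens a new counting window, and that a successful login clears the counter, are assumptions of this model rather than statements from the guide.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class FailRecord:
    first_fail: float                        # time of the first failure in the current counting window
    count: int                               # consecutive failures counted since first_fail
    locked_until: Optional[float] = None     # set once the threshold is reached


class FtpIpBlock:
    """Per-client-IP login-failure tracking modelled on the ftp server ip-block behaviour
    (assumed model; the defaults are the ones stated in Table 7-12, in seconds)."""

    def __init__(self, failed_times: int = 6, period_s: int = 300, reactive_s: int = 300):
        self.failed_times = failed_times
        self.period_s = period_s
        self.reactive_s = reactive_s
        self.records: Dict[str, FailRecord] = {}

    def is_locked(self, ip: str, now: float) -> bool:
        rec = self.records.get(ip)
        if rec is None or rec.locked_until is None:
            return False
        if now >= rec.locked_until:
            del self.records[ip]   # reactive period elapsed: automatic unlock, counter cleared
            return False
        return True

    def login_attempt(self, ip: str, now: float, success: bool) -> str:
        """Return 'rejected' (IP is locked), 'ok', 'failed', or 'locked' (this failure hit the threshold)."""
        if self.is_locked(ip, now):
            return "rejected"
        if success:
            self.records.pop(ip, None)   # assumption: a successful login resets the counter
            return "ok"
        rec = self.records.get(ip)
        if rec is None or now - rec.first_fail > self.period_s:
            rec = FailRecord(first_fail=now, count=0)   # start a new counting window
            self.records[ip] = rec
        rec.count += 1
        if rec.count >= self.failed_times:
            rec.locked_until = now + self.reactive_s
            return "locked"
        return "failed"

    def unlock(self, ip: str) -> None:
        """Manual unlock, the equivalent of activate ftp server ip-block ip-address."""
        self.records.pop(ip, None)

    def ip_block_list(self, now: float) -> List[Tuple[str, float]]:
        """Rows like display ftp server ip-block list: (ip, remaining locking time in seconds)."""
        rows = []
        for ip, rec in list(self.records.items()):
            if self.is_locked(ip, now):
                rows.append((ip, rec.locked_until - now))
        return rows


def replay(events: List[Tuple[float, str, bool]], tracker: Optional[FtpIpBlock] = None) -> List[str]:
    """Feed (time, ip, success) events, in time order, to a tracker and collect the outcomes."""
    if tracker is None:
        tracker = FtpIpBlock()
    return [tracker.login_attempt(ip, t, ok) for t, ip, ok in events]


# Constructed sample: six wrong passwords from one client within a minute, then the right one
SAMPLE_EVENTS = [(t, "192.0.2.10", False) for t in (0, 10, 20, 30, 40, 50)] + [(60, "192.0.2.10", True)]

if __name__ == "__main__":
    for event, outcome in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, outcome)
```

The seventh event shows the point of the feature: once the address is locked, even a correct password is rejected until the reactive period has passed or an administrator runs activate ftp server ip-block ip-address, which is what limits password guessing against the FTP service.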

● Log in to the device through FTP.
To log in to the FTP server from a terminal, use either the Windows CLI or third-party software. The following uses the Windows CLI as an example.
– Run the ftp ip-address command to log in to the device through FTP. The IP address entered here is the IP address configured on the device and must be reachable from the user terminal.
– Enter the user name and password at the prompt, and press Enter. If the command prompt of the FTP client view, ftp> for example, is displayed, you have entered the working directory of the FTP server. (The following information is for reference only.)
C:\Windows\System32> ftp 192.168.150.208
Connected to 192.168.150.208.
220 FTP service ready.
User(192.168.150.208:(none)):admin123
331 Password required for admin123.
Password:
230 User logged in.
ftp>

● Perform file operations using FTP.
After logging in to the FTP server, you can run FTP commands to perform operations on files, including managing directories, managing files, configuring the file transfer mode, and viewing online help of FTP commands.

NOTE

The operation rights of a user are set on the FTP server.

You can perform one or more operations listed in the following table, and in any sequence.

Table 7-13 Performing file operations using FTP

Operation: Change the working directory of the FTP server.
Command: cd pathname
Description: -

Operation: Change the working directory of the FTP server to its upper-level directory.
Command: cdup
Description: -

Operation: Display the working directory of the FTP server.
Command: pwd
Description: -

Operation: Display or change the working directory of the FTP client.
Command: lcd [ directory ]
Description: The lcd command displays the local working directory of the FTP client, whereas the pwd command displays the working directory of the FTP server.

Operation: Create a directory on the server.
Command: mkdir remote-directory
Description: The name of a directory can contain letters and digits, but cannot contain the following special characters: < > ? \ :

Operation: Delete a directory from the FTP server.
Command: rmdir remote-directory
Description: -

Operation: Display the specified directory or file on the FTP server.
Command: dir [ remote-directory [ local-filename ] ] or ls [ remote-directory [ local-filename ] ]
Description: ● The ls command displays only the name of a directory or file, but the dir command displays details about a directory or file, such as the size and creation date. ● If no path is specified for a remote file, the system searches an authorized directory for the specified file.

Operation: Delete a specified file from the FTP server.
Command: delete remote-filename
Description: -

Operation: Upload one or more files.
Command: put local-filename [ remote-filename ] or mput local-filenames
Description: ● The put command uploads a single file. ● The mput command uploads multiple files at a time.

Operation: Download one or more files.
Command: get remote-filename [ local-filename ] or mget remote-filenames
Description: ● The get command downloads a single file. ● The mget command downloads multiple files at a time.

Operation: Set the data transmission mode to ASCII.
Command: ascii
Description: Run only one of the two commands. ● By default, the data transmission mode is ASCII. ● ASCII is used to transfer text files. Binary is used for transferring programs, system software, and database files.

Operation: Set the data transmission mode to binary.
Command: binary
Description: Run only one of the two commands. ● By default, the data transmission mode is ASCII. ● ASCII is used to transfer text files. Binary is used for transferring programs, system software, and database files.

Operation: Set the file transfer mode to passive.
Command: passive
Description: Run only one of the two commands. By default, the file transfer mode is active.

Operation: Set the file transfer mode to active.
Command: undo passive
Description: Run only one of the two commands. By default, the file transfer mode is active.

Operation: Display online help for an FTP command.
Command: remotehelp [ command ]
Description: -

Operation: Enable the file transfer prompt function.
Command: prompt
Description: By default, the prompt function is disabled.

Operation: Enable the verbose function.
Command: verbose
Description: After the verbose function is enabled, all FTP responses are displayed on the FTP client, including the FTP protocol information and details about the responses.

● (Optional) Change the login user.
You can log in to the FTP server using another user name without exiting the FTP client view. The created FTP connection is the same as the FTP connection created by running the ftp command.

Table 7-14 Changing the login user

Operation: Change the current login user in the FTP client view.
Command: user username
Description: After the login user is changed, the original user is disconnected from the server.

● Disconnect from the FTP server.
You can run different commands in the FTP client view to disconnect from the FTP server.

Table 7-15 Disconnecting from the FTP server

Operation: Disconnect from the FTP server and return to the user view.
Command: bye or quit
Description: Run only one of the commands.

Operation: Disconnect from the FTP server and remain in the FTP client view.
Command: close or disconnect
Description: Run only one of the commands.

----End

Verifying the Configuration
● Run the display ftp server command to check the configuration and status of the FTP server.
● Run the display ftp server users command to check information about FTP users.
● Run the display ftp server ip auth-fail information command to check details about the IP addresses of the clients that fail to be authenticated, including the time when the first authentication fails and the number of authentication failures.
● Run the display ftp server ip-block list command to check the FTP client IP addresses that are locked due to authentication failures and the remaining locking time.

7.5.2 Configuring a Device as an FTP Client


Prerequisites
You can configure a device as an FTP client, through which you can log in to a
remote FTP server to transfer files between the server and client and manage files
and directories on the server.
Before configuring a device to access files on another device as an FTP client, you
have completed the following tasks:
● Ensure that there are reachable routes between the device and FTP server.
● Obtain the IP address, user name, and password of the FTP server.
● Obtain the port number configured for the server if the standard port number
is not used.
● Run the install feature-software WEAKEA command to install the weak
security algorithm/protocol feature package (WEAKEA).

Context

NOTICE

SFTP V2 or SCP is more secure than FTP, and is therefore recommended.


In FIPS mode, FTP cannot be used.

Table 7-16 describes the process for configuring a device to access files on another device as an FTP client.

Table 7-16 Configuring a device to access files on another device as an FTP client

No.: 1
Task: (Optional) Configure the source interface or source IP address for the FTP client.
Description: Configure the source interface or source IP address for the FTP client to implement security verification.

No.: 2
Task: (One-click mode) Log in to another device through FTP to perform file operations.
Description: Select only one of the two tasks. One-click mode: You can upload and download files while the connection is set up.

No.: 2
Task: (Interactive mode) Log in to another device through FTP to perform file operations.
Description: Select only one of the two tasks. Interactive mode: After a connection is set up, you can perform operations on directories and files, configure the file transfer mode, and view the online help of FTP commands on the FTP server.

No.: 3
Task: (Optional) Change the login user.
Description: -

No.: 4
Task: Disconnect from the FTP server.
Description: -

Procedure
● (Optional) Configure the source interface or source IP address for the FTP
client.
The source IP address to be configured must be that of a stable interface,
such as a loopback interface. This configuration makes it easier to configure
ACL rules. You simply need to specify the source or destination IP address in
an ACL rule as the interface IP address, thereby allowing the device to filter
incoming and outgoing packets.

Table 7-17 Configuring the source interface or source IP address for the FTP client

Operation: Enter the system view.
Command: system-view
Description: -

Operation: Configure the source IPv4 address or source interface for the FTP client.
Command: ftp client source { -a ip-address | -i interface-type interface-number }
Description: The IP address of a loopback interface is recommended. When the source address is set to a loopback interface, an IP address must be configured for the loopback interface in advance. Otherwise, the FTP connection fails to be set up.

Operation: Configure the source IPv6 address for the FTP client.
Command: ftp ipv6 client-source -a ipv6-address [ -vpn-instance ipv6-vpn-instance-name ]
Description: If the specified source address does not exist, the configuration can be successful, but the function does not take effect.

● (One-click mode) Log in to another device through FTP to perform file operations.
To only upload files to the FTP server or download files to the device, you can run commands in the user view to complete file transfer (these commands cannot be used to perform other FTP operations).

Table 7-18 One-click file operations using commands

Operation: Connect to the FTP server using an IPv4 address.
Command: ftp { put | get } [ -a source-ip4 | -i { interface-type interface-number | interface-name } ] host-ip ip4-address [ port portnumber ] [ vpn-instance ipv4-vpn-name | public-net ] username user-name sourcefile localfilename [ destination remotefilename ]
Description: Connect to the FTP server in IPv4 mode and download files from the server to the FTP client or upload files from the FTP client to the server.

Operation: Connect to the FTP server using an IPv6 address.
Command: ftp { put | get } ipv6 [ -a source-ip6 ] host-ip ipv6-address [ [ vpn-instance ipv6-vpn-name ] | public ] [ port port-number ] username username sourcefile local-filename [ destination remote-filename ]
Description: Connect to the FTP server in IPv6 mode and download files from the server to the FTP client or upload files from the FTP client to the server.

● (Interactive mode) Log in to another device through FTP to perform file operations.
a. Connect to another device using FTP commands.
In the user view or FTP client view, you can run a command to log in to the FTP server. Perform operations in either of the following tables based on the server's IP address type.

Table 7-19 Logging in to another device that functions as the FTP server configured with an IPv4 address

Operation: Establish a connection with the IPv4 FTP server in the user view.
Command: ftp [ -a source-ip-address | -i { interface-type interface-number | interface-name } ] host-ip [ port-number ] [ vpn-instance vpn-instance-name | public-net ]
Description: Use either method. Before setting up a connection with the FTP server in the FTP client view, run the ftp command to enter the FTP client view.

Operation: Establish a connection with the IPv4 FTP server in the FTP client view.
Command: open [ -a source-ip | -i { interface-type interface-number | interface-name } ] host-ip-address [ port-number ] [ vpn-instance vpn-instance-name | public-net ]
Description: Use either method. Before setting up a connection with the FTP server in the FTP client view, run the ftp command to enter the FTP client view.

NOTE

Before logging in to the FTP server, run the set net-manager vpn-instance
command to set the default VPN instance. Then the default VPN instance will be
used in the FTP operation.
The source IP address specified in the ftp command takes precedence over the
source IP address specified in the ftp client source command. If the source IP
addresses specified in the ftp client source and ftp commands are different, the
source IP address specified in the ftp command takes effect. The source IP
address specified in the ftp client source command applies to all FTP
connections, whereas the source IP address specified in the ftp command applies
only to the current FTP connection.

Table 7-20 Logging in to another device that functions as the FTP server configured with an IPv6 address

Operation: Establish a connection with the IPv6 FTP server in the user view.
Command: ftp ipv6 [ -a source-ip6 ] host-ipv6-address [ [ vpn-instance ipv6-vpn-instance-name ] | public-net ] [ -oi { interface-type interface-number | interface-name } ] [ port-number ]
Description: Use either method. Before setting up a connection with the FTP server in the FTP client view, run the ftp command to enter the FTP client view.

Operation: Establish a connection with the IPv6 FTP server in the FTP client view.
Command: open ipv6 [ -a source-ip6 ] host-ipv6-address [ -oi { interface-type interface-number | interface-name } ] [ port-number ] [ vpn-instance vpn-instance | public-net ]
Description: Use either method. Before setting up a connection with the FTP server in the FTP client view, run the ftp command to enter the FTP client view.

You must enter a correct user name and password for authentication
before you are allowed access to the FTP server.
b. Perform file operations using FTP.
After logging in to the FTP server, you can run FTP commands to perform
operations on files, including managing directories, managing files,
configuring the file transfer mode, and viewing online help of FTP
commands.

NOTE

The operation rights of a user are set on the FTP server.

You can perform one or more operations listed in the following table, and
in any sequence.

Table 7-21 Performing file operations using FTP

Operation: Change the working directory of the FTP server.
Command: cd pathname
Description: -

Operation: Change the working directory of the FTP server to its upper-level directory.
Command: cdup
Description: -

Operation: Display the working directory of the FTP server.
Command: pwd
Description: -

Operation: Display or change the working directory of the FTP client.
Command: lcd [ directory ]
Description: The lcd command displays the local working directory of the FTP client, whereas the pwd command displays the working directory of the FTP server.

Operation: Create a directory on the server.
Command: mkdir remote-directory
Description: The name of a directory can contain letters and digits, but cannot contain the following special characters: < > ? \ :

Operation: Delete a directory from the FTP server.
Command: rmdir remote-directory
Description: -

Operation: Display the specified directory or file on the FTP server.
Command: dir [ remote-directory [ local-filename ] ] or ls [ remote-directory [ local-filename ] ]
Description: ● The ls command displays only the name of a directory or file, but the dir command displays details about a directory or file, such as the size and creation date. ● If no path is specified for a remote file, the system searches an authorized directory for the specified file.

Operation: Delete a specified file from the FTP server.
Command: delete remote-filename
Description: -

Operation: Upload one or more files.
Command: put local-filename [ remote-filename ] or mput local-filenames
Description: ● The put command uploads a single file. ● The mput command uploads multiple files at a time.

Operation: Download one or more files.
Command: get remote-filename [ local-filename ] or mget remote-filenames
Description: ● The get command downloads a single file. ● The mget command downloads multiple files at a time.

Operation: Set the data transmission mode to ASCII.
Command: ascii
Description: Run only one of the two commands. ● By default, the data transmission mode is ASCII. ● ASCII is used to transfer text files. Binary is used for transferring programs, system software, and database files.

Operation: Set the data transmission mode to binary.
Command: binary
Description: Run only one of the two commands. ● By default, the data transmission mode is ASCII. ● ASCII is used to transfer text files. Binary is used for transferring programs, system software, and database files.

Operation: Set the file transfer mode to passive.
Command: passive
Description: Run only one of the two commands. By default, the file transfer mode is active.

Operation: Set the file transfer mode to active.
Command: undo passive
Description: Run only one of the two commands. By default, the file transfer mode is active.

Operation: Display online help for an FTP command.
Command: remotehelp [ command ]
Description: -

Operation: Enable the file transfer prompt function.
Command: prompt
Description: By default, the prompt function is disabled.

Operation: Enable the verbose function.
Command: verbose
Description: After the verbose function is enabled, all FTP responses are displayed on the FTP client, including the FTP protocol information and details about the responses.

Operation: Enable resumable data transfer for the FTP client.
Command: ftp client resumable-transfer enable
Description: By default, resumable data transfer is disabled for an FTP client. This command takes effect in the system view.

● (Optional) Change the login user.
You can log in to the FTP server using another user name without exiting the FTP client view. The created FTP connection is the same as the FTP connection created by running the ftp command.

Table 7-22 Changing the login user

Operation: Change the current login user in the FTP client view.
Command: user username
Description: After the login user is changed, the original user is disconnected from the server.


● Disconnect from the FTP server.
You can run different commands in the FTP client view to disconnect from the FTP server.

Table 7-23 Disconnecting from the FTP server

Operation: Disconnect from the FTP server and return to the user view.
Command: bye or quit
Description: Run only one of the commands.

Operation: Disconnect from the FTP server and remain in the FTP client view.
Command: close or disconnect
Description: Run only one of the commands.

----End

Verifying the Configuration


● Run the display ftp client command to check the source address of the FTP
client.

7.5.3 Example for Configuring a Device as an FTP Server

Networking Requirements
In Figure 7-1, PC1 connects to the device at 10.136.23.5. The device needs to be
upgraded. To be specific, the device needs to function as the FTP server so that the
system software can be uploaded from PC1 to the device and the configuration
file of the device can be saved to PC1 for backup. In addition, an ACL policy needs
to be configured so that only PC1 can access the FTP server.

Figure 7-1 Network diagram for configuring a device as an FTP server


NOTE

In this example, interface1 represents 10GE1/0/1.

Configuration Roadmap
The configuration roadmap is as follows:


1. Configure the FTP server function for the device and configure information
about an FTP user, including the source address, user name, password, user
privilege level, service type, and authorized directory.
2. Configure access permissions on the FTP server.
3. Save the current configuration file on the device.
4. Log in to the FTP server from PC1.
5. Upload the system software to the device and back up the configuration file
of the device to PC1.

Configuration Precautions
In insecure network environments, you are advised to use a secure password
authentication mode, encryption authentication algorithm, or protocol. For details
about secure configuration examples, see 7.6.3 Example for Configuring a
Device as an SFTP Server.

Procedure
Step 1 Run the install feature-software WEAKEA command in the user view to install
the weak security algorithm/protocol feature package (WEAKEA).
Step 2 Configure an IP address for the FTP server.
<HUAWEI> system-view
[HUAWEI] sysname FTP_Server
[FTP_Server] interface 10ge 1/0/1
[FTP_Server-10GE1/0/1] undo portswitch
[FTP_Server-10GE1/0/1] ip address 10.136.23.5 255.255.255.0
[FTP_Server-10GE1/0/1] quit

Step 3 Configure the FTP server function for the device and configure information about
an FTP user.
[FTP_Server] ftp server enable
[FTP_Server] ftp server source -i 10ge 1/0/1
[FTP_Server] aaa
[FTP_Server-aaa] local-user admin1234 password
Please configure the login password (8-128)
It is recommended that the password consist of at least 2 types of characters, including lowercase letters,
uppercase letters, numerals and special characters.
Please enter password:
Please confirm password:
Info: Add a new user.
[FTP_Server-aaa] local-user admin1234 privilege level 3
[FTP_Server-aaa] local-user admin1234 service-type ftp
[FTP_Server-aaa] local-user admin1234 ftp-directory flash:/
[FTP_Server-aaa] quit

Step 4 Configure access permissions on the FTP server.
[FTP_Server] acl number 2001
[FTP_Server-acl4-basic-2001] rule permit source 10.136.23.10 0
[FTP_Server-acl4-basic-2001] rule deny source 10.136.23.20 0
[FTP_Server-acl4-basic-2001] quit
[FTP_Server] ftp server acl 2001
[FTP_Server] quit

Step 5 Save the current configuration file on the device.
<FTP_Server> save

Step 6 Log in to the FTP server from PC1 using the user name admin1234 and password YsHsjx_202206. Set the file transfer mode to binary.
Assume that PC1 runs the Windows operating system.
C:\Documents and Settings\Administrator> ftp 10.136.23.5
Connected to 10.136.23.5.
220 FTP service ready.
User (10.136.23.5:(none)): admin1234
331 Password required for admin1234.
Password:
230 User logged in.
ftp> binary
200 Type set to I.
ftp>

Step 7 Upload the system software to the device and back up the configuration file of the device to PC1.
# Upload the system software to the device.
ftp> put devicesoft.cc
200 Port command okay.
150 Opening BINARY mode data connection for /devicesoft.cc
226 Transfer complete.
ftp: 107973953 bytes sent in 151.05Seconds 560.79Kbytes/sec.

# Back up the configuration file.
ftp> get vrpcfg.zip
200 Port command okay.
150 Opening BINARY mode data connection for /vrpcfg.zip.
226 Transfer complete.
ftp: 1257 bytes received in 0.03Seconds 40.55Kbytes/sec.

NOTE

When uploading or downloading files, you need to specify the FTP working directory of the
client. For example, the default FTP working directory of the Windows operating system is
C:\Windows\System32. Save the system software to be uploaded to this directory in
advance, and the backup configuration file is also saved to this directory.

----End

Verifying the Configuration
# Run the dir command on the FTP server to check whether the system software is uploaded to the FTP server.
<FTP_Server> dir
Directory of flash:/

Idx Attr Size(Byte) Date Time FileName
0 -rw- 14 Mar 13 2019 14:13:38 back_time_a
1 drw- - Mar 11 2019 00:58:54 logfile
2 -rw- 4 Nov 17 2019 09:33:58 snmpnotilog.txt
3 -rw- 11,238 Mar 12 2019 21:15:56 private-data.txt
4 -rw- 1,257 Mar 12 2019 21:15:54 vrpcfg.zip
5 -rw- 14 Mar 13 2019 14:13:38 back_time_b
6 -rw- 107,973,953 Mar 13 2019 14:24:24 devicesoft.cc
7 drw- - Oct 31 2019 10:20:28 sysdrv
8 drw- - Feb 21 2019 17:16:36 compatible
9 drw- - Feb 09 2019 14:20:10 selftest
10 -rw- 19,174 Feb 20 2019 18:55:32 backup.cfg
11 -rw- 23,496 Oct 15 2019 20:59:36 20191015.zip
12 -rw- 588 Nov 04 2019 13:54:04 servercert.der
13 -rw- 320 Nov 04 2019 13:54:26 serverkey.der
14 drw- - Nov 04 2019 13:58:36 security
...
670,092 KB total (569,904 KB free)


# Access the FTP user's working directory on PC1 and check for the vrpcfg.zip file.
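A "226 Transfer complete." reply says that the data connection closed cleanly, not that the file on the flash is the file that was sent; a truncated or ASCII-mangled system image only shows up when the device is rebooted onto it. A cheap check is to compare the byte count in the FTP client's summary line with the size column of the dir listing. The following Python script is an added example, not code from this guide or from the switch: it parses the dir listing format shown above, extracts the byte count from the client's transfer summary, and confirms that the two agree for a named file. The listing and summary lines embedded in it are constructed from the output shown in this section, and the exact column layout the script expects is an assumption based on that output.

```python
import re
from typing import Dict, Optional, Tuple

# One line of the switch's dir output, for example:
#   6 -rw- 107,973,953 Mar 13 2019 14:24:24 devicesoft.cc
#   1 drw- -           Mar 11 2019 00:58:54 logfile
DIR_LINE_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<attr>[-d]rw-)\s+(?P<size>[\d,]+|-)\s+"
    r"(?P<date>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2})\s+(?P<name>\S+)\s*$"
)

# The client's summary line, in the Windows client's or the switch's own wording:
#   ftp: 107973953 bytes sent in 151.05Seconds 560.79Kbytes/sec.
#   FTP: 107973953 byte(s) received in 151.05 second(s) 560.79Kbyte(s)/sec.
TRANSFER_RE = re.compile(
    r"(?P<bytes>\d+)\s+byte(?:s|\(s\))?\s+(?P<dir>sent|received|send)", re.IGNORECASE
)


def parse_dir_listing(text: str) -> Dict[str, Tuple[str, Optional[int]]]:
    """Map each name in a dir listing to (attr, size in bytes); size is None for directories."""
    entries: Dict[str, Tuple[str, Optional[int]]] = {}
    for line in text.splitlines():
        m = DIR_LINE_RE.match(line)
        if not m:
            continue  # 'Directory of flash:/', the column header and the totals line are skipped
        size = None if m.group("size") == "-" else int(m.group("size").replace(",", ""))
        entries[m.group("name")] = (m.group("attr"), size)
    return entries


def transferred_bytes(summary_line: str) -> Optional[int]:
    """Byte count reported by the FTP client, or None if the line is not a transfer summary."""
    m = TRANSFER_RE.search(summary_line)
    return int(m.group("bytes")) if m else None


def verify_transfer(listing: str, summary_line: str, filename: str) -> Tuple[bool, Optional[int], Optional[int]]:
    """Return (ok, bytes reported by the client, bytes shown by dir) for one transferred file.
    A directory entry with the requested name is treated as missing, not as a match."""
    expected = transferred_bytes(summary_line)
    entry = parse_dir_listing(listing).get(filename)
    actual = entry[1] if entry is not None and entry[0] == "-rw-" else None
    return (expected is not None and expected == actual, expected, actual)


# Constructed from the output shown in this section
SAMPLE_LISTING = """\
Directory of flash:/

Idx Attr Size(Byte) Date Time FileName
0 -rw- 14 Mar 13 2019 14:13:38 back_time_a
1 drw- - Mar 11 2019 00:58:54 logfile
4 -rw- 1,257 Mar 12 2019 21:15:54 vrpcfg.zip
6 -rw- 107,973,953 Mar 13 2019 14:24:24 devicesoft.cc
670,092 KB total (569,904 KB free)
"""
SAMPLE_PUT_SUMMARY = "ftp: 107973953 bytes sent in 151.05Seconds 560.79Kbytes/sec."
SAMPLE_GET_SUMMARY = "ftp: 1257 bytes received in 0.03Seconds 40.55Kbytes/sec."

if __name__ == "__main__":
    print(verify_transfer(SAMPLE_LISTING, SAMPLE_PUT_SUMMARY, "devicesoft.cc"))
    print(verify_transfer(SAMPLE_LISTING, SAMPLE_GET_SUMMARY, "vrpcfg.zip"))
```

The same check applies in the reverse direction of the client example later in this chapter, where the switch's own client prints "byte(s) received" and "byte(s) send", which is why the summary regex accepts both spellings.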

Configuration Scripts
#
sysname FTP_Server
#
ftp server enable
ftp server source -i 10GE1/0/1
ftp server acl 2001
#
acl number 2001
rule 5 permit source 10.136.23.10 0
rule 10 deny source 10.136.23.20 0
#
aaa
local-user admin1234 password irreversible-cipher $1d$g8wLJ`LjL!$CyE(V{3qg5DdU:PM[6=6O$UF-.fQ,Q}>^)OBzgoU$
local-user admin1234 privilege level 3
local-user admin1234 ftp-directory flash:
local-user admin1234 service-type ftp
#
interface 10GE1/0/1
undo portswitch
ip address 10.136.23.5 255.255.255.0
#
return

7.5.4 Example for Configuring a Device as an FTP Client

Networking Requirements
In Figure 7-2, the remote device with IP address 10.1.1.1/24 functions as the FTP
server. The device with IP address 10.2.1.1/24 functions as the FTP client and has
reachable routes to the FTP server.

The FTP client needs to be upgraded. To be specific, you need to download the
system software from the FTP server to the FTP client and back up the current
configuration file of the FTP client to the FTP server.

Figure 7-2 Network diagram for accessing files on another device using FTP
NOTE

In this example, interface1 represents 10GE1/0/1.

Configuration Roadmap
The configuration roadmap is as follows:

1. Run the FTP software on the FTP server and configure an FTP user.
2. Establish a connection between the FTP client and FTP server.
3. Upload and download files on the FTP client using FTP commands.


Configuration Precautions
In insecure network environments, you are advised to use a secure password
authentication mode, encryption authentication algorithm, or protocol. For details
about secure configuration examples, see 7.6.4 Example for Configuring a
Device as an SFTP Client.

Procedure
Step 1 Run the install feature-software WEAKEA command in the user view to install
the weak security algorithm/protocol feature package (WEAKEA).
Step 2 Run the FTP software on the FTP server and configure an FTP user. For details, see
the help document of the third-party software.
Step 3 Establish a connection between the FTP client and FTP server.
<HUAWEI> ftp 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL + K to abort
Connected to 10.1.1.1.
220 FTP service ready.
User(10.1.1.1:(none)):admin
331 Password required for admin.
Enter password:
230 User logged in.
[ftp]

Step 4 Download files from and upload files to the FTP server using FTP commands.
[ftp] binary
200 Type is Image (Binary)
[ftp] get devicesoft.cc
500 Unidentified command SIZE test123.cfg
200 PORT command okay
150 "D:\FTP\test123.cfg" file ready to send (3544 bytes) in IMAGE / Binary mode
..
226 Transfer finished successfully.
FTP: 107973953 byte(s) received in 151.05 second(s) 560.79Kbyte(s)/sec.
[ftp] put vrpcfg.zip
200 PORT command okay
150 "D:\FTP\vrpcfg.zip" file ready to receive in IMAGE / Binary mode
/ 100% [***********]
226 Transfer finished successfully.
FTP: 1257 byte(s) send in 0.03 second(s) 40.55Kbyte(s)/sec.
[ftp] quit

----End

Verifying the Configuration
# Run the dir command on the FTP client to check whether the system software is successfully downloaded.
<HUAWEI> dir
Directory of flash:/

Idx Attr Size(Byte) Date Time FileName
0 -rw- 14 Mar 13 2019 14:13:38 back_time_a
1 drw- - Mar 11 2019 00:58:54 logfile
2 -rw- 4 Nov 17 2019 09:33:58 snmpnotilog.txt
3 -rw- 11,238 Mar 12 2019 21:15:56 private-data.txt
4 -rw- 1,257 Mar 12 2019 21:15:54 vrpcfg.zip
5 -rw- 14 Mar 13 2019 14:13:38 back_time_b
6 -rw- 107,973,953 Mar 13 2019 14:24:24 devicesoft.cc
7 drw- - Oct 31 2019 10:20:28 sysdrv
8 drw- - Feb 21 2019 17:16:36 compatible
9 drw- - Feb 09 2019 14:20:10 selftest
10 -rw- 19,174 Feb 20 2019 18:55:32 backup.cfg
11 -rw- 23,496 Oct 15 2019 20:59:36 20191015.zip
12 -rw- 588 Nov 04 2019 13:54:04 servercert.der
13 -rw- 320 Nov 04 2019 13:54:26 serverkey.der
14 drw- - Nov 04 2019 13:58:36 security
...
670,092 KB total (569,904 KB free)

# Access the working directory on the FTP server and check for the vrpcfg.zip file.

Configuration Scripts
None

7.6 Managing Files Using SFTP

7.6.1 Configuring a Device as an SFTP Server


Prerequisites
SFTP runs over the SSH protocol and allows you to use SFTP to set up a secure
connection between a user terminal (client) and a device (server), enabling you to
manage files on the device while ensuring security of data transmission.
Before configuring a device as an SFTP server to manage files, you have
completed the following tasks:
● Ensure that there are reachable routes between the terminal and the device.
● Install the SSH client software on the terminal.

Context
NOTE

● SFTP V2 is more secure than SFTP V1, and is therefore recommended.

Table 7-24 describes the process for configuring a device as an SFTP server for file
management.


Table 7-24 Configuring a device as an SFTP server for file management

No.: 1
Task: Enable the SFTP server function and configure related parameters.
Description: Generate a local key pair, enable the SFTP server function, and configure SFTP server parameters, including the port number, key pair update interval, SSH authentication timeout duration, and number of SSH authentication retries.
Remarks: Tasks 1 and 2 can be performed in any sequence.

No.: 2
Task: Configure SSH user information.
Description: Create an SSH user and set the service type, authorized directory for the SFTP service, and authentication mode.
Remarks: Tasks 1 and 2 can be performed in any sequence.

No.: 3
Task: Connect to the device using SFTP.
Description: Use the SSH client software on the terminal to connect to the device.
Remarks: -

No.: 4
Task: Perform file operations using SFTP commands.
Description: You can use the SSH client software on the terminal to manage files and directories on the device.
Remarks: -

No.: 5
Task: Disconnect from the SFTP server.
Description: -
Remarks: -

Default Settings

Table 7-25 Default settings

Parameter: SFTP server function
Default Setting: Disabled

Parameter: Authorized directory of the SFTP service for the SSH user
Default Setting: No SFTP service authorized directory is available for an SSH user.

Procedure
● Enable the SFTP server function and configure related parameters.
For details about how to generate the local server key pair and how to set server parameters including the port number, key pair update interval, SSH authentication timeout interval, and number of SSH authentication retries, see "Configuring the SSH Server Function and Related Parameters" in CLI Configuration Guide > Security Configuration. For details about how to configure the SFTP function, see Table 7-26.

Table 7-26 Enabling the SFTP server function and configuring related parameters

Operation: Enter the system view.
Command: system-view
Description: -

Operation: Enable the SFTP server function.
Command: sftp [ ipv4 | ipv6 ] server enable
Description: By default, the SFTP server function is disabled.

Operation: Configure the default authorized directory of the SFTP server.
Command: sftp server default-directory sftpdir
Description: By default, the default authorized directory of the SFTP server is not configured. You can use one of the following methods to configure the default authorized directory of the SFTP server (the methods are listed in descending order of directory priority):
– Run the ssh user username sftp-directory directoryname command to configure the directory for a specified user.
– Run the local-user user-name ftp-directory directory command in the AAA view to configure an FTP directory for a specified user.
– Run the sftp server default-directory sftpdir command to configure the directory, which takes effect for all SSH users.

Operation: (Optional) Configure the maximum number of clients that can connect to the SFTP server.
Command: sftp max-sessions max-session-count
Description: By default, a maximum of five clients can connect to the SSH server. If the maximum number is changed to a value smaller than the number of current online users, these users will stay connected, but new connection requests will be rejected.

Operation: (Optional) Configure the idle timeout period for disconnecting an SFTP client from the SFTP server.
Command: sftp idle-timeout minutes [ seconds ]
Description: The default idle timeout period is 10 minutes. You can run the sftp idle-timeout 0 0 command to disable the function of disconnecting the SFTP client from the SFTP server upon timeout.

● Configure SSH user information.


For details, see "Configuring an SSH User" in CLI Configuration Guide >
Security Configuration.

NOTE

When an AAA user is configured, the user privilege level must be set to 3 or higher to
ensure successful connection.
● Connect to the device using SFTP.
To connect to the device using SFTP from a terminal, the terminal must be
installed with the SSH client software. The following describes how to connect
to the device using OpenSSH and the Windows CLI.
– For details about how to install OpenSSH, see the OpenSSH installation
guide.
– To use OpenSSH to connect to the device using SFTP, run the OpenSSH
commands. For details about OpenSSH commands, see the OpenSSH
help.
– The Windows CLI can identify OpenSSH commands only when OpenSSH
is installed on the terminal.
Access the Windows CLI and run the OpenSSH commands to connect to the
device using SFTP.
If the command prompt of the SFTP client view, such as sftp>, is displayed,
you have entered the working directory of the SFTP server. (The following
information is for reference only.)


C:/Documents and Settings/Administrator> sftp client001@10.136.23.4
Connecting to 10.136.23.4...
The authenticity of host "10.136.23.4 (10.136.23.4)" can't be established.
DSA key fingerprint is 0d:48:82:fd:2f:52:1c:f0:c4:22:70:80:8f:7b:fd:78.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added "10.136.23.4" (DSA) to the list of known hosts.
client001@10.136.23.4's password:
sftp>
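The prompt above asks you to accept a host key whose fingerprint the client cannot verify; answering yes without checking it means the session, and the password typed into it, may be going to a different server than intended. The following Python, an added example and not code from this guide or from OpenSSH, computes both OpenSSH fingerprint forms from a public key obtained out of band (for example the RFC 4716 block or one-line form that the switch's display dsa local-key-pair public command prints) so the value in the prompt can be compared before answering; the key material is a constructed toy sample.

```python
"""Added example (not Huawei or OpenSSH code): check the host key
fingerprint an SSH client shows on first connection ("DSA key fingerprint
is 0d:48:...") against the server's public key obtained out of band, for
example from the switch's 'display dsa local-key-pair public' output.
Handles the RFC 4716 block and the one-line OpenSSH form that output
prints. The sample key below is constructed with a toy modulus."""
import base64
import hashlib
import struct

RFC4716_BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
RFC4716_END = "---- END SSH2 PUBLIC KEY ----"


def ssh_string(data):
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value):
    """SSH 'mpint': big-endian two's complement; a leading 0x00 keeps it positive."""
    if value == 0:
        return ssh_string(b"")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return ssh_string(b"\x00" + raw if raw[0] & 0x80 else raw)


def build_rsa_blob(e, n):
    """Public key blob for the ssh-rsa key type (RFC 4253 section 6.6)."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def key_type_of(blob):
    """Key type named by the blob's leading string; raises on a truncated blob."""
    if len(blob) < 4:
        raise ValueError("key blob too short")
    n = struct.unpack(">I", blob[:4])[0]
    if 4 + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[4:4 + n].decode("ascii")


def blob_from_rfc4716(text):
    """Decode the base64 body of an RFC 4716 block, skipping 'Comment:'-style headers."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if lines[0] != RFC4716_BEGIN or lines[-1] != RFC4716_END:
        raise ValueError("not an RFC 4716 public key block")
    return base64.b64decode("".join(l for l in lines[1:-1] if ":" not in l), validate=True)


def blob_from_openssh_line(line):
    """Decode '<type> <base64> [comment]'; the label must match the type inside
    the blob, because the blob (not the label) is what gets fingerprinted."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(parts[1], validate=True)
    if key_type_of(blob) != parts[0]:
        raise ValueError(f"label says {parts[0]} but the blob is {key_type_of(blob)}")
    return blob


def fingerprint_md5(blob):
    """Legacy OpenSSH form: colon-separated MD5 hex, as in the guide's prompt."""
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def fingerprint_sha256(blob):
    """Current OpenSSH form: 'SHA256:' plus unpadded base64 of the SHA-256 digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def matches_prompt(blob, shown):
    """True if the fingerprint shown by the client equals the one computed from
    the trusted key; accepts either form, MD5 hex case-insensitively."""
    shown = shown.strip()
    if shown.startswith("SHA256:"):
        return shown == fingerprint_sha256(blob)
    if shown.lower().startswith("md5:"):
        shown = shown[4:]
    return shown.lower() == fingerprint_md5(blob)


def rfc4716_text(blob, comment="toy-key"):
    """Render a blob the way the switch prints it: RFC 4716 block, 70-char lines."""
    b64 = base64.b64encode(blob).decode("ascii")
    body = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\n".join([RFC4716_BEGIN, f"Comment: {comment}"] + body + [RFC4716_END])


def openssh_line(blob, comment="toy-key"):
    """Render a blob as a one-line authorized_keys / known_hosts style entry."""
    return f"{key_type_of(blob)} {base64.b64encode(blob).decode('ascii')} {comment}"


# Constructed sample: e = 65537 and a 1024-bit toy modulus whose top bit is set,
# so the mpint encoding must prepend the 0x00 byte.
SAMPLE_BLOB = build_rsa_blob(65537, (1 << 1023) | 0x10001)
```

Paste the key block from the switch into blob_from_rfc4716 and compare matches_prompt against the fingerprint in the client prompt; a mismatch means the key offered is not the one the switch generated.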

● Perform file operations using SFTP commands.


After logging in to the SSH server from the SFTP client, you can perform the
operations listed in Table 7-27 on the SFTP client. The following operations
can be performed in any sequence. You can select one or more operations as
required.

Table 7-27 Performing file operations using SFTP commands

Operation: Change the current working directory.
Command: cd [ path ]
Description: -

Operation: Change the current working directory to its upper-level directory.
Command: cdup
Description: -

Operation: Display the current working directory.
Command: pwd
Description: -

Operation: Display the list of files in the specified directory.
Command: dir [ remote-directory [ local-filename ] ] or ls [ remote-directory [ local-filename ] ]
Description: The dir command has the same effect as the ls command.

Operation: Delete a directory from the server.
Command: rmdir directory-name
Description: A maximum of 10 directories can be deleted at a time. Before running the rmdir command to delete directories, ensure that the directories do not contain any files. Otherwise, the deletion fails.

Operation: Create a directory on the server.
Command: mkdir remote-directory
Description: -

Operation: Rename a file on the server.
Command: rename old-name new-name
Description: -

Operation: Download a file from the server.
Command: get remote-filename [ local-filename ]
Description: -

Operation: Upload a file to the server.
Command: put local-filename [ remote-filename ]
Description: -

Operation: Delete a file from the server.
Command: remove path or delete path
Description: A maximum of 10 files can be deleted at a time. The remove command has the same effect as the delete command.

Operation: Display the command help on the SFTP client.
Command: help [ command-name ]
Description: -

● Disconnect from the SFTP server.

Table 7-28 Disconnecting from the SFTP server

Operation: Disconnect from the SFTP server.
Command: quit
Description: You can also run the bye or exit command to disconnect from the SFTP server.

----End

Verifying the Configuration


● Run the display ssh user-information [ username ] command to check SSH
user information on the SSH server.
● Run the display ssh server status command to check global configuration of
the SSH server.
● Run the display ssh server session command on the SSH server to check the
sessions between the SSH server and the SSH client.

7.6.2 Configuring a Device as an SFTP Client


Prerequisites
After a device is configured as an SFTP client, client authentication and
bidirectional data encryption are used to ensure secure file transfer and file and
directory management.
Before configuring a device to access files on another device as an SFTP client, you
have completed the following tasks:
● Ensure that there are reachable routes between the device and SSH server.
● Obtain the IP address of the SSH server and SSH user information, and ensure
that the SSH user has been assigned the highest privilege level.


● Obtain the port number configured for the server if the standard port number
is not used.

Context
Table 7-29 describes the process for configuring a device to access files on
another device as an SFTP client.

Table 7-29 Configuring a device to access files on another device as an SFTP client

No.: 1
Task: (Optional) Configure the source interface or source IP address for the SFTP client.
Description: Configure the source interface or source IP address for the SFTP client to implement security verification.
Remarks: Tasks 1, 2, and 3 can be performed in any sequence.

No.: 2
Task: Configure the mode for connecting a device to the SSH server for the first time.
Description: You can enable first login for the SSH client or configure the SSH client to assign a public key to the SSH server.
Remarks: Tasks 1, 2, and 3 can be performed in any sequence.

No.: 3
Task: Configure SFTP client parameters.
Description: SFTP client parameters include the interval for sending keepalive packets and the maximum number of keepalive packets sent by the SFTP client.
Remarks: Tasks 1, 2, and 3 can be performed in any sequence.

No.: 4
Task: (One-click mode) Log in to another device to perform file operations, or (Interactive mode) Log in to another device to perform file operations.
Description:
● One-click mode: You can upload and download files while the connection is set up.
● Interactive mode: After the SSH server is connected, you can perform operations on directories and files on the SSH server and view the help of commands on the SFTP client.
Remarks: Select only one of the two tasks.

No.: 5
Task: Disconnect from the SFTP server.
Description: -
Remarks: -

Procedure
● (Optional) Configure the source interface or source IP address for the
SFTP client.

The source IP address to be configured must be that of a stable interface, such as a loopback interface. This configuration makes it easier to configure ACL rules. You simply need to specify the source or destination IP address in an ACL rule as the interface IP address, thereby allowing the device to filter incoming and outgoing packets.

Table 7-30 Configuring the source interface or source IP address for the SFTP client

Operation: Enter the system view.
Command: system-view
Description: -

Operation: Configure the source interface or source IP address for the SFTP client.
Command: sftp client-source { -a source-ip-address [ public-net | -vpn-instance vpn-instance-name ] | -i { interface-type interface-number | interface-name } } or sftp ipv6 client-source -a source-ipv6-address [ -vpn-instance ipv6-vpn-instance-name ]
Description: By default, the source IP address is 0.0.0.0.

● Configure the mode for connecting a device to the SSH server for the first
time.

For details, see "Configuring the Mode for Connecting a Device to the SSH
Server for the First Time" in CLI Configuration Guide > Security Configuration.
● Configure SFTP client parameters.

For details, see "Setting SSH Client Parameters" in CLI Configuration Guide >
Security Configuration.
● (One-click mode) Log in to another device to perform file operations.


You can run the commands listed in the following table in the system view to
download files from the server or upload files to the server while the
connection is set up.

Table 7-31 One-click file operations using commands

Operation: Connect to the SFTP server using an IPv4 address.
Command: sftp client-transfile { get | put } [ -a source-address | -i interface-type interface-number ] host-ip host-ipv4 [ port ] [ public-net | -vpn-instance vpn-instance-name | prefer_kex prefer_kex | identity-key { rsa | dsa | ecc } | prefer_ctos_cipher prefer_ctos_cipher | prefer_stoc_cipher prefer_stoc_cipher | prefer_ctos_hmac prefer_ctos_hmac | prefer_stoc_hmac prefer_stoc_hmac | -ki interval | -kc count ] * username user-name password password sourcefile source-file [ destination destination ]
Description: Connect to the SFTP server in IPv4 mode and download files from the server to the SFTP client or upload files from the SFTP client to the server.

Operation: Connect to the SFTP server using an IPv6 address.
Command: sftp client-transfile { get | put } ipv6 [ -a source-ipv6-address ] host-ip host-ipv6 [ -oi interface-type interface-number ] [ port ] [ public-net | -vpn-instance vpn-instance-name | prefer_kex prefer_kex | identity-key { rsa | dsa | ecc } | prefer_ctos_cipher prefer_ctos_cipher | prefer_stoc_cipher prefer_stoc_cipher | prefer_ctos_hmac prefer_ctos_hmac | prefer_stoc_hmac prefer_stoc_hmac | -ki interval | -kc count ] * username user-name password password sourcefile source-file [ destination destination ]
Description: Connect to the SFTP server in IPv6 mode and download files from the server to the SFTP client or upload files from the SFTP client to the server.

The following is used for reference only.
<HUAWEI> system-view
[HUAWEI] sftp client-transfile get host-ip 10.10.1.1 username client password YsHsjx_202206 sourcefile sourcefile.txt
Trying 10.10.1.1 ...
Press CTRL+K to abort
Connected to 10.10.1.1 ...
Remote file: /sourcefile.txt ---> Local file: 1#flash:/sourcefile.txt
Downloading the file. Please wait..
Downloading file successfully ended.
File download is completed in 375 seconds.

● (Interactive mode) Log in to another device to perform file operations.


a. Connect to another device using SFTP commands.

Table 7-32 Connecting to another device using SFTP commands

Operation: Connect to the SFTP server using an IPv4 address in the system view.
Command: sftp [ -a source-ip-address | -i interface-type interface-number ] [ -force-receive-pubkey ] host-ip-address [ port-number ] [ [ prefer_kex prefer_kex ] | [ prefer_ctos_cipher prefer_ctos_cipher ] | [ prefer_stoc_cipher prefer_stoc_cipher ] | [ prefer_ctos_hmac prefer_ctos_hmac ] | [ prefer_stoc_hmac prefer_stoc_hmac ] | [ prefer_ctos_compress zlib ] | [ prefer_stoc_compress zlib ] | [ public-net | -vpn-instance vpn-instance-name ] | [ -ki interval ] | [ -kc count ] | [ identity-key identity-key-type ] | [ user-identity-key user-key ] ] *
Description: Select either of the commands based on the address type. In most cases, only IP addresses need to be specified in the command. If the source interface is specified using -i interface-type interface-number, the public-net and -vpn-instance vpn-instance-name parameters are not supported.

Operation: Connect to the SFTP server using an IPv6 address in the system view.
Command: sftp ipv6 [ -force-receive-pubkey ] [ -a source-ipv6-address ] host-ipv6-address [ [ [ -vpn-instance vpn-instance-name ] | public-net ] | [ -oi { interface-name | interface-type interface-number } ] [ port-number ] | [ prefer_kex { prefer_kex } ] | [ prefer_ctos_cipher prefer_ctos_cipher ] | [ prefer_stoc_cipher prefer_stoc_cipher ] | [ prefer_ctos_hmac prefer_ctos_hmac ] | [ prefer_stoc_hmac prefer_stoc_hmac ] | [ prefer_ctos_compress zlib ] | [ prefer_stoc_compress zlib ] | [ -ki interval ] | [ -kc count ] | [ identity-key identity-key-type ] | [ user-identity-key user-key ] ] *
Description: Select either of the commands based on the address type. In most cases, only IP addresses need to be specified in the command.

For example, after you run the following commands:
<HUAWEI> system-view
[HUAWEI] sftp 10.137.217.201

If the command prompt sftp-client> is displayed, you have entered the SFTP client view, indicating that the SFTP client is successfully connected to the server.
b. Perform file operations using SFTP commands.
After logging in to the SSH server from the SFTP client, you can perform
the operations listed in Table 7-33 on the SFTP client.
You can perform one or more operations listed in the following table, and
in any sequence.

Table 7-33 Performing file operations using SFTP commands

Operation: Change the current working directory.
Command: cd [ path ]
Description: -

Operation: Change the current working directory to its upper-level directory.
Command: cdup
Description: -

Operation: Display the current working directory.
Command: pwd
Description: -

Operation: Display the list of files in the specified directory.
Command: dir [ remote-directory [ local-filename ] ] or ls [ remote-directory [ local-filename ] ]
Description: The dir command has the same effect as the ls command.

Operation: Delete a directory from the server.
Command: rmdir directory-name
Description: A maximum of 10 directories can be deleted at a time. Before running the rmdir command to delete directories, ensure that the directories do not contain any files. Otherwise, the deletion fails.

Operation: Create a directory on the server.
Command: mkdir remote-directory
Description: -

Operation: Rename a file on the server.
Command: rename old-name new-name
Description: -

Operation: Download a file from the server.
Command: get remote-filename [ local-filename ]
Description: -

Operation: Upload a file to the server.
Command: put local-filename [ remote-filename ]
Description: -

Operation: Delete a file from the server.
Command: remove path or delete path
Description: A maximum of 10 files can be deleted at a time. The remove command has the same effect as the delete command.

Operation: Display the command help on the SFTP client.
Command: help [ command-name ]
Description: -

● Disconnect from the SFTP server.


Table 7-34 Disconnecting from the SFTP server

Operation: Disconnect from the SFTP server.
Command: quit
Description: You can also run the bye or exit command to disconnect from the SFTP server.

----End

Verifying the Configuration


● Run the display sftp client command to check the configuration of the SFTP
client.
● Run the display ssh server-info command to check the mapping between all
SSH servers and public keys on the client.

7.6.3 Example for Configuring a Device as an SFTP Server


Networking Requirements
In Figure 7-3, PC1 connects to the device at 10.136.23.4. Files need to be securely
transferred between PC1 and the device. To ensure secure file transfer, the device
needs to be configured as an SSH server to provide the SFTP service, so that the
SSH server can authenticate the client (PC1) and bidirectional data is encrypted. In
addition, an ACL policy needs to be configured so that only PC1 can access the
SSH server.

Figure 7-3 Network diagram for performing file operations using SFTP
NOTE

In this example, interface1 represents 10GE1/0/1.

Configuration Roadmap
The configuration roadmap is as follows:
1. Generate a local key pair and enable the SFTP server function on the SSH
server so that the server and client can securely exchange data.
2. Configure SSH user information including the authentication mode, service
type, authorized directory, user name, and password.
3. Configure access permissions on the SSH server to control access from SSH
users.


4. Connect to the SSH server from the PC using the third-party software
OpenSSH.

Procedure
Step 1 Configure an IP address for the SSH server.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] interface 10ge 1/0/1
[SSH Server-10GE1/0/1] undo portswitch
[SSH Server-10GE1/0/1] ip address 10.136.23.4 255.255.255.0
[SSH Server-10GE1/0/1] quit

Step 2 On the SSH server, generate a local key pair and enable the SFTP server function.
[SSH Server] dsa local-key-pair create
Info: The key name will be: Host_DSA
Info: The key modulus can be any one of the following :
2048.
Info: Key pair generation will take a short while.
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.
[SSH Server] sftp server enable
[SSH Server] ssh server-source all-interface

Step 3 Configure the public key algorithm, encryption algorithm, key exchange algorithm
list, HMAC authentication algorithm, and minimum key length on the SSH server.
[SSH Server] ssh server cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
[SSH Server] ssh server hmac sha2_256 sha2_512
[SSH Server] ssh server key-exchange dh_group_exchange_sha256 dh_group16_sha512
[SSH Server] ssh server publickey rsa_sha2_256 rsa_sha2_512
[SSH Server] ssh server dh-exchange min-len 3072

Step 4 Configure SSH user information including the authentication mode, service type,
authorized directory, user name, and password.
[SSH Server] ssh user client001 authentication-type password
Info: Succeeded in adding a new SSH user.
[SSH Server] ssh user client001 service-type sftp
[SSH Server] ssh user client001 sftp-directory flash:/
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password
Please configure the login password (8-128)
It is recommended that the password consist of at least 2 types of characters, including lowercase letters,
uppercase letters, numerals and special characters.
Please enter password:
Please confirm password:
Info: Add a new user.
[SSH Server-aaa] local-user client001 privilege level 3
[SSH Server-aaa] local-user client001 service-type terminal ssh
[SSH Server-aaa] quit

Step 5 Configure access permissions on the SSH server.
[SSH Server] acl 2001
[SSH Server-acl4-basic-2001] rule permit source 10.136.23.10 0
[SSH Server-acl4-basic-2001] rule deny source 10.136.23.20 0
[SSH Server-acl4-basic-2001] quit
[SSH Server] ssh server acl 2001

----End

Verifying the Configuration


Connect to the SSH server from the PC using the third-party software OpenSSH.


The Windows CLI can identify OpenSSH commands only when OpenSSH is
installed on the terminal.
C:/Documents and Settings/Administrator> sftp client001@10.136.23.4
Connecting to 10.136.23.4...
The authenticity of host "10.136.23.4 (10.136.23.4)" can't be established.
DSA key fingerprint is 0d:48:82:fd:2f:52:1c:f0:c4:22:70:80:8f:7b:fd:78.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added "10.136.23.4" (DSA) to the list of known hosts.
client001@10.136.23.4's password:
sftp>

After you connect to the SSH server using the third-party software, the SFTP view
is displayed. You can then perform file operations in the SFTP view.

Configuration Scripts
#
sysname SSH Server
#
acl number 2001
rule 5 permit source 10.136.23.10 0
rule 10 deny source 10.136.23.20 0
#
aaa
local-user client001 password irreversible-cipher $1d$v!=.5/:(q-$xL=\K+if"'S}>k7vGP5$_ox0B@ys7.'DBHL~3*aN$
local-user client001 service-type terminal ssh
local-user client001 privilege level 3
#
interface 10GE1/0/1
undo portswitch
ip address 10.136.23.4 255.255.255.0
#
sftp server enable
ssh server-source all-interface
ssh server acl 2001
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type sftp
ssh user client001 sftp-directory flash:
#
ssh server cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
ssh server hmac sha2_256 sha2_512
ssh server key-exchange dh_group_exchange_sha256 dh_group16_sha512
ssh server publickey rsa_sha2_256 rsa_sha2_512
ssh server dh-exchange min-len 3072
#
return

7.6.4 Example for Configuring a Device as an SFTP Client

Networking Requirements
The SSH protocol uses encryption to secure the connection between a client and a
server. All user authentication, commands, output, and file transfers are encrypted
to protect against attacks in the network. A client can securely connect to the SSH
server and transfer files using SFTP.

In Figure 7-4, routes between the SSH server and clients client001 and client002
are reachable. In this example, a Huawei device functions as the SSH server.


The two clients are required to connect to the SSH server in password and DSA
authentication modes respectively to ensure secure access to files on the SSH
server.

Figure 7-4 Network diagram for accessing files on another device using SFTP
NOTE

In this example, interface1 represents 10GE1/0/1.

Configuration Roadmap
The configuration roadmap is as follows:

1. Generate a local key pair and enable the SFTP server function on the server so
that the server and client can securely exchange data.
2. On the SSH server, configure client001 and client002 to access the SSH
server in password and DSA authentication modes, respectively.
3. Generate a local key pair on client002 and configure the DSA public key of
client002 on the SSH server so that the server can authenticate the client
when the client attempts to access the server.
4. Configure client001 and client002 to connect to the SSH server using SFTP
for file access.

Procedure
Step 1 On the server, generate a local key pair and enable the SFTP server function.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] dsa local-key-pair create
Info: The key name will be: Host_DSA
Info: The key modulus can be any one of the following : 2048.
Info: Key pair generation will take a short while.
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.
[SSH Server] sftp server enable
[SSH Server] ssh server-source all-interface

Step 2 Configure the public key algorithm, encryption algorithm, key exchange algorithm
list, HMAC authentication algorithm, and minimum key length on the SSH server.
[SSH Server] ssh server cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
[SSH Server] ssh server hmac sha2_256 sha2_512
[SSH Server] ssh server key-exchange dh_group_exchange_sha256 dh_group16_sha512
[SSH Server] ssh server publickey rsa_sha2_256 rsa_sha2_512
[SSH Server] ssh server dh-exchange min-len 3072


Step 3 Create SSH users on the server.
# Create an SSH user named client001 and configure the password authentication mode for the user.
[SSH Server] ssh user client001
[SSH Server] ssh user client001 authentication-type password
[SSH Server] ssh user client001 service-type sftp
[SSH Server] ssh user client001 sftp-directory flash:/
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password
Please configure the login password (8-128)
It is recommended that the password consist of at least 2 types of characters, including lowercase letters,
uppercase letters, numerals and special characters.
Please enter password:
Please confirm password:
Info: Add a new user.
[SSH Server-aaa] local-user client001 service-type terminal ssh
[SSH Server-aaa] local-user client001 privilege level 3
[SSH Server-aaa] quit

# Create an SSH user named client002 and configure the DSA authentication
mode for the user.
[SSH Server] ssh user client002
[SSH Server] ssh user client002 authentication-type dsa
[SSH Server] ssh authorization-type default root
[SSH Server] ssh user client002 service-type sftp
[SSH Server] ssh user client002 sftp-directory flash:/

Step 4 Configure the encryption algorithm, HMAC authentication algorithm, key exchange algorithm list, and public key algorithm on client001.
<HUAWEI> system-view
[HUAWEI] sysname client001
[client001] ssh client cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
[client001] ssh client hmac sha2_256 sha2_512
[client001] ssh client key-exchange dh_group_exchange_sha256 dh_group16_sha512
[client001] ssh client publickey rsa_sha2_256 rsa_sha2_512

Step 5 Generate a local key pair on client002 and configure the DSA public key of
client002 on the SSH server.
# Generate a local key pair on the client.
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] dsa local-key-pair create
Info: The key name will be: Host_DSA
Info: The key modulus can be any one of the following :
2048.
Info: Key pair generation will take a short while.
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.

# Configure the encryption algorithm, HMAC authentication algorithm, key exchange algorithm list, and public key algorithm on client002.
[client002] ssh client cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
[client002] ssh client hmac sha2_256 sha2_512
[client002] ssh client key-exchange dh_group_exchange_sha256 dh_group16_sha512
[client002] ssh client publickey rsa_sha2_256 rsa_sha2_512

# Check the DSA public key on the client.
[client002] display dsa local-key-pair public
========================================================
Time of key pair created : 2019-11-05 12:10:40
Key name : Host_DSA


Key modulus : 2048
Key type : DSA encryption key
========================================================
Key code:
3082010A
02820101
00BBB7A0 4924AF13 04F2662D 2ED43B9D 589967EB
D8A4F785 5AD1F662 13845081 0C65F6B3 88A9C415
D81C34BD 41A4B580 70DC7460 E4A5407B 9B95630F
E211F4B3 1115772D FB95D3DC 915A1858 D0DE49F7
F39DD7A7 7795F2B9 C9562E8B 598CB50F 6D39240D
B5C6F1D3 33A218D0 98C30104 F8F3A8CA 7172C95B
03AEC0A0 8A7E99F6 6C1939AA 52CC2E31 B6703278
AEE1BCD8 DC21FCA2 041C9A4C 1856A935 6894998D
FBFA88FF 1708C3A6 7E092368 ACE983D7 C8DDCDF5
26F5D4E5 16A15C5C D6D0018E 4EAFE055 B93FCB87
2BB46EFB 02C04C3B F167A417 380CD0B0 0BC59493
646CBE96 BCAF3DB7 AD0AFA0A 5D14155E D7F97DC1
32693DE5 4B103442 8E0F4DAD 2598BE5E 19
0203
010001

Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAABAQC7t6BJJK8TBPJmLS7UO51YmWfr2KT3hVrR
9mIThFCBDGX2s4ipxBXYHDS9QaS1gHDcdGDkpUB7m5VjD+IR9LMRFXct+5XT3JFa
GFjQ3kn3853Xp3eV8rnJVi6LWYy1D205JA21xvHTM6IY0JjDAQT486jKcXLJWwOu
wKCKfpn2bBk5qlLMLjG2cDJ4ruG82Nwh/KIEHJpMGFapNWiUmY37+oj/FwjDpn4J
I2is6YPXyN3N9Sb11OUWoVxc1tABjk6v4FW5P8uHK7Ru+wLATDvxZ6QXOAzQsAvF
lJNkbL6WvK89t60K+gpdFBVe1/l9wTJpPeVLEDRCjg9NrSWYvl4Z
---- END SSH2 PUBLIC KEY ----

Public key code for pasting into OpenSSH authorized_keys file:
ssh-dsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7t6BJJK8TBPJmLS7UO51YmWfr2KT3hVrR9mIThFCB
DGX2s4ipxBXYHDS9QaS1gHDcdGDkpUB7m5VjD+IR9LMRFXct+5XT3JFaGFjQ3kn3853Xp3eV8rnJVi6L
WYy1D205JA21xvHTM6IY0JjDAQT486jKcXLJWwOuwKCKfpn2bBk5qlLMLjG2cDJ4ruG82Nwh/KIEHJpM
GFapNWiUmY37+oj/FwjDpn4JI2is6YPXyN3N9Sb11OUWoVxc1tABjk6v4FW5P8uHK7Ru+wLATDvxZ6QX
OAzQsAvFlJNkbL6WvK89t60K+gpdFBVe1/l9wTJpPeVLEDRCjg9NrSWYvl4Z== dsa-key

# Configure the DSA public key of the client on the server. (The key code in the display command output, shown in bold in the original, is the DSA public key of the client. Copy it to the server.)
[SSH Server] dsa peer-public-key dsakey001 encoding-type der
[SSH Server-dsa-public-key] public-key-code begin
[SSH Server-dsa-public-key-dsa-key-code] 3082010A
[SSH Server-dsa-public-key-dsa-key-code] 02820101
[SSH Server-dsa-public-key-dsa-key-code] 00BBB7A0 4924AF13 04F2662D 2ED43B9D 589967EB
[SSH Server-dsa-public-key-dsa-key-code] D8A4F785 5AD1F662 13845081 0C65F6B3 88A9C415
[SSH Server-dsa-public-key-dsa-key-code] D81C34BD 41A4B580 70DC7460 E4A5407B 9B95630F
[SSH Server-dsa-public-key-dsa-key-code] E211F4B3 1115772D FB95D3DC 915A1858 D0DE49F7
[SSH Server-dsa-public-key-dsa-key-code] F39DD7A7 7795F2B9 C9562E8B 598CB50F 6D39240D
[SSH Server-dsa-public-key-dsa-key-code] B5C6F1D3 33A218D0 98C30104 F8F3A8CA 7172C95B
[SSH Server-dsa-public-key-dsa-key-code] 03AEC0A0 8A7E99F6 6C1939AA 52CC2E31 B6703278
[SSH Server-dsa-public-key-dsa-key-code] AEE1BCD8 DC21FCA2 041C9A4C 1856A935 6894998D
[SSH Server-dsa-public-key-dsa-key-code] FBFA88FF 1708C3A6 7E092368 ACE983D7 C8DDCDF5
[SSH Server-dsa-public-key-dsa-key-code] 26F5D4E5 16A15C5C D6D0018E 4EAFE055 B93FCB87
[SSH Server-dsa-public-key-dsa-key-code] 2BB46EFB 02C04C3B F167A417 380CD0B0 0BC59493
[SSH Server-dsa-public-key-dsa-key-code] 646CBE96 BCAF3DB7 AD0AFA0A 5D14155E D7F97DC1
[SSH Server-dsa-public-key-dsa-key-code] 32693DE5 4B103442 8E0F4DAD 2598BE5E 19
[SSH Server-dsa-public-key-dsa-key-code] 0203
[SSH Server-dsa-public-key-dsa-key-code] 010001
[SSH Server-dsa-public-key-dsa-key-code] public-key-code end
[SSH Server-dsa-public-key] peer-public-key end
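Before the key is bound to a user, it is worth confirming that the hex entered on the server is the key the client actually displayed. The following Python is an added example, not part of this guide or of the switch software: it parses the DER hex from this page with a minimal ASN.1 reader, re-encodes the key in the OpenSSH wire format, and checks the result against the PEM body printed on this page for the same key. It also decodes the type string carried inside the blob, which for this key reads ssh-rsa (the DER is an RSA modulus/exponent pair); that embedded field, not the label written in front of the blob, is what a server checks. The fingerprints it computes are what a client compares on first connection, so the same routine serves the host-key prompt shown in the OpenSSH scp session in 7.7.1. The constants PAGE_DER_HEX and PAGE_PEM_BODY are copied from this page, dsakey001 is the page's key name, and all function names are the example's own.

```python
import base64
import hashlib
import struct

# Constructed from the page: the DER (PKCS#1 RSAPublicKey) hex that the
# configuration script loads with "dsa peer-public-key dsakey001 encoding-type der".
PAGE_DER_HEX = """
3082010A
02820101
00BBB7A0 4924AF13 04F2662D 2ED43B9D 589967EB D8A4F785 5AD1F662 13845081
0C65F6B3 88A9C415 D81C34BD 41A4B580 70DC7460 E4A5407B 9B95630F E211F4B3
1115772D FB95D3DC 915A1858 D0DE49F7 F39DD7A7 7795F2B9 C9562E8B 598CB50F
6D39240D B5C6F1D3 33A218D0 98C30104 F8F3A8CA 7172C95B 03AEC0A0 8A7E99F6
6C1939AA 52CC2E31 B6703278 AEE1BCD8 DC21FCA2 041C9A4C 1856A935 6894998D
FBFA88FF 1708C3A6 7E092368 ACE983D7 C8DDCDF5 26F5D4E5 16A15C5C D6D0018E
4EAFE055 B93FCB87 2BB46EFB 02C04C3B F167A417 380CD0B0 0BC59493 646CBE96
BCAF3DB7 AD0AFA0A 5D14155E D7F97DC1 32693DE5 4B103442 8E0F4DAD 2598BE5E
19
0203
010001
"""
# The same key as the page prints it between the SSH2 PUBLIC KEY markers.
PAGE_PEM_BODY = (
    "AAAAB3NzaC1yc2EAAAADAQABAAABAQC7t6BJJK8TBPJmLS7UO51YmWfr2KT3hVrR"
    "9mIThFCBDGX2s4ipxBXYHDS9QaS1gHDcdGDkpUB7m5VjD+IR9LMRFXct+5XT3JFa"
    "GFjQ3kn3853Xp3eV8rnJVi6LWYy1D205JA21xvHTM6IY0JjDAQT486jKcXLJWwOu"
    "wKCKfpn2bBk5qlLMLjG2cDJ4ruG82Nwh/KIEHJpMGFapNWiUmY37+oj/FwjDpn4J"
    "I2is6YPXyN3N9Sb11OUWoVxc1tABjk6v4FW5P8uHK7Ru+wLATDvxZ6QXOAzQsAvF"
    "lJNkbL6WvK89t60K+gpdFBVe1/l9wTJpPeVLEDRCjg9NrSWYvl4Z"
)

def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length

def parse_rsa_public_key_der(der_hex):
    """Return (n, e) from SEQUENCE { INTEGER n, INTEGER e }; whitespace in the hex is ignored."""
    der = bytes.fromhex("".join(der_hex.split()))
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one DER SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(body, 0)
    tag_e, e_bytes, pos = _read_tlv(body, pos)
    if tag_n != 0x02 or tag_e != 0x02 or pos != len(body):
        raise ValueError("expected SEQUENCE { INTEGER n, INTEGER e }")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

def _ssh_string(data):
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:  # keep the two's-complement sign positive
        raw = b"\x00" + raw
    return _ssh_string(raw)

def openssh_rsa_blob(n, e):
    """RFC 4253 public-key blob: string "ssh-rsa", mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)

def blob_key_type(b64_blob):
    """The type string inside the blob (what the server checks), not the label in front of it."""
    raw = base64.b64decode(b64_blob)
    return raw[4:4 + struct.unpack(">I", raw[:4])[0]].decode("ascii")

def fingerprints(blob):
    """MD5 colon form (as older OpenSSH clients prompt with) and SHA256 form."""
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii").rstrip("=")
    return ":".join(md5[i:i + 2] for i in range(0, 32, 2)), "SHA256:" + sha

def check_page_key():
    """Cross-check the DER hex against the PEM body and build the authorized_keys line."""
    n, e = parse_rsa_public_key_der(PAGE_DER_HEX)
    blob = openssh_rsa_blob(n, e)
    b64 = base64.b64encode(blob).decode("ascii")
    md5_fp, sha256_fp = fingerprints(blob)
    return {
        "modulus_bits": n.bit_length(),
        "exponent": e,
        "blob_type": blob_key_type(PAGE_PEM_BODY),
        "der_matches_pem": b64 == PAGE_PEM_BODY,
        "authorized_keys_line": "ssh-rsa " + b64 + " dsakey001",
        "md5_fingerprint": md5_fp,
        "sha256_fingerprint": sha256_fp,
    }

if __name__ == "__main__":
    for key, value in check_page_key().items():
        print(key, ":", value)
```

If der_matches_pem comes back False after typing a key into the server view, one of the hex lines was mistyped, and the bind in the next step would leave the user with a key that never verifies.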

# Bind the client002 user to the DSA public key of client002.


[SSH Server] ssh user client002 assign dsa-key dsakey001

Step 6 Connect SFTP clients to the SSH server.

# Enable the first login function for the SSH clients.


Enable first login for client001.
<HUAWEI> system-view
[HUAWEI] sysname client001
[client001] ssh client first-time enable

Enable first login for client002.


[client002] ssh client first-time enable

# Log in to the SSH server from client001 in password authentication mode.


[client001] sftp 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
The server's public key does not match the one cached before.
The server is not authenticated. Continue to access it? [Y/N]:y
The keyname:10.1.1.1 already exists. Update it? [Y/N]:n

Please input the username: client001
Enter password:
sftp-client>

# Log in to the SSH server from client002 in DSA authentication mode.


[client002] sftp 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
The server's public key does not match the one cached before.
The server is not authenticated. Continue to access it? [Y/N]:y
The keyname:10.1.1.1 already exists. Update it? [Y/N]:n

Please input the username: client002
sftp-client>

----End

Verifying the Configuration


Run the display ssh server status command on the SSH server. The command
output indicates that the SFTP server function has been enabled. Run the display
ssh user-information command to check information about SSH users on the
server.
# Check the status of the SSH server.
[SSH Server] display ssh server status
SSH Version : 2.0
SSH authentication timeout (Seconds) : 60
SSH authentication retries (Times) :3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility : Disable
SSH server keepalive : Enable
SFTP IPv4 server : Enable
SFTP IPv6 server : Enable
STELNET IPv4 server : Enable
STELNET IPv6 server : Enable
SNETCONF IPv4 server : Disable
SNETCONF IPv6 server : Disable
SNETCONF IPv4 server port(830) : Disable
SNETCONF IPv6 server port(830) : Disable
SCP IPv4 server : Enable
SCP IPv6 server : Enable
SSH IPv4 server port : 22
SSH IPv6 server port : 22
ACL name : --
ACL number : --
ACL6 name : --
ACL6 number : --
SSH server ip-block : Enable

# Check information about SSH users.


[SSH Server] display ssh user-information
--------------------------------------------------------------------------------
User Name : client001
Authentication type : password
User public key name : --
User public key type : --
Sftp directory : flash:
Service type : sftp

User Name : client002
Authentication type : dsa
User public key name : --
User public key type : --
Sftp directory : flash:
Service type : sftp
--------------------------------------------------------------------------------
Total 2, 2 printed
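The two outputs above are what an operator reads to confirm the configuration. The following Python is an added example, not from this guide or the switch software: it parses both outputs and reports any deviation from the intended state, so the check can be scripted rather than read by eye. The sample outputs are constructed from the ones on this page (the server status is abridged), the EXPECTED_STATUS values are this example's own assumptions about what the configuration on this page intends, and all function names are the example's own.

```python
# Constructed from the page's display ssh server status output (abridged).
PAGE_SERVER_STATUS = """\
SSH Version : 2.0
SSH authentication timeout (Seconds) : 60
SSH authentication retries (Times) :3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility : Disable
SSH server keepalive : Enable
SFTP IPv4 server : Enable
SFTP IPv6 server : Enable
STELNET IPv4 server : Enable
SNETCONF IPv4 server : Disable
SCP IPv4 server : Enable
SSH IPv4 server port : 22
ACL name : --
ACL number : --
SSH server ip-block : Enable
"""

# Constructed from the page's display ssh user-information output.
PAGE_USER_INFO = """\
--------------------------------------------------------------------------------
User Name : client001
Authentication type : password
User public key name : --
User public key type : --
Sftp directory : flash:
Service type : sftp

User Name : client002
Authentication type : dsa
User public key name : --
User public key type : --
Sftp directory : flash:
Service type : sftp
--------------------------------------------------------------------------------
Total 2, 2 printed
"""

# Assumed intended state for this example (not stated as a rule by the guide).
EXPECTED_STATUS = {
    "SFTP IPv4 server": "Enable",
    "SSH version 1.x compatibility": "Disable",
    "SSH server ip-block": "Enable",
}

def parse_kv(text):
    """Turn 'key : value' lines into a dict; splits on the first colon only."""
    out = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            out[key.strip()] = value.strip()
    return out

def parse_users(text):
    """Split display ssh user-information into one dict per 'User Name' block."""
    users, current = {}, None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "User Name":
            current = users.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return users

def server_findings(status_text):
    """List deviations from EXPECTED_STATUS, plus a note when no ACL is bound."""
    status = parse_kv(status_text)
    findings = [f"{key}: expected {want}, found {status.get(key, '<missing>')}"
                for key, want in EXPECTED_STATUS.items() if status.get(key) != want]
    if status.get("ACL name") == "--" and status.get("ACL number") == "--":
        findings.append("no ACL restricts access to the SSH server")
    return findings

def user_findings(users, expected_auth):
    """Check that each user authenticates the way the design says it should."""
    return [f"{name}: expected {auth}, found "
            f"{users.get(name, {}).get('Authentication type', '<missing>')}"
            for name, auth in expected_auth.items()
            if users.get(name, {}).get("Authentication type") != auth]

if __name__ == "__main__":
    print(server_findings(PAGE_SERVER_STATUS))
    print(user_findings(parse_users(PAGE_USER_INFO),
                        {"client001": "password", "client002": "dsa"}))
```

Run against the outputs on this page, the only finding is that no ACL is bound to the SSH server, which is exactly the kind of gap a scripted check surfaces that a glance at the output does not.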

Configuration Scripts
● SSH server
#
sysname SSH Server
#
dsa peer-public-key dsakey001 encoding-type der
public-key-code begin
3082010A
02820101
00BBB7A0 4924AF13 04F2662D 2ED43B9D 589967EB D8A4F785 5AD1F662 13845081
0C65F6B3 88A9C415 D81C34BD 41A4B580 70DC7460 E4A5407B 9B95630F E211F4B3
1115772D FB95D3DC 915A1858 D0DE49F7 F39DD7A7 7795F2B9 C9562E8B 598CB50F
6D39240D B5C6F1D3 33A218D0 98C30104 F8F3A8CA 7172C95B 03AEC0A0 8A7E99F6
6C1939AA 52CC2E31 B6703278 AEE1BCD8 DC21FCA2 041C9A4C 1856A935 6894998D
FBFA88FF 1708C3A6 7E092368 ACE983D7 C8DDCDF5 26F5D4E5 16A15C5C D6D0018E
4EAFE055 B93FCB87 2BB46EFB 02C04C3B F167A417 380CD0B0 0BC59493 646CBE96
BCAF3DB7 AD0AFA0A 5D14155E D7F97DC1 32693DE5 4B103442 8E0F4DAD 2598BE5E
19
0203
010001
public-key-code end
peer-public-key end
#
aaa
local-user client001 password irreversible-cipher $1d$g8wLJ`LjL!$CyE(V{3qg5DdU:PM[6=6O$UF-.fQ,Q}>^)OBzgoU$
local-user client001 service-type terminal ssh
local-user client001 privilege level 3
#
sftp server enable
ssh server-source all-interface
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type sftp
ssh user client001 sftp-directory flash:/
ssh user client002
ssh user client002 authentication-type dsa
ssh user client002 assign dsa-key dsakey001
ssh user client002 service-type sftp
ssh user client002 sftp-directory flash:/
#
ssh server cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
ssh server hmac sha2_256 sha2_512
ssh server key-exchange dh_group_exchange_sha256 dh_group16_sha512
ssh server publickey rsa_sha2_256 rsa_sha2_512
ssh server dh-exchange min-len 3072
#
return

● client001
#
sysname client001
#
ssh client first-time enable
#
ssh client cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
ssh client hmac sha2_256 sha2_512
ssh client key-exchange dh_group_exchange_sha256 dh_group16_sha512
ssh client publickey rsa_sha2_256 rsa_sha2_512
#
return

● client002
#
sysname client002
#
ssh client first-time enable
#
ssh client cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
ssh client hmac sha2_256 sha2_512
ssh client key-exchange dh_group_exchange_sha256 dh_group16_sha512
ssh client publickey rsa_sha2_256 rsa_sha2_512
#
return

7.7 Managing Files Using SCP

7.7.1 Configuring a Device as an SCP Server


Prerequisites
The Secure Copy Protocol (SCP) runs on top of SSH. It allows a user terminal to
set up a secure connection to a remote device and upload or download files over
that connection.
Before configuring a device as an SCP server to manage files, you have completed
the following tasks:
● Ensure that there are reachable routes between the terminal and the device.
● Ensure that the terminal has SCP-capable SSH client software installed.

Context
Table 7-35 describes the process for configuring a device as an SCP server for file
management.

Table 7-35 Configuring a device as an SCP server for file management

No. 1
Task: Enable the SCP server function and configure related parameters.
Description: Generate a local key pair, enable the SCP server function, and configure SCP server parameters, including the port number, key pair update interval, SSH authentication timeout duration, and number of SSH authentication retries.
Remarks: Tasks 1 and 2 can be performed in any sequence.

No. 2
Task: Configure SSH user information.
Description: Create an SSH user, configure the authentication mode, and set the service type.
Remarks: Tasks 1 and 2 can be performed in any sequence.

No. 3
Task: Perform file operations using SCP.
Description: Upload files from and download files to the SCP client.

Default Settings

Table 7-36 Default settings

Parameter Default Setting

SCP server function Disabled

Procedure
● Enable the SCP server function and configure related parameters.
For details about how to generate the local server key pair and how to set
server parameters including the port number, key pair update interval, SSH
authentication timeout interval, and number of SSH authentication retries,
see "Configuring the SSH Server Function and Related Parameters" in CLI
Configuration Guide > Security Configuration. For details about how to
configure the SCP function, see Table 7-37.

Table 7-37 Enabling the SCP server function and configuring related parameters

Operation: Enter the system view.
Command: system-view
Description: -

Operation: Enable the SCP server function.
Command: scp [ ipv4 | ipv6 ] server enable
Description: By default, the SCP server function is disabled.

Operation: (Optional) Set the maximum number of SCP clients allowed to connect to an SCP server concurrently.
Command: scp max-sessions max-session-count
Description: By default, a maximum of two SCP clients are allowed to connect to an SCP server concurrently.

● Configure SSH user information.


For details, see "Configuring an SSH User" in CLI Configuration Guide >
Security Configuration.
● Perform file operations using SCP.
The SCP-capable SSH client software must be installed on the terminal, so
that the terminal can connect to the device using SCP to upload or download
files. The following describes how to connect to the device using OpenSSH
and the Windows CLI.
– For details about how to install OpenSSH, see the OpenSSH installation
guide.
– To use OpenSSH to connect to the device using SCP, run the OpenSSH
commands. For details about OpenSSH commands, see the OpenSSH
help.
– The Windows CLI can identify OpenSSH commands only when OpenSSH
is installed on the terminal.
Access the Windows CLI and run the OpenSSH commands to connect to the
device for file operations using SCP. (The following information is for
reference only.)
C:\Documents and Settings\Administrator> scp scpuser@10.136.23.5:flash:/vrpcfg.zip vrpcfg-backup.zip
The authenticity of host '10.136.23.5 (10.136.23.5)' can't be established.
DSA key fingerprint is 46:b2:8a:52:88:42:41:d4:af:8f:4a:41:d9:b8:4f:ee.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.136.23.5' (DSA) to the list of known hosts.
scpuser@10.136.23.5's password:
vrpcfg.zip 100% 1257 1.2KB/s 00:00
Read from remote host 10.136.23.5: Connection reset by peer

C:\Documents and Settings\Administrator>

As the preceding output shows, the terminal connects to the SCP server, uploads
or downloads the file as part of the same command, and then returns to the local
directory.
● Disconnect from the SCP server.

Table 7-38 Disconnecting from the SCP server

Operation: Disconnect from the SCP server.
Command: quit
Description: You can also run the bye or exit command to disconnect from the SCP server.

----End

Verifying the Configuration


● Run the display ssh user-information [ username ] command to check SSH
user information on the SSH server.
● Run the display ssh server status command to check global configuration of
the SSH server.
● Run the display ssh server session command on the SSH server to check the
sessions between the SSH server and the SSH client.

7.7.2 Configuring a Device as an SCP Client

Prerequisites
SCP is a utility of the SSH protocol that is used to securely copy files from one
system to another. A device can be configured as an SCP client to set up a secure
connection with an SCP server to upload or download files.

Before configuring a device to access files on another device as an SCP client, you
have completed the following tasks:

● Ensure that there are reachable routes between the device and SSH server.
● Obtain the host name or IP address of the SSH server and SSH user
information.
● Obtain the port number configured for the server if the standard port number
is not used.

Context
Table 7-39 describes the process for configuring a device to access files on
another device as an SCP client.

Table 7-39 Configuring a device to access files on another device as an SCP client

No. 1
Task: (Optional) Configure the source interface or source IP address for the SCP client.
Description: Configure the source interface or source IP address for the SCP client to implement security verification.
Remarks: Tasks 1, 2, and 3 can be performed in any sequence.

No. 2
Task: Configure the mode for connecting a device to the SSH server for the first time.
Description: You can enable first login for the SSH client or configure the SSH client to assign a public key to the SSH server.
Remarks: Tasks 1, 2, and 3 can be performed in any sequence.

No. 3
Task: Configure SCP client parameters.
Description: SCP client parameters include the interval for sending keepalive packets and the maximum number of keepalive packets sent by the SCP client.
Remarks: Tasks 1, 2, and 3 can be performed in any sequence.

No. 4
Task: Connect to another device using SCP commands.
Description: -

Procedure
● (Optional) Configure the source interface or source IP address for the SCP
client.

Table 7-40 (Optional) Configuring the source interface or source IP address for the SCP client

Operation: Enter the system view.
Command: system-view
Description: -

Operation: Configure the source interface or source IP address for the SCP client.
Command (IPv4): scp client-source { -a source-ip-address [ public-net | -vpn-instance vpn-instance-name ] | -i { interface-type interface-number | interface-name } }
Command (IPv6): scp ipv6 client-source -a source-ipv6-address [ -vpn-instance ipv6-vpn-instance-name ]
Description: By default, the source IPv4 address of an SCP client is 0.0.0.0, and the IPv6 address of an SCP client is 0::0. To use -i to specify a logical interface as the source interface, ensure that the logical interface has been created.

● Configure the mode for connecting a device to the SSH server for the first
time.

For details, see "Configuring the Mode for Connecting a Device to the SSH
Server for the First Time" in CLI Configuration Guide > Security Configuration.
● Configure SCP client parameters.
For details, see "Setting SSH Client Parameters" in CLI Configuration Guide >
Security Configuration.
● Connect to another device using SCP commands.
Unlike SFTP, which uses separate commands for connection setup and file transfer,
SCP uploads or downloads the file in the same command that establishes the
connection to the server.

Table 7-41 Connecting to another device using SCP commands

Operation: Enter the system view.
Command: system-view
Description: -

Operation: Connect to the SCP server using an IPv4 address.
Command: scp [ -a source-ip-address | -i interface-type interface-number ] [ -force-receive-pubkey ] [ [ -port server-port ] | [ public-net | vpn-instance vpn-instance-name ] | [ identity-key identity-key-type ] | [ user-identity-key user-key ] | -r | -c | [ -cipher cipher ] | [ -prefer-kex prefer-kex ] ] * source-filename destination-filename
Description: Select either of the commands based on the address type. If the source interface is specified using -i interface-type interface-number, the public-net and vpn-instance vpn-instance-name parameters are not supported.

Operation: Connect to the SCP server using an IPv6 address.
Command: scp ipv6 [ [ vpn-instance vpn-instance-name ] | public-net ] [ -force-receive-pubkey ] [ [ -port server-port ] | [ identity-key identity-key-type ] | [ user-identity-key user-key ] | [ [ -a source-ipv6-address ] | [ -oi { interface-name | interface-type interface-number } ] ] | -r | -c | [ -cipher cipher ] | [ -prefer-kex prefer-kex ] ] * source-filename destination-filename
Description: Select either of the commands based on the address type. If the source interface is specified using -i interface-type interface-number, the public-net and vpn-instance vpn-instance-name parameters are not supported.

----End

Verifying the Configuration


● Run the display scp client command to check the configuration of the SCP
client.
● Run the display ssh server-info command to check the mapping between all
SSH servers and public keys on the client.

7.7.3 Example for Configuring a Device as an SCP Client

Networking Requirements
Compared with SFTP, SCP simplifies file transfer operations by combining user
identity authentication and file transfer to improve configuration efficiency.

In Figure 7-5, the routes between the SCP client and SSH server are reachable.
The SCP client needs to download files from the SSH server.

Figure 7-5 Network diagram for configuring a device to access files on another
device as an SCP client
NOTE

In this example, interface1 represents 10GE1/0/1.

Configuration Roadmap
The configuration roadmap is as follows:

1. Generate a local key pair on the SSH server.
2. Create an SSH user on the SSH server.
3. Enable the SCP server function on the SSH server.
4. Download files from the SSH server to the SCP client.

Procedure
Step 1 Generate a local key pair on the server.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be:Host
The range of public key size is (2048, 4096).
NOTE: Key pair generation will take a short while.
Please input the modulus [default = 3072]:

Step 2 Create an SSH user on the server.

# Configure a VTY user interface.


[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit

# Create an SSH user named Client, set the authentication mode to password,
and set the service type to all.

[SSH Server] ssh user Client
[SSH Server] ssh user Client authentication-type password
[SSH Server] ssh user Client service-type all

# Set a password for the Client user.


[SSH Server] aaa
[SSH Server-aaa] local-user Client password
Please configure the login password (8-128)
It is recommended that the password consist of at least 2 types of characters, including lowercase letters,
uppercase letters, numerals and special characters.
Please enter password:
Please confirm password:
Info: Add a new user.
[SSH Server-aaa] local-user Client service-type terminal ssh
[SSH Server-aaa] local-user Client privilege level 3
[SSH Server-aaa] quit

Step 3 Enable the SCP server function on the SSH server.


[SSH Server] scp server enable
[SSH Server] ssh server-source all-interface

Step 4 Configure the public key algorithm, encryption algorithm, key exchange algorithm
list, HMAC authentication algorithm, and minimum key length on the SSH server.
[SSH Server] ssh server cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
[SSH Server] ssh server hmac sha2_256 sha2_512
[SSH Server] ssh server key-exchange dh_group_exchange_sha256 dh_group16_sha512
[SSH Server] ssh server publickey rsa_sha2_256 rsa_sha2_512
[SSH Server] ssh server dh-exchange min-len 3072

Step 5 Configure the encryption algorithm, HMAC authentication algorithm, key
exchange algorithm list, and public key algorithm on the client.
<HUAWEI> system-view
[HUAWEI] sysname SCP Client
[SCP Client] ssh client cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
[SCP Client] ssh client hmac sha2_256 sha2_512
[SCP Client] ssh client key-exchange dh_group_exchange_sha256 dh_group16_sha512
[SCP Client] ssh client publickey rsa_sha2_256 rsa_sha2_512

----End

Verifying the Configuration


Download files from the SSH server to the SCP client.

# Enable the first login function for the SSH client.


<HUAWEI> system-view
[HUAWEI] sysname SCP Client
[SCP Client] ssh client first-time enable

# Download the backup.cfg file from the SSH server at 10.1.1.1 to the local
directory using the aes256_ctr encryption algorithm.
[SCP Client] scp -cipher aes256_ctr Client1@10.1.1.1:backup.cfg backup.cfg
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
Continue to access it? [Y/N]:y
[Y/N]:y
The server's public key will be saved with the name 10.1.1.1. Please wait...

Enter password:
backup.cfg 100% 19174Bytes 7Kb/s

Configuration Scripts
● SSH server
#
sysname SSH Server
#
aaa
local-user Client password irreversible-cipher $#z$!9S<a#>H7{7dI>%0S{AcKGC=t:zjv14LlQqHO\
\P.*=<x1]u;y*P`'GR3[m}$
local-user Client service-type terminal ssh
local-user Client privilege level 3
#
scp server enable
ssh server-source all-interface
ssh user Client
ssh user Client authentication-type password
ssh user Client service-type all
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
ssh server cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
ssh server hmac sha2_256 sha2_512
ssh server key-exchange dh_group_exchange_sha256 dh_group16_sha512
ssh server publickey rsa_sha2_256 rsa_sha2_512
ssh server dh-exchange min-len 3072
#
return

● SCP client
#
sysname SCP Client
#
ssh client first-time enable
#
ssh client cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
ssh client hmac sha2_256 sha2_512
ssh client key-exchange dh_group_exchange_sha256 dh_group16_sha512
ssh client publickey rsa_sha2_256 rsa_sha2_512
#
return

7.8 Managing Files Using TFTP

7.8.1 Configuring a Device as a TFTP Client

Prerequisites
You can configure a device as a TFTP client so that it can connect to a TFTP
server and upload files to or download files from that server.

Before configuring a device to access files on another device as a TFTP client, you
have completed the following tasks:

● Ensure that there are reachable routes between the device and TFTP server.
● Obtain the IP address of the TFTP server and the directory for storing the files
to be downloaded or uploaded.
● Run the install feature-software WEAKEA command to install the weak
security algorithm/protocol feature package (WEAKEA).

Context
NOTE
SFTP V2 or SCP is more secure than TFTP, and is therefore recommended.
In FIPS mode, TFTP cannot be used.

Table 7-42 describes the process for configuring a device to access files on
another device as a TFTP client.

Table 7-42 Configuring a device to access files on another device as a TFTP client

No. 1
Task: (Optional) Configure the source address for the TFTP client.
Description: Configure the source interface or source IP address for the TFTP client to implement security verification.
Remarks: Tasks 1 and 2 can be performed in any sequence.

No. 2
Task: (Optional) Configure TFTP access control.
Description: Configure TFTP access control to improve access security.
Remarks: Tasks 1 and 2 can be performed in any sequence.

No. 3
Task: Transfer files using TFTP.
Description: Upload and download files.

Procedure
● (Optional) Configure the source interface or source address for the TFTP
client.
The source IP address to be configured must be that of a stable interface,
such as a loopback interface. This configuration makes it easier to configure
ACL rules. You simply need to specify the source or destination IP address in
an ACL rule as the interface IP address, thereby allowing the device to filter
incoming and outgoing packets.

Table 7-43 (Optional) Configuring the source interface or source address for the TFTP client

Operation: Enter the system view.
Command: system-view
Description: -

Operation: Configure the source interface or source IP address for the TFTP client.
Command (IPv4): tftp client source { -a ip-address | -i interface-type interface-number }
Command (IPv6): tftp ipv6 client source -a ipv6-address [ -vpn-instance ipv6-vpn-instance-name ]
Description: By default, the source IPv4 address and source IPv6 address of a TFTP client are 0.0.0.0 and 0::0, respectively. If an interface is specified, set an IP address for the interface. Otherwise, the TFTP connection fails to be set up.

● (Optional) Configure TFTP access control.


An ACL is a list of rules that classify and filter packets according to their
source address, destination address, port number, and other fields. After an
ACL is applied to a routing device, the routing device determines whether to
permit or deny a packet based on the ACL rules.
Multiple rules can be defined in an ACL. ACL rules are classified into basic,
advanced, and Layer 2 ACL rules based on rule functions.

NOTE
TFTP supports only basic ACLs, whose numbers range from 2000 to 2999.
ACL rule matching for TFTP:
● When the permit action is defined in an ACL rule, the local device can set up
TFTP connections with devices that match the rule.
● When the deny action is defined in an ACL rule, the local device cannot set up
TFTP connections with devices that match the rule.
● If packets from other devices do not match any rule in an ACL, the local device
cannot set up TFTP connections with those devices.
● If no rule is defined in an ACL, the local device can set up TFTP connections with
any other devices.

Table 7-44 (Optional) Configuring TFTP access control

Operation: Enter the system view.
Command: system-view
Description: -

Operation: Create an ACL and enter the ACL view.
Command: acl { [ number ] acl-number | name acl-name }
Description: By default, no ACL is created.

Operation: Configure an ACL rule.
Command: rule [ rule-id ] [ name rule-name ] { permit | deny } [ fragment-type fragment | source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | time-range time-name | vpn-instance vpn-instance-name | logging ] *
Description: By default, no rule is configured in the basic ACL view.

Operation: Return to the system view.
Command: quit
Description: -

Operation: Configure TFTP access control.
Command: tftp server [ ipv6 ] acl acl-number
Description: -
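The four matching outcomes in the note above (permit, deny, no match, empty ACL) decide which peers may open a TFTP session once the ACL is bound with tftp server acl. The following Python is an added example, not from this guide or the switch software: it models a basic ACL built the way Table 7-44 describes and applies those four outcomes, so a rule set can be reasoned about before it is applied. It assumes rules are evaluated in the order added with first match winning, and uses the wildcard convention of basic ACL rules (a 0 bit in the wildcard must match, a 1 bit is ignored, so the wildcard 0 means a single host). The class and function names, the ACL number 2001 and the addresses in demo() are the example's own.

```python
import ipaddress


def _ipv4_int(text):
    return int(ipaddress.IPv4Address(text))


def _wildcard_int(text):
    # The rule syntax on the page allows a bare "0" for a single-host wildcard.
    return 0 if text == "0" else _ipv4_int(text)


class BasicAcl:
    """Model of a basic ACL: ordered permit/deny rules matched on source address.

    Assumption for this example: rules are evaluated in the order added and the
    first matching rule decides.
    """

    def __init__(self, number):
        # The note above: TFTP access control accepts only basic ACLs 2000-2999.
        if not 2000 <= number <= 2999:
            raise ValueError("TFTP access control needs a basic ACL (2000-2999)")
        self.number = number
        self.rules = []

    def rule(self, action, source=None, wildcard="0"):
        """Add a rule; source=None models 'source any'."""
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if source is None:
            self.rules.append((action, 0, 0xFFFFFFFF))
        else:
            self.rules.append((action, _ipv4_int(source), _wildcard_int(wildcard)))

    def first_match(self, peer_ip):
        """Return the action of the first matching rule, or None if nothing matches."""
        peer = _ipv4_int(peer_ip)
        for action, addr, wild in self.rules:
            care = ~wild & 0xFFFFFFFF  # bits that must be equal
            if peer & care == addr & care:
                return action
        return None


def tftp_allowed(acl, peer_ip):
    """Apply the four outcomes from the note above.

    No ACL bound, or an ACL with no rules: every peer may connect.
    First matching rule is permit: allowed. First matching rule is deny: refused.
    No rule matches: refused.
    """
    if acl is None or not acl.rules:
        return True
    return acl.first_match(peer_ip) == "permit"


def demo():
    """Equivalent CLI for this constructed rule set (not from the guide):
         acl 2001
          rule 5 deny source 10.2.1.200 0
          rule 10 permit source 10.2.1.0 0.0.0.255
          quit
         tftp server acl 2001
    """
    acl = BasicAcl(2001)
    acl.rule("deny", "10.2.1.200", "0")          # one host in the subnet refused
    acl.rule("permit", "10.2.1.0", "0.0.0.255")  # the management subnet
    return {ip: tftp_allowed(acl, ip) for ip in ("10.2.1.1", "10.2.1.200", "192.0.2.9")}


if __name__ == "__main__":
    print(demo())
```

The order of the two rules in demo() matters: if the permit for the subnet came first, the host deny would never be reached, which is the same pitfall as on the device.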

● Upload files to or download files from the server using TFTP commands.

Table 7-45 Connecting to another device using TFTP commands

Operation: Connect to the TFTP server using an IPv4 address.
Command: tftp [ -a source-ip-address | -i interface-type interface-number ] host-ip-address [ vpn-instance vpn-instance-name | public-net ] { get | put } source-filename [ destination-filename ]
Description:
● The get command downloads files from the server.
● The put command uploads files to the server.

Operation: Connect to the TFTP server using an IPv6 address.
Command: tftp ipv6 [ -a source-ipv6-address ] tftp-server-ipv6 [ vpn-instance vpn-instance-name | public-net ] [ -oi interface-type interface-number ] { get | put } source-filename [ destination-filename ]
Description:
● The get command downloads files from the server.
● The put command uploads files to the server.

The source IP address or source interface specified in the preceding
commands takes precedence over that specified in the tftp client source
command. The source IP address or source interface specified in the tftp
client source command applies to all TFTP connections, whereas the source
IP address or source interface specified in the tftp or tftp ipv6 command
applies only to the current TFTP connection.

----End

Verifying the Configuration


● Run the display tftp client command to check the source IP address of the
TFTP client.

7.8.2 Example for Configuring a Device as a TFTP Client


Networking Requirements
In Figure 7-6, the remote device with IP address 10.1.1.1/24 functions as the TFTP
server. The device with IP address 10.2.1.1/24 functions as the TFTP client and has
reachable routes to the TFTP server.

The TFTP client needs to be upgraded. To be specific, you need to download the
system software from the TFTP server to the TFTP client and back up the current
configuration file of the TFTP client to the TFTP server.

Figure 7-6 Network diagram for accessing files on another device using TFTP
NOTE
SFTP V2 or SCP is more secure than TFTP, and is therefore recommended.
In this example, interface1 represents 10GE1/0/1.

Configuration Roadmap
The configuration roadmap is as follows:

1. Run the TFTP software on the TFTP server and set the TFTP working directory.
2. Upload files from and download files to the TFTP client using TFTP
commands.

Configuration Precautions
In insecure network environments, you are advised to use a secure password
authentication mode, encryption authentication algorithm, or protocol. For details
about secure configuration examples, see 7.7.3 Example for Configuring a
Device as an SCP Client.

Procedure
Step 1 Run the install feature-software WEAKEA command in the user view to install
the weak security algorithm/protocol feature package (WEAKEA).

Step 2 Run the TFTP software on the TFTP server and set the TFTP working directory. For
details, see the help document of the third-party software.

Step 3 Upload and download files on the TFTP client using TFTP commands.
<HUAWEI> tftp 10.1.1.1 get devicesoft.cc
Info: Transfer file in binary mode.
Please wait for a while...
/ 107973953 bytes transferred
Info: Downloaded the file successfully.
<HUAWEI> tftp 10.1.1.1 put vrpcfg.zip
Info: Transfer file in binary mode.
Please wait for a while...
/ 100% [***********]
Info: Uploaded the file successfully.

----End

Verifying the Configuration


# Run the dir command on the TFTP client to check whether the system software
is successfully downloaded.
<HUAWEI> dir
Directory of flash:/

Idx Attr Size(Byte) Date Time FileName
0 -rw- 14 Mar 13 2019 14:13:38 back_time_a
1 drw- - Mar 11 2019 00:58:54 logfile
2 -rw- 4 Nov 17 2019 09:33:58 snmpnotilog.txt
3 -rw- 11,238 Mar 12 2019 21:15:56 private-data.txt
4 -rw- 1,257 Mar 12 2019 21:15:54 vrpcfg.zip
5 -rw- 14 Mar 13 2019 14:13:38 back_time_b
6 -rw- 107,973,953 Mar 13 2019 14:24:24 devicesoft.cc
7 drw- - Oct 31 2019 10:20:28 sysdrv
8 drw- - Feb 21 2019 17:16:36 compatible
9 drw- - Feb 09 2019 14:20:10 selftest
10 -rw- 19,174 Feb 20 2019 18:55:32 backup.cfg
11 -rw- 23,496 Oct 15 2019 20:59:36 20191015.zip
12 -rw- 588 Nov 04 2019 13:54:04 servercert.der
13 -rw- 320 Nov 04 2019 13:54:26 serverkey.der
14 drw- - Nov 04 2019 13:58:36 security
...
670,092 KB total (569,904 KB free)
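Reading the dir output by eye is the manual form of this check; the following Python is an added example, not from this guide or the switch software, that does it from a script. It parses the listing, compares the size dir reports for devicesoft.cc with the 107973953 bytes the tftp get command printed (and vrpcfg.zip's 1,257 bytes with the 1257 bytes the OpenSSH scp session in 7.7.1 transferred), and checks that the free flash reported on the last line can hold a file before it is downloaded. PAGE_DIR_OUTPUT is a constructed subset of the listing on this page, and the function names are the example's own.

```python
import re

# Constructed subset of the page's dir output on the TFTP client.
PAGE_DIR_OUTPUT = """\
Directory of flash:/

Idx Attr Size(Byte) Date Time FileName
0 -rw- 14 Mar 13 2019 14:13:38 back_time_a
1 drw- - Mar 11 2019 00:58:54 logfile
4 -rw- 1,257 Mar 12 2019 21:15:54 vrpcfg.zip
6 -rw- 107,973,953 Mar 13 2019 14:24:24 devicesoft.cc
10 -rw- 19,174 Feb 20 2019 18:55:32 backup.cfg
...
670,092 KB total (569,904 KB free)
"""

# One listing row: index, attributes, size (with thousands separators, or "-"
# for a directory), date, time, file name.
ENTRY_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<attr>[-d]\S{3})\s+(?P<size>[\d,]+|-)\s+"
    r"(?P<date>[A-Za-z]{3} \d{2} \d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<name>\S+)\s*$"
)
SPACE_RE = re.compile(r"([\d,]+) KB total \(([\d,]+) KB free\)")


def parse_dir(text):
    """Map file name -> {attr, is_dir, size} (size in bytes, None for directories)."""
    entries = {}
    for line in text.splitlines():
        match = ENTRY_RE.match(line)
        if not match:
            continue  # banner, column header, "..." and summary lines
        size = None if match["size"] == "-" else int(match["size"].replace(",", ""))
        entries[match["name"]] = {
            "attr": match["attr"],
            "is_dir": match["attr"].startswith("d"),
            "size": size,
        }
    return entries


def free_kb(text):
    """Free flash in KB from the summary line dir prints last."""
    match = SPACE_RE.search(text)
    if not match:
        raise ValueError("no 'KB total (... KB free)' summary line found")
    return int(match.group(2).replace(",", ""))


def enough_space(text, needed_bytes):
    """True if the free flash reported by dir can hold needed_bytes (run before tftp get)."""
    return free_kb(text) * 1024 >= needed_bytes


def verify_transfer(entries, name, transferred_bytes):
    """Compare the byte count the transfer printed with what dir shows afterwards."""
    entry = entries.get(name)
    if entry is None:
        return False, f"{name} is not in the listing"
    if entry["is_dir"]:
        return False, f"{name} is a directory"
    if entry["size"] != transferred_bytes:
        return False, f"{name}: dir shows {entry['size']} bytes, transfer reported {transferred_bytes}"
    return True, "ok"


if __name__ == "__main__":
    listing = parse_dir(PAGE_DIR_OUTPUT)
    # 107973953 is the byte count the guide's "tftp 10.1.1.1 get devicesoft.cc" printed.
    print(verify_transfer(listing, "devicesoft.cc", 107973953))
    print(enough_space(PAGE_DIR_OUTPUT, 107973953))
```

A size mismatch after a TFTP download usually means a truncated transfer; since TFTP carries no integrity protection of its own, this size check (and, where the vendor publishes one, a hash of the image) is the only confirmation available before the file is used for an upgrade.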

# Access the working directory on the TFTP server and check whether the
vrpcfg.zip file has been uploaded successfully.

Configuration Scripts
None

7.9 Troubleshooting File System Management Errors

7.9.1 Failed to Log In to the FTP Server

Possible Causes
● The FTP server function is not enabled.

● The FTP server does not use the default port number, and the port number of
the FTP server is not specified when the FTP server is accessed from the FTP
client.
● The FTP user information, working directory, and user privilege level are not
configured on the FTP server.
● The number of online FTP users reaches the upper limit.
● An ACL is configured on the FTP server to deny the access of the FTP user.

Procedure
Step 1 Check whether the FTP server function is enabled.
Run the display ftp server command in any view to check the status of the FTP
server.
● If the following information is displayed, the FTP server function is disabled:
<HUAWEI> display ftp server
Server state : Disabled
IPv6 server state : Disabled
Timeout value (mins) : 10
IPv6 Timeout value (mins) : 10
Listen port : 21
IPv6 listen port : 21
ACL name :
IPv6 ACL name :
ACL number :
IPv6 ACL number :
Current user count :0
Max user number : 15

Run the ftp server enable command in the system view to enable the FTP
server function.
<HUAWEI> system-view
[HUAWEI] ftp server enable
Warning: FTP is not a secure protocol, and it is recommended to use SFTP.

● If the following information is displayed, the FTP server function is enabled:
<HUAWEI> display ftp server
Server state : Enabled
IPv6 server state : Disabled
Timeout value (mins) : 10
IPv6 Timeout value (mins) : 10
Listen port : 21
IPv6 listen port : 21
ACL name :
IPv6 ACL name :
ACL number :
IPv6 ACL number :
Current user count :0
Max user number : 15

Step 2 Check whether the port number of the FTP server is the default port number.
Run the display ftp server command in any view to check the FTP server port.
<HUAWEI> display ftp server
Server state : Enabled
IPv6 server state : Disabled
Timeout value (mins) : 10
IPv6 Timeout value (mins) : 10
Listen port : 21
IPv6 listen port : 21
ACL name :
IPv6 ACL name :
ACL number :
IPv6 ACL number :
Current user count :0
Max user number : 15

If the FTP server port is not 21, run the ftp server port command to set the port
number to 21.
<HUAWEI> system-view
[HUAWEI] undo ftp server
Info: Succeeded in closing the FTP server.
[HUAWEI] ftp server port 21
[HUAWEI] ftp server enable
Warning: FTP is not a secure protocol, and it is recommended to use SFTP.

Alternatively, specify the port number of the FTP server on the FTP client when
connecting to the FTP server from the FTP client.
Step 3 Check whether the FTP user information, authorized directory, and user privilege
level are configured.
The user name, password, authorized directory, and user privilege level are
mandatory for an FTP user. An FTP user cannot log in to the FTP server if the FTP
authorized directory or user privilege level is not specified.
For details, see "Configure a local FTP user" in "Configuring the Device as an FTP
Server."
Step 4 Check whether the number of users on the FTP server reaches the upper limit.
Run the display ftp server users command to check whether the number of FTP
users reaches 15.
Step 5 Check whether an ACL is configured on the FTP server.
Run the display ftp server command to check whether an ACL is configured on
the FTP server.
If an ACL is configured on the FTP server, the FTP server allows only access from
the IP addresses permitted by the ACL rules.

----End
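As an added example (it is not part of this guide or of the switch software), the following Python helper parses the output of display ftp server shown in this procedure and maps it onto the causes above: server disabled (Step 1), non-default listen port (Step 2), user count at the limit (Step 4), and an ACL applied (Step 5). Step 3 (user name, password, authorized directory and privilege level) cannot be judged from this output and is left to display ftp server users and the FTP server configuration. The sample outputs are constructed to mirror the format shown above; the port 2121 and ACL 2001 in the second sample are illustrative values, not from the guide.

```python
"""Triage helper for the 'Failed to Log In to the FTP Server' checklist.

Parses the text printed by 'display ftp server' on a CloudEngine switch and
reports which of the causes in the procedure it points to. Added example, not
code from the guide or the switch; the sample outputs are constructed.
"""
from typing import Dict, List

DEFAULT_FTP_PORT = 21

# Constructed sample: FTP server disabled (same layout as the guide's output).
SAMPLE_DISABLED = """\
Server state : Disabled
IPv6 server state : Disabled
Timeout value (mins) : 10
IPv6 Timeout value (mins) : 10
Listen port : 21
IPv6 listen port : 21
ACL name :
IPv6 ACL name :
ACL number :
IPv6 ACL number :
Current user count :0
Max user number : 15
"""

# Constructed sample: enabled, but on a non-default port, with an ACL applied
# and every user slot in use (port 2121 and ACL 2001 are illustrative values).
SAMPLE_RESTRICTED = """\
Server state : Enabled
IPv6 server state : Disabled
Timeout value (mins) : 10
IPv6 Timeout value (mins) : 10
Listen port : 2121
IPv6 listen port : 21
ACL name :
IPv6 ACL name :
ACL number : 2001
IPv6 ACL number :
Current user count :15
Max user number : 15
"""


def parse_ftp_server_status(text: str) -> Dict[str, str]:
    """Turn 'Key : Value' lines into a dict; an empty value stays an empty string."""
    status: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        status[key.strip()] = value.strip()
    return status


def diagnose_ftp_login_failure(text: str) -> List[str]:
    """Return the checklist items (Steps 1, 2, 4 and 5) that the output points to."""
    st = parse_ftp_server_status(text)
    findings: List[str] = []
    # Step 1: the server function itself must be enabled.
    if st.get("Server state", "").lower() != "enabled":
        findings.append("step1: FTP server function is disabled (run 'ftp server enable')")
    # Step 2: a non-default port must be given explicitly on the client.
    port = st.get("Listen port", "")
    if port.isdigit() and int(port) != DEFAULT_FTP_PORT:
        findings.append(f"step2: non-default listen port {port}; specify it on the FTP client")
    # Step 5: with an ACL applied, only permitted source addresses may connect.
    if st.get("ACL name") or st.get("ACL number"):
        findings.append("step5: an ACL is applied; the client IP address must be permitted by it")
    # Step 4: the online-user limit (15 in the guide's output) is exhausted.
    cur, mx = st.get("Current user count", ""), st.get("Max user number", "")
    if cur.isdigit() and mx.isdigit() and int(cur) >= int(mx):
        findings.append(f"step4: online FTP users ({cur}) reached the limit of {mx}")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_DISABLED, SAMPLE_RESTRICTED):
        print(diagnose_ftp_login_failure(sample) or ["no cause visible in this output"])
```

Feed the helper the pasted output of display ftp server; an empty result means the cause is not visible in this command's output and Step 3 (FTP user, directory and privilege level) should be checked next.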

7.9.2 Failed to Transfer Files Between the FTP Server and Client

Possible Causes
● The FTP source or destination directory name contains characters not
supported by the device, such as spaces.
● The root directory on the FTP server does not have sufficient storage space.

Procedure
Step 1 Check whether the FTP source or destination directory name contains characters
not supported by the device.
The directory name cannot contain spaces or the following special characters:
~ * / \ : ' "
If the directory name contains any of these characters, change the directory name.


Step 2 Check whether there is sufficient storage space in the root directory on the FTP
server.
Run the dir command on the FTP server to check the available space of the root
directory on the FTP server.
If the storage space is insufficient, run the delete /unreserved command in the
user view to delete unnecessary files.

----End


8 Configuration File Management Configuration

8.1 Overview of Configuration File Management
8.2 Configuration Precautions for Configuration File Management
8.3 Managing Configuration Files

8.1 Overview of Configuration File Management

Definition
A configuration file is a collection of command lines that run on a device.

Purpose
Configuration file management allows you to view, save, compare, back up,
restore, and compress configuration files, as well as delete and roll back
configurations in the files. You can also specify the configuration file to be loaded
at the next device startup. All this ensures correct configurations on the device,
prevents configuration loss, and facilitates configuration migration.

8.2 Configuration Precautions for Configuration File Management

Licensing Requirements
Configuration File Management is not under license control.


Hardware Requirements

Table 8-1 Hardware requirements

Series: Models
S5735-L-V2 series: S5735-L10T4X-A-V2/S5735-L10T4X-TA-V2/S5735-L16T4S-A-V2/S5735-L16T4X-QA-V2/S5735-L24P4S-A-V2/S5735-L24P4XE-A-V2/S5735-L24P4XE-TA-V2/S5735-L24T4S-A-V2/S5735-L24T4X-QA-V2/S5735-L24T4XE-A-V2/S5735-L24T4XE-D-V2/S5735-L48LP4S-A-V2/S5735-L48LP4XE-A-V2/S5735-L48P4XE-A-V2/S5735-L48T4S-A-V2/S5735-L48T4XE-A-V2/S5735-L48T4XE-TA-V2/S5735-L48T4XE-D-V2/S5735-L8P2T4X-A-V2/S5735-L8P2T4X-TA-V2/S5735-L8P4S-A-V2/S5735-L8P4X-QA-V2/S5735-L8T4S-A-V2/S5735-L8T4X-QA-V2
S5735-S-V2 series: S5735-S24P4XE-V2/S5735-S24T4XE-V2/S5735-S24U4XE-V2/S5735-S48P4XE-V2/S5735-S48T4XE-V2/S5735-S48U4XE-V2
S5735I-L-V2 series: S5735I-L10T4X-A-V2/S5735I-L8P4X-A-V2
S3710-H series: S3710-H24P4S-A/S3710-H24T4S-A/S3710-H48LP4S-A/S3710-H48T4S-A
S5732-H-V2 series: S5732-H24S4X6QZ-TV2/S5732-H24S4X6QZ-V2/S5732-H24UM4Y2CZ-TV2/S5732-H24UM4Y2CZ-V2/S5732-H44S4X6QZ-TV2/S5732-H44S4X6QZ-V2/S5732-H48UM4Y2CZ-TV2/S5732-H48UM4Y2CZ-V2
S5735I-S-V2 series: S5735I-S24T4XE-V2/S5735I-S24T4XE-T-V2/S5735I-S24U4XE-V2/S5735I-S24U4XE-T-V2/S5735I-S8T4SN-V2/S5735I-S8T4XN-T-V2/S5735I-S8T4XN-V2/S5735I-S8U4XN-V2
S6730-H-V2 series: S6730-H24X6C-TV2/S6730-H24X6C-V2/S6730-H28X6CZ-TV2/S6730-H28X6CZ-V2/S6730-H48X6C-TV2/S6730-H48X6C-V2/S6730-H48X6CZ-TV2/S6730-H48X6CZ-V2/S6730-H48Y6C-TV2/S6730-H48Y6C-V2


Feature Requirements

Table 8-2 Feature requirements

Series: S5735-S-V2 series, S5735-L-V2 series, S3710-H series, S5735I-L-V2 series, S5732-H-V2 series, S5735I-S-V2 series, S6730-H-V2 series
Models:
S5735-S24P4XE-V2/S5735-S24T4XE-V2/S5735-S24U4XE-V2/S5735-S48P4XE-V2/S5735-S48T4XE-V2/S5735-S48U4XE-V2
S5735-L10T4X-A-V2/S5735-L10T4X-TA-V2/S5735-L16T4S-A-V2/S5735-L16T4X-QA-V2/S5735-L24P4S-A-V2/S5735-L24P4XE-A-V2/S5735-L24P4XE-TA-V2/S5735-L24T4S-A-V2/S5735-L24T4X-QA-V2/S5735-L24T4XE-A-V2/S5735-L24T4XE-D-V2/S5735-L48LP4S-A-V2/S5735-L48LP4XE-A-V2/S5735-L48P4XE-A-V2/S5735-L48T4S-A-V2/S5735-L48T4XE-A-V2/S5735-L48T4XE-TA-V2/S5735-L48T4XE-D-V2/S5735-L8P2T4X-A-V2/S5735-L8P2T4X-TA-V2/S5735-L8P4S-A-V2/S5735-L8P4X-QA-V2/S5735-L8T4S-A-V2/S5735-L8T4X-QA-V2
S3710-H24P4S-A/S3710-H24T4S-A/S3710-H48LP4S-A/S3710-H48T4S-A
S5735I-L10T4X-A-V2/S5735I-L8P4X-A-V2
S5732-H24S4X6QZ-TV2/S5732-H24S4X6QZ-V2/S5732-H24UM4Y2CZ-TV2/S5732-H24UM4Y2CZ-V2/S5732-H44S4X6QZ-TV2/S5732-H44S4X6QZ-V2/S5732-H48UM4Y2CZ-TV2/S5732-H48UM4Y2CZ-V2
S5735I-S24T4XE-V2/S5735I-S24T4XE-T-V2/S5735I-S24U4XE-V2/S5735I-S24U4XE-T-V2/S5735I-S8T4SN-V2/S5735I-S8T4XN-T-V2/S5735I-S8T4XN-V2/S5735I-S8U4XN-V2
S6730-H24X6C-TV2/S6730-H24X6C-V2/S6730-H28X6CZ-TV2/S6730-H28X6CZ-V2/S6730-H48X6C-TV2/S6730-H48X6C-V2/S6730-H48X6CZ-TV2/S6730-H48X6CZ-V2/S6730-H48Y6C-TV2/S6730-H48Y6C-V2
Feature Requirements (each of the following applies to the series and models above):
● For security purposes, FTP and TFTP are not recommended. By default, the
device provides the weak security algorithm/protocol feature package
WEAKEA. If you need to use the weak security algorithm/protocol feature
package WEAKEA, run the install feature-software WEAKEA command to
install it.
● If multiple users commit configurations at the same time, the operation may
fail due to the conflict. A message indicating that the system is busy is
displayed. Configurations need to be committed again.
● When the system is committing configurations or rolling back, there is a
possibility that the card that is newly started cannot be registered for a long
time.
● Configuration change is not allowed when an NMS initiates full
synchronization to the device.
● When configurations are restored during device startup, you cannot query the
current configurations.
● After the trial run command is executed to enable the device to enter the trial
running state, only the current trial running user can modify the
configuration. Other users cannot modify the configuration during the trial
run.
● During configuration editing, if the device memory usage exceeds 90%, the
configuration editing fails.
● The configuration cannot be saved during configuration data restoration
when the device is just started.
● Configurations cannot be committed when configuration data is being
restored upon device startup.
● When the configuration difference comparison command is being executed, if
repeated commands exist in the same view, the current command fails to be
executed.

Series: S5735-L-V2 series, S5735-S-V2 series, S5735I-L-V2 series, S5735I-S-V2 series
Models:
S5735-L10T4X-A-V2/S5735-L16T4S-A-V2/S5735-L16T4X-QA-V2/S5735-L24P4S-A-V2/S5735-L24P4XE-A-V2/S5735-L24T4S-A-V2/S5735-L24T4X-QA-V2/S5735-L24T4XE-A-V2/S5735-L24T4XE-D-V2/S5735-L48LP4S-A-V2/S5735-L48LP4XE-A-V2/S5735-L48P4XE-A-V2/S5735-L48T4S-A-V2/S5735-L48T4XE-A-V2/S5735-L48T4XE-D-V2/S5735-L8P2T4X-A-V2/S5735-L8P4S-A-V2/S5735-L8P4X-QA-V2/S5735-L8T4S-A-V2/S5735-L8T4X-QA-V2
S5735-S24P4XE-V2/S5735-S24T4XE-V2/S5735-S24U4XE-V2/S5735-S48P4XE-V2/S5735-S48T4XE-V2/S5735-S48U4XE-V2
S5735I-L10T4X-A-V2/S5735I-L8P4X-A-V2
S5735I-S24T4XE-V2/S5735I-S24U4XE-V2/S5735I-S8T4SN-V2/S5735I-S8T4XN-V2/S5735I-S8U4XN-V2
Feature Requirements (applies to the series and models above):
● For the S5735-L-V2 Series/S5735-S-V2 Series/S5735I-L-V2 Series/S5735I-S-V2
Series: In the batch configuration delivery scenario, a CPU usage
threshold-crossing alarm may be generated during service deployment. After
the configuration delivery is complete, the CPU usage will be restored and the
CPU usage threshold-crossing alarm will be cleared.


8.3 Managing Configuration Files

8.3.1 Understanding Configuration Files

Configuration File Format


Configuration files use text format and must meet the following requirements:
● A configuration file can contain only configuration commands, view switching
commands, # symbols (used to switch to the system view), and the quit
command. When the device is loading a configuration file that contains other
types of commands, such as display commands used for querying, reset,
save, and ping commands used for maintenance, the return command, and
commands for upgrade compatibility, the device reports an error when
attempting to load such commands and continues to load other commands
supported in the configuration file.
● A configuration file cannot contain repeated commands.
● Each view is displayed with an indentation of one character.
● If commands in a configuration file need to be executed in a view, the
configuration file must also contain the command for entering the view.
● The configuration sequence and dependency must be correct.
● Interactive commands in a configuration file support only Y and N choices. Y
is the default choice, which is entered automatically during configuration
restoration.
● A configuration file must be saved to the root directory of the storage
medium, with a file name extension as .zip, .cfg, or .dat.
– A .cfg file is a text file, whose contents can be viewed directly. If a .cfg file
is specified as the configuration file, the system restores the commands in
the file one by one during device startup.
– A .zip file is compressed from a .cfg file and occupies less space. If a .zip
file is specified as the configuration file, the system first decompresses
the file into a .cfg file, and then restores the commands in the .cfg file
one by one during device startup.
– A .dat file is a binary file. If the startup software version and the .dat file
version are the same, the system restores all configurations at a time
without the need to restore the commands one by one, accelerating
device startup.
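The rules above lend themselves to a pre-check before a file is uploaded to the root of the storage medium and set as the next-startup configuration. The following Python linter is an added example, not code from this guide or from the switch, and the sample configuration it checks is constructed: it verifies the file name and location, decompresses a .zip into its .cfg, rejects display, reset, save, ping and return commands, flags a command repeated within one view, and checks that each nested view is indented by exactly one more character. The binary .dat format is not parsed and the interactive Y/N rule is not checked, since neither can be judged from the text alone.

```python
"""Lint a CloudEngine-style text configuration file (.cfg, or .zip wrapping a
.cfg) against the format rules listed above. Added example, not code from this
guide or from the switch software; the sample configuration is constructed.
"""
import io
import zipfile
from typing import List, Set, Tuple

# Command keywords the guide says must not appear in a configuration file.
DISALLOWED_KEYWORDS = ("display", "reset", "save", "ping", "return")
ALLOWED_EXTENSIONS = (".cfg", ".zip", ".dat")

# Constructed sample .cfg with three deliberate violations: a duplicated
# command in the system view, a 'display' command inside an interface view,
# and a trailing 'return'.
SAMPLE_CFG = """\
#
sysname SwitchA
#
ftp server enable
ftp server enable
#
interface GigabitEthernet0/0/1
 port link-type access
 display this
#
return
"""


def check_file_name(path: str) -> List[str]:
    """Root of the storage medium and a .zip/.cfg/.dat extension are required."""
    problems: List[str] = []
    if not path.lower().endswith(ALLOWED_EXTENSIONS):
        problems.append(f"{path}: extension must be one of {ALLOWED_EXTENSIONS}")
    # 'flash:/vrpcfg.zip' is in the root; 'flash:/backup/vrpcfg.zip' is not.
    _, _, rest = path.partition(":/")
    if "/" in rest:
        problems.append(f"{path}: file must be saved in the root directory")
    return problems


def zip_cfg(text: str, inner_name: str = "vrpcfg.cfg") -> bytes:
    """Pack cfg text into an in-memory .zip; used here only to build sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, text)
    return buf.getvalue()


def load_cfg_text(path: str, data: bytes) -> str:
    """A .zip configuration file is a compressed .cfg: decompress it first."""
    if path.lower().endswith(".zip"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            name = next(n for n in zf.namelist() if n.lower().endswith(".cfg"))
            return zf.read(name).decode("utf-8")
    return data.decode("utf-8")


def lint_cfg(text: str) -> List[Tuple[int, str]]:
    """Return (line number, message) for each rule violation found."""
    problems: List[Tuple[int, str]] = []
    # views[d] holds the commands already seen at indentation depth d.
    views: List[Set[str]] = [set()]
    for lineno, raw in enumerate(text.splitlines(), start=1):
        cmd = raw.strip()
        if not cmd:
            continue
        if cmd == "#":
            views = [set()]          # '#' switches back to the system view
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        if depth > len(views) - 1:
            if depth != len(views):
                problems.append((lineno, "a nested view must be indented by exactly one more character"))
            views.extend(set() for _ in range(depth - len(views) + 1))
        elif depth < len(views) - 1:
            del views[depth + 1:]    # the deeper views have been left
        if cmd == "quit":
            continue                 # explicit view exit; nothing to record
        keyword = cmd.split()[0]
        if keyword in DISALLOWED_KEYWORDS:
            problems.append((lineno, f"'{keyword}' commands are not allowed in a configuration file"))
        if cmd in views[depth]:
            problems.append((lineno, f"repeated command in the same view: {cmd}"))
        views[depth].add(cmd)
    return problems


if __name__ == "__main__":
    path = "flash:/vrpcfg.zip"
    for msg in check_file_name(path):
        print(msg)
    for lineno, msg in lint_cfg(load_cfg_text(path, zip_cfg(SAMPLE_CFG))):
        print(f"line {lineno}: {msg}")
```

Run the linter on a file exported with save before it is uploaded; a clean result does not prove the command sequence and dependencies are correct (the device still validates each command as it restores the file), but it catches the formatting mistakes that make the device skip commands during startup.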

Configuration File Category


The following table lists the differences between the configurations loaded when
the device is running. These configurations fall into the following types: factory
configuration, preset configuration, current configuration, and next startup
configuration.


Type: Factory configuration
Description: Factory configurations are basic configurations provided for a new
device. This type of configurations enables a device to start and operate correctly
when there is no configuration file, or when the configuration file is lost or
damaged. When a device starts with factory configurations, it is considered to start
in unconfigured mode. Factory configurations are different from the default
command configurations. For example, factory configurations may contain the
snetconf server enable command, but this command is not configured by default.
In this case, the SNETCONF service is enabled when the device starts with factory
configurations or restores factory configurations.
Command: -

Type: Preset configuration
Description: When a device is powered on, it reads the configuration file from the
default directory to initialize the system. The configurations in the configuration
file are called preset configurations. If no configuration file is stored in the default
directory, the device uses the factory configurations for initialization.
Command: Run the display startup command to check the configuration file used
for the current startup.

Type: Current configuration
Description: The configurations that are in effect during device running are
current configurations.
Command: Run the display current-configuration command to check the current
configurations.

Type: Next startup configuration
Description: After the system starts, you can specify a configuration file as the
initial configurations for the next startup, known as the next startup
configurations.
Command: Run the display startup command to check the configuration file to be
used for the next startup. Run the display saved-configuration command to check
content in the configuration file to be used for the next startup.


To use modified configurations as the next startup configurations, run the save
command to save them to the default storage medium.
NOTE

If a command is configured in an incomplete format, the system saves the command to the
configuration file in its complete format. As a result, the command may have more than
510 characters, which is the maximum length supported by the system. Such a command
cannot be restored after the system restarts.

8.3.2 Viewing a Configuration File

Procedure

Table 8-3 Viewing a configuration file

Operation: Check the configuration file in the storage medium.
Command: dir
Description: -

Operation: Check the configuration files for the current and next startup.
Command: display startup
Description: -

Operation: Check configurations in a specified configuration file.
Command: display configuration configuration-file
Description: -

Operation: Check configurations in the configuration file for the next startup.
Command: display saved-configuration
Description: -

Operation: Check the system configurations saved last time.
Command: display saved-configuration last
Description: -

Operation: Check the time when the configurations were last saved automatically.
Command: display saved-configuration time
Description: -

Operation: Check all configurations that take effect on the device.
Command: display current-configuration [ include-default ]
Description: If include-default is not specified, only configured information is displayed. If include-default is specified, both configured information and default configurations are displayed.

Operation: Check the configurations that take effect in the current view.
Command: display this [ include-default ]
Description: This command displays the configurations in the view where it is executed. If include-default is not specified, only configured information in the current view is displayed. If include-default is specified, both configured information and default configurations in the current view are displayed.

8.3.3 Saving a Configuration File


Context
You can run commands to modify current device configurations, but these
modified configurations will be lost once the device restarts unless you save them
to the configuration file before restarting the device. Two methods are available
for saving configurations to a configuration file:
● Enable the system to automatically save configurations.
● Manually save the configurations.
Device configurations are stored in the configuration file of the storage medium.
During startup, the system reads the configuration file to restore configurations of
the device, and then saves the restored configurations to memory.
You can use the display saved-configuration command to check configurations in
the configuration file, and the display current-configuration command to check
those in memory.
When the device is running properly, the configurations in the configuration file
should be the same as those in memory. If you add, modify, or delete
configurations, the latest configurations are saved in memory, and will be different
from those in the configuration file. In this case, you can run the save command
to save the current configurations in memory to the configuration file.
If the system has not completed startup properly, the configurations in the
configuration file have not been fully restored to memory. If you run the save
command at this time, the incomplete configurations in memory override those in
the configuration file, and some configurations may be lost.

Procedure
● Enable the system to automatically save configurations.


a. Enter the system view.
system-view

b. Configure the system to save the configurations at a scheduled time.
configuration file auto-save [ interval interval | delay delay-interval | cpu-limit cpu-usage ] *

The system does not automatically save the configurations in the
following scenarios when the scheduled time arrives:

▪ The system is writing the configuration file.

▪ The system is restoring device configurations.

▪ CPU usage is high.

c. (Optional) Configure server information, including the IP address of the
server where the configuration file is automatically saved, user name and
password, storage path, and mode for transmitting the configuration file
to the server.
configuration file auto-save backup-to-server server server-ip [ vpn-instance vpn-instance-name ] transport-type { { ftp | sftp } [ port port-value ] user user-name password password | tftp } [ path folder ]

NOTE

If the local storage medium does not have sufficient space or is damaged, or the
configuration file needs to be backed up, you can run this command to specify a file
server for saving the backup configuration file.
SFTP has higher security and is therefore recommended for saving the configuration
file to the file server.
The configuration file is saved on the server as a compressed package, named in the
YY-MM-DD.HH-MM-SS.Device name.zip format (for example,
2019-10-25.15-13-37.HUAWEI.zip). After decompression, the file with the file name
extension .cfg is the configuration file.
d. (Optional) Configure the function for uploading the configuration file at
a specific time point of a certain day every month.
configuration current backup-to-server monthly date date-value [ time time-value ]

● Manually save the configurations.


– Directly save the configuration file.
save [ configuration-file ]

The configuration file name extension must be .zip, .dat, or .cfg. If the
configuration file will be loaded during system startup, it must be stored
in the root directory of the storage medium.
If the configuration-file parameter is not specified, the system asks you
whether to name the configuration file vrpcfg.zip when you save the
configuration file for the first time. The vrpcfg.zip file is the default
configuration file and does not contain any configuration in the initial
state. If configurations are not saved for the first time, they will be saved
in the running configuration file. You can run the display startup
command to check the name of the running configuration file.
– Enter a password to save the configuration file.
save shareable-configuration configuration-file [ password ]

The device generates a key in the configuration file based on the
password entered by the user. When the configuration file is used next
time, the password must be entered for authentication.


NOTE

After the weak password dictionary maintenance function is enabled, the
passwords defined in the weak password dictionary (which can be queried using
the display security weak-password-dictionary command) cannot be specified
in this command.

----End
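The .zip/.cfg file types described in 8.3.1, the 510-character limit on a saved command noted under the configuration file categories, and the YY-MM-DD.HH-MM-SS.Device name.zip naming of auto-saved backups noted in step c above give an operator enough to sanity-check a backup after it lands on the file server. The following Python script is an added example, not Huawei code and not part of this guide: it parses the archive name, extracts the single .cfg member, flags any command line over 510 characters (which the guide says cannot be restored), and optionally compares the .cfg size with the size reported on the device, as the "Verifying the Configuration" steps later in this section ask for. The sample configuration and archive are constructed inline; the .zip layout (one .cfg member) follows the guide's description, and the four-digit year in the name pattern follows the guide's own example.

```python
import io
import re
import zipfile
from datetime import datetime

# Maximum command length the guide states the system supports; a command line
# in a .cfg file that is longer than this cannot be restored after a restart.
MAX_COMMAND_LENGTH = 510

# Documented name format of an auto-saved backup: YY-MM-DD.HH-MM-SS.<device name>.zip.
# The guide's own example (2019-10-25.15-13-37.HUAWEI.zip) uses a four-digit year,
# so that is what the pattern expects.
ARCHIVE_NAME_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\.(\d{2}-\d{2}-\d{2})\.(.+)\.zip$")


def parse_archive_name(name):
    """Split a backup archive name into its timestamp and device name.
    Returns None when the name does not follow the documented format."""
    match = ARCHIVE_NAME_RE.match(name)
    if not match:
        return None
    date_part, time_part, device = match.groups()
    stamp = datetime.strptime(date_part + " " + time_part, "%Y-%m-%d %H-%M-%S")
    return {"timestamp": stamp, "device": device}


def extract_cfg(zip_bytes):
    """Return (member name, raw bytes) of the single .cfg member in a backup .zip,
    which is how the guide says the archive is laid out."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        members = [n for n in archive.namelist() if n.lower().endswith(".cfg")]
        if len(members) != 1:
            raise ValueError("expected exactly one .cfg member, found %d" % len(members))
        return members[0], archive.read(members[0])


def find_overlong_commands(cfg_text):
    """Return (line number, length) for each line longer than MAX_COMMAND_LENGTH."""
    return [
        (number, len(line))
        for number, line in enumerate(cfg_text.splitlines(), start=1)
        if len(line) > MAX_COMMAND_LENGTH
    ]


def verify_backup(archive_name, zip_bytes, expected_cfg_size=None):
    """Check a downloaded backup: documented name format, exactly one .cfg inside,
    no command line over the 510-character limit, and optionally that the .cfg
    size matches the size reported on the device (the guide's verification step)."""
    report = {"name": parse_archive_name(archive_name), "problems": []}
    if report["name"] is None:
        report["problems"].append("archive name does not follow YY-MM-DD.HH-MM-SS.<device>.zip")
    member, raw = extract_cfg(zip_bytes)
    report["cfg_member"] = member
    report["cfg_size"] = len(raw)
    if expected_cfg_size is not None and len(raw) != expected_cfg_size:
        report["problems"].append(
            "size mismatch: device reported %d bytes, archive holds %d" % (expected_cfg_size, len(raw)))
    for number, length in find_overlong_commands(raw.decode("utf-8", errors="replace")):
        report["problems"].append(
            "line %d is %d characters, over the %d limit" % (number, length, MAX_COMMAND_LENGTH))
    report["ok"] = not report["problems"]
    return report


# Constructed sample .cfg (not from a real device). Line 5 carries an
# artificially long description so the length check has something to find.
SAMPLE_CFG = "\n".join([
    "#",
    "sysname HUAWEI",
    "#",
    "interface GigabitEthernet0/0/1",
    " description " + "x" * 520,
    "#",
    "return",
]) + "\n"


def build_sample_archive(cfg_text=SAMPLE_CFG, member="vrpcfg.cfg"):
    """Pack configuration text into an in-memory .zip with one .cfg member,
    mirroring the layout the guide describes for auto-saved backups."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(member, cfg_text)
    return buffer.getvalue()


if __name__ == "__main__":
    report = verify_backup("2019-10-25.15-13-37.HUAWEI.zip", build_sample_archive())
    print("ok" if report["ok"] else "\n".join(report["problems"]))
```

In practice you would read the archive bytes from the backup directory on the file server and pass the size shown by dir on the device as expected_cfg_size; a backup that fails any of these checks should be treated as unusable for restoration rather than discovered to be so at the next restart.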

8.3.4 Specifying the Configuration File for Next Startup

Context
When the system restarts, it uses the specified configuration file to restore
configurations.

Before specifying the file for the next startup, you can run the display startup
command to view the current specified file.

If no configuration file is specified, the default configuration file default.cfg will
be used for the next startup.

NOTE

Manually constructing a configuration file is not recommended because manual
construction is prone to file format errors. A format error may cause a failure to restore
configurations or an error during configuration restoration.
The configuration file for the next startup must exist and be saved in the root directory of
the storage medium.
After specifying the file for the next startup, you cannot run the save command without
parameters in the user view. If you run this command, the system uses the saved
configuration file instead of the specified configuration file for the next startup.

Procedure
● Configure the configuration file for the next startup.
startup saved-configuration configuration-file

● Configure the configuration file containing key information for the next
startup.
startup shareable-configuration configuration-file [ password ]

If the configuration file configured for the next startup contains key
information, you need to enter a password for authentication before using the
file.

----End

Verifying the Configuration


Run the display configuration recover-result command to check the
configuration restoration result after the restart and the failure cause.


8.3.5 Reusing the Configuration File of Another Device

Context
A configuration file may contain a ciphertext encrypted using a system master key.
As a system master key is automatically and randomly generated by default,
different devices have different system master keys. The ciphertext in a
configuration file of a device cannot be decrypted on another device. As a result,
the ciphertext cannot be restored on another device and will be used as a
plaintext. To decrypt the ciphertext in the configuration file on another device,
perform the following operations.

Procedure
Step 1 Export the configuration file from device A.
1. Save the configuration file.
save shareable-configuration configuration-file [ password ]

2. Export the configuration file.

For details, see 8.3.11 Backing Up the Configuration File to an SFTP Server
or Client.

Step 2 On device B, reuse the configuration file exported from device A.
1. Copy the configuration file of device A to device B.
For details, see 8.3.16 Copying the Configuration File from an SFTP Server
or Client to the Device.
2. Configure the exported configuration file as the configuration file to be
loaded for the next startup of device B.
startup shareable-configuration configuration-file [ password ]

----End

Verifying the Configuration


● Run the display configuration recover-result command to check the
configuration restoration result after the restart and the failure cause.
● Run the display master-key configuration command to check whether the
system master key is the configured one.

8.3.6 Comparing Configuration Files

Context
You can compare the current configuration file with the specified configuration file
to check whether they are consistent and determine whether to use the specified
configuration file for the next startup.

NOTE

The configuration file name extension must be .cfg or .zip.


Procedure

Table 8-4 Comparing configuration files

Operation: Check whether the current configurations are consistent with those in the specified configuration file.
Command: display configuration changes [ running file file-name | file file-name running ]
Description: These two commands can only compare the current running configuration file with a specified configuration file. When you run these commands, the first specified configuration file is called the source configuration, and the later specified configuration file is called the target configuration. If the target configuration is different from the source configuration, the difference is displayed based on the following rules:
● A command that exists in the target configuration rather than the source configuration is prefixed with "+".
● A command that exists in the source configuration rather than the target configuration is prefixed with "-".
● If a command is modified in the target configuration, the original command is prefixed with "-" and the new command is prefixed with "+".

Operation: Check whether the current configurations are consistent with those of a specified user label.
Command: display configuration changes { running label label | label label running }
Description: Same as for the preceding command.

Operation: Check whether the current configurations are the same as those in the configuration file for the next startup or a specified configuration file.
Command: compare configuration [ configuration-file ]
Description: After completing a series of configuration operations, you can compare whether the current configurations are the same as those in the configuration file for the next startup, or a specified configuration file, starting from the first line. Based on the comparison result, you can determine whether to save the current configurations in the configuration file and specify it as that used for the next startup. If there are differences between the configurations, the system displays a maximum of nine lines starting from the first line with differences. If there are fewer than nine lines from that line to the end of the file, the system displays the remaining lines.
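The display rules in Table 8-4 ("+" for a command present only in the target configuration, "-" for one present only in the source, and a "-"/"+" pair for a modified command) and the compare configuration behaviour of showing at most nine lines from the first difference can be reproduced off-box, which is useful when reviewing a candidate configuration file before specifying it for the next startup. The following Python script is an added example, not Huawei code, and does not reproduce the device's own comparison algorithm: it treats each configuration as a list of command lines, aligns them with difflib, and runs on two constructed configurations embedded inline.

```python
import difflib

MAX_PREVIEW_LINES = 9  # compare configuration shows at most nine lines per the guide


def configuration_changes(source, target):
    """Render the differences between two configurations as prefixed command
    lines following the rules given for display configuration changes:
    "+" for a command only in the target, "-" for a command only in the
    source, and a "-"/"+" pair for a modified command. Unchanged lines are omitted."""
    matcher = difflib.SequenceMatcher(None, source, target, autojunk=False)
    changes = []
    for tag, s1, s2, t1, t2 in matcher.get_opcodes():
        if tag == "equal":
            continue
        # "delete" and "replace" remove source lines; "insert" and "replace"
        # add target lines, so a replace naturally becomes a -/+ pair.
        changes.extend("-" + line for line in source[s1:s2])
        changes.extend("+" + line for line in target[t1:t2])
    return changes


def compare_from_first_difference(current, candidate, max_lines=MAX_PREVIEW_LINES):
    """Mimic compare configuration: find the first differing line and return up
    to max_lines lines of each side from that point (or all remaining lines
    when fewer are left). Returns None when the two configurations are identical."""
    common = min(len(current), len(candidate))
    for index in range(common):
        if current[index] != candidate[index]:
            break
    else:
        if len(current) == len(candidate):
            return None
        index = common  # one configuration is a prefix of the other
    return {
        "line": index + 1,
        "current": current[index:index + max_lines],
        "candidate": candidate[index:index + max_lines],
    }


def split_configuration(text):
    """Turn configuration text into the list of lines the functions above expect,
    dropping trailing whitespace but keeping the leading indentation that marks
    commands belonging to a view."""
    return [line.rstrip() for line in text.splitlines()]


# Constructed sample configurations (not from a real device): the running
# configuration and a candidate file that modifies one command and adds one.
RUNNING_CONFIG = split_configuration("""#
sysname SwitchA
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#
return
""")

CANDIDATE_CONFIG = split_configuration("""#
sysname SwitchA
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 20
 description uplink-to-core
#
return
""")


if __name__ == "__main__":
    for line in configuration_changes(RUNNING_CONFIG, CANDIDATE_CONFIG):
        print(line)
    print(compare_from_first_difference(RUNNING_CONFIG, CANDIDATE_CONFIG))
```

Feed the script the text captured with display current-configuration and the .cfg you intend to specify with startup saved-configuration; the argument order matters in the same way as on the device, since the first list is the source and the second the target.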

8.3.7 Backing Up the Configuration File by Copying Configurations on the Screen

Context
You can copy the configurations displayed on the screen and save them as a
configuration file on the hard disk of the PC. The backup configuration file can be
used if the configuration file restoration fails due to unexpected device damage.

Procedure
Step 1 Copy configurations on the screen. Specifically, run the following command and
copy all command output to a .txt file on the PC. The configurations are then
saved on the PC.
display current-configuration


NOTE

If the configuration of a single command is too long, the configuration may be displayed in
multiple lines on the terminal screen, depending on the terminal software. When copying a
multi-line configuration from the screen to a .txt file, ensure that the configuration occupies
one line in the .txt file. Otherwise, such a configuration may fail to be restored when
the .txt file is used.

----End

8.3.8 Backing Up the Configuration File to the Storage Medium

Context
You can back up the configuration file to the storage medium. The backup
configuration file can be used if the configuration file restoration fails due to
unexpected device damage.

Procedure
Step 1 (Optional) Save the configuration file.
save configuration-file

Step 2 Copy the configuration file to the storage medium.
copy source-filename destination-filename

----End

8.3.9 Backing Up the Configuration File to an FTP Server or Client

Prerequisites
Before backing up the configuration file to an FTP server or client, you have
completed the following tasks:
● If the device functions as an FTP client, connect it to an FTP server. For details,
see "Configuring a Device as an FTP Client" in CLI Configuration Guide > Basic
Configuration.
● If the device functions as an FTP server, connect it to an FTP client. For details,
see "Configuring a Device as an FTP Server" in CLI Configuration Guide >
Basic Configuration.
● Run the install feature-software WEAKEA command to install the weak
security algorithm/protocol feature package (WEAKEA).

Context
If the device is unexpectedly damaged, the configuration file cannot be restored.
In this case, a backup configuration file is required for restoring the device
configurations. You can back up the configuration file through FTP using either of
the following methods:


● If the device functions as an FTP client, back up the configuration file to an
FTP server.
● If the device functions as an FTP server, back up the configuration file to an
FTP client.

Select one method as required.

NOTE

Backing up the configuration file through FTP is simple but may pose security
risks. In scenarios with high security requirements, SFTP or SCP is recommended
for configuration file backup.
In FIPS mode, FTP cannot be used to back up configuration files.

Procedure
● Back up the configuration file to the FTP server when the device functions as
an FTP client.
a. Set up an FTP connection with the FTP server.
ftp [ ipv6 ] host-ip

b. Transfer the configuration file.

On the device, run the put command to upload the configuration file to
the specified path on the PC that functions as an FTP server.
put local-filename [ remote-filename ]

● Back up the configuration file to the FTP client when the device functions as
an FTP server.
a. On the PC that functions as an FTP client, initiate an FTP connection with
the device.

In this example, the IP address of the device is 10.110.24.254, the FTP
user name created on the device is huawei, and the password of the FTP
user is YsHsjx_202206.
C:\Documents and Setting\Administrator> ftp 10.110.24.254
Connected to 10.110.24.254.
220 FTP service ready.
User (10.110.24.254:(none)): huawei
331 Password required for huawei.
Password:
230 User logged in.

b. Transfer the configuration file.

On the PC, run the get command to download the configuration file to
the specified path on the PC.
ftp> get remote-filename [ local-filename ]

----End

Verifying the Configuration


The configuration file is saved to the working directory of the FTP user, and the
size of the configuration file on the device is the same as that on the FTP server or
client.


8.3.10 Backing Up the Configuration File to a TFTP Server

Prerequisites
Before backing up the configuration file to a TFTP server, you have completed the
following tasks:

● Ensure that the device has been connected to the TFTP server. For details, see
"Configuring a Device as a TFTP Client" in CLI Configuration Guide > Basic
Configuration.
● Run the install feature-software WEAKEA command to install the weak
security algorithm/protocol feature package (WEAKEA).

Context
If the device is unexpectedly damaged, the configuration file cannot be restored.
In this case, a backup configuration file is required for restoring the device
configurations. You can back up the configuration file through TFTP.

NOTE

Backing up the configuration file through TFTP is simple but may pose security
risks. In scenarios with high security requirements, SFTP or SCP is recommended
for configuration file backup.
In FIPS mode, TFTP cannot be used to back up configuration files.

Procedure
Step 1 Back up the configuration file to the TFTP server.
tftp [ ipv6 ] hostname-ip put sourcefilename [ destination-filename ]

----End

Verifying the Configuration


The configuration file is saved to the working directory of the TFTP user, and the
size of the configuration file on the device is the same as that on the TFTP server.

8.3.11 Backing Up the Configuration File to an SFTP Server or Client

Prerequisites
Before backing up the configuration file to an SFTP server or client, you have
completed the following tasks:
● If the device functions as an SFTP client, connect it to an SFTP server. For
details, see "Configuring a Device as an SFTP Client" in CLI Configuration
Guide > Basic Configuration.
● If the device functions as an SFTP server, connect it to an SFTP client. For
details, see "Configuring a Device as an SFTP Server" in CLI Configuration
Guide > Basic Configuration.


Context
If the device is unexpectedly damaged, the configuration file cannot be restored.
In this case, a backup configuration file is required for restoring the device
configurations. You can back up the configuration file through SFTP using either of
the following methods:
● If the device functions as an SFTP client, back up the configuration file to an
SFTP server.
● If the device functions as an SFTP server, back up the configuration file to an
SFTP client.

Select one method as required.

NOTE

Backing up the configuration file through FTP or TFTP is simple but may pose
security risks. In scenarios with high security requirements, SFTP or SCP is
recommended for configuration file backup.

Procedure
● Back up the configuration file to the SFTP server when the device functions as
an SFTP client.
a. Enter the system view.
system-view

b. Set up an SFTP connection with the SFTP server.
sftp [ ipv6 ] host-ip

c. Transfer the configuration file.

On the device, run the put command to upload the configuration file to
the specified path on the PC that functions as an SFTP server.
put local-filename [ remote-filename ]

● Back up the configuration file to the SFTP client when the device functions as
an SFTP server.
a. On the PC that functions as an SFTP client, initiate an SFTP connection
with the device.

The following information is for reference only.
C:/Documents and Settings/Administrator> sftp client001@10.136.23.4
Connecting to 10.136.23.4...
The authenticity of host "10.136.23.4 (10.136.23.4)" can't be established.
DSA key fingerprint is 0d:48:82:fd:2f:52:1c:f0:c4:22:70:80:8f:7b:fd:78.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added "10.136.23.4" (DSA) to the list of known hosts.
client001@10.136.23.4's password:
sftp>

b. Transfer the configuration file.

On the PC, run the get command to transfer the configuration file to the
specified path on the PC.
sftp> get remote-filename [ local-filename ]

----End


Verifying the Configuration


The configuration file is saved to the working directory of the SFTP user, and the
size of the configuration file on the device is the same as that on the SFTP server
or client.

8.3.12 Backing Up the Configuration File to an SCP Server or Client

Prerequisites
Before backing up the configuration file to an SCP server or client, you have
completed the following tasks:
● If the device functions as an SCP client, connect it to an SCP server. For
details, see "Configuring a Device as an SCP Client" in CLI Configuration Guide
> Basic Configuration.
● If the device functions as an SCP server, connect it to an SCP client. For
details, see "Configuring a Device as an SCP Server" in CLI Configuration
Guide > Basic Configuration.

Context
If the device is unexpectedly damaged, the configuration file cannot be restored.
In this case, a backup configuration file is required for restoring the device
configurations. You can back up the configuration file through SCP using either of
the following methods:
● If the device functions as an SCP client, back up the configuration file to an
SCP server.
● If the device functions as an SCP server, back up the configuration file to an
SCP client.
Select one method as required.

Procedure
● Back up the configuration file to the SCP server when the device functions as
an SCP client.
a. Enter the system view.
system-view

b. Transfer the configuration file.


On the device, run the following command to upload the configuration
file to the specified path on the PC that functions as an SCP server:
scp source-filename destination-filename

For example, to back up the vrpcfg.cfg file to the SCP server at 10.1.1.1
in SCP mode, run the following command. (The following information is
for reference only.)
<HUAWEI> system-view
[HUAWEI] scp vrpcfg.cfg scpuser@10.1.1.1:flash:/vrpcfg-backup.cfg
Trying 10.1.1.1...
Press CTRL+K to abort


Connected to 10.1.1.1...
The server is not authenticated. Continue to access it? [Y/N]:y
Save the server's public key? [Y/N]:y
The server's public key will be saved with the name 10.1.1.1. Please wait...

Please select public key type for user authentication [R for RSA/D for DSA/E for ECC] Please
select [R/D/E]:e
Enter password:
vrpcfg.cfg 100% 261Bytes 1Kb/s

● Back up the configuration file to the SCP client when the device functions as
an SCP server.
On the PC that functions as an SCP client, run the following command to
back up the configuration file to the specified path on the PC:
scp source-filename destination-filename

For example, to back up the vrpcfg.cfg file to the SCP client in SCP mode, run
the following command. The IP address of the device is 10.2.2.2. (The
following information is for reference only.)
C:\Documents and Settings\Administrator> scp scpuser@10.2.2.2:flash:/vrpcfg.cfg vrpcfg-backup.cfg
The authenticity of host '10.2.2.2 (10.2.2.2)' can't be established.
DSA key fingerprint is 46:b2:8a:52:88:42:41:d4:af:8f:4a:41:d9:b8:4f:ee.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.2.2.2' (DSA) to the list of known hosts.
scpuser@10.2.2.2's password:
vrpcfg.cfg 100% 1257 1.2KB/s 00:00
Read from remote host 10.2.2.2: Connection reset by peer

C:\Documents and Settings\Administrator>

----End

Verifying the Configuration


The configuration file is saved to the working directory of the SCP user, and the
size of the configuration file on the device is the same as that on the SCP server or
client.

8.3.13 Restoring the Configuration File from the Storage Medium

Context
If functions do not operate properly due to incorrect configurations, you can
restore the backup configuration file stored in the storage medium to the startup
configuration file.

Procedure
Step 1 Copy the backup configuration file and specify the name for the configuration file
copy.
copy source-filename destination-filename [ all ]

Step 2 Specify the configuration file for the next startup.
startup saved-configuration configuration-file

Step 3 Restart the device for the configuration file to take effect.


reboot fast

----End

8.3.14 Copying the Configuration File from an FTP Server or Client to the Device

Prerequisites
Before copying the configuration file from an FTP server or client to the device,
you have completed the following tasks:
● If the device functions as an FTP client, connect it to an FTP server. For details,
see "Configuring a Device as an FTP Client" in CLI Configuration Guide > Basic
Configuration.
● If the device functions as an FTP server, connect it to an FTP client. For details,
see "Configuring a Device as an FTP Server" in CLI Configuration Guide >
Basic Configuration.
● Run the install feature-software WEAKEA command to install the weak
security algorithm/protocol feature package (WEAKEA).

Context
If functions do not operate properly due to incorrect configurations, you can copy
the backup configuration file of the device from an FTP server or client to restore
the configuration file using either of the following methods:
● If the device functions as an FTP client, copy the configuration file from an
FTP server to the device.
● If the device functions as an FTP server, copy the configuration file from an
FTP client to the device.

Select one method as required.

NOTE

Restoring the configuration file through FTP is simple but may pose security
risks. In scenarios with high security requirements, SFTP or SCP is recommended
for configuration file restoration.
In FIPS mode, FTP cannot be used to restore configuration files.

Procedure
● Copy the configuration file from the FTP server when the device functions as
an FTP client.
a. Set up an FTP connection with the FTP server.
ftp [ ipv6 ] host-ip

b. Transfer the configuration file.

On the device, run the get command to copy the configuration file from
the PC that functions as an FTP server to the specified path on the device.
get remote-filename [ local-filename ]


● Copy the configuration file from the FTP client when the device functions as
an FTP server.
a. On the PC that functions as an FTP client, initiate an FTP connection with
the device.
In this example, the IP address of the device is 10.110.24.254, the FTP
user name created on the device is huawei, and the password of the FTP
user is YsHsjx_202206.
C:\Documents and Setting\Administrator> ftp 10.110.24.254
Connected to 10.110.24.254.
220 FTP service ready.
User (10.110.24.254:(none)): huawei
331 Password required for huawei.
Password:
230 User logged in.

b. Transfer the configuration file.

On the PC that functions as an FTP client, run the put command to copy
the configuration file from the PC to the specified path on the device.
ftp> put local-filename [ remote-filename ]

----End

Verifying the Configuration


Run the dir command on the device to check whether the configuration file has
been successfully copied from the PC to the device.

8.3.15 Copying the Configuration File from a TFTP Server to the Device

Prerequisites
Before copying the configuration file from a TFTP server to the device, you have
completed the following tasks:
● Ensure that the device has been connected to the TFTP server. For details, see
"Configuring a Device as a TFTP Client" in CLI Configuration Guide > Basic
Configuration.
● Run the install feature-software WEAKEA command to install the weak
security algorithm/protocol feature package (WEAKEA).

Context
If functions do not operate properly due to incorrect configurations, you can copy
the backup configuration file from the TFTP server to the device to restore the
functions.

NOTE

Restoring the configuration file through TFTP is simple but may pose security risks.
In scenarios with high security requirements, SFTP or SCP is recommended for
configuration file restoration.
In FIPS mode, TFTP cannot be used to restore configuration files.


Procedure
Step 1 Copy the configuration file from the TFTP server to the device.
tftp [ ipv6 ] hostname-ip get source-filename [ destination-filename ]

----End

Verifying the Configuration


Run the dir command on the device to check whether the configuration file has
been successfully copied from the TFTP server to the device.

8.3.16 Copying the Configuration File from an SFTP Server or Client to the Device
Prerequisites
Before copying the configuration file from an SFTP server or client to the device,
you have completed the following tasks:
● If the device functions as an SFTP client, connect it to an SFTP server. For
details, see "Configuring a Device as an SFTP Client" in CLI Configuration
Guide > Basic Configuration.
● If the device functions as an SFTP server, connect it to an SFTP client. For
details, see "Configuring a Device as an SFTP Server" in CLI Configuration
Guide > Basic Configuration.

Context
If functions do not operate properly due to incorrect configurations, you can copy
the backup configuration file of the device from an SFTP server or client to the
device to restore the configuration, using either of the following methods:
● If the device functions as an SFTP client, copy the configuration file from an
SFTP server to the device.
● If the device functions as an SFTP server, copy the configuration file from an
SFTP client to the device.
Select one method as required.

Procedure
● Copy the configuration file from the SFTP server when the device functions as
an SFTP client.
a. Enter the system view.
system-view

b. Set up an SFTP connection with the SFTP server.
sftp [ ipv6 ] host-ip

c. Transfer the configuration file.
On the device, run the get command to copy the configuration file from
the PC that functions as an SFTP server to the specified path on the
device.
get remote-filename [ local-filename ]


● Copy the configuration file from the SFTP client when the device functions as
an SFTP server.
a. On the PC that functions as an SFTP client, initiate an SFTP connection
with the device.
The following information is for reference only.
C:/Documents and Settings/Administrator> sftp client001@10.136.23.4
Connecting to 10.136.23.4...
The authenticity of host "10.136.23.4 (10.136.23.4)" can't be established.
DSA key fingerprint is 0d:48:82:fd:2f:52:1c:f0:c4:22:70:80:8f:7b:fd:78.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added "10.136.23.4" (DSA) to the list of known hosts.
client001@10.136.23.4's password:
sftp>
b. Transfer the configuration file.
On the PC that functions as an SFTP client, run the put command to copy
the configuration file from the PC to the specified path on the device.
sftp> put local-filename [ remote-filename ]

----End

Verifying the Configuration


Run the dir command on the device to check whether the configuration file has
been successfully copied from the PC to the device.

8.3.17 Copying the Configuration File from an SCP Server or Client to the Device
Prerequisites
Before copying the configuration file from an SCP server or client to the device,
you have completed the following tasks:
● If the device functions as an SCP client, connect it to an SCP server. For
details, see "Configuring a Device as an SCP Client" in CLI Configuration Guide
> Basic Configuration.
● If the device functions as an SCP server, connect it to an SCP client. For
details, see "Configuring a Device as an SCP Server" in CLI Configuration
Guide > Basic Configuration.

Context
If functions do not operate properly due to incorrect configurations, you can copy
the backup configuration file of the device from an SCP server or client to the
device to restore the configuration, using either of the following methods:
● If the device functions as an SCP client, copy the configuration file from an
SCP server to the device.
● If the device functions as an SCP server, copy the configuration file from an
SCP client to the device.
Select one method as required.


Procedure
● Copy the configuration file from the SCP server when the device functions as
an SCP client.
a. Enter the system view.
system-view

b. Transfer the configuration file.

On the device, run the following command to copy the configuration file
from the PC that functions as an SCP server to the specified path on the
device:
scp source-filename destination-filename

For example, to copy the vrpcfg.cfg file from the SCP server at 10.1.1.1 to
the device using SCP, run the following command. (The following
information is for reference only.)
<HUAWEI> system-view
[HUAWEI] scp scpuser@10.1.1.1:flash:/vrpcfg.cfg vrpcfg-backup.cfg
Trying 10.1.1.1...
Press CTRL+K to abort
Connected to 10.1.1.1...
The server is not authenticated. Continue to access it? [Y/N]:y
Save the server's public key? [Y/N]:y
The server's public key will be saved with the name 10.1.1.1. Please wait...

Please select public key type for user authentication [R for RSA/D for DSA/E for ECC] Please
select [R/D/E]:e
Enter password:
vrpcfg.cfg 100% 261Bytes 1Kb/s

● Copy the configuration file from the SCP client when the device functions as
an SCP server.

Run the following command to copy the configuration file from the PC that
functions as an SCP client to the specified path on the device:
scp source-filename destination-filename

For example, to copy the vrpcfg.cfg file from the SCP client to the device at
10.2.2.2 using SCP, run the following command. (The following information is
for reference only.)
C:\Documents and Settings\Administrator> scp vrpcfg.cfg scpuser@10.2.2.2:flash:/vrpcfg-backup.cfg
The authenticity of host '10.2.2.2 (10.2.2.2)' can't be established.
DSA key fingerprint is 46:b2:8a:52:88:42:41:d4:af:8f:4a:41:d9:b8:4f:ee.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.2.2.2' (DSA) to the list of known hosts.
scpuser@10.2.2.2's password:
vrpcfg.cfg 100% 1257 1.2KB/s 00:00
Read from remote host 10.2.2.2: Connection reset by peer

C:\Documents and Settings\Administrator>

----End

Verifying the Configuration


Run the dir command on the device to check whether the configuration file has
been successfully copied from the PC to the device.


8.3.18 Compressing the Configuration File


Context
To reduce the storage space occupied by a large configuration file, you can
compress the file. A compressed configuration file stored on the device can also be
decompressed.

Procedure
● Compress the configuration file.
zip source-filename destination-filename [ password password ]

● Decompress the configuration file.
unzip source-filename destination-filename [ password password ]

----End

8.3.19 Clearing the Configuration File


Context
Clearing the configuration file is necessary in the following scenarios:
● The software and configuration file do not match after the device software is
upgraded.
● The configuration file is damaged, or an incorrect configuration file is loaded.

NOTICE

The reset saved-configuration command will clear the configuration file
used for the next startup. You are advised to run this command under the
guidance of technical support personnel.

To configure an interface on a device for other uses, you need to first delete
existing configurations from the interface one by one. If the interface has a large
number of configurations, this can take a long time. A single command is
available for deleting all configurations on an interface, reducing the maintenance
workload and simplifying the deletion operation.

Procedure
● Delete configurations for the next startup.
a. Cancel the configuration file specified for the next startup to restore the
default configurations.
reset saved-configuration


NOTE

After the configuration file specified for the next startup is canceled, the device
will use the default configurations for startup, unless the startup saved-configuration
command is used to specify a new configuration file, or new configurations have
been saved to the configuration file for the next startup.
Before the reset saved-configuration command is executed, the system checks
whether the configuration files used for the current startup and the next startup
are the same:
● If they are the same, running the reset saved-configuration command clears
both configuration files, and the default configuration file will be used for the
next startup.
● If they are not the same, running the reset saved-configuration command
clears the configuration file for the next startup, but the current configuration
file remains unchanged.
● If the current configuration file is empty and the configuration file for the next
startup is not empty, running the reset saved-configuration command clears
the configuration file for the next startup.
● If the configuration file for the next startup is empty and the current
configuration file is not empty, running the reset saved-configuration
command causes the system to report an error and clear no configuration
file. If you run the command to restart the device, the addresses configured
for management interfaces on the device become invalid, and you must log
in to the device through the console interface to reconfigure these addresses.
b. Restart the device to validate the configuration.
reboot fast

● Delete all configurations from an interface using a single command to
restore the default configurations.
clear configuration interface interface-type interface-number

NOTE

This command will delete all configurations of a specified interface. Exercise caution
when running this command.
Ensure that the specified interface type and number are correct. Otherwise, the
configurations of another interface may be deleted, causing service interruption.

----End

8.3.20 Rolling Back Configurations


Context
If faults are caused by incorrect configurations, or if an unexpected configuration
result is generated on the network, you can roll back the configuration.
A configuration rollback point needs to be generated using the following methods
before the configuration rollback function is used:
● To set the time at which a rollback point is automatically generated each day,
run the set save-configuration checkpoint daily time time command in the
system view.
● After a series of configuration commands are configured, run the commit
label label [ description description ] command. The system generates a user
label for the current configuration rollback point. You can specify description
in the command to add a brief description for the configuration rollback point,
which allows the desired configuration rollback point to be located rapidly.

NOTE

The system configuration takes effect in immediate mode. After you enter a command line
and press Enter, the system performs a syntax check. The configuration takes effect as soon
as it passes the syntax check, and you do not need to run the commit command to commit
the configuration.

Procedure
Step 1 Check the configuration rollback points and the latest configuration changes.

For details, see Table 8-5.

Table 8-5 Checking configuration rollback points

Operation: Check all configuration rollback points.
Command: display configuration commit list [ verbose ] [ number-of-commits | label ]
Description: This command displays configuration rollback points and their
details. To check a specified number of the latest configuration rollback points,
specify number-of-commits.

Step 2 Roll back the system to the historical configuration state by specifying a
configuration rollback point.
rollback configuration { to commit-id commit-id | to label label | to file file-name }

During configuration rollback, the created configuration will be deleted, the
deleted configuration will be re-created, or the modified configuration will be
restored to the original one.

● To roll back the system to the historical configuration state at a configuration
rollback point, specify commit-id commit-id.
● To roll back the system to the historical configuration state at a configuration
rollback point with a specified user label, specify label label.
● To roll back the system to the historical configuration state using a specified
configuration file, specify file file-name.

Step 3 (Optional) Set the user label for a configuration rollback point.
set configuration commit commit-id label label-string

By default, no user label is set for a configuration rollback point.

Step 4 (Optional) Delete the user label of a specified configuration rollback point, or
delete the earliest configuration rollback points generated in the system.
clear configuration commit { commit-id label | oldest number-of-commits }

Step 5 (Optional) Delete the configuration rollback point with a specified user label.


clear configuration commit label label-name

----End

Example
A user logs in to the device and finds that the configuration is incorrect. The user
then rolls back the system using a backup configuration file.

1. Check the name of the backup configuration file on the current device.
<HUAWEI> dir
Directory of flash:/

Idx Attr Size(Byte) Date Time FileName
0 -rw- 889 Mar 01 2019 14:41:56 private-data.txt
1 -rw- 6,311 Feb 17 2019 14:05:04 backup.cfg
2 -rw- 2,393 Mar 06 2019 17:20:10 vrpcfg.zip
3 -rw- 812 Nov 12 2019 15:43:10 hostkey
4 drw- - Mar 01 2019 14:41:46 compatible
5 -rw- 540 Nov 12 2019 15:43:12 serverkey...
670,092 KB total (569,904 KB free)

2. Roll back the system using the backup configuration file.
<HUAWEI> rollback configuration to file backup.cfg
Warning: This operation will revert configuration changes to the file backup.cfg.
Continue? [Y/N]:y

3. Verify the configuration.
Run the display current-configuration command to check whether the
incorrect configuration still exists.

Verifying the Configuration


● Run the display configuration rollback result command to view information
about the latest configuration rollback operation, including all prompts and
failure messages.
● Run the display configuration commit at commit-id command to view all
configuration information at the specified configuration rollback point.

8.3.21 Example: Specifying the Configuration File to Be Loaded for Next Startup

Networking Requirements
As shown in Figure 8-1, the current system software cannot meet user needs, and
the device must load a new software version with more features. Therefore, the
device software needs to be upgraded remotely.

Figure 8-1 Network diagram of specifying the configuration file to be loaded for
next startup


Configuration Roadmap
The configuration roadmap is as follows:
1. Upload the new system software to the root directory of the device.
2. Save the current configuration so that it remains effective after upgrade.
3. Specify the system software to be loaded for next startup.
4. Specify the configuration file to be loaded for next startup.
5. Restart the device to complete upgrade.

Procedure
Step 1 Upload the new system software to the root directory of the device.
1. Before configuration, run the display startup command to view the files for
next startup.
<HUAWEI> display startup
MainBoard:
Configured startup system software: flash:/basicsoft.cc
Startup system software: flash:/basicsoft.cc
Next startup system software: flash:/basicsoft.cc
Startup saved-configuration file: flash:/vrpcfg.zip
Next startup saved-configuration file: flash:/vrpcfg.zip
Startup paf file: default
Next startup paf file: default
Startup patch package: NULL
Next startup patch package: NULL
2. Configure the device as an SFTP server.
Upload the new system software to the device. This example uses SFTP to
transfer the system software. Configure the device as an SFTP server and
upload the system software to the device from the SFTP client. Ensure that
there is enough space in the storage medium before uploading files. If the
space is insufficient, delete unnecessary files from the storage medium.
# Configure an IP address for the SFTP server.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] interface 10ge 1/0/1
[SSH Server-10GE1/0/1] undo portswitch
[SSH Server-10GE1/0/1] ip address 10.248.103.194 255.255.255.0
[SSH Server-10GE1/0/1] quit
# Configure the public key algorithm, encryption algorithm, key exchange
algorithm list, HMAC authentication algorithm, and minimum key length on
the SSH server.
[SSH Server] ssh server cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
[SSH Server] ssh server hmac sha2_256 sha2_512
[SSH Server] ssh server key-exchange dh_group_exchange_sha256 dh_group16_sha512
[SSH Server] ssh server publickey rsa_sha2_256 rsa_sha2_512
[SSH Server] ssh server dh-exchange min-len 3072
# On the server, generate a local key pair and enable the SFTP server
function.
[SSH Server] dsa local-key-pair create
Info: The key name will be: Host_DSA
Info: The key modulus can be any one of the following : 2048.
Info: Key pair generation will take a short while.
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.


[SSH Server] sftp server enable
[SSH Server] ssh server-source all-interface
# Configure SSH user information including the authentication mode, service
type, authorized directory, user name, and password.
[SSH Server] ssh user client authentication-type password
Info: Succeeded in adding a new SSH user.
[SSH Server] ssh user client service-type sftp
[SSH Server] ssh user client sftp-directory flash:
[SSH Server] aaa
[SSH Server-aaa] local-user client password
Please configure the login password (8-128)
It is recommended that the password consist of at least 2 types of characters, including lowercase
letters, uppercase letters, numerals and special characters.
Please enter password:
Please confirm password:
Info: Add a new user.
[SSH Server-aaa] local-user client privilege level 3
[SSH Server-aaa] local-user client service-type terminal ssh
[SSH Server-aaa] quit
# Configure access permissions on the SSH server.
[SSH Server] acl 2000
[SSH Server-acl4-basic-2000] rule permit source 10.248.103.0 8
[SSH Server-acl4-basic-2000] quit
[SSH Server] ssh server acl 2000
3. Run the sftp 10.248.103.194 command in the CLI window of the PC to set up
an SFTP connection with the device. Run the put command to upload new
system software newbasicsoft.cc.
After the system software is successfully uploaded, run the dir command on
the SSH server to view the uploaded system software.
<SSH Server> dir
Directory of flash:/

Idx Attr Size(Byte) Date Time FileName
0 drw- - Apr 16 2012 13:19:58 logfile
1 -rw- 85,925,409 Apr 16 2012 13:18:02 basicsoft.cc
2 -rw- 4 Oct 27 2011 17:25:22 snmpnotilog.txt
3 -rw- 6,033 Jul 16 2012 16:40:02 private-data.txt
4 -rw- 3,275 Jul 14 2012 14:18:08 vrpcfg.zip
5 drw- - Nov 14 2011 19:14:26 sysdrv
6 drw- 88,239,759 Jul 16 2012 19:14:26 newbasicsoft.cc
...

670,092 KB total (569,904 KB free)

Step 2 Save the current configuration.
<SSH Server> save

The system displays a message indicating that the current configuration will be
saved and asks you whether to continue. Enter y and the configuration will be
saved to the device.
Step 3 Specify the system software to be loaded for next startup.
<SSH Server> startup system-software newbasicsoft.cc

Step 4 Specify the configuration file to be loaded for next startup.
<SSH Server> startup saved-configuration vrpcfg.zip

NOTE

In step 1, the output of the display startup command includes "Next startup
saved-configuration file: flash:/vrpcfg.zip", which means that the vrpcfg.zip
configuration file has already been specified for next startup, so this step can be
skipped. Perform this step only to specify a different file for next startup.


Step 5 Verify the configuration.

Run the following command to view the system software and configuration file
for next startup.
<SSH Server> display startup
MainBoard:
Configured startup system software: flash:/basicsoft.cc
Startup system software: flash:/basicsoft.cc
Next startup system software: flash:/newbasicsoft.cc
Startup saved-configuration file: flash:/vrpcfg.zip
Next startup saved-configuration file: flash:/vrpcfg.zip
Startup paf file: default
Next startup paf file: default
Startup patch package: NULL
Next startup patch package: NULL

Step 6 Restart the device.

# Because the configuration file has been saved, run the following command to
restart the device quickly.
<SSH Server> reboot fast

When the system asks you whether to continue with a system restart, enter y.

----End

Verifying the Configuration


# Wait for several minutes until the device restart is complete. Run the display
version command to check the current system version. If the current system
software is new, the upgrade has succeeded.

Configuration Scripts
#
sysname SSH Server
#
acl number 2000
rule 5 permit source 10.248.103.0 0.0.0.255
#
aaa
local-user client password irreversible-cipher $1d$+,JS+))\\2$KVNj(.3`_5x0FCKGv}H&.kUTI`Ff&H*eBqO.ua>)$
local-user client service-type terminal ssh
local-user client privilege level 3
#
interface 10GE1/0/1
undo portswitch
ip address 10.248.103.194 255.255.255.0
#
sftp server enable
ssh server-source all-interface
ssh server acl 2000
ssh user client
ssh user client authentication-type password
ssh user client service-type sftp
ssh user client sftp-directory flash:
#
ssh server cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
ssh server hmac sha2_256 sha2_512
ssh server key-exchange dh_group_exchange_sha256 dh_group16_sha512
ssh server publickey rsa_sha2_256 rsa_sha2_512
ssh server dh-exchange min-len 3072
#
return
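The configuration script above hardens the SSH server with explicit cipher, HMAC, key exchange and public key algorithm lists, a minimum DH length, and a source ACL. As an added example that is not part of the Huawei guide, the following Python script audits a configuration script in this format against those settings; the allowed algorithm names and the 3072-bit minimum are taken from the page's example, and the weakened sample script (including the "3des_cbc" stand-in name) is constructed for the demonstration.

```python
"""Audit the SSH server hardening in a CloudEngine configuration script.

Added example, not part of the Huawei guide. It parses the script format shown
above ("#"-delimited blocks, one command per line) and reports settings outside
the algorithm set the page's example configures. That set and the 3072-bit DH
minimum come from the page; flagging anything else is this script's assumption.
"""
import re

ALLOWED = {  # algorithm sets the guide's example configures
    "ssh server cipher": {"aes128_ctr", "aes192_ctr", "aes256_ctr",
                          "aes128_gcm", "aes256_gcm"},
    "ssh server hmac": {"sha2_256", "sha2_512"},
    "ssh server key-exchange": {"dh_group_exchange_sha256", "dh_group16_sha512"},
    "ssh server publickey": {"rsa_sha2_256", "rsa_sha2_512"},
}
MIN_DH_LEN = 3072  # the example's "ssh server dh-exchange min-len" value
REQUIRED = list(ALLOWED) + ["ssh server dh-exchange min-len", "ssh server acl"]


def parse_script(text):
    """Split a script into blocks of stripped command lines; "#" delimits."""
    blocks = [[]]
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "#":
            blocks.append([])
        elif line and line != "return":
            blocks[-1].append(line)
    return [b for b in blocks if b]


def acl_restricts_source(blocks, acl_number):
    """True if the ACL exists and has a permit rule bound to a specific source."""
    for block in blocks:
        if block[0] == f"acl number {acl_number}":
            return any(re.match(r"rule( \d+)? permit source (?!any\b)\S+", rule)
                       for rule in block[1:])
    return False


def audit_ssh_server(text):
    """Return a sorted list of findings; an empty list means every check passed."""
    blocks = parse_script(text)
    findings, seen = [], set()
    for line in (cmd for block in blocks for cmd in block):
        for key, allowed in ALLOWED.items():
            if line.startswith(key + " "):
                seen.add(key)
                bad = sorted(set(line[len(key):].split()) - allowed)
                if bad:
                    findings.append(f"{key}: unexpected algorithm(s) {', '.join(bad)}")
        if m := re.fullmatch(r"ssh server dh-exchange min-len (\d+)", line):
            seen.add("ssh server dh-exchange min-len")
            if int(m.group(1)) < MIN_DH_LEN:
                findings.append(f"ssh server dh-exchange min-len: {m.group(1)} is below {MIN_DH_LEN}")
        if m := re.fullmatch(r"ssh server acl (\d+)", line):
            seen.add("ssh server acl")
            if not acl_restricts_source(blocks, m.group(1)):
                findings.append(f"ssh server acl: ACL {m.group(1)} is missing or not source-restricted")
    findings += [f"{key}: not configured, device default applies"
                 for key in REQUIRED if key not in seen]
    return sorted(findings)


# Constructed sample: the page's script weakened in three places ("3des_cbc" is a stand-in name).
WEAKENED_SCRIPT = """\
#
acl number 2000
 rule 5 permit source any
#
ssh server acl 2000
#
ssh server cipher aes128_ctr aes256_ctr 3des_cbc
ssh server hmac sha2_256 sha2_512
ssh server key-exchange dh_group_exchange_sha256 dh_group16_sha512
ssh server publickey rsa_sha2_256 rsa_sha2_512
ssh server dh-exchange min-len 2048
#
return
"""
```

Running audit_ssh_server(WEAKENED_SCRIPT) reports the permissive ACL, the non-allowlisted cipher and the DH length below 3072, while the page's own script yields no findings.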
