CloudEngine S3700, S5700, and S6700 V600R022C10 Configuration Guide - Basic Configuration
Switches
V600R022C10
Issue 02
Date 2023-11-15
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees
or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: https://e.huawei.com
Intended Audience
This document is intended for network engineers responsible for switch
management and maintenance. You should be familiar with basic Ethernet
knowledge and have extensive network management experience. In addition, you
should understand your network well, including the network topology and
deployed network services.
Symbol Conventions
The symbols used in this document are described in the following table.
Command Conventions
Security Conventions
● Password setting
– Configuring a ciphertext password is recommended. For security
purposes, do not disable password complexity check, and change the
password periodically.
Disclaimer
● This document is designed as a reference for you to configure your devices. Its
contents, including web pages, command line input and output, are based on
laboratory conditions. It provides instructions for general scenarios, but does
not cover all use cases of all product models. The examples given may differ
from your use case due to differences in software versions, models, and
configuration files. When configuring your device, alter the configuration
depending on your use case.
● The specifications provided in this document are tested in a lab environment
(for example, cards of a certain type have been installed on the tested device,
or only one protocol is running on the device). Results may differ from the listed
specifications when you attempt to obtain the maximum values, due to factors
such as differences in hardware configurations and carried services.
● In this document, public IP addresses may be used in feature introduction and
configuration examples and are for reference only unless otherwise specified.
Purpose
Before configuring services on a new device, you need to log in to the device
locally through the console port.
After logging in locally, you can configure basic system parameters, such as the
device name, management IP address, and system time. You can also configure
STelnet to enable remote login.
Default Settings
The default communication parameters of the console port include:
Stop bit: 1
Data bit: 8
Procedure
Step 1 Connect the DB9 connector of the prepared console cable to the PC's serial port
(COM), and the RJ45 connector to the device's console port. If there is no DB9
serial port on your terminal (PC), use a DB9-to-USB cable to connect the USB port
to the terminal.
Step 2 Start PuTTY on the PC (PuTTY is an example terminal emulator). Create a
connection, select the connection port, and set communication parameters.
1. Click Session to create a connection, as shown in Figure 2-1.
2. Click Serial and set the port to be connected and the communication
parameters, as shown in Figure 2-2.
a. Select the port according to your requirements. For example, in a
Windows operating system, you can open Device Manager to view port
information and select the port to be connected.
b. Ensure that the communication parameters you set in the terminal
emulation software are consistent with the default parameter settings of
the device's console port.
c. Click Open.
NOTE
A PC may have multiple ports that can be connected to the device. In this step, the
port to be connected to a console cable must be selected. In most cases, COM1 is
used.
If the device's communication parameters are modified, those on the PC must be
modified accordingly and the connection must be re-established.
Step 3 Press Enter until information similar to the following is displayed. Enter a
password and confirm the password as prompted. (The following information is
for reference only.)
User interface con0 is available
NOTE
● You must set a login password upon first login to the device through the console port.
After the login is successful, the console port has the default administrator rights.
● The password is a string of 8 to 16 case-sensitive characters. It must contain at least
two of the following character types: uppercase letters, lowercase letters, digits, and
special characters. Special characters do not include question marks (?) or spaces.
● In interactive mode, the entered password is not displayed on the terminal screen.
● For security purposes, change the password periodically.
After completing the preceding steps, you can run commands to configure the
device. Enter a question mark (?) whenever you need help.
----End
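As an added example that is not part of this guide, the first-login password rules from the NOTE above written as a Python check. It assumes the policy exactly as stated (8 to 16 case-sensitive characters, at least two of the four character classes, question marks and spaces not counted as special characters) and, as this example's own interpretation, rejects any character that belongs to none of the four classes:

```python
import string

# Rules copied from the console first-login NOTE in this guide:
#   - 8 to 16 case-sensitive characters
#   - at least two of: uppercase letters, lowercase letters, digits, special characters
#   - '?' and space do not count as special characters
# Assumption (this example's, not the guide's): because '?' and space belong to no
# character class, a password containing either is rejected outright.
MIN_LEN, MAX_LEN = 8, 16
SPECIALS = frozenset(string.punctuation) - {"?"}   # printable ASCII non-alphanumerics, minus '?'


def classify(ch: str):
    """Name the character class ch belongs to, or None if ch is not permitted."""
    if "A" <= ch <= "Z":
        return "upper"
    if "a" <= ch <= "z":
        return "lower"
    if "0" <= ch <= "9":
        return "digit"
    if ch in SPECIALS:
        return "special"
    return None


def check_console_password(pw: str):
    """Return (ok, reason); reason is 'ok' when pw satisfies the first-login policy."""
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        return False, f"length {len(pw)} is outside {MIN_LEN}-{MAX_LEN}"
    classes = set()
    for ch in pw:
        kind = classify(ch)
        if kind is None:
            return False, f"character {ch!r} is not permitted"
        classes.add(kind)
    if len(classes) < 2:
        return False, f"only one character class ({classes.pop()}); at least two are required"
    return True, "ok"


if __name__ == "__main__":
    # Constructed candidates, not passwords taken from the guide.
    for candidate in ("Admin@123", "abcdefgh", "Abc?1234", "Ab1!", "Huawei@2023extra"):
        ok, reason = check_console_password(candidate)
        print(f"{candidate!r:20} {'accept' if ok else 'reject'}: {reason}")
```

The check is useful as a pre-flight test for scripted provisioning: a password that fails it would be rejected interactively at the console, where the prompt gives no second chance to see what was typed.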
Procedure
Step 1 Enter the system view.
system-view
----End
2.3.2 Setting the Time Zone, Date, and Time of the Device
Context
The system time on a device is randomly set upon device delivery. When the
device is connected to a network, you must set the system time to the actual local
time to ensure that the time in logs and alarms generated by the device is correct.
Procedure
Step 1 Configure the time zone where the device is located.
clock timezone time-zone-name { add | minus } offset
By default, a device uses the Universal Time Coordinated (UTC) time zone. The
default time zone name is DefaultZoneName.
add: adds the specified offset to UTC. The local time equals UTC plus offset,
which is the time zone specified by time-zone-name (time zones east of UTC).
minus: subtracts the specified offset from UTC. The local time equals UTC minus
offset, which is the time zone specified by time-zone-name (time zones west of
UTC).
The time format of a local log is Original system time±offset specified in the time
zone configuration command, for example, Apr 27 2020 22:36:09+08:00.
Step 2 Set the current date and time.
clock datetime [ utc ] time date
No default value is available. The value of time must be in the format HH:MM:SS,
which indicates the current hour, minute, and second on the device. The value of
date must be in the format of YYYY-MM-DD, which indicates the current year,
month, and day on the device.
----End
Procedure
Step 1 Enter the system view.
system-view
----End
Procedure
● Configure the management IP address on the management interface.
a. Enter the system view.
system-view
g. Enter the view of the common service interface used for management.
interface interface-type interface-number
j. Configure a VLAN as the default VLAN of the interface and add the
interface to the VLAN.
port default vlan vlan-id
----End
Context
In order to remotely log in to the device from the terminal through STelnet when
the IP address of a terminal and the management IP address of a device are Layer
3 reachable, an administrator must first create a login user on the device and
configure STelnet.
NOTE
By default, a new user needs to change the password at first login to the device. If the
administrator resets the password, the user also needs to change the password at the first
login to the device after password reset.
Procedure
Step 1 Set the VTY user authentication mode to AAA and configure the VTY user
interface to support SSH.
system-view
user-interface vty first-ui-number [ last-ui-number ]
authentication-mode aaa //Set the VTY user authentication mode to AAA.
protocol inbound ssh //Configure the VTY user interface to support SSH.
quit
Step 3 Create an SSH user and configure the authentication mode and service type.
ssh user user-name //Create an SSH user.
ssh user user-name authentication-type password //Set the authentication mode of the SSH user to
password.
ssh user user-name service-type stelnet //Set the service type of the SSH user to STelnet.
stelnet server enable //Enable the STelnet server function for the device.
ssh server-source -i interface-type interface-number //Configure the source interface for the SSH server. If
IPv6 addresses are used for login, run the ssh ipv6 server-source -a ipv6-address command to configure
the source IP address for the SSH server.
NOTE
Ensure that the SSH user name is the same as the local user name.
The created user must change the password upon first login.
The ssh server-source -i command limits SSH logins to the address of the specified
interface. ssh server-source all-interface accepts SSH connections on the addresses
of all interfaces, which exposes the SSH service beyond the management interface;
use it only where that exposure is intended.
----End
Figure 2-3 Performing basic configurations after the first login through the
console port
Configuration Roadmap
1. Log in to the device through the console port.
2. Perform basic configurations on the device.
Procedure
Step 1 Log in to the device through the console port from PC1. For details, see First
Login Through the Console Port.
Step 2 Perform basic configurations on the device.
# Set the date, time, and time zone.
<HUAWEI> clock timezone BJ add 08:00:00
<HUAWEI> clock datetime 20:20:00 2018-08-08
NOTE
Before configuring the current time and date, run the clock timezone command to
configure the time zone. If no time zone is configured, running the clock datetime
command will configure the Coordinated Universal Time (UTC).
# Configure a default route for the device with a gateway address of 10.137.217.1.
[Device] ip route-static 0.0.0.0 0 10.137.217.1
# Set parameters for the SSH user and the local user for SSH login.
[Device] user-interface vty 0 4
[Device-ui-vty0-4] authentication-mode aaa
[Device-ui-vty0-4] protocol inbound ssh
[Device-ui-vty0-4] quit
[Device] aaa
[Device-aaa] local-user admin123 password
Please configure the login password (8-128)
It is recommended that the password consist of at least 2 types of characters, including lowercase letters,
uppercase letters, numerals and special characters.
Please enter password:
Please confirm password:
Info: Add a new user.
[Device-aaa] local-user admin123 service-type ssh
[Device-aaa] local-user admin123 privilege level 3
[Device-aaa] quit
[Device] ssh user admin123
[Device] ssh user admin123 authentication-type password
[Device] ssh user admin123 service-type stelnet
[Device] ssh server-source all-interface
[Device] stelnet server enable
----End
Info: The max number of VTY users is 21, the number of current VTY users online is 5, and total number of
terminal users online is 5.
The current login time is 2020-12-15 14:23:00.
<Device>
Configuration Scripts
Device
#
sysname Device
#
stelnet server enable
#
clock timezone BJ add 08:00:00
#
aaa
local-user admin123 password irreversible-cipher $1d$+,JS+))\\2$KVNj(.3`_5x0FCKGv}H&.kUTI`Ff&H*eBqO.ua>)$
local-user admin123 service-type ssh
local-user admin123 privilege level 3
#
interface MEth0/0/0
ip address 10.137.217.203 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.137.217.1
#
stelnet server enable
ssh user admin123
ssh user admin123 authentication-type password
ssh user admin123 service-type stelnet
ssh server-source all-interface
#
ssh server cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
ssh server hmac sha2_256 sha2_512
ssh server key-exchange dh_group_exchange_sha256
ssh server publickey rsa_sha2_256 rsa_sha2_512
ssh server dh-exchange min-len 3072
#
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
protocol inbound ssh
#
return
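An added example, not Huawei's code, that audits a configuration script such as the one above for the remote-login settings this section configures: AAA authentication and SSH-only inbound protocol on the VTY user interfaces, STelnet enabled and Telnet not enabled, irreversible-cipher password storage, the SSH server bound to a specific source interface rather than all-interface, and no weak SSH algorithms. The weak-algorithm lists and the 2048-bit DH minimum are this example's assumptions (the script above uses 3072). The page's script is embedded in trimmed form, and a second, constructed configuration shows the findings for the settings the guide advises against:

```python
# Added example (not Huawei's code): audit a CloudEngine-style configuration
# script for the STelnet hardening described in this section. The weak-algorithm
# lists and MIN_DH_LEN are this example's assumptions, not values from the guide.
MIN_DH_LEN = 2048

# Trimmed copy of the configuration script shown above.
PAGE_SCRIPT = r"""
#
stelnet server enable
#
aaa
 local-user admin123 password irreversible-cipher $1d$+,JS+))\\2$KVNj(.3`_5x0FCKGv}H&.kUTI`Ff&H*eBqO.ua>)$
#
ssh server-source all-interface
#
ssh server cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
ssh server hmac sha2_256 sha2_512
ssh server dh-exchange min-len 3072
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return
"""

# Constructed counter-example carrying the settings the guide advises against.
WEAK_SCRIPT = """
#
telnet server enable
#
aaa
 local-user ops password cipher %^%#constructed%^%#
#
ssh server cipher 3des_cbc aes128_cbc
ssh server hmac md5 sha1
ssh server dh-exchange min-len 1024
#
user-interface vty 0 4
 authentication-mode password
 protocol inbound all
#
return
"""


def parse_blocks(text):
    """Split a configuration into blocks delimited by lines containing only '#'."""
    blocks, cur = [], []
    for line in (raw.strip() for raw in text.splitlines()):
        if line in ("#", "return"):
            if cur:
                blocks.append(cur)
            cur = []
        elif line:
            cur.append(line)
    return blocks + ([cur] if cur else [])


def weak_cipher(tok):
    return "cbc" in tok.lower() or tok.lower().startswith(("3des", "des", "arcfour"))


def weak_hmac(tok):
    return tok.lower().startswith(("md5", "sha1"))


def audit(text):
    """Return (code, message) findings; an empty list means nothing was flagged."""
    blocks = parse_blocks(text)
    lines = [l for b in blocks for l in b]
    f = []
    if "telnet server enable" in lines:
        f.append(("TELNET_SERVER", "Telnet server enabled: credentials cross the network in plaintext"))
    if "stelnet server enable" not in lines:
        f.append(("STELNET_DISABLED", "stelnet server enable is missing; SSH login is not available"))
    if any(l.startswith("ssh server-source all-interface") for l in lines):
        f.append(("SSH_SOURCE_ALL", "SSH server accepts connections on every interface address; "
                  "prefer 'ssh server-source -i <management interface>'"))
    for l in lines:
        toks = l.split()
        if l.startswith("ssh server cipher"):
            bad = [t for t in toks[3:] if weak_cipher(t)]
            if bad:
                f.append(("WEAK_CIPHER", "weak SSH ciphers offered: " + " ".join(bad)))
        elif l.startswith("ssh server hmac"):
            bad = [t for t in toks[3:] if weak_hmac(t)]
            if bad:
                f.append(("WEAK_HMAC", "weak SSH HMACs offered: " + " ".join(bad)))
        elif l.startswith("ssh server dh-exchange min-len") and int(toks[-1]) < MIN_DH_LEN:
            f.append(("DH_MIN_LEN", f"DH group exchange minimum {toks[-1]} bits is below {MIN_DH_LEN}"))
        elif l.startswith("local-user") and " password " in l and " irreversible-cipher " not in l:
            f.append(("REVERSIBLE_PASSWORD", f"{toks[1]}: password is not stored as irreversible-cipher"))
    for b in blocks:                      # per-VTY-block checks
        if not b[0].startswith("user-interface vty"):
            continue
        if "authentication-mode aaa" not in b:
            f.append(("VTY_AUTH", f"{b[0]}: authentication-mode is not aaa"))
        proto = [l for l in b if l.startswith("protocol inbound")]
        if proto != ["protocol inbound ssh"]:
            f.append(("VTY_PROTOCOL", f"{b[0]}: inbound protocol not restricted to ssh ({' '.join(proto) or 'not set'})"))
    return f
```

Running audit(PAGE_SCRIPT) reports only the all-interface binding; audit(WEAK_SCRIPT) trips every other check. The parser keys on the '#' block delimiters of the configuration script format, so it runs unchanged on display current-configuration output that has been saved to a file on the device and copied off.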
A device provides various command views. The following describes the most
commonly used command views. For instructions on how to enter command views
not listed below, see the Command Reference.
● System view
The system view allows you to set the device's system parameters and enter
other function views.
To enter the system view, run the system-view command and press Enter
while in the user view.
<HUAWEI> system-view
Enter system view, return user view with return command.
[HUAWEI]
● Interface view
You can configure interface parameters in the interface view. Interface
parameters include physical attributes, link layer protocols, and IP addresses.
To enter the interface view, run the interface command and specify an
interface type and number. A 10GE interface is used here as an example.
[HUAWEI] interface 10ge X/Y/Z
[HUAWEI-10GEX/Y/Z]
The command line prompt HUAWEI is the default host name (sysname), and the
prompt indicates the current view. For example, <> indicates the user view and []
indicates all other views.
To add comments, enter ! or # followed by a character string in any view. All the
entered content (including ! and #) is displayed as comments and no
corresponding configuration will be generated.
NOTE
● Some commands can be executed in multiple views, while their functions depend on the
views these commands are executed.
● In the system view, you can run the diagnose command to enter the diagnostic view.
Diagnostic commands (level-3 management commands) are used for device fault
diagnosis, and running certain commands in this view may cause the device unable to
work properly or interrupt services. To use these diagnostic commands, contact technical
support.
To return from the AAA view directly to the user view, press Ctrl+Z or run the
return command.
# Press Ctrl+Z to return directly to the user view.
[HUAWEI-aaa] //Enter Ctrl+Z.
<HUAWEI>
# Run the return command to return directly to the user view.
[HUAWEI-aaa] return
<HUAWEI>
Commands that can be run in the system view support the intelligent
backtracking function. If a command cannot be run in the current view (a non-
system and non-user view), the system automatically returns to the system view.
If the command can be run in the system view, the corresponding configuration is
directly delivered, enhancing ease of use of the command.
For example, the interface command can be run in the system view. If you are
performing operations in the VLAN view, you can run the interface command in
the VLAN view to enter the interface view.
<HUAWEI> system-view
[HUAWEI] vlan 2
[HUAWEI-vlan2] interface 10ge 1/0/1
[HUAWEI-10GE1/0/1]
Context
The system manages commands based on command privilege levels. Each
command to be run in a command view has its privilege level. The device
administrator can change the command privilege level as required, enabling
lower-level users to run some high-level commands. The device administrator can
also increase the command privilege level to improve device security.
● A device manages users by level, and maintains the relationship between user
privilege levels and command privilege levels in order to limit user access
permissions. After a user logs in to a device, the user can only use commands
at the user's privilege level and below. By default, the values of both
command privilege levels and user privilege levels range from 0 to 3. Table
3-1 describes the relationship between user privilege levels and command
privilege levels.
Table 3-1 Relationship between command privilege levels and user privilege
levels
User privilege level: 3
Command privilege levels available: visit level (0), monitoring level (1),
configuration level (2), and management level (3)
Description: Commands at the management level are used for basic system
operations, including the file system, FTP, TFTP download, command privilege
level configuration, and debugging.
NOTICE
To prevent security risks to devices, you are not advised to change the default
command privilege level.
Procedure
Step 1 Enter the system view.
system-view
----End
Function Overview
You can edit command lines in a CLI. Each command can contain a maximum of
3100 characters. The keywords in the commands are case insensitive, and whether
a command parameter is case sensitive depends on the parameter.
Table 3-2 lists keys that are frequently used for editing command lines.
Backspace: Deletes the character before the cursor and moves the cursor back one
character. When the cursor reaches the beginning of the command, an alarm is
generated.
Left cursor key ← or Ctrl+B: Moves the cursor back one character. When the cursor
reaches the beginning of the command, an alarm is generated.
Right cursor key → or Ctrl+F: Moves the cursor forward one character. When the
cursor reaches the end of the command, an alarm is generated.
You are not required to enter complete keywords on the device, as long as entered
characters can match a unique keyword. This function improves operating
efficiency.
If the current input keyword matches multiple commands, you need to type more
of the keyword until it can match a unique command. Then the command can be
successfully delivered.
Full Help
When entering a command, you can use the full help function to obtain all the
keywords and parameters of the command. Use any of the following methods to
obtain full help for commands.
● Enter a question mark (?) in any command view to obtain all the commands
and their simple descriptions in this command view. For example:
<HUAWEI> ?
Current view commands:
activate Activate locked user
cd Change current directory
Partial Help
If you enter one or more of the first few characters of a command keyword,
partial help provides all the keywords that begin with this character or character
string. Use any of the following methods to obtain partial help for commands.
● Enter a character string followed directly by a question mark (?) to display all
keywords that begin with this character string. For example:
<HUAWEI> d?
debugging delete
dir display
<HUAWEI> d
● Enter a command and a string followed directly by a question mark (?) to
display all the keywords that begin with this character string. For example:
<HUAWEI> display s?
sysname system
● Enter the first several letters of a keyword in a command and press Tab to
display a complete keyword. However, the first several letters must uniquely
identify the keyword. Otherwise, keep pressing Tab to display different
keywords and select the required one.
NOTE
The command output obtained through the online help function is used for reference only.
# Log out of the device and log in again. The message "Hello, Welcome to Huawei!"
is displayed before authentication. Then run the undo header login command.
Hello,Welcome to Huawei!
Password:
Info: The max number of VTY users is 21, and the number of current VTY users on
line is 2.
The current login time is 2019-11-06 16:31:24.
<HUAWEI> system-view
[HUAWEI] undo header login
# Log out of the device and log in again. No message is displayed before
authentication.
Password:
Info: The max number of VTY users is 21, and the number of current VTY users on
line is 2.
The current login time is 2019-11-06 16:45:06.
<HUAWEI>
NOTE
The command output provided here is used for reference only, and actual output
information may differ.
By default, the device saves the last 10 commands for each user. You can run the
history-command max-size size-value command in a user interface view to set
the number of historical commands that can be saved for the corresponding user.
The maximum number is 256.
NOTE
The time spent in finding the desired command among all the historical commands saved
on the device is related to the value specified in the history-command max-size size-value
command. To ensure an efficient search, set an appropriate value.
Display the next historical command: Down arrow key ↓ or Ctrl+N. The next
historical command is displayed. If the current command is the latest historical
command, no output is displayed and an alarm is generated when you attempt to
display the next historical command.
NOTE
The HyperTerminal bundled with Windows 9X assigns a different function to the Up
arrow key ↑. In that terminal, use the Ctrl+P shortcut key instead to access
historical commands.
● The device saves commands in the same way as how users enter them. For
example, if a user enters an incomplete command, the saved command will
also be incomplete.
● If a user runs the same command several times, only the most recently
entered command is saved. If a command is entered in different formats, the
command in each of these formats is considered different.
For example, if the display current-configuration command is run several
times, this command last executed is saved. If the display current-
configuration command and the dis curr command are run, both of them
are saved.
● Historical commands entered by the current user can be deleted using the
reset history-command command in the user view, and those entered by all
users can be deleted using the reset history-command all-users command in
the user view. Once deleted, historical commands can no longer be displayed
or accessed.
Command shortcut keys are classified into user-defined shortcut keys and system
default shortcut keys.
● There are four user-defined shortcut keys: Ctrl+G, Ctrl+L, Ctrl+O, and Ctrl+U.
A user-defined shortcut key can be associated with any command. After you
press a shortcut key, the system will automatically run the command
associated with the shortcut key.
● System default shortcut keys: shortcut keys defined in the system that have
fixed functions and cannot be defined by users. Table 3-5 lists the common
system shortcut keys.
NOTE
The terminal being used may affect the functions of the shortcut keys. For example, if the
shortcut keys defined by the terminal conflict with those defined in the device, the shortcut
keys entered by the user are identified by the terminal program and the commands
corresponding to the shortcut keys are not executed.
The system supports four user-defined shortcut keys and the default values
are as follows:
– Ctrl+G: display current-configuration
– Ctrl+L: display ip routing-table
– Ctrl+O: undo debugging all
– Ctrl+U: Null
NOTE
● When defining shortcut keys, use double quotation marks to surround a command that
contains several keywords separated by spaces, for example, hotkey ctrl_l "display tcp
status". Do not use double quotation marks to surround a command that contains only
one keyword.
● Run the display hotkey command to view the status of the defined, undefined, and
system-defined shortcut keys.
● Run the undo hotkey command to restore the default values of the configured shortcut
keys.
● Entering shortcut keys is equivalent to command execution. The device records the
commands corresponding to the entered shortcut keys in the command buffer and logs
for fault detection and query.
● The user-defined shortcut keys are available to all users. However, if a user does not
have the rights to use the command defined by a shortcut key, the system displays an
error message when the user uses this shortcut key.
Context
The command alias function allows you to define your preferred character strings
for commands to facilitate command usage.
To enable the command alias function for the current terminal, run the terminal
command alias command. To disable the command alias function for the current
terminal, run the undo terminal command alias command. Disabling the
command alias function does not delete the existing alias configuration.
Therefore, the existing alias configuration will continue to take effect after you
enable the command alias function again for the current terminal. To check
whether or not the command alias function is enabled, you can run the display
terminal command alias command.
Procedure
Step 1 Enter the system view.
system-view
----End
Context
Some commands can be run only in the user view. To run these commands, you
need to return to the user view first. To facilitate command execution, this
function allows you to run such commands in the system view without returning
to the user view.
Procedure
Step 1 Enter the system view.
system-view
----End
Context
Misoperations of some commands cause the configurations of related features to
be deleted, interrupting services and disconnecting the user network. To prevent
misoperations, you can run the configuration re-authentication enable
command to enable secondary authentication.
After the secondary authentication function is enabled, you need to enter the
login password for secondary authentication before running the following
commands: reboot, reset saved-configuration, undo capwap source interface,
undo multicast routing-enable, undo pim, undo igmp, undo stp enable
NOTE
● To prevent some services from being unavailable due to misoperations, you are advised
to enable secondary authentication.
● By default, secondary authentication is disabled for the execution of risky commands.
Procedure
Step 1 Enter the system view.
system-view
----End
For example, after the SFTP server configuration is complete, you can run the
display ssh server-info command to check the RSA and ECC public keys bound to
the SSH server that is connected to the device functioning as an SSH client or the
SSH server that was connected to the device. For details about the usage and
functions of the display command, see "Verifying the Configuration" in each
feature of the Configuration Guide.
You can also check the configurations running on the device and in the current
view.
● Check the configurations running on the device:
display current-configuration
This command does not display the default parameter settings.
● Check configurations in the current view:
display this
This command does not display the default parameter settings.
NOTE
● You can run the timestamp enable command to enable the timestamp function in the
system to ensure that the system adds the query time to the output of the display
command.
● If the value of a parameter in the command output is too long, it will be truncated to
fit.
● When a command output occupies more than one screen, you can use PgUp
and PgDn to display information on the previous screen and the next screen.
● When a command output occupies more than one screen, the system pauses
after each screen, facilitating your information check. You can use the
function keys listed in Table 3-6 to control the display mode of command
lines.
When the displayed information cannot be completely output on one screen, you
can use the pause function to view the information on that screen, before moving
onto the next screen. Table 3-7 describes the display functions.
Context
A regular expression is a pattern matching tool that consists of common
characters (such as the letters a to z) and special characters (also called
metacharacters). It functions as a template that is matched against the searched
character string.
A regular expression provides the following functions:
● Checks and obtains the sub-character string that matches a certain rule in the
character string.
● Replaces the character string based on the matching rule.
A regular expression consists of the following characters:
● Common characters
Common characters match themselves in a string. Common characters include
all uppercase and lowercase letters, digits, punctuations, and special
characters. For example, a matches the letter "a" in "abc", 10 matches the
digits "10" in "10.113.25.155", and @ matches the symbol "@" in
"xxx@xxx.com".
● Special characters
Special characters, together with common characters, match complicated or
special character strings. Table 3-8 describes special characters and their
functions.
[a-z]: Matches any single character within the specified range. It cannot match
multiple characters at once or match the same character multiple times.
Examples: [0-9] matches any digit from 0 to 9; [a-z] matches any letter from a
to z; [z-a] is an invalid pattern string.
NOTE
Unless otherwise specified, all the characters in the preceding table must be printable
characters.
Use of Characters
Certain special characters, when placed at certain positions in a regular expression,
degenerate to common characters.
● The special characters following escape character \ match themselves.
● Special characters * and + placed at the beginning of a regular expression. For
example, +45 matches "+45" and abc(*def) matches "abc*def".
● Special character ^ placed in a non-start position of a regular expression. For
example, abc^ matches "abc^".
● Special character $ placed in a non-end position of a regular expression. For
example, 12$2 matches "12$2".
● A right parenthesis ) or right bracket ] alone. For example, abc) matches
"abc)" and 0-9] matches "0-9]".
NOTE
Unless otherwise specified, degeneration rules also apply when the preceding regular
expressions are sub-regular expressions within parentheses.
● Combination of common and special characters
In actual usage, regular expressions combine multiple common and special
characters to match certain strings.
When a character string is used to filter command output, the output starts at the
line that contains the match; the whole matching line is displayed, not only the
matched characters.
The system allows you to use | count to display the number of lines, | section to
display the command output by section, | ignore-case to match a string of case-
insensitive characters, and | no-more to display filtered output information on
only one screen. | count, | section, | ignore-case, and | no-more can work
together with the following filter modes.
Three filter modes are provided for commands that support regular expressions.
● | begin regular-expression: displays all the lines beginning with the line that
matches the regular expression.
Output is suppressed until a line containing the specified case-sensitive
character string is found; that line and all output after it are displayed on
the screen.
● | exclude regular-expression: displays all the lines that do not match the
regular expression.
If the character strings to be output do not contain the specified case-
sensitive character string, they are displayed on the screen; otherwise, they
are filtered.
● | include regular-expression: displays all the lines that match the regular
expression.
If the character strings to be output contain the specified case-sensitive
character string, they are displayed on the screen; otherwise, they are filtered.
Example 2: Use the vlan regular expression to filter the display current-
configuration command output.
<HUAWEI> display current-configuration | include vlan
vlan batch 7 10 18 to 19 30 60 66 70 77 100 105
Example 3: Use the vlan regular expression together with | count to count the
lines of the display current-configuration command output that match.
<HUAWEI> display current-configuration | include vlan | count
Total lines: 14.
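An added example, not from the guide, implementing the three filter modes and the | ignore-case and | count modifiers in Python over a constructed excerpt of display current-configuration output. It assumes Python's re module is an adequate stand-in for the switch's regular-expression dialect; the degeneration rules described above are not reproduced:

```python
import re

# Added example (not Huawei's code): '| begin', '| include', '| exclude', plus
# '| ignore-case' and '| count', applied to captured display output.
# Assumption: Python's re module approximates the switch's regex dialect.

# Constructed excerpt of 'display current-configuration' output.
SAMPLE = """\
#
sysname Device
#
vlan batch 7 10 18 to 19 30
#
interface Vlanif10
 ip address 10.137.217.203 255.255.255.0
#
interface 10GE1/0/1
 port default vlan 10
#
stelnet server enable
#
return""".splitlines()


def filter_output(lines, mode, pattern, ignore_case=False):
    """Return the lines that survive '| <mode> pattern', as the switch would print them."""
    rx = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
    if mode == "begin":
        # Everything from the first matching line to the end, including that whole line.
        for i, line in enumerate(lines):
            if rx.search(line):
                return lines[i:]
        return []
    if mode == "include":
        return [l for l in lines if rx.search(l)]
    if mode == "exclude":
        return [l for l in lines if not rx.search(l)]
    raise ValueError(f"unknown filter mode {mode!r}")


def count_lines(lines, mode, pattern, ignore_case=False):
    """Equivalent of appending '| count' to a filtered display command."""
    return len(filter_output(lines, mode, pattern, ignore_case))


if __name__ == "__main__":
    for mode, pat, ic in (("include", "vlan", False), ("include", "vlan", True),
                          ("begin", "interface", False), ("exclude", "^#$", False)):
        flag = " | ignore-case" if ic else ""
        print(f"display current-configuration | {mode} {pat}{flag}  ->",
              count_lines(SAMPLE, mode, pat, ic), "lines")
        for l in filter_output(SAMPLE, mode, pat, ic):
            print("   ", l)
```

The begin mode shows the point made above: output resumes at the whole line containing the first match. Matching is case-sensitive unless ignore-case is given, so include vlan does not return the interface Vlanif10 line while include vlan with ignore-case does.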
NOTE
You can save the display command output to a specified file on devices in either
of the following ways:
● > filename
The output is saved to a specified file. If the target file already exists, the
original content of the file is overwritten.
● >> filename
The output is appended to a specified file, and the original content of the file
remains unchanged.
Console Port
Each device provides one console port that conforms to the EIA/TIA-232 standard.
The console port is a Data Connection Equipment (DCE) port. You can directly
connect the serial port of a user terminal to the console port of the device to log
in to the device and configure the device locally.
Telnet
Telnet is an application layer protocol in the TCP/IP protocol stack. It provides
remote login and virtual terminal services, and uses the client/server model. That
is, the Telnet client sends a request to the Telnet server, and the Telnet server
provides the Telnet service. The devices support the Telnet client and server
functions.
As shown in Figure 4-1, DeviceA functions as both a Telnet server and a Telnet
client. If there is no reachable route between the PC and DeviceB, you can
remotely log in to DeviceB through DeviceA. In this case, DeviceB functions as the
Telnet server for DeviceA.
STelnet
Telnet uses the TCP protocol to transmit data in plain text. It does not have a
secure authentication mode and is vulnerable to Denial of Service (DoS), IP
address spoofing, and route spoofing attacks.
STelnet is based on SSH2.0. The STelnet client and server establish a secure
connection through negotiation, and the client can then access the server.
Hardware Requirements
Series Models
Feature Requirements
S3710-H24P4S-A/S3710-H24T4S-A/S3710-H48LP4S-A/S3710-H48T4S-A
S5735I-L10T4X-A-V2/S5735I-L8P4X-A-V2
S5732-H24S4X6QZ-TV2/S5732-H24S4X6QZ-V2/S5732-H24UM4Y2CZ-TV2/S5732-H24UM4Y2CZ-V2/S5732-H44S4X6QZ-TV2/S5732-H44S4X6QZ-V2/S5732-H48UM4Y2CZ-TV2/S5732-H48UM4Y2CZ-V2
S5735I-S24T4XE-V2/S5735I-S24T4XE-T-V2/S5735I-S24U4XE-V2/S5735I-S24U4XE-T-V2/S5735I-S8T4SN-V2/S5735I-S8T4XN-T-V2/S5735I-S8T4XN-V2/S5735I-S8U4XN-V2
S6730-H24X6C-TV2/S6730-H24X6C-V2/S6730-H28X6CZ-TV2/S6730-H28X6CZ-V2/S6730-H48X6C-TV2/S6730-H48X6C-V2/S6730-H48X6CZ-TV2/S6730-H48X6CZ-V2/S6730-H48Y6C-TV2/S6730-H48Y6C-V2
● Relative numbering
The numbering format is User interface type + Number.
This method uniquely specifies a user interface or a group of user interfaces
of the same type. Relative numbering must comply with the following rules:
– Console user interface numbering: CON 0
– VTY user interface numbering: The first VTY user interface is VTY 0, the
second VTY user interface is VTY 1, and so on.
● Absolute numbering
This method uniquely specifies a user interface or a group of user interfaces.
You can run the display user-interface command without specifying
parameters to view user interfaces and their absolute numbers supported by
the current device.
Only one console user interface and 21 VTY user interfaces are supported. You
can run the user-interface maximum-vty command in the system view to set
the maximum number of available VTY user interfaces.
Table 4-4 lists the default relative and absolute numbers of the console and
VTY user interfaces.
VTY user interface: Manages and controls users who log in to the device using
Telnet or STelnet.
Absolute numbers: 34–54.
Relative numbers: The first VTY user interface is VTY 0, the second VTY user
interface is VTY 1, and so on. By default, VTY 0 to VTY 4 are available.
Absolute numbers 34 to 54 correspond to relative numbers VTY 0 to VTY 20,
respectively.
Prerequisites
To locally maintain a device through the console port, configure attributes for the
console user interface as needed.
Before configuring the console user interface, you have completed the following
task:
Procedure
Table 4-5 Configuring physical attributes for the console user interface
Operation: Set the flow control mode.
Command: flow-control { hardware | none | software }
Description: By default, the flow control mode is none.
Operation: Set the parity bit.
Command: parity { even | mark | none | odd | space }
Description: By default, the parity bit is none.
Operation: Set the stop bit.
Command: stopbits { 1.5 | 1 | 2 }
Description: By default, the stop bit is 1.
NOTE
The settings of the preceding physical attributes on the device must be the same as those
on the terminal. Otherwise, you cannot log in to the device.
Table 4-6 Configuring terminal attributes for the console user interface
Operation Command Description
Table 4-7 Configuring the user privilege level for the console user interface
Operation Command Description
Table 4-8 Configuring the AAA authentication mode for the console user interface
Operation Command Description
Table 4-9 Configuring the password authentication mode for the console user
interface
Operation Command Description
Procedure
Table 4-12 Configuring the user privilege level for a VTY user interface
Operation Command Description
Operation: Set the user privilege level.
Command: user privilege level level
Description: By default, the user privilege level of a VTY user interface is 0.
If the command privilege level configured for a user interface conflicts with the
user privilege level configured for a user, the configured user privilege level
takes precedence.
Table 4-13 Configuring the AAA authentication mode for a VTY user interface
Operation Command Description
Operation: Set the access type of the local user to Telnet or SSH.
Command: local-user user-name service-type { telnet | ssh }
Description: The Telnet protocol has security risks. You are advised to use the
secure SSHv2 protocol.
Procedure
● Run the display users [ all ] command to check information about users who
have logged in to a device through the user interfaces.
● Run the display user-interface console ui-number [ summary ] command to
check information of the console user interface.
● Run the display user-interface maximum-vty command to check the
maximum number of VTY user interfaces.
● Run the display user-interface vty ui-number1 [ summary ] command to
check information of the VTY user interface.
● Run the display ssh server ip-block all command to view all client IP
addresses that fail authentication.
● Run the display ssh server ip-block list command to view client IP addresses
that are locked out due to authentication failure.
● Run the display vty ip-block list command to check the list of IP addresses
that are blocked due to authentication failures.
● Run the display vty ip-block all command to check all IP addresses that fail
to be authenticated.
● Run the display vty mode command to check the VTY mode.
----End
Prerequisites
Before configuring device login through a console port, you have completed the
following tasks:
If the system does not provide terminal emulation software, obtain it from a third
party. For details about how to use the software, see the software user guide or online
help.
Default Settings
Stop bits 1
Data bits 8
Procedure
Step 1 Connect the DB9 connector of the prepared console cable to the PC's serial port
(COM), and the RJ45 connector to the device's console port. If there is no DB9
serial port on your terminal (PC), use a DB9-to-USB cable to connect the USB port
to the terminal.
Step 2 Start PuTTY on the PC (PuTTY is an example terminal emulator). Create a
connection, select the connection port, and set communication parameters.
1. Click Session to create a connection, as shown in Figure 4-2.
2. Click Serial and set the port to be connected and the communication
parameters, as shown in Figure 4-3.
a. Select the port according to your requirements. For example, in a
Windows operating system, you can open Device Manager to view port
information and select the port to be connected.
b. Ensure that the communication parameters you set in the terminal
emulation software are consistent with the default parameter settings of
the device's console port.
c. Click Open.
NOTE
A PC may have multiple ports that can be connected to the device. In this step, the
port to be connected to a console cable must be selected. In most cases, COM1 is
used.
If the device's communication parameters are modified, those on the PC must be
modified accordingly and the connection must be re-established.
Step 3 Press Enter until the system prompts you to enter the password. (During AAA
authentication, the system asks you to enter the user name and password. The
following information is for reference only.)
Login authentication
Password:
You can run commands to configure the device. Enter a question mark (?) if you
need help.
----End
Configuration Roadmap
The configuration roadmap is as follows:
1. Use the terminal emulation software to log in to the device through the
console port.
2. Configure the authentication mode for the console user interface.
NOTE
If the system does not provide terminal emulation software, obtain it from a third party. For
details about how to use the software, see the software user guide or online help.
Procedure
Step 1 Connect the DB9 connector of the prepared console cable to the PC's serial port
(COM), and the RJ45 connector to the device's console port. If there is no DB9
serial port on your terminal (PC), use a DB9-to-USB cable to connect the USB port
to the terminal.
Step 2 Start PuTTY on the PC (PuTTY is an example terminal emulator). Create a
connection, select the connection port, and set communication parameters.
2. Click Serial and set the port to be connected and the communication
parameters, as shown in Figure 4-6.
a. Select the port according to your requirements. For example, in a
Windows operating system, you can open Device Manager to view port
information and select the port to be connected.
b. Ensure that the communication parameters you set in the terminal
emulation software are consistent with the default parameter settings of
the device's console port.
c. Click Open.
NOTE
A PC may have multiple ports that can be connected to the device. In this step, the
port to be connected to a console cable must be selected. In most cases, COM1 is
used.
If the device's communication parameters are modified, those on the PC must be
modified accordingly and the connection must be re-established.
Step 3 Press Enter until the system prompts you to enter the password. (During AAA
authentication, the system asks you to enter the user name and password. The
following information is for reference only.)
Login authentication
Password:
You can run commands to configure the device. Enter a question mark (?) if you
need help.
Step 4 Configure the authentication mode for the console user interface.
<HUAWEI> system-view
[HUAWEI] user-interface console 0
[HUAWEI-ui-console0] authentication-mode aaa
[HUAWEI-ui-console0] user privilege level 3
[HUAWEI-ui-console0] quit
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin1234 password
Please configure the login password (8-128)
It is recommended that the password consist of at least 2 types of characters, including lowercase letters, uppercase letters, numerals and special characters.
Please enter password:
Please confirm password:
Info: Add a new user.
[HUAWEI-aaa] local-user admin1234 privilege level 3
[HUAWEI-aaa] local-user admin1234 service-type terminal
----End
Configuration Scripts
#
aaa
local-user admin1234 password irreversible-cipher $1d$g8wLJ`LjL!$CyE(V{3qg5DdU:PM[6=6O$UF-.fQ,Q}>^)OBzgoU$
local-user admin1234 service-type terminal
local-user admin1234 privilege level 3
#
user-interface con 0
authentication-mode aaa
#
return
Prerequisites
Before configuring Telnet login, you have completed the following tasks:
● Ensure that there are reachable routes between the terminal and the device.
● Run the install feature-software WEAKEA command to install the weak
security algorithm/protocol feature package (WEAKEA).
Context
Table 4-16 describes the tasks involved in the Telnet login configuration process.
Default Settings
Procedure
● Enable the Telnet server function and configure related parameters.
Before telneting to the device from a user terminal, ensure that the Telnet
server function is enabled on the device.
Table 4-18 Enabling the Telnet server function and configuring related
parameters
Operation Command Description
Operation: (Optional) Configure an ACL.
Command: telnet [ ipv6 ] server acl { acl-number | acl-name }
Description: An ACL is configured to determine which clients can access the
device using Telnet. By default, no ACL is configured.
Operation: Configure the source interface for the Telnet server.
Command:
● telnet server-source -i { interface-type interface-number | interface-name }
● telnet ipv6 server-source -a ipv6-address [ -vpn-instance vpn-instance-name ]
● telnet [ ipv6 ] server-source all-interface
Description: By default, no source interface is specified for a Telnet server.
NOTE
● If the specified source interface is a loopback interface, the loopback
interface must have been created. Otherwise, the configuration cannot be
executed.
● You can run one of the commands as required.
Configure a local user name and password for the administrator to ensure
that only the administrator can log in to the device.
Operation: Configure the service type for the local user.
Command: local-user user-name service-type telnet
Description: -
----End
Context
Table 4-21 describes the tasks involved in configuring a device to access another
device as a Telnet client.
Procedure
1. (Optional) Configure Telnet client parameters.
Networking Requirements
Users want to easily configure and manage the device shown in Figure 4-7. AAA
authentication needs to be configured for Telnet users on the server, and an ACL
policy needs to be configured to ensure that only the users matching the ACL can
log in to the device.
Configuration Roadmap
The configuration roadmap is as follows:
3. Configure the user name and password for the administrator, and configure
an AAA authentication policy to ensure that only users passing the
authentication can log in to the device.
Configuration Precautions
In insecure network environments, you are advised to use a secure password
authentication mode, encryption authentication algorithm, or protocol. For details
about secure configuration examples, see 4.6.3 Example for Configuring STelnet
Login.
Procedure
Step 1 Run the install feature-software WEAKEA command in the user view to install
the weak security algorithm/protocol feature package (WEAKEA).
Step 2 Configure an IP address for the management interface on the Telnet server.
<HUAWEI> system-view
[HUAWEI] sysname Telnet Server
[Telnet Server] interface meth 0/0/0
[Telnet Server-MEth0/0/0] ip address 10.137.217.177 255.255.255.0
[Telnet Server-MEth0/0/0] quit
Step 3 Set the server port number and enable the server function.
[Telnet Server] telnet server enable
[Telnet Server] telnet server port 1025
[Telnet Server] telnet server-source -i meth 0/0/0
----End
# Press Enter, and enter the user name and password configured for AAA
authentication in the login window. If the authentication is successful, the
command line prompt for the user view is displayed, indicating that you have
successfully logged in to the device.
Username:admin1234
Password:
Info: The max number of VTY users is 8, the number of current VTY users online is 1, and total number of terminal users online is 1.
<Telnet Server>
Configuration Scripts
#
sysname Telnet Server
#
telnet server-source -i MEth0/0/0
telnet server port 1025
#
acl number 2001
rule 5 permit source 10.137.217.10 0
rule 10 deny source 10.137.217.20 0
#
aaa
local-user admin1234 password irreversible-cipher $1d$g8wLJ`LjL!$CyE(V{3qg5DdU:PM[6=6O$UF-.fQ,Q}>^)OBzgoU$
local-user admin1234 service-type telnet
local-user admin1234 privilege level 3
#
interface MEth0/0/0
ip address 10.137.217.177 255.255.255.0
#
user-interface maximum-vty 8
#
user-interface vty 0 7
acl 2001 inbound
authentication-mode aaa
history-command max-size 20
idle-timeout 20 0
screen-length 30
#
return
Device2. However, there is no reachable route between the PC and Device2, and
therefore users cannot directly log in to Device2 using Telnet. To address this issue,
users can use Telnet to log in to Device1 and then use Telnet to log in to Device2
from Device1. An ACL rule also needs to be configured to only allow Device1 to
access Device2 using Telnet, preventing unauthorized devices from telneting to
Device2.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the authentication mode and password for Telnet access on
Device2.
2. Configure an ACL rule on Device2 to allow access from Device1.
3. Telnet to Device2 from Device1.
Configuration Precautions
In insecure network environments, you are advised to use a secure password
authentication mode, encryption authentication algorithm, or protocol. For details
about secure configuration examples, see 4.6.4 Example for Configuring a
Device to Access Another Device as an STelnet Client .
Procedure
Step 1 Run the install feature-software WEAKEA command in the user view to install
the weak security algorithm/protocol feature package (WEAKEA).
Step 2 Configure the authentication mode and password for Telnet access on Device2.
<HUAWEI> system-view
[HUAWEI] sysname Device2
[Device2] user-interface vty 0 4
[Device2-ui-vty0-4] authentication-mode aaa
[Device2-ui-vty0-4] quit
----End
Configuration Scripts
Device2
#
sysname Device2
#
acl number 2000
rule 5 permit source 10.1.1.1 0
#
aaa
local-user admin1234 password irreversible-cipher $1d$g8wLJ`LjL!$CyE(V{3qg5DdU:PM[6=6O$UF-.fQ,Q}>^)OBzgoU$
local-user admin1234 privilege level 3
local-user admin1234 service-type telnet
#
user-interface vty 0 4
acl 2000 inbound
authentication-mode aaa
#
return
Default Settings
Procedure
Step 1 Enable the STelnet server function and configure related parameters.
For details, see "Configuring the SSH Server Function and Related Parameters" in
CLI Configuration Guide > Security Configuration.
Step 2 Configure the VTY user interface for SSH users to log in to the device.
For details, see "Configuring a VTY User Interface to Support SSH" in CLI
Configuration Guide > Security Configuration.
Step 3 Configure SSH user information.
For details, see "Configuring an SSH User" in CLI Configuration Guide > Security
Configuration.
Step 4 Log in to the device using STelnet.
Use the SSH client software to log in to the device using STelnet from a terminal.
The third-party software OpenSSH and Windows CLI are used in the following
example.
● For details about how to install OpenSSH, see the OpenSSH installation guide.
● To use OpenSSH to connect to the device using STelnet, run the OpenSSH
commands. For details about OpenSSH commands, see the OpenSSH help.
● The Windows CLI can identify OpenSSH commands only when OpenSSH is
installed on the terminal.
Access the Windows CLI and run the OpenSSH commands to connect to the
device. (The following information is for reference only.)
C:\Users\User1>ssh admin@10.136.195.11
admin@10.136.195.11's password:
Info: The max number of VTY users is 21, the number of current VTY users online is 5, and total number of terminal users online is 5.
The current login time is 2020-12-15 14:23:00.
<HUAWEI>
----End
Prerequisites
Before configuring a device to access another device as an STelnet client, you have
completed the following tasks:
Procedure
Step 1 Configure the mode for connecting the device (SSH client) to the SSH server
for the first time.
For details, see "Configuring the Mode for Connecting a Device to the SSH Server
for the First Time" in CLI Configuration Guide > Security Configuration.
For details, see "Setting SSH Client Parameters" in CLI Configuration Guide >
Security Configuration.
Table 4-25 Logging in to another device using STelnet (normal Layer 3 network
connection)
Operation Command Description
Operation: Log in to the SSH server through an IPv4 address using STelnet.
Command: stelnet [ -a source-ip-address | -i interface-type interface-number ] [ -force-receive-pubkey ] host-ip-address [ server-port ] [ [ prefer_kex prefer_kex ] | [ prefer_ctos_cipher prefer_ctos_cipher ] | [ prefer_stoc_cipher prefer_stoc_cipher ] | [ prefer_ctos_hmac prefer_ctos_hmac ] | [ prefer_stoc_hmac prefer_stoc_hmac ] | [ prefer_ctos_compress zlib ] | [ prefer_stoc_compress zlib ] | [ -vpn-instance vpn-instance-name ] | [ -ki interval ] | [ -kc count ] | [ identity-key identity-key-type ] | [ user-identity-key user-key ] ] *
Description: Run either command depending on the network address type.
The STelnet client can connect to the server successfully with no port number
specified only when the server is listening on port 22. If the server is listening
on another port, the port number must be specified upon login.
When connecting to the SSH server, the STelnet client can carry the source IP
address, VPN instance name, a key exchange algorithm, an encryption algorithm, a
compression algorithm, and an HMAC algorithm, and be configured with the
keepalive function.
If the source interface is specified using -i interface-type interface-number, the
public-net and -vpn-instance vpn-instance-name
----End
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IP address for the management interface on the SSH server.
2. Generate a local key pair on the SSH server.
3. Configure a VTY user interface on the SSH server.
4. Create a local user and configure the service type for the user.
5. Create an SSH user and configure the authentication mode for the user.
6. On the SSH client, create a key pair based on the configured SSH user
authentication mode and copy the public key to the SSH server.
7. On the SSH server, edit the public key and assign it to the user.
8. Enable STelnet on the SSH server and set the service type of the SSH user to
STelnet.
9. On the SSH server, configure an ACL to allow access of the STelnet client.
10. Set parameters for STelnet login to the server.
Data Preparation
To complete the configuration, ensure that the following configurations have been
completed:
NOTE
To ensure high security, you are advised to use the RSA key pair whose length is 3072 bits
or longer.
● OpenSSH has been installed on the SSH client.
● The IP address 10.248.103.194/24 has been assigned to the management
interface of the SSH server.
● The local user's authentication mode is set to password authentication, and
the user name and password are admin123 and YsHsjx_202206, respectively.
● The SSH user's authentication mode is RSA.
● ACL 2000 is configured to allow the clients on the network segment
10.248.103.0/24 to access the SSH server.
Procedure
Step 1 Configure an IP address for the management interface on the SSH server.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] interface meth 0/0/0
[SSH Server-MEth0/0/0] ip address 10.248.103.194 255.255.255.0
[SSH Server-MEth0/0/0] quit
NOTE
If SSH is configured as the login protocol, the device automatically disables the Telnet
function.
Step 4 On the server, create a local user and configure the service type for the user.
[SSH Server] aaa
[SSH Server-aaa] local-user admin123 password
Please configure the login password (8-128)
It is recommended that the password consist of at least 2 types of characters, including lowercase letters, uppercase letters, numerals and special characters.
Please enter password:
Please confirm password:
Info: Add a new user.
[SSH Server-aaa] local-user admin123 service-type ssh
[SSH Server-aaa] local-user admin123 privilege level 3
[SSH Server-aaa] quit
Step 5 Create an SSH user on the server and configure the authentication mode for the
user.
[SSH Server] ssh user admin123
[SSH Server] ssh user admin123 authentication-type rsa
Step 6 Configure the public key algorithm, encryption algorithm, key exchange algorithm
list, HMAC authentication algorithm, and minimum key length on the SSH server.
[SSH Server] ssh server cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
[SSH Server] ssh server hmac sha2_256 sha2_512
[SSH Server] ssh server key-exchange dh_group_exchange_sha256 dh_group16_sha512
[SSH Server] ssh server publickey rsa_sha2_256 rsa_sha2_512
[SSH Server] ssh server dh-exchange min-len 3072
Step 7 Use OpenSSH to create an RSA key pair on the SSH client and copy the public key
to the SSH server.
Access the Windows CLI, create an RSA key pair, and save it to the local
id_rsa.pub file. (The following information is for reference only.)
C:\Users\User1>ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (C:\Users\User1/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in C:\Users\User1/.ssh/id_rsa.
Your public key has been saved in C:\Users\User1/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:c43yubJjCUjY3JqH0aVZwJFM3gWJcH4YI5+4HUDAIqo
The key's randomart image is:
+---[RSA 3072]----+
| ..o==B=.o. |
|o . O=*+. |
|o. +.oB=o |
|. . =o=o o |
|. ..*. S o . |
|E = o = . |
| . . .o |
| = . |
| ..+. |
+----[SHA256]-----+
Step 8 On the SSH server, edit the public key generated using OpenSSH on the SSH client
and assign it to the user.
Step 9 Enable the STelnet function and set the user service type to STelnet.
[SSH Server] stelnet server enable
[SSH Server] ssh server-source all-interface
[SSH Server] ssh user admin123 service-type stelnet
----End
Configuration Scripts
#
sysname SSH Server
#
acl number 2000
rule 5 permit source 10.248.103.0 0.0.0.255
#
rsa peer-public-key rsa01 encoding-type openssh
public-key-code begin
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCg5Ag490i6ilB7QuCVb35B8RJEh1DIYB88h2p1qjdh7qdMQv8rpJaVAgQWxwzKZO0XdFuz4ReGQzTCSf7Det7Ajicddw3qi+6P8hRqZj6MPdLg/o3RN4aPCfr/LFWCwqJ3gWGHlOC7qqjRk+6pySVoiWcSk5/elBkU7WVk/cSWrt4qFXJV373OCesKcEVeDvAa1Tvx6L3LQroBqUO0EXzDgOthPCmOqiqvS5h3JipzqVsesdSKjeInooCQzSOv5eePpBcFcIvU6wFiLIZ5vnf6YtypgTVzHuje/sh4xM7Iuuon7AYXKHT8NpO9jd9zA/lKaRPXyDtei1O1Bt/5lxnn rsa-key
public-key-code end
peer-public-key end
#
aaa
local-user admin123 password irreversible-cipher $1d$+,JS+))\\2$KVNj(.3`_5x0FCKGv}H&.kUTI`Ff&H*eBqO.ua>)$
local-user admin123 service-type terminal ssh
local-user admin123 privilege level 3
#
interface MEth0/0/0
ip address 10.248.103.194 255.255.255.0
#
stelnet server enable
ssh user admin123
ssh user admin123 authentication-type rsa
ssh user admin123 assign rsa-key rsa01
ssh user admin123 service-type stelnet
ssh server-source all-interface
ssh server acl 2000
#
ssh server cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
ssh server hmac sha2_256 sha2_512
ssh server key-exchange dh_group_exchange_sha256 dh_group16_sha512
ssh server publickey rsa_sha2_256 rsa_sha2_512
ssh server dh-exchange min-len 3072
#
user-interface vty 0 4
authentication-mode aaa
idle-timeout 120 0
protocol inbound ssh
#
return
Networking Requirements
The customer requires secure data exchange between the server and client. As
shown in Figure 4-10, two login users Client001 and Client002 are configured
and they use the password and RSA authentication modes respectively to log in to
the SSH server. A new port number is configured, and the default port number is
not used.
Figure 4-10 Network diagram for login to another device using STelnet
Configuration Roadmap
The configuration roadmap is as follows:
1. Generate a local key pair on the SSH server to secure data exchange between
the server and client.
2. Configure different authentication modes for the SSH users client001 and
client002 on the SSH server.
Procedure
Step 1 Generate a local key pair on the server.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be:Host
The range of public key size is (2048, 4096).
NOTE: Key pair generation will take a short while.
Please input the modulus [default = 3072]:
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] rsa local-key-pair create
The key name will be: client002_Host
The range of public key size is (2048, 4096).
NOTE: Key pair generation will take a short while.
Please input the modulus [default = 3072]:
# Configure the encryption algorithm, HMAC authentication algorithm, key
exchange algorithm list, and public key algorithm on Client002.
[client002] ssh client cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
[client002] ssh client hmac sha2_256 sha2_512
[client002] ssh client key-exchange dh_group_exchange_sha256 dh_group16_sha512
[client002] ssh client publickey rsa_sha2_256 rsa_sha2_512
# Check the public key in the RSA key pair generated on the client.
[client002] display rsa local-key-pair public
======================Host key==========================
Time of key pair created : 2019-11-03 08:56:38
Key name : client002_Host
Key type : RSA encryption key
========================================================
Key code:
3082010A
02820101
00A4BAB8 B964077E F7657F7F E4BE1DE8 71EE1707
E4EE2864 2D06FBE0 BFC1CB52 F99B7A99 0132B709
3F841CA2 3544B8B2 6EE0A9ED 04B19FE3 FB3DA86D
BE68FFE2 2303108D BDC24B80 A1793A08 FDA0B6C1
13C31EA5 298EC9B1 2B0BC8BD 32CFF896 29F8CA98
8B1724AF 5DA8A390 20906ADE 6A8AD77D 6234F0C8
DC965BA0 1771D9C0 A89ED49B 5ECF7EE2 D5997527
FC87FE03 E51658C1 0996DFDF DC456376 2FA4B268
4345131D 431419D2 DD5E4003 6A7D3295 145F3175
22E80686 E6B39A05 799D6BCF A78F69B6 BC2D0836
F5013421 77D68B89 A9EC182A 04B87BE3 500FCE14
9C95CF78 75704359 0C70FD60 1EFC0B99 32F02142
4CE781E4 36A60BFC 2CBD07F6 9E700CEE 4D0203
010001
======================Server key========================
3081B9
0281B1
00B9AE42 B8419F19 35C49A7B A55DBB6F 67D931F3
9C19ECF9 9E17961B D01ED5DD 3AE68CFA 38C57113
C93663F2 86768B19 AD0F603E 98F2C6AB A71A6C26
8813411D 4AA56BC4 6505EC15 94647621 AB7D03BB
79DA9B24 09BB1FD2 3927E2F9 00F79116 466411CD
AC3D8FF6 A051FA5A 9BCE84CE 20842134 D2D27B4A
219CB801 9F5A90E0 518DEEFC F48F5ED4 49215B1F
11E1AC81 5E168A97 3AA5320D 7B158556 AF5CC95C
9B508BBC 6EEFEEF9 0E23AA13 59E1F746 D5
0203
010001
# Copy the RSA public key generated on the client (the Key code printed under
Host key in the preceding display command output) to the server.
[SSH Server] rsa peer-public-key rsakey001
[SSH Server-rsa-public-key] public-key-code begin
[SSH Server-rsa-public-key-rsa-key-code] 3082010A
[SSH Server-rsa-public-key-rsa-key-code] 02820101
[SSH Server-rsa-public-key-rsa-key-code] 00A4BAB8 B964077E F7657F7F E4BE1DE8 71EE1707
[SSH Server-rsa-public-key-rsa-key-code] E4EE2864 2D06FBE0 BFC1CB52 F99B7A99 0132B709
[SSH Server-rsa-public-key-rsa-key-code] 3F841CA2 3544B8B2 6EE0A9ED 04B19FE3 FB3DA86D
[SSH Server-rsa-public-key-rsa-key-code] BE68FFE2 2303108D BDC24B80 A1793A08 FDA0B6C1
[SSH Server-rsa-public-key-rsa-key-code] 13C31EA5 298EC9B1 2B0BC8BD 32CFF896 29F8CA98
[SSH Server-rsa-public-key-rsa-key-code] 8B1724AF 5DA8A390 20906ADE 6A8AD77D 6234F0C8
[SSH Server-rsa-public-key-rsa-key-code] DC965BA0 1771D9C0 A89ED49B 5ECF7EE2 D5997527
[SSH Server-rsa-public-key-rsa-key-code] FC87FE03 E51658C1 0996DFDF DC456376 2FA4B268
[SSH Server-rsa-public-key-rsa-key-code] 4345131D 431419D2 DD5E4003 6A7D3295 145F3175
[SSH Server-rsa-public-key-rsa-key-code] 22E80686 E6B39A05 799D6BCF A78F69B6 BC2D0836
[SSH Server-rsa-public-key-rsa-key-code] F5013421 77D68B89 A9EC182A 04B87BE3 500FCE14
[SSH Server-rsa-public-key-rsa-key-code] 9C95CF78 75704359 0C70FD60 1EFC0B99 32F02142
[SSH Server-rsa-public-key-rsa-key-code] 4CE781E4 36A60BFC 2CBD07F6 9E700CEE 4D
[SSH Server-rsa-public-key-rsa-key-code] 0203
[SSH Server-rsa-public-key-rsa-key-code] 010001
[SSH Server-rsa-public-key-rsa-key-code] public-key-code end
[SSH Server-rsa-public-key] peer-public-key end
# On the server, bind the RSA public key of the STelnet client to the SSH user
client002.
[SSH Server] ssh user client002 assign rsa-key rsakey001
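As an added example, not part of the Huawei guide, the following Python script parses the Key code that display rsa local-key-pair public prints for the Host key above (a PKCS#1 RSAPublicKey structure in DER, written as hex), reports the modulus length and public exponent so the key can be compared with the 3072-bit recommendation given in the Data Preparation note before it is bound with ssh user ... assign rsa-key, and re-encodes it as an OpenSSH public key line for comparison with what the client's operator expects. The hex is copied from the display output above; the function names and the 3072-bit default are this example's own choices. A key code with a dropped leading zero (2820101 instead of 02820101, for instance) has an odd number of hex digits and is rejected before any DER parsing starts.

```python
import base64
import struct

# Key code of client002_Host as printed by "display rsa local-key-pair public"
# in the example above (PKCS#1 RSAPublicKey in DER, hex encoded).
CLIENT002_HOST_KEY_HEX = """
3082010A
02820101
00A4BAB8 B964077E F7657F7F E4BE1DE8 71EE1707
E4EE2864 2D06FBE0 BFC1CB52 F99B7A99 0132B709
3F841CA2 3544B8B2 6EE0A9ED 04B19FE3 FB3DA86D
BE68FFE2 2303108D BDC24B80 A1793A08 FDA0B6C1
13C31EA5 298EC9B1 2B0BC8BD 32CFF896 29F8CA98
8B1724AF 5DA8A390 20906ADE 6A8AD77D 6234F0C8
DC965BA0 1771D9C0 A89ED49B 5ECF7EE2 D5997527
FC87FE03 E51658C1 0996DFDF DC456376 2FA4B268
4345131D 431419D2 DD5E4003 6A7D3295 145F3175
22E80686 E6B39A05 799D6BCF A78F69B6 BC2D0836
F5013421 77D68B89 A9EC182A 04B87BE3 500FCE14
9C95CF78 75704359 0C70FD60 1EFC0B99 32F02142
4CE781E4 36A60BFC 2CBD07F6 9E700CEE 4D0203
010001
"""


def _read_tlv(buf, pos, expected_tag):
    """Read one DER tag-length-value element at buf[pos]; return (value, next_pos).
    Handles the definite-length forms RSAPublicKey uses (short and 0x8N long form)."""
    if pos >= len(buf) or buf[pos] != expected_tag:
        raise ValueError(f"expected DER tag 0x{expected_tag:02X} at offset {pos}")
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return value, pos + length


def parse_rsa_public_key_code(hex_text):
    """Decode the switch's hex key code, SEQUENCE { INTEGER n, INTEGER e }, into (n, e).
    Whitespace is ignored; an odd digit count (lost leading zero) raises ValueError."""
    der = bytes.fromhex("".join(hex_text.split()))
    seq, end = _read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after RSAPublicKey SEQUENCE")
    n_bytes, pos = _read_tlv(seq, 0, 0x02)
    e_bytes, pos = _read_tlv(seq, pos, 0x02)
    if pos != len(seq):
        raise ValueError("unexpected extra elements inside RSAPublicKey")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def _ssh_string(raw):
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(raw)) + raw


def _ssh_mpint(value):
    """SSH wire 'mpint': big-endian two's complement, so a 0x00 byte is
    prepended when the top bit is set (always the case for an RSA modulus)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def to_openssh_public_line(n, e, comment="client002_Host"):
    """Re-encode (n, e) as an 'ssh-rsa <base64> <comment>' public key line."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode('ascii')} {comment}"


def check_key_code(hex_text, min_bits=3072):
    """Parse a key code and report what to verify before binding it to an SSH user.
    min_bits defaults to the 3072-bit recommendation (this example's assumption)."""
    n, e = parse_rsa_public_key_code(hex_text)
    bits = n.bit_length()
    return {"modulus_bits": bits, "exponent": e,
            "meets_minimum": bits >= min_bits,
            "openssh": to_openssh_public_line(n, e)}


if __name__ == "__main__":
    report = check_key_code(CLIENT002_HOST_KEY_HEX)
    print(f"RSA modulus: {report['modulus_bits']} bits, e = {report['exponent']}")
    print("meets minimum length:", report["meets_minimum"])
    print(report["openssh"])
```

Run against the key code above, the parser reports a 2048-bit modulus with exponent 65537, so the key would be flagged as below the 3072-bit recommendation; the OpenSSH line it produces can be diffed against the client's own public key file to confirm the copied hex was transcribed correctly.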
Step 3 Enable the STelnet service on the SSH server and specify the source interface for
the SSH server.
Step 4 Configure the STelnet service type for the SSH users client001 and client002.
[SSH Server] ssh user client001 service-type stelnet
[SSH Server] ssh user client002 service-type stelnet
Enter the password. The following information indicates that the login is
successful:
Warning: The initial password poses security risks.
The password needs to be changed. Change now? [Y/N]:n
Info: The max number of VTY users is 21, the number of current VTY users online is 4, and total number of terminal users online is 4.
The current login time is 2013-12-31 11:22:06.
The last login time is 2013-12-31 10:24:13 from 10.1.2.2 through SSH.
<SSH Server>
Info: The max number of VTY users is 21, the number of current VTY users online is 4, and total number of terminal users online is 4.
The current login time is 2013-12-31 11:36:06.
<SSH Server>
If the user view is displayed, the login is successful. If the message Session is
disconnected is displayed, the login fails.
----End
The display ssh server status command output indicates that the STelnet server
function has been enabled. The display ssh user-information command output
contains information about SSH users on the server.
# Check the status of the SSH server.
[SSH Server] display ssh server status
SSH Version : 2.0
SSH authentication timeout (Seconds) : 60
SSH authentication retries (Times) : 3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility : Disable
SSH server keepalive : Enable
SFTP server : Enable
STelnet server : Enable
SNETCONF server : Disable
SNETCONF server port(830) : Enable
SCP server : Disable
SSH server port : 1025
ACL name : --
ACL number : --
ACL6 name : --
ACL6 number : --
SSH server source address : 0.0.0.0
Configuration Scripts
● SSH Server
#
sysname SSH Server
#
#
return
those on the device. You can run the configuration exclusive by-user-name
command to lock the system configuration for a specified controller user,
preventing configuration inconsistency between the device and controller.
When multiple users manage a device, you can lock the device for a specified
user name, so that only users who log in to the device using this user name
can modify device configurations.
a. Enter the system view.
system-view
● The system configuration can be locked for one user name at a time.
● Only users of the management privilege level can lock and unlock the system
configuration.
● After the system configuration is locked for a specified user name, only users
with this user name can perform configuration operations. The configuration
operations performed by other users cannot take effect. To make other users'
configurations take effect, run the undo configuration exclusive by-user-
name user-name command to unlock the configuration.
● When running the undo configuration exclusive by-user-name user-name
command, ensure that user-name is set to the user name for which the
configuration is locked.
● Run the display configuration exclusive by-user-name command to view
lock information about system configuration that is locked or unlocked based
on the user name.
After running the lock command, you are prompted to enter and then
confirm the lock password. If the two passwords are the same, the user
interface is locked.
To unlock the user interface, press Enter, and then enter the login password
as prompted.
NOTE
After the weak password dictionary maintenance function is enabled, the passwords
(which can be queried using the display security weak-password-dictionary
command) defined in the weak password dictionary cannot be specified in this
command.
Procedure
Step 1 Check whether the number of users who have logged in to the Telnet server
reaches the upper limit.
Log in to the device through the console port. Then, run the display users
command to check whether the current VTY user interfaces are all occupied. You
can run the display user-interface maximum-vty command to check the
maximum number of VTY user interfaces.
If the number of current VTY user interfaces reaches the upper limit, run the user-
interface maximum-vty 21 command to increase the maximum number of VTY
user interfaces to 21.
Step 2 Check whether an ACL has been configured on the VTY user interface of the
device.
Run the user-interface vty command on the Telnet server to enter the user
interface view. Run the display this command to check whether an ACL has been
configured on the VTY user interface. If so, record the ACL number.
Run the display acl acl-number command on the Telnet server to check whether
the Telnet client IP address is denied in the ACL. If so, run the undo rule rule-id
command in the ACL view to delete the deny rule, and then run the rule permit
source source-ip-address source-wildcard command in the ACL view to permit the
client IP address.
Step 3 Check the protocol configuration in the VTY user interface view.
Run the user-interface vty command on the Telnet server to enter the user
interface view. Run the display this command to check whether protocol
inbound of the VTY user interface is telnet or all. (By default, the user interface
supports all protocol types, including SSH and Telnet.) If not, run the protocol
inbound { telnet | all } command to allow Telnet users to access the device.
Step 4 Check whether the login authentication mode is configured in the VTY user
interface view.
----End
Fault Description
A user fails to log in to the SSH server using STelnet.
Procedure
Step 1 Check whether the SSH service is enabled on the SSH server.
Log in to the SSH server through the console port or Telnet. Run the display ssh
server status command to check the configuration on the SSH server.
If STelnet is disabled, run the stelnet server enable command to enable the
STelnet server function on the SSH server.
Step 2 Check whether the access protocol is correctly configured in the VTY user interface
view on the SSH server.
Run the user-interface vty command on the SSH server to enter the user
interface view. Run the display this command to check whether protocol
inbound of the VTY user interface is ssh or all. (By default, the user interface
supports all protocol types, including SSH and Telnet.) If not, run the protocol
inbound { ssh | all } command to allow STelnet users to access the device. Where
Telnet is not required, prefer protocol inbound ssh so that the VTY user
interfaces accept only SSH.
Step 3 Check whether the SSH user is configured on the SSH server.
Run the display ssh user-information command to check the SSH user
configuration. If no user is configured, run the ssh user, ssh user authentication-
type, and ssh user service-type commands in the system view to create an SSH
user and configure its authentication mode and service type.
Step 4 Check whether the number of users who have logged in to the SSH server reaches
the upper limit.
Log in to the device through the console port. Then, run the display users
command to check whether the current VTY user interfaces are all occupied. You
can run the display user-interface maximum-vty command to check the
maximum number of VTY user interfaces.
If the number of current VTY user interfaces reaches the upper limit, run the user-
interface maximum-vty 21 command to increase the maximum number of VTY
user interfaces to 21.
Step 5 Check whether an ACL is bound to the VTY user interface of the SSH server.
Run the user-interface vty command on the SSH server to enter the SSH user
interface view. Run the display this command to check whether an ACL has been
configured on the VTY user interface. If so, record the ACL number.
Run the display acl acl-number command on the SSH server to check whether the
IP address of the STelnet client is denied in the ACL. If so, run the undo rule rule-
id command in the ACL view to delete the deny rule, and then run the rule
permit source source-ip-address source-wildcard command in the ACL view to
permit the client IP address.
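The ACL check in Step 2 of the Telnet procedure and Step 5 above is done by reading the display acl output by hand. The following added example (not from the guide or from Huawei code) evaluates a constructed basic ACL against a client address the way the device does, using Huawei wildcard masks (bit 1 = don't care, bit 0 = must match), and prints the ACL-view commands the step prescribes when the client is denied. It assumes rules are matched in ascending rule-ID order (match-order config) and that a client matching no rule is permitted; change default_permit if your platform behaves differently. The ACL, rule numbers and addresses are constructed sample data.

```python
"""Check a Huawei-style basic ACL against a login client's IP (Steps 2 and 5).

Added example, not from the guide. Assumptions: rules are matched in ascending
rule-ID order (match-order config), and a client matching no rule is permitted.
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional

# Constructed sample: the ACL bound to the VTY user interface on the server.
# Rule 10 is what blocks the STelnet client at 10.1.2.2.
SAMPLE_ACL = """\
acl number 2001
 rule 5 permit source 10.1.1.0 0.0.0.255
 rule 10 deny source 10.1.2.0 0.0.0.255
 rule 15 permit source any
"""

RULE_RE = re.compile(
    r"^\s*rule\s+(?P<id>\d+)\s+(?P<action>permit|deny)"
    r"(?:\s+source\s+(?P<src>\S+)(?:\s+(?P<wc>\S+))?)?\s*$"
)


class Rule(NamedTuple):
    rule_id: int
    action: str
    src: Optional[int]  # None means any source
    wc: Optional[int]   # wildcard mask: bit 1 = don't care, bit 0 = must match


def parse_acl(text: str) -> List[Rule]:
    """Parse 'rule N permit|deny [source A.B.C.D WILDCARD | source any]' lines."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # 'acl number ...' header, blank lines, unrelated output
        rule_id, action = int(m.group("id")), m.group("action")
        src, wc = m.group("src"), m.group("wc")
        if src is None or src == "any":
            rules.append(Rule(rule_id, action, None, None))
        elif wc is None:
            raise ValueError(f"rule {rule_id}: source address needs a wildcard mask")
        else:
            wc_int = 0 if wc == "0" else int(ipaddress.IPv4Address(wc))  # '0' = single host
            rules.append(Rule(rule_id, action, int(ipaddress.IPv4Address(src)), wc_int))
    return sorted(rules, key=lambda r: r.rule_id)  # assumed match order: ascending ID


def first_match(rules: List[Rule], client_ip: str) -> Optional[Rule]:
    """Return the first rule the client address hits, or None."""
    ip = int(ipaddress.IPv4Address(client_ip))
    for r in rules:
        if r.src is None:
            return r
        must_match = ~r.wc & 0xFFFFFFFF  # bits the wildcard says must be equal
        if ip & must_match == r.src & must_match:
            return r
    return None


def client_permitted(acl_text: str, client_ip: str, default_permit: bool = True) -> bool:
    """True if the ACL lets the client reach the VTY user interface."""
    hit = first_match(parse_acl(acl_text), client_ip)
    return default_permit if hit is None else hit.action == "permit"


def remediation(acl_text: str, client_ip: str) -> List[str]:
    """ACL-view commands the step prescribes when the client is denied:
    remove the matching deny rule, then permit the single host (wildcard 0)."""
    hit = first_match(parse_acl(acl_text), client_ip)
    if hit is None or hit.action == "permit":
        return []
    return [f"undo rule {hit.rule_id}", f"rule permit source {client_ip} 0"]


if __name__ == "__main__":
    for ip in ("10.1.1.7", "10.1.2.2", "192.0.2.9"):
        state = "permitted" if client_permitted(SAMPLE_ACL, ip) else "denied"
        print(ip, state, remediation(SAMPLE_ACL, ip))
```

Deleting the deny rule, as the step says, opens the whole 10.1.2.0/24 range, not just the one client. If the deny rule is there on purpose, the narrower fix is to keep it and add a permit for the single host with a lower rule ID, so that it is matched first under the ascending-ID order assumed here.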
Step 6 Check the SSH versions of the SSH client and server.
Run the display ssh server status command on the SSH server to check the SSH
version information.
Step 7 Check whether first-time authentication is enabled on the SSH client.
Run the display this command in the system view of the SSH client to check
whether first-time authentication (ssh client first-time enable) is configured.
If it is not, and the client does not already hold the SSH server's public key, the
initial STelnet login fails because the client cannot validate the server's RSA
public key. Run the ssh client first-time enable command to let the client accept
the server's public key on first login. Note that this trusts whichever key the
peer presents during that first connection, so use it only over a path you trust,
or preload the server's public key on the client instead.
----End
Purpose
The built-in web server function of a device provides a GUI, through which users
can log in to the device from a terminal using HTTPS for management and
maintenance.
Hardware Requirements
Series Models Feature Requirements
S3710-H series: S3710-H24P4S-A/S3710-H24T4S-A/S3710-H48LP4S-A/S3710-H48T4S-A
S5735I-L-V2 series: S5735I-L10T4X-A-V2/S5735I-L8P4X-A-V2
S5732-H-V2 series: S5732-H24S4X6QZ-TV2/S5732-H24S4X6QZ-V2/S5732-H48UM4Y2CZ-TV2/S5732-H48UM4Y2CZ-V2
S5735I-S-V2 series: S5735I-S24T4XE-T-V2/S5735I-S24T4XE-V2/S5735I-S24U4XE-T-V2/S5735I-S24U4XE-V2/S5735I-S8T4SN-V2/S5735I-S8T4XN-T-V2/S5735I-S8T4XN-V2/S5735I-S8U4XN-V2
S6730-H-V2 series: S6730-H24X6C-TV2/S6730-H24X6C-V2/S6730-H28X6CZ-TV2/S6730-H28X6CZ-V2/S6730-H48X6C-TV2/S6730-H48X6C-V2
Context
Using local authentication as an example, this section describes how to configure
web UI-based login through HTTPS. For details about how to configure this
function when server authentication is used, see "AAA Configuration" in CLI
Configuration Guide > User Access and Authentication Configuration.
Procedure
Step 1 Create a local account. (This step is required upon first login, as there is no default
account.)
1. Enter the system view.
system-view
Users with a privilege level of 3 can access all the pages by default. If you
need to set up different users to access different levels of pages, please see
"Creating an Administrator Role" in Web Configuration Guide > System >
Administrator.
6. Return to the system view.
quit
By default, this function is enabled. With it enabled, a user who opens the
device's management interface at http://ip-address over plain HTTP is redirected
to the web UI over HTTPS, the TLS-protected version of HTTP. If this function is
disabled, HTTP requests are not redirected and the web UI cannot be reached over
HTTP at all; use https:// directly.
Step 4 Configure the certificate sent by the device functioning as a server to the terminal
functioning as a client.
web-manager security server-certificate server-certificate-file
If no certificate is specified, the server sends its default certificate to the
client when the client logs in through HTTPS. The default certificate is not
issued by a CA that the client's browser trusts, so the browser cannot verify the
device's identity and warns about the connection. If a certificate is specified,
the server sends that certificate instead. Obtain the CA certificate from the
device's web UI or the CA server and import it into the client's browser; the
client then uses the imported CA certificate to verify the identity of the device.
The specified certificate needs to be applied for from the CA server. After the CA
server generates the requested certificate, download the certificate to the device's
storage path and then import it to the memory for the certificate to take effect.
For details, see "PKI Configuration" in CLI Configuration Guide > Security
Configuration.
NOTE
Step 5 Configure two-way authentication. Before enabling this function, import the client
certificate to the browser and import the matching CA certificate to the server.
When logging in to the server using HTTPS, the client sends its certificate to the
server, which then uses the CA certificate to verify the client certificate.
1. Enable two-way authentication between the server and client.
web-manager security verify-ssl-peer
2. Specify the CA certificate used by the server to verify the client certificate.
web-manager security ca-certificate ca-certificate
Step 6 Configure the device IP address that can be used to access the web UI.
web-manager { ipv4 | ipv6 } server-source -a ip-address [ vpn-instance vpn-instance ]
By default, no IP address is configured for accessing the web UI. That is, all IP
addresses can be used to access the web UI.
Step 7 Configure the device interface that can be used to access the web UI.
● Configure an interface to be used to access the web UI.
web-manager server-source -i interface-type interface-num
NOTE
If you have configured an IP address that can be used to access the web UI, you do not
need to configure the interface for accessing the web UI. Select either of them.
Step 8 Use an Ethernet cable to connect the network interface of the terminal to the
interface of the device, either directly or via a Layer 2 switch.
Step 9 Open a browser on the terminal and log in to the device by entering https://
Device's management interface IP address:port number. Use the account and
password configured in Step 1 to log in to the web UI of the device. During the
first login, the device prompts you to change the password.
----End
Procedure
Step 1 Enter the system view.
system-view
Step 2 Enable the CAPTCHA code check function of the web authentication page.
web-manager captcha enable
If no operation is performed on the web UI within the timeout interval, the current
user is automatically logged out.
Step 5 Set abnormal packet check parameters for HTTP low-rate attack defense.
web-manager slow-attack check [ content-length content-length | payload-length payload-length |
packet-number packet-number ] *
Step 6 Enable the function of displaying login warning information. After this function is
enabled, the system displays a warning about possible consequences of
unauthorized device use when you enter a user name and password to log in to
the web UI. You can access the web UI only after confirming the warning.
1. Enable the function of displaying login warning information.
web-manager warning-banner enable
The device provides default warning information. You can choose to modify it.
By default, the device answers a request for a non-existent URL with error 404,
which the client browser displays. After this command is configured, the device
returns a blank page for a non-existent URL instead. Because the response no
longer distinguishes existing paths from non-existent ones, this makes it harder
for an attacker to enumerate web server resources.
Step 8 Enable the IP address lockout function. If the maximum number of consecutive
failed login attempts of an IP address is reached within the retry interval, the IP
address is locked out and cannot be used for login within the lockout period.
web-manager lock-ip retry-interval retry-interval retry-time retry-time block-time block-time
----End
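The lockout rule in Step 8 (web-manager lock-ip retry-interval retry-time block-time) is easiest to reason about by replaying a login sequence against it. The following added example, not from the guide or from Huawei code, simulates that policy over a constructed attempt log: a burst of failures within the retry interval locks the address for the block time (a correct password is rejected while locked), a success resets the consecutive-failure count, and a slow attacker whose failures fall outside the retry interval is never locked, which is why the interval matters as much as the count. Time values are plain integers in one unit; the unit of the command's own parameters is not taken from this page.

```python
"""Simulate the web-manager lock-ip policy of Step 8 over a stream of login attempts.

Added example, not from the guide. Time values are plain integers in one unit;
the unit of the command's own parameters is not taken from this page.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class LockIpPolicy:
    retry_interval: int  # window in which the failures must all fall
    retry_time: int      # consecutive failures within the window that trigger a lock
    block_time: int      # how long the address stays locked


# Constructed attempt log: (time, client IP, password correct?)
EVENTS: List[Tuple[int, str, bool]] = [
    (0, "198.51.100.7", False),
    (0, "203.0.113.5", False),
    (10, "198.51.100.7", False),
    (20, "198.51.100.7", False),   # third failure within the window: locked
    (25, "198.51.100.7", True),    # correct password, still rejected while locked
    (100, "203.0.113.5", False),   # slow attacker: earlier failure already expired
    (150, "203.0.113.5", False),
    (330, "198.51.100.7", True),   # block expired: allowed again
]


class LockIpState:
    def __init__(self, policy: LockIpPolicy) -> None:
        self.policy = policy
        self.failures: Dict[str, List[int]] = {}   # recent failure times per IP
        self.locked_until: Dict[str, int] = {}     # lock expiry per IP

    def attempt(self, ip: str, t: int, password_ok: bool) -> str:
        """Outcome of one login attempt: ok, fail, locked_now or locked."""
        if t < self.locked_until.get(ip, t):
            return "locked"   # rejected before the password is even considered
        if password_ok:
            self.failures.pop(ip, None)   # a success breaks the consecutive run
            return "ok"
        # keep only failures that still fall inside the retry interval
        window = [x for x in self.failures.get(ip, []) if t - x <= self.policy.retry_interval]
        window.append(t)
        if len(window) >= self.policy.retry_time:
            self.locked_until[ip] = t + self.policy.block_time
            self.failures.pop(ip, None)
            return "locked_now"
        self.failures[ip] = window
        return "fail"


def simulate(policy: LockIpPolicy, events: List[Tuple[int, str, bool]]) -> List[Tuple[int, str, str]]:
    """Replay the events in time order and return (time, ip, outcome) for each."""
    state = LockIpState(policy)
    return [(t, ip, state.attempt(ip, t, ok)) for t, ip, ok in sorted(events, key=lambda e: e[0])]


if __name__ == "__main__":
    policy = LockIpPolicy(retry_interval=60, retry_time=3, block_time=300)
    for t, ip, outcome in simulate(policy, EVENTS):
        print(f"t={t:4d} {ip:14s} {outcome}")
```

With retry-interval 60 the second address is never locked because its failures are spaced 100 and 50 units apart; raising retry-interval to 200 locks it on the third failure. Tune the interval against the rate at which a password-guessing client can realistically try, not only the count.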
Networking Requirements
In Figure 5-1, the local account admin123 is configured for DeviceA, which can be
used to log in to the web UI of DeviceA through HTTPS.
Figure 5-1 Network diagram for logging in to the web UI through HTTPS (default
certificate)
NOTE
Data Planning
Item Data
Password YsHsjx_202206
Configuration Roadmap
1. Configure all interfaces to be used to access the web UI.
2. Configure a login interface for the device.
3. Create a local user account for logging in to the web UI of the device.
4. Enable the web service function on the device.
5. Use the local user account to log in to the web UI of the device.
Procedure
Step 1 Configure all interfaces to be used to access the web UI.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] web-manager server-source all-interface
By default, the HTTPS service is enabled and the corresponding port number
is 8443.
2. Enable forcible redirection from HTTP to HTTPS.
[DeviceA] web-manager http forward enable
----End
Configuration Scripts
#
sysname DeviceA
#
web-manager server-source all-interface
web-manager enable port 8443
web-manager http forward enable
#
interface Vlanif10
ip address 10.3.0.1 255.255.255.0
#
aaa
local-user admin123 password irreversible-cipher $1d$OwseVRh@LH}ZeTBm$1nH4$ab>d(N{-%0!ab48y=Ic*xEUR4pVhR2"9-~,$
local-user admin123 service-type http
local-user admin123 privilege level 3
#
return
Figure 5-2 Network diagram for logging in to the web UI through HTTPS
(specified certificate)
NOTE
Data Planning
Item Data
Password YsHsjx_202206
Configuration Roadmap
1. Configure a certificate for login authentication.
2. Configure a login interface for the device.
3. Create a local user account for logging in to the web UI of the device.
4. Enable the web service function on the device.
5. Use the local user account to log in to the web UI of the device.
Procedure
Step 1 Configure a certificate.
1. Generate a certificate request file on DeviceA and send the file to the CA
server using methods such as the web UI, disks and emails. After the
application is approved, the CA server will generate certificates. You can use
HTTP, LDAP, or other methods to download the CA certificate and local
certificate from the CA server to DeviceA and install them for them to take
effect. For details, see "PKI Configuration" in CLI Configuration Guide >
Security Protection.
NOTE
In the local certificate, the value of Subject Alternative Name must be the same as
the IP address for logging in to the web UI of the device. If a domain name is used to
access the web UI, set Subject Alternative Name to the domain name.
Assume that the CA certificate and local certificate are cep_ca.cer and cep_local.cer,
respectively.
2. Obtain the CA certificate of the CA server that issues certificates to the device
and import it to the browser of the PC (client) used for web UI login.
NOTE
If the CA certificate is not imported into the browser, the client can still log in to
the device through HTTPS, but it cannot verify the validity of the server's
certificate, so the session is exposed to man-in-the-middle attacks: anyone who
can intercept the traffic can present their own certificate. Import the CA
certificate and check that the browser reports the connection as trusted before
entering credentials.
3. Configure the certificate sent by the device to the client during the client's
login to the device through HTTPS.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] web-manager security server-certificate cep_local.cer
By default, the HTTPS service is enabled and the corresponding port number
is 8443.
2. Enable forcible redirection from HTTP to HTTPS.
[DeviceA] web-manager http forward enable
Configuration Scripts
#
sysname DeviceA
#
web-manager server-source all-interface
web-manager enable port 8443
web-manager http forward enable
web-manager security server-certificate cep_local.cer
#
interface Vlanif10
ip address 10.3.0.1 255.255.255.0
#
aaa
local-user admin123 password irreversible-cipher $1d$OwseVRh@LH}ZeTBm$1nH4$ab>d(N{-%0!ab48y=Ic*xEUR4pVhR2"9-~,$
local-user admin123 service-type http
local-user admin123 privilege level 3
#
return
Figure 5-3 Networking diagram for web UI login through HTTPS (two-factor
authentication)
NOTE
Data Planning
Item Data
Password YsHsjx_202206
Configuration Roadmap
1. Configure all interfaces to be used to access the web UI.
2. Configure a login interface for the device.
3. Configure the interface connecting the device to the RADIUS server.
4. Configure a RADIUS server template.
5. Configure an authentication scheme.
6. Configure an authentication domain that references the RADIUS server
template and the authentication scheme.
7. Configure the RADIUS server.
8. Use the administrator account to log in to the web UI of the device.
NOTE
This example describes only the configurations of the administrator on the device.
Procedure
1. Configure all interfaces to be used to access the web UI.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] web-manager server-source all-interface
5. Configure a RADIUS server template and verify connectivity between the
device and the RADIUS server.
Configuration Scripts
#
sysname DeviceA
#
web-manager server-source all-interface
web-manager enable port 8443
web-manager http forward enable
#
interface vlanif10
ip address 10.3.0.1 255.255.255.0
#
interface vlanif20
ip address 172.16.0.1 255.255.255.0
#
radius-server template radius_server
radius-server authentication 172.16.0.2 1812
radius-server shared-key cipher %@%@*y:3*ZN}.%%qcL1cCyDwlB.|@XBVMDWq'6JF(iOz2D8>A\SN%@%@
#
aaa
authentication-scheme auth1
authentication-mode radius
domain huawei.com
authentication-scheme auth1
radius-server radius_server
#
return
Possible Causes
1. The HTTPS service is disabled.
2. The number of online web users reaches the upper limit.
3. The service type of the web user is incorrect.
Procedure
Step 1 Check whether the HTTPS service is enabled.
By default, the HTTPS service is enabled. To check whether it is enabled, run the
display web-manager configuration command in the system view. If it is not
enabled, run the web-manager enable command in the system view to enable it.
Step 2 Check whether the number of online web users reaches the upper limit.
1. Run the display web-manager users command in the system view to check
the number of online users.
2. Run the display this command in the system view to check the web-
manager max-user-number configuration.
3. Determine whether the number of online users reaches the upper limit. If it
does, you can increase the maximum number of web users using the web-
manager max-user-number command.
Step 3 Check whether the access type of the web user is correct.
Run the display this command in the AAA view to check whether the access type
of the web user is HTTPS. If the local-user user-name service-type http
configuration exists, the access type of the user specified by user-name is HTTPS.
Otherwise, run the local-user user-name service-type http command in the AAA
view to set the access type of the web user to HTTPS.
----End
6 ZTP Configuration
Purpose
After devices are installed on the live network, engineers usually need to perform
onsite configurations for the devices. Typically, this requires engineers to configure
each device locally, which is inefficient and costly, especially if there are a large
number of sparsely deployed devices.
To overcome such efficiency and cost challenges, the ZTP function can be enabled
on a device. ZTP allows the device to obtain and automatically load deployment
files from the USB flash drive or file server. This ultimately frees engineers from
having to carry out onsite configuration and deployment.
Deployment Modes
Currently, the device supports DHCP-based and USB-based deployment. Select the
deployment mode that suits your scenario. DHCP-based ZTP can be classified
into DHCP-based ZTP with a controller deployed and DHCP-based ZTP without a
controller deployed.
If a controller is deployed, DHCP-based ZTP can be classified into DHCP option
parameter-based ZTP and registration query center-based ZTP.
If no controller is deployed, DHCP-based ZTP can be classified into intermediate
file-based ZTP and option parameter-based ZTP.
DHCP-based ZTP is simple: it only requires a DHCP server. However, the
deployment data it exchanges is neither authenticated nor encrypted, so it can be
intercepted or leaked, and because the device cannot authenticate the servers, a
rogue DHCP or file server on the same segment could supply a different
configuration. In deployment scenarios that require high security, deploy a
dedicated bootstrap server and use two-way authentication and data encryption
(SZTP) to protect the integrity and confidentiality of the deployment data. For
details, see 6.2.2 SZTP Fundamentals and 6.6 Configuring DHCP-based ZTP
(Without a Controller).
When multiple deployment modes are available, their priorities are as follows:
USB-based deployment > SZTP > DHCP option parameter-based ZTP with a
controller > option parameter-based ZTP without a controller > intermediate file-
based ZTP without a controller > registration query center-based ZTP with a
controller
Deployment Process
Device deployment processes include the deployment processes for devices with
factory configurations and with non-factory configurations.
● Figure 6-2 shows the deployment process for a device that starts with factory
configurations. After the device is powered on and starts, it checks whether a
USB flash drive is inserted. If a USB flash drive is inserted and the usb.ini file
exists in the root directory of the USB flash drive, the device starts USB-based
deployment. If no USB flash drive is available or no usb.ini file exists in the
root directory of the USB flash drive, the device functions as a DHCP client
and sends a DHCP request packet to the DHCP server. If the device receives a
packet carrying option 143 from the DHCP server, the device starts the Secure
Zero Touch Provisioning (SZTP) process. Otherwise, the device starts the
DHCP-based ZTP process. You can select a deployment mode based on your site
requirements.
NOTE
● If a user logs in to the device during the ZTP process, the ZTP process will be
terminated.
● When deploying a device with factory configurations, you are advised not to manually
deliver the same configurations as those delivered during ZTP. If the deployment fails,
the configurations will be deleted.
Context
SZTP applies to scenarios that require high security. DHCP-based ZTP is easy to
implement because you only need to deploy a DHCP server. However, it may lead
to data leakage or interception, posing security risks. To mitigate the security risks,
you can deploy a DHCP server and a dedicated bootstrap server and use two-way
authentication and data encryption.
Basic Networking
In Figure 6-3, the device functions as a DHCP client to periodically send DHCP
request packets to the DHCP server in order to obtain configuration information.
The DHCP server responds with DHCP reply packets that contain information
about the IP address allocated to the device, as well as the IP address or domain
name of the bootstrap server. After obtaining such information, the device
establishes an HTTPS connection with the bootstrap server through two-way
authentication based on a preconfigured certificate. The device then obtains
information about deployment files from the bootstrap server, connects to the
deployment file server, obtains the deployment files, and sets them as the files to
be loaded for the next startup. These deployment files are then automatically
loaded by the device upon restart.
Trusted Connection
During SZTP, the device establishes a trusted connection with the bootstrap server
through two-way authentication and obtains deployment file information from
the server. The device then functions as an HTTPS client to establish an HTTPS
connection with the deployment file server and download deployment files.
Certificates listed in Table 6-2 are required for establishing a secure connection
between the device and bootstrap server.
NOTE
The ownership voucher is valid only when the Huawei level-2 CA certificate is pre-
configured on the bootstrap server.
The bootstrap server has a built-in Huawei level-2 CA certificate, an ownership voucher, and
an owner certificate. The device has a built-in identity certificate, a Huawei root CA
certificate, and a Huawei level-2 CA certificate.
● You can configure deployment file information (such as the deployment file
server address and deployment file name) on the bootstrap server. The
deployment file information is stored in onboarding information.
● If the device does not have a built-in trust root certificate, it establishes an
untrusted connection with the bootstrap server. The bootstrap server
encapsulates the onboarding information, ownership voucher, and owner
certificate into bootstrapping data and sends the data to the device.
● After verifying the signature of the ownership voucher against its built-in
Huawei CA certificates, the device performs the operations shown in Figure
6-4: it uses the built-in Huawei level-2 CA certificate to authenticate the
owner certificate, forming a complete trust chain, and then verifies the
signature of the onboarding information. Only then does the device parse the
deployment file information from the onboarding information, establish an
HTTPS connection with the deployment file server, and download the
deployment files.
In practice, you can deploy one or more bootstrap servers based on security
requirements. If multiple bootstrap servers are deployed, a redirect-to
bootstrap server address may be configured on a bootstrap server. Redirection
information is stored in Redirect Information. When an untrusted connection
is established between the device and bootstrap server, the bootstrap server
encapsulates the Redirect Information, ownership voucher, and owner
certificate into bootstrapping data and sends the data to the device to
establish a trusted connection. The device then obtains the IP address of the
redirect-to bootstrap server and the trust anchor certificate from the Redirect
Information. After the trust anchor certificate is installed, the device
establishes a trusted connection with the redirect-to bootstrap server until the
device obtains the onboarding information, which contains deployment file
information.
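The Trusted Connection list above describes a chain of checks rather than a single TLS handshake: the vendor-signed ownership voucher binds this device to its owner, the owner certificate must be the one the voucher pins, and only then is the owner's signature on the onboarding information worth anything. The following added example, not from the guide or from Huawei code, models those decisions in Python so the failure cases can be exercised offline. It follows the RFC 8572 pattern in which the voucher pins the owner's key, a simplification of the CA-chain check the page describes; real SZTP uses X.509 certificates and CMS signatures, and the tiny textbook RSA here, the serial number, the key seeds and the onboarding fields are all constructed stand-ins.

```python
"""Toy model of the SZTP trust decisions listed above: what the device checks,
with which pinned key, before it trusts the onboarding information.

Added example, not from the guide or from Huawei code. Real SZTP (RFC 8572)
uses X.509 certificates and CMS signatures; the tiny textbook RSA below, the
serial number, key seeds and onboarding fields are constructed stand-ins.
"""
import hashlib
import json
import math
from typing import Dict, Tuple

Key = Tuple[int, int]  # (modulus, exponent)


def next_prime(n: int) -> int:
    while any(n % k == 0 for k in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n


def toy_keypair(seed: int, e: int = 65537) -> Tuple[Key, Key]:
    """Textbook RSA on ~20-bit primes: fine for a model, useless for security."""
    p = next_prime(seed)
    q = next_prime(p + 1)
    while math.gcd(e, (p - 1) * (q - 1)) != 1:
        q = next_prime(q + 1)
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))  # (public, private)


def digest(obj) -> int:
    """32-bit hash of a JSON-canonicalised object (always smaller than n)."""
    data = json.dumps(obj, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def sign(priv: Key, obj) -> int:
    n, d = priv
    return pow(digest(obj), d, n)


def verify(pub: Key, obj, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest(obj)


# Pinned at manufacture: the device's built-in vendor CA (stand-in for the
# Huawei root / level-2 CA certificates) and its own serial number.
VENDOR_PUB, VENDOR_PRIV = toy_keypair(1_000_000)
OWNER_PUB, OWNER_PRIV = toy_keypair(2_000_000)    # the network owner's key
ROGUE_PUB, ROGUE_PRIV = toy_keypair(3_000_000)    # an attacker's bootstrap server
DEVICE_SERIAL = "SN-CONSTRUCTED-0001"
ONBOARDING = {"file_server": "https://files.example.net", "config": "DeviceA.cfg"}


def make_bootstrapping_data(owner_pub: Key, owner_priv: Key, serial: str,
                            onboarding: Dict, voucher_priv: Key = VENDOR_PRIV) -> Dict:
    """What a bootstrap server sends over the untrusted connection: the
    ownership voucher (vendor-signed: this serial belongs to this owner key),
    the owner's key, and onboarding information signed by the owner."""
    voucher = {"serial": serial, "pinned_owner_key": list(owner_pub)}
    return {
        "voucher": voucher,
        "voucher_sig": sign(voucher_priv, voucher),
        "owner_key": list(owner_pub),
        "onboarding": onboarding,
        "onboarding_sig": sign(owner_priv, onboarding),
    }


def device_validate(data: Dict, serial: str, vendor_pub: Key = VENDOR_PUB) -> Tuple[bool, str]:
    """Device-side checks, in the order the page describes."""
    voucher = data["voucher"]
    if not verify(vendor_pub, voucher, data["voucher_sig"]):
        return False, "voucher not signed by the pinned vendor CA"
    if voucher["serial"] != serial:
        return False, "voucher issued for a different device serial"
    if voucher["pinned_owner_key"] != data["owner_key"]:
        return False, "owner certificate does not match the key pinned in the voucher"
    if not verify(tuple(data["owner_key"]), data["onboarding"], data["onboarding_sig"]):
        return False, "onboarding information not signed by the owner"
    return True, f"trusted: fetch {data['onboarding']['config']} from {data['onboarding']['file_server']}"


if __name__ == "__main__":
    good = make_bootstrapping_data(OWNER_PUB, OWNER_PRIV, DEVICE_SERIAL, ONBOARDING)
    print(device_validate(good, DEVICE_SERIAL))
    rogue = make_bootstrapping_data(ROGUE_PUB, ROGUE_PRIV, DEVICE_SERIAL,
                                    {"file_server": "https://evil.example", "config": "x.cfg"},
                                    voucher_priv=ROGUE_PRIV)
    print(device_validate(rogue, DEVICE_SERIAL))
```

The point of the model is what each check defends against: a rogue bootstrap server can sign anything it likes, but without the vendor's pinned key it cannot produce a voucher the device accepts; a genuine voucher replayed to another device fails on the serial; and a genuine voucher cannot be paired with a different owner key or with altered onboarding information.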
Deployment Process
Figure 6-5 shows the SZTP process.
NOTE
● If a user logs in to the device during the SZTP process, the SZTP process will be
terminated.
● When deploying a device with factory configurations, you are advised not to manually
deliver the same configurations as those delivered during ZTP. If the deployment fails,
the configurations will be deleted.
Hardware Requirements
Series Models Feature Requirements
Feature requirement: The file path and name for option parameter-based deployment cannot contain the following special characters: # & > < " ' | · $ ; ( ) [ ] { } ~ * ? ! \n # % , \
S5735-S-V2 series: S5735-S24P4XE-V2/S5735-S24T4XE-V2/S5735-S24U4XE-V2/S5735-S48P4XE-V2/S5735-S48T4XE-V2/S5735-S48U4XE-V2
S5735-L-V2 series: S5735-L10T4X-A-V2/S5735-L10T4X-TA-V2/S5735-L16T4S-A-V2/S5735-L16T4X-QA-V2/S5735-L24P4S-A-V2/S5735-L24P4XE-A-V2/S5735-L24P4XE-TA-V2/S5735-L24T4S-A-V2/S5735-L24T4X-QA-V2/S5735-L24T4XE-A-V2/S5735-L24T4XE-D-V2/S5735-L48LP4S-A-V2/S5735-L48LP4XE-A-V2/S5735-L48P4XE-A-V2/S5735-L48T4S-A-V2/S5735-L48T4XE-A-V2/S5735-L48T4XE-TA-V2/S5735-L48T4XE-D-V2/S5735-L8P2T4X-A-V2/S5735-L8P2T4X-TA-V2/S5735-L8P4S-A-V2/S5735-L8P4X-QA-V2/S5735-L8T4S-A-V2/S5735-L8T4X-QA-V2
S3710-H series: S3710-H24P4S-A/S3710-H24T4S-A/S3710-H48LP4S-A/S3710-H48T4S-A
S5735I-L-V2 series: S5735I-L10T4X-A-V2/S5735I-L8P4X-A-V2
S5732-H-V2 series: S5732-H24S4X6QZ-TV2/S5732-H24S4X6QZ-V2/S5732-H24UM4Y2CZ-TV2/S5732-H24UM4Y2CZ-V2/S5732-H44S4X6QZ-TV2/S5732-H44S4X6QZ-V2/S5732-H48UM4Y2CZ-TV2/S5732-H48UM4Y2CZ-V2
S5735I-S-V2 series: S5735I-S24T4XE-V2/S5735I-S24T4XE-T-V2/S5735I-S24U4XE-V2/S5735I-S24U4XE-T-V2/S5735I-S8T4SN-V2/S5735I-S8T4XN-T-V2/S5735I-S8T4XN-V2/S5735I-S8U4XN-V2
S6730-H-V2 series: S6730-H24X6C-TV2/S6730-H24X6C-V2/S6730-H28X6CZ-TV2/S6730-H28X6CZ-V2/S6730-H48X6C-TV2/S6730-H48X6C-V2/S6730-H48X6CZ-TV2/S6730-H48X6CZ-V2/S6730-H48Y6C-TV2/S6730-H48Y6C-V2
S5735I-L10T4X-A-
V2/S5735I-L8P4X-
A-V2
S5732-
H24S4X6QZ-TV2/
S5732-
H24S4X6QZ-V2/
S5732-
H24UM4Y2CZ-
TV2/S5732-
H24UM4Y2CZ-V2/
S5732-
H44S4X6QZ-TV2/
S5732-
H44S4X6QZ-V2/
S5732-
H48UM4Y2CZ-
TV2/S5732-
H48UM4Y2CZ-V2
S5735I-S24T4XE-
V2/S5735I-
S24T4XE-T-V2/
S5735I-S24U4XE-
V2/S5735I-
S24U4XE-T-V2/
S5735I-S8T4SN-
V2/S5735I-
S8T4XN-T-V2/
S5735I-S8T4XN-
V2/S5735I-
S8U4XN-V2
S6730-H24X6C-
TV2/S6730-
H24X6C-V2/
S6730-H28X6CZ-
TV2/S6730-
H28X6CZ-V2/
S6730-H48X6C-
TV2/S6730-
H48X6C-V2/
S6730-H48X6CZ-
TV2/S6730-
H48X6CZ-V2/
S6730-H48Y6C-
TV2/S6730-
H48Y6C-V2
S5735I-L10T4X-A-
V2/S5735I-L8P4X-
A-V2
S5732-
H24S4X6QZ-TV2/
S5732-
H24S4X6QZ-V2/
S5732-
H24UM4Y2CZ-
TV2/S5732-
H24UM4Y2CZ-V2/
S5732-
H44S4X6QZ-TV2/
S5732-
H44S4X6QZ-V2/
S5732-
H48UM4Y2CZ-
TV2/S5732-
H48UM4Y2CZ-V2
S5735I-S24T4XE-
V2/S5735I-
S24T4XE-T-V2/
S5735I-S24U4XE-
V2/S5735I-
S24U4XE-T-V2/
S5735I-S8T4SN-
V2/S5735I-
S8T4XN-T-V2/
S5735I-S8T4XN-
V2/S5735I-
S8U4XN-V2
S6730-H24X6C-
TV2/S6730-
H24X6C-V2/
S6730-H28X6CZ-
TV2/S6730-
H28X6CZ-V2/
S6730-H48X6C-
TV2/S6730-
H48X6C-V2/
S6730-H48X6CZ-
TV2/S6730-
H48X6CZ-V2/
S6730-H48Y6C-
TV2/S6730-
H48Y6C-V2
S5735I-L10T4X-A-
V2/S5735I-L8P4X-
A-V2
S5732-
H24S4X6QZ-TV2/
S5732-
H24S4X6QZ-V2/
S5732-
H24UM4Y2CZ-
TV2/S5732-
H24UM4Y2CZ-V2/
S5732-
H44S4X6QZ-TV2/
S5732-
H44S4X6QZ-V2/
S5732-
H48UM4Y2CZ-
TV2/S5732-
H48UM4Y2CZ-V2
S5735I-S24T4XE-
V2/S5735I-
S24T4XE-T-V2/
S5735I-S24U4XE-
V2/S5735I-
S24U4XE-T-V2/
S5735I-S8T4SN-
V2/S5735I-
S8T4XN-T-V2/
S5735I-S8T4XN-
V2/S5735I-
S8U4XN-V2
S6730-H24X6C-
TV2/S6730-
H24X6C-V2/
S6730-H28X6CZ-
TV2/S6730-
H28X6CZ-V2/
S6730-H48X6C-
TV2/S6730-
H48X6C-V2/
S6730-H48X6CZ-
TV2/S6730-
H48X6CZ-V2/
S6730-H48Y6C-
TV2/S6730-
H48Y6C-V2
S5735I-L10T4X-A-
V2/S5735I-L8P4X-
A-V2
S5732-
H24S4X6QZ-TV2/
S5732-
H24S4X6QZ-V2/
S5732-
H24UM4Y2CZ-
TV2/S5732-
H24UM4Y2CZ-V2/
S5732-
H44S4X6QZ-TV2/
S5732-
H44S4X6QZ-V2/
S5732-
H48UM4Y2CZ-
TV2/S5732-
H48UM4Y2CZ-V2
S5735I-S24T4XE-
V2/S5735I-
S24T4XE-T-V2/
S5735I-S24U4XE-
V2/S5735I-
S24U4XE-T-V2/
S5735I-S8T4SN-
V2/S5735I-
S8T4XN-T-V2/
S5735I-S8T4XN-
V2/S5735I-
S8U4XN-V2
S6730-H24X6C-
TV2/S6730-
H24X6C-V2/
S6730-H28X6CZ-
TV2/S6730-
H28X6CZ-V2/
S6730-H48X6C-
TV2/S6730-
H48X6C-V2/
S6730-H48X6CZ-
TV2/S6730-
H48X6CZ-V2/
S6730-H48Y6C-
TV2/S6730-
H48Y6C-V2
S5735I-L10T4X-A-
V2/S5735I-L8P4X-
A-V2
S5732-
H24S4X6QZ-TV2/
S5732-
H24S4X6QZ-V2/
S5732-
H24UM4Y2CZ-
TV2/S5732-
H24UM4Y2CZ-V2/
S5732-
H44S4X6QZ-TV2/
S5732-
H44S4X6QZ-V2/
S5732-
H48UM4Y2CZ-
TV2/S5732-
H48UM4Y2CZ-V2
S5735I-S24T4XE-
V2/S5735I-
S24T4XE-T-V2/
S5735I-S24U4XE-
V2/S5735I-
S24U4XE-T-V2/
S5735I-S8T4SN-
V2/S5735I-
S8T4XN-T-V2/
S5735I-S8T4XN-
V2/S5735I-
S8U4XN-V2
S6730-H24X6C-
TV2/S6730-
H24X6C-V2/
S6730-H28X6CZ-
TV2/S6730-
H28X6CZ-V2/
S6730-H48X6C-
TV2/S6730-
H48X6C-V2/
S6730-H48X6CZ-
TV2/S6730-
H48X6CZ-V2/
S6730-H48Y6C-
TV2/S6730-
H48Y6C-V2
Service interfaces are used for ZTP, but this deployment mode may compromise the isolation between the service plane, management plane, and control plane. Security hardening has been performed on the system by default during deployment. Users need to perform deployment in a secure networking environment.
Supported series and models:
● S5735-S-V2 series: S5735-S24P4XE-V2/S5735-S24T4XE-V2/S5735-S24U4XE-V2/S5735-S48P4XE-V2/S5735-S48T4XE-V2/S5735-S48U4XE-V2
● S5735-L-V2 series: S5735-L10T4X-A-V2/S5735-L10T4X-TA-V2/S5735-L16T4S-A-V2/S5735-L16T4X-QA-V2/S5735-L24P4S-A-V2/S5735-L24P4XE-A-V2/S5735-L24P4XE-TA-V2/S5735-L24T4S-A-V2/S5735-L24T4X-QA-V2/S5735-L24T4XE-A-V2/S5735-L24T4XE-D-V2/S5735-L48LP4S-A-V2/S5735-L48LP4XE-A-V2/S5735-L48P4XE-A-V2/S5735-L48T4S-A-V2/S5735-L48T4XE-A-V2/S5735-L48T4XE-TA-V2/S5735-L48T4XE-D-V2/S5735-L8P2T4X-A-V2/S5735-L8P2T4X-TA-V2/S5735-L8P4S-A-V2/S5735-L8P4X-QA-V2/S5735-L8T4S-A-V2/S5735-L8T4X-QA-V2
● S3710-H series: S3710-H24P4S-A/S3710-H24T4S-A/S3710-H48LP4S-A/S3710-H48T4S-A
● S5735I-L-V2 series: S5735I-L10T4X-A-V2/S5735I-L8P4X-A-V2
● S5732-H-V2 series: S5732-H24S4X6QZ-TV2/S5732-H24S4X6QZ-V2/S5732-H24UM4Y2CZ-TV2/S5732-H24UM4Y2CZ-V2/S5732-H44S4X6QZ-TV2/S5732-H44S4X6QZ-V2/S5732-H48UM4Y2CZ-TV2/S5732-H48UM4Y2CZ-V2
● S5735I-S-V2 series: S5735I-S24T4XE-V2/S5735I-S24T4XE-T-V2/S5735I-S24U4XE-V2/S5735I-S24U4XE-T-V2/S5735I-S8T4SN-V2/S5735I-S8T4XN-T-V2/S5735I-S8T4XN-V2/S5735I-S8U4XN-V2
● S6730-H-V2 series: S6730-H24X6C-TV2/S6730-H24X6C-V2/S6730-H28X6CZ-TV2/S6730-H28X6CZ-V2/S6730-H48X6C-TV2/S6730-H48X6C-V2/S6730-H48X6CZ-TV2/S6730-H48X6CZ-V2/S6730-H48Y6C-TV2/S6730-H48Y6C-V2
Fundamentals
If a controller is deployed, DHCP-based ZTP can be classified into DHCP option
parameter-based ZTP and registration query center-based ZTP.
In Figure 6-6, Option 148 or Option 17 is configured on the DHCP server on the
network. This option parameter contains the controller address information.
Devices obtain the information through DHCP. The device establishes a NETCONF
connection with the controller based on the obtained controller information. Then
you can perform deployment configuration on the device through the controller.
address, bootstrap server's IP address and port number, and Syslog server's IP
address to the device that performs ZTP.
● DNS server: provides mappings between domain names and IP addresses,
and resolves the domain name of the bootstrap server to an IP address.
● Bootstrap server: stores CA certificates applied by users. For security
purposes, no certificate is preconfigured on iMaster NCE-Campus. For this
reason, the device needs to download a CA certificate from the bootstrap
server so that two-way authentication for establishing a NETCONF connection
between the device and iMaster NCE-Campus can be successfully performed.
Currently, iMaster NCE-Campus integrates the bootstrap server function.
● Syslog server: uploads user logs recorded during the ZTP process to the NMS.
● DHCP relay agent: forwards packets exchanged between the device to be
deployed and the DHCP server when they are located on different network
segments.
In Figure 6-7, a device accesses the Huawei device registration query center
through the preconfigured URL/IP address and port number of the Huawei device
registration query center, and then obtains the controller address based on the
device ESN or MAC address. The device establishes a NETCONF connection with
the controller based on the obtained controller information. Then you can perform
configurations on the device through the controller.
ZTP Process
Figure 6-8 shows the flowchart of DHCP option parameter-based ZTP when a
controller is deployed.
certificate sent by the bootstrap server has been signed, the device
verifies the signature of the certificate. After the signature verification is
successful, the device verifies the certificate. If the CA certificate sent by
the bootstrap server has not been signed, the device determines whether
to trust the certificate based on the option field setting. If the option field
specifies that the certificate can be trusted, the device verifies the
certificate. Otherwise, the device verifies the signature first. In this case,
signature verification will fail.
The device verifies the certificate based on the certificate verification
mode specified by an option field. If the certificate verification mode is
ESN, the device verifies the certificate based on the device ESN. If the
certificate authentication mode is DOMAIN_IP, the device verifies the
certificate based on the IP address of the bootstrap server. If the
verification fails, the device fails to obtain a CA certificate.
e. The device imports the obtained CA certificate to the default realm.
5. Establishing a NETCONF connection with the controller
After receiving a packet carrying the controller address from the registration
query center, the device enables NETCONF, enables proactive NETCONF
registration, and creates an SSH user (huawei) and VLAN1 for management.
The device establishes a NETCONF connection with the controller based on
the obtained IP address and port number of the controller.
Context
The DHCP server uses option fields to carry network configuration parameters
that are required for ZTP. The device can function as a DHCP server. If a controller
is deployed, you can enable the built-in DHCP function of iMaster NCE-Campus or
deploy an independent DHCP server.
Table 6-5 describes DHCPv4 option fields used for controller-based ZTP, and Table
6-6 describes the DHCPv6 option fields.
If the device to be deployed and DHCP server are on different network segments,
configure a DHCP relay agent to forward DHCP packets exchanged between them.
CAUTION
● The DHCP server does not support authentication and may be spoofed. You are
advised to use a trusted DHCP server for deployment on a secure network.
example, https://[2001:db8:1::2]:200.
● bootstrap-trust: indicates whether to trust the downloaded CA certificate. The value can be true or false. The value true indicates that the device trusts the CA certificate and verifies the signature of the CA certificate only when the CA certificate sent by the bootstrap server is signed. The value false indicates that the device does not trust the CA certificate and always verifies the signature of the CA certificate. If bootstrap-trust is not specified, the default value false is used.
● bootstrap-voucher: specifies the CA certificate verification mode. The value can be DOMAIN_IP or ESN. The value DOMAIN_IP indicates that the IP address of the bootstrap server is used to verify the validity of the certificate, and the value ESN indicates that the device ESN is used to verify the validity of the certificate. The CA certificate can be obtained only after it is successfully verified.
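The trust decision described above, as an added example that is not part of this guide and not Huawei code: a Python model of how bootstrap-trust and bootstrap-voucher combine with whether the bootstrap server's CA certificate is signed. The BootstrapCACert class, the options dictionary, the esns/ips lists the certificate is matched against, the ESN value and the function names are assumptions of this example; the bootstrap URL is the one quoted above, and the DHCP option encoding itself is not modelled.

```python
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class BootstrapCACert:
    """What the device knows about the CA certificate it downloaded (assumed model).

    signed / signature_valid stand in for the device's own signature check; esns and
    ips stand in for the identifiers the certificate is matched against in ESN and
    DOMAIN_IP mode. Both are assumptions of this example, not the real format.
    """
    signed: bool
    signature_valid: bool = False
    esns: tuple = ()
    ips: tuple = ()


def option_bool(options, key, default=False):
    """bootstrap-trust is carried as the strings 'true'/'false'; absent means false."""
    value = options.get(key)
    if value is None:
        return default
    if value.lower() not in ("true", "false"):
        raise ValueError(f"{key} must be true or false, got {value!r}")
    return value.lower() == "true"


def bootstrap_ip(bootstrap_url):
    """Host part of the bootstrap URL as an address object, or None if it is a name.
    urlsplit() strips the [] around an IPv6 literal such as https://[2001:db8:1::2]:200."""
    host = urlsplit(bootstrap_url).hostname
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def decide_ca_certificate(cert, options, device_esn, bootstrap_url):
    """Return (accepted, reason), in the order the text above describes:
    signature check first, then the check selected by bootstrap-voucher."""
    trust = option_bool(options, "bootstrap-trust")
    mode = options.get("bootstrap-voucher", "").upper()

    # Step 1: signature. With bootstrap-trust=false (the default) the signature is
    # always verified, so an unsigned certificate fails here. bootstrap-trust=true
    # lets an unsigned certificate proceed to step 2 with no signature check at all.
    if cert.signed:
        if not cert.signature_valid:
            return False, "signature verification failed"
    elif not trust:
        return False, "unsigned CA certificate rejected because bootstrap-trust=false"

    # Step 2: certificate verification mode.
    if mode == "ESN":
        if device_esn in cert.esns:
            return True, "accepted: device ESN matches"
        return False, "ESN check failed"
    if mode == "DOMAIN_IP":
        target = bootstrap_ip(bootstrap_url)
        if target is None:
            return False, "bootstrap host is not an IP address, DOMAIN_IP check impossible"
        if any(ipaddress.ip_address(ip) == target for ip in cert.ips):
            return True, "accepted: bootstrap server IP matches"
        return False, "DOMAIN_IP check failed"
    return False, f"unknown bootstrap-voucher value {mode!r}"


if __name__ == "__main__":
    # Constructed scenarios: the ESN and the certificate bindings are made up.
    url = "https://[2001:db8:1::2]:200"
    esn = "ESN-EXAMPLE-0001"
    signed = BootstrapCACert(signed=True, signature_valid=True, esns=(esn,), ips=("2001:db8:1::2",))
    unsigned = BootstrapCACert(signed=False, esns=(esn,), ips=("2001:db8:1::2",))
    for label, cert, opts in [
        ("signed, default trust, ESN", signed, {"bootstrap-voucher": "ESN"}),
        ("unsigned, default trust, ESN", unsigned, {"bootstrap-voucher": "ESN"}),
        ("unsigned, trust=true, DOMAIN_IP", unsigned,
         {"bootstrap-trust": "true", "bootstrap-voucher": "DOMAIN_IP"}),
    ]:
        print(f"{label:36s} -> {decide_ca_certificate(cert, opts, esn, url)}")
```

With the default bootstrap-trust=false an unsigned certificate never reaches the ESN or IP check, so a spoofed DHCP server (see the CAUTION above) that points the device at a rogue bootstrap server still has to produce a correctly signed CA certificate. Setting bootstrap-trust=true removes that step and leaves only the ESN or IP match, so it belongs only on the trusted deployment network the CAUTION calls for.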
NOTE
If the registration query center is used for deployment, Option 148 or Option 17 (suboption
1) does not need to be configured on the DHCP server, but Option 6 needs to be configured
to obtain the IP address of the DNS server. The device accesses the Huawei device
registration query center through the preconfigured URL/IP address and port number of the
Huawei device registration query center, obtains the controller address based on the device
ESN or MAC address, and obtains the IP address and port number of the bootstrap server.
Procedure
Step 1 Configure the DHCP server.
Step 2 (Optional) Configure the DHCP relay agent.
NOTE
If a Huawei device is used as the DHCP relay agent, see "DHCPv4 Configuration" or
"DHCPv6 Configuration" in CLI Configuration Guide > IP Address and Service Configuration.
If a third-party device is used as the DHCP relay agent, see the operation guide of the third-
party DHCP server and DHCP relay agent.
----End
Prerequisites
To implement ZTP through iMaster NCE-Campus, you need to log in to iMaster
NCE-Campus and import the ESN, device type, and CA certificate of each device in
advance. If the registration query center is used for deployment, you need to
connect iMaster NCE-Campus to the registration query center. For details about
how to configure iMaster NCE-Campus, see the iMaster NCE-Campus product
documentation.
Context
A device with factory configurations has never started ZTP before. In its factory
configurations, the ZTP function is enabled by default. To start ZTP, you only need
to power on the device. The ZTP function can be disabled on a device. If you log in
to a device through the console port and disable the ZTP function when the device
starts with factory configurations, the ZTP process is terminated. To enable the
device to execute the ZTP process when it starts with factory configurations next
time, you need to enable the ZTP function.
Procedure
Step 1 Power on the device.
Step 2 (Optional) Enable the ZTP function on the device.
set ztp enable
----End
Procedure
Step 1 The device completes the ZTP process in about 15 minutes after it is powered on.
You can then log in to the device to check the status of the NETCONF connection
between the device and iMaster NCE-Campus.
display netconf session
----End
Follow-up Procedure
If deployment fails, analyze ZTP logs on the device to determine the cause. ZTP
logs are saved in the file named ztp_YYYYMMHHMMSS.log in the flash:/
directory.
The DHCP server responds with DHCP reply packets that contain information
about the IP address allocated to the device, IP address of the intermediate file
server, and intermediate file server login method. After receiving the DHCP reply
packets, the device connects to the intermediate file server to obtain the
configuration information about the deployment files, based on which the device
then automatically obtains deployment files from the specified deployment file
server and sets them as the files to be loaded for the next startup. These
deployment files are then automatically loaded by the device upon restart.
In Figure 6-11, the device functions as a DHCP client and periodically sends DHCP
request packets to the DHCP server to obtain configuration information. The DHCP
server responds with DHCP reply packets that carry the IP address allocated to the
device, the deployment file server login method, and the deployment file
information. After receiving the DHCP reply packets, the device connects to the
deployment file server to obtain the deployment files and sets them as the files to
be loaded for the next startup. These deployment files are then loaded
automatically when the device restarts.
Deployment Process
● Figure 6-12 shows the intermediate file-based ZTP process.
address, IP address of the file server, IP address of the Syslog server, and
deployment file information.
3. Enabling the Syslog server
The device obtains the IPv4 address of the Syslog server from the DHCP reply
packet to enable the Syslog server function. Information about important
phases during ZTP is recorded in user logs, which the Syslog server will upload
to the NMS.
4. Obtaining deployment files
The device downloads deployment files from the deployment file server based
on the information obtained from the DHCP reply packet.
5. Restarting the device
The device automatically sets the downloaded deployment files as those to be
loaded for its next startup. The device then restarts to complete automatic
deployment.
Context
Before DHCP-based ZTP, you need to prepare deployment files, including the
configuration file and intermediate file.
The configuration file name is a string of 5 to 64 characters and suffixed with *.zip,
*.cfg, or *.dat. The configuration file is used for the next startup. The configuration
file can be manually edited or copied from other devices. You can use either of the
following methods to obtain the configuration file:
● Saving the configuration file: Run the save shareable-configuration
command on the device that provides the configuration file to save the
configuration file, and then export the configuration file using SFTP or other
methods.
● Changing the system master key: Run the set master-key command to
change the system master key, save the configuration file, and export the
configuration file using SFTP or other methods.
NOTE
For security, export the configuration file using one of the following operations rather
than editing it manually.
Ensure that the configuration file used for deployment contains the console password or
an AAA user name that can be used to log in to the device remotely. Otherwise, the
configuration file cannot be set successfully and deployment fails.
The name extension of the intermediate file is .ini or .python. By parsing the
intermediate file, the device to be deployed obtains information about the
deployment file server address and deployment files. The intermediate file needs
to be manually edited.
● The intermediate file in .ini format is used to save information about the
device and its deployment files. For details about the file example, see 6.6.3
Intermediate File in the INI Format.
● The intermediate file in Python format (known as a Python script) is used to
download deployment files. For details about the file example, see 6.6.4
Intermediate File in the Python Format.
The password in the intermediate file is used to decrypt the ciphertext in the
configuration file so that the device can identify the ciphertext at next startup. The
file name extension is .ini, and the file name contains 5 to 64 characters.
Procedure
Step 1 Prepare the configuration file.
● Configuration file saving mode
1. Save the configuration file on the device that provides the configuration file.
save shareable-configuration configuration-file [ password ]
If the password parameter is not specified, the configuration file uses the
default key information. If the password parameter is specified, the device
generates key information in the configuration file based on the password
entered in interactive mode.
2. Export the configuration file using SFTP.
● System master key changing mode
1. Change the system master key.
<HUAWEI> set master-key
Enter the user password: //Password of the current user, not the master key of the current system
Warning: This operation will automatically save configurations. Are you sure you want to perform it?
[Y/N]:y
Whether to enter the master key? (If you enter Y, then you need to enter a master key. If you enter N,
the master key will be automatically generated by the system.) [Y/N]:y
Enter a new master key: //System master key
Confirm the new master key:
Info: Keep the new master key well.
Info: Operating, please wait for a moment......
Info: Operation success.
For details, see "System Master Key Configuration" in CLI Configuration Guide
> User Access and Authentication Configuration.
2. Export the configuration file using SFTP.
The intermediate file can be an .ini file or a Python script. You can select either
format to configure related fields. In addition, the configuration of some fields in
the intermediate file is related to the method of obtaining the configuration file.
For details, see Table 6-7 and Table 6-8. For more information about the fields in
an intermediate file, see 6.6.3 Intermediate File in the INI Format and 6.6.4
Intermediate File in the Python Format.
1. Create a .txt file and change the file name to *.ini, for example, masterkey.ini.
[BEGIN]
EXPORTCFG=
SET_MASTER=
CLEAR_MASTER=
[END]
2. Set fields in the intermediate file. For details about the fields, see Table 6-7.
----End
[DEVICE_TYPE_1 DESCRIPTION]
DEVICE_TYPE=S6700
ESN=
MAC=
VRPVER=
SYSLOG_INFO=UDP
SPACE_CLEAR=1
DIRECTORY=folder/
ACTIVE_DELAYTIME=60
ACTIVE_INTIME=
*FILETYPENUM=5
*FILENAME_1=software_file1.cc
*TYPE_1=SOFTWARE
*EFFECTIVE_MODE_1=0
ISBATCHPROCESS_1=0
SHA256_1=a7638ea0a69933ac20df66ea9bf6ea301de8155684d81fbcdf00f6ca07261d7c
*FILENAME_2=cfg_file1.cfg
*TYPE_2=CFG
*EFFECTIVE_MODE_2=0
ISBATCHPROCESS_2=0
SHA256_2=a7638ea0a69933ac20df66ea9bf6ea301de8155684d81fbcdf00f6ca07261d7c
*FILENAME_3=pat_file1.pat
*TYPE_3=PAT
*EFFECTIVE_MODE_3=1
ISBATCHPROCESS_3=0
SHA256_3=a7638ea0a69933ac20df66ea9bf6ea301de8155684d81fbcdf00f6ca07261d7c
*FILENAME_4=lic_file1.xml
*TYPE_4=LIC
*EFFECTIVE_MODE_4=1
ISBATCHPROCESS_4=0
SHA256_4=a7638ea0a69933ac20df66ea9bf6ea301de8155684d81fbcdf00f6ca07261d7c
*FILENAME_5=user_file1.txt
*TYPE_5=USER
*EFFECTIVE_MODE_5=2
ISBATCHPROCESS_5=0
SHA256_5=a7638ea0a69933ac20df66ea9bf6ea301de8155684d81fbcdf00f6ca07261d7c
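As an added example that is not part of the guide and not Huawei's script, the following Python code parses an intermediate file in the format shown above, groups the FILENAME_n/TYPE_n/EFFECTIVE_MODE_n/SHA256_n entries, checks each file name against the extension rules in the FILE_EXTENSION table of the Python sample later on this page, and verifies the downloaded bytes against the SHA256_n digest before anything would be set for next startup. Treating a leading asterisk as a mandatory-field marker is an assumption, as are the file contents, digests and function names used here.

```python
import hashlib
import re

# Allowed extensions per deployment-file type, from the FILE_EXTENSION table in the
# Python intermediate-file sample later on this page. USER accepts any name.
ALLOWED_EXT = {
    "SOFTWARE": (".cc",), "CFG": (".cfg", ".zip", ".dat"), "PAT": (".pat",),
    "MOD": (".mod",), "LIC": (".xml", ".dat", ".zip"),
    "FEATURE-PLUGIN": (".ccx",), "USER": None,
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def parse_intermediate_ini(text):
    """Parse [SECTION] headers and KEY=VALUE lines into {section: {key: value}}.
    A leading '*' is stripped from the key and the key is recorded as mandatory
    (assumption: that is what the asterisk in the example above marks)."""
    sections, mandatory, cur = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            cur = header.group(1)
            sections[cur], mandatory[cur] = {}, set()
            continue
        if cur is None or "=" not in line:
            raise ValueError(f"malformed intermediate file line: {raw!r}")
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key.startswith("*"):
            key = key[1:]
            mandatory[cur].add(key)
        sections[cur][key] = value
    return sections, mandatory


def deployment_files(section):
    """Group FILENAME_n / TYPE_n / EFFECTIVE_MODE_n / SHA256_n for n = 1..FILETYPENUM."""
    return [{"name": section[f"FILENAME_{i}"], "type": section[f"TYPE_{i}"].upper(),
             "effective_mode": section.get(f"EFFECTIVE_MODE_{i}"),
             "sha256": section.get(f"SHA256_{i}", "").lower()}
            for i in range(1, int(section.get("FILETYPENUM", "0")) + 1)]


def check_file(entry, blob):
    """Classify one deployment file; blob is the downloaded content or None."""
    if entry["type"] not in ALLOWED_EXT:
        return "unknown-type"
    exts = ALLOWED_EXT[entry["type"]]
    if exts and not entry["name"].lower().endswith(exts):
        return "bad-extension"
    if blob is None:
        return "missing"
    if not re.fullmatch(r"[0-9a-f]{64}", entry["sha256"]):
        return "unpinned"  # no usable digest, so integrity cannot be checked at all
    return "ok" if sha256_hex(blob) == entry["sha256"] else "mismatch"


def verify_downloads(ini_text, downloaded):
    """downloaded: {file name: bytes}. Returns {file name: status} for every
    file listed in a [DEVICE_TYPE_n DESCRIPTION] section."""
    sections, _ = parse_intermediate_ini(ini_text)
    results = {}
    for name, section in sections.items():
        if name.startswith("DEVICE_TYPE_"):
            for entry in deployment_files(section):
                results[entry["name"]] = check_file(entry, downloaded.get(entry["name"]))
    return results


# Constructed sample data: file contents and digests are made up for this example.
GOOD_CC = b"system software image (constructed)"
GOOD_CFG = b"#\n sysname ZTP-DEMO\n#\n"
USER_TXT = b"user file (constructed)"
SAMPLE_INI = f"""[DEVICE_TYPE_1 DESCRIPTION]
DEVICE_TYPE=S6700
SPACE_CLEAR=1
*FILETYPENUM=4
*FILENAME_1=software_file1.cc
*TYPE_1=SOFTWARE
*EFFECTIVE_MODE_1=0
SHA256_1={sha256_hex(GOOD_CC)}
*FILENAME_2=cfg_file1.cfg
*TYPE_2=CFG
*EFFECTIVE_MODE_2=0
SHA256_2={sha256_hex(GOOD_CFG)}
*FILENAME_3=pat_file1.pat
*TYPE_3=PAT
SHA256_3=
*FILENAME_4=user_file1.txt
*TYPE_4=USER
SHA256_4={sha256_hex(USER_TXT)}
"""
# What arrived from the file server: the configuration file was altered in transit,
# the patch has no pinned digest, and the user file never arrived.
DOWNLOADED = {
    "software_file1.cc": GOOD_CC,
    "cfg_file1.cfg": GOOD_CFG + b" local-user intruder password irreversible-cipher X\n",
    "pat_file1.pat": b"patch (constructed)",
}

if __name__ == "__main__":
    for name, status in verify_downloads(SAMPLE_INI, DOWNLOADED).items():
        print(f"{name:20s} {status}")
```

A mismatch or an empty SHA256_n should stop deployment rather than fall through to loading the file: the digest is the only thing binding what the DHCP reply pointed at to what the administrator actually published. Note that the INI example above repeats one placeholder digest for every file; a real intermediate file carries a distinct digest per file.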
SPACE_CLEAR (mandatory: No): Whether to automatically clean up the system storage space in the case of space insufficiency. The value is of the enumerated type.
● 0: The system storage space is not cleaned up.
● 1: Only system software among deployment files is deleted.
● 2: In-depth cleanup is performed. System software among deployment files is deleted first. If the available space is still insufficient, unnecessary files are deleted.
If this field is left empty or set to DEFAULT, the space is not cleaned up. The default value is DEFAULT.
NOTE
In-depth cleanup involves some inherent risks. As such, you are advised to back up required files locally before performing in-depth cleanup.
<LSN>LIC202005183TCG5M</LSN>
<Esn>102050157695</Esn>
</Lic>
<Lic name="LIC_file2.dat" sha256="6a2690e7a08e3df844ba86e1f48dc3c504af3b760dd0e38134771e1024fe1a5f">
<LSN>LIC202005183TCI50</LSN>
<Esn>2102311LDL0000000805</Esn>
</Lic>
</Index>
NOTE
The Python script can invoke the script defined using open programmability system (OPS)
APIs. The invoked script defines automatic service deployment upon device startup. To
configure more service functions for ZTP, edit the Python script by referring to the following
file example and "Writing an OPS API-based Script" in CLI Configuration Guide > System
Management Configuration.
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
# Copyright (C) Huawei Technologies Co., Ltd. 2020-2030. All rights reserved.
# ----------------------------------------------------------------------------------------------------------------------
# History:
# Date Author Modification
# 202005
"""
Zero Touch Provisioning (ZTP) enables devices to automatically load version files including system software,
patch files, configuration files when the device starts up, the devices to be configured must be new devices
or have no configuration files.
This is a sample of a Zero Touch Provisioning user script. You can customize it to meet the requirements of
your network environment.
"""
import http.client
import string
import re
import os
import sys
import xml.etree.ElementTree as etree
import stat
import logging
import traceback
import glob
import ops
import ipaddress
# ======================================================================================================================
# Script configuration information start
# error code
OK = 0
ERR = 1
FILE_TYPE_SOFTWARE = 'software'
FILE_TYPE_CFG = 'cfg'
FILE_TYPE_PAT = 'pat'
FILE_TYPE_MOD = 'mod'
FILE_TYPE_LIC = 'lic'
FILE_TYPE_USER = 'user'
FILE_TYPE_FEATURE_PLUGIN = 'feature-plugin'
# Log level.
LOG_INFO_TYPE = 'INFO'
LOG_WARN_TYPE = 'WARNING'
LOG_ERROR_TYPE = 'ERROR'
# File name extension of the deployment file, which is used for file name verification
FILE_EXTENSION = {
FILE_TYPE_SOFTWARE: ('.cc', ),
FILE_TYPE_CFG: ('.cfg', '.zip', '.dat'),
FILE_TYPE_PAT: ('.pat', ),
FILE_TYPE_MOD: ('.mod', ),
FILE_TYPE_LIC: ('.xml', '.dat', '.zip'),
FILE_TYPE_FEATURE_PLUGIN : ('.ccx', ),
FILE_TYPE_USER: (None, )
}
FLASH_HOME_PATH = '{}'.format('/opt/vrpv8/home')
# Record the name of the startup information file.
STARTUP_INFO_FILE_NAME = 'ztp_startupInfo.txt'
# License list file used for batch license deployment.
LICENSE_LIST_FILE_NAME = 'ztp_license_list.xml'
SET_MASTER_FILE_NAME = 'ztp_master.txt'
# One hour
# One minute
# ZTP status
ZTP_STATUS_RUNNING = 'false'
ZTP_STATUS_END = 'true'
# ======================================================================================================================
# User configuration information start
'sha256': '',
},
}
}
# File information of the patch file on the file server. The file name extension is '.mod.'
REMOTE_MOD = {
'product-name': {},
'esn': {},
'mac': {
'xxxx-xxxx-xxxx' : {
'path': '/patch/S6700.MOD',
'effective_mode': EFFECTIVE_MODE_NO_REBOOT,
'sha256': '',
},
}
}
# File information of the license list file. The file name extension is '.xml.'
REMOTE_LICLIST = {
'path': '/{}'.format(LICENSE_LIST_FILE_NAME),
'sha256': 'a7638ea0a69933ac20df66ea9bf6ea301de8155684d81fbcdf00f6ca07261d7c',
}
# File information of the user file on the file server.
REMOTE_USER = {
'product-name': {},
'esn': {
'BARCODETEST20200620' : [
{
'path': '',
'sha256': '',
},
],
'BARCODETEST20200000' : [
{
'path': '/user/ztp_user.txt',
'sha256': '',
},
{
'path': '/user/ztp_user1.txt',
'sha256': '',
},
],
},
'mac': {}
}
# File server that stores the necessary system software, configuration and patch files.
# (1) Specify the file server that supports the following format.
# sftp://[username[:password]@]hostname[:port]
# (2) Do not add a trailing slash at the end of the file server path.
FILE_SERVER = 'sftp://sftp_user:sftp_pwd@xx.xx.xx.xx'
# TIME_SN is a string consisting of the year, month, day, hour, minute, and second.
TIME_SN = '20200526120159'
# device info
SYSLOG_INFO = 'UDP'
SPACE_CLEAR = ZTP_SPACE_CLEAR_NO_NEED
ACTIVE_DELAYTIME = '60'
#ACTIVE_INTIME is a string consisting of hour and minute
ACTIVE_INTIME = None
#VRPVER indicates the software version
VRPVER = None
#DHCP_TYPE means using dhcpv4 or v6 to download file
DHCP_TYPE = 'DHCPv4'
# User configuration information end
# ======================================================================================================================
# OPS objects
slog = ops.ops()
# Log file name
LOG_FILE = ''
# python file name
PYTHON_FILE = os.path.basename(__file__)
SYSTEM_FILE_INIT =0
SYSTEM_FILE_SETTING_END = 1
system_file_state = SYSTEM_FILE_INIT
SYSTEM_STARUPINFO_INIT = 0
SYSTEM_STARUPINFO_END = 1
system_startupInfo_state = SYSTEM_STARUPINFO_INIT
system_reboot_needed = True
SFTP_DEFAULT_PORT = 22
HTTP_DEFAULT_PORT = 80
SET_SOFTWARE = 'SET_SOFTWARE'
SET_CFG = 'SET_CFG'
SET_PATCH = 'SET_PATCH'
SET_MOD_PATCH = 'SET_MOD_PATCH'
SET_FEATURE_PLUGIN = 'SET_FEATURE_PLUGIN'
TIMES_STARTUP_RETRY = 60
DELAY_INTERVAL_SET_INFO = 2
CLI_TYPE_YANG = 'YANG'
is_set_master = None
is_clear_master = False
master_exportcfg = None
flash_home_path_master = None
flash_home_path_slave = None
item_str = lambda key, value: f'<{key}>{value}</{key}>'
class OPIExecError(Exception):
"""OPI executes error."""
pass
class ZTPErr(Exception):
"""ZTP error."""
pass
class ExecFileErr(Exception):
"""Execute file error."""
pass
class ZTPAbort(Exception):
"""Abort ZTP automatically."""
pass
class ZTPRollback(Exception):
"""ZTP startup info rollback."""
pass
def ops_conn_operation(func):
def wapper(*args, **kwargs):
ops_conn = ops.OPSConnection("localhost")
kwargs.update({"ops_conn": ops_conn})
try:
ret = func(*args, **kwargs)
return ret
except OPIExecError as reason:
raise OPIExecError(reason)
except Exception as reason:
exception_info = \
"{} failed, reason = {}".format(func.__name__, reason)
raise Exception(exception_info)
finally:
ops_conn.close()
return wapper
def cli_operation(func):
def wapper(*args, **kwargs):
ops_obj = ops.ops()
ops_obj.set_model_type(CLI_TYPE_YANG)
handle, result = ops_obj.cli.open()
if handle is None or result != "Success":
return ERR, result
kwargs.update({"ops_obj": ops_obj})
kwargs.update({"handle": handle})
try:
return func(*args, **kwargs)
except Exception as reason:
return ERR, str(reason)
finally:
ret, result = ops_obj.cli.close(handle)
if ret != OK:
logging.warning(f"Failed to close cli channel, handle = {handle}.")
return wapper
class cli():
""" Command operations """
@staticmethod
@cli_operation
def patch_delete_all(ops_obj=None, handle=None):
ops_obj.cli.execute(handle, "return")
choice = {"[Y/N]": "y"}
ret, _, result = ops_obj.cli.execute(handle, f'patch delete all', choice)
if ret is None:
return ERR, result
return OK, ret
@staticmethod
@cli_operation
def reset_next_feature_plugin(file_path, ops_obj=None, handle=None):
ops_obj.cli.execute(handle, "return")
ret, _, result = ops_obj.cli.execute(handle, f'reset feature-software next-startup {file_path}')
if ret is None:
return ERR, result
return OK, ret
def ops_return_result(ret):
return ((ret != http.client.OK) and \
(ret != http.client.CREATED) and \
(ret != http.client.NO_CONTENT))
@ops_conn_operation
def file_exist_on_slave(file_path='', ops_conn=None):
@ops_conn_operation
def get_home_path(ops_conn=None):
""" Get the full filename of the home directory """
uri = '{}'.format('/restconf/data/huawei-file-operation:file-operation/disk-usages')
req_data = None
ret, _, rsp_data = ops_conn.get(uri, req_data)
if ops_return_result(ret) or rsp_data == '':
logging.error('Failed to get the current working directory.')
raise OPIExecError('Failed to get the home directory.')
root_elem = etree.fromstring(rsp_data)
namespaces = {'file-operation': 'urn:huawei:yang:huawei-file-operation'}
usb_dirs = []
slave_dir_list = []
master_dir = None
for disk_usage in root_elem.findall('file-operation:disk-usage', namespaces):
elem = disk_usage.find("file-operation:path", namespaces)
if elem is None or elem.text is None:
continue
if elem.text.lower().find('usb') >= 0:
usb_dirs.append(elem.text)
else:
if elem.text.lower().startswith('flash'):
master_dir = elem.text
else:
slave_dir_list.append(elem.text)
usb_dirs.sort(reverse=True)
return master_dir, slave_dir_list, usb_dirs
@ops_conn_operation
def file_exist_on_master(file_path='', ops_conn=None):
home_dir, _, _ = get_home_path()
if home_dir is None:
logging.error("Failed to get the home directory.")
return False
if file_path.startswith(home_dir):
file_path_real = file_path
else:
file_path_real = os.path.join(home_dir, file_path)
def file_exist(file_path=''):
""" Check whether a file exists on the main control board. """
if file_path.lower().startswith('flash'):
return file_exist_on_master(file_path)
else:
return file_exist_on_slave(file_path)
@ops_conn_operation
def file_delete(file_path='', ops_conn=None):
if file_path is None or file_path == '':
logging.warning("The path of file is none or ''.")
return ERR
def del_list_file(files_list):
""" Deleted all files in the specified file list. """
for key in files_list.keys():
for filename in files_list.get(key):
file_delete(os.path.join(key, filename))
@ops_conn_operation
def copy_file(src_path='', dest_path='', ops_conn=None):
"""Copy a file."""
def get_file_list_cur(types=0):
filelist = []
fileNames = glob.glob(FLASH_HOME_PATH + r"/*.*")
try:
for fileName in fileNames:
name = os.path.basename(fileName)
filelist.append(name)
except Exception as reason:
logging.error("Failed to get file list! reason = {} ".format(reason))
return filelist
return filelist
@ops_conn_operation
def get_file_list(file_dir='', ops_conn=None):
"""Obtain the file list. """
file_list = []
home_dir, _, _ = get_home_path()
if home_dir == file_dir:
file_list = get_file_list_cur()
return file_list
if not file_dir.endswith('/'):
file_dir = '{}{}'.format(file_dir, '%2F')
file_dir = file_dir.replace('/', '%2F')
uriTmp = '{}'.format('/restconf/data/huawei-file-operation:file-operation/dirs/dir=')
uri = '{}{}{}'.format(uriTmp, ',', file_dir)
req_data = None
ret, _, rsp_data = ops_conn.get(uri, req_data)
if ops_return_result(ret) or rsp_data == '':
logging.error('Failed to get file list')
return file_list
root_elem = etree.fromstring(rsp_data)
namespaces = {'file-operation': 'urn:huawei:yang:huawei-file-operation'}
mpath = '{}'.format('dir')
for file_tmp in root_elem.findall(mpath, namespaces):
file_name = file_tmp.find("file-name", namespaces)
elem = file_tmp.find("dir-name", namespaces)
@ops_conn_operation
def get_file_size_form_dir(file_path='', file_dir='', ops_conn=None):
"""Return the size of a file in the directory under the home directory. """
file_size = 0
src_file_name = os.path.basename(file_path)
uriTmp = '{}'.format('/restconf/data/huawei-file-operation:file-operation/dirs/dir=')
uri = '{}{}{}{}'.format(uriTmp, src_file_name, ',', file_dir)
req_data = None
ret, _, rsp_data = ops_conn.get(uri, req_data)
    if ops_return_result(ret) or rsp_data == '':
        return file_size
    root_elem = etree.fromstring(rsp_data)
    namespaces = {'file-operation': 'urn:huawei:yang:huawei-file-operation'}
    elem = root_elem.find('file-operation:size', namespaces)
    if elem is None:
        return file_size
    file_size = int(elem.text) / 1024  # bytes -> KB
    return file_size
def get_file_size_cur(file_path=''):
    """Return the size (KB) of a file in the local flash home directory."""
    file_size = 0
    if file_path == '' or file_path is None:
        return file_size
    src_file_name = os.path.basename(file_path)
    fileName = '{}{}{}'.format(FLASH_HOME_PATH, '/', src_file_name)
    try:
        fileinfo = os.stat(fileName)
        file_size = int(fileinfo.st_size) / 1024
        return file_size
    except Exception as reason:
        print_ztp_log(f"Get file size failed. reason = {reason}", LOG_ERROR_TYPE)
        return file_size
def get_file_size(file_path=''):
    """Return the size (KB) of a file in the home directory or in a directory under it."""
    if file_path == '' or file_path is None:
        return 0
    home_dir, _, _ = get_home_path()
    file_dir, _ = os.path.split(file_path)
    if home_dir == file_dir:
        return get_file_size_cur(file_path)
    # Not directly in the home directory: query the size over RESTCONF.
    return get_file_size_form_dir(file_path, file_dir)
@ops_conn_operation
def _sftp_download_file(ops_conn=None, url='', local_path=''):
"""Download files using SFTP.
Args:
url: URL of a remote file, for example, sftp://sftp_user:sftp_pwd@xx.xx.xx.xx:port/test/vrpcfg.cfg
local_path: The path must start with the root directory flash:, for example, flash:/vrpcfg.cfg or
vrpcfg.cfg.
"""
print_ztp_log(f'SFTP download {os.path.basename(url)} to {local_path}.', LOG_INFO_TYPE)
uri = '{}'.format('/restconf/operations/huawei-sshc:ssh-transfer-file')
str_temp = string.Template('''\
<input>
<server-port>$serverPort</server-port>
<host-addr-ipv4>$serverIp</host-addr-ipv4>
<command-type>get</command-type>
<user-name>$username</user-name>
<password>$password</password>
<local-file-name>$localPath</local-file-name>
<remote-file-name>$remotePath</remote-file-name>
</input>
''')
url_tuple = urlparse(url)
if re.match(r"\d+\.\d+\.\d+\.\d+", url_tuple.hostname):
server_ip = url_tuple.hostname
else:
server_ip = get_addr_by_hostname(host=url_tuple.hostname)
global sftp_server
sftp_server = server_ip
    if url_tuple.port is None:
        server_port = SFTP_DEFAULT_PORT
    else:
        server_port = url_tuple.port
    req_data = str_temp.substitute(serverIp=server_ip,
                                   serverPort=server_port,
                                   username=url_tuple.username,
                                   password=url_tuple.password,
                                   remotePath=url_tuple.path[1:],
                                   localPath=local_path)
    try:
        ret, _, _ = ops_conn.create(uri, req_data)
        if ops_return_result(ret):
            logging.error('Failed to download file "%s" using SFTP ret %s' %
                          (os.path.basename(local_path), ret))
            ret = ERR
        else:
            ret = OK
        return ret
    except Exception as reason:
        # Bind the exception so the log line can report it.
        print_ztp_log(f'Failed to download file {os.path.basename(local_path)} using SFTP. (reason={reason})',
                      LOG_ERROR_TYPE)
        return ERR
@ops_conn_operation
def _sftp_download_v6_file(ops_conn=None, url='', local_path=''):
print_ztp_log(f'SFTP ipv6 download {os.path.basename(url)} to {local_path}.', LOG_INFO_TYPE)
uri = '{}'.format('/restconf/operations/huawei-sshc:ssh-transfer-file')
str_temp = string.Template('''\
<input>
<server-port>$serverPort</server-port>
<host-addr-ipv6>$serverIp</host-addr-ipv6>
<command-type>get</command-type>
<user-name>$username</user-name>
<password>$password</password>
<local-file-name>$localPath</local-file-name>
<remote-file-name>$remotePath</remote-file-name>
</input>
''')
url_tuple = urlparse(url)
if check_addr(url_tuple.hostname) == 'DHCPv6':
server_ip = url_tuple.hostname
else:
server_ip = get_ipv6_addr_by_hostname(host=url_tuple.hostname)
global sftp_server
sftp_server = server_ip
if url_tuple.port is None:
server_port = SFTP_DEFAULT_PORT
else:
server_port = url_tuple.port
req_data = str_temp.substitute(serverIp=server_ip,
serverPort=server_port,
username=url_tuple.username,
password=url_tuple.password,
remotePath=url_tuple.path[1:],
localPath=local_path)
try:
ret, _, _ = ops_conn.create(uri, req_data)
if ops_return_result(ret):
logging.error('Failed to download file "%s" using SFTP ret %s' %
(os.path.basename(local_path),ret))
ret = ERR
else:
ret = OK
return ret
except Exception as reason:
print_ztp_log(f'Failed to download file {os.path.basename(local_path)} using SFTP. (reason={reason})',
LOG_ERROR_TYPE)
return ERR
@ops_conn_operation
def _http_download_file(ops_conn=None, url='', local_path=''):
"""Download files using HTTP.
Args:
url: URL of a remote file, for example,http://hostname[:port]/path
local_path: The path must start with the root directory flash:, for example, flash:/vrpcfg.cfg or
vrpcfg.cfg.
"""
print_ztp_log(f'HTTP download {os.path.basename(url)} to {local_path}.', LOG_INFO_TYPE)
uri = "{}".format('/restconf/operations/huawei-sztp:ztp-http-download')
req_template = string.Template('''
<input>
<fileurl>$file_url</fileurl>
<filepath>$file_path</filepath>
</input>
''')
file_dir, _, _ = get_home_path()
local_path = '{}{}'.format(file_dir, '/')
url_tuple = urlparse(url)
if not re.match(r"\d+\.\d+\.\d+\.\d+", url_tuple.hostname):
ip_address = get_addr_by_hostname(url_tuple.hostname)
if url_tuple.port is None:
url = f'{url_tuple.scheme}://{ip_address}:{HTTP_DEFAULT_PORT}{url_tuple.path}'
else:
url = f'{url_tuple.scheme}://{ip_address}:{url_tuple.port}{url_tuple.path}'
req_data = req_template.safe_substitute(file_url=url, file_path=local_path)
try:
ret, _, _ = ops_conn.create(uri, req_data)
if ops_return_result(ret):
logging.error('Failed to download file "%s" using HTTP ret %s' %
(os.path.basename(local_path),ret))
ret = ERR
else:
ret = OK
return ret
    except Exception as reason:
        # Handler body mirrors the SFTP helper above.
        print_ztp_log(f'Failed to download file {os.path.basename(local_path)} using HTTP. (reason={reason})',
                      LOG_ERROR_TYPE)
        return ERR
def download_file(url='', local_path='', retry_times=0):  # def line missing from this listing; name and signature assumed
    """Download a file by URL, retrying on failure.
    Args:
        url: URL of the remote file (sftp:// or http://).
        local_path: local destination path.
        retry_times: number of additional attempts after the first one.
    Returns:
        A integer of return code
    """
    url_tuple = urlparse(url)
    print_ztp_log(f"Download {url_tuple.path[1:]} to {local_path}...", LOG_INFO_TYPE)
    func_dict = {
        'sftp': _sftp_download_file,
        'http': _http_download_file,
    }
    scheme = url_tuple.scheme
    if scheme not in func_dict.keys():
        raise ZTPErr('Unknown file transfer scheme %s' % scheme)
    ret = OK
    cnt = 0
    while cnt < 1 + retry_times:
        if cnt:
            print_ztp_log('Retry downloading...', LOG_INFO_TYPE)
        ret = func_dict[scheme](url=url, local_path=local_path)
        if ret == OK:
            break
        cnt += 1
    # Return the result of the last attempt, not an unconditional OK,
    # so a download that failed every time is reported as a failure.
    return ret
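The SFTP helpers above take the server address, user name and password straight out of the download URL and drop them into an XML request body with `string.Template.substitute`, with no escaping; the IPv4 check `re.match(r"\d+\.\d+\.\d+\.\d+", ...)` only tests that the host name begins with four digit groups; and the retry loop returns OK even when every attempt failed. The following is an added example, not code from the ZTP script or from Huawei: it parses an `sftp://user:password@host[:port]/path` URL the way the script expects it, validates the host as an IPv4 literal, URL-decodes the credentials, XML-escapes every substituted value, redacts the password before the URL is logged, and returns the result of the last attempt from the retry loop. The `<input>` layout copies the script's template; `SFTP_DEFAULT_PORT`, the `OK`/`ERR` values and the `transfer` callback are assumptions made for this example.

```python
import ipaddress
import re
from string import Template
from urllib.parse import unquote, urlparse
from xml.sax.saxutils import escape

SFTP_DEFAULT_PORT = 22  # assumed value; the script's constant is not shown in this listing

# Same element layout as the script's ssh-transfer-file request.
SSH_TRANSFER_TEMPLATE = Template('''\
<input>
<server-port>$serverPort</server-port>
<host-addr-ipv4>$serverIp</host-addr-ipv4>
<command-type>get</command-type>
<user-name>$username</user-name>
<password>$password</password>
<local-file-name>$localPath</local-file-name>
<remote-file-name>$remotePath</remote-file-name>
</input>
''')


def parse_sftp_url(url):
    """Split sftp://user:pwd@host[:port]/path into validated parts.

    Credentials are URL-decoded (an '@', '#' or '<' in the password must be
    percent-encoded in the URL). The host must already be an IPv4 literal:
    resolve host names first, as the script's get_addr_by_hostname does.
    """
    u = urlparse(url)
    if u.scheme != 'sftp':
        raise ValueError(f'unsupported scheme {u.scheme!r}')
    if not u.username or u.password is None:
        raise ValueError('SFTP URL must carry user:password')
    ipaddress.IPv4Address(u.hostname)  # rejects names, IPv6 and octets above 255
    if not u.path or u.path == '/':
        raise ValueError('SFTP URL has no remote file path')
    return {
        'serverIp': u.hostname,
        'serverPort': u.port if u.port is not None else SFTP_DEFAULT_PORT,
        'username': unquote(u.username),
        'password': unquote(u.password),
        'remotePath': u.path[1:],
    }


def build_sftp_request(url, local_path):
    """Render the <input> body with every substituted field XML-escaped."""
    parts = parse_sftp_url(url)
    parts['localPath'] = local_path
    # escape() turns <, > and & into entities, so a password such as 'a<b'
    # cannot close </password> early or inject a sibling element.
    return SSH_TRANSFER_TEMPLATE.substitute({k: escape(str(v)) for k, v in parts.items()})


def redact_url(url):
    """Form of the URL that is safe to log: the password is replaced, the user kept."""
    return re.sub(r'(://[^:/@]+:)[^@]*@', r'\1***@', url)


def download_with_retry(transfer, url, local_path, retry_times, ok=0, err=1):
    """Call transfer(url, local_path) up to 1 + retry_times times; return the last result."""
    ret = err
    for _ in range(1 + retry_times):
        ret = transfer(url, local_path)
        if ret == ok:
            break
    return ret
```

The IPv6 path works the same way with `host-addr-ipv6` and `ipaddress.IPv6Address`. Logging `redact_url(url)` rather than `url` keeps the SFTP password out of the ZTP log, which is itself a file on the switch.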
class StartupInfo(object):
""" Startup configuration information
if self.feature_plugin_list != obj.feature_plugin_list:
return False
if self.mod_list != obj.mod_list:
return False
return True
class Startup(object):
"""Startup configuration information
def print_startup_info(self):
def get_info_str(info):
return str(info)
current_mod_info_len = len(self.current.mod_list)
next_mod_info_len = len(self.next.mod_list)
mod_info_len = max(current_mod_info_len, next_mod_info_len)
if mod_info_len == 0:
print_info += "{: <26}{: <68}{: <68}\n".format("module information", "None", "None")
else:
current_mod_info_print = [self.current.mod_list[i] if i < current_mod_info_len else "" for i in
range(mod_info_len)]
next_mod_info_print = [self.next.mod_list[i] if i < next_mod_info_len else "" for i in
range(mod_info_len)]
flag = True
for i in range(mod_info_len):
_item_name = "module information"
if not flag:
_item_name = ""
print_info += "{: <26}{: <68}{: <68}\n".format(_item_name, current_mod_info_print[i],
next_mod_info_print[i])
flag = False
current_feature_plugin_info_len = len(self.current.feature_plugin_list)
next_feature_plugin_info_len = len(self.next.feature_plugin_list)
feature_plugin_info_len = max(current_feature_plugin_info_len, next_feature_plugin_info_len)
if feature_plugin_info_len == 0:
print_info += "{: <26}{: <68}{: <68}\n".format("feature software", "None", "None")
else:
current_feature_plugin_info_print = [self.current.feature_plugin_list[i] if i <
current_feature_plugin_info_len else "" for i in range(feature_plugin_info_len)]
next_feature_plugin_info_print = [self.next.feature_plugin_list[i] if i < next_feature_plugin_info_len
else "" for i in range(feature_plugin_info_len)]
flag = True
for i in range(feature_plugin_info_len):
_item_name = "feature software"
if not flag:
_item_name = ""
print_info += "{: <26}{: <68}{: <68}\n".format(_item_name, current_feature_plugin_info_print[i],
next_feature_plugin_info_print[i])
flag = False
logging.info(print_info)
@staticmethod
def get_startup_info_by_type(file_type):
    def func_exception_retry_policy(sleep_interval, try_times, func, *argv):
        """Call func(*argv), retrying on OPIExecError up to try_times times."""
        for _ in range(try_times):
            try:
                return func(*argv)
            except OPIExecError as reason:
                logging.warning(f"{reason}, retry...")
                sleep(sleep_interval)
        raise OPIExecError(f"Failed to get startup {file_type} information after {try_times} attempts.")
    func_dict = {
        FILE_TYPE_CFG: Startup.get_cfg_info,
        FILE_TYPE_PAT: Startup.get_patch_info,
        FILE_TYPE_SOFTWARE: Startup.get_software_info,
        FILE_TYPE_MOD: Startup.get_mod_patch_info,
        FILE_TYPE_FEATURE_PLUGIN: Startup.get_feature_plugin_info
    }
    func = func_dict.get(file_type)
    if func is None:
        return None, None
    return func_exception_retry_policy(GET_STARTUP_INTERVAL, MAX_TIMES_GET_STARTUP, func)
@staticmethod
@ops_conn_operation
def get_cfg_info(ops_conn=None):
items = ['current-cfg-file', 'next-cfg-file']
filtering_str = ';'.join(items)
uri = "{}".format(f'/restconf/data?fields=/huawei-cfg:cfg/startup-infos/startup-info({filtering_str})')
req_data = None
ret, _, rsp_data = ops_conn.get(uri, req_data)
if ops_return_result(ret) or rsp_data == '':
raise OPIExecError('Failed to get the current config file information')
node_dict = {}
root_elem = etree.fromstring(rsp_data)
namespaces = {'cfg': 'urn:huawei:yang:huawei-cfg'}
elems = root_elem.find('cfg:cfg/cfg:startup-infos/cfg:startup-info', namespaces)
if elems is None:
return None, None
nslen = len(namespaces.get('cfg'))
for elem in elems:
tag_name = elem.tag[nslen + 2:]
if elem.text is None or elem.text == 'NULL':
continue
node_dict[tag_name] = elem.text
    current_cfg = node_dict.get('current-cfg-file')
    if current_cfg is not None:
        current_cfg = os.path.basename(current_cfg)
    next_cfg = node_dict.get('next-cfg-file')
    if next_cfg is not None:
        next_cfg = os.path.basename(next_cfg)
    return current_cfg, next_cfg
@staticmethod
@ops_conn_operation
def get_software_info(ops_conn=None):
items = ['current-package', 'next-package']
filtering_str = ';'.join(items)
uri = "{}".format(f'/restconf/data?fields=/huawei-software:software/startup-packages/startup-package({filtering_str})')
req_data = None
ret, _, rsp_data = ops_conn.get(uri, req_data)
if ret == http.client.NOT_FOUND:
rsp_data = '<software xmlns="urn:huawei:yang:huawei-software"></software>'
else:
if ops_return_result(ret) or rsp_data == '':
raise OPIExecError('Failed to get the startup software information')
root_elem = etree.fromstring(rsp_data)
namespaces = {'software': 'urn:huawei:yang:huawei-software'}
elems = root_elem.find('software:software/software:startup-packages/software:startup-package',
namespaces)
if elems is None:
return None, None
node_dict = {}
nslen = len(namespaces.get('software'))
for elem in elems:
tag_name = elem.tag[nslen + 2:]
if elem.text is None or elem.text == 'NULL':
continue
node_dict[tag_name] = elem.text
    cur_image = node_dict.get('current-package')
    if cur_image is not None:
        cur_image = os.path.basename(cur_image)
    next_image = node_dict.get('next-package')
    if next_image is not None:
        next_image = os.path.basename(next_image)
    return cur_image, next_image
@staticmethod
@ops_conn_operation
def get_patch_info(ops_conn=None):
items = ['patch-infos', 'next-startup-patchs']
filtering_str = ';'.join(items)
uri = "{}".format(f'/restconf/data?fields=/huawei-patch:patch({filtering_str})')
req_data = None
ret, _, rsp_data = ops_conn.get(uri, req_data)
if ret == http.client.NOT_FOUND:
return None, None
root_elem = etree.fromstring(rsp_data)
namespaces = {'patch': 'urn:huawei:yang:huawei-patch'}
elems = root_elem.find('patch:patch/patch:patch-infos/patch:patch-info', namespaces)
node_dict = {}
cur_pat_file = None
if elems is not None:
nslen = len(namespaces.get('patch'))
for elem in elems:
tag_name = elem.tag[nslen + 2:]
node_dict[tag_name] = elem.text
cur_pat_file = node_dict.get("name")
if cur_pat_file is not None:
cur_pat_file = os.path.basename(cur_pat_file)
    node_dict = {}
    nslen = len(namespaces.get('patch'))
    # Look up the next-startup patch list requested via the 'next-startup-patchs' field;
    # the list-entry node name 'next-startup-patch' is assumed here.
    elems = root_elem.find('patch:patch/patch:next-startup-patchs/patch:next-startup-patch', namespaces)
    next_pat_file = None
    if elems is not None:
        for elem in elems:
            tag_name = elem.tag[nslen + 2:]
            node_dict[tag_name] = elem.text
        next_pat_file = node_dict.get("name")
    if next_pat_file is not None:
        next_pat_file = os.path.basename(next_pat_file)
    return cur_pat_file, next_pat_file
@staticmethod
@ops_conn_operation
def get_mod_patch_info(ops_conn=None):
items = ['module-infos', 'next-startup-modules']
filtering_str = ';'.join(items)
    uri = "{}".format(f'/restconf/data?fields=/huawei-module-management:module-management({filtering_str})')
    req_data = None
    ret, _, rsp_data = ops_conn.get(uri, req_data)
    if ret == http.client.NOT_FOUND:
        return [], []
    if ops_return_result(ret) or rsp_data == '':
        raise OPIExecError('Failed to get the startup module information')
    root_elem = etree.fromstring(rsp_data)
    namespaces = {'module-management': 'urn:huawei:yang:huawei-module-management'}
    cur_mod_patch_files = []
    node_path = 'module-management:module-management/module-management:module-infos/module-management:module-info'
    # findall() returns a (possibly empty) list, so no None check is needed.
    for elem in root_elem.findall(node_path, namespaces):
        elem_text = elem.find('module-management:package-name', namespaces)
        if elem_text is not None and elem_text.text:
            cur_mod_patch_files.append(elem_text.text)
    next_mod_patch_files = []
    node_path = 'module-management:module-management/module-management:next-startup-modules/module-management:next-startup-module'
    for elem in root_elem.findall(node_path, namespaces):
        elem_text = elem.find('module-management:name', namespaces)
        if elem_text is not None and elem_text.text:
            next_mod_patch_files.append(elem_text.text)
    return cur_mod_patch_files, next_mod_patch_files
@staticmethod
@ops_conn_operation
def get_feature_plugin_info(ops_conn=None):
items = ['current-feature-packages', 'next-feature-packages']
filtering_str = ';'.join(items)
uri = "{}".format(f'/restconf/data?fields=/huawei-software:software/startup-packages/startup-package({filtering_str})')
req_data = None
ret, _, rsp_data = ops_conn.get(uri, req_data)
if ret == http.client.NOT_FOUND:
rsp_data = '<software xmlns="urn:huawei:yang:huawei-software"></software>'
else:
if ops_return_result(ret) or rsp_data == '':
raise OPIExecError('Failed to get the startup software information')
root_elem = etree.fromstring(rsp_data)
node_path = 'software:software/software:startup-packages/software:startup-package'
namespaces = {'software' : 'urn:huawei:yang:huawei-software'}
elems = root_elem.findall(node_path, namespaces)
if elems is None:
return [], []
cur_feature_files = []
next_feature_files = []
nlen = len(namespaces['software'])
for elem in elems:
for child in elem:
if child.tag[nlen + 2:] == 'current-feature-packages':
feature_plugin = os.path.basename(child.text)
cur_feature_files.append(feature_plugin)
elif child.tag[nlen + 2:] == 'next-feature-packages':
feature_plugin = os.path.basename(child.text)
next_feature_files.append(feature_plugin)
else:
pass
break
return cur_feature_files, next_feature_files
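Each of the startup-information getters above (`get_cfg_info`, `get_software_info`, `get_feature_plugin_info`) walks a RESTCONF XML reply with a namespace map, strips the `{namespace}` prefix from each tag by slicing, skips leaves whose text is missing or the literal `NULL`, and returns basenames. The following is an added example, not code from the ZTP script: one parser that covers the cfg and software replies, including the repeated `current-feature-packages`/`next-feature-packages` leaf-list entries that the script collects per `startup-package`. The sample replies are constructed for the example; the `<data>` wrapper around the module's top node is assumed from the script's `find()` paths, and the empty `<software>` reply reproduces the script's 404 fallback.

```python
import os
import xml.etree.ElementTree as etree

NS_CFG = 'urn:huawei:yang:huawei-cfg'
NS_SW = 'urn:huawei:yang:huawei-software'

# Constructed sample replies (not captured from a device).
CFG_REPLY = '''<data>
<cfg xmlns="urn:huawei:yang:huawei-cfg">
<startup-infos><startup-info>
<current-cfg-file>flash:/vrpcfg.cfg</current-cfg-file>
<next-cfg-file>NULL</next-cfg-file>
</startup-info></startup-infos>
</cfg>
</data>'''

SW_REPLY = '''<data>
<software xmlns="urn:huawei:yang:huawei-software">
<startup-packages><startup-package>
<current-package>flash:/system_v1.cc</current-package>
<next-package>flash:/system_v2.cc</next-package>
<current-feature-packages>flash:/feat_a.cc</current-feature-packages>
<current-feature-packages>flash:/feat_b.cc</current-feature-packages>
<next-feature-packages>flash:/feat_b.cc</next-feature-packages>
</startup-package></startup-packages>
</software>
</data>'''

# What the script substitutes when the software node does not exist (HTTP 404).
SW_NOT_FOUND_REPLY = '<software xmlns="urn:huawei:yang:huawei-software"></software>'


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on every tag."""
    return tag.rsplit('}', 1)[-1]


def leaf_lists(container):
    """Map each child tag (namespace stripped) to the list of its texts.

    Missing text and the literal 'NULL' both mean "not set" on this platform
    and are dropped, matching the checks in the script's getters.
    """
    out = {}
    for child in container:
        if child.text is None or child.text == 'NULL':
            continue
        out.setdefault(local_name(child.tag), []).append(child.text)
    return out


def find_node(xml_text, ns, *steps):
    """Find the first node below the reply root along 'steps', all in namespace 'ns'."""
    root = etree.fromstring(xml_text)
    path = '/'.join(f'n:{step}' for step in steps)
    return root.find(path, {'n': ns})


def first_basename(leaves, name):
    return os.path.basename(leaves[name][0]) if name in leaves else None


def all_basenames(leaves, name):
    return [os.path.basename(p) for p in leaves.get(name, [])]


def startup_cfg_files(xml_text):
    """Return (current_cfg, next_cfg) basenames; None for an unset leaf."""
    node = find_node(xml_text, NS_CFG, 'cfg', 'startup-infos', 'startup-info')
    if node is None:
        return None, None
    leaves = leaf_lists(node)
    return first_basename(leaves, 'current-cfg-file'), first_basename(leaves, 'next-cfg-file')


def startup_packages(xml_text):
    """Return (current_package, next_package, current_features, next_features)."""
    node = find_node(xml_text, NS_SW, 'software', 'startup-packages', 'startup-package')
    if node is None:
        return None, None, [], []
    leaves = leaf_lists(node)
    return (first_basename(leaves, 'current-package'), first_basename(leaves, 'next-package'),
            all_basenames(leaves, 'current-feature-packages'),
            all_basenames(leaves, 'next-feature-packages'))
```

`tag.rsplit('}', 1)` does the same job as the script's `elem.tag[nslen + 2:]` slice without depending on the namespace string length, so a reply that uses a different namespace URI than expected yields a missing leaf rather than a mangled tag name.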
def get_startup_info(self):
"""Get the startup information."""
print_ztp_log("Start to get the startup information...", LOG_INFO_TYPE)
current = StartupInfo()
curnext = StartupInfo()
@staticmethod
@ops_conn_operation
def set_mod_patch_file(file_path, ops_conn=None):
uri = '/restconf/operations/huawei-module-management:install-module'
req_template = string.Template('''
<input>
<name>$fileName</name>
</input>
''')
req_data = req_template.substitute(fileName=file_path)
ret, _, rsp_data = ops_conn.create(uri, req_data)
if ops_return_result(ret):
logging.error(f'set_mod_patch_file failed. (reason={rsp_data})')
raise OPIExecError('Failed to set the mod patch file')
def clean_next_config_file(self):
if self.is_need_clear_config == False:
return
_, nextcfg= self.get_startup_info_by_type(FILE_TYPE_CFG)
if nextcfg is not None:
self._del_startup_config_file()
sleep(5)
@ops_conn_operation
def set_next_mod_patch_file(self, file_path, ops_conn=None):
uri = '/restconf/operations/huawei-module-management:startup-module'
req_template = string.Template('''
<input>
<name>$fileName</name>
</input>
''')
req_data = req_template.substitute(fileName=file_path)
ret, _, rsp_data = ops_conn.create(uri, req_data)
if ops_return_result(ret):
logging.error(f'set_next_mod_patch_file failed. (reason={rsp_data})')
raise OPIExecError('Failed to set the next mod patch file')
@ops_conn_operation
def startup_next_feature_software(self, file_path, ops_conn=None):
""" Set next feature software file """
uri = '/restconf/operations/huawei-software:startup-feature-software'
req_template = string.Template('''
<input>
<feature-package-name>$fileName</feature-package-name>
</input>
''')
req_data = req_template.substitute(fileName=file_path)
ret, _, rsp_data = ops_conn.create(uri, req_data)
if ops_return_result(ret):
raise OPIExecError(f"Failed to set next feature plugin {rsp_data}.")
@ops_conn_operation
def unset_mod_patch_file(self, file_path, ops_conn=None):
uri = '/restconf/operations/huawei-module-management:uninstall-module'
req_template = string.Template('''
<input>
<action-type>single</action-type>
<name>$fileName</name>
</input>
''')
req_data = req_template.substitute(fileName=file_path)
ret, _, rsp_data = ops_conn.create(uri, req_data)
if ops_return_result(ret):
logging.error(f'unset_mod_patch_file failed. (reason={rsp_data})')
raise OPIExecError('Failed to unset the mod patch file')
@staticmethod
@ops_conn_operation
def set_feature_software(file_path, ops_conn=None):
uri = '/restconf/operations/huawei-software:install-feature-software'
req_template = string.Template('''
<input>
<name>$fileName</name>
</input>
''')
req_data = req_template.substitute(fileName=file_path)
ret, _, rsp_data = ops_conn.create(uri, req_data)
if ops_return_result(ret):
logging.error(f'Failed to set the feature software file. (reason={rsp_data})')
raise OPIExecError('Failed to set the feature software file')
@ops_conn_operation
def uninstall_feature_software(self, file_path, ops_conn=None):
""" Uninstall a feature software file """
uri = '/restconf/operations/huawei-software:uninstall-feature-software'
req_template = string.Template('''
<input>
<name>$fileName</name>
</input>
''')
req_data = req_template.substitute(fileName=file_path)
ret, _, _ = ops_conn.create(uri, req_data)
if ops_return_result(ret):
return ERR
return OK
@ops_conn_operation
def _set_startup_image_file(self, file_path, ops_conn=None):
"""Set the next startup system software."""
logging.info("Set the next startup system software "
"to {}...".format(file_path))
uri = '/restconf/operations/huawei-software:startup-by-mode'
str_temp = string.Template('''\
<input>
<name>$fileName</name>
<mode>all</mode>
</input>
''')
req_data = str_temp.substitute(fileName=file_path)
ret, _, _ = ops_conn.create(uri, req_data)
if ops_return_result(ret):
slog.syslog("Set the next startup system software to {} failed."\
.format(file_path), ops.ERROR, ops.SYSLOG)
raise OPIExecError("Failed to set startup system software.")
@ops_conn_operation
def _set_startup_config_file(self, file_path, exportcfg=None, ops_conn=None):
"""Set the configuration file for the next startup."""
logging.info("Set the next startup saved-configuration file "
"to {}...".format(file_path))
uri = '/restconf/operations/huawei-cfg:set-startup'
    req_data = ''
    if exportcfg is not None:
        exportcfg_change = ops.opscharacterEncode(exportcfg)
        items = {'filename': file_path, 'shareable-mode': 'password', 'password': exportcfg_change}
    else:
        items = {'filename': file_path, 'shareable-mode': 'default'}
    # Serialise each item as an XML element and wrap them in <input>; the per-item
    # loop is reconstructed from how 'items' and item_str are used here.
    for key, value in items.items():
        req_data += item_str(key, value)
    req_data = item_str('input', req_data)
    ret, _, data = ops_conn.create(uri, req_data)
    if ops_return_result(ret):
        logging.error(f"Set the next startup saved-configuration file to {file_path} failed. (reason={data})")
        slog.syslog("Set the next startup saved-configuration file to {} failed."
                    .format(file_path), ops.ERROR, ops.SYSLOG)
        raise OPIExecError("Failed to set startup configuration file.")
@ops_conn_operation
def _del_startup_config_file(self, ops_conn=None):
"""Clear the startup configuration file."""
logging.info("Delete the next startup config file...")
uri = '/restconf/operations/huawei-cfg:clear-startup'
req_data = '''
<input>
</input>
'''
ret, _, _ = ops_conn.create(uri, req_data)
if ops_return_result(ret):
raise OPIExecError("Failed to clear startup configuration file.")
@ops_conn_operation
def _set_startup_patch_file(self, file_path, ops_conn=None):
"""Set the next startup patch file."""
logging.info("Set the next startup patch file "
"to {}...".format(file_path))
uri = '/restconf/operations/huawei-patch:startup-next-patch'
str_temp = string.Template('''\
<input>
<name>$fileName</name>
</input>
''')
req_data = str_temp.substitute(fileName=file_path)
    ret, _, _ = ops_conn.create(uri, req_data)
    if ops_return_result(ret):
        slog.syslog("Set the next startup patch file to {} failed."
                    .format(file_path), ops.ERROR, ops.SYSLOG)
        raise OPIExecError("Failed to set startup patch file.")
try:
self.set_next_mod_patch_file(mod_patch_file)
ret = self._check_set_startup_schedule(set_type=SET_MOD_PATCH, phase_item="startup-module",
retry_times=MAX_TIMES_GET_STARTUP)
if ret == ERR:
raise Exception("Set startup info {} failed".format(SET_MOD_PATCH))
if self.is_need_clear_config:
_, nextcfg= self.get_startup_info_by_type(FILE_TYPE_CFG)
if nextcfg is not None:
self._del_startup_config_file()
sleep(5)
except Exception as reason:
logging.error(reason)
self.reset_startup_info(slave)
file_delete(f'flash:/{mod_patch_file}')
file_delete(f'flash:/$_install_mod/{mod_patch_file}')
raise
try:
logging.info("Set the next feature plugin file...")
self.startup_next_feature_software(file_name)
self.clean_next_config_file()
except Exception as reason:
logging.error(reason)
self.reset_startup_info(slave)
raise
file_delete(src_file_path)
file_delete(dest_file_path)
except Exception as reason:
logging.error(reason)
if self.is_need_clear_config:
_, nextcfg= self.get_startup_info_by_type(FILE_TYPE_CFG)
if nextcfg is not None:
self._del_startup_config_file()
sleep(5)
reset_file_list = [file for file in configured_next_file_list if file not in pre_next_file_list and file not in configured_cur_file_list]
self.reset_next_feature_file_list(reset_file_list, slave)
self.clean_next_config_file()
self.clean_next_config_file()
if self.is_need_clear_config:
_, nextcfg= self.get_startup_info_by_type(FILE_TYPE_CFG)
if nextcfg is not None:
self._del_startup_config_file()
sleep(5)
@ops_conn_operation
def _reset_startup_patch_file(self, ops_conn=None):
"""Reset the patch file for system startup."""
logging.info("Reset the next startup patch file...")
uri = '/restconf/operations/huawei-patch:reset-startup-patch'
req_data = '''\
<input>
<delete-type>all</delete-type>
</input>
'''
ret, _, _ = ops_conn.create(uri, req_data)
if ops_return_result(ret):
raise OPIExecError('Failed to reset patch.')
self.is_need_clear_config = True
if self.next.config is not None:
self.is_need_clear_config = False
if configured.patch != self.next.patch:
if self.next.patch is None:
self._reset_startup_patch_file()
ret = self._check_set_startup_schedule(set_type=SET_PATCH, phase_item="reset-startup-patch", retry_times=MAX_TIMES_GET_STARTUP)
if ret == ERR:
logging.warning("Reset startup info {} failed".format(SET_PATCH))
else:
self._set_startup_patch_file(self.next.patch)
ret = self._check_set_startup_schedule(set_type=SET_PATCH, phase_item="startup-next-patch",
retry_times=MAX_TIMES_GET_STARTUP)
if ret == ERR:
logging.warning("Set startup info {} failed".format(SET_PATCH))
if self.is_need_clear_config:
_, nextcfg= self.get_startup_info_by_type(FILE_TYPE_CFG)
if nextcfg is not None:
self._del_startup_config_file()
sleep(5)
if configured.patch is not None:
file_delete_on_MPUs(configured.patch, slave)
if self.is_need_clear_config:
_, nextcfg= self.get_startup_info_by_type(FILE_TYPE_CFG)
if nextcfg is not None:
self._del_startup_config_file()
sleep(5)
sleep(90)
file_delete_on_MPUs(configured.image, slave)
except Exception as reason:
logging.error(reason)
if self.is_need_clear_config:
_, nextcfg = self.get_startup_info_by_type(FILE_TYPE_CFG)
if nextcfg is not None:
self._del_startup_config_file()
sleep(5)
except Exception as reason:
logging.error(reason)
file_delete_on_MPUs(image_file, slave)
self.reset_startup_info(slave)
raise
if self.is_need_clear_config:
_, nextcfg= self.get_startup_info_by_type(FILE_TYPE_CFG)
if nextcfg is not None:
self._del_startup_config_file()
sleep(5)
except Exception as reason:
logging.error(reason)
file_delete_on_MPUs(patch_file, slave)
self.reset_startup_info(slave)
raise
self.set_next_feature_plugin(feature_plugin, slave)
self.is_need_clear_config = True
if config_file is not None:
self.is_need_clear_config = False
# 1. Reset next startup config file
try:
if configured.config != config_file:
if config_file is None:
self._del_startup_config_file()
sleep(15)
else:
self._set_startup_config_file(config_file)
ret = self._check_set_startup_info(set_type=SET_CFG, file_path=config_file,
retry_times=TIMES_STARTUP_RETRY)
if ret == ERR:
logging.warning("Set startup info {} failed".format(SET_CFG))
except Exception as reason:
logging.error(reason)
if self.is_need_clear_config:
_, nextcfg= self.get_startup_info_by_type(FILE_TYPE_CFG)
if nextcfg is not None:
self._del_startup_config_file()
sleep(5)
except Exception as reason:
logging.error(reason)
if self.is_need_clear_config:
_, nextcfg= self.get_startup_info_by_type(FILE_TYPE_CFG)
if nextcfg is not None:
self._del_startup_config_file()
sleep(5)
except Exception as reason:
logging.error(reason)
@ops_conn_operation
def _get_set_next_software_status(self, file_path, ops_conn=None):
    """Check that the next startup system software is the file that was just set."""
    # Query modelled on get_software_info above, requesting only next-package.
    uri = '/restconf/data?fields=/huawei-software:software/startup-packages/startup-package(next-package)'
    req_data = None
    ret, _, rsp_data = ops_conn.get(uri, req_data)
    if ops_return_result(ret) or rsp_data == '':
        return ERR
    root_elem = etree.fromstring(rsp_data)
    namespaces = {'software': 'urn:huawei:yang:huawei-software'}
    elems = root_elem.find('software:software/software:startup-packages/software:startup-package',
                           namespaces)
    if elems is None:
        return ERR
    node_dict = {}
    nslen = len(namespaces.get('software'))
    for elem in elems:
        tag_name = elem.tag[nslen + 2:]
        # Unset leaves carry no text or the literal 'NULL'; skip either.
        if elem.text is None or elem.text == 'NULL':
            continue
        node_dict[tag_name] = elem.text
    next_image = node_dict.get('next-package')
    if next_image is not None:
        next_image = os.path.basename(next_image)
    file_name = os.path.basename(file_path)
    return OK if file_name == next_image else ERR
@ops_conn_operation
def _get_set_next_cfg_status(self, file_path, ops_conn=None):
    """Check that the next startup configuration file is the file that was just set."""
    print_ztp_log("Get the next cfg file information...", LOG_INFO_TYPE)
    file_name = os.path.basename(file_path)
    uri = '/restconf/data?fields=/huawei-cfg:cfg/startup-infos/startup-info(next-cfg-file)'
    req_data = None
    ret, _, rsp_data = ops_conn.get(uri, req_data)
    if ops_return_result(ret) or rsp_data == '':
        return ERR
    root_elem = etree.fromstring(rsp_data)
    namespaces = {'cfg': 'urn:huawei:yang:huawei-cfg'}
    elem = root_elem.find('cfg:cfg/cfg:startup-infos/cfg:startup-info/cfg:next-cfg-file', namespaces)
    if elem is None or elem.text is None or elem.text == 'NULL':
        return ERR
    # Compare basenames so 'flash:/x.cfg' and 'x.cfg' match, as get_cfg_info does.
    return OK if os.path.basename(elem.text) == file_name else ERR
@ops_conn_operation
def _get_patch_progress(self, phase_item, ops_conn=None):
"""Get the next patch file information."""
uri = f'/restconf/data?fields=/huawei-patch:patch/operation-schedules(operation-schedule)'
req_data = None
ret, _, rsp_data = ops_conn.get(uri, req_data)
schedule_dict = {}
if ops_return_result(ret) or rsp_data == '':
logging.warning('Failed to get the next patch operation schedule')
return schedule_dict
schedule_dict['schedule'] = schedule_node.text
break
return schedule_dict
@ops_conn_operation
def _get_mod_patch_progress(self, phase_item, ops_conn=None):
"""Get the next patch file information."""
uri = f'/restconf/data?fields=/huawei-module-management:module-management/operation-schedules(operation-schedule)'
req_data = None
ret, _, rsp_data = ops_conn.get(uri, req_data)
schedule_dict = {}
if ops_return_result(ret) or rsp_data == '':
logging.warning('Failed to get the next mod patch operation schedule')
return schedule_dict
ret = ERR
cnt = 0
while cnt < retry_times:
schedule_dict = func_dict[set_type](phase_item=phase_item)
status = schedule_dict.get('status')
schedule = schedule_dict.get('schedule')
print_ztp_log(f"Now schedule is {schedule}, status is {status}...", LOG_INFO_TYPE)
if schedule == "100" and status == "successful":
ret = OK
break
elif schedule == "100" and status == "failed":
break
else:
cnt += 1
sleep(10)
sleep(10)
return ret
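The polling loop above decides when a patch or module operation has finished: it queries the operation schedule, treats "100 / successful" as success, "100 / failed" as a terminal failure, and otherwise sleeps and asks again up to `retry_times` times. The following is an added example, not part of the ZTP script: the same loop with the fetch, sleep and log functions injected so both terminal states and the exhausted-retries case can be exercised offline. The replies are constructed; the `OK`/`ERR` values and the 10-second interval are assumptions taken from the loop above.

```python
import time

OK, ERR = 0, 1  # assumed return-code values
POLL_INTERVAL = 10  # seconds between schedule queries, as in the script's loop


def wait_for_schedule(fetch, retry_times, interval=POLL_INTERVAL, sleep=time.sleep, log=print):
    """Poll fetch() until the operation reaches 100% in a terminal state.

    fetch() returns {'schedule': '<percent>', 'status': '<state>'}, or an
    empty dict when the query itself failed (the script's _get_*_progress
    helpers behave this way). Result:
      OK   when schedule is "100" and status is "successful";
      ERR  when schedule is "100" and status is "failed" (stop at once), or
           when retry_times polls pass without a terminal state, so a hung or
           unanswered operation is never reported as success.
    """
    for _ in range(retry_times):
        info = fetch()
        schedule, status = info.get('schedule'), info.get('status')
        log(f"Now schedule is {schedule}, status is {status}...")
        if schedule == "100" and status == "successful":
            return OK
        if schedule == "100" and status == "failed":
            return ERR
        sleep(interval)
    return ERR


def replay(replies):
    """Fetcher that returns the constructed replies in order, then repeats the last one."""
    it = iter(replies)
    last = {}

    def fetch():
        nonlocal last
        last = next(it, last)
        return last
    return fetch
```

With the real helpers, `fetch` is `lambda: self._get_patch_progress(phase_item)` and `sleep` is left at `time.sleep`; the total wait is bounded by `retry_times * interval`, which is the figure to compare against the platform's patch-installation time when choosing `MAX_TIMES_GET_STARTUP`.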
@ops_conn_operation
def patch_active_proc(self, patch_name='', ops_conn=None):
"""patch active"""
if patch_name is None:
return OK
curpat, _ = self.get_startup_info_by_type(FILE_TYPE_PAT)
if curpat is not None:
cli.patch_delete_all()
uri = '/restconf/operations/huawei-patch:load-patch'
req_template = string.Template('''
<input>
<name>$patchName</name>
<load-type>run</load-type>
</input>
''')
req_data = req_template.substitute(patchName=patch_name)
ret, _, _ = ops_conn.create(uri, req_data)
if ops_return_result(ret):
raise OPIExecError('Failed to execute the patch active operation.')
@ops_conn_operation
def mod_patch_active_proc(self, module_name='', ops_conn=None):
"""MOD active"""
if module_name is None:
return OK
uri = '/restconf/operations/huawei-module-management:install-module'
req_template = string.Template('''
<input>
<name>$fileName</name>
</input>
''')
req_data = req_template.substitute(fileName=module_name)
ret, _, _ = ops_conn.create(uri, req_data)
if ops_return_result(ret):
raise OPIExecError('Failed to execute the mod active operation.')
@ops_conn_operation
def feature_plugin_active_proc(self, feature_name='', ops_conn=None):
"""feature plugin active"""
if feature_name is None:
return OK
uri = '/restconf/operations/huawei-software:install-feature-software'
req_template = string.Template('''
<input>
<name>$fileName</name>
</input>
''')
req_data = req_template.substitute(fileName=feature_name)
ret, _, _ = ops_conn.create(uri, req_data)
if ops_return_result(ret):
raise OPIExecError('Failed to execute the feature plugin active operation.')
sleep(30)
return ret
@ops_conn_operation
def license_active_proc(self, license_name='', ops_conn=None):
"""license active"""
if license_name is None:
return OK
uri = '/restconf/operations/huawei-license:license-active'
req_template = string.Template('''
<input>
<filename>$licenseName</filename>
</input>
''')
req_data = req_template.substitute(licenseName=license_name)
ret, _, _ = ops_conn.create(uri, req_data)
if ops_return_result(ret):
raise OPIExecError('Failed to execute the license active operation.')
sleep(120) # license sleep 120s
return ret
file_type = file_info.get('*TYPE').lower()
func = active_startup_func_dict.get(file_type)
if func is None:
continue
logging.info(f"{file_type} active...")
ret = func(file_name_dict.get(file_type))
if ret == ERR:
raise ZTPErr(f"Active {file_type} file failed")
@ops_conn_operation
def get_disk_free_size(path='', ops_conn=None):
"""Return the free size of the file system whose path starts with 'path'."""
uri = '{}'.format('/restconf/data/huawei-file-operation:file-operation/disk-usages')
disk_info = 0
req_data = None
ret, _, rsp_data = ops_conn.get(uri, req_data)
if ops_return_result(ret) or rsp_data == '':
logging.error('Failed to get disk free size')
return disk_info
root_elem = etree.fromstring(rsp_data)
namespaces = {'file-operation': 'urn:huawei:yang:huawei-file-operation'}
for disk_usage in root_elem.findall("file-operation:disk-usage", namespaces):
elem = disk_usage.find("file-operation:path", namespaces) # Path of the file system partition
if elem is None or elem.text is None:
continue
if not elem.text.lower().startswith(path):
continue
return disk_info
@ops_conn_operation
def del_recycle_bin(ops_conn=None):
"""Delete files from the recycle bin."""
uri = '{}'.format('/restconf/operations/huawei-file-operation:reset-recycle-bin')
req_data = '''\
<input>
<reset-type>all</reset-type>
</input>
'''
ret, _, _ = ops_conn.create(uri, req_data)
if ops_return_result(ret):
logging.error('Delete recycle bin failed.')
return ERR
return OK
return ERR
return OK
else:
return ERR
def get_space_mode_str(space_clear):
    """Map the space-clearing strategy value from the .ini file to a printable name."""
    check_print = 'undefined'
    if space_clear in ['0', None]:
        check_print = 'no cleanup'
    elif space_clear == '1':
        check_print = 'normal cleanup'
    elif space_clear == '2':
        check_print = 'deep cleanup'
    return check_print

def get_residual_space(all_devices_paths=None):
    """Obtain the available space of the master and slave MPUs."""
    devices_space = {}
    if not all_devices_paths:
        return devices_space
    for path in all_devices_paths:
        path_space = get_disk_free_size(path)
        devices_space.update({path: path_space})
    return devices_space

def get_mpus_files_list(all_devices_paths):
    return devices_files

def get_space_of_files_list(files_list):
    """Sum the size of the files listed for each MPU path; returns {path: total_bytes}."""
    all_files_space = {}
    for key in files_list.keys():
        space_temp = 0
        for filename in files_list.get(key):
            space_temp = space_temp + get_file_size(os.path.join(key, filename))
        all_files_space.update({key: space_temp})
    return all_files_space
    devices_res_space = get_residual_space(all_devices_paths)
    ret = check_devices_space(devices_res_space, need_space)
    if ret == OK:
        print_ztp_log("Empty recycle bin, the space enough and continue ztp...", LOG_INFO_TYPE)
        return OK
    devices_files_list = get_mpus_files_list(all_devices_paths)
    files_removes_device_images, devices_images_list = get_devices_images_files(devices_files_list, cc_image)
    all_files_list_space = get_space_of_files_list(files_removes_device_images)
    all_images_list_space = get_space_of_files_list(devices_images_list)
    space_not_enough_path = []
    space_enough_del = []
    need_del_all_file = {}
    need_del_images_file = {}
    if len(space_not_enough_path) == 0:
        del_list_file(devices_images_list)
        print_ztp_log("Delete the system software packages on the master, continue the ZTP process.",
                      LOG_INFO_TYPE)
        ret, _ = check_if_space_enough(master_path, cc_image, all_devices_paths)
        if ret == ERR:
            for path in space_enough_del:
                need_del_all_file.update({path: files_removes_device_images.get(path)})
            del_list_file(need_del_all_file)
    elif len(space_not_enough_path) != 0 and space_clear_strategy == ZTP_SPACE_CLEAR_NORMAL:
        print_ztp_log(f"The space of the following {space_not_enough_path} devices is insufficient.",
                      LOG_ERROR_TYPE)
        return ERR
    else:
        for path in space_not_enough_path:
            if all_files_list_space.get(path) + devices_res_space.get(path) < need_space:
                print_ztp_log(f"The space of the following {path} devices is insufficient.", LOG_ERROR_TYPE)
                return ERR
            need_del_all_file.update({path: files_removes_device_images.get(path)})
        del_list_file(need_del_all_file)
        del_list_file(need_del_images_file)
        print_ztp_log("Delete files on master and standby, continue the ZTP process.", LOG_INFO_TYPE)
    # If some files fail to be deleted, check the space after the delete operation.
    ret, _ = check_if_space_enough(master_path, cc_image, all_devices_paths)
    if ret == ERR:
        logging.error('Try to clean file failed, the space is still not enough.')
        return ret
    return OK
            _file_name_real = os.path.basename(_license_name)
            _file_path = _license_name.lstrip('/')
            _file_sha256 = _license_sha256
            file_name_dict['license'] = _file_name_real
        else:
            pass
    chg_flag = False

@ops_conn_operation
def get_syslog_config(ops_conn=None, ip_type='ipv4'):
    """Obtain the log server configuration."""
    ip_addresses = []
    uri = '/restconf/data?fields=/huawei-syslog:syslog/servers/server(ipaddress)'
    req_data = None
    ret, _, rsp_data = ops_conn.get(uri, req_data)
    root_elem = etree.fromstring(rsp_data)
    namespaces = {
        'syslog': 'urn:huawei:yang:huawei-syslog',
    }
    return ip_addresses

@ops_conn_operation
def set_syslog_config(ops_conn=None, ip_addresses=None, ipaddr_type='ipv4', syslog_trans=''):
    """Configure the log server."""
    syslog_tran = syslog_trans.lower()
    if syslog_tran in ['tcp']:
        for ip_address in ip_addresses or []:
            xpath = '/restconf/data/huawei-syslog:syslog/servers/server'
            str_temp = string.Template('''\
<server>
    <ip-type>$ip_type</ip-type>
    <ipaddress>$ip_addr</ipaddress>
    <is-default-vpn>true</is-default-vpn>
    <vrf-name>_public_</vrf-name>
    <level>debugging</level>
    <port>514</port>
    <facility>local2</facility>
    <channel-id>2</channel-id>
    <timestamp>UTC</timestamp>
    <transport-mode>$syslog_tran</transport-mode>
</server>
''')
            req_data = str_temp.substitute(ip_type=ipaddr_type, ip_addr=ip_address, syslog_tran=syslog_tran)
            ret, _, _ = ops_conn.set(xpath, req_data)
            if ops_return_result(ret):
                raise OPIExecError('Failed to change the transmission mode')
    return OK
@ops_conn_operation
def get_addr_by_hostname(ops_conn=None, host='', addr_type='1'):
    """Convert the host name into an IP address."""
    root_elem = etree.fromstring(rsp_data)
    uriTmp = '{}'.format('/ip-address')
    uriTmp = uriTmp.replace('/', '/dns:')
    mpath = uriTmp[1:]
    namespaces = {'dns': 'urn:huawei:yang:huawei-dns'}
    elem = root_elem.find(mpath, namespaces)
    if elem is None:
        raise OPIExecError('Failed to get IP address by host name')
    return elem.text

@ops_conn_operation
def get_ipv6_addr_by_hostname(ops_conn=None, host=''):
    """Convert the host name into an IPv6 address."""
    print_ztp_log("Get IPv6 address by host name...", LOG_INFO_TYPE)
    xpath = '{}{}'.format('/restconf/data/huawei-dns:dns/query-host-ipv6s/query-host-ipv6=', host)
    req_data = None
    ret, _, rsp_data = ops_conn.get(xpath, req_data)
    if ops_return_result(ret):
        raise OPIExecError('Failed to get IPv6 address by host name')
    root_elem = etree.fromstring(rsp_data)
    namespaces = {'dns': 'urn:huawei:yang:huawei-dns'}
    elem = root_elem.find('dns:ipv6-address', namespaces)
    if elem is None:
        raise OPIExecError('Failed to get IPv6 address by host name.')
    return elem.text

@ops_conn_operation
def ztp_status_set(envValue=ZTP_STATUS_END, ops_conn=None):
    """Set the ZTP process status.
    input: envValue str Environment variable value, which can be 'true' or 'false'
    output: ret int Operation result
    """
    logging.info("Set the value of envZtpStatus to {} .".format(envValue))
    if envValue not in ['true', 'false']:
        logging.error("The envValue:%s is invalid, not in ['true', 'false']!" % envValue)
        return ERR
    xpath = '/restconf/operations/huawei-ztp:set-enable-status'
    str_temp = string.Template('''\
<input>
    <enable>$enableSta</enable>
</input>
''')
    req_data = str_temp.substitute(enableSta=envValue)
    ret, _, _ = ops_conn.create(xpath, req_data)
    if ops_return_result(ret):
        raise OPIExecError('Failed to set the value of envZtpStatus.')
    return OK
@ops_conn_operation
def ztp_status_get(ops_conn=None):
    """Obtain the ZTP process status."""
    root_elem = etree.fromstring(rsp_data)
    namespaces = {'data': 'urn:ietf:params:xml:ns:yang:ietf-restconf', 'ztp': 'urn:huawei:yang:huawei-ztp'}
    uriTmp = '{}'.format('/ztp/status/enable')
    uriTmp = uriTmp.replace('/', '/ztp:')
    mpath = uriTmp[1:]
    elem = root_elem.find(mpath, namespaces)
    if elem is None:
        return ERR, ''

@ops_conn_operation
def has_slave_mpu(ops_conn=None, mpu_slot=None):
    """Whether the device has a slave MPU; returns a bool value."""
    has_slave = False
    ret, _, rsp_data = ops_conn.get(uri, req_data)
    if ops_return_result(ret) or rsp_data == '':
        raise OPIExecError('Failed to get the device slave information')
    return has_slave

@ops_conn_operation
def get_system_info(ops_conn=None):
    """Get system info, returns a dict"""
    return sys_info

def convert_file_list_info(file_list):
    """Serialize a list of file names as a comma-separated string for the startup info file."""
    if not isinstance(file_list, list):
        return ""
    return ",".join(file_list)
    str_temp = string.Template('TIME_SN=$sn\n'
                               'SOFTWARE=$image_name\n'
                               'CFG=$config_name\n'
                               'PAT=$patch_name\n'
                               'MOD=$mod_list\n'
                               'FEATURE_IMAGE=$feature_image_name\n')
    startup_info_str = str_temp.substitute(sn=sn_value,
                                           image_name=record_info[FILE_TYPE_SOFTWARE],
                                           config_name=record_info[FILE_TYPE_CFG],
                                           patch_name=record_info[FILE_TYPE_PAT],
                                           mod_list=record_info[FILE_TYPE_MOD],
                                           feature_image_name=record_info[FILE_TYPE_FEATURE_PLUGIN])
    try:
        file_path = os.path.join(FLASH_HOME_PATH, STARTUP_INFO_FILE_NAME)
        if os.path.islink(file_path):
            raise Exception("This is a soft link file. Please check.")

def revert_file_list_info(file_info):
    """Inverse of convert_file_list_info: split the comma-separated string back into a list."""
    return file_info.split(",")

def get_startup_info_from_file():
    """Get startup information from file"""
    try:
        file_path = os.path.join(FLASH_HOME_PATH, STARTUP_INFO_FILE_NAME)
        if os.path.islink(file_path):
            raise Exception("This is a soft link file. Please check.")
def set_file_effectiveMode(startup_info):
    """Set the mode for activating version files.

    Traverse the information in the startup_info file and read the *EFFECTIVE_MODE field.
    If it has been set, no processing is required. If it is set to None, the default
    activation mode is used based on the file type. The system software package and
    configuration file take effect only after the device is restarted. Therefore, only the
    default activation mode can be configured for them. Activation is not required for
    customized files.
    """
    file_info_list = startup_info.get('FILE_INFO')
    if not isinstance(file_info_list, list):
        logging.error("Parameters is invalid.")
        return
    for i in range(len(file_info_list)):
        file_type = file_info_list[i].get('*TYPE').lower()
        effective_mode = file_info_list[i].get('*EFFECTIVE_MODE')
        if effective_mode is None or file_type in [FILE_TYPE_SOFTWARE, FILE_TYPE_CFG, FILE_TYPE_LIC,
                                                    FILE_TYPE_USER] or \
                (file_type in [FILE_TYPE_PAT, FILE_TYPE_MOD, FILE_TYPE_FEATURE_PLUGIN] and effective_mode
                 == EFFECTIVE_MODE_NO_NEED):
            file_info_list[i].update({
                '*EFFECTIVE_MODE': FILE_DEFAULT_EFFECTIVE_MODE.get(file_type.lower())
            })

    The license file name and SHA256 value of the file are returned.
    """
    if not isinstance(file_path_xml, str):
        logging.error("File path is invalid.")
        return None, None
    # Check the file name.
    file_name = os.path.basename(file_path_xml)
    if file_name != LICENSE_LIST_FILE_NAME:
@ops_conn_operation
def patch_active_proc(ops_conn=None, patch_name=''):
    """Activate the patch file."""
    uri = '/restconf/operations/huawei-patch:load-patch'
    str_temp = string.Template('''\
<input>
    <name>$patchName</name>
    <load-type>run</load-type>
</input>
''')
    req_data = str_temp.substitute(patchName=patch_name)
    ret, _, _ = ops_conn.create(uri, req_data)
    if ops_return_result(ret):
        raise OPIExecError('Failed to execute the patch active operation.')

@ops_conn_operation
def license_active_proc(ops_conn=None, license_name=''):
    """Activate the license file."""

@ops_conn_operation
def delete_startup_patch_file(ops_conn=None):
    """Delete patch file for system to startup"""
    uri = '/restconf/operations/huawei-patch:delete-patch'
    req_data = '''\
<input>
    <delete-type>all</delete-type>
</input>
'''
    # It is an action operation, so use create for HTTP POST.
    ret, _, rsp_data = ops_conn.create(uri, req_data)
    if ops_return_result(ret):
        logging.error("delete_startup_patch_file failed, rsp_data = \n{}".format(rsp_data))
        raise OPIExecError('Failed to delete patch.')

@ops_conn_operation
def get_active_intime(ops_conn=None):
    """Obtain the current device time as 'HH:MM' (UTC), used to compute the activation delay
    configured in the .ini file. Returns '0:0' if the time cannot be read."""
    time_sys = '0:0'
    uri = '/restconf/data?fields=/huawei-tm:tm/date-and-time(current-time)'
    req_data = None
    ret, _, rsp_data = ops_conn.get(uri, req_data)
    if ops_return_result(ret) or rsp_data == '':
        logging.warning("Get active in time failed!")
        return time_sys
    root_elem = etree.fromstring(rsp_data)
    namespaces = {'tm': 'urn:huawei:yang:huawei-tm'}
    elem = root_elem.find('tm:tm/tm:date-and-time/tm:current-time', namespaces)
    if elem is not None:
        # current-time is an ISO 8601 timestamp such as 2023-11-15T12:34:56Z; keep HH:MM.
        text_list = re.findall(".*T(.*)Z.*", elem.text)
        if text_list:  # findall returns an empty list, never None, when nothing matches
            text_list_member = text_list[0]
            time_sys = text_list_member[0:5]
    return time_sys

def get_active_intime_delay(active_in_time):
    if re.match(r'^(0[0-9]|1[0-9]|2[0-3]|[0-9])\:(0[0-9]|1[0-9]|2[0-9]|3[0-9]|4[0-9]|5[0-9]|[0-9])$',
                active_in_time):
        # The time is entered, for example, 23:59.
        h_intime, m_intime = active_in_time.split(":")
        m_intime_count = int(h_intime) * ONEMINUTE + int(m_intime)
        time_now = get_active_intime()
        h_timenow, m_timenow = time_now.split(":")
        m_timenow_count = int(h_timenow) * ONEMINUTE + int(m_timenow)

def get_delay_time_sec(active_delay_time):
    if re.match(r'(\d+)$', active_delay_time):
        # The delay is entered, for example, 60.
        delay_time_sec = int(active_delay_time)
        if delay_time_sec > (ONEHOUR * 24):
            logging.error("The active delay time over 24 hours!")
            delay_time_sec = ONEHOUR * 24
        return delay_time_sec
    else:
        logging.warning("The field of ACTIVE_DELAYTIME is invalid!")
        return None

    delay_time = get_delay_time_sec(active_delay_time)
    if delay_time is not None:
        return delay_time
    delay_time = get_active_intime_delay(active_in_time)
    if delay_time is not None:
        return delay_time
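The script's get_active_intime_delay is cut off above before it returns anything, and the .ini semantics are only implied: ACTIVE_DELAYTIME (seconds, capped at 24 hours) takes precedence, otherwise ACTIVE_INTIME ("HH:MM" in the device's UTC clock) is converted into a wait. The following is an added example, not the script's own code, that carries the computation through: the clock-time variant wraps past midnight instead of going negative, and the current time is passed in as a parameter instead of being read over RESTCONF so the logic can be exercised offline. Constant names ONEMINUTE and ONEHOUR follow the script; their values are assumed.

```python
import re

ONEMINUTE = 60                 # seconds per minute (value assumed; name taken from the script)
ONEHOUR = 60 * ONEMINUTE
MAX_DELAY_SEC = 24 * ONEHOUR   # the script refuses to wait longer than 24 hours

# Same pattern the script applies to ACTIVE_INTIME: H:MM or HH:MM on a 24-hour clock.
_INTIME_RE = re.compile(
    r'^(0[0-9]|1[0-9]|2[0-3]|[0-9]):(0[0-9]|1[0-9]|2[0-9]|3[0-9]|4[0-9]|5[0-9]|[0-9])$')


def delay_from_seconds(active_delay_time):
    """ACTIVE_DELAYTIME as a decimal string -> seconds, capped at 24 h; None if the field is invalid."""
    if not isinstance(active_delay_time, str) or not re.fullmatch(r'\d+', active_delay_time):
        return None
    return min(int(active_delay_time), MAX_DELAY_SEC)


def delay_from_clock_time(active_in_time, now_hhmm):
    """ACTIVE_INTIME 'HH:MM' -> seconds to wait from now_hhmm (device UTC time as 'HH:MM').

    A target at or before the current minute means "tomorrow", so the wait wraps
    around midnight and is always in [0, 24 h). Returns None if the field is invalid.
    """
    if not isinstance(active_in_time, str) or not _INTIME_RE.match(active_in_time):
        return None
    h_target, m_target = (int(x) for x in active_in_time.split(':'))
    h_now, m_now = (int(x) for x in now_hhmm.split(':'))
    target_min = h_target * 60 + m_target
    now_min = h_now * 60 + m_now
    wait_min = (target_min - now_min) % (24 * 60)   # modulo handles the midnight wrap
    return wait_min * ONEMINUTE


def resolve_activation_delay(active_delay_time, active_in_time, now_hhmm):
    """Apply the script's precedence: a valid ACTIVE_DELAYTIME wins, then ACTIVE_INTIME.

    Returns None when neither field is usable, which is the case main_proc treats
    as "Get delay time failed" and aborts on.
    """
    delay = delay_from_seconds(active_delay_time)
    if delay is not None:
        return delay
    return delay_from_clock_time(active_in_time, now_hhmm)
```

Note that an empty ACTIVE_DELAYTIME is treated as absent rather than as zero, so an operator who only fills in ACTIVE_INTIME gets the clock-based wait; the cap keeps a typo such as an extra digit from parking the device for days.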
    input: file_path str Path of the file for which the SHA256 needs to be calculated.
           is_config_file int Indicates whether a file is an intermediate file.
    output: ret int Indicates whether the calculation is successful.
            outStr str SHA256 value.
    """
    def read_chunks(fhdl):
        """Yield the file in 8096-byte chunks so large images are not read into memory at once."""
        chunk = fhdl.read(8096)
        while chunk:
            yield chunk
            chunk = fhdl.read(8096)

        else:
            fhdl.seek(0)
    file_name = os.path.basename(file_path)
    file_path_real = os.path.join(FLASH_HOME_PATH, file_name)
    if os.path.islink(file_path_real):
        raise Exception("This is a soft link file. Please check.")
    if not os.path.exists(file_path_real):
        logging.error("File does not exist.")
        return ERR, ""
    sha256_obj = sha256()
    with open(file_path_real, "rb") as fhdl:
        if is_config_file is True:
            # Skip the first line; it is not part of the hashed content of a configuration file.
            fhdl.seek(0)
            fhdl.readline()
        for chunk in read_chunks(fhdl):
            sha256_obj.update(chunk)
    sha256_value = sha256_obj.hexdigest()
    return OK, sha256_value
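The hashing routine above tests os.path.islink() and then calls open() as two separate steps, and it compares the digest elsewhere with ordinary string equality. The following added example, which is not the script's own code, does the link check and the open in a single os.open(O_NOFOLLOW) call so nothing can be swapped in between, confirms the descriptor refers to a regular file, keeps the skip-first-line behaviour for configuration files, and compares against the expected SHA256 from the intermediate file with a constant-time comparison. The sample files it hashes are constructed in a temporary directory; the file names and contents are made up for the example.

```python
import errno
import hashlib
import hmac
import os
import stat
import tempfile

CHUNK_SIZE = 8096  # same read size the script uses


def sha256_of_file(path, is_config_file=False):
    """Hash a regular file, refusing to follow a symbolic link at the final path component.

    The link check and the open are one system call (O_NOFOLLOW), so a link placed
    between an islink() test and open() cannot be followed. For configuration files
    the first line is skipped, as the script does. Returns (True, hexdigest) on
    success or (False, reason) otherwise.
    """
    flags = os.O_RDONLY | getattr(os, 'O_NOFOLLOW', 0)
    try:
        fd = os.open(path, flags)
    except FileNotFoundError:
        return False, 'file does not exist'
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.EMLINK):  # O_NOFOLLOW met a symlink (Linux / BSD)
            return False, 'path is a symbolic link'
        return False, os.strerror(exc.errno)
    try:
        with os.fdopen(fd, 'rb') as fhdl:
            if not stat.S_ISREG(os.fstat(fhdl.fileno()).st_mode):
                return False, 'not a regular file'
            if is_config_file:
                fhdl.readline()  # skip the first line, as the script does for config files
            digest = hashlib.sha256()
            for chunk in iter(lambda: fhdl.read(CHUNK_SIZE), b''):
                digest.update(chunk)
    except OSError as exc:
        return False, os.strerror(exc.errno)
    return True, digest.hexdigest()


def verify_downloaded_file(path, expected_sha256, is_config_file=False):
    """Compare with the SHA256 from the intermediate file; a missing expected value never passes."""
    if not expected_sha256:
        return False
    ok, value = sha256_of_file(path, is_config_file)
    return ok and hmac.compare_digest(value, expected_sha256.strip().lower())


def demo():
    """Create constructed sample files in a temporary directory and return the check results."""
    tmp = tempfile.mkdtemp()
    cfg = os.path.join(tmp, 'vrpcfg.cfg')                       # constructed sample config file
    with open(cfg, 'wb') as f:
        f.write(b'!Software Version V600R022C10\nsysname Switch\n')
    link = os.path.join(tmp, 'vrpcfg_link.cfg')                 # symlink pointing at the config
    os.symlink(cfg, link)
    body_digest = hashlib.sha256(b'sysname Switch\n').hexdigest()  # digest of everything after line 1
    return {
        'config_skips_first_line': verify_downloaded_file(cfg, body_digest, is_config_file=True),
        'whole_file_differs': verify_downloaded_file(cfg, body_digest, is_config_file=False),
        'symlink_refused': not sha256_of_file(link)[0],
        'missing_refused': not sha256_of_file(os.path.join(tmp, 'missing.cc'))[0],
        'no_expected_value_refused': not verify_downloaded_file(cfg, None, is_config_file=True),
    }
```

The `expected_sha256` guard matters because the intermediate-file parser above turns an empty SHA256 field into None; treating "no hash given" as "verified" would silently disable the integrity check for that file.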
def get_file_info_str(file_info_list):
    if len(file_info_list) == 0:
        return None
    str_tmp = ''
    for file_info in file_info_list:
        str_tmp = '{}{} {}'.format(str_tmp, '\n', str(file_info))
    return str_tmp
    if cnt == 1:
        return _key, user_config_dict.get(_key)
    elif cnt > 1:
        logging.warning("User configuration information {} is invalid, "
                        "please check!".format(dict_name_str))
        return None, None
    else:
        return None, None

def print_product_infos(sys_info):
    product_name = sys_info.get('product-name')
    product_esn = sys_info.get('esn')
    product_mac = sys_info.get('mac')
    file_info_list = []
    print_product_infos(sys_info)
    # REMOTE_IMAGE
    if len(REMOTE_IMAGE) != 0:
        _key, _infos = get_file_infos_from_user_config(REMOTE_IMAGE, 'REMOTE_IMAGE')
        if _infos is not None:
            image_info = _infos.get(sys_info.get(_key))
            if image_info is not None:
                image_path = image_info.get('path')
                if image_path is not None:
                    file_info = {}.fromkeys(('*FILENAME', '*TYPE', '*EFFECTIVE_MODE', 'ISBATCHPROCESS',
                                             'SHA256', 'PATH'))
                    file_info['*FILENAME'] = os.path.basename(image_path)
                    file_info['PATH'] = image_path.lstrip('/')
                    if file_info['*FILENAME'] not in [None, '']:
                        file_info['*TYPE'] = FILE_TYPE_SOFTWARE
                        file_info['*EFFECTIVE_MODE'] = EFFECTIVE_MODE_REBOOT
                        file_info['ISBATCHPROCESS'] = '0'
                        file_info['SHA256'] = image_info.get('sha256')
                        if file_info['SHA256'] == '':
                            file_info['SHA256'] = None
    # REMOTE_CONFIG
    if len(REMOTE_CONFIG) != 0:
        _key, _infos = get_file_infos_from_user_config(REMOTE_CONFIG, 'REMOTE_CONFIG')
        if _infos is not None:
            config_info = _infos.get(sys_info.get(_key))
            if config_info is not None:
                config_path = config_info.get('path')
                if config_path is not None:
                    file_info = {}.fromkeys(('*FILENAME', '*TYPE', '*EFFECTIVE_MODE', 'ISBATCHPROCESS',
                                             'SHA256', 'PATH'))
                    file_info['*FILENAME'] = os.path.basename(config_path)
                    file_info['PATH'] = config_path.lstrip('/')
                    if file_info['*FILENAME'] not in [None, '']:
                        file_info['*TYPE'] = FILE_TYPE_CFG
                        file_info['*EFFECTIVE_MODE'] = EFFECTIVE_MODE_REBOOT
                        file_info['ISBATCHPROCESS'] = '0'
                        file_info['SHA256'] = config_info.get('sha256')
                        if file_info['SHA256'] == '':
                            file_info['SHA256'] = None
                        file_info_list.append(file_info)
    # REMOTE_PATCH
    if len(REMOTE_PATCH) != 0:
        _key, _infos = get_file_infos_from_user_config(REMOTE_PATCH, 'REMOTE_PATCH')
        if _infos is not None:
            patch_info = _infos.get(sys_info.get(_key))
            if patch_info is not None:
                patch_path = patch_info.get('path')
                if patch_path is not None:
                    file_info = {}.fromkeys(('*FILENAME', '*TYPE', '*EFFECTIVE_MODE', 'ISBATCHPROCESS',
                                             'SHA256', 'PATH'))
                    file_info['*FILENAME'] = os.path.basename(patch_path)
                    file_info['PATH'] = patch_path.lstrip('/')
                    if file_info['*FILENAME'] not in [None, '']:
                        file_info['*TYPE'] = FILE_TYPE_PAT
                        file_info['*EFFECTIVE_MODE'] = patch_info.get('effective_mode')
                        if file_info['*EFFECTIVE_MODE'] in [None, '']:
                            file_info['*EFFECTIVE_MODE'] = EFFECTIVE_MODE_NO_REBOOT
                        file_info['ISBATCHPROCESS'] = '0'
                        file_info['SHA256'] = patch_info.get('sha256')
                        if file_info['SHA256'] == '':
                            file_info['SHA256'] = None
                        file_info_list.append(file_info)
    # REMOTE_MOD
    if len(REMOTE_MOD) != 0:
        _key, _infos = get_file_infos_from_user_config(REMOTE_MOD, 'REMOTE_MOD')
        if _infos is not None:
            patch_info = _infos.get(sys_info.get(_key))
            if patch_info is not None:
                patch_path = patch_info.get('path')
                if patch_path is not None:
    # REMOTE_LICLIST
    license_info = REMOTE_LICLIST
    license_path = license_info.get('path')
    if license_path is not None:
        file_info = {}.fromkeys(('*FILENAME', '*TYPE', '*EFFECTIVE_MODE', 'ISBATCHPROCESS', 'SHA256',
                                 'PATH'))
        file_info['*FILENAME'] = os.path.basename(license_path)
        file_info['PATH'] = license_path.lstrip('/')
        if file_info['*FILENAME'] not in [None, '']:
            file_info['*TYPE'] = FILE_TYPE_LIC
            file_info['*EFFECTIVE_MODE'] = EFFECTIVE_MODE_NO_REBOOT
            file_info['ISBATCHPROCESS'] = '1'
            file_info['SHA256'] = license_info.get('sha256')
            if file_info['SHA256'] == '':
                file_info['SHA256'] = None
            file_info_list.append(file_info)
    # REMOTE_USER
    if len(REMOTE_USER) != 0:
        _key, _infos = get_file_infos_from_user_config(REMOTE_USER, 'REMOTE_USER')
        if _infos is not None:
            user_info_list = _infos.get(sys_info.get(_key))
            if user_info_list is not None:
                for user_info in user_info_list:
                    if len(file_info_list) >= 9:
                        logging.warning("Too many user files, please check!")
                        break
                    user_path = user_info.get('path')
                    if user_path is not None:
                        file_info = {}.fromkeys(('*FILENAME', '*TYPE', '*EFFECTIVE_MODE', 'ISBATCHPROCESS',
                                                 'SHA256', 'PATH'))
                        file_info['*FILENAME'] = os.path.basename(user_path)
                        file_info['PATH'] = user_path.lstrip('/')
                        if file_info['*FILENAME'] not in [None, '']:
                            file_info['*TYPE'] = FILE_TYPE_USER
                            file_info['*EFFECTIVE_MODE'] = EFFECTIVE_MODE_NO_NEED
                            file_info['ISBATCHPROCESS'] = '0'
                            file_info['SHA256'] = user_info.get('sha256')
                            if file_info['SHA256'] == '':
                                file_info['SHA256'] = None
                            file_info_list.append(file_info)
def check_parameter(aset):
    """Return True if the string contains any character with special meaning to a shell or XML."""
    seq = ['&', '>', '<', '"', "'", "|", '`', '$', ';', '(', ')', '[', ']', '{', '}', '~', '*', '?']
    if aset:
        for c in seq:
            if c in aset:
                return True
    return False

def check_number(aset):
    """Return True if the string contains any character that is not a decimal digit."""
    nums = ['1', '2', '3', '4', '5', '6', '7', '8', '9', '0']
    if aset:
        for num in aset:
            if num not in nums:
                return True
    return False

def check_filename_and_extension(startup_info):
    """Reject file names that contain special characters or an extension not allowed for the file type."""
    file_info_list = startup_info.get('FILE_INFO')
    for file_info in file_info_list:
        file_name = file_info.get('*FILENAME')
        file_type = file_info.get('*TYPE')
        if file_name not in ['', None] and check_parameter(file_name):
            raise ZTPErr('Invalid filename of {} file, the name should not contain: {} {} {} {} {} {} {} {} .'
                         .format(file_type, '&', '>', '<', '"', "'", "|", '`', '$'))
        _, ext = os.path.splitext(file_name)
        if (file_type != FILE_TYPE_USER) and (ext.lower() not in FILE_EXTENSION.get(file_type)):
            raise ZTPErr('Invalid filename extension of {} file.'.format(file_type))

def check_SN_config(startup_info):
    """TIME_SN must be a string of exactly 14 decimal digits."""
    sn = startup_info.get('*TIME_SN')
    if not isinstance(sn, str):
        raise ZTPErr('Invalid type of TIME_SN value.')
    if len(sn) != 14:
        raise ZTPErr('Invalid length of TIME_SN value.')
    if check_number(sn):
        raise ZTPErr('Invalid value of TIME_SN, the value should only contain numbers.')

def check_user_config(startup_info):
    check_filename_and_extension(startup_info)
    check_SN_config(startup_info)
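The checks above are a denylist: check_parameter rejects eighteen listed characters, but anything not on the list (a space, a path separator, a control character, a name made only of dots) passes. The following added example, not the script's own code, expresses the same three checks (file name characters, extension per file type, TIME_SN format) as an allowlist and collects every problem in the intermediate file rather than stopping at the first. The script's FILE_EXTENSION table and FILE_TYPE_* values are not shown on this page, so the per-type extension mapping and the type keys used here are assumptions made for the example.

```python
import os
import re

# Extension allowlist per file type. Assumed for the example; the script's own
# FILE_EXTENSION table is not shown on this page. The 'user' type accepts any
# extension, matching the FILE_TYPE_USER exemption in check_filename_and_extension.
FILE_EXTENSION = {
    'software': ('.cc',),
    'cfg': ('.cfg', '.zip', '.dat'),
    'pat': ('.pat',),
    'mod': ('.mod',),
    'feature_plugin': ('.fp',),
    'lic': ('.dat', '.xml'),
    'user': (),
}

# Allowlist: a name starts with a letter or digit and then contains only letters,
# digits, '.', '_' and '-', at most 64 characters in total. Every character the
# script's denylist names (& > < " ' | ` $ ; ( ) [ ] { } ~ * ?) is excluded by
# construction, and so are '/', '\\', whitespace, control characters and '..'.
_SAFE_NAME_RE = re.compile(r'^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$')
_SN_RE = re.compile(r'^[0-9]{14}$')


def validate_file_name(file_name, file_type):
    """Return the list of problems with a deployment file name; an empty list means it is valid."""
    if not isinstance(file_name, str) or file_name == '':
        return ['file name is missing']
    problems = []
    if not _SAFE_NAME_RE.match(file_name):
        problems.append('file name must match [A-Za-z0-9][A-Za-z0-9._-]{0,63}')
    allowed = FILE_EXTENSION.get(file_type)
    if allowed is None:
        problems.append('unknown file type: {}'.format(file_type))
    elif allowed:
        _, ext = os.path.splitext(file_name)
        if ext.lower() not in allowed:
            problems.append('extension {!r} not allowed for {} files'.format(ext, file_type))
    return problems


def validate_time_sn(sn):
    """TIME_SN must be exactly 14 decimal digits, as check_SN_config requires."""
    if not isinstance(sn, str):
        return ['TIME_SN is not a string']
    if not _SN_RE.match(sn):
        return ['TIME_SN must be exactly 14 decimal digits']
    return []


def validate_startup_info(startup_info):
    """Check every entry of the parsed intermediate file and return {field_or_name: [problems]}."""
    report = {}
    sn_problems = validate_time_sn(startup_info.get('*TIME_SN'))
    if sn_problems:
        report['*TIME_SN'] = sn_problems
    for file_info in startup_info.get('FILE_INFO') or []:
        name = file_info.get('*FILENAME')
        problems = validate_file_name(name, file_info.get('*TYPE'))
        if problems:
            report[str(name)] = problems
    return report
```

Returning a report instead of raising on the first problem lets the ZTP log name every bad entry in one run, which is what an operator debugging a hand-edited .ini file actually needs.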
    if flag1 > 0:
        record_startup_info_to_file(startup_info, startup)
        if flag == flag1:
            logging.warning('The current device was successfully deployed last time, '
                            'and the system software or patch configured this time '
                            'is the same as that of the current device. Please check!')
            raise ZTPAbort('There is no need to continue!')
        else:
            logging.warning('The current device is successfully started last time. '
                            'The system software package and patch in the intermediate file for '
                            'this deployment are the same as those of the current device. Please check.')
            raise ZTPErr('The intermediate file system software package or patch is the same as '
                         'the device system software package or patch!')

def check_if_reboot_needed(startup_info):
    """Return True if any file in the intermediate file takes effect only after a reboot."""
    file_info_list = startup_info.get('FILE_INFO')
    if not isinstance(file_info_list, list):
        logging.error("The type of FILE_INFO is invalid.")
        return True
    reboot_flag = False
    for i in range(len(file_info_list)):
        effective_mode = file_info_list[i].get('*EFFECTIVE_MODE')
        if effective_mode == EFFECTIVE_MODE_REBOOT:
            reboot_flag = True
            break
    return reboot_flag

@ops_conn_operation
def set_master_key(masterkey='', ops_conn=None):
    """set masterkey"""

def record_clear_master_key_to_file():
    """Record the startup information to file."""
    if os.path.islink(file_path):
        raise Exception("This is a soft link file. Please check.")

def copy_mod_file_to_dest(mod_name):
    """Copy the MOD file into the install directory, replacing any file already there."""
    if mod_name is None:
        return OK
    src_file_path = f'flash:/{mod_name}'
    dest_file_path = f'flash:/$_install_mod/{mod_name}'
    ret = file_delete(dest_file_path)
    if ret != OK:
        return ERR
    ret = copy_file(src_file_path, dest_file_path)
    if ret != OK:
        return ERR
    return OK
def check_addr(address):
    """Return 'DHCPv4' or 'DHCPv6' according to the IP version of the address, or None if it is not an IP address."""
    try:
        version = ipaddress.ip_address(address).version
        if version == 4:
            return 'DHCPv4'
        elif version == 6:
            return 'DHCPv6'
        else:
            return None
    except ValueError:
        return None

def check_filserver_dhcp_type(url):
    """Derive the DHCP type implied by the file server URL from the IP version of its host part."""
    url_tuple = urlparse(url)
    ipaddr = url_tuple.hostname
    cur_type = check_addr(ipaddr)
    return cur_type

def clean_download_temp_file(file_path):
    """Remove a downloaded file and its .tmp partial-download companion."""
    ret1 = file_delete(file_path)
    ret2 = file_delete(f"{file_path}.tmp")
    if ret1 != OK or ret2 != OK:
        return ERR
    return OK
def main_proc():
    """Main processing"""
    check_user_config(startup_info)
    # Configure the log server based on the configured log transfer protocol.
    syslog_trans_protocol = startup_info.get('SYSLOG_INFO')
    addr_type = 'ipv4'
    if DHCP_TYPE == 'DHCPv6':
        addr_type = 'ipv6'
    ip_addresses = get_syslog_config(ip_type=addr_type)
    set_syslog_config(ip_addresses=ip_addresses, ipaddr_type=addr_type, syslog_trans=syslog_trans_protocol)
    check_starupinfo_txt(startup_info, startup)
    global system_startupInfo_state
    system_startupInfo_state = SYSTEM_STARUPINFO_END
    url = startup_info['*FILESERVER']
    cur_dhcp_type = check_filserver_dhcp_type(url)
    if cur_dhcp_type is not None and cur_dhcp_type != DHCP_TYPE:
        print_ztp_log("The IP version in ini file is inconsistent with bootfile server.", LOG_ERROR_TYPE)
        return ERR
    if delay_time_sec is None:
        slog.syslog("Get delay time failed.", ops.INFORMATIONAL, ops.SYSLOG)
        return ERR
    # Download the version files.
    ret, chg_flag = ztp_file_download(file_list, startup_info, slave)
    if ret != OK or chg_flag is False:
        return ERR
    # Set the mode for activating the file.
    set_file_effectiveMode(startup_info)
    global system_reboot_needed
    system_reboot_needed = check_if_reboot_needed(startup_info)
    image_name = file_name_dict.get(FILE_TYPE_SOFTWARE)
    config_name = file_name_dict.get(FILE_TYPE_CFG)
    patch_name = file_name_dict.get(FILE_TYPE_PAT)
    mod_name = file_name_dict.get(FILE_TYPE_MOD)
    feature_name = file_name_dict.get(FILE_TYPE_FEATURE_PLUGIN)
    # Activate the file.
    print_ztp_log(f"After {delay_time_sec} seconds activation will be performed.", LOG_INFO_TYPE)
    slog.syslog("After {} seconds activation will be performed.".format(delay_time_sec),
                ops.INFORMATIONAL, ops.SYSLOG)
    sleep(delay_time_sec)
    # Copy the mod file.
    ret = copy_mod_file_to_dest(mod_name)
    if ret != OK:
        logging.error("Failed to copy mod file to destination path.")
        return ERR
    # Set the master key.
    if master_exportcfg is None and config_name is not None and is_set_master is not None:
        ret, _ = set_master_key(is_set_master)
        _, nextcfg = startup.get_startup_info_by_type(FILE_TYPE_CFG)
        if nextcfg is not None:
            startup._del_startup_config_file()
        if ret == OK:
            print_ztp_log('Now set master key success...', LOG_INFO_TYPE)
        else:
            raise ZTPErr('Failed to set master key.')
    if is_clear_master is True:
        record_clear_master_key_to_file()
        ZTP_DOWNLOAD_FILE_LIST.append(SET_MASTER_FILE_NAME)
    file_info_list = startup_info.get('FILE_INFO')
    if not isinstance(file_info_list, list):
        logging.error("Parameters is invalid.")
        return ERR
        file_type = file_info.get('*TYPE').lower()
        if file_type == FILE_TYPE_PAT:
            patch_name = None
        if file_type == FILE_TYPE_MOD:
            mod_name = None
        if file_type == FILE_TYPE_FEATURE_PLUGIN:
            feature_name = None
    startup.set_exportcfg(master_exportcfg)
    # Specify the version files for the next startup.
    startup.set_startup_info(image_name, config_name, patch_name, mod_name, feature_name, slave)
    global system_file_state
    system_file_state = SYSTEM_FILE_SETTING_END
    startup.file_effective_proc(file_info_list, file_name_dict)
    return OK

    Args:
    Raises:
    Returns: user script processing result
    """
    try:
        global LOG_FILE
        LOG_FILE = logfile_name
        global flash_home_path_master
        global flash_home_path_slave
        flash_home_path_master, flash_home_path_slave, _ = get_home_path()
        ret = main_proc()
    finally:
        download_file_list.extend(ZTP_DOWNLOAD_FILE_LIST)

if __name__ == "__main__":
    main()
NOTE
In Table 6-10, the bold content in the Script Content column can be modified based on
the actual running environment.
CAUTION
● The DHCP server does not support authentication and may be spoofed. You are
advised to use a trusted DHCP server for deployment on a secure network.
● DHCP uses a non-encrypted transmission protocol, so the user name and
password of the SFTP file server carried in DHCP option 59, option 66, and
option 67 fields have security risks. You are advised to use this protocol on a
secure network.
● vrpfile: system software name, including the file path and file name. The value is a string of 4 to 69 characters. The system software package name excluding the file path can contain a maximum of 64 characters.
● vrpver: system software version.
● patchfile: patch file name, including the path and file name. The value is a string of 5 to 69 characters. The patch file name excluding the file path can contain a maximum of 63 characters.
● masterfile: masterkey file name, including the file path and file name. The value is a string of 5 to 32 characters.
Procedure
Step 1 Configure the DHCP server.
Step 2 (Optional) Configure the DHCP relay agent.
NOTE
If a Huawei device is used as the DHCP relay agent, see "DHCPv4 Configuration" or
"DHCPv6 Configuration" in CLI Configuration Guide > IP Address and Service Configuration.
If a third-party device is used as the DHCP relay agent, see the operation guide of the third-
party DHCP server and DHCP relay agent.
----End
Procedure
Step 1 Obtain the ownership voucher issued by Huawei for the ZTP device to be
deployed.
Step 2 Install the ownership voucher on the bootstrap server.
Step 3 Configure the bootstrap server.
For SZTP, you need to create and upload bootstrapping data on the bootstrap
server. Bootstrapping data is a set of data obtained by the device from the
bootstrap server during SZTP. For details, see RFC 8572.
The following is an example of the interaction process between the device to be
deployed and the bootstrap server:
The device to be deployed requests bootstrapping data:
POST:/restconf/operations/ietf-sztp-bootstrap-server:get-bootstrapping-data
Content-Type: application/yang.data+xml
<input xmlns="urn:ietf:params:xml:ns:yang:ietf-sztp-bootstrap-server">
  <signed-data-preferred/>
</input>
   +--:(redirect-information)
   |  +-- redirect-information
   |     +-- bootstrap-server* [address]
   |        +-- address         inet:host
   |        +-- port?           inet:port-number
   |        +-- trust-anchor?   cms
   +--:(onboarding-information)
      +-- onboarding-information
         +-- boot-image
         |  +-- os-name?               string
         |  +-- os-version?            string
         |  +-- download-uri*          inet:uri
         |  +-- image-verification* [hash-algorithm]
         |     +-- hash-algorithm      identityref
         |     +-- hash-value          yang:hex-string
         +-- configuration-handling?     enumeration
         +-- pre-configuration-script?   script
         +-- configuration?              binary
         +-- post-configuration-script?  script
– Redirect information: is used to redirect a device to another bootstrap
server. The redirect information contains a list of bootstrap servers, as
well as the host name, optional port, and optional trust anchor certificate
used by the device to authenticate the bootstrap server.
Example:
<conveyed-information xmlns="urn:ietf:params:xml:ns:yang:ietf-sztp-conveyed-info">
  <redirect-information>
    <bootstrap-server>
      <address>https://sztp1.example.com</address>
      <port>90</port>
      <trust-anchor>base64encodedvalue==</trust-anchor>
    </bootstrap-server>
    <bootstrap-server>
      <address>https://sztp2.example.com</address>
      <port>90</port>
      <trust-anchor>base64encodedvalue==</trust-anchor>
    </bootstrap-server>
    <bootstrap-server>
      <address>https://sztp3.example.com</address>
      <port>90</port>
      <trust-anchor>base64encodedvalue==</trust-anchor>
    </bootstrap-server>
  </redirect-information>
</conveyed-information>
– Onboarding information: provides detailed information about the image,
configuration file, and other deployment files of the device to be
deployed.
Example:
<conveyed-information xmlns="urn:ietf:params:xml:ns:yang:ietf-sztp-conveyed-info">
  <onboarding-information>
    <boot-image>
      <os-name></os-name>
      <os-version></os-version>
      <download-uri>https://example.com/path/to/image/cfg_file_name.cfg</download-uri>
      <image-verification>
        <hash-algorithm>ietf-sztp-conveyed-info:sha-256</hash-algorithm>
        <hash-value>ee0d0a46ebb2db92762eedba2c0afd9543bf3c3a983dab2e00c559ba9e62196f</hash-value>
      </image-verification>
    </boot-image>
    <configuration-handling>merge</configuration-handling>
    <pre-configuration-script>base64encodedvalue==</pre-configuration-script>
    <configuration>base64encodedvalue==</configuration>
    <post-configuration-script>base64encodedvalue==</post-configuration-script>
  </onboarding-information>
</conveyed-information>
2. Owner certificate: contains the public key certificate of the customer. The
device can use this certificate to verify the signature of the conveyed
information.
3. Ownership voucher: is signed by Huawei. The customer needs to provide the
pinned domain certificate and the ESN of the device to be deployed. Huawei
generates and provides the ownership voucher for the customer. For details
about the ownership voucher, see RFC 8366.
Example:
{
  "ietf-voucher:voucher": {
    "created-on": "2023-05-30T19:31:42Z",
    "expires-on": "2023-09-30T19:31:42Z",
    "assertion": "verified",
    "serial-number": "BARCODETEST20200620",
    "idevid-issuer": "base64encodedvalue==",
    "pinned-domain-cert": "base64encodedvalue==",
    "domain-cert-revocation-checks": "false",
    "last-renewal-date": ""
  }
}
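What the device does with the bootstrapping data above is parse the conveyed-information, follow a redirect or, for onboarding-information, download the boot image and compare it against the image-verification entry, and check that the ownership voucher names its own serial number and is still within its validity window. The following is an added example of those steps in Python, not Huawei's implementation: it uses ElementTree on constructed samples shaped like the XML and JSON above (the image bytes, the second redirect server without a port, and the trimmed voucher are made up for the example). An image-verification entry whose hash-algorithm identity the device does not recognise is skipped, never treated as a pass, and a missing port falls back to 443 as RFC 8572 specifies.

```python
import hashlib
import hmac
import json
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {'ci': 'urn:ietf:params:xml:ns:yang:ietf-sztp-conveyed-info'}
# Hash identities the device is willing to verify with; anything else is ignored, not trusted.
SUPPORTED_HASHES = {'ietf-sztp-conveyed-info:sha-256': hashlib.sha256}

# Constructed samples shaped like the examples above (not real artefacts).
IMAGE_BYTES = b'constructed sample image contents\n'
ONBOARDING_XML = '''<conveyed-information xmlns="urn:ietf:params:xml:ns:yang:ietf-sztp-conveyed-info">
  <onboarding-information>
    <boot-image>
      <download-uri>https://example.com/path/to/image/image.cc</download-uri>
      <image-verification>
        <hash-algorithm>ietf-sztp-conveyed-info:sha-256</hash-algorithm>
        <hash-value>%s</hash-value>
      </image-verification>
    </boot-image>
    <configuration-handling>merge</configuration-handling>
  </onboarding-information>
</conveyed-information>''' % hashlib.sha256(IMAGE_BYTES).hexdigest()
REDIRECT_XML = '''<conveyed-information xmlns="urn:ietf:params:xml:ns:yang:ietf-sztp-conveyed-info">
  <redirect-information>
    <bootstrap-server><address>https://sztp1.example.com</address><port>90</port></bootstrap-server>
    <bootstrap-server><address>https://sztp2.example.com</address></bootstrap-server>
  </redirect-information>
</conveyed-information>'''
VOUCHER_JSON = '''{"ietf-voucher:voucher": {"created-on": "2023-05-30T19:31:42Z",
  "expires-on": "2023-09-30T19:31:42Z", "assertion": "verified",
  "serial-number": "BARCODETEST20200620", "pinned-domain-cert": "base64encodedvalue=="}}'''


def parse_conveyed_info(xml_text):
    """Return a dict describing whichever variant of conveyed-information was received."""
    root = ET.fromstring(xml_text)
    redirect = root.find('ci:redirect-information', NS)
    if redirect is not None:
        servers = []
        for srv in redirect.findall('ci:bootstrap-server', NS):
            servers.append({
                'address': srv.findtext('ci:address', namespaces=NS),
                'port': int(srv.findtext('ci:port', default='443', namespaces=NS)),  # RFC 8572 default
                'trust_anchor': srv.findtext('ci:trust-anchor', namespaces=NS),
            })
        return {'kind': 'redirect', 'bootstrap_servers': servers}
    onboarding = root.find('ci:onboarding-information', NS)
    if onboarding is None:
        raise ValueError('conveyed-information carries neither variant')
    image = onboarding.find('ci:boot-image', NS)
    uris, checks = [], []
    if image is not None:
        uris = [u.text for u in image.findall('ci:download-uri', NS)]
        for v in image.findall('ci:image-verification', NS):
            # yang:hex-string may be colon separated; the example above uses plain hex.
            value = v.findtext('ci:hash-value', default='', namespaces=NS)
            checks.append((v.findtext('ci:hash-algorithm', namespaces=NS),
                           value.replace(':', '').lower()))
    return {'kind': 'onboarding', 'download_uris': uris, 'image_verification': checks,
            'configuration_handling': onboarding.findtext('ci:configuration-handling', namespaces=NS)}


def image_matches(info, image_bytes):
    """True only if some image-verification entry uses a supported algorithm and its digest matches."""
    for algorithm, expected in info.get('image_verification', []):
        hasher = SUPPORTED_HASHES.get(algorithm)
        if hasher is None:
            continue
        if hmac.compare_digest(hasher(image_bytes).hexdigest(), expected):
            return True
    return False


def voucher_is_usable(voucher_json, device_serial, now_iso):
    """Check that the voucher names this device's serial number and that now_iso lies in its validity window."""
    v = json.loads(voucher_json)['ietf-voucher:voucher']

    def ts(s):  # accept the 'Z' suffix on every Python 3 version
        return datetime.fromisoformat(s.replace('Z', '+00:00'))

    now = ts(now_iso)
    if v.get('serial-number') != device_serial:
        return False
    if now < ts(v['created-on']):
        return False
    expires = v.get('expires-on')
    return expires is None or now <= ts(expires)
```

The signature over the conveyed-information and the chain from pinned-domain-cert to the owner certificate are deliberately outside this example; they are where the real trust decision is made, and the parsing shown here only runs after that check has passed.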
----End
Context
A file server stores the files to be downloaded to devices with factory
configurations, including intermediate files and deployment files. If a device is
configured as the file server, those files will occupy a significant amount of device
storage resources. To ensure the device performance, a third-party file server is
typically used on a ZTP network. For details about how to configure a third-party
file server, see the third-party server operation guide.
The intermediate file server and deployment file server can be the same file server.
The file server must be an SFTP file server. Currently, the device uses the SHA2
algorithm by default. The file server must also support the SHA2 algorithm. You
can run the display this include-default | include ssh command to check the
algorithms used by the client and server. At least one algorithm supported by the
file server must be the same as that supported by the device.
Procedure
Step 1 Configure the file server. SFTP and HTTPS file servers are recommended because
they are more secure than FTP and HTTP file servers.
NOTE
● If a Huawei device is used as the file server, see "Managing Files Using SFTP" in CLI
Configuration Guide > Basic Configuration.
● If a third-party device is used as the file server, see the operation guide of the third-
party SFTP or HTTPS file server.
● The file server used for SZTP must have the HTTPS server capability, but Huawei devices
do not provide the capability. Therefore, a third-party server needs to be deployed. For
details about how to configure a third-party server, see the third-party server operation
guide.
Step 2 Place the intermediate file and deployment files to the working directory of the
file server.
The HTTPS deployment file server has certain requirements on the length of the
deployment file name. Ensure that the following requirements are met:
To ensure security of the file server, configure a unique user name for the file server and
assign the read-only permission to the user to prevent unauthorized modification of the
files. After the ZTP process is complete, disable the file server function.
----End
Context
A device with factory configurations has never started ZTP before. In its factory
configurations, the ZTP function is enabled by default. To start ZTP, you only need
to power on the device. The ZTP function can be disabled on a device. If you log in
to a device through the console port and disable the ZTP function when the device
starts with factory configurations, the ZTP process is terminated. To enable the
device to execute the ZTP process when it starts with factory configurations next
time, you need to enable the ZTP function.
Procedure
Step 1 Power on the device.
To disable a device from running the ZTP process upon startup with factory
configurations, run the set ztp disable command on the device.
reboot fast
----End
Follow-up Procedure
If deployment fails, analyze ZTP logs on the device to determine the cause. ZTP
logs are saved in the file named ztp_YYYYMMHHMMSS.log in the flash:/
directory.
Prerequisites
The device has been deployed.
Context
If the device needs to be managed by iMaster NCE-Campus but no certificate is
preconfigured on the controller, you need to import the CA certificate trusted
by the controller to the device.
The bootstrap server stores the CA certificate trusted by the controller. Currently,
iMaster NCE-Campus integrates the function of the bootstrap server. The device
needs to download the CA certificate NCE-bootstrap.pem from the bootstrap
server and import the certificate to the default domain.
A maximum of 10 bootstrap servers can be configured for the device. The
bootstrap servers with the same IP address and VPN instance name are considered
as one bootstrap server. The interaction process between the device and bootstrap
server is as follows:
1. The device proactively establishes an HTTPS connection with a bootstrap
server.
2. The device sends a request packet to the bootstrap server to download a CA
certificate. The request packet carries the device ESN or the IP address of the
bootstrap server.
3. The bootstrap server searches for the CA certificate based on the ESN or IP
address in the request packet and sends a response packet carrying the CA
certificate to the device. The response packet also carries the device ESN or
the IP address of the bootstrap server.
4. After receiving the response packet from the bootstrap server, the device
terminates the HTTPS connection with the bootstrap server, parses the
response packet, and verifies the validity of the certificate. If the verification
fails, the device cannot obtain the CA certificate. In this case, the device
attempts to obtain the CA certificate from the next bootstrap server. The
device will keep doing so until it successfully obtains a CA certificate.
Procedure
Step 1 Enter the system view.
system-view
Step 3 Configure the device to download a CA certificate from the bootstrap server.
ztp certificate-remote { ipv4-addr | ipv6 ipv6-addr } [ vpn-instance vpnvalue ] port portvalue ssl-policy policyname [ verify-type esn ]
----End
Networking Requirements
In Figure 6-14, DeviceA and DeviceB are two devices with factory configurations
on the network, and both are connected to DeviceC, which functions as the egress
gateway of DeviceA and DeviceB. There are reachable routes between DeviceC
and the DHCP server, and between DeviceC and the file server.
The customer requires that DeviceA and DeviceB automatically load the system
software and configuration files after they are powered on to reduce labor costs
and device deployment time.
Table 6-15 lists information about DeviceA and DeviceB, and the files to be
loaded to them.
In this example, interface1, interface2, and interface3 represent 10GE1/0/1, 10GE1/0/2, and
10GE1/0/3, respectively.
Configuration Roadmap
The configuration roadmap is as follows:
1. Edit the intermediate file.
2. Configure the DHCP server.
3. Configure the DHCP relay agent.
4. Configure the file server.
5. Power on DeviceA and DeviceB to start the ZTP process.
Procedure
Step 1 Edit the intermediate file according to 6.6.4 Intermediate File in the Python
Format, and name the file ztp_script.py. For details about the file content, see
Configuration Scripts.
Step 2 Configure the DHCP server.
# Configure the IP address pool that the DHCP server uses to allocate IP addresses
to DeviceA and DeviceB and set DHCP options by referring to Table 6-16. In this
example, a Huawei device is used as the DHCP server.
<HUAWEI> system-view
[HUAWEI] sysname dhcp_server
[dhcp_server] dhcp enable
[dhcp_server] ip pool pool1
[dhcp_server-ip-pool-pool1] gateway-list 10.1.1.1
[dhcp_server-ip-pool-pool1] network 10.1.1.0 mask 255.255.255.0
[dhcp_server-ip-pool-pool1] option 67 cipher sftp://sftp_user:Hyx_Hy1234@10.1.3.2/ztp_script.py
[dhcp_server-ip-pool-pool1] quit
[dhcp_server] vlan batch 10
[dhcp_server] interface 10ge 1/0/3
[dhcp_server-10GE1/0/3] port link-type trunk
[dhcp_server-10GE1/0/3] port trunk allow-pass vlan 10
[dhcp_server-10GE1/0/3] quit
[dhcp_server] interface vlanif 10
[dhcp_server-Vlanif10] ip address 10.1.2.2 24
[dhcp_server-Vlanif10] quit
[DeviceC-1/0/2] quit
[DeviceC] interface vlanif 10
[DeviceC-Vlanif10] ip address 10.1.1.1 24
[DeviceC-Vlanif10] quit
[DeviceC] dhcp enable
[DeviceC] interface vlanif 10
[DeviceC-Vlanif10] dhcp select relay
[DeviceC-Vlanif10] dhcp relay server-ip 10.1.2.2
----End
Configuration Scripts
● DeviceC
#
sysname DeviceC
#
vlan batch 10
#
dhcp enable
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.1.2.2
#
interface 10GE1/0/1
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10
#
interface 10GE1/0/2
port link-type trunk
● DHCP server
#
sysname dhcp_server
#
dhcp enable
#
vlan batch 10
#
ip pool pool1
gateway-list 10.1.1.1
network 10.1.1.0 mask 255.255.255.0
option 67 cipher %+%#,nl-3C^(L"r2cE=]>Z[X2Xo+<e0-S;@s"#ReXBA(h>4\4h_@P']"!t4*26):
0x31:fqp7Jz4FG'SYLo#%+%#
#
interface Vlanif10
ip address 10.1.2.2 255.255.255.0
#
interface 10GE1/0/3
port link-type trunk
port trunk pvid vlan 10
#
return
● Intermediate file
For details about the intermediate file, see 6.6.3 Intermediate File in the INI
Format and 6.6.4 Intermediate File in the Python Format.
Networking Requirements
In Figure 6-15, DeviceA and DeviceB are two devices with factory configurations
on the network, and both are connected to DeviceC, which functions as the egress
gateway of DeviceA and DeviceB. There are reachable routes between DeviceC
and the DHCP server, and between DeviceC and the file server.
The customer requires that DeviceA and DeviceB automatically load the system
software and configuration files after they are powered on to reduce labor costs
and device deployment time.
Table 6-17 lists information about DeviceA and DeviceB, and the files to be
loaded to them.
In this example, interface1, interface2, and interface3 represent 10GE1/0/1, 10GE1/0/2, and
10GE1/0/3, respectively.
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Edit the masterkey.ini file.
1. Create a .txt file and change the file name to masterkey.ini. The following
uses saving the configuration file as an example. The password is
YsHsjx_202206. Edit the file as follows:
[BEGIN]
EXPORTCFG=YsHsjx_202206
[END]
# Configure the IP address pool that the DHCP server uses to allocate IP addresses
to DeviceA and DeviceB and set DHCP options by referring to Table 6-18. In this
example, a Huawei device is used as the DHCP server.
<HUAWEI> system-view
[HUAWEI] sysname dhcp_server
[dhcp_server] dhcp enable
[dhcp_server] ip pool pool1
[dhcp_server-ip-pool-pool1] gateway-list 10.1.1.1
[dhcp_server-ip-pool-pool1] network 10.1.1.0 mask 255.255.255.0
[dhcp_server-ip-pool-pool1] option 67 cipher sftp://sftp_user:Hyx_Hy1234@10.1.3.2/conf_file.cfg
[dhcp_server-ip-pool-pool1] option 145 ascii vrpfile=software_file.cc;masterfile=masterkey.ini;
[dhcp_server-ip-pool-pool1] quit
[dhcp_server] vlan batch 10
[dhcp_server] interface 10ge 1/0/3
[dhcp_server-10GE1/0/3] port link-type trunk
[dhcp_server-10GE1/0/3] port trunk allow-pass vlan 10
[dhcp_server-10GE1/0/3] quit
[dhcp_server] interface vlanif 10
[dhcp_server-Vlanif10] ip address 10.1.2.2 24
[dhcp_server-Vlanif10] quit
# Configure the DHCP relay function on DeviceC. Set the IP address of the
interface connecting DeviceC to DeviceA and DeviceB to 10.1.1.1 to configure
DeviceC as the default gateway of DeviceA and DeviceB.
<HUAWEI> system-view
[HUAWEI] sysname DeviceC
[DeviceC] vlan batch 10
[DeviceC] interface 10ge 1/0/1
[DeviceC-10GE1/0/1] port link-type trunk
[DeviceC-10GE1/0/1] port trunk allow-pass vlan 10
[DeviceC-10GE1/0/1] port trunk pvid vlan 10
[DeviceC-10GE1/0/1] quit
[DeviceC] interface 10ge 1/0/2
[DeviceC-10GE1/0/2] port link-type trunk
[DeviceC-10GE1/0/2] port trunk allow-pass vlan 10
[DeviceC-10GE1/0/2] port trunk pvid vlan 10
[DeviceC-10GE1/0/2] quit
[DeviceC] interface vlanif 10
[DeviceC-Vlanif10] ip address 10.1.1.1 24
[DeviceC-Vlanif10] quit
[DeviceC] dhcp enable
[DeviceC] interface vlanif 10
[DeviceC-Vlanif10] dhcp select relay
[DeviceC-Vlanif10] dhcp relay server-ip 10.1.2.2
# If a device is configured as the file server, files will occupy a significant amount
of device storage resources. To ensure the device performance, a third-party file
server is typically used on a ZTP network. For details about how to configure a
third-party file server, see the third-party server operation guide.
# After configuring the file server, save the system software, configuration files,
and intermediate files to be loaded to DeviceA and DeviceB in the D:\ztp directory.
Step 5 Power on DeviceA and DeviceB to start the ZTP process.
----End
Configuration Scripts
● DeviceC
#
sysname DeviceC
#
vlan batch 10
#
dhcp enable
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.1.2.2
#
interface 10GE1/0/1
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10
#
interface 10GE1/0/2
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10
#
return
● DHCP server
#
sysname dhcp_server
#
dhcp enable
#
vlan batch 10
#
ip pool pool1
gateway-list 10.1.1.1
network 10.1.1.0 mask 255.255.255.0
option 67 cipher %+%#,nl-3C^(L"r2cE=]>Z[X2Xo+<e0-S;@s"#ReXBA(h>4\4h_@P']"!t4*26):
0x31:fqp7Jz4FG'SYLo#%+%#
option 145 ascii vrpfile=software_file.cc;masterfile=masterkey.ini;
#
interface Vlanif10
ip address 10.1.2.2 255.255.255.0
#
interface 10GE1/0/3
port link-type trunk
port trunk pvid vlan 10
#
return
In this example, interface1, interface2, and interface3 represent 10GE1/0/1, 10GE1/0/2, and
10GE1/0/3, respectively.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the DHCP server.
2. Configure the DHCP relay agent.
3. Configure the bootstrap server.
4. Configure the HTTPS deployment file server.
5. Power on DeviceA and DeviceB to start the SZTP process.
Procedure
Step 1 Configure the DHCP server.
# Configure the IP address pool that the DHCP server uses to allocate IP addresses
to DeviceA and DeviceB and set DHCP options by referring to Table 6-20. In this
example, a Huawei device is used as the DHCP server.
<HUAWEI> system-view
[HUAWEI] sysname dhcp_server
[dhcp_server] dhcp enable
[dhcp_server] ip pool pool1
[dhcp_server-ip-pool-pool1] gateway-list 10.1.1.1
[dhcp_server-ip-pool-pool1] network 10.1.1.0 mask 255.255.255.0
[dhcp_server-ip-pool-pool1] option 143 hex 001268747470733a2f2f31302e312e342e323a31
[dhcp_server-ip-pool-pool1] quit
[dhcp_server] vlan batch 10
[dhcp_server] interface 10ge 1/0/3
[dhcp_server-10GE1/0/3] port link-type trunk
[dhcp_server-10GE1/0/3] port trunk allow-pass vlan 10
[dhcp_server-10GE1/0/3] quit
[dhcp_server] interface vlanif 10
[dhcp_server-Vlanif10] ip address 10.1.2.2 24
[dhcp_server-Vlanif10] quit
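How the option 143 value above is built, as an added example that is not Huawei code: RFC 8572 section 8.1 defines the DHCPv4 SZTP redirect option as a list of bootstrap-server URIs, each preceded by a 2-octet big-endian length, so the hex string in the configuration decodes to https://10.1.4.2:1. The second URI used in the test is a constructed value.

```python
"""Encoder/decoder for the DHCPv4 SZTP redirect option (option 143,
RFC 8572 section 8.1). Added example, not Huawei code."""
import struct

# The value used with "option 143 hex" in the DHCP server configuration above.
PAGE_OPTION_143 = "001268747470733a2f2f31302e312e342e323a31"


def encode_sztp_redirect(uris):
    """Serialise bootstrap-server URIs as option 143 data: for each URI a
    2-octet big-endian uri-length followed by the URI bytes."""
    out = bytearray()
    for uri in uris:
        data = uri.encode("ascii")
        if not 0 < len(data) <= 0xFFFF:
            raise ValueError(f"URI length out of range: {uri!r}")
        out += struct.pack(">H", len(data)) + data
    return out.hex()


def decode_sztp_redirect(hexstr):
    """Parse option 143 data back into a list of URIs. Truncated length
    fields or URI bodies are rejected rather than silently shortened."""
    raw = bytes.fromhex(hexstr)
    uris, pos = [], 0
    while pos < len(raw):
        if pos + 2 > len(raw):
            raise ValueError("truncated uri-length field")
        (n,) = struct.unpack(">H", raw[pos:pos + 2])
        pos += 2
        if n == 0 or pos + n > len(raw):
            raise ValueError("empty or truncated uri-data")
        uris.append(raw[pos:pos + n].decode("ascii"))
        pos += n
    return uris


def non_https_uris(uris):
    """RFC 8572 bootstrap servers are reached over HTTPS; return any URI
    handed out by DHCP that uses a different scheme, for review."""
    return [u for u in uris if not u.lower().startswith("https://")]
```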
# Huawei devices do not support the bootstrap server function. In the SZTP
networking, a third-party server needs to be deployed. For details about how to
configure a third-party server, see the third-party server operation guide.
# On the bootstrap server, set the IP address of the HTTPS file server to 10.1.3.2,
and set the deployment files, configuration files, and their paths for DeviceA and
DeviceB.
# Huawei devices do not support the HTTPS server function. In the SZTP
networking, a third-party server needs to be deployed. For details about how to
configure a third-party server, see the third-party server operation guide.
# After configuring the file server, save the deployment files and configuration
files to be loaded to devices to the paths specified on the bootstrap server.
----End
Configuration Scripts
● DeviceC
#
sysname DeviceC
#
vlan batch 10
#
dhcp enable
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.1.2.2
#
interface 10GE1/0/1
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10
#
interface 10GE1/0/2
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10
#
return
● DHCP server
#
sysname dhcp_server
#
dhcp enable
#
vlan batch 10
#
ip pool pool1
gateway-list 10.1.1.1
network 10.1.1.0 mask 255.255.255.0
option 143 hex 001268747470733a2f2f31302e312e342e323a31
#
interface Vlanif10
ip address 10.1.2.2 255.255.255.0
#
interface 10GE1/0/3
port link-type trunk
port trunk pvid vlan 10
#
return
Only products with USB ports support USB-based deployment. For product hardware
information, see "Get to Know the Product" > "Hardware Description" in the corresponding
product documentation.
Fundamentals
Before initiating USB-based deployment, create an intermediate file named usb.ini
and save it to the root directory of the USB flash drive. Then save the deployment
files to be loaded to the directory specified in the usb.ini file. Insert the USB flash
drive into the device; the device will automatically load the deployment files based
on the usb.ini file.
Implementation Process
Implementation Process shows the implementation process of USB-based
deployment.
1. Powering on the device and inserting the USB flash drive into the device
After the device is powered on and starts, it detects the USB flash drive. If the
device has no configuration file, it directly enters the USB-based deployment
process. If the device has a configuration file, it checks whether the USB-
based deployment function is enabled. A device with a configuration file can
enter the USB-based deployment process only when the function is enabled.
The device then checks whether the intermediate file usb.ini exists in the root
directory of the USB flash drive. If not, the deployment process exits.
2. Reading the intermediate file and obtaining deployment files
The device reads the usb.ini file in the root directory of the USB flash drive
and obtains deployment files from the directory specified in the usb.ini file.
If the device fails to read the intermediate file, the USB-based deployment
process exits. If no deployment file is obtained from the specified directory in
the USB flash drive, the USB-based deployment process ends due to the
exception.
3. Performing security check
– If the function of compressing deployment files with a password is
enabled in the intermediate file and the file also requires hash-based
message authentication code (HMAC) verification of the integrity of the
deployment files, the device decompresses the deployment files and then
performs HMAC verification. The deployment process can continue only after
the deployment files have been decompressed and verified successfully.
– If the function of compressing deployment files with a password is
enabled in the intermediate file but the file does not require HMAC
verification of the integrity of the deployment files, the device only
decompresses the deployment files. The deployment process continues after
the deployment files have been decompressed successfully.
– If the function of compressing the deployment files with a password is
not enabled in the intermediate file and the file requires HMAC
verification of the integrity of the deployment files, the device directly
performs HMAC verification on the deployment files. The deployment process
continues after the deployment files have been verified successfully.
4. Deployment end
The device determines whether to activate a deployment file online or
whether to set a deployment file as the system startup file according to the
deployment file type, and then restarts to complete automatic deployment.
Context
Before USB-based ZTP, you need to prepare the configuration file and
intermediate file. The configuration file can be copied from other devices, and the
intermediate file needs to be manually edited.
NOTE
To ensure security, you are advised to run the save shareable-configuration command to
export the configuration file and not advised to manually edit the configuration file.
Ensure that the configuration file for deployment contains the console password or an AAA
user name that can be used to log in to the device remotely. Otherwise, the configuration
file cannot be successfully set, causing a deployment failure.
Procedure
Step 1 Save the configuration file on the device that provides the configuration file.
save shareable-configuration configuration-file
Step 2 Export the configuration file from the device to the USB flash drive.
Step 3 Edit the intermediate file. Create a text file named usb.ini on the terminal, and
edit the intermediate file by referring to 6.7.3 Intermediate File for USB-based
Deployment.
Step 4 Copy the intermediate file usb.ini to the root directory of the USB flash drive.
NOTE
The file system format of a USB flash drive must be FAT32 or EXT4 and its interface must
be USB 2.0 compliant.
Step 5 Copy the configuration file to the directory specified by DIRECTORY in the usb.ini
file.
----End
[DEVICE_TYPE_1 DESCRIPTION]
DEVICE_TYPE=
ESN=
MAC=
VRPVER=
SPACE_CLEAR=1
DIRECTORY=
ACTIVE_DELAYTIME=10
ACTIVE_INTIME=
*FILETYPENUM=6
*FILENAME_1=software_file1.cc
*TYPE_1=SOFTWARE
*EFFECTIVE_MODE_1=1
ISBATCHPROCESS_1=0
SHA256_1=
HMAC_1=
COMPRESS_ENCRYTION_1=
*FILENAME_2=file1_cfg.zip
*TYPE_2=CFG
*EFFECTIVE_MODE_2=2
ISBATCHPROCESS_2=0
SHA256_2=
HMAC_2=
COMPRESS_ENCRYTION_2=1
*FILENAME_3=lic_file1.xml
*TYPE_3=LIC
*EFFECTIVE_MODE_3=1
ISBATCHPROCESS_3=0
SHA256_3=
HMAC_3=
COMPRESS_ENCRYTION_3=
*FILENAME_4=pat_file1.PAT
*TYPE_4=PAT
*EFFECTIVE_MODE_4=1
ISBATCHPROCESS_4=1
SHA256_4=d4b1670069a2b2b9fbe0eaaf872564c305783d438fc6a020ce8aa05f91053d5e
HMAC_4=
COMPRESS_ENCRYTION_4=
*FILENAME_5=pat_file2.MOD
*TYPE_5=PAT
*EFFECTIVE_MODE_5=0
ISBATCHPROCESS_5=0
SHA256_5=c7f70c5bd82a1ccb71eb3b6a837d8311594cba0ebf00f84bcccf2578fcf83698
HMAC_5=
*FILENAME_6=user_file1.log
*TYPE_6=USER
*EFFECTIVE_MODE_6=2
ISBATCHPROCESS_6=0
SHA256_6=
HMAC_6=
COMPRESS_ENCRYTION_6=
SPACE_CLEAR (mandatory: No)
Whether to automatically clean up the system storage space in the case of
space insufficiency. The value is of the enumerated type.
● 0: The system storage space is not cleaned up.
● 1: Only system software among deployment files is deleted.
● 2: In-depth cleanup is performed. System software among deployment files
is deleted first. If the available space is still insufficient, unnecessary
files are deleted.
If this field is left empty or set to DEFAULT, the space is not cleaned up.
The default value is DEFAULT.
NOTE
In-depth cleanup involves some inherent risks. As such, you are advised to
back up required files locally before performing in-depth cleanup.
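An offline checker for the usb.ini file and the deployment files it lists, as an added example that is not Huawei code: it parses the sections and fields shown in the template above, flags empty mandatory (*) fields, and applies the SHA256 and HMAC integrity checks described under Implementation Process before the USB flash drive is handed to a device. Assumptions: HMAC_n is HMAC-SHA256 over the file bytes with an operator-supplied key (the guide does not state the algorithm), and files with COMPRESS_ENCRYTION_n=1 are left to the device to decompress before its own HMAC check; the USB root, key and file contents in the demo are constructed.

```python
"""Offline checker for a usb.ini intermediate file and the files it lists.
Added example, not Huawei code. Assumed: HMAC_n is HMAC-SHA256 over the
file bytes with an operator-supplied key; files with COMPRESS_ENCRYTION_n=1
are decompressed on the device and therefore skipped here."""
import hashlib
import hmac
import os
import tempfile


def parse_usb_ini(text):
    """Return {section: {key: value, "__mandatory__": {keys}}}. A leading
    '*' marks a mandatory key in the template; it is stripped from the key."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # ;BEGIN USB / ;END USB CONFIG
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {"__mandatory__": set()}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {line!r}")
        key, _, value = line.partition("=")
        key = key.strip()
        if key.startswith("*"):
            key = key[1:]
            sections[current]["__mandatory__"].add(key)
        sections[current][key] = value.strip()
    return sections


def empty_mandatory(fields):
    """Mandatory keys of one section whose value is empty."""
    return sorted(k for k in fields["__mandatory__"] if not fields.get(k))


def file_records(fields):
    """One record per FILENAME_n/TYPE_n pair, n = 1..FILETYPENUM."""
    for i in range(1, int(fields["FILETYPENUM"]) + 1):
        yield {
            "name": fields[f"FILENAME_{i}"],
            "type": fields[f"TYPE_{i}"],
            "sha256": fields.get(f"SHA256_{i}", ""),
            "hmac": fields.get(f"HMAC_{i}", ""),
            "compressed": fields.get(f"COMPRESS_ENCRYTION_{i}", "") == "1",
        }


def verify_file(path, rec, hmac_key):
    """Return 'ok', 'missing', 'sha256-mismatch', 'hmac-mismatch' or
    'compressed' (password-compressed: decompressed on the device first)."""
    if not os.path.isfile(path):
        return "missing"
    if rec["compressed"]:
        return "compressed"
    with open(path, "rb") as f:
        data = f.read()
    if rec["sha256"] and hashlib.sha256(data).hexdigest() != rec["sha256"].lower():
        return "sha256-mismatch"
    if rec["hmac"]:
        mac = hmac.new(hmac_key, data, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, rec["hmac"].lower()):
            return "hmac-mismatch"
    return "ok"


def verify_usb_tree(root, ini_text, hmac_key=b""):
    """Check every file of every [DEVICE_TYPE_n DESCRIPTION] section; files
    are looked up in DIRECTORY below the USB root (the root when empty)."""
    report = {}
    for name, fields in parse_usb_ini(ini_text).items():
        if not name.endswith("DESCRIPTION"):
            continue
        base = os.path.join(root, fields.get("DIRECTORY", ""))
        report[name] = {
            "missing_fields": empty_mandatory(fields),
            "files": {r["name"]: verify_file(os.path.join(base, r["name"]), r, hmac_key)
                      for r in file_records(fields)},
        }
    return report


def demo():
    """Constructed USB root: a correct image plus a config file whose
    recorded SHA256 does not match its content (tampered in transit)."""
    key = b"constructed-hmac-key"
    root = tempfile.mkdtemp()
    image = b"constructed system software image\n"
    with open(os.path.join(root, "software_file.cc"), "wb") as f:
        f.write(image)
    with open(os.path.join(root, "conf_file1.cfg"), "wb") as f:
        f.write(b"sysname DeviceA\n")
    ini = (
        ";BEGIN USB\n[GLOBAL CONFIG]\n*TIME_SN=20200526120159\n*DEVICE_TYPE_NUM=1\n"
        "[DEVICE_TYPE_1 DESCRIPTION]\nESN=CONSTRUCTED-ESN\nDIRECTORY=\n*FILETYPENUM=2\n"
        "*FILENAME_1=software_file.cc\n*TYPE_1=SOFTWARE\n*EFFECTIVE_MODE_1=0\n"
        f"SHA256_1={hashlib.sha256(image).hexdigest()}\n"
        f"HMAC_1={hmac.new(key, image, hashlib.sha256).hexdigest()}\n"
        "*FILENAME_2=conf_file1.cfg\n*TYPE_2=CFG\n*EFFECTIVE_MODE_2=\n"
        f"SHA256_2={'0' * 64}\n;END USB CONFIG\n"
    )
    return verify_usb_tree(root, ini, key)
```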
Context
To ensure the security of deployment files, you can encrypt and compress the files
and configure HMAC key-based integrity verification.
To compress a deployment file and configure HMAC key-based verification, you must
calculate the hash value for the file and compress the deployment file with a password.
Procedure
Step 1 Enter the system view.
system-view
NOTE
If the weak password dictionary maintenance function is enabled, the passwords defined in
the weak password dictionary cannot be used. To view these passwords, run the display
security weak-password-dictionary command.
----End
Procedure
Step 1 Enter the system view.
system-view
Step 2 (Optional) Enable the ZTP function on the device. By default, a device
automatically starts the ZTP process after it is powered on and starts with factory
configurations. You can disable the ZTP function on a device. If you log in to a
device through the console port and disable the ZTP function when the device
starts with factory configurations, the ZTP process is terminated. To enable the
device to execute the ZTP process when it starts with factory configurations next
time, you need to enable the ZTP function.
set ztp enable
NOTE
This command does not take effect for USB-based deployment on a device with non-
factory configurations.
By default, the USB-based deployment function is not enabled for a device with a
non-factory configuration file.
NOTE
This command takes effect only when a USB flash drive is installed on the device that has a
configuration file.
----End
Context
When using a USB flash drive for deployment, you can observe the USB indicator
to determine the progress of USB-based deployment.
Procedure
Step 1 A device completes the USB-based deployment process within about 15
minutes after it is powered on. You can then log in to the device to check
whether the startup files are the required ones.
display startup
----End
Follow-up Procedure
If deployment fails, analyze USB logs on the device to determine the cause. ZTP-
related logs are saved in the ztp_YearMonthHourMinuteSecond.log file in the
flash:/ directory and in the ztp_esn_YearMonthHourMinuteSecond.log file in the
root directory of the USB flash drive.
NOTE
You can run the display device esn command to obtain the ESN of a device.
Prerequisites
The device has been deployed.
Context
If the device needs to be managed by iMaster NCE-Campus but no certificate is
preconfigured on the controller, you need to import the CA certificate trusted
by the controller to the device.
The bootstrap server stores the CA certificate trusted by the controller. Currently,
iMaster NCE-Campus integrates the function of the bootstrap server. The device
needs to download the CA certificate NCE-bootstrap.pem from the bootstrap
server and import the certificate to the default domain.
A maximum of 10 bootstrap servers can be configured for the device. The
bootstrap servers with the same IP address and VPN instance name are considered
as one bootstrap server. The interaction process between the device and bootstrap
server is as follows:
1. The device proactively establishes an HTTPS connection with a bootstrap
server.
2. The device sends a request packet to the bootstrap server to download a CA
certificate. The request packet carries the device ESN or the IP address of the
bootstrap server.
3. The bootstrap server searches for the CA certificate based on the ESN or IP
address in the request packet and sends a response packet carrying the CA
certificate to the device. The response packet also carries the device ESN or
the IP address of the bootstrap server.
4. After receiving the response packet from the bootstrap server, the device
terminates the HTTPS connection with the bootstrap server, parses the
response packet, and verifies the validity of the certificate. If the verification
fails, the device cannot obtain the CA certificate. In this case, the device
attempts to obtain the CA certificate from the next bootstrap server. The
device will keep doing so until it successfully obtains a CA certificate.
After successfully obtaining the CA certificate NCE-bootstrap.pem from the
bootstrap server, the device automatically imports the certificate to the default
domain.
Procedure
Step 1 Enter the system view.
system-view
Step 3 Configure the device to download a CA certificate from the bootstrap server.
ztp certificate-remote { ipv4-addr | ipv6 ipv6-addr } [ vpn-instance vpnvalue ] port portvalue ssl-policy policyname [ verify-type esn ]
----End
Networking Requirements
A new network needs to be deployed. DeviceA and DeviceB are two devices
without a configuration file, and the customer requires that they automatically
load system software and configuration files after they are powered on to reduce
labor costs and deployment time. Table 6-22 lists device information and files to
be loaded to DeviceA and DeviceB.
Configuration Roadmap
The configuration roadmap is as follows:
1. Edit the intermediate file usb.ini to enable the devices to obtain their system
software and configuration files according to the intermediate file.
2. Save the usb.ini file to the root directory of the USB flash drive and system
software and configuration files to the USB flash drive path specified in the
intermediate file.
3. Insert the USB flash drive into the devices and power them on.
Procedure
Step 1 Edit the intermediate file usb.ini according to the file format requirements in 6.7.3
Intermediate File for USB-based Deployment. The file format is as follows:
;BEGIN USB
[GLOBAL CONFIG]
*TIME_SN=20200526120159
*DEVICE_TYPE_NUM=2
[DEVICE_TYPE_1 DESCRIPTION]
DEVICE_TYPE=
ESN=2102311LDL0000000806
MAC=
VRPVER=
SPACE_CLEAR=1
DIRECTORY=
ACTIVE_DELAYTIME=10
ACTIVE_INTIME=
*FILETYPENUM=2
*FILENAME_1=software_file.cc
*TYPE_1=SOFTWARE
*EFFECTIVE_MODE_1=0
ISBATCHPROCESS_1=0
SHA256_1=
HMAC_1=
COMPRESS_ENCRYTION_1=
*FILENAME_2=conf_file1.cfg
*TYPE_2=CFG
*EFFECTIVE_MODE_2=0
ISBATCHPROCESS_2=0
SHA256_2=
HMAC_2=
COMPRESS_ENCRYTION_2=
[DEVICE_TYPE_2 DESCRIPTION]
DEVICE_TYPE=
ESN=2102311LDL0000000918
MAC=
VRPVER=
SPACE_CLEAR=1
DIRECTORY=
ACTIVE_DELAYTIME=10
ACTIVE_INTIME=
*FILETYPENUM=2
*FILENAME_1=software_file.cc
*TYPE_1=SOFTWARE
*EFFECTIVE_MODE_1=0
ISBATCHPROCESS_1=0
SHA256_1=
HMAC_1=
COMPRESS_ENCRYTION_1=
*FILENAME_2=conf_file2.cfg
*TYPE_2=CFG
*EFFECTIVE_MODE_2=0
ISBATCHPROCESS_2=0
SHA256_2=
HMAC_2=
COMPRESS_ENCRYTION_2=
;END USB CONFIG
Step 2 Save the usb.ini file to the root directory of the USB flash drive and system
software and configuration files to the USB flash drive path specified in the
intermediate file.
Step 3 Insert the USB flash drive into DeviceA and power on the device.
Step 4 After DeviceA completes automatic deployment, remove the USB flash drive and
insert it into DeviceB. Then power on DeviceB to start automatic deployment.
----End
Configuration Scripts
N/A
Storage Medium
The device supports the flash memory and USB flash drive.
Table 7-1 describes the file list information displayed using the dir command.
Hardware Requirements
Series and Models
S3710-H series: S3710-H24P4S-A/S3710-H24T4S-A/S3710-H48LP4S-A/S3710-H48T4S-A
S5735I-L-V2 series: S5735I-L10T4X-A-V2/S5735I-L8P4X-A-V2
S5732-H-V2 series: S5732-H24S4X6QZ-TV2/S5732-H24S4X6QZ-V2/S5732-H24UM4Y2CZ-TV2/S5732-H24UM4Y2CZ-V2/S5732-H44S4X6QZ-TV2/S5732-H44S4X6QZ-V2/S5732-H48UM4Y2CZ-TV2/S5732-H48UM4Y2CZ-V2
S5735I-S-V2 series: S5735I-S24T4XE-V2/S5735I-S24T4XE-T-V2/S5735I-S24U4XE-V2/S5735I-S24U4XE-T-V2/S5735I-S8T4SN-V2/S5735I-S8T4XN-T-V2/S5735I-S8T4XN-V2/S5735I-S8U4XN-V2
S6730-H-V2 series: S6730-H24X6C-TV2/S6730-H24X6C-V2/S6730-H28X6CZ-TV2/S6730-H28X6CZ-V2/S6730-H48X6C-TV2/S6730-H48X6C-V2/S6730-H48X6CZ-TV2/S6730-H48X6CZ-V2/S6730-H48Y6C-TV2/S6730-H48Y6C-V2
S5735-S-V2 series: S5735-S24P4XE-V2/S5735-S24T4XE-V2/S5735-S24U4XE-V2/S5735-S48P4XE-V2/S5735-S48T4XE-V2/S5735-S48U4XE-V2
S5735-L-V2 series: S5735-L10T4X-A-V2/S5735-L10T4X-TA-V2/S5735-L16T4S-A-V2/S5735-L16T4X-QA-V2/S5735-L24P4S-A-V2/S5735-L24P4XE-A-V2/S5735-L24P4XE-TA-V2/S5735-L24T4S-A-V2/S5735-L24T4X-QA-V2/S5735-L24T4XE-A-V2/S5735-L24T4XE-D-V2/S5735-L48LP4S-A-V2/S5735-L48LP4XE-A-V2/S5735-L48P4XE-A-V2/S5735-L48T4S-A-V2/S5735-L48T4XE-A-V2/S5735-L48T4XE-TA-V2/S5735-L48T4XE-D-V2/S5735-L8P2T4X-A-V2/S5735-L8P2T4X-TA-V2/S5735-L8P4S-A-V2/S5735-L8P4X-QA-V2/S5735-L8T4S-A-V2/S5735-L8T4X-QA-V2
Feature Requirements (S5735-S-V2, S5735-L-V2, S3710-H, S5735I-L-V2, S5732-H-V2, S5735I-S-V2, and S6730-H-V2 series)
The total length of the directory and file name in the file system cannot
exceed 128 characters. The directory can contain 1 to 128 characters, and the
file name can contain 1 to 128 characters. After a directory with the maximum
length is created, files cannot be stored in the directory. After a file with
the maximum length is created, files cannot be stored in subdirectories.
Mode Applicable Scenario Advantages Disadvantages
FTP
Applicable scenario: This mode applies to the file transfer scenario with low network security requirements, and is widely used in version upgrade.
Advantages:
● FTP is easy to configure and supports file transfer and file directory operations.
● FTP supports file transfer between two file systems.
● The authorization and authentication functions are provided.
Disadvantages: Data is transmitted in plain text, resulting in potential security risks. The interactive mode is supported.
SFTP
Applicable scenario: This mode applies to scenarios demanding high network security, such as log download and configuration file backup scenarios.
Advantages:
● Encryption and integrity check are performed on data to ensure high security.
● File transfer and file directory operations are supported.
Disadvantages: The configuration is complex and the interactive mode is supported.
SCP
Applicable scenario: This mode applies to scenarios demanding high network security and efficient file upload/download.
Advantages:
● Encryption and integrity check are performed on data to ensure high security.
● File upload/download is efficient, requiring a single command that also sets up the client-server connection.
Disadvantages: The configuration is complex (similar to the configuration in SFTP mode) and the interactive mode is not supported.
The direct device login, FTP, and TFTP modes are easy to understand and
configure, and are therefore not detailed here. The following only details the SFTP
and SCP modes.
SFTP
As an extension of SSH, SFTP provides a secure channel through which remote
users can log in to a device to manage and transfer files. In addition, the device
can function as an SFTP client, from which users can securely log in to an SSH
server for file transfer.
SCP
SCP is used to copy, upload, and download files based on the SSH remote copy
function. The SCP file copy command is easy to use, improving network
maintenance efficiency.
Prerequisites
Before managing files locally, complete the following tasks:
● Ensure that there are reachable routes between the terminal and the device.
● Log in to the device from the terminal.
Procedure
● Perform operations on directories.
Operation Command Description
Operation: Delete a directory.
Command: rmdir directory
Description:
● The directory to be deleted must be empty.
● A deleted directory and its files cannot be restored from the recycle bin.
Operation: Decompress a file.
Command: unzip source-filename destination-filename [ password password ]
Description: -
Operation: Delete a file from the recycle bin.
Command: reset recycle-bin [ /f | filename ]
Description: To permanently delete a file from the recycle bin, run this command.
----End
Networking Requirements
A user logs in to a device using the console port, Telnet, or STelnet, and needs to
perform the following operations on the files on the device:
Procedure
Step 1 View files and subdirectories in the current directory.
<HUAWEI> system-view
[HUAWEI] sysname Device
[Device] quit
<Device> dir
Directory of flash:/
Step 2 Create a directory named test. Copy the vrpcfg.zip file to the directory test and
rename the file backup.zip.
# Copy the vrpcfg.zip file to the test directory and rename the file backup.zip.
<Device> copy vrpcfg.zip flash:/test/backup.zip
Info: Are you sure to copy flash:/vrpcfg.zip to flash:/test/backup.zip?[Y/N]:y
100% complete
Info: Copied file flash:/vrpcfg.zip to flash:/test/backup.zip...Done.
NOTE
If the destination file name is not specified, the source file name is used as the destination
file name by default. That is, the destination file has the same name as the source file.
----End
<Device> pwd
flash:/test/
Configuration Scripts
#
sysname Device
#
return
Prerequisites
You can log in to a device that functions as an FTP server from a terminal to
manage files. FTP is widely used for file service operations such as system
software upgrade.
Before configuring a device as an FTP server to manage files, you have completed
the following tasks:
● Ensure that there are reachable routes between the terminal and the device.
● Ensure that the terminal has FTP client software installed.
● Run the install feature-software WEAKEA command to install the weak
security algorithm/protocol feature package (WEAKEA).
Context
NOTICE
Table 7-7 describes the process for configuring a device as an FTP server for file
management. Tasks 1, 2, 3, and 4 can be performed in any sequence.
Default Settings
Port number 21
Procedure
● Enable the FTP server function and configure related parameters.
Table 7-9 Enabling the FTP server function and configuring related
parameters
Operation Command Description
Operation: Enable the FTP server function.
Command: ftp [ ipv6 ] server enable
Description: By default, the FTP server function is disabled.
Operation: (Optional) Configure the alarm generation and clearance thresholds for the number of FTP server login failures within a specified period.
Command: ftp server login-failed threshold-alarm upper-limit report-times lower-limit resume-times period period-time
Description: By default, an alarm is generated if the number of login failures reaches 30 within 5 minutes and is cleared if the number of login failures falls below 20 within the same period.
NOTE
● The FTP service port cannot be changed after the FTP server function is enabled.
To change the port number, you must run the undo ftp [ ipv6 ] server command
to disable the FTP server function first.
● After file operations between the client and server are complete, run the undo ftp
[ ipv6 ] server command to disable the FTP server function promptly to ensure
device security.
● Configure a local FTP user.
To use FTP to manage files, configure the local user name and password for
logging in to the device that functions as an FTP server, and specify the
service type and authorized directory.
Operation: Configure an authorized directory for the FTP user.
Command: local-user user-name ftp-directory directory
Description: By default, no authorized directory is configured for the local user. If the same authorized directory needs to be set for multiple FTP users, you can run the ftp server default-directory directory command to configure a default working directory for these FTP users, instead of running the local-user user-name ftp-directory directory command to configure an authorized directory for each FTP user.
IP address is locked, and this IP address cannot set up an FTP connection with the FTP server.
Operation: Configure the maximum number of consecutive authentication failures and the period in which consecutive authentication failures are counted.
Command: ftp server ip-block failed-times failed-times period period
Description: By default, a maximum of 6 consecutive authentication failures is allowed within 5 minutes.
Operation: Configure the period after which the system automatically unlocks a user.
Command: ftp server ip-block reactive reactive-period
Description: By default, the period is 5 minutes.
Operation: Return to the system view.
Command: quit
Description: -
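The lockout and alarm rules from the two tables above, modelled as an added Python example (not Huawei code): it replays constructed login attempts against the page's defaults (6 consecutive failures within 5 minutes lock an IP for 5 minutes; 30 failures within 5 minutes raise the alarm, cleared when the count falls below 20). The sliding-window evaluation and the reset of the consecutive count on a successful login are assumptions drawn from the table wording.

```python
"""Model of the ftp server ip-block and ftp server login-failed
threshold-alarm rules from the tables above. Added illustration, not Huawei
code: the device's exact evaluation (sliding windows, reset of the
consecutive count on a successful login) is assumed from the table wording."""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Optional, Tuple


@dataclass
class IpBlockPolicy:
    """ftp server ip-block failed-times N period P / reactive R.
    Defaults are the page's defaults (6 failures, 5 min, 5 min) in seconds."""
    failed_times: int = 6
    period_s: int = 5 * 60
    reactive_s: int = 5 * 60


@dataclass
class AlarmPolicy:
    """ftp server login-failed threshold-alarm upper-limit U lower-limit L period P.
    Defaults are the page's defaults (30, 20, 5 min)."""
    upper_limit: int = 30
    lower_limit: int = 20
    period_s: int = 5 * 60


class FtpLoginGuard:
    """Per-IP consecutive-failure lockout plus a global failure-rate alarm.
    Timestamps are integer seconds."""

    def __init__(self, block: Optional[IpBlockPolicy] = None,
                 alarm: Optional[AlarmPolicy] = None) -> None:
        self.block = block or IpBlockPolicy()
        self.alarm = alarm or AlarmPolicy()
        self._fails: Dict[str, Deque[int]] = {}   # per-IP failure times in window
        self._locked_until: Dict[str, int] = {}   # ip -> time the lock expires
        self._all_fails: Deque[int] = deque()     # all failure times in window
        self.alarm_active = False

    def connection_allowed(self, ip: str, now: int) -> bool:
        """False while the IP is locked; the lock expires on its own after
        reactive_s (the reactive-period of ftp server ip-block)."""
        until = self._locked_until.get(ip)
        if until is None:
            return True
        if now < until:
            return False
        del self._locked_until[ip]
        return True

    def alarm_state(self, now: int) -> bool:
        """Re-evaluates the alarm over failures in the last period_s: raised
        once the count reaches upper_limit, cleared only when it drops below
        lower_limit (hysteresis, so it does not flap around one threshold)."""
        while self._all_fails and now - self._all_fails[0] >= self.alarm.period_s:
            self._all_fails.popleft()
        count = len(self._all_fails)
        if not self.alarm_active and count >= self.alarm.upper_limit:
            self.alarm_active = True
        elif self.alarm_active and count < self.alarm.lower_limit:
            self.alarm_active = False
        return self.alarm_active

    def record_login(self, ip: str, success: bool, now: int) -> str:
        """Feeds one attempt; returns 'rejected' (locked), 'ok', 'fail' or 'locked'."""
        if not self.connection_allowed(ip, now):
            return "rejected"
        if success:
            self._fails.pop(ip, None)  # assumption: success ends the consecutive run
            return "ok"
        window = self._fails.setdefault(ip, deque())
        window.append(now)
        while now - window[0] >= self.block.period_s:
            window.popleft()
        self._all_fails.append(now)
        self.alarm_state(now)
        if len(window) >= self.block.failed_times:
            self._locked_until[ip] = now + self.block.reactive_s
            window.clear()
            return "locked"
        return "fail"


def replay(events: Iterable[Tuple[int, str, bool]],
           guard: Optional[FtpLoginGuard] = None) -> List[str]:
    """Runs (time, ip, success) events through a guard and returns the outcomes."""
    guard = guard or FtpLoginGuard()
    return [guard.record_login(ip, ok, t) for t, ip, ok in events]


if __name__ == "__main__":
    # Constructed scenario: one host fails six times in a row, then retries
    # while locked; the address is the host the page's ACL example denies.
    attempts = [(t, "10.136.23.20", False) for t in range(6)]
    attempts.append((10, "10.136.23.20", False))
    print(replay(attempts))
    # ['fail', 'fail', 'fail', 'fail', 'fail', 'locked', 'rejected']
```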
NOTE
You can perform one or more operations listed in the following table, and in
any sequence.
Operation Command Description
Operation: Change the working directory of the FTP server.
Command: cd pathname
Description: -
Operation: Change the working directory of the FTP server to its upper-level directory.
Command: cdup
Description: -
Operation: Display the working directory of the FTP server.
Command: pwd
Description: -
Operation: Delete a directory from the FTP server.
Command: rmdir remote-directory
Description: -
Operation: Delete a specified file from the FTP server.
Command: delete remote-filename
Description: -
Operation: Display online help for an FTP command.
Command: remotehelp [ command ]
Description: -
----End
Context
NOTICE
Table 7-16 describes the process for configuring a device to access files on
another device as an FTP client.
Table 7-16 Configuring a device to access files on another device as an FTP client
Procedure
● (Optional) Configure the source interface or source IP address for the FTP
client.
The source IP address to be configured must be that of a stable interface,
such as a loopback interface. This configuration makes it easier to configure
ACL rules. You simply need to specify the source or destination IP address in
an ACL rule as the interface IP address, thereby allowing the device to filter
incoming and outgoing packets.
Table 7-17 Configuring the source interface or source IP address for the FTP
client
Operation Command Description
Operation: Configure the source IPv4 address or source interface for the FTP client.
Command: ftp client source { -a ip-address | -i interface-type interface-number }
Description: The IP address of a loopback interface is recommended. When the source address is set to a loopback interface, an IP address must be configured for the loopback interface in advance. Otherwise, the FTP connection fails to be set up.
To only upload files to the FTP server or download files to the device, you can
run commands in the user view to complete file transfer (These commands
cannot be used to perform other FTP operations).
In the user view or FTP client view, you can run a command to log in to
the FTP server.
Table 7-19 Logging in to another device that functions as the FTP server
configured with an IPv4 address
Operation: Establish a connection with the IPv4 FTP server in the user view.
Command: ftp [ -a source-ip-address | -i { interface-type interface-number | interface-name } ] host-ip [ port-number ] [ vpn-instance vpn-instance-name | public-net ]
Description: Use either method.
Operation: Establish a connection with the IPv4 FTP server in the FTP client view.
Command: ftp, then open [ -a source-ip | -i { interface-type interface-number | interface-name } ] host-ip-address [ port-number ] [ vpn-instance vpn-instance-name | public-net ]
Description: Use either method. Before setting up a connection with the FTP server in the FTP client view, run the ftp command to enter the FTP client view.
NOTE
Before logging in to the FTP server, run the set net-manager vpn-instance
command to set the default VPN instance. Then the default VPN instance will be
used in the FTP operation.
The source IP address specified in the ftp command takes precedence over the
source IP address specified in the ftp client source command. If the source IP
addresses specified in the ftp client source and ftp commands are different, the
source IP address specified in the ftp command takes effect. The source IP
address specified in the ftp client source command applies to all FTP
connections, whereas the source IP address specified in the ftp command applies
only to the current FTP connection.
Table 7-20 Logging in to another device that functions as the FTP server
configured with an IPv6 address
ftp
You must enter a correct user name and password for authentication
before you are allowed access to the FTP server.
b. Perform file operations using FTP.
After logging in to the FTP server, you can run FTP commands to perform
operations on files, including managing directories, managing files,
configuring the file transfer mode, and viewing online help of FTP
commands.
NOTE
You can perform one or more operations listed in the following table, and
in any sequence.
Operation Command Description
Operation: Change the working directory of the FTP server.
Command: cd pathname
Description: -
Operation: Change the working directory of the FTP server to its upper-level directory.
Command: cdup
Description: -
Operation: Display the working directory of the FTP server.
Command: pwd
Description: -
Operation: Delete a directory from the FTP server.
Command: rmdir remote-directory
Description: -
Operation: Delete a specified file from the FTP server.
Command: delete remote-filename
Description: -
Operation: Display online help for an FTP command.
Command: remotehelp [ command ]
Description: -
You can log in to the FTP server using another user name without exiting the
FTP client view. The created FTP connection is the same as the FTP connection
created by running the ftp command.
You can run different commands in the FTP client view to disconnect from the
FTP server.
----End
Networking Requirements
In Figure 7-1, PC1 connects to the device at 10.136.23.5. The device needs to be
upgraded. To be specific, the device needs to function as the FTP server so that the
system software can be uploaded from PC1 to the device and the configuration
file of the device can be saved to PC1 for backup. In addition, an ACL policy needs
to be configured so that only PC1 can access the FTP server.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the FTP server function for the device and configure information
about an FTP user, including the source address, user name, password, user
privilege level, service type, and authorized directory.
2. Configure access permissions on the FTP server.
3. Save the current configuration file on the device.
4. Log in to the FTP server from PC1.
5. Upload the system software to the device and back up the configuration file
of the device to PC1.
Configuration Precautions
In insecure network environments, you are advised to use a secure password
authentication mode, encryption authentication algorithm, or protocol. For details
about secure configuration examples, see 7.6.3 Example for Configuring a
Device as an SFTP Server.
Procedure
Step 1 Run the install feature-software WEAKEA command in the user view to install
the weak security algorithm/protocol feature package (WEAKEA).
Step 2 Configure an IP address for the FTP server.
<HUAWEI> system-view
[HUAWEI] sysname FTP_Server
[FTP_Server] interface 10ge 1/0/1
[FTP_Server-10GE1/0/1] undo portswitch
[FTP_Server-10GE1/0/1] ip address 10.136.23.5 255.255.255.0
[FTP_Server-10GE1/0/1] quit
Step 3 Configure the FTP server function for the device and configure information about
an FTP user.
[FTP_Server] ftp server enable
[FTP_Server] ftp server source -i 10ge 1/0/1
[FTP_Server] aaa
[FTP_Server-aaa] local-user admin1234 password
Please configure the login password (8-128)
It is recommended that the password consist of at least 2 types of characters, including lowercase letters,
uppercase letters, numerals and special characters.
Please enter password:
Please confirm password:
Info: Add a new user.
[FTP_Server-aaa] local-user admin1234 privilege level 3
[FTP_Server-aaa] local-user admin1234 service-type ftp
[FTP_Server-aaa] local-user admin1234 ftp-directory flash:/
[FTP_Server-aaa] quit
Step 6 Log in to the FTP server from PC1 using the user name admin1234 and password
YsHsjx_202206. Set the file transfer mode to binary.
Step 7 Upload the system software to the device and back up the configuration file of
the device to PC1.
# Upload the system software to the device.
ftp> put devicesoft.cc
200 Port command okay.
150 Opening BINARY mode data connection for /devicesoft.cc
226 Transfer complete.
ftp: 107973953 bytes sent in 151.05Seconds 560.79Kbytes/sec.
NOTE
When uploading or downloading files, you need to specify the FTP working directory of the
client. For example, the default FTP working directory of the Windows operating system is
C:\Windows\System32. Save the system software to be uploaded to this directory in
advance, and the backup configuration file is also saved to this directory.
----End
# Access the FTP user's working directory on PC1 and check for the vrpcfg.zip file.
Configuration Scripts
#
sysname FTP_Server
#
ftp server enable
ftp server source -i 10GE1/0/1
ftp server acl 2001
#
acl number 2001
rule 5 permit source 10.136.23.10 0
rule 10 deny source 10.136.23.20 0
#
aaa
local-user admin1234 password irreversible-cipher $1d$g8wLJ`LjL!$CyE(V{3qg5DdU:PM[6=6O$UF-.fQ,Q}>^)OBzgoU$
local-user admin1234 privilege level 3
local-user admin1234 ftp-directory flash:
local-user admin1234 service-type ftp
#
interface 10GE1/0/1
undo portswitch
ip address 10.136.23.5 255.255.255.0
#
return
Networking Requirements
In Figure 7-2, the remote device with IP address 10.1.1.1/24 functions as the FTP
server. The device with IP address 10.2.1.1/24 functions as the FTP client and has
reachable routes to the FTP server.
The FTP client needs to be upgraded. To be specific, you need to download the
system software from the FTP server to the FTP client and back up the current
configuration file of the FTP client to the FTP server.
Figure 7-2 Network diagram for accessing files on another device using FTP
NOTE
Configuration Roadmap
The configuration roadmap is as follows:
1. Run the FTP software on the FTP server and configure an FTP user.
2. Establish a connection between the FTP client and FTP server.
3. Upload and download files on the FTP client using FTP commands.
Configuration Precautions
In insecure network environments, you are advised to use a secure password
authentication mode, encryption authentication algorithm, or protocol. For details
about secure configuration examples, see 7.6.4 Example for Configuring a
Device as an SFTP Client.
Procedure
Step 1 Run the install feature-software WEAKEA command in the user view to install
the weak security algorithm/protocol feature package (WEAKEA).
Step 2 Run the FTP software on the FTP server and configure an FTP user. For details, see
the help document of the third-party software.
Step 3 Establish a connection between the FTP client and FTP server.
<HUAWEI> ftp 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL + K to abort
Connected to 10.1.1.1.
220 FTP service ready.
User(10.1.1.1:(none)):admin
331 Password required for admin.
Enter password:
230 User logged in.
[ftp]
Step 4 Download files from and upload files to the FTP server using FTP commands.
[ftp] binary
200 Type is Image (Binary)
[ftp] get devicesoft.cc
500 Unidentified command SIZE test123.cfg
200 PORT command okay
150 "D:\FTP\test123.cfg" file ready to send (3544 bytes) in IMAGE / Binary mode
..
226 Transfer finished successfully.
FTP: 107973953 byte(s) received in 151.05 second(s) 560.79Kbyte(s)/sec.
[ftp] put vrpcfg.zip
200 PORT command okay
150 "D:\FTP\vrpcfg.zip" file ready to receive in IMAGE / Binary mode
/ 100% [***********]
226 Transfer finished successfully.
FTP: 1257 byte(s) send in 0.03 second(s) 40.55Kbyte(s)/sec.
[ftp] quit
----End
# Access the working directory on the FTP server and check for the vrpcfg.zip file.
Configuration Scripts
None
Context
NOTE
Table 7-24 describes the process for configuring a device as an SFTP server for file
management.
Default Settings
Procedure
● Enable the SFTP server function and configure related parameters.
For details about how to generate the local server key pair and how to set
server parameters including the port number, key pair update interval, SSH
Table 7-26 Enabling the SFTP server function and configuring related
parameters
Operation Command Description
Operation: (Optional) Configure the maximum number of clients that can connect to the SFTP server.
Command: sftp max-sessions max-session-count
Description: By default, a maximum of five clients can connect to the SSH server. If the maximum number is changed to a value smaller than the number of current online users, these users will stay connected, but new connection requests will be rejected.
NOTE
When an AAA user is configured, the user privilege level must be set to 3 or higher to
ensure successful connection.
● Connect to the device using SFTP.
To connect to the device using SFTP from a terminal, the terminal must be
installed with the SSH client software. The following describes how to connect
to the device using OpenSSH and the Windows CLI.
– For details about how to install OpenSSH, see the OpenSSH installation
guide.
– To use OpenSSH to connect to the device using SFTP, run the OpenSSH
commands. For details about OpenSSH commands, see the OpenSSH
help.
– The Windows CLI can identify OpenSSH commands only when OpenSSH
is installed on the terminal.
Access the Windows CLI and run the OpenSSH commands to connect to the
device using SFTP.
If the command prompt of the SFTP client view, such as sftp>, is displayed,
you have entered the working directory of the SFTP server. (The following
information is for reference only.)
Operation: Display the list of files in the specified directory.
Command: dir [ remote-directory [ local-filename ] ] or ls [ remote-directory [ local-filename ] ]
Description: The dir command has the same effect as the ls command.
Operation: Delete a directory from the server.
Command: rmdir directory-name
Description: A maximum of 10 directories can be deleted at a time. Before running the rmdir command to delete directories, ensure that the directories do not contain any files. Otherwise, the deletion fails.
Operation: Create a directory on the server.
Command: mkdir remote-directory
Description: -
Operation: Delete a file from the server.
Command: remove path or delete path
Description: A maximum of 10 files can be deleted at a time. The remove command has the same effect as the delete command.
Operation: Display the command help on the SFTP client.
Command: help [ command-name ]
Description: -
----End
● Obtain the port number configured for the server if the standard port number
is not used.
Context
Table 7-29 describes the process for configuring a device to access files on
another device as an SFTP client.
Table 7-29 Configuring a device to access files on another device as an SFTP client
3. Task: Configure SFTP client parameters.
Description: SFTP client parameters include the interval for sending keepalive packets and the maximum number of keepalive packets sent by the SFTP client.
Remarks: Tasks 1, 2, and 3 can be performed in any sequence.
4. Task: (One-click mode) Log in to another device to perform file operations; or (Interactive mode) Log in to another device to perform file operations.
Description:
● One-click mode: You can upload and download files while the connection is set up.
● Interactive mode: After the SSH server is connected, you can perform operations on directories and files on the SSH server and view the help of commands on the SFTP client.
Remarks: Select only one of the two tasks.
Procedure
● (Optional) Configure the source interface or source IP address for the
SFTP client.
Table 7-30 Configuring the source interface or source IP address for the SFTP
client
Operation: Configure the source interface or source IP address for the SFTP client.
Command: sftp client-source { -a source-ip-address [ public-net | -vpn-instance vpn-instance-name ] | -i { interface-type interface-number | interface-name } } or sftp ipv6 client-source -a source-ipv6-address [ -vpn-instance ipv6-vpn-instance-name ]
Description: By default, the source IP address is 0.0.0.0.
● Configure the mode for connecting a device to the SSH server for the first
time.
For details, see "Configuring the Mode for Connecting a Device to the SSH
Server for the First Time" in CLI Configuration Guide > Security Configuration.
● Configure SFTP client parameters.
For details, see "Setting SSH Client Parameters" in CLI Configuration Guide >
Security Configuration.
● (One-click mode) Log in to another device to perform file operations.
You can run the commands listed in the following table in the system view to
download files from the server or upload files to the server while the
connection is set up.
Operation Command Description
Operation: Display the list of files in the specified directory.
Command: dir [ remote-directory [ local-filename ] ] or ls [ remote-directory [ local-filename ] ]
Description: The dir command has the same effect as the ls command.
Operation: Delete a directory from the server.
Command: rmdir directory-name
Description: A maximum of 10 directories can be deleted at a time. Before running the rmdir command to delete directories, ensure that the directories do not contain any files. Otherwise, the deletion fails.
Operation: Create a directory on the server.
Command: mkdir remote-directory
Description: -
Operation: Delete a file from the server.
Command: remove path or delete path
Description: A maximum of 10 files can be deleted at a time. The remove command has the same effect as the delete command.
Operation: Display the command help on the SFTP client.
Command: help [ command-name ]
Description: -
----End
Figure 7-3 Network diagram for performing file operations using SFTP
NOTE
Configuration Roadmap
The configuration roadmap is as follows:
1. Generate a local key pair and enable the SFTP server function on the SSH
server so that the server and client can securely exchange data.
2. Configure SSH user information including the authentication mode, service
type, authorized directory, user name, and password.
3. Configure access permissions on the SSH server to control access from SSH
users.
4. Connect to the SSH server from the PC using the third-party software
OpenSSH.
Procedure
Step 1 Configure an IP address for the SSH server.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] interface 10ge 1/0/1
[SSH Server-10GE1/0/1] undo portswitch
[SSH Server-10GE1/0/1] ip address 10.136.23.4 255.255.255.0
[SSH Server-10GE1/0/1] quit
Step 2 On the SSH server, generate a local key pair and enable the SFTP server function.
[SSH Server] dsa local-key-pair create
Info: The key name will be: Host_DSA
Info: The key modulus can be any one of the following :
2048.
Info: Key pair generation will take a short while.
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.
[SSH Server] sftp server enable
[SSH Server] ssh server-source all-interface
Step 3 Configure the public key algorithm, encryption algorithm, key exchange algorithm
list, HMAC authentication algorithm, and minimum key length on the SSH server.
[SSH Server] ssh server cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
[SSH Server] ssh server hmac sha2_256 sha2_512
[SSH Server] ssh server key-exchange dh_group_exchange_sha256 dh_group16_sha512
[SSH Server] ssh server publickey rsa_sha2_256 rsa_sha2_512
[SSH Server] ssh server dh-exchange min-len 3072
Step 4 Configure SSH user information including the authentication mode, service type,
authorized directory, user name, and password.
[SSH Server] ssh user client001 authentication-type password
Info: Succeeded in adding a new SSH user.
[SSH Server] ssh user client001 service-type sftp
[SSH Server] ssh user client001 sftp-directory flash:/
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password
Please configure the login password (8-128)
It is recommended that the password consist of at least 2 types of characters, including lowercase letters,
uppercase letters, numerals and special characters.
Please enter password:
Please confirm password:
Info: Add a new user.
[SSH Server-aaa] local-user client001 privilege level 3
[SSH Server-aaa] local-user client001 service-type terminal ssh
[SSH Server-aaa] quit
----End
The Windows CLI can identify OpenSSH commands only when OpenSSH is
installed on the terminal.
C:/Documents and Settings/Administrator> sftp client001@10.136.23.4
Connecting to 10.136.23.4...
The authenticity of host "10.136.23.4 (10.136.23.4)" can't be established.
DSA key fingerprint is 0d:48:82:fd:2f:52:1c:f0:c4:22:70:80:8f:7b:fd:78.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added "10.136.23.4" (DSA) to the list of known hosts.
client001@10.136.23.4's password:
sftp>
After you connect to the SSH server using the third-party software, the SFTP view
is displayed. You can then perform file operations in the SFTP view.
Configuration Scripts
#
sysname SSH Server
#
acl number 2001
rule 5 permit source 10.136.23.10 0
rule 10 deny source 10.136.23.20 0
#
aaa
local-user client001 password irreversible-cipher $1d$v!=.5/:(q-$xL=\K+if"'S}>k7vGP5$_ox0B@ys7.'DBHL~3*aN$
local-user client001 service-type terminal ssh
local-user client001 privilege level 3
#
interface 10GE1/0/1
undo portswitch
ip address 10.136.23.4 255.255.255.0
#
sftp server enable
ssh server-source all-interface
ssh server acl 2001
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type sftp
ssh user client001 sftp-directory flash:
#
ssh server cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
ssh server hmac sha2_256 sha2_512
ssh server key-exchange dh_group_exchange_sha256 dh_group16_sha512
ssh server publickey rsa_sha2_256 rsa_sha2_512
ssh server dh-exchange min-len 3072
#
return
Networking Requirements
The SSH protocol uses encryption to secure the connection between a client and a
server. All user authentication, commands, output, and file transfers are encrypted
to protect against attacks in the network. A client can securely connect to the SSH
server and transfer files using SFTP.
In Figure 7-4, routes between the SSH server and clients client001 and client002
are reachable. In this example, a Huawei device functions as the SSH server.
The two clients are required to connect to the SSH server in password and DSA
authentication modes respectively to ensure secure access to files on the SSH
server.
Figure 7-4 Network diagram for accessing files on another device using SFTP
NOTE
Configuration Roadmap
The configuration roadmap is as follows:
1. Generate a local key pair and enable the SFTP server function on the server so
that the server and client can securely exchange data.
2. On the SSH server, configure client001 and client002 to access the SSH
server in password and DSA authentication modes, respectively.
3. Generate a local key pair on client002 and configure the DSA public key of
client002 on the SSH server so that the server can authenticate the client
when the client attempts to access the server.
4. Configure client001 and client002 to connect to the SSH server using SFTP
for file access.
Procedure
Step 1 On the server, generate a local key pair and enable the SFTP server function.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] dsa local-key-pair create
Info: The key name will be: Host_DSA
Info: The key modulus can be any one of the following : 2048.
Info: Key pair generation will take a short while.
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.
[SSH Server] sftp server enable
[SSH Server] ssh server-source all-interface
Step 2 Configure the public key algorithm, encryption algorithm, key exchange algorithm
list, HMAC authentication algorithm, and minimum key length on the SSH server.
[SSH Server] ssh server cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
[SSH Server] ssh server hmac sha2_256 sha2_512
[SSH Server] ssh server key-exchange dh_group_exchange_sha256 dh_group16_sha512
[SSH Server] ssh server publickey rsa_sha2_256 rsa_sha2_512
[SSH Server] ssh server dh-exchange min-len 3072
# Create an SSH user named client002 and configure the DSA authentication
mode for the user.
[SSH Server] ssh user client002
[SSH Server] ssh user client002 authentication-type dsa
[SSH Server] ssh authorization-type default root
[SSH Server] ssh user client002 service-type sftp
[SSH Server] ssh user client002 sftp-directory flash:/
Step 5 Generate a local key pair on client002 and configure the DSA public key of
client002 on the SSH server.
# Generate a local key pair on the client.
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] dsa local-key-pair create
Info: The key name will be: Host_DSA
Info: The key modulus can be any one of the following :
2048.
Info: Key pair generation will take a short while.
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.
# Configure the DSA public key of the client on the server. (The information in
bold in the display command output is the DSA public key of the client. Copy the
key to the server.)
[SSH Server] dsa peer-public-key dsakey001 encoding-type der
[SSH Server-dsa-public-key] public-key-code begin
[SSH Server-dsa-public-key-dsa-key-code] 3082010A
[SSH Server-dsa-public-key-dsa-key-code] 02820101
[SSH Server-dsa-public-key-dsa-key-code] 00BBB7A0 4924AF13 04F2662D 2ED43B9D 589967EB
[SSH Server-dsa-public-key-dsa-key-code] D8A4F785 5AD1F662 13845081 0C65F6B3 88A9C415
[SSH Server-dsa-public-key-dsa-key-code] D81C34BD 41A4B580 70DC7460 E4A5407B 9B95630F
[SSH Server-dsa-public-key-dsa-key-code] E211F4B3 1115772D FB95D3DC 915A1858 D0DE49F7
[SSH Server-dsa-public-key-dsa-key-code] F39DD7A7 7795F2B9 C9562E8B 598CB50F 6D39240D
[SSH Server-dsa-public-key-dsa-key-code] B5C6F1D3 33A218D0 98C30104 F8F3A8CA 7172C95B
[SSH Server-dsa-public-key-dsa-key-code] 03AEC0A0 8A7E99F6 6C1939AA 52CC2E31 B6703278
[SSH Server-dsa-public-key-dsa-key-code] AEE1BCD8 DC21FCA2 041C9A4C 1856A935 6894998D
[SSH Server-dsa-public-key-dsa-key-code] FBFA88FF 1708C3A6 7E092368 ACE983D7 C8DDCDF5
[SSH Server-dsa-public-key-dsa-key-code] 26F5D4E5 16A15C5C D6D0018E 4EAFE055 B93FCB87
[SSH Server-dsa-public-key-dsa-key-code] 2BB46EFB 02C04C3B F167A417 380CD0B0 0BC59493
[SSH Server-dsa-public-key-dsa-key-code] 646CBE96 BCAF3DB7 AD0AFA0A 5D14155E D7F97DC1
[SSH Server-dsa-public-key-dsa-key-code] 32693DE5 4B103442 8E0F4DAD 2598BE5E 19
[SSH Server-dsa-public-key-dsa-key-code] 0203
[SSH Server-dsa-public-key-dsa-key-code] 010001
[SSH Server-dsa-public-key-dsa-key-code] public-key-code end
[SSH Server-dsa-public-key] peer-public-key end
----End
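Before pasting a key code into the peer-public-key view, it is worth checking that the hex block is well-formed DER and that its layout matches the authentication type configured for the user. The following parser is an added example (not Huawei's tooling); its input is the key code copied from the SSH server configuration script below. It reports the structure it finds: this block decodes as SEQUENCE { INTEGER, INTEGER } with a 3-byte exponent of 65537 and a 2048-bit modulus, which is the PKCS#1 RSAPublicKey layout.

```python
"""Validate the hex 'public-key-code' block pasted into a Huawei
peer-public-key view and report its DER structure before committing it."""

# Key code copied from the SSH server configuration script on this page
# (the lines between 'public-key-code begin' and 'public-key-code end').
KEY_CODE_HEX = """
3082010A
02820101
00BBB7A0 4924AF13 04F2662D 2ED43B9D 589967EB D8A4F785 5AD1F662 13845081
0C65F6B3 88A9C415 D81C34BD 41A4B580 70DC7460 E4A5407B 9B95630F E211F4B3
1115772D FB95D3DC 915A1858 D0DE49F7 F39DD7A7 7795F2B9 C9562E8B 598CB50F
6D39240D B5C6F1D3 33A218D0 98C30104 F8F3A8CA 7172C95B 03AEC0A0 8A7E99F6
6C1939AA 52CC2E31 B6703278 AEE1BCD8 DC21FCA2 041C9A4C 1856A935 6894998D
FBFA88FF 1708C3A6 7E092368 ACE983D7 C8DDCDF5 26F5D4E5 16A15C5C D6D0018E
4EAFE055 B93FCB87 2BB46EFB 02C04C3B F167A417 380CD0B0 0BC59493 646CBE96
BCAF3DB7 AD0AFA0A 5D14155E D7F97DC1 32693DE5 4B103442 8E0F4DAD 2598BE5E
19
0203
010001
"""


def key_code_to_bytes(text):
    """Drop the whitespace between hex groups and decode to raw DER bytes."""
    return bytes.fromhex("".join(text.split()))


def _read_tlv(data, pos):
    """Read one DER tag/length/value starting at pos.

    Returns (tag, value, position after the value). Raises ValueError if the
    element runs past the end of the buffer, which is how a key code that
    lost a line while being copied shows up.
    """
    if pos + 2 > len(data):
        raise ValueError("truncated DER: no room for a tag/length header")
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(data):
            raise ValueError("truncated or indefinite DER length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    value = data[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER: expected %d value bytes, got %d"
                         % (length, len(value)))
    return tag, value, pos + length


def parse_public_key_code(text):
    """Describe a SEQUENCE-of-INTEGERs public key blob.

    Only the PKCS#1 RSAPublicKey layout (SEQUENCE { INTEGER n, INTEGER e })
    is decoded; any other shape raises ValueError so the operator notices
    before the key is configured on the server.
    """
    data = key_code_to_bytes(text)
    tag, body, end = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE (tag 0x%02X)" % tag)
    if end != len(data):
        raise ValueError("%d trailing byte(s) after the SEQUENCE" % (len(data) - end))
    integers = []
    pos = 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        if t != 0x02:
            raise ValueError("unexpected element tag 0x%02X inside SEQUENCE" % t)
        integers.append(int.from_bytes(v, "big"))
    if len(integers) != 2:
        raise ValueError("expected 2 INTEGERs (n, e), found %d" % len(integers))
    n, e = integers
    return {
        "total_bytes": len(data),
        "layout": "PKCS#1 RSAPublicKey (SEQUENCE { INTEGER n, INTEGER e })",
        "modulus_bits": n.bit_length(),
        "exponent": e,
    }


if __name__ == "__main__":
    for field, value in parse_public_key_code(KEY_CODE_HEX).items():
        print("%-13s %s" % (field, value))
```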
Configuration Scripts
● SSH server
#
sysname SSH Server
#
dsa peer-public-key dsakey001 encoding-type der
public-key-code begin
3082010A
02820101
00BBB7A0 4924AF13 04F2662D 2ED43B9D 589967EB D8A4F785 5AD1F662 13845081
0C65F6B3 88A9C415 D81C34BD 41A4B580 70DC7460 E4A5407B 9B95630F E211F4B3
1115772D FB95D3DC 915A1858 D0DE49F7 F39DD7A7 7795F2B9 C9562E8B 598CB50F
6D39240D B5C6F1D3 33A218D0 98C30104 F8F3A8CA 7172C95B 03AEC0A0 8A7E99F6
6C1939AA 52CC2E31 B6703278 AEE1BCD8 DC21FCA2 041C9A4C 1856A935 6894998D
FBFA88FF 1708C3A6 7E092368 ACE983D7 C8DDCDF5 26F5D4E5 16A15C5C D6D0018E
4EAFE055 B93FCB87 2BB46EFB 02C04C3B F167A417 380CD0B0 0BC59493 646CBE96
BCAF3DB7 AD0AFA0A 5D14155E D7F97DC1 32693DE5 4B103442 8E0F4DAD 2598BE5E
19
0203
010001
public-key-code end
peer-public-key end
#
aaa
local-user client001 password irreversible-cipher $1d$g8wLJ`LjL!$CyE(V{3qg5DdU:PM[6=6O$UF-.fQ,Q}>^)OBzgoU$
local-user client001 service-type terminal ssh
local-user client001 privilege level 3
#
sftp server enable
ssh server-source all-interface
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type sftp
ssh user client001 sftp-directory flash:/
ssh user client002
ssh user client002 authentication-type dsa
ssh user client002 assign dsa-key dsakey001
ssh user client002 service-type sftp
ssh user client002 sftp-directory flash:/
#
ssh server cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
ssh server hmac sha2_256 sha2_512
ssh server key-exchange dh_group_exchange_sha256 dh_group16_sha512
ssh server publickey rsa_sha2_256 rsa_sha2_512
ssh server dh-exchange min-len 3072
#
return
● client001
#
sysname client001
#
ssh client first-time enable
#
ssh client cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
ssh client hmac sha2_256 sha2_512
ssh client key-exchange dh_group_exchange_sha256 dh_group16_sha512
ssh client publickey rsa_sha2_256 rsa_sha2_512
#
return
● client002
#
sysname client002
#
ssh client first-time enable
#
ssh client cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
ssh client hmac sha2_256 sha2_512
ssh client key-exchange dh_group_exchange_sha256 dh_group16_sha512
ssh client publickey rsa_sha2_256 rsa_sha2_512
#
return
Context
Table 7-35 describes the process for configuring a device as an SCP server for file
management.
Default Settings
Procedure
● Enable the SCP server function and configure related parameters.
For details about how to generate the local server key pair and how to set
server parameters including the port number, key pair update interval, SSH
authentication timeout interval, and number of SSH authentication retries,
see "Configuring the SSH Server Function and Related Parameters" in CLI
Configuration Guide > Security Configuration. For details about how to
configure the SCP function, see Table 7-37.
Table 7-37 Enabling the SCP server function and configuring related
parameters
Operation: Enable the SCP server function.
Command: scp [ ipv4 | ipv6 ] server enable
Description: By default, the SCP server function is disabled.
As the preceding command output shows, the user terminal uploads files to or
downloads files from the SCP server while connecting to it, and finally accesses
the user's local directory.
● Disconnect from the SCP server.
----End
Prerequisites
SCP is a utility of the SSH protocol that is used to securely copy files from one
system to another. A device can be configured as an SCP client to set up a secure
connection with an SCP server to upload or download files.
Before configuring a device to access files on another device as an SCP client, you
have completed the following tasks:
● Ensure that there are reachable routes between the device and SSH server.
● Obtain the host name or IP address of the SSH server and SSH user
information.
● Obtain the port number configured for the server if the standard port number
is not used.
Context
Table 7-39 describes the process for configuring a device to access files on
another device as an SCP client.
Table 7-39 Configuring a device to access files on another device as an SCP client
4 Connect to another device using SCP commands. -
Procedure
● (Optional) Configure the source interface or source IP address for the SCP
client.
● Configure the mode for connecting a device to the SSH server for the first
time.
For details, see "Configuring the Mode for Connecting a Device to the SSH
Server for the First Time" in CLI Configuration Guide > Security Configuration.
● Configure SCP client parameters.
For details, see "Setting SSH Client Parameters" in CLI Configuration Guide >
Security Configuration.
● Connect to another device using SCP commands.
Unlike SFTP, which uses separate commands for connection setup and file
transfer, SCP lets the client upload files to or download files from the server
directly once the connection is established.
Operation: Enter the system view.
Command: system-view
Description: -
Operation: Connect to the SCP server using an IPv4 address.
Command: scp [ -a source-ip-address | -i interface-type interface-number ] [ -force-receive-pubkey ] [ [ -port server-port ] | [ public-net | vpn-instance vpn-instance-name ] | [ identity-key identity-key-type ] | [ user-identity-key user-key ] | -r | -c | [ -cipher cipher ] | [ -prefer-kex prefer-kex ] ] * source-filename destination-filename
Operation: Connect to the SCP server using an IPv6 address.
Command: scp ipv6 [ [ vpn-instance vpn-instance-name ] | public-net ] [ -force-receive-pubkey ] [ [ -port server-port ] | [ identity-key identity-key-type ] | [ user-identity-key user-key ] | [ [ -a source-ipv6-address ] | [ -oi { interface-name | interface-type interface-number } ] ] | -r | -c | [ -cipher cipher ] | [ -prefer-kex prefer-kex ] ] * source-filename destination-filename
Description (both commands): Select either of the commands based on the address type. If the source interface is specified using -i interface-type interface-number, the public-net and vpn-instance vpn-instance-name parameters are not supported.
----End
Networking Requirements
Compared with SFTP, SCP simplifies file transfer operations by combining user
identity authentication and file transfer to improve configuration efficiency.
In Figure 7-5, the routes between the SCP client and SSH server are reachable.
The SCP client needs to download files from the SSH server.
Figure 7-5 Network diagram for configuring a device to access files on another
device as an SCP client
NOTE
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Generate a local key pair on the server.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be:Host
The range of public key size is (2048, 4096).
NOTE: Key pair generation will take a short while.
Please input the modulus [default = 3072]:
# Create an SSH user named Client, set the authentication mode to password,
and set the service type to all.
Step 4 Configure the public key algorithm, encryption algorithm, key exchange algorithm
list, HMAC authentication algorithm, and minimum key length on the SSH server.
[SSH Server] ssh server cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
[SSH Server] ssh server hmac sha2_256 sha2_512
[SSH Server] ssh server key-exchange dh_group_exchange_sha256 dh_group16_sha512
[SSH Server] ssh server publickey rsa_sha2_256 rsa_sha2_512
[SSH Server] ssh server dh-exchange min-len 3072
----End
# Download the backup.cfg file from the SSH server at 10.1.1.1 to the local
directory using the aes256_ctr encryption algorithm.
[SCP Client] scp -cipher aes256_ctr Client1@10.1.1.1:backup.cfg backup.cfg
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
Continue to access it? [Y/N]:y
[Y/N]:y
The server's public key will be saved with the name 10.1.1.1. Please wait...
Enter password:
backup.cfg 100% 19174Bytes 7Kb/s
Configuration Scripts
● SSH server
#
sysname SSH Server
#
aaa
local-user Client password irreversible-cipher $#z$!9S<a#>H7{7dI>%0S{AcKGC=t:zjv14LlQqHO\\P.*=<x1]u;y*P`'GR3[m}$
local-user Client service-type terminal ssh
local-user Client privilege level 3
#
scp server enable
ssh server-source all-interface
ssh user Client
ssh user Client authentication-type password
ssh user Client service-type all
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
ssh server cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
ssh server hmac sha2_256 sha2_512
ssh server key-exchange dh_group_exchange_sha256 dh_group16_sha512
ssh server publickey rsa_sha2_256 rsa_sha2_512
ssh server dh-exchange min-len 3072
#
return
● SCP client
#
sysname SCP Client
#
ssh client first-time enable
#
ssh client cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
ssh client hmac sha2_256 sha2_512
ssh client key-exchange dh_group_exchange_sha256 dh_group16_sha512
ssh client publickey rsa_sha2_256 rsa_sha2_512
#
return
Prerequisites
You can configure a device as a TFTP client, through which you can log in to a
TFTP server to upload and download files between the client and server.
Before configuring a device to access files on another device as a TFTP client, you
have completed the following tasks:
● Ensure that there are reachable routes between the device and TFTP server.
● Obtain the IP address of the TFTP server and the directory for storing the files
to be downloaded or uploaded.
● Run the install feature-software WEAKEA command to install the weak
security algorithm/protocol feature package (WEAKEA).
Context
NOTE
Table 7-42 describes the process for configuring a device to access files on
another device as a TFTP client.
Table 7-42 Configuring a device to access files on another device as a TFTP client
No. Task Description Remarks
Procedure
● (Optional) Configure the source interface or source address for the TFTP
client.
The source IP address to be configured must be that of a stable interface,
such as a loopback interface. This configuration makes it easier to configure
ACL rules. You simply need to specify the source or destination IP address in
an ACL rule as the interface IP address, thereby allowing the device to filter
incoming and outgoing packets.
Table 7-43 (Optional) Configuring the source interface or source address for
the TFTP client
Operation Command Description
NOTE
TFTP supports only basic ACLs, whose numbers range from 2000 to 2999.
ACL rule:
● When the permit action is defined in an ACL rule, the local device can set up
TFTP connections with devices that match the rule.
● When the deny action is defined in an ACL rule, the local device cannot set up
TFTP connections with devices that match the rule.
● If packets from other devices do not match any rule in an ACL, the local device
cannot set up TFTP connections with those devices.
● If no rule is defined in an ACL, the local device can set up TFTP connections with
any other devices.
Operation: Return to the system view.
Command: quit
Description: -
● Upload files to or download files from the server using TFTP commands.
----End
The TFTP client needs to be upgraded. To be specific, you need to download the
system software from the TFTP server to the TFTP client and back up the current
configuration file of the TFTP client to the TFTP server.
Figure 7-6 Network diagram for accessing files on another device using TFTP
NOTE
Configuration Roadmap
The configuration roadmap is as follows:
1. Run the TFTP software on the TFTP server and set the TFTP working directory.
2. Upload files from and download files to the TFTP client using TFTP
commands.
Configuration Precautions
In insecure network environments, you are advised to use a secure password
authentication mode, encryption authentication algorithm, or protocol. For details
about secure configuration examples, see 7.7.3 Example for Configuring a
Device as an SCP Client.
Procedure
Step 1 Run the install feature-software WEAKEA command in the user view to install
the weak security algorithm/protocol feature package (WEAKEA).
Step 2 Run the TFTP software on the TFTP server and set the TFTP working directory. For
details, see the help document of the third-party software.
Step 3 Upload and download files on the TFTP client using TFTP commands.
<HUAWEI> tftp 10.1.1.1 get devicesoft.cc
Info: Transfer file in binary mode.
Please wait for a while...
/ 107973953 bytes transferred
Info: Downloaded the file successfully.
<HUAWEI> tftp 10.1.1.1 put vrpcfg.zip
Info: Transfer file in binary mode.
Please wait for a while...
/ 100% [***********]
Info: Uploaded the file successfully.
----End
# Access the working directory on the TFTP server and check whether the
vrpcfg.zip file has been uploaded successfully.
Configuration Scripts
None
Possible Causes
● The FTP server function is not enabled.
● The FTP server does not use the default port number, and the port number of
the FTP server is not specified when the FTP server is accessed from the FTP
client.
● The FTP user information, working directory, and user privilege level are not
configured on the FTP server.
● The number of online FTP users reaches the upper limit.
● An ACL is configured on the FTP server to deny the access of the FTP user.
Procedure
Step 1 Check whether the FTP server function is enabled.
Run the display ftp server command in any view to check the status of the FTP
server.
● If the following information is displayed, the FTP server function is disabled:
<HUAWEI> display ftp server
Server state : Disabled
IPv6 server state : Disabled
Timeout value (mins) : 10
IPv6 Timeout value (mins) : 10
Listen port : 21
IPv6 listen port : 21
ACL name :
IPv6 ACL name :
ACL number :
IPv6 ACL number :
Current user count :0
Max user number : 15
Run the ftp server enable command in the system view to enable the FTP
server function.
<HUAWEI> system-view
[HUAWEI] ftp server enable
Warning: FTP is not a secure protocol, and it is recommended to use SFTP.
Step 2 Check whether the port number of the FTP server is the default port number.
Run the display ftp server command in any view to check the FTP server port.
<HUAWEI> display ftp server
Server state : Enabled
IPv6 server state : Disabled
Timeout value (mins) : 10
IPv6 Timeout value (mins) : 10
Listen port : 21
IPv6 listen port : 21
ACL name :
IPv6 ACL name :
ACL number :
If the FTP server port is not 21, run the ftp server port command to set the port
number to 21.
<HUAWEI> system-view
[HUAWEI] undo ftp server
Info: Succeeded in closing the FTP server.
[HUAWEI] ftp server port 21
[HUAWEI] ftp server enable
Warning: FTP is not a secure protocol, and it is recommended to use SFTP.
Alternatively, specify the port number of the FTP server on the FTP client when
connecting to the FTP server from the FTP client.
Step 3 Check whether the FTP user information, authorized directory, and user privilege
level are configured.
The user name, password, authorized directory, and user privilege level are
mandatory for an FTP user. An FTP user cannot log in to the FTP server if the FTP
authorized directory or user privilege level is not specified.
For details, see "Configure a local FTP user" in "Configuring the Device as an FTP
Server."
Step 4 Check whether the number of users on the FTP server reaches the upper limit.
Run the display ftp server users command to check whether the number of FTP
users reaches 15.
Step 5 Check whether an ACL is configured on the FTP server.
Run the display ftp server command to check whether an ACL is configured on
the FTP server.
If an ACL is configured on the FTP server, the FTP server allows only access from
the IP addresses permitted by the ACL rules.
----End
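The checks in Steps 1, 2, 4 and 5 can be run over the text of display ftp server instead of read by eye, which is useful when auditing many switches. This is an added example, not Huawei tooling: the first sample is the disabled-server output shown in Step 1, the second is a constructed output with a non-default port, an ACL and a full user table, and client_port is an assumed parameter giving the port the FTP client is using. Step 3 (user, directory and privilege level) cannot be judged from this output and is not covered.

```python
"""Evaluate the FTP-server troubleshooting checks over 'display ftp server' output."""

# Sample 1: the 'disabled' output from Step 1 of the procedure above.
SAMPLE_DISABLED = """\
Server state : Disabled
IPv6 server state : Disabled
Timeout value (mins) : 10
IPv6 Timeout value (mins) : 10
Listen port : 21
IPv6 listen port : 21
ACL name :
IPv6 ACL name :
ACL number :
IPv6 ACL number :
Current user count :0
Max user number : 15
"""

# Sample 2: constructed output (not from the page) where the server is up
# but listens on a non-default port, has an ACL applied and is at its user limit.
SAMPLE_RESTRICTED = """\
Server state : Enabled
IPv6 server state : Disabled
Timeout value (mins) : 10
IPv6 Timeout value (mins) : 10
Listen port : 2121
IPv6 listen port : 21
ACL name :
IPv6 ACL name :
ACL number : 2001
IPv6 ACL number :
Current user count :15
Max user number : 15
"""


def parse_display_ftp_server(text):
    """Split each 'Field : value' line into a dict; an empty value stays ''."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def ftp_server_findings(text, client_port=21):
    """Return one finding string per failed check, prefixed with its step number.

    client_port (assumed parameter) is the port the FTP client connects to;
    the page says the client must specify the port when it is not 21.
    """
    f = parse_display_ftp_server(text)
    findings = []
    # Step 1: the server function must be enabled.
    if f.get("Server state", "").lower() != "enabled":
        findings.append("Step 1: FTP server function is disabled; run 'ftp server "
                        "enable' in the system view")
    # Step 2: the listen port must match what the client uses.
    port = f.get("Listen port", "")
    if port.isdigit() and int(port) != client_port:
        findings.append("Step 2: server listens on port %s but the client uses %d; "
                        "set 'ftp server port 21' or pass the port on the client"
                        % (port, client_port))
    # Step 4: the online user count must be below the upper limit.
    current, maximum = f.get("Current user count", ""), f.get("Max user number", "")
    if current.isdigit() and maximum.isdigit() and int(current) >= int(maximum):
        findings.append("Step 4: online FTP user count (%s) has reached the upper "
                        "limit (%s)" % (current, maximum))
    # Step 5: an applied ACL restricts logins to the addresses it permits.
    if f.get("ACL name") or f.get("ACL number"):
        findings.append("Step 5: an ACL is applied to the FTP server; only IP "
                        "addresses permitted by its rules can log in")
    return findings


if __name__ == "__main__":
    for name, sample in (("disabled", SAMPLE_DISABLED), ("restricted", SAMPLE_RESTRICTED)):
        print(name, ftp_server_findings(sample))
```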
Procedure
Step 1 Check whether the FTP source or destination directory name contains characters
not supported by the device.
The directory name cannot contain spaces or the following special characters: ~ * / \ : ' "
If the directory name contains any of these characters, change the directory name.
Step 2 Check whether there is sufficient storage space in the root directory on the FTP
server.
Run the dir command on the FTP server to check the available space of the root
directory on the FTP server.
If the storage space is insufficient, run the delete /unreserved command in the
user view to delete unnecessary files.
----End
Purpose
Configuration file management allows you to view, save, compare, back up,
restore, and compress configuration files, as well as delete and roll back
configurations in the files. You can also specify the configuration file to be loaded
at the next device startup. All this ensures correct configurations on the device,
prevents configuration loss, and facilitates configuration migration.
Hardware Requirements
Feature Requirements Series Models
Feature Requirements: For security purposes, FTP and TFTP are not recommended. By default, the device provides the weak security algorithm/protocol feature package WEAKEA. If you need to use the weak security algorithm/protocol feature package WEAKEA, run the install feature-software WEAKEA command to install it.
Series and Models:
● S5735-S-V2 series: S5735-S24P4XE-V2/S5735-S24T4XE-V2/S5735-S24U4XE-V2/S5735-S48P4XE-V2/S5735-S48T4XE-V2/S5735-S48U4XE-V2
● S5735-L-V2 series: S5735-L10T4X-A-V2/S5735-L10T4X-TA-V2/S5735-L16T4S-A-V2/S5735-L16T4X-QA-V2/S5735-L24P4S-A-V2/S5735-L24P4XE-A-V2/S5735-L24P4XE-TA-V2/S5735-L24T4S-A-V2/S5735-L24T4X-QA-V2/S5735-L24T4XE-A-V2/S5735-L24T4XE-D-V2/S5735-L48LP4S-A-V2/S5735-L48LP4XE-A-V2/S5735-L48P4XE-A-V2/S5735-L48T4S-A-V2/S5735-L48T4XE-A-V2/S5735-L48T4XE-TA-V2/S5735-L48T4XE-D-V2/S5735-L8P2T4X-A-V2/S5735-L8P2T4X-TA-V2/S5735-L8P4S-A-V2/S5735-L8P4X-QA-V2/S5735-L8T4S-A-V2/S5735-L8T4X-QA-V2
● S3710-H series: S3710-H24P4S-A/S3710-H24T4S-A/S3710-H48LP4S-A/S3710-H48T4S-A
● S5735I-L-V2 series: S5735I-L10T4X-A-V2/S5735I-L8P4X-A-V2
● S5732-H-V2 series: S5732-H24S4X6QZ-TV2/S5732-H24S4X6QZ-V2/S5732-H24UM4Y2CZ-TV2/S5732-H24UM4Y2CZ-V2/S5732-H44S4X6QZ-TV2/S5732-H44S4X6QZ-V2/S5732-H48UM4Y2CZ-TV2/S5732-H48UM4Y2CZ-V2
● S5735I-S-V2 series: S5735I-S24T4XE-V2/S5735I-S24T4XE-T-V2/S5735I-S24U4XE-V2/S5735I-S24U4XE-T-V2/S5735I-S8T4SN-V2/S5735I-S8T4XN-T-V2/S5735I-S8T4XN-V2/S5735I-S8U4XN-V2
● S6730-H-V2 series: S6730-H24X6C-TV2/S6730-H24X6C-V2/S6730-H28X6CZ-TV2/S6730-H28X6CZ-V2/S6730-H48X6C-TV2/S6730-H48X6C-V2/S6730-H48X6CZ-TV2/S6730-H48X6CZ-V2/S6730-H48Y6C-TV2/S6730-H48Y6C-V2
Next startup configuration: After the system starts, you can specify a
configuration file as the initial configurations for the next startup, known as
the next startup configurations. Run the display startup command to check the
configuration file to be used for the next startup. Run the display
saved-configuration command to check the content of the configuration file to be
used for the next startup.
To use modified configurations as the next startup configurations, run the save
command to save them to the default storage medium.
NOTE
If a command is configured in an incomplete format, the system saves the command to the
configuration file in its complete format. As a result, the command may have more than
510 characters, which is the maximum length supported by the system. Such a command
cannot be restored after the system restarts.
Procedure
● Enable the system to automatically save configurations.
NOTE
If the local storage medium does not have sufficient space or is damaged, or the
configuration file needs to be backed up, you can run this command to specify a file
server for saving the backup configuration file.
SFTP has higher security and is therefore recommended for saving the configuration
file to the file server.
The configuration file is saved on the server as a compressed package, named in the
YY-MM-DD.HH-MM-SS.Device name.zip format (for example,
2019-10-25.15-13-37.HUAWEI.zip). After decompression, the file with the file name
extension .cfg is the configuration file.
d. (Optional) Configure the function for uploading the configuration file at
a specific time point of a certain day every month.
configuration current backup-to-server monthly date date-value [ time time-value ]
The configuration file name extension must be .zip, .dat, or .cfg. If the
configuration file will be loaded during system startup, it must be stored
in the root directory of the storage medium.
If the configuration-file parameter is not specified, the system asks you
whether to name the configuration file vrpcfg.zip when you save the
configuration file for the first time. The vrpcfg.zip file is the default
configuration file and does not contain any configuration in the initial
state. If configurations are not saved for the first time, they will be saved
in the running configuration file. You can run the display startup
command to check the name of the running configuration file.
– Enter a password to save the configuration file.
save shareable-configuration configuration-file [ password ]
NOTE
----End
Context
When the system restarts, it uses the specified configuration file to restore
configurations.
Before specifying the file for the next startup, you can run the display startup
command to view the current specified file.
NOTE
Procedure
● Configure the configuration file for the next startup.
startup saved-configuration configuration-file
● Configure the configuration file containing key information for the next
startup.
startup shareable-configuration configuration-file [ password ]
If the configuration file configured for the next startup contains key
information, you need to enter a password for authentication before using the
file.
----End
Context
A configuration file may contain a ciphertext encrypted using a system master key.
As a system master key is automatically and randomly generated by default,
different devices have different system master keys. The ciphertext in a
configuration file of a device cannot be decrypted on another device. As a result,
the ciphertext cannot be restored on another device and is treated as
plaintext. To decrypt the ciphertext in the configuration file on another device,
perform the following operations.
Procedure
Step 1 Export the configuration file from device A.
1. Save the configuration file.
save shareable-configuration configuration-file [ password ]
For details, see 8.3.11 Backing Up the Configuration File to an SFTP Server
or Client.
For details, see 8.3.16 Copying the Configuration File from an SFTP Server
or Client to the Device.
2. Configure the exported configuration file as the configuration file to be
loaded for the next startup of device B.
startup shareable-configuration configuration-file [ password ]
----End
Context
You can compare the current configuration file with the specified configuration file
to check whether they are consistent and determine whether to use the specified
configuration file for the next startup.
NOTE
Procedure
Context
You can copy the configurations displayed on the screen and back them up as a
configuration file on the hard disk of the PC. The backup configuration file can
be used if configuration file restoration fails due to unexpected device damage.
Procedure
Step 1 Copy configurations on the screen. Specifically, run the following command and
copy all command output to a .txt file on the PC. The configurations are then
saved on the PC.
display current-configuration
NOTE
If the configuration of a single command is too long, the configuration may be displayed in
multiple lines on the terminal screen, depending on the terminal software. When copying a
multi-line configuration from the screen to a .txt file, ensure that the configuration occupies
one line in the .txt file. Otherwise, such a configuration may fail to be restored when
the .txt file is used.
----End
Context
You can back up the configuration file to the storage medium. The backup
configuration file can be used if the configuration file restoration fails due to
unexpected device damage.
Procedure
Step 1 (Optional) Save the configuration file.
save configuration-file
----End
Prerequisites
Before backing up the configuration file to an FTP server or client, you have
completed the following tasks:
● If the device functions as an FTP client, connect it to an FTP server. For details,
see "Configuring a Device as an FTP Client" in CLI Configuration Guide > Basic
Configuration.
● If the device functions as an FTP server, connect it to an FTP client. For details,
see "Configuring a Device as an FTP Server" in CLI Configuration Guide >
Basic Configuration.
● Run the install feature-software WEAKEA command to install the weak
security algorithm/protocol feature package (WEAKEA).
Context
If the device is unexpectedly damaged, the configuration file cannot be restored.
In this case, a backup configuration file is required for restoring the device
configurations. You can back up the configuration file through FTP using either of
the following methods:
NOTE
Backing up the configuration file through FTP is simple but may pose security
risks. In scenarios with high security requirements, SFTP and SCP are
recommended for configuration file backup.
In FIPS mode, FTP cannot be used to back up configuration files.
Procedure
● Back up the configuration file to the FTP server when the device functions as
an FTP client.
a. Set up an FTP connection with the FTP server.
ftp [ ipv6 ] host-ip
On the device, run the put command to upload the configuration file to
the specified path on the PC that functions as an FTP server.
put local-filename [ remote-filename ]
● Back up the configuration file to the FTP client when the device functions as
an FTP server.
a. On the PC that functions as an FTP client, initiate an FTP connection with
the device.
On the PC, run the get command to download the configuration file to
the specified path on the PC.
ftp> get remote-filename [ local-filename ]
----End
Prerequisites
Before backing up the configuration file to a TFTP server, you have completed the
following tasks:
● Ensure that the device has been connected to the TFTP server. For details, see
"Configuring a Device as a TFTP Client" in CLI Configuration Guide > Basic
Configuration.
● Run the install feature-software WEAKEA command to install the weak
security algorithm/protocol feature package (WEAKEA).
Context
If the device is unexpectedly damaged, the configuration file cannot be restored.
In this case, a backup configuration file is required for restoring the device
configurations. You can back up the configuration file through TFTP.
NOTE
Backing up the configuration file through TFTP is simple but may pose security risks. In
scenarios with high security requirements, SFTP and SCP are recommended for configuration
file backup.
In FIPS mode, TFTP cannot be used to back up configuration files.
Procedure
Step 1 Back up the configuration file to the TFTP server.
tftp [ ipv6 ] hostname-ip put sourcefilename [ destination-filename ]
----End
Prerequisites
Before backing up the configuration file to an SFTP server or client, you have
completed the following tasks:
● If the device functions as an SFTP client, connect it to an SFTP server. For
details, see "Configuring a Device as an SFTP Client" in CLI Configuration
Guide > Basic Configuration.
● If the device functions as an SFTP server, connect it to an SFTP client. For
details, see "Configuring a Device as an SFTP Server" in CLI Configuration
Guide > Basic Configuration.
Context
If the device is unexpectedly damaged, the configuration file cannot be restored.
In this case, a backup configuration file is required for restoring the device
configurations. You can back up the configuration file through SFTP using either of
the following methods:
● If the device functions as an SFTP client, back up the configuration file to an
SFTP server.
● If the device functions as an SFTP server, back up the configuration file to an
SFTP client.
NOTE
Backing up the configuration file through FTP or TFTP is simple but may pose security risks.
In scenarios with high security requirements, SFTP and SCP are recommended for
configuration file backup.
Procedure
● Back up the configuration file to the SFTP server when the device functions as
an SFTP client.
a. Enter the system view.
system-view
On the device, run the put command to upload the configuration file to
the specified path on the PC that functions as an SFTP server.
put local-filename [ remote-filename ]
● Back up the configuration file to the SFTP client when the device functions as
an SFTP server.
a. On the PC that functions as an SFTP client, initiate an SFTP connection
with the device.
b. On the PC, run the get command to transfer the configuration file to the
specified path on the PC.
sftp> get remote-filename [ local-filename ]
----End
Context
If the device is unexpectedly damaged, the configuration file cannot be restored.
In this case, a backup configuration file is required for restoring the device
configurations. You can back up the configuration file through SCP using either of
the following methods:
● If the device functions as an SCP client, back up the configuration file to an
SCP server.
● If the device functions as an SCP server, back up the configuration file to an
SCP client.
Select one method as required.
Procedure
● Back up the configuration file to the SCP server when the device functions as
an SCP client.
a. Enter the system view.
system-view
For example, to back up the vrpcfg.cfg file to the SCP server at 10.1.1.1
in SCP mode, run the following command. (The following information is
for reference only.)
<HUAWEI> system-view
[HUAWEI] scp vrpcfg.cfg scpuser@10.1.1.1:flash:/vrpcfg-backup.cfg
Trying 10.1.1.1...
Press CTRL+K to abort
Connected to 10.1.1.1...
The server is not authenticated. Continue to access it? [Y/N]:y
Save the server's public key? [Y/N]:y
The server's public key will be saved with the name 10.1.1.1. Please wait...
Please select public key type for user authentication [R for RSA/D for DSA/E for ECC] Please select [R/D/E]:e
Enter password:
vrpcfg.cfg 100% 261Bytes 1Kb/s
● Back up the configuration file to the SCP client when the device functions as
an SCP server.
On the PC that functions as an SCP client, run the following command to
back up the configuration file to the specified path on the PC:
scp source-filename destination-filename
For example, to back up the vrpcfg.cfg file to the SCP client in SCP mode, run
the following command. The IP address of the device is 10.2.2.2. (The
following information is for reference only.)
C:\Documents and Settings\Administrator> scp scpuser@10.2.2.2:flash:/vrpcfg.cfg vrpcfg-backup.cfg
The authenticity of host '10.2.2.2 (10.2.2.2)' can't be established.
DSA key fingerprint is 46:b2:8a:52:88:42:41:d4:af:8f:4a:41:d9:b8:4f:ee.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.2.2.2' (DSA) to the list of known hosts.
scpuser@10.2.2.2's password:
vrpcfg.cfg 100% 1257 1.2KB/s 00:00
Read from remote host 10.2.2.2: Connection reset by peer
----End
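The SCP transcripts above stop at the "server is not authenticated" prompt and at the PC's "DSA key fingerprint" line. The two checks a practitioner wants at those points are that the fingerprint matches one obtained out of band before answering y or yes, and that the retrieved backup matches the hash recorded when it was made. The following Python helpers are an added example, not Huawei code or a Huawei tool: the key blob, the known_hosts line and the configuration bytes are constructed stand-ins, and the fingerprint forms are the legacy MD5 colon-hex form shown in the transcript and the current SHA256 base64 form.

```python
"""Host-key pinning and backup integrity checks around an SCP backup.

Added example; not Huawei code. The key blob, known_hosts line and
configuration bytes below are constructed stand-ins for illustration.
"""
import base64
import hashlib
import hmac

# Constructed public key blob in SSH wire layout (length-prefixed key type
# string followed by arbitrary bytes). A real blob is the host key the
# switch presents during key exchange.
CONSTRUCTED_KEY_BLOB = b"\x00\x00\x00\x07ssh-dss" + bytes(range(64))

# Constructed backup contents standing in for vrpcfg.cfg.
CONSTRUCTED_CONFIG = b"#\nsysname HUAWEI\n#\nreturn\n"


def fingerprint_md5(blob: bytes) -> str:
    """Legacy OpenSSH fingerprint: MD5 of the key blob as colon-separated
    hex, the form the PC prints in the transcript (46:b2:8a:...)."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def fingerprint_sha256(blob: bytes) -> str:
    """Current OpenSSH fingerprint: 'SHA256:' + unpadded base64 of SHA-256."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_hosts_line(host: str, blob: bytes, key_type: str = "ssh-dss") -> str:
    """Build the known_hosts entry the 'Permanently added' warning refers to."""
    return f"{host} {key_type} {base64.b64encode(blob).decode()}"


def host_key_matches(line: str, pinned: str) -> bool:
    """True if the key in a known_hosts line has the pinned fingerprint.
    Accepts either fingerprint form and compares in constant time."""
    _host, _key_type, b64 = line.split()[:3]
    blob = base64.b64decode(b64)
    if pinned.startswith("SHA256:"):
        computed = fingerprint_sha256(blob)
    else:
        computed = fingerprint_md5(blob).lower()
        pinned = pinned.lower()
    return hmac.compare_digest(computed, pinned)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file's bytes; record this when the backup is made."""
    return hashlib.sha256(data).hexdigest()


def backup_is_intact(data: bytes, recorded_sha256: str) -> bool:
    """True if the retrieved backup matches the hash recorded at backup time."""
    return hmac.compare_digest(sha256_hex(data), recorded_sha256.lower())


if __name__ == "__main__":
    line = known_hosts_line("10.2.2.2", CONSTRUCTED_KEY_BLOB)
    print("fingerprint:", fingerprint_md5(CONSTRUCTED_KEY_BLOB))
    print("pinned key matches:", host_key_matches(line, fingerprint_md5(CONSTRUCTED_KEY_BLOB)))
    print("backup intact:", backup_is_intact(CONSTRUCTED_CONFIG, sha256_hex(CONSTRUCTED_CONFIG)))
```

The pinned fingerprint has to come from a channel other than the connection being checked (for example, read from the device console). Answering y at the prompt without that comparison means the first connection decides which key is trusted from then on.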
Procedure
Step 1 Copy the backup configuration file and specify the name for the configuration file
copy.
copy source-filename destination-filename [ all ]
Step 3 Restart the device for the configuration file to take effect.
reboot fast
----End
Prerequisites
Before copying the configuration file from an FTP server or client to the device,
you have completed the following tasks:
● If the device functions as an FTP client, connect it to an FTP server. For details,
see "Configuring a Device as an FTP Client" in CLI Configuration Guide > Basic
Configuration.
● If the device functions as an FTP server, connect it to an FTP client. For details,
see "Configuring a Device as an FTP Server" in CLI Configuration Guide >
Basic Configuration.
● Run the install feature-software WEAKEA command to install the weak
security algorithm/protocol feature package (WEAKEA).
Context
If functions do not operate properly due to incorrect configurations, you can copy
the backup configuration file of the device from an FTP server or client to restore
the configuration file using either of the following methods:
● If the device functions as an FTP client, copy the configuration file from an
FTP server to the device.
● If the device functions as an FTP server, copy the configuration file from an
FTP client to the device.
NOTE
Restoring the configuration file through FTP is simple but may pose security risks. In
scenarios with high security requirements, SFTP and SCP are recommended for configuration
file restoration.
In FIPS mode, FTP cannot be used to restore configuration files.
Procedure
● Copy the configuration file from the FTP server when the device functions as
an FTP client.
a. Set up an FTP connection with the FTP server.
ftp [ ipv6 ] host-ip
b. On the device, run the get command to copy the configuration file from
the PC that functions as an FTP server to the specified path on the device.
get remote-filename [ local-filename ]
● Copy the configuration file from the FTP client when the device functions as
an FTP server.
a. On the PC that functions as an FTP client, initiate an FTP connection with
the device.
In this example, the IP address of the device is 10.110.24.254, the FTP
user name created on the device is huawei, and the password of the FTP
user is YsHsjx_202206.
C:\Documents and Setting\Administrator> ftp 10.110.24.254
Connected to 10.110.24.254.
220 FTP service ready.
User (10.110.24.254:(none)): huawei
331 Password required for huawei.
Password:
230 User logged in.
----End
Context
If functions do not operate properly due to incorrect configurations, you can copy
the backup configuration file from the TFTP server to the device to restore the
functions.
NOTE
Restoring the configuration file through TFTP is simple but may pose security risks. In
scenarios with high security requirements, SFTP and SCP are recommended for configuration
file restoration.
In FIPS mode, TFTP cannot be used to restore configuration files.
Procedure
Step 1 Copy the configuration file from the TFTP server to the device.
tftp [ ipv6 ] hostname-ip get source-filename [ destination-filename ]
----End
Context
If functions do not operate properly due to incorrect configurations, you can copy
the backup configuration file of the device from an SFTP server or client to restore
the configuration file using either of the following methods:
● If the device functions as an SFTP client, copy the configuration file from an
SFTP server to the device.
● If the device functions as an SFTP server, copy the configuration file from an
SFTP client to the device.
Select one method as required.
Procedure
● Copy the configuration file from the SFTP server when the device functions as
an SFTP client.
a. Enter the system view.
system-view
----End
Context
If functions do not operate properly due to incorrect configurations, you can copy
the backup configuration file of the device from an SCP server or client to restore
the configuration file using either of the following methods:
● If the device functions as an SCP client, copy the configuration file from an
SCP server to the device.
● If the device functions as an SCP server, copy the configuration file from an
SCP client to the device.
Select one method as required.
Procedure
● Copy the configuration file from the SCP server when the device functions as
an SCP client.
a. Enter the system view.
system-view
On the device, run the following command to copy the configuration file
from the PC that functions as an SCP server to the specified path on the
device:
scp source-filename destination-filename
For example, to copy the vrpcfg.cfg file from the SCP server at 10.1.1.1 to
the device using SCP, run the following command. (The following
information is for reference only.)
<HUAWEI> system-view
[HUAWEI] scp scpuser@10.1.1.1:flash:/vrpcfg.cfg vrpcfg-backup.cfg
Trying 10.1.1.1...
Press CTRL+K to abort
Connected to 10.1.1.1...
The server is not authenticated. Continue to access it? [Y/N]:y
Save the server's public key? [Y/N]:y
The server's public key will be saved with the name 10.1.1.1. Please wait...
Please select public key type for user authentication [R for RSA/D for DSA/E for ECC] Please select [R/D/E]:e
Enter password:
vrpcfg.cfg 100% 261Bytes 1Kb/s
● Copy the configuration file from the SCP client when the device functions as
an SCP server.
Run the following command to copy the configuration file from the PC that
functions as an SCP client to the specified path on the device:
scp source-filename destination-filename
For example, to copy the vrpcfg.cfg file from the SCP client to the device at
10.2.2.2 using SCP, run the following command. (The following information is
for reference only.)
C:\Documents and Settings\Administrator> scp vrpcfg.cfg scpuser@10.2.2.2:flash:/vrpcfg-backup.cfg
The authenticity of host '10.2.2.2 (10.2.2.2)' can't be established.
DSA key fingerprint is 46:b2:8a:52:88:42:41:d4:af:8f:4a:41:d9:b8:4f:ee.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.2.2.2' (DSA) to the list of known hosts.
scpuser@10.2.2.2's password:
vrpcfg.cfg 100% 1257 1.2KB/s 00:00
Read from remote host 10.2.2.2: Connection reset by peer
----End
Procedure
● Compress the configuration file.
zip source-filename destination-filename [ password password ]
----End
NOTICE
To configure an interface on a device for other uses, you need to first delete
existing configurations from the interface one by one. If the interface has a large
number of configurations, this can take a long time. A single command is
available for deleting all configurations on an interface, reducing the maintenance
workload and simplifying the deletion operation.
Procedure
● Delete configurations for the next startup.
a. Cancel the configuration file specified for the next startup to restore the
default configurations.
reset saved-configuration
NOTE
After the configuration file specified for the next startup is canceled, the device
will use default configurations for startup, unless the startup saved-
configuration command is used to specify a new configuration file, or new
configurations have been saved to the configuration file for the next startup.
Before the reset saved-configuration command is executed, the system checks
whether the configuration files used for the current startup and the next startup
are the same:
● If they are the same, running the reset saved-configuration command clears
both configuration files, and the default configuration file will be used for the
next startup.
● If they are not the same, running the reset saved-configuration command
clears the configuration file for next startup, but the current configuration file
remains unchanged.
● If the current configuration file is empty and the configuration file for next
startup is not empty, running the reset saved-configuration command clears
the configuration file for next startup.
● If the configuration file for next startup is empty and the current
configuration file is not empty, after the reset saved-configuration
command is run, the system reports an error and does not clear any
configuration file. If you run the command to restart a device, addresses
configured for management interfaces on the device will become invalid, and
you must log in to the device through a console interface to re-configure
these addresses.
b. Restart the device to validate the configuration.
reboot fast
NOTE
This command will delete all configurations of a specified interface. Exercise caution
when running this command.
Ensure that the specified interface type and number are correct. Otherwise, the
configurations of another interface may be deleted, causing service interruption.
----End
NOTE
The system configuration takes effect in immediate mode. After you enter a command line
and press Enter, the system performs a syntax check. The configuration takes effect as soon
as it passes the syntax check, and you do not need to run the commit command to commit
the configuration.
Procedure
Step 1 Check the configuration rollback points and the latest configuration changes.
Step 2 Roll back the system to the historical configuration state by specifying a
configuration rollback point.
rollback configuration { to commit-id commit-id | to label label | to file file-name }
Step 3 (Optional) Set the user label for a configuration rollback point.
set configuration commit commit-id label label-string
Step 4 (Optional) Delete the user label of the specified configuration rollback point or
the earliest configuration rollback point list generated in the system.
clear configuration commit { commit-id label | oldest number-of-commits }
Step 5 (Optional) Delete the configuration rollback point with a specified user label.
----End
Example
A user logs in to the device and finds that the configuration is incorrect. The user
then rolls back the system using a backup configuration file.
1. Check the name of the backup configuration file on the current device.
<HUAWEI> dir
Directory of flash:/
Networking Requirements
As shown in Figure 8-1, the current system software cannot meet user needs. The
device must load a new software version with more features, so the device
software needs to be upgraded remotely.
Figure 8-1 Network diagram of specifying the configuration file to be loaded for
next startup
Configuration Roadmap
The configuration roadmap is as follows:
1. Upload the new system software to the root directory of the device.
2. Save the current configuration so that it remains effective after upgrade.
3. Specify the system software to be loaded for next startup.
4. Specify the configuration file to be loaded for next startup.
5. Restart the device to complete upgrade.
Procedure
Step 1 Upload the new system software to the root directory of the device.
1. Before configuration, run the display startup command to view the files for
next startup.
<HUAWEI> display startup
MainBoard:
Configured startup system software: flash:/basicsoft.cc
Startup system software: flash:/basicsoft.cc
Next startup system software: flash:/basicsoft.cc
Startup saved-configuration file: flash:/vrpcfg.zip
Next startup saved-configuration file: flash:/vrpcfg.zip
Startup paf file: default
Next startup paf file: default
Startup patch package: NULL
Next startup patch package: NULL
2. Configure the device as an SFTP server.
Upload the new system software to the device. This example uses SFTP to
transfer the system software. Configure the device as an SFTP server and
upload the system software to the device from the SFTP client. Ensure that
there is enough space in the storage medium before uploading files. If the
space is insufficient, delete unnecessary files from the storage medium.
# Configure an IP address for the SFTP server.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] interface 10ge 1/0/1
[SSH Server-10GE1/0/1] undo portswitch
[SSH Server-10GE1/0/1] ip address 10.248.103.194 255.255.255.0
[SSH Server-10GE1/0/1] quit
# Configure the public key algorithm, encryption algorithm, key exchange
algorithm list, HMAC authentication algorithm, and minimum key length on
the SSH server.
[SSH Server] ssh server cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
[SSH Server] ssh server hmac sha2_256 sha2_512
[SSH Server] ssh server key-exchange dh_group_exchange_sha256 dh_group16_sha512
[SSH Server] ssh server publickey rsa_sha2_256 rsa_sha2_512
[SSH Server] ssh server dh-exchange min-len 3072
# On the server, generate a local key pair and enable the SFTP server
function.
[SSH Server] dsa local-key-pair create
Info: The key name will be: Host_DSA
Info: The key modulus can be any one of the following : 2048.
Info: Key pair generation will take a short while.
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.
The system displays a message indicating that the current configuration will be
saved and asks you whether to continue. Enter y and the configuration will be
saved to the device.
Step 3 Specify the system software to be loaded for next startup.
<SSH Server> startup system-software newbasicsoft.cc
NOTE
In step 1, you can run the display startup command to check the configuration file for next
startup. The message "Next startup saved-configuration file: flash:/vrpcfg.zip" will be
displayed. This means that the vrpcfg.zip configuration file has been specified for next
startup, so skip this step. To specify another file for next startup, perform this step.
Run the following command to view the system software and configuration file
for next startup.
<SSH Server> display startup
MainBoard:
Configured startup system software: flash:/basicsoft.cc
Startup system software: flash:/basicsoft.cc
Next startup system software: flash:/newbasicsoft.cc
Startup saved-configuration file: flash:/vrpcfg.zip
Next startup saved-configuration file: flash:/vrpcfg.zip
Startup paf file: default
Next startup paf file: default
Startup patch package: NULL
Next startup patch package: NULL
# Because the configuration file has been saved, run the following command to
restart the device quickly.
<SSH Server> reboot fast
When the system asks you whether to continue with a system restart, enter y.
----End
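Before reboot fast is issued, the one check that prevents booting the wrong image or an unintended configuration file is to read the display startup output back and compare the "Next startup" fields with what the procedure set. The following Python script is an added example, not a Huawei tool: it parses the output in exactly the text layout printed in the procedure (the sample is the output shown after Step 3) and assumes, as a labelled guess, that an unset configuration file is shown as NULL in the same way as the patch package above.

```python
"""Pre-reboot check of the next-startup files from display startup output.

Added example, not Huawei tooling. SAMPLE_OUTPUT is the text shown in the
procedure after Step 3; the expected file names are the ones it sets.
"""

SAMPLE_OUTPUT = """\
MainBoard:
Configured startup system software: flash:/basicsoft.cc
Startup system software: flash:/basicsoft.cc
Next startup system software: flash:/newbasicsoft.cc
Startup saved-configuration file: flash:/vrpcfg.zip
Next startup saved-configuration file: flash:/vrpcfg.zip
Startup paf file: default
Next startup paf file: default
Startup patch package: NULL
Next startup patch package: NULL
"""

# (current, next) field pairs in the output, keyed by a short label.
STARTUP_PAIRS = {
    "system software": ("Startup system software",
                        "Next startup system software"),
    "saved-configuration file": ("Startup saved-configuration file",
                                 "Next startup saved-configuration file"),
    "paf file": ("Startup paf file", "Next startup paf file"),
    "patch package": ("Startup patch package", "Next startup patch package"),
}


def parse_display_startup(text: str) -> dict:
    """Map each 'Name: value' line to {name: value}. Board headings such as
    'MainBoard:' carry no value and are skipped. Values contain ':' themselves
    (flash:/...), so the line is split on the first colon only."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):
            continue
        name, _, value = line.partition(":")
        fields[name.strip()] = value.strip()
    return fields


def pending_changes(fields: dict) -> list:
    """(label, current, next) for every item that changes at the next boot."""
    changes = []
    for label, (cur_key, next_key) in STARTUP_PAIRS.items():
        cur, nxt = fields.get(cur_key), fields.get(next_key)
        if cur != nxt:
            changes.append((label, cur, nxt))
    return changes


def preflight(text: str, expected_software: str, expected_config: str) -> list:
    """Problems that should stop the reboot; an empty list means go."""
    fields = parse_display_startup(text)
    problems = []
    nxt_sw = fields.get("Next startup system software")
    nxt_cfg = fields.get("Next startup saved-configuration file")
    if nxt_sw != expected_software:
        problems.append(f"next startup software is {nxt_sw!r}, "
                        f"expected {expected_software!r}")
    if nxt_cfg != expected_config:
        problems.append(f"next startup configuration is {nxt_cfg!r}, "
                        f"expected {expected_config!r}")
    # Assumption: an unset configuration file is printed as NULL, like the
    # patch package fields in the sample output.
    if not nxt_cfg or nxt_cfg == "NULL":
        problems.append("no configuration file is set for next startup; "
                        "the device would boot with default configuration")
    return problems


if __name__ == "__main__":
    fields = parse_display_startup(SAMPLE_OUTPUT)
    for label, cur, nxt in pending_changes(fields):
        print(f"{label}: {cur} -> {nxt}")
    print("problems:", preflight(SAMPLE_OUTPUT, "flash:/newbasicsoft.cc",
                                 "flash:/vrpcfg.zip"))
```

In practice the output is captured from the device session and passed to preflight; only when it returns an empty list is reboot fast issued.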
Configuration Scripts
#
sysname SSH Server
#
acl number 2000
rule 5 permit source 10.248.103.0 0.0.0.255
#
aaa
local-user client password irreversible-cipher $1d$+,JS+))\\2$KVNj(.3`_5x0FCKGv}H&.kUTI`Ff&H*eBqO.ua>)$
local-user client service-type terminal ssh
local-user client privilege level 3
#
interface 10GE1/0/1
undo portswitch
ip address 10.248.103.194 255.255.255.0
#
sftp server enable
ssh server-source all-interface
ssh server acl 2000
ssh user client
ssh user client authentication-type password
ssh user client service-type sftp
ssh user client sftp-directory flash:
#
ssh server cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
ssh server hmac sha2_256 sha2_512
ssh server key-exchange dh_group_exchange_sha256 dh_group16_sha512
ssh server publickey rsa_sha2_256 rsa_sha2_512
ssh server dh-exchange min-len 3072
#
return
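The configuration script above is the baseline this example ends with: SFTP enabled, SSH reachable only from the ACL 2000 source range, CTR/GCM ciphers, SHA-2 HMACs, a 3072-bit DH minimum and an irreversible-cipher local-user password. The following Python audit is an added example, not a Huawei tool: it reads a script in this text layout and reports any setting that falls below that baseline. CONFIG_SCRIPT is the script from the page; WEAKENED_SCRIPT is a constructed variant with the SSH ACL removed and the DH minimum lowered, used to show what a finding looks like.

```python
"""Audit of SSH/SFTP settings in a CloudEngine configuration script.

Added example, not Huawei tooling. CONFIG_SCRIPT is the script shown on the
page; WEAKENED_SCRIPT is a constructed variant used to exercise the checks.
The baseline values are the ones the page's script configures.
"""

CONFIG_SCRIPT = r"""
#
sysname SSH Server
#
acl number 2000
rule 5 permit source 10.248.103.0 0.0.0.255
#
aaa
local-user client password irreversible-cipher $1d$+,JS+))\\2$KVNj(.3`_5x0FCKGv}H&.kUTI`Ff&H*eBqO.ua>)$
local-user client service-type terminal ssh
local-user client privilege level 3
#
interface 10GE1/0/1
undo portswitch
ip address 10.248.103.194 255.255.255.0
#
sftp server enable
ssh server-source all-interface
ssh server acl 2000
ssh user client
ssh user client authentication-type password
ssh user client service-type sftp
ssh user client sftp-directory flash:
#
ssh server cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
ssh server hmac sha2_256 sha2_512
ssh server key-exchange dh_group_exchange_sha256 dh_group16_sha512
ssh server publickey rsa_sha2_256 rsa_sha2_512
ssh server dh-exchange min-len 3072
#
return
"""

# Constructed weaker variant: no SSH ACL, smaller DH minimum.
WEAKENED_SCRIPT = (CONFIG_SCRIPT.replace("ssh server acl 2000\n", "")
                   .replace("min-len 3072", "min-len 2048"))

BASELINE_CIPHERS = {"aes128_ctr", "aes192_ctr", "aes256_ctr", "aes128_gcm", "aes256_gcm"}
BASELINE_HMACS = {"sha2_256", "sha2_512"}
MIN_DH_LEN = 3072


def config_lines(script: str) -> list:
    """Non-empty lines with the '#' section separators dropped."""
    return [l.strip() for l in script.splitlines() if l.strip() and l.strip() != "#"]


def acl_rules(lines: list, acl_id: str) -> list:
    """Rule lines that follow 'acl number <id>' up to the next non-rule line."""
    rules, inside = [], False
    for line in lines:
        if line == f"acl number {acl_id}":
            inside = True
        elif inside and line.startswith("rule "):
            rules.append(line)
        elif inside:
            break
    return rules


def audit_ssh_config(script: str) -> list:
    """Return findings (strings); an empty list means the baseline is met."""
    lines = config_lines(script)
    findings = []

    def first(prefix):
        return next((l for l in lines if l.startswith(prefix)), None)

    if "sftp server enable" not in lines:
        findings.append("sftp server enable is missing; SFTP uploads will be refused")
    acl_line = first("ssh server acl ")
    if acl_line is None:
        findings.append("ssh server acl is not set; SSH accepts any source address")
    else:
        acl_id = acl_line.split()[-1]
        rules = acl_rules(lines, acl_id)
        if not rules:
            findings.append(f"acl {acl_id} is referenced but has no rules")
        for rule in rules:
            if " permit" in rule and " source " not in rule:
                findings.append(f"acl {acl_id} rule {rule!r} permits any source")
    dh = first("ssh server dh-exchange min-len ")
    if dh is None or int(dh.split()[-1]) < MIN_DH_LEN:
        findings.append(f"dh-exchange min-len is below {MIN_DH_LEN}")
    for prefix, baseline in (("ssh server cipher ", BASELINE_CIPHERS),
                             ("ssh server hmac ", BASELINE_HMACS)):
        line = first(prefix)
        if line is None:
            findings.append(f"{prefix.strip()} is not restricted")
            continue
        for alg in line.split()[3:]:
            if alg not in baseline:
                findings.append(f"{prefix.strip()} uses {alg}, outside the baseline")
    for line in lines:
        if line.startswith("local-user ") and " password " in line \
                and " irreversible-cipher " not in line:
            findings.append(f"{line.split()[1]} password is not irreversible-cipher")
    return findings


if __name__ == "__main__":
    print("page script:", audit_ssh_config(CONFIG_SCRIPT))
    print("weakened script:", audit_ssh_config(WEAKENED_SCRIPT))
```

The script is meant to run over the saved configuration after a restore or rollback, since restoring an older backup is exactly when settings such as the SSH ACL or the algorithm lists can silently revert.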