
CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 12

The documents describe the configuration of various services supported by the CX11x&CX31x&CX91x series switch modules. The description covers configuration examples and function configurations.
Local File Management

Users can use a terminal to log in to the device or use the FTP, SFTP or SCP mode to manage local files.

Context

When downloading files to the device or performing other operations on the device, ensure that the power supply of the device is working properly; otherwise, the downloaded file or the file system may be damaged. As a result, the storage medium on the device may be damaged or the device may fail to start properly.

Logging In to the Device to Manage Files

Users can log in to the device through the console port, Telnet, or STelnet to manage storage devices, directories, and files.

Pre-configuration Tasks

Before logging in to the device to manage files, complete the following tasks:

  • Ensure that routes are reachable between the terminal and the device.
  • Ensure that a user has logged in to the device using a terminal.
Configuration Process

After a user logs in to the device on a terminal, the user can perform operations on storage devices, directories, and files.

Users can perform the following operations in any sequence.

Procedure

  • Perform operations on directories.

    Table 1-52 Performing operations on directories

    Operation: Display the current directory.
    Command: pwd

    Operation: Change the current directory.
    Command: cd [ directory ]

    Operation: Display files and subdirectories in a specified directory.
    Command: dir [ /all ] [ filename | directory ]

    Operation: Create a directory.
    Command: mkdir directory

    Operation: Delete a directory.
    Command: rmdir directory
    Description:
    • The directory to be deleted must be empty.
    • A deleted directory and its files cannot be restored from the recycle bin.

  • Perform operations on files.

    Table 1-53 Performing operations on files

    Operation: Display the file content.
    Command: more filename [ offset ]

    Operation: Copy a file.
    Command: copy source-filename destination-filename [ all ]
    Description:
    • Before copying a file, ensure that the storage space is sufficient for the file.
    • If the destination file has the same name as an existing file, the system asks whether to overwrite the existing file.

    Operation: Move a file.
    Command: move source-filename destination-filename
    Description: If the destination file has the same name as an existing file, the system asks whether to overwrite the existing file.

    Operation: Rename a file.
    Command: rename old-name new-name

    Operation: Compress a file.
    Command: zip source-filename destination-filename

    Operation: Decompress a file.
    Command: unzip source-filename destination-filename

    Operation: Delete a file.
    Command: delete [ /unreserved ] [ /quiet ] { filename | devicename } [ all ]
    Description: This command cannot delete a directory.
    NOTICE: In this command, /unreserved indicates that the file cannot be restored.

    Operation: Restore a file.
    Command: undelete { filename | devicename }
    Description: If you run the delete command without the /unreserved keyword, the file is moved to the recycle bin. Run this command to restore a file from the recycle bin.

    Operation: Remove a file from the recycle bin.
    Command: reset recycle-bin [ /f | filename | devicename ]
    Description: To delete a file permanently, remove it from the recycle bin.

    Operation: Enter the system view.
    Command: system-view

    Operation: Execute a batch file or VRP Shell Languages (VSL) script.
    Command: execute batch-filename [ parameter &<1-8> ]
    Description: To perform multiple operations at one time, run the execute batch-filename command in the system view. The batch file must first be stored on the storage device.

Managing Files When the Device Functions as an FTP Server

Users can connect the local terminal to a remote device to manage files using FTP. FTP is widely used for file service operations such as version upgrade.

Pre-configuration Tasks

Before connecting to the FTP server to manage files, complete the following tasks:

  • Ensure that routes are reachable between the terminal and the device.
  • Ensure that the terminal functions as the FTP client.
Configuration Process
NOTE:

The FTP protocol poses a risk to device security. SFTP V2 or SCP is recommended.

Table 1-54 describes the procedure for managing files when the device functions as an FTP server.

Table 1-54 Managing files when the device functions as an FTP server

1. Set FTP server parameters: configure the port number, source address, and timeout duration.
2. Configure local FTP user information: configure the service type, user level, and authorized directory.
3. (Optional) Configure the FTP ACL: configure the ACL rule and the basic FTP ACL to improve FTP access security.
4. Connect to the device using FTP: connect to the device using FTP on the terminal.

Steps 1 to 3 can be performed in any sequence.

Default Parameter Settings
Table 1-55 Default parameter settings

FTP server function: Disabled
Listening port number: 21
FTP user: No local user is created

Procedure

  • Set FTP server parameters.

    Table 1-56 Setting FTP server parameters

    Operation: Enter the system view.
    Command: system-view

    Operation: (Optional) Specify a port number for the FTP server.
    Command: ftp [ ipv6 ] server port port-number
    Description: The default port number is 21. If a new port number is configured, the FTP server disconnects from all FTP clients and listens for connection requests on the new port number. Attackers who do not know the port number cannot access the listening port of the FTP server.

    Operation: Enable the FTP server function.
    Command: ftp [ ipv6 ] server enable
    Description: By default, the FTP server function is disabled.

    Operation: (Optional) Configure the source address of the FTP server.
    Command: ftp server source { -a source-ip-address | -i interface-type interface-number }
    Description: After the source address of the FTP server is configured, incoming and outgoing packets are filtered, improving device security. Clients must then use the configured source address to log in to the FTP server.

    Operation: (Optional) Configure the timeout duration of the FTP server.
    Command: ftp [ ipv6 ] server timeout minutes
    Description: By default, the idle timeout duration is 30 minutes. If no operation is performed on the FTP server within the timeout duration, the FTP client is automatically disconnected from the FTP server.

    Operation: Submit the configurations.
    Command: commit

    NOTE:
    • If the FTP service is enabled, the port number of the FTP service cannot be changed. To change the port number, run the undo ftp [ ipv6 ] server command to disable the FTP service first.
    • After operations on files are complete, run the undo ftp [ ipv6 ] server command to disable the FTP server function and ensure device security.

  • Configure local FTP user information.

    Before performing operations on files using FTP, configure the local user name and password, service type, and authorized directory on the FTP server.

    Table 1-57 Configuring local FTP user information

    Operation: Enter the system view.
    Command: system-view

    Operation: Enter the AAA view.
    Command: aaa

    Operation: Configure the local user name and password.
    Command: local-user user-name password irreversible-cipher irreversible-cipher-password

    Operation: Configure the local user level.
    Command: local-user user-name level level
    NOTE: The user level must be set to 3 or higher for the connection to be established successfully.

    Operation: Configure the service type for local users.
    Command: local-user user-name service-type ftp
    Description: By default, a local user can use any access type.

    Operation: Configure the authorized directory.
    Command: local-user user-name ftp-directory directory
    Description: By default, the FTP directory of a local user is empty. When multiple FTP users share the same authorized directory, you can run the ftp server default-directory directory command to configure a default directory for them; you then do not need to run the local-user user-name ftp-directory directory command for each user.

    Operation: Submit the configurations.
    Command: commit

  • (Optional) Configure the FTP ACL.

    An ACL is a list of rules that match packet attributes such as the source address, destination address, and port number. ACL rules classify packets; after the rules are applied to a routing device, the device uses them to decide which packets to accept and which to reject.

    Users can configure a basic ACL to allow only specified clients to connect to the FTP server.

    NOTE:
    The FTP ACL is evaluated as follows:
    • A device whose packets match a permit rule can establish an FTP connection with the local device.
    • A device whose packets match a deny rule cannot establish an FTP connection with the local device.
    • If the ACL contains rules but a device's packets match none of them, that device cannot establish an FTP connection with the local device.
    • If the ACL contains no rules, any device can establish an FTP connection with the local device.

    Table 1-58 (Optional) Configuring the FTP ACL

    Operation: Enter the system view.
    Command: system-view

    Operation: Enter the ACL view.
    Command: acl { [ number ] acl-number | name acl-name }

    Operation: Configure the ACL rule.
    Command: rule [ rule-id ] { deny | permit } [ fragment-type fragment | source { source-ip-address { source-wildcard | src-netmask } | any } | time-range time-name | vpn-instance vpn-instance-name ] *

    Operation: Return to the system view.
    Command: quit

    Operation: Configure basic FTP ACLs.
    Command: ftp [ ipv6 ] server acl { acl-number | acl-name }

    Operation: Submit the configurations.
    Command: commit
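    The three FTP-server steps above (server parameters, local user, ACL), assembled into one command sequence as an added example; this is not from the Huawei guide, and the user name, port 2121, timeout, ACL number 2001, client subnet 192.168.150.0/24 and directory are constructed values, while the source interface and password are left as placeholders. Lines starting with # are explanatory comments.

```text
# Added example: FTP server configuration assembled from Tables 1-56 to 1-58.
# All names and numbers are constructed; replace the <...> placeholders.
system-view
# Set the port BEFORE enabling the server: once the service is enabled the
# port cannot be changed without running undo ftp server first.
ftp server port 2121
# Idle clients are disconnected after 10 minutes instead of the default 30.
ftp server timeout 10
# Optional: bind the server to one source address so that only packets to and
# from that address are accepted (<interface-type> <interface-number> is a placeholder).
ftp server source -i <interface-type> <interface-number>
# Local FTP user: level 3 or higher is required for the connection to be
# established; confine the account to the FTP service and to one directory.
aaa
local-user ftpadmin password irreversible-cipher <strong-password>
local-user ftpadmin level 3
local-user ftpadmin service-type ftp
local-user ftpadmin ftp-directory flash:/upgrade
quit
# Basic ACL permitting only the management subnet. Because the ACL now
# contains a rule, any client that matches no rule is rejected, so no
# explicit deny rule is needed.
acl number 2001
rule 5 permit source 192.168.150.0 0.0.0.255
quit
ftp server acl 2001
# Enable the server only after the port, user and ACL are in place.
ftp server enable
commit
# Verify the server state and who is logged in.
display ftp server
display ftp server users
# When the file transfer is finished, disable the server again.
undo ftp server
commit
```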

  • Connect to the device using FTP.

    Users can use the Windows CLI or third-party software to connect to the device from a terminal using FTP. The following describes how to connect to the device using the Windows CLI:

    • Run the ftp ip-address command to connect to the device using FTP.

      In the preceding command, ip-address is the IP address configured on the device; routes between the terminal and the device must be reachable.

    • Enter the user name and password as prompted and press Enter. If the ftp> prompt is displayed in the FTP client view, the user has accessed the working directory on the FTP server. (The following output is for reference only.)

    C:\Users\Administrator> ftp 192.168.150.208
    Connected to 192.168.150.208.
    220 FTP service ready.
    User(192.168.150.208:(none)):huawei
    331 Password required for huawei.
    Password:
    230 User logged in.
    ftp>

  • Run FTP commands to perform file-related operations.

    After connecting to the FTP server, users can run FTP commands to perform file-related operations including performing operations on directories and files, configuring the file transfer mode, and viewing the online help about FTP commands.

    NOTE:

    User rights are configured on the FTP server.

    Users can perform the following operations in any sequence.

    Table 1-59 Running FTP commands to perform file-related operations

    Operation: Change the working directory on the server.
    Command: cd remote-directory

    Operation: Change the current working directory to its parent directory.
    Command: cdup

    Operation: Display the working directory on the server.
    Command: pwd

    Operation: Display or change the local working directory.
    Command: lcd [ local-directory ]
    Description: The lcd command displays the local working directory on the client, and the pwd command displays the working directory on the remote server.

    Operation: Create a directory on the server.
    Command: mkdir remote-directory
    Description: The directory name can consist of letters and digits. The following special characters are forbidden: < > ? \ :

    Operation: Delete a directory from the server.
    Command: rmdir remote-directory

    Operation: Display information about the specified directory or file on the server.
    Command: dir/ls [ remote-filename [ local-filename ] ]
    Description:
    • The ls command displays only the directory or file name, and the dir command displays detailed directory or file information such as the name, size, and creation date.
    • If no directory is specified in the command, the system searches for the file in the user's authorized directories.

    Operation: Delete a file from the server.
    Command: delete remote-filename

    Operation: Upload one or more files.
    Command: put local-filename [ remote-filename ] or mput local-filenames
    Description:
    • To upload a single file, run the put command.
    • To upload multiple files, run the mput command.

    Operation: Download one or more files.
    Command: get remote-filename [ local-filename ] or mget remote-filenames
    Description:
    • To download a single file, run the get command.
    • To download multiple files, run the mget command.

    Operation: Set the file transfer mode to ASCII.
    Command: ascii

    Operation: Set the file transfer mode to binary.
    Command: binary
    Description (both operations):
    • Use either mode. The default file transfer mode is ASCII.
    • The ASCII mode is used to transfer text files, and the binary mode is used to transfer programs, system software, and database files.

    Operation: Set the data transmission mode to passive.
    Command: passive

    Operation: Set the data transmission mode to active.
    Command: undo passive
    Description (both operations): Use either mode. The default data transmission mode is active.

    Operation: View the online help about FTP commands.
    Command: remotehelp [ command ]

    Operation: Enable the system prompt function.
    Command: prompt
    Description: By default, the prompt function is disabled.

    Operation: Enable the verbose function.
    Command: verbose
    Description: After the verbose function is enabled, all FTP response messages are displayed on the FTP client.

  • (Optional) Change the login user.

    The current user can switch to another user in the FTP client view. The new FTP connection is the same as that established by running the ftp command.

    Operation: Change the current user in the FTP client view.
    Command: user user-name
    Description: When the login user is switched to another user, the original user is disconnected from the FTP server.

  • Disconnect the FTP client from the FTP server.

    Users can run different commands in the FTP client view to disconnect the FTP client from the FTP server.

    Operation: Disconnect the FTP client from the FTP server and return to the user view.
    Command: bye or quit

    Operation: Disconnect the FTP client from the FTP server and remain in the FTP client view.
    Command: close or disconnect

Checking the Configurations
  • Run the display ftp server command to check the FTP server configuration and status.

  • Run the display ftp server users command to view information about the FTP users that log in to the FTP server.

Managing Files When the Device Functions as an SFTP Server

SFTP allows a terminal to connect to the remote device using SSH and ensures the security of data transfer.

Pre-configuration Tasks

Before connecting to the SFTP server to manage files, complete the following tasks:

  • Ensure that routes are reachable between the terminal and the device.
  • Ensure that SSH client software has been installed on the terminal.
Configuration Process
NOTE:

The SFTP V1 protocol poses a risk to device security. SFTP V2 is recommended.

Table 1-60 describes the procedure for managing files when the device functions as an SFTP server.

Table 1-60 Managing files when the device functions as an SFTP server

1. Set SFTP server parameters: generate a local key pair, enable the SFTP server, and configure SFTP server parameters including the port number, key pair update interval, SSH authentication timeout duration, and number of SSH authentication retries.
2. Configure SSH user information: create the SSH user and configure the authentication mode, service type, and authorized directory on the SFTP server.
3. Connect to the device using SFTP: connect to the device using the SSH client software on the terminal.

Steps 1 and 2 can be performed in any sequence.

Default Parameter Settings
Table 1-61 Default parameter settings

SFTP server function: Disabled
Listening port number: 22
Time for updating the key pair of the server: 0 (the key pair of the server is never updated)
SSH authentication timeout duration: 60 seconds
Number of SSH authentication retries: 3
SSH user: No SSH user is created
Type of service for SSH users: No service type supported
Authorized directory for SSH users: flash:

Procedure

  • Set SFTP server parameters.

    Table 1-62 Setting SFTP server parameters

    Operation: Enter the system view.
    Command: system-view

    Operation: Generate a local key pair.
    Command (method 1): Run the rsa local-key-pair create, dsa local-key-pair create, or ecc local-key-pair create command to generate a local RSA, DSA, or ECC key pair.
    Command (method 2):
    1. Run the rsa key-pair label label-name [ modulus modulus-bits ], dsa key-pair label label-name [ modulus modulus-bits ], or ecc key-pair label label-name [ modulus modulus-bits ] command to generate an RSA, DSA, or ECC key pair with a specific label name.
    2. Run the ssh server assign { rsa-host-key | rsa-server-key | dsa-host-key | ecc-host-key } label-name command to assign the generated RSA host key, RSA server key, DSA host key, or ECC host key to the SSH server.
    NOTE: The device can generate a maximum of 20 key pairs in method 2. You can use different key pairs in different periods for higher communication security. The maximum number of key pairs the device can generate is specified by the rsa key-pair maximum, dsa key-pair maximum, and ecc key-pair maximum commands.
    Description:
    • In method 1: after the key pair is generated, run the display rsa local-key-pair public, display dsa local-key-pair public, or display ecc local-key-pair public command to view the public key of the local RSA, DSA, or ECC key pair.
    • In method 2: after the key pair is generated, run the display rsa key-pair [ brief | label label-name ], display dsa key-pair [ brief | label label-name ], or display ecc key-pair [ brief | label label-name ] command to view the RSA, DSA, or ECC key pair with a specific label.
    NOTE: A longer key pair provides higher security. The maximum key length is recommended.

    Operation: Enable the SFTP server function.
    Command: sftp server enable
    Description: By default, the SFTP server function is disabled.

    Operation: (Optional) Configure the listening port number.
    Command: ssh server port port-number
    Description: By default, the listening port number is 22. If a new port number is configured, the SSH server disconnects from all SSH clients and listens for connection requests on the new port number. Attackers who do not know the port number cannot access the listening port of the SSH server.

    Operation: (Optional) Configure the interval for updating the key pair of the server.
    Command: ssh server rekey-interval hours
    Description: By default, the interval is 0, which means the key pair is never updated. When the interval expires, the key pair of the SSH server is regenerated, improving server security.

    Operation: (Optional) Configure the SSH authentication timeout duration.
    Command: ssh server timeout seconds
    Description: By default, the SSH authentication timeout duration is 60 seconds.

    Operation: (Optional) Configure the number of SSH authentication retries.
    Command: ssh server authentication-retries times
    Description: By default, the number of SSH authentication retries is 3.

    Operation: (Optional) Enable compatibility with earlier SSH versions.
    Command: ssh server compatible-ssh1x enable
    Description: By default, compatibility with earlier versions is disabled. Keep it disabled unless clients that support only earlier versions must connect (see the note on SFTP V1 above).

    Operation: (Optional) Configure an ACL.
    Command: ssh [ ipv6 ] server acl { acl-number | acl-name }
    Description: By default, no ACL is configured for the SSH server. The ACL determines which clients can log in to the current device through SSH.

    Operation: (Optional) Enable the keepalive function on the SSH server.
    Command: undo ssh server keepalive disable
    Description: By default, the keepalive function is enabled on the SSH server. When it is enabled, the server responds to keepalive packets received from the SSH client. If it is disabled, the server disconnects from the SSH client when there is no data exchange, and the resulting reconnections waste server resources.

    Operation: (Optional) Configure the source IP address of the SSH server.
    Command: ssh server-source -i loopback interface-number
    Description: By default, the source interface of an SSH server is not specified.
    NOTE: Before specifying the source interface of the SSH server, ensure that the loopback interface to be used has been created. If it has not, this command cannot be executed correctly.

    Operation: (Optional) Configure the maximum number of clients that can connect to the SSH server.
    Command: sftp max-sessions max-session-count
    Description: By default, a maximum of five clients can connect to the SSH server. If the maximum is changed to a value smaller than the number of logged-in users, existing connections are retained but new access requests are rejected.

    Operation: (Optional) Configure the idle timeout period after which an SFTP client is disconnected from the SFTP server.
    Command: sftp idle-timeout minutes [ seconds ]
    Description: The default idle timeout period is 10 minutes. Run the sftp idle-timeout 0 0 command to disable disconnection of the client on timeout.

    Operation: Submit the configurations.
    Command: commit

    NOTE:
    • When the local RSA key pair is generated, two key pairs (a server key pair and a host key pair) are generated at the same time. Each key pair contains a public key and a private key. The length of the two key pairs ranges from 512 bits to 2048 bits. The default length is 2048 bits.
    • When the local DSA key pair is generated, only the host key pair is generated. The length of the host key pair can be 512, 1024, or 2048 bits. The default length is 2048 bits.
    • When the local ECC key pair is generated, only the host key pair is generated. The length of the host key pair can be 256, 384, or 521 bits. The default length is 521 bits.

  • Configure SSH user information.

    Configure SSH user information, including the authentication mode. The supported authentication modes are RSA, password, password-rsa, DSA, password-dsa, ECC, password-ecc, and all.
    • The password-rsa authentication mode combines password and RSA authentication.
    • The password-dsa authentication mode combines password and DSA authentication.
    • The password-ecc authentication mode combines password and ECC authentication.
    • The all authentication mode means that an SSH user needs to pass only one of DSA, ECC, password, or RSA authentication.

    Table 1-63 Configuring SSH user information

    Operation: Enter the system view.
    Command: system-view

    Operation: Create SSH users.
    Command: ssh user user-name

    Operation: Configure the authentication mode for SSH users.
    Command: ssh user user-name authentication-type { password | rsa | password-rsa | all | dsa | password-dsa | ecc | password-ecc }
    Description: If SSH users are not created using the ssh user command, run the ssh authentication-type default password command directly to configure password authentication as the default mode for users. This simplifies the configuration when a large number of users exist, because only AAA users need to be configured.

    Operation: Set the service type to SFTP or all for SSH users.
    Command: ssh user username service-type { sftp | all }
    Description: By default, the service type of SSH users is empty.

    Operation: Configure the authorized directory for SSH users.
    Command: ssh user username sftp-directory directoryname
    Description: By default, the authorized directory of SSH users on the SFTP server is flash:.

    Operation: Submit the configurations.
    Command: commit

    NOTE:
    • The password authentication mode is implemented based on AAA. To log in to the device in the password-dsa, password-ecc, password, or password-rsa authentication mode, create a local user with the same user name in the AAA view.
    • If the SSH user uses the password authentication mode, only the SSH server needs to generate the RSA, DSA, or ECC key. If the SSH user uses the RSA, DSA, or ECC authentication mode, both the SSH server and the client need to generate the RSA, DSA, or ECC key, and each end must save and configure the public key of the peer locally.

    Perform one of the following configurations according to the authentication mode you select:
    • To configure password authentication for the SSH user, see Table 1-64.
    • To configure RSA, DSA, or ECC authentication for the SSH user, see Table 1-65.
    • To configure password-rsa, password-dsa, or password-ecc authentication for the SSH user, configure an AAA user and set the RSA, DSA, or ECC public key. See Table 1-64 and Table 1-65.

    Table 1-64 Configuring password, password-dsa, password-ecc, or password-rsa authentication for the SSH user

    Operation: Enter the system view.
    Command: system-view

    Operation: Enter the AAA view.
    Command: aaa

    Operation: Configure the local user name and password.
    Command: local-user user-name password irreversible-cipher irreversible-cipher-password

    Operation: Configure the service type for the local user.
    Command: local-user user-name service-type ssh

    Operation: Configure the level for the local user.
    Command: local-user user-name level level

    Operation: Return to the system view.
    Command: quit

    Operation: Commit the configuration.
    Command: commit

    NOTE: The level for the local user must be set to 3 or higher for the connection to be established successfully.

    Table 1-65 Configuring DSA, ECC, RSA, password-dsa, password-ecc, or password-rsa authentication for the SSH user

    Operation: Enter the system view.
    Command: system-view

    Operation: Enter the RSA, DSA, or ECC public key view.
    Command: rsa peer-public-key key-name [ encoding-type { der | openssh | pem } ] or dsa peer-public-key key-name encoding-type { der | openssh | pem } or ecc peer-public-key key-name

    Operation: Enter the public key editing view.
    Command: public-key-code begin

    Operation: Edit the public key.
    Command: hex-data
    Description:
    • The public key must be a hexadecimal character string in the public key encoding format, generated by client software that supports SSH. For detailed operations, see the SSH client software help.
    • You must enter the RSA, DSA, or ECC public key on the device that works as the SSH server.

    Operation: Exit the public key editing view.
    Command: public-key-code end
    Description:
    • If no public key code (hex-data) has been entered, the public key cannot be generated when you run this command.
    • If the specified key key-name has been deleted in another view, the system displays a message indicating that the key does not exist and returns directly to the system view when you run this command.

    Operation: Return to the system view from the public key view.
    Command: peer-public-key end

    Operation: Assign an RSA, DSA, or ECC public key to an SSH user.
    Command: ssh user user-name assign { rsa-key | dsa-key | ecc-key } key-name

    Operation: Commit the configuration.
    Command: commit
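    The SFTP-server steps above (Tables 1-62 to 1-65), assembled into one command sequence as an added example; this is not from the Huawei guide. Port 2222, the rekey interval, ACL number 2002, client subnet 10.136.23.0/24, the session and idle limits, the directory and the user names are constructed values; the password and the client's public key are left as placeholders. Lines starting with # are explanatory comments.

```text
# Added example: SFTP server configuration assembled from Tables 1-62 to 1-65.
# Names and numbers are constructed; replace the <...> placeholders.
system-view
# Method 1: generate the local RSA host and server key pairs. Choose the
# maximum modulus length offered; a longer key pair provides higher security.
rsa local-key-pair create
# Listening port, key pair update interval, authentication timeout and retry limit.
ssh server port 2222
ssh server rekey-interval 24
ssh server timeout 60
ssh server authentication-retries 3
# SSH1.x compatibility is left at its default (disabled).
# Restrict SSH logins to the management subnet.
acl number 2002
rule 5 permit source 10.136.23.0 0.0.0.255
quit
ssh server acl 2002
# Bound the session count and idle time so that abandoned sessions are reclaimed.
sftp max-sessions 2
sftp idle-timeout 5 0
sftp server enable
# User 1: password authentication (Table 1-64). The AAA user must have the same
# name, service type ssh and level 3 or higher.
aaa
local-user client001 password irreversible-cipher <strong-password>
local-user client001 service-type ssh
local-user client001 level 3
quit
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type sftp
ssh user client001 sftp-directory flash:/sftp
# User 2: RSA public-key authentication (Table 1-65). The key pair is generated
# on the client; its public key is pasted into the public key editing view.
rsa peer-public-key client002-key encoding-type openssh
public-key-code begin
<public key data exported by the SSH client, in the selected encoding>
public-key-code end
peer-public-key end
ssh user client002
ssh user client002 authentication-type rsa
ssh user client002 assign rsa-key client002-key
ssh user client002 service-type sftp
ssh user client002 sftp-directory flash:/sftp
commit
# Verify the server configuration, the users and the host public key whose
# fingerprint clients are asked to confirm on first connection.
display ssh server status
display ssh user-information
display rsa local-key-pair public
```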

  • Connect to the device using SFTP.

    SSH client software that supports SFTP must be installed on the terminal so that the terminal can connect to the device using SFTP to manage files. The following describes how to connect to the device using OpenSSH from the Windows CLI.

    NOTE:
    • For details on how to install OpenSSH, see the OpenSSH installation description.
    • To connect to the device using SFTP with OpenSSH, run the OpenSSH commands. For details about OpenSSH commands, see the OpenSSH help.
    • The Windows command prompt recognizes the commands supported by OpenSSH only when OpenSSH is installed on the terminal.

    Access the Windows CLI and run the commands supported by OpenSSH to connect to the device using SFTP to manage files.

    If the sftp> prompt is displayed in the SFTP client view, the user has accessed the working directory on the SFTP server. (The following output is for reference only.) On the first connection the client shows the server's host key fingerprint; compare it with the public key shown by the display rsa local-key-pair public command on the device before answering yes.

    C:/Documents and Settings/Administrator> sftp client001@10.136.23.4
    Connecting to 10.136.23.4...
    The authenticity of host "10.136.23.4 (10.136.23.4)" can't be established.
    RSA key fingerprint is 0d:48:82:fd:2f:52:1c:f0:c4:22:70:80:8f:7b:fd:78.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added "10.136.23.4" (RSA) to the list of known hosts.
    client001@10.136.23.4's password:
    sftp>

  • Run SFTP commands to perform file-related operations.

    In the SFTP client view, you can perform one or more file-related operations listed in Table 1-66 in any sequence.

    Table 1-66 Running SFTP commands to perform file-related operations

    Operation: Change the user's current working directory.
    Command: cd [ remote-directory ]

    Operation: Change the current working directory to its parent directory.
    Command: cdup

    Operation: Display the user's current working directory.
    Command: pwd

    Operation: Display the file list in a specified directory.
    Command: dir/ls [ -l | -a ] [ remote-directory ]
    Description: The outputs of the dir and ls commands are the same.

    Operation: Delete directories from the server.
    Command: rmdir remote-directory &<1-10>
    Description: A maximum of 10 directories can be deleted at one time. Before running the rmdir command, ensure that the directories do not contain any files; otherwise, the deletion fails.

    Operation: Create a directory on the server.
    Command: mkdir remote-directory

    Operation: Change the name of a specified file on the server.
    Command: rename old-name new-name

    Operation: Download a file from the remote server.
    Command: get remote-filename [ local-filename ]

    Operation: Upload a local file to the remote server.
    Command: put local-filename [ remote-filename ]

    Operation: Delete files from the server.
    Command: remove remote-filename &<1-10>
    Description: A maximum of 10 files can be deleted at one time. The remove and delete commands have the same effect.

    Operation: View the help about SFTP commands.
    Command: help [ command-name ]

  • Disconnect the SFTP client from the SSH server.

    Operation: Disconnect the SFTP client from the SSH server.
    Command: quit
    Description: The bye or exit command can also disconnect the SFTP client.

Checking the Configurations
  • Run the display ssh user-information [ username ] command to view SSH user information on the SSH server.

  • Run the display ssh server status command to view the global configuration of the SSH server.

  • Run the display ssh server session command to view the session information of the SSH client on the SSH server.

Managing Files When the Device Functions as an SCP Server

SCP allows a user terminal to upload files to and download files from the device over an SSH connection to the SCP server.

Pre-configuration Tasks

Before connecting to the SCP server to manage files, complete the following tasks:

  • Ensuring that routes are reachable between the terminal and the device.
  • Ensuring that the SSH client software supporting SCP has been installed on the terminal.
Configuration Process

Table 1-67 describes the procedure for managing files when the device functions as an SCP server.

Table 1-67 Managing files when the device functions as an SCP server

| No. | Task | Description | Remarks |
|---|---|---|---|
| 1 | Set SCP server parameters | Generate a local key pair, enable the SCP server, and configure SCP server parameters, including the listening port number, key pair update interval, SSH authentication timeout duration, and number of SSH authentication retries. | Steps 1 and 2 can be performed in any sequence. |
| 2 | Configure SSH user information | Create SSH users and configure their authentication mode and service type on the SCP server. | |
| 3 | Manage files when the device functions as an SCP server | Upload and download files from the SCP client. | |

Default Parameter Settings

Table 1-68 Default parameter settings

| Parameter | Default Value |
|---|---|
| SCP server function | Disabled |
| Listening port number | 22 |
| Time for updating the key pair of the server | 0, indicating that the server key pair is never updated |
| SSH authentication timeout duration | 60 seconds |
| Number of SSH authentication retries | 3 |
| SSH user | No SSH user is created |
| Type of service for SSH users | No service type supported |

Procedure

  • Set SCP server parameters.

    Table 1-69 Setting SCP server parameters

    | Operation | Command | Description |
    |---|---|---|
    | Enter the system view. | system-view | - |
    | Generate a local key pair. | Method 1: rsa local-key-pair create, dsa local-key-pair create, or ecc local-key-pair create. Method 2: (1) rsa key-pair label label-name [ modulus modulus-bits ], dsa key-pair label label-name [ modulus modulus-bits ], or ecc key-pair label label-name [ modulus modulus-bits ]; (2) ssh server assign { rsa-host-key \| rsa-server-key \| dsa-host-key \| ecc-host-key } label-name | Method 1 generates a local RSA, DSA, or ECC key pair. Method 2 generates an RSA, DSA, or ECC key pair with a specific label name and then assigns it to the SSH server as the RSA host key, RSA server key, DSA host key, or ECC host key. See the notes below the table. |
    | Enable the SCP server function. | scp server enable | By default, the SCP server function is disabled. |
    | (Optional) Set the maximum number of SCP clients allowed to connect to the SCP server concurrently. | scp max-sessions max-session-count | By default, a maximum of 2 SCP clients can connect to the SCP server concurrently. |
    | (Optional) Configure the listening port number. | ssh server port port-number | By default, the listening port number is 22. If a new port number is configured, the SSH server disconnects all SSH clients and listens for connection requests on the new port. A non-default port only avoids opportunistic scans aimed at port 22; it does not hide the listener from a port scan and is not a substitute for an ACL and strong authentication. |
    | (Optional) Configure the interval for updating the server key pair. | ssh server rekey-interval hours | By default, the interval is 0, which means the key pair is never updated. When the interval expires, the SSH server key pair is regenerated, which limits how long any one key is exposed. |
    | (Optional) Configure the SSH authentication timeout duration. | ssh server timeout seconds | By default, the SSH authentication timeout duration is 60 seconds. |
    | (Optional) Configure the number of SSH authentication retries. | ssh server authentication-retries times | By default, the number of SSH authentication retries is 3. |
    | (Optional) Enable compatibility with earlier SSH versions. | ssh server compatible-ssh1x enable | By default, compatibility with earlier versions is disabled. SSH-1 has known protocol weaknesses; leave this disabled unless a legacy client requires it. |
    | (Optional) Configure an ACL. | ssh [ ipv6 ] server acl { acl-number \| acl-name } | By default, no ACL is configured for the SSH server. The ACL determines which clients can log in to the device through SSH. |
    | (Optional) Enable the keepalive function on the SSH server. | undo ssh server keepalive disable | By default, the keepalive function is enabled on the SSH server. With keepalive enabled, the server responds to keepalive packets received from the SSH client. If keepalive is disabled, the server disconnects clients when there is no data exchange, and the resulting reconnections waste server resources. |
    | (Optional) Configure the source interface of the SSH server. | ssh server-source -i loopback interface-number | By default, no source interface is specified for the SSH server. The loopback interface must exist before it is specified as the source interface. |
    | Commit the configuration. | commit | - |

    NOTE:
    • In method 2, the device can generate a maximum of 20 key pairs, and you can use different key pairs in different periods for higher communication security. The maximum number of key pairs is set by the rsa key-pair maximum, dsa key-pair maximum, and ecc key-pair maximum commands.
    • In method 1, after the key pair is generated, run the display rsa local-key-pair public, display dsa local-key-pair public, or display ecc local-key-pair public command to view the public key of the local RSA, DSA, or ECC key pair.
    • In method 2, after the key pair is generated, run the display rsa key-pair [ brief | label label-name ], display dsa key-pair [ brief | label label-name ], or display ecc key-pair [ brief | label label-name ] command to view the RSA, DSA, or ECC key pair with a specific label.
    • A longer key pair provides higher security. The key pair of the maximum length is recommended.
    • When the local RSA key pair is generated, two key pairs (a server key pair and a host key pair) are generated at the same time. Each key pair contains a public key and a private key. The length ranges from 512 bits to 2048 bits; the default is 2048 bits. 512-bit RSA moduli have been factored publicly and 1024-bit RSA is no longer considered adequate, so keep the 2048-bit default.
    • When the local DSA key pair is generated, only the host key pair is generated. Its length can be 512, 1024, or 2048 bits; the default is 2048 bits. OpenSSH clients have not offered the ssh-dss host key algorithm by default since OpenSSH 7.0, so a device that presents only a DSA host key may be rejected by current clients; prefer an RSA or ECC host key.
    • When the local ECC key pair is generated, only the host key pair is generated. Its length can be 256, 384, or 521 bits; the default is 521 bits.

  • Configure SSH user information.

    Configure SSH user information, including the authentication mode. The supported authentication modes are RSA, password, password-rsa, DSA, password-dsa, ECC, password-ecc, and all.
    • The password-rsa mode requires the user to pass both password and RSA authentication.
    • The password-dsa mode requires the user to pass both password and DSA authentication.
    • The password-ecc mode requires the user to pass both password and ECC authentication.
    • The all mode accepts the user if it passes any one of DSA, ECC, password, or RSA authentication.
    Table 1-70 Configuring SSH user information

    | Operation | Command | Description |
    |---|---|---|
    | Enter the system view. | system-view | - |
    | Create an SSH user. | ssh user user-name | - |
    | Configure the authentication mode for the SSH user. | ssh user user-name authentication-type { password \| rsa \| password-rsa \| all \| dsa \| password-dsa \| ecc \| password-ecc } | If SSH users are not created with the ssh user command, run the ssh authentication-type default password command to make password authentication the default for all users. This simplifies configuration when there are many users, because only AAA users need to be configured. |
    | Set the service type of the SSH user to all. | ssh user user-name service-type all | By default, the service type of an SSH user is empty. The all service type permits every SSH service the device offers, including STelnet shell access; give an account that only transfers files the narrowest service type the device supports. |
    | Commit the configuration. | commit | - |

    NOTE:
    • Password authentication is implemented through AAA. To log in with the password, password-dsa, password-ecc, or password-rsa authentication mode, create a local user with the same user name in the AAA view.
    • If the SSH user uses password authentication, only the SSH server needs to generate an RSA, DSA, or ECC key pair. If the SSH user uses RSA, DSA, or ECC authentication, both the SSH server and the client generate a key pair, and each side saves and configures the public key of the peer locally.
    Perform one of the following configurations according to the authentication mode you selected:
    • To configure password authentication for the SSH user, see Table 1-71.

    • To configure RSA, DSA, or ECC authentication for the SSH user, see Table 1-72.

    • To configure password-rsa, password-dsa, or password-ecc authentication for the SSH user, configure an AAA user and set the RSA, DSA, or ECC public key. See Table 1-71 and Table 1-72.

    Table 1-71 Configuring password, password-dsa, password-ecc, or password-rsa authentication for the SSH user

    | Operation | Command | Description |
    |---|---|---|
    | Enter the system view. | system-view | - |
    | Enter the AAA view. | aaa | - |
    | Configure the local user name and password. | local-user user-name password irreversible-cipher irreversible-cipher-password | - |
    | Configure the service type for the local user. | local-user user-name service-type ssh | - |
    | Configure the level for the local user. | local-user user-name level level | - |
    | Return to the system view. | quit | - |
    | Commit the configuration. | commit | - |

    Table 1-72 Configuring DSA, ECC, RSA, password-dsa, password-ecc, or password-rsa authentication for the SSH user

    | Operation | Command | Description |
    |---|---|---|
    | Enter the system view. | system-view | - |
    | Enter the RSA, DSA, or ECC public key view. | rsa peer-public-key key-name [ encoding-type { der \| openssh \| pem } ], dsa peer-public-key key-name encoding-type { der \| openssh \| pem }, or ecc peer-public-key key-name | - |
    | Enter the public key editing view. | public-key-code begin | - |
    | Enter the public key. | hex-data | The public key must be a hexadecimal string in the selected public key encoding format, generated by client software that supports SSH; see the SSH client software help for details. The RSA, DSA, or ECC public key is entered on the device that acts as the SSH server. |
    | Exit the public key editing view. | public-key-code end | If no hex-data has been entered, no public key is generated when this command is run. If the key key-name has been deleted in another view, the system reports that the key does not exist and returns directly to the system view. |
    | Return to the system view from the public key view. | peer-public-key end | - |
    | Assign the RSA, DSA, or ECC public key to an SSH user. | ssh user user-name assign { rsa-key \| dsa-key \| ecc-key } key-name | - |
    | Commit the configuration. | commit | - |
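The hex-data step above is where most mistakes happen: the client's public key has to be converted from the "ssh-rsa AAAA..." line that OpenSSH produces into a hexadecimal string, and the fingerprint has to be checked afterwards so that the wrong key is not bound to the user. The following script is an added example written for this page, not code from the Huawei guide or from OpenSSH. It parses the RFC 4253 key blob (length-prefixed fields), checks that the key type outside and inside the base64 agree, emits uppercase hex lines, and computes the MD5 and SHA256 fingerprints; the same fingerprint function can be run on a device host key line captured with ssh-keyscan to check the "RSA key fingerprint is ..." prompt shown in the SFTP and SCP transcripts on this page. One assumption is labelled in the code: that with `encoding-type openssh` the device accepts the hex of the raw decoded blob; confirm that against the switch's command reference. The sample key is constructed and is not a real RSA key.

```python
"""Convert an OpenSSH public key line into hex-data for the device's
public-key-code view and compute its fingerprints.

Added example, not code from the Huawei guide. ASSUMPTION: with
`encoding-type openssh` the device accepts the hex encoding of the raw
base64-decoded blob (RFC 4253 wire format); confirm before relying on it.
The sample key below is constructed for the demo and is not a real key.
"""
import base64
import hashlib
import struct
from typing import List, Tuple


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint': minimal big-endian bytes, with a leading 0x00
    when the top bit is set so the value is not read as negative."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def encode_ssh_rsa(e: int, n: int) -> str:
    """Build an 'ssh-rsa <base64>' line from the public exponent and modulus."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii")


def _read_string(blob: bytes, off: int) -> Tuple[bytes, int]:
    """Read one length-prefixed field; reject truncated input."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[off:off + length], off + length


def parse_openssh_pubkey(line: str) -> Tuple[str, bytes, List[bytes]]:
    """Parse '<type> <base64> [comment]' into (type, raw blob, fields).

    The type in front of the base64 must equal the one inside the blob;
    a mismatch means a hand-edited or corrupted line that must not be
    pasted into the device.
    """
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    inner, off = _read_string(blob, 0)
    if inner != keytype.encode("ascii"):
        raise ValueError(f"key type mismatch: {keytype} outside, {inner!r} inside")
    fields: List[bytes] = []
    while off < len(blob):
        field, off = _read_string(blob, off)
        fields.append(field)
    return keytype, blob, fields


def rsa_modulus_bits(fields: List[bytes]) -> int:
    """Bit length of the modulus (second field of an ssh-rsa blob)."""
    return int.from_bytes(fields[1], "big").bit_length()


def fingerprint_md5(blob: bytes) -> str:
    """Legacy colon-separated MD5 fingerprint, the style in the
    'RSA key fingerprint is ...' prompts on this page."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def fingerprint_sha256(blob: bytes) -> str:
    """Current OpenSSH style: SHA256:<unpadded base64>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def to_hex_data(blob: bytes, width: int = 64) -> List[str]:
    """Uppercase hex of the blob, split into lines to paste between
    public-key-code begin and public-key-code end (assumed format)."""
    hexstr = blob.hex().upper()
    return [hexstr[i:i + width] for i in range(0, len(hexstr), width)]


# Constructed 2048-bit sample modulus (NOT a real key: not a product of
# two primes). It only exercises the encoding and parsing paths.
SAMPLE_E = 65537
SAMPLE_N = int.from_bytes(hashlib.sha256(b"sample").digest() * 8, "big") | (1 << 2047) | 1
SAMPLE_KEY = encode_ssh_rsa(SAMPLE_E, SAMPLE_N) + " client001@workstation"

if __name__ == "__main__":
    keytype, blob, fields = parse_openssh_pubkey(SAMPLE_KEY)
    print(keytype, rsa_modulus_bits(fields), "bits")
    print("MD5    ", fingerprint_md5(blob))
    print("SHA256 ", fingerprint_sha256(blob))
    print("\n".join(to_hex_data(blob)))
```

Run it on the contents of the client's id_rsa.pub and paste the printed hex lines into the public-key-code view; after `ssh user user-name assign rsa-key key-name` and `commit`, compare the printed fingerprint with what `ssh-keygen -lf id_rsa.pub` (with `-E md5` for the legacy style) reports, so that the key bound to the account is the one you intended.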

  • Manage files when the device functions as an SCP server.

    The terminal needs SSH client software that supports SCP in order to connect to the device with SCP and upload or download files. The following shows how to connect to the device with OpenSSH from the Windows CLI.

    NOTE:
    • For details on installing OpenSSH, see the OpenSSH installation description.

    • To connect to the device with SCP through OpenSSH, run the OpenSSH commands. For details about OpenSSH commands, see the OpenSSH help.

    • The Windows command prompt recognizes the OpenSSH commands only after OpenSSH has been installed on the terminal.

    Open the Windows CLI and run the OpenSSH scp command to connect to the device and transfer files. (The following output is for reference only.) The "Are you sure you want to continue connecting" prompt means the client has not seen this host key before; compare the fingerprint it shows with the device's host public key (display rsa local-key-pair public on the device) before answering yes, because whatever key is accepted here is trusted for every later connection to that address.

    C:\Documents and Settings\Administrator> scp scpuser@10.136.23.5:flash:/vrpcfg.zip vrpcfg-backup.zip
    The authenticity of host '10.136.23.5 (10.136.23.5)' can't be established.
    RSA key fingerprint is 46:b2:8a:52:88:42:41:d4:af:8f:4a:41:d9:b8:4f:ee.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '10.136.23.5' (RSA) to the list of known hosts.
    scpuser@10.136.23.5's password:
    vrpcfg.zip                                    100% 1257     1.2KB/s   00:00
    Read from remote host 10.136.23.5: Connection reset by peer
    
    C:\Documents and Settings\Administrator>

    While connected to the SCP server, the user terminal uploads files from, or downloads files into, its local working directory.
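Both transcripts on this page (the SFTP session and the scp download above) accept the host key interactively and type a password, which is fine at a console but not in a backup job. The following script is an added example written for this page, not code from the Huawei guide or from OpenSSH. It pins the device's host key in a private known_hosts file, runs the operations from Table 1-66 through an sftp batch file, and downloads a file with scp, with BatchMode and StrictHostKeyChecking set so the client aborts instead of prompting. HOST, USER, PINNED_HOST_KEY, IDENTITY_FILE and the file names are constructed assumptions; the host key line is obtained once with ssh-keyscan and verified against the device's key before it is pasted in. Because BatchMode disables password prompts, the SSH user must use RSA, DSA or ECC authentication as configured in Table 1-72.

```python
"""Non-interactive SFTP/SCP against the switch with the host key pinned,
so the client never answers 'yes' to an unknown-host prompt and never
falls back to a typed password.

Added example, not from the Huawei guide. HOST, USER, PINNED_HOST_KEY,
IDENTITY_FILE and file names are constructed assumptions. PINNED_HOST_KEY
is the '<type> <base64>' line from `ssh-keyscan -t rsa 10.136.23.5`,
checked against the device's key before use.
"""
import os
import subprocess
import tempfile
from typing import List, Optional, Sequence

# Constructed values; replace with the real ones.
HOST = "10.136.23.5"
PORT = 22
USER = "scpuser"
IDENTITY_FILE = os.path.expanduser("~/.ssh/scpuser_rsa")
# Placeholder, not a real key blob. Paste the verified ssh-keyscan line here.
PINNED_HOST_KEY = "ssh-rsa AAAAREPLACE-WITH-VERIFIED-KEY"

SSH_OPTS: List[str] = [
    "-o", "BatchMode=yes",               # never prompt; fail instead
    "-o", "StrictHostKeyChecking=yes",   # unknown or changed key = abort
    "-o", "GlobalKnownHostsFile=/dev/null",
]


def known_hosts_entry(host: str, key_line: str, port: int = 22) -> str:
    """One known_hosts line. OpenSSH writes '[host]:port' for non-22 ports."""
    parts = key_line.split()
    if len(parts) < 2:
        raise ValueError("host key line must be '<type> <base64>'")
    pattern = host if port == 22 else f"[{host}]:{port}"
    return f"{pattern} {parts[0]} {parts[1]}"


def write_known_hosts(path: str, entry: str) -> str:
    """Write the pinned entry with owner-only permissions; return the path."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(entry + "\n")
    return path


def sftp_batch(commands: Sequence[str]) -> str:
    """Batch file for `sftp -b`. sftp aborts at the first failing command
    unless that command is prefixed with '-', so a failed 'put' cannot be
    silently followed by a 'remove' of the only good copy."""
    return "\n".join(commands) + "\n"


def sftp_argv(known_hosts: str, batch_file: str, user: str, host: str,
              port: int = 22, identity: Optional[str] = None) -> List[str]:
    """Command line for a batch SFTP session against the device."""
    argv = ["sftp", *SSH_OPTS, "-o", f"UserKnownHostsFile={known_hosts}",
            "-P", str(port), "-b", batch_file]
    if identity:
        argv += ["-i", identity]
    return argv + [f"{user}@{host}"]


def scp_argv(known_hosts: str, user: str, host: str, remote: str, local: str,
             port: int = 22, identity: Optional[str] = None) -> List[str]:
    """Command line to download `remote` (e.g. 'flash:/vrpcfg.zip') to `local`."""
    argv = ["scp", *SSH_OPTS, "-o", f"UserKnownHostsFile={known_hosts}",
            "-P", str(port)]
    if identity:
        argv += ["-i", identity]
    return argv + [f"{user}@{host}:{remote}", local]


def run(argv: List[str]) -> int:
    """Run the client; non-zero exit means a host-key, auth or transfer failure."""
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        kh = write_known_hosts(os.path.join(tmp, "known_hosts"),
                               known_hosts_entry(HOST, PINNED_HOST_KEY, PORT))
        batch = os.path.join(tmp, "batch.sftp")
        with open(batch, "w") as fh:
            fh.write(sftp_batch(["mkdir backup",
                                 "put vrpcfg.zip backup/vrpcfg.zip",
                                 "ls -l backup"]))
        print("sftp exit status",
              run(sftp_argv(kh, batch, USER, HOST, PORT, IDENTITY_FILE)))
        print("scp exit status",
              run(scp_argv(kh, USER, HOST, "flash:/vrpcfg.zip",
                           "vrpcfg-backup.zip", PORT, IDENTITY_FILE)))
```

If the device's host key is regenerated (for example by `ssh server rekey-interval` or a new `rsa local-key-pair create`), the pinned entry no longer matches and every run fails with a host key error until the new key has been verified and the entry updated; that failure is the intended behaviour, not something to work around with StrictHostKeyChecking=no.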

Checking the Configurations
  • Run the display ssh user-information [ username ] command to view SSH user information on the SSH server.

  • Run the display ssh server status command to view the global configuration of the SSH server.

  • Run the display ssh server session command to view the session information of the SSH client on the SSH server.

Updated: 2019-08-09

Document ID: EDOC1000041694