Configuration Guide - Basic Configuration

S7700 and S9700 V200R010C00

This document describes methods to use command line interface and to log in to the device, file operations, and system startup configurations.
File Management Modes

The device can function as a server or client to manage files.

  • When the device functions as a server, you can access the device from a terminal to manage files on the device and transfer files between the device and the terminal.
  • When the device functions as a client, you can use the device to manage files on other devices and transfer files between the device and other devices.

In Trivial File Transfer Protocol (TFTP) mode, the device can function only as a client. In File Transfer Protocol (FTP), Secure File Transfer Protocol (SFTP), Secure Copy Protocol (SCP), or File Transfer Protocol over SSL (FTPS) mode, the device can function both as a server and a client.

Table 7-1 describes advantages and disadvantages of different file management modes.

Table 7-1  Advantages and disadvantages of file management modes

Device login
  Usage scenario: In the scenario of managing storage media, directories, and files, log in to the device through the console port, Telnet, or STelnet. This login mode is mandatory for storage medium management.
  Advantage: You can log in to the device directly to manage storage media, directories, and files.
  Disadvantage: After logging in to the switch through the console port, you can use the xmodem get command to transfer files from the PC to the switch. After logging in to the switch through Telnet or STelnet, you can only manage local files and cannot transfer files to or from the switch.

FTP
  Usage scenario: The FTP mode is applicable to file transfer scenarios with low network security requirements. It is widely used for version upgrades.
  Advantages:
    • The FTP mode is easy to configure and supports file transfer and operations on directories.
    • The FTP mode supports file transfer between two file systems.
    • Authorization and authentication functions are provided.
  Disadvantage: In FTP mode, data is transmitted in plain text, which creates security risks.

TFTP
  Usage scenario: On the LAN of a lab, the TFTP mode can be used to load or upgrade versions online. The TFTP mode is applicable to environments without complicated interactions between a client and a server.
  Advantage: Compared with FTP mode, TFTP mode consumes less memory.
  Disadvantages:
    • In TFTP mode, the device can function only as a client.
    • The TFTP mode supports only file transfer and does not support interaction.
    • In TFTP mode, data is transmitted in plain text, which creates security risks, and no authorization or authentication function is provided.

SFTP
  Usage scenario: The SFTP mode is applicable to scenarios with high network security requirements. It is widely used for log download and file backup.
  Advantages:
    • Data is encrypted and protected.
    • The SFTP mode supports file transfer and operations on directories.
    • In SFTP mode, SFTP and FTP functions are available on the device at the same time. (In FTPS mode, FTPS and FTP cannot be configured simultaneously.)
  Disadvantage: Configuration is complicated.

SCP
  Usage scenario: The SCP mode is applicable to highly efficient file upload and download scenarios with high network security requirements.
  Advantages:
    • Data is encrypted and protected.
    • In SCP mode, files are uploaded or downloaded as soon as the client connects to the server, which is efficient.
  Disadvantage: Configuration is complicated (similar to SFTP configuration), and interaction is not supported.

FTPS
  Usage scenario: The FTPS mode is applicable to scenarios with high network security requirements and no FTP functions.
  Advantage: The FTPS mode uses data encryption, user identity authentication, and message integrity check mechanisms to ensure the security of TCP-based application-layer protocols.
  Disadvantages:
    • Configuration is complicated, and a set of certificates must be obtained from a Certificate Authority (CA).
    • To enable the FTPS function, disable the FTP function first.

Device login, FTP, and TFTP are easy to learn and configure. The following sections describe the remaining modes in more detail.

SFTP Mode

As part of Secure Shell (SSH), SFTP allows remote users to securely log in to the device and perform file management and transmission through the security channel provided by SSH. Therefore, SFTP improves data transmission security. In addition, the device can function as an SSH client to connect to the remote SSH server for secure file transmission.

SSH security features:

  • Encrypted transmission: When an SSH connection is established, two devices negotiate an encryption algorithm and a session key to ensure secure communications between them.
  • Public key-based authentication: The device supports the RSA, DSA, or ECC authentication mode.
  • Server authentication: The SSH protocol authenticates a server based on the public key to defend against attacks from bogus servers.
  • Interaction data check: The SSH protocol uses the CRC (for SSH1.5) or MD5-based MAC algorithm (for SSH2.0) to check data integrity and authenticity. This mechanism protects the system from man-in-the-middle attacks.

Establishment of an SSH connection:

  1. Negotiate the SSH version.

    The client and server negotiate an SSH version by exchanging character strings that specify the SSH version.

  2. Negotiate the algorithm.

    The server and client negotiate key exchange, encryption, and MAC algorithms for subsequent communications.

  3. Exchange keys.

    Based on the key exchange algorithm, the server and client obtain the same session key and session ID after calculation.

  4. Authenticate users.

    The client sends an authentication request that contains user identity information to the server. If the authentication fails or times out, the client is disconnected from the server.

    Public key-based and password-based authentication modes are supported.

    • In public key-based (RSA, DSA, or ECC) authentication mode, the client must generate an RSA, DSA, or ECC key pair and send the public key to the server. When a user initiates an authentication request, the client generates a random text, encrypts it with its private key, and sends it to the server. The server decrypts the text with the client's public key. If decryption succeeds, the server considers the user trusted and grants access rights to the user. If decryption fails, the client is disconnected from the server.
    • Password-based authentication is implemented by Authentication, Authorization and Accounting (AAA). Similar to Telnet and FTP, SSH supports local database authentication and remote RADIUS server authentication. The SSH server compares the user name and password of an SSH client with the preset user name and password. Authentication succeeds if both match.
  5. Request a session.

    After user authentication is complete, the client sends a session request to the server. After receiving the request, the server processes it.

  6. Enter the interactive session.

    After a session request is accepted, the SSH connection enters the interactive session mode. In this mode, data is transmitted bidirectionally.

NOTE:

Before an SSH connection is established, the local key pair (RSA, DSA, or ECC key pair) must be generated on the server. The key pair is used to generate the session key and session ID and authenticate the server. This step is the key to SSH server configuration.

To improve security, it is not recommended that you use RSA or DSA as the authentication algorithm.
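The version exchange (step 1) and algorithm negotiation (step 2) above, together with the note's advice against RSA and DSA, as an added example in Python; this is not Huawei code, and the KEXINIT name-lists are constructed, not captured from a switch:

```python
import re

# Identification string from RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments".
_IDENT_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")

def parse_identification(line: bytes) -> dict:
    """Step 1: parse the version string each side sends on the wire."""
    m = _IDENT_RE.match(line.rstrip(b"\r\n").decode("ascii"))
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return m.groupdict()

def negotiate_version(client_line: bytes, server_line: bytes) -> str:
    """Step 1 outcome: only SSH 2.0 is accepted; '1.99' is the legacy 'speaks both' marker."""
    c = parse_identification(client_line)["proto"]
    s = parse_identification(server_line)["proto"]
    if c in ("2.0", "1.99") and s in ("2.0", "1.99"):
        return "2.0"
    raise ValueError(f"incompatible SSH versions: client {c}, server {s}")

def choose(client_list: list, server_list: list) -> str:
    """Step 2 rule (RFC 4253 section 7.1): the first name in the client's list
    that the server also supports wins, so the client's preference order matters."""
    for name in client_list:
        if name in server_list:
            return name
    raise ValueError(f"no common algorithm: {client_list} vs {server_list}")

# Host-key algorithms that rest on RSA or DSA, which the note above advises against.
LEGACY_HOSTKEY = {"ssh-rsa", "ssh-dss", "rsa-sha2-256", "rsa-sha2-512"}

def negotiate(client: dict, server: dict, ecc_only: bool = True) -> dict:
    """Step 2 for the four KEXINIT name-lists modelled here (kex, hostkey, cipher, mac)."""
    client = dict(client)
    if ecc_only:  # enforce the ECC-only policy on our own offer before negotiating
        client["hostkey"] = [a for a in client["hostkey"] if a not in LEGACY_HOSTKEY]
    return {f: choose(client[f], server[f]) for f in ("kex", "hostkey", "cipher", "mac")}

# Constructed KEXINIT name-lists (assumed values, not captured from a real device).
CLIENT_KEXINIT = {
    "kex": ["curve25519-sha256", "ecdh-sha2-nistp256", "diffie-hellman-group14-sha256"],
    "hostkey": ["ssh-rsa", "ecdsa-sha2-nistp256", "ssh-ed25519"],
    "cipher": ["aes256-gcm@openssh.com", "aes128-ctr"],
    "mac": ["hmac-sha2-256", "hmac-sha1"],
}
SERVER_KEXINIT = {
    "kex": ["diffie-hellman-group14-sha256", "ecdh-sha2-nistp256"],
    "hostkey": ["ssh-rsa", "ecdsa-sha2-nistp256"],
    "cipher": ["aes128-ctr", "aes256-gcm@openssh.com"],
    "mac": ["hmac-sha2-256"],
}
```

With the policy on, a server that offers only RSA host keys gets no common host-key algorithm and the connection is refused rather than silently downgraded.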

SCP Mode

Based on the SSH remote file copy function, SCP is used to copy, upload, and download files. SCP commands are easy to use, improving network maintenance efficiency.

FTPS Mode

FTPS combines FTP and Secure Sockets Layer (SSL). A client and server use SSL to authenticate each other and encrypt data to be transmitted. SSL ensures secure connections to FTP servers and greatly improves the security of common FTP servers. This enables files on the device to be managed securely.

Concepts to learn before configuring the FTPS mode:

  • CA

    A CA is an entity that issues, manages, and revokes digital certificates, and it authenticates the identities of digital certificate owners. Root CAs are widely trusted and authorize lower-level CAs. CA identity information is provided in the trusted CA file.

    For example, CA1 is a root CA that issues a certificate to lower-level CA2, and CA2 issues the certificate to lower-level CA3. The certificate used by the server is issued by the lowest-level CA.

    If the certificate of the server is issued by CA3, the certificate is authenticated as follows: CA3 authenticates the certificate of the server. If the authentication succeeds, CA2 authenticates the certificate of CA3. If the authentication succeeds, the root CA authenticates the certificate of CA2. Only when the root authentication succeeds, the certificate used by the server is valid.

    Figure 7-1 shows certificate issuing process and certificate authentication processes.

    Figure 7-1  Certificate issuing and certificate authentication processes
  • Digital certificate

    A digital certificate is an electronic document that uses a digital signature to bind a public key with an identity. A digital certificate contains information such as the name of a person or an organization and the address. The digital certificate can be used to verify that a public key belongs to an individual.

    Users must obtain the public key of the message sending party to decode messages, and obtain the CA certificate of the message sending party to authenticate its identity.

  • CRL

    The CA issues the Certificate Revocation List (CRL), containing a set of certificates that the CA regards as invalid.

    The CA can shorten the validity period of a certificate using a CRL. The certificate validity period specified by the CRL is shorter than the original certificate validity period. If the CA revokes a certificate in a CRL, the declaration about the authorized key pair is revoked before the certificate expires. When the certificate expires, related data is cleared from the CRL.

    Before using a certificate, the client checks the corresponding CRL.
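The bottom-up chain check described for CA1, CA2 and CA3 above, combined with the CRL check the client performs before using a certificate, as an added Python example that is not Huawei code; the certificate records, keys and dates are constructed, and the signature check is a labelled placeholder for real RSA/ECDSA verification:

```python
import hashlib
from datetime import date

def _sig(issuer_key: str, tbs: str) -> str:
    """Placeholder for the CA's digital signature over the to-be-signed fields.
    A real check verifies an RSA/ECDSA signature with the issuer's public key."""
    return hashlib.sha256(f"{issuer_key}|{tbs}".encode()).hexdigest()

def _tbs(c: dict) -> str:
    return f"{c['subject']}|{c['issuer']}|{c['key']}|{c['not_after']}|{c['serial']}"

def make_cert(subject, issuer, key, not_after, serial, issuer_key) -> dict:
    c = {"subject": subject, "issuer": issuer, "key": key, "not_after": not_after, "serial": serial}
    c["sig"] = _sig(issuer_key, _tbs(c))
    return c

def verify_chain(server_cert, store, trusted_roots, crls, today) -> list:
    """Bottom-up walk described above: the issuer checks the server certificate, the
    next CA up checks that issuer, and so on until a trusted root is reached. Each
    step also consults the issuer's CRL before the certificate is accepted."""
    cert, path = server_cert, []
    while len(path) <= len(store):  # bounds the walk if issuer links form a cycle
        if today > cert["not_after"]:
            raise ValueError(f"{cert['subject']}: certificate expired")
        issuer = store.get(cert["issuer"])
        if issuer is None:
            raise ValueError(f"{cert['subject']}: issuer {cert['issuer']!r} is unknown")
        if cert["sig"] != _sig(issuer["key"], _tbs(cert)):
            raise ValueError(f"{cert['subject']}: signature does not verify under {issuer['subject']}")
        if cert["serial"] in crls.get(issuer["subject"], set()):
            raise ValueError(f"{cert['subject']}: revoked in {issuer['subject']}'s CRL")
        path.append(cert["subject"])
        if issuer["subject"] in trusted_roots:
            return path + [issuer["subject"]]
        cert = issuer
    raise ValueError("certificate chain does not end at a trusted root")

# Constructed CA1 -> CA2 -> CA3 -> server hierarchy from the text (placeholder keys and dates).
ROOT = make_cert("CA1", "CA1", "pub-ca1", date(2030, 1, 1), 1, "pub-ca1")
CA2 = make_cert("CA2", "CA1", "pub-ca2", date(2028, 1, 1), 2, "pub-ca1")
CA3 = make_cert("CA3", "CA2", "pub-ca3", date(2027, 1, 1), 3, "pub-ca2")
SERVER = make_cert("ftps-server", "CA3", "pub-srv", date(2026, 1, 1), 10, "pub-ca3")
STORE = {c["subject"]: c for c in (ROOT, CA2, CA3)}
TRUSTED_ROOTS = {"CA1"}
```

The expiry test runs before the CRL lookup, matching the statement that an expired certificate's entry is dropped from the CRL: revocation only matters while the certificate would otherwise still be valid.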

Accessing a device functioning as a server or client:

  • Access the device that functions as an FTP server on a terminal.

    Configure an SSL policy, load the digital certificate, and enable the FTPS server function on the device that functions as an FTP server. Use the FTP client that supports SSL to access the FTP server to manage files.

  • Access the FTP server using the device that functions as an FTP client.

    Configure an SSL policy on the device that functions as an FTP client and load the trusted CA certificate to check the owner's identity.

Updated: 2019-08-21

Document ID: EDOC1000141895
