Command Reference

CloudEngine 8800, 7800, 6800, and 5800 V200R002C50

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
UI Configuration Commands

acl (user interface view)

Function

The acl command uses an ACL to restrict login rights of users on a terminal.

The undo acl command cancels the configuration.

By default, login rights are not restricted.

Format

acl [ ipv6 ] { acl-number | acl-name } { inbound | outbound }

undo acl [ ipv6 ] { inbound | outbound }

Parameters

Parameter Description Value
ipv6

Indicates that the specified ACL number or name refers to an IPv6 ACL (ACL6).

-
acl-number

Specifies the number of an ACL.

The value is an integer ranging from 2000 to 3999.
  • 2000-2999: restricts the source address using the basic ACL.
  • 3000-3999: restricts the source and destination addresses using the advanced ACL.
acl-name

Specifies the name of an ACL.

The value is a string of 1 to 32 case-sensitive characters except spaces. The value must start with a letter (case-sensitive).
inbound

Restricts users with a specified address or within a specified address segment from logging in to the device.

-
outbound

Restricts users who have logged in to the device from logging in to other devices.

-

Views

User interface view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

This command restricts the login rights of a user interface based on the source IP address, destination IP address, source port, or destination port. You can use this command to permit or deny access to a destination or from a source.

Prerequisites

Before running this command, run the acl (system view) command in the system view and the rule (ACL view) command to configure an ACL.

If no rule is configured, login rights on the user interface are not restricted when the acl command is executed.

Precautions

After the configurations of the ACL take effect, all users on the user interface are restricted by the ACL.

You can configure all of the following ACL types: IPv4 inbound, IPv4 outbound, IPv6 inbound, and IPv6 outbound on a user interface. Only one ACL of each type can be configured on a user interface, and only the latest configuration of an ACL takes effect.

Example

# Restrict the Telnet login rights on user interface VTY 0.

<HUAWEI> system-view
[~HUAWEI] acl 3001
[*HUAWEI-acl4-advance-3001] rule deny tcp source any destination-port eq telnet
[*HUAWEI-acl4-advance-3001] quit
[*HUAWEI] user-interface vty 0
[*HUAWEI-ui-vty0] acl 3001 outbound

# Remove the restriction on the Telnet login rights on user interface VTY 0.

<HUAWEI> system-view
[~HUAWEI] user-interface vty 0
[*HUAWEI-ui-vty0] undo acl outbound
activate vty ip-block ip-address

Function

The activate vty ip-block ip-address command unlocks the IP address of a user that fails the authentication through the VTY user interface.

Format

activate vty ip-block ip-address ip-address [ vpnname vpn-name ]

Parameters

Parameter Description Value
ip-address

Specifies a locked IP address.

  • For an IPv4 address, the value is in dotted decimal notation.
  • For an IPv6 address, the value is a 32-digit hexadecimal number in the format X:X:X:X:X:X:X:X.
vpnname vpn-name

Specifies the name of a VPN to which the locked user belongs.

The value is a string of 1 to 31 case-sensitive characters.

Views

User view

Default Level

3: Management level

Usage Guidelines

In the VTY user interface, if a user enters incorrect passwords for six consecutive times in 5 minutes, the IP address of this user is locked for 5 minutes. To unlock the IP address of this user in advance, run the activate vty ip-block ip-address command.

Example

# Unlock the IP address 10.1.2.3.

<HUAWEI> activate vty ip-block ip-address 10.1.2.3

activate ssh server ip-block ip-address

Function

The activate ssh server ip-block ip-address command unlocks the IP address of a user that fails the SSH connection authentication.

Format

activate ssh server ip-block ip-address ip-address [ vpn-instance vpn-name ]

Parameters

Parameter Description Value
ip-address

Specifies a locked IP address.

  • For an IPv4 address, the value is in dotted decimal notation.
  • For an IPv6 address, the value is a 32-digit hexadecimal number in the format X:X:X:X:X:X:X:X.
vpn-instance vpn-name

Specifies the name of a VPN to which the locked user belongs.

The value is a string of 1 to 31 case-sensitive characters.

Views

User view

Default Level

3: Management level

Usage Guidelines

In an SSH connection, if a user enters incorrect passwords for six consecutive times in 5 minutes, the IP address of this user will be blocked for 5 minutes. To unlock the IP address of this user in advance, run the activate ssh server ip-block ip-address command.

Example

# Unlock the IP address 10.1.2.3.

<HUAWEI> activate ssh server ip-block ip-address 10.1.2.3

authentication-mode (user interface view)

Function

The authentication-mode command configures the authentication mode for accessing the user interface.

The undo authentication-mode command deletes the authentication mode for accessing the user interface.

By default, no authentication method is configured for the user interface. For the users logging in to the VTY interface, an authentication method must be configured; otherwise, users cannot log in.

Format

authentication-mode { aaa | password | none }

undo authentication-mode

Parameters

Parameter Description Value
aaa Indicates the AAA authentication mode. -
password Indicates the password authentication mode. -
none

Indicates the non-authentication mode.

NOTE:

The non-authentication mode has potential security risks. Therefore, exercise caution when deciding to configure this mode.

-

Views

User interface view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When a user logs in to the device through the console interface for the first time, the system prompts the user to set the login password. After logging in, the user can run the authentication-mode command to change the authentication mode. The none mode is not recommended because it provides low security. It is recommended that you configure AAA or password authentication to enhance system security.

Before Telnet or SSH users log in to the device using VTY user interface, they must run the authentication-mode command to configure the authentication mode.

If SSH is configured for the user interface using the protocol inbound ssh command, you must configure the authentication-mode aaa authentication mode to ensure successful logins. If the password authentication mode is configured, the protocol inbound ssh command cannot be executed.

Precautions

The authentication mode must be configured for login through the VTY user interface; otherwise, users cannot log in to the device.

For the users logging in to the VTY interface, an authentication method must be configured; otherwise, users cannot log in.

  • After you set the authentication mode for accessing a user interface to password, run the set authentication password command to configure an authentication password. Keep the password safe. You need to enter the password when logging in to the device. The levels of commands accessible to a user depend on the level configured for the user interface to which the user logs in.

  • When the authentication mode is set to aaa, the authentication password is deleted at the same time. Users are required to enter the login user name and password to log in to the device. After login, the level of the commands the user can run depends on the level of the local user specified in AAA configuration.

  • When you run the undo authentication-mode command to delete the authentication mode, the system asks you whether to delete the authentication mode.

  • If the AAA authentication mode is used, run the local-user user-name password command to configure the local user account and login password. Otherwise, user login fails.

Example

# Configure the authentication mode for accessing the user interface.

<HUAWEI> system-view
[~HUAWEI] user-interface vty 0
[~HUAWEI-ui-vty0] authentication-mode aaa

databits

Function

The databits command sets the number of data bits of the user interface.

The undo databits command restores the default number of data bits.

By default, the number of data bits of the user interface is 8.

Format

databits { 5 | 6 | 7 | 8 }

undo databits

Parameters

Parameter Description Value
5 Indicates that the number of data bits is 5. -
6 Indicates that the number of data bits is 6. -
7 Indicates that the number of data bits is 7. -
8 Indicates that the number of data bits is 8. -

Views

User interface view

Default Level

3: Management level

Usage Guidelines

Use this command only when necessary. If the number of data bits of a device's user interface is changed, ensure that the same number of data bits is set on the HyperTerminal used for login.

The setting is valid only when the serial port is configured to work in asynchronous mode.

Example

# Set the number of data bits to 5.

<HUAWEI> system-view
[~HUAWEI] user-interface console 0
[~HUAWEI-ui-console0] databits 5

display ssh server ip-block all

Function

The display ssh server ip-block all command displays information about the IP addresses of all the clients that fail to pass authentication.

Format

display ssh server ip-block all

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

To check information about the IP addresses of all the clients that fail to pass authentication, run the display ssh server ip-block all command. The command output includes the name of the VPN instance to which each IP address belongs, the IP address status, and the number of authentication failures. An IP address that has been blocked after failing authentication cannot be used for further authentication attempts.

If a user logs in using SSH, the user's IP address will be locked for 5 minutes upon 6 incorrect password attempts within 5 minutes. After the IP address is locked, the IP address status displayed in the display ssh server ip-block all command output changes from AUTH FAILED to BLOCKED.

Example

# Display information about the IP addresses of all the clients that fail to pass authentication.

<HUAWEI> display ssh server ip-block all
-------------------------------------------------------------------------------------
 IP Address                 VPN Name                   State           Auth-fail Count
--------------------------------------------------------------------------------------
 192.168.10.1               _public_                   BLOCKED             6          
--------------------------------------------------------------------------------------
Table 3-9  Description of the display ssh server ip-block all command output

Item

Description

IP Address

Locked client IP address

VPN Name

Name of a VPN instance to which a locked client IP address belongs

State

Status of a locked client IP address:
  • BLOCKED: The IP address is locked.
  • AUTH FAILED: The IP address fails to pass authentication.

Auth-fail Count

Number of consecutive authentication failures within 5 minutes

display ssh server ip-block list

Function

The display ssh server ip-block list command displays information about client IP addresses that are locked because of authentication failures.

Format

display ssh server ip-block list

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

To check information about client IP addresses that are locked because of authentication failures, run the display ssh server ip-block list command. The command output includes the names of VPN instances to which the locked client IP addresses belong and the remaining locking period.

Example

# Display information about client IP addresses that are locked because of authentication failures.

<HUAWEI> display ssh server ip-block list
-------------------------------------------------------------------------------------
 IP Address                 VPN Name                   UnBlock Interval(Seconds)     
-------------------------------------------------------------------------------------
 192.168.10.1               _public_                          36                     
-------------------------------------------------------------------------------------
Table 3-10  Description of the display ssh server ip-block list command output

Item

Description

IP Address

Locked client IP address

VPN Name

Name of a VPN instance to which a locked client IP address belongs

UnBlock Interval(Seconds)

Remaining locking period, in seconds

display user-interface

Function

The display user-interface command displays information about a user interface.

Format

display user-interface [ ui-type ui-number1 | ui-number ] [ summary ]

Parameters

Parameter Description Value
ui-type Displays information about a specified user interface. The value can be Console, VTY, or NCA.
ui-number1 Displays information about a user interface with a specified relative number. The minimum value is 0. The maximum value is smaller by 1 than the number of user interfaces the system supports.
ui-number Displays information about a user interface with a specified absolute number.

The value is an integer ranging from 0 to 104. The value varies according to the device type.

summary Displays the summary of a user interface. -

Views

All views

Default Level

3: Management level

Usage Guidelines

You can run the display user-interface command to view detailed configuration information about all user interfaces or a specified user interface. To obtain the relative number and absolute number of a user interface, run the display users command and view the User-Intf field in the command output.

Example

# Display detailed information about the user interface with the absolute number 0.

<HUAWEI> display user-interface 0
  Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int
+ 0    CON 0    9600       -     15    15          -     6
UI(s) not in async mode -or- with no hardware support:
20-32
  +    : Current UI is active.
  F    : Current UI is active and work in async mode.
  Idx  : Absolute index of UIs.
  Type : Type and relative index of UIs.
  Privi: The privilege of UIs.
  ActualPrivi: The actual privilege of user-interface.
  Auth : The authentication mode of UIs.
      A: Authenticate use AAA.
      N: Current UI need not authentication.
      P: Authenticate use current UI's password.
  Int  : The physical location of UIs.

# Display detailed information about all user interfaces.

<HUAWEI> display user-interface
  Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int
+ 0    CON 0    9600       -     15    15          -     6
  34   VTY 0               -     15    -           A     -
  35   VTY 1               -     15    -           A     -
  36   VTY 2               -     15    -           A     -
  37   VTY 3               -     15    -           A     -
  38   VTY 4               -     15    -           A     -
  39   VTY 5               -     15    -           -     -
+ 40   VTY 6               -     15    15          N     -
  41   VTY 7               -     15    -           -     -
  42   VTY 8               -     15    -           -     -
  43   VTY 9               -     15    -           -     -
+ 44   VTY 10              -     15    15          N     -
+ 45   VTY 11              -     15    15          N     -
+ 46   VTY 12              -     15    15          N     -
+ 47   VTY 13              -     15    15          N     -
+ 48   VTY 14              -     15    15          N     -
  100  NCA 0               -     -     -           A     -
+ 101  NCA 1               -     -     3           A     -
+ 102  NCA 2               -     -     3           A     -
  103  NCA 3               -     -     -           A     -
  104  NCA 4               -     -     -           A     -
UI(s) not in async mode -or- with no hardware support:
21-32
  +    : Current UI is active.
  F    : Current UI is active and work in async mode.
  Idx  : Absolute index of UIs.
  Type : Type and relative index of UIs.
  Privi: The privilege of UIs.
  ActualPrivi: The actual privilege of user-interface.
  Auth : The authentication mode of UIs.
      A: Authenticate use AAA.
      N: Current UI need not authentication.
      P: Authenticate use current UI's password.
  Int  : The physical location of UIs.
Table 3-11  Description of the display user-interface command output

Parameter

Description

+

Active user interface.

F

Active user interface in asynchronous mode.

Idx

Absolute number of a user interface.

Type

Type and relative number of a user interface.

Tx/Rx

Data transfer rate of the user interface.

Modem

Type of the modem.

Privi

Authority configured on a user interface.

ActualPrivi

Actual permission of a user interface. (In the case of the AAA authentication mode, the level of a local user in AAA configuration is the actual permission. You can run the display aaa access-user command to check the user level.)

Auth

Authentication mode on a user interface.
  • A: AAA authentication.

  • N: No authentication on the current user interface.

  • P: Password authentication.

Int

User interface.
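As an added example (not part of the Huawei documentation), the following Python script parses the display user-interface output shown above and flags remote user interfaces whose Auth column is N (no authentication) or - (no authentication mode configured, so VTY logins fail). The sample output is a constructed copy of the page's second example; column names and flag meanings come from the legend above.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Row layout of "display user-interface" as shown in this reference:
#   [flag] Idx  Type rel  [Tx/Rx]  Modem  Privi  ActualPrivi  Auth  Int
# Tx/Rx is blank on VTY and NCA rows, so it is optional in the pattern.
ROW_RE = re.compile(
    r"^(?P<flag>[+F ])\s*(?P<idx>\d+)\s+(?P<type>CON|VTY|NCA)\s+(?P<rel>\d+)\s+"
    r"(?:(?P<txrx>\d+)\s+)?(?P<modem>\S+)\s+(?P<privi>\S+)\s+(?P<actual>\S+)\s+"
    r"(?P<auth>\S+)\s+(?P<int>\S+)\s*$"
)

# Constructed sample: a copy of the page's "display user-interface" example.
SAMPLE_OUTPUT = """\
  Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int
+ 0    CON 0    9600       -     15    15          -     6
  34   VTY 0               -     15    -           A     -
  35   VTY 1               -     15    -           A     -
  36   VTY 2               -     15    -           A     -
  37   VTY 3               -     15    -           A     -
  38   VTY 4               -     15    -           A     -
  39   VTY 5               -     15    -           -     -
+ 40   VTY 6               -     15    15          N     -
  41   VTY 7               -     15    -           -     -
  42   VTY 8               -     15    -           -     -
  43   VTY 9               -     15    -           -     -
+ 44   VTY 10              -     15    15          N     -
+ 45   VTY 11              -     15    15          N     -
+ 46   VTY 12              -     15    15          N     -
+ 47   VTY 13              -     15    15          N     -
+ 48   VTY 14              -     15    15          N     -
  100  NCA 0               -     -     -           A     -
+ 101  NCA 1               -     -     3           A     -
+ 102  NCA 2               -     -     3           A     -
  103  NCA 3               -     -     -           A     -
  104  NCA 4               -     -     -           A     -
UI(s) not in async mode -or- with no hardware support:
21-32
  +    : Current UI is active.
  N: Current UI need not authentication.
"""


@dataclass
class UserInterface:
    idx: int            # absolute number
    kind: str           # CON, VTY or NCA
    rel: int            # relative number
    active: bool        # '+' or 'F' flag in the first column
    privi: str          # configured privilege
    actual_privi: str   # actual privilege of the session
    auth: str           # A = AAA, P = password, N = none, - = not configured


def parse_user_interfaces(output: str) -> List[UserInterface]:
    """Return one record per table row; header, legend and range lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        rows.append(UserInterface(
            idx=int(m["idx"]), kind=m["type"], rel=int(m["rel"]),
            active=m["flag"] in "+F", privi=m["privi"],
            actual_privi=m["actual"], auth=m["auth"]))
    return rows


def audit(rows: List[UserInterface]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for remote (VTY/NCA) user interfaces."""
    findings = []
    for r in rows:
        if r.kind == "CON":
            continue  # console access is physical; not assessed here
        name = f"{r.kind} {r.rel} (idx {r.idx})"
        if r.auth == "N":
            sev = "CRITICAL" if r.active else "HIGH"
            detail = f", session active at privilege {r.actual_privi}" if r.active else ""
            findings.append((sev, f"{name}: authentication-mode none{detail}"))
        elif r.auth == "-" and r.kind == "VTY":
            findings.append(("INFO", f"{name}: no authentication-mode configured; logins will fail"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(parse_user_interfaces(SAMPLE_OUTPUT)):
        print(f"[{severity}] {message}")
```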

display user-interface maximum-vty

Function

The display user-interface maximum-vty command displays the maximum number of VTY users.

Format

display user-interface maximum-vty

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

You can run the display user-interface maximum-vty command to view the maximum number of users who can connect to the device using Telnet or SSH. By default, the total number of Telnet and SSH users is five.

Example

# Display the maximum number of VTY users.

<HUAWEI> display user-interface maximum-vty
Maximum of VTY user : 5
Table 3-12  Description of the display user-interface maximum-vty command output

Parameter

Description

Maximum of VTY user

Maximum number of VTY users.

The maximum number of VTY users can be configured using the user-interface maximum-vty command.

display users

Function

The display users command displays login information for each user interface.

Format

display users [ all ]

Parameters

Parameter Description Value
all Displays information about all users who log in to the device through user interfaces, including information about user interfaces that are not used. If the all parameter is not used, the command displays only information about user interfaces that have been connected. -

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run this command to view information about users who are connected to the device. The information includes the user name, IP address, and authentication and authorization information.

Example

# Run the display users command to view information about users who log in to the device through the user interface.

<HUAWEI> display users
NOTE:                                                                           
User-Intf: The absolute number and the relative number of user interface        
Authen: Whether the authentication passes                                       
Author: Command line authorization flag                                         
--------------------------------------------------------------------------------
  User-Intf   Delay     Type   Network Address   Authen    Author   Username
--------------------------------------------------------------------------------
  34  VTY 0   16:07:36  TEL    10.135.34.246     pass      yes      root123

  35  VTY 1   00:00:00  TEL    10.135.37.80      pass      yes      root123

  36  VTY 2   24:03:21  TEL    10.135.32.164     pass      yes      root123

* 37  VTY 3   23:33:44  TEL    10.135.23.55      pass      yes      root123
Table 3-13  Description of the display users command output

Item

Description

*

Current user interface. If the all parameter is specified, information about user interfaces that have login users is displayed.

User-Intf

The number in the first column indicates the absolute number of the user interface, and the number in the second column indicates the relative number of the user interface.

  • CON: indicates that the user logs in to the device through the console interface.

  • VTY: indicates that the user logs in to the device using Telnet or STelnet.

  • NCA: indicates that the user logs in to the device using NETCONF.

Delay

Interval from the user's latest input to the current time, in seconds.

Type

Connection type. If the all parameter is specified and this field is empty, the user interface is not used. If the all parameter is not specified:
  • An empty field or -- indicates the console type.
  • TEL indicates the Telnet type.
  • SSH indicates the SSH type.

Network Address

  • Console user interface: The value is the slot ID of the main control card.

  • VTY user interface: The value is the IP address of the login user.

Username

User name for logging in to the device. If the user name is not specified, Unspecified is displayed.

Authen

Whether the authentication succeeds.

Author

Command line authorization status.
  • yes: Command line authentication is enabled.
  • no: Command line authentication is disabled.

display vty ip-block vty-password-mode all

Function

The display vty ip-block vty-password-mode all command displays all IP addresses that fail to be authenticated.

Format

display vty ip-block vty-password-mode all

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

To check IP addresses that fail to be authenticated, run the display vty ip-block vty-password-mode all command.

Example

# Display all IP addresses that fail to be authenticated.

<HUAWEI> system-view
[~HUAWEI] diagnose
[~HUAWEI-diagnose] display vty ip-block vty-password-mode all
-------------------------------------------------------------------------------------
 IP Address                 VPN Name                   State           Auth-fail Count
--------------------------------------------------------------------------------------
 192.168.10.1               _public_                   BLOCKED             6          
--------------------------------------------------------------------------------------
Table 3-14  Description of the display vty ip-block vty-password-mode all command output

Item

Description

IP Address

Blocked IP address

VPN Name

Name of the VPN to which the blocked IP address belongs

State

State of an IP address
  • BLOCKED: The IP address is blocked.
  • AUTH FAILED: The IP address fails to be authenticated.

Auth-fail Count

Number of IP address authentication failures in the latest 5 minutes
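The ip-block tables for SSH (display ssh server ip-block all) and for VTY password mode (display vty ip-block vty-password-mode all) share one layout, so a single parser serves both. As an added example (not from the Huawei documentation), the script below turns that table into alerts for a monitoring pipeline and builds the matching unlock command for an operator to review. The sample output is constructed; the lockout policy (6 failures in 5 minutes) is taken from this page, and the assumption that the VPN name _public_ needs no VPN keyword is this example's, not the page's.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Row pattern shared by "display ssh server ip-block all" and
# "display vty ip-block vty-password-mode all" as printed in this reference.
ROW_RE = re.compile(
    r"^\s*(?P<ip>[0-9A-Fa-f.:]+)\s+(?P<vpn>\S+)\s+(?P<state>BLOCKED|AUTH FAILED)\s+(?P<count>\d+)\s*$"
)

# Lockout policy stated on this page: 6 consecutive failures within 5 minutes
# lock the address for 5 minutes.
LOCK_THRESHOLD = 6

# Constructed sample: the page's example row plus two addresses still counting failures.
SAMPLE_OUTPUT = """\
-------------------------------------------------------------------------------------
 IP Address                 VPN Name                   State           Auth-fail Count
--------------------------------------------------------------------------------------
 192.168.10.1               _public_                   BLOCKED             6
 10.0.0.7                   mgmt                       AUTH FAILED         4
 2001:db8::25               _public_                   AUTH FAILED         1
--------------------------------------------------------------------------------------
"""


@dataclass
class BlockEntry:
    ip: str
    vpn: str
    state: str       # BLOCKED or AUTH FAILED
    fail_count: int  # consecutive failures within the 5-minute window


def parse_ip_block(output: str) -> List[BlockEntry]:
    """Return one entry per data row; header and separator lines do not match."""
    entries = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            entries.append(BlockEntry(m["ip"], m["vpn"], m["state"], int(m["count"])))
    return entries


def triage(entries: List[BlockEntry], warn_at: int = LOCK_THRESHOLD - 2) -> List[Tuple[str, str]]:
    """Classify each entry: LOCKED (lockout reached), WARN (close to it), INFO."""
    alerts = []
    for e in entries:
        where = f"{e.ip} (VPN {e.vpn})"
        if e.state == "BLOCKED":
            alerts.append(("LOCKED", f"{where}: locked after {e.fail_count} failures; treat as a brute-force source"))
        elif e.fail_count >= warn_at:
            alerts.append(("WARN", f"{where}: {e.fail_count} failures in 5 min, lockout at {LOCK_THRESHOLD}"))
        else:
            alerts.append(("INFO", f"{where}: {e.fail_count} failures"))
    return alerts


def unblock_command(entry: BlockEntry, service: str) -> str:
    """Build the unlock command from this page for an operator to review before use.
    Assumption of this example: '_public_' names the public network instance,
    so no VPN keyword is added for it."""
    if service == "ssh":
        cmd, keyword = "activate ssh server ip-block ip-address", "vpn-instance"
    elif service == "vty":
        cmd, keyword = "activate vty ip-block ip-address", "vpnname"
    else:
        raise ValueError("service must be 'ssh' or 'vty'")
    cmd = f"{cmd} {entry.ip}"
    if entry.vpn != "_public_":
        cmd += f" {keyword} {entry.vpn}"
    return cmd


if __name__ == "__main__":
    entries = parse_ip_block(SAMPLE_OUTPUT)
    for level, message in triage(entries):
        print(f"[{level}] {message}")
    for e in entries:
        if e.state == "BLOCKED":
            print("review before running:", unblock_command(e, "ssh"))
```

A locked address should be investigated (source, account targeted, rate) before it is unlocked; the default 5-minute lock expires on its own.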

display vty ip-block vty-password-mode list

Function

The display vty ip-block vty-password-mode list command displays IP addresses that are blocked due to authentication failures.

Format

display vty ip-block vty-password-mode list

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

To check information, such as the remaining block time, about IP addresses that are blocked due to authentication failures, run the display vty ip-block vty-password-mode list command.

Example

# Display IP addresses that are blocked due to authentication failures.

<HUAWEI> display vty ip-block vty-password-mode list
-------------------------------------------------------------------------------------
 IP Address                 VPN Name                   UnBlock Interval(Seconds)     
-------------------------------------------------------------------------------------
 192.168.10.1               _public_                          36                     
-------------------------------------------------------------------------------------
Table 3-15  Description of the display vty ip-block vty-password-mode list command output

Item

Description

IP Address

Blocked IP address

VPN Name

Name of the VPN to which the blocked IP address belongs

UnBlock Interval(Seconds)

Remaining block time after which the IP address will be unblocked

flow-control

Function

The flow-control command configures the traffic control mode.

The undo flow-control command restores the default traffic control mode.

By default, the none mode is used, that is, traffic control is disabled.

Format

flow-control { hardware | none | software }

undo flow-control

Parameters

Parameter Description Value
hardware Indicates the hardware traffic control. -
none Indicates non-traffic control. -
software Indicates the software traffic control. -

Views

Console user interface view

Default Level

3: Management level

Usage Guidelines

The configuration takes effect only when the corresponding serial interface works as a console interface.

Example

# Set software traffic control in the user interface view.

<HUAWEI> system-view
[~HUAWEI] user-interface console 0
[*HUAWEI-ui-console0] flow-control software

kill user-interface

Function

The kill user-interface command disconnects the device from a specified user interface.

Format

kill user-interface { ui-number | ui-type ui-number1 }

Parameters

Parameter Description Value
ui-number Specifies the absolute number of a user interface.

The value is an integer ranging from 0 to 104. The value varies according to the device type.

ui-type Specifies the type of a user interface. The value can be NCA, Console, or VTY.
ui-number1 Specifies the relative number of a specified user interface.
  • If the ui-type is console, the value of ui-number1 is 0.
  • If the ui-type is vty, the value of ui-number1 ranges from 0 to 20.
  • If the ui-type is nca, the value of ui-number1 ranges from 0 to 4.

Views

User view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If a user logs in to the device and does not perform any operation or you want to forbid a user from performing operations on the device, you can run the kill user-interface command to delete a specified user. After the command is executed, the user logs out from the device.

Precautions

The kill user-interface command cannot be executed on the current user interface. For example, if the current user interface is VTY 2, the kill user-interface vty 2 command fails to be executed.

Example

# Disconnect the VTY3 user's terminal from the device.

<HUAWEI> kill user-interface vty 3
Warning: User interface VTY3 will be freed. Do you want to continue? [Y/N]:y
Info: User interface VTY3 is free.

history-command max-size

Function

The history-command max-size command sets the size of the historical command buffer.

The undo history-command max-size command restores the default size of the historical command buffer.

By default, a maximum of 10 previously-used commands can be saved in the buffer.

Format

history-command max-size size-value

undo history-command max-size

Parameters

Parameter Description Value
size-value Specifies the size of the historical command buffer. The value is an integer ranging from 0 to 256.

Views

User interface view

Default Level

3: Management level

Usage Guidelines

The CLI can automatically save the historical commands that you enter. This function is similar to that of Doskey. You can invoke and run the historical commands at any time.

Example

# Set the size of the historical command buffer to 20.

<HUAWEI> system-view
[~HUAWEI] user-interface console 0
[~HUAWEI-ui-console0] history-command max-size 20

idle-timeout

Function

The idle-timeout command sets the timeout duration for disconnection from a user interface.

The undo idle-timeout command restores the default timeout duration.

By default, the timeout duration is 10 minutes in the VTY user interface view and 5 minutes in the console user interface view.

Format

idle-timeout minutes [ seconds ]

undo idle-timeout

Parameters

Parameter Description Value
minutes Specifies the idle timeout duration, in minutes.

The value is an integer that ranges from 0 to 35791 in the VTY user interface view and from 1 to 1440 in the console user interface view, in minutes.

seconds Specifies the idle timeout duration, in seconds. The value is an integer ranging from 0 to 59, in seconds.

Views

User interface view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If a user logs in to the device and does not perform an operation, the user interface is occupied unnecessarily. You can run the idle-timeout command to disconnect the user's terminal from the device.

Precautions

  • If you set the timeout duration to 0, the connection remains alive until you close it.
  • If the user interface disconnection function is not configured, other users may fail to log in to the device.
  • If the idle timeout interval is set to 0 or a large value, the terminal will remain in the login state, resulting in security risks. You are advised to run the lock command to lock the current connection.
  • You are advised to set the timeout duration to 10-15 minutes.
  • In versions earlier than V200R002C50, the timeout period configured using the idle-timeout command for a user connection in the console user interface view ranges from 0 to 35791. If the timeout period is set to 0 minutes or is greater than 1440 minutes in a version earlier than V200R002C50, it is automatically set to 1440 minutes after the system software is upgraded to V200R002C50 or a later version.
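The authentication-mode, protocol inbound, acl and idle-timeout guidance on this page can be checked mechanically against a saved configuration. As an added example (not from the Huawei documentation), the script below audits every VTY user-interface stanza for the conditions the page warns about: no or none authentication, password mode (which blocks protocol inbound ssh), no inbound ACL, and an idle timeout of 0 or outside the advised 10-15 minutes. The stanza layout (a user-interface line followed by its indented commands) and the sample configuration are this example's assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in an assumed running-configuration layout: each
# user-interface stanza is followed by its indented commands, '#' ends it.
SAMPLE_CONFIG = """\
#
user-interface console 0
 authentication-mode password
 idle-timeout 5 0
#
user-interface vty 0 4
 acl 3001 inbound
 authentication-mode aaa
 idle-timeout 10 0
 protocol inbound ssh
#
user-interface vty 5 9
 authentication-mode none
 idle-timeout 0 0
#
"""

VTY_DEFAULT_IDLE_MINUTES = 10.0   # page default for the VTY user interface view


def parse_user_interface_stanzas(config: str) -> Dict[str, List[str]]:
    """Map 'vty 0 4' -> list of commands configured under that stanza."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("user-interface "):
            current = raw[len("user-interface "):].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # '#' or any other top-level line closes the stanza
    return stanzas


def audit_vty(name: str, cmds: List[str]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for one VTY stanza."""
    findings = []
    # authentication-mode: required for VTY logins; none is insecure; aaa is needed for SSH
    auth = next((c.split()[1] for c in cmds if c.startswith("authentication-mode ")), None)
    if auth is None:
        findings.append(("HIGH", f"{name}: no authentication-mode; VTY logins fail until one is set"))
    elif auth == "none":
        findings.append(("CRITICAL", f"{name}: authentication-mode none"))
    elif auth == "password":
        findings.append(("MEDIUM", f"{name}: password mode; aaa is required for protocol inbound ssh"))
    # protocol inbound: default is all (Telnet and SSH)
    proto = next((c.split()[2] for c in cmds if c.startswith("protocol inbound ")), "all")
    if proto != "ssh":
        findings.append(("HIGH", f"{name}: protocol inbound {proto}; restrict to ssh"))
    # acl ... inbound limits which source addresses may log in
    if not any(c.startswith("acl ") and c.endswith(" inbound") for c in cmds):
        findings.append(("MEDIUM", f"{name}: no inbound ACL restricting login sources"))
    # idle-timeout minutes [seconds]: 0 keeps sessions open indefinitely
    m = next((re.match(r"idle-timeout (\d+)(?: (\d+))?", c)
              for c in cmds if c.startswith("idle-timeout ")), None)
    minutes = VTY_DEFAULT_IDLE_MINUTES if m is None else int(m.group(1)) + int(m.group(2) or 0) / 60
    if minutes == 0:
        findings.append(("HIGH", f"{name}: idle-timeout 0 keeps sessions open indefinitely"))
    elif not 10 <= minutes <= 15:
        findings.append(("LOW", f"{name}: idle-timeout {minutes:g} min; 10-15 min is advised"))
    return findings


def audit_config(config: str) -> List[Tuple[str, str]]:
    """Audit every VTY stanza in the configuration text."""
    findings = []
    for name, cmds in parse_user_interface_stanzas(config).items():
        if name.startswith("vty"):
            findings.extend(audit_vty(name, cmds))
    return findings


if __name__ == "__main__":
    for severity, message in audit_config(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```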

Example

# Set the timeout duration to 1 minute and 30 seconds.

<HUAWEI> system-view
[~HUAWEI] user-interface console 0
[~HUAWEI-ui-console0] idle-timeout 1 30
ip-block vty-password-mode disable

Function

The ip-block vty-password-mode disable command disables the function of blocking IP addresses in VTY access scenarios.

The undo ip-block vty-password-mode disable command restores the default configuration.

By default, the function of blocking IP addresses in VTY access scenarios is enabled.

Format

ip-block vty-password-mode disable

undo ip-block vty-password-mode disable

Parameters

None

Views

Security password view

Default Level

3: Management level

Usage Guidelines

If the function of blocking IP addresses in VTY access scenarios is enabled, the device blocks IP addresses that fail to be authenticated and rejects VTY access requests that use the blocked IP addresses. The device also records the blocked IP addresses in a list.

After the function is disabled, the device deletes the blocked IP addresses from the list and does not record new IP addresses that fail to be authenticated. To disable the function, run the ip-block vty-password-mode disable command.

Example

# Disable the function of blocking IP addresses in VTY access scenarios.

<HUAWEI> system-view
[~HUAWEI] security password
[*HUAWEI-security-password] ip-block vty-password-mode disable
Warning: It is not recommended to disable ip block feature. This operation may result in system becoming vulnerable to security threats.

# Enable the function of blocking IP addresses in VTY access scenarios.

<HUAWEI> system-view
[~HUAWEI] security password
[*HUAWEI-security-password] undo ip-block vty-password-mode disable

mmi-mode enable

Function

The mmi-mode enable command enters the machine-to-machine mode.

The undo mmi-mode enable command enters the human-to-machine mode.

By default, a VTY user is in human-to-machine mode.

Format

mmi-mode enable

undo mmi-mode enable

Parameters

None

Views

User view

Default Level

1: Monitoring level

Usage Guidelines

After you enter the machine-to-machine mode using the mmi-mode enable command, the command output is displayed in one screen.

After you enter the machine-to-machine mode using the mmi-mode enable command, some important commands that normally require caution and confirmation are executed directly, without a prompt. Use this command with caution when switching from human-to-machine mode.

Example

# Enter the machine-to-machine mode.

<HUAWEI> mmi-mode enable

parity

Function

The parity command sets the check bit of the user interface.

The undo parity command restores the check mode of the user interface to none.

By default, no check is performed.

Format

parity { even | mark | none | odd | space }

undo parity

Parameters

Parameter Description Value
even Sets the transmission check bit to even parity. -
mark Sets the transmission check bit to mark check. -
none Sets the transmission check bit to no check. -
odd Sets the transmission check bit to odd parity. -
space Sets the transmission check bit to space check. -

Views

Console user interface view

Default Level

3: Management level

Usage Guidelines

The configuration takes effect only on the serial interface that corresponds to the console user interface view.

Example

# Set the transmission check bit on the Console port to odd parity.

<HUAWEI> system-view
[~HUAWEI] user-interface console 0
[*HUAWEI-ui-console0] parity odd

protocol inbound

Function

The protocol inbound command specifies the protocols that the VTY user interface supports.

The undo protocol inbound command restores the default protocols that the VTY user interface supports.

By default, the system supports all protocols.

Format

protocol inbound { all | ssh | telnet }

undo protocol inbound

Parameters

Parameter Description Value
all Indicates that all protocols including SSH and Telnet are supported. -
ssh Indicates that only SSH is supported. -
telnet Indicates that only Telnet is supported. -

Views

VTY user interface view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To manage and monitor login users, configure the VTY user interface for login users and run the protocol inbound command to configure the protocols that the VTY user interface supports.

Prerequisites

If SSH is configured for the user interface using the protocol inbound command, you must configure the authentication-mode aaa authentication mode to ensure successful logins. If the password authentication mode is configured, the protocol inbound ssh command cannot be executed.

Precautions

  • The configuration takes effect at the next login.

  • Telnet is an insecure protocol. Using SSH is recommended.
  • When SSH is specified for the VTY user interface, if the SSH server has been enabled but no RSA/DSA/ECC key is configured, users can log in to the SSH server using a temporary key.
    NOTE:

    You are advised to use the more secure ECC authentication algorithm for higher security.

Example

# Configure SSH for user interfaces VTY0 to VTY4.

<HUAWEI> system-view
[~HUAWEI] user-interface vty 0 4
[~HUAWEI-ui-vty0-4] authentication-mode aaa
[*HUAWEI-ui-vty0-4] protocol inbound ssh

screen-length

Function

The screen-length command sets the number of lines on each terminal screen after you run a command.

The undo screen-length command restores the default configuration.

By default, the number of lines to be displayed on a terminal screen is 24.

Format

In the user interface view:

screen-length screen-length [ temporary ]

undo screen-length [ temporary ]

In the user view:

screen-length screen-length temporary

undo screen-length temporary

Parameters

Parameter Description Value
screen-length Specifies the number of lines displayed on a terminal screen. The value is an integer that ranges from 0 to 512. The value 0 indicates that all command output is displayed on one screen.
temporary Specifies the number of lines temporarily displayed on a terminal screen. -

Views

User interface view, user view

Default Level

3: Management level

Usage Guidelines

If you run a command and its output is displayed in more lines than you can see on one screen, you can reduce the number of lines displayed on each screen.

In general, you do not need to change the number of lines displayed on each screen. Setting the number of lines to 0 is not recommended. The configuration takes effect after you log in to the system again.

NOTE:

In the user view, the temporary parameter is mandatory and this command is at the Management level.

Example

# Set the number of lines on each screen of the terminal to 30.

<HUAWEI> system-view
[~HUAWEI] user-interface console 0
[~HUAWEI-ui-console0] screen-length 30

set authentication password

Function

The set authentication password command configures a local authentication password.

The undo set authentication password command cancels the local authentication password.

By default, the local authentication password is not configured for the device.

Format

set authentication password [ cipher password ]

undo set authentication password

Parameters

Parameter Description Value
cipher password

Specifies the password for the user interface.

  • When cipher is not entered, password input is in man-machine interaction mode, and the system does not display the entered password.

    The password is a string of 8 to 16 case-sensitive characters. The password must contain at least two of the following characters: upper-case character, lower-case character, digit, and special character.

    Any special character is allowed except the question mark (?) and the space. However, when the password is enclosed in double quotation marks, spaces are allowed in the password.
    • A password enclosed in double quotation marks cannot itself contain double quotation marks if it contains spaces.
    • A password enclosed in double quotation marks can contain double quotation marks if it contains no spaces.

    For example, the password "a123"45"" is valid, but the password "a 123"45"" is invalid.

  • When cipher is entered, the password can be input in either plaintext or ciphertext.

    • When input in plaintext, the password requirements are the same as those when cipher is not entered. The system displays the password in plaintext as it is typed, which brings risks.
    • When input in ciphertext, the password must be a string of 48 to 128 consecutive characters.

    The password is displayed in ciphertext in the configuration file regardless of whether it is input in plaintext or cipher text.

Views

User interface view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If password authentication is configured for users, you can run the set authentication password command to change the password or set a password in cipher text.

If cipher password is not specified, the password is entered in interactive mode and can contain 8 to 16 characters. The requirements for the password are the same as the requirements for the plaintext password when you specify the cipher password. The password you enter will not be displayed on the screen.
NOTE:

If you enter the plaintext password when specifying cipher password, security risks exist. The interactive mode is recommended when users enter the password.

Pre-configuration Tasks

Before running the set authentication password command, run the authentication-mode password command to set the authentication mode of the user interface to password authentication; otherwise, the set authentication password command cannot be configured.

Precautions

  • If the password is configured in cipher text, users still need the corresponding plaintext password for identity authentication.
  • If the password authentication is configured but the password is not configured for the user interface, the user cannot log in to the device.

  • If the set authentication password command is executed multiple times, the latest configuration overrides the previous ones. You can run the set authentication password command to change the local authentication password. After the password is changed, a user who wants to log in to the device must enter the latest password for identity authentication.

  • Users can press Ctrl+C to cancel password modification in interactive mode.

Example

# Set the local authentication password for the user interfaces VTY 0-4.

<HUAWEI> system-view
[~HUAWEI] user-interface vty 0 4
[~HUAWEI-ui-vty0-4] set authentication password
Warning: The "password" authentication mode is not secure, and it is strongly recommended to use "aaa" authentication mode.
Please configure the login password (8-16)
Enter Password:
Confirm Password:
[*HUAWEI-ui-vty0-4]

# Set the local authentication password for the user interfaces VTY 0-4 using the cipher parameter.

<HUAWEI> system-view
[~HUAWEI] user-interface vty 0 4
[~HUAWEI-ui-vty0-4] set authentication password cipher Huawei@123

shell

Function

The shell command enables terminal services on a user interface.

The undo shell command disables terminal services on a user interface.

By default, terminal services are enabled on all user interfaces.

Format

shell

undo shell

Parameters

None

Views

VTY user interface view

Default Level

3: Management level

Usage Guidelines

You can use the shell command on a user interface to enable terminal services. This command enables users to enter commands through this interface to query device information and configure the device.

You can use the undo shell command on the user interface to disable terminal services. This command does not allow users to perform any operations through this interface. After using the undo shell command in the VTY view, this user interface does not provide Telnet and STelnet access.

NOTE:

The console user interface does not support this command.

Example

# Disable terminal services on VTY 0 to VTY 4.

<HUAWEI> system-view
[~HUAWEI] user-interface vty 0 4
[~HUAWEI-ui-vty0-4] undo shell
Warning: ui-vty0-4 will be disabled. Do you want to continue? [Y/N]:y

speed (user interface view)

Function

The speed command sets the baud rate of a user interface.

The undo speed command restores the default baud rate of a user interface.

By default, the baud rate is 9600 bit/s.

Format

speed speed-value

undo speed

Parameters

Parameter Description Value
speed-value Specifies the baud rate of a user interface.

The value is expressed in bit/s.

The asynchronous serial interface supports the following baud rates:

  • 300

  • 600

  • 1200

  • 2400

  • 4800

  • 9600

  • 19200

  • 38400

  • 57600

  • 115200

Views

Console user interface view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When a user logs in to the switch through the console interface, the baud rate on the HyperTerminal must be the same as that configured on the switch; otherwise, the user cannot log in to the switch.

The setting is valid only when the serial port is configured to work in asynchronous mode.

Precautions

In V200R002C50:
  • For switches excluding the CE6860EI, CE6870-48T6CQ-EI, CE8850-32CQ-EI, CE6880EI, CE5810EI, and CE5850HI, this command does not take effect before the V200R002C50SPH012 patch is loaded, and users log in to the switch through the serial interface using the default baud rate 9600 bit/s; all baud rates can be configured after the V200R002C50SPH012 patch is installed.
  • For the CE6860EI, CE6870-48T6CQ-EI, and CE8850-32CQ-EI, this command does not take effect before the V200R002C50SPH013 patch is loaded, and users log in to the switch through the serial interface using the default baud rate 9600 bit/s; after the V200R002C50SPH013 patch is loaded, the speed 300 or speed 600 command does not take effect, and you are advised to configure other baud rates.
  • For the CE6880EI, CE5810EI, and CE5850HI, this command does not take effect and users log in to the switch through the serial interface using the default baud rate 9600 bit/s.

In V200R001C00 and earlier versions, the speed 300 or speed 600 command does not take effect on the CE5810EI and CE5850HI, and you are advised to use other baud rates.

Therefore, when a switch is upgraded from V200R001C00 or an earlier version to V200R002C50, you are advised to perform the upgrade with the V200R002C50SPH012 patch. Otherwise, users can only log in to the switch through the serial interface using the default baud rate after the upgrade. The CE5810EI and CE5850HI do not support this patch. When the CE5810EI or CE5850HI is upgraded to V200R002C50, users can only log in to the switch through the serial interface using the default baud rate.

Example

# Set the baud rate of a user interface to 115200 bit/s.

<HUAWEI> system-view
[~HUAWEI] user-interface console 0
[~HUAWEI-ui-console0] speed 115200

ssh server ip-block disable

Function

The ssh server ip-block disable command disables an SSH server from locking client IP addresses.

The undo ssh server ip-block disable command enables an SSH server to lock client IP addresses.

By default, an SSH server is enabled to lock client IP addresses.

Format

ssh server ip-block disable

undo ssh server ip-block disable

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

If an SSH server is enabled to lock client IP addresses, locked client IP addresses fail to pass authentication and are displayed in the display ssh server ip-block list command output.

If an SSH server is disabled from locking client IP addresses, the display ssh server ip-block list command does not display any client IP address that is locked because of authentication failures.

Disabling an SSH server from locking client IP addresses poses system risks and is therefore not recommended.

Example

# Disable an SSH server from locking client IP addresses.

<HUAWEI> system-view
[~HUAWEI] ssh server ip-block disable
Warning: It is not recommended to disable IP block feature. This operation may result in system becoming vulnerable to security threats.

# Enable an SSH server to lock client IP addresses.

<HUAWEI> system-view
[~HUAWEI] undo ssh server ip-block disable

stopbits

Function

The stopbits command sets the stop bit of a user interface.

The undo stopbits command restores the default stop bit of a user interface.

By default, the stop bit is 1.

Format

stopbits { 1.5 | 1 | 2 }

undo stopbits

Parameters

Parameter Description Value
1.5 Sets the stop bit to 1.5. -
1 Sets the stop bit to 1. -
2 Sets the stop bit to 2. -

Views

Console user interface view

Default Level

3: Management level

Usage Guidelines

When a user logs in to the switch through the console interface, the stop bit on the HyperTerminal must be the same as that configured on the switch; otherwise, the user cannot log in to the switch.

The stop bit and the data bit configured using the databits command are related.
  • If the stop bit is 1, the corresponding data bit is 8.

  • If the stop bit is 1.5, the corresponding data bit is 5.

  • If the stop bit is 2, the corresponding data bit is 6, 7, or 8.

The setting is valid only when the serial port is configured to work in asynchronous mode.

Example

# Set the stop bit of a user interface to 2.

<HUAWEI> system-view
[~HUAWEI] user-interface console 0
[~HUAWEI-ui-console0] stopbits 2

user privilege

Function

The user privilege command configures the user level.

The undo user privilege command restores the default user level.

By default, the user level of the console user interface is 15 when the command-privilege level rearrange command has been run and 3 when it has not; all other user interfaces are at level 0.

Format

user privilege level level

undo user privilege level

Parameters

Parameter Description Value
level level Specifies the user level.
NOTE:

The larger the value, the higher the privilege level.

If the command-privilege level rearrange command is configured, the value of level ranges from 0 to 15.

If the command-privilege level rearrange command is not configured, the value of level ranges from 0 to 3.

NOTE:
If the command-privilege level rearrange command configuration is changed, the value of level changes based on the level mapping.
  • If the command-privilege level rearrange command configuration is added, the levels of level-0 and level-1 commands remain unchanged, the level of level-2 commands is upgraded to 10, and that of level-3 commands is upgraded to 15.
  • If the command-privilege level rearrange command configuration is deleted, the level of level-0 commands remains unchanged, the levels of level-1 to level-9 commands are downgraded to 1, the levels of level-10 to level-14 commands are downgraded to 2, and the level of level-15 commands is downgraded to 3.

Views

User interface view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The system manages users by level to control their access permissions. Users who log in to the device can use only commands at a level equal to or lower than their own.

Commands are classified into the visit level, monitoring level, configuration level, and management level that map levels 0, 1, 2, and 3 without command-privilege level rearrange, as listed in Table 3-16.

Table 3-16  Relationship between command levels and user levels

User Level | Command Level | Description
0 | Visit level(0) | Commands of this level include network diagnosis tool commands (such as ping and tracert), commands for accessing external devices from the local device (such as Telnet), and some display commands.
1 | Visit level(0), Monitoring level(1) | Commands of this level are used for system maintenance, including display commands. NOTE: Some display commands are not at this level. For example, the display current-configuration and display saved-configuration commands are at level 3. For details about command levels, see the CloudEngine 8800, 7800, 6800, and 5800 Series Switches Command Reference.
2 | Visit level(0), Monitoring level(1), Configuration level(2) | Commands of this level are used for service configuration to provide direct network services, including routing commands and commands of each network layer.
3 | Visit level(0), Monitoring level(1), Configuration level(2), Management level(3) | Commands of this level are used for basic system operations, including file system, FTP, TFTP download, user management, command level configuration, and debugging.

If the command level configured for a user interface conflicts with that of a user, the command level of the user takes precedence. For example, if the user 001 can use commands at level 3 and the command level configured for the user interface VTY 0 is 2, the user 001 can use commands at level 3 and lower levels when logging in to the system through the user interface VTY 0.

You can run the display user-interface command to view detailed information about a user interface.

Precautions

If refined right management is required, run the command-privilege level command to upgrade command levels.

In versions earlier than V100R006C00, the user level ranges from 0 to 15. If the system software is upgraded to V100R006C00 or a later version, and the command-privilege level command is not configured, the levels of level-0 and level-1 users remain unchanged, and those of level-3 to level-15 users change to 3.

Example

# Set the user level on the VTY0 user interface to 2.

<HUAWEI> system-view
[~HUAWEI] user-interface vty 0
[~HUAWEI-ui-vty0] user privilege level 2
[*HUAWEI-ui-vty0] commit

user-interface

Function

The user-interface command displays one or more user interface views.

Format

user-interface ui-type first-ui-number [ last-ui-number ]

Parameters

Parameter Description Value
ui-type

Specifies the type of a user interface.

The value can be console or vty.
first-ui-number Specifies the number of the first user interface.
  • If ui-type is set to console, the first-ui-number value is 0.
  • If ui-type is set to vty, the first-ui-number value ranges from 0 to the maximum number of VTY user interfaces.
last-ui-number

Specifies the number of the last user interface. When you select this parameter, you enter multiple user interface views at the same time.

This parameter is valid only when ui-type is set to vty. The last-ui-number value must be larger than the first-ui-number value.

If the maximum number of VTY users has been set using the user-interface maximum-vty command in the system view before ui-type is selected, the last-ui-number value is less than or equal to the maximum number of VTY user interfaces minus one.

-

Views

System view

Default Level

3: Management level

Usage Guidelines

When the network administrator logs in to the device using the console interface, Telnet, or SSH, the system manages and monitors the session between the user and the device on the corresponding user interface. Each user interface corresponds to a user interface view. The network administrator can set parameters such as authentication and user level to manage sessions in a unified manner.

After you log in to the device, you can run the display user-interface command to view the supported user interfaces and their corresponding numbers.

Example

# Enter the Console 0 user interface.

<HUAWEI> system-view
[~HUAWEI] user-interface console 0
[~HUAWEI-ui-console0]

# Enter the VTY 1 user interface.

<HUAWEI> system-view
[~HUAWEI] user-interface vty 1
[~HUAWEI-ui-vty1]

# Enter the VTY 1 to VTY 3 user interfaces.

<HUAWEI> system-view
[~HUAWEI] user-interface vty 1 3
[~HUAWEI-ui-vty1-3]

user-interface maximum-vty

Function

The user-interface maximum-vty command configures the maximum number of login users.

The undo user-interface maximum-vty command restores the default maximum number of login users.

By default, the maximum number of Telnet and SSH (STelnet) users is 5.

Format

user-interface maximum-vty number

undo user-interface maximum-vty

Parameters

Parameter Description Value
number Specifies the maximum number of Telnet and SSH users. The value is an integer ranging from 0 to 21.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The user-interface maximum-vty command configures the maximum number of login users. If the VTY channels are fully occupied after the configuration is committed, new connections are not allowed and the current users are not terminated.

Precautions

  • The maximum number of login users set by the user-interface maximum-vty command is the total number of Telnet and SSH (STelnet) users.

  • If the maximum number of login users is set to 0, no user is allowed to log in to the device using Telnet or SSH.

Example

# Set the maximum number of Telnet users to 7.

<HUAWEI> system-view
[~HUAWEI] user-interface maximum-vty 7

user-interface vty security-policy disable

Function

The user-interface vty security-policy disable command disables the VTY user interface's security policy.

The undo user-interface vty security-policy disable command enables the VTY user interface's security policy.

By default, the VTY user interface's security policy is enabled.

Format

user-interface vty security-policy disable

undo user-interface vty security-policy disable

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

The undo user-interface vty security-policy disable command clears a user authentication request that has been pending for a long time to access the VTY user interface. For example, if the number of existing user authentication requests has already reached the upper limit but a new authentication request is received, the system clears the authentication request of the user that fails to pass the authentication within 15 seconds and starts authenticating the new user.

The user-interface vty security-policy disable command cannot clear any user authentication request that has been pending for a long time to access the VTY user interface.

NOTE:

It is recommended that you enable the security policy to harden the VTY user interface's security.

Example

# Disable the VTY user interface's security policy.

<HUAWEI> system-view
[~HUAWEI] user-interface vty security-policy disable
Updated: 2019-03-21

Document ID: EDOC1000166501