Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide

File Management on Other Devices

Context

When downloading files to the device or performing other operations on the device, ensure that the power supply of the device is working properly; otherwise, the downloaded file or the file system may be damaged. As a result, the storage medium on the device may be damaged or the device may fail to start properly.

Managing Files When the Device Functions as a TFTP Client

Pre-configuration Tasks

Before connecting to a device as a TFTP client to manage files, complete the following tasks:

  • Ensure that routes are reachable between the current device and the TFTP server.
  • Obtain the host name or IP address of the TFTP server and the directory for storing files to download or upload.
NOTE:
You must choose a TFTP server with a long packet transmission timeout period, such as 3CDaemon and tftpd32; otherwise, file transfer may fail.
Configuration Process
NOTE:

TFTP poses a security risk to the device. SFTP V2 mode is recommended instead.

Table 3-54 describes the procedure for managing files when the device functions as a TFTP client.

Table 3-54  Procedure for managing files when the device functions as a TFTP client
  1. (Optional) Configure the TFTP client source address
     Description: Configure the TFTP client source address. The source address can be set to a source IP address or source interface information, ensuring communication security.
     Remarks (steps 1 and 2): You can configure the TFTP client source address and TFTP ACL rule in any sequence.
  2. (Optional) Configure the TFTP ACL
     Description: Configure the ACL rule and TFTP basic ACL, improving TFTP access security.
  3. Run TFTP commands to upload or download files
     Description: Upload and download files.

Procedure

  • (Optional) Configure the TFTP client source address.

    The source interface, for example, the loopback interface, must provide stable performance. Using the loopback interface as the source interface simplifies the ACL rule and security policy configuration. After the client source address is configured as the source or destination address in ACL rules, differences between interface IP addresses and changes in interface status no longer affect the rules, and incoming and outgoing packets are filtered consistently.

    Table 3-55  Configuring the TFTP client source address
    • Enter the system view.
      Command: system-view
    • Configure the TFTP client source address.
      Command: tftp client-source { -a source-ip-address | -i interface-type interface-number }
      Description: The TFTP client source address can be set to a source IP address or source interface information. If the source address is set to source interface information, configure an IP address for the interface for establishing TFTP connections.

  • (Optional) Configure the TFTP ACL.

    An ACL is composed of a list of rules such as the source address, destination address, and port number of packets. ACL rules are used to classify packets. After these rules are applied to routing devices, the routing devices determine the packets to be received and rejected.

    An ACL can define multiple rules. ACLs are classified into basic ACLs, advanced ACLs, and Layer 2 ACLs.

    NOTE:

    TFTP supports only the basic ACL whose number ranges from 2000 to 2999.

    ACL rule:
    • The local device can establish TFTP connections with other devices that match the ACL rule only when permit is used in the ACL rule.

    • When deny is used in the ACL rule, the local device cannot establish TFTP connections with other devices that match the ACL rule.

    • When the ACL rule is configured but packets from other devices do not match the rule, the local device cannot establish TFTP connections with other devices.

    • When the ACL contains no rule, the local device can establish TFTP connections with any other devices.

    Table 3-56  Configuring the TFTP ACL
    • Enter the system view.
      Command: system-view
    • Create an ACL and enter the ACL view.
      Command: acl [ number ] acl-number
      Description: By default, no ACL is created.
    • Configure the ACL rule.
      Command: rule [ rule-id ] { deny | permit } [ source { source-address source-wildcard | any } | fragment | time-range time-name ] *
      Description: By default, no rule is configured for an ACL.
    • Return to the system view.
      Command: quit
    • Configure the TFTP ACL.
      Command: tftp-server acl acl-number

  • Run TFTP commands to upload or download files.

    • Run the TFTP command to operate files.
      Command: tftp [ -a source-ip-address | -i interface-type interface-number ] tftp-server { get | put } source-filename [ destination-filename ]
      Description:
      • get: downloads a file.
      • put: uploads a file.
      The source address or interface specified in the tftp command takes priority over that specified in the tftp client-source command. If you specify different source addresses or interfaces in the tftp client-source and tftp commands, the source address or interface specified in the tftp command is used for communication. The source address or interface specified in the tftp client-source command applies to all TFTP connections. The source address or interface specified in the tftp command applies only to the current TFTP connection.
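The ACL behaviour described in the TFTP ACL step above (a permit match allows the connection, a deny match refuses it, rules present but none matching refuses it, and an ACL with no rules accepts any peer) as an added Python model. This is example code written for this page, not Huawei's implementation; the wildcard-mask semantics (a 0 bit must match, a 1 bit is ignored), the sample addresses and the rule IDs are assumptions, and the cli() helpers only echo the command syntax shown in Table 3-56.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed example, not Huawei code: models the basic-ACL matching rules
# stated for the TFTP ACL (permit match -> allowed, deny match -> refused,
# rules present but none matching -> refused, no rules -> any peer allowed).
# Assumption: the wildcard is the usual inverse mask, where a 0 bit means
# "this address bit must match" and a 1 bit means "don't care".


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                 # "permit" or "deny"
    source: str = "any"         # "any" or a dotted-decimal source-address
    wildcard: str = "0.0.0.0"   # source-wildcard; 0.0.0.0 matches one host

    def matches(self, peer: str) -> bool:
        """True if the peer address falls inside source/wildcard."""
        if self.source == "any":
            return True
        src = int(ipaddress.IPv4Address(self.source))
        care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(self.wildcard))
        return (int(ipaddress.IPv4Address(peer)) & care) == (src & care)

    def cli(self) -> str:
        """Render the rule in the syntax shown in Table 3-56."""
        src = "any" if self.source == "any" else f"{self.source} {self.wildcard}"
        return f"rule {self.rule_id} {self.action} source {src}"


@dataclass
class BasicAcl:
    number: int
    rules: list = field(default_factory=list)

    def __post_init__(self):
        # TFTP accepts only basic ACLs, numbered 2000 to 2999.
        if not 2000 <= self.number <= 2999:
            raise ValueError("TFTP ACL must be a basic ACL (2000-2999)")

    def add_rule(self, rule_id, action, source="any", wildcard="0.0.0.0"):
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        self.rules.append(Rule(rule_id, action, source, wildcard))
        self.rules.sort(key=lambda r: r.rule_id)   # evaluated in rule-id order

    def allows(self, peer: str) -> bool:
        """Decide whether a TFTP connection with `peer` may be established."""
        if not self.rules:
            return True                     # empty ACL: any peer is accepted
        for rule in self.rules:
            if rule.matches(peer):
                return rule.action == "permit"
        return False                        # rules exist but none matched

    def cli(self) -> list:
        """Commands from Table 3-56 that would build and apply this ACL."""
        lines = ["system-view", f"acl number {self.number}"]
        lines += [r.cli() for r in self.rules]
        lines += ["quit", f"tftp-server acl {self.number}"]
        return lines


if __name__ == "__main__":
    acl = BasicAcl(2001)
    acl.add_rule(5, "permit", "192.0.2.0", "0.0.0.255")   # constructed management subnet
    acl.add_rule(10, "deny", "198.51.100.7")              # constructed blocked host
    for peer in ("192.0.2.42", "198.51.100.7", "203.0.113.1"):
        print(peer, "allowed" if acl.allows(peer) else "refused")
    print("\n".join(acl.cli()))
```

The third address in the run, 203.0.113.1, is refused although no deny rule names it: once any rule exists, a peer that matches nothing is refused, which is the case the page calls out and the one most often missed when an ACL is written with permit rules only.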

Checking the Configuration
  • Run the display tftp-client command to check source configurations of the TFTP client.
  • Run the display acl { acl-number | all } command to check the ACL configurations of the TFTP client.

Managing Files When the Device Functions as an FTP Client

Pre-configuration Tasks

Before connecting to a device as an FTP client to manage files, complete the following tasks:

  • Ensure that routes are reachable between the current device and the FTP server.
  • Obtain the host name or IP address of the FTP server, FTP user name, and password.
  • Obtain the listening port number of the FTP server if the default listening port number is not used.
Configuration Process
NOTE:

FTP poses a security risk to the device. SFTP V2 mode is recommended instead.

Table 3-57 describes the procedure for managing files when the device functions as an FTP client.

Table 3-57  Procedure for managing files when the device functions as an FTP client
  1. (Optional) Configure the FTP client source address
     Description: Configure the FTP client source address. The source address can be set to a source IP address or source interface information, ensuring communication security.
     Remarks (all steps): Perform steps 1 and 2 in sequence. After the FTP connection is established, perform steps 3 and 4 in any sequence. To disconnect from the FTP server, perform step 5.
  2. Run FTP commands to connect to the FTP server
  3. Run FTP commands to perform file-related operations
     Description: Run FTP commands to perform file-related operations, including operations on directories and files, configuring the file transfer mode, and viewing the online help about FTP commands.
  4. (Optional) Change the login user
  5. Disconnect the FTP client from the FTP server

Procedure

  • (Optional) Configure the FTP client source address.

    The source interface, for example, the loopback interface, must provide stable performance. Using the loopback interface as the source interface simplifies the ACL rule and security policy configuration. After the client source address is configured as the source or destination address in ACL rules, differences between interface IP addresses and changes in interface status no longer affect the rules, and incoming and outgoing packets are filtered consistently.

    The FTP client source address must be set to the loopback interface IP address or loopback interface information.

    Table 3-58  Configuring the FTP client source address
    • Enter the system view.
      Command: system-view
    • Configure the FTP client source address.
      Command: ftp client-source { -a source-ip-address | -i interface-type interface-number }
      Description: You are advised to use the loopback interface IP address. When the FTP client source address is set to loopback interface information, configure an IP address for the loopback interface for establishing FTP connections.

  • Run FTP commands to connect to the FTP server.

    Run the corresponding command in the user view or FTP client view to connect to the FTP server.

    Table 3-59  Running FTP commands to connect to the FTP server
    • Connect to the FTP server in the user view when the server IP address is an IPv4 address.
      Command: ftp [ -a source-ip-address | -i interface-type interface-number ] host-ip [ port-number ]
      Description: Either operation is feasible. To enter the FTP client view, run the ftp command.
    • Connect to the FTP server in the FTP client view when the server IP address is an IPv4 address.
      Commands:
      ftp
      open [ -a source-ip-address | -i interface-type interface-number ] host-ip [ port-number ]

    NOTE:
    • The source address specified in the ftp command takes priority over that specified in the ftp client-source command on an IPv4 network. If you specify different source addresses in the ftp client-source and ftp commands, the source address specified in the ftp command is used for communication. The source address specified in the ftp client-source command applies to all FTP connections. The source address specified in the ftp command applies only to the current FTP connection.

    Users must enter the correct user name and password to connect to the server.

  • Run FTP commands to perform file-related operations.

    After connecting to the FTP server, users can run FTP commands to perform file-related operations including performing operations on directories and files, configuring the file transfer mode, and viewing the online help about FTP commands.

    NOTE:

    User rights are configured on the FTP server.

    Users can perform the following operations in any sequence.

    Table 3-60  Running FTP commands to perform file-related operations
    • Change the working directory on the server.
      Command: cd remote-directory
    • Change the current working directory to its parent directory.
      Command: cdup
    • Display the working directory on the server.
      Command: pwd
    • Display or change the local working directory.
      Command: lcd [ local-directory ]
      Description: The lcd command displays the local working directory on the client, and the pwd command displays the working directory on the remote server.
    • Create a directory on the server.
      Command: mkdir remote-directory
      Description: The directory name can consist of letters and digits. The following special characters are forbidden: < > ? \ :
    • Delete a directory from the server.
      Command: rmdir remote-directory
    • Display information about the specified directory or file on the server.
      Command: dir/ls [ remote-filename [ local-filename ] ]
      Description:
      • The ls command displays only the directory or file name, and the dir command displays detailed directory or file information such as the size and the date when the directory or file was created.
      • If no directory is specified in the command, the system searches for the file in the user's authorized directories.
    • Delete a file from the server.
      Command: delete remote-filename
    • Upload a file.
      Command: put local-filename [ remote-filename ]
    • Download a file.
      Command: get remote-filename [ local-filename ]
    • Set the file transfer mode to ASCII.
      Command: ascii
      Description: Either operation is feasible.
      • The default file transfer mode is ASCII.
      • The ASCII mode is used to transfer text files, and the binary mode is used to transfer programs, system software (such as files with the name extension .cc, .bin, or .pat), and database files.
    • Set the file transfer mode to binary.
      Command: binary
    • Set the data transmission mode to passive.
      Command: passive
      Description: Either operation is feasible. The default data transmission mode is active.
    • Set the data transmission mode to active.
      Command: undo passive
    • View the online help about FTP commands.
      Command: remotehelp [ command ]
    • Enable the verbose function.
      Command: verbose
      Description: After the verbose function is enabled, all FTP response messages are displayed on the FTP client.

  • (Optional) Change the login user.

    The current user can switch to another user in the FTP client view. The new FTP connection is the same as that established by running the ftp command.

    • Change the current user in the FTP client view.
      Command: user user-name [ password ]
      Description: When the login user is switched to another user, the original user is disconnected from the FTP server.

  • Disconnect the FTP client from the FTP server.

    Users can run different commands in the FTP client view to disconnect the FTP client from the FTP server.

    • Disconnect the FTP client from the FTP server and return to the user view.
      Command: bye or quit
      Description: Either operation is feasible.
    • Disconnect the FTP client from the FTP server and display the FTP client view.
      Command: close or disconnect

Checking the Configurations
  • Run the display ftp-client command to check the source IP address configured on the FTP client.

Managing Files When the Device Functions as an SFTP Client

Pre-configuration Tasks

SFTP is an SSH-based protocol that provides a secure file transfer capability. Configure the device as an SFTP client. The remote SSH server authenticates the SFTP client and encrypts data in both directions, ensuring secure file transfer and management of directories on the SSH server.

Before connecting to a device as an SFTP client to manage files, complete the following tasks:

  • Ensure that routes are reachable between the current device and the SSH server.
  • Obtain the host name or IP address of the SSH server and SSH user information.
  • Obtain the listening port number of the SSH server if the default listening port number is not used.
Configuration Process

Table 3-61 describes the procedure for managing files when the device functions as an SFTP client.

Table 3-61  Procedure for managing files when the device functions as an SFTP client
  1. (Optional) Configure the SFTP client source address
     Description: Configure the SFTP client source address. The source address can be set to a source IP address or source interface information, ensuring communication security.
     Remarks (all steps): Steps 1, 2, and 3 can be performed in any sequence. Steps 4 to 6 must be performed in sequence.
  2. Generate a local key pair
     Description: Generate a local key pair and configure the public key on the SSH server.
     Remarks: Perform this task only when the device logs in to the SSH server in RSA or ECC authentication mode.
  3. Configure the initial SSH connection
     Description: To configure the initial SSH connection, enable the initial authentication function or save the public key of the SSH server on the SSH client.
  4. Run SFTP commands to connect to the SSH server
  5. Run SFTP commands to perform file-related operations
     Description: Users can perform operations on directories and files on the SSH server and view the help about SFTP commands on the SFTP client.
  6. Disconnect the SFTP client from the SSH server

Procedure

  • (Optional) Configure the SFTP client source address.

    The source interface, for example, the loopback interface, must provide stable performance. Using the loopback interface as the source interface simplifies the ACL rule and security policy configuration. After the client source address is configured as the source or destination address in ACL rules, differences between interface IP addresses and changes in interface status no longer affect the rules, and incoming and outgoing packets are filtered consistently.

    The SFTP client source address must be set to the loopback interface IP address or loopback interface information.

    Table 3-62  Configuring the SFTP client source address
    • Enter the system view.
      Command: system-view
    • Configure the SFTP client source address.
      Command: sftp client-source { -a source-ip-address | -i interface-type interface-number }
      Description: The default source address is 0.0.0.0. The client source address is set to the loopback interface IP address or loopback interface information.

  • Generate a local key pair.

    NOTE:

    Perform this step only when the device logs in to the SSH server in RSA authentication mode or ECC authentication mode, not the password authentication mode.

    Table 3-63  Actions for generating a local key pair
    • Enter the system view.
      Command: system-view
    • Generate a local key pair.
      Command: rsa local-key-pair create or ecc local-key-pair create
      Description: Run the display rsa local-key-pair public or display ecc local-key-pair public command to view the public key in the local RSA or ECC key pair. Configure the public key on the SSH server.

    NOTE:

    There are security risks if the configured local key pair length is smaller than 1024 bits. You are advised to use a local key pair with the default length of 2048 bits.

  • Configure the initial SSH connection.

    By default, the client cannot connect to the SSH server because the client does not save the public key of the SSH server. Configure the initial SSH connection in either of the following ways:

    • Enable the initial authentication function on the client. With the function enabled, the client connects to the SSH server without checking the public key of the SSH server. When the initial SSH connection succeeds, the client automatically saves the public key of the SSH server for the next SSH connection. For details, see Table 3-64.
    • Save the public key of the SSH server on the client so that the client can authenticate the SSH server. For details, see Table 3-65. This method provides higher security but is more complex than the first method.
    Table 3-64  Actions for enabling first authentication for the SSH client
    • Enter the system view.
      Command: system-view
    • Enable first authentication for the SSH client.
      Command: ssh client first-time enable
      Description: By default, first authentication is disabled on the SSH client.
    Table 3-65  Actions for configuring the SSH client to assign the RSA or ECC public key to the SSH server
    • Enter the system view.
      Command: system-view
    • Enter the RSA or ECC public key view.
      Command: rsa peer-public-key key-name [ encoding-type { der | openssh | pem } ]
      or
      ecc peer-public-key key-name encoding-type { der | openssh | pem }
      Description: Perform one of the operations based on the key type.
    • Enter the public key editing view.
      Command: public-key-code begin
    • Edit the public key.
      Command: hex-data
      Description:
      • The public key must be a hexadecimal character string in the public key encoding format, generated by the SSH server.
      • After entering the public key editing view, you must enter on the client the RSA or ECC public key that was generated on the server.
    • Quit the public key editing view.
      Command: public-key-code end
      Description:
      • If no public key code (hex-data) has been entered, the public key cannot be generated when you run this command.
      • If the specified key key-name has been deleted, the system displays a message indicating that the key does not exist and returns directly to the system view when you run this command.
    • Return to the system view.
      Command: peer-public-key end
    • Bind the RSA or ECC public key to the SSH server.
      Command: ssh client servername assign { rsa-key | ecc-key } keyname
      Description: If the SSH server public key saved on the SSH client does not take effect, run the undo ssh client servername assign { rsa-key | ecc-key } command to cancel the binding between the SSH server and the RSA or ECC public key, and then run this command to assign a new RSA or ECC public key to the SSH server.

  • Run SFTP commands to connect to the SSH server.

    The SFTP client connect command has the same function as the STelnet client connect command. Both clients can carry the source address, configure the keepalive function, and select a key exchange algorithm, an encryption algorithm, and an HMAC algorithm.

    Table 3-66  Running SFTP commands to connect to the SSH server
    • Enter the system view.
      Command: system-view
    • (Optional) Set the encryption algorithm list for the SSH client.
      Command: ssh client secure-algorithms cipher { 3des | aes128 | aes256_cbc | aes128_ctr | aes256_ctr } *
      Description: By default, an SSH client supports two encryption algorithms: AES128_CTR and AES256_CTR.
      An SSH server and a client need to negotiate an encryption algorithm for the packets exchanged between them. You can run the ssh client secure-algorithms cipher command to configure an encryption algorithm list for an SSH client. After the list is configured, the client sends a packet carrying it to the server. Upon receipt of the packet, the server matches the list against the local list and selects the first encryption algorithm that matches the local list. If no encryption algorithm in the client's list matches the local list, the negotiation fails.
      NOTE:
      Do not add 3des to the list because it provides the lowest security among the supported encryption algorithms.
    • (Optional) Set the HMAC algorithm list for the SSH client.
      Command: ssh client secure-algorithms hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 | sha2_256_96 } *
      Description: By default, an SSH client supports the SHA2_256 HMAC algorithm.
      An SSH server and a client need to negotiate an HMAC algorithm for the packets exchanged between them. You can run the ssh client secure-algorithms hmac command to configure an HMAC algorithm list for an SSH client. After the list is configured, the client sends a packet carrying it to the server. Upon receipt of the packet, the server matches the list against the local list and selects the first HMAC algorithm that matches the local list. If no HMAC algorithm in the client's list matches the local list, the negotiation fails.
      NOTE:
      Do not add md5, sha1, md5_96, sha1_96, or sha2_256_96 to the HMAC algorithm list because they provide the lowest security among the supported HMAC algorithms.
    • (Optional) Set the key exchange algorithm list for the SSH client.
      Command: ssh client key-exchange { dh_group_exchange_sha1 | dh_group14_sha1 | dh_group1_sha1 } *
      Description: By default, an SSH client supports the diffie-hellman-group-exchange-sha1 and diffie-hellman-group14-sha1 algorithms.
      The client and server negotiate the key exchange algorithm used for packet transmission. You can run the ssh client key-exchange command to configure a key exchange algorithm list on the SSH client. The SSH server compares its configured key exchange algorithm list with the list sent by the client and then selects the first matched key exchange algorithm for packet transmission. If the key exchange algorithm list sent by the client does not match any algorithm in the key exchange algorithm list configured on the server, the negotiation fails.
      NOTE:
      The security levels of the key exchange algorithms are as follows, from high to low: dh_group_exchange_sha1, dh_group14_sha1, and dh_group1_sha1. The dh_group_exchange_sha1 algorithm is recommended.
    • Access the server.
      Command: sftp [ -a source-address | -i interface-type interface-number ] host-ip [ port ] [ [ prefer_kex prefer_key-exchange ] | [ prefer_ctos_cipher prefer_ctos_cipher ] | [ prefer_stoc_cipher prefer_stoc_cipher ] | [ prefer_ctos_hmac prefer_ctos_hmac ] | [ prefer_stoc_hmac prefer_stoc_hmac ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]
      Description: In most cases, only the IP address is specified in the command.
      Command example:
      [Huawei] sftp 10.137.217.201
      When the SSH connection succeeds, sftp-client> is displayed, indicating the SFTP client view.

  • Run SFTP commands to perform file-related operations.

    In the SFTP client view, you can perform one or more file-related operations listed in Table 3-67 in any sequence.

    NOTE:

    In the SFTP client view, the system does not support predictive command input. Therefore, you must type each command in full.

    Table 3-67  Running SFTP commands to perform file-related operations
    • Change the user's current working directory.
      Command: cd [ remote-directory ]
    • Change the current working directory to its parent directory.
      Command: cdup
    • Display the user's current working directory.
      Command: pwd
    • Display the file list in a specified directory.
      Command: dir/ls [ -l | -a ] [ remote-directory ]
      Description: Outputs of the dir and ls commands are the same.
    • Delete directories from the server.
      Command: rmdir remote-directory &<1-10>
      Description: A maximum of 10 directories can be deleted at one time. Before running the rmdir command to delete directories, ensure that the directories do not contain any files. Otherwise, the deletion fails.
    • Create a directory on the server.
      Command: mkdir remote-directory
    • Change the name of a specified file on the server.
      Command: rename old-name new-name
    • Download a file from the remote server.
      Command: get remote-filename [ local-filename ]
    • Upload a local file to the remote server.
      Command: put local-filename [ remote-filename ]
    • Delete files from the server.
      Command: remove remote-filename &<1-10>
      Description: A maximum of 10 files can be deleted at one time.
    • View the help about SFTP commands.
      Command: help [ all | command-name ]

  • Disconnect the SFTP client from the SSH server.

    • Disconnect the SFTP client from the SSH server.
      Command: quit
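The algorithm negotiation described for the ssh client secure-algorithms cipher, ssh client secure-algorithms hmac and ssh client key-exchange commands in Table 3-66, modelled as an added Python example. This is example code written for this page, not Huawei's implementation: the default lists, the algorithm names and the entries the page says not to add are copied from Table 3-66; the reading of "first" as the first entry in the client's own order, the sample server lists and the command rendering are assumptions.

```python
# Constructed example, not Huawei code: models the negotiation rule given
# in Table 3-66 (the client sends its list; the server takes the first
# client entry that also appears in its own list; no common entry means
# the negotiation fails) and flags the entries the same table says not to
# configure. Assumption: "first" means first in the client's order.

# Default client lists and algorithm names as spelled in Table 3-66.
CLIENT_DEFAULTS = {
    "cipher": ["aes128_ctr", "aes256_ctr"],
    "hmac": ["sha2_256"],
    "kex": ["dh_group_exchange_sha1", "dh_group14_sha1"],
}

# Entries Table 3-66 tells you not to add to the client lists. The page
# ranks dh_group1_sha1 lowest for key exchange but gives no "do not add"
# rule for it, so the kex set is left empty.
DISCOURAGED = {
    "cipher": {"3des"},
    "hmac": {"md5", "md5_96", "sha1", "sha1_96", "sha2_256_96"},
    "kex": set(),
}

COMMAND = {
    "cipher": "ssh client secure-algorithms cipher",
    "hmac": "ssh client secure-algorithms hmac",
    "kex": "ssh client key-exchange",
}


class NegotiationError(Exception):
    """Raised when client and server share no algorithm of some kind."""


def negotiate(kind, client_list, server_list):
    """Return the first algorithm in the client's list the server also supports."""
    for alg in client_list:
        if alg in server_list:
            return alg
    raise NegotiationError(
        f"no common {kind} algorithm: client={client_list} server={server_list}")


def negotiate_session(client, server):
    """Negotiate cipher, HMAC and key exchange; all three must succeed."""
    return {kind: negotiate(kind, client[kind], server[kind])
            for kind in ("cipher", "hmac", "kex")}


def discouraged_entries(client):
    """Entries in the client's lists that Table 3-66 says not to add."""
    return {kind: [a for a in client[kind] if a in DISCOURAGED[kind]]
            for kind in client}


def client_commands(client):
    """Render the configuration lines from Table 3-66 for these lists."""
    return [f"{COMMAND[kind]} {' '.join(client[kind])}"
            for kind in ("cipher", "hmac", "kex")]


if __name__ == "__main__":
    # Constructed server that still offers CBC and SHA1 beside modern options.
    server = {"cipher": ["aes256_cbc", "aes256_ctr", "aes128_ctr"],
              "hmac": ["sha1", "sha2_256"],
              "kex": ["dh_group14_sha1", "dh_group_exchange_sha1"]}
    print(negotiate_session(CLIENT_DEFAULTS, server))   # default lists succeed
    print("\n".join(client_commands(CLIENT_DEFAULTS)))
    legacy = {"cipher": ["3des"], "hmac": ["md5"], "kex": ["dh_group1_sha1"]}
    print(discouraged_entries(legacy))
    try:
        negotiate_session(legacy, server)
    except NegotiationError as err:
        print("negotiation failed:", err)
```

With the default client lists the constructed server never gets to use aes256_cbc or sha1, because the client's list is what is offered and the server picks from it; trimming the client lists to the strong entries is therefore what keeps a permissive server from downgrading the session, and a client configured only with the discouraged entries fails to connect to a server that has dropped them.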

Checking the Configuration
Run the display sftp-client command to check the source IP address of the SFTP client.
Updated: 2019-01-11

Document ID: EDOC1000176006