

HUAWEI NetEngine5000E Core Router
V800R002C01

Configuration Guide - Basic Configurations

Issue 01
Date 2011-10-15

HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2011. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

The Huawei logo and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com

Issue 01 (2011-10-15) Huawei Proprietary and Confidential. Copyright © Huawei Technologies Co., Ltd.

About This Document

Intended Audience

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the Basic Configurations feature supported by the NE5000E device. It describes how to configure the Basic Configurations feature.

This document is intended for:

- Data configuration engineers
- Commissioning engineers
- Network monitoring engineers
- System maintenance engineers

Related Versions (Optional)

The following table lists the product versions related to this document.

Product Name                        Version
HUAWEI NetEngine5000E Core Router   V800R002C01

Symbol Conventions

The symbols that may be found in this document are defined as follows (the icons themselves are not reproduced in this transcript, only their meanings):

- Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.
- Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.
- Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.
- Indicates a tip that may help you solve a problem or save time.
- Provides additional information to emphasize or supplement important points of the main text.

Command Conventions (Optional)

The command conventions that may be found in this document are defined as follows.

Convention          Description
Boldface            The keywords of a command line are in boldface.
Italic              Command arguments are in italics.
[ ]                 Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }     Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]     Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*    Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*    Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&<1-n>              The parameter before the & sign can be repeated 1 to n times.
#                   A line starting with the # sign is a comment.

Change History

Updates between document issues are cumulative. Therefore, the latest document issue contains all updates made in previous issues.

Changes in Issue 01 (2011-10-15)

The initial commercial release.
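The command-convention table above defines a small grammar for syntax lines: exactly-one groups `{ x | y }`, optional groups `[ x | y ]`, multi-select groups `{ x | y }*` and `[ x | y ]*` in which each item may appear at most once, and the `&<1-n>` repeat marker. Reading it as a grammar makes it possible to check a typed command against its documented syntax, which is handy when reviewing a configuration script or hardening checklist before pushing it to a device. The matcher below is an added example written for this page; it is not Huawei code. It assumes arguments are written as `<name>` (boldface/italic distinction is lost in plain text), that `n` in `&<1-n>` is given as a number such as `&<1-3>`, that braces, brackets and bars are space-separated as in the table, and the syntax lines it is exercised with are constructed placeholders, not commands from the guide.

```python
"""Matcher for the command-syntax notation in the guide's Command Conventions table.
Added illustration, not Huawei code. Assumptions (not from the guide):
  * arguments are written <name>, because boldface/italic are lost in plain text;
  * the n in &<1-n> is given numerically, e.g. &<1-3>;
  * braces, brackets and bars are separated from neighbours by spaces.
"""
import re
from typing import Iterator, Tuple

_TOKEN_RE = re.compile(r"\}\*|\]\*|[{}\[\]|]|[^\s{}\[\]|]+")
_CLOSERS = ("|", "}", "}*", "]", "]*")


def parse(pattern: str) -> Tuple:
    """Turn a syntax line into a tree of (kind, ...) nodes; raises ValueError on bad syntax."""
    toks = _TOKEN_RE.findall(pattern)
    items, _ = _parse_seq(toks, 0, ())
    return ("seq", items)


def _parse_seq(toks, i, stop):
    items = []
    while i < len(toks) and toks[i] not in stop:
        t = toks[i]
        i += 1
        if t in _CLOSERS:                      # closer with no opener (only reachable at top level)
            raise ValueError(f"unexpected {t!r} in pattern")
        if t in ("{", "["):
            alts, closer, i = _parse_alts(toks, i)
            if t == "{" and closer == "}":
                node = ("choice", alts)        # { x | y }  : exactly one item
            elif t == "{" and closer == "}*":
                node = ("multi", alts, 1)      # { x | y }* : one up to all, each at most once
            elif t == "[" and closer == "]":
                node = ("optchoice", alts)     # [ x | y ]  : one item or none
            elif t == "[" and closer == "]*":
                node = ("multi", alts, 0)      # [ x | y ]* : several items or none
            else:
                raise ValueError(f"mismatched {t!r} ... {closer!r}")
        elif t.startswith("&<"):
            m = re.fullmatch(r"&<(\d+)-(\d+)>", t)
            if not m or not items:
                raise ValueError(f"bad repeat marker {t!r}")
            node = ("repeat", items.pop(), int(m[1]), int(m[2]))  # x &<lo-hi>
        elif len(t) > 2 and t[0] == "<" and t[-1] == ">":
            node = ("arg", t[1:-1])            # italic argument: matches any single token
        else:
            node = ("kw", t)                   # boldface keyword: literal match
        items.append(node)
    return items, i


def _parse_alts(toks, i):
    alts = []
    while True:
        seq, i = _parse_seq(toks, i, _CLOSERS)
        if i >= len(toks):
            raise ValueError("unterminated group in pattern")
        alts.append(("seq", seq))
        closer = toks[i]
        i += 1
        if closer != "|":
            return alts, closer, i


def _ends(node, toks, i) -> Iterator[int]:
    """Yield every token index at which `node` can finish when it starts at `i` (backtracking)."""
    kind = node[0]
    if kind == "kw":
        if i < len(toks) and toks[i] == node[1]:
            yield i + 1
    elif kind == "arg":
        if i < len(toks):
            yield i + 1
    elif kind == "seq":
        yield from _seq(node[1], toks, i)
    elif kind == "choice":
        for alt in node[1]:
            yield from _ends(alt, toks, i)
    elif kind == "optchoice":
        yield i
        for alt in node[1]:
            yield from _ends(alt, toks, i)
    elif kind == "multi":
        yield from _multi(node[1], toks, i, node[2])
    else:  # repeat
        yield from _repeat(node[1], toks, i, node[2], node[3])


def _seq(nodes, toks, i):
    if not nodes:
        yield i
        return
    for j in _ends(nodes[0], toks, i):
        yield from _seq(nodes[1:], toks, j)


def _multi(alts, toks, i, need):
    """Items of a *-group in any order, each used at most once, at least `need` of them."""
    def go(pos, remaining, used):
        if used >= need:
            yield pos
        for k in remaining:
            for j in _ends(alts[k], toks, pos):
                if j != pos:
                    yield from go(j, remaining - {k}, used + 1)
    yield from go(i, frozenset(range(len(alts))), 0)


def _repeat(node, toks, i, lo, hi):
    def go(pos, n):
        if n >= lo:
            yield pos
        if n < hi:
            for j in _ends(node, toks, pos):
                if j != pos:
                    yield from go(j, n + 1)
    yield from go(i, 0)


def matches(pattern: str, command: str) -> bool:
    """True when the whole command line is an instance of the documented syntax."""
    toks = command.split()
    return any(j == len(toks) for j in _ends(parse(pattern), toks, 0))


if __name__ == "__main__":
    # Constructed, hypothetical syntax line; not a command from the guide.
    print(matches("enable-service { ftp | sftp | telnet }*", "enable-service sftp telnet"))
```

Because the grammar is matched by backtracking, a `*`-group is checked as the table describes it (any order, each item at most once) rather than as a loose "one or more of these words", so `sftp sftp` is rejected where `sftp telnet` is accepted.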

Contents

About This Document (p. ii)

1 Logging In to the System for the First Time (p. 1)
  1.1 Overview of Logging In to the System for the First Time (p. 2)
  1.2 Logging In to the router Through the Console Port (p. 2)
    1.2.1 Logging In to the router Through the Console Port (p. 3)
    1.2.2 Logging In to the router (p. 3)

2 Configuring the User Interface (p. 6)
  2.1 User Interface Overview (p. 7)
  2.2 Configuring the Console User Interface (p. 8)
    2.2.1 Configuring Physical Attributes for the Console User Interface (p. 9)
    2.2.2 Configuring Terminal Attributes for the Console User Interface (p. 10)
    2.2.3 Configuring the User Priority for the Console User Interface (p. 11)
    2.2.4 Configuring Authentication for the Console User Interface (p. 12)
    2.2.5 Checking the Configuration (p. 13)
  2.3 Configuring VTY User Interfaces (p. 14)
    2.3.1 Configuring the Maximum Number of VTY User Interfaces (p. 15)
    2.3.2 Configuring the Limit on Incoming and Outgoing Calls for VTY User Interfaces (p. 16)
    2.3.3 Configuring Terminal Attributes for VTY User Interfaces (p. 16)
    2.3.4 Configuring the User Priority for a VTY User Interface (p. 17)
    2.3.5 Configuring Authentication for a VTY User Interface (p. 18)
    2.3.6 Checking the Configuration (p. 20)
  2.4 Configuration Examples (p. 21)
    2.4.1 Example for Configuring the Console User Interface (p. 21)
    2.4.2 Example for Configuring VTY User Interfaces (p. 23)

3 Configuring User Login (p. 26)
  3.1 User Login Overview (p. 27)
  3.2 Logging In to the System Through the Console Port (p. 30)
    3.2.1 Configuring the Console User Interface (p. 30)
    3.2.2 Logging In to the System Through the Console Port (p. 31)
    3.2.3 Checking the Configuration (p. 31)
  3.3 Logging In to the System by Using Telnet (p. 32)
    3.3.1 Configuring VTY User Interfaces (p. 33)
    3.3.2 (Optional) Configuring Local Telnet Users (p. 33)
    3.3.3 Enabling the Telnet Server Function (p. 34)
    3.3.4 (Optional) Configuring the Listening Port Number for the Telnet Server (p. 35)
    3.3.5 Logging In to the System by Using Telnet (p. 36)
    3.3.6 Checking the Configuration (p. 37)
  3.4 Logging In to the System by Using STelnet (p. 37)
    3.4.1 Configuring VTY User Interfaces (p. 38)
    3.4.2 Configuring VTY User Interfaces to Support SSH (p. 39)
    3.4.3 Configuring an SSH User and Specifying the Service Type (p. 39)
    3.4.4 Enabling the STelnet Server Function (p. 42)
    3.4.5 (Optional) Configuring STelnet Server Parameters (p. 42)
    3.4.6 Logging In to the System by Using STelnet (p. 43)
    3.4.7 Checking the Configuration (p. 44)
  3.5 Configuration Examples (p. 46)
    3.5.1 Example for Logging In to the System Through the Console Port (p. 46)
    3.5.2 Example for Logging In to the System by Using Telnet (p. 48)
    3.5.3 Example for Logging In to the System by Using STelnet (p. 51)

4 Transferring Files (p. 55)
  4.1 File Transfer Overview (p. 56)
  4.2 File Transfer Modes Supported by the HUAWEI NetEngine5000E (p. 57)
  4.3 Operating Files After Logging In to the System (p. 58)
    4.3.1 Managing Directories (p. 59)
    4.3.2 Managing Files (p. 59)
  4.4 Using FTP to Operate Files (p. 61)
    4.4.1 Configuring a Local FTP User (p. 62)
    4.4.2 (Optional) Changing the Listening Port Number of the FTP Server (p. 63)
    4.4.3 Enabling the FTP Server Function (p. 63)
    4.4.4 (Optional) Configuring FTP Server Parameters (p. 64)
    4.4.5 (Optional) Configuring FTP Access Control (p. 65)
    4.4.6 Using FTP to Access the System (p. 65)
    4.4.7 Using FTP to Operate Files (p. 66)
    4.4.8 Checking the Configuration (p. 69)
  4.5 Using SFTP to Operate Files (p. 70)
    4.5.1 Configuring an SSH User and Specifying the Service Type (p. 71)
    4.5.2 Enabling the SFTP Server Function (p. 73)
    4.5.3 (Optional) Configuring SFTP Server Parameters (p. 74)
    4.5.4 Using SFTP to Access the System (p. 76)
    4.5.5 Using SFTP to Operate Files (p. 77)
    4.5.6 Checking the Configuration (p. 78)
  4.6 Configuration Examples (p. 80)
    4.6.1 Example for Operating Files After Logging In to the System (p. 80)
    4.6.2 Example for Using FTP to Operate Files (p. 80)
    4.6.3 Example for Using SFTP to Operate Files (p. 83)

5 Accessing Other Devices (p. 86)
  5.1 Overview (p. 87)
  5.2 Using Telnet to Log In to Other Devices (p. 89)
  5.3 Using STelnet to Log In to Other Devices (p. 91)
    5.3.1 Configuring Login to Another Device for the First Time (Enabling First-Time Authentication on the SSH Client) (p. 92)
    5.3.2 Configuring Login to Another Device for the First Time (Binding the SSH Client to the RSA Public Key Generated on the SSH Server) (p. 93)
    5.3.3 Using STelnet to Log In to Other Devices (p. 94)
    5.3.4 Checking the Configuration (p. 95)
  5.4 Using TFTP to Access Other Devices (p. 95)
    5.4.1 Configuring the Source Address for the TFTP Client (p. 96)
    5.4.2 Configuring TFTP Access Control (p. 96)
    5.4.3 Using TFTP to Download Files from Other Devices (p. 97)
    5.4.4 Using TFTP to Upload Files to Other Devices (p. 98)
    5.4.5 Checking the Configuration (p. 98)
  5.5 Using FTP to Access Other Devices (p. 99)
    5.5.1 (Optional) Configuring the Source Address for the FTP Client (p. 100)
    5.5.2 Using FTP to Connect the FTP Client to Other Devices (p. 100)
    5.5.3 Using FTP to Operate Files (p. 101)
    5.5.4 (Optional) Changing the User Login (p. 103)
    5.5.5 Terminating a Connection to the FTP Server (p. 104)
    5.5.6 Checking the Configuration (p. 105)
  5.6 Using SFTP to Access Other Devices (p. 105)
    5.6.1 (Optional) Configuring the Source Address for the SFTP Client (p. 106)
    5.6.2 Configuring Login to Another Device for the First Time (Enabling First-Time Authentication on the SSH Client) (p. 107)
    5.6.3 Configuring Login to Another Device for the First Time (Binding the SSH Client to the RSA Public Key Generated on the SSH Server) (p. 107)
    5.6.4 Using SFTP to Connect the SSH Client to the SSH Server (p. 109)
    5.6.5 Using SFTP to Operate Files (p. 109)
    5.6.6 Checking the Configuration (p. 111)
  5.7 Configuration Examples (p. 111)
    5.7.1 Example for Using Telnet to Log In to Other Devices (p. 111)
    5.7.2 Example for Using STelnet to Log In to Other Devices (p. 113)
    5.7.3 Example for Using TFTP to Access Other Devices (p. 120)
    5.7.4 Example for Using FTP to Access Other Devices (p. 123)
    5.7.5 Example for Using SFTP to Access Other Devices (p. 125)
    5.7.6 Example for Accessing the SSH Server by Using a Non-default Listening Port Number (p. 131)
    5.7.7 Example for Configuring SSH Clients on the Public Network to Access an SSH Server on a Private Network (p. 137)

6 Using the Command Line Interface (p. 148)
  6.1 Overview of the Command Line Interface (p. 149)
  6.2 Establishing the Running Environment for the Command Line (p. 149)
    6.2.1 Configuring the Login Alert (p. 150)
    6.2.2 Setting a Device Name (p. 150)
    6.2.3 Configuring Command Levels (p. 151)
    6.2.4 Locking the User Interface (p. 152)
  6.3 How to Use Command Lines (p. 152)
    6.3.1 Entering a Command View (p. 153)
    6.3.2 Editing Command Lines (p. 153)
    6.3.3 Checking the Configuration (p. 154)
    6.3.4 Checking the Diagnostic Information (p. 155)
    6.3.5 Display Mode of Command Lines (p. 155)
    6.3.6 Error Information in Command Lines (p. 159)
  6.4 How to Obtain Command Help (p. 159)
  6.5 How to Use Shortcut Keys (p. 160)
    6.5.1 Classification of Shortcut Keys (p. 161)
    6.5.2 Defining Shortcut Keys (p. 161)
    6.5.3 Displaying Shortcut Keys and Their Functions (p. 162)
  6.6 Configuration Examples (p. 163)
    6.6.1 Example for Using Tab (p. 163)
    6.6.2 Example for Defining Shortcut Keys (p. 164)

7 Device Upgrade (p. 166)
  7.1 Overview of Device Upgrade (p. 167)
  7.2 Upgrade Modes Supported by the NE5000E (p. 167)

8 Patch Installation (p. 169)
  8.1 Overview (p. 170)
  8.2 Patch Installation Modes Supported by the NE5000E (p. 170)

9 Configuration Management (p. 171)
  9.1 Introduction to Configuration Management (p. 172)
  9.2 Configuration Management Features that the NE5000E Supports (p. 173)
  9.3 Selecting a Configuration Validation Mode (p. 173)
    9.3.1 Configuring Immediate Configuration Validation Mode (p. 174)
    9.3.2 Configuring Two-Phase Configuration Validation Mode (p. 175)
  9.4 Managing Configuration Files (p. 177)
    9.4.1 Saving Configurations (p. 178)
    9.4.2 Comparing Configuration Files (p. 179)
    9.4.3 Specifying the System Configuration File to Be Loaded at the Next Startup (p. 179)
    9.4.4 Clearing the System Configuration File Loaded at the Current Startup (p. 180)
    9.4.5 Checking the Configuration (p. 181)
  9.5 Configuration Examples (p. 183)
    9.5.1 Example for Configuring User Services in Immediate Configuration Validation Mode (p. 183)
    9.5.2 Example for Configuring Services When Configurations Have Been Locked by Another User in Two-Phase Configuration Validation Mode (p. 184)
    9.5.3 Example for Multiple Users to Configure the Same Service in Two-Phase Configuration Validation Mode (p. 186)
    9.5.4 Example for Multiple Users to Configure a Service in Two-Phase Configuration Validation Mode (p. 187)
    9.5.5 Example for Configuring Different Services by Multiple Users in Two-Phase Configuration Validation Mode (p. 189)
    9.5.6 Example for Managing Configuration Files (p. 191)

10 File System Management (p. 193)
  10.1 File System Overview (p. 194)
  10.2 File System Supported by the NE5000E (p. 194)
  10.3 Managing the Directory (p. 194)
  10.4 Managing Files (p. 195)
  10.5 Configuration Examples (p. 197)
    10.5.1 Example for Managing a Directory (p. 197)
    10.5.2 Example for Managing Files (p. 198)

11 Clock Synchronization Configuration (p. 200)
  11.1 Clock Synchronization Overview (p. 201)
  11.2 Clock Synchronization Features Supported by the NE5000E (NE5000E-X16) (p. 202)
  11.3 Configuring an External BITS Clock Reference Source (p. 206)
    11.3.1 Configuring an External Clock Reference Source for the router and the Clock Signal Type (p. 207)
    11.3.2 Configuring a Mapping from an External Clock Reference Source to the Index of a User Clock Source for the router (p. 207)
    11.3.3 Checking the Configuration (p. 208)
  11.4 Specifying a Clock Source Manually (p. 209)
  11.5 Configuring Automatic Clock Source Selection to Be Based on Priorities (p. 210)
    11.5.1 Configuring the System to Automatically Select a Clock Source (p. 211)
    11.5.2 Configuring Clock Source Selection Not to Be Based on SSM Levels (p. 212)
    11.5.3 Setting the Priority of a Clock Source (p. 212)
    11.5.4 Checking the Configuration (p. 213)
  11.6 Configuring Automatic Clock Source Selection to Be Based on SSM Levels (p. 214)
    11.6.1 Configuring the System to Automatically Select a Clock Source (p. 215)
    11.6.2 Configuring Clock Source Selection to Be Based on SSM Levels (p. 216)
    11.6.3 (Optional) Setting the SSM Level of a 2.048 MHz BITS Clock Source (p. 216)
    11.6.4 Configuring SA Timeslots in 2.048 Mbit/s BITS Clock Source Signals to Bear SSM Levels (p. 217)
    11.6.5 Checking the Configuration (p. 218)
  11.7 Configuration Examples (p. 219)
    11.7.1 Example for Configuring Protection Switching Among Clock Sources (p. 219)

1 Logging In to the System for the First Time

About This Chapter

To configure a new device, you must log in to it through the console port.

1.1 Overview of Logging In to the System for the First Time
Users can log in to a device that is powered on for the first time only through the console port. Other login modes can be configured after the user has logged in to the device for the first time.

1.2 Logging In to the router Through the Console Port
A terminal can be connected to the console port on the router to establish the configuration environment.

1.1 Overview of Logging In to the System for the First Time

Users can log in to a device that is powered on for the first time only through the console port. Other login modes can be configured after the user has logged in to the device for the first time.

The console port is a linear port on the main control board. Each main control board provides one console port that conforms to the EIA/TIA-232 standard. The console port is a type of Data Connection Equipment (DCE) interface. Users can connect a serial interface on a terminal directly to the console port to configure the device.

The console port has the following states:
• Connected: The console port is connected.
• Disconnected: The console port is disconnected.

1.2 Logging In to the router Through the Console Port

A terminal can be connected to the console port on the router to establish the configuration environment.

Applicable Environment
When the router is powered on for the first time, you must use the console port to log in to the router to configure and manage it.

Pre-configuration Tasks
Before logging in to the router through the console port, complete the following tasks:
• Prepare a PC or a terminal with a serial interface and an RS-232 cable.
• Install a terminal emulator on the PC, such as Windows XP HyperTerminal.

Configuration Procedures
Figure 1-1 Logging in to the router through the console port (flowchart: establish a physical connection, then log in to the device; legend: mandatory procedure, optional procedure)

1.2.1 Logging In to the router Through the Console Port

A terminal can be connected to the console port on the router to establish the configuration environment.

Applicable Environment
When the router is powered on for the first time, you must use the console port to log in to the router to configure and manage it.

Pre-configuration Tasks
Before logging in to the router through the console port, complete the following tasks:
• Prepare a PC or a terminal with a serial interface and an RS-232 cable.
• Install a terminal emulator on the PC, such as Windows XP HyperTerminal.

Configuration Procedures
Figure 1-2 Logging in to the router through the console port (flowchart: establish a physical connection, then log in to the device; legend: mandatory procedure, optional procedure)

1.2.2 Logging In to the router

You can use a PC connected to the console port on the router to log in to the router when it is powered on for the first time, and then configure and manage it.

Context
Configure the physical attributes on the PC according to the attributes configured for the console port on the router, including the transmission rate, data bits, parity bit, stop bits, and flow control mode. When the router is logged in to for the first time, the terminal attributes use their default values.

Procedure
Step 1 Start a terminal emulator (such as HyperTerminal of Windows XP) on the PC to establish a connection. Follow the instructions shown in Figure 1-3 and click OK.

Figure 1-3 Establishing a connection (screenshot)

Step 2 Set the COM port. Follow the instructions shown in Figure 1-4 and click OK.

Figure 1-4 Setting the COM port (screenshot)

Step 3 Set the communication parameters of the COM port to the default values of the router, as shown in Figure 1-5, and click OK.

Figure 1-5 Setting communication parameters (screenshot)

A command prompt such as <HUAWEI> appears, the user view is displayed, and you can start configuring the HUAWEI device. In the user view, configure the device or check its operating status, or enter a question mark (?) for online help.

----End

2 Configure the User Interface

About This Chapter

When a user logs in to the router through the console port or using Telnet or Secure Shell (SSH), the system uses a corresponding user interface to manage and monitor the session between the router and the user.

2.1 User Interface Overview
The system supports console and Virtual Type Terminal (VTY) user interfaces.

2.2 Configuring the Console User Interface
The console user interface manages and monitors users logging in to a device through the console port.

2.3 Configuring VTY User Interfaces
VTY user interfaces manage and monitor users logging in to the device by using VTY.

2.4 Configuration Examples
This section provides examples for configuring console and VTY user interfaces. These examples explain the networking requirements, configuration roadmap, and configuration notes.

2.1 User Interface Overview

The system supports console and Virtual Type Terminal (VTY) user interfaces.

Users can log in to a device to configure, monitor, and maintain local or remote network devices only after user interfaces, user management, and terminal services are configured. User interfaces provide the login entrance, user management ensures login security, and terminal services offer the login protocols.

Each user interface has a corresponding user interface view. A network administrator can configure a set of parameters in a user interface view to determine whether authentication is required and the level of logged-in users. This allows uniform management of various user sessions.

Currently, the following user interfaces are supported:
• Console: manages and monitors users logging in through the console port. The console port is of type EIA/TIA-232 DCE.
• VTY: manages and monitors users logging in using VTY. A VTY connection is set up when a user uses Telnet or SSH to log in to the device. A maximum of 18 users can log in to the device by using VTY.

NOTE
A user who logs in using different login modes is allocated different user interfaces. A user who logs in several times using the same mode may also be allocated different user interfaces.

User Interface Numbering

After a user logs in to a device, the system allocates the idle user interface with the smallest number to the user, based on the user's login mode. The login process is restricted by the configuration of that user interface. User interfaces can be numbered in the following manners:

• Relative numbering
  Relative numbering uniquely specifies a user interface or a group of user interfaces of the same type. The numbering format is user interface type + number, adhering to the following rules:
  – Console port numbering: CON0.
  – VTY user interface numbering: the first VTY is 0, the second VTY is 1, and so on.
• Absolute numbering
  Absolute numbering uniquely specifies a user interface or a group of user interfaces. The numbers start at 0 and increase by 1. The console port is numbered before the VTY user interfaces. There are 20 consoles and 18 VTY user interfaces. You can run the user-interface maximum-vty command in the system view to set the maximum number of VTY user interfaces; the default value is 5. Table 2-1 shows the default absolute numbers of the console and VTY user interfaces. Numbers 1 to 32 are reserved for TTY user interfaces.

Table 2-1 Example of absolute numbers for user interfaces

Absolute Number   User Interface
0                 CON0
34                VTY0: the first VTY
35                VTY1: the second VTY
36                VTY2: the third VTY
37                VTY3: the fourth VTY
38                VTY4: the fifth VTY

Authentication for User Interfaces

After an authentication mode is configured for a user interface, the system authenticates users who log in through this user interface. The authentication modes are as follows:
• No-authentication: Users can log in to the device without entering user names or passwords. This mode is insecure and is not recommended.
• Password authentication: Users need to enter a password but not a user name to log in.
• AAA authentication: Users must enter both a user name and a password to log in. If either the user name or the password is incorrect, the login fails. Telnet users are usually authenticated in AAA mode.

User Priorities for User Interfaces

Users who log in to the device are managed based on user levels. Like command levels, users are classified into 18 levels from 0 to 17; the greater the value, the higher the user level. The level of the commands that a user can use is determined by the user level.
• If no-authentication or password authentication is configured, the level of commands that a user can use depends on the level of the user interface through which the user logs in.
• If AAA authentication is configured, the level of commands that a user can use depends on the local user priority specified in the AAA configuration.

2.2 Configuring the Console User Interface

The console user interface manages and monitors users logging in to a device through the console port.

Applicable Environment
If you need to log in to a device through the console port for local maintenance, configure the console user interface, including the physical attributes, terminal attributes, user priority, and user authentication mode. Configure the parameters based on the usage and security requirements.

Pre-configuration Tasks
Before configuring the console user interface, complete the following task:
• Logging In to the router Through the Console Port

Configuration Procedures
Choose one or more configuration tasks (excluding "Checking the Configuration") as needed.

2.2.1 Configuring Physical Attributes for the Console User Interface

The physical attributes of the console user interface include the baud rate, flow control mode, parity bit, stop bits, and data bits of the console port.

Context
When a user logs in to a device through the console port, the physical attributes set on the HyperTerminal for the console port must be consistent with the attributes of the console user interface on the device. Otherwise, the user cannot log in to the device.

Procedure
Step 1 Run: system-view
  The system view is displayed.
Step 2 Run: user-interface console ui-number
  The console user interface view is displayed.
Step 3 Run: speed line-speed
  The transmission rate is set. The value can be 300, 600, 1200, 2400, 4800, 9600, 19200, 38400, 57600, or 115200, in bit/s. By default, the value is 9600.
Step 4 Run: flow-control { hardware | none | software }
  The flow control mode is set. By default, the value is none. The none mode indicates that flow control does not take effect on the console port.
Step 5 Run: parity { even | mark | none | odd | space }
  The parity bit is set. By default, the value is none.
Step 6 Run: stopbits { 1.5 | 1 | 2 }

  The stop bits are set. By default, the value is 1.
Step 7 Run: databits { 5 | 6 | 7 | 8 }
  The data bits are set. By default, the value is 8.
Step 8 Run: commit
  The configuration is committed.
----End

2.2.2 Configuring Terminal Attributes for the Console User Interface

The terminal attributes of the console user interface include the timeout period of an idle connection, the number of lines displayed on a terminal screen, and the buffer size for previously used commands.

Procedure
Step 1 Run: system-view
  The system view is displayed.
Step 2 Run: user-interface console ui-number
  The console user interface view is displayed.
Step 3 Run: shell
  The terminal service is started.
Step 4 Run: idle-timeout minutes [ seconds ]
  The timeout period is set. By default, the idle timeout period on the user interface is 10 minutes.
Step 5 Run: screen-length screen-length
  The screen length of the console terminal is set. By default, a terminal screen is 24 rows long.
Step 6 Run: screen-width screen-width
  The screen width of the console terminal is set.

  By default, the value is 80.
Step 7 Run: history-command max-size size-value
  The size of the history command buffer is set. By default, the history command buffer on a user interface holds 10 entries.
Step 8 Run: commit
  The configuration is committed.
----End

2.2.3 Configuring the User Priority for the Console User Interface

You can set user priorities for user interfaces to manage users based on their levels. This section describes how to set the user priority for the console user interface.

Context
User levels correspond to command levels. After logging in to the system, a user can use commands of the corresponding level or lower.

Procedure
Step 1 Run: system-view
  The system view is displayed.
Step 2 Run: user-interface console ui-number
  The console user interface view is displayed.
Step 3 Run: user privilege level level
  The user priority is set. By default, users logging in through the console user interface can use commands at level 3, and users logging in through other user interfaces can use commands at level 0.
  NOTE
  If the user priority configured for the user interface conflicts with the user priority configured for the user, the user level takes precedence. For example, user 001 can use commands at level 3, and the user level configured in the user interface view Console 0 is 2. After user 001 logs in through Console 0, the user can use commands at level 3 or lower.
Step 4 Run: commit
  The configuration is committed.
----End

2.2.4 Configuring Authentication for the Console User Interface

The system provides three authentication modes: AAA, password authentication, and no-authentication. Configuring authentication improves system security.

Procedure
• Configure AAA authentication.
  1. Run: system-view
     The system view is displayed.
  2. Run: user-interface console ui-number
     The console user interface view is displayed.
  3. Run: authentication-mode aaa
     The authentication mode is set to AAA.
  4. Run: quit
     Exit from the console user interface view.
  5. Run: aaa
     The AAA view is displayed.
  6. Run: local-user user-name password { simple | cipher } password
     The user name and password are set.
     – If the password is in simple form, it must be entered in plain text.
     – If the password is in cipher form, it can be entered either as encrypted text or as plain text. The result is determined by the input.
  7. Run: commit
     The configuration is committed.
• Configure password authentication.
  1. Run: system-view
     The system view is displayed.
  2. Run: user-interface console ui-number
     The console user interface view is displayed.
  3. Run: authentication-mode password
     Password authentication is set.

  4. Run: set authentication password { cipher | simple } password
     The authentication password is set.
     – If the password is in simple form, it must be entered in plain text.
     – If the password is in cipher form, it can be entered either as encrypted text or as plain text. The result is determined by the input.
  5. Run: commit
     The configuration is committed.
• Configure no-authentication.
  1. Run: system-view
     The system view is displayed.
  2. Run: user-interface console ui-number
     The console user interface view is displayed.
  3. Run: authentication-mode none
     No-authentication is set.
  4. Run: commit
     The configuration is committed.
----End

2.2.5 Checking the Configuration

After configuring the console user interface, you can view user login information about the user interface, the physical attributes and configuration of the user interface, the local user list, and online users.

Prerequisite
The configuration of the console user interface is complete.

Procedure
• Run the display users [ all ] command to check user login information about user interfaces.
• Run the display user-interface console 0 command to check the physical attributes and configuration of the user interface.
• Run the display local-user command to check the local user list.
• Run the display access-user command to check information about logged-in users.
----End
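The authentication settings configured in 2.2.4 are easy to verify one interface at a time, but a configuration that has grown to several VTY groups and local users benefits from an automated check. The following added example (not code from the guide or from the router software) reads a VRP-style running configuration and reports the settings this chapter describes as weak: a user interface with no authentication-mode, authentication-mode none, a non-zero user privilege level on an unauthenticated interface, and passwords stored in simple (plain-text) form, both in set authentication password and in local-user. The same commands apply to VTY user interfaces (2.3.5), so the constructed sample covers both console and VTY views. The layout assumption is that the configuration is printed with an unindented view line, indented commands beneath it, and # between views; the sample configuration and its cipher placeholder are constructed for this example.

```python
"""Audit user-interface authentication settings in a VRP-style configuration.

Added example, not part of the Huawei guide or its software. Command forms
come from sections 2.2.4 and 2.3.5; the view/indentation layout and the
sample configuration below are assumptions made for this example.
"""
import re

# Constructed sample configuration; the cipher value is a placeholder.
SAMPLE_CONFIG = """\
#
aaa
 local-user admin password cipher <CIPHERTEXT-PLACEHOLDER>
 local-user ops password simple Ops123
#
user-interface console 0
 authentication-mode aaa
#
user-interface vty 0 4
 authentication-mode password
 set authentication password simple Huawei@123
#
user-interface vty 5 17
 authentication-mode none
 user privilege level 15
#
"""


def parse_views(config_text):
    """Split the configuration into (view header, [indented commands]) pairs."""
    views = []
    current = None
    for raw in config_text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "#":
            current = None                    # '#' closes the current view
        elif raw[0].isspace():
            if current is not None:
                current[1].append(stripped)   # indented line belongs to the open view
        else:
            current = (stripped, [])
            views.append(current)
    return views


def audit_authentication(config_text):
    """Return (view, finding-code) pairs for the settings the guide calls out as weak."""
    findings = []
    for header, cmds in parse_views(config_text):
        if header.startswith("user-interface "):
            mode = next((c.split()[1] for c in cmds
                         if c.startswith("authentication-mode ")), None)
            level = next((int(c.split()[-1]) for c in cmds
                          if c.startswith("user privilege level ")), None)
            if mode is None:
                findings.append((header, "AUTH_MODE_UNSET"))
            elif mode == "none":
                # Section 2.1: no-authentication is insecure and not recommended.
                findings.append((header, "NO_AUTH"))
                if level is not None and level > 0:
                    # Under none/password authentication the UI level is the level users get.
                    findings.append((header, "PRIVILEGE_WITHOUT_AUTH"))
            if any(c.startswith("set authentication password simple ") for c in cmds):
                findings.append((header, "PLAINTEXT_UI_PASSWORD"))
        elif header == "aaa":
            for c in cmds:
                m = re.match(r"local-user (\S+) password simple ", c)
                if m:
                    findings.append((header, f"PLAINTEXT_LOCAL_USER:{m.group(1)}"))
    return findings


def audit_sample():
    """Run the audit over the constructed sample configuration."""
    return audit_authentication(SAMPLE_CONFIG)


if __name__ == "__main__":
    for view, code in audit_sample():
        print(f"{view}: {code}")
```

The checks are deliberately limited to what the chapter states: they do not guess what the platform does when authentication-mode is absent, they only report that it was not set explicitly. Feed the function the text of the running configuration exported from the device; any finding maps back to the procedure in 2.2.4 or 2.3.5 that sets the corresponding value.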

Example
Run the display users command to view user login information about the current user interface.
<HUAWEI> display users
  User-Intf    Delay    Type   Network Address     AuthenStatus    AuthorcmdFlag
  0   CON 0
  Username : Unspecified
+ 258 VTY 0    00:00:00 TEL    10.164.6.15         pass            no
  Username : Unspecified
  259 VTY 1
  Username : Unspecified

Run the display user-interface console 0 command to view the physical attributes and configuration of the user interface.
<HUAWEI> display user-interface console 0
  Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int
  0    CON 0    9600       -     3     -           N     -
  1    CON 0    9600       -     3     -           N     -
  +    : Current UI is active.
  F    : Current UI is active and work in async mode.
  Idx  : Absolute index of UIs.
  Type : Type and relative index of UIs.
  Privi: The privilege of UIs.
  ActualPrivi: The actual privilege of user-interface.
  Auth : The authentication mode of UIs.
      A: Authenticate use AAA.
      N: Current UI need not authentication.
      P: Authenticate use current UI's password.
  Int  : The physical location of UIs.

Run the display local-user command to view the local user list.
<HUAWEI> display local-user
----------------------------------------------------------------------------
  Username                        State    Type       Online
----------------------------------------------------------------------------
  user123                         Active   All        0
  ll                              Active   F          0
  user1                           Active   F          0
----------------------------------------------------------------------------
  Total 3,3 printed

Run the display access-user command to view information about logged-in users.
<HUAWEI> display access-user
-----------------------------------------------
  User-name          domain-name        userid
-----------------------------------------------
  root               default            1
  abcd               default            2
-----------------------------------------------
  Total users           : 2
  Wait authen-ack       : 0
  Authentication success: 2

2.3 Configuring VTY User Interfaces

VTY user interfaces manage and monitor users logging in to the device by using VTY.

Applicable Environment
If you need to log in to a device for local or remote configuration and maintenance by using Telnet or SSH, configure VTY user interfaces, including the maximum number of VTY user interfaces, the limit on incoming and outgoing calls, terminal attributes, user priority, and user authentication mode. Configure the parameters based on the user and security requirements.
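The display user-interface output shown in 2.2.5 above (and again for VTYs in 2.3.6) is the quickest way to see which interfaces are live and how they authenticate, and its Auth column (A for AAA, N for no authentication, P for the interface's own password) is what an operator checks after the procedures in this chapter. The following added example (not code from the guide or from the router software) parses that output and flags interfaces with no authentication, plus non-AAA interfaces whose UI level reaches a threshold; the threshold defaults to 3, the console default from 2.2.3, because under none or password authentication the UI level is exactly the level a logged-in user receives (2.1). The column order follows the legend on the page; the sample output, including an active level-15 VTY without authentication, is constructed for this example.

```python
"""Parse `display user-interface` output and flag user interfaces that need attention.

Added example, not part of the Huawei guide or its software. The column
layout and Auth codes follow the legend in sections 2.2.5 and 2.3.6; the
sample output below is constructed for this example.
"""
from dataclasses import dataclass

# Constructed sample output in the layout printed by the command.
SAMPLE_OUTPUT = """\
  Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int
  0    CON 0    9600       -     3     -           N     -
+ 34   VTY 0               -     15    15          N     -
  35   VTY 1               -     0     -           P     -
  36   VTY 2               -     0     -           A     -
  +    : Current UI is active.
  F    : Current UI is active and work in async mode.
  Idx  : Absolute index of UIs.
  Auth : The authentication mode of UIs.
"""


@dataclass
class UserInterface:
    absolute_index: int
    name: str        # type and relative index, e.g. "VTY 0"
    privilege: int   # Privi column: the level users get under none/password auth
    auth: str        # 'A' (AAA), 'N' (none) or 'P' (UI password)
    active: bool     # row marked with '+' or 'F'


def parse_user_interfaces(text):
    """Return one UserInterface per data row; header and legend rows are skipped."""
    rows = []
    for line in text.splitlines():
        if ":" in line:                 # every legend line contains a colon
            continue
        tokens = line.split()
        if not tokens:
            continue
        active = tokens[0] in ("+", "F")
        if active:
            tokens = tokens[1:]
        if len(tokens) < 7 or not tokens[0].isdigit():
            continue                    # column header or an unexpected row
        # Right-hand columns are read by position from the end, because the
        # Tx/Rx column is blank on VTYs and would shift left-based indexing.
        rows.append(UserInterface(
            absolute_index=int(tokens[0]),
            name=f"{tokens[1]} {tokens[2]}",
            privilege=int(tokens[-4]),
            auth=tokens[-2],
            active=active,
        ))
    return rows


def risky_interfaces(uis, level_threshold=3):
    """Flag no-authentication interfaces and non-AAA interfaces at or above the level threshold."""
    findings = []
    for ui in uis:
        if ui.auth == "N":
            findings.append((ui.name, "NO_AUTH"))
        if ui.auth != "A" and ui.privilege >= level_threshold:
            findings.append((ui.name, "HIGH_UI_LEVEL_WITHOUT_AAA"))
    return findings


def audit_sample():
    """Parse and audit the constructed sample output."""
    return risky_interfaces(parse_user_interfaces(SAMPLE_OUTPUT))


if __name__ == "__main__":
    for name, code in audit_sample():
        print(f"{name}: {code}")
```

Reading the trailing columns from the right rather than by fixed offsets is what makes the parser work for both the console rows (which carry a Tx/Rx rate) and the VTY rows (which do not); if a future release changes the column set, the length check fails closed by skipping the row rather than mis-assigning fields.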

Pre-configuration Tasks
Before configuring VTY user interfaces, complete the following task:
• Logging In to the router Through the Console Port

Configuration Procedures
Choose one or more configuration tasks (excluding "Checking the Configuration") as needed.

2.3.1 Configuring the Maximum Number of VTY User Interfaces

Configuring the maximum number of VTY user interfaces limits the number of users who can log in simultaneously.

Context
The maximum number of VTY user interfaces is the total number of users that can use Telnet and SSH to log in.

CAUTION
If the maximum number of VTY user interfaces is set to zero on a device, no user can log in to the device.

Procedure
Step 1 Run: system-view
  The system view is displayed.
Step 2 Run: user-interface maximum-vty number
  The maximum number of VTY user interfaces is set.
  • If the configured maximum number is smaller than the original, logged-in users are not affected and no additional configuration is needed.
  • If the configured maximum number is greater than the original, configure the authentication mode and password for the additional user interfaces. The system uses password authentication for users logging in through the newly added user interfaces. For example, run the authentication-mode and set authentication password commands to increase the number of allowed login users from 5 to 18:
    <HUAWEI> system-view
    [~HUAWEI] user-interface maximum-vty 18
    [~HUAWEI] user-interface vty 5 17
    [~HUAWEI-ui-vty5-17] authentication-mode password
    [~HUAWEI-ui-vty5-17] set authentication password cipher huawei
Step 3 Run: commit

  The configuration is committed.
----End

2.3.2 Configuring the Limit on Incoming and Outgoing Calls for VTY User Interfaces

An Access Control List (ACL) can be configured to limit incoming and outgoing calls for VTY user interfaces.

Context
An ACL can be configured to either allow or deny Telnet connections based on source or destination IP addresses:
• A basic ACL, numbered from 2000 to 2999, controls Telnet connections based on source IP addresses.
• An advanced ACL, numbered from 3000 to 3999, controls Telnet connections based on both source and destination IP addresses.
Before configuring the limit on incoming and outgoing calls for VTY user interfaces, run the acl command in the system view to create an ACL and enter the ACL view. Then run the rule command to add rules to the ACL.

Procedure
Step 1 Run: system-view
  The system view is displayed.
Step 2 Run: user-interface vty first-ui-number [ last-ui-number ]
  A VTY user interface view is displayed.
Step 3 Run: acl { acl-number | name acl-name } { inbound | outbound }
  The limit on incoming and outgoing calls is set for the VTY user interface.
  • Choose inbound to allow or prohibit users at a specified IP address or within a specified address range from logging in to the device.
  • Choose outbound to allow or prohibit logged-in users from logging in to other devices.
Step 4 Run: commit
  The configuration is committed.
----End

2.3.3 Configuring Terminal Attributes for VTY User Interfaces

The terminal attributes of VTY user interfaces include the timeout period of an idle connection, the number of rows displayed on a terminal screen, and the buffer size for previously used commands.
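The inbound ACL from 2.3.2 above is the control that keeps Telnet and SSH logins to the VTYs restricted to management networks, and the usual mistakes when writing it by hand are an ACL number outside the basic range for source-only rules, a netmask where the rule expects a wildcard, and a prefix with host bits set that silently covers a different range. The following added example (not code from the guide or from the router software) builds the command sequence from a list of allowed prefixes in CIDR form. The acl, rule, user-interface vty and acl ... inbound commands and the 2000-2999 / 3000-3999 numbering come from 2.3.2; the exact argument layout of the rule command ("rule <id> permit source <address> <wildcard>") and the rule numbering in steps of 5 are assumptions about VRP syntax to be checked against the command reference for the installed release.

```python
"""Build a basic ACL and bind it inbound on a VTY user-interface range.

Added example, not part of the Huawei guide or its software. The rule
argument layout and the step-of-5 rule numbering are assumptions.
"""
import ipaddress

BASIC_ACL = range(2000, 3000)      # source-address rules only (section 2.3.2)
ADVANCED_ACL = range(3000, 4000)   # source and destination rules


def cidr_to_wildcard(cidr):
    """Return (network address, wildcard mask) for an IPv4 CIDR prefix.

    ACL rules take a wildcard (the inverted netmask), so 10.1.0.0/16 becomes
    '10.1.0.0 0.0.255.255'. strict=True rejects a prefix with host bits set
    instead of quietly masking it to a range the author did not intend.
    """
    net = ipaddress.IPv4Network(cidr, strict=True)
    return str(net.network_address), str(net.hostmask)


def build_vty_acl(acl_number, allowed_prefixes, first_vty=0, last_vty=4):
    """Return the command lines that restrict VTY logins to allowed_prefixes."""
    if acl_number not in BASIC_ACL:
        raise ValueError(f"{acl_number}: source-only rules belong in a basic ACL (2000-2999)")
    if not allowed_prefixes:
        # An empty allowlist followed by the final deny would lock every Telnet/SSH user out.
        raise ValueError("allowlist is empty")
    lines = ["system-view", f"acl {acl_number}"]
    rule_id = 5
    for prefix in allowed_prefixes:
        address, wildcard = cidr_to_wildcard(prefix)
        lines.append(f"rule {rule_id} permit source {address} {wildcard}")
        rule_id += 5
    # Explicit final deny, so the result does not depend on the platform's
    # default action for sources that match no rule.
    lines.append(f"rule {rule_id} deny")
    lines += [
        "quit",
        f"user-interface vty {first_vty} {last_vty}",
        f"acl {acl_number} inbound",
        "commit",
    ]
    return lines


if __name__ == "__main__":
    # Constructed management prefixes for illustration.
    for line in build_vty_acl(2001, ["10.1.0.0/16", "192.0.2.7/32"], 0, 17):
        print(line)
```

Binding the ACL to the whole VTY range (0 to 17 after maximum-vty is raised as in 2.3.1) matters because the restriction is per user interface: a VTY left outside the range accepts logins from any source.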

Procedure
Step 1 Run: system-view
  The system view is displayed.
Step 2 Run: user-interface vty first-ui-number [ last-ui-number ]
  A VTY user interface view is displayed.
Step 3 Run: shell
  The VTY terminal service is enabled.
Step 4 Run: idle-timeout minutes [ seconds ]
  The timeout period of an idle connection is set. If the connection stays idle for the whole timeout period, the system automatically terminates the connection when the period expires. By default, the timeout period is 10 minutes.
Step 5 Run: screen-length screen-length
  The number of rows displayed on a terminal screen is set. By default, a terminal screen displays 24 rows.
Step 6 Run: history-command max-size size-value
  The buffer size for previously used commands is set. By default, a maximum of 10 previously used commands can be cached in the buffer.
Step 7 Run: commit
  The configuration is committed.
----End

2.3.4 Configuring the User Priority for a VTY User Interface

To improve security, user priorities can be set for user interfaces to manage users based on their levels. This section describes how to set a user priority for a VTY user interface.

Context
User levels correspond to command levels. After logging in to the system, a user can use commands of the corresponding level or lower.

Procedure
Step 1 Run: system-view
  The system view is displayed.
Step 2 Run: user-interface vty first-ui-number [ last-ui-number ]
  A VTY user interface view is displayed.
Step 3 Run: user privilege level level
  The user priority is set. By default, users logging in from a VTY user interface can use commands at level 0.
  NOTE
  If the user priority configured for the user interface conflicts with the user priority configured for the user, the user level takes precedence. For example, a user can use commands at level 3, and the user level configured in the user interface view VTY0 is 2. After the user logs in through VTY0, the user can use commands at level 3 or lower.
Step 4 Run: commit
  The configuration is committed.
----End

2.3.5 Configuring Authentication for a VTY User Interface

The system provides three authentication modes: AAA, password authentication, and no-authentication. Configuring authentication improves system security.

Procedure
• Configure AAA authentication.
  1. Run: system-view
     The system view is displayed.
  2. Run: user-interface vty first-ui-number [ last-ui-number ]
     A VTY user interface view is displayed.
  3. Run: authentication-mode aaa
     The authentication mode is set to AAA.
  4. Run: commit
     The configuration is committed.

  5. Run: quit
     Exit from the VTY user interface view.
  6. Run: aaa
     The AAA view is displayed.
  7. Run: local-user user-name password { simple | cipher } password
     The user name and password are set.
     – If the password is in simple form, it must be entered in plain text.
     – If the password is in cipher form, it can be entered either as encrypted text or as plain text. The result is determined by the input.
  8. Run: commit
     The configuration is committed.
• Configure password authentication.
  1. Run: system-view
     The system view is displayed.
  2. Run: user-interface vty first-ui-number [ last-ui-number ]
     A VTY user interface view is displayed.
  3. Run: authentication-mode password
     The authentication mode is set to password authentication.
  4. Run: set authentication password { cipher | simple } password
     The local authentication password is set.
     – If the password is in simple form, it must be entered in plain text.
     – If the password is in cipher form, it can be entered either as encrypted text or as plain text. The result is determined by the input.
  5. Run: commit
     The configuration is committed.
• Configure no-authentication.
  1. Run: system-view
     The system view is displayed.
  2. Run: user-interface vty first-ui-number [ last-ui-number ]

     A VTY user interface view is displayed.
  3. Run: authentication-mode none
     The authentication mode is set to no-authentication.
  4. Run: commit
     The configuration is committed.
----End

2.3.6 Checking the Configuration

After configuring the VTY user interfaces, you can view user login information about the VTY user interfaces, the maximum number of VTY user interfaces, and the physical attributes and configuration of the VTY user interfaces.

Prerequisite
The configuration of the VTY user interfaces is complete.

Procedure
• Run the display users [ all ] command to check user login information about user interfaces.
• Run the display user-interface maximum-vty command to check the configured maximum number of VTY user interfaces.
• Run the display user-interface vty ui-number command to check the physical attributes and configuration of the user interface.
• Run the display local-user command to check the local user list.
• Run the display vty mode command to check the VTY mode.
----End

Example
Run the display users command to view user login information about the current user interface.
<HUAWEI> display users
  User-Intf    Delay    Type   Network Address     AuthenStatus    AuthorcmdFlag
  0   CON 0
  Username : Unspecified
+ 258 VTY 0    00:00:00 TEL    10.164.6.15         pass            no
  Username : Unspecified
  259 VTY 1
  Username : Unspecified

Run the display user-interface maximum-vty command to view the configured maximum number of VTY user interfaces.
<HUAWEI> display user-interface maximum-vty
  Maximum of VTY user:15

Run the display user-interface vty command to view the configured user interface information.
<HUAWEI> display user-interface vty
  Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int
+ 34   VTY 0               -     15    15          N     -
  +    : Current UI is active.
  F    : Current UI is active and work in async mode.

    Idx  : Absolute index of UIs.
    Type : Type and relative index of UIs.
    Privi: The privilege of UIs.
    ActualPrivi: The actual privilege of user-interface.
    Auth : The authentication mode of UIs.
        A: Authenticate use AAA.
        N: Current UI need not authentication.
        P: Authenticate use current UI's password.
    Int  : The physical location of UIs.

Run the display access-user command to view information about logged-in users.

  <HUAWEI> display access-user
  -----------------------------------------------
   User-name          domain-name        userid
  -----------------------------------------------
   root               default            1
   abcd               default            2
  -----------------------------------------------
   Total users              : 2
   Wait authen-ack          : 0
   Authentication success   : 2

Run the display vty mode command to view the configured VTY mode. For example:

  <HUAWEI> display vty mode
  current VTY mode is Human-Machine interface

2.4 Configuration Examples

This section provides examples for configuring console and VTY user interfaces. These examples explain the networking requirements, the configuration roadmap, and configuration notes.

2.4.1 Example for Configuring the Console User Interface

In this configuration example, the physical attributes, terminal attributes, user priority, user authentication mode, and password are set for the console user interface. This allows users to log in to a device through the console port in password authentication mode.

Networking Requirements
To initialize the configuration of a new device or to maintain the device locally, the device must be logged in to through the console user interface. Attributes are set for the console user interface based on user and security requirements.

Configuration Notes
By default, terminal services are enabled on all user interfaces. If terminal services are disabled, use Telnet to log in to the system through the console port and run the shell command to enable terminal services.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure physical attributes for the console user interface.
2. Configure terminal attributes for the console user interface.
3. Set the user priority.

4. Set the user authentication mode and password.

NOTE
The user name and password do not have default values. Other parameters have default values, which are recommended.

Data Preparation
To complete the configuration, you need the following data:
- Transmission rate of a connection: 4800 bit/s
- Flow control mode: none
- Parity bit: even
- Stop bits: 2
- Data bits: 6
- Timeout period of an idle connection: 30 minutes
- Number of lines displayed on a terminal screen: 30
- Buffer size for previously used commands: 20
- User priority value: 15
- User authentication mode: password (the password is huawei)

Procedure
Step 1 Configure physical attributes for the console user interface.

  <HUAWEI> system-view
  [~HUAWEI] user-interface console 0
  [~HUAWEI-ui-console0] speed 4800
  [~HUAWEI-ui-console0] flow-control none
  [~HUAWEI-ui-console0] parity even
  [~HUAWEI-ui-console0] stopbits 2
  [~HUAWEI-ui-console0] databits 6
  [~HUAWEI-ui-console0] commit

Step 2 Configure terminal attributes for the console user interface.

  [~HUAWEI-ui-console0] shell
  [~HUAWEI-ui-console0] idle-timeout 30
  [~HUAWEI-ui-console0] screen-length 30
  [~HUAWEI-ui-console0] history-command max-size 20
  [~HUAWEI-ui-console0] commit

Step 3 Set a user priority for the console user interface.

  [~HUAWEI-ui-console0] user privilege level 15
  [~HUAWEI-ui-console0] commit

Step 4 Configure password authentication for the console user interface.

  [~HUAWEI-ui-console0] authentication-mode password
  [~HUAWEI-ui-console0] set authentication password simple huawei
  [~HUAWEI-ui-console0] commit
  [~HUAWEI-ui-console0] quit

After the console user interface has been configured, users can log in to the device through the console port in password authentication mode. For information about how to log in to the system through the console port, see 3.2 Logging In to the System Through the Console Port.

Step 5 Verify the configuration.

After completing the configuration, run the display user-interface command to view the configuration of Console 0.

  <HUAWEI> display user-interface 0
    Idx  Type   Tx/Rx  Modem  Privi  ActualPrivi  Auth  Int
  + 0    CON 0  9600   -      3      -            N     -
    + : Current user-interface is active.
    F : Current user-interface is active and work in async mode.
    Idx  : Absolute index of user-interface.
    Type : Type and relative index of user-interface.
    Privi : The privilege of user-interface.
    ActualPrivi : The actual privilege of user-interface.
    Auth : The authentication mode of user-interface.
        A : Authenticate use AAA.
        N : Current user-interface need not authentication.
        P : Authenticate use current UI's password.
    Int  : The physical location of UIs.

----End

Configuration Files

  #
   sysname HUAWEI
  #
  user-interface con 0
   authentication-mode password
   user privilege level 15
   set authentication password simple huawei
   history-command max-size 20
   idle-timeout 30 0
   databits 6
   parity even
   stopbits 2
   speed 4800
   screen-length 30
  #
  admin
  return

2.4.2 Example for Configuring VTY User Interfaces

In this configuration example, the maximum number of VTY user interfaces, the limit on incoming and outgoing calls, terminal attributes, authentication mode, and password are set. This allows users to use Telnet or SSH (STelnet) to log in to a device in password authentication mode.

Networking Requirements
If you need to log in to a device for local or remote configuration and maintenance by using Telnet or SSH, configure VTY user interfaces, including the maximum number of VTY user interfaces, the limit on incoming and outgoing calls, terminal attributes, user priority, and user authentication mode. Configure parameters based on the user and security requirements.

Configuration Roadmap
The configuration roadmap is as follows:
1. Set the maximum number of VTY user interfaces.
2. Configure the limit on incoming and outgoing calls for VTY user interfaces.
3. Configure terminal attributes for VTY user interfaces.

4. Set user priorities for VTY user interfaces.
5. Configure the authentication mode and password for the VTY user interfaces.

Data Preparation
To complete the configuration, you need the following data:
- Maximum number of VTY user interfaces: 18
- Number of the ACL applied to limit incoming calls on the VTY user interfaces: 2000
- Timeout period of an idle connection: 30 minutes
- Number of lines displayed on a terminal screen: 30
- Buffer size for previously used commands: 20
- User priority: 15
- User authentication mode: password (the password is huawei)

NOTE
The ACL number for limiting incoming and outgoing calls on VTY user interfaces, the password, and the user name do not have default values. Other parameters have default values, which are recommended.

Procedure
Step 1 Set the maximum number of VTY user interfaces.

  <HUAWEI> system-view
  [~HUAWEI] user-interface maximum-vty 18
  [~HUAWEI] commit

Step 2 Configure the limit on incoming and outgoing calls for VTY user interfaces.

  [~HUAWEI] acl 2000
  [~HUAWEI-acl-basic-2000] rule deny source 10.1.1.1 0
  [~HUAWEI-acl-basic-2000] quit
  [~HUAWEI] user-interface vty 0 17
  [~HUAWEI-ui-vty0-17] acl 2000 inbound
  [~HUAWEI-ui-vty0-17] commit

Step 3 Configure terminal attributes for VTY user interfaces.

  [~HUAWEI-ui-vty0-17] shell
  [~HUAWEI-ui-vty0-17] idle-timeout 30
  [~HUAWEI-ui-vty0-17] screen-length 30
  [~HUAWEI-ui-vty0-17] history-command max-size 20
  [~HUAWEI-ui-vty0-17] commit

Step 4 Set user priorities for VTY user interfaces.

  [~HUAWEI-ui-vty0-17] user privilege level 15
  [~HUAWEI-ui-vty0-17] commit

Step 5 Configure the authentication mode and password for VTY user interfaces.

  [~HUAWEI-ui-vty0-17] authentication-mode password
  [~HUAWEI-ui-vty0-17] set authentication password simple huawei
  [~HUAWEI-ui-vty0-17] commit
  [~HUAWEI-ui-vty0-17] quit

After a VTY user interface is configured, a user can use Telnet or SSH to log in to the device in password authentication mode to maintain the device locally or remotely. For information about how to use Telnet or SSH to log in to a device, see 3.3 Logging In to the System by Using Telnet or 3.4 Logging In to the System by Using STelnet.

Step 6 Verify the configuration.

After completing the configuration, run the display user-interface command to view the configuration of the VTY user interfaces. VTY 14 is used as an example:

  [~HUAWEI] display user-interface vty 14
    Idx  Type     Tx/Rx  Modem  Privi  ActualPrivi  Auth      Int
  + 34   VTY 14          -      15     15           password  -
    + : Current UI is active.
    F : Current UI is active and work in async mode.
    Idx  : Absolute index of UIs.
    Type : Type and relative index of UIs.
    Privi: The privilege of UIs.
    ActualPrivi: The actual privilege of user-interface.
    Auth : The authentication mode of UIs.
        A: Authenticate use AAA.
        N: Current UI need not authentication.
        P: Authenticate use current UI's password.
    Int  : The physical location of UIs.

----End

Configuration Files

  #
   sysname HUAWEI
  #
  user-interface maximum-vty 18
  #
  acl number 2000
   rule 5 deny source 10.1.1.1 0
  #
  user-interface vty 0 17
   user privilege level 15
   set authentication password simple huawei
   history-command max-size 20
   idle-timeout 30 0
   screen-length 30
   acl 2000 inbound
  #
  admin
  return
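The authentication modes of 2.3 and the configuration files of 2.4.1 and 2.4.2 can be checked mechanically. The following Python script is an added example and not Huawei's code: it parses a VRP-style configuration file (the same flat layout as the "Configuration Files" blocks above) and flags user-interface settings this chapter describes as weaker choices, namely authentication-mode none, passwords stored with simple, VTY lines that still accept Telnet or have no inbound ACL, and privilege level 15 on a line not authenticated through AAA. The sample configurations are constructed from the 2.4.2 example, and the cipher text in the hardened sample is a placeholder.

```python
"""Audit VRP-style "Configuration Files" text for weak user-interface settings.
Added example, not Huawei's code: it recognises only the user-interface
commands used in this chapter (2.3, 2.4.2, 3.4.2) and ignores other lines."""
import re
from dataclasses import dataclass, field


@dataclass
class UserInterface:
    name: str                  # "con 0" or "vty 0 17"
    auth_mode: str = ""        # authentication-mode; VTY default is password (3.3.1)
    plaintext_password: bool = False
    inbound_acl: str = ""      # from 'acl <number> inbound'
    privilege: int = 0         # from 'user privilege level <n>'
    protocols: set = field(default_factory=lambda: {"telnet"})  # default (3.4.2)


def parse_user_interfaces(config_text: str) -> list:
    """Collect the settings of every user-interface block of a flat config."""
    uis, current = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line in ("#", "return"):
            current = None     # '#' separates configuration blocks
            continue
        m = re.match(r"user-interface (con|vty) (\d+)(?: (\d+))?$", line)
        if m:
            current = UserInterface(" ".join(t for t in m.groups() if t))
            if m.group(1) == "vty":
                current.auth_mode = "password"
            uis.append(current)
            continue
        if current is None:
            continue           # line belongs to some other block
        tokens = line.split()
        if tokens[0] == "authentication-mode":
            current.auth_mode = tokens[1]
        elif tokens[:3] == ["set", "authentication", "password"]:
            current.plaintext_password = tokens[3] == "simple"
        elif tokens[0] == "acl" and tokens[-1] == "inbound":
            current.inbound_acl = tokens[1]
        elif tokens[:3] == ["user", "privilege", "level"]:
            current.privilege = int(tokens[3])
        elif tokens[:2] == ["protocol", "inbound"]:
            current.protocols = set(tokens[2:])
    return uis


def audit(config_text: str) -> list:
    """Return (user-interface name, finding code) pairs, in config order."""
    findings = []
    for ui in parse_user_interfaces(config_text):
        protos = {"telnet", "ssh"} if "all" in ui.protocols else ui.protocols
        if ui.auth_mode == "none":           # login without any authentication
            findings.append((ui.name, "no-auth"))
        if ui.plaintext_password:            # 'simple' keeps the password in plain text
            findings.append((ui.name, "plaintext-password"))
        if ui.name.startswith("vty"):
            if "telnet" in protos:           # Telnet carries the session in plain text
                findings.append((ui.name, "telnet-allowed"))
            if not ui.inbound_acl:           # nothing limits incoming calls
                findings.append((ui.name, "no-inbound-acl"))
        if ui.privilege == 15 and ui.auth_mode != "aaa":
            findings.append((ui.name, "level15-without-aaa"))  # no per-user login
    return findings


# Constructed samples: the 2.4.2 configuration file plus a console line set
# to no-authentication, and a hardened variant of the same VTY lines.
WEAK_CONFIG = """\
#
acl number 2000
 rule 5 deny source 10.1.1.1 0
#
user-interface con 0
 authentication-mode none
 user privilege level 15
#
user-interface vty 0 17
 user privilege level 15
 set authentication password simple huawei
 acl 2000 inbound
#
return
"""

HARDENED_CONFIG = """\
#
user-interface vty 0 17
 authentication-mode aaa
 protocol inbound ssh
 acl 2000 inbound
#
return
"""

if __name__ == "__main__":
    print(audit(WEAK_CONFIG))
    print(audit(HARDENED_CONFIG))
```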

3 Configuring User Login

About This Chapter
A user can log in to a device by using the console port, Telnet, or SSH (STelnet) to maintain the device locally or remotely.

3.1 User Login Overview
Users can log in to devices by using the console port, Telnet, or STelnet.

3.2 Logging In to the System Through the Console Port
To configure a device that is powered on for the first time or to maintain the device locally, log in to the device through the console port.

3.3 Logging In to the System by Using Telnet
Telnet allows users to log in to remote devices to manage and maintain them.

3.4 Logging In to the System by Using STelnet
STelnet, based on SSH2, provides secure remote access over an insecure network.

3.5 Configuration Examples
This section provides configuration examples for logging in to the system through the console port or by using Telnet or STelnet. These configuration examples explain the networking requirements, the configuration roadmap, and precautions.

3.1 User Login Overview

Users can log in to devices by using the console port, Telnet, or STelnet.

Users can log in to devices to configure, monitor, and maintain them locally or remotely only after user interfaces, user management, and terminal services have been configured. User interfaces provide the login entrance, user management ensures login security, and terminal services offer the login protocols.

Users can log in by using any of the login modes listed in Table 3-1 to configure and manage the router.

Table 3-1 User login modes

  Login Mode                                         | Application
  ---------------------------------------------------|------------------------------------------------------------------
  Logging In to the System Through the Console Port  | Users log in through the console port to configure a device locally. This login mode is required when a device is powered on for the first time.
  Logging In to the System by Using Telnet           | Users log in by using Telnet to maintain a device locally or remotely. Telnet helps users maintain remote devices but brings security threats.
  Logging In to the System by Using STelnet          | STelnet provides protection for users logging in to a device to maintain the device locally or remotely.

Console Port Overview
For information about the console port, see Overview of Logging In to the System for the First Time.

Telnet Overview
Telnet is an application layer protocol in the TCP/IP protocol suite. It provides remote login and virtual terminal services. The NE5000E provides the following Telnet services:
- Telnet server: A user runs the Telnet client program on a PC to log in to the router to configure and manage it. The router functions as a Telnet server.
- Telnet client: After using the terminal emulator or Telnet client program on a PC to connect to the router, a user runs the telnet command to log in to another device for configuration and management. The router functions as a Telnet client.
  In Figure 3-1, the CE functions as both a Telnet server and a Telnet client.

  Figure 3-1 Telnet server providing the Telnet client service
    (figure labels: PC, CE, PE; Telnet session 1, Telnet session 2; the CE is labelled Telnet server)

- Telnet service interruption

  Figure 3-2 Usage of Telnet shortcut keys
    (figure labels: P1 (Telnet client), P2, P3 (Telnet server); Telnet session 1, Telnet session 2)

  Two pairs of shortcut keys can be used to interrupt Telnet connections. As shown in Figure 3-2, P1 uses Telnet to log in to P2 and then to P3. P1 is the Telnet client of P2, and P2 is the Telnet client of P3. The shortcut keys are used as follows:

  – Ctrl_]: Instructs the server to disconnect a Telnet connection. If Ctrl_] is pressed while the network works properly, the Telnet server interrupts the current Telnet connection. For example, press Ctrl_] on P3, and the P2 prompt is displayed.

      <P3>                                         Select Ctrl_] to return to the prompt of P2
      The connection was closed by the remote host.
      <P2>                                         Select Ctrl_] to return to the prompt of P1
      <P2> Ctrl_]
      The connection was closed by the remote host.
      <P1>

    NOTE
    If the network connection is disconnected, the shortcut keys do not take effect.

  – Ctrl_K: Instructs the client to disconnect the connection. When the server fails and the client is unaware of the failure, the server does not respond to the client's input. In this case, pressing Ctrl_K makes the Telnet client interrupt the connection and quit Telnet. For example, press Ctrl_K on P3 to quit the Telnet connection.

      <P3>                                         Select Ctrl_K to abort
      <P1>

CAUTION
When the number of remote login users reaches the maximum number of VTY user interfaces, the system prompts subsequent users with a message indicating that all user interfaces are in use and no more Telnet connections are allowed.

STelnet Overview

NOTE
Currently, a device running SSH1 or SSH2 can function as an SSH server. Only devices running SSH2 can function as SSH clients.

STelnet is based on SSH2. After the client and the server negotiate and set up a secure connection, the client can log in to the server in the same way as with Telnet.

Logins using Telnet add security risks because Telnet does not provide any secure authentication mechanism and data is transmitted over TCP in plain text. Telnet connections are vulnerable to Denial of Service (DoS) attacks, IP address spoofing, and route spoofing.

SSH provides secure remote access on an insecure network by supporting the following functions:
- Remote Subscriber Access (RSA) authentication: Public and private keys are generated according to the encryption principle of the asymmetric encryption system to implement secure key exchange and ensure a secure session.
- Data encryption standards: Data Encryption Standard (DES), 3DES, and Advanced Encryption Standard (AES).
- User name and password encryption: This prevents the user name and password from being intercepted during communication between the client and the server.
- Encryption of transmitted data.

A device serving as an SSH server can accept connection requests from multiple SSH clients. The device can also serve as an SSH client, helping users establish SSH connections with an SSH server. This allows users to use SSH to log in to remote devices from the local device.

- Local connection
  As shown in Figure 3-3, an SSH channel is established for a local connection.

  Figure 3-3 Establishing an SSH channel on a local area network (LAN)
    (figure labels: Server, Ethernet 100BASE-TX, PC, Server, Laptop, PC running SSH Client)

- Wide area network (WAN) connection
  As shown in Figure 3-4, an SSH channel is established for a connection on a WAN.

  Figure 3-4 Establishing an SSH channel on a WAN
    (figure labels: Local LAN, Router, WAN, SSH, Router, Remote LAN, PC running SSH Client, PC)

3.2 Logging In to the System Through the Console Port

To configure a device that is powered on for the first time or to maintain the device locally, log in to the device through the console port.

Applicable Environment
When a device is powered on for the first time, it can be logged in to only through the console port.

Pre-configuration Tasks
Before logging in to the system through the console port, complete the following tasks:
- Preparing a PC or a terminal, including a serial interface and an RS-232 cable
- Installing a terminal emulator on the PC, such as Windows XP HyperTerminal

Configuration Procedures
Figure 3-5 Logging in to the system through the console port
  (flowchart steps: Configure the console user interface; Log in to the system through the console port. Legend: mandatory procedure, optional procedure)

3.2.1 Configuring the Console User Interface
To allow users to log in to the system through the console port, configure attributes for the console user interface.

Context
If you need to log in to a device through the console port for local maintenance, configure the console user interface, including the physical attributes, terminal attributes, user priority, and user authentication mode. Configure parameters based on the user and security requirements.

For the configuration of the console user interface, see Configuring the Console User Interface.

3.2.2 Logging In to the System Through the Console Port
Users can connect a terminal to the console port on a device and then log in to the device.

Context
NOTE
- Communication parameters of the user terminal must be consistent with the physical attributes of the console user interface on the device.
- After a user authentication mode is specified for the console user interface, a user can log in to the device only after authentication succeeds. This enhances network security.

For information about logging in to the system through the console port, see Logging In to the Router Through the Console Port.

3.2.3 Checking the Configuration
After logging in to the system through the console port, you can view information about the console user interface, such as its usage, physical attributes and configuration, the local user list, and logged-in users.

Prerequisite
The configuration of user login through the console port is complete.

Procedure
- Run the display users [ all ] command to check user login information about user interfaces.
- Run the display user-interface console 0 command to check the physical attributes and configuration of the user interface.
- Run the display local-user command to check the local user list.
- Run the display access-user command to check information about logged-in users.
----End

Example
Run the display users command to view user login information about the current user interface.

  <HUAWEI> display users
    User-Intf    Delay     Type  Network Address    AuthenStatus   AuthorcmdFlag
    0   CON 0
    Username : Unspecified
  + 258 VTY 0    00:00:00  TEL   10.164.6.15        pass           no
    Username : Unspecified
    259 VTY 1
    Username : Unspecified

Run the display user-interface console 0 command to view the physical attributes and configuration of the user interface.

  <HUAWEI> display user-interface console 0
    Idx  Type   Tx/Rx  Modem  Privi  ActualPrivi  Auth  Int
    0    CON 0  9600   -      3      -            N     -
    1    CON 0  9600   -      3      -            N     -
    + : Current UI is active.
    F : Current UI is active and work in async mode.
    Idx  : Absolute index of UIs.
    Type : Type and relative index of UIs.
    Privi: The privilege of UIs.
    ActualPrivi: The actual privilege of user-interface.
    Auth : The authentication mode of UIs.
        A: Authenticate use AAA.
        N: Current UI need not authentication.
        P: Authenticate use current UI's password.
    Int  : The physical location of UIs.

Run the display local-user command to view the local user list.

  <HUAWEI> display local-user
  ----------------------------------------------------------------------------
   Username            State    Type   Online
  ----------------------------------------------------------------------------
   user123             Active   All    0
   ll                  Active   F      0
   user1               Active   F      0
  ----------------------------------------------------------------------------
   Total 3,3 printed

Run the display access-user command to view information about logged-in users.

  <HUAWEI> display access-user
  -----------------------------------------------
   User-name          domain-name        userid
  -----------------------------------------------
   root               default            1
   abcd               default            2
  -----------------------------------------------
   Total users              : 2
   Wait authen-ack          : 0
   Authentication success   : 2

3.3 Logging In to the System by Using Telnet

Telnet allows users to log in to remote devices to manage and maintain them.

Applicable Environment
If one or more devices need to be configured and managed, you do not need to connect each device to a terminal to maintain it locally. If you have obtained the IP address of a device and logged in to it before, you can use Telnet to log in to the device and configure it remotely. This allows you to maintain multiple devices from one terminal, greatly facilitating device management.

NOTE
The IP address of a device needs to be preset through the console port.

Pre-configuration Tasks
Before using Telnet to log in to the system, complete the following task:
- Configuring a route between a terminal and a device

Configuration Procedures
Figure 3-6 Logging in to the system by using Telnet
  (flowchart steps: Configure VTY user interfaces; Configure local Telnet users; Enable the Telnet server function; Configure the listening port number of the Telnet server; Use Telnet to log in to the system from terminals. Legend: mandatory procedure, optional procedure)

3.3.1 Configuring VTY User Interfaces
If you need to use Telnet or SSH to log in to a device to maintain it locally or remotely, configure VTY user interfaces based on user and security requirements.

Context
The default user authentication mode for VTY user interfaces is password authentication. Before using Telnet or SSH to log in to a device, configure a user authentication mode for the VTY user interfaces. Otherwise, you cannot log in to the device.

NOTE
The authentication mode can be configured for VTY user interfaces by logging in to the device through the console port.

For the configuration of VTY user interfaces, see Configuring VTY User Interfaces.

3.3.2 (Optional) Configuring Local Telnet Users
If the user authentication mode of the VTY user interfaces is no-authentication or password authentication, the following configuration is not required.

Context
By default, a local user can use any access type. After the user access mode has been specified, only users using the specified access mode can log in to the system.

Procedure
Step 1 Run:
  system-view
  The system view is displayed.
Step 2 Run:
  aaa
  The AAA view is displayed.
Step 3 Run:
  local-user user-name password { simple | cipher } password
  The user name and password are set.
  - If the password is in the form of simple, the password must be in plain text.
  - If the password is in the form of cipher, the password can be in either encrypted text or plain text. The result is determined by the input.
Step 4 Run:
  local-user user-name service-type telnet
  The access mode of the local user is set to Telnet.
Step 5 Run:
  commit
  The configuration is committed.
----End

3.3.3 Enabling the Telnet Server Function
The Telnet server can be connected to only after the Telnet server function has been enabled. Choose either of the following steps based on the network protocol:

Procedure
- IPv4:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     telnet server enable
     The Telnet server function is enabled.
  3. Run:
     commit
     The configuration is committed.
- IPv6:
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     telnet ipv6 server enable
     The Telnet server function is enabled.
  3. Run:
     commit
     The configuration is committed.

NOTE
- If the undo telnet [ ipv6 ] server enable command is run to disable the Telnet server function while users are logged in by using Telnet, the command does not take effect.
- After the Telnet server function is disabled, established Telnet connections are not interrupted, and no new Telnet connection is allowed. In this situation, users can log in to the system by using SSH or through the console port.
----End

3.3.4 (Optional) Configuring the Listening Port Number for the Telnet Server
The listening port number of the Telnet server can be configured and changed to ensure network security. After the listening port number is changed, only users who know the current listening port number can log in to the router.

Context
By default, the listening port number of the Telnet server is 23, and users can log in to the router without specifying the listening port number. Attackers may access the default listening port, reducing available bandwidth, affecting the performance of the server, and making the server unavailable to valid users. After the listening port number of the Telnet server is changed, attackers do not know the new listening port number. This effectively prevents attackers from accessing the listening port.

Procedure
Step 1 Run:
  system-view
  The system view is displayed.
Step 2 Run:
  telnet [ ipv6 ] server port port-number
  The listening port number is set for the Telnet server.
  If a new listening port number is set, the Telnet server terminates all established Telnet connections and then uses the new port number to listen for new Telnet connection requests.
Step 3 Run:
  commit
  The configuration is committed.
----End

3.3.5 Logging In to the System by Using Telnet
After the device is configured, you can use Telnet to log in to the device from a terminal to maintain the device remotely.

Context
To log in to the system by using Telnet, use either the Windows Command Prompt or third-party software on the terminal. The Windows Command Prompt is used as an example. Do as follows on the PC:

Procedure
Step 1 Open the Windows Command Prompt window.
Step 2 Run the telnet ip-address command to use Telnet to log in to the device.
  1. Enter the IP address of the Telnet server.
     Figure 3-7 Schematic diagram 1 for login by using Telnet
  2. Press Enter, and the command prompt of the user view is displayed, such as <HUAWEI>. This indicates that you have accessed the Telnet server.
     Figure 3-8 Schematic diagram 2 for login by using Telnet
----End
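The outputs that 3.3.6 uses to verify a Telnet login (display users and display tcp status) can also be read by a script to check how much plain-text management a device currently exposes. The following Python is an added example and not Huawei's code: it parses both output formats, reports whether the Telnet server is listening on the expected port (23 by default, or the value set with telnet server port in 3.3.4), which established connections hit that port, and which logged-in users arrived over Telnet rather than SSH. The sample output is constructed in the layout shown on this page; the value SSH in the Type column for STelnet logins is an assumption.

```python
"""Report Telnet exposure from 'display users' and 'display tcp status' output
(the formats shown in 3.3.6). Added example, not Huawei's code; sample output
is constructed, and 'SSH' as a Type value for STelnet logins is an assumption."""
from dataclasses import dataclass


@dataclass
class Session:
    ui: str         # e.g. "VTY 0"
    proto: str      # Type column: TEL for Telnet (from the page); SSH assumed
    address: str    # Network Address column
    active: bool    # rows marked '+' are the current user interface


@dataclass
class TcpEntry:
    local: str
    local_port: int
    foreign: str
    foreign_port: int
    state: str      # LISTEN, Established, Closed, ...


def parse_display_users(text: str) -> list:
    """Return one Session per VTY row that carries a remote login."""
    sessions = []
    for raw in text.splitlines():
        active = raw.lstrip().startswith("+")
        tokens = raw.lstrip().lstrip("+").split()
        # Data row: idx, type, relative index, delay (hh:mm:ss), protocol, address, ...
        if len(tokens) >= 6 and tokens[1] == "VTY" and tokens[3].count(":") == 2:
            sessions.append(Session(f"VTY {tokens[2]}", tokens[4], tokens[5], active))
    return sessions


def parse_tcp_status(text: str) -> list:
    """Return one TcpEntry per row; fields are read from the right because the
    Tid/Soid column may be printed with or without an internal space."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 5 or ":" not in tokens[-4] or ":" not in tokens[-3]:
            continue                       # header or blank line
        local, lport = tokens[-4].rsplit(":", 1)
        foreign, fport = tokens[-3].rsplit(":", 1)
        entries.append(TcpEntry(local, int(lport), foreign, int(fport), tokens[-1]))
    return entries


def telnet_exposure(users_out: str, tcp_out: str, telnet_port: int = 23) -> dict:
    """Summarise plain-text management exposure. telnet_port is 23 by default
    and should match the value set with 'telnet server port' (3.3.4)."""
    tcp = parse_tcp_status(tcp_out)
    sessions = parse_display_users(users_out)
    return {
        "telnet_listening": any(e.state == "LISTEN" and e.local_port == telnet_port
                                for e in tcp),
        "telnet_connections": [f"{e.foreign}:{e.foreign_port}" for e in tcp
                               if e.state == "Established" and e.local_port == telnet_port],
        "telnet_users": [s.address for s in sessions if s.proto == "TEL"],
        "ssh_users": [s.address for s in sessions if s.proto == "SSH"],
    }


# Constructed output in the layout of 3.3.6 (addresses and TCPCB values are made up).
DISPLAY_USERS = """\
  User-Intf    Delay    Type  Network Address    AuthenStatus   AuthorcmdFlag
  0   CON 0
  Username : Unspecified
+ 258 VTY 0    00:00:00 TEL   10.164.6.15        pass           no
  Username : Unspecified
  259 VTY 1    00:00:12 TEL   10.2.2.2           pass           no
  Username : Unspecified
  260 VTY 2    00:01:05 SSH   10.2.2.9           pass           no
  Username : admin
"""

DISPLAY_TCP_STATUS = """\
TCPCB    Tid/Soid  Local Add:port      Foreign Add:port    VPNID  State
39952df8 36 /1509  0.0.0.0:0           0.0.0.0:0           0      Closed
32af9074 59 /1     0.0.0.0:23          0.0.0.0:0           0      LISTEN
3a11c0d0 60 /2     0.0.0.0:22          0.0.0.0:0           0      LISTEN
34042c80 73 /17    10.1.1.1:23         10.164.6.15:1147    0      Established
34042d10 74 /18    10.1.1.1:23         10.2.2.2:52011      0      Established
34042e40 75 /19    10.1.1.1:22         10.2.2.9:40022      0      Established
"""

if __name__ == "__main__":
    for key, value in telnet_exposure(DISPLAY_USERS, DISPLAY_TCP_STATUS).items():
        print(f"{key}: {value}")
```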

3.3.6 Checking the Configuration
After logging in to the system by using Telnet, you can view information about the current user interface, every user interface, and established TCP connections.

Prerequisite
The configuration of logging in to the system by using Telnet is complete.

Procedure
- Run the display users [ all ] command to check information about user interfaces.
- Run the display tcp status command to check established TCP connections.
- Run the display telnet server status command to check the configuration and status of the Telnet server.
----End

Example
Run the display users command to view information about the current user interface.

  <HUAWEI> display users
    User-Intf    Delay     Type  Network Address    AuthenStatus   AuthorcmdFlag
    34  VTY 0    00:00:12  TEL   1.1.1.1                           no
    Username : Unspecified
  + 35  VTY 1    00:00:00  TEL   1.1.1.2                           no
    Username : Unspecified

Run the display tcp status command to view TCP connections. Established in the command output indicates that a TCP connection has been established.

  <HUAWEI> display tcp status
  TCPCB    Tid/Soid  Local Add:port      Foreign Add:port    VPNID  State
  39952df8 36 /1509  0.0.0.0:0           0.0.0.0:0           0      Closed
  32af9074 59 /1     0.0.0.0:21          0.0.0.0:0           14849  LISTEN
  34042c80 73 /17    10.1.1.1:23         10.2.2.2:1147       0      Established

Run the display telnet server status command to view the configuration and status of the Telnet server.

  <HUAWEI> display telnet server status
  Session 1:
    Source ip address        : 10.137.217.221
    VTY Index                : 14
  Current number of sessions : 1

3.4 Logging In to the System by Using STelnet

STelnet, based on SSH2, provides secure remote access over an insecure network.

Applicable Environment
A large number of devices on a network need to be managed and maintained. It is impossible to connect each device to a terminal, especially when there is no reachable route between a device and the terminal. To manage and maintain remote devices, log in to other devices by using Telnet from the device that you have logged in to. Login by using Telnet brings security

risk because Telnet does not provide any secure authentication mechanism and data is transmitted over TCP in plain text.

STelnet is a secure Telnet service based on SSH connections. SSH provides encryption and authentication and protects devices against attacks such as IP address spoofing and plain-text password interception.

Pre-configuration Tasks
Before logging in to the system by using STelnet, complete the following task:
- Configuring a route between a terminal and a device

Configuration Procedures
Figure 3-9 Logging in to the system by using STelnet
  (flowchart steps: Configure VTY user interfaces; Configure VTY user interfaces to support SSH; Configure an SSH user and specify STelnet as the service type; Enable the STelnet server function; Configure STelnet server parameters; Use STelnet to log in to the system from a terminal. Legend: mandatory procedure, optional procedure)

3.4.1 Configuring VTY User Interfaces
If you need to use Telnet or SSH to log in to a device to maintain it locally or remotely, configure VTY user interfaces based on user and security requirements.

Context
The default user authentication mode for VTY user interfaces is password authentication. Before using Telnet or SSH to log in to a device, configure a user authentication mode for the VTY user interfaces. Otherwise, you cannot log in to the device.

NOTE
The authentication mode of VTY user interfaces can be configured after logging in to the device through the console port. For details about VTY user interfaces, see Configuring VTY User Interfaces.

3.4.2 Configuring VTY User Interfaces to Support SSH

STelnet is based on SSH2. After the client and the server negotiate and set up a secure connection, the client logs in to the server in the same way as with Telnet.

Context

By default, user interfaces support Telnet. If no user interface is enabled with SSH, users cannot log in to the device by using STelnet.

Do as follows on the device that functions as the SSH server:

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
user-interface vty first-ui-number [ last-ui-number ]
A VTY user interface view is displayed.

Step 3 Run:
authentication-mode aaa
AAA authentication is set.

Step 4 Run:
protocol inbound ssh
SSH is enabled on the VTY user interface.

NOTE
Before configuring a user interface to support SSH, set the authentication mode of the user interface to AAA. Otherwise, the protocol inbound ssh command does not take effect.

Step 5 Run:
commit
The configuration is committed.

----End

3.4.3 Configuring an SSH User and Specifying the Service Type

To allow users to log in to a device by using STelnet, configure an SSH user, configure the device to generate a local RSA key pair, configure a user authentication mode, and specify a service type for the SSH user.

Context

- SSH users can be authenticated in four modes: RSA, password, password-RSA, and all. Password authentication depends on AAA: before a user logs in to the device in password or password-RSA authentication mode, a local user with the same user name must be created in the AAA view.
- Generating a local RSA key pair is a key step for SSH login. If an SSH user logs in to the SSH server in password authentication mode, configure the server to generate a local RSA key pair. If an SSH user logs in in RSA authentication mode, configure both the server and the client to generate local RSA key pairs.

NOTE
Password-RSA authentication requires both password authentication and RSA authentication to succeed. The all authentication mode requires either password authentication or RSA authentication to succeed.

Do as follows on the device that functions as the SSH server:

Procedure

Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
ssh user user-name
An SSH user is created.

If password or password-RSA authentication is configured for the SSH user, create a local user with the same name in the AAA view and set the local user access type to SSH:

1. Run the aaa command to enter the AAA view.
2. Run the local-user user-name password { simple | cipher } password command to configure a local user name and password. With simple the password is stored in the configuration in plain text; cipher stores it in encrypted form.
3. Run the local-user user-name service-type ssh command to set the local user access type to SSH.
4. Run the quit command to exit from the AAA view and return to the system view.

By default, a local user can use any access type. Specifying an access type allows only users configured with that access type to log in to the device through it.

Step 3 Run:
rsa local-key-pair create
A local RSA key pair is generated.
NOTE
- The rsa local-key-pair create command must be used to create a local RSA key pair before any other SSH-related configuration.
- After the key pair is generated, run the display rsa local-key-pair public command to view the public key of the local key pair.

Step 4 Run:
ssh user user-name authentication-type { password | rsa | password-rsa | all }

An authentication mode is set for the SSH user. Perform either of the following operations as needed:

- Configure password authentication.
  – Run the ssh user user-name authentication-type password command to configure password authentication for one user.
  – Run the ssh authentication-type default password command to configure password authentication as the default for SSH users.
  If local or HWTACACS authentication is used and there are only a few users, use per-user password authentication. If there are a large number of users, use default password authentication to simplify configuration.

- Configure RSA authentication.
  1. Run the ssh user user-name authentication-type rsa command to configure RSA authentication.
  2. Run the rsa peer-public-key key-name command to enter the public key view.
  3. Run the public-key-code begin command to enter the public key edit view.
  4. Enter hex-data to edit the public key.
     NOTE
     - In the public key edit view, only hexadecimal strings complying with the public key format can be typed in. The string is the public key generated on the SSH client; for how to generate and export it, see the manual of the SSH client software.
     - After entering the public key edit view, paste the RSA public key generated on the client into the server.
  5. Run the public-key-code end command to exit from the public key edit view.
     NOTE
     - The peer-public-key end command generates the key only after valid hex-data complying with the public key format has been entered.
     - If the peer-public-key end command is used after the key key-name specified in step 2 has been deleted in another window, the system displays a message indicating that the key does not exist, and the system view is displayed.
  6. Run the peer-public-key end command to return to the system view.
  7. Run the ssh user user-name assign rsa-key key-name command to assign the public key to the SSH user.

Step 5 (Optional) Configure basic authentication parameters of the SSH server.
1. Run the ssh server rekey-interval hours command to set the interval at which the server key is updated. By default, the interval is 0, meaning that the key is never updated; set a non-zero interval so that a leaked server key has a bounded lifetime.
2. Run the ssh server timeout seconds command to set the timeout period for SSH authentication. By default, the timeout period is 60 seconds.
3. Run the ssh server authentication-retries times command to set the maximum number of SSH authentication retries. By default, SSH authentication retries a maximum of 3 times.

Step 6 Run:
ssh user user-name service-type { stelnet | sftp | all }
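Subsections 3.4.1 to 3.4.3 are steps of one procedure, and each carries a precondition that silently breaks STelnet login when missed. The following Python script is an added example, not Huawei's code: it encodes those preconditions as rules (AAA authentication before protocol inbound ssh, a matching AAA local user for password-authenticated SSH users, an existing assigned public key for RSA-authenticated users, a non-zero server rekey interval, no simple passwords) and checks a configuration listing against them. Two listings are constructed from the commands in this section: WEAK_CONFIG violates every rule, and FIXED_CONFIG shows the commands of 3.4.1 through 3.4.3 assembled so that all rules hold. The listing format assumed (one unindented line per system-view command, indented lines inside a view), the rule labels R1 to R5, and the placeholder values such as <ciphertext> are assumptions; rsa local-key-pair create leaves no line in a configuration listing, so the script cannot check that step.

```python
"""Lint a NetEngine configuration listing for the STelnet preconditions stated in this
chapter.  Added example, not Huawei's code; the sample listings below are constructed.
R1 a VTY with 'protocol inbound ssh' needs 'authentication-mode aaa'.  R2 password and
password-rsa SSH users need an AAA local-user of that name with service-type ssh.  R3 rsa
and password-rsa users need an assigned, existing rsa peer-public-key ('all' needs R2 or
R3).  R4 rekey-interval 0 never updates the server key.  R5 'password simple' is clear text."""
import re
from collections import defaultdict


def parse_config(text: str) -> dict:
    """An unindented line is a system-view command or opens a view (aaa, user-interface,
    rsa peer-public-key); the indented lines that follow belong to that view."""
    facts = {
        "vty": {},                                  # "vty 0 4" -> {"auth", "ssh"}
        "local_users": defaultdict(lambda: {"service": set(), "simple": False}),
        "ssh_users": defaultdict(dict),             # name -> {"auth", "key"}
        "peer_keys": set(),
        "rekey_hours": 0,                           # page: default 0 = never updated
    }
    view = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        if not raw[0].isspace():
            view = line
            if m := re.match(r"^rsa peer-public-key (\S+)", line):
                facts["peer_keys"].add(m.group(1))
            elif m := re.match(r"^user-interface (vty \d+(?: \d+)?)$", line):
                facts["vty"][m.group(1)] = {"auth": None, "ssh": False}
            elif m := re.match(r"^ssh user (\S+) authentication-type (\S+)", line):
                facts["ssh_users"][m.group(1)]["auth"] = m.group(2)
            elif m := re.match(r"^ssh user (\S+) assign rsa-key (\S+)", line):
                facts["ssh_users"][m.group(1)]["key"] = m.group(2)
            elif m := re.match(r"^ssh server rekey-interval (\d+)", line):
                facts["rekey_hours"] = int(m.group(1))
        elif view.startswith("user-interface vty"):
            vty = facts["vty"][view[len("user-interface "):]]
            if m := re.match(r"^authentication-mode (\S+)", line):
                vty["auth"] = m.group(1)
            elif line.startswith("protocol inbound ssh"):
                vty["ssh"] = True
        elif view == "aaa":
            if m := re.match(r"^local-user (\S+) password (simple|cipher)", line):
                facts["local_users"][m.group(1)]["simple"] |= m.group(2) == "simple"
            elif m := re.match(r"^local-user (\S+) service-type (\S+)", line):
                facts["local_users"][m.group(1)]["service"].add(m.group(2))
    return facts


def lint(facts: dict) -> list[str]:
    """One finding per violated rule; an empty list means every rule holds."""
    out = [f"R1 {n}: protocol inbound ssh needs authentication-mode aaa"
           for n, v in facts["vty"].items() if v["ssh"] and v["auth"] != "aaa"]
    for name, u in facts["ssh_users"].items():
        auth = u.get("auth")
        local = facts["local_users"].get(name)      # .get() does not create an entry
        has_pw = local is not None and "ssh" in local["service"]
        has_key = u.get("key") in facts["peer_keys"]
        if auth in ("password", "password-rsa") and not has_pw:
            out.append(f"R2 {name}: {auth} needs AAA local-user {name} with service-type ssh")
        if auth in ("rsa", "password-rsa") and not has_key:
            out.append(f"R3 {name}: {auth} needs an assigned rsa-key that exists")
        if auth == "all" and not (has_pw or has_key):
            out.append(f"R3 {name}: all needs a local-user or an assigned rsa-key")
    if facts["rekey_hours"] == 0:
        out.append("R4 ssh server rekey-interval is 0: the server key is never updated")
    out += [f"R5 {n}: password stored with 'simple', use 'cipher'"
            for n, lu in facts["local_users"].items() if lu["simple"]]
    return out


# Constructed sample: VTY still on password authentication, clear-text local password,
# admin without service-type ssh, and user 'ops' set to RSA without an assigned key.
WEAK_CONFIG = """\
aaa
 local-user admin password simple Admin@123
user-interface vty 0 4
 authentication-mode password
 protocol inbound ssh
ssh user admin authentication-type password
ssh user ops authentication-type rsa
"""

# Constructed sample: the same intent with every precondition of 3.4.1 to 3.4.3 met.
FIXED_CONFIG = """\
aaa
 local-user admin password cipher <ciphertext>
 local-user admin service-type ssh
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
rsa peer-public-key ops-key
ssh user admin authentication-type password
ssh user ops authentication-type rsa
ssh user ops assign rsa-key ops-key
ssh server rekey-interval 24
"""

if __name__ == "__main__":
    for finding in lint(parse_config(WEAK_CONFIG)):
        print("FAIL", finding)
```

Run it against the output of display current-configuration captured from the device; every finding names the command from this chapter that is missing or weak, so the fix is the corresponding step above.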
