HUAWEI NE40E-X1/NE40E-X2 Universal Service Router V600R005C00
Feature Description - Basic Configurations
Issue 03
Date 2013-08-15
HUAWEI TECHNOLOGIES CO., LTD.
Copyright Huawei Technologies Co., Ltd. 2013. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://www.huawei.com
Email: [email protected]
Issue 03 (2013-08-15) Huawei Proprietary and ConfidentialCopyright Huawei Technologies Co., Ltd.
About This Document
Purpose
This document describes the basic configurations in terms of their overview, principles, and applications. Together with the other document types, it helps intended readers gain a deep understanding of the basic configurations.
CAUTION
Note the following precautions:
- Currently, the device supports the AES and SHA2 algorithms for stored passwords. AES is reversible: a value encrypted with AES can be decrypted back to the original password. SHA2 is irreversible: it is a one-way hash, and the original password cannot be recovered from the stored digest. A protocol interworking password must be reversible, because the device has to reproduce it when authenticating to a peer; a local administrator password must be irreversible, so that the configuration file contains nothing from which it can be recovered.
- If the plain parameter is specified, the password is saved in plaintext in the configuration file, which is a high security risk. Specify the cipher parameter instead. To further improve device security, change passwords periodically.
- Do not set both the start and end characters of a password to "%$%$". This sequence marks ciphertext in the configuration file, so a password that starts and ends with it is treated as already encrypted and is written to the configuration file unchanged, that is, in plaintext.
Related Versions
The following table lists the product versions related to this document.

Product Name                                            Version
HUAWEI NE40E-X1 & NE40E-X2 Universal Service Router     V600R005C00
Intended Audience
This document is intended for:
- Network planning engineers
- Commissioning engineers
- Data configuration engineers
- System maintenance engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol     Description
DANGER     Indicates a hazard with a high or medium level of risk which, if not avoided, could result in death or serious injury.
WARNING    Indicates a hazard with a low level of risk which, if not avoided, could result in minor or moderate injury.
CAUTION    Indicates a potentially hazardous situation that, if not avoided, could result in equipment damage, data loss, performance deterioration, or unanticipated results.
TIP        Indicates a tip that may help you solve a problem or save time.
NOTE       Provides additional information to emphasize or supplement important points of the main text.
Change History
Changes between document issues are cumulative. The latest document issue contains all the changes made in earlier issues.

Changes in Issue 03 (2013-08-15)
The third commercial release.

Changes in Issue 02 (2012-11-15)
The second commercial release.

Changes in Issue 01 (2012-08-15)
Initial field trial release. Compared with V600R005C00SPC700, this document has the following updates:
Feature                  Section                        Description
Dynamic Module Load      1.4.12 Dynamic Module Load     Added dynamic module loading
Contents
About This Document
1 Basic Configuration
  1.1 Introduction to Basic Configuration
  1.2 References
  1.3 Feature Enhancements
  1.4 Principles
    1.4.1 FTP
    1.4.2 TFTP
    1.4.3 Introduction to Telnet
    1.4.4 SSH
    1.4.5 User Management
    1.4.6 Virtual File System
    1.4.7 Pipe Character
    1.4.8 Daylight Saving Time
    1.4.9 Timing Restart
    1.4.10 MIB Interface Is Used to Optimize System Upgrade
    1.4.11 NAP
    1.4.12 Dynamic Module Load
  1.5 Applications
    1.5.1 Applications of FTP
    1.5.2 Applications of TFTP
    1.5.3 Applications of Telnet
    1.5.4 Applications of SSH
  1.6 Terms, Acronyms, and Abbreviations
2 Fast Startup
  2.1 Introduction to Fast Startup
  2.2 References
  2.3 Principles
    2.3.1 Fast Startup After a Software Fault
    2.3.2 Fast Startup After a Hardware Fault
    2.3.3 Upgrade and Cold Startup
    2.3.4 Performance Statistics for Software-based Fast Startup
  2.4 Applications
  2.5 Terms, Acronyms, and Abbreviations
3 Clock Synchronization
  3.1 Introduction
  3.2 References
  3.3 Principles
    3.3.1 Basic Concepts
    3.3.2 Clock Protection Switching
    3.3.3 Synchronization Mode and Issues of Concern
    3.3.4 Networking Mode for Clock Synchronization
  3.4 Application
  3.5 Terms, Acronyms, and Abbreviations
4 1588 ACR
  4.1 Introduction to 1588 ACR
  4.2 References
  4.3 Enhancement
  4.4 Principles
    4.4.1 Basic Principles of 1588 ACR
  4.5 Applications
  4.6 Terms and Abbreviations
5 1588v2
  5.1 Introduction to 1588v2
  5.2 References
  5.3 Principles
    5.3.1 Basic Concepts
    5.3.2 Principle of Synchronization
  5.4 Application Environment
  5.5 Terms and Abbreviations
6 CES ACR Clock Synchronization
  6.1 Introduction
  6.2 References
  6.3 Principles
    6.3.1 Basic Concepts
    6.3.2 Basic Principles
  6.4 Applications
  6.5 Terms and Abbreviations
7 Plug-and-Play
  7.1 Introduction to Plug-and-Play
  7.2 References
  7.3 Principles
    7.3.1 Principle of DHCP
    7.3.2 Operation Principle of a DHCP Client
    7.3.3 Basic Principles of DHCP
    7.3.4 Operation Process of PnP
  7.4 Applications
  7.5 Terms, Acronyms, and Abbreviations
1 Basic Configuration

About This Chapter
1.1 Introduction to Basic Configuration
1.2 References
1.3 Feature Enhancements
1.4 Principles
1.5 Applications
1.6 Terms, Acronyms, and Abbreviations
1.1 Introduction to Basic Configuration

Definition
In configuration management, the terminal service provides the access interface and human-machine interfaces (HMIs) for users to configure devices. The login modes are:
- Login through the console port
- Remote login through the AUX port
- Telnet server/client
- Login through Secure Shell (SSH), with password authentication, Rivest-Shamir-Adleman (RSA) authentication, or Digital Signature Algorithm (DSA) authentication
- Login through customized user interfaces providing multiple user authentication and authorization modes

The file transfer mode provides transmission control for system files and configuration files, and simple remote management of the file system. The file transfer modes are:
- FTP client/server
- TFTP client
- SSH FTP (SFTP) client/server

The following sections describe the principles of each protocol feature by type:
- FTP
- TFTP
- Telnet
- SSH
- User management
- Virtual file system
- Daylight saving time
- Timing restart

Purpose
The terminal service provides the access interface and HMIs for users to configure devices. File transfer provides transmission control for system files and configuration files, and simple remote management of the file system.
1.2 ReferencesThe following table lists the references.
Document No.                               Document Name                                                Remarks
RFC 775                                    Directory oriented FTP commands                              -
RFC 959                                    File Transfer Protocol                                       -
RFC 1635                                   How to Use Anonymous FTP                                     -
RFC 1350                                   The TFTP Protocol (Revision 2)                               -
RFC 698                                    Telnet Extended ASCII Option                                 -
RFC 854                                    Telnet Protocol Specification                                -
RFC 855                                    Telnet Option Specification                                  -
RFC 930                                    Telnet Terminal Type Option                                  -
RFC 1091                                   Telnet Terminal-Type Option                                  -
RFC 2119                                   Key words for use in RFCs to Indicate Requirement Levels     -
RFC 4250                                   The Secure Shell (SSH) Protocol Assigned Numbers             -
RFC 4251                                   The Secure Shell (SSH) Protocol Architecture                 -
RFC 4252                                   The Secure Shell (SSH) Authentication Protocol               -
RFC 4253                                   The Secure Shell (SSH) Transport Layer Protocol              The implementation supports neither compression nor the ssh-dss public key format.
RFC 4254                                   The Secure Shell (SSH) Connection Protocol                   The implementation does not support some packets and functions, such as NP-3 forwarding, Env channel request packets, xon-xoff channel request packets, signal channel request packets, exit-status channel request packets, exit-signal channel request packets, and port forwarding.
RFC 4344                                   The Secure Shell (SSH) Transport Layer Encryption Modes      -
RFC 4345                                   Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer   -
draft-ietf-secsh-publickey-subsystem-01    Authentication Mechanism that Is Based on Public Keys        -
1.3 Feature Enhancements

Version                 Feature Enhancement
V600R005C00SPC700       - Now supports SSL.
                        - Now supports FTPS over SSL.
                        - Now supports HTTPS over SSL.
                        - Now supports DSA.
                        - When users access a device, they must be authenticated.
V600R005C00SPC900       Now supports dynamic module loading.
1.4 Principles

1.4.1 FTP
The File Transfer Protocol (FTP) is an application-layer protocol in the TCP/IP suite used for transferring files between local and remote hosts over an IP network. Because it is built on the file system, FTP is widely used for version upgrades, log downloads, and configuration saving. FTP uses a client-server architecture, as shown in Figure 1-1.

Figure 1-1 FTP client/server architecture (figure: an FTP server and an FTP client connected over an IP network)

The NE40E provides the following FTP functions:
- FTP server: the router functions as an FTP server to which users log in with an FTP client program to access files.
- FTP client: the router functions as an FTP client that can access files saved on a remote server. After connecting to the router from a PC with a terminal emulation program or Telnet, a user can run the FTP commands on the router to connect to a remote FTP server and access the files saved there.

In addition to file transfer, FTP supports interactive access, format specifications, and authentication control. FTP provides common file operations so that users can perform simple management of the file system as well as transfer files between hosts. Users can use a PC running an FTP client program to upload files, download files, and list directories on a router that functions as an FTP server, or use the FTP client program on a router that functions as an FTP client to transfer files to an FTP server. An FTP client can connect to the IPv6 address of an FTP server, and the FTP server accepts IPv6 connections.
Basic Concepts of FTP
Before using FTP, familiarize yourself with the following basic concepts about file transfer:

- File type
  - ASCII mode is used for text. Data is converted from the sender's character representation to 8-bit ASCII before transmission, and to the receiver's character representation on arrival.
  - Extended Binary-Coded Decimal Interchange Code (EBCDIC) mode requires both ends to use the EBCDIC character set.
  - Binary mode requires the sender to send the file byte for byte. This mode is often used to transfer image files and program files.
  - Local mode allows two hosts using different file systems to send files as binary bit streams. The logical byte size is defined by the sender.
  NOTE
  The NE40E supports the ASCII and binary modes. The differences between them are:
  - In ASCII mode, line endings are carried as carriage-return plus line-feed sequences and converted at each end.
  - In binary mode, bytes are transferred without any format conversion.
  The client can select the FTP transfer mode; ASCII mode is used by default. The client uses the mode switch command to change between the two modes.

- File structure
  - Byte stream structure, also called file structure: a file is treated as a continuous byte stream.
  - Record structure is used only for text files in either ASCII or EBCDIC mode.
  - Page structure: files are transferred page by page with the pages numbered, so the receiver can store them without worrying about pages arriving out of order.
  NOTE
  The NE40E supports both the record structure and the byte stream structure.

- Transfer mode
  - Stream mode: data is sent as a continuous stream. For the file structure, the sender sends an End-Of-File (EOF) indicator at the end of the transfer to prompt the receiver to close the data connection. For the record structure, a two-byte control code marks the end of a record and the end of the file.
  - Block mode: FTP breaks a file into several blocks, each starting with a block header.
  - Compressed mode: FTP compresses runs of identical consecutive bytes.
  NOTE
  The NE40E supports the stream mode.

- PORT command
  The PORT command tells the server which client address and port to connect to for the data connection. The command format is PORT a,b,c,d,e,f, where a,b,c,d is the client's IP address in dotted decimal notation and e,f are two decimal numbers that give the port number as e x 256 + f. For example:
  ftp> debug
  Debugging On .
  ftp> ls
  ---> PORT 10,164,9,96,5,28
  Here, 10.164.9.96 is the client's IP address, and 5 and 28 give the data port number 1308 (5 x 256 + 28 = 1308).
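The following Python helpers are an added example, not code from the Huawei document, and model the ASCII versus binary file-type distinction described above: type A transfers carry CRLF line endings on the wire (NVT-ASCII, as in RFC 959) with conversion at each end, while type I transfers pass bytes through unchanged. The configuration text and the fake image bytes are constructed for the demonstration; the digest check at the end is the kind of post-transfer verification a practitioner would add, not a feature the document describes.

```python
"""ASCII versus binary FTP transfer modes.

Added example, not code from the Huawei document. Type A (ASCII) transfers
use CRLF line endings on the wire and both ends translate to and from their
local convention; type I (binary) transfers pass bytes through untouched.
The sample inputs below are constructed for the demonstration.
"""
import hashlib

# Constructed samples: a small configuration text, and a fake binary image
# that contains CR and LF bytes, as any real software image will.
CONFIG_TEXT = b"sysname NE40E\nftp server enable\n"
FAKE_IMAGE = bytes([0x7F, 0x45, 0x4C, 0x46, 0x0D, 0x0A, 0x00,
                    0x0D, 0x0D, 0x0A, 0x0A, 0xFF])


def to_nvt_ascii(data: bytes) -> bytes:
    """Sender side of type A: normalise LF, CR or CRLF line endings to CRLF."""
    unified = data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    return unified.replace(b"\n", b"\r\n")


def from_nvt_ascii(data: bytes, local_eol: bytes = b"\n") -> bytes:
    """Receiver side of type A: rewrite CRLF to the receiver's local line ending."""
    return data.replace(b"\r\n", local_eol)


def transfer(data: bytes, mode: str, local_eol: bytes = b"\n") -> bytes:
    """Bytes the receiver stores after a transfer in the given FTP mode."""
    if mode == "binary":
        return data  # type I: no conversion at all
    if mode == "ascii":
        return from_nvt_ascii(to_nvt_ascii(data), local_eol)
    raise ValueError(f"unknown transfer mode: {mode}")


def survives_ascii_mode(data: bytes) -> bool:
    """True if an ASCII-mode round trip leaves the bytes unchanged."""
    return transfer(data, "ascii") == data


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_download(received: bytes, expected_sha256: str) -> bool:
    """Post-transfer integrity check: compare the digest of what was stored
    with the digest published for the file before trusting an image."""
    return sha256_hex(received) == expected_sha256.lower()


if __name__ == "__main__":
    for name, data in (("config", CONFIG_TEXT), ("image", FAKE_IMAGE)):
        for mode in ("ascii", "binary"):
            stored = transfer(data, mode)
            print(f"{name:6} via {mode:6}: intact={stored == data}, "
                  f"{len(data)} -> {len(stored)} bytes")
```

Because ASCII mode is the client's default, a system software image fetched without first switching to binary mode is silently altered wherever it contains 0x0D or 0x0A bytes even though the transfer reports success; comparing the stored file's digest with the published value catches this before the image is loaded.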
FTP Connections
Figure 1-2 shows the process of file transfer through FTP.

Figure 1-2 File transfer through FTP (figure: on the client, the user, the user interface, the user protocol interpreter, the user data transfer function and the file system; on the server, the server protocol interpreter, the server data transfer function and the file system; the two protocol interpreters are joined by the control connection and the two data transfer functions by the data connection)

FTP uses two TCP connections to transfer files. They are:
- Control connection
  A control connection is set up between the FTP client and the FTP server. The server listens on the well-known port 21 and waits for a connection request from the client; the client connects from a temporary port of its own to port 21 on the server. The control connection stays open for the whole session: it carries commands from the client to the server and replies from the server to the client.
- Data connection
  In active mode the server uses port 20 as its end of the data connection. Generally, the server can open or close a data connection actively. For files sent from the client to the server as streams, however, only the client can close the data connection, because closing it is what marks the end of the file. FTP transfers each file as a stream and uses an EOF indicator to identify the end of the file, so a new data connection is required for each file or directory listing to be transferred. A data connection exists only while a file or listing is being transferred between the client and the server.
FTP Implementation
In the current system, FTP manages the control connection by using the User Protocol Interpreter (User-PI) and Server Protocol Interpreter (Server-PI), and transfers files by using the User Data Transfer Process (User-DTP) and Server Data Transfer Process (Server-DTP).

- FTP client
  The FTP user interface (UI) provides an interactive command line interface (CLI) that receives and interprets command lines entered by users and offers help information. After receiving a command on the UI, FTP triggers User-PI to convert the command into a standard FTP command; User-PI then manages the control connection to the FTP server.
  - After a login command is entered, User-PI creates a control connection between the client and the server.
  - After a directory operation command is entered, User-PI sends and receives control data between the client and the server.
  - After a file transfer command is entered, User-PI enables User-DTP to transfer files between the client and the server. User-DTP is responsible for creating a data connection to the FTP server for the data exchange. The data connection is temporary: it is set up when files or directory listings need to be transferred and torn down when the transfer is complete or a disconnection request is received.
- FTP server
  Server-PI listens on the FTP standard port 21 and waits for connection requests from FTP clients. After receiving a login connection request from an FTP client, the FTP server handles the request and sends a reply.
  - After a login command is received, the login authentication process is triggered. If login authentication succeeds, a control connection to the FTP client is set up.
  - After a file transfer command is received, Server-DTP and User-DTP are triggered to create a data connection and transfer the file. Server-DTP supports both active and passive data connection requests. By default, Server-DTP is in the active state.
When Server-DTP is transferring data, a user can forcibly disconnect the connection. Uponreceiving a disconnection request, Server-DTP stops transferring data and disconnects theconnection. Normally, a data connection is automatically disconnected when file transferis complete.
Process of Setting Up an FTP Connection
The process of setting up an FTP data connection in active mode is as follows:
1. The server listens on port 21 and waits for a connection request from the client.
2. The client sends a connection request to the server.
3. After the request is accepted, a control connection is set up between a temporary port on the client and port 21 on the server.
4. The client sends a command that requires a data connection to the server.
5. The client chooses a temporary port for the data connection and sends its number to the server in the PORT command over the control connection.
6. The server sends a connection request to the temporary port on the client to set up the data connection.
7. After the client accepts the request, the data connection between the temporary port on the client and port 20 on the server is set up.

The process of setting up an FTP data connection in passive mode is as follows:
1. The server listens on port 21 and waits for a connection request from the client.
2. The client sends a connection request to the server.
3. After the request is accepted, a control connection is set up between a temporary port on the client and port 21 on the server.
4. The client sends a command that requires a data connection to the server.
5. The client sends the PASV command to the server to request a port number.
6. The server chooses a temporary port for the data connection and sends its number to the client over the control connection.
7. The client sends a connection request to that temporary port on the server.
8. The data connection between the temporary port on the client and the temporary port for the data connection on the server is set up.
Figure 1-3 Process of setting up an FTP connection
[Figure: FTP client 10.168.2.45/32 (control port 2345, data port 2346) and FTP server (ports 21 and 20); the client sends PORT 10,168,2,45,9,42 over the control connection]
Figure 1-3 shows the process of setting up an FTP connection, assuming that the number of the temporary port for the control connection is 2345 and the number of the temporary port for the data connection is 2346.
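The PORT argument drawn in Figure 1-3 (10,168,2,45,9,42) carries the client's address and data port as six decimal fields, the port being p1 * 256 + p2 (9 * 256 + 42 = 2346); a PASV reply uses the same form. The following Python is an added example, not code from this document or from the NE40E. It decodes and encodes that form and applies the check an FTP server should make before opening an active-mode data connection: the address named in PORT must be the peer of the control connection and must not be a privileged port. The PASV reply line and the control-peer address used here are constructed sample values.

```python
import ipaddress
import re

# Constructed sample lines. The PORT command is the one drawn in Figure 1-3;
# the PASV reply is a made-up server reply in the RFC 959 format.
SAMPLE_PORT_CMD = "PORT 10,168,2,45,9,42"
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (10,168,2,1,195,80)"

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_host_port(text):
    """Decode the h1,h2,h3,h4,p1,p2 field of a PORT command or PASV reply.

    Returns (dotted_ip, port) with port = p1 * 256 + p2. Every field must fit
    in one byte; the regex only bounds the digit count, so range-check here.
    """
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field found")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field value exceeds 255")
    ip = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    return str(ip), fields[4] * 256 + fields[5]


def encode_host_port(ip, port):
    """Build the h1,h2,h3,h4,p1,p2 argument for a PORT command or PASV reply."""
    if not 0 < port <= 65535:
        raise ValueError("port out of range")
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ",".join(octets + [str(port // 256), str(port % 256)])


def check_port_command(command, control_peer_ip):
    """Server-side acceptance check for an active-mode PORT command.

    The server is about to open a connection from port 20 to the address the
    client named, so the address must be the peer of the control connection
    and the port must not be a privileged one. Returns (ip, port) on success.
    """
    verb, _, arg = command.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError("not a PORT command")
    ip, port = decode_host_port(arg)
    if ip != control_peer_ip:
        raise ValueError("PORT address %s does not match control peer %s" % (ip, control_peer_ip))
    if port < 1024:
        raise ValueError("PORT to privileged port %d refused" % port)
    return ip, port


if __name__ == "__main__":
    print(decode_host_port(SAMPLE_PORT_CMD))        # ('10.168.2.45', 2346)
    print(decode_host_port(SAMPLE_PASV_REPLY))      # ('10.168.2.1', 50000)
    print(encode_host_port("10.168.2.45", 2346))    # 10,168,2,45,9,42
    print(check_port_command(SAMPLE_PORT_CMD, "10.168.2.45"))
```

The address comparison is the point of the example: an FTP server that connects to whatever address a PORT command names can be made to open connections on the client's behalf, so matching it against the control connection's peer is the usual server-side mitigation.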
1.4.2 TFTP
The Trivial File Transfer Protocol (TFTP) is a simple protocol for file transfer.
The TFTP client supports file upload and download by using TFTP. To keep the implementation simple, TFTP uses the User Datagram Protocol (UDP) as its transport protocol. Compared with FTP, TFTP does not require complicated interaction interfaces and authentication control. Therefore, TFTP is applicable in a networking environment without complicated interactions between the client and the server. For example, you can obtain the memory image of the system through TFTP when the system starts up. To keep TFTP packets small, TFTP is implemented on top of UDP.
Presently, the NE40E implements the TFTP client rather than the TFTP server. The TFTP client can upload and download files.
Basic Concepts of TFTP
- Operation code
  The TFTP packet header contains a two-byte operation code, with values defined as follows:
  - 1: Read request (RRQ)
  - 2: Write request (WRQ)
  - 3: Data (DATA)
  - 4: Acknowledgment (ACK): a positive reply packet
  - 5: Error (ERROR)
- File type
  TFTP supports the following file types:
  - Binary type: used to transfer program files.
  - ASCII type: used to transfer text files.
  Currently, the NE40E can act only as the TFTP client and only the binary transfer type is available.
Basic Principle of TFTP
- A user name and password are not required.
  This is because TFTP is designed for the bootstrap process.
- TFTP transfer
  The client initiates the TFTP transfer.
  To download files, the client sends an RRQ to the server. The server then accepts the request and sends a data packet to the client. After receiving the data packet, the client sends an ACK packet to the server.
  To upload files, the client sends a WRQ to the server. After the server accepts the request, the client sends a data packet to the server and waits for an ACK packet from the server.
- Support for IPv6
  At present, the TFTP client supports access to IPv6 host addresses.
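To make the opcode layout and the lock-step RRQ/DATA/ACK exchange described above concrete, here is an added Python example (not code from this document or from the NE40E). It builds and parses the five TFTP packet types of RFC 1350 and drives a client-side download the way the text describes, including what the client does with a retransmitted DATA block and with an ERROR packet. The file name and file contents are constructed sample data.

```python
import struct

# Opcodes from the two-byte TFTP header (RFC 1350), as listed in this section.
RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512

# Constructed sample file: 600 bytes, so it needs one full block and one short block.
SAMPLE_NAME = "boot.bin"
SAMPLE_FILE = bytes(range(256)) * 2 + b"x" * 88


def build_request(opcode, filename, mode="octet"):
    """RRQ/WRQ: opcode | filename | 0 | mode | 0  ('octet' is the binary type)."""
    if opcode not in (RRQ, WRQ):
        raise ValueError("request opcode must be RRQ or WRQ")
    return struct.pack("!H", opcode) + filename.encode("ascii") + b"\0" + mode.encode("ascii") + b"\0"


def build_data(block, payload):
    """DATA: opcode | block number | up to 512 bytes of payload."""
    if len(payload) > BLOCK_SIZE:
        raise ValueError("payload exceeds one block")
    return struct.pack("!HH", DATA, block) + payload


def build_ack(block):
    """ACK: opcode | block number."""
    return struct.pack("!HH", ACK, block)


def parse_packet(pkt):
    """Parse one TFTP packet into a dict keyed by opcode-specific fields."""
    if len(pkt) < 2:
        raise ValueError("packet too short")
    (opcode,) = struct.unpack("!H", pkt[:2])
    body = pkt[2:]
    if opcode in (RRQ, WRQ):
        parts = body.split(b"\0")
        if len(parts) < 3 or parts[-1] != b"" or not parts[0]:
            raise ValueError("malformed request")
        return {"opcode": opcode, "filename": parts[0].decode("ascii"), "mode": parts[1].decode("ascii").lower()}
    if opcode in (DATA, ACK):
        if len(body) < 2:
            raise ValueError("missing block number")
        (block,) = struct.unpack("!H", body[:2])
        if opcode == ACK:
            return {"opcode": ACK, "block": block}
        payload = body[2:]
        return {"opcode": DATA, "block": block, "payload": payload, "last": len(payload) < BLOCK_SIZE}
    if opcode == ERROR:
        if len(body) < 3 or body[-1:] != b"\0":
            raise ValueError("malformed error packet")
        (code,) = struct.unpack("!H", body[:2])
        return {"opcode": ERROR, "code": code, "message": body[2:-1].decode("ascii", "replace")}
    raise ValueError("unknown opcode %d" % opcode)


def send_file_packets(data):
    """Server side of a download: the DATA packets for `data`, in order.

    A file whose size is a multiple of 512 still ends with an empty DATA
    packet so the client can tell that the transfer is complete.
    """
    blocks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
    if not blocks or len(blocks[-1]) == BLOCK_SIZE:
        blocks.append(b"")
    return [build_data(n + 1, chunk) for n, chunk in enumerate(blocks)]


def receive_file(data_packets):
    """Client side of a download after the RRQ: lock-step DATA/ACK handling.

    Returns (file_bytes, acks_sent). A DATA packet whose block number is not
    the expected one (a retransmission or a stray packet) is ignored rather
    than re-acknowledged, which avoids the duplicate-ACK storm described in
    RFC 1123. The transfer ends at the first block shorter than BLOCK_SIZE.
    """
    expected, chunks, acks = 1, [], []
    for pkt in data_packets:
        p = parse_packet(pkt)
        if p["opcode"] == ERROR:
            raise RuntimeError("server error %d: %s" % (p["code"], p["message"]))
        if p["opcode"] != DATA:
            raise ValueError("unexpected opcode %d" % p["opcode"])
        if p["block"] != expected:
            continue
        chunks.append(p["payload"])
        acks.append(build_ack(expected))
        expected += 1
        if p["last"]:
            return b"".join(chunks), acks
    raise RuntimeError("transfer did not complete")
```

Since TFTP has no authentication, the parser's strictness (rejecting requests without a terminating NUL, data packets without a block number, and unknown opcodes) is the only input validation a TFTP endpoint gets; anything that reaches the UDP port is handled by this code path.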
1.4.3 Introduction to Telnet
The Telecommunication Network Protocol (Telnet) is derived from ARPANET and is one of the earliest Internet applications, released in 1969. Telnet enables a terminal to log in to a server remotely and provides an interactive operation interface. Through Telnet, a user logged in to one host can log in to other hosts to configure and manage them without being physically connected to each of them.
Basic Concepts of Telnet
- NVT
  The Network Virtual Terminal (NVT) is a virtual device to and from which both ends of a Telnet connection, the client and the server, map their real terminals. By using the NVT, Telnet can operate between any hosts (any operating systems) or terminals. That is, the client operating system must map whatever type of terminal the user is using to the NVT. The server must then map the NVT to whatever terminal type the server supports. Figure 1-4 shows the conversion between physical terminals and the NVT.
Figure 1-4 Conversion between physical terminals and the NVT
[Figure: terminal (local character set) - Telnet client - Internet (NVT character set) - Telnet server - terminal driver (remote character set)]
- NVT ASCII
  NVT ASCII is a 7-bit ASCII character set. Each 7-bit character is sent as an 8-bit byte, with the high-order bit set to 0. The Internet protocol suite, including FTP and the Simple Mail Transfer Protocol (SMTP), uses NVT ASCII.
- IAC
  Telnet uses in-band signaling in both directions. The byte 0xff is called the Interpret As Command (IAC). The next byte is the command byte. Commands and their meanings are listed as follows:
  - SE: suboption end
  - SB: suboption begin
  - WILL: option negotiation
  - WONT: option negotiation
  - DO: option negotiation
  - DONT: option negotiation
  - IAC: data byte 255
Table 1-1 Telnet command set defined in RFCs
Name    Code (Decimal Notation)   Description
EOF     236                       End of file
SUSP    237                       Suspend current process (job control)
ABORT   238                       Abort process
EOR     239                       End of record
SE      240                       Suboption end
NOP     241                       No operation
DM      242                       Data mark
BRK     243                       Break
IP      244                       Interrupt process
AO      245                       Abort output
AYT     246                       Are you there?
EC      247                       Escape character
EL      248                       Erase line
GA      249                       Go ahead
SB      250                       Suboption begin
WILL    251                       Option negotiation
WONT    252                       Option negotiation
DO      253                       Option negotiation
DONT    254                       Option negotiation
IAC     255                       Data byte 255
- Telnet connection
  A Telnet connection is a TCP connection used to transmit data together with Telnet control information.
- Telnet client/server mode
  Telnet adopts the client/server mode. Figure 1-5 shows the schematic diagram of the Telnet client/server mode.
Figure 1-5 Schematic diagram of the Telnet client/server mode
[Figure: user at a terminal - terminal driver - kernel (TCP/IP) - Telnet client; TCP connection; Telnet server - kernel (TCP/IP) - pseudoterminal driver - login shell]
The preceding diagram shows that:
- Telnet uses TCP.
- All echo messages of the Telnet connection are output to the terminal.
- The server interacts directly with the pseudo terminal.
- Commands and data are transmitted between the server and the client through the TCP connection.
- The client logs in to the server.
Principle of Telnet
Telnet is designed to operate between any two hosts or terminals. The client operating system maps whatever type of terminal the user is using to the NVT. The server then maps the NVT to whatever terminal type the server supports. The types of clients and terminals are ignored. Both communication ends are simply assumed to be connected to NVTs.
NOTE
Telnet adopts the symmetric mode. Theoretically, there must be an NVT at each of the two ends of a Telnet connection.
The two ends of a Telnet connection send WILL, WONT, DO, or DONT requests for option negotiation. The options to be negotiated include echo, character set of command change, and line mode.
This section describes the operating principles of Telnet:
- Requests in a Telnet connection
  Either end of a Telnet connection can initiate a request to the other end. Table 1-2 shows the different requests and their meanings.
Table 1-2 Description of requests for a Telnet connection
Request   Description                                Response
                                                     WILL                WONT                   DO                  DONT
WILL      Sender wants to enable option              -                   -                      Receiver says OK    Receiver says NO
WONT      Sender wants to disable option             -                   -                      -                   Receiver must say OK
DO        Sender wants receiver to enable option     Receiver says OK    Receiver says NO       -                   -
DONT      Sender wants receiver to disable option    -                   Receiver must say OK   -                   -
NOTE
When the sender sends an "option disable" request, such as WONT or DONT, the receiver must accept the request.
When the sender sends an "option enable" request, such as WILL or DO, the receiver can either accept or reject the request.
- If the receiver accepts the request, the option is enabled immediately.
- If the receiver rejects the request, the option remains disabled, but the sender can retain the features of the NVT.
- Option negotiation
  Option negotiation requires three bytes: the IAC byte, the byte for WILL, DO, WONT, or DONT, and the option ID.
  The following example illustrates the process of option negotiation.
  The server needs to enable "remote traffic control" with option ID 33, and the client grants the request. The commands exchanged between the server and client are as follows:
  On the server:
  On the client:
- Suboption negotiation
  Certain options require more information than the option ID. For example, if the sender requires the receiver to specify the terminal type, the receiver must respond with an ASCII string to specify the terminal type.
  The format of the commands for suboption negotiation is as follows:
  <IAC, SB, option code, contents of suboption, IAC, SE>
  A complete process of suboption negotiation is as follows:
  - The sender sends a DO or WILL command carrying an option ID to request that the option be enabled.
  - The receiver returns a WILL or DO command carrying the option ID to accept the request.
    After the preceding two steps, both ends agree to enable the option.
  - One end of the connection starts suboption negotiation by sending a request composed of SB, the suboption ID, and SE in sequence.
  - The opposite end responds to the request for suboption negotiation by sending a command composed of SB, the suboption ID, the related negotiation information, and SE in sequence.
  - The receiver returns a DO or WILL command to accept the negotiation information about the suboption.
  - If there are no additional suboptions to be negotiated, the negotiation ends.
  NOTE
  In the preceding process, the receiver is assumed to accept the request from the sender. In practice, the receiver can reject requests from the sender at any time as required.
  The following example illustrates the process of terminal type negotiation.
  The client needs to enable "terminal type" with option ID 24. The server grants the request and sends a request querying the client terminal type. The client then sends the server another request carrying its terminal type "DELL PC". The commands exchanged between the server and client are as follows:
  On the client:
  On the server:
  On the server:
  On the client:
  NOTE
  - Only the sender that sends the DO command can request terminal type information.
  - Only the sender that sends the WILL command can provide terminal type information.
  Terminal type information cannot be sent automatically but only in request-response mode. The terminal type is an NVT ASCII string of case-insensitive characters.
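The IAC command bytes of Table 1-1, the response rules of Table 1-2, and the terminal type subnegotiation just described can all be exercised with the following added Python example, which is not code from this document or from the NE40E. It parses an inbound Telnet byte stream into data and commands, handling the IAC IAC escape for data byte 255 and IAC SB ... IAC SE suboptions, and answers option requests from the server side: DO or WILL only for options on an allow list, DONT or WONT otherwise, and disable requests always acknowledged. The client byte stream is a constructed sample; the echo option number (RFC 857) and the IS/SEND suboption codes of the terminal type option (RFC 1091) are taken from those RFCs, not from this document.

```python
# Telnet command bytes (decimal values from Table 1-1) and option codes.
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
OPT_ECHO = 1                # echo option (RFC 857)
OPT_TERMINAL_TYPE = 24      # terminal type option, ID 24 as in this section
TT_IS, TT_SEND = 0, 1       # terminal type suboption codes (RFC 1091)

# Constructed client stream: WILL TERMINAL-TYPE, some data containing an
# escaped 0xff byte, the terminal type suboption, and a truncated command.
SAMPLE_CLIENT_STREAM = (bytes([IAC, WILL, OPT_TERMINAL_TYPE]) + b"hello\xff\xff"
                        + bytes([IAC, SB, OPT_TERMINAL_TYPE, TT_IS]) + b"DELL PC" + bytes([IAC, SE])
                        + bytes([IAC, DO]))


def parse_telnet(stream):
    """Split a byte stream into ('data', bytes), ('cmd', cmd, opt) and ('sub', opt, bytes) events.

    IAC IAC is the escape for data byte 255. Option commands take one more
    byte; IAC SB ... IAC SE brackets a suboption. Any incomplete trailing
    command is returned unparsed so the caller can prepend it to the next read.
    """
    events, data, i, n = [], bytearray(), 0, len(stream)
    while i < n:
        b = stream[i]
        if b != IAC:
            data.append(b)
            i += 1
            continue
        if i + 1 >= n:
            break                                   # lone IAC: need more input
        cmd = stream[i + 1]
        if cmd == IAC:                              # escaped data byte 255
            data.append(IAC)
            i += 2
            continue
        if data:
            events.append(("data", bytes(data)))
            data = bytearray()
        if cmd in (WILL, WONT, DO, DONT):
            if i + 2 >= n:
                break                               # option byte not yet received
            events.append(("cmd", cmd, stream[i + 2]))
            i += 3
            continue
        if cmd == SB:
            end = stream.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                break                               # suboption not yet complete
            body = stream[i + 2:end]                # option code, then suboption contents
            if not body:
                raise ValueError("empty suboption")
            events.append(("sub", body[0], bytes(body[1:])))
            i = end + 2
            continue
        events.append(("cmd", cmd, None))           # two-byte commands: NOP, AYT, ...
        i += 2
    if data:
        events.append(("data", bytes(data)))
    return events, bytes(stream[i:])


class TelnetServerNegotiator:
    """Server-side replies following Table 1-2.

    `offer` lists options this side will enable when asked with DO; `accept`
    lists options the client may enable with WILL. Everything else is
    refused, and disable requests (WONT/DONT) are always acknowledged. A full
    implementation also tracks option state so it never replies to a request
    that changes nothing (the RFC 854 loop rule); that bookkeeping is left out.
    """

    def __init__(self, offer=(), accept=(OPT_TERMINAL_TYPE,)):
        self.offer, self.accept = set(offer), set(accept)
        self.terminal_type = None

    def handle(self, event):
        """Return the bytes to send back for one parsed event (b"" if none)."""
        if event[0] == "cmd" and event[2] is not None:
            cmd, opt = event[1], event[2]
            if cmd == WILL:
                if opt not in self.accept:
                    return bytes([IAC, DONT, opt])
                reply = bytes([IAC, DO, opt])
                if opt == OPT_TERMINAL_TYPE:        # the DO side may now ask for the type
                    reply += bytes([IAC, SB, opt, TT_SEND, IAC, SE])
                return reply
            if cmd == DO:
                return bytes([IAC, WILL if opt in self.offer else WONT, opt])
            if cmd == WONT:
                return bytes([IAC, DONT, opt])
            return bytes([IAC, WONT, opt])          # DONT must be accepted
        if event[0] == "sub" and event[1] == OPT_TERMINAL_TYPE and event[2][:1] == bytes([TT_IS]):
            # Terminal type is an NVT ASCII string, compared case-insensitively.
            self.terminal_type = event[2][1:].decode("ascii", "replace").upper()
        return b""
```

Because the negotiation is in-band, a server that enables any option a peer asks for is letting the client reconfigure the session; the allow-list in the negotiator is the place where that is bounded.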
- Operating modes
  Telnet has the following operating modes:
  - Half-duplex
  - Character at a time
  - Line at a time
  - Line mode
IPv6 Telnet Features Supported by the Router
At present, the Telnet client can access hosts with IPv6 addresses, and the Telnet server can receive connection requests from hosts with IPv6 addresses.
Telnet Services Provided by the Router
The router provides the following Telnet services:
- Telnet server
  A user runs the Telnet client application on a PC to log in to the router and configure and manage it.
  The standard port number for a Telnet server is 23. If attackers access the standard port continuously, bandwidth is consumed and the performance of the server is degraded. As a result, legitimate users cannot access the port.
  In this case, you can configure another port number to replace the standard port number 23. Attackers who do not know the new port number will still send socket connection requests to port 23. The Telnet server will reject the requests after detecting the wrong port number. This effectively prevents the bandwidth consumption and waste of system resources caused by an attack on the standard Telnet server port.
- Telnet client
  After running the terminal emulation program or Telnet client application on a PC to connect to the router, a user runs the telnet command to log in to the device and manage it. As shown in Figure 1-6, Router A can function as both a Telnet server and a Telnet client.
Figure 1-6 Router A functioning as a Telnet client
[Figure: PC - Telnet session 1 - Router A - Telnet session 2 - Router B (Telnet server)]
- Terminal redirection
  As shown in Figure 1-7, a user runs the Telnet client application and logs in to the router through a specified port, and then sets up connections with the devices connected to the router through asynchronous serial interfaces. The typical application is remote configuration and maintenance of the devices directly connected to the router through asynchronous serial interfaces.
Figure 1-7 Terminal redirection
[Figure: PC - Ethernet - Router, with Router 1, Router 2, a LAN switch and a modem attached through asynchronous serial interfaces Async0, Async1, Async2 and Async8/16]
NOTE
Only the routers having asynchronous serial interfaces support terminal redirection.
1.4.4 SSH
SSH is short for Secure Shell. Its standard port number is 22.
Data transmission in Telnet mode is prone to attack, because Telnet does not have a secure authentication mode and uses TCP to transmit data in plain text. Simple Telnet access is also vulnerable to Denial of Service (DoS) attacks, IP address spoofing, and route spoofing.
With the increasing emphasis on network security, the plain-text data transmission used by traditional Telnet and FTP is becoming unacceptable. SSH is a network security protocol that provides secure remote access and other secure network services on an insecure network by encrypting network data.
SSH uses TCP to exchange data and builds a secure channel on top of TCP. In addition to the standard port 22, SSH supports access through other service ports to mitigate attacks.
SSH supports password authentication, Digital Signature Algorithm (DSA) authentication, and Rivest-Shamir-Adleman (RSA) authentication. It uses DES, 3DES, and AES encryption to prevent password interception, ensuring the integrity and reliability of the data and guaranteeing secure data transmission. In particular, RSA and DSA authentication supports the combined use of symmetric and asymmetric encryption. This implements secure key exchange and finally secures the session process.
By virtue of data encryption in transmission and more secure authentication, SSH is widely used and has become one of the more important network protocols.
SSH has two versions: SSH1 (SSH 1.5) and SSH2 (SSH 2.0). The two are different and incompatible. SSH 2.0 is superior to SSH 1.5 in security, functions, and performance.
Devices that can function as the STelnet client and server support both SSH1 (SSH 1.5) and SSH2 (SSH 2.0). Devices that can function as the SFTP client and server support SSH2 (SSH 2.0).
Secure Telnet (STelnet) enables users to log in to the device remotely and securely, and provides the interactive configuration interface. All data exchanged over STelnet is encrypted. This ensures the security of sessions.
The SSH File Transfer Protocol (SFTP) enables users to log in to the device securely for file management from a remote device. This improves the security of data transmission for remote system updates. Meanwhile, the client function provided by SFTP enables users to log in to the remote device for secure file transmission.
Basic Concepts of SSH
- SFTP
  SFTP guarantees secure file transfer over an insecure network by authenticating the client and encrypting data in both directions.
- STelnet
  STelnet provides secure Telnet services. It guarantees secure file transfer on a traditionally insecure network by authenticating the client and encrypting data in both directions.
- RSA authentication
  RSA authentication is based on the private key of the client. RSA is a public key encryption architecture and an asymmetric encryption algorithm. Its security rests on the difficulty of factoring large numbers, and it is mainly used to transmit the keys of a symmetric encryption algorithm, which improves encryption efficiency and simplifies key management.
  The server checks whether the SSH user, the public key, and the user's digital signature are valid. If all of them are valid, the user is permitted to access the server; if any of them is invalid, the authentication fails and the user is denied access.
- DSA authentication
  The Digital Signature Algorithm (DSA) is an asymmetric encryption algorithm used for authenticating clients. DSA uses a public key and a private key.
  Like RSA, the server checks whether the SSH user, the public key, and the user's digital signature are valid. If all of them are valid, the user is permitted to access the server; if any of them is invalid, the authentication fails and the user is denied access.
  Compared with RSA authentication, DSA authentication adopts the DSA encryption mode and is widely used. In many cases, SSH supports only DSA to authenticate the server and the client. In SSH, DSA authentication takes precedence over RSA authentication.
- Password authentication
  Password authentication is based on the user name and password.
  On the server, the AAA module assigns a login password to each authorized user. The server holds the mappings between user names and passwords. When a user requests access to the server, the server authenticates the user name and password. If either of them fails authentication, access is denied.
- RSA-password authentication and DSA-password authentication
  The server can authenticate the client by checking both the public key and the password. It allows user access only when both the public key and the password are consistent with those configured on the server.
- ALL authentication
  The server can authenticate the client by checking both the public key and the password. It allows user access when either the public key or the password is consistent with that configured on the server.
SSH Features Supported by the Device
- Basic SSH functions
  - Different encryption algorithms for incoming and outgoing data
  - Different MAC algorithms for incoming and outgoing data
  - Encryption algorithms 3DES-CBC, DES, and Advanced Encryption Standard (AES128)
  - HMAC-SHA1 authentication algorithm
  - HMAC algorithms, including sha1, sha1-96, sha2-256, sha2-256-96, md5, and md5-96
  - diffie-hellman-group1-sha1 and diffie-hellman-group-exchange-sha1 algorithms for key exchange
  - Public key format SSH-RSA
  - Public key format SSH-DSA
  - Key re-exchange (renegotiation of the key; during this process, the algorithm and the key used for the algorithm are negotiated)
  - Public key authentication and password authentication
- SSH client function
  The SSH client function allows users to establish SSH connections with a UNIX host or a device supporting the SSH server. Figure 1-8 and Figure 1-9 show the establishment of an SSH connection in a Local Area Network (LAN) and in a Wide Area Network (WAN) respectively.
Figure 1-8 Establishing an SSH connection in a LAN
[Figure: PC running the SSH client, laptop, server and workstation on Ethernet 100BASE-TX with a router]
Figure 1-9 Establishing an SSH connection in a WAN
[Figure: PC running the SSH client in the local LAN - router - WAN (SSH) - router - PC in the remote LAN]
- SSH for SFTP
  SFTP is based on SSH 2.0. It guarantees secure file transfer on a traditionally insecure network by authenticating the client and encrypting data in both directions. An SFTP-enabled device can provide the following functions:
  - Acting as the SFTP client or the SFTP server
  - Enabling or disabling SFTP services (by default, SFTP services are disabled)
  - Setting the default directory that the SFTP client is allowed to access
- SSH for STelnet
  An STelnet-enabled device can provide the following functions:
  - Acting as the STelnet client or the STelnet server
  - Enabling or disabling STelnet services (by default, STelnet services are disabled)
- SSH for non-standard ports
  The standard SSH listening port number is 22. When attackers continuously access the port, the bandwidth and performance of the server are reduced and authorized users are prevented from accessing this port. This is known as a DoS attack.
  To address the problem, you can change the listening port to another port on the SSH server. This prevents attackers from consuming bandwidth and system resources. Authorized users can still access the SSH server through the non-standard port, which reduces the impact of DoS attacks. Applications of this function are as follows:
  - The STelnet client can access the server using a non-standard port.
  - The listening port can be set on the SSH server.
- SSH for IPv6
  At present, the SSH client can access an IPv6 host address and the SSH server can set up an IPv6 connection.
Principles of SSH
SSH uses the traditional client/server (C/S) application model. Its security is guaranteed by the following mechanisms:
Data encryption: Through negotiation between the client and the server, an encryption key is generated and used for symmetric encryption of the data. This ensures confidentiality during data transmission.
Data integrity: Through negotiation between the client and the server, an integrity key is generated and used to uniquely identify a session link. All session packets are identified by the integrity key. Any modification made by a third party during transmission can be detected by the receiver based on the integrity key. The receiver can discard the modified packets to ensure data integrity.
Authority authentication: There are multiple authentication modes. Authority authentication allows only valid users to have a session with the server, improving system security and safeguarding the interests of valid users.
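In SSH 2.0 the data integrity mechanism above is a MAC computed with the negotiated integrity key over the packet sequence number and the unencrypted packet (RFC 4253, section 6.4); the HMAC variants listed under "SSH Features Supported by the Device" differ only in the hash function and in whether the tag is truncated to 96 bits. The following Python is an added example, not code from this document or from the NE40E. It computes and checks such tags with the standard library and shows that a modified packet and a replayed packet are both rejected by a receiver that keeps the sequence number in step. The integrity key and packet contents are constructed sample values; a real key comes out of the key exchange phase.

```python
import hashlib
import hmac
import struct

# MAC algorithm name -> (hash constructor, tag length in bytes). The "-96"
# variants keep only the first 96 bits of the HMAC output (RFC 4253 6.4).
MAC_ALGS = {
    "hmac-sha1": (hashlib.sha1, 20),
    "hmac-sha1-96": (hashlib.sha1, 12),
    "hmac-md5": (hashlib.md5, 16),
    "hmac-md5-96": (hashlib.md5, 12),
    "hmac-sha2-256": (hashlib.sha256, 32),
}

# Constructed sample values, not material from any real session.
SAMPLE_INTEGRITY_KEY = b"constructed-integrity-key-not-from-a-real-session"
SAMPLE_PACKET = b"\x00\x00\x00\x20" + b"constructed packet body, padding and all......"


def compute_mac(alg, integrity_key, seq, packet):
    """mac = MAC(key, sequence_number || unencrypted_packet), truncated for -96."""
    digestmod, length = MAC_ALGS[alg]
    tag = hmac.new(integrity_key, struct.pack("!I", seq) + packet, digestmod).digest()
    return tag[:length]


def verify_mac(alg, integrity_key, seq, packet, tag):
    """Constant-time comparison of the received tag against the recomputed one."""
    return hmac.compare_digest(compute_mac(alg, integrity_key, seq, packet), tag)


class IntegritySender:
    """Send side: tags each packet with the next implicit 32-bit sequence number."""

    def __init__(self, alg, integrity_key):
        self.alg, self.key, self.seq = alg, integrity_key, 0

    def tag(self, packet):
        t = compute_mac(self.alg, self.key, self.seq, packet)
        self.seq = (self.seq + 1) & 0xFFFFFFFF
        return t


class IntegrityReceiver:
    """Receive side: keeps its own copy of the sequence number in step.

    The sequence number is part of the MAC input but is never transmitted,
    so a packet that is replayed or delivered out of order fails verification
    even though its tag was genuine when first sent. A failed packet does not
    advance the counter; in a real implementation it ends the connection.
    """

    def __init__(self, alg, integrity_key):
        self.alg, self.key, self.seq = alg, integrity_key, 0

    def accept(self, packet, tag):
        ok = verify_mac(self.alg, self.key, self.seq, packet, tag)
        if ok:
            self.seq = (self.seq + 1) & 0xFFFFFFFF
        return ok
```

The truncated variants shorten the tag, not the key or the hash computation, so choosing hmac-sha1-96 over hmac-sha1 only reduces the per-packet overhead by 8 bytes and the forgery resistance from 160 to 96 bits.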
Establishment of an SSH Connection
The SSH connection goes through six phases during the entire communication process, as shown in Figure 1-10. The SSH connection is established through negotiation. The following is the entire SSH negotiation procedure.
Figure 1-10 Establishment of an SSH connection
[Figure: version negotiation -> algorithm negotiation -> key exchange -> user authentication -> session request -> interactive session]
1. Version negotiation
   In the version negotiation phase, the SSH client sends a request to set up a TCP connection to the SSH server. After the TCP connection is set up, the SSH server and SSH client negotiate the SSH version. Each protocol version corresponds to a different state machine, so a matching version must be agreed on first. If the version of the client matches that of the server, the key negotiation starts; otherwise, the SSH server tears down the TCP connection.
2. Algorithm negotiation
   In the algorithm negotiation phase, the sender sends algorithm negotiation messages to the receiver, together with their parameters, such as the random cookie, key exchange algorithm, host key algorithm, Message Authentication Code (MAC) method, and supported language.
   After receiving these algorithm negotiation messages, the receiver compares the received algorithm list with the local algorithm list. If the key exchange algorithm, public key encryption algorithm, or MAC algorithm is not found, the receiver tears down the connection with the sender and the algorithm negotiation fails.
3. Key exchange
   After the server and client negotiate the version, the server sends the client a packet containing the server's host public key, the server public key, the supported encryption algorithms, the authentication algorithms, the protocol extension flag, and an 8-byte cookie. This packet is sent in plain text. Then, the server and client calculate a 16-byte session ID using the same parameters. The client also randomly generates a 32-byte session key used to encrypt data. The client does not send the session key to the server, but uses the most significant 16 bytes of the session key to XOR the 16-byte session ID to obtain a result. The client then arranges the result using the Most Significant Bit (MSB) first rule and obtains a multiple precision (MP) integer. Then the client encrypts the MP integer using the public key with the smaller modulus, arranges the result using the MSB first rule again, and obtains a new value. Then the client uses the public key with the larger modulus to encrypt the new value.
   The server is now in the waiting state. When receiving a key generation message from the client, the server returns a key generation message to the client, which indicates that the key exchange is complete and that the new key should be used for communications. If the server fails to receive a key generation message from the client, it returns a key exchange failure message and tears down the connection.
4. User authentication
   After obtaining the session key, the SSH server authenticates the SSH client. The SSH client sends its identity information to the SSH server. After a specific authentication mode is configured on the SSH server, the client sends an authentication request. If the authentication succeeds or the connection with the server expires, the connection is terminated.
   The SSH server authenticates a user in one of the following ways:
   - In RSA or DSA authentication, the client generates an RSA or DSA key pair and sends the public key to the server. When a user initiates an authentication request, the client randomly generates a text, encrypts it with the private key, and sends it to the server. The server decrypts it by using the public key. If decryption succeeds, the server considers this user trustworthy and grants access rights. If decryption fails, the server tears down the connection.
   - Password authentication is implemented based on AAA. Like Telnet and FTP, SSH supports local database authentication and remote RADIUS server authentication. The SSH server compares the user name and password of an SSH client with the pre-configured ones. If both match, authentication succeeds.
5. Session request
   After user authentication is complete, the client sends a session request to the server. Session requests include running a shell and running commands. Meanwhile, the server waits to process the request from the client. During this phase, the server responds to the client with an SSH_SMSG_SUCCESS message after successfully processing a request from the client. If the server fails to process or identify the request, it responds with an SSH_SMSG_FAILURE message.
   Possible causes of the failure response are as follows:
   - The server fails to process the request.
   - The server cannot identify the request.
6. Interactive session
   After the session request is accepted, the SSH connection enters the interactive session mode. In this phase, data is transmitted bidirectionally.
   a. The client sends a packet with the encrypted command to the server.
   b. After receiving the packet, the server decrypts the packet and runs the command. Then, the server encrypts the command execution results, packages them, and sends the packet to the client.
   c. Upon receiving the packet, the client decrypts it and displays the command execution results on the terminal.
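The first two phases above, version negotiation and algorithm negotiation, can be written down as plain list processing. The following Python is an added example, not code from this document or from the NE40E. It validates the SSH identification line, decides whether the two sides share a protocol version (1.99 advertises both 1.x and 2.0 per RFC 4253), and then applies the RFC 4253 name-list rule, taking the first algorithm on the client's list that the server also supports, separately for each direction, so that different incoming and outgoing algorithms can result as the feature list mentions. The server and client preference lists and the software version string are constructed samples built from algorithm names in this section; a client that offers only an algorithm the server has removed gets a disconnect, which is how restricting the server's list takes effect.

```python
# Identification lines and name-lists follow RFC 4253. All lists below are
# constructed samples built from the algorithm names this section lists.
SERVER_ID_LINE = "SSH-2.0-ExampleDevice_1.0\r\n"       # constructed software version string

SERVER_ALGS = {
    "kex": "diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1",
    "hostkey": "ssh-rsa,ssh-dss",
    "cipher_c2s": "aes128-cbc,3des-cbc",
    "cipher_s2c": "aes128-cbc,3des-cbc",
    "mac_c2s": "hmac-sha1,hmac-sha1-96",
    "mac_s2c": "hmac-sha1,hmac-sha1-96",
}
CLIENT_ALGS = {
    "kex": "diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1",
    "hostkey": "ssh-rsa",
    "cipher_c2s": "3des-cbc,aes128-cbc",
    "cipher_s2c": "aes128-cbc",
    "mac_c2s": "hmac-sha1-96,hmac-sha1",
    "mac_s2c": "hmac-md5,hmac-sha1",
}
CATEGORIES = ("kex", "hostkey", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c")


def parse_id_line(line):
    """Return protoversion from 'SSH-protoversion-softwareversion[ SP comments]'."""
    line = line.rstrip("\r\n")
    if not line.startswith("SSH-") or len(line) > 255:
        raise ValueError("not a valid SSH identification line")
    parts = line.split("-", 2)
    if len(parts) != 3 or not parts[1] or not parts[2]:
        raise ValueError("malformed SSH identification line")
    return parts[1]


def negotiate_version(client_line, server_line):
    """Pick the protocol version both sides support, or raise.

    Raising corresponds to the server tearing down the TCP connection.
    '1.99' means the peer speaks both 1.x and 2.0; prefer 2.0 where possible.
    """
    def supported(v):
        return {"2.0", "1.5"} if v == "1.99" else {v}
    common = supported(parse_id_line(client_line)) & supported(parse_id_line(server_line))
    if not common:
        raise ValueError("incompatible SSH protocol versions")
    return "2.0" if "2.0" in common else common.pop()


def parse_name_list(text):
    """Comma-separated names with no empty entries (RFC 4251 name-list)."""
    names = text.split(",") if text else []
    if any(not n for n in names):
        raise ValueError("empty name in name-list")
    return names


def choose_algorithm(client_list, server_list):
    """RFC 4253 7.1: the first name on the client's list that the server also supports."""
    server = set(parse_name_list(server_list))
    for name in parse_name_list(client_list):
        if name in server:
            return name
    raise ValueError("no common algorithm")


def negotiate_algorithms(client_algs, server_algs):
    """Resolve every category; one missing match fails the whole negotiation."""
    chosen = {}
    for category in CATEGORIES:
        try:
            chosen[category] = choose_algorithm(client_algs[category], server_algs[category])
        except ValueError:
            raise ValueError("no common %s algorithm: disconnect" % category)
    return chosen
```

Note which side's preference order wins: the client's. A server cannot steer a client toward its own first choice; it can only decide which names are on its list at all, which is why hardening an SSH server means pruning that list rather than reordering it.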
1.4.5 User Management
Users can log in to the device to configure, monitor, and maintain local or remote network devices only after user interfaces, user management, and terminal services are configured. User interfaces provide the login place, user management ensures login security, and terminal services offer login protocols.
The device supports the following login modes:
- Login through the console port
- Local or remote login through the AUX port
- Local or remote login through Telnet or SSH
User management (consisting of user interface configurations, user view configurations, and terminal services) provides secure login and operations, implementing unified management over different user interfaces.
User Interface
A User Interface (UI), which is presented as a user interface view, enables users to log in to the device. Through the user interface, you can configure the parameters on all physical and logical interfaces that work in asynchronous and interactive modes. In this manner, you can manage, authenticate, and authorize the login users.
- The system supports the following user interfaces:
  - Console port: a serial port on the device's main control board. Each main control board provides a console port that conforms to the EIA/TIA-232 standard, type DCE. The serial port of the user terminal can directly connect to the console port of the device to perform local device configuration.
  - AUX port: also a serial port on the device's main control board. Each main control board provides an AUX port that conforms to the EIA/TIA-232 standard, type DTE. The terminal can access the device remotely through a modem on the AUX port.
  - Virtual Terminal (VTY): a virtual interface representing a logical terminal line. When you set up a Telnet or SSH connection with the device through a terminal, you set up a VTY. You can also access the device locally or remotely through the virtual connection established over the VTY.
- Numbering of user interfaces
  You can number a user interface using one of the following methods:
  - Relative numbering
    The format of relative numbering is: user interface type + number. Relative numbering numbers the interfaces of the same type, and uniquely specifies a user interface among those of the same type. Relative numbering must comply with the following rules:
    Number of the CON port: CON 0
    Number of the AUX port: AUX 0
    Number of the VTY: the first VTY is 0, the second VTY is 1, and so on
  - Absolute numbering
    Absolute numbering uniquely specifies a user interface or a group of user interfaces. Absolute numbers start with 0 and are allocated in the sequence of the CON port, the AUX port, and the VTYs.
    On a main control board, only one CON port or AUX port is present but a maximum of 20 VTYs are present. (The VTYs ranging from 1 to 14 are provided for ordinary Telnet or SSH users and those ranging from 16 to 20 are reserved for Network Management System (NMS) users.) In the system view, the allowable maximum number of user interfaces can be set; the default value is 5.
    By default, the absolute numbering of the CON port, the AUX port, and the VTYs is shown in Table 1-3.
Table 1-3 Example of the absolute numbering of user interfaces

Absolute Number   User Interface
0                 CON 0
33                AUX 0
34                VTY 0: the first VTY
35                VTY 1: the second VTY
36                VTY 2: the third VTY
37                VTY 3: the fourth VTY
38                VTY 4: the fifth VTY
NOTE

Different devices may use different absolute numbering for AUX ports and VTYs. In the example above, the numbers 1 to 32 are reserved for TTYs. A TTY is a synchronous or asynchronous terminal line tied to a specific physical device. The commands for viewing absolute and relative numbering are given elsewhere in this document.
User Login

Without user authentication, anyone can configure the device as soon as a PC is connected to its console port.
Once an IP address is assigned to the main control board or to an interface board, any remote user can log in to the device through Telnet or SSH, or set up a PPP connection with the device to reach the network. The device and the network are therefore exposed to attack. Users should be created on the device and passwords set for them so that the device can control who logs in. SSH users are configured with RSA authentication; other users are configured with AAA. For details, refer to the AAA Feature Description.
User Classification

Users of the device are classified by the type of service they use:

- HyperTerminal users: log in to the device through the console port or the AUX port.
- Telnet users: log in to the device through Telnet.
- FTP users: transfer files by setting up an FTP connection with the device.
- PPP users: access the network by setting up a PPP connection, such as dial-up or PPPoA, with the device.
- SSH users: access the network remotely by setting up an SSH connection with the device, in STelnet mode or SFTP mode.
- NMS users: connect to the device through SNMP or Telnet to manage devices machine-to-machine.

One user can obtain several services at once and so perform several functions. VTY users, that is Telnet or SSH users, must be bound to the access protocols in the user interface view before they can log in.
User Priorities

The system supports hierarchical management of HyperTerminal users and VTY users. The greater the number, the higher the user level, and the user's level determines which commands the user can run:

- With password authentication, the commands a user can run depend on the level of the user interface.
- With AAA authentication, the commands a user can run depend on the level of the local user specified in the AAA configuration.

A user can run the commands whose levels are equal to or lower than the user's own level. For example, a level 2 user can run commands at levels 0, 1, and 2; a level 3 user can run commands at levels 0, 1, 2, and 3.

With the super command a user can switch from a lower level to a higher one. The level reached is the level that was configured for the super command.
NOTE

User levels map one-to-one onto command levels.
User Authentication

Once users are configured, the system authenticates them when they log in:

- Password authentication: users log in by entering a password only, without a username. This mode is configured per terminal line; a password can be set for one terminal line or for a group of terminal lines.
- AAA authentication: either AAA local or AAA remote authentication. In AAA local authentication users enter a username and password held on the device itself, plus, where required, user attributes such as user rights and FTP directory. In AAA remote authentication the user information is configured on the AAA server. As a rule, AAA server authentication is used for VTY users and AAA local authentication for console users. For details, refer to the AAA Feature Description.
Planning Users

The network administrator plans the users of the device as needed:

- Usually at least one HyperTerminal user must be created on the device.
- Telnet or SSH users are configured to allow remote login to the device through Telnet or SSH.
- FTP or SFTP users are configured to allow remote users to upload files to or download files from the device.
- PPP users are configured to allow users to access the network through a PPP connection established with the device.
1.4.6 Virtual File System

The virtual file system has two functions: managing the storage device and managing the files stored on it. Within the file system, users can create, delete, modify, and rename files and directories and view the contents of a file. To manage mass storage devices effectively while hiding the differences between the underlying storage devices, a mass storage device must support the virtual file system, which is easy to use and can be tailored.

Basic Concepts

- Storage device: a hardware device used to store data.
- File: the mechanism by which the system stores and manages information.
- Directory: the mechanism by which the system groups and organizes files; it provides a logical container for files.
Managing Storage Devices

- Repairing a storage device whose file system is abnormal. When the file system on a storage device fails, the device terminal prompts that the fault should be rectified.
- Formatting the storage device. When repair of the file system fails, or when the data on the storage device is no longer needed, the storage device can simply be reformatted. All data on the device is then lost.
If reformatting the storage device fails, the device may have a physical fault.
Managing File Directories

When files are transferred between the client and the server, directories must be set up in the file system. The operations are:

- Display the current directory.
- Change the current directory.
- Display directory or file information.
- Create a directory.
- Delete a directory.

NOTE

Either an absolute path or a relative path may be used.
Managing Files

The following file operations are available:

- Display file contents.
- Copy files.
- Move files: change where a file is stored.
- Rename files: change the name of an existing file.
- Delete files: deleting a file moves it to the recycle bin, so this operation is reversible. The wildcard (*) can be used to delete several files at once.
- Delete files from the recycle bin: this operation is irreversible.
- Restore deleted files: recover files from the recycle bin, the reverse of deleting them.
Miscellaneous

- Executing batch files. A batch file is created and executed to automate several tasks. Batch files must be edited on the client and then uploaded to the device.
- Configuring the prompt mode of the file system. If data is lost or damaged during file management, the system should prompt for corrective steps.

CAUTION

If the prompt mode is set to quiet, the system gives no prompt when data is lost through user error, such as accidentally deleting files. The quiet mode should therefore be used with caution.
1.4.7 Pipe Character

The pipe character filters the output of display commands according to rules set by the user before it is displayed.

During device maintenance a display command may output a great deal of information of which only a part is of real value to the user, for example the status of interfaces, the status of OSPF peers, or the Cyclic Redundancy Check (CRC) statistics of interfaces used to determine or locate a fault. If the output of a display command is left unfiltered, users cannot readily pick out the pertinent information. The pipe character filters out the irrelevant part of the command output so that the desired information stands out and users can rapidly determine the exact nature of a problem.

The filtering rules of the pipe character are:

- include + regular expression: only the lines containing the user-specified content are displayed.
- begin + regular expression: the lines from the first line containing the user-specified content onward are displayed.
- exclude + regular expression: only the lines not containing the user-specified content are displayed.
- count: the lines to be output are counted and only the number of lines is displayed.

Special Processing of Table-form Output

The output of certain display commands contains tables, such as the FIB and ARP tables. A table is composed of a table heading, a table tail, and the table text (the entries). If the heading and tail were subject to pipe filtering they would probably be filtered out, which is inconvenient, so table headings and tails are excluded from the filtering.

In general every display command should support the pipe character. Display commands that meet any of the following conditions, however, need not support it:

- Commands whose output is stable and fits on the current screen.
- Commands whose output does not vary with configuration, dynamic data, or specifications.
- Commands used in the diagnostic view, such as those used to collect information.
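The four filtering rules and the table-heading exemption, as an added worked example in Python (not code from the original page or from Huawei's software). The sample display output is constructed, and the header_lines and tail_lines parameters are an assumption standing in for the device's own knowledge of where a table's heading and tail end:

```python
import re

# Constructed sample output of an interface display command; not captured
# from a real device. The first three lines are the legend and heading, the
# last line is the table tail, and the four lines between are the entries.
SAMPLE_OUTPUT = """\
PHY: Physical
*down: administratively down
Interface                 PHY    Protocol  InErrors  OutErrors
GigabitEthernet0/1/0      up     up               0          0
GigabitEthernet0/1/1      down   down             0          0
GigabitEthernet0/1/2      up     up              17          0
GigabitEthernet0/1/3      *down  down             0          0
Total number of interfaces: 4"""


def pipe(text, rules, header_lines=0, tail_lines=0):
    """Apply pipe-character rules to display output and return the output lines.

    rules is a list of (mode, pattern) pairs applied left to right, like
    'display ... | include A | exclude B'. mode is 'include', 'exclude' or
    'begin'; pattern is a regular expression. The first header_lines and the
    last tail_lines are passed through unfiltered, which is the special
    handling of table-form output described above.
    """
    lines = text.splitlines()
    end = len(lines) - tail_lines
    head, body, tail = lines[:header_lines], lines[header_lines:end], lines[end:]
    for mode, pattern in rules:
        regex = re.compile(pattern)
        if mode == "include":
            body = [line for line in body if regex.search(line)]
        elif mode == "exclude":
            body = [line for line in body if not regex.search(line)]
        elif mode == "begin":
            for i, line in enumerate(body):
                if regex.search(line):
                    body = body[i:]
                    break
            else:
                body = []          # no line matched: nothing from the body is shown
        else:
            raise ValueError("unknown pipe rule: %s" % mode)
    return head + body + tail


def count(text, rules=(), header_lines=0, tail_lines=0):
    """'| count' placed after the other rules: only the number of lines that
    would have been displayed is returned."""
    return len(pipe(text, list(rules), header_lines, tail_lines))


if __name__ == "__main__":
    # Without the heading exemption the legend line "*down: administratively
    # down" also matches 'include down', which is the inconvenience the
    # table-form handling avoids.
    for line in pipe(SAMPLE_OUTPUT, [("include", "down")]):
        print(line)
    print("---")
    for line in pipe(SAMPLE_OUTPUT, [("include", "down")], header_lines=3, tail_lines=1):
        print(line)
    print("count:", count(SAMPLE_OUTPUT, [("include", "up"), ("exclude", "0/1/2")], 3, 1))
```

The regular expressions are Python's, which are close enough to the device's for the patterns shown; the point of the header_lines and tail_lines split is that the legend and the "Total" line survive whatever the rules remove.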
1.4.8 Daylight Saving Time

Daylight Saving Time (DST), also called summer time, is a convention adopted by communities to make more use of daylight hours and to save resources such as the cost of lighting office buildings and schools.

In high-latitude areas the sun rises earlier in summer than in winter. To reduce evening use of incandescent lighting and save energy, clocks are set forward one hour in spring. At present about 110 countries use DST.

Users can define the DST zone according to the convention of their country or region, setting when and by how much (usually one hour) clocks are moved forward. With DST enabled, the system time is adjusted accordingly; when DST ends, the system time automatically returns to standard time.
1.4.9 Timing Restart

The system supports timing restart: at a specified time the system restarts automatically and loads the updated system files. A device upgrade of this kind has to take place at exactly the right time. Once a timing restart is configured, maintenance personnel only need to prepare the software packages and system image files and set the time and the files for the automatic restart.
1.4.10 MIB Interface Is Used to Optimize System Upgrade

In a cluster, upgrading the version is complex. A user has to download the system startup file to the master board of the system, copy it to the master and slave boards of the other chassis, and then configure the startup settings for each chassis in turn. This is a lot of work for the user.

For the system upgrade, the way the device handles the MIB has been optimized and what the NMS has to do on the device simplified. When the user downloads the startup file to the master board through the NMS, the device synchronizes the file directly to the slave board, and in a cluster to the master and slave boards of the other chassis. The system looks up the file index by file type and name (startup file, PAF and license files, configuration file, or patch), and the NMS then sets the file for the next startup by that index. This setting is synchronized automatically to the slave boards and, in a cluster, to the master and slave boards of the other chassis without further configuration. This greatly reduces the user's effort in configuring and uploading startup-related files.

Before downloading version-related files (startup file, PAF and license files, configuration file, patch) from the FTP server, the device checks the remaining memory (storage space) on the master and slave boards of each chassis. If the available space is insufficient, the earliest created system file is deleted automatically to make room. If the device holds only the files for the current and the next startup and still lacks the space for the file to be downloaded, an error message is returned and the download is cancelled.

When the system upgrade is simplified through the MIB interface, the following functions matter:

- The device checks the available space to make sure there is room for at least one system file for the upgrade. The object hwFlhOperMemSize is added to huaweiFlhOpTable of HUAWEI-FLASH-MAN-MIB. Its value specifies the size of the reserved space in KB. The object is optional during file upload and defaults to 0, meaning no extra space need be reserved. If the value is not 0, files are deleted when the available space is insufficient. Two system files must always remain: the system file currently in use and the rollback file. The earlier created system file is deleted first; if the available space is still insufficient, an error message is returned, and the user must delete enough of the remaining files by hand until the space is sufficient.
- The needed file is downloaded and synchronized between the master and slave boards of the system and between chassis.
  After the file is downloaded successfully to the master board of the system it is synchronized automatically to the slave board of the system and to the master and slave boards of the other chassis. If a file of the same name already exists and is not the file for the current startup, it is overwritten. If it already exists and is the file for the current startup, an error message is returned.
- The index of the specified file is queried. The system provides a MIB table for querying a file index in real time. The NMS sets the file for the next startup of the device according to that index.
- The file for the next startup is set and synchronized between the master and slave boards of the system and the other chassis. The NMS sets the file for the next startup through hwSysReloadScheduleTable. Once it is set on the master board of the system, the system automatically synchronizes the next-startup setting to the slave board of the system and to the master and slave boards of the other chassis.
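The space check, the deletion order, the protection of the current and next startup files, and the overwrite rule described above, as an added example in Python (not code from the original page or from Huawei's implementation). Board, StoredFile, make_room, download_and_sync, set_next_startup and the file names are assumptions for illustration; reserved_kb stands in for hwFlhOperMemSize, and the two-board example in demo_boards is constructed:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class UpgradeError(Exception):
    """Raised where the device would return an error message to the NMS."""


@dataclass
class StoredFile:
    name: str
    kind: str        # "system", "config", "patch" or "paf-license"
    created: int     # creation time; a smaller value means created earlier
    size_kb: int


@dataclass
class Board:
    name: str                                   # e.g. "chassis1/master"
    capacity_kb: int
    files: Dict[str, StoredFile] = field(default_factory=dict)
    current_startup: Optional[str] = None
    next_startup: Optional[str] = None

    def free_kb(self) -> int:
        return self.capacity_kb - sum(f.size_kb for f in self.files.values())


def make_room(board: Board, needed_kb: int, reserved_kb: int = 0) -> List[str]:
    """Reclaim space on one board before a download.

    reserved_kb plays the role of hwFlhOperMemSize: space that must still be
    free after the download (0 = nothing extra reserved). Only system files that
    are neither the current nor the next startup file may be deleted, earliest
    created first. Returns the names deleted; raises UpgradeError if space is
    still insufficient, which is where the operator has to delete files by hand.
    """
    target = needed_kb + reserved_kb
    protected = {board.current_startup, board.next_startup}
    victims = sorted(
        (f for f in board.files.values() if f.kind == "system" and f.name not in protected),
        key=lambda f: f.created,
    )
    deleted: List[str] = []
    for victim in victims:
        if board.free_kb() >= target:
            break
        del board.files[victim.name]
        deleted.append(victim.name)
    if board.free_kb() < target:
        raise UpgradeError(f"{board.name}: {board.free_kb()} KB free, {target} KB needed")
    return deleted


def download_and_sync(boards: List[Board], new: StoredFile, reserved_kb: int = 0) -> None:
    """Check space on every board (boards[0] is the master) before anything is
    downloaded, then place the file on the master and mirror it to the slaves.
    A file of the same name is overwritten unless it is that board's current
    startup file, in which case the operation fails with an error."""
    for board in boards:
        make_room(board, new.size_kb, reserved_kb)
    for board in boards:
        if new.name in board.files and board.current_startup == new.name:
            raise UpgradeError(f"{board.name}: {new.name} is the current startup file")
    for board in boards:
        board.files[new.name] = new


def set_next_startup(boards: List[Board], name: str) -> None:
    """Model of hwSysReloadScheduleTable: set on the master, mirrored to every slave."""
    for board in boards:
        if name not in board.files:
            raise UpgradeError(f"{board.name}: {name} is not present")
    for board in boards:
        board.next_startup = name


def demo_boards() -> List[Board]:
    """Constructed example: one master and one slave board, each holding the
    startup file v1.cc, an older spare system file v2.cc and the configuration."""
    boards = [Board("chassis1/master", 1000), Board("chassis1/slave", 1000)]
    for board in boards:
        board.files = {
            "v1.cc": StoredFile("v1.cc", "system", created=1, size_kb=300),
            "v2.cc": StoredFile("v2.cc", "system", created=2, size_kb=300),
            "vrpcfg.zip": StoredFile("vrpcfg.zip", "config", created=3, size_kb=50),
        }
        board.current_startup = board.next_startup = "v1.cc"
    return boards
```

With 350 KB free on each board, downloading a 400 KB v3.cc deletes v2.cc (the earliest created system file that is not protected) and succeeds; if v2.cc were the next-startup file, nothing could be deleted and the download would be refused, which is the case the text describes as requiring manual deletion.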
1.4.11 NAP

The Neighbor Access Protocol (NAP) is a Layer 3 protocol that lets a user log in remotely to a device still carrying its default configuration and then configure it. A NAP connection can be established as long as the device to be configured and the local device are physically connected. In Figure 1-11, Router A and Router B are devices on the existing network and Router C is a device with default configurations. Router B and Router C are one hop apart and both support NAP.
Figure 1-11 Establishing a NAP connection (figure: a PC, Router A and Router B on the network; Router B, the master device, connected through its master interface to the slave interface of Router C, the slave device; steps 1 NAP negotiation, 2 IP address allocation, 3 remote login)
During NAP negotiation and IP address allocation, the device on the current network and thedevice with default configurations act as the master device and slave device respectively, andthe two physical interfaces connecting the two devices are called the master interface (on themaster device) and the slave interface (on the slave device). During remote login, the masterdevice and slave device act as the client and server respectively.
Format of a NAP packet

NAP packets are carried in UDP datagrams on UDP port 53535. Their destination IP address is the reserved multicast address 224.0.0.128 and their source IP address is the address configured on the sending interface; if the sending interface has no IP address, 0.0.0.0 is used. The TTL of a NAP packet is 1. Figure 1-12 shows the format of a NAP packet.
Figure 1-12 Format of a NAP packet (figure: a fixed header with the fields Version, Type, Reserved, Length, Checksum, and TLV Number, followed by a variable number of TLVs, TLV1 to TLVn, each n bytes long)
The major fields of a NAP packet are:

- Version: the NAP version number. The value is 01.
- Type: the NAP packet type. There are five types, listed with their values in Table 1-4.
- TLVn: the variable-sized TLV data area. Each TLV consists of three parts: data type, data length, and data.

Table 1-4 Description of the Type field in a NAP packet

Value   Type
01      Detect packet
02      Response packet
03      Establish packet (confirms the establishment of a neighbor relationship)
04      Hello packet
05      Close packet
NAP Negotiation

By default a NAP-capable device is a slave device and its interface is a slave interface, which listens for packets rather than sending them. Once the NAP master and slave devices are configured, listening is enabled on the slave interface by default. When NAP is enabled on the master interface of the master device, the master device sends a Detect packet to discover neighbors and enters the NAP negotiation phase. The negotiation is shown in Figure 1-13.

Figure 1-13 NAP negotiation (figure: the master device sends a protocol packet to the slave device, the slave device analyzes it and acknowledges, and the master device acknowledges in turn)

1. The slave device starts with listening enabled on its slave interface by default and waits for a Detect packet from the master device.
2. The master device sends a Detect packet through the master interface to discover neighbors.
3. On receiving the Detect packet, the slave device analyzes it.
4. The master and slave devices enter the NAP negotiation phase.
5. The slave device sends a Response packet through the slave interface. On receiving it, the master device replies with an Establish packet, and the NAP neighbor relationship is established.
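The packet format of Figure 1-12 and Table 1-4 together with the negotiation of Figure 1-13, as one added example in Python (not code from the original page or from Huawei's implementation). The page gives only the field names, so the field widths, the RFC 1071 checksum, the TLV type numbers and the identifiers carried in the TLVs are assumptions; what the example shows is a receiver that validates every length field against the bytes actually received before using it, and the Detect, Response, Establish exchange run between two in-memory peers:

```python
import struct

NAP_UDP_PORT, NAP_MCAST, NAP_VERSION = 53535, "224.0.0.128", 1   # from the page
DETECT, RESPONSE, ESTABLISH, HELLO, CLOSE = 1, 2, 3, 4, 5        # Table 1-4

# Assumed header layout (widths are not given on the page): version(1) type(1)
# reserved(2) length(2) checksum(2) tlv_count(2), then TLVs of type(1)
# length(1) value. The RFC 1071 checksum is likewise an assumption.
HDR = struct.Struct("!BBHHHH")


def inet_checksum(data: bytes) -> int:
    """Ones'-complement sum of 16-bit words; comes out 0 over a correct packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build(ptype: int, tlvs) -> bytes:
    """Encode one NAP packet; tlvs is a list of (type, value_bytes)."""
    body = b"".join(struct.pack("!BB", t, len(v)) + v for t, v in tlvs)
    length = HDR.size + len(body)
    csum = inet_checksum(HDR.pack(NAP_VERSION, ptype, 0, length, 0, len(tlvs)) + body)
    return HDR.pack(NAP_VERSION, ptype, 0, length, csum, len(tlvs)) + body


def parse(pkt: bytes):
    """Decode a NAP packet into (type, [(tlv_type, value), ...]). Every length
    is checked against the bytes present before it is used, so a malformed
    datagram raises ValueError rather than being read past its end."""
    if len(pkt) < HDR.size:
        raise ValueError("short header")
    ver, ptype, _reserved, length, _csum, count = HDR.unpack_from(pkt)
    if ver != NAP_VERSION or not DETECT <= ptype <= CLOSE:
        raise ValueError("bad version or type")
    if length != len(pkt):
        raise ValueError("length field does not match datagram")
    if inet_checksum(pkt) != 0:
        raise ValueError("checksum mismatch")
    tlvs, off = [], HDR.size
    for _ in range(count):
        if off + 2 > len(pkt):
            raise ValueError("truncated TLV header")
        ttype, tlen = pkt[off], pkt[off + 1]
        off += 2
        if off + tlen > len(pkt):
            raise ValueError("TLV length exceeds packet")
        tlvs.append((ttype, pkt[off:off + tlen]))
        off += tlen
    if off != len(pkt):
        raise ValueError("trailing bytes after last TLV")
    return ptype, tlvs


class Peer:
    """NAP state of one interface; role is 'master' or 'slave'. A slave only
    listens until a Detect arrives, a master only speaks once NAP is enabled."""

    def __init__(self, role: str):
        self.role = role
        self.state = "listening" if role == "slave" else "idle"

    def enable(self) -> bytes:
        """Enabling NAP on a master interface sends a Detect to 224.0.0.128."""
        if self.role != "master":
            raise ValueError("only a master interface sends Detect")
        self.state = "negotiating"
        return build(DETECT, [(1, b"master-id")])      # TLV type 1 is assumed

    def receive(self, pkt: bytes):
        """Handle one datagram and return the reply to send, or None. Packets
        that do not fit the current state are ignored."""
        ptype, _tlvs = parse(pkt)
        if self.role == "slave" and self.state == "listening" and ptype == DETECT:
            self.state = "negotiating"
            return build(RESPONSE, [(1, b"slave-id")])
        if self.role == "master" and self.state == "negotiating" and ptype == RESPONSE:
            self.state = "established"
            return build(ESTABLISH, [])
        if self.role == "slave" and self.state == "negotiating" and ptype == ESTABLISH:
            self.state = "established"
        elif ptype == CLOSE:
            self.state = "listening" if self.role == "slave" else "idle"
        return None


def negotiate():
    """Run the exchange of Figure 1-13 in memory and return both end states."""
    master, slave = Peer("master"), Peer("slave")
    response = slave.receive(master.enable())      # Detect -> Response
    establish = master.receive(response)           # Response -> Establish
    slave.receive(establish)
    return master.state, slave.state
```

Sending the datagrams is left out on purpose: what a practitioner wants to see is that the receiver rejects a TLV whose declared length runs past the datagram, a truncated packet, and a packet from a peer in the wrong state, since a device still on its default configuration is listening on this port before any user is defined.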
IP Address Allocation

To simplify the configuration of service IP addresses on the master and slave interfaces, and the maintenance of the existing NAP connection while that configuration is made, IP addresses are configured for the master and slave interfaces separately.

By default NAP allocates the IP addresses of the master and slave interfaces from the address pool 10.167.253.0/24. If an address conflict occurs, configure the interface addresses manually in either of two ways:

- Specify a NAP IP address pool; IP addresses are then allocated automatically by the NAP address allocation algorithm.
- Configure IP addresses in the same network segment on the master and slave interfaces.
Remote Login

- After IP address allocation, the master device logs in to the slave device through Telnet, enters the interactive interface, and initializes the slave device.
- If the slave device has only its default configuration, the master device can log in to the slave device without a username and password.
- If the slave device is configured with a username and password, the master device must pass authentication before it can log in remotely to the slave device through NAP.

NOTE

A slave device with default configurations checks the source address of an incoming Telnet connection. If the Telnet source address is the NAP address of the master device, the slave device treats the master device as having the highest user level (the same as the console interface) and lets it log in directly without authentication. If the Telnet source address is not the NAP address of the master devi