Network operation and maintenance refers to the production organization and management activities undertaken to ensure the normal, safe and effective operation of a communication network and its services; it is also known as operation, administration and maintenance (OAM). As the term “OAM” implies, network operation and maintenance mainly comprises the basic operation, administration and maintenance of the network system. Administration and maintenance will be introduced in Chap. 6. This chapter focuses on the basic operation of the network system, specifically the login management, basic configuration and user management of network equipment.

Today’s mainstream network equipment manufacturers include Huawei, Cisco, Juniper, ZTE, Ruijie, H3C and so on. Their equipment runs mainly on three network operating systems: Huawei’s Versatile Routing Platform (VRP), Cisco’s Internetwork Operating System (IOS) and Juniper Operating System (Junos). Among them, both Huawei’s VRP and Juniper’s Junos adopt a single system for distribution, while Cisco adopts multiple platforms for distribution. Single distribution refers to the adoption of one network operating system for different network devices, while multi-distribution refers to the distribution of different network operating systems for different network devices. Compared with the multi-distribution approach, a single network operating system is easier to use and simplifies network operation and management.

In order to help readers master the operation of a network system, this chapter starts with an introduction to the network system, takes Huawei devices and their operating system VRP as examples to show how to quickly become familiar with the command-line interface (CLI) of the operating system, and then introduces the management modes, basic configuration and network configuration of various devices.

By the end of this chapter, you will

(1) Understand the VRP version and structure

(2) Get familiar with the CLI

(3) Master login management of devices

(4) Master basic configuration of devices

(5) Master basic network configuration of devices

(6) Master construction of remote login environment

5.1 What Is VRP and CLI

A complete network system, in addition to the hardware described in Chap. 3, also carries the corresponding software, including communication protocols and the network operating system. The network operating system is the system software on which communication devices run, providing network access and interconnection services.

This section will introduce Huawei’s network operating system VRP and its CLI, so that readers can understand Huawei VRP and its characteristics, and master how to use the CLI.

5.1.1 What Is Huawei VRP

VRP is Huawei’s network operating system with fully independent intellectual property rights. With IP services as its core, VRP implements a componentized architecture that carries over 300 features. It not only provides rich functional features, but also supports application-based tailoring and scalability.

As the core software engine for Huawei’s whole series of routers, Ethernet switches, business gateways and other products, from low-end to core products, VRP delivers a unified user interface and management interface; provides the control plane functions, defines the interface specification of the forwarding plane and realizes the interaction between the forwarding plane and the VRP control plane; and implements the network interface layer to shield the differences between the data link layer and the network layer.

In order to make a single software platform compatible with all kinds of routers and switches, VRP uses a componentized architecture for its software modules, which provides open standard interfaces between various protocols and modules. VRP is composed of five planes: general control plane (GCP), service control plane (SCP), data forwarding plane (DFP), system management plane (SMP) and system service plane (SSP).

  1. GCP: Supports the network protocol suite, including IPv4 and IPv6. The protocols and functions it supports include socket, TCP/IP, routing management, various routing protocols, VPN, interface management, data link layer, MPLS, security features, and QoS support for IPv4 and IPv6.

  2. SCP: Based on GCP, supports value-added services, including connection management, user authentication and billing, user policy management, VPN, multicast business management and maintenance of the forwarding information base (FIB) related to business control.

  3. DFP: Composed of the forwarding engine and FIB maintenance, providing the forwarding service for the system. The forwarding engine can be implemented in software or hardware according to the forwarding mode of different products. Data forwarding supports high-speed switching, secure forwarding and QoS, and enables the extension of the forwarding module through open interfaces.

  4. SMP: Delivers the system management function, providing interfaces for interaction with external devices and unified management of the system’s output information. For the configuration and management of the platform, VRP can flexibly introduce network management mechanisms such as the command line, NMP and the Web.

  5. SSP: Supports common system services such as memory management, timers, IPC, load, transformation, task/process management and component management.

VRP also supports product license files, which allow the user to adjust the scope of features and performance as needed without breaking the original services.

VRP continues to evolve in terms of processing mechanisms, business capabilities and product support, keeping pace with the great strides of network technology and applications. As shown in the VRP version evolution in Fig. 5.1, more than a decade of development and validation has brought about VRP 1.x, VRP 3.x, VRP 5.x, VRP 8.x and more, each offering different business capabilities and product support capabilities.

Fig. 5.1 VRP version evolution

The versions of Huawei VRP system software fall into two categories: core version (or kernel version) and distribution version. The core version is the fundamental version used to develop VRP system for specific switches, namely VRP 1.x, VRP 2.x, VRP 3.x, and now VRP 5.x and VRP 8.x; the distribution version, based on the core version, is the VRP system software released for specific product series, such as S Series Switches, AR/NE Series Routers, etc.

The core version number of the VRP system is a decimal. The digit before the decimal point represents the major version number, which is updated only when a comprehensive functional or architectural change occurs. The first digit after the decimal point indicates the minor version number, only to be updated when there are major or many functional changes. The second and third digits after the decimal point make up the revision number that is issued whenever a change occurs. For example, in the software version VRP 5.120, the major and minor version numbers are 5 and 1, respectively, and 20 is the revision number.

The distribution version of the Huawei VRP system is marked by the letters “V”, “R” and “C” (representing three different version numbers), and the basic format is “VxxxRxxxCxx”, where “x” stands for a digit. The “V” and “R” parts are mandatory; the “C” part depends on the nature of the version and is optional.

The letters “V”, “R”, and “C” are defined as follows.

  1. “V” refers to the software or hardware platform version on which the product is based.

    “Vxxx”, known as the V version number, identifies changes to the backbone platform of a product/solution, where “xxx” starts at 100, with increments of 100. The V version number changes only when the product platform changes.

  2. “R” refers to a set of general features released to the customer, as a specific manifestation of the product at a specific time.

    “Rxxx”, known as the R version number, identifies a common release for all customers, where “xxx” starts at 001, with increments of 1.

  3. “C” is a customized version developed on the basis of the “R” version to quickly meet the needs of different customer groups, known as the C version number.

Under the same R version, “xx” in the C version number starts at 00, with increments of 1. When the R version number changes, “xx” in the C version number is renumbered from 00, for example V100R001C01, V100R001C02 and V100R002C01.

On a device, you can view the device version by executing the [display version] command. Example 5.1 shows how to view the device version on the S5700 Switch.

[Example 5.1]

View the device version

When the command [display version] is executed on the S5700 Switch, the following output is displayed. “Version 5.120” refers to the VRP core version that the switch runs; “S5700 V200R002C00” in brackets refers to the VRP distribution version of the S5700 Series Switch, where “V200” refers to the V version “2”; “R002”, R version “2”; and “C00”, C version “1”. The output also shows the corresponding BootROM software version; for example, “Basic BOOTROM Version: 100” indicates that the BootROM software version is 100. Other version information can also be viewed, such as the PCB version, the complex programmable logic device version (CPLD version) and so on.

<Huawei>display version
Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.120 (S5700 V200R002C00)
Copyright (C) 2000-2012 Huawei TECH CO., LTD
Huawei S5700-52C-EI Routing Switch uptime is 0 week, 2 days, 1 hour, 24 minutes

EMGE 0(Master) : uptime is 0 week, 2 days, 1 hour, 23 minutes
512M bytes DDR Memory
64M bytes FLASH
Pcb Version : VER B
Basic BOOTROM Version : 100 Compiled at Mar 1 2011, 20:27:16
CPLD Version : 74
Software Version : VRP (R) Software, Version 5.120 (S5700 V200R002C00)
FANCARD information
Pcb Version : FAN VER B
PWRCARD I information
Pcb Version : PWR VER A
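The version numbering rules above (core x.yzz, distribution VxxxRxxx[Cxx]) are exactly what an inventory or patch-compliance check has to parse before it can compare a device against an advisory. The following is an added example, not code from the book or from Huawei: it extracts both version numbers from the Example 5.1 output, validates the V/R/C numbering rules, and compares distribution versions. The sample text is constructed from the output shown above.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DistributionVersion:
    """VxxxRxxxCxx distribution version number (the C part is optional)."""
    v: int
    r: int
    c: Optional[int]

    def as_tuple(self):
        # A version without a C part sorts before C00 of the same R version.
        return (self.v, self.r, -1 if self.c is None else self.c)


@dataclass(frozen=True)
class VrpVersion:
    major: int        # digit before the decimal point
    minor: int        # first digit after the decimal point
    revision: int     # second and third digits after the decimal point
    product: str      # product series named in brackets, e.g. S5700
    dist: DistributionVersion


# Matches "Version 5.120 (S5700 V200R002C00)" as printed by display version.
_VERSION_LINE_RE = re.compile(
    r"Version\s+(?P<major>\d)\.(?P<minor>\d)(?P<rev>\d{2})\s+"
    r"\((?P<product>\S+)\s+(?P<dist>V\d{3}R\d{3}(?:C\d{2})?)\)"
)
_DIST_RE = re.compile(r"^V(?P<v>\d{3})R(?P<r>\d{3})(?:C(?P<c>\d{2}))?$")


def parse_distribution(text: str) -> DistributionVersion:
    """Parse and validate a VxxxRxxx[Cxx] string against the numbering rules."""
    m = _DIST_RE.match(text)
    if not m:
        raise ValueError(f"not a distribution version: {text!r}")
    v, r = int(m["v"]), int(m["r"])
    c = int(m["c"]) if m["c"] is not None else None
    # "Vxxx" starts at 100 and increments by 100; "Rxxx" starts at 001.
    if v < 100 or v % 100 != 0:
        raise ValueError(f"V part must be 100, 200, ...: {text!r}")
    if r < 1:
        raise ValueError(f"R part must start at 001: {text!r}")
    return DistributionVersion(v, r, c)


def parse_version_output(output: str) -> VrpVersion:
    """Extract the core and distribution versions from display version output."""
    for line in output.splitlines():
        m = _VERSION_LINE_RE.search(line)
        if m:
            return VrpVersion(
                major=int(m["major"]),
                minor=int(m["minor"]),
                revision=int(m["rev"]),
                product=m["product"],
                dist=parse_distribution(m["dist"]),
            )
    raise ValueError("no VRP version line found in output")


def is_at_least(installed: DistributionVersion, required: DistributionVersion) -> bool:
    """True if the installed distribution version is the required one or newer."""
    return installed.as_tuple() >= required.as_tuple()


# Constructed sample: the first lines of the Example 5.1 output.
SAMPLE_OUTPUT = """\
<Huawei>display version
Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.120 (S5700 V200R002C00)
Copyright (C) 2000-2012 Huawei TECH CO., LTD
"""

if __name__ == "__main__":
    ver = parse_version_output(SAMPLE_OUTPUT)
    print(ver)
    print(is_at_least(ver.dist, parse_distribution("V200R001C02")))
```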

5.1.2 What Is CLI and How to Use It

CLI is a human-machine interface provided by network devices such as switches and routers. Compared with the graphical user interface (GUI), the CLI requires fewer system resources, and is easy to use and to extend with new functions.

  1. Go to the CLI

    VRP provides the CLI as shown in Fig. 5.2.

    The initial login takes the user to the user view by default. In the VRP, the user view is indicated by “< >”, for instance <Huawei>. In the user view, the user can only execute commands for operations such as file management, viewing and debugging, and has no right to execute commands for device maintenance, configuration modification and the like. If you need to configure a network device, you must do so in the corresponding view. For example, the IP address of an interface can only be created in the interface view, and other subviews can only be reached through the system view.

    You can switch to system view by executing the [system-view] command in the user view, and execute the [quit] command in the system view to switch to the user view. The commands for view switching under VRP are shown in Table 5.1.

    Executing a service command in the system view takes you to the relevant service view. The commands that can be executed vary with the view. For example, to configure interface GE0/0/0 from the system view, execute the [interface GigabitEthernet0/0/0] command to enter the interface view.

  2. Set the command level

    The commands in the VRP system are divided into four levels, from 0 to 3, as shown in Fig. 5.3.

    (a) Visit level: Network diagnosis commands (such as ping, tracert), commands to access external devices from this device (such as Telnet, SSH, Rlogin), etc.

    (b) Monitoring level: Commands used for system maintenance and service fault diagnosis, such as display, debugging, etc.

    (c) Configuration level: Service configuration commands, including routing commands at each network level, which offer direct network services to users.

    (d) Management level: Commands used for the basic operation of the system and for supporting the services, including the file system, FTP, TFTP, XMODEM download, the configuration file switching command, the standby board control command, the user management command, the command level setting command, the command for setting internal system parameters, etc.

    The system also restricts the access rights of different users to the device through the hierarchical management of users. The user level corresponds to the command level. Users of a level can only use commands at or below their level. By default, the commands register at levels 0 to 3 and users register at levels 0 to 15. The correspondence between the user level and the command level is shown in Table 5.2.

    In addition, the system also supports command level customization, which allows low-level users to be authorized to use high-level commands as needed. For example, authorizing a level 0 user to use the [save] command can be done with the following configuration.

    <Huawei>system-view
    [Huawei]command-privilege level 0 view user save
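Lowering a command’s level as shown above widens what every user at that level can do, so it is worth modelling the check the device performs and keeping a record of such customizations. The following is an added example, not code from the book or from VRP itself. It assumes the default correspondence between user levels and command levels (user levels 0, 1 and 2 map to command levels 0, 1 and 2; user levels 3 to 15 all map to command level 3), since Table 5.2 is not reproduced here, and the set of registered commands is a constructed subset.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

VISIT, MONITORING, CONFIGURATION, MANAGEMENT = 0, 1, 2, 3
LEVEL_NAMES = {VISIT: "visit", MONITORING: "monitoring",
               CONFIGURATION: "configuration", MANAGEMENT: "management"}

# Constructed subset of the default command registration: (view, command) -> level.
DEFAULT_LEVELS: Dict[Tuple[str, str], int] = {
    ("user", "ping"): VISIT,
    ("user", "telnet"): VISIT,
    ("user", "display current-configuration"): MONITORING,
    ("user", "save"): MANAGEMENT,
    ("system", "sysname"): CONFIGURATION,
    ("system", "command-privilege"): MANAGEMENT,
}


def command_level_for_user(user_level: int) -> int:
    """Highest command level a user of the given level may use.

    Assumed default mapping (Table 5.2 is not reproduced on this page):
    user levels 0-2 map to command levels 0-2, user levels 3-15 to level 3.
    """
    if not 0 <= user_level <= 15:
        raise ValueError(f"user level must be 0-15, got {user_level}")
    return min(user_level, MANAGEMENT)


@dataclass
class PrivilegeTable:
    """Command levels currently in force plus a log of every customization."""
    levels: Dict[Tuple[str, str], int] = field(
        default_factory=lambda: dict(DEFAULT_LEVELS))
    changes: List[Tuple[str, str, int, int]] = field(default_factory=list)

    def command_privilege(self, level: int, view: str, command: str) -> None:
        """Model [command-privilege level <level> view <view> <command>]."""
        if level not in LEVEL_NAMES:
            raise ValueError(f"command level must be 0-3, got {level}")
        key = (view, command)
        if key not in self.levels:
            raise KeyError(f"unknown command {command!r} in view {view!r}")
        old = self.levels[key]
        self.levels[key] = level
        self.changes.append((view, command, old, level))

    def can_execute(self, user_level: int, view: str, command: str) -> bool:
        """Users may run commands at or below the command level of their user level."""
        return self.levels[(view, command)] <= command_level_for_user(user_level)

    def lowered_commands(self) -> List[Tuple[str, str, int, int]]:
        """Customizations that made a command available below its default level.

        Each entry widens what lower-level users can do, so a configuration
        review should confirm that every one of them is intended."""
        return [(v, c, old, new) for (v, c, old, new) in self.changes if new < old]


if __name__ == "__main__":
    table = PrivilegeTable()
    print("level-0 user may save:", table.can_execute(0, "user", "save"))
    table.command_privilege(0, "user", "save")   # the customization shown above
    print("level-0 user may save:", table.can_execute(0, "user", "save"))
    print("lowered commands:", table.lowered_commands())
```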

  3. Edit the command line

    The CLI of VRP provides basic command-line editing functions and supports multi-line editing. Each command has a maximum length of 510 characters; command keywords are not case sensitive, while whether command parameters are case sensitive depends on how each command defines them. The commonly used editing functions are shown in Table 5.3.

    To improve the efficiency of command-line editing, VRP provides a completion function via the Tab key and supports the entry of incomplete keywords. The detailed steps are as follows. Users are advised to practise these two functions until they are familiar with them, which improves the efficiency of command-line editing.

    (a) Use of the Tab key

      When editing a command, enter an incomplete keyword and press Tab; the system then completes the keyword automatically, as follows.

      (i) If the matching keyword is unique, the system replaces the original input with the complete keyword and displays it on a new line. The cursor is one space away from the end of the word.

      (ii) If the matching keyword is not unique, press Tab repeatedly to display, in turn, all the keywords starting with the input character string. There is no space between the cursor and the end of the word.

      (iii) If there is no matching keyword, pressing Tab displays a new line and the input keyword remains unchanged.

    (b) Incomplete keyword input

      The device supports the input of incomplete keywords: an input string that matches a unique keyword in the current view is accepted without the full keyword being typed. This provides a quick way of input and helps improve operational efficiency. For example, to view the current configuration, whose full command is [display current-configuration], the user can execute the command by typing “dcu”, “di cu” or “dis cu”, but not by typing “dc” or “dis c”, because the command starting with “dc” or “dis c” is not unique.

  4. CLI’s online help

    When using the CLI, the user can rely on the online help feature to get real-time help without having to memorize a large number of complex commands. During input, the user can type “?” at any time for online help, either full help or partial help, as shown in Fig. 5.4. The uses of full help and partial help are described in detail below.

    (a) Full help

      When typing a command, the user can use the full help feature on the command line to get hints for the complete keyword or parameter. Here are some examples of full help for reference.

      [Example 5.2]

      Full help

      (i) In any command view, type “?” to display all the commands available in this view together with their brief descriptions. An example is as follows.

        <Huawei>?
        User view commands:
          backup   Backup electronic elabel
          cd       Change current directory
          check    Check information
          clear    Clear information
          clock    Specify the system clock
          compare  Compare function
          ...

      (ii) Input a command keyword followed by a space and “?”. If the position is for a keyword, all keywords and their brief descriptions are listed. An example is as follows.

        <Huawei>system-view
        [Huawei]user-interface vty 0 4
        [Huawei-ui-vty0-4]authentication-mode ?
          aaa       AAA authentication
          password  Authentication through the password of a user terminal interface
        [Huawei-ui-vty0-4]authentication-mode aaa ?
          <cr>
        [Huawei-ui-vty0-4]authentication-mode aaa

      Here, “aaa” and “password” are keywords, and “AAA authentication” and “Authentication through the password of a user terminal interface” are their descriptions; “<cr>” indicates that no keyword or parameter is expected at this position, and the command is repeated on the next command line, so just press Enter to execute it.

      (iii) Input a command keyword followed by a space and “?”. If the position is for a parameter, the names and brief descriptions of all relevant parameters are listed. An example is as follows.

        <Huawei>system-view
        [Huawei]ftp timeout ?
          INTEGER<1-35791>  The value of FTP timeout, the default value is 30 minutes
        [Huawei]ftp timeout 35 ?
          <cr>
        [Huawei]ftp timeout 35

      “INTEGER<1-35791>” describes the value range of the parameter, and “The value of FTP timeout, the default value is 30 minutes” is a brief description of the function of the parameter.

    (b) Partial help

      When typing a command, a user who remembers only the first one or several characters of a command keyword can use the partial help feature of the CLI to get hints for all keywords beginning with that character string. Here are some examples of partial help for reference.

      [Example 5.3]

      Partial help

      (i) Enter a character string followed by “?”, and all keywords that begin with the string are listed.

        <Huawei>d?
          debugging  delete  dir  display
        <Huawei>d

      (ii) Enter a command followed by a character string and “?”, and all keywords that begin with the string are listed.

        <Huawei>display b?
          bootrom  bpdu  bpdu-tunnel  bridge  buffer
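Tab completion, incomplete keyword input and partial help (items 3 and 4 above) are all one operation over the same command tree: find the keywords in the current node that start with the typed prefix, and accept the input only when exactly one matches. The following is an added example, not code from the book or from VRP: a small model of that matching over a constructed user-view command tree that uses the keywords shown in Examples 5.2 and 5.3 (“clock” and “cpu” under display are added only so that “dis c” is ambiguous, as the text describes).

```python
from typing import Dict, List, Tuple

# Constructed command tree for the user view: keyword -> subordinate keywords.
CommandTree = Dict[str, dict]
USER_VIEW: CommandTree = {
    "backup": {}, "cd": {}, "check": {}, "clear": {}, "clock": {}, "compare": {},
    "debugging": {}, "delete": {}, "dir": {},
    "display": {
        "bootrom": {}, "bpdu": {}, "bpdu-tunnel": {}, "bridge": {}, "buffer": {},
        "clock": {}, "cpu": {}, "current-configuration": {},
    },
    "ping": {}, "quit": {}, "system-view": {}, "tracert": {},
}


class AmbiguousKeyword(ValueError):
    """More than one keyword in the view starts with the typed string."""


class UnknownKeyword(ValueError):
    """No keyword in the view starts with the typed string."""


def _candidates(node: CommandTree, token: str, exact_wins: bool = True) -> List[str]:
    """Keywords in this node starting with the token (keywords are case-insensitive).

    With exact_wins, a fully typed keyword is accepted even if a longer keyword
    shares the prefix (so "bpdu" is not ambiguous with "bpdu-tunnel")."""
    token = token.lower()
    if exact_wins and token in node:
        return [token]
    return sorted(k for k in node if k.startswith(token))


def _walk(tree: CommandTree, tokens: List[str]) -> Tuple[CommandTree, List[str]]:
    """Resolve each token to a unique keyword, descending through the tree."""
    node, full = tree, []
    for token in tokens:
        cands = _candidates(node, token)
        if not cands:
            raise UnknownKeyword(f"no keyword starts with {token!r}")
        if len(cands) > 1:
            raise AmbiguousKeyword(f"{token!r} matches: {', '.join(cands)}")
        full.append(cands[0])
        node = node[cands[0]]
    return node, full


def resolve(tree: CommandTree, typed: str) -> str:
    """Expand an abbreviated command line such as "dis cu" to its full keywords."""
    return " ".join(_walk(tree, typed.split())[1])


def partial_help(tree: CommandTree, typed: str) -> List[str]:
    """What "?" lists after the typed text: keywords beginning with the last token.

    A trailing space (or empty input) means every keyword of the node is listed."""
    tokens = typed.split()
    if typed.endswith(" ") or not tokens:
        complete, last = tokens, ""
    else:
        complete, last = tokens[:-1], tokens[-1]
    node, _ = _walk(tree, complete)
    return _candidates(node, last, exact_wins=False)


def tab_complete(tree: CommandTree, typed: str) -> str:
    """Tab key: a unique match is completed and followed by one space;
    otherwise (ambiguous or unknown) the line is returned unchanged."""
    tokens = typed.split()
    if not tokens or typed.endswith(" "):
        return typed
    node, full = _walk(tree, tokens[:-1])
    cands = _candidates(node, tokens[-1])
    if len(cands) == 1:
        return " ".join(full + cands) + " "
    return typed


if __name__ == "__main__":
    print(resolve(USER_VIEW, "dis cu"))
    print(partial_help(USER_VIEW, "display b"))
    print(repr(tab_complete(USER_VIEW, "sys")))
```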

  5. Interpret error messages of the CLI

    Commands entered by the user in the CLI are executed if they pass the syntax check; otherwise the system reports an error message to the user. The common error messages are shown in Table 5.4, which helps users check and correct their command input.

  6. Use the undo command line

    Under the CLI, a command prefixed with the keyword undo is the undo command line, which is used to restore the default configuration, disable a feature, or delete a configuration. Almost every configuration command has an undo command line, as illustrated below.

    [Example 5.4]

    Use the undo command line

    (a) The [undo] command is used to restore the default configuration.

      The [sysname] command is used to set the hostname of the device, as shown below.

      <Huawei>system-view       //Enter the system view
      [Huawei]sysname Server    //Set the device name to "Server"
      [Server]undo sysname      //Restore the device default name to "HUAWEI"
      [Huawei]

    (b) The [undo] command is used to disable a feature.

      <Huawei>system-view       //Enter the system view
      [Huawei]undo stp enable   //Disable STP

    (c) The [undo] command is used to delete a configuration.

      <Huawei>system-view                                              //Enter the system view
      [Huawei]interface GigabitEthernet0/0/0                           //Enter the interface view
      [Huawei-GigabitEthernet0/0/0]ip address 10.1.1.1 255.255.255.0   //Configure the interface IP address
      [Huawei-GigabitEthernet0/0/0]undo ip address                     //Delete the interface IP address

  7. Query the history command

    The CLI automatically saves the history commands entered by a user so that they can be invoked and executed again at any time. By default, the CLI saves up to 10 history commands per user. The methods of querying and invoking history commands are shown in Table 5.5.

    The following points need to be noted when using the history command feature.

    (a) The history commands saved by the VRP are in the same format as the commands entered by the user. For a command entered in an incomplete form, the saved history command is also in the incomplete form.

    (b) If the user executes the same command multiple times, the VRP saves only the earliest one as a history command; but if the same command is executed twice in different forms, it is saved as two commands. For example, if you execute [display ip routing-table] multiple times, only one command is saved; but if you execute [display ip routing] and [display ip routing-table] respectively, they are saved as two history commands.

  8. Use command-line shortcuts

    To simplify operations, the user can use shortcuts to quickly enter commands. The shortcut keys in the system are divided into custom shortcut keys and system shortcut keys. There are four custom shortcuts as follows.

    (a) Ctrl + G: [display current-configuration] by default.

    (b) Ctrl + L: [undo idle-timeout] by default.

    (c) Ctrl + O: [undo debugging all] by default.

    (d) Ctrl + U: No default command.

    The user can also associate these four shortcuts with any command as desired. For example, set the command corresponding to the Ctrl + U shortcut to [save] by executing as follows.

    <Huawei>system-view             //Enter the system view
    [Huawei]hot-key CTRL_U save     //Set the Ctrl + U shortcut to execute the [save] command

    In addition, the CLI also has some system shortcuts, which are fixed in the system and cannot be specified by the user. Common system shortcuts are shown in Table 5.6.

  9. Batch execution feature

    In the actual operation and maintenance of the device, the user often needs to execute multiple commands continuously. For this reason, these commands can be defined in advance as command lines to be batch-executed, so as to simplify the input of common commands and improve efficiency.

    The CLI of VRP supports the automatic batch execution of specified command lines at a time set by the Maintenance Assistant. With this feature enabled, the device can perform certain operations or configurations unattended, mainly for timed upgrades or timed configuration of the system. The specific operations are as follows.

    (a) Execute the [system-view] command to enter the system view.

    (b) Execute the [assistant task task-name] command to create a Maintenance Assistant task; up to 5 tasks can be created.

    (c) Execute the [if-match timer cron seconds minutes hours days-of-month months days-of-week [years]] command to configure the time at which the Maintenance Assistant task is performed.

    (d) Execute the [perform priority batch-file filename] command to set the processing actions of the Maintenance Assistant.

Fig. 5.2 VRP CLI

Table 5.1 Commands for view switching under VRP
Fig. 5.3 Command level in the VRP

Table 5.2 Correspondence between user level and command level
Table 5.3 Commonly used editing functions
Fig. 5.4 CLI’s online help

Table 5.4 Common error messages
Table 5.5 Query and invocation methods of the history command
Table 5.6 Common system shortcuts

5.1.3 Query the Display Information of the Command Line

  1. Query the configuration information of the command line

    After completing a series of configurations, the user can execute the corresponding [display] command to view the configuration and operation information of the device.

    VRP supports querying the configuration information of a protocol or application from the command line. For example, after completing the configuration of the FTP server, the command [display ftp-server] can be executed to see the parameters of the current FTP server.

    [Huawei]display ftp-server

    The system also supports viewing the currently active configuration information and the configuration information in the current view. The applicable commands are as follows.

    (a) View the currently active configuration information.

    [Huawei]display current-configuration

    Active configuration parameters are not displayed if they are the same as the default parameters.

    (b) View the active configuration information in the current view.

    [Huawei]display this

    Active configuration parameters are not displayed if they are the same as the default parameters.

  2. Configure users at different levels to view the specified configuration information

    Network devices allow users at different levels to view specified configuration information, that is, to view only the information displayed by specified command lines. The specific operations are as follows.

    (a) The administrator executes the [command-privilege level] command to make the command available to a low-level user.

    (b) The administrator executes the [set current-configuration display] command to set the configuration information that the specified low-level user is allowed to display.

    [Example 5.5]

    Configure users at different levels to view the specified configuration information

    Consider the following configuration procedure: the administrator needs to allow a low-level user (such as a Level-0 user) to execute the [display current-configuration] command, while the user at that level may only view the IP address configuration of the interfaces.

    <Huawei>system-view
    [Huawei]command-privilege level 0 view cli_8f display current-configuration
    [Huawei]set current-configuration display level 0 ip address

    Now, when the Level-0 user logs in to the device and executes the [display current-configuration] command, the result generally looks as follows: only the interfaces and their IP address configuration are displayed.

    <Huawei>display current-configuration
    #
    interface GigabitEthernet0/0/0
     ip address 192.168.200.183 255.255.255.0
    #
    interface LoopBack0
     ip address 10.168.1.1 255.255.255.0
    #
    return

  3. Control how the command line is displayed

    All command lines share a common display mode, which can be controlled flexibly as needed. When too much information is displayed on the terminal screen, the PageUp and PageDown keys display the previous and the next page of information, respectively. When a command produces more than one screen of information, the system automatically pauses for the convenience of the user. At this point, the user can control the display mode of the command line through the function keys shown in Table 5.7.

  4. Filter the display information of the command line

    Filtering the display information of the command line helps the user quickly find the information needed. For example, when the [display] command is executed, a regular expression (that is, a specified display rule) can be used to filter the output. When more than one screen of information is displayed by a single execution, the CLI activates the pause function, in which state the user is given three options, as shown in Table 5.8.

    The three alternative filtering options in Table 5.8 are described below.

    (a) | begin regular-expression: Output all lines starting from the first line that matches the specified regular expression; that is, all output is discarded until the specified string (which is case sensitive) appears, and that line and all subsequent lines are displayed on the screen.

    (b) | exclude regular-expression: Output all lines that do not match the specified regular expression; that is, a line to be output is displayed only if it does not contain the specified string (which is case sensitive), otherwise it is filtered out and not displayed.

    (c) | include regular-expression: Output only the lines that match the specified regular expression; that is, a line to be output is displayed only if it contains the specified string (which is case sensitive), otherwise it is filtered out and not displayed.

    The following is an example of a way to specify the filtering mode in a command.

    [Example 5.6]

    A way to specify the filtering mode in a command

    Execute the [display interface brief] command and display all lines that do not match the regular expression “10GE|40GE”, where “10GE|40GE” matches “10GE” or “40GE”. The command and the result of its execution are shown below. Because the command uses the filtering mode “exclude 10GE|40GE”, the displayed result contains no 10GE or 40GE interfaces.

    <Huawei>display interface brief | exclude 10GE|40GE
    PHY: Physical
    *down: administratively down
    ^down: standby
    (l): loopback
    (s): spoofing
    (b): BFD down
    (e): EFM down
    (d): Dampening Suppressed
    (p): port alarm down
    (dl): DLDP down
    InUti/OutUti: input utility rate/output utility rate
    Interface      PHY      Protocol  InUti  OutUti  inErrors  outErrors
    Eth-Trunk2     down     down      0%     0%      0         0
    Eth-Trunk27    up       up        0.01%  0.01%   0         0
    MEth0/0/0      up       up        0.01%  0.01%   0         0
    NULL0          up       up(s)     0%     0%      0         0
    Vlanif2        down     down      --     --      0         0
    Vlanif10       down     down      --     --      0         0
    Vlanif20       down     down      --     --      0         0
    Vlanif200      up       up        --     --      0         0

    Execute the [display current-configuration] command and display only the lines that match the regular expression “vlan”, as follows.

    <Huawei>display current-configuration | include vlan
    vlan batch 2 9 to 20 77 99 200 222 4091
    vlan 19
     mux-vlan
    vlan 222
     aggregate-vlan
     access-vlan 1
    instance 2 vlan 2
     carrier-vlan 100
     ce-vlan 10
     port trunk allow-pass vlan 99 200
     igmp-snooping static-router-port vlan 99
     port trunk allow-pass vlan 20
     port default vlan 77
     port trunk allow-pass vlan 20

    Execute the [display current-configuration] command and display the number of lines that match the regular expression “vlan”, as follows.

    <Huawei>display current-configuration | include vlan | count
    Total lines: 14.
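The three filtering modes and the trailing “| count” stage above are simple to describe but have two details worth getting right when they are reproduced in a script that post-processes collected device output: matching is case sensitive (so “include vlan” does not match “Vlanif200”), and the regular expression itself may contain “|” (as in “10GE|40GE”), so the filter text cannot simply be split on the pipe character. The following is an added example, not code from the book or from VRP, that models begin/exclude/include and count over a constructed sample of interface brief lines based on Example 5.6.

```python
import re
from typing import List, Tuple

# Constructed sample lines modelled on the display interface brief output above.
SAMPLE_INTERFACE_BRIEF = [
    "Interface PHY Protocol InUti OutUti inErrors outErrors",
    "10GE1/0/1 up up 0.01% 0.01% 0 0",
    "40GE1/0/2 down down 0% 0% 0 0",
    "Eth-Trunk2 down down 0% 0% 0 0",
    "MEth0/0/0 up up 0.01% 0.01% 0 0",
    "Vlanif200 up up -- -- 0 0",
]

MODES = ("begin", "exclude", "include")


def parse_filter_spec(spec: str) -> Tuple[str, str, bool]:
    """Split 'mode regex [| count]' into (mode, regex, count).

    Only a trailing '| count' is treated as a second pipe stage; any other '|'
    belongs to the regular expression, as in 'exclude 10GE|40GE'."""
    spec = spec.strip()
    count = False
    if re.search(r"\|\s*count$", spec):
        spec = re.sub(r"\s*\|\s*count$", "", spec)
        count = True
    mode, _, pattern = spec.partition(" ")
    pattern = pattern.strip()
    if mode not in MODES or not pattern:
        raise ValueError(f"bad filter specification: {spec!r}")
    return mode, pattern, count


def filter_lines(lines: List[str], mode: str, pattern: str) -> List[str]:
    """Apply one filter mode. Matching is case sensitive, as on the device."""
    rx = re.compile(pattern)
    if mode == "begin":
        # Discard everything before the first matching line, keep the rest.
        for i, line in enumerate(lines):
            if rx.search(line):
                return lines[i:]
        return []
    if mode == "exclude":
        return [line for line in lines if not rx.search(line)]
    return [line for line in lines if rx.search(line)]


def run_display(lines: List[str], spec: str) -> List[str]:
    """Model 'display ... | <spec>': the filtered lines, or the count line."""
    mode, pattern, count = parse_filter_spec(spec)
    out = filter_lines(lines, mode, pattern)
    if count:
        return [f"Total lines: {len(out)}."]
    return out


if __name__ == "__main__":
    for line in run_display(SAMPLE_INTERFACE_BRIEF, "exclude 10GE|40GE"):
        print(line)
    print(run_display(SAMPLE_INTERFACE_BRIEF, "include vlan | count"))
    print(run_display(SAMPLE_INTERFACE_BRIEF, "include Vlan | count"))
```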

Table 5.7 Control how the command line is displayed
Table 5.8 Filter the display information of the command line

5.2 Device Login Management

Unlike terminals such as computers, phones and tablets, network communication devices such as switches, routers and firewalls have no dedicated input/output (I/O) devices. Therefore, to use the operating system of such a network device, the network operating system has to be connected to a computer in a specific way, and the network operating system is then used, and OAM of the device carried out, with the help of the computer’s I/O devices (that is, keyboard, mouse, monitor and so on). This process of connecting the operating system of a network device to a computer in a specific way is called login management of the device.

This section introduces the common login management methods and, with examples, elaborates on each of them, so that readers can understand and master how to log in to and manage a device in different ways.

5.2.1 Common Device Login Management Methods

The operation and management of network devices by the user is called network management. By the user’s configuration management mode, the common network management modes can be divided into the CLI mode and the Web mode. In the CLI mode, the user logs in to the device through the Console port (also known as the serial port), Telnet or STelnet, and then manages and configures the device with the command lines it provides. The following describes login management through the CLI and through the Web in detail.

  1. Log in through the Console port

    Use a dedicated Console communication cable (also known as a serial cable) to connect to the device’s Console port, as shown in Fig. 5.5.

    Local login via the Console port is the most basic way to log in to a device and is the basis for all other login methods. By default, the user can log in locally through the Console port as a Level-15 user. This approach, however, works only for local login, and is generally used in the following three scenarios.

    (a) When the device is configured for the first time, the user can log in through the Console port to perform the configuration.

    (b) When the user is unable to log in to the device remotely, he/she can log in locally through the Console port.

    (c) When the device fails to start, the user can access the BootLoader through the Console port for diagnosis or a system upgrade.

  2. Login via Telnet

    Telnet, which originated in ARPANET, is one of the oldest Internet applications; it provides a way for a user to log in to a server remotely from a terminal on the network.

    The traditional way of operating a computer is to use a dedicated hardware terminal directly connected to the computer for command-line operations. With Telnet, the user can log in to another computer remotely from his/her own computer over the network, which removes the limitations of distance and equipment. Similarly, the user can use Telnet to log in remotely to any network device that supports the Telnet service, for remote configuration, maintenance, etc. Because this method saves network management and maintenance costs, it is widely used.

    Telnet uses TCP as its transport-layer protocol, uses Port 23, and follows the client/server model. When a user logs in to a remote computer via Telnet, two programs are actually running: the Telnet client program on the local computer, and the Telnet server program on the remote device being logged in to. During the remote login, therefore, the user’s local computer acts as the client, while the remote computer providing the service is the server.

    A Telnet remote login between the client and the server involves the following interaction process.

    (a) The Telnet client establishes a connection with the remote Telnet server program by IP address or domain name. In fact, a TCP connection is established between the client and the server; the port the server program listens on is Port 23.

    (b) The system transmits the commands or characters typed on the client to the server in the network virtual terminal (NVT) format. The user name, the password, and any subsequent commands or characters typed are transmitted as IP datagrams.

    (c) The server converts its output from the NVT format into a format usable by the client and sends it back to the client, including the command output and the execution result of the commands.

    (d) The client sends the command to disconnect and end the remote login.

    By default, the user cannot log in to the device directly via Telnet. If necessary, the user can log in locally through the Console port to complete the required configuration (see Sect. 5.3.3 for details).
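The NVT exchange in steps (a) to (c) is easier to see with a parser in hand. The following Python example is added here and is not from the book or from any Telnet implementation: it splits a constructed Telnet byte stream the way a minimal NVT client would, answering every option the server offers with WONT/DONT (refusing all options), skipping subnegotiations, and returning whatever is left as application data. The sample bytes are constructed to resemble a server’s first message (three option negotiations followed by a login prompt). The point for the defender is visible in the result: everything outside the IAC sequences, the prompt and anything the user types in reply, crosses the network as readable plaintext, which is exactly why the next item replaces Telnet with STelnet.

```python
# Telnet protocol constants (RFC 854): IAC introduces every command byte
IAC, DONT, DO, WONT, WILL, SB, SE = 0xFF, 0xFE, 0xFD, 0xFC, 0xFB, 0xFA, 0xF0


def parse_telnet_stream(data: bytes):
    """Split a raw Telnet byte stream into application data and negotiation.

    Returns (app_data, replies, negotiations):
      app_data     - the NVT application bytes with every IAC sequence removed
                     (an escaped IAC IAC pair becomes a single 0xFF data byte)
      replies      - what a client that supports no options would answer:
                     IAC WONT for each DO, IAC DONT for each WILL
      negotiations - (command, option) pairs seen, useful for logging
    """
    app, replies, seen = bytearray(), bytearray(), []
    i, n = 0, len(data)
    while i < n:
        if data[i] != IAC:
            app.append(data[i])
            i += 1
            continue
        if i + 1 >= n:          # buffer ends inside a command: wait for more bytes
            break
        cmd = data[i + 1]
        if cmd == IAC:          # escaped literal 0xFF data byte
            app.append(IAC)
            i += 2
        elif cmd in (DO, DONT, WILL, WONT):
            if i + 2 >= n:      # option byte not yet received
                break
            opt = data[i + 2]
            seen.append((cmd, opt))
            if cmd == DO:
                replies += bytes([IAC, WONT, opt])
            elif cmd == WILL:
                replies += bytes([IAC, DONT, opt])
            i += 3
        elif cmd == SB:         # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                break
            i = end + 2
        else:                   # other two-byte commands (NOP, GA, ...)
            i += 2
    return bytes(app), bytes(replies), seen


# Constructed capture of a server's first bytes: WILL ECHO (1), WILL SUPPRESS-GO-AHEAD (3),
# DO TERMINAL-TYPE (24), then a login prompt as plain NVT ASCII.
SAMPLE_SERVER_BYTES = (b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18"
                       b"Login authentication\r\n\r\nUsername:")


def demo():
    """Parse the constructed sample; the prompt comes back as readable text."""
    return parse_telnet_stream(SAMPLE_SERVER_BYTES)
```

The parser stops at a truncated command rather than guessing, which is the behaviour a real client needs when a TCP read ends in the middle of an IAC sequence; the caller keeps the unconsumed tail and retries once more bytes arrive.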

  3. Login via STelnet

    Telnet lacks a secure authentication mode and transmits in plaintext over TCP, hence its great security risks. Relying on the Telnet service alone also leaves a device prone to denial of service (DoS), host IP address spoofing, routing spoofing and other malicious attacks. As more importance is attached to network security, the traditional Telnet way of sending passwords and data in plaintext has gradually become unacceptable to users.

    SSH is short for Secure Shell and runs on the standard Port 22. SSH is a network security protocol that provides secure remote login and other secure network services in an insecure network environment by encrypting network data, thus solving the security problems of remote Telnet. SSH relies on TCP for data exchange, that is, it builds a secure channel on top of TCP. In addition, SSH can also be run on service ports other than the standard Port 22, which makes it more secure and better protected against illegal attacks.

    It also supports password authentication and RSA authentication, and encrypts data with DES, 3DES, AES, etc., thus effectively preventing eavesdropping of the password, protecting the integrity and reliability of the data, and ensuring safe transmission. In particular, through RSA authentication, the combined use of symmetric and asymmetric encryption, and secure key exchange, SSH realizes a secure session. Thanks to encrypted data transmission and a more secure authentication mechanism, it is widely used and has become one of the most important network protocols.

    The SSH protocol comes in two different and incompatible versions: the SSH1 (SSH 1.5) protocol and the SSH2 (SSH 2.0) protocol. SSH 2.0 is superior to SSH 1.5 in terms of security, functionality and performance. STelnet, short for Secure Telnet, enables the user to log in securely to devices from a remote end and provides an interactive configuration interface in which all interactive data is encrypted, thus ensuring a secure session. Huawei network equipment supports both the client and server sides of STelnet, as well as the SSH1 (SSH 1.5) and SSH2 (SSH 2.0) protocols.

    SSH adopts the traditional client/server application model, and its security is guaranteed in the following ways.

    (a) Data encryption: An encryption key is generated through client/server negotiation and exchange and is used to encrypt data packets symmetrically, ensuring the confidentiality of the data during transmission.

    (b) Data integrity: Integrity keys are generated through client/server negotiation and exchange to uniquely identify a session, so that every message of the session is tagged with the integrity key. In this way, the receiver can detect any data that has been modified by a third party and discard that data unit, ensuring the integrity of the data during transmission.

    (c) User authentication: By providing a variety of authentication methods, SSH ensures that only authenticated, legitimate users can hold a session with the server, which improves the security of the system while protecting the rights and interests of legitimate users.
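The separation between the encryption key of (a) and the integrity key of (b), and the way both are bound to one session, is easiest to see in code. The following Python example is added here; it is neither Huawei’s implementation nor a real SSH library. It derives per-direction encryption and integrity keys from a shared secret K and exchange hash H using the RFC 4253 key-derivation scheme (HASH of K, H, a one-letter label and the session id), protects a packet the way SSH does (a MAC over the 32-bit sequence number and the unencrypted packet, appended after the ciphertext), and shows the receiver accepting an intact packet while discarding a modified, replayed or foreign-session one. The shared secret and exchange hash are constructed constants (real SSH obtains them from the key exchange), and a hash-based counter keystream stands in for the negotiated cipher (AES etc.) so the block runs with the standard library only.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output length


def mpint(n: int) -> bytes:
    """Encode a positive integer as an SSH mpint (RFC 4251 section 5)."""
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")  # extra byte keeps the sign bit clear
    return struct.pack(">I", len(body)) + body


def derive_key(K: int, H: bytes, label: bytes, session_id: bytes, length: int) -> bytes:
    """RFC 4253 section 7.2: key = HASH(K || H || label || session_id), extended with HASH(K || H || key)."""
    key = hashlib.sha256(mpint(K) + H + label + session_id).digest()
    while len(key) < length:
        key += hashlib.sha256(mpint(K) + H + key).digest()
    return key[:length]


class DirectionKeys:
    """Keys and packet counters for one direction of a session.
    Client-to-server uses labels C (encryption) and E (integrity) in RFC 4253."""

    def __init__(self, K: int, H: bytes, enc_label: bytes = b"C", mac_label: bytes = b"E"):
        session_id = H  # the first exchange hash also serves as the session identifier
        self.enc_key = derive_key(K, H, enc_label, session_id, 32)
        self.mac_key = derive_key(K, H, mac_label, session_id, 32)
        self.send_seq = 0
        self.recv_seq = 0

    def _keystream(self, seq: int, length: int) -> bytes:
        # Toy stand-in for the negotiated block cipher (AES-CTR etc.): hash-based counter mode
        out = b""
        block = 0
        while len(out) < length:
            out += hashlib.sha256(self.enc_key + struct.pack(">II", seq, block)).digest()
            block += 1
        return out[:length]

    def _tag(self, seq: int, plaintext: bytes) -> bytes:
        # SSH MAC input: the 32-bit sequence number followed by the unencrypted packet
        return hmac.new(self.mac_key, struct.pack(">I", seq) + plaintext, hashlib.sha256).digest()

    def protect(self, plaintext: bytes) -> bytes:
        """Sender side: encrypt, then append the integrity tag."""
        seq, self.send_seq = self.send_seq, self.send_seq + 1
        ks = self._keystream(seq, len(plaintext))
        return bytes(p ^ k for p, k in zip(plaintext, ks)) + self._tag(seq, plaintext)

    def unprotect(self, wire: bytes):
        """Receiver side: decrypt, verify the tag; None means the packet is discarded."""
        seq, self.recv_seq = self.recv_seq, self.recv_seq + 1
        if len(wire) < TAG_LEN:
            return None
        body, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
        ks = self._keystream(seq, len(body))
        plaintext = bytes(c ^ k for c, k in zip(body, ks))
        if not hmac.compare_digest(tag, self._tag(seq, plaintext)):
            return None  # modified, replayed (sequence mismatch) or wrong session
        return plaintext


# Constructed session parameters (real SSH obtains them from the key exchange)
K_DEMO = 0x6A09E667F3BCC908B2FB1366EA957D3E
H_DEMO = hashlib.sha256(b"constructed exchange hash").digest()


def demo():
    """Return the receiver's verdict on an intact, modified, replayed and foreign-session packet."""
    client = DirectionKeys(K_DEMO, H_DEMO)
    server = DirectionKeys(K_DEMO, H_DEMO)
    wire = client.protect(b"display current-configuration\r\n")
    accepted = server.unprotect(wire)
    replayed = server.unprotect(wire)                      # same bytes again: sequence number moved on
    modified = DirectionKeys(K_DEMO, H_DEMO).unprotect(bytes([wire[0] ^ 0x01]) + wire[1:])
    foreign = DirectionKeys(K_DEMO, hashlib.sha256(b"another session").digest()).unprotect(wire)
    return accepted, modified, replayed, foreign
```

Because the sequence number is part of the MAC input but never transmitted, a packet that is captured and re-sent later fails verification on its own, which is the replay protection the text attributes to the integrity key identifying the session.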

  4. Login via Web

    In Web mode, the user logs in to the device through HTTP or HTTPS. The device acts as the server and provides a graphical operation interface through its built-in Web server, so that the user can manage and maintain the device intuitively and conveniently.

    HTTP is the most widely used network protocol on the Internet. It was originally designed to make browsers more efficient by providing a way to publish and receive HTML pages. The work of HTTP consists of two processes.

    (a) The client’s browser first establishes a connection with the server over the network, using TCP on Port 80. Once the connection is established, the client sends a request to the server in the form of a uniform resource locator (URL) and protocol version number, followed by MIME-like information including request modifiers, client information and possible body content.

    (b) After receiving the request, the server replies with a response in the form of a status line, including the protocol version number of the message and a success or error code, followed by MIME-like information including server information, entity information and possible body content.

    HTTP sends information in plaintext. If a hacker intercepts a transmission between a Web browser and a server, the information in it can be read directly. In view of this inherent security hazard of HTTP, the security-oriented HTTP channel “HTTPS” emerged, which guarantees the security of the transmission through transmission encryption and identity authentication on the basis of HTTP. HTTPS layers HTTP on top of the secure socket layer (SSL), so the SSL layer provides the security infrastructure and handles the details of encryption. HTTPS uses a different default port (Port 443) from HTTP and an encryption/authentication layer (between HTTP and TCP) to provide authentication and encrypted communication. HTTPS is widely used for security-sensitive communications over the Internet, such as transactions, payments, etc.

    HTTPS focuses on the following three aspects in its security design.

    (a) Data confidentiality: It guarantees that the data contents will not be disclosed to a third party during transmission, just like a sealed parcel delivered by a courier, whose contents others cannot learn.

    (b) Data integrity: It detects in a timely manner any transmitted content that has been tampered with by a third party. Continuing the parcel analogy, although the courier does not know what is in the parcel, it might be stealthily substituted midway; data integrity makes it easy for the user to become aware of, and reject, a substituted parcel.

    (c) Authentication security: It ensures that the data arrives at the destination the user intended, that is, the parcel, not having been substituted, must still be delivered to the correct destination. Authentication is used to ensure this correct delivery.

    HTTPS has the following three advantages over HTTP.

    (a) HTTPS authenticates the user and the server to ensure that data is sent to the correct client and server.

    (b) HTTPS, which is built as SSL + HTTP, is a network protocol supporting encrypted transmission and identity authentication. It achieves higher security than HTTP and prevents data from being stolen or tampered with during transmission, thus ensuring the integrity of the data.

    (c) As the most secure solution under the current architecture, HTTPS, although not absolutely secure, significantly increases the cost of man-in-the-middle attacks.

    Of course, HTTPS comes with some costs for the improved security. On the same network, HTTPS increases page load time by nearly 50% and power consumption by 10% to 20%; it affects caching, thus increasing data overhead and power consumption; in addition, it increases the consumption of computing resources. For example, a certain amount of computing resources and server cost is taken up by the SSL encryption algorithms and the additional SSL interactions. When a large number of users access the application, the server needs to encrypt and decrypt frequently, and almost every byte needs to be encrypted and decrypted, which naturally raises the server cost.

    Huawei’s data communication equipment supports device login using HTTP/HTTPS, but this Web mode can only manage and maintain part of the device’s functions. The CLI mode is still needed if the device requires more complex or fine-grained management.

Fig. 5.5 Log in through the Console port

5.2.2 Common Cases of Device Login Management

[Example 5.7]

Login through the Console port

  1. Topological structure

    Figure 5.6 shows the login through the Console port. All network devices have a Console port, and the first time a network device is used, the Console port is usually used for local login.

  2. Preparations

    Before logging in to the device through the Console port, two things need to be done.

    (a) Install a terminal emulation program on the PC (such as HyperTerminal for Windows).

    (b) Prepare the Console cable.

  3. Steps

    (a) After the preparation work is completed, follow these five steps to complete the device login.

      (i) Make the physical connection as shown in Fig. 5.6. Insert the DB9 plug of the Console cable into the PC serial port (COM), and then plug the RJ-45 plug into the Console port of the device. Note that if the maintenance terminal (PC) has no DB9 serial port, a DB9-serial-to-USB adapter cable can be purchased separately to connect through a USB port of the maintenance terminal.

      (ii) Open the terminal emulation program (such as HyperTerminal) on the PC and create a new connection, as shown in Fig. 5.7, then click “OK”.

      (iii) Select the serial port according to the port the cable is actually connected to on the maintenance terminal. In this example, set the serial port to “COM4”, as shown in Fig. 5.8, and click “OK”.

      (iv) Set the serial port’s communication parameters: baud rate “9600”, data bits “8 bits”, parity bit “None”, stop bit “1 bit”, flow control “None”, as shown in Fig. 5.9, and then click “OK”.

      (v) Press “Enter” repeatedly until the system prompts the user to configure the authentication password with the following message. The system then saves the password configuration automatically.

      Please configure the login password (maximum length 16)
      Enter Password:
      Confirm Password:

    (b) Since Windows no longer ships with HyperTerminal as of Windows 7, it is recommended to use PuTTY, a free 32-bit Telnet, Rlogin and SSH client.

      To log in to the device with PuTTY via the Console port, go through the following four steps.

      (i) Make the physical connection in the same way as when using HyperTerminal.

      (ii) Open PuTTY on the PC, as shown in Fig. 5.10, and select the “Serial Port” option.

      (iii) Select the right serial port for the connection and set the serial port parameters, as shown in Fig. 5.11: connect to serial port “COM1”, with speed/baud rate “9600”, data bits “8”, stop bits “1”, parity “none”, and flow control “none”.

      (iv) Click the “Open” button and wait until the system prompts the user to configure the authentication password with the following message. The system then saves the password configuration automatically.

      Please configure the login password (maximum length 16)
      Enter Password:
      Confirm Password:

Fig. 5.6 Topological structure subject to the login through the Console port

Fig. 5.7 Create a new connection

Fig. 5.8 Set the serial port

Fig. 5.9 Set the serial port’s communication parameters

Fig. 5.10 PuTTY configuration

Fig. 5.11 Set the serial port parameters

[Example 5.8]

Telnet login management

  1. Topological structure

    Figure 5.12 shows the topology of Telnet login management. In a real network environment, any network device configured for Telnet remote login can be used as a Telnet server.

  2. Preparations

    Before Telnet login, it is necessary to ensure that there is Layer-3 connectivity between the PC and the Telnet server’s maintenance interface. The IP address of the maintenance interface can be configured as required; here it is assumed to be 120.20.20.20/24. With an authorized PC, login management of the device can be performed over the LAN or the Internet. See Sect. 5.3.4 for the specific configuration.

  3. Steps

    This example introduces the steps of Telnet login management using the built-in client of Windows. The user name for Telnet remote login is “HUAWEI” and the password is “Huawei@123”.

    (a) To install the built-in Windows client, select “Control Panel” -> “Programs and Features”, click the “Turn Windows features on or off” hyperlink to bring up the Windows Features window, check “Telnet Client”, and click the “OK” button, as shown in Fig. 5.13.

    (b) Log in to the device from a command prompt on the PC. As shown in Fig. 5.14, enter “telnet 120.20.20.20” at the command prompt and press the “Enter” key, then enter the user name “HUAWEI” and the password “Huawei@123” to log in to the device, as shown in Fig. 5.15.

Fig. 5.12 Topological structure of Telnet login management

Fig. 5.13 Install the Telnet client that comes with Windows

Fig. 5.14 Log in to the device using a command prompt

Fig. 5.15 Log in to the device with Telnet

[Example 5.9]

STelnet login management

  1. Topological structure

    Figure 5.16 shows the topology of STelnet login management. In a real network environment, any network device configured for STelnet remote login can be used as an STelnet server.

  2. Preparations

    Before STelnet login, it is necessary to ensure that there is Layer-3 connectivity between the PC and the STelnet server’s maintenance interface. With an authorized PC, login management of the device can be performed over the LAN or the Internet. See Sect. 5.3.4 for the specific configuration.

  3. Steps

    This example introduces the steps of STelnet login management using a third-party client on Windows. The user name for STelnet remote login is “HUAWEI” and the password is “Huawei@123”.

    (a) Open the STelnet client; PuTTY is taken as the example here. After opening PuTTY, set “Connection Type” to “SSH”, as shown in Fig. 5.17.

    (b) Set the STelnet login parameters, as shown in Fig. 5.18: set “Host Name (or IP Address)” to “120.20.20.20” and “Port” to “22”. The SSH protocol version used by default is SSH 2.0. Then click “Open”.

    (c) As shown in Fig. 5.19, enter the user name “HUAWEI” and the password “Huawei@123” in the pop-up login window to log in to the device.

Fig. 5.16 Topological structure of STelnet login management

Fig. 5.17 Log in to STelnet through the PuTTY client

Fig. 5.18 Set the STelnet login parameters

Fig. 5.19 Log in to the device with STelnet

[Example 5.10]

Web login management

  1. Topological structure

    Figure 5.20 shows the topological structure of Web login management.

  2. Preparations

    Before Web login, it is necessary to ensure that there is Layer-3 connectivity between the PC and the device’s maintenance interface. With an authorized PC, login management of the device can be performed over the LAN or the Internet. See Sect. 5.3.4 for the specific configuration.

  3. Steps

    Here, the Huawei USG6000V Firewall is taken as an example to explain the steps of login over HTTPS. Note that when HTTPS uses its default Port 443, no port needs to be specified in the URL, which would then be “https://120.20.20.20”; however, the Huawei USG6000V Firewall opens Port 8443 for HTTPS by default, so the user needs to specify the port in the URL, that is, “https://120.20.20.20:8443”.

    (a) Open the browser (Firefox and Google Chrome are recommended).

    (b) As shown in Fig. 5.21, enter the firewall’s URL “https://120.20.20.20:8443” in the address bar to display the Web login management interface.

    (c) Enter the user name “HUAWEI” and the password “Huawei@123” in the interface to log in to the device, as shown in Fig. 5.22.

Fig. 5.20 Topological structure of Web login management

Fig. 5.21 Interface of Web login management

Fig. 5.22 Log in to the device via Web

5.3 Basic Configuration of the Network System

In order to meet the requirements and for convenience of operation and maintenance, the network system must complete the necessary basic configuration of the device before configuring the service, including the basic configuration of the device environment, the management of the device configuration file, the configuration of the basic network and the relevant configuration of the remote login, etc.

5.3.1 Basic Configuration of Device Environment

The user can set the device environment in order to adapt to the usage habit or the demand of the actual operating environment. Device environment configuration can be divided into basic system environment configuration and basic user environment configuration. Each will be explained in detail below.

  1. Basic system environment configuration

    The basic environment of the system mainly covers the language mode, device name, system clock, title text, command level, etc., among which the most common settings are the language mode, host name and system clock.

    (a) Switching of language modes

      In consideration of the language habits of Chinese users, Huawei VRP provides help information in both English and Chinese, and the user can switch between them as needed. Note that VRP help information is displayed in English by default, and some VRP versions do not support language switching.

      [Example 5.11]

      Switch the language mode with the [language-mode] command

      By default, VRP displays help information in English. In the user view, execute the command [language-mode Chinese] to switch to Chinese mode; similarly, to switch back to English mode, execute the [language-mode English] command in the user view.

      <Huawei>language-mode Chinese
      Change language mode, confirm? [Y/N]y
      Jan 31 2020 12:07:00-08:00 Huawei %%01CMD/4/LAN_MODE(l)[50]:The user chose Y when deciding whether to change the language mode.
      提示:改变语言模式成功。
      <Huawei>language-mode English
      改变当前语言环境,确认切换? [Y/N]y
      Info: Succeeded to change language mode.

    (b) Setting of device name

      In practice, network device names can be configured according to user requirements. To facilitate future operation and maintenance, all network devices must follow a uniform and clear naming specification. It is generally recommended that the name of a network device include information such as the equipment room and rack where it is deployed, and the function, layer, model and serial No. of the device. The specific naming specification can be decided according to actual requirements during the network scheme design.

      [Example 5.12]

      Set the device name

      A certain device is located in Rack 03 of the core equipment room, sits at the convergence layer of the network structure, and is used to aggregate the traffic of the production department; the device model is Huawei S5700, so it can be named “Core03-SC-HJ-S5700”. The specific configuration steps are as follows.

      (i) Execute the [system-view] command to enter the system view.

      <Huawei>system-view
      Enter system view, return user view with Ctrl+Z.

      (ii) Execute the command [sysname Core03-SC-HJ-S5700] to set the device name, which takes effect immediately.

      [Huawei]sysname Core03-SC-HJ-S5700

    (c) Setting of system clock

      The system clock is the time shown in the system timestamp, and it must be set accurately by the user to ensure normal coordination with other devices. For network devices, the system clock is computed with the formula “UTC + time zone offset + daylight saving time offset”. UTC is short for Universal Time Coordinated.

      In view of regional differences, before setting the system clock the user should first understand the regulations of the country or region and obtain the time zone offset and daylight saving time offset. The system clock is set in the user view and includes the time zone setting, the current time setting and the daylight saving time setting. The relevant parameters are shown in Table 5.9.

      The following two examples illustrate the steps for setting the system clock.

      [Example 5.13]

      Clock setting (not adopting daylight saving time)

      Assuming the device is used in China (UTC + 8), the current date and time is 17:00:00 on January 31, 2020, and daylight saving time is not adopted in China, the configuration process is as follows.

      (i) Set the current time zone, named “BeiJing”, to UTC + 8.

      <Huawei>clock timezone BeiJing minus 8:00:00
      // "minus" is used here for UTC+8, meaning it is earlier than UTC; if in UTC-12, "add" should be used to indicate time later than UTC

      (ii) Set the current date and time.

      <Huawei>clock datetime 17:00:00 2020-01-31

      Execute the [display clock] command to check the system clock after the setting is complete.

      <Huawei>display clock
      2020-01-31 17:00:02
      Friday
      Time Zone(BeiJing) : UTC-08:00

    [Example 5.14]

    Clock setting (adopting daylight saving time)

    Assuming the device is used in Sydney, Australia (UTC + 10), the current date and time is 17:00:00 on January 31, 2020 (without daylight saving time), and daylight saving time in Australia (starting at 2:00 a.m. on the first Sunday in October and ending at 3:00 a.m. on the first Sunday in April) is one hour ahead of the original system time, the configuration process is as follows.

    (i) Set the current time zone, named “Sydney”, to GMT + 10.

    <Huawei>clock timezone Sydney minus 10:00:00

    (ii) Set the current date and time.

    <Huawei>clock datetime 17:00:00 2020-01-31

    Execute the [display clock] command to check that the system clock shows 17:00:00 on January 31, 2020.

    <Huawei>display clock
    2020-01-31 17:00:01
    Friday
    Time Zone(Sydney) : UTC-10:00

    (iii) Set the daylight saving time.

    <Huawei>clock daylight-saving-time Australia repeating 02:00 first Sun OCT 03:00 first Sun Apr 1

    Execute the [display clock] command to check the system clock after the setting is complete. The system now adopts daylight saving time, which is one hour ahead of the original time.

    <Huawei>display clock
    2020-01-31 18:01:11 DST
    Friday
    Time Zone(Australia) : UTC-10:00
    Daylight saving time :
      Name : Australia
      Repeat mode : repeat
      Start year : 2000
      End year : 2099
      Start time : first Sunday October 02:00:00
      End time : first Sunday April 03:00:00
      Saving time : 01:00:00
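The formula “UTC + time zone offset + daylight saving time offset” and the repeating rule interact in a way that is easy to get wrong when, as in Sydney, the daylight saving period runs from October to April and therefore crosses the year boundary. The following Python example is added here and is not from the book or from VRP: it encodes a repeating rule in the form the command above takes (n-th weekday of a month at a clock time), decides whether a standard-time instant falls inside the period, and applies the offset. It assumes, as an interpretation of the rule, that the end time (03:00) is given in daylight saving clock time and must therefore be converted to standard time before comparison; the weekday encoding (0 = Monday to 6 = Sunday) follows Python’s datetime.

```python
from datetime import datetime, timedelta

# A repeating rule as the VRP command expresses it:
# (month, weekday, n, hour, minute) with weekday 0 = Monday ... 6 = Sunday
SYDNEY_DST_START = (10, 6, 1, 2, 0)   # first Sunday of October, 02:00 (standard clock time)
SYDNEY_DST_END = (4, 6, 1, 3, 0)      # first Sunday of April, 03:00 (DST clock time, by assumption)
SYDNEY_RULE = (SYDNEY_DST_START, SYDNEY_DST_END)
ONE_HOUR = timedelta(hours=1)


def nth_weekday(year: int, month: int, weekday: int, n: int) -> datetime:
    """Midnight at the n-th given weekday of year/month (n = 1 is the first)."""
    first = datetime(year, month, 1)
    return first + timedelta(days=(weekday - first.weekday()) % 7 + 7 * (n - 1))


def rule_datetime(year: int, rule) -> datetime:
    month, weekday, n, hour, minute = rule
    return nth_weekday(year, month, weekday, n).replace(hour=hour, minute=minute)


def in_dst(local_std: datetime, start_rule, end_rule, saving: timedelta) -> bool:
    """True if local_std (a naive standard-time instant) lies inside the DST period."""
    start = rule_datetime(local_std.year, start_rule)
    # Assumption: the end time is given in DST clock time, so shift it back to standard time
    end = rule_datetime(local_std.year, end_rule) - saving
    if start < end:
        return start <= local_std < end            # period lies within one calendar year
    return local_std >= start or local_std < end   # period crosses the year boundary (Oct -> Apr)


def vrp_local_time(utc: datetime, tz_offset_hours: int, dst_rule=None, saving: timedelta = ONE_HOUR):
    """Apply the page's formula: local = UTC + time zone offset + daylight saving offset.
    Returns (local_time, dst_active)."""
    std = utc + timedelta(hours=tz_offset_hours)
    if dst_rule is not None and in_dst(std, dst_rule[0], dst_rule[1], saving):
        return std + saving, True
    return std, False


def demo():
    """Beijing (no DST) and Sydney (DST active in January) for the same UTC instants."""
    beijing = vrp_local_time(datetime(2020, 1, 31, 9, 0, 0), 8)
    sydney = vrp_local_time(datetime(2020, 1, 31, 7, 0, 0), 10, SYDNEY_RULE)
    return beijing, sydney
```

Run with the page’s inputs, Beijing at UTC + 8 gives 17:00 with no DST, and Sydney at UTC + 10 gives 18:00 with DST active on 31 January, matching the clock jump from 17:00 to 18:0x shown above; the same function reports no DST for a July instant, and flips exactly at 02:00 standard time on the first Sunday of October and of April.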

  2. Basic user environment configuration

    In VRP, the user can configure the basic user environment, namely switching user levels and locking the user interface, and manage the device’s basic files.

    Switching from a higher level to a lower level requires no password; switching from a lower level to a higher level requires the correct level-switching password. Configuring the user-level switching environment consists of two steps: configuring the password used to switch the user level, and switching the user level.

    Here is an example of how to do this.

Table 5.9 Setting of relevant parameters of system clock

[Example 5.15]

Switch of Telnet user level

Assuming that the Telnet user is at Level 0 by default, the user can only execute commands applicable to Level 0 by default after logging in to the device in the Telnet mode, having no right to enter the system view by executing the [system-view] command, as shown below.

<Huawei>system-view
             ^
Error: Unrecognized command found at '^' position.

In order to execute higher-level commands, the user must execute the [super password] command in the system view to configure the password for switching the user level. For example, the [super password level 3 cipher Huawei] command means that the password for switching from a lower level (Level 0–2) to Level 3 is “Huawei”.

After the configuration is completed, execute the [super] command on the device to switch the user level, and then enter the password “Huawei” as prompted by the system to switch the user level from 0 to 3. At this point the user can execute all the commands, as shown below.

<Huawei>super
Password:
Now user privilege is level 3, and only those commands whose level is equal to or less than this level can be used.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.

In addition, a user who needs to leave the operating terminal temporarily can lock the user interface to prevent unauthorized users from operating it. The operation is very simple: execute the [lock] command in the user view. Once the lock succeeds, the screen displays “locked!”. Note that to lock the user interface, the user needs to enter and confirm a password, and to release the lock, the password set at the time of locking must be entered correctly.

5.3.2 Management of Device Configuration Files

VRP manages programs and configuration files through the file system. The file system manages files and directories on storage devices, including creating file systems; creating, deleting, modifying and renaming files and directories; and displaying file contents. The file system realizes two kinds of functions: managing storage devices, and managing the files stored on them. A storage device is a hardware device for storing information; the storage devices currently supported by routers include flash memory, hard disks and memory cards, and the types actually supported vary from product to product. A file is the mechanism by which the system stores and manages information, and the system directory is the mechanism that organizes the whole collection of files; a directory is a logical container of files. Next, we will introduce the operation of directories and files, the management of storage devices and the management of configuration files.

  1. 1.

    Operation of directories and files

    For the file system, the common directory and file operations are shown in Table 5.10, including displaying, copying, moving and deleting files. Assuming that the device has been saved, that is, the configuration file “vrpcfg.zip” exists in the device, the common directory and file operations for the device are shown in the following Table 5.10.

    [Example 5.16]

    Directory and file operations

    1. (a)

      Display the current directory.

    <Huawei>pwd flash:

    1. (b)

      Create a directory and name it “backup”.

    <Huawei>mkdir backup Info: Create directory flash:/backup......Done.

    1. (c)

      Delete the directory “backup”.

    <Huawei>rmdir backup Remove directory flash:/backup?[Y/N]:y %Removing directory flash:/backup...Done!

    1. (d)

      Display the file list under the current directory.

    <Huawei>dir Directory of flash:/ Idx Attr Size(Byte) Date Time FileName 0 drw- - Jan 29 2020 11:19:01 src 1 -rw- 447 Jan 29 2020 11:20:06 vrpcfg.zip 2 -rw- 1,343 Jan 29 2020 11:24:28 vrpconfig.cfg 3 -rw- 1,343 Jan 29 2020 11:31:10 vrpcfg.txt 4 -rw- 1,343 Jan 29 2020 11:55:09 backup 5 drw- - Jan 29 2020 11:55:28 backup1

    1. (e)

      Decompress the configuration file.

    <Huawei>unzip vrpcfg.zip flash:/vrpcfg.txt Extract flash:/vrpcfg.zip to flash:/vrpcfg.txt?[Y/N]:

    Type “Y” and press Enter to unzip the file.

    <Huawei>unzip vrpcfg.zip flash:/vrpcfg.txt Extract flash:/vrpcfg.zip to flash:/vrpcfg.txt?[Y/N]:y 100% complete %Decompressed file flash:/vrpcfg.zip to flash:/vrpcfg.txt.

    1. (f)

      Display the file contents.

    <Huawei>more vrpcfg.txt # sysname Huawei # cluster enable ntdp enable ndp enable # drop illegal-mac alarm # diffserv domain default # drop-profile default # aaa authentication-scheme default authorization-scheme default accounting-scheme default domain default domain default_admin local-user admin password simple admin local-user admin service-type http # interface Vlanif1 ---- More ----

    (g) Copy the file (create the directory “backup” first).

        <Huawei>copy vrpcfg.txt flash:/backup/
        Copy flash:/vrpcfg.txt to flash:/backup/vrpcfg.txt?[Y/N]:

    Type “Y” and press Enter to complete the copy operation.

        <Huawei>copy vrpcfg.txt flash:/backup
        Copy flash:/vrpcfg.txt to flash:/backup?[Y/N]:y
        100% complete
        Info: Copied file flash:/vrpcfg.txt to flash:/backup...Done.

    (h) Delete the file.

        <Huawei>delete vrpcfg.txt
        Delete flash:/vrpcfg.txt?[Y/N]:y
        Info: Deleting file flash:/vrpcfg.txt...succeeded.

    At this point, execute the [dir] command to view the file list under the current directory, and you can find that the file “vrpcfg.txt” has been deleted.

    (i) Recover the deleted file. The [delete] command above moved the file into the recycle bin rather than erasing it, which is why it can still be recovered here.

        <Huawei>undelete vrpcfg.txt
        Undelete flash:/vrpcfg.txt?[Y/N]:y
        %Undeleted file flash:/vrpcfg.txt.

    At this point, execute the [dir] command to view the file list under the current directory, and you can find that the file “vrpcfg.txt” has been recovered.

    (j) Completely delete the files in the recycle bin.

        <Huawei>reset recycle-bin
        Squeeze flash:/backup?[Y/N]:y
        %Cleared file flash:/backup.

  2. Management of storage devices

    VRP supports some basic management of storage devices, including formatting and repairing of storage devices, as shown in Table 5.11.

    [Example 5.17]

    Management of storage devices

    The operation of formatting a storage device is as follows.

        <Huawei>format flash:
        All data(include configuration and system startup file) on flash: will be lost , proceed with format ? [Y/N]:y
        %Format flash: completed.

    For storage devices with abnormal file system, VRP can try to repair them. The operation is shown as follows.

        <Huawei>fixdisk flash:
        Fix disk flash: will take long time if needed.
        % Fix disk flash: completed.

    Readers are advised to use the storage-device management commands with care, especially the [format] command, because once it is executed all files on the storage device are deleted.

  3. Management of configuration files

    (a) Initial configuration and current configuration

      When the router is powered on, it reads the configuration file from the default storage device to initialize itself; the configuration stored in that file is therefore called the saved-configuration (initial configuration). If no configuration file exists on the default storage device, the router is initialized with default parameters. In contrast to the initial configuration, the configuration in effect while the router is running is called the current-configuration. Table 5.12 lists the common operations involving the configuration file.

      [Example 5.18]

      Common operations involving the configuration file

      As we already know, the user can configure network devices through CLI. In order to make the current configuration the initial configuration when the router is powered on next time, it is necessary to execute the [save] command to save the current configuration to the default storage device to generate the initial configuration file. The operation steps are as follows.

        <Huawei>save
        The current configuration will be written to the device.
        Are you sure to continue?[Y/N]Y
        Info: Please input the file name ( *.cfg, *.zip ) [vrpcfg.zip]:
        Jan 29 2020 12:48:52-08:00 Huawei %%01CFM/4/SAVE(l)[0]:The user chose Y when deciding whether to save the configuration to the device.
        Now saving the current configuration to the slot 0.
        Save the configuration successfully.

    Execute the command [display saved-configuration] to view the initial configuration of the network device.

        [Huawei]display saved-configuration
        #
         sysname r1
        #
        undo info-center enable
        #
        aaa
         authentication-scheme default
         authorization-scheme default
         accounting-scheme default
         domain default
         domain default_admin
         local-user admin password cipher OOCM4m($F4ajUn1vMEIBNUw#
         local-user admin service-type http
        #
          ---- More ----

    Execute the command [display current-configuration] to view the current configuration of the network device.

        [Huawei]display current-configuration
        #
         sysname Huawei
        #
        undo info-center enable
        #
        aaa
         authentication-scheme default
         authorization-scheme default
         accounting-scheme default
         domain default
         domain default_admin
         local-user admin password cipher -$[1(P>3t>]@l3D+mKgUFM@#
         local-user admin service-type http
        #
          ---- More ----

    Execute the [reset saved-configuration] command to erase the configuration file in the storage device.

        <Huawei>reset saved-configuration
        Warning: The action will delete the saved configuration in the device.
        The configuration will be erased to reconfigure. Continue? [Y/N]:y
        Warning: Now clearing the configuration in the device.
        Jan 29 2020 12:51:56-08:00 Huawei %%01CFM/4/RST_CFG(l)[1]:The user chose Y when deciding whether to reset the saved configuration.
        Info: Succeeded in clearing the configuration in the device.

    Execute the [compare configuration] command to compare whether the current configuration file is consistent with the initial configuration file stored in the storage device. For example, after modifying the device name to “Test-difference”, VRP will display the inconsistency between the two files in the output information, as shown below.

        <Test-difference>compare configuration
        Warning: The current configuration is not the same as the next startup configuration file. There may be several differences, and the following are some configurations beginning from the first:
        ====== Current configuration line 2 ======
        sysname Test-difference
        #
        cluster enable
        ntdp enable
        ndp enable
        #
        drop illegal-mac alarm
        #
        diffserv domain default
        ====== Configuration file line 2 ======
        sysname Huawei
        #
        cluster enable
        ntdp enable
        ndp enable
        #
        drop illegal-mac alarm
        #
        diffserv domain default
        #
        drop-profile default
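The same question that [compare configuration] answers on the device, whether the running configuration has drifted from the saved one, can be asked offline against exported configuration text. The following Python script is an added example and is not code from the book or from Huawei: it takes the text that [display current-configuration] and [display saved-configuration] print, drops blank lines and the pager marker, and reports every region where the two differ, starting with the line number of the first difference. The two configuration texts are constructed from the sysname change shown in Example 5.18.

```python
"""Compare a current configuration with the saved configuration, VRP style.

Added example, not code from the book or from Huawei. Given the text that
[display current-configuration] and [display saved-configuration] print, it
reports where the two diverge, the question [compare configuration] answers
on the device. Sample configurations are constructed from Example 5.18.
"""
import difflib
from dataclasses import dataclass, field
from typing import List


@dataclass
class ConfigDiff:
    """One divergent region: the differing lines in each configuration."""
    kind: str                       # 'replace', 'delete' or 'insert'
    current_lines: List[str] = field(default_factory=list)
    saved_lines: List[str] = field(default_factory=list)
    current_start: int = 0          # 1-based line number in the current config
    saved_start: int = 0            # 1-based line number in the saved config


def normalise(config_text: str) -> List[str]:
    """Split a configuration dump into lines, dropping blanks and the pager marker."""
    lines = []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "---- More ----":
            continue
        lines.append(line)
    return lines


def compare_configuration(current: str, saved: str) -> List[ConfigDiff]:
    """Return every region where the current configuration differs from the saved one."""
    cur, sav = normalise(current), normalise(saved)
    matcher = difflib.SequenceMatcher(a=cur, b=sav, autojunk=False)
    diffs = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            continue
        diffs.append(ConfigDiff(tag, cur[i1:i2], sav[j1:j2], i1 + 1, j1 + 1))
    return diffs


def is_saved(current: str, saved: str) -> bool:
    """True when there is no unsaved change, i.e. [save] is not needed."""
    return not compare_configuration(current, saved)


# Constructed sample: the device was renamed but [save] was not run afterwards.
CURRENT_CONFIG = """\
#
 sysname Test-difference
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
"""

SAVED_CONFIG = """\
#
 sysname Huawei
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
"""

if __name__ == "__main__":
    for d in compare_configuration(CURRENT_CONFIG, SAVED_CONFIG):
        print(f"{d.kind}: current line {d.current_start} {d.current_lines} "
              f"vs saved line {d.saved_start} {d.saved_lines}")
```

Run periodically against the two dumps, the `is_saved` check gives an operations team a simple signal that a device carries unsaved changes, whether forgotten by an administrator or made by someone who should not have been there.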

    (b) Management of the startup configuration files

      System software and configuration files need to be loaded when the system starts. Before managing the startup configuration files, it is necessary to clarify three related concepts, namely, the startup saved-configuration file, the next startup saved-configuration file and the next startup configuration file. In the device, you can check the startup configuration of the current system by executing the [display startup] command, as shown below.

        <Huawei>display startup
        MainBoard:
          Configed startup system software:        flash:/sup.bin
          Startup system software:                 flash:/sup.bin
          Next startup system software:            flash:/sup.bin
          Startup saved-configuration file:        flash:/vrpcfg.zip
          Next startup saved-configuration file:   flash:/vrpcfg.zip
          Next startup configuration:              backup-configuration

      Among them, the startup saved-configuration file is the configuration file used in this startup, the next startup saved-configuration file is the configuration file to be loaded in the next startup, and the next startup configuration file is the disaster recovery configuration file to be loaded in the next startup.

      It should be noted that the next startup configuration file is generally supported only by network security products, such as the USG firewall, AntiDDoS and similar devices. When such a security device fails, the next startup configuration file is loaded to recover the configuration only if neither the original current configuration nor the initial configuration meets the expected requirements. That is to say, under normal circumstances, the next startup configuration file is not configured.

      Next, two examples are given to explain how to manage the next startup saved-configuration file and next startup configuration file at the next startup through VRP.

    [Example 5.19]

    Management of the next startup saved-configuration file

    Execute the command [startup saved-configuration configuration-filename] to configure the configuration file to be loaded when the device starts next time. The operation steps are as follows.

    (i) Execute the [dir] command in the user view to view the file name of the configuration file, as shown below. At this time, there are two configuration files in the device: “vrpcfg.zip” and “vrpcfg1.zip”.

        <Huawei>dir
        Directory of flash:/

          Idx  Attr     Size(Byte)  Date         Time(LMT)  FileName
            0  drw-              -  Feb 03 2020  03:15:00   dhcp
            1  -rw-        121,802  May 26 2014  09:20:58   poR1lpage.zip
            2  -rw-          2,263  Feb 03 2020  03:14:55   statemach.efs
            3  -rw-        828,482  May 26 2014  09:20:58   sslvpn.zip
            4  -rw-            656  Feb 03 2020  03:47:42   vrpcfg1.zip
            5  -rw-            656  Feb 03 2020  03:14:53   vrpcfg.zip

    (ii) Execute the [display startup] command in the user view to view the list of current startup configuration files.

        <Huawei>display startup
        MainBoard:
          Startup system software:                     null
          Next startup system software:                null
          Backup system software for next startup:     null
          Startup saved-configuration file:            flash:/vrpcfg.zip
          Next startup saved-configuration file:       flash:/vrpcfg.zip

    (iii) Configure the next startup saved-configuration file as “vrpcfg1.zip”. Execute step (ii) again, and you can see that the configuration file to be loaded at the next startup has been changed to “vrpcfg1.zip”.

        <Huawei>startup saved-configuration vrpcfg1.zip
        This operation will take several minutes, please wait....
        Info: Succeeded in setting the file for booting system
        <Huawei>disp startup
        MainBoard:
          Startup system software:                     null
          Next startup system software:                null
          Backup system software for next startup:     null
          Startup saved-configuration file:            flash:/vrpcfg.zip
          Next startup saved-configuration file:       flash:/vrpcfg1.zip

    [Example 5.20]

    Management of the next startup configuration file

    The next startup configuration file is a backup file generated by the system in flash memory, which cannot be deleted, modified or renamed, and cannot be designated as the configuration file for the next startup by the [startup saved-configuration] command. The next startup configuration file will be lost only after the flash memory is formatted.

    Operation steps for managing the next startup configuration file are as follows.

    (i) Execute the [dir] command in the user view to view the available configuration files. During actual operation and maintenance, previously backed-up configuration files can be uploaded to the device in advance for standby.

        <SRG>dir
        13:45:28 2020/02/03
        Directory of flash:/
           0  -rw-     61  Feb 03 2020 13:33:50   private-data.txt
           1  -rw-    986  Feb 03 2020 13:33:50   vrpcfg.zip
           2  -rw-    986  Feb 03 2020 13:36:19   backupcfg.zip

    (ii) Execute the [backup-configuration backupcfg.zip] command in the user view to designate “backupcfg.zip” as the next startup configuration file.

        <SRG>backup-configuration backupcfg.zip

    (iii) Execute the [startup backup-configuration] command to make the designated backup configuration file the configuration file loaded at the next startup.

        <SRG>startup backup-configuration

    (iv) Execute the [display startup] command in the user view and view the list of current startup configuration files, to confirm that the next startup configuration file is set.

        <Huawei>startup saved-configuration vrpcfg1.zip
        This operation will take several minutes, please wait....
        Info: Succeeded in setting the file for booting system
        <Huawei>disp startup
        MainBoard:
          Startup system software:                     null
          Next startup system software:                null
          Backup system software for next startup:     null
          Startup saved-configuration file:            flash:/vrpcfg.zip
          Next startup saved-configuration file:       flash:/vrpcfg1.zip
          Next startup configuration:                  backup-configuration

    In addition, after a next startup configuration file has been set, it can be cancelled in either of the following two ways.

    (i) After modifying the configuration, execute the [save] command without parameters in the user view; the system will then use the saved configuration file as the configuration file for the next startup, which cancels the next startup configuration file.

    (ii) Execute the [undo startup backup-configuration] command to cancel the designation of the backup configuration file as the next startup configuration file.

Table 5.10 Common directory and file operations
Table 5.11 Management of storage devices
Table 5.12 Common operations involving the configuration file

5.3.3 Configuration of Basic Network

Basic network configuration covers a few simple service configurations, such as IP address configuration, VLAN creation and configuration, and static route configuration. Next, the specific configuration process is illustrated through cases.

  1. Configuration of IP address

    An IP address is a unique 32-bit address assigned to a host or an interface connected to the Internet, and it is the basis of network connectivity. To run IP services on an interface, an IP address must be configured for it. The IP address of an interface can be configured manually; when IP addresses are scarce or an address is used only occasionally, address borrowing can also be adopted.

    A layer 3 interface can be configured with an IP address directly. Network devices without layer 3 interfaces that need to run IP services must first create a VLAN virtual interface (VLANIF) and then configure the IP address on that interface. In addition, on the same device, the IP addresses of different interfaces cannot be configured in the same network segment.

    IP address configuration includes the following three steps.

    (a) Execute the [system-view] command to enter the system view.

    (b) Execute the [interface interface-type interface-number] command to enter the interface view.

    (c) Execute the [ip address ip-address { mask | mask-length }] command to configure the IP address of the interface.

    [Example 5.21]

    IP address configuration

    To configure the IP address of interface GE0/0/3 as “10.1.1.1/24”, the example is as follows.

        <Huawei>system-view
        [Huawei]interface GigabitEthernet0/0/3
        [Huawei-GigabitEthernet0/0/3]ip address 10.1.1.1 24

    When IP addresses are scarce or an IP address is only used occasionally, the interface can be configured to borrow other existing IP addresses to save IP address resources. It should be noted that this configuration of borrowing IP addresses must comply with the following restrictions.

    (a) Loopback interfaces and Ethernet interfaces can lend their IP addresses to other interfaces, but cannot borrow addresses from other interfaces.

    (b) The borrowed interface itself cannot use the borrowed IP address.

    (c) A borrowed IP address can be lent to multiple interfaces.

    (d) If the lending interface has multiple IP addresses, only its primary IP address can be lent.

    The command to configure the borrowing of IP address is [ip address unnumbered interface interface-type interface-number].

    [Example 5.22]

    Configuration of IP address borrowing

    For the tunnel interface, in order to save the IP address, the IP address of physical interface GE0/0/3 is borrowed here, and the operation steps are as follows.

    (a) Execute the command [display ip interface brief] to display the IP addresses of all layer 3 interfaces.

        [USG-GigabitEthernet0/0/3]display ip interface brief
        *down: administratively down
        (s): spoofing
        Interface                 IP Address      Physical   Protocol   Description
        GigabitEthernet0/0/3      10.2.1.1        up         up         USG
        LoopBack1                 unassigned      up         up(s)      USG
        Tunnel0                   unassigned      up         down       USG

    (b) Configure the tunnel interface Tunnel 0 to borrow the IP address of GE0/0/3.

        [USG]interface Tunnel 0
        [USG-Tunnel0]ip address unnumbered interface GigabitEthernet0/0/3

    (c) Display the borrowed interface IP address.

        [USG-Tunnel0]display ip interface brief
        *down: administratively down
        (s): spoofing
        Interface                 IP Address      Physical   Protocol   Description
        GigabitEthernet0/0/3      10.2.1.1        up         up         USG
        LoopBack1                 unassigned      up         up(s)      USG
        Tunnel0                   10.2.1.1        up         up         USG

  2. Establishment and configuration of VLAN

    The port-based approach is the simplest, most effective and most common way to divide VLAN. The following describes the basic configuration of VLAN in this way. Table 5.13 lists common VLAN-related commands.

Table 5.13 Common VLAN-related commands

[Example 5.23]

Basic configuration of VLAN

  (a) Network topology

    Figure 5.23 shows the topology for the basic VLAN configuration. Interface E0/0/24 of switch SW1 is connected to interface E0/0/24 of switch SW2. Complete the port-based VLAN configuration according to the networking topology shown in Fig. 5.23.

  (b) Networking requirements

    (i) The two downlink interfaces of SW1 are connected to VLAN 10 and VLAN 20 respectively.

    (ii) A downlink interface of SW2 accesses VLAN 20.

    PCs in VLAN 10 need to be able to access each other, but PCs in VLAN 10 cannot access those in VLAN 20.

  (c) Configuration ideas

    The VLAN should be configured using the following ideas.

    (i) Create VLANs and plan the VLAN each employee should join.

    (ii) Configure the port attributes and determine the device connection objects.

    (iii) Associate ports and VLANs.

  (d) Configuration steps

    (i) Configure SW1.

      • Create VLAN 10 and VLAN 20.

        [SW1]vlan batch 10 20

      • Configure the port attributes.

        [SW1]interface Ethernet0/0/1
        [SW1-Ethernet0/0/1]port link-type access
        [SW1-Ethernet0/0/1]port default vlan 10
        [SW1-Ethernet0/0/1]quit
        [SW1]interface Ethernet0/0/2
        [SW1-Ethernet0/0/2]port link-type access
        [SW1-Ethernet0/0/2]port default vlan 20
        [SW1-Ethernet0/0/2]quit
        [SW1]interface Ethernet0/0/24
        [SW1-Ethernet0/0/24]port link-type trunk
        [SW1-Ethernet0/0/24]port trunk allow-pass vlan 10 20

    (ii) Configure SW2.

    Refer to the configuration of SW1.

    After completing the above configuration on the device, configure the IP address for each PC, just ensure that all IP addresses are in the same network segment. At this time, PCs in VLAN 10 can communicate with each other, but PCs in VLAN 10 cannot communicate with those in VLAN 20.
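Whether two PCs can reach each other in a port-based VLAN design follows mechanically from the access VLAN of each port and the VLANs each trunk allows. The following Python script is an added example, not code from the book or from Huawei: it parses the interface blocks that the SW1 commands above leave in a switch configuration, derives each access port's VLAN and each trunk's allow-pass list, and answers whether two ports share a broadcast domain. The SW2 configuration and the trunk pairing are constructed here by mirroring SW1, as the "refer to the configuration of SW1" step suggests, and the handling of "to" ranges and "all" in the allow-pass list goes beyond the two-VLAN case in the example.

```python
"""Port-based VLAN reachability check over VRP switch configurations.

Added example, not code from the book or from Huawei. It parses the
interface blocks of a switch configuration dump (constructed from the
Example 5.23 commands), derives access VLANs and trunk allow-pass lists,
and decides whether two PCs share a broadcast domain.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Port:
    name: str
    link_type: str = "access"   # not yet configured as a trunk
    default_vlan: int = 1       # untagged VLAN of an access port (VLAN 1 until changed)
    allowed: Set[int] = field(default_factory=lambda: {1})  # trunk allow-pass list


def parse_vlan_list(spec: str) -> Set[int]:
    """Expand a VRP VLAN list: 'all', '10 20' or '10 to 20'."""
    if spec.strip() == "all":
        return set(range(1, 4095))
    vlans: Set[int] = set()
    tokens, i = spec.split(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_switch_config(text: str) -> Dict[str, Port]:
    """Collect the VLAN settings of every 'interface' block in a VRP dump."""
    ports: Dict[str, Port] = {}
    current: Optional[Port] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None              # '#' separates blocks in a VRP dump
            continue
        match = re.match(r"interface (\S+)$", line)
        if match and not raw.startswith(" "):
            current = ports.setdefault(match.group(1), Port(match.group(1)))
        elif current is None:
            continue
        elif line.startswith("port link-type "):
            current.link_type = line.split()[-1]
        elif line.startswith("port default vlan "):
            current.default_vlan = int(line.split()[-1])
        elif line.startswith("port trunk allow-pass vlan "):
            # allow-pass adds to the list; VLAN 1 stays allowed unless removed
            current.allowed |= parse_vlan_list(line[len("port trunk allow-pass vlan "):])
    return ports


def same_broadcast_domain(sw_a: Dict[str, Port], port_a: str,
                          sw_b: Dict[str, Port], port_b: str,
                          uplink: Tuple[str, str]) -> bool:
    """Can an untagged PC on sw_a/port_a reach one on sw_b/port_b?

    uplink names the two trunk ports (on sw_a, on sw_b) joining the switches;
    a frame only crosses the link if both trunks allow the VLAN.
    """
    a, b = sw_a[port_a], sw_b[port_b]
    if a.link_type != "access" or b.link_type != "access" or a.default_vlan != b.default_vlan:
        return False
    if sw_a is sw_b:
        return True
    ta, tb = sw_a[uplink[0]], sw_b[uplink[1]]
    return (ta.link_type == "trunk" and tb.link_type == "trunk"
            and a.default_vlan in ta.allowed and a.default_vlan in tb.allowed)


# Constructed dumps, as [display current-configuration] would show them after
# the Example 5.23 commands; SW2 mirrors SW1 with one access port in VLAN 20.
SW1_CONFIG = """\
#
vlan batch 10 20
#
interface Ethernet0/0/1
 port link-type access
 port default vlan 10
#
interface Ethernet0/0/2
 port link-type access
 port default vlan 20
#
interface Ethernet0/0/24
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
"""
SW2_CONFIG = """\
#
interface Ethernet0/0/1
 port link-type access
 port default vlan 20
#
interface Ethernet0/0/24
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
"""
UPLINK = ("Ethernet0/0/24", "Ethernet0/0/24")   # SW1 E0/0/24 <-> SW2 E0/0/24
```

With these inputs, SW1 E0/0/1 (VLAN 10) and SW1 E0/0/2 (VLAN 20) are isolated, while SW1 E0/0/2 and SW2 E0/0/1 (both VLAN 20) reach each other over the trunk; removing VLAN 20 from either trunk's allow-pass list breaks that path, which is the check worth running before a trunk change.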

  3. Static routing configuration

    Common commands related to static routing are shown in Table 5.14.

    [Example 5.24]

    Static routing configuration

    (a) Network topology

      Figure 5.24 shows the topology for the static routing configuration. The IP address and mask of each router interface and host are marked in the topology. In this example, static routes are to be configured so that any two nodes in the topology can communicate with each other.

    (b) Configuration ideas

      The configuration idea of this example is as follows.

      (i) Configure the IPv4 address of each interface of each router so that the networks can communicate with each other.

      (ii) Configure IPv4 static routes and default routes to the destination addresses on the routers.

      (iii) Configure the IPv4 default gateway on each host, so that any two hosts can communicate with each other.

    (c) Data preparation

      To complete this configuration case, it is necessary to combine the working principle of static routing explained in Chap. 4, and understand and prepare the following data.

      (i) The default route of R1, whose next hop is 1.1.4.2.

      (ii) The static route of R2 whose destination address is 1.1.1.0 and whose next hop is 1.1.4.1.

      (iii) The static route of R2 whose destination address is 1.1.3.0 and whose next hop is 1.1.4.6.

      (iv) The default route of R3, whose next hop is 1.1.4.5.

      (v) The default gateways of hosts PC1, PC2 and PC3 are 1.1.1.1, 1.1.2.1 and 1.1.3.1, respectively.

    (d) Configuration steps

      The specific reference configuration steps are as follows.

      (i) Configure the IP address of each interface (refer to the IP address configuration above).

      (ii) Configure the static routing.

        • Configure the default route for IPv4 on R1.

          [R1]ip route-static 0.0.0.0 0.0.0.0 1.1.4.2

        • Configure the two static routes for IPv4 on R2.

          [R2]ip route-static 1.1.1.0 255.255.255.0 1.1.4.1
          [R2]ip route-static 1.1.3.0 255.255.255.0 1.1.4.6

        • Configure the default route for IPv4 on R3.

          [R3]ip route-static 0.0.0.0 0.0.0.0 1.1.4.5

      (iii) Configure the hosts. Configure the default gateways of hosts PC1, PC2 and PC3 as 1.1.1.1, 1.1.2.1 and 1.1.3.1 respectively.

      After the configuration is completed, you can execute the command [display ip routing-table] to check the static routing configuration result.

    (e) Result verification

      After the configuration is completed, you can execute the command [display ip routing-table] to view the IP routing table and check that the configured static routes are correctly added to the routing table.

        [R1]display ip routing-table
        Route Flags: R - relay, D - download to fib
        ------------------------------------------------------------------------------
        Routing Tables: Public
                 Destinations : 8        Routes : 8

        Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
                0.0.0.0/0   Static  60   0          RD   1.1.4.2         Ethernet1/0/0
               1.1.1.0/24   Direct  0    0           D   1.1.1.1         Ethernet2/0/0
               1.1.1.1/32   Direct  0    0           D   127.0.0.1       InLoopBack0
               1.1.4.0/30   Direct  0    0           D   1.1.4.1         Ethernet1/0/0
               1.1.4.1/32   Direct  0    0           D   127.0.0.1       InLoopBack0
               1.1.4.2/32   Direct  0    0           D   1.1.4.2         Ethernet1/0/0
              127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
             127.0.0.1/32   Direct  0    0           D   127.0.0.1       InLoopBack0

      After confirming that the static route is configured correctly, use the [ping] command to verify connectivity.

        [R1]ping 1.1.3.1
        PING 1.1.3.1: 56  data bytes, press CTRL_C to break
        Reply from 1.1.3.1: bytes=56 Sequence=1 ttl=254 time=62 ms
        Reply from 1.1.3.1: bytes=56 Sequence=2 ttl=254 time=63 ms
        Reply from 1.1.3.1: bytes=56 Sequence=3 ttl=254 time=63 ms
        Reply from 1.1.3.1: bytes=56 Sequence=4 ttl=254 time=62 ms
        Reply from 1.1.3.1: bytes=56 Sequence=5 ttl=254 time=62 ms

        --- 1.1.3.1 ping statistics ---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 62/62/63 ms

      You can also use the [ping] command on the PC to verify the connectivity to the router, and the operation method is similar to that on the router.
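The routing table printed by [display ip routing-table] can also be verified programmatically, which scales better than reading it by eye on every router. The following Python script is an added example, not code from the book or from Huawei: it parses the R1 routing table shown above, performs the longest-prefix match a router applies to a destination (so it shows why the ping to 1.1.3.1 leaves through the default route via 1.1.4.2), and checks that each planned static route from the data preparation step is present with the expected next hop and that the next hop lies on a directly connected network. The sample output is copied from the R1 table in this example; the planned-route dictionary and the helper names are this script's own.

```python
"""Parse [display ip routing-table] output and verify the static routes in it.

Added example, not code from the book or from Huawei. It reads the routing
table printed in Example 5.24, does the longest-prefix match a router does
for a destination, and checks planned static routes against the table.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Route:
    network: ipaddress.IPv4Network
    proto: str
    preference: int
    cost: int
    flags: str
    next_hop: ipaddress.IPv4Address
    interface: str


def parse_routing_table(text: str) -> List[Route]:
    """Keep only the per-route rows: 7 columns whose first column is prefix/len."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 7 or "/" not in cols[0] or cols[0].startswith("Destination"):
            continue
        routes.append(Route(ipaddress.ip_network(cols[0], strict=False),
                            cols[1], int(cols[2]), int(cols[3]), cols[4],
                            ipaddress.ip_address(cols[5]), cols[6]))
    return routes


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match; ties broken by lower preference, then lower cost."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.preference, -r.cost))


def next_hop_is_connected(routes: List[Route], route: Route) -> bool:
    """A static route is usable only if its next hop sits on a Direct network."""
    return any(r.proto == "Direct" and r.network.prefixlen < 32 and route.next_hop in r.network
               for r in routes)


def verify_static_routes(routes: List[Route], planned: Dict[str, str]) -> List[str]:
    """planned maps 'prefix/len' -> next hop; returns the problems found (empty = OK)."""
    problems = []
    for prefix, nh in planned.items():
        net, hop = ipaddress.ip_network(prefix), ipaddress.ip_address(nh)
        match = [r for r in routes if r.network == net and r.proto == "Static"]
        if not match:
            problems.append(f"missing static route {prefix}")
        elif match[0].next_hop != hop:
            problems.append(f"{prefix}: next hop {match[0].next_hop}, expected {hop}")
        elif not next_hop_is_connected(routes, match[0]):
            problems.append(f"{prefix}: next hop {hop} is not on a connected network")
    return problems


# Sample output copied from the R1 routing table in Example 5.24.
R1_TABLE = """\
[R1]display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 8        Routes : 8

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
        0.0.0.0/0   Static  60   0          RD   1.1.4.2         Ethernet1/0/0
       1.1.1.0/24   Direct  0    0           D   1.1.1.1         Ethernet2/0/0
       1.1.1.1/32   Direct  0    0           D   127.0.0.1       InLoopBack0
       1.1.4.0/30   Direct  0    0           D   1.1.4.1         Ethernet1/0/0
       1.1.4.1/32   Direct  0    0           D   127.0.0.1       InLoopBack0
       1.1.4.2/32   Direct  0    0           D   1.1.4.2         Ethernet1/0/0
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
     127.0.0.1/32   Direct  0    0           D   127.0.0.1       InLoopBack0
"""

# Planned routes for R1 from the data preparation step (constructed dictionary).
R1_PLANNED = {"0.0.0.0/0": "1.1.4.2"}

if __name__ == "__main__":
    table = parse_routing_table(R1_TABLE)
    print("1.1.3.1 ->", lookup(table, "1.1.3.1"))
    print("problems:", verify_static_routes(table, R1_PLANNED))
```

The same `verify_static_routes` call with R2's planned routes (1.1.1.0/24 via 1.1.4.1 and 1.1.3.0/24 via 1.1.4.6) against R2's table completes the check for the whole topology; a next hop that is not on a connected network is the usual reason a route appears in the configuration but never reaches the routing table.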

Fig. 5.23 Topology of VLAN’s basic configuration

Table 5.14 Common commands related to static routing

Fig. 5.24 Topology of static routing configuration

5.3.4 Configuration Related to Remote Login

As mentioned in Sect. 5.2.1, network device supports multiple login management modes, including login through Console port, through Telnet, through STelnet, through Web, etc. Among them, login through Console port is the most basic configuration mode, and it is also the basis of several other login management modes. That is to say, other login management methods must be completed after the necessary configuration is completed on the basis of logging in through the Console port. This section mainly introduces the configuration of Telnet-based remote login and STelnet-based remote login.

  1. Configuration related to Telnet-based remote login

    According to the topology of Telnet login management shown in Fig. 5.12, normal communication between the terminal PC and the Telnet server must first be ensured, that is, the IP address of the Telnet server's maintenance port can be pinged from the terminal being configured. Then set the parameters used when a user logs in, including the authentication method and the level of the logged-in user.

    There are three authentication methods for logged-in users: none, password and AAA authentication. By default, the system uses no authentication, that is, after logging in to the server through Telnet, nothing needs to be entered. With password authentication, the user must enter the correct password to complete the login. With AAA authentication, the user must enter the correct username and password to complete the login.

    [Example 5.25]

    Configuration related to Telnet-based remote login

    Because STelnet remote login only supports AAA authentication, this example uses password authentication to explain the Telnet-related configuration, and AAA authentication is explained under STelnet remote login below. The logged-in user is at Level 0 by default, and the login password is “Huawei@123”. The detailed configuration process is given below.

    (a) Execute the [system-view] command to enter the system view.

        <Huawei>system-view

    (b) Execute the command [user-interface vty first-ui-number last-ui-number] to enter the VTY user interface view.

        [Huawei]user-interface vty 0 4

    (c) Execute the [protocol inbound telnet] command to configure the VTY user interface to support the Telnet protocol.

        [Huawei-ui-vty0-4]protocol inbound telnet

    (d) Execute the command [authentication-mode password] to set the authentication mode to password authentication.

        [Huawei-ui-vty0-4]authentication-mode password

    (e) Execute the command [set authentication password { cipher | simple } Huawei@123] to set the login password.

        [Huawei-ui-vty0-4]set authentication password cipher Huawei@123

    (f) Execute the command [user privilege level 0] to set the default level of the logged-in user.

        [Huawei-ui-vty0-4]user privilege level 0

  2. Configuration related to STelnet-based remote login

    To log in to the device through STelnet, it needs to be configured that the protocol supported by the user interface is SSH, so the authentication mode of VTY user interface must be set to AAA authentication; otherwise, the VTY user interface cannot be successfully configured to support SSH protocol when executing the [protocol inbound ssh] command.

    In addition, SSH users are used for STelnet login. On the basis of configuring AAA authentication as the authentication mode of the VTY user interface, it is also necessary to configure the authentication mode of the SSH users. SSH user authentication supports password authentication, RSA (Rivest-Shamir-Adleman) authentication, elliptic curve cryptography (ECC) authentication, password-RSA authentication, password-ECC authentication and ALL authentication.

    (a) Password authentication: an authentication method based on “user name + password”. Configure the corresponding password for each SSH user through AAA. When logging in through SSH, you can log in by entering the correct username and password.

    (b) RSA algorithm authentication: a verification method based on the client’s private key. RSA is a public key encryption system based on an asymmetric encryption algorithm. An RSA key consists of a public key and a private key. During configuration, the public key generated by the client needs to be copied to the server, and the server uses this public key to encrypt data. A device acting as an SSH client can store at most 20 keys.

    (c) ECC authentication: an elliptic curve algorithm which, compared with RSA, features a shorter key length, less computation, faster processing, smaller storage space and lower bandwidth requirements at the same security level.

    (d) Password-RSA authentication: the SSH server performs password authentication and RSA authentication on the logged-in user at the same time, and the authentication passes only when both succeed.

    (e) Password-ECC authentication: the SSH server performs password authentication and ECC authentication on the logged-in user at the same time, and the authentication passes only when both succeed.

    (f) ALL authentication: the SSH server performs RSA authentication, ECC authentication or password authentication on the logged-in user, and the authentication passes as long as any one of them succeeds.

    [Example 5.26]

    Configuration related to STelnet-based remote login

    Assume that the STelnet login user name is “Huawei”, the password is “Huawei@123”, the authentication method of SSH user is password authentication, and the default level of login user is Level 0, the detailed configuration process is given below.

    (a) Enter the AAA view and create a remote login user.

        [Huawei]aaa
        [Huawei-aaa]local-user Huawei password cipher Huawei@123
        [Huawei-aaa]local-user Huawei privilege level 0
        [Huawei-aaa]local-user Huawei service-type telnet ssh

    (b) Enter the user interface view, configure the authentication mode as AAA authentication, the user level as Level 0, and the SSH protocol to be supported.

        [Huawei]user-interface vty 0 4
        [Huawei-ui-vty0-4]authentication-mode aaa
        [Huawei-ui-vty0-4]user privilege level 0
        [Huawei-ui-vty0-4]protocol inbound ssh

    (c) Configure the SSH user authentication mode. Here, for simplicity, it is configured as password authentication; RSA authentication involves key creation, so interested readers can consult the product manual.

        [Huawei]ssh user Huawei authentication-type password

    (d) Configure the SSH server functions.

        [Huawei]stelnet server enable
        [Huawei]rsa local-key-pair create
        The key name will be: Host
        % RSA keys defined for Host already exist.
        Confirm to replace them? (y/n)[n]:y
        The range of public key size is (512 ~ 2048).
        NOTES: If the key modulus is greater than 512,
               It will take a few minutes.
        Input the bits in the modulus[default = 512]:
        Generating keys...
        .....................++++++++++++
        ................++++++++++++
        ....++++++++
        ..................................++++++++
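The difference between the Telnet configuration of Example 5.25 and the STelnet configuration of Example 5.26 is exactly what a configuration audit should look for: which protocols the VTY lines accept, whether login uses no authentication, a shared line password or AAA, and whether any password is stored in clear text. The following Python script is an added example, not code from the book or from Huawei: it walks the blocks of a configuration dump as [display current-configuration] prints them (one-space-indented commands under the command that opened the view, blocks separated by "#") and reports the weak settings this section discusses, plus an HTTP server left enabled, which the Web login discussion that follows recommends against. The two configurations are constructed from the commands of Examples 5.25 and 5.26 together with the clear-text admin user shown in Example 5.16; the severity labels are this script's own.

```python
"""Audit the remote-login settings in a VRP configuration dump.

Added example, not code from the book or from Huawei. Walks the blocks of a
configuration as [display current-configuration] prints them and reports
settings this section treats as weak. Sample dumps are constructed from
Examples 5.16, 5.25 and 5.26.
"""
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple


@dataclass
class Finding:
    severity: str     # 'high' or 'medium' (labels chosen for this script)
    location: str     # the block the setting was found in, or 'global'
    message: str


def iter_blocks(config_text: str) -> Iterator[Tuple[Optional[str], List[str]]]:
    """Yield (block header, child lines) for each '#'-separated block.

    VRP indents a view's commands by one space under the command that
    opened the view; indented lines under no header are yielded with None.
    """
    header: Optional[str] = None
    children: List[str] = []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "#" or not line.startswith(" "):
            if header is not None or children:
                yield header, children
            header = None if line.strip() in ("", "#") else line.strip()
            children = []
        else:
            children.append(line.strip())
    if header is not None or children:
        yield header, children


def audit_remote_login(config_text: str) -> List[Finding]:
    """Report the weak remote-login settings discussed in this section."""
    findings: List[Finding] = []
    for header, children in iter_blocks(config_text):
        where = header or "global"
        if header and header.startswith("user-interface vty"):
            auth = next((c.split()[1] for c in children
                         if c.startswith("authentication-mode ")), "none")
            inbound = next((c.split()[2:] for c in children
                            if c.startswith("protocol inbound ")), [])
            if auth == "none":       # VRP default: no login authentication at all
                findings.append(Finding("high", where, "no login authentication"))
            elif auth == "password":
                findings.append(Finding("medium", where,
                                        "shared line password; AAA gives per-user accounts"))
            if any(c.startswith("set authentication password simple") for c in children):
                findings.append(Finding("high", where, "line password stored in clear text"))
            if "telnet" in inbound or "all" in inbound:
                findings.append(Finding("high", where,
                                        "Telnet accepted: credentials cross the network in clear text"))
        elif header == "aaa":
            for c in children:
                parts = c.split()
                if parts[:1] == ["local-user"] and "password" in parts and "simple" in parts:
                    findings.append(Finding("high", where,
                                            f"user {parts[1]} password stored in clear text"))
        elif header == "http server enable":
            findings.append(Finding("medium", where, "HTTP enabled; use HTTPS only for Web login"))
    return findings


# Constructed dump after the Telnet configuration of Example 5.25, with the
# clear-text admin user from Example 5.16 and the HTTP server enabled.
TELNET_CONFIG = """\
#
 sysname Huawei
#
http server enable
#
aaa
 local-user admin password simple admin
 local-user admin service-type http
#
user-interface vty 0 4
 authentication-mode password
 set authentication password cipher Huawei@123
 user privilege level 0
 protocol inbound telnet
#
"""

# Constructed dump after the STelnet configuration of Example 5.26.
STELNET_CONFIG = """\
#
stelnet server enable
#
aaa
 local-user Huawei password cipher Huawei@123
 local-user Huawei privilege level 0
 local-user Huawei service-type telnet ssh
#
ssh user Huawei authentication-type password
#
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 0
 protocol inbound ssh
#
"""
```

Against the Telnet dump the audit returns four findings (Telnet accepted, shared line password, the admin user's clear-text password and the HTTP server); the STelnet dump returns none, which is the state to aim for before a device is put into service. A VTY block with no authentication-mode line at all is reported as "no login authentication", since that is the default described above.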

  3. Configuration related to Web login

    Generally, the device supports login via HTTP or HTTPS, but for security reasons, it is recommended to turn off HTTP and adopt HTTPS-based login.

    Generally, configuring the Web login management includes the following three steps.

    (a) Configure the maintenance interface.

    (b) Configure the user for Web login.

    (c) Open HTTPS and configure the protocol parameters.

    Next, the detailed processes of configuring Web login on AR router and USG6000V firewall are illustrated by cases.

    [Example 5.27]

    Configuration of Web login on AR router

    The topology of Web login on AR router is shown in Fig. 5.25.

    After logging in the device through the Console port, use CLI to complete the configuration related to Web login as follows.

    (a) Configure the maintenance interface IP address.

        <Huawei>system-view
        [Huawei]interface GigabitEthernet0/0/0
        [Huawei-GigabitEthernet0/0/0]ip add 120.20.20.20 24

    (b) Configure the Web login user, whose username is “Huawei” and password is “Huawei@123”.

        [Huawei]aaa
        [Huawei-aaa]local-user Huawei password cipher Huawei@123
        [Huawei-aaa]local-user Huawei service-type web

    (c) Turn on HTTPS and configure the relevant parameters. HTTPS on the AR router uses Port 443 by default.

        [Huawei]http server enable
        [Huawei]http secure-server port 8443

    After the above configuration is completed, open the browser on the PC and use the URL “https://120.20.20.20:8443” to log in to the router.

    [Example 5.28]

    Configuration of Web login on the USG6000V firewall

    The topology of Web login on the USG6000V firewall is shown in Fig. 5.26.

    After logging in the device through the Console port, use CLI to complete the configuration related to Web login as follows.

    (a) Configure the maintenance interface, and assign the interface to a security zone (such as the trust zone).

      <USG6000V>system-view
      [USG6000V]interface GigabitEthernet 0/0/0
      [USG6000V-GigabitEthernet0/0/0]ip add 120.20.20.20 24
      [USG6000V]firewall zone trust
      [USG6000V-zone-trust]add interface GigabitEthernet 0/0/0

    (b) Configure the Web login user, whose username is “Huawei” and password is “Huawei@123”.

      [USG6000V]aaa
      [USG6000V-aaa]local-user Huawei password cipher Huawei@123
      [USG6000V-aaa]local-user Huawei service-type web

    (c) Turn on HTTPS and configure the relevant parameters. HTTPS on the USG6000V Firewall uses port 8443 by default.

      <USG6000V>system-view
      [USG6000V]interface GigabitEthernet 0/0/0
      [USG6000V-GigabitEthernet0/0/0]service-manage https permit

    After the above configuration is completed, open the browser on the PC and use the URL “https://120.20.20.20:8443” to log in to the firewall.
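As an added example (not code from the book), the following Python audit reads the command sets of Examples 5.27 and 5.28, checks the three Web-login steps and flags the plaintext HTTP service that the text recommends leaving off. It assumes, from VRP documentation rather than from this page, that `http server enable` controls plaintext HTTP while `http secure-server ...` configures HTTPS; the two sample configurations are constructed from the page's commands with the prompts removed.

```python
import re
# Constructed sample: the AR router commands of Example 5.27, prompts removed.
AR_CONFIG = """
interface GigabitEthernet0/0/0
 ip add 120.20.20.20 24
aaa
 local-user Huawei password cipher Huawei@123
 local-user Huawei service-type web
http server enable
http secure-server port 8443
"""
# Constructed sample: the USG6000V commands of Example 5.28, prompts removed.
USG_CONFIG = """
interface GigabitEthernet 0/0/0
 ip add 120.20.20.20 24
 service-manage https permit
firewall zone trust
 add interface GigabitEthernet 0/0/0
aaa
 local-user Huawei password cipher Huawei@123
 local-user Huawei service-type web
"""
# Assumption (VRP docs, not this page): 'http server enable' is plaintext HTTP.
PATTERNS = {
    "mgmt_ip": r"^ip add(?:ress)? (\d+\.\d+\.\d+\.\d+) \S+$",
    "pw_user": r"^local-user (\S+) password (?:irreversible-)?cipher ",
    "web_user": r"^local-user (\S+) service-type\b.*\bweb\b",
    "zone": r"^firewall zone (\S+)$",
    "https_port": r"^http secure-server port (\d+)$",
    "plaintext_http": r"^http server enable$",
    "https_permit": r"^service-manage https permit$",
}

def audit_web_login(config, default_https_port):
    """Check the page's three Web-login steps; default port applies if none is set."""
    hits = {k: [] for k in PATTERNS}
    for ln in (l.strip() for l in config.splitlines() if l.strip()):
        for key, pat in PATTERNS.items():
            m = re.match(pat, ln)
            if m:
                hits[key].append(m.group(1) if m.groups() else True)
    last = lambda k: hits[k][-1] if hits[k] else None
    return {
        "mgmt_ip": last("mgmt_ip"),
        "zone": last("zone"),
        "https_port": int(last("https_port") or default_https_port),
        "plaintext_http": bool(hits["plaintext_http"]),  # page says: keep off
        "https_permit": bool(hits["https_permit"]),
        "web_user": bool(set(hits["pw_user"]) & set(hits["web_user"])),
    }
```

A web user counts only when the same local-user has both a cipher password and the web service-type; the AR sample is reported with plaintext HTTP enabled, which is the condition a reviewer of this configuration would want to see cleared.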

Fig. 5.25 Topology of Web login on AR router

Fig. 5.26 Topology of Web login on the USG6000V Firewall

5.4 Summary

Basic network operation is one of the important components of network operation and maintenance. This chapter takes Huawei’s network devices as examples to introduce the common basic operations of network devices. Section 5.1 first introduces VRP, the network operating system of Huawei’s data communication products, and then focuses on some skills for using the CLI; Section 5.2 introduces the common login management modes of network devices, including the CLI mode and the Web mode, where the CLI mode can be subdivided into Console port, Telnet and STelnet modes; Section 5.3 introduces how to perform some basic operations on devices through the CLI, including device environment configuration, operation and management of configuration files, basic network configuration, configuration related to remote login, etc.

Through the study in this chapter, readers should understand the network operating system, master the use of Huawei VRP and its CLI, get familiar with and master the login management modes of network devices, master some basic operations in network operation and maintenance, and be able to make necessary configuration for devices according to design requirements or usage habits.

5.5 Exercise

  1. VRP is the abbreviation of ().

    A. Versatile Routine Platform

    B. Virtual Routing Platform

    C. Virtual Routing Plane

    D. Versatile Routing Platform

  2. [Multi-choice] VRP supports Telnet users of ().

    A. Visiting class

    B. Monitoring level

    C. Configuration level

    D. Management level

  3. For Huawei routers, the user needs to input the command () to enter the system view from the user view.

    A. system-view

    B. enable

    C. configure terminal

    D. interface system

  4. [Multi-choice] When logging in to the router by Telnet, you can choose ().

    A. Password authentication

    B. AAA authentication

    C. MD5 authentication

    D. Non-authentication

  5. [Multi-choice] Compared with Telnet, SSH has the advantage of ().

    A. Encrypting all transmitted data to avoid man-in-the-middle attacks

    B. Preventing DNS and IP spoofing

    C. Accelerating the transmission because the transmitted data is compressed

    D. Being suitable for large-scale use based on UDP connection