S300, S500, S2700, S5700, and S6700 Series

Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

8 File Management

8.1 Overview of the File System

8.2 File Management Modes
8.3 Local File Management
8.4 File Management on Other Devices
8.5 Configuration Examples for File Management
8.6 Troubleshooting File Management
8.7 FAQ About File Management

8.1 Overview of the File System

File System
The file system manages files and directories on storage media. In the file system,
you can create, delete, modify, and rename files or directories, and view file
contents.

Storage Medium
The switch supports the flash memory.

Naming Rules for Files

The value is a string of case-insensitive characters without spaces. The file name
formats are as follows:
● File name
A file resides in the current working directory if the file name is in this format.
The length of the file name ranges from 1 to 64.
● Drive + Path + File name
This file name format uniquely identifies files in specified paths. The length of
the file name ranges from 1 to 64 and the total length of the path and file
name ranges from 1 to 160.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 241

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

In this format, drive indicates the storage medium and can be set to flash:.
drive of devices in a stack can be set to:
– flash: root directory of the flash memory of the master switch on a device
in a stack.
– stack ID#flash: root directory of the flash memory in a slot on a device in
a stack.
For example, slot2#flash: indicates the flash memory in slot 2.
In the file name, path indicates the directory and subdirectory. The directory
name is case-insensitive. Spaces and the following characters cannot be used
in the directory name: ~ * / \ : ' "
Paths are either absolute or relative. The relative path is related to the root
directory or the current working directory. A relative path starting with a slash
(/) is related to the root directory.
– flash:/my/test/ is an absolute path.
– /selftest/ is related to the root directory and indicates the selftest
directory in the root directory.
– selftest/ is related to the current working directory and indicates the
selftest directory in the current working directory.
For example, in the dir flash:/my/test/mytest.txt command, flash:/my/test/
is an absolute path.
Run the dir /my/test/mytest.txt command to find the mytest.txt file from a
directory related to the root directory.
Run the dir test/mytest.txt command to find the mytest.txt file from a
directory related to the current working directory (flash:/my/ for example).
NOTE

● In the file operation command format, filename indicates the file name.
● In the file operation command format, directory indicates the path (drive + path).

8.2 File Management Modes

The device can function as a server or client to manage files.

● When the device functions as a server, you can access the device from a
terminal to manage files on the device and transfer files between the device
and the terminal.
● When the device functions as a client, you can use the device to manage files
on other devices and transfer files between the device and other devices.

In Trivial File Transfer Protocol (TFTP) mode, the device can function only as a
client. In File Transfer Protocol (FTP), Secure File Transfer Protocol (SFTP), Secure
Copy Protocol (SCP), or File Transfer Protocol over SSL (FTPS) mode, the device
can function both as a server and a client.

Table 8-1 describes the advantages and disadvantages of different file

management modes. You can select one mode based on actual requirements.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 242

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Table 8-1 Advantages and disadvantages of file management modes

Mode Application Advantage Disadvantage
Scenario

In the scenario of
managing storage
media, directories,
and files, log in to You can log in to the Only files on the
the device through device directly to local device can be
Device
the console port, manage storage managed. File
login
Telnet, or STelnet. media, directories, transfer is not
This login mode is and files. supported.
mandatory for
storage medium
management.

● The FTP mode is

easy to configure
and supports file
The FTP mode is transfer and
applicable to the file operations on
transfer scenario directories.
In FTP mode, data is
with low network ● The FTP mode
transmitted in plain
FTP security supports file
text, causing security
requirements. The transfer between
risks.
FTP mode is widely two file systems.
used in version ● The authorization
upgrade. and
authentication
functions are
provided.

● In TFTP mode, the

device can
function only as a
client.
On the LAN of a lab, ● The TFTP mode
the TFTP mode can supports only file
be used to load or transfer, but does
upgrade versions Compared with FTP not support
online. The TFTP mode, TFTP mode interaction.
TFTP
mode is applicable to consumes less ● In TFTP mode,
the environment memory usage. data is
without complicated transmitted in
interactions between plain text, causing
a client and a server. security risks, and
no authorization
or authentication
function is
provided.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 243

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Mode Application Advantage Disadvantage

Scenario

● Data is encrypted
and protected.
● The SFTP mode
supports file
The SFTP mode is
transfer and
applicable to the
operations on
scenario with high
directories.
network security
● In SFTP mode, the Configurations are
SFTP requirements. The
SFTP and FTP complicated.
SFTP mode is widely
used in log functions are
download and file available on the
backup. device. (In FTPS
mode, FTPS and
FTP cannot be
configured
simultaneously.)

● Data is encrypted
The SCP mode is and protected.
applicable to the Configurations are
highly-efficient file ● In SCP mode, files complicated (similar
upload and are uploaded or to SFTP
SCP downloaded
download scenarios configurations), and
with high network when the client is interactions are not
security connected to the supported.
requirements. server, which is
efficient.

● Configurations
The FTPS mode uses are complicated,
the data encryption, and a set of
The FTPS mode is user identity certificates must
applicable to authentication, and be obtained from
scenarios with high message integrity Certificate
FTPS
network check mechanisms Authority (CA).
requirements and no to ensure the
FTP function. security of the TCP- ● To enable the
based application- FTPS function,
layer protocols. disable the FTP
function first.

Device login, FTP, and TFTP are easy to learn and configure. The following section
describes the remaining modes in more detail.

SFTP Mode
As a part of Secure Shell (SSH), SFTP allows remote users to securely log in to the
device and perform file management and transmission through the security
channel provided by SSH. Therefore, SFTP improves data transmission security. In

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 244

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

addition, the device can function as the SSH client to connect to the remote SSH
server for secure file transmission.
SSH security features:
● Encrypted transmission: When an SSH connection is set up, two devices
negotiate an encryption algorithm and a session key to ensure secure
communications between them.
● Public key-based authentication: The device supports the RSA, DSA, or ECC
authentication mode.
● Server authentication: The SSH protocol authenticates a server based on the
public key to defend against attacks from bogus servers.
● Interaction data check: The SSH protocol uses the CRC (for SSH1.5) or MD5-
based MAC algorithm (for SSH2.0) to check the data integrity and
authenticity. This mechanism protects the system from man-in-the-middle
attacks.
Establishment of an SSH connection:
1. Negotiate the SSH version.
The client and the server negotiate an SSH version by exchanging character
strings that specify the SSH version.
2. Negotiate the algorithm.
The server and the client negotiate the key exchange algorithm, encryption
algorithm, and MAC algorithm for subsequent communications.
3. Exchange keys.
Based on the key exchange algorithm, the server and the client obtain the
same session key and session ID after calculation.
4. Authenticate users.
The client sends an authentication request containing the user identity
information to the server. If the authentication succeeds or expires, the client
is disconnected from the server.
The public key-based and password-based authentication modes are
supported.
– In public key-based (RSA, DSA, or ECC) authentication mode, the client
must generate the RSA, DSA, or ECC key and send it to the server. When
a user initiates an authentication request, the client randomly generates
a text that is encrypted with the private key and sends it to the server.
The server decrypts the text by using the public key. If decryption
succeeds, the server considers this user trusted and grants this user access
rights. If decryption fails, the client is disconnected from the server.
– Password-based authentication is implemented by the Authentication,
Authorization and Accounting (AAA). Similar to Telnet and FTP, SSH
supports local database authentication and remote RADIUS server
authentication. The SSH server compares the user name and password of
an SSH client with the preset ones. Authentication succeeds if both
match.
5. Request a session.
After user authentication is complete, the client sends a session request to the
server. After receiving the request, the server processes it.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 245

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

6. Enter the interactive session.

After the session request is accepted, the SSH connection enters the
interactive session mode. In this mode, data is transmitted bidirectionally.

NOTE

Before an SSH connection is set up, the local key pair (RSA, DSA, or ECC key pair) must be
generated on the server. The key pair is used to generate the session key and session ID and
authenticate the server. This step is the key to SSH server configuration.

SCP Mode
Based on the SSH remote file copy function, SCP is used to copy, upload, and
download files. SCP commands are easy to use, improving network maintenance
efficiency.

FTPS Mode
FTPS combines FTP and Secure Sockets Layer (SSL). A client and server use SSL to
authenticate each other and encrypt data to be transmitted. SSL ensures secure
connections to FTP servers and greatly improves security of common FTP servers,
enabling files of the device to be managed securely.

Concepts to learn before configuring the FTPS mode:

● CA
CA is an entity that issues, manages, and abolishes digital certificates, and it
authenticates identities of digital certificate owners. Root CAs are widely
trusted in the world and authorize other lower-level CAs. CA identity
information is provided in the file of a trusted CA.
For example, CA1 is a root CA that issues a certificate to lower-level CA2, and
CA2 issues the certificate to lower-level CA3. The certificate used by the server
is issued by the lowest-level CA.
If the certificate of the server is issued by CA3, the certificate is authenticated
as follows: CA3 authenticates the certificate of the server. If the
authentication succeeds, CA2 authenticates the certificate of CA3. If the
authentication succeeds, the root CA authenticates the certificate of CA2.
Only when the root authentication succeeds, the certificate used by the server
is valid.
Figure 8-1 shows the certificate issuing process and certificate authentication
process.

Figure 8-1 Certificate issuing process and certificate authentication process

● Digital certificate

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 246

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

A digital certificate is an electronic document which uses a digital signature to

bind a public key with an identity. The digital certificate contains information
such as the name of a person or an organization and the address. The
certificate can be used to verify that a public key belongs to an individual.
Users must obtain the public key of the message sending party to decode
messages, and obtain the CA certificate of the message sending party to
authenticate its identity.
● CRL
The CA issues the Certificate Revocation List (CRL), containing a set of
certificates that the CA regards as invalid.
The CA can shorten the validity period of a certificate using a CRL. The
certificate validity period specified by the CRL is shorter than the original
certificate validity period. If the CA revokes a certificate in the CRL, the
declaration about authorized key pair is revoked before the certificate expires.
When the certificate expires, data related to the certificate is cleared from the
CRL to shorten the CRL.

Accessing a device functioning as the server or client:

● Access the device that functions as the FTP server on a terminal

Configure an SSL policy, load the digital certificate, and enable the FTPS
server function on the device that functions as the FTP server. Users can use
the FTP client that supports SSL to access the FTP server to manage files.
● Access the FTP server using the device that functions as an FTP client
Configure an SSL policy on the device that functions as the FTP client and
load the trusted CA certificate to check the owner's identity.

8.3 Local File Management

Context

NOTICE
Ensure that the power supply of the device is stable. Interruption of the power
supply during operations such as file downloading may cause file corruption or
damage to the file system. As a result, the storage medium on the device may be
damaged or the device cannot be properly started.

8.3.1 Logging In to the Device to Manage Files

Pre-configuration Tasks
Before logging in to the device to manage files, complete the following tasks:

● Ensure that routes are reachable between the terminal and the device.
● Ensure that a user has logged in to the device using a terminal.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 247

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Configuration Procedure
After a user logs in to the device on a terminal, the user can perform operations
on storage media, directories, and files.

Users can perform the following operations in any sequence.

Procedure
● Perform operations on directories.

Table 8-2 Performing operations on directories

Operation Command Description

Display the current

pwd -
directory.

Change the current

cd directory -
directory.

Display files and dir [ /all ] [ filename |

subdirectories in a directory | /all- -
specified directory. filesystems ]

Create a directory. mkdir directory -

● The directory to be
deleted must be
empty.
Delete a directory. rmdir directory ● A deleted directory
and its files cannot be
restored from the
recycle bin.

● Perform operations on files.

Table 8-3 Performing operations on files

Operation Command Description

Display the file more filename [ offset ]

-
content. [ all ]

● Before copying a file,

copy source-filename ● If the target file has
Copy a file.
destination-filename
ensure that the
storage space is
sufficient for the file.
the same name as an
existing file, the
system asks you
whether to overwrite
the existing file.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 248

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operation Command Description

copy { source-http-
urlname destination-
Download a file Only
filename | source-
from or upload a V200R013C00SPC500 or a
filename destination-
file to an HTTP later version supports this
http-urlname }
server. function.
[ username user-name
password password ]

copy { source-https-
urlname destination-
Download a file filename | source- Only
from or upload a filename destination- V200R013C00SPC500 or a
file to an HTTPS https-urlname } later version supports this
server. [ username user-name function.
password password ] ssl-
policy ssl-policy

If the target file has the

same name as an existing
move source-filename
Move a file. file, the system asks you
destination-filename
whether to overwrite the
existing file.

rename old-name new-

Rename a file. -
name
zip source-filename
Compress a file. -
destination-filename
unzip source-filename
Decompress a file. -
destination-filename
This command cannot
delete [ /unreserved ] delete a directory.
Delete a file. [ /quiet ] { filename | NOTICE
devicename } In this command, /
unreserved indicates that
the file cannot be restored.

Running the delete

command without the /
unreserved keyword
undelete { filename |
Restore a file. moves a file to the
devicename }
recycle bin. Run this
command to restore this
file.

Remove a file from the

Remove a file from reset recycle-bin
recycle bin to
the recycle bin. [ filename | devicename ]
permanently delete it.

Enter the system

system-view -
view.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 249

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operation Command Description

To perform multiple
operations at one time,
run the execute batch-
Execute batch files. execute batch-filename filename command in the
system view. The batch
files must be stored in the
storage medium first.

NOTE

If an error message similar to "Cannot xxx, because it may be locked or no lock

available." is displayed during the execution of a command on a file, wait for a certain
period and execute this command again. If this message is still displayed after you
execute the command multiple times, contact Huawei engineers.

● Perform operations on storage media.

When the file system on a storage medium fails, the terminal prompts the
user to rectify the fault.
When the file system fault cannot be rectified or the data on the storage
medium is unnecessary, you can format the storage medium.

NOTICE

When a storage medium is formatted, data on the storage medium is cleared

and cannot be restored. Therefore, exercise caution when formatting a storage
medium.

Table 8-4 Performing operations on storage media

Operation Command Description

If the system still reports

Repair a storage the fault after this
medium with a fixdisk drive command is executed, the
faulty file system. storage medium is
damaged.

If the storage medium is

Format a storage still unavailable after it is
format drive
medium. formatted, a physical
exception occurs.

● Configure the notification mode of the file system.

When a user performs operations that may cause data loss or damage on a
device, the system generates notifications or alarms. Users can configure the
notification mode of the file system.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 250

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Table 8-5 Configuring the notification mode of the file system

Operation Command Description

Enter the system

system-view -
view.

The default notification

mode is alert.
NOTICE
If the notification mode is set
Configure the
file prompt { alert | to quiet, the system does not
notification mode provide notifications when
quiet }
of the file system. data is lost caused by user
misoperations such as
deleting files. Therefore, this
notification mode must be
used with caution.

----End

8.3.2 Managing Files When the Device Functions as an FTP

Server

Pre-configuration Tasks
Before connecting to the FTP server to manage files, complete the following tasks:

● Ensure that routes are reachable between the terminal and the device.
● Ensure that the terminal functions as the FTP client.

Configuration Procedure

NOTICE

The FTP protocol brings security risks. Therefore, the SFTPv2, SCP, or FTPS mode is
recommended.

Table 8-6 describes the procedure for managing files when the device functions as
an FTP server.

Table 8-6 Managing files when the device functions as an FTP server

No. Task Description Remarks

Configure FTP server

parameters including Perform these three
Set FTP server
1 the port number, steps in any
parameters
source address, and sequence.
timeout duration.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 251

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

No. Task Description Remarks

Configure local FTP

user information
Configure local FTP including the service
2
user information type, user privilege
level, and authorized
directory.

Configure the ACL

(Optional) Configure rule and FTP basic
3
the FTP ACL ACL to improve FTP
access security.

Connect to the
Connect to the device
4 device using FTP on -
using FTP
the terminal.

Default Parameter Settings

Table 8-7 Default parameter settings

Parameter Default Setting

FTP server function Disabled

Listening port number 21

FTP user No local user is created.

Procedure
● Set FTP server parameters.

Table 8-8 Setting FTP server parameters

Operation Command Description

Enter the system

system-view -
view.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 252

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operation Command Description

The default port number is

21.
If a new port number is
configured, the FTP server
(Optional) disconnects all FTP clients
Specify a port ftp [ ipv6 ] server port and uses this new port
number for the port-number number to listen for
FTP server. connection requests.
Attackers do not know the
port number and cannot
access the listening port of
the FTP server.

Specifies a source ● ftp server-source { -a By default, no source

address for the source-ip-address | -i
FTP server. interface-type
interface-number }
● ftp ipv6 server-
source -a
ipv6_address [ -vpn-
instance vpn_name ]
address is specified for an
FTP server.
After the source address is
specified for the FTP server,
you must use the specified
IP address to log in to the
FTP server. Otherwise, the
login fails.

Enable the FTP ftp [ ipv6 ] server By default, the FTP server
server function. enable function is disabled.

By default, the idle timeout

duration is 10 minutes.
(Optional) If no operation is performed
Configure the ftp [ ipv6 ] timeout on the FTP server during the
timeout duration minutes timeout duration, the FTP
of the FTP server. client automatically
disconnects from the FTP
server.

(Optional) Set ftp [ ipv6 ] server max- By default, the maximum

the maximum sessions max-sessions- number of sessions
number of number supported by the FTP server
sessions is 5.
supported by the
FTP server.

NOTE

● If the FTP service is enabled, the port number of the FTP service cannot be
changed. To change the port number, run the undo ftp [ ipv6 ] server command
to disable the FTP service first.
● After operations on files are complete, run the undo ftp [ ipv6 ] server to disable
the FTP server function to ensure the device security.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 253

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

● Configure local FTP user information.

Before performing operations on files using FTP, configure the local user name
and password, service type, and authorized directory on the FTP server.

Table 8-9 Configuring local FTP user information

Operation Command Description

Enter the system

system-view -
view.

Enter the AAA

aaa -
view.

Configure the local-user user-name

local user name password irreversible- -
and password. cipher password
NOTE
Configure the The user privilege level must
local-user user-name
local user be set to 3 or higher to
privilege level level ensure successful connection
privilege level.
establishment.

Configure the
local-user user-name By default, a local user can
service type for
service-type ftp use any access type.
local users.

By default, the FTP

directory of a local user is
empty.
When multiple FTP users
use the same authorized
directory, you can use the
set default ftp-directory
Configure an directory command to
local-user user-name ftp-
authorized configure a default
directory directory
directory. directory for these FTP
users. In this case, you do
not need run the local-
user user-name ftp-
directory directory
command to configure an
authorized directory for
each user.

Configure the local-user user-name ftp- By default, FTP permissions

FTP permission privilege of a local user are read,
for the local [ directoryfilename ] write, and execute
user. { read | write | execute }* permissions.

● (Optional) Configure an ACL for the FTP server.

An ACL is a list of rules that classify and filter packets according to their
source address, destination address, port number, and other values. ACL rules

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 254

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

are used to classify packets. After these rules are applied to routing devices,
the routing devices determine the packets to be received and rejected.
Users can configure a basic ACL to allow only specified clients to connect to
the FTP server.
The ACL rules are as follows:
– When permit is used in the ACL rule, devices that match the ACL rule can
establish FTP connections with the local device.
– When deny is used in the ACL rule, devices that match the ACL rule
cannot establish FTP connections with the local device.
– When the ACL rule is configured but packets from devices do not match
the rule, other devices cannot establish FTP connections with the local
device.
– When the ACL contains no rule, any device can establish FTP connections
with the local device.

Table 8-10 (Optional) Configuring an ACL for the FTP server

Operation Command Description

Enter the system

system-view -
view.

Enter the ACL

acl [ number ] acl-number -
view.

rule [ rule-id ] { deny |

permit } [ source { source-
address source-wildcard |
Configure the ACL any } | fragment | logging
-
rule. | time-range time-name |
{ vpn-instance vpn-
instance-name | public } ]
*

Return to the
quit -
system view.

Configure a basic
ACL for the FTP ftp [ ipv6 ] acl acl-number -
server.

● Connect to the device using FTP.

Users can use the Windows CLI or third-party software to connect to the
device from a terminal using FTP. The following describes how to connect to
the device using commands in the Windows CLI:
– Run the ftp ip-address command to connect to the device using FTP.
In the preceding command, ip-address indicates the IP address configured
on the device. Routes between the terminal and the device are reachable.
– Enter the user name and password as prompted and press Enter. If
command prompt ftp> is displayed in the FTP client view, the user

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 255

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

accesses the working directory on the FTP server. (The following

information is only for reference.)
C:\Documents and Settings\Administrator> ftp 192.168.150.208
Connected to 192.168.150.208.
220 FTP service ready.
User (192.168.150.208:(none)):huawei
331 Password required for huawei.
Password:
Password:230 User logged in.
ftp

● Run FTP commands to perform file-related operations.

After connecting to the FTP server, users can run FTP commands to perform
file-related operations including performing operations on directories and
files, configuring the file transfer mode, and viewing the online help about
FTP commands.

NOTE

User rights are configured on the FTP server.

The file system limits the number of files in the root directory to 50. Creation of files
in excess of this limit in the root directory may fail.

Users can perform the following operations in any sequence.

Table 8-11 Running FTP commands to perform file-related operations

Operation Command Description

Change the
working
cd remote-directory -
directory on the
server.

Change the -
current working
cdup
directory to its
parent directory.

Display the -
working
pwd
directory on the
server.

The lcd command displays the

Display or
local working directory on the
change the local
lcd [ local-directory ] client, and the pwd command
working
displays the working directory
directory.
on the remote server.

The directory name can

Create a consist of letters and digits.
directory on the mkdir remote-directory The following special
server. characters are not supported:
<>?\:

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 256

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operation Command Description

Delete a
directory from rmdir remote-directory -
the server.

● The ls command displays

only the directory or file
name, whereas the dir
Display command displays detailed
information directory or file
dir/ls [ remote- information such as name,
about the
filename [ local- size, and creation date.
specified
filename ] ]
directory or file ● If no directory is specified
on the server. in the command, the
system searches for the file
in the user's authorized
directories.

Delete a file
delete remote-filename -
from the server.

put local-filename ● To upload a file, run the

Upload one or [ remote-filename ] put command.
more files. Or ● To upload multiple files,
mput local-filenames run the mput command.

get remote-filename ● To download a file, run the

Download one [ local-filename ] get command.
or more files. Or ● To download multiple files,
mget remote-filenames run the mget command.

Select either of them.

● The default file transfer
mode is ASCII.
Set the file ascii ● The ASCII mode is used to
transfer mode to Or transfer text files, and the
ASCII or Binary. binary binary mode is used to
transfer programs, system
software, and database
files.

Set the data Select either of them.

passive
transmission
Or The default data transmission
mode to passive
undo passive mode is active.
or active.

View the online

remotehelp
help about FTP -
[ command ]
commands.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 257

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operation Command Description

Enable the
By default, the prompt
system prompt prompt
function is disabled.
function.

After the verbose function is

Enable the enabled, all FTP response
verbose
verbose function. messages are displayed on the
FTP client.

● (Optional) Change the login user.

The current user can switch to another user in the FTP client view. The new
FTP connection is the same as that established by running the ftp command.

Operation Command Description

When the login user is

Change the current switched to another
user user-name
user in the FTP client user, the original user is
[ password ]
view. disconnected from the
FTP server.

● Disconnect the FTP client from the FTP server.

Users can run different commands in the FTP client view to disconnect the
FTP client from the FTP server.

Operation Command Description

Disconnect the FTP

client from the FTP
bye or quit
server and return to
the user view.
Select one of them.
Disconnect the FTP
client from the FTP
close or disconnect
server and return to
the FTP client view.

----End

Verifying the Configuration

● Run the display [ ipv6 ] ftp-server command to check the FTP server
configuration and status.
● Run the display ftp-users command to check information about the FTP
users who log in to the FTP server.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 258

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

8.3.3 Managing Files When the Device Functions as an SFTP

Server

Pre-configuration Tasks
Before connecting to the SFTP server to manage files, complete the following
tasks:

● Ensure that routes are reachable between the terminal and the device.
● Ensure that the SSH client software has been installed on the terminal.

Configuration Procedure

NOTICE

You are advised to use SFTPv2 or FTPS because they provide increased security
over SFTPv1.

Table 8-12 describes the procedure for managing files when the device functions
as an SFTP server.

Table 8-12 Managing files when the device functions as an SFTP server

No. Task Description Remarks

1 Generate a local key pair,

enable the SFTP server,
and configure SFTP
server parameters,
including the listening
Set SFTP server port number, source
parameters address, key pair
updating time, SSH
authentication timeout
duration, and number of
SSH authentication Tasks 1, 2, and 3
retries. can be performed
in any sequence.
2 Configure the user
Configure the VTY
authentication mode,
user interface for SSH
SSH, and other basic
users to log in to the
attributes on the VTY
device
user interface.

3 Create an SSH user and

set the service type,
Configure SSH user
authorized directory, and
information
authentication mode on
the SFTP server.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 259

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

No. Task Description Remarks

4 Connect to the device -

Connect to the device
using the SSH client
using SFTP
software on the terminal.

Default Parameter Settings

Table 8-13 Default parameter settings

Parameter Default Setting

SFTP server function Disabled

Listening port number 22

Time for updating the key pair of the 0, indicating the key pair of the server
server is never updated

SSH authentication timeout duration 60 seconds

Number of SSH authentication retries 3

SSH user No SSH user is created.

Type of service for SSH users No service type is supported.

Authorized directory for SSH users flash:

Procedure
● Set SFTP server parameters.

Table 8-14 Setting SFTP server parameters

Operation Command Description

Enter the system

system-view -
view.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 260

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operation Command Description

Perform one of the

operations based on the key
type.
After the key pair is
generated, run the display
rsa local-key-pair rsa local-key-pair public,
create, dsa local- display dsa local-key-pair
Generate a local public, or display ecc local-
key-pair create, or
key pair. key-pair public command to
ecc local-key-pair
create. check the public key in the
local key pair.
NOTE
For increased security, you are
advised to use the longest
possible length for the key
pairs.

Configure the ● ssh server-source By default, the source

source address of -i interface-type address of an SSH server is
the SSH server. interface-number not specified.
● ssh ipv6 server-
source -a
ipv6_address [ -
vpn-instance
vpn_name ]
Enable the SFTP sftp [ ipv4 | ipv6 ] By default, the SFTP server
server function. server enable function is disabled.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 261

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operation Command Description

By default, an SSH server

supports all key exchange
algorithms.
The system software does
not support the
dh_group_exchange_sha1,
dh_group14_sha1, and
dh_group1_sha1 parameters.
To use the
ssh server key- dh_group_exchange_sha1,
exchange dh_group14_sha1, or
{ dh_group14_sha25 dh_group1_sha1 parameter,
(Optional)
6| you need to install the
Configure a key
dh_group15_sha512 WEAKEA plug-in. For higher
exchange algorithm
| security purposes, you are
list for the SSH
dh_group16_sha512 advised to use other
server.
| parameters.
dh_group_exchange_ You can search for Plug-in
sha256 }* Usage Guide at the Huawei
technical support website
(Enterprise Network or
Carrier), and choose the
desired plug-in usage guide
based on the switch model
and software version. If you
do not have permission to
access the website, contact
technical support personnel.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 262

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operation Command Description

By default, an SSH server

supports all encryption
algorithms.
The system software does
not support the aes256_cbc,
aes128_cbc, 3des_cbc, and
des_cbc parameters. To use
these parameters, you need
to install the WEAKEA plug-
in. For higher security
(Optional)
purposes, you are advised to
Configure an ssh server cipher
specify the aes256_ctr or
encryption { aes128_ctr |
aes128_ctr parameter.
algorithm list for aes256_ctr } *
the SSH server. You can search for Plug-in
Usage Guide at the Huawei
technical support website
(Enterprise Network or
Carrier), and choose the
desired plug-in usage guide
based on the switch model
and software version. If you
do not have permission to
access the website, contact
technical support personnel.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 263

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operation Command Description

By default, the WEAKEA

plug-in is not installed, an
SSH server supports only the
sha2_256 algorithm, and the
undo ssh server hmac
command is unavailable.
When the WEAKEA plug-in is
installed, an SSH server also
supports the sha2_256_96,
sha1, sha1_96, md5 and
md5_96 algorithms, and the
undo ssh server hmac
command is available.
The system software does
not support the
sha2_256_96, sha1, sha1_96,
(Optional) md5, and md5_96
Configure an HMAC ssh server hmac parameters. To use the
algorithm list for sha2_256 sha2_256_96, sha1, sha1_96,
the SSH server. md5, or md5_96 parameter,
you need to install the
WEAKEA plug-in. For higher
security purposes, you are
advised to specify the
sha2_256 parameter.
You can search for Plug-in
Usage Guide at the Huawei
technical support website
(Enterprise Network or
Carrier), and choose the
desired plug-in usage guide
based on the switch model
and software version. If you
do not have permission to
access the website, contact
technical support personnel.

(Optional)
Configure the
minimum key
length supported
ssh server dh- By default, the minimum key
during Diffie-
exchange min-len length supported is 1024
hellman-group-
min-len bytes.
exchange key
exchange between
the SSH server and
client.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 264

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operation Command Description

(Optional) Specify
By default, DSA, ECC, RSA
the public key ssh server publickey
public key algorithms are
algorithm of the { dsa | ecc | rsa } *
enabled.
SSH server.

By default, the listening port

number is 22.
If a new port number is
configured, the SSH server
(Optional) disconnects all SSH clients
ssh [ ipv4 | ipv6 ]
Configure the and uses the new port
server port port-
listening port number to listen for
number
number. connection requests.
Attackers do not know the
port number and cannot
access the listening port of
the SSH server.

By default, the interval for

updating the key pair is 0,
which indicates that the key
pair is never updated.
After the interval is
(Optional) configured, the system
Configure the automatically updates the
ssh server rekey-
interval for key pair at the specified
interval hours
updating the key interval, which ensures
pair of the server. security.
This command takes effect
only for SSH1.X. However,
SSH1.X provides weak
security and is not
recommended.

(Optional) ssh server rekey By default, the key re-

Configure the SSH time rekey-time negotiation interval is 60
server key re- minutes.
negotiation trigger
interval.

(Optional)
By default, the SSH
Configure the SSH ssh server timeout
authentication timeout
authentication seconds
duration is 60 seconds.
timeout duration.

(Optional)
Configure the ssh server By default, the number of
number of SSH authentication- SSH authentication retries is
authentication retries times 3.
retries.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 265

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operation Command Description

By default, the server's

compatibility with earlier
versions is disabled.
(Optional) Enable ssh server
compatibility with compatible-ssh1x When an SSH server is
earlier versions. enable upgraded, the server's
compatibility with earlier
versions is the same as that
in the configuration file.

By default, no ACL is
configured for the SSH
server.
(Optional) ssh [ ipv6 ] server
Configure an ACL. acl acl-number An ACL is configured to
determine which clients can
log in to the current device
through SSH.

– When the local RSA key pair is generated, two key pairs (a server key pair
and a host key pair) are generated at the same time. Each key pair
contains a public key and a private key. The length of the two key pairs is
2048 bits.
– When the local DSA key pair is generated, only the host key pair is
generated. The length of the host key pair can be 1024 or 2048 bits. The
default length is 2048 bits.
– When the local ECC key pair is generated, only the host key pair is
generated. The length of the host key pair can be 256, 384, or 521 bits.
The default length is 521 bits.
● Configure the VTY user interface for SSH users to log in to the device.
SSH users use the VTY user interface to log in to the device using SFTP.
Attributes of the VTY user interface must be configured.

Table 8-15 Configuring the VTY user interface for SSH users to log in to the
device
Operation Command Description

Enter the system

system-view -
view.

user-interface vty
Enter the VTY user
first-ui-number [ last- -
interface view.
ui-number ]

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 266

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operation Command Description

By default, no authentication
mode is configured for the
VTY user interface.
Set the
authentication The authentication mode of
authentication-mode the VTY user interface must
mode of the VTY
aaa be set to AAA. Otherwise,
user interface to
AAA. you cannot configure the
protocol inbound ssh
command and users cannot
log in to the device.

By default, the VTY user

Configure a VTY interface supports SSH.
user interface that protocol inbound ssh If no VTY user interface
supports SSH. supports SSH, users cannot
log in to the device.

The user privilege level must

be set to 3 or higher to allow
connections to be
established.
Configure the user user privilege level If a local user uses password
privilege level. level authentication, you can run
the local-user user-name
privilege level level
command to set the level of
the user to 3 or higher.

Other attributes of the VTY

user interface are as follows:
● Maximum number of VTY
user interfaces
(Optional) ● Restrictions on incoming
Configure other calls and outgoing calls on
-
attributes of the the VTY user interface
VTY user interface. ● Terminal attributes on the
VTY user interface
For details, see 6.6
Configuring STelnet Login–
Other commands.

● Configure SSH user information.

Configure SSH user information including the authentication mode. The
supported authentication modes are RSA, password, password-rsa, DSA,
password-dsa, ECC, password-ecc, and all.
– The password-rsa authentication mode consists of the password and RSA
authentication modes.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 267

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

– The password-dsa authentication mode consists of the password and DSA

authentication modes.
– The password-ecc authentication mode consists of the password and ECC
authentication modes.
– The all authentication mode indicates that SSH users can be
authenticated by ECC, DSA, password, or RSA.

Table 8-16 Configuring SSH user information

Operation Command Description

Enter the system

system-view -
view.

Create SSH users. ssh user user-name -

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 268

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operation Command Description

If SSH users are not

created using the ssh user
command, directly run the
ssh authentication-type
default password
command to configure the
default password
authentication mode for
users. This makes
configuration simpler
when a large number of
users exist, because you
need to configure only
AAA users.
NOTE
In all authentication mode,
ssh user user-name the user priority depends on
Configure the authentication-type the authentication mode
authentication { password | rsa | selected.
mode for SSH password-rsa | dsa | ● If password
users. password-dsa | ecc | authentication is
password-ecc | all } selected, the user priority
is the same as that
specified on the AAA
module.
● If RSA/DSA/ECC
authentication is
selected, the user priority
depends on the priority
of the VTY window used
during user access.
If all authentication is
selected and an AAA user
with the same name as the
SSH user exists, user
priorities may be different in
password authentication and
RSA/DSA/ECC authentication
modes. Set relevant
parameters as needed.

Set the service By default, the service

ssh user username
type to SFTP or all type of SSH users is
service-type { sftp | all }
for SSH users. empty.

Configure the
The default SFTP service
authorized ssh user username sftp-
authorized directory is
directory for SSH directory directoryname
flash: for an SSH user.
users.

– The password authentication mode is implemented based on AAA. To log

in to the device in the password-ecc, password-dsa, password, or

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 269

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

password-rsa authentication mode, create a local user with the same user
name in the AAA view.
– If the SSH user uses the password authentication mode, only the SSH
server needs to generate the RSA, DSA, or ECC key. If the SSH user uses
the RSA, DSA, or ECC authentication mode, both the SSH server and
client need to generate the RSA, DSA, or ECC key and configure the
public key of the peer end locally.
Perform any of the following configurations according to authentication
mode:
– To configure password authentication for the SSH user, see Table 8-17.
– To configure RSA, DSA, or ECC authentication for the SSH user, see Table
8-18.
– To configure password-rsa, password-dsa, or password-ecc authentication
for the SSH user, configure an AAA user and set the RSA, DSA, or ECC
public key. For details, see Table 8-17 and Table 8-18.

Table 8-17 Configuring password, password-ecc, password-dsa, or password-

rsa authentication for the SSH user
Operation Command Description

Enter the system view. system-view -

Enter the AAA view. aaa -

local-user user-name
Configure the local user
password irreversible- -
name and password.
cipher password

Configure the service local-user user-name

-
type for the local user. service-type ssh

Configure the level for local-user user-name

-
the local user. privilege level level

Return to the system

quit -
view.

Table 8-18 Configuring DSA, RSA, ECC, password-dsa, password-rsa, or

password-ecc authentication for the SSH user
Operation Command Description

Enter the system view. system-view -

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 270

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operation Command Description

rsa peer-public-key
key-name [ encoding-
type { der | openssh |
pem } ]
,
dsa peer-public-key
Display the RSA, DSA, key-name encoding-
-
or ECC public key view. type { der | openssh |
pem }
, or
ecc peer-public-key
key-name encoding-
type { der | openssh |
pem }

Display the public key

public-key-code begin -
editing view.

● The public key must

be a hexadecimal
character string in
the public key
encoding format,
and generated by
the client software
that supports SSH.
For detailed
Edit the public key. hex-data operations, see the
documentation of
the SSH client
software.
● You must enter the
RSA, DSA, ECC
public key on the
device that works as
the SSH server.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 271

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operation Command Description

● If no public key code

hex-data is entered,
the public key
cannot be generated
after you run this
command.
● If the specified key
Exit the public key key-name has been
public-key-code end deleted in another
editing view.
view, the system
displays a message
indicating that the
key does not exist
and then returns to
the system view
directly when you
run this command.

Return to the system

view from the public peer-public-key end -
key view.

ssh user user-name

Assign an RSA, DSA, or
assign { rsa-key | dsa-
ECC public key to an -
key | ecc-key } key-
SSH user.
name

● Connect to the device using SFTP.

The SSH client software supporting SFTP must be installed on the terminal to
ensure that the terminal can connect to the device using SFTP. The following
describes how to connect to the device using OpenSSH and the Windows CLI.
– For details about how to install OpenSSH, see the OpenSSH installation
description.
– To use OpenSSH to connect to the device using SFTP, run the relevant
OpenSSH commands. For details about OpenSSH commands, see
OpenSSH help.
– Windows command prompt can identify commands supported by
OpenSSH only when OpenSSH is installed on the terminal.
Access the Windows CLI and run the commands supported by OpenSSH to
connect to the device using SFTP.
The command prompt sftp> indicates that you have accessed the working
directory on the SFTP server. (The following information is for reference.)
C:\Documents and Settings\Administrator> sftp [email protected]
Connecting to 10.136.23.5...
The authenticity of host '10.136.23.5 (10.136.23.5)' can't be established.
DSA key fingerprint is 46:b2:8a:52:88:42:41:d4:af:8f:4a:41:d9:b8:4f:ee.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.136.23.5' (DSA) to the list of known hosts.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 272

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

User Authentication
Password:
sftp>

● Perform file operations using SFTP.

In the SFTP client view, you can perform one or more file-related operations
listed in Table 8-19.

You can perform the following operations in any sequence and select one or
more operation items as required.

NOTE

In the SFTP client view, the system does not support predictive command input.
Therefore, you must enter commands in their full syntax.
The file system limits the number of files in the root directory to 50. Creation of files
in excess of this limit in the root directory may fail.

Table 8-19 Running SFTP commands to perform file-related operations

Operation Command Description

Change the user's

current working cd [ remote-directory ] -
directory.

Change the current

working directory to cdup -
its parent directory.

Display the user's

current working pwd -
directory.

Display the file list

dir/ls [ -l | -a ] [ remote- Outputs of the dir and ls
in a specified
directory ] commands are the same.
directory.

A maximum of 10
directories can be
deleted at one time.
Before running the rmdir
Delete directories rmdir remote-directory command to delete
from the server. &<1-10> directories, ensure that
the directories do not
contain any files.
Otherwise, the deletion
fails.

Create a directory
mkdir remote-directory -
on the server.

Change the name of

rename old-name new-
a specified file on -
name
the server.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 273

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operation Command Description

Download a file
get remote-filename
from the remote -
[ local-filename ]
server.

Upload a local file

put local-filename
to the remote -
[ remote-filename ]
server.

A maximum of 10 files
Delete files from the remove remote-filename
can be deleted at one
server. &<1-10>
time.

View the help about help [ all | command-

-
SFTP commands. name ]

You can also use the following commands to download files from the SFTP
server or upload files.
– IPv4 address: sftp client-transfile { get | put } [ -a source-address | -i
interface-type interface-number ] host-ip host-ipv4 [ port ] [ [ public-
net | -vpn-instance vpn-instance-name ]| prefer_kex prefer_key-
exchange | identity-key { rsa | dsa | ecc } | prefer_ctos_cipher
prefer_ctos_cipher | prefer_stoc_cipher prefer_stoc_cipher |
prefer_ctos_hmac prefer_ctos_hmac | prefer_stoc_hmac
prefer_stoc_hmac | -ki aliveinterval | -kc alivecountmax ] * username
user-name password password sourcefile source-file [ destination
destination ]
– IPv6 address: sftp client-transfile { get | put } ipv6 [ -a source-address ]
host-ip host-ipv6 [ -oi interface-type interface-number ] [ port ] [ -vpn-
instance vpn-instance-name | prefer_kex prefer_key-exchange | identity-
key { rsa | dsa | ecc } | prefer_ctos_cipher prefer_ctos_cipher |
prefer_stoc_cipher prefer_stoc_cipher | prefer_ctos_hmac
prefer_ctos_hmac | prefer_stoc_hmac prefer_stoc_hmac | -ki aliveinterval
| -kc alivecountmax ] * username user-name password password
sourcefile source-file [ destination destination ]
● Disconnect the SFTP client from the SSH server.

Operation Command Description

Disconnect the SFTP

client from the SSH quit -
server.

----End

Verifying the Configuration

● Run the display ssh user-information [ username ] command to view SSH
user information on the SSH server.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 274

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

● Run the display ssh server status command to view global configuration of
the SSH server.
● Run the display ssh server session command to view session information of
the SSH client on the SSH server.

8.3.4 Managing Files When the Device Functions as an SCP

Server

Pre-configuration Tasks
Before connecting to the SCP server to manage files, complete the following tasks:

● Ensure that routes are reachable between the terminal and the device.
● Ensure that the SSH client software supporting SCP has been installed on the
terminal.

Configuration Procedure
Table 8-20 describes the procedure for managing files when the device functions
as an SCP server.

Table 8-20 Managing files when the device functions as an SCP server

No. Task Description Remarks

1 Generate a local key pair,

enable the SCP server,
and configure SCP server
parameters, including the
listening port number,
Set SCP server
source address, key pair
parameters
updating time, SSH
authentication timeout
duration, and number of
SSH authentication Tasks 1, 2, and 3
retries. can be performed
in any sequence.
2 Configure the user
Configure the VTY
authentication mode,
user interface for SSH
SSH, and other basic
users to log in to the
attributes on the VTY
device
user interface.

3 Create SSH users and set

Configure SSH user the authentication mode
information and service type on the
SCP server.

4 Manage files when —

Upload and download
the device functions
files on the SCP client.
as an SCP server

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 275

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Default Parameter Settings

Table 8-21 Default parameter settings

Parameter Default Setting

SCP server function Disabled

Listening port number 22

Time for updating the key pair of the 0, indicating the key pair of the server
server is never updated

SSH authentication timeout duration 60 seconds

Number of SSH authentication retries 3

SSH user No SSH user is created.

Type of service for SSH users No service type is supported.

Procedure
● Set SCP server parameters.

Table 8-22 Setting SCP server parameters

Operation Command Description

Enter the system

system-view -
view.

Perform one of the operations

based on the key type.
After the key pair is generated,
run the display rsa local-key-
rsa local-key-pair pair public, display dsa local-
Generate a local create, dsa local-key- key-pair public, or display ecc
key pair. pair create, or ecc local-key-pair public
local-key-pair create. command to check the public
key in the local key pair.
NOTE
For increased security, you are
advised to use the longest
possible length for the key pairs.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 276

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operation Command Description

Configure the ● ssh server-source By default, the source address

source address of -i interface-type of an SSH server is not
the SSH server. interface-number specified.
● ssh ipv6 server-
source -a
ipv6_address [ -
vpn-instance
vpn_name ]
Enable the SCP scp [ ipv4 | ipv6 ] By default, the SCP server
server function. server enable function is disabled.

By default, an SSH server

supports all key exchange
algorithms.
The system software does not
support the
dh_group_exchange_sha1,
dh_group14_sha1, and
dh_group1_sha1 parameters.
To use the
dh_group_exchange_sha1,
ssh server key- dh_group14_sha1, or
exchange dh_group1_sha1 parameter,
(Optional)
{ dh_group14_sha256 you need to install the
Configure a key
| dh_group15_sha512 WEAKEA plug-in. For higher
exchange
| dh_group16_sha512 security purposes, you are
algorithm list for
| advised to use other
the SSH server.
dh_group_exchange_ parameters.
sha256 }* You can search for Plug-in
Usage Guide at the Huawei
technical support website
(Enterprise Network or
Carrier), and choose the
desired plug-in usage guide
based on the switch model
and software version. If you do
not have permission to access
the website, contact technical
support personnel.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 277

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operation Command Description

By default, an SSH server

supports all encryption
algorithms.
The system software does not
support the aes256_cbc,
aes128_cbc, 3des_cbc, and
des_cbc parameters. To use
these parameters, you need to
install the WEAKEA plug-in.
For higher security purposes,
(Optional)
you are advised to specify the
Configure an ssh server cipher
aes256_ctr or aes128_ctr
encryption { aes128_ctr |
parameter.
algorithm list for aes256_ctr } *
the SSH server. You can search for Plug-in
Usage Guide at the Huawei
technical support website
(Enterprise Network or
Carrier), and choose the
desired plug-in usage guide
based on the switch model
and software version. If you do
not have permission to access
the website, contact technical
support personnel.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 278

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operation Command Description

By default, the WEAKEA plug-

in is not installed, an SSH
server supports only the
sha2_256 algorithm, and the
undo ssh server hmac
command is unavailable.
When the WEAKEA plug-in is
installed, an SSH server also
supports the sha2_256_96,
sha1, sha1_96, md5 and
md5_96 algorithms, and the
undo ssh server hmac
command is available.
The system software does not
support the sha2_256_96,
(Optional) sha1, sha1_96, md5, and
Configure an md5_96 parameters. To use
ssh server hmac
HMAC algorithm the sha2_256_96, sha1,
sha2_256
list for the SSH sha1_96, md5, or md5_96
server. parameter, you need to install
the WEAKEA plug-in. For
higher security purposes, you
are advised to specify the
sha2_256 parameter.
You can search for Plug-in
Usage Guide at the Huawei
technical support website
(Enterprise Network or
Carrier), and choose the
desired plug-in usage guide
based on the switch model
and software version. If you do
not have permission to access
the website, contact technical
support personnel.

(Optional)
Configure the
minimum key
By default, the minimum key
length supported
ssh server dh- length in Diffie-hellman-
during Diffie-
exchange min-len group-exchange between the
hellman-group-
min-len SSH server and client is 1024
exchange key
bytes.
exchange
between the SSH
server and client.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 279

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operation Command Description

By default, the listening port

number is 22.
If a new port number is
(Optional) configured, the SSH server
ssh [ ipv4 | ipv6 ] disconnects all SSH clients and
Configure the
server port port- uses the new port number to
listening port
number listen for connection requests.
number.
Attackers do not know the
port number and cannot
access the listening port of the
SSH server.

By default, the interval for

updating the key pair is 0,
which indicates that the key
pair is never updated.
(Optional) After the interval is configured,
Configure the the system automatically
ssh server rekey-
interval for updates the key pair at the
interval hours
updating the key specified interval, which
pair of the server. ensures security.
This command takes effect
only for SSH1.X. However,
SSH1.X provides weak security
and is not recommended.

(Optional) ssh server rekey time By default, the key re-

Configure the rekey-time negotiation interval is 60
SSH server key re- minutes.
negotiation
trigger interval.

(Optional)
Specifies the By default, DSA, ECC, RSA
ssh server publickey
public key public key algorithms are
{ dsa | ecc | rsa } *
algorithm of the enabled.
SSH server.

(Optional)
Configure the By default, the SSH
ssh server timeout
SSH authentication timeout
seconds
authentication duration is 60 seconds.
timeout duration.

(Optional)
Configure the ssh server
By default, the number of SSH
number of SSH authentication-
authentication retries is 3.
authentication retries times
retries.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 280

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operation Command Description

(Optional) Enable ssh server By default, the server's

compatibility with compatible-ssh1x compatibility with earlier
earlier versions. enable versions is disabled.
When an SSH server is
upgraded, the server's
compatibility with earlier
versions is the same as that in
the configuration file.

By default, no ACL is
configured for the SSH server.
(Optional) ssh [ ipv6 ] server acl An ACL is configured to
Configure an ACL. acl-number determine which clients can
log in to the current device
through SSH.

– When the local RSA key pair is generated, two key pairs (a server key pair
and a host key pair) are generated at the same time. Each key pair
contains a public key and a private key. The length of the two key pairs is
2048 bits.
– When the local DSA key pair is generated, only the host key pair is
generated. The length of the host key pair can be 1024 or 2048 bits. The
default length is 2048 bits.
– When the local ECC key pair is generated, only the host key pair is
generated. The length of the host key pair can be 256, 384, or 521 bits.
The default length is 521 bits.
● Configure the VTY user interface for SSH users to log in to the device.
SSH users use the VTY user interface to log in to the device using SCP.
Attributes of the VTY user interface must be configured.

Table 8-23 Configuring the VTY user interface for SSH users to log in to the
device
Operation Command Description

Enter the system

system-view -
view.

user-interface vty
Enter the VTY user
first-ui-number [ last- -
interface view.
ui-number ]

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 281

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operation Command Description

By default, no authentication
mode is configured for the
VTY user interface.
Set the
authentication The authentication mode of
authentication-mode the VTY user interface must
mode of the VTY
aaa be set to AAA. Otherwise,
user interface to
AAA. you cannot configure the
protocol inbound ssh
command and users cannot
log in to the device.

By default, the VTY user

Configure a VTY interface supports SSH.
user interface that protocol inbound ssh If no VTY user interface
supports SSH. supports SSH, users cannot
log in to the device.

The user privilege level must

be set to 3 or higher to allow
connections to be
established.
Configure the user user privilege level If a local user uses password
privilege level. level authentication, you can run
the local-user user-name
privilege level level
command to set the level of
the user to 3 or higher.

Other attributes of the VTY

user interface are as follows:
● Maximum number of VTY
user interfaces
(Optional) ● Restrictions on incoming
Configure other calls and outgoing calls on
-
attributes of the the VTY user interface
VTY user interface. ● Terminal attributes on the
VTY user interface
For details, see 6.6
Configuring STelnet Login–
Other commands.

● Configure SSH user information.

Configure SSH user information including the authentication mode. The
supported authentication modes are RSA, password, password-rsa, DSA,
password-dsa, ECC, password-ecc, and all.
– The password-rsa authentication mode consists of the password and RSA
authentication modes.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 282

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

– The password-dsa authentication mode consists of the password and DSA

authentication modes.
– The password-ecc authentication mode consists of the password and ECC
authentication modes.
– The all authentication mode indicates that SSH users can be
authenticated by ECC, DSA, password, or RSA.

Table 8-24 Configuring SSH user information

Operation Command Description

Enter the system

system-view -
view.

Create SSH users. ssh user user-name -

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 283

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operation Command Description

If SSH users are not

created using the ssh
user command, directly
run the ssh
authentication-type
default password
command to configure
the default password
authentication mode for
users. This makes
configuration simpler
when a large number of
users exist, because you
need to configure only
AAA users.
NOTE
In all authentication mode,
ssh user user-name the user priority depends on
the authentication mode
Configure the authentication-type
selected.
authentication { password | rsa |
mode for SSH password-rsa | dsa | ● If password
authentication is
users. password-dsa | ecc | selected, the user
password-ecc | all } priority is the same as
that specified on the
AAA module.
● If RSA/DSA/ECC
authentication is
selected, the user
priority depends on the
priority of the VTY
window used during
user access.
If all authentication is
selected and an AAA user
with the same name as the
SSH user exists, user
priorities may be different
in password authentication
and RSA/DSA/ECC
authentication modes. Set
relevant parameters as
needed.

Set the service By default, the service

ssh user username
type to all for SSH type of SSH users is
service-type all
users. empty.

– The password authentication mode is implemented based on AAA. To log

in to the device in the password-ecc, password-dsa, password, or
password-rsa authentication mode, create a local user with the same user
name in the AAA view.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 284

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

– If the SSH user uses the password authentication mode, only the SSH
server needs to generate the RSA, DSA, or ECC key. If the SSH user uses
the RSA, DSA, or ECC authentication mode, both the SSH server and
client need to generate the RSA, DSA, or ECC key and configure the
public key of the peer end locally.
Perform any of the following configurations according to authentication
mode:
– To configure password authentication for the SSH user, see Table 8-25.
– To configure RSA, DSA, or ECC authentication for the SSH user, see Table
8-26.
– To configure password-rsa, password-dsa, or password-ecc authentication
for the SSH user, configure an AAA user and set the RSA, DSA, or ECC
public key. For details, see Table 8-25 and Table 8-26.

Table 8-25 Configuring password, password-ecc, password-dsa, or password-

rsa authentication for the SSH user
Operation Command Description

Enter the system view. system-view -

Enter the AAA view. aaa -

local-user user-name
Configure the local user
password irreversible- -
name and password.
cipher password

Configure the service local-user user-name

-
type for the local user. service-type ssh

Configure the level for local-user user-name

-
the local user. privilege level level

Return to the system

quit -
view.

Table 8-26 Configuring DSA, RSA, ECC, password-dsa, password-rsa, or

password-ecc authentication for the SSH user
Operation Command Description

Enter the system view. system-view -

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 285

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operation Command Description

rsa peer-public-key
key-name [ encoding-
type { der | openssh |
pem } ]
,
dsa peer-public-key
Display the RSA, DSA, key-name encoding-
-
or ECC public key view. type { der | openssh |
pem }
, or
ecc peer-public-key
key-name encoding-
type { der | openssh |
pem }

Display the public key

public-key-code begin -
editing view.

● The public key must

be a hexadecimal
character string in
the public key
encoding format,
and generated by
the client software
that supports SSH.
For detailed
Edit the public key. hex-data operations, see the
documentation of
the SSH client
software.
● You must enter the
RSA, DSA, ECC
public key on the
device that works as
the SSH server.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 286

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operation Command Description

● If no public key code

hex-data is entered,
the public key
cannot be generated
after you run this
command.
● If the specified key
Exit the public key key-name has been
public-key-code end deleted in another
editing view.
view, the system
displays a message
indicating that the
key does not exist
and then returns to
the system view
directly when you
run this command.

Return to the system

view from the public peer-public-key end -
key view.

ssh user user-name

Assign an RSA, DSA, or
assign { rsa-key | dsa-
ECC public key to an -
key | ecc-key } key-
SSH user.
name

● Manage files when the device functions as an SCP server.

The SSH client software supporting SCP must be installed on the terminal to
ensure that the terminal can connect to the device using SCP. The following
describes how to connect to the device using OpenSSH and the Windows CLI.

– For details about how to install OpenSSH, see the OpenSSH installation
description.
– To use OpenSSH to connect to the device using SFTP, run the relevant
OpenSSH commands. For details about OpenSSH commands, see
OpenSSH help.
– Windows command prompt can identify commands supported by
OpenSSH only when OpenSSH is installed on the terminal.

Access the Windows CLI and run the commands supported by the OpenSSH
to connect to the device using SCP. (The following information is for
reference.)
C:\Documents and Settings\Administrator> scp [email protected]:flash:/vrpcfg.zip vrpcfg-backup.zip
The authenticity of host '10.136.23.5 (10.136.23.5)' can't be established.
DSA key fingerprint is 46:b2:8a:52:88:42:41:d4:af:8f:4a:41:d9:b8:4f:ee.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.136.23.5' (DSA) to the list of known hosts.

User Authentication
Password:

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 287

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

vrpcfg.zip 100% 1257 1.2KByte(s)/sec 00:00

Received disconnect from 10.136.23.5: 2: The connection is closed by SSH server

C:\Documents and Settings\Administrator>

The user terminal uploads or downloads files while connecting to the SCP
server and accesses the user local directory.

NOTE

The file system limits the number of files in the root directory to 50. Creation of files
in excess of this limit in the root directory may fail.

----End

Verifying the Configuration

● Run the display ssh user-information [ username ] command to view SSH
user information on the SSH server.
● Run the display ssh server status command to view global configuration of
the SSH server.
● Run the display ssh server session command to view session information of
the SSH client on the SSH server.

8.3.5 Managing Files When the Device Functions as an FTPS

Server

Pre-configuration Tasks
Before connecting to the FTPS server to manage files, complete the following
tasks:

● Ensure that routes are reachable between the terminal and the device.
● Ensure that the FTP client software supporting SSL has been installed on the
terminal.

Configuration Procedure
Table 8-27 describes the procedure for managing files when the device functions
as an FTPS server.

Table 8-27 Managing files when the device functions as an FTPS server

No. Task Description Remarks

Upload the digital
Upload the server
certificate and
1 digital certificate and
private key to the
private key
device.
Task 1 must be
performed before
task 2. The other
tasks can be
performed in any
sequence.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 288

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

No. Task Description Remarks

Configure an SSL
Configure the SSL
policy and load the
2 policy and load the
digital certificate to
digital certificate
the server.

Enable the FTPS

server function,
configure an SSL
Configure the FTPS policy for the FTPS
server function and server, and set FTPS
3
set FTP service server parameters
parameters. including the port
number, source
address, and timeout
period.

Configure FTP local

Configure local FTP users including the
4
user information service type and
authorized directory.

Connect to the
Connect to the device
5 device using FTPS on -
using FTPS
the terminal.

Default Parameter Settings

Table 8-28 Default parameter settings

Parameter Default Setting

SSL policy No SSL policy is created for an FTPS

server.

FTPS server function Disabled

Listening port number 21

FTP user No local user is created.

Procedure
● Upload the server digital certificate and private key.
Upload the server digital certificate and private key file to the security
directory on the device in SFTP or SCP mode. If no security directory exists on
the device, run the mkdir directory command to create one.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 289

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

The server must obtain a digital certificate (including the private key file)
from a CA. Clients that connect to the server must obtain a digital certificate
from the CA to authenticate the validity of the server digital certificate.

NOTE

A certificate authority (CA) is an entity that issues and manages digital certificates.
Digital certificates used on the FTPS server must be issued by a CA.

Digital certificates support the PEM, ASN1, and PFX formats. Despite of the
formats, the certificates have the same content.
– A PEM digital certificate has a file name extension .pem and is applicable
to text transmission between systems.
– An ASN1 digital certificate has a file name extension .der and is the
default format for most browsers.
– A PFX digital certificate has a file name extension .pfx and is a binary
format that can be converted into the PEM or ASN1 format.
For details, see the description about uploading files in other modes.
● Configure the SSL policy and load the digital certificate.
Load the digital certificate and specify the private key.

Table 8-29 Configuring the SSL policy and loading the digital certificate
Operation Command Description

Enter the system

system-view -
view.

Customize an SSL cipher

suite policy and enter the
(Optional) ssl cipher-suite-list cipher suite policy view.
Customize the customization-policy-
SSL cipher suite. name By default, no customized
SSL cipher suite policy is
configured.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 290

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operation Command Description

Configure the cipher suites

for a customized SSL cipher
suite policy.
By default, no customized
SSL cipher suite policy is
configured.
If a customized SSL cipher
suite policy is being
referenced by an SSL policy,
the cipher suites in the
customized cipher suite
policy can be added,
modified, or partially
deleted. Deleting all of the
cipher suites is not
supported.
If a customized SSL cipher
suite policy is being
referenced by an SSL policy,
set cipher-suite the cipher suites in the
{ tls12_ck_dss_aes_128_ customized cipher suite
gcm_sha256 | policy can be added,
tls12_ck_dss_aes_256_gc modified, or partially
m_sha384 | deleted. Deleting all of the
tls12_ck_rsa_aes_128_gc cipher suites is not allowed.
m_sha256 | The system software does
tls12_ck_rsa_aes_256_gc not contain the
m_sha384 | } tls12_ck_rsa_aes_256_cbc_
sha256,
tls1_ck_dhe_dss_with_aes_
128_sha,
tls1_ck_dhe_dss_with_aes_
256_sha,
tls1_ck_dhe_rsa_with_aes_
128_sha,
tls1_ck_dhe_rsa_with_aes_
256_sha,
tls1_ck_rsa_with_aes_128_
sha, and
tls1_ck_rsa_with_aes_256_
sha parameters. To use
these parameters, you need
to install the WEAKEA plug-
in. However, these
algorithms have low
security. For security
purposes, you are advised
to use other algorithms.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 291

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operation Command Description

You can search for Plug-in

Usage Guide at the
Huawei technical support
website (Enterprise
Network or Carrier), and
choose the desired plug-in
usage guide based on the
switch model and software
version. If you do not have
permission to access the
website, contact technical
support personnel.

quit Return to the system view.

Create an SSL
policy and enter
ssl policy policy-name -
the SSL policy
view.

By default, the SSL

minimum version of an SSL
policy is TLS1.2.
The system software does
not contain the tls1.0
parameter. To use this
parameter, you need to
install the WEAKEA plug-in.
However, this algorithm has
low security. For security
purposes, you are advised
(Optional) Set a
ssl minimum version to specify the tls1.2
minimum version
{ tls1.1 | tls1.2 parameter.
of an SSL policy.
You can search for Plug-in
Usage Guide at the Huawei
technical support website
(Enterprise Network or
Carrier), and choose the
desired plug-in usage guide
based on the switch model
and software version. If you
do not have permission to
access the website, contact
technical support personnel.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 292

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operation Command Description

By default, no customized
cipher suite policy is bound
to an SSL policy. Each SSL
policy uses a default cipher
suite. After a customized
cipher suite policy is
unbound from an SSL
policy, the SSL policy uses
one of the following cipher
suites supported by default:
● tls1_ck_rsa_with_aes_256
_sha
● tls1_ck_rsa_with_aes_128
_sha
● tls1_ck_dhe_rsa_with_aes
(Optional) Bind a binding cipher-suite- _256_sha
customized SSL customization
● tls1_ck_dhe_dss_with_ae
cipher suite policy customization-policy-
s_256_sha
to an SSL policy. name
● tls1_ck_dhe_rsa_with_aes
_128_sha
● tls1_ck_dhe_dss_with_ae
s_128_sha
● tls12_ck_rsa_aes_256_cbc
_sha256
If the cipher suite in the
customized cipher suite
policy bound to an SSL
policy contains only one
type of algorithm (RSA or
DSS), the corresponding
certificate must be loaded
for the SSL policy to ensure
successful SSL negotiation.

certificate load pem-

Load the digital cert cert-filename key-
certificate in the pair { dsa | rsa } key-file
PEM format. key-filename auth-code Load the digital certificate
cipher auth-code in the PEM, ASN1, or PFX
certificate load asn1- format.
Load the digital
cert cert-filename key-
certificate in the
pair { dsa | rsa } key-file
ASN1 format.
key-filename

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 293

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operation Command Description

certificate load pfx-cert NOTE

cert-filename key-pair
Load the digital
{ dsa | rsa } { mac
certificate in the
cipher mac-code | key-
PFX format.
file key-filename } auth-
code cipher auth-code
certificate load pem-
Load the digital
chain cert-filename key-
certificate chain
pair { dsa | rsa } key-file
in the PEM
key-filename auth-code
format.
cipher auth-code
● You can load a certificate
or certificate chain for only
one SSL policy. Before
loading a certificate or
certificate chain, you must
unload any existing
certificate or certificate
chain.
● When you configure an
SSL policy to load a
certificate or certificate
chain, ensure that the
maximum length of the
key pair in the certificate
or certificate chain is 2048
bits. If the length of the
key pair exceeds 2048 bits,
the certificate file or
certificate chain file cannot
be uploaded to the device.
● Before rolling
V200R008C00 or a later
version back to an earlier
version, back up the SSL
private key file.

● Configure the FTPS server function and set FTP service parameters.
FTPS is based on the FTP protocol. You can enable the FTPS server function
and set FTP service parameters.

Table 8-30 Configuring the FTPS server function and setting FTP service
parameters
Operation Command Description

Enter the system

system-view -
view.

The default port number is

21.
If a new port number is
configured, the FTP server
(Optional) disconnects all FTP clients
Specify a port ftp [ ipv6 ] server port and uses this new port
number for the port-number number to listen for
FTP server. connection requests.
Attackers do not know the
port number and cannot
access the listening port of
the FTP server.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 294

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operation Command Description

The SSL policy configured

Configure the SSL
ftp secure-server ssl- on the FTPS server is the
policy on the
policy policy-name same as that created in the
FTPS server.
last step.

Specifies a source ● ftp server-source { -a By default, no source

address for the source-ip-address | -i address is specified for an
FTP server. interface-type FTP server.
interface-number } After the source address is
● ftp ipv6 server- specified for the FTP server,
source -a you must use the specified
ipv6_address [ -vpn- IP address to log in to the
instance vpn_name ] FTP server. Otherwise, the
login fails.

By default, the FTPS server

function is disabled.
Enable the FTPS ftp [ ipv6 ] secure- NOTE
server function. server enable To enable the security FTPS
server function, you must
disable the FTP server
function.

(Optional) ftp [ ipv6 ] timeout By default, the idle timeout

Configure the minutes duration is 10 minutes.
timeout duration If no operation is performed
of the FTP server. on the FTP server during the
timeout duration, the FTP
client automatically
disconnects from the FTP
server.

(Optional) Set
the maximum By default, the maximum
ftp [ ipv6 ] server max-
number of number of sessions
sessions max-sessions-
sessions supported by the FTP server
number
supported by the is 5.
FTP server.

NOTE

● If the FTPS service is enabled, the port number of the FTPS service cannot be
changed. To change the port number, run the undo ftp [ ipv6 ] secure-server
command to disable the FTPS service first.
● After operations on files are complete, run the undo ftp [ ipv6 ] secure-server to
disable the FTPS server function to ensure the device security.
● Configure local FTP user information.

Before performing operations on files using FTPS, configure the local user
name and password, service type, and authorized directory on the FTPS server.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 295

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Table 8-31 Configuring local FTP user information

Operation Command Description

Enter the system

system-view -
view.

Enter the AAA

aaa -
view.

Configure the local-user user-name

local user name password irreversible- -
and password. cipher password
NOTE
Configure the The user privilege level must
local-user user-name
local user be set to 3 or higher to
privilege level level ensure successful connection
privilege level.
establishment.

Configure the
local-user user-name By default, a local user can
service type for
service-type ftp use any access type.
local users.

By default, the FTP

directory of a local user is
empty.
When multiple FTP users
use the same authorized
directory, you can use the
set default ftp-directory
Configure an directory command to
local-user user-name ftp-
authorized configure a default
directory directory
directory. directory for these FTP
users. In this case, you do
not need run the local-
user user-name ftp-
directory directory
command to configure an
authorized directory for
each user.

Configure the local-user user-name ftp- By default, FTP permissions

FTP permission privilege of a local user are read,
for the local [ directoryfilename ] write, and execute
user. { read | write | execute }* permissions.

● Connect to the device using FTPS.

The FTP client software supporting SSL must be installed on the terminal to
ensure that the terminal can connect to the FTPS server using third-party
software to manage files.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 296

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

NOTE

The file system limits the number of files in the root directory to 50. Creation of files
in excess of this limit in the root directory may fail.

----End

Verifying the Configuration

● Run the display ssl policy command to view the SSL policy and digital
certificate.
● Run the display [ ipv6 ] ftp-server command to view the FTPS server status.
● Run the display ftp-users command to view information about the FTP users
who log in to the FTP server.

8.4 File Management on Other Devices

8.4.1 Managing Files When the Device Functions as a TFTP

Client
Pre-configuration Tasks
Before connecting to a device as a TFTP client to manage files, complete the
following tasks:
● Ensure that routes are reachable between the current device and the TFTP
server.
● Obtain the host name or IP address of the TFTP server and the directory for
storing files to be downloaded or uploaded.

Configuration Procedure
NOTE

TFTP is insecure and will bring security risks. Using SFTPv2, SCP, or FTPS is recommended.

Table 8-32 describes the procedure for managing files when the device functions
as a TFTP client.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 297

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Table 8-32 Procedure for managing files when the device functions as a TFTP
client
No. Task Description Remarks

Configure the TFTP

client source address.
To ensure
(Optional) Configure
communication
1 the TFTP client source
security, the source
address
address can be set to
a source IP address You can configure
or source interface. the TFTP client
source address and
Configure the ACL TFTP ACL rule in any
(Optional) Configure rule and TFTP basic sequence.
2
the TFTP ACL ACL to improve TFTP
access security.

Run TFTP commands

Upload and
3 to upload or
download files.
download files

Procedure
● (Optional) Configure the TFTP client source address.
When specifying the source address in an ACL, use the address of a stable
interface, for example, a loopback interface. This simplifies the ACL rule and
security policy configuration. After the client source address is configured as
the source or destination address in the ACL rule, IP address differences and
interface status impact are shielded, and incoming and outgoing packets are
filtered.

Table 8-33 (Optional) Configuring the TFTP client source address

Operation Command Description

Enter the system

system-view -
view.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 298

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operation Command Description

The TFTP client

tftp client-source { -a
Configure the TFTP source-ip-address | -i
client source address. interface-type interface-
number }
source address can
be set to a source IP
address or source
interface. If a source
interface is specified,
configure an IP
address for the
interface. This is used
for establishing TFTP
connections.
By default, the TFTP
client source address
is the IP address of
the outbound
interface connecting
to the TFTP server,
and it is displayed as
0.0.0.0.

● (Optional) Configure the TFTP ACL.

An ACL is a list of rules that classify and filter packets according to their
source address, destination address, port number, and other values. An ACL
classifies packets based on rules. After the rules are applied to a router, the
router determines whether a packet is permitted or denied in accordance with
these rules.
Multiple rules can be defined in an ACL. ACLs are classified into basic ACLs,
advanced ACLs, and Layer 2 ACLs.
TFTP supports only basic ACLs, which are numbered from 2000 to 2999.
ACL rule:
– If permit is defined in an ACL rule, the device can establish TFTP
connections with any devices that match the rule.
– If deny is defined in an ACL rule, the device cannot establish TFTP
connections with devices that match the rule.

Table 8-34 (Optional) Configuring the TFTP ACL

Operation Command Description

Enter the system

system-view -
view.

Create an ACL and By default, no ACL is

acl [ number ] acl-number
enter the ACL view. created.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 299

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operation Command Description

By default, no ACL
rule is configured.
NOTE
The vpn-instance and
public parameter is
supported only when a
software-based ACL is
applied to the S5720I-
SI, S5735-S, S5735S-S,
rule [ rule-id ] { deny | S5735-S-I, S5735S-H,
permit } [ source { source- S5736-S, S5731-H,
S5731-S, S5731S-H,
address source-wildcard |
Configure the ACL S5731S-S, S5732-H,
any } | fragment | logging | S6720-EI, S6720S-EI,
rule.
time-range time-name | S6720S-S, S6730-H,
{ vpn-instance vpn-instance- S6730S-H, S6730-S, or
name | public } ] * S6730S-S. For usage
scenarios of software-
based ACLs, see "ACL
Implementations" in
the S300, S500, S2700,
S5700, and S6700
V200R020C10
Configuration Guide -
Security ACL
Configuration - ACL
Fundamentals.

Return to the
quit -
system view.

Configure the TFTP tftp-server [ ipv6 ] acl acl-

-
ACL. number

● Run TFTP commands to upload or download files.

Operation Command Description

tftp [ -a source-ip-address | -i
interface-type interface-
number ] tftp-server [ public-
IPv4
net | vpn-instance vpn-
address
instance-name ] { get | put }
source-filename [ destination-
filename ] ● get: downloads a file.
● put: uploads a file.
tftp ipv6 [ -a source-ip-
address ] tftp-server-ipv6 [ -oi
IPv6 interface-type interface-
address number ] { get | put } source-
filename [ destination-
filename ]

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 300

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

NOTE

The file system limits the number of files in the root directory to 50. Creation of files
in excess of this limit in the root directory may fail.

The source address or interface specified in the tftp command has a higher
priority than that specified in the tftp client-source command. If you specify
different source addresses or interfaces in the tftp client-source and tftp
commands, the source address or interface specified in the tftp command
takes effect. The source address or interface specified in the tftp client-
source command applies to all TFTP connections. The source address or
interface specified in the tftp command applies only to the current TFTP
connection.

----End

Verifying the Configuration

● Run the display tftp-client command to check source address of the TFTP
client.
● Run the display acl { acl-number | all } command to check the ACL
configurations of the TFTP client.

8.4.2 Managing Files When the Device Functions as an FTP

Client

Pre-configuration Tasks
Before connecting to a device as an FTP client to manage files, complete the
following tasks:

● Ensure that routes are reachable between the current device and the FTP
server.
● Obtain the host name or IP address of the FTP server, FTP user name, and
password.
● Obtain the listening port number of the FTP server if the default listening port
number is not used.

Configuration Procedure

NOTICE

The FTP protocol brings security risks. The SFTPv2, SCP, or FTPS mode is
recommended.

Table 8-35 describes the procedure for managing files when the device functions
as an FTP client.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 301

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Table 8-35 Procedure for managing files when the device functions as an FTP
client
No. Task Description Remarks

Configure the FTP

client source address.
To ensure
(Optional) Configure
communication
1 the FTP client source
security, the source
address
address can be set to
a source IP address
or source interface.

Run FTP commands to

2 connect to the FTP - Perform steps 1 and
server 2 in sequence. After
the FTP connection is
Run FTP commands
established, perform
to perform file-
steps 3 and 4 in any
related operations,
sequence. To
such as uploading
Run FTP commands to disconnect from the
and downloading
3 perform file-related FTP server, perform
files, configuring the
operations step 5.
file transfer mode,
and viewing the
online help about
FTP commands.

(Optional) Change
4 -
the login user

Disconnect the FTP

5 client from the FTP -
server

Procedure
● (Optional) Configure the FTP client source address.
When specifying the source address in an ACL, use the address of a stable
interface, for example, a loopback interface. This simplifies the ACL rule and
security policy configuration. After the client source address is configured as
the source or destination address in the ACL rule, IP address differences and
interface status impact are shielded, and incoming and outgoing packets are
filtered.
The FTP client source address must be set to the loopback interface IP address
or loopback interface.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 302

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Table 8-36 Configuring the FTP client source address

Operation Command Description

Enter the system

system-view -
view.

You are advised to

ftp client-source { -a
Configure the FTP source-ip-address | -i
client source address. interface-type interface-
number }
use the loopback
interface IP address.
When the FTP client
source address is set
to loopback interface,
configure an IP
address for the
loopback interface
for establishing FTP
connections.

● Run FTP commands to connect to the FTP server.

Run the corresponding command in the user view or FTP client view to
connect to the FTP server.
Perform the following operations based on the server IP address types.

Table 8-37 Running FTP commands to connect to the FTP server (with an
IPv4 address)
Operation Command Description

Connect to
ftp [ -a source-ip-address |
the FTP server
-i interface-type interface-
in the user
number ] host-ip [ port-
view when
number ] [ public-net |
the server
vpn-instance vpn-
uses an IPv4
instance-name ]
address. Select one of them.
ftp To enter the FTP client view,
Connect to run the ftp command.
the FTP server open [ -a source-ip-
in the FTP address | -i interface-type
client view interface-number ] host-ip
when the [ port-number ] [ public-
server uses an net | vpn-instance vpn-
IPv4 address. instance-name ]

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 303

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

NOTE

● Before connecting to the FTP server, run the set net-manager vpn-instance
command to set the default VPN instance. After this command is used, the FTP
operation uses the default VPN instance.
● The source address specified in the ftp command has a higher priority than that
specified in the ftp client-source command on an IPv4 network. If you specify
different source addresses in the ftp client-source and ftp commands, the source
address specified in the ftp command takes effect. The source address specified in
the ftp client-source command applies to all TFTP connections. The source
address specified in the ftp command applies only to the current TFTP connection.

Table 8-38 Running FTP commands to connect to the FTP server (with an
IPv6 address)
Operation Command Description

Connect to the
FTP server in the
ftp ipv6 host-ipv6 [ port-
user view when
number ]
the server uses
an IPv6 address. Select one of them.
To enter the FTP
Connect to the ftp client view, run the
FTP server in the ftp command.
FTP client view
when the server open ipv6 host-ipv6 [ port-
uses an IPv6 number ]
address.

Users must enter the correct user name and password to connect to the
server.
● Run FTP commands to perform file-related operations.
After connecting to the FTP server, users can run FTP commands to perform
file-related operations including performing operations on directories and
files, configuring the file transfer mode, and viewing the online help about
FTP commands.

NOTE

User rights are configured on the FTP server.

The file system limits the number of files in the root directory to 50. Creation of files
in excess of this limit in the root directory may fail.

Users can perform the following operations in any sequence.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 304

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Table 8-39 Running FTP commands to perform file-related operations

Operation Command Description

Change the
working
cd remote-directory -
directory on the
server.

Change the -
current working
cdup
directory to its
parent directory.

Display the -
working
pwd
directory on the
server.

The lcd command displays the

Display or
local working directory on the
change the local
lcd [ local-directory ] client, and the pwd command
working
displays the working directory
directory.
on the remote server.

The directory name can

Create a consist of letters and digits.
directory on the mkdir remote-directory The following special
server. characters are not supported:
<>?\:

Delete a
directory from rmdir remote-directory -
the server.

● The ls command displays

only the directory or file
name, whereas the dir
Display command displays detailed
information directory or file
dir/ls [ remote- information such as name,
about the
filename [ local- size, and creation date.
specified
filename ] ]
directory or file ● If no directory is specified
on the server. in the command, the
system searches for the file
in the user's authorized
directories.

Delete a file
delete remote-filename -
from the server.

put local-filename ● To upload a file, run the

Upload one or [ remote-filename ] put command.
more files. Or ● To upload multiple files,
mput local-filenames run the mput command.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 305

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operation Command Description

get remote-filename ● To download a file, run the

Download one [ local-filename ] get command.
or more files. Or ● To download multiple files,
mget remote-filenames run the mget command.

Select either of them.

● The default file transfer
mode is ASCII.
Set the file ascii ● The ASCII mode is used to
transfer mode to Or transfer text files, and the
ASCII or Binary. binary binary mode is used to
transfer programs, system
software, and database
files.

Set the data Select either of them.

passive
transmission
Or The default data transmission
mode to passive
undo passive mode is active.
or active.

View the online

remotehelp
help about FTP -
[ command ]
commands.

Enable the
By default, the prompt
system prompt prompt
function is disabled.
function.

After the verbose function is

Enable the enabled, all FTP response
verbose
verbose function. messages are displayed on the
FTP client.

● (Optional) Change the login user.

The current user can switch to another user in the FTP client view. The new
FTP connection is the same as that established by running the ftp command.

Operation Command Description

When the login user is

Change the current switched to another
user user-name
user in the FTP client user, the original user is
[ password ]
view. disconnected from the
FTP server.

● Disconnect the FTP client from the FTP server.

Users can run different commands in the FTP client view to disconnect the
FTP client from the FTP server.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 306

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operation Command Description

Disconnect the FTP

client from the FTP
bye or quit
server and return to
the user view.
Select one of them.
Disconnect the FTP
client from the FTP
close or disconnect
server and return to
the FTP client view.

----End

Verifying the Configuration

● Run the display ftp-client command to check source interface of the FTP
client.

8.4.3 Managing Files When the Device Functions as an SFTP

Client
Pre-configuration Tasks
Before connecting to a device as an SFTP client to manage files, complete the
following tasks:
● Ensure that routes are reachable between the current device and the SSH
server.
● Obtain the host name or IP address of the SSH server and SSH user
information.
● Obtain the listening port number of the SSH server if the default listening
port number is not used.

Configuration Procedure
Table 8-40 describes the procedure for managing files when the device functions
as an SFTP client.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 307

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Table 8-40 Procedure for managing files when the device functions as an SFTP
client
No. Task Description Remarks

Configure the SFTP

client source address.
To ensure
(Optional) Configure
communication
1 the SFTP client source
security, the source
address
address can be set to
a source IP address
or source interface.

Generate a local key

pair and configure
the public key on the
SSH server.
Generate a local key Perform this task
2 only if the device
pair
logs in to the SSH
server in RSA, DSA,
or ECC
authentication
mode.
Tasks 1, 2, and 3 can
Configure the initial be performed in any
SSH connection by sequence. Tasks 4-6
enabling the initial must be performed
Configure the initial authentication sequentially.
3
SSH connection. function or saving
the public key of the
SSH server on the
SSH client.

Run SFTP commands

4 to connect to the SSH -
server.

Users can perform

operations on
directories and files
Perform file on the SSH server
5
operations using SFTP. and view the help
about SFTP
commands on the
SFTP client.

Disconnect the SFTP

6 client from the SSH -
server.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 308

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Procedure
● (Optional) Configure the SFTP client source address.
When specifying the source address in an ACL, use the address of a stable
interface, for example, a loopback interface. This simplifies the ACL rule and
security policy configuration. After the client source address is configured as
the source or destination address in the ACL rule, IP address differences and
interface status impact are shielded, and incoming and outgoing packets are
filtered.
The SFTP client source address must be set to the loopback interface IP
address or loopback interface.

Table 8-41 Configuring the SFTP client source address

Operation Command Description

Enter the system

system-view -
view.

The default source

sftp client-source { -a
Configure the SFTP source-ip-address | -i
client source address. interface-type interface-
number }
address is 0.0.0.0.
The client source
address is set to the
loopback interface IP
address or loopback
interface.

● Generating a local key pair

NOTE

Perform this step only if the device logs in to the SSH server in RSA, DSA, or ECC
authentication mode. This step is not required if the password authentication mode is
used.

Table 8-42 Generating a local key pair

Operation Command Description

Enter the
system-view -
system view.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 309

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operation Command Description

Run one of the commands

according to the type of key
configured on the remote
end.
Run the display rsa local-
Generate the rsa local-key-pair create, key-pair public, display dsa
local key dsa local-key-pair create, or local-key-pair public, or
pair. ecc local-key-pair create. display ecc local-key-pair
public command to view the
public key in the local RSA,
DSA, or ECC key pair.
Configure the public key on
the SSH server.

● Configure the initial SSH connection.

Before the client has saved the public key of the SSH server, the client cannot
connect to the SSH server. Configure the initial SSH connection in either of
the following ways:
– Enable the initial authentication function on the SSH client. This function
allows the client to successfully connect to an SSH server for the first
time without validating the SSH server's public key. When the initial SSH
connection succeeds, the client automatically saves the public key of the
SSH server for subsequent SSH connections. For details, see Table 8-43.
This configuration method is simple.
– Save the public key of the SSH server on the client so that the client can
authenticate the SSH server successfully. For details, see Table 8-44. This
method ensures higher security but becomes more complex than the first
method.

Table 8-43 Enabling first authentication for the SSH client

Operation Command Description

Enter the
system-view -
system view.

Enable first
By default, first
authentication ssh client first-time
authentication is disabled on
for the SSH enable
the SSH client.
client.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 310

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Table 8-44 Configuring the SSH client to assign the RSA, DSA, or ECC public
key to the SSH server
Operation Command Description

Enter the
system-view -
system view.

rsa peer-public-key key-

name [ encoding-type
{ der | openssh | pem } ]
,
Enter the RSA, dsa peer-public-key key- Perform one of the
DSA, or ECC name encoding-type operations based on the key
public key view. { der | openssh | pem } type.
Or
ecc peer-public-key key-
name encoding-type
{ der | openssh | pem }

Enter the public

key editing public-key-code begin -
view.

● The public key must be a

hexadecimal character
string in the public key
encoding format, and
generated by the SSH
Edit the public server.
hex-data
key. ● After entering the public
key editing view, you
must enter the RSA, DSA,
or ECC public key that is
generated on the server
to the client.

● If the public key hex-data

is invalid, the public key
cannot be generated after
you run this command.
Exit from the ● If the specified key key-
public key public-key-code end name has been deleted,
editing view. the system displays a
message indicating that
the key does not exist and
then returns to the
system view after you run
this command.

Return to the
peer-public-key end -
system view.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 311

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operation Command Description

If the SSH server public key

saved in the SSH client does
not take effect, run the undo
ssh client servername
Bind the RSA, assign { rsa-key | dsa-key |
ssh client servername
DSA, or ECC ecc-key } command to
assign { rsa-key | dsa-key
public key to cancel the binding between
| ecc-key } keyname
the SSH server. the SSH server and RSA,
DSA, or ECC public key. Then
run this command to assign
a new RSA, DSA, or ECC
public key to the SSH server.

● Run SFTP commands to connect to the SSH server.

The command for connecting an SFTP client is similar to that for connecting
the STelnet client. Both types of clients can carry the source address, support
the keepalive function, and select a key exchange algorithm, an encryption
algorithm, and an HMAC algorithm.

Table 8-45 Running SFTP commands to connect to the SSH server

Operatio
Command Description
n

Enter the
system system-view -
view.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 312

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operatio
Command Description
n

By default, an SSH client

supports all key exchange
algorithms.
The system software does
not support the
dh_group_exchange_sha1,
dh_group14_sha1, and
dh_group1_sha1
parameters. To use the
dh_group_exchange_sha1,
(Optiona
dh_group14_sha1, or
l)
dh_group1_sha1 parameter,
Configur ssh client key-exchange
you need to install the
e a key { dh_group14_sha256 |
WEAKEA plug-in. For higher
exchange dh_group15_sha512 |
security purposes, you are
algorith dh_group16_sha512 |
advised to use other
m list for dh_group_exchange_sha256 }*
parameters.
the SSH
client. You can search for Plug-in
Usage Guide at the Huawei
technical support website
(Enterprise Network or
Carrier), and choose the
desired plug-in usage guide
based on the switch model
and software version. If you
do not have permission to
access the website, contact
technical support personnel.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 313

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operatio
Command Description
n

By default, an SSH client

supports all encryption
algorithms.
The system software does
not support the aes256_cbc,
aes128_cbc, 3des_cbc, and
des_cbc parameters. To use
(Optiona these parameters, you need
l) to install the WEAKEA plug-
Configur in. For higher security
e an purposes, you are advised to
encryptio ssh client cipher { aes128_ctr | specify the aes256_ctr or
n aes256_ctr } * aes128_ctr parameter.
algorith You can search for Plug-in
m list for Usage Guide at the Huawei
the SSH technical support website
client. (Enterprise Network or
Carrier), and choose the
desired plug-in usage guide
based on the switch model
and software version. If you
do not have permission to
access the website, contact
technical support personnel.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 314

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operatio
Command Description
n

By default, the WEAKEA

plug-in is not installed, an
SSH server supports only the
sha2_256 algorithm, and the
undo ssh server hmac
command is unavailable.
When the WEAKEA plug-in is
installed, an SSH server also
supports the sha2_256_96,
sha1, sha1_96, md5 and
md5_96 algorithms, and the
undo ssh server hmac
command is available.
The system software does
(Optiona
not support the
l)
sha2_256_96, sha1,
Configur
sha1_96, md5, and md5_96
e an
parameters. To use the
HMAC ssh client hmac sha2_256
sha2_256_96, sha1,
algorith
sha1_96, md5, or md5_96
m list for
parameter, you need to
the SSH
install the WEAKEA plug-in.
client.
For higher security purposes,
you are advised to specify
the sha2_256 parameter.
You can search for Plug-in
Usage Guide at the Huawei
technical support website
(Enterprise Network or
Carrier), and choose the
desired plug-in usage guide
based on the switch model
and software version. If you
do not have permission to
access the website, contact
technical support personnel.

(Optiona ssh client rekey time rekey- By default, the key re-
l) time negotiation interval is 60
Configur minutes.
e the
SSH
client key
re-
negotiati
on
trigger
interval.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 315

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operatio
Command Description
n

sftp [ -a source-address | -i
interface-type interface-
number ] host-ip [ port ]
[ [ public-net | -vpn-instance
vpn-instance-name ] | identity-
key { dsa | rsa | ecc } | user-
Connect
identity-key { rsa | dsa | ecc } |
the SFTP
prefer_kex prefer_key-exchange
client to
| prefer_ctos_cipher
the SFTP
prefer_ctos_cipher |
server
prefer_stoc_cipher
based on
prefer_stoc_cipher |
IPv4.
prefer_ctos_hmac
prefer_ctos_hmac |
Run either of the commands
prefer_stoc_hmac
based on the IP address type.
prefer_stoc_hmac| -ki
aliveinterval ] | [ -kc In most cases, only the IP
alivecountmax] * address is specified in the
commands.
sftp ipv6 [ -a source-address ] NOTE
host-ipv6 [ -oi interface-type The aes128 or aes256
interface-number ] [ port ] algorithm is recommended to
[ identity-key { dsa | rsa | ecc } improve data transmission
security.
| user-identity-key { rsa | dsa |
ecc } | -vpn-instance vpn-
Connect
instance-name | prefer_kex
the SFTP
prefer_key-exchange |
client to
prefer_ctos_cipher
the SFTP
prefer_ctos_cipher |
server
prefer_stoc_cipher
based on
prefer_stoc_cipher |
IPv6.
prefer_ctos_hmac
prefer_ctos_hmac |
prefer_stoc_hmac
prefer_stoc_hmac | -ki
aliveinterval | -kc
alivecountmax ] *

Command example:
[HUAWEI] sftp 10.137.217.201

After the SSH connection is established, sftp-client> is displayed, indicating

that you have entered the SFTP client view.
● Perform file operations using SFTP.
In the SFTP client view, you can perform one or more file-related operations
listed in Table 8-46.
You can perform the following operations in any sequence and select one or
more operation items as required.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 316

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

NOTE

In the SFTP client view, the system does not support predictive command input.
Therefore, you must enter commands in their full syntax.
The file system limits the number of files in the root directory to 50. Creation of files
in excess of this limit in the root directory may fail.

Table 8-46 Running SFTP commands to perform file-related operations

Operation Command Description

Change the user's

current working cd [ remote-directory ] -
directory.

Change the current

working directory to cdup -
its parent directory.

Display the user's

current working pwd -
directory.

Display the file list

dir/ls [ -l | -a ] [ remote- Outputs of the dir and ls
in a specified
directory ] commands are the same.
directory.

A maximum of 10
directories can be
deleted at one time.
Before running the rmdir
Delete directories rmdir remote-directory command to delete
from the server. &<1-10> directories, ensure that
the directories do not
contain any files.
Otherwise, the deletion
fails.

Create a directory
mkdir remote-directory -
on the server.

Change the name of

rename old-name new-
a specified file on -
name
the server.

Download a file
get remote-filename
from the remote -
[ local-filename ]
server.

Upload a local file

put local-filename
to the remote -
[ remote-filename ]
server.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 317

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operation Command Description

A maximum of 10 files
Delete files from the remove remote-filename
can be deleted at one
server. &<1-10>
time.

View the help about help [ all | command-

-
SFTP commands. name ]

You can also use the following commands to download files from the SFTP
server or upload files.
– IPv4 address: sftp client-transfile { get | put } [ -a source-address | -i
interface-type interface-number ] host-ip host-ipv4 [ port ] [ [ public-
net | -vpn-instance vpn-instance-name ]| prefer_kex prefer_key-
exchange | identity-key { rsa | dsa | ecc } | prefer_ctos_cipher
prefer_ctos_cipher | prefer_stoc_cipher prefer_stoc_cipher |
prefer_ctos_hmac prefer_ctos_hmac | prefer_stoc_hmac
prefer_stoc_hmac | -ki aliveinterval | -kc alivecountmax ] * username
user-name password password sourcefile source-file [ destination
destination ]
– IPv6 address: sftp client-transfile { get | put } ipv6 [ -a source-address ]
host-ip host-ipv6 [ -oi interface-type interface-number ] [ port ] [ -vpn-
instance vpn-instance-name | prefer_kex prefer_key-exchange | identity-
key { rsa | dsa | ecc } | prefer_ctos_cipher prefer_ctos_cipher |
prefer_stoc_cipher prefer_stoc_cipher | prefer_ctos_hmac
prefer_ctos_hmac | prefer_stoc_hmac prefer_stoc_hmac | -ki aliveinterval
| -kc alivecountmax ] * username user-name password password
sourcefile source-file [ destination destination ]
● Disconnect the SFTP client from the SSH server.
Operation Command Description

Disconnect the SFTP

client from the SSH quit -
server.

----End

Verifying the Configuration

● Run the display sftp-client command to check source interface of the SFTP
client.
● Run the display ssh server-info command to check the mappings between
the SSH server and the public key.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 318

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

8.4.4 Managing Files When the Device Functions as an SCP

Client
Pre-configuration Tasks
Before connecting to a device as an SCP client to manage files, complete the
following tasks:
● Ensure that routes are reachable between the current device and the SSH
server.
● Obtain the host name or IP address of the SSH server and SSH user
information.
● Obtain the listening port number of the SSH server if the default listening
port number is not used.

Configuration Procedure
Table 8-47 describes the procedure for managing files when the device functions
as an SCP client.

Table 8-47 Procedure for managing files when the device functions as an SCP
client
No. Task Description Remarks

Configure the SCP

client source address.
To ensure
(Optional) Configure
communication
1 the SCP client source
security, the source
address
address can be set to
a source IP address
or source interface.

Generate a local key Tasks 1, 2, and 3 can

pair and configure be performed in any
the public key on the sequence.
SSH server.
Generate a local key Perform this task
2 only if the device
pair
logs in to the SSH
server in RSA, DSA,
or ECC
authentication
mode.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 319

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

No. Task Description Remarks

Configure the initial

SSH connection by
enabling the initial
Configure the initial authentication
3
SSH connection function or saving
the public key of the
SSH server on the
SSH client.

Run SCP commands to

4 connect to the SSH -
server

Procedure
● (Optional) Configure the SCP client source address.

Table 8-48 (Optional) Configuring the SCP client source address

Operation Command Description

Enter the system

system-view -
view.

scp client-source { -a By default, no source

Configure the SCP source-ip-address | -i IP address is
client source address. interface-type interface- configured on the
number } SCP client.

● Generate a local key pair.

NOTE

Perform this step only if the device logs in to the SSH server in RSA, DSA, or ECC
authentication mode. This step is not required if the password authentication mode is
used.

Table 8-49 Generating a local key pair

Operation Command Description

Enter the
system-view -
system view.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 320

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operation Command Description

Run one of the commands

according to the type of key
configured on the remote
end.
Run the display rsa local-
Generate the rsa local-key-pair create, key-pair public, display dsa
local key dsa local-key-pair create, or local-key-pair public, or
pair. ecc local-key-pair create. display ecc local-key-pair
public command to view the
public key in the local RSA,
DSA, or ECC key pair.
Configure the public key on
the SSH server.

● Configure the initial SSH connection.

Before the client has saved the public key of the SSH server, the client cannot
connect to the SSH server. Configure the initial SSH connection in either of
the following ways:
– Enable the initial authentication function on the SSH client. This function
allows the client to successfully connect to an SSH server for the first
time without validating the SSH server's public key. When the initial SSH
connection succeeds, the client automatically saves the public key of the
SSH server for subsequent SSH connections. For details, see Table 8-43.
This configuration method is simple.
– Save the public key of the SSH server on the client so that the client can
authenticate the SSH server successfully. For details, see Table 8-44. This
method ensures higher security but becomes more complex than the first
method.

Table 8-50 Enabling first authentication for the SSH client

Operation Command Description

Enter the
system-view -
system view.

Enable first
By default, first
authentication ssh client first-time
authentication is disabled on
for the SSH enable
the SSH client.
client.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 321

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Table 8-51 Configuring the SSH client to assign the RSA, DSA, or ECC public
key to the SSH server
Operation Command Description

Enter the
system-view -
system view.

rsa peer-public-key key-

name [ encoding-type
{ der | openssh | pem } ]
,
Enter the RSA, dsa peer-public-key key- Perform one of the
DSA, or ECC name encoding-type operations based on the key
public key view. { der | openssh | pem } type.
Or
ecc peer-public-key key-
name encoding-type
{ der | openssh | pem }

Enter the public

key editing public-key-code begin -
view.

● The public key must be a

hexadecimal character
string in the public key
encoding format, and
generated by the SSH
Edit the public server.
hex-data
key. ● After entering the public
key editing view, you
must enter the RSA, DSA,
or ECC public key that is
generated on the server
to the client.

● If the public key hex-data

is invalid, the public key
cannot be generated after
you run this command.
Exit from the ● If the specified key key-
public key public-key-code end name has been deleted,
editing view. the system displays a
message indicating that
the key does not exist and
then returns to the
system view after you run
this command.

Return to the
peer-public-key end -
system view.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 322

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operation Command Description

If the SSH server public key

saved in the SSH client does
not take effect, run the undo
ssh client servername
Bind the RSA, assign { rsa-key | dsa-key |
ssh client servername
DSA, or ECC ecc-key } command to
assign { rsa-key | dsa-key
public key to cancel the binding between
| ecc-key } keyname
the SSH server. the SSH server and RSA,
DSA, or ECC public key. Then
run this command to assign
a new RSA, DSA, or ECC
public key to the SSH server.

● Run SCP commands to connect to the SSH server.

Different from the SFTP mode, after the SCP connection is established, the
client can directly upload files to or download files from the server.

Table 8-52 Running SCP commands to connect to the SSH server

Operati
Command Description
on

Enter
the
system-view -
system
view.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 323

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operati
Command Description
on

By default, an SSH
client supports all key
exchange algorithms.
The system software
does not support the
dh_group_exchange_s
ha1, dh_group14_sha1,
and dh_group1_sha1
parameters. To use the
dh_group_exchange_s
ha1, dh_group14_sha1,
(Option
or dh_group1_sha1
al)
parameter, you need to
Configur
install the WEAKEA
e a key ssh client key-exchange
plug-in. For higher
exchang { dh_group14_sha256 |
security purposes, you
e dh_group15_sha512 |
are advised to use
algorith dh_group16_sha512 |
other parameters.
m list dh_group_exchange_sha256 }*
for the You can search for
SSH Plug-in Usage Guide
client. at the Huawei technical
support website
(Enterprise Network
or Carrier), and choose
the desired plug-in
usage guide based on
the switch model and
software version. If you
do not have permission
to access the website,
contact technical
support personnel.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 324

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operati
Command Description
on

By default, an SSH
client supports all
encryption algorithms.
The system software
does not support the
aes256_cbc,
aes128_cbc, 3des_cbc,
and des_cbc
parameters. To use
these parameters, you
(Option need to install the
al) WEAKEA plug-in. For
Configur higher security
e an purposes, you are
encrypti advised to specify the
ssh client cipher { aes128_ctr |
on aes256_ctr or
aes256_ctr } *
algorith aes128_ctr parameter.
m list You can search for
for the Plug-in Usage Guide
SSH at the Huawei technical
client. support website
(Enterprise Network
or Carrier), and choose
the desired plug-in
usage guide based on
the switch model and
software version. If you
do not have permission
to access the website,
contact technical
support personnel.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 325

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operati
Command Description
on

By default, the
WEAKEA plug-in is not
installed, an SSH server
supports only the
sha2_256 algorithm,
and the undo ssh
server hmac command
is unavailable. When
the WEAKEA plug-in is
installed, an SSH server
also supports the
sha2_256_96, sha1,
sha1_96, md5 and
md5_96 algorithms,
and the undo ssh
server hmac command
is available.
The system software
(Option
does not support the
al)
sha2_256_96, sha1,
Configur
sha1_96, md5, and
e an
md5_96 parameters. To
HMAC
ssh client hmac sha2_256 use the sha2_256_96,
algorith
sha1, sha1_96, md5, or
m list
md5_96 parameter, you
for the
need to install the
SSH
WEAKEA plug-in. For
client.
higher security
purposes, you are
advised to specify the
sha2_256 parameter.
You can search for
Plug-in Usage Guide
at the Huawei technical
support website
(Enterprise Network
or Carrier), and choose
the desired plug-in
usage guide based on
the switch model and
software version. If you
do not have permission
to access the website,
contact technical
support personnel.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 326

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operati
Command Description
on

(Option ssh client rekey time rekey-time By default, the key re-
al) negotiation interval is
Configur 60 minutes.
e the
SSH
client
key re-
negotiat
ion
trigger
interval.

Connect scp [ -port port-number | { public-net

the SCP | vpn-instance vpn-instance-name } |
client to identity-key { dsa | rsa | ecc } | user-
the SCP identity-key { rsa | dsa | ecc } | { -a
server source-address | -i interface-type Run either of the
based interface-number } | -r | -cipher - commands based on
on IPv4. cipher | -c ] * sourcefile destinationfile the IP address type.
NOTE
scp ipv6 [ -port port-number | The aes128 or aes256
Connect
{ public-net | vpn-instance vpn- algorithm is
the SCP recommended to improve
instance-name } | identity-key { dsa |
client to data transmission
rsa | ecc } | user-identity-key { rsa | security.
the SCP
dsa | ecc } | -a source-address | -r | -
server
cipher -cipher | -c ] * sourcefile
based
destinationfile [ -oi interface-type
on IPv6.
interface-number ]

NOTE

The file system limits the number of files in the root directory to 50. Creation of files
in excess of this limit in the root directory may fail.

----End

Verifying the Configuration

● Run the display scp-client command to check source configurations on the
SCP client.
● Run the display ssh server-info command to check the mappings between
the SSH server and the public key.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 327

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

8.4.5 Managing Files When the Device Functions as an FTPS

Client

Pre-configuration Tasks
Before connecting to a device as an FTPS client to manage files, complete the
following tasks:

● Ensure that routes are reachable between the current device and the FTPS
server.
● Load the digital certificate on the FTPS server.
● Obtain the host name or IP address of the FTPS server, FTPS user name, and
password.

Configuration Procedure
Table 8-53 describes the procedure for managing files when the device functions
as an FTPS client.

Table 8-53 Procedure for managing files when the device functions as an FTPS
client

No. Task Description Remarks

Upload the CA
Upload required files
1 certificate and CRL
to the device.
file

Configure the SSL

policy and load the CA
2 -
certificate and CRL
file

Connect to the FTPS

3 -
server

Run FTP commands After the FTPS

to perform file- connection is
related operations, established, perform
such as uploading tasks 4 and 5 in any
Run FTP commands to
and downloading sequence.
4 perform file-related
files, configuring the
operations
file transfer mode,
and viewing the
online help about
FTP commands.

(Optional) Change
5 -
the login user

Disconnect the FTP

6 client from the FTP -
server

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 328

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Procedure
● Upload the CA certificate and CRL file.
Upload the CA certificate and CRL file to the security directory on the device
in FTP, SFTP, or SCP mode. If no security directory exists on the device, run
the mkdir security command to create one.

NOTE

● The FTPS client must obtain certificates from the CA to authenticate the digital
certificate of the server.
● The CRL is issued by the CA and contains serial numbers of certificates that are
revoked. If the digital certificate is listed in the CRL file, the client cannot
authenticate the server successfully and the FTPS connection fails.

Digital certificates support the PEM, ASN1, and PFX formats. Despite of the
formats, the certificates have the same content.
– A PEM digital certificate has a file name extension .pem and is applicable
to text transmission between systems.
– An ASN1 digital certificate has a file name extension .der and is the
default format for most browsers.
– A PFX digital certificate has a file name extension .pfx and is a binary
format that can be converted into the PEM or ASN1 format.
The CRL file supports the ASN1 and PEM formats. These two formats
represent the same contents.
For details, see the description about uploading files in other modes.
● Configure an SSL policy and load the CA certificate and CRL file.

Table 8-54 Configuring an SSL policy and loading the CA certificate and CRL
file
Operation Command Description

Enter the
system-view -
system view.

Customize an SSL cipher suite

policy and enter the cipher
(Optional) ssl cipher-suite-list suite policy view.
Customize SSL customization-policy-
cipher suite. name By default, no customized
SSL cipher suite policy is
configured.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 329

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration
Operation Command
set cipher-suite
{ tls12_ck_dss_aes_128_gc
m_sha256 |
tls12_ck_dss_aes_256_gc
m_sha384 |
tls12_ck_rsa_aes_128_gc
m_sha256 |
tls12_ck_rsa_aes_256_gc
m_sha384 }
Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd.
8 File Management
Description
Configure the cipher suites
for a customized SSL cipher
suite policy.
By default, no customized
SSL cipher suite policy is
configured.
To configure cipher suites for
a customized SSL cipher suite
policy, run the set cipher-
suite command.
If a customized SSL cipher
suite policy is being
referenced by an SSL policy,
the cipher suites in the
customized cipher suite
policy can be added,
modified, or partially deleted.
Deleting all of the cipher
suites is not supported.
The system software does
not support the
tls12_ck_rsa_aes_256_cbc_sh
a256,
tls1_ck_dhe_dss_with_aes_1
28_sha,
tls1_ck_dhe_dss_with_aes_2
56_sha,
tls1_ck_dhe_rsa_with_aes_1
28_sha,
tls1_ck_dhe_rsa_with_aes_2
56_sha,
tls1_ck_rsa_with_aes_128_sh
a, and
tls1_ck_rsa_with_aes_256_sh
a parameters. To use the
tls12_ck_rsa_aes_256_cbc_sh
a256,
tls1_ck_dhe_dss_with_aes_1
28_sha,
tls1_ck_dhe_dss_with_aes_2
56_sha,
tls1_ck_dhe_rsa_with_aes_1
28_sha,
tls1_ck_dhe_rsa_with_aes_2
56_sha,
tls1_ck_rsa_with_aes_128_sh
a, or
tls1_ck_rsa_with_aes_256_sh
a parameter, you need to
330
S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operation Command Description

install the WEAKEA plug-in.

For higher security purposes,
you are advised to use other
parameters.
You can search for Plug-in
Usage Guide at the Huawei
technical support website
(Enterprise Network or
Carrier), and choose the
desired plug-in usage guide
based on the switch model
and software version. If you
do not have permission to
access the website, contact
technical support personnel.

quit Return to the system view.

Create the SSL

policy and
ssl policy policy-name -
enter the SSL
policy view.

By default, the SSL minimum

version of an SSL policy is
TLS1.2.
The system software does not
support the tls1.0 parameter.
To use the tls1.0 parameter,
you need to install the
WEAKEA plug-in. For higher
security purposes, you are
(Optional) Set advised to specify the tls1.2
a minimum ssl minimum version parameter.
version of an { tls1.1 | tls1.2 } You can search for Plug-in
SSL policy. Usage Guide at the Huawei
technical support website
(Enterprise Network or
Carrier), and choose the
desired plug-in usage guide
based on the switch model
and software version. If you
do not have permission to
access the website, contact
technical support personnel.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 331

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operation Command Description

By default, no customized
cipher suite policy is bound
to an SSL policy. Each SSL
policy uses a default cipher
suite. After a customized
cipher suite policy is unbound
from an SSL policy, the SSL
policy uses one of the
following cipher suites
supported by default:
● tls1_ck_rsa_with_aes_256_
sha
● tls1_ck_rsa_with_aes_128_
sha
(Optional) ● tls1_ck_dhe_rsa_with_aes_
Bind a binding cipher-suite- 256_sha
customized customization
● tls1_ck_dhe_dss_with_aes_
SSL cipher customization-policy-
256_sha
suite policy to name
an SSL policy. ● tls1_ck_dhe_rsa_with_aes_
128_sha
● tls1_ck_dhe_dss_with_aes_
128_sha
● tls12_ck_rsa_aes_256_cbc_
sha256
If the cipher suite in the
customized cipher suite
policy bound to an SSL policy
contains only one type of
algorithm (RSA or DSS), the
corresponding certificate
must be loaded for the SSL
policy to ensure successful
SSL negotiation.

Load the CA
certificate in trusted-ca load pem-ca Load the CA certificate in the
the PEM ca-filename PEM, ASN1 or PFX format.
format. A maximum of four CA
certificates can be loaded in
Load the CA an SSL policy. The loaded CA
certificate in trusted-ca load asn1-ca certificates are added to the
the ASN1 ca-filename existing CA list.
format.
NOTE
Before rolling V200R008C00 or a
Load the CA
trusted-ca load pfx-ca later version back to an earlier
certificate in
ca-filename auth-code version, back up the SSL private
the PFX key file.
cipher auth-code
format.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 332

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operation Command Description

A maximum of two CRL files

can be loaded in an SSL
Load the CRL crl load { pem-crl | asn1-
policy. The loaded CRL files
file crl } crl-filename
are added to the existing CRL
file list.

NOTE

● If only one CA certificate exists on the FTPS server, configure all CA certificates in
the validation path up to and including the root CA certificate.
● If a certificate chain exists on the FTPS server, configure only the root CA certificate
on the client.
● If the CRL file is not loaded, the FTPS connection is not affected. However, the
client cannot authenticate the digital certificate of the server. You are advised to
load the CRL file and keep it up to date.
● Connect to the FTPS server.

Table 8-55 Connecting to the FTPS server

Operation Command Description

ftp ssl-policy policy-name

Connect the [ -a source-ip-address | -i
FTPS client interface-type interface-
to the FTPS number ] host [ port-
server based number ] [ public-net | vpn-
on IPv4. instance vpn-instance- Run either of the commands
name ] based on the IP address type.
Connect the
FTPS client ftp ssl-policy policy-name
to the FTPS ipv6 host-ipv6-address
server based [ port-number ]
on IPv6.

When connecting to the FTPS server, run the ftp command to enter the FTP
client view and the open command to implement FTP connection.
Users must enter the correct user name and password to enter the FTP client
view and manage files on the server.
● Run FTP commands to perform file-related operations.
After connecting to the FTPS server, users can run FTP commands to perform
file-related operations on the FTPS server.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 333

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

NOTE

User rights are configured on the FTP server.

The file system limits the number of files in the root directory to 50. Creation of files
in excess of this limit in the root directory may fail.

Users can perform the following operations in any sequence.

Table 8-56 Running FTP commands to perform file-related operations

Operation Command Description

Change the
working
cd remote-directory -
directory on the
server.

Change the -
current working
cdup
directory to its
parent directory.

Display the -
working
pwd
directory on the
server.

The lcd command displays the

Display or
local working directory on the
change the local
lcd [ local-directory ] client, and the pwd command
working
displays the working directory
directory.
on the remote server.

The directory name can

Create a consist of letters and digits.
directory on the mkdir remote-directory The following special
server. characters are not supported:
<>?\:

Delete a
directory from rmdir remote-directory -
the server.

● The ls command displays

only the directory or file
name, whereas the dir
Display command displays detailed
information directory or file
dir/ls [ remote- information such as name,
about the
filename [ local- size, and creation date.
specified
filename ] ]
directory or file ● If no directory is specified
on the server. in the command, the
system searches for the file
in the user's authorized
directories.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 334

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operation Command Description

Delete a file
delete remote-filename -
from the server.

put local-filename ● To upload a file, run the

Upload one or [ remote-filename ] put command.
more files. Or ● To upload multiple files,
mput local-filenames run the mput command.

get remote-filename ● To download a file, run the

Download one [ local-filename ] get command.
or more files. Or ● To download multiple files,
mget remote-filenames run the mget command.

Select either of them.

● The default file transfer
mode is ASCII.
Set the file ascii ● The ASCII mode is used to
transfer mode to Or transfer text files, and the
ASCII or Binary. binary binary mode is used to
transfer programs, system
software, and database
files.

Set the data Select either of them.

passive
transmission
Or The default data transmission
mode to passive
undo passive mode is active.
or active.

View the online

remotehelp
help about FTP -
[ command ]
commands.

Enable the
By default, the prompt
system prompt prompt
function is disabled.
function.

After the verbose function is

Enable the enabled, all FTP response
verbose
verbose function. messages are displayed on the
FTP client.

● (Optional) Change the login user.

The current user can switch to another user in the FTP client view. The FTP
connection between the new user and FTPS server is the same as that
established by running the ftp ssl-policy command.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 335

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Operation Command Description

When the login user is

Change the current switched to another
user user-name
user in the FTP client user, the original user is
[ password ]
view. disconnected from the
FTP server.

● Disconnect the FTPS client from the FTPS server.

Users can run different commands in the FTP client view to disconnect the
FTPS client from the FTPS server.

Operation Command Description

Disconnect the FTP

client from the FTP
bye or quit
server and return to
the user view.
Select one of them.
Disconnect the FTP
client from the FTP
close or disconnect
server and return to
the FTP client view.

----End

Verifying the Configuration

● Run the display ssl policy command to check the SSL policy, CA certificate,
and CRL file configured on the FTPS client.

8.5 Configuration Examples for File Management

8.5.1 Example of Logging In to the Device to Manage Files
Networking Requirements
After logging in to the device through the console interface, Telnet, or STelnet,
perform the following operations:
● View files and subdirectories in the current directory.
● Create the test directory, copy the vrpcfg.zip file to test, and rename
vrpcfg.zip as backup.zip.
● View files in the test directory.

Figure 8-2 Networking diagram for logging in to the switch for file operations

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 336

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Procedure
Step 1 View files and subdirectories in the current directory.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] quit
<Switch> dir
Directory of flash:/

Idx Attr Size(Byte) Date Time FileName

0 -rw- 889 Mar 01 2012 14:41:56 private-data.txt
1 -rw- 6,311 Feb 17 2012 14:05:04 backup.cfg
2 -rw- 2,393 Mar 06 2012 17:20:10 vrpcfg.zip
3 -rw- 812 Dec 12 2011 15:43:10 hostkey
4 drw- - Mar 01 2012 14:41:46 compatible
5 -rw- 540 Dec 12 2011 15:43:12 serverkey
...
65,233 KB total (7,289 KB free)

Step 2 Create the test directory, copy the vrpcfg.zip file to test, and rename vrpcfg.zip
as backup.zip.
# Create the test directory.
<Switch> mkdir test

# Copy the vrpcfg.zip file to test and rename vrpcfg.zip as backup.zip.

<Switch> copy vrpcfg.zip flash:/test/backup.zip

NOTE

If no target file name is specified, the source file and target file have the same name.

Step 3 View files in the test directory.

# Access the test directory.
<Switch> cd test

# View the current working directory.

<Switch> pwd
flash:/test

# View files in the test directory.

<Switch> dir
Directory of flash:/test/

Idx Attr Size(Byte) Date Time FileName

0 -rw- 2,399 Mar 12 2012 11:16:44 backup.zip

65,233 KB total (7,285 KB free)

----End

Configuration File
Switch configuration file
#
sysname Switch

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 337

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

#
return

8.5.2 Example for Configuring the FTP Server

Networking Requirements
As shown in Figure 8-3, routes between the PC and the device functioning as an
FTP server are reachable. 10.136.23.5 is the management Ethernet interface's IP
address of the FTP server. To upgrade the device, upload the system software from
the PC to the device, and backup the configuration file to the PC.

Figure 8-3 Networking diagram for managing files when the device functions as
an FTP server

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the FTP function and FTP user information including user name,
password, user privilege level, service type, and authorized directory on the
FTP server.
2. Save the vrpcfg.zip file on the FTP server.
3. Connect to the FTP server from the PC.
4. Upload devicesoft.cc to and download vrpcfg.zip from the FTP server.

Procedure
Step 1 Configure the FTP function and FTP user information on the FTP server.
<HUAWEI> system-view
[HUAWEI] sysname FTP_Server
[FTP_Server] ftp server-source -i MEth 0/0/1
//If the device does not have an Ethernet management port, the source interface is the interface with the
management IP address. If the source address of the server is configured as a non-management IP address
or the interface with a non-management IP address, a client can connect to the server only using the
configured source address.
[FTP_Server] ftp server enable
[FTP_Server] aaa
[FTP_Server-aaa] local-user admin1234 password irreversible-cipher Helloworld@6789
[FTP_Server-aaa] local-user admin1234 privilege level 15
[FTP_Server-aaa] local-user admin1234 service-type ftp
[FTP_Server-aaa] local-user admin1234 ftp-directory flash:/
[FTP_Server-aaa] quit
[FTP_Server] quit

Step 2 Save the vrpcfg.zip file on the FTP server.

<FTP_Server> save

Step 3 Connect to the FTP server from the PC as user admin1234 whose password is
Helloworld@6789 and transfer files in binary mode.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 338

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Assume that the PC runs the Windows XP operating system.

C:\Documents and Settings\Administrator> ftp 10.136.23.5
Connected to 10.136.23.5220
FTP service ready.
User (10.136.23.5:(none)): admin1234331
Password required for admin1234.
Password:
230 User logged in.
ftp> binary
200 Type set to I.
ftp>

Step 4 Upload the system software to the device and back up the configuration file of
the device to the PC.
# Upload the system software to the device.
ftp> put devicesoft.cc
200 Port command okay.
150 Opening BINARY mode data connection for devicesoft.cc
226 Transfer complete.
ftp: 23876556 bytes sent in 25.35Seconds 560.79Kbytes/sec.

# Back up the configuration file.

ftp> get vrpcfg.zip
200 Port command okay.
150 Opening BINARY mode data connection for vrpcfg.zip.
226 Transfer complete.
ftp: 1257 bytes received in 0.03Seconds 40.55Kbytes/sec.

NOTE

The devicesoft.cc file to be uploaded and the vrpcfg.zip file to be downloaded are stored
in the local directory on the FTP client. Before uploading and downloading files, obtain the
local directory on the client. The default FTP user's local directory on the Windows XP
operating system is C:\Documents and Settings\Administrator.

Step 5 Verify the configuration.

# Run the dir command on the FTP server to check whether the system software
configuration file is uploaded to the device.
<FTP_Server> dir
Directory of flash:/

Idx Attr Size(Byte) Date Time FileName

0 -rw- 14 Mar 13 2012 14:13:38 back_time_a
1 drw- - Mar 11 2012 00:58:54 logfile
2 -rw- 4 Nov 17 2011 09:33:58 snmpnotilog.txt
3 -rw- 11,238 Mar 12 2012 21:15:56 private-data.txt
4 -rw- 1,257 Mar 12 2012 21:15:54 vrpcfg.zip
5 -rw- 14 Mar 13 2012 14:13:38 back_time_b
6 -rw- 23,876,556 Mar 13 2012 14:24:24 devicesoft.cc
7 drw- - Oct 31 2011 10:20:28 sysdrv
8 drw- - Feb 21 2012 17:16:36 compatible
9 drw- - Feb 09 2012 14:20:10 selftest
10 -rw- 19,174 Feb 20 2012 18:55:32 backup.cfg
11 -rw- 23,496 Dec 15 2011 20:59:36 20111215.zip
12 -rw- 588 Nov 04 2011 13:54:04 servercert.der
13 -rw- 320 Nov 04 2011 13:54:26 serverkey.der
14 drw- - Nov 04 2011 13:58:36 security
...
65,233 KB total (7,289 KB free)

# Access the FTP user's local directory on the PC and check the vrpcfg.zip file.
----End

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 339

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Configuration File
FTP_Server configuration file
#
sysname FTP_Server
#
FTP server enable
FTP server-source -i MEth 0/0/1
#
aaa
local-user admin1234 password irreversible-cipher $1a$P2m&M5d"'JHR7b~SrcHF\Z\,2R"t&6V|zOLh9y$>M
\bjG$D>%@Ug/<3I$+=Y$
local-user admin1234 privilege level 15
local-user admin1234 ftp-directory flash:/
local-user admin1234 service-type ftp
#
return

Related Content
Videos

Remotely Transfer Files Using FTP.

8.5.3 Example for Configuring the SFTP Server

Networking Requirements
As shown in Figure 8-4, routes between the PC and the device functioning as an
SSH server are reachable. 10.136.23.4 is the management Ethernet interface's IP
address on the SSH server. Configure the device as an SSH server so that it can
authenticate the client (PC) and encrypt data in bidirectional mode. This prevents
man-in-middle attacks and DNS/IP spoofing attacks and ensures secure file
transfer.

Figure 8-4 Networking diagram for managing files using SFTP when the device
functions as an SSH server

Configuration Roadmap
The configuration roadmap is as follows:

1. Generate a local key pair and enable the SFTP server function on the SSH
server so that the server and client can securely exchange data.
2. Configure the VTY user interface on the SSH server.
3. Configure SSH user information including the authentication mode, service
type, authorized directory, user name, and password.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 340

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

4. Connect to the SSH server using the third-party software OpenSSH on the PC.

Procedure
Step 1 Generate a local key pair on the SSH server, and enable the SFTP server.
<HUAWEI> system-view
[HUAWEI] sysname SSH_Server
[SSH_Server] dsa local-key-pair create
Info: The key name will be: SSH_Server_Host_DSA.
Info: The key modulus can be any one of the following : 1024,
2048.
Info: If the key modulus is greater than 512, it may take a few
minutes.
Please input the modulus [default=2048]:
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.
[SSH_Server] ssh server-source -i MEth 0/0/1
//If the device does not have an Ethernet management port, the source interface is the interface with the
management IP address. If the source address of the server is configured as a non-management IP address
or the interface with a non-management IP address, a client can connect to the server only using the
configured source address.
[SSH_Server] sftp server enable

Step 2 Configure the VTY user interface on the SSH_Server.

[SSH_Server] user-interface vty 0 14
[SSH_Server-ui-vty0-14] authentication-mode aaa
[SSH_Server-ui-vty0-14] protocol inbound ssh
[SSH_Server-ui-vty0-14] quit

Step 3 Configure SSH user information including the authentication mode, service type,
authorized directory, user name, and password.
[SSH_Server] ssh user client001 authentication-type password
[SSH_Server] ssh user client001 service-type sftp
[SSH_Server] ssh user client001 sftp-directory flash:
[SSH_Server] aaa
[SSH_Server-aaa] local-user client001 password irreversible-cipher Helloworld@6789
[SSH_Server-aaa] local-user client001 privilege level 15
[SSH_Server-aaa] local-user client001 service-type ssh
[SSH_Server-aaa] quit

Step 4 Connect to the SSH server using the third-party software OpenSSH on the PC.
The Windows CLI can identify OpenSSH commands only when OpenSSH is
installed on the PC.

NOTE

Use a version of OpenSSH that is compatible with the operating system running on the
terminal. An incorrect version may prevent communication with the switch through SFTP.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 341

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Figure 8-5 Connecting to the SSH server

After you connect to the SSH server through third-party software, the SFTP view is
displayed. You can then perform file-related operations in the SFTP view.

----End

Configuration File
SSH_Server configuration file
#
sysname SSH_Server
#
aaa
local-user client001 password irreversible-cipher $1a$P2m&M5d"'JHR7b~SrcHF\Z\,2R"t&6V|zOLh9y$>M\bjG
$D>%@Ug/<3I$+=Y$
local-user client001 privilege level 15
local-user client001 service-type ssh
#
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type sftp
ssh user client001 sftp-directory flash:
ssh server-source -i MEth 0/0/1
#
user-interface vty 0 14
authentication-mode aaa
#
return

8.5.4 Example for Configuring the FTPS Server

Networking Requirements
As shown in Figure 8-6, routes between the PC and the device functioning as an
FTPS server are reachable. 10.137.217.201 is the management Ethernet interface
IP address on the FTPS server.

The FTP server function does not provide security mechanisms. Because data is
transmitted in plain text, the network is susceptible to man-in-the-middle attacks
and MAC/IP address spoofing. To address this issue and ensure secure file transfer,
configure the SSL policy, data encryption, user identity authentication, and

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 342

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

message integrity check mechanisms on the FTPS server. SSL ensures secure
connection based on the FTP server function.

Figure 8-6 Networking diagram for managing files when the device functions as
an FTPS server

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the FTP server function on the device and upload the digital
certificate to the root directory on the device.
2. On the device, copy the digital certificate to the security directory, configure
the SSL policy, and load the digital certificate so that the client can
authenticate the server.
3. Enable the FTPS server function and configure the local FTP user.
4. Connect to the FTPS server using third-party software.

Procedure
Step 1 Configure the FTP server function on the server and upload the digital certificate
to the server.
# Enable the FTP server function and configure FTP user information.
<HUAWEI> system-view
[HUAWEI] sysname FTPS_Server
[FTPS_Server] ftp server-source -i MEth 0/0/1
//If the device does not have an Ethernet management port, the source interface is the interface with the
management IP address. If the source address of the server is configured as a non-management IP address
or the interface with a non-management IP address, a client can connect to the server only using the
configured source address.
[FTPS_Server] ftp server enable
[FTPS_Server] aaa
[FTPS_Server-aaa] local-user admin password irreversible-cipher huawei@6789
[FTPS_Server-aaa] local-user admin service-type ftp
[FTPS_Server-aaa] local-user admin privilege level 3
[FTPS_Server-aaa] local-user admin ftp-directory flash:
[FTPS_Server-aaa] quit
[FTPS_Server] quit

# Open the Windows CLI and run the ftp command to connect to the FTP server.
Enter the correct user name and password to connect to the FTP server. Upload
the digital certificate and private key to the FTP server.
Run the dir command on the FTP server to check that the digital certificate and
private key are uploaded successfully.
<FTPS_Server> dir
Directory of flash:/

Idx Attr Size(Byte) Date Time FileName

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 343

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

0 drw- - May 10 2011 05:05:40 src

1 -rw- 524,575 May 10 2011 05:05:53 private-data.txt
2 -rw- 446 May 10 2011 05:05:51 vrpcfg.zip
3 -rw- 1,302 May 10 2011 05:32:05 4_servercert_der_dsa.der
4 -rw- 951 May 10 2011 05:32:44 4_serverkey_der_dsa.der
...
65,233 KB total (7,289 KB free)

Step 2 Configure an SSL policy and load a digital certificate.

# Create the security directory and move the digital certificate to the security
directory.
<FTPS_Server> mkdir security/
<FTPS_Server> move 4_servercert_der_dsa.der security/
<FTPS_Server> move 4_serverkey_der_dsa.der security/

Run the dir command in the security directory to check that the digital certificate
and private key have been moved successfully.
<FTPS_Server> cd security/
<FTPS_Server> dir
Directory of flash:/security/

Idx Attr Size(Byte) Date Time FileName

0 -rw- 1,302 May 10 2011 05:44:34 4_servercert_der_dsa.der
1 -rw- 951 May 10 2011 05:45:22 4_serverkey_der_dsa.der

65,233 KB total (7,289 KB free)

# Create an SSL policy and load a digital certificate in the ASN1 format.
<FTPS_Server> system-view
[FTPS_Server] ssl policy ftp_server
[FTPS_Server-ssl-policy-ftp_server] certificate load asn1-cert 4_servercert_der_dsa.der key-pair dsa key-
file 4_serverkey_der_dsa.der
[FTPS_Server-ssl-policy-ftp_server] quit

Step 3 Enable the FTPS server function and configure the local FTP user.
# Enable the FTPS server function.

NOTE

Disable the FTP server function before enabling the FTPS server function.
[FTPS_Server] undo ftp server
[FTPS_Server] ftp secure-server ssl-policy ftp_server
[FTPS_Server] ftp secure-server enable

# Configure the local FTP user.

Use the admin user configured in Step 1.
Step 4 Connect to the FTPS server using third-party software.
For details, see related third-party documentation.
Step 5 Verify the configuration.
# Run the display ssl policy command on the FTPS server to view information
about the SSL policy.
[FTPS_Server] display ssl policy

SSL Policy Name: ftp_server

Policy Applicants:
Key-pair Type: DSA
Certificate File Type: ASN1
Certificate Type: certificate

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 344

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Certificate Filename: 4_servercert_der_dsa.der

Key-file Filename: 4_serverkey_der_dsa.der
Auth-code:
MAC:
CRL File:
Trusted-CA File:
Issuer Name:
Validity Not Before:
Validity Not After:

# Run the display ftp-server command on the FTPS server to view the SSL policy
name and the FTPS server status. The command output indicates that the FTPS
server status is running.
[FTPS_Server] display ftp-server
FTP server is stopped
Max user number 5
User count 1
Timeout value(in minute) 30
Listening port 21
Acl number 0
FTP server's source address 0.0.0.0
FTP SSL policy ftp_server
FTP Secure-server is running

# The FTP server supporting SSL can securely connect to the FTPS server, upload
files, and download files.
----End

Configuration File
FTPS_Server configuration file
#
sysname FTPS_Server
#
FTP secure-server enable
FTP server-source -i MEth 0/0/1
ftp secure-server ssl-policy ftp_server
#
aaa
local-user admin password irreversible-cipher $1a$P2m&M5d"'JHR7b~SrcHF\Z\,2R"t&6V|zOLh9y$>M\bjG
$D>%@Ug/<3I$+=Y$
local-user admin privilege level 3
local-user admin ftp-directory flash:
local-user admin service-type ftp
#
ssl policy ftp_server
certificate load asn1-cert 4_servercert_der_dsa.der key-pair dsa key-file 4_serverkey_der_dsa.der
#
return

8.5.5 Example for Configuring the TFTP Client

Networking Requirements
As shown in Figure 8-7, the remote device at 10.1.1.1/24 functions as the TFTP
server. The device at 10.2.1.1/24 functions as the TFTP client. Routes between the
device and the server are reachable.
The device needs to be upgraded. To upgrade the device, you must download
system software devicesoft.cc from and upload the configuration file vrpcfg.zip
to the TFTP server.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 345

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Figure 8-7 Networking diagram for managing files when the device functions as a
TFTP client

Configuration Roadmap
The configuration roadmap is as follows:
1. Run the TFTP software on the TFTP server and configure the working
directory.
2. Run TFTP commands to download devicesoft.cc from and upload vrpcfg.zip
to the TFTP server.

Procedure
Step 1 Run the TFTP software on the TFTP server and configure the working directory.
(For details, see related third-party documentation.)
Step 2 Run TFTP commands to download devicesoft.cc from and upload vrpcfg.zip to
the TFTP server.
<HUAWEI> tftp 10.1.1.1 get devicesoft.cc
Info: Transfer file in binary mode.
Downloading the file from the remote TFTP server. Please wait...\
TFTP: Downloading the file successfully.
23876556 bytes received in 199 seconds.
<HUAWEI> tftp 10.1.1.1 put vrpcfg.zip
Info: Transfer file in binary mode.
Uploading the file to the remote TFTP server. Please wait...|
TFTP: Uploading the file successfully.
7717 bytes send in 1 second.

Step 3 Verify the configuration.

# Run the dir command on the TFTP client to check that the devicesoft.cc file has
been downloaded successfully.
<HUAWEI> dir
Directory of flash:/

Idx Attr Size(Byte) Date Time FileName

0 -rw- 14 Mar 13 2012 14:13:38 back_time_a
1 drw- - Mar 11 2012 00:58:54 logfile
2 -rw- 4 Nov 17 2011 09:33:58 snmpnotilog.txt
3 -rw- 11,238 Mar 12 2012 21:15:56 private-data.txt
4 -rw- 7,717 Mar 12 2012 21:15:54 vrpcfg.zip
5 -rw- 14 Mar 13 2012 14:13:38 back_time_b
6 -rw- 23,876,556 Mar 13 2012 14:24:24 devicesoft.cc
7 drw- - Oct 31 2011 10:20:28 sysdrv
8 drw- - Feb 21 2012 17:16:36 compatible
9 drw- - Feb 09 2012 14:20:10 selftest
10 -rw- 19,174 Feb 20 2012 18:55:32 backup.cfg
11 -rw- 43,496 Dec 15 2011 20:59:36 20111215.zip
12 -rw- 588 Nov 04 2011 13:54:04 servercert.der
13 -rw- 320 Nov 04 2011 13:54:26 serverkey.der
14 drw- - Nov 04 2011 13:58:36 security
...

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 346

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

65,233 KB total (7,289 KB free)

# Access the working directory on the TFTP server and check that the vrpcfg.zip
file has been uploaded successfully.

----End

Configuration File
None

8.5.6 Example for Configuring an FTP Client

Networking Requirements
As shown in Figure 8-8, the remote device at 10.1.1.1/24 functions as the FTP
server. The device at 10.2.1.1/24 functions as the FTP client. Routes between the
device and the server are reachable.
The device needs to be upgraded. To upgrade the device, you must download
system software devicesoft.cc from and upload the configuration file vrpcfg.zip
to the FTP server.

Figure 8-8 Networking diagram for managing files when the device functions as
an FTP client

Configuration Roadmap
The configuration roadmap is as follows:
1. Run the FTP software on the FTP server and configure FTP user information.
2. Connect to the FTP server.
3. Run FTP commands to download devicesoft.cc from and upload vrpcfg.zip to
the FTP server.

Procedure
Step 1 Run the FTP software on the FTP server and configure FTP user information. (For
details, see related third-party documentation.)
Step 2 Connect to the FTP server.
<HUAWEI> ftp 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1.
220 FTP service ready.
User(10.1.1.1:(none)):admin

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 347

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

331 Password required for admin.

Enter password:
230 User logged in.

[ftp]

Step 3 Run FTP commands to download devicesoft.cc from and upload vrpcfg.zip to the
FTP server.
[ftp] binary
[ftp] get devicesoft.cc
[ftp] put vrpcfg.zip
[ftp] quit

Step 4 Verify the configuration.

# Run the dir command on the FTP client to check whether the devicesoft.cc file
has been successfully downloaded.
<HUAWEI> dir
Directory of flash:/

Idx Attr Size(Byte) Date Time FileName

0 -rw- 14 Mar 13 2012 14:13:38 back_time_a
1 drw- - Mar 11 2012 00:58:54 logfile
2 -rw- 4 Nov 17 2011 09:33:58 snmpnotilog.txt
3 -rw- 11,238 Mar 12 2012 21:15:56 private-data.txt
4 -rw- 7,717 Mar 12 2012 21:15:54 vrpcfg.zip
5 -rw- 14 Mar 13 2012 14:13:38 back_time_b
6 -rw- 23,876,556 Mar 13 2012 14:24:24 devicesoft.cc
7 drw- - Oct 31 2011 10:20:28 sysdrv
8 drw- - Feb 21 2012 17:16:36 compatible
9 drw- - Feb 09 2012 14:20:10 selftest
10 -rw- 19,174 Feb 20 2012 18:55:32 backup.cfg
11 -rw- 43,496 Dec 15 2011 20:59:36 20111215.zip
12 -rw- 588 Nov 04 2011 13:54:04 servercert.der
13 -rw- 320 Nov 04 2011 13:54:26 serverkey.der
14 drw- - Nov 04 2011 13:58:36 security
...
65,233 KB total (7,289 KB free)

# Access the working directory on the FTP server and check that the vrpcfg.zip
file has been successfully uploaded.

----End

Configuration File
None

8.5.7 Example for Configuring an SFTP Client

Networking Requirements
SSH provides a mechanism to authenticate the client and encrypts data
bidirectionally, ensuring secure file transfer on insecure networks. The client uses
SFTP to securely connect to the SSH server and transfer files.

As shown in Figure 8-9, routes between the SSH server and clients client001 and
client002 are reachable. In this example, a Huawei device functions as the SSH
server.

Client001 and client002 connect to the SSH server using the password
authentication mode and the DSA authentication mode, respectively.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 348

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Figure 8-9 Networking diagram for managing files when the device functions as
an SFTP client

Configuration Roadmap
The configuration roadmap is as follows:

1. Generate a local key pair and enable the SFTP server function on the SSH
server so that the server and client can securely exchange data.
2. Create users client001 and client002 and set their authentication modes on
the SSH server.
3. Generate a local key pair on client002 and configure the DSA public key of
client002 on the SSH server so that the server can authenticate the client
when the client connects to the server.
4. Log in to the SSH server as users client001 and client002 using SFTP and
manage files.

Procedure
Step 1 Generate a local key pair and enable the SFTP server function on the SSH server.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] dsa local-key-pair create
Info: The key name will be: SSH Server_Host_DSA.
Info: The key modulus can be any one of the following : 1024,
2048.
Info: If the key modulus is greater than 512, it may take a few
minutes.
Please input the modulus [default=2048]:
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.
[SSH_Server] ssh server-source -i Vlanif 10 //Assume that the interface corresponding to the server IP
address 10.1.1.1 is VLANIF 10.
[SSH Server] sftp server enable

Step 2 Create SSH users on the SSH server.

# Configure the VTY user interface.

[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] user privilege level 3
[SSH Server-ui-vty0-4] quit

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 349

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

# Create an SSH user named client001 user and set the authentication mode to
password for the user.
[SSH Server] ssh user client001
[SSH Server] ssh user client001 authentication-type password
[SSH Server] ssh user client001 service-type sftp
[SSH Server] ssh user client001 sftp-directory flash:
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password irreversible-cipher Helloworld@6789
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] local-user client001 privilege level 3
[SSH Server-aaa] quit

# Create an SSH user named client002 and set the authentication mode to DSA
for the user.
[SSH Server] ssh user client002
[SSH Server] ssh user client002 authentication-type dsa
[SSH Server] ssh user client002 service-type sftp
[SSH Server] ssh user client002 sftp-directory flash:

Step 3 Generate a local key pair on client002 and configure the DSA public key of
client002 on the SSH server.
# Generate a local key pair on client002.
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] dsa local-key-pair create
Info: The key name will be: SSH Server_Host_DSA.
Info: The key modulus can be any one of the following : 1024,
2048.
Info: If the key modulus is greater than 512, it may take a few
minutes.
Please input the modulus [default=2048]:
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.

# Check the DSA public key of the client.

[client002] display dsa local-key-pair public

=====================================================
Time of Key pair created: 2014-03-03 19:11:04+00:00
Key name: client002_Host
Key type: DSA encryption Key
=====================================================
Key code:
30820109 02820100 C7D92E27 E88745D4 933AB1F5 DA692AC4 1D544BDC 8EA252B0 E90A5001
1F2567C6 3952DEFD 95EF93C2 D77E8CDF B36E7F43 57C1D7BA 0978DD7A 2F7F7187 04FD6A03
C4FFDB58 04B3A0C4 B6E50528 AAE56FF9 5F66EE00 8E4702DB AA764006 322E6F72 CC9C1A39
462DBCD0 EA934441 1678BA23 40473EC4 58DF84FA 20C9CB60 98E5ACDA 2E98B55A 0299FBAB
FE91EFA3 E155E065 7C7FFCD4 4EAB71EC A7A73DD7 AC8474B7 2DD37D1C 710C6E14 57DA200C
477E45BC 38AC7685 BD8D6325 CCBE3F32 85435E5B EB6A08DF 752B7EBD CE21CFCB F3AC0C35
671E5ACC AFC36F0B 54E646F6 D12B4BA3 6E9EF69F A5BED377 954709EB CE29A923 04B347D7
29296E7D 3D5F69AB 4365AA2F 0203 010001

Host public key for PEM format code:

---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAABAQDH2S4n6IdF1JM6sfXaaSrEHVRL3I6iUrDp
ClABHyVnxjlS3v2V75PC136M37Nuf0NXwde6CXjdei9/cYcE/WoDxP/bWASzoMS2
5QUoquVv+V9m7gCORwLbqnZABjIub3LMnBo5Ri280OqTREEWeLojQEc+xFjfhPog
yctgmOWs2i6YtVoCmfur/pHvo+FV4GV8f/zUTqtx7KenPdeshHS3LdN9HHEMbhRX
2iAMR35FvDisdoW9jWMlzL4/MoVDXlvragjfdSt+vc4hz8vzrAw1Zx5azK/DbwtU
5kb20StLo26e9p+lvtN3lUcJ684pqSMEs0fXKSlufT1faatDZaov
---- END SSH2 PUBLIC KEY ----

Public key code for pasting into OpenSSH authorized_keys file :

ssh-dsa

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 350

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

AAAAB3NzaC1yc2EAAAADAQABAAABAQDH2S4n6IdF1JM6sfXaaSrEHVRL3I6iUrDpClABHyVnxjlS3v2V75PC13
6M37Nuf0NXwde6CXjdei9/cYcE/WoDxP/bWASz
oMS25QUoquVv+V9m7gCORwLbqnZABjIub3LMnBo5Ri280OqTREEWeLojQEc
+xFjfhPogyctgmOWs2i6YtVoCmfur/pHvo+FV4GV8f/zUTqtx7KenPdeshHS3LdN9HHEMbhRX
2iAMR35FvDisdoW9jWMlzL4/MoVDXlvragjfdSt+vc4hz8vzrAw1Zx5azK/DbwtU5kb20StLo26e9p
+lvtN3lUcJ684pqSMEs0fXKSlufT1faatDZaov= dsa-key

# Configure the DSA public key of client002 on the SSH server. (Information in
bold in the display command output is the DSA public key of client002. Copy the
information to the server.)
[SSH Server] dsa peer-public-key dsakey001 encoding-type der
[SSH Server-dsa-public-key] public-key-code begin
[SSH Server-dsa-key-code] 30820109
[SSH Server-dsa-key-code] 02820100
[SSH Server-dsa-key-code] C7D92E27 E88745D4 933AB1F5 DA692AC4 1D544BDC
[SSH Server-dsa-key-code] 8EA252B0 E90A5001 1F2567C6 3952DEFD 95EF93C2
[SSH Server-dsa-key-code] D77E8CDF B36E7F43 57C1D7BA 0978DD7A 2F7F7187
[SSH Server-dsa-key-code] 04FD6A03 C4FFDB58 04B3A0C4 B6E50528 AAE56FF9
[SSH Server-dsa-key-code] 5F66EE00 8E4702DB AA764006 322E6F72 CC9C1A39
[SSH Server-dsa-key-code] 462DBCD0 EA934441 1678BA23 40473EC4 58DF84FA
[SSH Server-dsa-key-code] 20C9CB60 98E5ACDA 2E98B55A 0299FBAB FE91EFA3
[SSH Server-dsa-key-code] E155E065 7C7FFCD4 4EAB71EC A7A73DD7 AC8474B7
[SSH Server-dsa-key-code] 2DD37D1C 710C6E14 57DA200C 477E45BC 38AC7685
[SSH Server-dsa-key-code] BD8D6325 CCBE3F32 85435E5B EB6A08DF 752B7EBD
[SSH Server-dsa-key-code] CE21CFCB F3AC0C35 671E5ACC AFC36F0B 54E646F6
[SSH Server-dsa-key-code] D12B4BA3 6E9EF69F A5BED377 954709EB CE29A923
[SSH Server-dsa-key-code] 04B347D7 29296E7D 3D5F69AB 4365AA2F
[SSH Server-dsa-key-code] 0203
[SSH Server-dsa-key-code] 010001
[SSH Server-dsa-key-code] public-key-code end
[SSH Server-dsa-public-key] peer-public-key end

# Bind the DSA public key to the SSH user client002.

[SSH Server] ssh user client002 assign dsa-key dsakey001

Step 4 Connect SFTP clients to the SSH server.

# If the clients connect to the SSH server for the first time, enable the initial
authentication function on the clients.
Enable the initial authentication function on client001.
<HUAWEI> system-view
[HUAWEI] sysname client001
[client001] ssh client first-time enable

Enable the initial authentication function on client002.

[client002] ssh client first-time enable

# Log in to the SSH server from client001 in password authentication mode.

[client002] sftp 10.1.1.1
Please input the username:client002
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
password:SSH_SERVER_CODE

Please select public key type for user authentication [R for RSA; D for DSA; Enter for Skip publickey
authentication; Ctrl_C for Cancel], Please select [R, D, Enter or
Ctrl_C]:D

sftp-client>

# Log in to the SSH server from client002 in DSA authentication mode.

[client002] sftp 10.1.1.1
Please input the username:client002

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 351

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Trying 10.1.1.1 ...

Press CTRL+K to abort
Connected to 10.1.1.1 ...
password:SSH_SERVER_CODE

Please select public key type for user authentication [R for RSA; D for DSA; Enter for Skip publickey
authentication; Ctrl_C for Cancel], Please select [R, D, Enter or
Ctrl_C]:D

sftp-client>

Step 5 Verify the configuration.

Run the display ssh server status command to check that the SFTP service has
been enabled. Run the display ssh user-information command to view
information about the configured SSH users.
# Check the SSH server status.
[SSH Server] display ssh server status
SSH version :1.99
SSH connection timeout :60 seconds
SSH server key generating interval :0 hours
SSH authentication retries :3 times
SFTP server :Enable
Stelnet server :Disable
Scp server :Disable
SSH server source :0.0.0.0
ACL4 number :0
ACL6 number :0

# Check information about SSH users.

[SSH Server] display ssh user-information
User 1:
User Name : client001
Authentication-type : password
User-public-key-name : -
User-public-key-type : -
Sftp-directory : flash:
Service-type : sftp Authorization-cmd : No
User 2:
User Name : client002
Authentication-type : dsa
User-public-key-name : dsakey001
User-public-key-type : dsa
Sftp-directory : flash:
Service-type : sftp
Authorization-cmd : No

----End

Configuration File
● SSH server configuration file
#
sysname SSH Server
#
dsa peer-public-key dsakey001 encoding-type der
public-key-code begin
30820109
02820100
C7D92E27 E88745D4 933AB1F5 DA692AC4 1D544BDC 8EA252B0 E90A5001 1F2567C6
3952DEFD 95EF93C2 D77E8CDF B36E7F43 57C1D7BA 0978DD7A 2F7F7187 04FD6A03
C4FFDB58 04B3A0C4 B6E50528 AAE56FF9 5F66EE00 8E4702DB AA764006 322E6F72
CC9C1A39 462DBCD0 EA934441 1678BA23 40473EC4 58DF84FA 20C9CB60 98E5ACDA
2E98B55A 0299FBAB FE91EFA3 E155E065 7C7FFCD4 4EAB71EC A7A73DD7 AC8474B7
2DD37D1C 710C6E14 57DA200C 477E45BC 38AC7685 BD8D6325 CCBE3F32 85435E5B

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 352

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

EB6A08DF 752B7EBD CE21CFCB F3AC0C35 671E5ACC AFC36F0B 54E646F6 D12B4BA3

6E9EF69F A5BED377 954709EB CE29A923 04B347D7 29296E7D 3D5F69AB 4365AA2F
0203
010001
public-key-code end
peer-public-key end
#
aaa
local-user client001 password irreversible-cipher $1a$P2m&M5d"'JHR7b~SrcHF\Z\,2R"t&6V|zOLh9y
$>M\bjG$D>%@Ug/<3I$+=Y$
local-user client001 privilege level 3
local-user client001 service-type ssh
#
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type sftp
ssh user client001 sftp-directory flash:
ssh user client002
ssh user client002 authentication-type dsa
ssh user client002 assign dsa-key dsakey001
ssh user client002 service-type sftp
ssh user client002 sftp-directory flash:
ssh server-source -i Vlanif 10
#
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
#
return

● Client001 configuration file

#
sysname client001
#
ssh client first-time enable
#
return

● Client002 configuration file

#
sysname client002
#
ssh client first-time enable
#
return

8.5.8 Example for Configuring an SCP Client

Networking Requirements
Compared with the SFTP protocol, the SCP protocol can authenticate user identity
while transferring files, improving configuration efficiency.
As shown in Figure 8-10, routes between the SSH server and the device
functioning as the SCP client are reachable. The SCP client can download files
from the SSH server.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 353

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Figure 8-10 Networking diagram for managing files when the device functions as
an SCP client

Configuration Roadmap
The configuration roadmap is as follows:

1. Generate a local key pair on the SSH server.

2. Create an SSH user on the SSH server.
3. Enable the SCP function on the SSH server.
4. Download the backup.cfg file from the SSH server.

Procedure
Step 1 Generate a local key pair on the SSH server.
<HUAWEI> system-view
[HUAWEI] sysname SSH_Server
[SSH_Server] dsa local-key-pair create
Info: The key name will be: SSH_Server_Host_DSA.
Info: The key modulus can be any one of the following : 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.

Step 2 Create an SSH user on the SSH server.

# Configure the VTY user interface.

[SSH_Server] user-interface vty 0 14
[SSH_Server-ui-vty0-14] authentication-mode aaa
[SSH_Server-ui-vty0-14] protocol inbound ssh
[SSH_Server-ui-vty0-14] quit

# Create an SSH user client001 and set the authentication mode to password
and service type to all.
[SSH_Server] ssh user client001
[SSH_Server] ssh user client001 authentication-type password
[SSH_Server] ssh user client001 service-type all

# Set the password of the client001 user to Helloworld@6789.

[SSH_Server] aaa
[SSH_Server-aaa] local-user client001 password irreversible-cipher Helloworld@6789
[SSH_Server-aaa] local-user client001 service-type ssh
[SSH_Server-aaa] local-user client001 privilege level 3
[SSH_Server-aaa] quit

Step 3 Enable the SCP function on the SSH server.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 354

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

[SSH_Server] ssh server-source -i Vlanif 10 //Assume that the interface corresponding to the server IP
address 10.1.1.1 is VLANIF 10.
[SSH_Server] scp server enable

Step 4 Download the backup.cfg file from the SSH server.

# If the client connects to the SSH server for the first time, enable the initial
authentication function on the client.
<HUAWEI> system-view
[HUAWEI] sysname SCP_Client
[SCP_Client] ssh client first-time enable

# Download the backup.cfg file from the remote SSH server at 10.1.1.1 using
AES-256 encryption to the local user's directory.
[SCP_Client] scp -cipher aes256 [email protected]:backup.cfg backup.cfg
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
The server has not been authenticated. Continue to access it? [Y/N]:y
Do you want to save the server's public key? [Y/N]:y
The server's public key will be saved with the name 10.1.1.1. Please wait.
..
Enter password:
backup.cfg 100% 19174Bytes 7KByte(s)/sec

----End

Configuration File
● SSH_Server configuration file
#
sysname SSH_Server
#
aaa
local-user client001 password irreversible-cipher $1a$P2m&M5d"'JHR7b~SrcHF\Z\,2R"t&6V|zOLh9y
$>M\bjG$D>%@Ug/<3I$+=Y$
local-user client001 privilege level 3
local-user client001 service-type ssh
#
scp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type all
ssh server-source -i Vlanif 10
#
user-interface vty 0 14
authentication-mode aaa
#
return
● SCP_Client configuration file
#
sysname SCP_Client
#
ssh client first-time enable
#
return

8.5.9 Example for Configuring an FTPS Client

Networking Requirements
The FTP server function does not provide security mechanisms. Because data is
transmitted in plain text, the network is susceptible to man-in-the-middle attacks

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 355

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

and MAC/IP address spoofing. To address this issue and ensure secure file transfer,
configure the SSL policy, data encryption, user identity authentication, and
message integrity check mechanisms on the FTPS server. SSL ensures secure
connection based on the FTP server function.

As shown in Figure 8-11, routes between the FTPS server and the device
functioning as the FTPS client are reachable. The FTPS client can securely connect
to the FTPS server to remotely manage files.

● On the FTPS client, configure the SSL policy and load the CA certificate to
check the owner's identity.
● On the FTPS server, configure the SSL policy, load the digital certificate to
check the owner's identity, and enable the FTPS server function.

Obtain required certificates for the FTPS client and server from the CA. In this
example, Huawei device functions as the FTPS server.

Figure 8-11 Networking diagram for managing files when the device functions as
an FTPS client

Configuration Roadmap
The configuration roadmap is as follows:

1. Upload the certificates.

– Upload the digital certificate and private key to the root directory on the
FTPS server.
– Upload the CA certificate to the root directory on the FTPS client.
2. Load the certificates and configure SSL policies.
– On the FTPS server, copy the digital certificate to the security directory,
configure the SSL policy, and load the digital certificate.
– On the FTPS client, copy the CA certificate to the security directory,
configure the SSL policy, and load the digital certificate.
3. Enable the FTPS server function and configure the local FTP user.
4. Run FTP commands to connect to the FTPS server and remotely manage files.

Procedure
Step 1 Upload the certificates.
● Configure the FTP function on the client and server and upload the
certificates to the client and server. For details, see 8.3.2 Managing Files
When the Device Functions as an FTP Server.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 356

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

# Run the dir command on the FTPS server to check that the digital
certificate and private key have been uploaded successfully.
<HUAWEI> system-view
[HUAWEI] sysname FTPS_Server
[FTPS_Server] quit
<FTPS_Server> dir
Directory of flash:/

Idx Attr Size(Byte) Date Time FileName

0 drw- - May 10 2011 05:05:40 src
1 -rw- 524,575 May 10 2011 05:05:53 private-data.txt
2 -rw- 446 May 10 2011 05:05:51 vrpcfg.zip
3 -rw- 1,302 Mar 13 2012 18:23:28 4_servercert_der_dsa.der
4 -rw- 951 Mar 13 2012 18:30:20 4_serverkey_der_dsa.der
...

65,233 KB total (7,289 KB free)

# Run the dir command on the client to check that the CA certificate has
been uploaded successfully.
<HUAWEI> system-view
[HUAWEI] sysname FTPS_Client
[FTPS_Client] quit
<FTPS_Client> dir
Directory of flash:/

Idx Attr Size(Byte) Date Time FileName

0 -rw- 524,558 May 10 2011 04:50:39 private-data.txt
1 -rw- 1,237 Mar 14 2012 07:46:24 cacert.der
2 -rw- 1,241 Mar 14 2012 07:46:20 rootcert.der
3 drw- - Apr 09 2011 19:46:14 src
4 -rw- 421 Apr 09 2011 19:46:14 vrpcfg.zip
5 -rw- 1,308,478 Apr 14 2011 19:22:45 we1.zip
6 drw- - Apr 10 2011 01:35:54 logfile
7 -rw- 4 Apr 19 2011 04:24:28 snmpnotilog.txt
8 drw- - Apr 13 2011 11:37:40 lam
...

65,233 KB total (17,489 KB free)

Step 2 Configure an SSL policy and load certificates.

● Perform the following operations on the FTPS server.
# Create the security directory and move the digital certificate to the security
directory.
<FTPS_Server> mkdir security/
<FTPS_Server> move 4_servercert_der_dsa.der security/
<FTPS_Server> move 4_serverkey_der_dsa.der security/

# Run the dir command in the security directory to check that the digital
certificate and private key have been moved successfully.
<FTPS_Server> cd security/
<FTPS_Server> dir
Directory of flash:/security/

Idx Attr Size(Byte) Date Time FileName

0 -rw- 1,302 Mar 13 2012 18:23:28 4_servercert_der_dsa.der
1 -rw- 951 Mar 13 2012 18:30:20 4_serverkey_der_dsa.der

65,233 KB total (7,289 KB free)

# Configure the SSL policy and load the digital certificate in the ASN1 format.
<FTPS_Server> system-view
[FTPS_Server] ssl policy ftp_server
[FTPS_Server-ssl-policy-ftp_server] certificate load asn1-cert 4_servercert_der_dsa.der key-pair dsa
key-file 4_serverkey_der_dsa.der
[FTPS_Server-ssl-policy-ftp_server] quit

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 357

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

# Run the display ssl policy command on the FTPS server to view
information about the SSL policy.
[FTPS_Server] display ssl policy

SSL Policy Name: ftp_server

Policy Applicants:
Key-pair Type: DSA
Certificate File Type: ASN1
Certificate Type: certificate
Certificate Filename: 4_servercert_der_dsa.der
Key-file Filename: 4_serverkey_der_dsa.der
Auth-code:
MAC:
CRL File:
Trusted-CA File:
Issuer Name:
Validity Not Before:
Validity Not After:

● Perform the following operations on the FTPS client:

# Create the security directory and move the CA certificate to the security
directory.
<FTPS_Client> mkdir security/
<FTPS_Client> move cacert.der security/
<FTPS_Client> move rootcert.der security/

# Run the dir command in the security directory to check that the CA
certificate has been moved successfully.
<FTPS_Client> cd security/
<FTPS_Client> dir
Directory of flash:/security/

Idx Attr Size(Byte) Date Time FileName

0 -rw- 1,237 Mar 14 2012 07:46:24 cacert.der
1 -rw- 1,241 Mar 14 2012 07:46:20 rootcert.der

65,233 KB total (17,489 KB free)

# Configure the SSL policy and load the CA certificate.

<FTPS_Client> system-view
[FTPS_Client] ssl policy ftp_client
[FTPS_Client-ssl-policy-ftp_client] trusted-ca load asn1-ca cacert.der
[FTPS_Client-ssl-policy-ftp_client] trusted-ca load asn1-ca rootcert.der
[FTPS_Client-ssl-policy-ftp_client] quit

# Run the display ssl policy command on the FTPS client to view information
about the SSL policy.
[FTPS_Client] display ssl policy

SSL Policy Name: ftp_client

Policy Applicants:
Key-pair Type:
Certificate File Type:
Certificate Type:
Certificate Filename:
Key-file Filename:
Auth-code:
MAC:
CRL File:
Trusted-CA File:
Trusted-CA File 1: Format = ASN1, Filename = cacert.der
Trusted-CA File 2: Format = ASN1, Filename = rootcert.der

Step 3 Enable the FTPS server function and configure the local FTP user.

# Enable the FTPS server function.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 358

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

NOTE

Disable the FTP server function before enabling the FTPS server function.
[FTPS_Server] undo ftp server
[FTPS_Server] ftp secure-server ssl-policy ftp_server
[FTPS_Server] ftp secure-server enable
[FTPS_Server] ftp server-source -i Vlanif 10 //Assume that the interface corresponding to the server IP
address 10.1.1.1 is VLANIF 10.

# Configure the local FTP user.

[FTPS_Server] aaa
[FTPS_Server-aaa] local-user admin password irreversible-cipher Helloworld@6789
[FTPS_Server-aaa] local-user admin service-type ftp
[FTPS_Server-aaa] local-user admin privilege level 3
[FTPS_Server-aaa] local-user admin ftp-directory flash:
[FTPS_Server-aaa] quit

Alternatively, you can use the same user who uploaded the certificates in Step 1 or
create a user.
Step 4 On the FTPS client, run FTP commands to connect to the FTPS server and
remotely manage files.
[FTPS_Client] ftp ssl-policy ftp_client 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1.
220 FTP service ready.
234 AUTH command successfully, Security mechanism accepted.
200 PBSZ is ok.
200 Data channel security level is changed to private.
User(10.1.1.1:(none)):admin
331 Password required for admin.
Enter password:
230 User logged in.

[ftp]

To connect to the FTPS server, enter the correct user name and password.
Step 5 Verify the configuration.
# Run the display ftp-server command on the FTPS server to view the SSL policy
name and the FTPS server status.
[FTPS_Server] display ftp-server
FTP server is stopped
Max user number 5
User count 1
Timeout value(in minute) 30
Listening port 21
Acl number 0
FTP server's source address 0.0.0.0
FTP SSL policy ftp_server
FTP Secure-server is running

Manage files remotely on the FTPS client.

----End

Configuration File
● FTPS_Server configuration file
#
sysname FTPS_Server

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 359

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

#
FTP secure-server enable
FTP server-source -i Vlanif10
ftp secure-server ssl-policy ftp_server
#
aaa
local-user admin password irreversible-cipher $1a$P2m&M5d"'JHR7b~SrcHF\Z\,2R"t&6V|zOLh9y$>M
\bjG$D>%@Ug/<3I$+=Y$
local-user admin privilege level 3
local-user admin ftp-directory flash:
local-user admin service-type ftp
#
ssl policy ftp_server
certificate load asn1-cert 4_servercert_der_dsa.der key-pair dsa key-file 4_serverkey_der_dsa.der
#
return

● FTPS_Client configuration file

#
sysname FTPS_Client
#
ssl policy ftp_client
trusted-ca load asn1-ca cacert.der
trusted-ca load asn1-ca rootcert.der
#
return

8.6 Troubleshooting File Management

8.6.1 FTP Login Failure

Possible Causes
● The source address of the FTP server is not configured.
● The FTP server is not running.
● The listening port number of the FTP server is not the default one, and no
port number is specified when you log in to the FTP server.
● The authentication information, authorized directory, and user privilege level
of the FTP user are not configured.
● The number of online FTP users who have logged in to the FTP server reaches
the upper threshold.
● An ACL is configured on the FTP server, and the FTP client IP address is not
specified in the ACL.
● Multiple authentication modes are configured on the FTP server.

Procedure
Step 1 Check whether the source address of the FTP server is configured on the device.
● FTP IPv4:
Run the display this command in the system view to check whether the ftp
server-source command is configured. If not, run the ftp server-source
command in the system view to configure an IPv4 source address for the FTP
server.
● FTP IPv6:

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 360

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Run the display this command in the system view to check whether the ftp
ipv6 server-source command is configured. If not, run the ftp ipv6 server-
source command in the system view to configure an IPv6 source address for
the FTP server.
Step 2 Check whether the FTP server is running properly.
Run the display ftp-server command in any view to check the FTP server status.
● The following information indicates that the FTP server is not running:
<HUAWEI> display ftp-server
Info: The FTP server is already disabled.

Run the ftp server enable command in the system view to start the FTP
server.
<HUAWEI> system-view
[HUAWEI] ftp server enable
Info: Succeeded in starting the FTP server.

● The following information indicates that the FTP server is running properly:
<HUAWEI> display ftp-server
FTP server is running
Max user number 5
User count 0
Timeout value(in minute) 30
Listening port 21
Acl number 0
FTP server's source address 0.0.0.0
FTP SSL policy
FTP Secure-server is stopped

Step 3 Check whether the listening port number of the FTP server is the default port
number 21.
1. Run the display tcp status command in any view to check the current TCP
port listening status.
<HUAWEI> display tcp status
TCPCB Tid/Soid Local Add:port Foreign Add:port VPNID State
2a67f47c 6 /1 0.0.0.0:21 0.0.0.0:0 23553 Listening
2b72e6b8 115/4 0.0.0.0:22 0.0.0.0:0 23553 Listening
3265e270 115/1 0.0.0.0:23 0.0.0.0:0 23553 Listening
2a6886ec 115/23 10.137.129.27:23 10.138.77.43:4053 0 Establish
ed
2a680aac 115/14 10.137.129.27:23 10.138.80.193:1525 0 Establish
ed
2a68799c 115/20 10.137.129.27:23 10.138.80.202:3589 0 Establish
ed

2. Run the display ftp-server command in any view to check the listening port
number of the FTP server.
<HUAWEI> display ftp-server
FTP server is running
Max user number 5
User count 0
Timeout value(in minute) 30
Listening port 21
Acl number 0
FTP server's source address 0.0.0.0
FTP SSL policy
FTP Secure-server is stopped

If the listening port number is not 21, run the ftp server port command to set the
listening port number to 21.
<HUAWEI> system-view
[HUAWEI] undo ftp server

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 361

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Warning: The operation will stop the FTP server. Continue? [Y/N]:y
Info: Succeeded in closing the FTP server.
[HUAWEI] ftp server port 21
[HUAWEI] ftp server enable
Info: Succeeded in starting the FTP server.

Alternatively, enter the port number configured on the server when setting up an
FTP connection on the FTP client.
Step 4 Check whether the authentication information, authorized directory, and user
privilege level of the FTP user are correctly configured.
The FTP user name, password, authorized directory, and user privilege level must
be configured. If the FTP authorized directory and user privilege level are not
configured, login fails.
1. Run the aaa command to enter the AAA view.
2. Run the local-user user-name password irreversible-cipher password
command to configure the local FTP user name and password.
3. Run the local-user user-name ftp-directory directory command to specify an
FTP authorized directory for the FTP user.
4. Run the local-user user-name privilege level level command to set the FTP
user privilege level. The user privilege level must be set to 3 or higher to
ensure successful connection establishment.
The service type is optional. By default, the system supports all service types. If
you set the service-type parameter, only the service types that you set are
available to the FTP user.
Run the local-user user-name service-type ftp command to set the service types
for the FTP user.
Step 5 Check whether the number of online FTP users who have logged in to the FTP
server reaches the upper threshold.
Run the display ftp-users command to check the number of online FTP users.
Step 6 Check the ACL rule on the FTP server.
Run the display [ ipv6 ] ftp-server command to check the ACL rule on the FTP
server.
If an ACL is configured on the FTP server, only IP addresses specified in the ACL
can log in to the FTP server.
Step 7 Check whether multiple authentication modes are configured on the FTP server.
1. Run the aaa command to enter the AAA view.
2. Run the display this command to check whether multiple authentication
modes are configured. For details, see AAA Configuration.

----End

8.6.2 File Upload Failure

Possible Causes
● The source or destination directory contains characters not supported by the
device, such as spaces.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 362

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

● The server root directory does not have sufficient storage space.
● The MTU on the server or client is modified. The size of data frames sent by
the server or client exceeds the maximum value of the peer device or a device
on the transmission path. As a result, the data frames are discarded.

Procedure
Step 1 Check whether the source or destination directory contains characters not
supported by the device, such as spaces.
The directory name cannot contain spaces and the following special characters: ~
* / \ : ' ".
If the directory contains any of these characters, modify the directory.
Step 2 Check whether the storage space of the server root directory is sufficient.
Run the dir command on the server to check the available space of the server root
directory.
If the storage space is insufficient, run the delete /unreserved command in the
user view to delete outdated files.
Step 3 Check whether the MTU on the server or client interface exceeds the maximum
value supported by the device.
Run the display this command in the interface view on the server or client to
check the MTU value. If no value is displayed, the default value 1500 is used.
If the MTU exceeds the maximum value of the server or client, run the mtu
command in the interface view to set the MTU to a smaller value. For details on
the largest frame size supported by a device, see What Is the MTU of an
Interface and What Is the Largest Frame Size Allowed on an Interface? in
Interface Management in the FAQs.

----End

8.7 FAQ About File Management

8.7.1 How Can I View Deleted Files?

Files deleted through the delete command are moved to the recycle bin. To delete
files permanently, you can run the delete/unreserved command.
The dir command does not display files in the recycle bin. To view these files, run
the dir/all command. File names of deleted files in the recycle bin are enclosed in
square brackets ([]).

8.7.2 Which SSH Version Does the Device Support?

The device supports SSH v1.99. That is, it supports SSH1 (SSH1.x) and SSH2
(SSH2.0).
When the device functions as an SSH client, it can log in to an SSH server running
only v2.0. When the device functions as the SSH server, it allows SSH clients
running either v1.x or v2.0 to log in.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 363

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

8.7.3 Why Must Local Users Be Configured on a Device When

SSH Users Configure Remote Authentication?
Configuring local users on a device is optional. When the ssh authentication-type
default password command is used on a device, you do not need to configure
local users.

8.7.4 How Can I Repair a Storage Device Where an Exception

Occurred?
● Run the dir command to display information about a specified file or
directory on the device. If the command output contains unknown, for
example, 30,000 KB total (672 KB free, 25,560 KB used, 3,616 KB unknown),
run the fixdisk device-name command in the user view to release the
unknown space.
Do not run the fixdisk device-name command if the device is functioning
normally.
● If no file is displayed after you run the dir command, but the storage space is
occupied, the following scenarios may occur:
Deleted files are in the recycle bin. Run the dir /all command to display all
files, including deleted files that are contained in square brackets ([]). To
restore these deleted files, run the undelete command. To delete the files in
the recycle bin, run the reset recycle-bin command.

NOTICE

● After you run the fixdisk device-name command, all the files and directories in
the specified storage device will be deleted. Exercise caution when determining
whether to run these commands because the files and directories cannot be
restored after being deleted.
● The fixdisk device-name command cannot rectify device-level faults.

8.7.5 How Do I Upload or Download Files?

To upload or download files between two devices or between a device and a host,
you can use the console port, File Transfer Protocol (FTP), Secure Copy Protocol
(SCP), Trivial File Transfer Protocol (TFTP), Secure File Transfer Protocol (SFTP), or
FTP over Secure Sockets Layer (FTPS). The device and host can function as the
server or client during file transfer. Table 8-57 describes the application scenarios,
advantages, and disadvantages of each file transfer mode. You can select one
mode based on actual requirements. For details about the file transfer modes, see
"File Management" in the Configuration Guide - Basic Configuration of the
corresponding product version.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 364

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

Table 8-57 File transfer modes

File Application Advantage Disadvantage
Transfer Scenario
Mode

The console port can

be used when no ● Only one serial
network cable is required
environment is to connect a host
available or the and a device.
switch's
Console ● No network The file transfer
management
port connection is speed is low.
interface is faulty or
cannot be logged in required so
to. This mode is associated
implemented using security risks are
the switch's avoided.
BootLoad menu.

● FTP is easy to
FTP can be used configure.
when security FTP transmits data in
requirements are ● This mode plain text, resulting
FTP provides
low; for example, in potential security
during version authorization and risks.
upgrades. authentication
functions.

TFTP transmits data

TFTP can be used
in plain text and
when the client and
does not provide
server do not need
authorization and
complex interactions,
TFTP consumes authentication
for example, online
TFTP fewer memory functions. There are
version uploads or
resources than FTP. potential security
upgrades on a lab
risks because the
local area network
devices are prone to
(LAN) in good
viruses and network
conditions.
attacks.

SFTP can be used

when security
SFTP performs high-
requirements are
security encryption SFTP is complex to
SFTP high; for example,
and integrity checks configure.
log downloads and
for data.
configuration file
backups.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 365

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

File Application Advantage Disadvantage

Transfer Scenario
Mode

● SCP performs
high-security
encryption and
integrity checks
for data.
● This mode
features high
SCP can be used efficiency because
when security and the same SCP is complex to
SCP performance command is used configure (similar to
requirements are to set up a SFTP).
high. connection
between the
client and server
and complete the
file upload/
download
operation
simultaneously.

FTPS uses data

encryption, identity
FTPS can be used FTPS is complex to
authentication, and
when security and configure and
message integrity
FTPS performance requires Certificate
checks to ensure
requirements are Authority (CA)-
security of TCP-
high. issued certificates.
based application
layer protocols.

NOTE

● The console port uses XModem as the transmission protocol. Select the correct
transmission protocol when you transfer files.
● When TFTP is used, the device can function as the client only. When FTP, SFTP, SCP, or
FTPS is used, the device can function as the client or server.
● When uploading system files to a device, ensure that the power supply of the device is
normal. Interruption of the power supply may result in file or file system corruption, and
may prevent the device from working properly.
● The device cannot automatically download files from a server at a specified time using
the console port, FTP, SFTP, SCP, TFTP, or FTPS.

8.7.6 How Do I Limit the FTP Upload or Download Speed?

FTP does not provide a rate limit mechanism. You can configure a rate limit on the
communication interface of the FTP client or server to limit the FTP upload or
download speed. For details, see "Traffic Policing, Traffic Shaping, and Interface-
based Rate Limiting" in the Configuration Guide - QoS of the corresponding
product version.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 366

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

8.7.7 How Do I Check Whether an Uploaded File Is Complete?

To check whether an uploaded file is complete, you can compare the size of the
file on the source and destination. Before uploading the file, check and record the
file size. After uploading the file, run the dir command to check the file size in the
storage medium. If the file sizes are the same, the uploaded file is complete. If
they are different, the uploaded file is incomplete. In this case, run the delete
command to delete the file and upload the file again.
<HUAWEI> dir /all
Directory of flash:/

Idx Attr Size(Byte) Date Time FileName

0 -rw- 14 Feb 27 2012 11:20:12 back_time_a
1 -rw- 16 Dec 28 2011 13:10:56 abc.tbl
2 drw- - Feb 25 2012 14:19:56 logfile
3 drw- - Oct 31 2011 15:05:26 sysdrv
4 drw- - Feb 25 2012 14:20:08 compatible
5 drw- - Oct 31 2011 15:19:02 selftest
6 -rw- 14 Feb 27 2012 11:20:12 back_time_b
7 -rw- 9,637 Feb 25 2012 14:18:22 vrpcfg.cfg
8 -rw- 4 Jan 18 2012 16:34:56 snmpnotilog.txt
9 -rw- 1,968 Feb 25 2012 14:20:22 private-data.txt
10 -rw- 637 Nov 04 2011 11:48:46 cacert.der
11 -rw- 4,303 Feb 09 2012 21:16:06 vrpcfg1.cfg.bak
12 -rw- 639 Nov 04 2011 11:49:04 rootcert.der
13 drw- - Nov 04 2011 11:50:24 security
14 -rw- 13 Nov 29 2011 20:33:40 tftp_test.txt
15 -rw- 52,770,448 Dec 05 2011 17:00:06 basicsoft.cc
16 -rw- 98,139,547 Jan 31 2012 16:11:52 devicesoft.cc
17 -rw- 463,309 Jan 31 2012 15:55:40 rbsaveddata.txt

509,256 KB total (272,952 KB free)

Size(Byte) in the command output shows the file size.

8.7.8 What Are the Extensions of Different Types of Files?

Table 8-58 lists the extensions of common types of files.

Table 8-58 Extensions of common types of files

File Type Extension

Web page file .7z

License file .dat

Configuration file .cfg or .zip

System file .cc

Patch file .pat

8.7.9 Where Are Log Files Saved?

Log files of a switch are saved in the syslogfile or logfile folder in the master
swith flash memory.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 367

S300, S500, S2700, S5700, and S6700 Series
Ethernet Switches
Configuration Guide - Basic Configuration 8 File Management

<HUAWEI>dir //Display all the files and folders in the flash memory.
Directory of flash:/

Idx Attr Size(Byte) Date Time FileName

0 -rw- 1,766 Dec 24 2040 03:37:54 private-data.txt
3 drw- - Dec 24 2040 03:40:12 syslogfile
4 drw- - Dec 24 2040 03:37:58 compatible
16 -rw- 10,571 Jan 04 2041 03:51:18 elabel-slot0.fls
……
<HUAWEI>cd logfile //Access the logfile folder.
<HUAWEI>dir
Directory of flash:/logfile/

Idx Attr Size(Byte) Date Time FileName

0 -rw- 10,824 Jan 24 2042 09:15:04 logfile-2042-01-24-09-15-03.zip
1 -rw- 15,334 Feb 03 2042 14:45:08 logfile-2042-02-03-14-45-08.zip

8.7.10 How Do I Delete Files?

Run the delete [ /unreserved ] [ /quiet ] { filename | devicename } [ all ]
command to delete specified files, such as system files, configuration files, patch
files, license files, and log files, from a storage medium.

● Delete a file from the storage medium.

<HUAWEI> delete test.txt
Delete flash:/test.txt?[Y/N]:y
Info: Deleting file flash:/test.txt...succeeded.

NOTE

● The actual output information may differ from the preceding information.
● The all parameter is supported only in a stack. When this parameter is specified,
the command deletes all the files in the corresponding directories on all member
devices in a batch.
● Do not delete running version files (including system software, patch files, web
page files, and configuration files) in the CLI. To delete such files, use the
BootROM menu. After a version file is deleted, the device cannot restart using the
version file. Exercise caution when you delete a version file.
● Log files are stored in the logfile or syslogfile directory of the flash memory.
You can access the logfile or syslogfile directory and then delete log files, or
directly delete log files from the absolute path of the flash memory.
# Access the logfile directory and then delete log files.
<HUAWEI> cd logfile/
<HUAWEI> delete logfile-2013-01-24-09-15-03.zip
Delete flash:/logfile/logfile-2013-01-24-09-15-03.zip?[Y/N]:y
Info: Deleting file flash:/logfile/logfile-2013-01-24-09-15-03.zip...succeeded.

# Delete log files from the absolute path of the flash memory.
<HUAWEI> delete flash:/logfile/logfile-2013-01-24-09-15-03.zip
Delete flash:/logfile/logfile-2013-01-24-09-15-03.zip?[Y/N]:y
Info: Deleting file flash:/logfile/logfile-2013-01-24-09-15-03.zip...succeeded.

8.7.11 How Do I Transfer Files Between Two Switches?

To transfer files such as patch and configuration files between two switches, you
can configure one switch as the server and the other as the client. You can then
upload or download files between the server and client using FTP, TFTP, SFTP, SCP,
or FTPS. For details about how to transfer files, see "File Management" in the
Configuration Guide - Basic Configuration of the corresponding product version.

Issue 03 (2022-06-27) Copyright © Huawei Technologies Co., Ltd. 368