01-03 Basic Configurations Commands
Uploaded by
Gustavo Borges STELMAT01-03 Basic Configurations Commands
Uploaded by
Gustavo Borges STELMATCloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3 Basic Configurations Commands
3.1 CLI Overview Commands
3.2 ZTP Commands
3.3 USB-based Deployment Configuration Commands
3.4 First Login Commands
3.5 User Interface Configuration Commands
3.6 User Login Configuration Commands
3.7 File Management Commands
3.8 System Startup Configuration Commands
3.9 ISSU Configuration Commands
3.10 Upgrade Commands
3.11 HTTP Configuration Commands
3.1 CLI Overview Commands
3.1.1 abort trial
Function
The abort trial command disables the trial running of a configuration.
Format
abort trial [ session session-id ]
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 35
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Value
session session-id Specifies the ID of a session for which the trial running -
of the configuration is to be disabled.
Views
All views (excluding the user view)
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After the two-phase configuration validation mode is configured and a command
is run, run the commit trial command to enable the trial running of the
configuration. You can specify the time parameter in the commit trial command
to set the timeout period for the trial running. After the trial running of the
configuration times out, the system automatically rolls the configuration back to
the configuration state before the trial running. To disable the trial running of the
configuration before the trial running times out, run the abort trial command to
roll the system configuration back to the configuration state before the trial
running.
Prerequisites
The commit trial command has been run for a configuration.
Configuration Impact
After the trial running of the configuration is disabled, the system configuration
rolls back to the configuration state before the trial running.
Precautions
The abort trial command must be run in the two-phase configuration validation
mode.
Example
# Disable the trial running of a configuration.
<HUAWEI> system-view
[~HUAWEI] sysname rollback
[*HUAWEI] commit trial 120
Info: The system enters the trial configuration mode.
The system will revert to previous configuration if the trial configuration is not confirmed in 120 seconds.
[~rollback] abort trial
Warning: The trial configuration will be rolled back. Continue? [Y/N]:y
Info: The trial configuration rollback succeeded.
[~HUAWEI]
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 36
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3.1.2 alias
Function
The alias command creates an alias for a command.
The undo alias command deletes an alias.
By default, no alias is created.
Format
alias alias-string [ parameter parameter & <1-32> ] command command
undo alias alias-string
Parameters
Parameter Description Value
alias-string Specifies an alias The value is a string of 1 to 63 case-
string. insensitive characters, supporting letters,
digits, and hyphens (-). It must start with
a letter and cannot contain spaces
between characters.
parameter Specifies a The value is a string of 2 to 63 case-
parameter parameter for an insensitive characters, supporting letters,
alias. digits, and hyphens (-). It must start with
the $ sign.
command Specifies a command The value is a string of 1 to 511
for which an alias is characters. If a space exists in the
to be created. command, the character string of
command must be enclosed in double
quotation marks (").
Views
Command alias view
Level
3: Management level
Task Name and Operations
Task Name Operations
cli write
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 37
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Usage Guidelines
Usage Scenario
The alias command can be used in the following scenarios:
● Configure an easy-to-remember string of characters as the alias for a
command. Then, you can just enter the alias string when you need to run the
command. For example, define the alias for display as show. You can enter
the alias show to substitute display.
● Change the order of parameters. For example, after you configure the alias
showif parameter $ifnum $iftype command "display interface $iftype
$ifnum" command, you can enter showif 1 Eth-Trunk to substitute display
interface Eth-Trunk 1.
Precautions
● A command can still be used after an alias is configured for it.
● The character string of command must reference all the parameters defined
in parameter in sequence, and each parameter can be referenced only once.
● When the character string of command starts referencing the parameters
defined in parameter, only parameters beginning with the $ sign rather than
any command keyword can be included. For example, command configuration
like alias showif parameter $ifnum $iftype command "display interface
$iftype iftype $ifnum verbose" is incorrect.
● If the alias definitions include loop nesting or the nesting level is more than
16 layers, the alias is invalid and cannot substitute a command.
● The alias configured by the alias command can take effect only when the
command alias function is enabled using the terminal command alias
command. By default, the command alias function is enabled.
Example
# Create an alias for a command.
<HUAWEI> system-view
[~HUAWEI] command alias
[*HUAWEI-cmdalias] alias show command display
3.1.3 clear configuration candidate
Function
The clear configuration candidate command clears an uncommitted
configuration.
Format
clear configuration candidate
Parameters
None
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 38
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Views
All views except the user view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
This command clears a configuration that has not been committed in the two-
stage mode.
Prerequisites
A configuration has been edited in two-stage mode.
Precautions
The uncommitted configuration is deleted. The system view is displayed.
Example
# Clear the configuration that has not been committed.
<HUAWEI> system-view
[~HUAWEI] clear configuration candidate
3.1.4 command alias
Function
The command alias command creates and enters the command alias view.
The undo command alias command deletes all alias configured on the device.
Format
command alias
undo command alias
Parameters
None
Views
System view
Default Level
3: Management level
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 39
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Usage Guidelines
Usage Scenario
To enter the command alias view, run the command alias command.
The alias command can be used in the following scenarios:
● Configure an easy-to-remember string of characters as the alias for a
command. Then, you can just enter the alias string when you need to run the
command. For example, define the alias for display as show. You can enter
the alias show to substitute display.
● Change the order of parameters. For example, after you configure the alias
showif parameter $ifnum $iftype command "display interface $iftype
$ifnum" command, you can enter showif 1 Eth-Trunk to substitute display
interface Eth-Trunk 1.
Precautions
The undo command alias command deletes all alias configured on the device as
well as the command alias view.
Follow-up Procedure
Run the alias command to configure an alias for a command.
Example
# Enter the command alias view.
<HUAWEI> system-view
[~HUAWEI] command alias
[~HUAWEI-cmdalias]
3.1.5 command-privilege level
Function
The command-privilege level command sets the command level in a specified
view.
The undo command-privilege command restores the default command level.
By default, each command in each view has a default command level.
Format
command-privilege level level view view-name command-key
undo command-privilege [ level level ] view view-name command-key
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 40
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Value
level level Specifies the command If the command-privilege level
level. rearrange command is configured, the
value of level ranges from 0 to 15.
If the command-privilege level
rearrange command is not configured,
the value of level ranges from 0 to 3.
NOTE
If the command-privilege level rearrange
command configuration is changed, the value
of level changes based on the level mapping.
● If the command-privilege level rearrange
command configuration is added, the
levels of level-0 and level-1 commands
remain unchanged, the level of level-2
commands is upgraded to 10, and that of
level-3 commands is upgraded to 15.
● If the command-privilege level rearrange
command configuration is deleted, the
level of level-0 commands remains
unchanged, the levels of level-1 to level-9
commands are downgraded to 1, the levels
of level-10 to level-14 commands are
downgraded to 2, and the level of level-15
commands is downgraded to 3.
view view- Specifies the view -
name name. You can enter a
question mark (?) in
the terminal GUI to
obtain all view names
in the command view.
For example:
● shell: user view
● system: system view
● global: all views
● vlan: VLAN view
command- Specifies a command. The value is a character string.
key The command must be
entered manually
because automatic
command line
completion is not
supported.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 41
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The system divides commands into four levels and sets the command level in the
specified view. The device administrator can change the command level as
required, so that a lower-level user can use some high-level commands. The device
administrator can also change the command level to a larger value to improve
device security.
A login user can configure commands according to the configured privilege
corresponding to the user name (through the user privilege level command).
The command lines are classified into visit level (0), monitoring level (1),
configuration level (2), and management level (3) in an ascending order without
command-privilege level rearrange.
Table 3-1 Relationship between command levels and user levels
User Command Description
Level Level
0 Visit Commands of this level include network diagnosis tool
level(0) commands (such as ping and tracert), commands for
accessing external devices from the local device (such as
Telnet) and some display commands.
1 Visit Commands of this level are used for system
level(0), maintenance, including display commands.
Monitoring NOTE
level(1) Some display commands are not at this level. For example, the
display current-configuration and display saved-
configuration commands are at level 3. For details about
command levels, see the CloudEngine 8800, 7800, 6800, and
5800 Series SwitchesCommand Reference.
2 Visit Commands of this level are used for service configuration
level(0), to provide direct network services, including routing
Monitoring commands and commands of each network layer.
level(1),
Configurati
on level(2)
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 42
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
User Command Description
Level Level
3 Visit Commands of this level are used for basic system
level(0), operations, including file system, FTP, TFTP download,
Monitoring user management, command level configuration, and
level(1), debugging.
Configurati
on level(2),
Manageme
nt level(3)
Precautions
You are not advised to change the default command level. If you need to change
it, consult with professional personnel to ensure that routine operation and
maintenance are not affected and security risk is avoided.
The command-key parameter specifies the command of which the level is to be
changed. The view view-name parameter specifies the view to which the
command belongs. The command matching rule is prefix-based matching. For
example, the command-privilege level 2 view shell display interface command
changes the level of all commands starting with display interface in the user view
to level 2.
In versions earlier than V100R006C00, the user level ranges from 0 to 15. If the
system software is upgraded to V100R006C00 or a later version, and the
command-privilege level command is not configured, the levels of level-0 and
level-1 users remain unchanged, and those of level-3 to level-15 users change to
3.
Example
# Set the privilege level of the save command to 5.
<HUAWEI> system-view
[~HUAWEI] command-privilege level 5 view shell save
3.1.6 command-privilege level rearrange
Function
The command-privilege level rearrange command upgrades command levels in
batches.
The undo command-privilege level rearrange command restores the default
command levels in batches.
By default, the command levels assigned by the system during registration are
used.
Format
command-privilege level rearrange
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 43
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
undo command-privilege level rearrange
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When a command registers on the device, it is assigned with a default level–0,
level–1, level–2, or level–3, corresponding to the visit level, monitoring level,
configuration level, and management level respectively. You can run the
command-privilege level rearrange command to upgrade all the level-2 and
level-3 commands to level-10 and level-15 commands in batches. The levels of
level-0 and level-1 commands remain unchanged. Changing the command-
privilege level rearrange command configuration affects the value of level in the
user privilege, command-privilege level, adminuser-priority, and local-user
level commands. The command level and user level increase accordingly. For
details, see the "Parameters" table in the corresponding sections.
Precautions
● The command-privilege level command has a higher priority than the
command-privilege level rearrange command as follows:
– During batch command level upgrade, the levels of commands that are
separately changed using the command-privilege level command
remain unchanged.
– You can only restore the levels of the commands that are upgraded in
batches. The levels of commands that are separately changed using the
command-privilege level command remain unchanged.
● Before running the command-privilege level rearrange or undo command-
privilege level rearrange command, ensure that your level is the highest
(level 3 or 15); otherwise, you cannot run the command. For an AAA
authentication user, you can run the display aaa access-user self command
and view the User level field to check the user's level.
● After the levels of the commands are upgraded in batches and before the
levels of the commands are restored, the operation of upgrading the levels of
the commands is invalid and does not change the status of the commands.
Example
# Change the levels of the current commands in batches.
<HUAWEI> system-view
[~HUAWEI] command-privilege level rearrange
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 44
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3.1.7 commit
Function
The commit command commits a configuration and generates a configuration
rollback point.
Format
commit [ trial [ time ] ] [ label label ] [ description description ]
Parameters
Parameter Description Value
trial time Specifies the timeout The value is an integer ranging
period for the trial from 60 to 65535, in seconds. The
running of a default value is 600 seconds.
configuration.
label label Specifies the user label of The value is a string of 1 to 256
a configuration rollback case-sensitive characters without
point. spaces. It must start with a letter
and cannot be a hyphen (-).
description Specifies the description The value is a string of 1 to 60
description of a configuration rollback case-sensitive characters with
point. spaces.
Views
All views (excluding the user view)
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
When performing configurations in two-stage mode, perform the following
operations:
● Edit a configuration in the first stage.
● Run the commit command to commit the configuration in the second stage.
The new configuration then takes effect in the current system.
If you want to add descriptions about configuration rollback, run the commit
description description command in two-stage mode. Run the display
configuration commit list verbose command to view the descriptions.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 45
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
To enable the trial running of a configuration, run the trial command. This
configuration enables the trial running of new functions and services without
interrupting the services running on the live network, which improves network
reliability. The time parameter specifies the timeout period for the trial running of
a configuration. When the trial running time expires, the configuration that has
been run in trial rolls back automatically. The system configuration restores to the
configuration status before the configuration is committed. To validate the
configuration that has been run in trial, reconfigure the function and commit the
configuration.
NOTE
During the trial running of a configuration, other users cannot perform any configuration
on the device, and if the local user performs an operation and runs the commit command
to commit the configuration, the configuration in trial running is also committed and the
system exits from the trial running status and enters the normal configuration mode.
You can run the display configuration trial status command to check whether a
system configuration is in the trial running status and the remaining time of the
trial running. If you want to end the trial running status in advance, run the abort
trial command to disable the trial running of a configuration.
Prerequisites
You can edit a configuration only after you have run the system-view command
to enter a system view in two-stage mode.
Precautions
The system configurations change, including the configurations in two-stage
mode.
You do not need to run the commit command to make the commands executed
in the user view to take effect.
In two-phase validation mode, you must run the commit command for the
configuration to take effect. However, you do not need to run the commit
command in the following cases:
● Query commands (such as display interface) are run.
● Maintenance commands (such as slave switchover, dual-active restore,
stack upgrade fast rollback-timer, switch mode, and reset keepalive
packets count) are run.
● Commands are run to enter the existing views (such as the stack view and
physical interface view) on a physical device. For example, the interface
10ge1/0/1 command is run.
● The existing configurations on a device are reconfigured.
Example
# Edit a configuration and commit it to make the change take effect.
<HUAWEI> system-view
[~HUAWEI] vlan 7
[*HUAWEI-vlan7] commit
# Set the configuration rollback information when committing a command.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 46
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
<HUAWEI> system-view
[~HUAWEI] sysname ROLLBACK
[*HUAWEI] commit description This is a new name
[~ROLLBACK] display configuration commit list verbose
1) CommitId: 1000002027
Label: -
User: device
User-Intf: VTY 4
Type: CLI
TimeStamp: 2012-08-22 23:10:49+08:00
Description: This is a new name
3.1.8 diagnose
Function
The diagnose command enters the diagnostic view from the system view.
Format
diagnose
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
Diagnostic commands are mainly used for fault diagnosis. However, running some
commands may cause device faults or service interruptions. Therefore, use these
commands under the instruction of technical support personnel.
Example
# Enter the diagnostic view.
<HUAWEI> system-view
[~HUAWEI] diagnose
[~HUAWEI-diagnose]
3.1.9 display command alias
Function
The display command alias command displays configuration information of the
command alias.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 47
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Format
display command alias
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
To view configuration information of command alias on a device, run the display
command alias command.
Example
# Display configuration information of the command alias.
<HUAWEI> display command alias
show = display
showif $ifnum $iftype = display interface $iftype $ifnum
3.1.10 display configuration candidate
Function
The display configuration candidate command displays uncommitted
configurations or all configurations in the system.
Format
display configuration candidate [ merge ]
Parameters
Parameter Description Value
merge Displays all the configurations in the system, including –
committed configurations and uncommitted configurations.
If you do not specify this keyword, the command displays
only uncommitted configurations.
Views
All views in two-stage configuration mode
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 48
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Default Level
2: Configuration level
NOTE
If the merge parameter is used, the default level of the command is the management level.
Usage Guidelines
Usage Scenario
You can run the display configuration candidate command to check whether a
configuration to be committed is correct and whether it conflicts with existing
configurations.
Prerequisites
A configuration has been edited in two-stage mode.
Example
# Display uncommitted configurations.
<HUAWEI> system-view
[~HUAWEI] ftp server enable
[*HUAWEI] display configuration candidate
ftp server enable
3.1.11 display history-command
Function
The display history-command command displays the historical commands stored
on the current device.
Format
display history-command [ all-users ]
Parameters
Parameter Description Value
all-users Displays information about all successfully matched -
commands the users executed.
If the parameter is not specified, successfully matched
historical commands the current user executed are displayed.
Views
All views
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 49
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Default Level
0: Visit level
NOTE
If the all-users parameter is used, the default level of the command is the management
level.
Usage Guidelines
Usage Scenario
You can run this command to check historical commands the user has executed
recently. This command facilitates information search. Historical commands are
recorded in circular mode. The display history-command and display history-
command all-users commands display a maximum of 10 and 200 historical
commands, respectively.
Precautions
All the historical commands entered by a user are automatically saved on the
terminal, that is, any input that ends with Enter is saved as a historical command.
NOTE
● Historical commands are saved in the same format as that used in the input. If a
command that is entered by a user is in an incomplete format, the saved historical
command is also in the incomplete format.
● If a user runs a command several times, only the latest command is saved on the device.
If the command is entered in different formats, they are considered as different
commands.
You can view historical commands using the following methods:
● To view the previous historical command, press the Up arrow key or Ctrl+P.
If there is an earlier historical command, the earlier historical command is
displayed.
● To view the next historical command, press the Down arrow key or Ctrl+N.
If there is a new historical command, the new historical command is
displayed.
NOTE
Access to historical commands using the Up arrow key does not apply to Windows 9X. The
Up arrow key has different functions in Windows 9X and needs to be replaced by shortcut
keys Ctrl+P.
Example
# Display the historical commands that have been executed on the current
terminal.
<HUAWEI> display history-command
system-view
user-interface vty 0 4
user privilege level 15
quit
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 50
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3.1.12 display hotkey
Function
The display hotkey command displays the status of the defined, undefined, and
system hotkeys.
Format
display hotkey
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
After you understand the defined, undefined, and system hotkeys in the system,
you can use hotkeys to quickly enter commands. To redefine hotkeys for a
command, run the hotkey command.
The system allows hotkeys in places where commands can be entered, and
displays the commands corresponding to hotkeys. You can run the display hotkey
command to view the commands corresponding to hotkeys.
Example
# Display defined, undefined, and system hotkeys.
<HUAWEI> display hotkey
----------------- HOTKEY -----------------
=Defined hotkeys=
Hotkeys Command
CTRL_G display current-configuration
CTRL_L display ip routing-table
CTRL_O undo debugging all
=Undefined hotkeys=
Hotkeys Command
CTRL_U NULL
=System hotkeys=
Hotkeys Function
CTRL_A Move the cursor to the beginning of the current line.
CTRL_B Move the cursor one character left.
CTRL_C Stop current command function.
CTRL_D Erase current character.
CTRL_E Move the cursor to the end of the current line.
CTRL_F Move the cursor one character right.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 51
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
CTRL_H Erase the character left of the cursor.
CTRL_K Kill outgoing connection when connecting.
CTRL_N Display the next command from the history buffer.
CTRL_P Display the previous command from the history buffer.
CTRL_R Redisplay the current line.
CTRL_T Kill outgoing connection.
CTRL_V Paste text from the clipboard.
CTRL_W Delete the word left of the cursor.
CTRL_X Delete all characters up to the cursor.
CTRL_Y Delete all characters after the cursor.
CTRL_Z Return to the user view.
CTRL_] Kill incoming connection or redirect connection.
ESC_B Move the cursor one word back.
ESC_D Delete remainder of word.
ESC_F Move the cursor forward one word.
ESC_N Move the cursor down a line.
ESC_P Move the cursor up a line.
ESC_< Specify the beginning of clipboard.
ESC_> Specify the end of clipboard.
Table 3-2 Description of the display hotkey command output
Item Description
Defined hotkeys Defined hotkeys.
Undefined hotkeys Undefined hotkeys.
System hotkeys System hotkeys.
3.1.13 display language character-set
Function
The display language character-set command displays the character set in the
system or Chinese character set supported on the terminal login software.
Format
display language character-set [ test ]
Parameters
Parameter Description Value
test Displays the character set in the system and Chinese -
character set supported on the terminal login software.
If this parameter is not specified, only the character set in the
system is displayed.
Views
All views
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 52
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Default Level
0: Visit level
Usage Guidelines
The system and terminal login software must use the same character set;
otherwise, Chinese characters may be displayed as garbled characters. You can run
the display language character-set [ test ] command to view the character set in
the system and Chinese character set supported on the terminal login software.
Example
# Display the character set in the system.
<HUAWEI> display language character-set
Current language character set encode : GBK
Table 3-3 Description of the display language character-set command output
Item Description
Current language character set encode Character set in the system.
3.1.14 display sysname
Function
The display sysname command displays a device host name.
Format
display sysname
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
The host name determines the command interface prompt. For example, if the
host name is HUAWEI, the user interface prompt is <HUAWEI>.
You can run this command to view the host name of the current device.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 53
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Example
# Display the device host name.
<HUAWEI> display sysname
HUAWEI
3.1.15 display terminal command alias
Function
The display terminal command alias command displays whether the command
alias function is enabled for the current terminal.
Format
display terminal command alias
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
You can run the terminal command alias command to enable the command alias
function for the current terminal. To view whether the command alias function is
enabled for the current terminal, run the display terminal command alias
command.
Example
# After the command alias function is enabled, display the status of the current
terminal.
<HUAWEI> display terminal command alias
Info: Current terminal command alias feature is enable.
# After the command alias function is disabled, display the status of the current
terminal.
<HUAWEI> display terminal command alias
Info: Current terminal command alias feature is disable.
3.1.16 display this
Function
The display this command displays the running configuration in the current view.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 54
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Format
display this [ include-default ]
Parameters
Parameter Description Value
include-default Displays both the configurations that users have -
performed and default configurations.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
After the configurations are complete in a certain view, run the display this
command to check the current configurations.
If include-default is not specified, the display this command displays only
configurations that users have performed. If include-default is specified, the
display this command displays both default configurations and configurations
that users have performed.
Precautions
● If a configuration parameter uses the default value, this parameter is not
displayed. The set parameters that do not be committed successfully are
neither displayed by display this.
● If you run the display this command in an interface view, configuration of the
interface view is displayed. If you run this command in a protocol view,
configuration of the protocol view is displayed.
● Configuration information marked with * in the front in the command output
indicates the offline configuration.
Example
# Display the running configuration in the current view.
<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] display this
#
interface 10GE1/0/1
port link-type trunk
#
return
# Display the configurations that take effect in the current view on the system
and default configurations. (The command output is not all listed.)
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 55
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
<HUAWEI> system-view
[~HUAWEI] display this include-default
#
sysname HUAWEI
#
undo command-privilege level rearrange
#
FTP server enable
FTP server port 21
...
3.1.17 display configuration trial status
Function
The display configuration trial status command displays the trial running status
of a system configuration.
Format
display configuration trial status
Parameters
None
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
To view the trial running status of a system configuration, run the display
configuration trial status command.
Trial running is initiated by NETCONF. If the trial running packets carry the
persistency mark, the trial running status information of a system configuration
contains the persistency mark.
Example
# Display the trial running status of a system configuration.
<HUAWEI> display configuration trial status
Trial status: ACTIVE
Trial time left (sec): 51
# Display the trial running status of a system configuration when trial running is
initiated by NETCONF and the trial running packets carry the persistency mark
whose value is IQ,d4668.
<HUAWEI> system-view
[~HUAWEI] display configuration trial status
Trial status: ACTIVE
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 56
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Persist id: IQ,d4668
Trial time left (sec): 30
Table 3-4 Description of the display trial status command output
Item Description
Trial status Trial running status of a system
configuration. The value can be:
● INACTIVE: The configuration is not
in the trial running status.
● ACTIVE: The configuration is in the
trial running status.
● CANCELING: The trial run of the
configuration is being canceled.
● WAITCANCEL: The trial run of the
configuration is waiting to be
canceled.
Trial time left (sec) Remaining time of a trial run
Persist id Persistency mark
3.1.18 header
Function
The header command configures header information displayed on a terminal
when users log in to a connected device.
The undo header command deletes header information displayed on a terminal
when users log in to a connected device.
By default, no header information is displayed on a terminal when users log in to
a connected device.
Format
header { login | shell } { information text | file file-name }
undo header { login | shell }
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 57
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Value
login Indicates header -
information displayed on a
terminal when a user logs
in to the device and a
connection between the
terminal and the device is
activated.
shell Indicates the header -
displayed on a terminal
when the session is set up
after the user logs in to
the connected device.
information Specifies the header The value is a string. The maximum
text information and content. length of the string that can be
entered at one time is 480
characters. The value can contain
spaces, and starts and ends with
the same character that is not
displayed.
file file-name Specifies the file name The value is a string. The maximum
that the header uses. length of the string is 64
characters. The file name must be
in the [drive] [path] [file name]
format, where [path] is the
absolute path of the file. The
maximum header file size is 2 KB. If
the file size is greater than 2 KB,
only the first 2 KB file information
can be displayed.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To provide some prompts or alarms to users, you can use the header command to
configure a title on the device. If a user logs in to the device, the title is displayed.
You can directly define header information by specifying the information text
parameter, or configure the content of a specified file as header information by
specifying the file file-name parameter.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 58
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
● If the information parameter is specified, the header content must start and
end with the same case-insensitive letter. For example, the header content
abcda starts and ends with a, and header information displayed on the
terminal is bcd. You cannot press Enter to enter information in the next line.
● If the file file-name parameter is specified, all the header content is header
information displayed on the terminal without any start or end character, and
you can press Enter to enter information in the next line.
When a terminal connection is activated and you attempt to log in (for example,
before entering the user name and password), the terminal displays the content of
the title that is set using the header login command. After the successful login,
the terminal displays the content of the title that is configured using the header
shell command.
Precautions
● Before setting the login parameter, you must set login authentication
parameters; otherwise, no header information about authentication is
displayed.
● Before setting the file parameter, ensure that the file containing the header
exists; otherwise, the file name cannot be obtained.
● If the header command is configured several times, only the latest
configuration takes effect.
● After the login title is configured, any user that logs in to the system can view
the title.
Example
# Configure a shell header "Hello!".
<HUAWEI> system-view
[~HUAWEI] header shell information "Hello!"
[*HUAWEI] commit
[~HUAWEI] quit
<HUAWEI> quit // Log off.
# Press Enter. The shell header is displayed when the user logs in again.
Hello!
<HUAWEI>
# Specify the file that stores a login header.
<HUAWEI> system-view
[~HUAWEI] header login file flash:/header-file.txt
3.1.19 hotkey
Function
The hotkey command sets a shortcut key for a command.
The undo hotkey restores the system shortcut keys to the default values.
By default, the system sets the default values for three shortcut keys CTRL+G,
CTRL+L, and CTRL+O, while does not set default value for CTRL+U.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 59
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Format
hotkey { CTRL_G | CTRL_L | CTRL_O | CTRL_U } command-text
undo hotkey { CTRL_G | CTRL_L | CTRL_O | CTRL_U }
Parameters
Parameter Description Value
CTRL_G Specifies the shortcut key Ctrl -
+G for a command.
CTRL_L Specifies the shortcut key Ctrl -
+L for a command.
CTRL_O Specifies the shortcut key Ctrl -
+O for a command.
CTRL_U Specifies the shortcut key Ctrl -
+U for a command.
command- Specifies the associated It is a string of 1 to 240 case-
text command line for shortcut sensitive characters, with spaces
keys. supported.
NOTE
When defining shortcut keys, mark
the command with double quotation
marks if the command consists of
several words or the command
includes spaces, and do not mark
the command with double quotation
marks if the command consists of
only one word or the command
includes no space.
Views
System view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
You can set a shortcut key for a command that is often used; you can also change
the default value of the shortcut key that is defined by the system according to
your requirements.
Four shortcut keys are customized by users: CTRL+G, CTRL+L, CTRL+O, and CTRL
+U.
● By default, the shortcut key CTRL+G corresponds to the display current-
configuration command which displays current configuration.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 60
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
● By default, the shortcut key CTRL+L corresponds to the display ip routing-
table command which displays routing table information.
● By default, the shortcut key CTRL+O corresponds to the undo debugging all
command which stops the output of all debugging information.
When specifying command-text, you can enter the abbreviation form of a
command. For example, you can enter the hotkey CTRL_G "display cur"
command instead of the hotkey CTRL_G "display current-configuration"
command. These commands in two formats function the same.
After you use the hotkey command to set a shortcut key for a command, you can
run the command by pressing the shortcut key or entering a command.
Configuration Impact
One shortcut key can be associated with only one command. If you run this
command for a number of times to associate a shortcut key with multiple
commands, the last association takes effect.
One shortcut key can be set for only one command. If you set a shortcut key for
multiple commands, only the latest configuration takes effect.
Example
# Assign the display tcp status command for the shortcut key CTRL+L.
<HUAWEI> system-view
[~HUAWEI] hotkey ctrl_l "display tcp status"
[*HUAWEI] commit
[~HUAWEI] display hotkey
----------------- HOTKEY -----------------
=Defined hotkeys=
Hotkeys Command
CTRL_G display current-configuration
CTRL_L display tcp status
CTRL_O undo debugging all
=Undefined hotkeys=
Hotkeys Command
CTRL_U NULL
=System hotkeys=
Hotkeys Function
CTRL_A Move the cursor to the beginning of the current line.
CTRL_B Move the cursor one character left.
CTRL_C Stop current command function.
CTRL_D Erase current character.
CTRL_E Move the cursor to the end of the current line.
CTRL_F Move the cursor one character right.
CTRL_H Erase the character left of the cursor.
CTRL_K Kill outgoing connection when connecting.
CTRL_N Display the next command from the history buffer.
CTRL_P Display the previous command from the history buffer.
CTRL_R Redisplay the current line.
CTRL_T Kill outgoing connection.
CTRL_V Paste text from the clipboard.
CTRL_W Delete the word left of the cursor.
CTRL_X Delete all characters up to the cursor.
CTRL_Y Delete all characters after the cursor.
CTRL_Z Return to the user view.
CTRL_] Kill incoming connection or redirect connection.
ESC_B Move the cursor one word back.
ESC_D Delete remainder of word.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 61
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
ESC_F Move the cursor forward one word.
ESC_N Move the cursor down a line.
ESC_P Move the cursor up a line.
ESC_< Specify the beginning of clipboard.
ESC_> Specify the end of clipboard.
3.1.20 language character-set
Function
The language character-set command configures the character set in the system.
The undo language character-set command restores the default character set in
the system.
The default character set in the system is ISO8859-1.
Format
language character-set character
undo language character-set
Parameters
Parameter Description Value
character Specifies the character set in Currently, the system supports the
the system. following character sets: GBK, UTF-8,
and ISO8859-1.
Views
System view
Default Level
3: Management level
Usage Guidelines
You can configure the character set so that the system supports Chinese or English
input. The character set facilitates device identification and management, for
example, configured Chinese device name and VLAN description.
Currently, the system supports the following character sets: GBK, UTF-8, and
ISO8859-1. GBK and UTF-8 support both English and Chinese input, whereas
ISO8859-1 supports only English input. To enter Chinese characters on the device,
configure GBK or UTF-8 according to the character set supported on the terminal
login software. You can run the display language character-set test command to
view the character sets in the system and on the terminal login software.
NOTE
If the character sets in the system and on the terminal login software are different, Chinese
characters may be displayed as garbled characters.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 62
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Example
# Configure GBK as the character set in the system.
<HUAWEI> system-view
[~HUAWEI] language character-set GBK
Change language character-set, confirm? [Y/N]:y
3.1.21 quit
Function
The quit command returns from the current view to a lower-level view. If the
current view is the user view, this command exits from the system.
Format
quit
Parameters
None
Views
All views
Default Level
0: Visit level
Usage Guidelines
Usage Scenario
Three types of views are available and they are listed as follows from a lower level
to a higher level:
● User view
● System view
● Service view, such as interface view
Run the quit command to return to a lower-level command view from the current
view. If you are in the user view currently, after you run the quit command, you
quit from the system.
In two-phase mode, if some configurations are not committed, a message is
displayed when the quit command is run to return to the user view from the
system view. You can enter Y, N, or C after the message is displayed.
● Y: Configurations not committed are saved in the current configuration file,
and the user view is displayed.
● N: Configurations not committed are discarded, and the user view is
displayed.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 63
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
● C: Configurations not committed remain unchanged, and the current view is
kept.
Example
# Return to the system view from the AAA view, and then return to the user view.
After this, quit the system.
<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] quit
[~HUAWEI] quit
<HUAWEI> quit
3.1.22 reset history-command
Function
The reset history-command command deletes history commands entered by the
current user in the system.
Format
reset history-command
Parameters
None
Views
User view
Default Level
3: Management level
Usage Guidelines
This command can be used to delete history commands entered only by the
current user but not by other users. The deleted history commands cannot be
displayed.
Example
# Delete history commands entered by the current user.
<HUAWEI> reset history-command
3.1.23 reset history-command all-users
Function
The reset history-command all-users command deletes the historical commands
of all users in the system.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 64
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Format
reset history-command all-users
Parameters
None
Views
User view
Level
3: Management level
Task Name and Operations
Task Name Operations
cli write
Usage Guidelines
The reset history-command all-users command deletes only the query results of
the display history-command all-users command. Query results of the display
history-command command are not affected.
Example
# Delete the historical commands of all users.
<HUAWEI> reset history-command all-users
3.1.24 return
Function
The return command returns to the user view from other views except the user
view.
Format
return
Parameters
None
Views
All views
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 65
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Default Level
0: Visit level
Usage Guidelines
In other views, you can use the return command to return to the user view.
● Run this command to return to the user view if the current view is another
view except the user view.
● If the current view is the user view, no change occurs after running this
command.
● The shortcut keys<Ctrl+Z> have the same function as the return command.
Example
# Return to the user view from the user interface view.
<HUAWEI> system-view
[~HUAWEI] user-interface vty 0
[~HUAWEI-ui-vty0] return
<HUAWEI>
3.1.25 system-view
Function
The system-view command enables you to enter the system view from the user
view.
Format
system-view [ immediately ]
Parameters
Parameter Description Value
immediately Indicates that the configuration takes effect immediately. -
Views
User view
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
You must configure the device in the system view. Run this command in the user
view to enter the system view.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 66
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
The system supports two configuration validation modes: immediate validation
and two-phase validation.
● You can run the system-view command to enter the system view and edit the
configuration in two-phase validation mode. In two-phase validation mode,
the configuration takes effect after you run the commit command.
● You can run the system-view immediately command to enter the system
view and edit the configuration in immediate validation mode. In immediate
validation mode, after you input a command line and press Enter, the
configuration takes effect immediately.
Precautions
In a command line prompt, HUAWEI is the default device name. The prompt
indicates the current view. <HUAWEI> indicates the user view. [HUAWEI] indicates
the immediate validation mode of the system view. [~HUAWEI] indicates the two-
phase validation mode of the system view.
Example
# Enter the system view.
<HUAWEI> system-view
Enter system view, return user view with return command.
[~HUAWEI]
3.1.26 terminal command alias
Function
The terminal command alias command enables the command alias function for
the current terminal.
The undo terminal command alias disables the function.
By default, the function is enabled.
Format
terminal command alias
undo terminal command alias
Parameters
None
Views
User view
Default Level
2: Configuration level
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 67
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Usage Guidelines
Usage Scenario
The alias configured by the alias command can take effect only when the
command alias function is enabled.
If you run the undo terminal command alias command to disable the command
alias function for the current terminal, the command alias function can still be
configured, and the configuration information of command alias is not deleted,
but the alias configured cannot take effect.
Precautions
The terminal command alias command takes effect only on the current terminal.
The command alias function can only be used in human-to-machine mode.
Example
# Disable the command alias function for the current terminal.
<HUAWEI> undo terminal command alias
3.1.27 terminal command forward matched upper-view
Function
The terminal command forward matched upper-view command enables the
intelligent rollback function.
The undo terminal command forward matched upper-view command disables
the intelligent rollback function.
By default, the intelligent rollback function is enabled.
Format
terminal command forward matched upper-view
undo terminal command forward matched upper-view
Parameters
None
Views
User view
Level
3: Management level
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 68
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Task Name and Operations
Task Name Operations
cli debug
Usage Guidelines
Usage Scenario
● Intelligent rollback enables the system to automatically return to the previous
view if a command fails to be run in the current view. The system performs
view return attempts until the system view is displayed. If the command is
matched, it is run in the current view and the matching view is displayed.
● When configuring services, you need to enter the view of the command to be
configured to complete the configuration. In this case, you need to run the
quit command repeatedly to exit the current view and enter the required
view. The intelligent rollback function allows you to run commands of other
views in the current view to reduce repeated quit operations.
● This command is valid only for sessions that run this command. That is, you
can enable or disable the intelligent rollback function only for the sessions
that run this command.
● If you do not need to automatically match a command in an upper-level view,
run the undo terminal command forward matched upper-view command
to disable the intelligent rollback function.
Precautions
● If command matching fails because an ambiguous command is entered in the
current view, no intelligent rollback can be performed.
● Intelligent rollback is not performed when a command fails to be matched.
● The undo commands do not support intelligent rollback.
● If the intelligent rollback function is enabled, commands may be executed in
unexpected views, and services may be interrupted. Before configuring a
command, check whether the command to be configured exists in the view. If
the command does not exist, run the command in the correct view.
Example
# Enable the intelligent rollback function.
<HUAWEI> terminal command forward matched upper-view
3.1.28 timestamp enable
Function
The timestamp enable command enables the timestamp function for a system.
The undo timestamp enable command disables the timestamp function.
By default, the timestamp function is disabled for a system.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 69
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Format
timestamp enable
undo timestamp enable
Parameters
None
Views
System view
Default Level
2: Configuration level
Usage Guidelines
After the timestamp function is enabled, the system adds the query time to the
output of the display command.
Example
# Enable the timestamp function for the system.
<HUAWEI> system-view
[~HUAWEI] timestamp enable
[*HUAWEI] commit
[~HUAWEI] display this
2014-08-19 14:39:39.227
#
sysname HUAWEI
#
vlan batch 10
#
dldp enable
#
ip route-static 0.0.0.0 0.0.0.0 192.168.80.1
#
lldp enable
#
user-interface maximum-vty 15
#
timestamp enable
#
return
3.2 ZTP Commands
NOTE
Only the CE6863, CE6863K, CE6881E, CE6881, CE6881K, and CE6820 support PKI
commands.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 70
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3.2.1 display system ztp
Function
The display system ztp command displays whether the system has been deployed
through ZTP or whether the ZTP process has been executed upon the next startup
with only factory settings.
Format
display system ztp
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
None
Example
# Display whether the system has been deployed through ZTP.
<HUAWEI> display system ztp
---------------------------------------------------------
Slot Last startup ZTP status Next startup ZTP status
---------------------------------------------------------
1 disable enable
---------------------------------------------------------
Table 3-5 Description of the display system ztp command output
Item Description
Slot Slot ID.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 71
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Item Description
Last startup ZTP status Whether the ZTP process has been
executed upon the next startup with
only factory settings:
● enable: The ZTP process is executed
upon the next startup with only
factory settings.
● disable: The ZTP process is not
executed upon the next startup
with only factory settings.
Next startup ZTP status Whether the ZTP process will be
executed upon the next startup with
only factory settings:
● enable: The ZTP process will be
executed upon the next startup
with only factory settings.
● disable: The ZTP process will not be
executed upon the next startup
with only factory settings.
3.2.2 display pki certificate
Function
The display pki certificate command displays the content of the imported CA
certificate, local certificate, and root certificate on the device.
Format
display pki certificate { ca | local } realm default
Parameters
Parameter Description Value
ca Displays the content of the CA -
certificate.
local Displays the content of the local -
certificate.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 72
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
realm default Specifies the name of the PKI realm The value must be an
that a certificate belongs to as existing PKI realm name.
default. Currently, the device
supports only the default
PKI realm.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
This command displays information about the imported CA certificate, local
certificate, or root certificate on the device, including the signature algorithm,
issuer, validity period, subject, and subject public key.
Example
# Display the content of the local certificate.
<HUAWEI> display pki certificate local realm default
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
25:7d:69:6a:1c:39:a2:10
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=Huawei Enterprise Network Product CA,O=Huawei,C=CN
Validity
Not Before: Aug 5 02:43:26 2019 GMT
Not After: Aug 4 02:43:26 2020 GMT
Subject: CN=wwwhuaweicom,O=Huawei,C=CN
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:9f:b7:f9:d1:e2:07:4b:48:07:01:2f:87:bd:36:
91:e5:bb:96:bc:8d:f3:74:83:fa:70:da:ed:cc:9a:
83:44:48:b0:73:d6:36:d7:fc:f0:f7:ec:3f:be:1d:
94:61:3d:24:f7:8b:2c:e0:42:67:e4:da:bc:94:d4:
c9:b9:49:d3:c2:56:8d:ca:79:c5:22:e0:5e:06:cb:
4a:84:a3:b8:f8:62:b3:00:4f:c1:3a:3f:00:ad:7d:
4d:94:96:4a:10:80:38:ac:b7:be:13:1d:96:47:1c:
8b:5e:34:dc:e6:7f:2a:57:fd:65:4f:64:e1:cd:82:
37:07:e5:b3:59:63:ef:0f:56:34:ef:c8:02:a4:9b:
84:aa:99:f8:a8:99:13:e6:9a:64:6b:c6:b6:f4:70:
8c:70:f8:d3:a9:54:c0:cf:c3:b5:4b:2b:e7:f5:e7:
0c:2f:9f:23:02:14:bc:45:8a:40:8f:20:ff:62:93:
7e:95:b0:28:a6:d1:6d:3f:d9:be:33:f5:db:09:99:
1d:f1:50:0d:ea:ef:14:ff:b2:82:32:69:bd:dd:cf:
87:2f:d0:9c:54:ef:9c:bb:57:09:e2:04:b4:91:a8:
df:72:d1:bc:00:a2:b5:e3:67:19:d9:c3:3c:82:a0:
64:f7:27:08:88:1d:91:4f:3b:47:78:a6:bc:26:ec:
fc:6d
Exponent: 65537 (0x010001)
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 73
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
X509v3 extensions:
X509v3 Basic Constraints: non-critical
CA:0
X509v3 Key Usage: critical
Key Agreement, Data Encipherment, Key Encipherment (e0), Non-Re
pudiation, Digital Signature,
X509v3 Authority Key Identifier:
KeyID=73:9F:C7:5F:E1:96:A8:0E:79:71:79:DC:69:CB:0A:F1:BC:E0:F4:E5
Signature Algorithm: sha256WithRSAEncryption
59:33:3a:fe:c1:48:4e:3e:de:1a:16:c1:5e:04:ff:a6:94:26:
c8:99:cb:a7:fb:4f:bb:02:55:02:cf:a5:90:e9:19:32:37:d3:
22:cd:b2:da:1b:96:8a:27:ff:e0:88:05:50:b7:5c:b6:40:43:
83:be:e7:cd:99:7f:c7:fd:5:90:59:a4:d6:74:10:0b:ab:b9:
1e:e0:b4:ea:4b:90:d0:de:8d:ff:d6:a1:d5:3c:f5:36:8a:0b:
35:03:76:81:c1:2f:d8:ab:ef:ce:95:0a:0a:09:9b:70:aa:93:
f7:5d:ff:1f:58:4f:99:de:ca:16:06:11:74:32:36:9f:fd:fb:
a4:8f:f0:73:cb:18:04:4b:87:74:ab:ae:cc:40:d3:02:bb:e3:
70:1d:7e:03:f8:20:7d:dd:8d:80:f9:a1:fc:e3:aa:f4:fe:d2:
1c:94:4e:54:4a:5f:41:2f:24:57:0b:bb:90:53:7e:a2:18:85:
1c:71:71:ac:13:91:6f:b3:ed:93:e6:49:5b:67:9b:5e:f0:0b:
7d:ba:41:f4:17:86:c4:10:c8:62:84:29:8f:7d:f6:e2:3d:aa:
39:62:0e:69:63:ff:f9:13:61:ca:3e:9d:39:cb:4a:d9:9a:dd:
70:71:7d:c2:cb:a3:bc:f7:1d:09:92:9f:8f:15:39:8b:f1:aa:
06:4d:ea:b3
Table 3-6 Description of the display pki certificate command output
Item Description
Certificate Information about a certificate.
Data Data of a certificate.
Version Version of a certificate.
Serial Number Serial number of a certificate.
Signature Algorithm Signature algorithm of a certificate.
Issuer Issuer of a certificate.
Validity Validity period of a certificate.
Subject Subject of a certificate:
● C: country code of a PKI entity.
● ST: name of the state or province to
which a PKI entity belongs.
● L: geographic area where a PKI
entity is located.
● O: organization to which a PKI
entity belongs.
● OU: department to which a PKI
entity belongs.
● CN: common name of a PKI entity.
Subject Public Key Info Information about the public key of a
certificate.
Public Key Algorithm Public key algorithm.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 74
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Item Description
RSA Public Key Information about the RSA public key.
Modulus Key modulus.
Exponent Key exponent.
X509v3 extensions X.509v3 certificate extensions.
CA Whether the CA can be trusted.
X509v3 Basic Constraints Basic constraints.
X509v3 Key Usage X.509v3 key use.
X509v3 Authority Key Identifier Identifier of a subject key.
KeyID ID.
3.2.3 display pki crl
Function
The display pki crl command displays the CRL content on the device.
Format
display pki crl realm default
Parameters
Parameter Description Value
realm default Specifies the name of the PKI The value must be an existing
realm that a CRL belongs to as PKI realm name. Currently, the
default. device supports only the default
PKI realm.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
This command displays the CRL content, including signature algorithm, issuer,
update time, revoked certificate, CRL sequence number, and revocation time.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 75
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Example
# Display the CRL content in the PKI realm named default.
<HUAWEI> display pki crl realm default
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=Huawei Enterprise Network Product CA,O=Huawei,C=CN
Last Update: Aug 5 07:26:59 2019 GMT
Next Update: Aug 9 04:06:59 2019 GMT
CRL extensions:
X509v3 CRL Number(HEX): 00
X509v3 Authority Key Identifier:
KeyID=73:9F:C7:5F:E1:96:A8:0E:79:71:79:DC:69:CB:0A:F1:BC:E0:F4:E5
Table 3-7 Description of the display pki crl command output
Item Description
Certificate Revocation List (CRL) CRL information.
Signature Algorithm Signature algorithm.
Issuer Issuer information.
Last Update Last time the CRL was updated.
Next Update Next time the CRL will be updated.
CRL extensions CRL extended attribute.
X509v3 CRL Number(HEX) X.509v3 CRL number.
X509v3 Authority Key Identifier X.509v3 authority key identifier.
KeyID ID.
3.2.4 display pki rsa local-key-pair
Function
The display pki rsa local-key-pair command displays information about an RSA
key pair and the public key in the RSA key pair.
Format
display pki rsa local-key-pair public
Parameters
None
Views
All views
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 76
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Default Level
1: Monitoring level
Usage Guidelines
This command displays information about an RSA key pair and the public key in
the RSA key pair, including the time the key pair was created, key pair name,
whether the key can be exported, and public key information.
Example
# Display information about all RSA key pairs.
<HUAWEI> display pki rsa local-key-pair public
=====================================================
Time of the key pair created:23:57:41 2019/08/26
Key name:test
Key Modules:2048 bit
Key type:RSA signature key
=====================================================
Key code:
30820109
02820100
9FB7F9D1 E2074B48 07012F87 BD3691E5 BB96BC8D
F37483FA 70DAEDCC 9A834448 B073D636 D7FCF0F7
EC3FBE1D 94613D24 F78B2CE0 4267E4DA BC94D4C9
B949D3C2 568DCA79 C522E05E 06CB4A84 A3B8F862
B3004FC1 3A3F00AD 7D4D9496 4A108038 ACB7BE13
1D96471C 8B5E34DC E67F2A57 FD654F64 E1CD8237
07E5B359 63EF0F56 34EFC802 A49B84AA 99F8A899
13E69A64 6BC6B6F4 708C70F8 D3A954C0 CFC3B54B
2BE7F5E7 0C2F9F23 0214BC45 8A408F20 FF62937E
95B028A6 D16D3FD9 BE33F5DB 09991DF1 500DEAEF
14FFB282 3269BDDD CF872FD0 9C54EF9C BB5709E2
04B491A8 DF72D1BC 00A2B5E3 6719D9C3 3C82A064
F7270888 1D914F3B 4778A6BC 26ECFC6D
0203
010001
Table 3-8 Description of the display pki rsa local-key-pair command output
Item Description
Time of the key pair created Time when the RSA key pair was
created.
Key name Name of the key pair.
Key Modules Key modulus.
Key type Type of the key.
Key code Public key in the key pair.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 77
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3.2.5 pki delete-certificate
Function
The pki delete-certificate command deletes a certificate from the memory.
Format
pki delete-certificate { ca | local } realm default
Parameters
Parameter Description Value
ca Deletes a CA certificate. -
local Deletes a local certificate. -
realm default Specifies the name of the PKI The value must be an existing
realm that a certificate belongs to PKI realm name. Currently,
as default. the device supports only the
default PKI realm.
Views
System view
Default Level
3: Management level
Usage Guidelines
When a certificate expires or a new certificate needs to be imported, run the pki
delete-certificate command to delete the existing CA certificate, local certificate,
or root certificate from the memory. Running this command will not delete
certificate files from the flash memory.
Example
# Delete a local certificate from the memory.
<HUAWEI> system-view
[~HUAWEI] pki delete-certificate local realm default
3.2.6 pki delete-crl
Function
The pki delete-crl command deletes a CRL from the memory.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 78
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Format
pki delete-crl realm default
Parameters
Parameter Description Value
realm default Specifies the name of the PKI The value must be an existing
realm that a CRL belongs to as PKI realm name. Currently, the
default. device supports only the default
PKI realm.
Views
System view
Default Level
3: Management level
Usage Guidelines
When a CRL expires, run the pki delete-crl command to delete the existing CRL
file from the memory. This command will not delete the CRL file in the flash
memory.
Example
# Delete the CRL file of the PKI realm named default from the memory.
<HUAWEI> system-view
[~HUAWEI] pki delete-crl realm default
3.2.7 pki import rsa-key-pair
Function
The pki import rsa-key-pair command imports an RSA key pair to the device
memory.
Format
pki import rsa-key-pair key-name [ realm default ] pem filename file-name
password password
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 79
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Value
key-name Specifies the name of an The value is a string of 1 to 31
RSA key pair file on the case-sensitive characters. It cannot
device. contain spaces or question marks
(?). If the string is enclosed in
double quotation marks (" "), the
string can contain spaces.
realm default Specifies the name of the The value must be an existing PKI
PKI realm to which the RSA realm name. Currently, the device
key pair file is imported as supports only the default PKI
default. realm.
pem filename Indicates that the RSA key The value must be an existing file
file-name pair to be imported is in name.
PEM format and specifies
the file name to store the
RSA key pair.
password Specifies the decryption The value is a string of 1 to 31
password password of an RSA key case-sensitive characters in
pair. plaintext or a string of 20 to 432
case-sensitive characters in
ciphertext. The value must be the
existing decryption password of an
RSA key pair.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To use the RSA key generated by another entity, run the pki import rsa-key-pair
command to import RSA key pair file to the memory. After the configuration, the
imported RSA key pair can be referenced by the PKI module for operations such as
signing.
Only one RSA key pair file can be imported to the device.
Prerequisites
The RSA key pair must already exist on the storage device.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 80
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Example
# Import the RSA key pair file abc.key in PEM format of the RSA key pair named
key-1 and set the decryption password to huaweiDC.
<HUAWEI> system-view
[~HUAWEI] pki import rsa-key-pair key-1 realm default pem filename abc.key password huaweiDC
3.2.8 pki import-certificate
Function
The pki import-certificate command imports a certificate to the device memory.
Format
pki import-certificate { ca | local } realm default pem filename filename
Parameters
Parameter Description Value
ca Specifies a CA certificate to be -
imported. For example, when the
device works as an SSL proxy, you can
import the SSL proxy CA certificate and
use the private key in the certificate to
sign the SSL client certificate again.
local Imports a local certificate. -
realm default Specifies the name of the PKI realm The value must be an
that an imported certificate belongs to existing PKI realm
as default. name. Currently, the
device supports only
the default PKI realm.
pem Imports a certificate in PEM format. -
filename Specifies the name of an imported The value must be an
filename certificate file. existing file name.
Views
System view
Default Level
3: Management level
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 81
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Usage Guidelines
Usage Scenario
After a certificate is downloaded and saved to the device's storage medium, run
the pki import-certificate command to import the certificate to the memory for
it to take effect.
The device supports the import of one CA certificate and one local certificate.
Prerequisites
The certificate file already exists in the device's storage medium.
Example
# Import a local certificate to the PKI realm default in file transfer mode.
<HUAWEI> system-view
[~HUAWEI] pki import-certificate local realm default pem filename local.cer
3.2.9 pki import-crl realm
Function
The pki import-crl command imports a CRL to the memory.
Format
pki import-crl realm default filename file-name
Parameters
Parameter Description Value
realm default Specifies the name of the PKI The value must be an
realm that an imported CRL existing PKI realm name.
belongs to as default. Currently, the device
supports only the default
PKI realm.
filename file- Specifies the name of an The CRL file name must
name imported CRL file. Only the files exist.
in PEM format are supported.
Views
System view
Default Level
3: Management level
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 82
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Usage Guidelines
Usage Scenario
After a CRL file is downloaded and saved to the device's storage medium, you
must run the pki import-crl command to import the CRL file to the device
memory to make it take effect.
Prerequisites
The CRL file already exists in the device's storage medium.
Example
# Import the CRL in the flash memory to the device memory.
<HUAWEI> system-view
[~HUAWEI] pki import-crl realm default filename abc.crl
3.2.10 pki match-rsa-key
Function
The pki match-rsa-key command checks whether a certificate matches an RSA
key pair.
Format
pki match-rsa-key certificate-filename { import_local.pem | default_local.pem
| packet_local.pem }
Parameters
Parameter Description Value
certificate-filename Specifies the The value must be an existing
{ import_local.pem | name of a certificate file name.
default_local.pem | certificate file.
packet_local.pem } ● default_local.pem: indicates the
preconfigured device certificate.
● packet_local.pem: indicates the
device certificate in the product
software package.
● import_local.pem: indicates the
device certificate imported by
users.
Views
System view
Default Level
3: Management level
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 83
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Usage Guidelines
After an RSA key pair is imported, you can run the pki match-rsa-key command
to check whether the device certificate matches the RSA key pair.
Example
# Check whether an imported device certificate matches an RSA key pair.
<HUAWEI> system-view
[~HUAWEI] pki match-rsa-key certificate-filename import_local.pem
Info: Certificate from file matches RSA key default.
3.2.11 pki rsa local-key-pair destroy
Function
The pki rsa local-key-pair destroy command destroys a specified RSA key pair.
Format
pki rsa local-key-pair destroy key-name
Parameters
Parameter Description Value
key-name Specifies the name of the RSA key The value must be an
pair to be destroyed. existing key pair name.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When an RSA key pair is leaked, damaged, unused, or lost, it is recommended that
you run the pki rsa local-key-pair destroy command to destroy the RSA key pair.
After this command is executed, the RSA key pair will be deleted from the active
and standby devices.
Prerequisites
The RSA key pair has been imported to the device memory using the pki import
rsa-key-pair command.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 84
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Example
# Destroy the RSA key pair test.
<HUAWEI> system-view
[~HUAWEI] pki rsa local-key-pair destroy test
3.2.12 pki validate-certificate
Function
The pki validate-certificate command configures the device to check the validity
of a CA certificate or local certificate.
Format
pki validate-certificate { ca | local } realm default
Parameters
Parameter Description Value
ca Checks the validity of a CA -
certificate.
local Checks the validity of a local -
certificate.
realm default Specifies the name of the PKI realm The value must be an
that a certificate belongs to as existing PKI realm name.
default. Currently, the device
supports only the default
PKI realm.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Before a certificate is used, its validity needs to be checked, for example, whether
its peer certificate has expired and whether it has been added to a certificate
blacklist.
Prerequisites
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 85
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
If the CA certificate or local certificate to be verified is manually uploaded to the
device, the certificate must have been imported to the device memory using the
pki import-certificate command.
Example
# Check the validity of a local certificate.
<HUAWEI> system-view
[~HUAWEI] pki validate-certificate local realm default
3.2.13 set ztp { enable | disable }
Function
The set ztp enable command enables the ZTP function on the device.
The set ztp disable command disables the ZTP function on the device.
By default, the ZTP function is enabled on devices.
Format
set ztp enable
set ztp disable
Parameters
None
Views
User view
Default Level
3: Management level
Usage Guidelines
By default, the ZTP function is enabled so that an unconfigured device can start
the ZTP process during a startup. To disable an unconfigured device from starting
the ZTP process during a startup, disable the ZTP function on the device.
Example
# Disable the ZTP function.
<HUAWEI> set ztp disable
3.3 USB-based Deployment Configuration Commands
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 86
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3.3.1 set device usb-deployment disable
Function
The set device usb-deployment disable command disables the USB-based
deployment function.
The undo set device usb-deployment disable command enables the USB-based
deployment function.
By default, the USB-based deployment function is disabled.
Format
set device usb-deployment disable
undo set device usb-deployment disable
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
After the USB-based deployment function is enabled on a device, the device can
be upgraded once a qualified USB flash drive is connected to the device. After the
USB-based deployment function takes effect, to enhance device security and avoid
service interruption caused by unnecessary version upgrades, disable the USB-
based deployment function. After the USB-based deployment function is disabled,
the device cannot be upgraded using any qualified USB flash drive.
Example
# Enable the USB-based deployment function.
<HUAWEI> system-view
[~HUAWEI] undo set device usb-deployment disable
3.3.2 set device usb-deployment password
Function
The set device usb-deployment password command sets an authentication
password for USB-based deployment.
The undo set device usb-deployment password command deletes the
authentication password for USB-based deployment.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 87
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
By default, no authentication password is configured for USB-based deployment.
Format
set device usb-deployment password [ password ]
undo set device usb-deployment password
Parameters
Parameter Description Value
password Specifies an ● When the password parameter is not specified,
authentication the password is entered in interactive mode.
password for The password is a string of 6 to 32 case-
USB-based sensitive characters. It cannot contain spaces.
deployment. The password must contain at least two types
of the following characters: uppercase letters,
lowercase letters, digits, and special characters.
● If password is specified, the password is
entered in plaintext.
The password is a string of 6 to 32 characters.
The password must contain at least two types
of the following characters: uppercase letters,
lowercase letters, digits, and special characters.
The password is displayed in ciphertext in a
configuration file.
NOTE
If the length of the authentication password configured
for USB-based deployment on the device in a version
earlier than V200R020C00 is less than 8 characters, a
configuration restoration failure will be recorded after
the device is upgraded to V200R020C00 or a later
version. In this case, you need to reconfigure the
password.
Views
System view
Default Level
3: Management level
Usage Guidelines
During USB-based deployment, you can check the HMAC of the configuration file
to be loaded to ensure validity of the configuration file. After an authentication
password is configured, the device uses the password as the key to calculate the
HMAC of the configuration file to be loaded based on the HMAC-SHA256
algorithm and compares the calculated HMAC with the value of the HMAC field in
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 88
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
the index file. If the two values are the same, the configuration file is valid and
loaded to the device for USB-based deployment. If the two values are different,
the configuration file is invalid and cannot be loaded for USB-based deployment.
Example
# Set the authentication password Pwd123456 for USB-based deployment.
<HUAWEI> system-view
[~HUAWEI] set device usb-deployment password Pwd123456
3.4 First Login Commands
3.4.1 clock datetime
Function
The clock datetime command sets the current date and time on the switch.
Format
clock datetime [ utc ] HH:MM:SS YYYY-MM-DD
Parameters
Parameter Description Value
utc Indicates the UTC -
time.
HH:MM:SS Specifies the current HH specifies the hour, which is an integer
time on the switch. ranging from 0 to 23. MM specifies the
minute, which is an integer ranging from 0
to 59. SS specifies the second, which is an
integer ranging from 0 to 59.
YYYY-MM-DD Specifies the current YYYY specifies the year, which is an integer
date (year, month, ranging from 2000 to 2037. MM specifies
and day) on the the month, which is an integer ranging
switch. from 1 to 12. DD specifies the day, which
is an integer ranging from 1 to 31.
Views
User view
Default Level
3: Management level
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 89
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Usage Guidelines
Usage Scenario
In the scenario where accurate absolute time is required, the current date and
time must be set on the switch.
Prerequisite
The time zone and daylight saving time have been configured using the clock
timezone and clock daylight-saving-time commands. If the time zone and
daylight saving time are not configured, the clock datetime command sets a UTC
time.
Precautions
● The specified time must be in 24-hour format. If you do not specify MM and
SS, their values are 0. You must enter at least one digit to specify HH. For
example, when you enter 0, the time is 00:00:00.
● The specified year must be a four-digit number and the specified month and
day can be a one-digit number. For example, when you enter 2012-9-1, the
time is 2012-09-01.
● If the device is configured to restart at a specified time and if the system time
is changed to be more than 10 minutes later than the specified restart time,
the scheduled restart function will be disabled.
Example
# Set the current time and date of the system to 0:0:0 2012-01-01.
<HUAWEI> clock datetime 0:0:0 2012-01-01
3.4.2 clock date-format
Function
The clock date-format command sets the date format on a device.
The undo clock date-format command restores the default date format on a
device.
By default, the date format of a device is YYYY-MM-DD.
Format
clock date-format { MM-DD-YYYY | YYYY-MM-DD }
undo clock date-format
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 90
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Value
MM-DD-YYYY Indicates that the date format is MM-DD-YYYY, standing -
for month-day-year.
YYYY-MM-DD Indicates that the date format is YYYY-MM-DD, standing -
for year-month-day.
Views
All views
Default Level
3: Management level
Task Name and Operations
Task Name Operations
system write
Usage Guidelines
To change the date format on a device, run the clock date-format command.
Example
# Set the date format to MM-DD-YYYY.
<HUAWEI> clock date-format MM-DD-YYYY
3.4.3 clock daylight-saving-time
Function
The clock daylight-saving-time command sets the name, start time, and end
time of the daylight saving time (DST).
The undo clock daylight-saving-time command cancels the DST settings.
By default, DST is not used.
Format
clock daylight-saving-time time-zone-name one-year start-time start-date end-
time end-date offset
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 91
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
clock daylight-saving-time time-zone-name repeating start-time { first | second
| third | fourth | last } weekday month end-time { first | second | third | fourth |
last } weekday month offset [ start-year [ end-year ] ]
clock daylight-saving-time time-zone-name repeating start-time start-date1
end-time end-date1 offset [ start-year [ end-year ] ]
undo clock daylight-saving-time
Parameters
Parameter Description Value
time-zone- Specifies the name of The value is a string of 1 to 32
name the DST zone. characters.
one-year Specifies an absolute -
daylight saving time,
which takes effect
only for the daylight
saving time
configured within a
specific year.
repeating Setting a periodic -
daylight saving time
is to set the daylight
saving time in each
year since a specific
year.
start-time Specifies the DST start The start time is in 24-hour format
time. hh:mm. hh specifies the hour, which is an
integer ranging from 0 to 23. mm
specifies the minute, which is an integer
ranging from 0 to 59. If mm is not
specified, DST starts on the hour. You
must enter at least one digit to specify
hh. For example, when you enter 0, the
start time is 00:00.
start-date Specifies the DST start The start date is in the format YYYY-MM-
date. DD. YYYY specifies the year, which is an
integer ranging from 2000 to 2037, MM
specifies the month, which is an integer
ranging from 1 to 12, and DD specifies
the day, which is an integer ranging from
1 to 31.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 92
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
end-time Specifies the DST end The end time is in 24-hour format
time. hh:mm. hh specifies the hour, which is an
integer ranging from 0 to 23. mm
specifies the minute, which is an integer
ranging from 0 to 59. If mm is not
specified, DST starts on the hour. You
must enter at least one digit to specify
hh. For example, when you enter 0, the
start time is 00:00.
end-date Specifies the DST end The end date is in the format YYYY-MM-
date. DD. YYYY specifies the year, which is an
integer ranging from 2000 to 2037, MM
specifies the month, which is an integer
ranging from 1 to 12, and DD specifies
the day, which is an integer ranging from
1 to 31.
NOTE
The start and end months must be different,
and the value obtained by deducting the start
time from the end time must be greater than
the offset value.
first Specifies the first -
workday in a month.
second Specifies the second -
workday in a month.
third Specifies the third -
workday in a month.
fourth indicates the fourth -
workday in a month.
last Specifies the last -
workday in a month.
weekday Specifies a day of the The value is Mon, Tue, Wed, Thu, Fri,
week. Sat, or Sun.
month Specifies a month. The value is Jan, Feb, Mar, Apr, May,
Jun, Jul, Aug, Sep, Oct, Nov, or Dec.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 93
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
start-date1 Specifies the DST start The start date is in the format MM-DD.
date. MM specifies the month, which is an
integer ranging from 1 to 12, and DD
specifies the day, which is an integer
ranging from 1 to 31.
end-date1 Specifies the DST end The end date is in the format MM-DD.
date. MM specifies the month, which is an
integer ranging from 1 to 12, and DD
specifies the day, which is an integer
ranging from 1 to 31.
offset Specifies the DST The value is in the format of HH:MM,
offset. where HH indicates the hour and MM
indicates the minute. The value ranges
from 00:01 to 02:00.
start-year Specifies the start The start year is in the format YYYY and
year. ranges from 2000 to 2037.
end-year Specifies the end year. The end year is in the format YYYY and
ranges from 2000 to 2037.
Views
User view, system view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
DST, also referred to as summer time, is a convention intended to save resources.
In high latitude areas, sunrise time is earlier in summer than in winter. To reduce
use of incandescent lighting in the evenings and save energy, clocks are adjusted
forward one hour.
Users can customize the DST zone according to their countries' or regions'
convention. In addition, users can set how far ahead clocks are adjusted forward,
usually an hour. With DST enabled, when it is time to start DST, the system time is
adjusted according to the user-specified DST. When it is time to end DST, the
system time automatically returns to the original time.
Configuration Impact
To configure DST, note the following:
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 94
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
● The time in logs and debugging information uses the local time adjusted
based on the time zone and the configured DST.
● The time in the output of the display commands uses the local time adjusted
based on the time zone and the configured DST.
To remove configurations for DST, note the following:
● If DST has already taken effect when you remove the configurations, the
device will adjust its clock by subtracting the value of the offset parameter
from the current time.
● If DST has not taken effect, removing the configurations will not affect the
system time.
Precautions
● The DST is configured in the summer. The DST duration ranges from one day
to one year.
● You can configure the start time and end time for periodic DST in one of the
following modes: date+date and week+week.
Example
# Set periodic DST.
<HUAWEI> system-view
[~HUAWEI] clock daylight-saving-time bj repeating 0 first sun jan 0 first sun apr 2 2009 2009
# Set periodic DST by day.
<HUAWEI> system-view
[~HUAWEI] clock daylight-saving-time bj repeating 12:11 1-1 1:0 3-4 1
# Set absolute DST.
<HUAWEI> system-view
[~HUAWEI] clock daylight-saving-time bj one-year 12:11 2010-10-2 1:00 2010-11-4 1
3.4.4 clock timezone
Function
The clock timezone command sets the local time zone.
The undo clock timezone command deletes the local time zone.
If you do not specify the time zone name, the system uses DefaultZoneName.
Format
clock timezone time-zone-name { add | minus } offset
undo clock timezone
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 95
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Value
time-zone- Specifies the time zone name. The name is a string of 1 to 32
name case-sensitive characters without
spaces. When double quotation
marks are used around the
string, spaces are allowed in the
string.
add Specifies the offset from the -
UTC for the time zone specified
by time-zone-name. That is, the
sum of the default UTC time
zone and offset is equal to the
time zone specified by time-
zone-name.
minus Specifies the offset from the -
UTC for the time zone specified
by time-zone-name. That is, the
remainder obtained by
subtracting offset from the
default UTC time zone is equal
to the time zone specified by
time-zone-name.
offset Specifies the offset from the Format: HH:MM:SS
UTC.
● HH specifies the hour, which is
an integer ranging from 0 to
18.
● MM and SS specify the minute
and second respectively, and
both range from 0 to 59.
● When HH is set to the
maximum value, the MM and
SS values must be 0.
Views
User view, System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 96
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
The system clock is the time indicated by the system timestamp. Because the rules
governing local time differ in different regions, the system clock can be configured
to comply with the rules of any given region.
System clock = UTC + Time zone offset + DST offset
To ensure normal communication between devices, set an accurate system clock.
You can run the clock timezone and clock daylight-saving-time commands to
set the time zone and DST offsets.
Precautions
● The specified time must be in 24-hour format. If you do not specify MM and
SS, their values are 0. You must enter at least one digit to specify HH. For
example, when you enter 0, the time is 00:00:00.
● After configuring the local time zone, run the display clock command to view
the configuration. The time in logs and diagnostic information uses the local
time adjusted based on the time zone and DST.
Example
# Set the local time zone name for Beijing China to BJ.
If the default UTC is London time 2012-12-01 00:00:00, Beijing time is London
time plus 08:00 because the offset from UTC is 8 hours.
<HUAWEI> clock datetime 0:0:0 2012-12-01
<HUAWEI> clock timezone BJ add 08:00:00
3.4.5 display clock
Function
The display clock command displays the current date and clock setting.
Format
display clock [ utc ]
Parameters
Parameter Description Value
utc Indicates that the clock is adjusted to the Coordinated -
Universal Time (UTC).
Views
All views
Default Level
1: Monitoring level
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 97
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Usage Guidelines
Usage Scenario
You can run the display clock command to view the system date and clock setting
and adjust the setting if necessary.
Precautions
The system clock is set using the clock datetime, clock timezone, and clock
daylight-saving-time commands.
● If the three commands are not used, the original system clock is displayed
after you run the display clock command.
● You can use any combination of the three commands to configure the system
time. Table 3-9 lists the formats of the configured time.
The table assumes that the original system time is 08:00:00 on January 1, 2010.
● 1: indicates that the clock datetime command is used, in which the current
time and date is date-time.
● 2: indicates that the clock timezone command is used, in which the time
zone parameter is set and the time offset is zone-offset.
● 3: indicates that the clock daylight-saving-time command is used, in which
the DST parameters are set and the time offset is offset.
● [1]: indicates that the clock datetime command is optional.
Table 3-9 System clock setting examples
Action Configured System Example
Time
1 date-time Command: clock datetime 8:0:0
2011-11-12
Configured system time:
2011-11-12 08:00:18
Saturday
Time Zone(DefaultZoneName) : UTC
2 Original system time Command: clock timezone BJ add 8
± zone-offset Configured system time:
2011-11-12 16:06:43+08:00
Saturday
Time Zone(BJ) : UTC+08:00
1, 2 date-time ± zone- Commands: clock datetime 8:0:0
offset 2011-11-12 and clock timezone BJ add 8
Configured system time:
2011-11-12 16:06:43+08:00
Saturday
Time Zone(BJ) : UTC+08:00
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 98
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Action Configured System Example
Time
[1], 2, 1 date-time Commands: clock timezone BJ add 8 and
clock datetime 9:0:0 2011-11-12
Configured system time:
2011-11-12
09:00:03+08:00
Saturday
Time Zone(BJ) : UTC+08:00
3 If the original system Command: clock daylight-saving-time BJ
time is not in the DST one-year 6:0 2011-8-1 6:0 2011-10-01 1:0
segment, the original Configured system time:
system time is
2010-01-01
displayed. 06:02:51+08:00
Friday
Time Zone(BJ) : UTC
+08:00
Daylight saving
time :
Name :
BJ
Repeat mode : one-
year
Start year :
2011
End year :
2011
Start time : 2011-08-01
06:00:00
End time : 2011-10-01
06:00:00
Saving Time : 01:00:00
If the original system Command: clock daylight-saving-time BJ
time is in the DST one-year 6:0 2010-1-1 6:0 2010-9-1 2:0
segment, the Configured system time:
configured system
2010-01-01 08:04:46+10:00
time is the original DST
system time plus Friday
offset. Time Zone(BJ) : UTC
+08:00
Daylight saving
time :
Name :
BJ
Repeat mode : one-
year
Start year :
2010
End year :
2010
Start time : 2010-01-01
06:00:00
End time : 2010-09-01
06:00:00
Saving Time : 02:00:00
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 99
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Action Configured System Example
Time
1, 3 If date-time is not in Commands: clock datetime 9:0:0
the DST segment, the 2011-11-12 and clock daylight-saving-
configured system time BJ one-year 6:0 2012-8-1 6:0
time is date-time. 2012-10-01 1:0
Configured system time:
2011-11-12
09:00:11+08:00
Saturday
Time Zone(BJ) : UTC
+08:00
Daylight saving
time :
Name :
BJ
Repeat mode : one-
year
Start year :
2012
End year :
2012
Start time : 2012-08-01
06:00:00
End time : 2012-10-01
06:00:00
Saving Time : 01:00:00
If date-time is in the Commands: clock datetime 9:0:0
DST segment, the 2011-11-12 and clock daylight-saving-
configured system time BJ one-year 9:0 2011-11-12 6:0
time is date-time 2011-12-01 2:0
+offset. Configured system time:
2011-11-12 11:00:09+10:00
DST
Saturday
Time Zone(BJ) : UTC
+08:00
Daylight saving
time :
Name :
BJ
Repeat mode : one-
year
Start year :
2011
End year :
2011
Start time : 2011-11-12
09:00:00
End time : 2011-12-01
06:00:00
Saving Time : 02:00:00
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 100
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Action Configured System Example
Time
[1], 3, 1 If date-time is not in Commands: clock daylight-saving-time BJ
the DST segment, the one-year 6:0 2012-8-1 6:0 2012-10-01 1:0
configured system and clock datetime 9:0 2011-11-12
time is date-time. Configured system time:
2011-11-12
09:00:06+08:00
Saturday
Time Zone(BJ) : UTC
+08:00
Daylight saving
time :
Name :
BJ
Repeat mode : one-
year
Start year :
2012
End year :
2012
Start time : 2012-08-01
06:00:00
End time : 2012-10-01
06:00:00
Saving Time : 01:00:00
If date-time is in the Commands: clock daylight-saving-time BJ
DST segment, the one-year 1:0 2011-1-1 1:0 2011-9-1 2:0
configured system and clock datetime 3:0 2011-1-1
time is date-time. Configured system time:
2011-01-01 03:00:03+10:00
DST
Saturday
Time Zone(BJ) : UTC
+08:00
Daylight saving
time :
Name :
BJ
Repeat mode : one-
year
Start year :
2011
End year :
2011
Start time : 2011-01-01
01:00:00
End time : 2011-09-01
01:00:00
Saving Time : 02:00:00
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 101
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Action Configured System Example
Time
2, 3 or 3, If the result of Commands: clock timezone BJ add 8 and
2 original system time clock daylight-saving-time BJ one-year
± zone-offset is not in 6:0 2011-1-1 6:0 2011-9-1 2:0
the DST segment, the Configured system time:
configured system
2010-01-01 16:00:33+08:00
time is equal to the Friday
original system time Time Zone(BJ) : UTC+08:00
± zone-offset. Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2011
End year : 2011
Start time : 2011-01-01 06:00:00
End time : 2011-09-01 06:00:00
Saving Time : 02:00:00
If the result of Commands: clock daylight-saving-time BJ
original system time one-year 1:0 2010-1-1 1:0 2010-9-1 2:0
± zone-offset is in the and clock timezone BJ add 8
DST segment, the Configured system time:
configured system
2010-01-01 18:01:14+10:00 DST
time is equal to the Friday
original system time Time Zone(BJ) : UTC+08:00
± zone-offset ± Daylight saving time :
Name : BJ
offset. Repeat mode : one-year
Start year : 2010
End year : 2010
Start time : 2010-01-01 01:00:00
End time : 2010-09-01 01:00:00
Saving Time : 02:00:00
1, 2, 3 or If the value of date- Commands: clock datetime 8:0:0
1, 3, 2 time ± zone-offset is 2011-11-12, clock timezone BJ add 8, and
not in the DST clock daylight-saving-time BJ one-year
segment, the 6:0 2012-1-1 6:0 2012-9-1 2:0
configured system Configured system time:
time is equal to date-
2011-11-12 16:00:37+08:00
time ± zone-offset. Saturday
Time Zone(BJ) : UTC+08:00
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2012
End year : 2012
Start time : 2012-01-01 06:00:00
End time : 2012-09-01 06:00:00
Saving Time : 02:00:00
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 102
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Action Configured System Example
Time
If the value of date- Commands: clock datetime 8:0:0
time ± zone-offset is 2011-1-1, clock daylight-saving-time BJ
in the DST segment, one-year 6:0 2011-1-1 6:0 2011-9-1 2:0
the configured and clock timezone BJ add 8
system time is equal Configured system time:
to date-time ± zone-
2011-01-01 18:00:45+10:00 DST
offset + offset. Saturday
Time Zone(BJ) : UTC+08:00
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2011
End year : 2011
Start time : 2011-01-01 06:00:00
End time : 2011-09-01 06:00:00
Saving Time : 02:00:00
[1], 2, 3, 1 If date-time is not in Commands: clock daylight-saving-time BJ
or [1], 3, the DST segment, the one-year 6:0 2012-1-1 6:0 2012-9-1 2:0,
2, 1 configured system clock timezone BJ add 8, and clock
time is date-time. datetime 8:0:0 2011-11-12
Configured system time:
2011-11-12 08:00:06+08:00
Saturday
Time Zone(BJ) : UTC+08:00
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2012
End year : 2012
Start time : 2012-01-01 06:00:00
End time : 2012-09-01 06:00:00
Saving Time : 02:00:00
If date-time is in the Commands: clock timezone BJ add 8,
DST segment, the clock daylight-saving-time BJ one-year
configured system 1:0 2011-1-1 1:0 2011-9-1 2:0, and clock
time is date-time. datetime 3:0:0 2011-1-1
Configured system time:
2011-01-01 03:00:02+10:00 DST
Saturday
Time Zone(BJ) : UTC+08:00
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2011
End year : 2011
Start time : 2011-01-01 01:00:00
End time : 2011-09-01 01:00:00
Saving Time : 02:00:00
Example
# Display the current system date and time.
<HUAWEI> display clock
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 103
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
2011-01-01 03:00:05+10:00
Saturday
Time Zone(BJ) : UTC+08:00
Daylight saving time :
Name : BJ
Repeat mode : one-year
Start year : 2011
End year : 2011
Start time : 2011-01-01 01:00:00
End time : 2011-09-01 01:00:00
Saving Time : 02:00:00
Table 3-10 Description of the display clock command output
Item Description
2011-01-01 03:00:05+10:00 Current time of the system:
GMT+10, January 1, 2011 03:00:05
Time Zone Time zone.
Daylight saving time DST.
Name DST name.
Repeat mode DST mode.
● one-year: absolute DST
● repeating: periodic DST
Start year Year from which DST takes effect.
End year Year when DST becomes ineffective.
Start time Time when DST takes effect.
End time Time when DST becomes ineffective.
Saving time Storage time.
3.4.6 sysname
Function
The sysname command sets the device host name.
The undo sysname command restores the default device host name.
By default, the device host name is HUAWEI.
Format
sysname host-name
undo sysname
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 104
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Value
host-name Specifies the The value is a string of 1 to 246 case-sensitive
host name. characters with spaces.
NOTE
When configuring a system name, do not use the
following special characters: \ " , ! @ [ ] ' If these
characters are used, the save-as function and NE explorer
of an NMS are opened slowly after the name is
synchronized to the NMS.
Views
System view
Default Level
3: Management level
Usage Guidelines
Changing the host name affects the command interface prompt. For example, if
the host name is HUAWEI, the user interface prompt is <HUAWEI>.
Example
# Set the host name to HUAWEIA.
<HUAWEI> system-view
[~HUAWEI] sysname HUAWEIA
[*HUAWEI] commit
[~HUAWEIA]
3.5 User Interface Configuration Commands
3.5.1 acl (user interface view)
Function
The acl command uses an ACL to restrict login rights of users on a terminal.
The undo acl command cancels the configuration.
By default, login rights are not restricted.
Format
acl [ ipv6 ] { acl-number | acl-name } { inbound | outbound }
undo acl [ ipv6 ] { inbound | outbound }
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 105
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Value
ipv6 Indicates an ACL6 number. -
acl-number Specifies the number of an The value is an integer ranging from
ACL. 2000 to 3999.
● 2000-2999: restricts the source
address using the basic ACL.
● 3000-3999: restricts the source
and destination addresses using
the advanced ACL.
acl-name Specifies the name of an ACL. The value is a string of 1 to 32 case-
sensitive characters except spaces.
The value must start with a letter or
digit, and cannot contain only digits.
inbound Restricts users with an -
address or within an address
segment to log in to the
device.
outbound Restricts users who have -
logged in to the device from
logging in to other devices.
Views
User interface view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
This command restricts the login rights of a user interface based on the source IP
address, destination IP address, source port, or destination port. You can use this
command to permit or deny access to a destination or from a source.
Prerequisites
Before running this command, run the acl (system view) in the system view and
run the rule (ACL view) command to configure an ACL.
If no rule is configured, login rights on the user interface are not restricted when
the acl command is executed.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 106
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Precautions
After the configurations of the ACL take effect, all users on the user interface are
restricted by the ACL.
You can configure all of the following ACL types: IPv4 inbound, IPv4 outbound,
IPv6 inbound, and IPv6 outbound on a user interface. Only one ACL of each type
can be configured on a user interface, and only the latest configuration of an ACL
takes effect.
Example
# Restrict the Telnet login rights on user interface VTY 0.
<HUAWEI> system-view
[~HUAWEI] acl 3001
[*HUAWEI-acl4-advance-3001] rule deny tcp source any destination-port eq telnet
[*HUAWEI-acl4-advance-3001] quit
[*HUAWEI] user-interface vty 0
[*HUAWEI-ui-vty0] acl 3001 outbound
# Remove the restriction on the Telnet login rights on user interface VTY 0.
<HUAWEI> system-view
[~HUAWEI] user-interface vty 0
[*HUAWEI-ui-vty0] undo acl outbound
3.5.2 activate vty ip-block ip-address
Function
The activate vty ip-block ip-address command unlocks the IP address of a user
that fails the authentication through the VTY user interface.
Format
activate vty ip-block ip-address ip-address [ vpnname vpn-name ]
Parameters
Parameter Description Value
ip-address Specifies a locked IP ● For IPv4 address, the value is in the
address. decimal format.
● For IPv6 address, the value is a 32-digit
hexadecimal number, in the format of
X:X:X:X:X:X:X:X.
vpnname Specifies the name The value is a string of 1 to 31 case-
vpn-name of a VPN to which sensitive characters.
the locked user
NOTE
belongs.
When quotation marks are used around the
string, spaces are allowed in the string.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 107
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Views
User view
Default Level
3: Management level
Task Name and Operations
Task Name Operations
tty write
Usage Guidelines
In the VTY user interface, if a user enters incorrect passwords for six consecutive
times in 5 minutes, the IP address of this user is locked for 5 minutes. To unlock
the IP address of this user in advance, run the activate vty ip-block ip-address
command.
Example
# Unlock the IP address 10.1.2.3.
<HUAWEI> activate vty ip-block ip-address 10.1.2.3
3.5.3 activate ssh server ip-block ip-address
Function
The activate ssh server ip-block ip-address command unlocks the IP address of a
user that fails the SSH connection authentication.
Format
activate ssh server ip-block ip-address ip-address [ vpn-instance vpn-name ]
Parameters
Parameter Description Value
ip-address Specifies a locked IP ● For IPv4 address, the value is in the
address. decimal format.
● For IPv6 address, the value is a 32-
digit hexadecimal number, in the
format of X:X:X:X:X:X:X:X.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 108
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
vpn-instance Specifies the name The value is a string of 1 to 31 case-
vpn-name of a VPN to which sensitive characters.
the locked user
NOTE
belongs.
When quotation marks are used around the
string, spaces are allowed in the string.
Views
User view
Default Level
3: Management level
Task Name and Operations
Task Name Operations
ssh-server write
Usage Guidelines
In an SSH connection, if a user enters incorrect passwords for six consecutive times
in 5 minutes, the IP address of this user will be blocked for 5 minutes. To unlock
the IP address of this user in advance, run the activate ssh server ip-block ip-
address command.
Example
# Unlock the IP address 10.1.2.3.
<HUAWEI> activate ssh server ip-block ip-address 10.1.2.3
3.5.4 authentication-mode (user interface view)
Function
The authentication-mode command configures the authentication mode for
accessing the user interface.
The undo authentication-mode command deletes the authentication mode for
accessing the user interface.
By default, no authentication method is configured for the user interface. For the
users logging in to the VTY interface, an authentication method must be
configured; otherwise, users cannot log in.
Format
authentication-mode { aaa | password | none }
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 109
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
undo authentication-mode
Parameters
Parameter Description Value
aaa Indicates the AAA authentication mode. -
password Indicates the password authentication mode. -
none Indicates the non-authentication mode. -
NOTE
The non-authentication mode has potential security risks. Therefore,
exercise caution when deciding to configure this mode.
Views
User interface view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When a user logs in to the device using the console interface for the first time, the
system prompts the user to set the login password. After the user logs in to the
device, the user can run the authentication-mode command to change the
authentication mode. The none mode is not recommended because system
security is low. It is recommended that you configure AAA or password
authentication to enhance system security.
Before Telnet or SSH users log in to the device using VTY user interface, they must
run the authentication-mode command to configure the authentication mode.
If SSH is configured for the user interface using the protocol inbound ssh
command, you must configure the authentication-mode aaa authentication
mode to ensure successful logins. If the password authentication mode is
configured, the protocol inbound ssh command cannot be executed.
Precautions
The authentication mode must be configured for login through the VTY user
interface; otherwise, users cannot log in to the device.
For the users logging in to the VTY interface, an authentication method must be
configured; otherwise, users cannot log in.
● After you set the authentication mode for accessing a user interface to
password, run the set authentication password command to configure an
authentication password. Keep the password safe. You need to enter the
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 110
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
password when logging in to the device. The levels of commands accessible to
a user depend on the level configured for the user interface to which the user
logs in.
● When the authentication mode is set to aaa, the authentication password is
deleted at the same time. Users are required to enter the login user name and
password to log in to the device. After login, the level of the commands the
user can run depends on the level of the local user specified in AAA
configuration.
● When you run the undo authentication-mode command to delete the
authentication mode, the system asks you whether to delete the
authentication mode.
● If the AAA authentication mode is used, run the local-user user-name
password command to configure the local user account and login password.
Otherwise, user login fails.
Example
# Configure the authentication mode for accessing the user interface.
<HUAWEI> system-view
[~HUAWEI] user-interface vty 0
[~HUAWEI-ui-vty0] authentication-mode aaa
3.5.5 databits
Function
The databits command sets the number of data bits of the user interface.
The undo databits command restores the default number of data bits.
By default, the number of data bits of the user interface is 8.
Format
databits { 5 | 6 | 7 | 8 }
undo databits
Parameters
Parameter Description Value
5 Indicates that the number of data bits is 5. -
6 Indicates that the number of data bits is 6. -
7 Indicates that the number of data bits is 7. -
8 Indicates that the number of data bits is 8. -
Views
User interface view
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 111
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Default Level
3: Management level
Usage Guidelines
Use this command only when necessary. If the number of data bits of a device's
user interface is changed, ensure that the same number of data bits is set on the
HyperTerminal used for login.
The setting is valid only when the serial port is configured to work in
asynchronous mode.
Example
# Set the number of data bits to 5.
<HUAWEI> system-view
[~HUAWEI] user-interface console 0
[~HUAWEI-ui-console0] databits 5
3.5.6 display ssh server ip-block all
Function
The display ssh server ip-block all command displays information about the IP
addresses of all the clients that fail to pass authentication.
Format
display ssh server ip-block all
Parameters
None
Views
All views
Default Level
3: Management level
Task Name and Operations
Task Name Operations
ssh-server read
Usage Guidelines
To check information about the IP addresses of all the clients that fail to pass
authentication, run the display ssh server ip-block all command. The command
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 112
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
output includes the names of VPN instances to which the IP addresses belong, IP
address status, numbers of authentication failures, and the IP addresses that fails
to pass authentication will not be adopted to make invalid authentication.
If a user logs in using SSH, the user's IP address will be locked for 5 minutes upon
6 incorrect password attempts within 5 minutes. After the IP address is locked, the
IP address status displayed in the display ssh server ip-block all command output
changes from AUTH FAILED to BLOCKED.
Example
# Display information about the IP addresses of all the clients that fail to pass
authentication.
<HUAWEI> display ssh server ip-block all
-------------------------------------------------------------------------------------
IP Address VPN Name State Auth-fail Count
--------------------------------------------------------------------------------------
192.168.10.1 _public_ BLOCKED 6
--------------------------------------------------------------------------------------
Table 3-11 Description of the display ssh server ip-block all command output
Item Description
IP Address Locked client IP address
VPN Name Name of a VPN instance to which a locked
client IP address belongs
State Status of a locked client IP address:
● BLOCKED: The IP address is locked.
● AUTH FAILED: The IP address fails to pass
authentication.
Auth-fail Count Number of consecutive authentication failures
within 5 minutes
3.5.7 display ssh server ip-block list
Function
The display ssh server ip-block list command displays information about client IP
addresses that are locked because of authentication failures.
Format
display ssh server ip-block list
Parameters
None
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 113
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Views
All views
Default Level
3: Management level
Task Name and Operations
Task Name Operations
ssh-server read
Usage Guidelines
To check information about client IP addresses that are locked because of
authentication failures, run the display ssh server ip-block list command. The
command output includes the names of VPN instances to which the locked client
IP addresses belong and the remaining locking period.
Example
# Display information about client IP addresses that are locked because of
authentication failures.
<HUAWEI> display ssh server ip-block list
-------------------------------------------------------------------------------------
IP Address VPN Name UnBlock Interval(Seconds)
-------------------------------------------------------------------------------------
192.168.10.1 _public_ 36
-------------------------------------------------------------------------------------
Table 3-12 Description of the display ssh server ip-block list command output
Item Description
IP Address Locked client IP address
VPN Name Name of a VPN instance to which a locked
client IP address belongs
UnBlock Interval(Seconds) Remaining locking period, in seconds
3.5.8 display user-interface
Function
The display user-interface command displays information about a user interface.
Format
display user-interface [ ui-type ui-number1 | ui-number ] [ summary ]
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 114
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Value
ui-type Displays information about a The value can be Console, VTY,
specified user interface. RPC, or NCA.
ui-number1 Displays information about a The minimum value is 0. The
user interface with a specified maximum value is smaller by 1
relative number. than the number of user interfaces
the system supports.
ui-number Displays information about a The value is an integer ranging
user interface with a specified from 0 to 104. The value varies
absolute number. according to the device type.
summary Displays the summary of a -
user interface.
Views
All views
Default Level
3: Management level
Usage Guidelines
You can run the display user-interface command to view detailed configuration
information about all user interfaces or a specified user interface. To obtain the
relative number and absolute number of a user interface, run the display users
command and view the User-Intf field in the command output.
Example
# Display detailed information about the user interface with the absolute number
0.
<HUAWEI> display user-interface 0
Idx Type Tx/Rx Modem Privi ActualPrivi Auth Int
+ 0 CON 0 9600 - 15 15 - 6
UI(s) not in async mode -or- with no hardware support:
20-32
+ : Current UI is active.
F : Current UI is active and work in async mode.
Idx : Absolute index of UIs.
Type : Type and relative index of UIs.
Privi: The privilege of UIs.
ActualPrivi: The actual privilege of user-interface.
Auth : The authentication mode of UIs.
A: Authenticate use AAA.
N: Current UI need not authentication.
P: Authenticate use current UI's password.
Int : The physical location of UIs.
# Display detailed information about all user interfaces.
<HUAWEI> display user-interface
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 115
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Idx Type Tx/Rx Modem Privi ActualPrivi Auth Int
+ 0 CON 0 9600 - 15 15 - 6
34 VTY 0 - 15 - A -
35 VTY 1 - 15 - A -
36 VTY 2 - 15 - A -
37 VTY 3 - 15 - A -
38 VTY 4 - 15 - A -
39 VTY 5 - 15 - - -
+ 40 VTY 6 - 15 15 N -
41 VTY 7 - 15 - - -
42 VTY 8 - 15 - - -
43 VTY 9 - 15 - - -
+ 44 VTY 10 - 15 15 N -
+ 45 VTY 11 - 15 15 N -
+ 46 VTY 12 - 15 15 N -
+ 47 VTY 13 - 15 15 N -
+ 48 VTY 14 - 15 15 N -
100 NCA 0 - - - A -
+ 101 NCA 1 - - 3 A -
+ 102 NCA 2 - - 3 A -
103 NCA 3 - - - A -
104 NCA 4 - - - A -
UI(s) not in async mode -or- with no hardware support:
21-32
+ : Current UI is active.
F : Current UI is active and work in async mode.
Idx : Absolute index of UIs.
Type : Type and relative index of UIs.
Privi: The privilege of UIs.
ActualPrivi: The actual privilege of user-interface.
Auth : The authentication mode of UIs.
A: Authenticate use AAA.
N: Current UI need not authentication.
P: Authenticate use current UI's password.
Int : The physical location of UIs.
Table 3-13 Description of the display user-interface command output
Parameter Description
+ Active user interface.
F Active user interface in asynchronous mode.
Idx Absolute number of a user interface.
Type Type and relative number of a user interface.
Tx/Rx Data transfer rate of the user interface.
Modem Type of the modem.
Privi Authority configured on a user interface.
ActualPrivi Actual permission of a user interface. (In the case of
the AAA authentication mode, the level of a local
user in AAA configuration is the actual permission.
You can run the display aaa access-user command
to check the user level.)
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 116
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description
Auth Authentication mode on a user interface.
● A: AAA authentication.
● N: No authentication on the current user
interface.
● P: Password authentication.
Int User interface.
3.5.9 display user-interface maximum-vty
Function
The display user-interface maximum-vty command displays the maximum
number of VTY users.
Format
display user-interface maximum-vty
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
You can run the display user-interface maximum-vty command to view the
maximum number of users who connect to the device using Telnet or SSH. By
default, the total number of Telnet users and SSH users is five maximum.
Example
# Display the maximum number of VTY users.
<HUAWEI> display user-interface maximum-vty
Maximum of VTY user : 5
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 117
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Table 3-14 Description of the display user-interface maximum-vty command
output
Parameter Description
Maximum of VTY user Maximum number of VTY users.
The maximum number of VTY users can be
configured using the user-interface maximum-
vty command.
3.5.10 display users
Function
The display users command displays login information for each user interface.
Format
display users [ all ]
Parameters
Parameter Description Value
all Displays information about all users who log in to the device -
through user interfaces, including information about user
interfaces that are not used. If the all parameter is not used,
the command displays only information about user interfaces
that have been connected.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
You can run this command to view information about users who are connected to
the device. The information includes the user name, IP address, and authentication
and authorization information.
Example
# Run the display users command to view information about users who log in to
the device through the user interface.
<HUAWEI> display users
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 118
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
NOTE:
User-Intf: The absolute number and the relative number of user interface
Authen: Whether the authentication passes
Author: Command line authorization flag
--------------------------------------------------------------------------------
User-Intf Delay Type Network Address Authen Author Username
--------------------------------------------------------------------------------
34 VTY 0 16:07:36 TEL 10.135.34.246 pass yes root123
35 VTY 1 00:00:00 TEL 10.135.37.80 pass yes root123
36 VTY 2 24:03:21 TEL 10.135.32.164 pass yes root123
* 37 VTY 3 23:33:44 TEL 10.135.23.55 pass yes root123
Table 3-15 Description of the display users command output
Item Description
* Current user interface. If the all parameter is specified,
information about user interfaces that have login users is
displayed.
User-Intf The number in the first column indicates the absolute
number of the user interface, and the number in the second
column indicates the relative number of the user interface.
● CON: indicates that the user logs in to the device through
the console interface.
● VTY: indicates that the user logs in to the device using
Telnet or STelnet.
● NCA: indicates that the user logs in to the device using
NETCONF.
Delay Interval from the user's latest input to the current time, in
seconds.
Type Connection type. If the all parameter is specified and this
field is empty, the user interface is not used. If the all
parameter is not specified:
● An empty field or -- indicates the console type.
● TEL indicates the Telnet type.
● SSH indicates the SSH type.
Network ● Console user interface: The value is the slot ID of the main
Address control card.
● VTY user interface: The value is the IP address of the login
user.
Username User name for logging in to the device. If the user name is
not specified, Unspecified is displayed.
Authen Whether the authentication succeeds.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 119
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Item Description
Author Command line authorization status.
● yes: Command line authentication is enabled.
● no: Command line authentication is disabled.
3.5.11 display vty ip-block vty-password-mode all
Function
The display vty ip-block vty-password-mode all command displays all IP
addresses that fail to be authenticated.
Format
display vty ip-block vty-password-mode all
Parameters
None
Views
All views
Default Level
3: Management level
Task Name and Operations
Task Name Operations
tty debug
Usage Guidelines
To check IP addresses that fail to be authenticated, run the display vty ip-block
vty-password-mode all command.
Example
# Display all IP addresses that fail to be authenticated.
<HUAWEI> display vty ip-block vty-password-mode all
-------------------------------------------------------------------------------------
IP Address VPN Name State Auth-fail Count
--------------------------------------------------------------------------------------
192.168.10.1 _public_ BLOCKED 6
--------------------------------------------------------------------------------------
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 120
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Table 3-16 Description of the display vty ip-block vty-password-mode all
command output
Item Description
IP Address Blocked IP address
VPN Name Name of the VPN to which the blocked IP
address belongs
State State of an IP address
● BLOCKED: The IP address is blocked.
● AUTH FAILED: The IP address fails to be
authenticated.
Auth-fail Count Number of IP address authentication failures
in the latest 5 minutes
3.5.12 display vty ip-block vty-password-mode list
Function
The display vty ip-block vty-password-mode list command displays IP addresses
that are blocked due to authentication failures.
Format
display vty ip-block vty-password-mode list
Parameters
None
Views
All views
Default Level
3: Management level
Task Name and Operations
Task Name Operations
tty read
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 121
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Usage Guidelines
To check information, such as the remaining block time, about IP addresses that
are blocked due to authentication failures, run the display vty ip-block vty-
password-mode list command.
Example
# Display IP addresses that are blocked due to authentication failures.
<HUAWEI> display vty ip-block vty-password-mode list
-------------------------------------------------------------------------------------
IP Address VPN Name UnBlock Interval(Seconds)
-------------------------------------------------------------------------------------
192.168.10.1 _public_ 36
-------------------------------------------------------------------------------------
Table 3-17 Description of the display vty ip-block vty-password-mode list
command output
Item Description
IP Address Blocked IP address
VPN Name Name of the VPN to which the blocked IP
address belongs
UnBlock Interval(Seconds) Remaining block time after which the IP
address will be unblocked
3.5.13 flow-control
Function
The flow-control command configures a flow control mode.
The undo flow-control command restores the default flow control mode.
By default, the flow control mode is set to none, indicating that traffic is not
controlled.
Format
flow-control { hardware | none | software }
undo flow-control
Parameters
Parameter Description Value
hardware Implements hardware-based flow control. -
none Implements no flow control. -
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 122
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
software Implements software-based flow control. -
Views
Console user interface view
Default Level
2: Configuration level
Task Name and Operations
Task Name Operations
tty write
Usage Guidelines
The configuration is valid only when the serial port works in the console user
interface view.
Example
# In the console user interface view, configure software-based flow control.
<HUAWEI> system-view
[~HUAWEI] user-interface console 0
[*HUAWEI-ui-console0] flow-control software
3.5.14 kill user-interface
Function
The kill user-interface command disconnects the device from a specified user
interface.
Format
kill user-interface { ui-number | ui-type ui-number1 }
Parameters
Parameter Description Value
ui-number Specifies the absolute The value is an integer ranging from 0 to
number of a user 164. The value varies according to the device
interface. type.
ui-type Specifies the type of The value can be RPC, NCA, Console, and
a user interface. VTY.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 123
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
ui-number1 Specifies the relative ● If the ui-type is console, the value of ui-
number of a specified number is 0.
user interface. ● If the ui-type is vty, the value of ui-
number is 0 to 20.
● If the ui-type is nca, the value of ui-
number is 0 to 4.
● If the ui-type is rpc, the value of ui-
number is 0 to 14.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If a user logs in to the device and does not perform any operation or you want to
forbid a user from performing operations on the device, you can run the kill user-
interface command to delete a specified user. After the command is executed, the
user logs out from the device.
Precautions
The kill user-interface command cannot be executed on the current user
interface. If the current user interface is VTY 2, the kill user-interface vty 2 fails
to be executed.
Example
# Disconnect the VTY3 user's terminal from the device.
<HUAWEI> kill user-interface vty 3
Warning: User interface VTY3 will be freed. Do you want to continue? [Y/N]:y
Info: User interface VTY3 is free.
3.5.15 history-command max-size
Function
The history-command max-size command sets the size of the historical
command buffer.
The undo history-command max-size command restores the default size of the
historical command buffer.
By default, a maximum of 10 previously-used commands can be saved in the
buffer.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 124
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Format
history-command max-size size-value
undo history-command max-size
Parameters
Parameter Description Value
size-value Specifies the size of the historical The value is an integer ranging
command buffer. from 0 to 256.
Views
User interface view
Default Level
3: Management level
Usage Guidelines
The CLI can automatically save the historical commands that you enter. This
function is similar to that of Doskey. You can invoke and run the historical
commands at any time.
Example
# Set the size of the historical command buffer to 20.
<HUAWEI> system-view
[~HUAWEI] user-interface console 0
[~HUAWEI-ui-console0] history-command max-size 20
3.5.16 idle-timeout
Function
The idle-timeout command sets the timeout duration for disconnection from a
user interface.
The undo idle-timeout command restores the default timeout duration.
By default, the timeout duration is 10 minutes in vty user interface view, and 5
minutes in console user interface view.
Format
idle-timeout minutes [ seconds ]
undo idle-timeout
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 125
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Value
minutes Specifies the idle The value is an integer that ranges from 0
timeout duration, in to 35791 in the VTY user interface view
minutes. and from 1 to 1440 in the console user
interface view, in minutes.
seconds Specifies the idle The value is an integer ranging from 0 to
timeout duration, in 59, in seconds.
seconds.
Views
User interface view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If a user logs in to the device and does not perform an operation, the user
interface is occupied unnecessarily. You can run the idle-timeout command to
disconnect the user's terminal from the device.
Precautions
● If you set the time to zero, then the line connection remains alive until you
close it.
● If the user interface disconnection function is not configured, other users may
fail to log in to the device.
● If the idle timeout interval is set to 0 or a large value, the terminal will remain
in the login state, resulting in security risks. You are advised to run the lock
command to lock the current connection.
● You are advised to set the timeout duration to 10-15 minutes.
● In versions earlier than V200R002C50, the timeout period configured using
the idle-timeout command for a user connection in the console user interface
view ranges from 0 to 35791. If the timeout period is set to 0 minutes or is
greater than 1440 minutes in a version earlier than V200R002C50, it is
automatically set to 1440 minutes after the system software is upgraded to
V200R002C50 or a later version.
Example
# Set the timeout duration to 1 minute and 30 seconds.
<HUAWEI> system-view
[~HUAWEI] user-interface console 0
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 126
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
[~HUAWEI-ui-console0] idle-timeout 1 30
3.5.17 ip-block vty-password-mode disable
Function
The ip-block vty-password-mode disable command disables the function of
blocking IP addresses in VTY access scenarios.
The undo ip-block vty-password-mode disable command restores the default
configuration.
By default, the function of blocking IP addresses in VTY access scenarios is
enabled.
Format
ip-block vty-password-mode disable
undo ip-block vty-password-mode disable
Parameters
None
Views
Security password view
Default Level
3: Management level
Task Name and Operations
Task Name Operations
tty write
Usage Guidelines
If the function of blocking IP addresses in VTY access scenarios is enabled, the
device blocks IP addresses that fail to be authenticated and rejects VTY access
requests that use the blocked IP addresses. The device also records the blocked IP
addresses in a list.
After the function is disabled, the device deletes the blocked IP addresses from the
list and does not record new IP addresses that fail to be authenticated. To disable
the function, run the ip-block vty-password-mode disable command.
Example
# Disable the function of blocking IP addresses in VTY access scenarios.
<HUAWEI> system-view
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 127
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
[~HUAWEI] security password
[*HUAWEI-security-password] ip-block vty-password-mode disable
Warning: It is not recommended to disable ip block feature. This operation may result in system becoming
vulnerable to security threats.
# Enable the function of blocking IP addresses in VTY access scenarios.
<HUAWEI> system-view
[~HUAWEI] security password
[*HUAWEI-security-password] undo ip-block vty-password-mode disable
3.5.18 mmi-mode enable
Function
The mmi-mode enable command enters the machine-to-machine mode.
The undo mmi-mode enable command enters the human-to-machine mode.
By default, a VTY user is in human-to-machine mode.
Format
mmi-mode enable
undo mmi-mode enable
Parameters
None
Views
User view
Default Level
1: Monitoring level
Usage Guidelines
After you enter the machine-to-machine mode using the mmi-mode enable
command, the command output is displayed in one screen.
After you enter the machine-to-machine mode using the mmi-mode enable
command, some important commands that you need to use with caution can be
used directly. In human-to-machine mode, use this command with caution.
Example
# Enter the machine-to-machine mode.
<HUAWEI> mmi-mode enable
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 128
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3.5.19 parity
Function
The parity command sets the check bit of a user interface.
The undo parity command restores the default check bit of a user interface.
By default, no check is performed.
Format
parity { even | mark | none | odd | space }
undo parity
Parameters
Parameter Description Value
even Sets the transmission check bit to even parity. -
mark Sets the transmission check bit to mark check. -
none Sets the transmission check bit to no check. -
odd Sets the transmission check bit to odd parity. -
space Sets the transmission check bit to space check. -
Views
Console user interface view
Default Level
2: Configuration level
Task Name and Operations
Task Name Operations
tty write
Usage Guidelines
By default, no transmission check is performed. To prevent transmission errors, run
the parity command to configure the check bit of the specified user interface to
improve data transmission correctness.
Example
# Set the transmission check bit on the console port to odd parity.
<HUAWEI> system-view
[~HUAWEI] user-interface console 0
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 129
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
[*HUAWEI-ui-console0] parity odd
3.5.20 protocol inbound
Function
The protocol inbound command specifies the protocols that the VTY user
interface supports.
The undo protocol inbound command restores the default protocols that the VTY
user interface supports.
By default, the system supports all protocols.
Format
protocol inbound { all | ssh | telnet }
undo protocol inbound
Parameters
Parameter Description Value
all Indicates that all protocols including SSH and Telnet are -
supported.
ssh Indicates that only SSH is supported. -
telnet Indicates that only Telnet is supported. -
Views
VTY user interface view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To manage and monitor login users, configure the VTY user interface for login
users and run the protocol inbound command to configure the protocols that the
VTY user interface supports.
Prerequisites
If SSH is configured for the user interface using the protocol inbound command,
you must configure the authentication-mode aaa authentication mode to ensure
successful logins. If the password authentication mode is configured, the protocol
inbound ssh command cannot be executed.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 130
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Precautions
● The configuration takes effect at the next login.
● Telnet is an insecure protocol. Using SSH is recommended.
● When SSH is specified for the VTY user interface, if the SSH server has been
enabled and the RSA/DSA/ECC key is not configured then the users can log in
to the SSH server using temporary key.
NOTE
To ensure high security, do not use the RSA algorithm whose length is less than 2048
digits.
Example
# Configure SSH for user interfaces VTY0 to VTY4.
<HUAWEI> system-view
[~HUAWEI] user-interface vty 0 4
[~HUAWEI-ui-vty0-4] authentication-mode aaa
[*HUAWEI-ui-vty0-4] protocol inbound ssh
3.5.21 screen-length
Function
The screen-length command sets the number of lines on each terminal screen
after you run a command.
The undo screen-length command restores the default configuration.
By default, the number of lines to be displayed on a terminal screen is 24.
Format
In the user interface view:
screen-length screen-length [ temporary ]
undo screen-length [ temporary ]
In the user view:
screen-length screen-length temporary
undo screen-length temporary
Parameters
Parameter Description Value
screen-length Specifies the number of lines The value is an integer that
displayed on a terminal screen. ranges from 0 to 512. The value
0 indicates that all command
output is displayed on one
screen.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 131
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
temporary Specifies the number of lines -
temporarily displayed on a
terminal screen.
Views
User interface view, user view
Default Level
3: Management level
Usage Guidelines
If you run a command and its output is displayed in more lines than you can see
on one screen, you can reduce the number of lines displayed on each screen.
In general, you do not need to change the number of lines displayed on each
screen. Setting the number of lines to 0 is not recommended. The configuration
takes effect after you log in to the system again.
NOTE
In the user view, the temporary parameter is mandatory and this command is at the
Management level.
Example
# Set the number of lines on each screen of the terminal to 30.
<HUAWEI> system-view
[~HUAWEI] user-interface console 0
[~HUAWEI-ui-console0] screen-length 30
3.5.22 set authentication password
Function
The set authentication password command configures a local authentication
password.
The undo set authentication password command cancels the local
authentication password.
By default, the local authentication password is not configured for the device.
Format
set authentication password [ cipher password ]
undo set authentication password
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 132
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Value
cipher Specifies the ● When cipher is not entered, password input is
password password for in man-machine interaction mode, and the
the user system does not display the entered password.
interface. The password is a string of 8 to 16 case-
sensitive characters. The password must contain
at least two of the following characters: upper-
case character, lower-case character, digit, and
special character.
Special character except the question mark (?)
and space. However, when double quotation
marks are used around the password, spaces
are allowed in the password.
– Double quotation marks cannot contain
double quotation marks if spaces are used in
a password.
– Double quotation marks can contain double
quotation marks if no space is used in a
password.
For example, the password "a123"45"" is valid,
but the password "a 123"45"" is invalid.
● When cipher is entered, the password is
displayed in either plaintext or ciphertext
during input.
– When being input in plaintext, the password
requirements are the same as those when
cipher is not entered. When you input a
password in simple text, the system displays
the password in simple text mode, which
brings risks.
– When being input in ciphertext, the
password must be a string of 48 to 128
consecutive characters.
The password is displayed in ciphertext in the
configuration file regardless of whether it is
input in plaintext or cipher text.
Views
User interface view
Default Level
3: Management level
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 133
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Usage Guidelines
Usage Scenario
If password authentication is configured for users, you can run the set
authentication password command to change the password or set a password in
cipher text.
If cipher password is not specified, the password is entered in interactive mode
and can contain 8 to 16 characters. The requirements for the password are the
same as the requirements for the plaintext password when you specify the cipher
password. The password you enter will not be displayed on the screen.
NOTE
If you enter the plaintext password when specifying cipher password, security risks exist.
The interactive mode is recommended when users enter the password.
Pre-configuration Tasks
Before running the set authentication password command, run the
authentication-mode password command to set the authentication mode of the
user interface to password authentication; otherwise, the set authentication
password command cannot be configured.
Precautions
● If a password in cipher text is configured, users must obtain the password in
plain text that is required for identity authentication.
● If the password authentication is configured but the password is not
configured for the user interface, the user cannot log in to the device.
● If the set authentication password command is executed multiple times, the
latest configuration overrides the previous ones. You can run the set
authentication password command to change the local authentication
password. After the password is changed, a user who wants to log in to the
device must enter the latest password for identity authentication.
● Users can press CTRL_C to cancel password modification in the interaction
mode.
Example
# Set the local authentication password for the user interfaces VTY 0-4.
<HUAWEI> system-view
[~HUAWEI] user-interface vty 0 4
[~HUAWEI-ui-vty0-4] set authentication password
Warning: The "password" authentication mode is not secure, and it is strongly recommended to use "aaa"
authentication mode.
Please configure the login password (8-16)
Enter Password:
Confirm Password:
[*HUAWEI-ui-vty0-4]
# Set the local authentication password for the user interfaces VTY 0-4.
<HUAWEI> system-view
[~HUAWEI] user-interface vty 0 4
[~HUAWEI-ui-vty0-4] set authentication password cipher Huawei@123
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 134
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3.5.23 shell
Function
The shell command enables terminal services on a user interface.
The undo shell command disables terminal services on a user interface.
By default, terminal services are enabled on all user interfaces.
Format
shell
undo shell
Parameters
None
Views
VTY user interface view
Default Level
3: Management level
Usage Guidelines
You can use the shell command on a user interface to enable terminal services.
This command enables users to enter commands through this interface to query
device information and configure the device.
You can use the undo shell command on the user interface to disable terminal
services. This command does not allow users to perform any operations through
this interface. After using the undo shell command in the VTY view, this user
interface does not provide Telnet and STelnet access.
NOTE
The console user interface does not support this command.
Example
# Disable terminal services on VTY 0 to VTY 4.
<HUAWEI> system-view
[~HUAWEI] user-interface vty 0 4
[~HUAWEI-ui-vty0-4] undo shell
Warning: ui-vty0-4 will be disabled. Do you want to continue? [Y/N]:y
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 135
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3.5.24 speed (user interface view)
Function
The speed command sets the baud rate of a user interface.
The undo speed command restores the default baud rate of a user interface.
By default, the baud rate is 9600 bit/s.
Format
speed speed-value
undo speed
Parameters
Parameter Description Value
speed-value Specifies the baud rate The value is expressed in bit/s.
of a user interface.
The asynchronous serial interface supports
the following baud rates:
● 1200
● 2400
● 4800
● 9600
● 19200
● 38400
● 57600
● 115200
Views
Console user interface view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When a user logs in to the switch through the console interface, the baud rate on
the HyperTerminal must be the same as that configured on the switch; otherwise,
the user cannot log in to the switch.
The setting is valid only when the serial port is configured to work in
asynchronous mode.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 136
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Precautions
In V200R003C00, this command does not take effect on all switches before the
V200R003SPH005 patch is loaded, and users log in to the switch through the
serial interface using the default baud rate 9600 bit/s. After the V200R003SPH005
patch is loaded, all baud rates can be configured on the CE6870-24S6CQ-EI and
CE6870-48S6CQ-EI, the speed 300 or speed 600 command does not take effect
on the CE8850-32CQ-EI, and you are advised to configure other baud rates on the
CE8850-32CQ-EI. For other switches excluding the preceding two models, this
command does not take effect, and users log in to the switch through the serial
interface using the default baud rate 9600 bit/s.
In V200R002C50:
● For switches excluding the CE6860EI, CE6870-48T6CQ-EI, CE8850-32CQ-EI,
CE6880EI, CE5810EI, and CE5850HI, this command does not take effect before
the V200R002C50SPH012 patch is loaded, and users log in to the switch
through the serial interface using the default baud rate 9600 bit/s; all baud
rates can be configured after the V200R002C50SPH012 patch is installed.
● For the CE6860EI, CE6870-48T6CQ-EI, and CE8850-32CQ-EI, this command
does not take effect before the V200R002C50SPH013 patch is loaded, and
users log in to the switch through the serial interface using the default baud
rate 9600 bit/s; after the V200R002C50SPH013 patch is loaded, the speed 300
or speed 600 command does not take effect, and you are advised to
configure other baud rates.
● For the CE6880EI, CE5810EI, and CE5850HI, this command does not take
effect and users log in to the switch through the serial interface using the
default baud rate 9600 bit/s.
In V200R001C00 and earlier versions, the speed 300 or speed 600 command does
not take effect on the CE5810EI and CE5850HI, and you are advised to use other
baud rates.
To prevent the problem:
● When a switch is upgraded from V200R001C00 or an earlier version to
V200R002C50, you are advised to perform the upgrade with the
V200R002C50SPH013 patch. Otherwise, users can only log in to the switch
through the serial interface using the default baud rate after the upgrade. The
CE6880EI, CE5810EI and CE5850HI do not support this patch. When the
CE6880EI, CE5810EI or CE5850HI is upgraded to V200R002C50 or
V200R003C00, users can only log in to the switch through the serial interface
using the default baud rate.
● If a switch is upgraded from V200R003C00 or an earlier version to V200R005
or a later version and the speed 300 or speed 600 command is configured
before the upgrade, the configuration may be lost after the upgrade and you
need to configure the baud rate again.
Example
# Set the baud rate of a user interface to 115200 bit/s.
<HUAWEI> system-view
[~HUAWEI] user-interface console 0
[~HUAWEI-ui-console0] speed 115200
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 137
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3.5.25 ssh server ip-block disable
Function
The ssh server ip-block disable command disables an SSH server from locking
client IPv4 or IPv6addresses.
The undo ssh server ip-block disable command enables an SSH server to lock
client IPv4 and IPv6 addresses.
By default, an SSH server is enabled to lock client IP addresses.
Format
ssh server ip-block disable
undo ssh server ip-block disable
Parameters
None
Views
System view
Default Level
3: Management level
Task Name and Operations
Task Name Operations
ssh-server write
Usage Guidelines
● If an SSH server is enabled to lock client IP addresses, locked client IP
addresses fail to pass authentication and are displayed in the display ssh
server ip-block list command output.
● If an SSH server is disabled from locking client IP addresses, the display ssh
server ip-block list command does not display any client IP address that is
locked because of authentication failures.
● The operation to disable an SSH server from locking client IP addresses poses
system risks and is thereby not recommended.
Example
# Disable an SSH server from locking client IP addresses.
<HUAWEI> system-view
[~HUAWEI] ssh server ip-block disable
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 138
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Warning: It is not recommended to disable IP block feature. This operation may result in system becoming
vulnerable to security threats.
# Enable an SSH server to lock client IP addresses.
<HUAWEI> system-view
[~HUAWEI] undo ssh server ip-block disable
3.5.26 stopbits
Function
The stopbits command sets the stop bit of a user interface.
The undo stopbits command restores the default stop bit of a user interface.
By default, the stop bit is 1.
Format
stopbits { 1.5 | 1 | 2 }
undo stopbits
Parameters
Parameter Description Value
1.5 Sets the stop bit to 1.5. -
1 Sets the stop bit to 1. -
2 Sets the stop bit to 2. -
Views
Console user interface view
Default Level
3: Management level
Usage Guidelines
When a user logs in to the switch through the console interface, the stop bit on
the HyperTerminal must be the same as that configured on the switch; otherwise,
the user cannot log in to the switch.
The stop bit and the data bit configured using the databits command are related.
● If the stop bit is 1, the corresponding data bit is 8.
● If the stop bit is 1.5, the corresponding data bit is 5.
● If the stop bit is 2, the corresponding data bit is 6, 7, or 8.
The setting is valid only when the serial port is configured to work in
asynchronous mode.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 139
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Example
# Set the stop bit of a user interface to 2.
<HUAWEI> system-view
[~HUAWEI] user-interface console 0
[~HUAWEI-ui-console0] stopbits 2
3.5.27 user privilege
Function
The user privilege command configures the user level.
The undo user privilege command restores the default user level.
By default, the command level for the console port on the user interface is 15
when the command-privilege level rearrange command is run, while is 3 when
the command-privilege level rearrange command is not run, and other users are
at level 0.
Format
user privilege level level
undo user privilege level
Parameters
Parameter Description Value
level level Specifies the If the command-privilege level rearrange
user level. command is configured, the value of level ranges
from 0 to 15.
NOTE
The larger the If the command-privilege level rearrange
value, the command is not configured, the value of level
higher the ranges from 0 to 3.
priority.
NOTE
If the command-privilege level rearrange command
configuration is changed, the value of level changes
based on the level mapping.
● If the command-privilege level rearrange command
configuration is added, the levels of level-0 and
level-1 commands remain unchanged, the level of
level-2 commands is upgraded to 10, and that of
level-3 commands is upgraded to 15.
● If the command-privilege level rearrange command
configuration is deleted, the level of level-0
commands remains unchanged, the levels of level-1 to
level-9 commands are downgraded to 1, the levels of
level-10 to level-14 commands are downgraded to 2,
and the level of level-15 commands is downgraded to
3.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 140
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Views
User interface view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The system manages users at levels to control their access permissions. Users who
log in to the device can use only commands at the same or lower level than their
own levels.
Commands are classified into the visit level, monitoring level, configuration level,
and management level that map levels 0, 1, 2, and 3 without command-privilege
level rearrange, as listed in Table 3-18.
Table 3-18 Relationship between command levels and user levels
User Command Description
Level Level
0 Visit Commands of this level include network diagnosis tool
level(0) commands (such as ping and tracert), commands for
accessing external devices from the local device (such as
Telnet) and some display commands.
1 Visit Commands of this level are used for system
level(0), maintenance, including display commands.
Monitoring NOTE
level(1) Some display commands are not at this level. For example, the
display current-configuration and display saved-
configuration commands are at level 3. For details about
command levels, see the CloudEngine 8800, 7800, 6800, and
5800 Series SwitchesCommand Reference.
2 Visit Commands of this level are used for service configuration
level(0), to provide direct network services, including routing
Monitoring commands and commands of each network layer.
level(1),
Configurati
on level(2)
3 Visit Commands of this level are used for basic system
level(0), operations, including file system, FTP, TFTP download,
Monitoring user management, command level configuration, and
level(1), debugging.
Configurati
on level(2),
Manageme
nt level(3)
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 141
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
If the command level configured for a user interface conflicts with that of a user,
the command level of the user takes precedence. For example, if the user 001 can
use commands at level 3 and the command level configured for the user interface
VTY 0 is 2, the user 001 can use commands at level 3 and lower levels when
logging in to the system through the user interface VTY 0.
You can run the display user-interface command to view detailed information
about a user interface.
Precautions
If refined right management is required, run the command-privilege level
command to upgrade command levels.
In versions earlier than V100R006C00, the user level ranges from 0 to 15. If the
system software is upgraded to V100R006C00 or a later version, and the
command-privilege level command is not configured, the levels of level-0 and
level-1 users remain unchanged, and those of level-3 to level-15 users change to
3.
Example
# Set the user level on the VTY0 user interface to 2.
<HUAWEI> system-view
[~HUAWEI] user-interface vty 0
[~HUAWEI-ui-vty0] user privilege level 2
[*HUAWEI-ui-vty0] commit
3.5.28 user-interface
Function
The user-interface command displays one or more user interface views.
Format
user-interface ui-type first-ui-number [ last-ui-number ]
Parameters
Parameter Description Value
ui-type The value can be console
Specifies the type of a user interface.
or vty.
first-ui- Specifies the number of the first user ● If ui-type is set to
number interface. console, the first-ui-
number value is 0.
● If ui-type is set to vty,
the first-ui-number
value ranges from 0
to the maximum
number of VTY user
interfaces.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 142
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
last-ui- Specifies the number of the last user -
number interface. When you select this
parameter, you enter multiple user
interface views at the same time.
This parameter is valid only when ui-
type is set to VTY. The last-ui-number
value must be larger than the first-ui-
number number.
If the maximum number of VTY users
has been set using the user-interface
maximum-vty command in the system
view before ui-type is selected, the last-
ui-number value is less than or equal to
the maximum number of VTY user
interfaces minus one.
Views
System view
Default Level
3: Management level
Usage Guidelines
When the network administrator logs in to the device using the console interface,
Telnet, or SSH, the system manages and monitors the session between the user
and the device on the corresponding user interface. Each user interface
corresponds a user interface view. The network administrator can set parameters
such as authentication and user level to manage sessions in a unified manner.
After you log in to the device, you can run the display user-interface command
to view the supported user interfaces and the corresponding relative.
Example
# Enter the Console 0 user interface.
<HUAWEI> system-view
[~HUAWEI] user-interface console 0
[~HUAWEI-ui-console0]
# Enter the VTY 1 user interface.
<HUAWEI> system-view
[~HUAWEI] user-interface vty 1
[~HUAWEI-ui-vty1]
# Enter the VTY 1 to VTY 3 user interfaces.
<HUAWEI> system-view
[~HUAWEI] user-interface vty 1 3
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 143
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
[~HUAWEI-ui-vty1-3]
3.5.29 user-interface maximum-vty
Function
The user-interface maximum-vty command configures the maximum number of
login users.
The undo user-interface maximum-vty command restores the default maximum
number of login users.
By default, the maximum number of Telnet and SSH (STelnet) users is 5.
Format
user-interface maximum-vty number
undo user-interface maximum-vty
Parameters
Parameter Description Value
number Specifies the maximum number of The value is an integer ranging
Telnet and SSH users. from 0 to 21.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The user-interface maximum-vty command configures the maximum number of
login users. If the VTY channels are fully occupied after the configuration is
committed, new connections are not allowed and the current users are not
terminated.
Precautions
● The maximum number of login users set by the user-interface maximum-vty
command is the total number of Telnet and SSH (STelnet) users.
● If the maximum number of login users is set to 0, no user is allowed to log in
to the device using Telnet or SSH.
Example
# Set the maximum number of Telnet users to 7.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 144
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
<HUAWEI> system-view
[~HUAWEI] user-interface maximum-vty 7
3.5.30 user-interface vty security-policy disable
Function
The user-interface vty security-policy disable command disables the VTY user
interface's security policy.
The undo user-interface vty security-policy disable command enables the VTY
user interface's security policy.
By default, the VTY user interface's security policy is enabled.
Format
user-interface vty security-policy disable
undo user-interface vty security-policy disable
Parameters
None
Views
System view
Default Level
3: Management level
Task Name and Operations
Task Name Operations
tty write
Usage Guidelines
The undo user-interface vty security-policy disable command clears a user
authentication request that has been pending for a long time to access the VTY
user interface. For example, if the number of existing user authentication requests
has already reached the upper limit but a new authentication request is received,
the system clears the authentication request of the user that fails to pass the
authentication within 15 seconds and starts authenticating the new user.
The user-interface vty security-policy disable command cannot clear any user
authentication request that has been pending for a long time to access the VTY
user interface.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 145
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
NOTE
It is recommended that you enable the security policy to harden the VTY user interface's
security.
Example
# Disable the VTY user interface's security policy.
<HUAWEI> system-view
[~HUAWEI] user-interface vty security-policy disable
3.6 User Login Configuration Commands
3.6.1 configuration exclusive
Function
The configuration exclusive command locks the current system configuration.
When the system configuration is locked, the user who locks it can query and
modify the configuration while other users can only query the configuration.
The undo configuration exclusive command unlocks the system configuration.
By default, the system configuration is unlocked.
Format
configuration exclusive
undo configuration exclusive
Parameters
None
Views
All views
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
The device allows simultaneous access and configuration by multiple users, which
may cause configuration conflicts and service exceptions. To prevent service
exceptions, run this command to lock and modify the configuration while allowing
other users to only query the configuration.
To unlock the configuration, do either of the following:
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 146
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
● Run the undo configuration exclusive command.
● Do not modify the configuration in the configured maximum lock interval.
The system then automatically unlocks the configuration. To configure the
maximum lock interval, run configuration exclusive timeout.
Precautions
● After you run the configuration exclusive command, other users cannot
modify the system configuration, so confirm your action before running this
command.
● Before you run the configuration exclusive command, run the configuration
exclusive timeout command to configure the maximum lock interval so that
the system can automatically unlock the configuration after this interval.
● Only one user can lock the configuration at a time. After the user logs out,
the configuration is unlocked automatically.
Example
# Lock the current system configuration.
<HUAWEI> configuration exclusive
# Unlock the system configuration.
<HUAWEI> undo configuration exclusive
3.6.2 client ssl-policy (HTTP view)
Function
The client ssl-policy command configures an SSL policy for an HTTP client.
The undo client ssl-policy command deletes the SSL policy on an HTTP client.
By default, no SSL policy is configured on an HTTP client.
Format
client ssl-policy policy-name
undo client ssl-policy
Parameters
Parameter Description Value
policy-name Specifies the name of an SSL The name of an SSL policy must
policy. already exist.
Views
HTTP view
Default Level
3: Management level
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 147
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Usage Guidelines
Usage Scenario
Legacy HTTP does not have any security mechanism. It transmits data in simple
text and does not verify the identities of communicating parties. Therefore, data
transmitted over HTTP may be tampered with. In applications that require high
security, such as e-commerce and online banking, HTTP is inapplicable. To
enhance security, run the client ssl-policy command to configure an SSL policy for
an HTTP client.
Configuration Impact
HTTP security is enhanced with the SSL security mechanisms, such as data
encryption, identity verification, and message integrity check.
Prerequisites
1. An SSL policy has been created and the SSL policy view is displayed using the
ssl policy command in the system view.
2. A digital certificate or certificate chain has been loaded using the certificate
load command in the SSL policy view.
Precautions
An HTTP client can only have one SSL policy configured. If the client ssl-policy
command is run more than once, the latest configuration overrides the previous
one.
Example
# Configure an SSL policy named policy1 for an HTTP client.
<HUAWEI> system-view
[~HUAWEI] ssl policy policy1
[*HUAWEI-ssl-policy-policy1] certificate load pem-cert a_servercertchain2_pem_dsa.pem key-pair dsa
key-file a_serverkeychain2_pem_dsa.pem auth-code cipher 123456
[*HUAWEI-ssl-policy-policy1] commit
[~HUAWEI-ssl-policy-policy1] quit
[~HUAWEI] http
[*HUAWEI-http] client ssl-policy policy1
3.6.3 client ssl-verify peer (HTTP view)
Function
The client ssl-verify peer command configures an HTTP client to perform SSL
verification on HTTP servers.
The undo client ssl-verify command disables an HTTP client from performing SSL
verification on HTTP servers.
By default, an HTTP client does not perform SSL verification on HTTP servers.
Format
client ssl-verify peer
undo client ssl-verify
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 148
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
None
Views
HTTP view
Default Level
3: Management level
Task Name and Operations
Task Name Operations
https write
Usage Guidelines
Usage Scenario
To configure an HTTP client to perform SSL verification on HTTP servers, run the
client ssl-verify peer command. After the HTTP client is granted an SSL digital
certificate by a server, the client can verify the validity of the server. This prevents
the client from accessing invalid servers, enhancing security.
Precautions
This command takes effect only if the client ssl-policy command has also been
run to configure an SSL policy for the client.
Example
# Configure an HTTP client to perform SSL verification on HTTP servers.
<HUAWEI> system-view
[~HUAWEI] http
[*HUAWEI-http] client ssl-verify peer
3.6.4 configuration exclusive by-user-name
Function
The configuration exclusive by-user-name command enables a user to lock the
system configuration.
The undo configuration exclusive by-user-name command enables a user to
unlock the system configuration.
By default, the system configuration is not locked.
Format
configuration exclusive by-user-name user-name
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 149
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
undo configuration exclusive by-user-name user-name
Parameters
Parameter Description Value
user-name Specifies the name of a user. The value is a string of 1 to 253
characters.
Views
System view
Default Level
3: Management level
Task Name and Operations
Task Name Operations
config debug
Usage Guidelines
Usage Scenario
Multiple users can access a device and manage it. A user can be a controller or
another type of user. If the configuration of a forwarder is modified by a non-
controller user, the configurations of the controller and forwarder may be
inconsistent. The configuration exclusive by-user-name command can be used
to specify the controller to lock the system configuration of a forwarder to avoid
the inconsistency.
When multiple users manage a device at the same time, you can specify a user to
lock the device. Only this user can modify the device configuration, while others
cannot.
Configuration Impact
After the system configuration is locked by a user, only this user can perform
configuration operations. Other users can view, edit, maintain, and save the
configuration but cannot commit the configuration. If another user needs to
commit the configuration, run the undo configuration exclusive by-user-name
user-name command to unlock the configuration first.
When this command is run, ensure that the user-name value is that specified
when the configuration exclusive by-user-name command is run.
Precautions
● Only one user can lock the system configuration at a time.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 150
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
● The user that runs the configuration exclusive by-user-name user-name
command to lock the system configuration can be different from the user-
name in this command.
For example, User-A can run the configuration exclusive by-user-name
User-B command to specify User-B to lock the system configuration.
● Only users of the management user level can lock and unlock the system
configuration. Users of the management user level include:
– Users of levels 3 to 15 when the command-privilege level rearrange
command configuration exists
– Users of level 3 when the command-privilege level rearrange command
configuration does not exist
● The configuration exclusive by-user-name command locks the device
configuration based on the user name. Only the same user name can be used
to unlock the device. The configuration exclusive command locks a device
based on the session. The device can be unlocked only by the current session.
After the session is logged out, the device is unlocked automatically.
Example
# Enable user root123 to lock the system configuration.
<HUAWEI> system-view
[~HUAWEI] configuration exclusive by-user-name root123
3.6.5 configuration exclusive timeout
Function
The configuration exclusive timeout command sets the timeout period before
the system automatically unlocks the configuration set.
The undo configuration exclusive timeout command restores the default
timeout period.
By default, the timeout period is 30 seconds.
Format
configuration exclusive timeout timeout-value
undo configuration exclusive timeout
Parameters
Parameter Description Value
timeout-value Specifies the timeout period The value is an integer ranging
before the system from 1 to 7200, in seconds. By
automatically unlocks the default, the timeout period is 30
configuration set. seconds.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 151
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Views
System view
Default Level
3: Management level
Usage Guidelines
Running the configuration exclusive timeout command can set an allowable
maximum period when no commands are delivered by the user that locks the
configuration set. After the timeout period expires, the configuration set is
automatically unlocked and other users can normally run commands.
You can run the configuration exclusive timeout command in one of the
following scenarios:
● When a user without configuration access runs this command, the system
prompts an error message.
● If the configuration set is locked by another user, this command becomes
invalid, and the system prompts an error message when the command is run.
● If the configuration set is locked by the current user, the current user can run
this command.
NOTE
When running the configuration exclusive timeout command, note that:
● If the timeout period is too short, the configuration set is unlocked after a short period
during which no command is run by the user that locks the configuration set.
● If the timeout period is too long, the configuration set remains locked and other users
cannot obtain configuration access for a long period during which no command is run
by the user that locks the configuration set.
● After this command is run, all users (except the user that runs this command) cannot
configure commands because the configuration set is locked.
Example
# Set the timeout period before the system automatically unlocks the
configuration set to 120 seconds.
<HUAWEI> system-view
[~HUAWEI] configuration exclusive timeout 120
3.6.6 display configuration exclusive by-user-name
Function
The display configuration exclusive by-user-name command displays lock
information of the system configuration locked based on user name.
Format
display configuration exclusive by-user-name
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 152
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
None
Views
All views
Default Level
3: Management level
Task Name and Operations
Task Name Operations
config read
Usage Guidelines
To view system configuration lock information, run the display configuration
exclusive by-user-name command. The command output includes the name of a
user who locks or unlocks the system configuration, time when the system
configuration is locked or unlocked, and lock ID.
If no system configuration is locked, no command output is displayed after the
display configuration exclusive by-user-name command is run.
Example
# Display lock information after the system configuration is locked.
<HUAWEI> display configuration exclusive by-user-name
Lock User Name: root123
Lock Time: 2018-03-07 20:13:31+04:00 DST
Identifier: 13
# Display lock information after the system configuration is unlocked.
<HUAWEI> display configuration exclusive by-user-name
Unlock User Name: root1234
Unlock Time: 2018-03-07 20:14:09+04:00 DST
Table 3-19 Description of the display configuration exclusive by-user-name
command output
Item Description
Lock User Name Name of a user who locks the system
configuration
Lock Time Time when the system configuration is locked
Identifier Lock ID, which is unique
Unlock User Name Name of a user who unlocks the system
configuration
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 153
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Item Description
Unlock Time Time when the system configuration is
unlocked
3.6.7 display configuration exclusive user
Function
The display configuration exclusive user command displays information about
the user that locks the configuration set.
Format
display configuration exclusive user
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
You can run the display configuration exclusive user command to query the user
that obtains configuration access.
Example
# Display the user that locks the configuration set.
<HUAWEI> display configuration exclusive user
User Index: 34
User Session Name: VTY 0
User Name: root
IP Address: 10.135.38.234
Locked Time: 2013-03-06 21:09:36
Last Configuration Time: 2013-03-06 21:09:36
The configuration right was locked and timeout duration is: 30 second(s)
Table 3-20 Description of the display configuration exclusive user command
output
Item Description
User Index Index of a user
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 154
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Item Description
User Session Name Session name of a user, ranging from
VTY0 to VTY20
User Name User name of logging
IP Address IP address of a user, valid for VTY users
only
Locked Time Time when the configuration set is
locked
Last Configuration Time Time when the user runs the last
command
The configuration right was locked and Time when the configuration right is
timeout duration is locked
3.6.8 display dsa key-pair
Function
The display dsa key-pair command displays information about the DSA key pair
with a label.
Format
display dsa key-pair [ brief | label label-name ]
Parameters
Parameter Description Value
brief Displays brief information about all DSA -
key pairs with labels.
label label-name Displays information about the DSA key Label name of the
pair with a specific label. key pair.
Views
All views
Default Level
3: Management level
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 155
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Usage Guidelines
You can run the display dsa key-pair command to check information about the
DSA key pair with a label. The information varies when you specify different
parameters in the command.
● If brief is specified, you can view brief information about all DSA key pairs
with labels.
● If label label-name is specified, you can view information about the DSA key
pair with a specific label.
● When neither label nor brief is specified, you can view information about all
DSA key pairs with labels.
Example
# Display information about all DSA key pairs with labels.
<HUAWEI> display dsa key-pair
=====================================
Label name: abc
Modulus: 2048
Time of Key pair created: 2014-01-13 07:41:46
=====================================
Key :
30820325
02820101
00DEDEBA 5C8244DC B8E69691 7CEFEBC0 B3E6FB60
BE8B9E36 D3E4EB9C D6EB7FD2 10219AC0 F41AD47B
F1EACD43 5D39AFA8 FACB6A78 19305EE1 47E42891
2E60452B 37CA17D6 11C2EE4C 46B4BC77 2654C268
56A99ECF A5D80036 7B31A905 22F13949 6F4182DB
FDAAB599 739AB021 85856A88 1F919736 8B92DBF6
849D1C74 6BA27E12 F98A28E4 B6D0587D 655979A7
505413E9 1EFC961C 3F792096 25CFA8D7 D469FA35
A39E37B6 14047D53 5DCD63AF 3058B3A2 5B79C714
B6326B7D B6067EBF 153CC1A7 20B0E1A7 E39C13FE
B3BA26E6 B052DC5B FFEE7C5C 52148FE6 C240738F
BB8F05D4 16B2B5DD 72E3629B B59244BF 9FA29C4F
CD4EA0EE 501FC669 5D03D68D 519324E4 93
0215
00C6C484 E1F0076B 8AFCAD30 2B98B50A 3A542ABE
BB
02820100
3AC11746 EE959CBD 30F669C5 7E290BC4 7CB5BBFD
96AE9215 7A29C723 72FE8A02 EBED3B76 BE810B42
21AD8D32 F7723F83 59F46B66 FF7805CC 3F86D5D6
5BD424BD 70677EFF 1ACF9B3C CE02CD40 46560DA4
2036205C 6EFAB148 66E6A106 0DF6258B EE31CFE7
4B6C59B4 6FE59A9F BE64F982 EC36A669 FF597FB7
9A56E32E C15A0659 3D17C407 29F587C7 74959017
62B08070 24564B2E E79C6E1D 86793548 76CC662A
1D3DE1D1 2C79E102 C0B10E5C 9C4428B3 AEB93278
26D4CDE5 189A93EA 531E0FF8 2199EF35 DF038976
4538434F F39924F0 5BF17AC8 8E340991 B5EA0A62
A915EE63 F660C092 360C5D2D 796AF230 DB7461F7
C15B6DBA 65C9EFAB 247DB13D 4942E2FF
02820101
00D34DAC 0A625592 F93D3107 E4CBD1BD 731B1EFD
A537588A 206E7B76 8826EE11 EBE93BA2 D2EF9211
32912326 3F274FAF 5953DFB3 19EF77DD 4AE1D3BB
90A2E56B AE20C8A5 37B5F1F8 0EE4609B D8AEB111
5AF138DF F044FEC8 E05DF127 875B228E 3347B0CE
A60B607C A4F16C2B 52D7A330 13F9FD2F EE24C90E
DC387478 3180115D A60BD22E 12E35B1B 1BFD1523
04C1013E CD2D3EAF D235E191 7DDADB79 824481FA
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 156
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
A312B43F 9B5DB808 63BC6A91 4A184E82 AC46262C
01D9D6A7 33331DF4 BF7DD29C 324437C3 670176D6
EBDE8C83 4A0D8BD6 666637C3 C4CE68FB C184CA27
520506BC BC6F523C 2D00F21E 1D73AB4D 5759D577
E5C90287 ABC97B64 91C3BB8D E24116C6 FD
=====================================
Table 3-21 Description of the display dsa key-pair command output
Item Description
Label name Label name. To specify the label name, run
the dsa key-pair label command.
Modulus Modulus of the key pair. To specify the
modulus of the key pair, run the dsa key-pair
label command.
Time of Key pair created Time when the key pair is generated.
Key Code of the key pair.
3.6.9 display dsa local-key-pair public
Function
The display dsa local-key-pair public command displays the public key in the
local DSA key pair of the device.
Format
display dsa local-key-pair public
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
This command displays the public key in the local DSA key pair. You can copy the
public key in the command output to the DSA public key of the SSH server to
ensure that the public keys on the client and server are consistent and that the
client can be authenticated by the server.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 157
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Example
# Display the public key in the client DSA key pair.
<HUAWEI> display dsa local-key-pair public
========================================================
Time of key pair created : 2017-08-02 16:45:00
Key name : HUAWEI_Host_DSA
Key modulus : 2048
Key type : DSA encryption key
========================================================
Key code:
30820324
02820101
00DEDEBA 5C8244DC B8E69691 7CEFEBC0 B3E6FB60
BE8B9E36 D3E4EB9C D6EB7FD2 10219AC0 F41AD47B
F1EACD43 5D39AFA8 FACB6A78 19305EE1 47E42891
2E60452B 37CA17D6 11C2EE4C 46B4BC77 2654C268
56A99ECF A5D80036 7B31A905 22F13949 6F4182DB
FDAAB599 739AB021 85856A88 1F919736 8B92DBF6
849D1C74 6BA27E12 F98A28E4 B6D0587D 655979A7
505413E9 1EFC961C 3F792096 25CFA8D7 D469FA35
A39E37B6 14047D53 5DCD63AF 3058B3A2 5B79C714
B6326B7D B6067EBF 153CC1A7 20B0E1A7 E39C13FE
B3BA26E6 B052DC5B FFEE7C5C 52148FE6 C240738F
BB8F05D4 16B2B5DD 72E3629B B59244BF 9FA29C4F
CD4EA0EE 501FC669 5D03D68D 519324E4 93
0215
00C6C484 E1F0076B 8AFCAD30 2B98B50A 3A542ABE
BB
02820100
3AC11746 EE959CBD 30F669C5 7E290BC4 7CB5BBFD
96AE9215 7A29C723 72FE8A02 EBED3B76 BE810B42
21AD8D32 F7723F83 59F46B66 FF7805CC 3F86D5D6
5BD424BD 70677EFF 1ACF9B3C CE02CD40 46560DA4
2036205C 6EFAB148 66E6A106 0DF6258B EE31CFE7
4B6C59B4 6FE59A9F BE64F982 EC36A669 FF597FB7
9A56E32E C15A0659 3D17C407 29F587C7 74959017
62B08070 24564B2E E79C6E1D 86793548 76CC662A
1D3DE1D1 2C79E102 C0B10E5C 9C4428B3 AEB93278
26D4CDE5 189A93EA 531E0FF8 2199EF35 DF038976
4538434F F39924F0 5BF17AC8 8E340991 B5EA0A62
A915EE63 F660C092 360C5D2D 796AF230 DB7461F7
C15B6DBA 65C9EFAB 247DB13D 4942E2FF
02820100
067A64DE A6D47E2D 6D21BD8D C5C630D8 3FE16268
CAA42061 7D1A73E6 F6397EAF 1B0B88E9 035AFDE8
5F4387FA 364CD8E1 BD473BC4 7BE75D0A 8EA6A92E
5B763B53 B97019C0 EDA050B0 A832EC2C 62DB5718
265093E9 DF2C1F75 B8549280 89E496B4 1B2D1A83
07C04723 6ECE953F B51F4A31 8B9E9EED 5293E8AA
44C4E6F1 F6A36949 02350580 4BA4DA38 C8BFADD0
CBBDD72F 2E6681B1 FA7D7853 E1A3D191 6CA323C3
A6FF726F F1777D76 BB7C630A 5A4892A1 C78694CF
C17C07AD 6F640640 A65F22F4 AD2A4FE6 6C6232B1
FF354D22 8E77C44A E112196F 7FC60365 2B5C6793
4C132057 C69E2656 0E180446 AA7AE6AA 6D4FA2D8
18E431D6 ECA1502C 074D0C01 290B5FE2
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1kc3MAAAEBAN7eulyCRNy45paRfO/rwLPm+2C+i5420+TrnNbrf9IQ
IZrA9BrUe/HqzUNdOa+o+stqeBkwXuFH5CiRLmBFKzfKF9YRwu5MRrS8dyZUwmhW
qZ7PpdgANnsxqQUi8TlJb0GC2/2qtZlzmrAhhYVqiB+RlzaLktv2hJ0cdGuifhL5
iijkttBYfWVZeadQVBPpHvyWHD95IJYlz6jX1Gn6NaOeN7YUBH1TXc1jrzBYs6Jb
eccUtjJrfbYGfr8VPMGnILDhp+OcE/6zuibmsFLcW//ufFxSFI/mwkBzj7uPBdQW
srXdcuNim7WSRL+fopxPzU6g7lAfxmldA9aNUZMk5JMAAAAVAMbEhOHwB2uK/K0w
K5i1CjpUKr67AAABADrBF0bulZy9MPZpxX4pC8R8tbv9lq6SFXopxyNy/ooC6+07
dr6BC0IhrY0y93I/g1n0a2b/eAXMP4bV1lvUJL1wZ37/Gs+bPM4CzUBGVg2kIDYg
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 158
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
XG76sUhm5qEGDfYli+4xz+dLbFm0b+Wan75k+YLsNqZp/1l/t5pW4y7BWgZZPRfE
Byn1h8d0lZAXYrCAcCRWSy7nnG4dhnk1SHbMZiodPeHRLHnhAsCxDlycRCizrrky
eCbUzeUYmpPqUx4P+CGZ7zXfA4l2RThDT/OZJPBb8XrIjjQJkbXqCmKpFe5j9mDA
kjYMXS15avIw23Rh98Fbbbplye+rJH2xPUlC4v8AAAEABnpk3qbUfi1tIb2NxcYw
2D/hYmjKpCBhfRpz5vY5fq8bC4jpA1r96F9Dh/o2TNjhvUc7xHvnXQqOpqkuW3Y7
U7lwGcDtoFCwqDLsLGLbVxgmUJPp3ywfdbhUkoCJ5Ja0Gy0agwfARyNuzpU/tR9K
MYuenu1Sk+iqRMTm8fajaUkCNQWAS6TaOMi/rdDLvdcvLmaBsfp9eFPho9GRbKMj
w6b/cm/xd312u3xjClpIkqHHhpTPwXwHrW9kBkCmXyL0rSpP5mxiMrH/NU0ijnfE
SuESGW9/xgNlK1xnk0wTIFfGniZWDhgERqp65qptT6LYGOQx1uyhUCwHTQwBKQtf
4g==
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file:
ssh-dss AAAAB3NzaC1kc3MAAAEBAN7eulyCRNy45paRfO/rwLPm+2C+i5420+TrnNbrf9IQIZrA9BrUe/
HqzUNdOa+o+stqeBkwXuFH5CiRLmBFKzfKF9YRwu5MRrS8dyZU
wmhWqZ7PpdgANnsxqQUi8TlJb0GC2/2qtZlzmrAhhYVqiB
+RlzaLktv2hJ0cdGuifhL5iijkttBYfWVZeadQVBPpHvyWHD95IJYlz6jX1Gn6NaOeN7YUBH1TXc1jrzBYs6Jb
eccUtjJrfbYGfr8VPMGnILDhp+OcE/6zuibmsFLcW//ufFxSFI/mwkBzj7uPBdQWsrXdcuNim7WSRL
+fopxPzU6g7lAfxmldA9aNUZMk5JMAAAAVAMbEhOHwB2uK/K0wK5i1
CjpUKr67AAABADrBF0bulZy9MPZpxX4pC8R8tbv9lq6SFXopxyNy/ooC6+07dr6BC0IhrY0y93I/g1n0a2b/
eAXMP4bV1lvUJL1wZ37/Gs+bPM4CzUBGVg2kIDYgXG76sUhm
5qEGDfYli+4xz+dLbFm0b+Wan75k+YLsNqZp/1l/
t5pW4y7BWgZZPRfEByn1h8d0lZAXYrCAcCRWSy7nnG4dhnk1SHbMZiodPeHRLHnhAsCxDlycRCizrrkyeCbUzeU
YmpPq
Ux4P+CGZ7zXfA4l2RThDT/OZJPBb8XrIjjQJkbXqCmKpFe5j9mDAkjYMXS15avIw23Rh98Fbbbplye
+rJH2xPUlC4v8AAAEABnpk3qbUfi1tIb2NxcYw2D/hYmjKpCBhfRpz
5vY5fq8bC4jpA1r96F9Dh/
o2TNjhvUc7xHvnXQqOpqkuW3Y7U7lwGcDtoFCwqDLsLGLbVxgmUJPp3ywfdbhUkoCJ5Ja0Gy0agwfARyNuzpU
/tR9KMYuenu1Sk+iqRMTm8faj
aUkCNQWAS6TaOMi/rdDLvdcvLmaBsfp9eFPho9GRbKMjw6b/cm/
xd312u3xjClpIkqHHhpTPwXwHrW9kBkCmXyL0rSpP5mxiMrH/NU0ijnfESuESGW9/xgNlK1xnk0wTIFfG
niZWDhgERqp65qptT6LYGOQx1uyhUCwHTQwBKQtf4g== dsa-key
Table 3-22 Description of the display dsa local-key-pair public command output
Item Description
Time of key pair created Time when the public key is created.
Key name Name of the public key.
Key modulus Length of the key.
Key type Type of the public key.
Key code Content of the key.
Host public key for PEM format code PEM code of the public key.
Public key code for pasting into Public key format in the OpenSSH file.
OpenSSH authorized_keys file
3.6.10 display dsa peer-public-key
Function
The display dsa peer-public-key command displays the DSA public key that has
been configured.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 159
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Format
display dsa peer-public-key [ brief | name key-name ]
Parameters
Parameter Description Value
brief Displays the brief information. -
name key-name Displays the DSA public key with the The key-name must
specified name. already exist.
Views
All views
Default Level
3: Management level
Usage Guidelines
Usage Scenario
This command displays the DSA public key for you to check whether the local and
peer public keys are consistent.
Precautions
You must complete the DSA public key configuration before running this
command.
Example
# Display the DSA public key with the specified name.
<HUAWEI> display dsa peer-public-key name dsakey001
=====================================
Key name : dsakey001
Encoding type : DER
=====================================
Key code:
30820324
02820101
00DEDEBA 5C8244DC B8E69691 7CEFEBC0 B3E6FB60 BE8B9E36 D3E4EB9C D6EB7FD2
10219AC0 F41AD47B F1EACD43 5D39AFA8 FACB6A78 19305EE1 47E42891 2E60452B
37CA17D6 11C2EE4C 46B4BC77 2654C268 56A99ECF A5D80036 7B31A905 22F13949
6F4182DB FDAAB599 739AB021 85856A88 1F919736 8B92DBF6 849D1C74 6BA27E12
F98A28E4 B6D0587D 655979A7 505413E9 1EFC961C 3F792096 25CFA8D7 D469FA35
A39E37B6 14047D53 5DCD63AF 3058B3A2 5B79C714 B6326B7D B6067EBF 153CC1A7
20B0E1A7 E39C13FE B3BA26E6 B052DC5B FFEE7C5C 52148FE6 C240738F BB8F05D4
16B2B5DD 72E3629B B59244BF 9FA29C4F CD4EA0EE 501FC669 5D03D68D 519324E4
93
0215
00C6C484 E1F0076B 8AFCAD30 2B98B50A 3A542ABE BB
02820100
3AC11746 EE959CBD 30F669C5 7E290BC4 7CB5BBFD 96AE9215 7A29C723 72FE8A02
EBED3B76 BE810B42 21AD8D32 F7723F83 59F46B66 FF7805CC 3F86D5D6 5BD424BD
70677EFF 1ACF9B3C CE02CD40 46560DA4 2036205C 6EFAB148 66E6A106 0DF6258B
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 160
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
EE31CFE7 4B6C59B4 6FE59A9F BE64F982 EC36A669 FF597FB7 9A56E32E C15A0659
3D17C407 29F587C7 74959017 62B08070 24564B2E E79C6E1D 86793548 76CC662A
1D3DE1D1 2C79E102 C0B10E5C 9C4428B3 AEB93278 26D4CDE5 189A93EA 531E0FF8
2199EF35 DF038976 4538434F F39924F0 5BF17AC8 8E340991 B5EA0A62 A915EE63
F660C092 360C5D2D 796AF230 DB7461F7 C15B6DBA 65C9EFAB 247DB13D 4942E2FF
02820100
6D7C4F77 4E3AC516 90D530FE CDC3A3AF BAC2BCBE 8F511D9D 78CA6E48 D5E4F8F0
9B5C7BBD 49235D79 962893F2 15B55280 F81C7DC1 1DE52FD2 5497ABA1 D7B353A0
2FB1605E 1CD5DB23 15CA4501 F0775337 E87A1BD7 D91B52C5 DCAEEC72 BABE9022
D96175B5 A0F0D536 B52D434E 77AEC2AC 690BC2AA CACBE255 C66F5FE5 F8DD55CB
B2125637 C2F86940 9C014F99 2AB92D09 A632635B E2B2876F E6B8F40B EC1E20F3
EE85F2FC 7B5DE110 EBCFB823 C483AE53 15C76E62 928E5CD8 9AB59158 212044E3
6A482039 D9A81187 3653D9A7 9C239E22 7DCAD3F6 BEB8D2F5 032219DC D4C638E5
B1A59128 74A70340 630057CD D53EE61F A111E3B4 F918B361 11035AC5 2A06EA0C
Table 3-23 Description of the display dsa peer-public-key command output
Item Description
Key name Type of the public key.
Encoding type Type of the public key encoding
format.
Key code Code of the public key.
3.6.11 display ecc key-pair
Function
The display ecc key-pair command displays information about the ECC key pair
with a label.
Format
display ecc key-pair [ brief | label label-name ]
Parameters
Parameter Description Value
brief Displays brief information about all ECC -
key pairs with labels.
label label-name Displays information about the ECC key Label name of the
pair with a specific label. key pair.
Views
All views
Default Level
3: Management level
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 161
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Usage Guidelines
You can run the display ecc key-pair command to check information about the
ECC key pair with a label. The information varies when you specify different
parameters in the command.
● If brief is specified, you can view brief information about all ECC key pairs
with labels.
● If label label-name is specified, you can view information about the ECC key
pair with a specific label.
● When neither label nor brief is specified, you can view information about all
ECC key pairs with labels.
Example
# Display information about all ECC key pairs with labels.
<HUAWEI> display ecc key-pair
=====================================
Label name: abc123
Modulus: 521
Time of Key pair created: 2014-01-13 08:01:02
=====================================
Key :
0400B83D B5796B8F 28060F9E 6AA444C6 17F904D5 DE1D25D1 DF86CC94
5B30D58B A8BEA1D6 405D7928 AADCF587 ECCCFEE0 AE4235FE 3F78485C
BA72121D 5C76B902 34C0BC00 6815A445 F3EE1F36 9E7F9646 8E0EDA8D
51EF14B3 164C4742 970A158D 0807FBE6 FC9D9277 31CFF900 75600A8C
BA99BE37 366FFFFB 883C73EA 0970553C F2032738 3D
=====================================
Table 3-24 Description of the display ecc key-pair command output
Item Description
Label name Label name. To specify the label name, run
the ecc key-pair label command.
Modulus Modulus of the key pair. To specify the
modulus of the key pair, run the ecc key-pair
label command.
Time of Key pair created Time when the key pair is generated.
Key Code of the key pair.
3.6.12 display ecc local-key-pair public
Function
The display ecc local-key-pair public command displays information about the
public key in the local ECC key pair.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 162
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Format
display ecc local-key-pair public
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
You can run the display ecc local-key-pair public command to check information
about the public key in the local ECC key pair on a client and then copy the public
key to the server. The public key enables a server to authenticate users and
ensures the login of authorized users.
Example
# Display information about the public key in the local ECC key pair on a client.
<HUAWEI> display ecc local-key-pair public
========================================================
Time of key pair created : 2013-12-30 11:11:20
Key name : HUAWEI_Host_ECC
Key modulus : 521
Key type : ECC encryption key
========================================================
Key code:
04012998 DFDD74C4 3F58DF73 C9CED003 8BB308ED
8353FD26 BAF2F836 5EFDCC2A D26E185F 6F6E2E19
683FF161 9141A7C2 3EEA52E3 9801E245 D33079A2
B12DAF27 1DF59401 E5068456 C54FE0E0 5DD99CEB
98C527DB B3CE0707 7863DC59 34EE830C 8AACBDB3
5EA697C4 9A660DD8 1049A330 7DC7ED5A 905184AC
0F6D6022 07731458 4DC1CE84 D8
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAACFBAEpmN/ddMQ/WN9zyc7QA4uzCO2D
U/0muvL4Nl79zCrSbhhfb24uGWg/8WGRQafCPupS45gB4kXTMHmisS2vJx31lAHl
BoRWxU/g4F3ZnOuYxSfbs84HB3hj3Fk07oMMiqy9s16ml8SaZg3YEEmjMH3H7VqQ
UYSsD21gIgdzFFhNwc6E2A==
---- END SSH2 PUBLIC KEY ----
Table 3-25 Description of the display ecc local-key-pair public command output
Item Description
Time of key pair created Time when the public key in the local
ECC key pair is generated, in the format
of YYYY-MM-DD HH:MM:SS.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 163
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Item Description
Key name Name of the public key in the local ECC
key pair.
Key modulus Length of the public key in the local ECC
key pair.
Key type Type of the public key in the local ECC
key pair.
Key code Code of the public key in the local ECC
key pair configured using the ecc local-
key-pair command.
Host public key for PEM format PEM code of the public key in the local
code ECC key pair.
3.6.13 display ecc peer-public-key
Function
The display ecc peer-public-key command displays information about the ECC
public key configured on the remote end.
Format
display ecc peer-public-key [ brief | name key-name ]
Parameters
Parameter Description Value
brief Displays brief information about the ECC -
public key configured on the remote end.
name key-name Displays the ECC public key with the The key-name
specified name. must already exist.
Views
All views
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 164
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
You can run this command to check detailed information about the ECC public key
and whether the local and peer public keys are the same.
Precautions
You must complete the ECC public key configuration before running this
command.
Example
# Display brief information about all the ECC public keys.
<HUAWEI> display ecc peer-public-key brief
------------------------------------------
Bits Name
------------------------------------------
521 sat
------------------------------------------
# Display detailed information about the ECC public key named sat.
<HUAWEI> display ecc peer-public-key name sat
=====================================
Key name: sat
=====================================
Key code:
040020D4 5436AC31 BB1501EE 54CB84B6 AD9D5DB5 1B65EA59 9B5409A9 045D12A5
9133AF2C A7E9E80E 344E95DA D166E270 77B67702 72F9B94F FB78E487 1C2928C9
5437CE00 93AD2608 0D940547 8D6B84AB DDD30FE1 75B2C790 884B4F91 5DEE668F
08EE50CE 1CAE6D54 1A1DC28C 1936C451 ECBB7AB0 B7F2F09B 8F699940 CF81C7C7
906A40F4 7D
Table 3-26 Description of the display ecc peer-public-key command output
Item Description
Bits Length of the ECC public key configured
on the remote end.
Name Name of the ECC public key configured
on the remote end.
Key name Name of the ECC public key configured
on the remote end.
Key code Code of the ECC public key configured on
the remote end.
3.6.14 display rsa key-pair
Function
The display rsa key-pair command displays information about the RSA key pair
with a label.
Format
display rsa key-pair [ brief | label label-name ]
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 165
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Value
brief Displays brief information about all RSA -
key pairs with labels.
label label-name Displays information about the RSA key Label name of the
pair with a specific label. key pair.
Views
All views
Default Level
3: Management level
Usage Guidelines
You can run the display rsa key-pair command to check information about the
RSA key pair with a label. The information varies when you specify different
parameters in the command.
● If brief is specified, you can view brief information about all RSA key pairs
with labels.
● If label label-name is specified, you can view information about the RSA key
pair with a specific label.
● When neither label nor brief is specified, you can view information about all
RSA key pairs with labels.
Example
# Display information about all RSA key pairs with labels.
<HUAWEI> display rsa key-pair
=====================================
Label name : a01
Modulus : 2048
Time of key pair created : 2013-12-31 01:47:14
=====================================
Key :
3082010A 02820101 00E788C5 7BE23271 71E4ACFE 2AC67BD1 5B6F2B1B 98B9B530
8C3A5635 2CA667E9 685537FB 7CFC6F7E B6834F92 3EB55305 AC37A137 A797318B
164873EE 9E156132 9CE6B060 E737C8EC C6B7B4B8 D79885EB B3710E69 D6420B5A
554573B6 B381E159 162601B7 2CA4DFD0 16899329 79EC1DE4 A23B0232 496E3373
3408DC0F D4C84A71 7FC821B8 21AD254B 928C1003 FF549929 889FAFA1 AE8AC22E
F5BDAD25 ECA8D7C0 EE711AC7 CAB34583 325D1D58 4DBCDE86 BF3DA0C0 BA9D872E
6F745D72 0FD66EE0 56F35FB4 5F347405 3E7BDCAF 2F0EFE7E 990AD206 D9DA400E
2C380055 8462D6E0 B93B0C73 EB394D01 D83A6B6F 37B64FAF F7DFBAA4 F7073AE1
CC1B0C5E 8F735904 19020301 0001
=====================================
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 166
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Table 3-27 Description of the display rsa key-pair command output
Item Description
Label name Label name. To specify the label name, run
the rsa key-pair label command.
Modulus Modulus of the RSA key pair. To specify the
modulus of the RSA key pair, run the rsa key-
pair label command.
Time of key pair created Time when the key pair is generated.
Key Code of the key pair.
3.6.15 display rsa local-key-pair public
Function
The display rsa local-key-pair public command displays the public key in the
local key pair.
Format
display rsa local-key-pair public
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
You can run this command on the client and configure the client public key in the
command output to the SSH server, which ensures that the SSH client validity
check by the SSH server is successful and enables the secure data exchange
between the SSH server and client.
Example
# Display the public key in the local key pair.
<HUAWEI> display rsa local-key-pair public
======================Host key==========================
Time of key pair created : 2013-12-30 08:55:13
Key name : HUAWEI_Host
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 167
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Key type : RSA encryption key
========================================================
Key code:
3082010A
02820101
00C4D569 631EC1E2 833E315D 5DED65F3 498F2ED0
9B04F901 DEC806AA 0941AC43 3BB7422B B1D6E754
26B36B48 9F40A1CE AAF31314 5B729DFB 931BDBD8
81EBF078 54D8570D B4BFDCF8 90091546 76CDED0A
5FAAA330 9F4D6186 DE41AFBE A2FA67D7 EB3FC5E9
FD80859D 4E7B1C12 21198FFA 231B8048 A6E6F0D3
205557D6 B0580D81 ADFD2B6D 3256FBAE 9E81ABA6
0E8FA794 5DB0AA13 FB4ACA36 E3D75918 C40E68C6
9F6CA0C8 7FAD471C AF7F0BD5 4469C4A7 CF8BC85B
EA735E02 5FAC972C 7BCD818C 3C8E3EAB DB830026
D6CDBA62 F00C8928 4A04A67C A597207E 23D91EF3
183E2466 F8D06754 CEE5EB2B 937E8516 AA1485D7
79B7CB6B 5AB299AB FFB1E1BF A0353DD3 97
0203
010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAABAQDE1WljHsHigz4xXV3tZfNJjy7QmwT5Ad7I
BqoJQaxDO7dCK7HW51Qms2tIn0ChzqrzExRbcp37kxvb2IHr8HhU2FcNtL/c+JAJ
FUZ2ze0KX6qjMJ9NYYbeQa++ovpn1+s/xen9gIWdTnscEiEZj/ojG4BIpubw0yBV
V9awWA2Brf0rbTJW+66egaumDo+nlF2wqhP7Sso249dZGMQOaMafbKDIf61HHK9/
C9VEacSnz4vIW+pzXgJfrJcse82BjDyOPqvbgwAm1s26YvAMiShKBKZ8pZcgfiPZ
HvMYPiRm+NBnVM7l6yuTfoUWqhSF13m3y2taspmr/7Hhv6A1PdOX
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDE1WljHsHigz4xXV3tZfNJjy7QmwT5Ad7IBqoJQaxD
O7dCK7HW51Qms2tIn0ChzqrzExRbcp37kxvb2IHr8HhU2FcNtL/c+JAJFUZ2ze0KX6qjMJ9NYYbeQa++
ovpn1+s/xen9gIWdTnscEiEZj/ojG4BIpubw0yBVV9awWA2Brf0rbTJW+66egaumDo+nlF2wqhP7Sso2
49dZGMQOaMafbKDIf61HHK9/C9VEacSnz4vIW+pzXgJfrJcse82BjDyOPqvbgwAm1s26YvAMiShKBKZ8
pZcgfiPZHvMYPiRm+NBnVM7l6yuTfoUWqhSF13m3y2taspmr/7Hhv6A1PdOX rsa-key
Host public key for SSH1 format code:
2048 65537 248479449894298928294307779358726016363453127732399382240868603696328
38092602580810460413033525882290576141938684323785867753090434139378610895900966
99069400366338221105253327868286329658226300153628555662751480887246101263431835
00691736600459588199818030880967385624775381317439545767556794593852794045844003
34335076114347973757304101202989966991960922618440645983410857662297120846209864
22771028604935279415615054836817431585686417436260033974542999889336079286514057
18228159988733198430380627228312138479579994102250624429597554309014943522876720
35453712256315056983907073654304186669580624268424033646475701244823
======================Server key========================
Time of key pair created : 2013-12-30 08:55:14
Key name : HUAWEI_Server
Key type : RSA encryption key
========================================================
Key code:
3081B9
0281B1
00EA73D0 8787CAC7 01F5B1C3 BB526E42 18B4E740
C26250C8 E6453106 A22CC86D 9D702D5A A7192FFA
19ECBEAF C7AD3C56 89900E35 30D11766 4683E827
960AB080 6D1D5403 BB9553FC 57046006 D2A12AEA
086D0066 C7D81278 CC2720A9 7FF3F006 85EB945F
8306A451 D2795842 8FDAC528 0EAE9D23 8E7D0B28
BE4AA3BF 16F8282A 4C087B9E 87FBDF5D 7F2EB809
BC0F278C E5A1D14E C664FD67 C6C48430 ED371D0E
CD97BE6A 0BF06704 53817E6E 1690CEE3 45
0203
010001
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 168
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Table 3-28 Description of the display rsa local-key-pair public command output
Item Description
Time of key pair created Time and date when the public key is
created.
Key name The value can be the host or server public
key. The server public key is saved only
when the key type is RSA.
Key type Type of the public key.
Key code Code of the public key.
3.6.16 display rsa peer-public-key
Function
The display rsa peer-public-key command displays the peer public key saved on
the local host. If no parameter is specified, the command displays detailed
information about all peer public keys.
Format
display rsa peer-public-key [ brief | name key-name ]
Parameters
Parameter Description Value
brief Displays the brief information about -
all peer public keys.
name key-name Specifies the key name. The key-name must
already exist.
Views
All views
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run this command to check detailed information about the RSA public key
and whether the local and peer public keys are the same.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 169
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Precautions
Before running the display rsa peer-public-key command, run the rsa peer-
public-key command to generate the peer public key.
Example
# Display the brief information about all RSA public keys.
<HUAWEI> display rsa peer-public-key brief
------------------------------------------
Bits Name
------------------------------------------
2048 rsakey001
------------------------------------------
Table 3-29 Description of the display rsa peer-public-key brief command output
Item Description
Bits Bits in the public key.
Name Name of the public key.
# Display the detailed information about the RSA public key named rsakey001.
<HUAWEI> display rsa peer-public-key name rsakey001
=====================================
Key name : rsakey001
Encoding type : DER
=====================================
Key code:
308188
028180
739A291A BDA704F5 D93DC8FD F84C4274 631991C1 64B0DF17 8C55FA83 3591C7D4
7D5381D0 9CE82913 D7EDF9C0 8511D83C A4ED2B30 B809808E B0D1F52D 045DE408
61B74A0E 135523CC D74CAC61 F8E58C45 2B2F3F2D A0DCC48E 3306367F E187BDD9
44018B3B 69F3CBB0 A573202C 16BB2FC1 ACF3EC8F 828D55A3 6F1CDDC4 BB45504F
0203
010001
Table 3-30 Description of the display rsa peer-public-key name command output
Item Description
Key name Name of the public key.
Encoding type Coding type of the public key
Key code Code of the public key.
3.6.17 display ssh client
Function
The display ssh client command displays SSH client information.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 170
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Format
display ssh client session
Parameters
Parameter Description Value
session Displays the current session status information of the SSH -
client.
Views
All views
Default Level
3: Management level
Usage Guidelines
To check the current session connection information of the SSH client, run the
display ssh client session command.
Example
# Display the current session status information of the SSH client.
<HUAWEI> display ssh client session
--------------------------------------------------------------------------
Session :1
Version : 2.0
CTOS Cipher : aes256-ctr
STOC Cipher : aes256-ctr
CTOS Hmac : hmac-sha2-256
STOC Hmac : hmac-sha2-256
CTOS Compress : none
STOC Compress : none
Total Packet Number : 152
Packet Number after Rekey : 152
Total Data(MB) :0
Data after Rekey(MB) :0
Time after Session Established(Minute) : 2
Time after Rekey(Minute) :2
--------------------------------------------------------------------------------
Table 3-31 Description of the display ssh client session command output
Item Description
Session SSH session ID.
Version Version information of the protocol that the SSH
session connection uses.
CTOS Cipher Encryption algorithm from the client to the server.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 171
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Item Description
STOC Cipher Encryption algorithm from the server to the client.
CTOS Hmac HMAC algorithm from the client to the server.
STOC Hmac HMAC algorithm from the server to the client.
CTOS Compress Compression algorithm from the client to the server.
STOC Compress Compression algorithm from the server to the client.
Total Packet Number Total number of SSH session packets.
Packet Number after Total number of SSH session packets after key re-
Rekey negotiation.
Total Data(MB) Total data volume of the SSH session connection, in
MB.
Data after Rekey(MB) Total data volume of the SSH session connection after
key re-negotiation, in MB.
Time after Session Connection duration after the SSH session connection
Established(Minute) is activated, in minutes.
Time after Connection duration after the SSH session connection
Rekey(Minute) is activated and the key is re-negotiated, in minutes.
3.6.18 display ssh server
Function
The display ssh server command displays the SSH server information.
Format
display ssh server { status | session }
Parameters
Parameter Description Value
status Displays the global configuration on the SSH server. -
session Displays the current session connection information on the -
SSH server.
Views
All views
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 172
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Default Level
3: Management level
Usage Guidelines
After configuring the SSH attributes, you can run this command to view the
configuration or session connection information on the SSH server to verify that
the SSH connection has been established.
Example
# Display the global configuration on the SSH server.
<HUAWEI> display ssh server status
SSH Version : 2.0
SSH authentication timeout (Seconds) : 60
SSH authentication retries (Times) :3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility : Disable
SSH server keepalive : Enable
SFTP IPv4 server : Enable
SFTP IPv6 server : Enable
STELNET IPv4 server : Enable
STELNET IPv6 server : Enable
SNETCONF IPv4 server : Disable
SNETCONF IPv6 server : Disable
SNETCONF IPv4 server port(830) : Disable
SNETCONF IPv6 server port(830) : Disable
SCP IPv4 server : Enable
SCP IPv6 server : Enable
SSH server DES : Enable
SSH IPv4 server port : 22
SSH IPv6 server port : 22
SSH server source address : 0.0.0.0
SSH ipv6 server source address : 0::0
SSH ipv6 server source vpnName :
ACL name : --
ACL number : --
ACL6 name : --
ACL6 number : --
SSH server ip-block : Enable
Table 3-32 Description of the display ssh server status command output
Item Description
SSH Version Protocol version used for the SSH session connection.
SSH authentication Timeout interval of SSH server authentication, in
timeout (Seconds) seconds.
Run the ssh server timeout command to set this item.
SSH authentication Number of times for retrying the SSH session
retries (Times) connection.
Run the ssh server authentication-retries command
to set this item.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 173
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Item Description
SSH server key Interval for generating an SSH server password, in
generating interval hours.
(Hours) Run the ssh server rekey-interval command to set
this item.
SSH version 1.x SSH 1.x version compatibility, and the value can be
compatibility Enable or Disable.
Run the ssh server compatible-ssh1x enable
command to set this item.
SSH server keepalive Keepalive state of the SSH server. The value can be
Enable or Disable.
Run the ssh server keepalive disable command to set
this item.
SFTP IPv4 server/SFTP Status of the SFTP server. The value can be Enable or
IPv6 server Disable.
Run the sftp server enable command to set this item.
STELNET IPv4 server/ Status of the STelnet server. The value can be Enable
STELNET IPv6 server or Disable.
Run the stelnet server enable command to set this
item.
SNETCONF IPv4 Status of the SNETCONF server. The value can be
server/SNETCONF IPv6 Enable or Disable.
server Run the snetconf server enable command to set this
item.
SNETCONF IPv4 server Port of the SNETCONF server.
port(830)/SNETCONF Run the protocol inbound ssh port 830 command to
IPv6 server port(830) set this item.
SCP IPv4 server/SCP Status of the SCP server. The value can be Enable or
IPv6 server Disable.
Run the scp server enable command to set this item.
SSH server DES DES algorithm of the SSH server.
Run the ssh server cipher command to set this item.
SSH IPv4 server Port of the SSH server.
port/SSH IPv6 server Run the ssh server port command to set this item.
port
ACL name Name of the ACL rule bound to the SSH server.
Run the ssh server acl acl-name command to set this
item.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 174
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Item Description
ACL number Number of the ACL rule bound to the SSH server.
Run the ssh server acl acl-number command to set
this item.
ACL6 name Name of the ACL6 rule bound to the SSH server.
Run the ssh ipv6 server acl acl-number command to
set this item.
ACL6 number Number of the ACL6 rule bound to the SSH server.
Run the ssh ipv6 server acl acl-number command to
set this item.
SSH server source Source IP address of the SSH server.
address/SSH ipv6 Run the ssh server-source -i interface-type interface-
server source address number command to set this item.
SSH ipv6 server source VPN name of the SSH IPv6 server.
vpnName
SSH server ip-block Status of the SSH server from locking client IP
addresses. It can be any one of the following:
● Enable: SSH server is enabled to lock client IP
addresses.
● Disable: SSH server is disabled to lock client IP
addresses.
# Display the current session connection information on the SSH server.
<HUAWEI> display ssh server session
--------------------------------------------------------------------------------
Session :1
Connect type : VTY 0
Version : 2.0
State : Started
Username : root123
Retry :2
Client to Server cipher : aes256-cbc
Server to Client cipher : aes256-cbc
Client to Server HMAC : hmac-sha2-256
Server to Client HMAC : hmac-sha2-256
Client to Server compression : none
Server to Client compression : none
Key exchange algorithm : ecdh-sha2-nistp521
Public key : ecc
Service type : stelnet
Authentication type : password
Connection port number : 22
Idle time : 00:00:00
Total Packet Number : 90
Packet Number after Rekey :0
Total Data(MB) :0
Data after Rekey(MB) :0
Time after Session Established(Minute) : 0
Time after Rekey(Minute) :1
--------------------------------------------------------------------------------
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 175
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Table 3-33 Description of the display ssh server session command output
Item Description
Session SSH session ID.
Connect type Connection used by the SSH session. The options are
as follows:
● VTY: connection used by the STelnet user
● NCA: connection used by the SNetconf user
● SFTP: connection used by the SFTP user
Version Protocol version used for the SSH session connection.
State Status of the SSH session connection.
Username User name for SSH session connection.
Run the ssh user command to set this item.
Retry Number of times for retrying the SSH session
connection.
Run the ssh server authentication-retries command
to set this item.
Client to Server cipher Encryption algorithm name from the client to the
server.
Server to Client cipher Encryption algorithm name from the server to the
client.
Client to Server HMAC HMAC algorithm name from the client to the server.
Server to Client HMAC HMAC algorithm name from the server to the client.
Client to Server Name of the compression algorithm from the client to
compression the server.
Server to Client Name of the compression algorithm from the server to
compression the client.
Key exchange Exchange algorithm name.
algorithm
Public key Public key algorithm used for server authentication,
which can be RSA, DSA, or ECC.
NOTE
To ensure high security, do not use the RSA algorithm whose
length is less than 2048 digits.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 176
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Item Description
Service type Service type for an SSH user. The options are as
follows:
● sftp
● stelnet
● snetconf
Run the ssh user service-type command to set this
item.
Authentication type Authentication mode for an SSH user. The options are
as follows:
● password
● rsa
● dsa
● ecc
● x509v3-rsa
● password-x509v3-rsa
● password-rsa (password and RSA)
● password-dsa (password and DSA)
● password-ecc (password and ECC)
● all (password, pki, DSA, ECC, or RSA)
Run the ssh user authentication-type command to
set this item.
Connection port Port number of the SSH server.
number Run the ssh server port command to set this item.
Idle time Idle time of the SSH session.
Total Packet Number Total number of SSH session packets.
Packet Number after Total number of SSH session packets after key re-
Rekey negotiation.
Total Data(MB) Total data volume of the SSH session connection, in
MB.
Data after Rekey(MB) Total data volume of the SSH session connection after
key re-negotiation, in MB.
Time after Session Connection duration after the SSH session connection
Established(Minute) is activated, in minutes.
Time after Connection duration after the SSH session connection
Rekey(Minute) is activated and the key is re-negotiated, in minutes.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 177
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3.6.19 display ssh server-info
Function
The display ssh server-info command displays the binding between the SSH
server and RSA, DSA, or ECC public key when the current device works as the SSH
client.
Format
display ssh server-info
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
When the SSH client needs to authenticate the server, the server public key saved
in the local host is used to authenticate the connected SSH server. If the
authentication fails, you can run the display ssh server-info command to verify
that the server public key is correct.
Example
# Display all bindings between the SSH server and public keys on the SSH client.
<HUAWEI> display ssh server-info
-----------------------------------------------------------------------------------------------------------------
Server Name(IP) Server public key name Server public key type
State
-----------------------------------------------------------------------------------------------------------------
192.168.1.120 192.168.1.120 RSA CONFIGURE
192.168.1.110 192.168.1.110 RSA CONFIGURE
-----------------------------------------------------------------------------------------------------------------
Table 3-34 Description of the display ssh server-info command output
Item Description
Server Name(IP) Host name of the SSH server.
Server Public Key Type Type of the public key on the SSH server.
Server public key name Name of the public key on the SSH server.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 178
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Item Description
State Indicates the server key state:
● CONFIGURE: Indicates that the server public key is
saved in database.
● DYNAMIC: Indicates that the server public key is
not saved in database.
3.6.20 display ssh user-information
Function
The display ssh user-information command displays the configuration of all SSH
users.
Format
display ssh user-information [ username ]
Parameters
Parameter Description Value
username Displays the SSH user name. The SSH must already exist.
Views
All views
Default Level
3: Management level
Usage Guidelines
This command displays the SSH user name, bound RSA, DSA, or ECC public key
name, and service type.
Example
# Display the configuration of all SSH users.
<HUAWEI> display ssh user-information
--------------------------------------------------------------------------------
User Name : client001
Authentication type : password
User public key name : --
User public key type : --
Sftp directory : flash:
Service type : sftp
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 179
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
User Name : client002
Authentication type : rsa
User public key name : --
User public key type : --
Sftp directory : flash:
Service type : sftp
--------------------------------------------------------------------------------
Total 2, 2 printed
Table 3-35 Description of the display ssh user-information command output
Item Description
User Name SSH user name.
Run the ssh user command to set this item.
Authentication type Authentication mode for an SSH user. The options are
as follows:
● password
● rsa
● dsa
● ecc
● x509v3-rsa
● password-x509v3-rsa
● password-rsa (password and RSA)
● password-dsa (password and DSA)
● password-ecc (password and ECC)
● all (password, pki, DSA, ECC, or RSA)
Run the ssh user authentication-type command to
set this item.
User public key name Peer RSA, DSA, or ECC public key assigned to an SSH
user.
Run the rsa peer-public-key, dsa peer-public-key, or
ecc peer-public-key command to set this item.
User public key type Type of the public key allocated to the SSH user:
● RSA: indicates that the type is RSA.
● DSA: indicates that the type is DSA.
● ECC: indicates that the type is ECC.
● --: indicates that no public key type is specified.
Sftp directory SFTP service directory of an SSH user.
Run the ssh user sftp-directory command to set this
item.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 180
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Item Description
Service type Service type for an SSH user. The options are as
follows:
● sftp: indicates that the service type is SFTP.
● stelnet: indicates that the service type is STelnet.
● snetconf: indicates that the service type is
SNetConf.
● --: indicates that no service type is specified.
Run the ssh user service-type command to set this
item.
3.6.21 display telnet server
Function
The display telnet server status command displays the configuration of the
current Telnet server.
Format
display telnet server
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
When you fail to log in to a server using Telnet, run the display telnet server
command to check the configuration of the Telnet server. The command output
can help you find the cause of the login failure.
Example
# Display the basic configuration of the Telnet server.
<HUAWEI> display telnet server
Telnet server : Enable
Telnet server port : 23
Telnet IPv6 server : Disable
Telnet IPv6 server port : 23
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 181
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Telnet server source address : 0.0.0.0
TELNET ipv6 server source address : 0::0
TELNET ipv6 server source vpnName :
ACL name : --
ACL number : --
ACL6 name : --
ACL6 number : --
Table 3-36 Description of the display telnet server command output
Item Description
Telnet server Status of the Telnet server. The value can be
Enable or Disable.
Run the telnet server disable command to
set this item.
Telnet server port Telnet server port number.
Run the telnet server port command to set
this item.
Telnet IPv6 server Status of the Telnet IPv6 server. The value can
be Enable or Disable.
Run the telnet ipv6 server disable command
to set this item.
Telnet IPv6 server port Port number of the Telnet IPv6 server.
Run the telnet server port command to set
this item.
Telnet server source address Source IP address of the Telnet server.
Run the telnet server-source command to set
this item.
TELNET ipv6 server source Source IP address of the Telnet IPv6 server.
address
TELNET ipv6 server source Source VPN instance name of the Telnet IPv6
vpnName server.
ACL name Name of the ACL rule bound to Telnet server.
Run the telnet server acl acl-name command
to set this item.
ACL number Number of the ACL rule bound to Telnet
server.
Run the telnet server acl acl-number
command to set this item.
ACL6 name Name of the ACL6 rule bound to Telnet server.
Run the telnet ipv6 server acl acl-name
command to set this item.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 182
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Item Description
ACL6 number Number of the ACL6 rule bound to Telnet
server.
Run the telnet ipv6 server acl acl-number
command to set this item.
3.6.22 display telnet server status
Function
The display telnet server status command displays the connection of the Telnet
server.
Format
display telnet server status
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
You can run this command to check the source IP address of the Telnet server and
the source address carried in a connection request.
If the Telnet connection does not exist, no information is displayed after you run
this command.
Example
# Display the status of the Telnet server.
<HUAWEI> display telnet server status
Session 1:
Source ip address : 192.168.1.3
VTY Index :0
Session 2:
Source ip address : 192.168.1.4
VTY Index :1
Session 3:
Source ip address : 192.168.1.5
VTY Index :2
Session 4:
Source ip address : 192.168.1.6
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 183
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
VTY Index :3
Current number of sessions : 4
Table 3-37 Description of the display telnet server status command output
Item Description
Session Index of current connections.
Source ip address Source IP address in the Telnet connection.
VTY Index Relative number of the user interface.
Current number of sessions Number of current connections.
3.6.23 display telnet client
Function
The display telnet client command displays the number of current telnet
connections.
Format
display telnet client
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
An administrator can use the display telnet client command to check how many
users have logged in to a server through Telnet.
Example
# Display the number of current connections.
<HUAWEI> display telnet client
---------------------------------------
Current user count : 2
Source IPv4 address : 10.1.1.2
---------------------------------------
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 184
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Table 3-38 Description of the display telnet client command output
Item Description
Current user count Number of current connected users.
Source IPv4 address The IPv4 address of Source.
3.6.24 dsa key-pair label
Function
The dsa key-pair label command generates a DSA key pair with a label.
The undo dsa key-pair label command deletes a DSA key pair with a label.
By default, no DSA key pair with a label is generated.
Format
dsa key-pair label label-name [ modulus modulus-bits ]
dsa key-pair label load private private-key public public-key
undo dsa key-pair label label-name
Parameters
Parameter Description Value
label-name Specifies the label name The value is a string of 1 to 35
of a DSA key pair. case-insensitive characters. The
string can contain only letters,
digits, and underscores (_).
modulus Specifies the modulus of The value is 2048, in bits. The
modulus-bits the DSA key pair. default value is 2048.
A larger modulus indicates higher
security. However, it takes a long
time to generate and use such a
key pair.
load private Specifies the private key The private-key must already exist.
private-key in the key pair.
public public-key Specifies the public key The public-key must already exist.
in the key pair.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 185
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run this command to generate a DSA key pair for user authentication. The
DSA key pair improves authentication security. You can run the dsa key-pair label
command to generate multiple DSA key pairs, and the key pairs are identified by
different labels.
Precautions
You can run the dsa key-pair label command to generate multiple DSA key pairs
with labels. The maximum number of DSA key pairs is specified by the dsa key-
pair maximum command. By default, the device can generate a maximum of 20
DSA key pairs with labels.
Example
# Generate the DSA key pair with the label name ssh_host.
<HUAWEI> system-view
[~HUAWEI] dsa key-pair label ssh_host
3.6.25 dsa key-pair maximum
Function
The dsa key-pair maximum command configures the maximum number of DSA
key pairs with labels that can be generated.
The undo dsa key-pair maximum command restores the maximum number of
DSA key pairs with labels to the default value.
By default, the device can generate a maximum of 20 DSA key pairs with labels.
Format
dsa key-pair maximum max-keys
undo dsa key-pair maximum
Parameters
Parameter Description Value
max-keys Specifies the maximum number of The value is an integer that
DSA key pairs with labels. ranges from 1 to 20.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 186
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Saving DSA key pairs consumes system memory and file resources. Therefore, you
can adjust the maximum number of DSA key pairs as required to ensure that they
do not occupy too many system resources.
Configuration Impact
The device fails to generate DSA key pairs with labels when the number of DSA
key pairs reaches the upper limit specified by this command.
Example
# Set the maximum number of DSA key pairs with labels to 15.
<HUAWEI> system-view
[~HUAWEI] dsa key-pair maximum 15
3.6.26 dsa local-key-pair create
Function
The dsa local-key-pair create command generates a local DSA key pair.
By default, a local DSA key pair is not configured.
Format
dsa local-key-pair create
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 187
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Compared with RSA, Digital Signature Algorithm (DSA) has a wider application
range in the SSH protocol. According to the encryption principle of the asymmetric
encryption system, the public and private keys are generated to implement secure
key exchange. This ensures the secure session process.
The prerequisite for a user to successfully log in to the SSH server using DSA
authentication is to generate a local DSA key pair. A local DSA key pair can be
generated in the following two methods:
● Configuration: You can run the dsa local-key-pair create command to
generate a local DSA key pair.
● Automatic generation: If an SSH client logs in to a device and the SSH server
has no DSA key pair, the system automatically generates a DSA key pair.
Key pairs generated in the two methods are the same in terms of function,
security, query, and deletion. It is recommended that you run the dsa local-key-
pair create command to generate a local DSA key pair.
When you run this command, the system prompts you to confirm whether to
change the original key if the DSA key exists. The key in the new key pair is
named device name_Host_DSA, for example, HUAWEI_Host_DSA.
After you enter the command, the device prompts you to enter the number of bits
in the host key. The length of a host key pair is 2048.
After a successful login, run the save command to save configurations. The
generated key pair then is saved on the device and is not lost after the device
restarts.
Precautions
This command is not saved in a configuration file and can take effect immediately
after being executed. After the device restarts, you do not need to run the
command again.
Example
# Generate a local DSA key pair on the device.
<HUAWEI> system-view
[~HUAWEI] dsa local-key-pair create
Info: The key name will be: HUAWEI_Host_DSA
Info: The key modulus can be any one of the following : 2048.
Info: Key pair generation will take a short while.
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.
3.6.27 dsa local-key-pair destroy
Function
The dsa local-key-pair destroy command deletes local DSA host key pairs.
Format
dsa local-key-pair destroy
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 188
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
DSA applies to SSH verification. According to the encryption principle of the
asymmetric encryption system, the public and private keys are generated to
implement secure key exchange. This ensures the secure session process. You can
run the dsa local-key-pair create command to generate local DSA keys. When
local DSA keys are unnecessary, you can run the dsa local-key-pair destroy
command to delete these keys.
Prerequisite
The local DSA keys that can be deleted exist.
Precautions
After you run this command, it takes effect and is not saved in a configuration file.
Example
# Delete local DSA keys.
<HUAWEI> system-view
[~HUAWEI] dsa local-key-pair destroy
Info: The name of the key which will be destroyed is
HUAWEI_Host_DSA.
Warning: These keys will be destroyed. Continue? Please select [Y/
N]:y
Info: Succeeded in destroying the DSA host keys.
3.6.28 dsa local-key-pair load
Function
The dsa local-key-pair load command loads the local DSA and server key pairs
from a specified file.
By default, the local DSA and server key pairs are not configured.
Format
dsa local-key-pair load hostkey file-name
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 189
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Value
hostkey Loads the local DSA key pair. -
file-name Specifies the name of the file from which The name of the file
key pairs are loaded. must already exist.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When a user is upgraded from a low level to a high level and wants to use DSA
key configuration of the low level, run the dsa local-key-pair load command to
load the local DSA and server key pairs from a specified file.
Prerequisites
The file that contains the DSA key pair already exists.
Example
# Load the local DSA key pair.
<HUAWEI> system-view
[~HUAWEI] dsa local-key-pair load hostkey flash:/hostkey_dsa
3.6.29 dsa peer-public-key
Function
The dsa peer-public-key command configures an encoding format for a DSA
public key and displays the DSA public key view.
The undo dsa peer-public-key command deletes a DSA public key.
By default, no encoding format is configured for a DSA public key.
Format
dsa peer-public-key key-name encoding-type { der | openssh | pem }
undo dsa peer-public-key key-name
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 190
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Value
key-name Specifies the public key name. The value is a string of
1 to 40 case-sensitive
characters without
space.
NOTE
When double quotation
marks are used around
the string, spaces are
allowed in the string.
encoding-type Specifies an encoding format for a DSA -
public key.
der Specifies the Distinguished Encoding -
Rules (DER) format for a DSA public
key.
DER encodes data in hexadecimal
format.
openssh Specifies the OpenSSH format for a DSA -
public key.
OpenSSH encodes data in base-64
format.
OpenSSH is an encoding format based
on PEM.
pem Specifies the Privacy Enhanced Mail -
(PEM) format for a DSA public key.
PEM encodes data in base-64 format.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When you use a DSA public key for authentication, you must specify the public
key of the corresponding client for an SSH user on the server. When the client logs
in to the server, the server uses the specified public key to authenticate the client.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 191
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
You can also save the public key generated on the server to the client. Then the
client can be successfully authenticated by the server when it logs in to the server
for the first time.
Huawei data communications devices support the DER, OpenSSH and PEM
formats for DSA keys. If you use a DSA key in non-DER/OpenSSH/PEM format, use
a third-party tool to convert the key into a key in DER, OpenSSH or PEM format.
Because a third-party tool is not released with Huawei system software, DSA
usability is unsatisfactory. In addition to DER and PEM, DSA keys need to support
the OpenSSH format to improve DSA usability.
Third-party software, such as PuTTY, OpenSSH, and OpenSSL, can be used to
generate DSA keys in different formats. The details are as follows:
● The PuTTY generate DSA keys in PEM format.
● The OpenSSH generates DSA keys in OpenSSH format.
● The OpenSSL generates DSA keys in DER format.
OpenSSL is an open source software. You can download related documents at
http://www.openssl.org/.
After you configure an encoding format for a DSA public key, Huawei data
communications device automatically generates a DSA public key in the
configured encoding format and enters the DSA public key view. Then you can run
the public-key-code begin command and manually copy the DSA public key
generated on the peer device to the local device.
Follow-up Procedure
After you copy the DSA public key generated on the peer device to the local
device, perform the following operations to exit the DSA public key view:
1. Run the public-key-code end command to return to the DSA public key view.
2. Run the peer-public-key end command to exit the DSA public key view and
return to the system view.
Precautions
If a DSA public key has assigned to an SSH client, release the binding relationship
between the public key and the SSH client. If you do not release the binding
relationship between them, the undo dsa peer-public-key command will fail to
delete the DSA public key.
If a DSA public key has been assigned to an SSH user, run the undo ssh user user-
name assign dsa-key command to delete the mapping between the DSA public
key and the SSH user. If you do not delete the mapping, the undo dsa peer-
public-key command cannot delete the DSA public key.
Example
# Configure an encoding format for a DSA public key and enter the DSA public
key view.
<HUAWEI> system-view
[~HUAWEI] dsa peer-public-key 23 encoding-type der
[*HUAWEI-dsa-public-key]
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 192
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3.6.30 ecc key-pair label
Function
The ecc key-pair label command generates an ECC key pair with a label.
The undo ecc key-pair label command deletes an ECC key pair with a label.
By default, no ECC key pair with a label is generated.
Format
ecc key-pair label label-name [ modulus modulus-bits ]
undo ecc key-pair label label-name
Parameters
Parameter Description Value
label-name Specifies the label The value is a string of 1 to 35 case-
name of an ECC key insensitive characters. It can contain
pair. digits, letters, and underscores (_) only.
modulus Specifies the modulus The value can be 256, 384, or 521, in
modulus-bits of the ECC key pair. bits. The default value is 521.
A larger modulus indicates higher
security. However, it takes a long time to
generate and use such a key pair.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run this command to generate an ECC key pair for user authentication.
The ECC key pair improves authentication security. You can run the ecc key-pair
label command to generate multiple ECC key pairs, and the key pairs are
identified by different labels.
Precautions
You can run the ecc key-pair label command to generate multiple ECC key pairs
with labels. The maximum number of ECC key pairs is specified by the ecc key-
pair maximum command. By default, the device can generate a maximum of 20
ECC key pairs with labels.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 193
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Example
# Generate an ECC key pair with a label named ecc_key_pair.
<HUAWEI> system-view
[~HUAWEI] ecc key-pair label ecc_key_pair
3.6.31 ecc key-pair maximum
Function
The ecc key-pair maximum command configures the maximum number of ECC
key pairs with labels that can be generated.
The undo ecc key-pair maximum command restores the maximum number of
ECC key pairs with labels to the default value.
By default, the device can generate a maximum of 20 ECC key pairs with labels.
Format
ecc key-pair maximum max-keys
undo ecc key-pair maximum
Parameters
Parameter Description Value
max-keys Specifies the maximum number of The value is an integer that
ECC key pairs with labels. ranges from 1 to 20.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Saving ECC key pairs consumes system memory and file resources. Therefore, you
can adjust the maximum number of ECC key pairs as required to ensure that they
do not occupy too many system resources.
Configuration Impact
The device fails to generate ECC key pairs with labels when the number of ECC key
pairs reaches the upper limit specified by this command.
Example
# Set the maximum number of ECC key pairs with labels to 15.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 194
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
<HUAWEI> system-view
[~HUAWEI] ecc key-pair maximum 15
3.6.32 ecc local-key-pair
Function
The ecc local-key-pair create command generates a local ECC key pair.
The ecc local-key-pair destroy command deletes the local ECC key.
By default, no local ECC key pair exists in the system.
Format
ecc local-key-pair create
ecc local-key-pair destroy
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
A local key pair is a prerequisite to a successful SSH login. Compared with the RSA
algorithm used by the rsa local-key-pair create command, the ECC algorithm
shortens the key length, accelerates the encryption, and improves the security. The
length of the server key pair can be 256 bits, 384 bits, and 521 bits. By default, the
length of the key pair is 521 bits.
If you no longer need the local ECC key pairs, run the ecc local-key-pair destroy
command to delete them.
The prerequisite for a user to successfully log in to the SSH server using ECC
authentication is to generate a local ECC key pair. A local ECC key pair can be
generated in the following two methods:
● Configuration: You can run the ecc local-key-pair create command to
generate a local ECC key pair.
● Automatic generation: If an SSH client logs in to a device and the SSH server
has no ECC key pair, the system automatically generates an ECC key pair.
Key pairs generated in the two methods are the same in terms of function,
security, query, and deletion. It is recommended that you run the ecc local-key-
pair create command to generate a local ECC key pair.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 195
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
After a successful login, run the save command to save configurations. The
generated key pair then is saved on the device and is not lost after the device
restarts.
Precautions
● The generated ECC host key pair is named in the format of switch
name_Host_ECC, such as HUAWEI_Host_ECC.
● The ecc local-key-pair create and ecc local-key-pair destroy commands are
not saved in the configuration file. They only need to be run once and take
effect even after the switch restarts.
● Do not delete the ECC key file from the switch.
Example
# Generate a local ECC key pair.
<HUAWEI> system-view
[~HUAWEI] ecc local-key-pair create
Info: The key name will be: HUAWEI_Host_ECC
Info: The key modulus can be any one of the following: 256, 384, 521.
Info: Key pair generation will take a short while.
Please input the modulus [default=521]:
# Delete the local ECC key pair.
<HUAWEI> system-view
[~HUAWEI] ecc local-key-pair destroy
Info: The name of the key which will be destroyed is HUAWEI_Host_ECC.
Warning: These keys will be destroyed. Continue? Please select [Y/N]: Y
Info: Succeeded in destroying the ECC host keys.
3.6.33 ecc peer-public-key
Function
The ecc peer-public-key command generates an ECC public key and enters the
ECC public key view.
The undo ecc peer-public-key command deletes the ECC public key.
By default, no ECC public key is generated.
Format
ecc peer-public-key key-name [ encoding-type enc-type ]
undo ecc peer-public-key key-name
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 196
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Value
key-name Specifies the ECC The value is a string of 1 to 40 case-
public key name. sensitive characters without spaces.
NOTE
When quotation marks are used around
the string, spaces are allowed in the
string.
encoding-type Sets the encoding Currently, only distinguished
enc-type format of the ECC encoding rules (DER, PEM,
public key. OPENSSH) are supported.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When you use an ECC public key for authentication, specify the public key on the
server for the client of SSH users. When the client logs in to the server, the server
uses the specified public key to authenticate the client.
After you enter the ECC public key view, run the public-key-code begin
command, and copy the ECC public key to the server.
NOTE
A maximum of 20 ECC public keys can be configured.
Follow-up Procedure
After you copy the ECC public key generated on the client to the server, perform
the following operations to exit the ECC public key view:
1. Run the public-key-code end command to return to the ECC public key view.
2. Run the peer-public-key end command to exit the ECC public key view and
return to the system view.
Precautions
The public key on the client is randomly generated by the client software.
If an ECC public key has been assigned to an SSH user, run the undo ssh user
user-name assign ecc-key command to delete the mapping between the ECC
public key and the SSH user. If you do not delete the mapping, the undo ecc peer-
public-key command cannot delete the ECC public key.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 197
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Example
# Create an ECC public key and enter the ECC public key view.
<HUAWEI> system-view
[~HUAWEI] ecc peer-public-key ecckey001
[*HUAWEI-ecc-public-key]
3.6.34 ftp server login-failed threshold-alarm
Function
The ftp server login-failed threshold-alarmcommand configures alarm
generation and clearance thresholds for FTP server login failures within a specified
period.
The undo ftp server login-failed threshold-alarm command restores the default
alarm generation and clearance thresholds.
By default, an alarm is generated if the number of login failures reaches 30 within
5 minutes and is cleared if the number of login failures falls below 20 within the
same period.
Format
ftp server login-failed threshold-alarm upper-limit report-times lower-limit
resume-times period period-time
undo ftp server login-failed threshold-alarm [ upper-limit report-times lower-
limit resume-times period period-time ]
Parameters
Parameter Description Value
upper-limit Specifies the number of times The value is an
report-times authentication failure alarms are integer ranging from
reported. If the value is 0, no 0 to 100.
authentication failure alarm is
reported. The default value is 30.
lower-limit Specifies the number of times The value is an
resume-times authentication failure clear alarms are integer ranging from
reported. The default value is 20. 0 to 45.
period period- Specifies the period in which failure The value is an
time alarms are counted. The default value integer ranging from
is 5, in minutes. 1 to 120.
Views
System view
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 198
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Default Level
3: Management level
Task Name and Operations
Task Name Operations
ftp-server write
Usage Guidelines
Usage Scenario
If an FTP management user frequently fails to log in within a short period, the
device generates a management security alarm and reports it to administrators for
their intervention. To configure alarm reporting and clearance thresholds within a
specified period, run the ftp server login-failed threshold-alarm command.
The command takes effect for both ipv4 and ipv6 FTP servers.
Example
# Configure 40 as the alarm reporting threshold and 25 as the alarm clearance
threshold within 10 minutes.
<HUAWEI> system-view
[*HUAWEI] ftp server login-failed threshold-alarm upper-limit 40 lower-limit 25 period 10
3.6.35 http
Function
The http command displays the HTTP view.
The undo http command deletes the HTTP view and all configurations in this
view.
By default, the HTTP view is not displayed.
Format
http
undo http
Parameters
None
Views
System view
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 199
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Default Level
3: Management level
Task Name and Operations
Task Name Operations
https write
Usage Guidelines
HTTP is an application-layer protocol that transports hypertext from WWW servers
to local browsers. HTTP uses the client/server model in which requests and replies
are exchanged.
Before configuring HTTP, run the http command to enter the HTTP view.
Example
# Display the HTTP view.
<HUAWEI> system-view
[~HUAWEI] http
3.6.36 lock
Function
The lock command locks the current user interface to prevent unauthorized users
from operating the interface.
By default, the system does not automatically lock the current user interface.
Format
lock
Parameters
None
Views
User view
Default Level
0: Visit level
Usage Guidelines
Usage Scenario
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 200
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Lock the current user interface using this command to prevent other users from
operating the interface. The user interfaces consist of console ports, and Virtual
Type Terminals (VTYs).
After using the lock command, you are prompted to input the password twice. If
you input the correct password for twice, the user interface is locked.
Precautions
● The passwords must meet the specified requirements.
– When password complexity check is supported, the requirements are as
follows:
▪ The password is a string of 8 to 128 case-sensitive characters.
▪ The password must contain at least two of the following characters:
upper-case character, lower-case character, digit, and special
character.
Special characters except the question mark (?) and space.
– If you run the undo local-user policy security-enhance command in the
AAA view to disable the local account security policy and then run the
lock command, the password does not need to meet the complexity
requirement. In this case, the requirements are as follows:
▪ The password is a string of 1 to 128 case-sensitive characters.
The character string does not include the special character question
mark (?) and space.
● Password entered in interactive mode is not displayed on the screen.
● When you run the lock command to lock the user interface and set a locking
password, you can press CTRL_C to cancel the operation.
● To unlock the user interface, press Enter, and then input the correct password
as prompted by the system.
Example
# Lock the current user interface after logging in through the console port.
<HUAWEI> lock
Enter Password:
Confirm Password:
Info: The terminal is locked.
# To log in to the system after the system is locked, you must press Enter. The
following information is displayed:
Enter Password:
# Enter the correct password and return to the user view.
<HUAWEI>
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 201
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3.6.37 peer-public-key end
Function
The peer-public-key end command returns to the system view from the public
key view and saves the configured public keys.
Format
peer-public-key end
Parameters
None
Views
Public key view
Default Level
3: Management level
Usage Guidelines
You must save the public key generated on the remote host to the local host,
which ensures that the validity check on the remote end is successful. After editing
a public key in the public key view, you can run this command to return to the
system view.
Example
# Return to the system view from the public key view.
<HUAWEI> system-view
[~HUAWEI] dsa peer-public-key dsakey001 encoding-type der
[*HUAWEI-dsa-public-key] public-key-code begin
[*HUAWEI-dsa-public-key-dsa-key-code] 308188
[*HUAWEI-dsa-public-key-dsa-key-code] 028180
[*HUAWEI-dsa-public-key-dsa-key-code] B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
[*HUAWEI-dsa-public-key-dsa-key-code] A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
[*HUAWEI-dsa-public-key-dsa-key-code] 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
[*HUAWEI-dsa-public-key-dsa-key-code] 40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
[*HUAWEI-dsa-public-key-dsa-key-code] 1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
[*HUAWEI-dsa-public-key-dsa-key-code] A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
[*HUAWEI-dsa-public-key-dsa-key-code] 171896FB 1FFC38CD
[*HUAWEI-dsa-public-key-dsa-key-code] 0203
[*HUAWEI-dsa-public-key-dsa-key-code] 010001
[*HUAWEI-dsa-public-key-dsa-key-code] public-key-code end
[*HUAWEI-dsa-public-key] peer-public-key end
[*HUAWEI]
3.6.38 public-key-code begin
Function
The public-key-code begin command displays the public key editing view.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 202
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Format
public-key-code begin
Parameters
None
Views
Public key view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You must save the public key generated on the remote host to the local host,
which ensures that the validity check on the remote end is successful. Run the
public-key-code begin command to display the public key editing view, and enter
the key data. The key characters can contain spaces. You can press Enter to enter
data in another line.
Prerequisite
A key name has been specified by running the rsa peer-public-key, dsa peer-
public-key, or ecc peer-public-key command.
NOTICE
For security purposes, it is not recommended that you use RSA as the public key.
Precautions
● The content of a key does not support Chinese characters.
● The public key must be a hexadecimal character string in the public key
encoding format, and generated by the client or server that supports SSH.
● The public keys displayed by running the display rsa local-key-pair public,
display dsa local-key-pair public, or display ecc local-key-pair public
command can be used as the key data to enter.
● You can successfully edit the public key in a public key pair by entering the
public key in the server key pair or client key pair. In SSH application, only the
public key in the client key pair can be entered as key data. If you enter the
public key in the server key pair, authentication fails during SSH login.
Example
# Display the public key editing view and enter the key data.
<HUAWEI> system-view
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 203
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
[~HUAWEI] dsa peer-public-key dsakey001 encoding-type der
[*HUAWEI-dsa-public-key] public-key-code begin
[*HUAWEI-dsa-public-key-dsa-key-code] 308188
[*HUAWEI-dsa-public-key-dsa-key-code] 028180
[*HUAWEI-dsa-public-key-dsa-key-code] B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
[*HUAWEI-dsa-public-key-dsa-key-code] A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
[*HUAWEI-dsa-public-key-dsa-key-code] 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
[*HUAWEI-dsa-public-key-dsa-key-code] 40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
[*HUAWEI-dsa-public-key-dsa-key-code] 1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
[*HUAWEI-dsa-public-key-dsa-key-code] A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
[*HUAWEI-dsa-public-key-dsa-key-code] 171896FB 1FFC38CD
[*HUAWEI-dsa-public-key-dsa-key-code] 0203
[*HUAWEI-dsa-public-key-dsa-key-code] 010001
[*HUAWEI-dsa-public-key-dsa-key-code] public-key-code end
[*HUAWEI-dsa-public-key] peer-public-key end
[*HUAWEI]
3.6.39 public-key-code end
Function
The public-key-code end command returns to the public key view from the public
key editing view and saves the configured public keys.
Format
public-key-code end
Parameters
None
Views
Public key editing view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
After this command is run, the process of editing the public key ends. Before
saving the public key, the system will check the validity of the key.
● If there are illegal characters in the public key character string configured by
the user, the system will display a relevant error prompt. The public key
previously configured by the user is discarded. As a result, the configuration
fails.
● If the public key configured is valid, it is saved in the public key chain table of
the client.
Precautions
● Generally, in the public key view, only the public-key-code end command can
be used to exit. Thus, in this instance the quit command cannot be used.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 204
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
● If the legal key coding is not input, the key cannot be generated after the
public-key-code end command is used. The system prompts that generating
the incorrect key fails.
● If the key is deleted in another window, the system prompts that the key does
not exist and returns to the system view directly after you run the public-key-
code end command.
Example
# Exit from the RSA public key editing view and saves the RSA key configuration.
<HUAWEI> system-view
[~HUAWEI] dsa peer-public-key dsakey001 encoding-type der
[*HUAWEI-dsa-public-key] public-key-code begin
[*HUAWEI-dsa-public-key-dsa-key-code] 308188
[*HUAWEI-dsa-public-key-dsa-key-code] 028180
[*HUAWEI-dsa-public-key-dsa-key-code] B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
[*HUAWEI-dsa-public-key-dsa-key-code] A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
[*HUAWEI-dsa-public-key-dsa-key-code] 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
[*HUAWEI-dsa-public-key-dsa-key-code] 40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
[*HUAWEI-dsa-public-key-dsa-key-code] 1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
[*HUAWEI-dsa-public-key-dsa-key-code] A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
[*HUAWEI-dsa-public-key-dsa-key-code] 171896FB 1FFC38CD
[*HUAWEI-dsa-public-key-dsa-key-code] 0203
[*HUAWEI-dsa-public-key-dsa-key-code] 010001
[*HUAWEI-dsa-public-key-dsa-key-code] public-key-code end
[*HUAWEI-dsa-public-key] peer-public-key end
[*HUAWEI]
3.6.40 rsa key-pair label
Function
The rsa key-pair label command generates an RSA key pair with a label.
The undo rsa key-pair label command deletes an RSA key pair with a label.
By default, no RSA key pair with a label is generated.
Format
rsa key-pair label label-name [ modulus modulus-bits ]
rsa key-pair label load private private-key public public-key
undo rsa key-pair label label-name
Parameters
Parameter Description Value
label-name Specifies the label name of The value is a string of 1 to 35
an RSA key pair. case-insensitive characters. It
can contain letters, digits, or
underscores (_) only.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 205
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
modulus modulus- Specifies the modulus of The value are 2048 and 3072,
bits the RSA key pair. in bits. The default value is
3072.
load private Specifies the private key in The private-key must already
private-key the key pair. exist.
public public-key Specifies the public key in The public-key must already
the key pair. exist.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The RSA key-pair is an algorithm for authenticating users in the SSH and ensures
security of user authentication. You can run the rsa key-pair label command to
generate multiple RSA key pairs, and the key pairs are identified by different
labels.
Precautions
You can run the rsa key-pair label command to generate multiple RSA key pairs
with labels. The maximum number of RSA key pairs is specified by the rsa key-
pair maximum command. By default, the device can generate a maximum of 20
RSA key pairs with labels.
NOTE
To ensure high security, using the 3072-bit RSA key pair is recommended.
Example
# Generate an RSA key pair with a label named as ssh_host.
<HUAWEI> system-view
[~HUAWEI] rsa key-pair label ssh_host
3.6.41 rsa key-pair maximum
Function
The rsa key-pair maximum command configures the maximum number of RSA
key pairs with labels that can be generated.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 206
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
The undo rsa key-pair maximum command restores the maximum number of
RSA key pairs with labels to the default value.
By default, the device can generate a maximum of 20 RSA key pairs with labels.
Format
rsa key-pair maximum max-keys
undo rsa key-pair maximum
Parameters
Parameter Description Value
max-keys Specifies the maximum number of The value is an integer that
RSA key pairs with labels. ranges from 1 to 20.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Saving RSA key pairs consumes system memory and file resources. Therefore, you
can adjust the maximum number of RSA key pairs as required to ensure that they
do not occupy too many system resources.
Configuration Impact
The device fails to generate RSA key pairs with labels when the number of RSA
key pairs reaches the upper limit specified by this command.
Example
# Set the maximum number of RSA key pairs with labels to 15.
<HUAWEI> system-view
[~HUAWEI] rsa key-pair maximum 15
3.6.42 rsa local-key-pair create
Function
The rsa local-key-pair create command generates a local RSA key pair.
By default, a local RSA key pair is not configured.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 207
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Format
rsa local-key-pair create
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To implement secure data exchange between the server and client, run this
command to generate a local key pair.
The prerequisite for a user to successfully log in to the SSH server using RSA
authentication is to generate a local RSA key pair. A local RSA key pair can be
generated in the following two methods:
● Configuration: You can run the rsa local-key-pair create command to
generate a local RSA key pair.
● Automatic generation: If an SSH client logs in to a device and the SSH server
has no RSA key pair, the system automatically generates an RSA key pair.
Key pairs generated in the two methods are the same in terms of function,
security, query, and deletion. It is recommended that you run the rsa local-key-
pair create command to generate a local RSA key pair.
After a successful login, run the save command to save configurations. The
generated key pair then is saved on the device and is not lost after the device
restarts.
Precautions
If the RSA key pair exists, the system prompts you to confirm whether to replace
the original key pair. The keys in the new key pair are named device name_server
and device name_host, for example, HUAWEI_host and HUAWEI_server.
After inputting this command, you are prompted to enter the digit of the host key.
The length of the server key pair and the host key pair is 2048 or 3072 digits. If
there has been a key pair, you should confirm whether to change it.
This command is not saved in a configuration file.
Example
# Generate a local RSA key pair.
<HUAWEI> system-view
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 208
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
[~HUAWEI] rsa local-key-pair create
The key name will be: HUAWEI_Host
The range of public key size is (2048, 3072).
NOTE: Key pair generation will take a short while.
Please input the modulus [default = 3072]:
3.6.43 rsa local-key-pair destroy
Function
The rsa local-key-pair destroy command deletes all local RSA host and server key
pairs.
Format
rsa local-key-pair destroy
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To delete the local key pair, run rsa local-key-pair destroy command. If the host
key pair and the service key pair of an SSH server are deleted, run the rsa local-
key-pair create command to create the host key pair and service key pair for the
SSH server.
After you run this command, verify that all local RSA keys are deleted. This
command is not saved in a configuration file.
Prerequisite
The local RSA keys that can be deleted exist.
Example
# Delete all RSA server keys.
<HUAWEI> system-view
[~HUAWEI] rsa local-key-pair destroy
% The name for the keys which will be destroyed is HUAWEI_Host.
% Confirm to destroy these keys? Please select [Y/N]: y
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 209
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3.6.44 rsa local-key-pair load
Function
The rsa local-key-pair load command loads the local RSA and server key pairs
from a specified file.
By default, the local RSA and server key pairs are not configured.
Format
rsa local-key-pair load { hostkey | serverkey } file-name
Parameters
Parameter Description Value
hostkey Loads the local RSA key pair. -
serverkey Loads the server key pair. -
file-name Specifies the name of the file from which The name of the file
key pairs are loaded. must already exist.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When a user is upgraded from a low level to a high level and wants to use RSA
key configuration of the low level, run the rsa local-key-pair load command to
load the local RSA and server key pairs from a specified file.
Prerequisites
The file that contains the RSA key pair already exists.
Example
# Load the local RSA key pair.
<HUAWEI> system-view
[~HUAWEI] rsa local-key-pair load hostkey flash:/rsahostkey.dat
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 210
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3.6.45 rsa peer-public-key
Function
The rsa peer-public-key command configures an encoding format for RSA public
key and enters the RSA public key view.
The undo rsa peer-public-key command deletes a public key.
By default, no public key is configured.
Format
rsa peer-public-key key-name [ encoding-type { der | openssh | pem } ]
undo rsa peer-public-key key-name
Parameters
Parameter Description Value
key-name Specifies the public key name. The value is a string of
1 to 40 case-
insensitive characters
without spaces.
NOTE
When double quotation
marks are used around
the string, spaces are
allowed in the string.
encoding- Specifies an encoding format for RSA -
type public key, the default is DER.
der Specifies the DER format for an RSA -
public key.
DER encodes data in hexadecimal
format.
openssh Specifies the OpenSSH format for an -
RSA public key.
OpenSSH encodes data in base-64
format.
OpenSSH is an encoding format based
on PEM.
pem Specifies the PEM format for an RSA -
public key.
PEM encodes data in base-64 format.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 211
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Run this command to display the public key view, and save the public key on the
remote host to the local host. This ensures that the remote device validity is
checked in connection.
After you configure an encoding format for an RSA public key, Huawei data
communications device automatically generates an RSA public key in the
configured encoding format and enters the RSA public key view. Then you can run
the public-key-code begin command and manually copy the RSA public key
generated on the peer device to the local device.
NOTE
A maximum of 20 RSA public keys can be configured. To ensure high security, do not use
the RSA key pair whose length is less than 2048 digits.
Prerequisite
The public key in hexadecimal notation on the remote host has been obtained and
recorded.
Follow-up Procedure
After you copy the RSA public key generated on the peer device to the local
device, perform the following operations to exit the RSA public key view:
1. Run the public-key-code end command to return to the RSA public key view.
2. Run the peer-public-key end command to exit the RSA public key view and
return to the system view.
Precautions
If an RSA public key has been assigned to an SSH user, run the undo ssh user
user-name assign rsa-key command to delete the mapping between the RSA
public key and the SSH user. If you do not delete the mapping, the undo rsa peer-
public-key command cannot delete the RSA public key.
Example
# Display the public key view.
<HUAWEI> system-view
[~HUAWEI] rsa peer-public-key rsakey001
[*HUAWEI-rsa-public-key]
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 212
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3.6.46 run
Function
The run command executes a user view command in the system view.
By default, a user view command cannot be executed in the system view.
Format
run command-line
Parameters
Parameter Description Value
command-line Specifies a command to be executed. -
Views
System view
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
To run commands, which can be run only in the user view, in the system view, you
must return to the user view. After completing this configuration task, you can run
the run command to run such commands in the system view without returning to
the user view.
Precautions
● The command specified in the run command must be able to be run in the
user view.
● When you run the run command, the association help function is unavailable.
● When you check the command history on the device using the display
history-command command, only the commands that you enter are
recorded. The command format is run command-line.
● When you check log information using the CLI/5/CMDRECORD command,
only the commands that are actually executed are recorded in logs. The
command format is run command-line.
● run cannot be used to execute commands that involve configuration rollback
or system software behavior change, such as switch virtual-system vs-name,
rollback configuration to { commit-id commit-id | label label | file file-
name } | last number-of-commits }, quit, and patch load.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 213
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Example
# View .cfg files in the system view.
<HUAWEI> system-view
[~HUAWEI] run dir *.cfg
Directory of flash:/
Idx Attr Size(Byte) Date Time FileName
0 -rw- 11,970 Mar 14 2012 19:11:22 31.cfg
1 -rw- 12,033 Apr 22 2012 17:10:30 31_new.cfg
509,256 KB total (118,784 KB free)
3.6.47 ssh authentication-type default password
Function
The ssh authentication-type default password command configures password
authentication as the default authentication mode for users who request to log in
to a device using SSH.
The undo ssh authentication-type default password command cancels the
configuration.
By default, password authentication is used.
Format
ssh authentication-type default password
undo ssh authentication-type default password
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When there are multiple SSH users in the system, the preset password
authentication mode is used to simplify the configuration.
When users request to log in to a device using SSH, if no SSH user is created using
the ssh user, ssh user authentication-type, and ssh user service-type
commands, successful user login depends on whether the ssh authentication-
type default password command is run.
● If the ssh authentication-type default password command is run, users log
in through AAA authentication.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 214
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
● If the ssh authentication-type default password command is not run, users
cannot log in.
If an SSH user has been created using the ssh user, ssh user authentication-
type, and ssh user service-type commands, authentication of the SSH user
depends on whether the ssh user authentication-type command is run. If the ssh
user authentication-type command is run, the user is authenticated using the
authentication mode specified in this command. If the ssh user authentication-
type command is not run, the user cannot log in to the device.
Precautions
You can run the ssh user user-name authentication-type password command to
configure the password authentication mode for an SSH user. If the ssh user and
ssh authentication-type default password commands are configured
simultaneously, the ssh user command takes effect.
This command takes effect for both IPv4 and IPv6 users.
Example
# Configure the password authentication mode for an SSH user.
<HUAWEI> system-view
[~HUAWEI] ssh authentication-type default password
3.6.48 ssh authorization-type default
Function
The ssh authorization-type default command sets the authorization method for
an SSH connection to AAA or Root.
The undo ssh authorization-type default command restores the authorization
method.
By default, the authorization method for an SSH connection is AAA.
Format
ssh authorization-type default { aaa | root }
undo ssh authorization-type default
Parameters
Parameter Description Value
aaa Sets the authorization method for an SSH session as AAA. -
root Sets the authorization method for an SSH session as Root. -
Views
System view
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 215
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Default Level
3: Management level
Task Name and Operations
Task Name Operations
ssh-server write
Usage Guidelines
If the authorization type for an SSH connection is AAA, the privilege level of SSH
user is that configured in the AAA view.
If the authorization type for an SSH connection is root, the privilege level of SSH
user is different from that configured in the AAA view. In this situation, the
privilege level is the maximum value, 15 or 3.
This command takes effect for both ipv4 and ipv6 connections.
Example
# Set the authorization method for SSH session as AAA.
<HUAWEI> system-view
[~HUAWEI] ssh authorization-type default aaa
3.6.49 ssh client peer assign
Function
The ssh client peer assign command specifies the host public key of the SSH
server to connect on the SSH client.
The undo ssh client peer assign command cancels the specified host public key
of the SSH server to connect on the SSH client.
By default, the host public key of the server to connect is not specified on the
client.
Format
ssh client peer server-ip-address assign { rsa-key | dsa-key | ecc-key } key-name
undo ssh client peer server-ip-address assign { rsa-key | dsa-key | ecc-key }
Parameters
Parameter Description Value
server-ip-address Specifies the host name or IP address of The SSH must
the SSH server. already exist.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 216
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
rsa-key Specifies the RSA public key. -
dsa-key Specifies the DSA public key. -
ecc-key Specifies the ECC public key. -
key-name Specifies the SSH server public key The SSH server
name that has been configured on the public key name
SSH client. must already exist.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If the SSH client connects to the SSH server for the first time and the first login is
not enabled on the SSH client using the ssh client first-time enable command,
the SSH client rejects the access from unauthorized SSH servers. You need to
specify the host public key of the SSH server and the mapping between the key
and SSH server on the SSH client. After that, the client will determine whether the
server is reliable using the correct public key based on the mapping.
NOTICE
For security purposes, it is not recommended that you use RSA as the public key.
Precautions
The RSA, DSA, or ECC public key to be assigned to the SSH server must have been
configured on the SSH client using the rsa peer-public-key, dsa peer-public-key,
or ecc peer-public-key command. If the key has not been configured, the
verification for the RSA, DSA, or ECC public key of the SSH server on the SSH
client fails.
Example
# Assign the DSA public key to the SSH server.
<HUAWEI> system-view
[~HUAWEI] ssh client peer 10.164.39.120 assign dsa-key sshdsakey01
# Delete the DSA public key of the SSH server.
<HUAWEI> system-view
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 217
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
[~HUAWEI] undo ssh client peer 10.164.39.120 assign dsa-key
3.6.50 ssh client cipher
Function
The ssh client cipher command configures encryption algorithms on an SSH
client.
The undo ssh client cipher command restores the default encryption algorithms
on an SSH client.
By default, the encryption algorithms supported by an SSH client are
AES256_GCM, AES128_GCM, AES256_CTR, AES192_CTR, and AES128_CTR
encryption algorithms.
Format
ssh client cipher { des_cbc | 3des_cbc | aes128_cbc | aes192_cbc | aes256_cbc |
aes128_ctr | aes192_ctr | aes256_ctr | arcfour128 | arcfour256 | aes128_gcm |
aes256_gcm } *
undo ssh client cipher
Parameters
Parameter Description Value
des_cbc Sets the encryption algorithm to DES_CBC. -
3des_cbc Sets the encryption algorithm to 3DES_CBC. -
aes128_cbc Sets the encryption algorithm to AES128_CBC. -
aes192_cbc Sets the encryption algorithm to AES192_CBC. -
aes256_cbc Sets the encryption algorithm to AES256_CBC. -
aes128_ctr Sets the encryption algorithm to AES128_CTR. -
aes192_ctr Sets the encryption algorithm to AES192_CTR. -
aes256_ctr Sets the encryption algorithm to AES256_CTR. -
arcfour128 Sets the encryption algorithm to Arcfour128. -
arcfour256 Sets the encryption algorithm to Arcfour256. -
aes128_gcm Sets the encryption algorithm to AES128_GCM. -
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 218
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
aes256_gcm Sets the encryption algorithm to AES256_GCM. -
Views
System view
Default Level
3: Management level
Task Name and Operations
Task Name Operations
ssh-client write
Usage Guidelines
Usage Scenario
To configure encryption algorithms on an SSH client, run the ssh client cipher
command. The SSH client and server negotiate encryption algorithms for the
packets exchanged between them. During negotiation, the client sends its
encryption algorithms to the server. After comparing the received encryption
algorithms with local ones, the server selects the first matching encryption
algorithm received for packet transmission. If no matching encryption algorithm is
found, the negotiation fails.
Precautions
For security purposes, you are advised to use secure algorithms such as
AES128_CTR, AES256_CTR, AES192_CTR, AES128_GCM, and AES256_GCM.
If the device loads a configuration file for startup (for example, the device loads a
configuration file using ZTP for initial configuration) and the configuration file
does not contain the ssh client cipher command configuration, the encryption
algorithms supported by the SSH client are AES256_GCM, AES128_GCM,
AES256_CTR, AES192_CTR, AES128_CTR, AES256_CBC, AES128_CBC, and
3DES_CBC.
This command applies to both IPv4 and IPv6.
Example
# Configure encryption algorithms in CTR mode on an SSH client.
<HUAWEI> system-view
[~HUAWEI] ssh client cipher aes128_ctr aes256_ctr
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 219
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3.6.51 ssh client first-time enable
Function
The ssh client first-time enable command enables the first login on the SSH
client.
The undo ssh client first-time enable command disables the first login on the
SSH client.
By default, first login is disabled on the SSH client.
Format
ssh client first-time enable
undo ssh client first-time enable
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When the SSH client accesses the SSH server for the first time and the public key
of the SSH server is not configured on the SSH client, you can enable the first
login for the SSH client to access the SSH server and save the public key on the
SSH client. When the SSH client accesses the SSH server next time, the saved
public key is used to authenticate the SSH server.
Precautions
You can run the ssh client peer assign command to pre-assign a public key to the
SSH server. In this manner, you can log in to the SSH server successfully at the first
time.
This command takes effect for both ipv4 and ipv6 SSH clients.
Example
# Enable the first login on the SSH client.
<HUAWEI> system-view
[~HUAWEI] ssh client first-time enable
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 220
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3.6.52 ssh client hmac
Function
The ssh client hmac command configures HMAC authentication algorithms on an
SSH client.
The undo ssh client hmac command restores the default HMAC authentication
algorithms on an SSH client.
By default, the HMAC authentication algorithms supported by an SSH client are
SHA2_256 and SHA2_512.
Format
ssh client hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 | sha2_256_96 |
sha2_512 } *
undo ssh client hmac
Parameters
Parameter Description Value
md5 Sets the HMAC authentication algorithm to MD5. -
md5_96 Sets the HMAC authentication algorithm to MD5_96. -
sha1 Sets the authentication algorithm to SHA1 HMAC. -
sha1_96 Sets the HMAC authentication algorithm to SHA1_96. -
sha2_256 Sets the HMAC authentication algorithm to SHA2_256. -
sha2_256_96 Sets the HMAC authentication algorithm to SHA2_256_96. -
sha2_512 Sets the HMAC authentication algorithm to SHA2_512. -
Views
System view
Default Level
3: Management level
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 221
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Task Name and Operations
Task Name Operations
ssh-client write
Usage Guidelines
Usage Scenario
To configure HMAC authentication algorithms on an SSH client, run the ssh client
hmac command. During negotiation, the client sends its authentication algorithms
to the server. After comparing the received authentication algorithms with the
local ones on the server, the server selects the first matching authentication
algorithm received for packet transmission. If no matching authentication
algorithm is found, the negotiation fails.
Precautions
For security purposes, you are advised to use a secure algorithm (SHA2_256 or
SHA2_512.)
If the device loads a configuration file for startup (for example, the device loads a
configuration file using ZTP for initial configuration) and the configuration file
does not contain the ssh client hmac command configuration, the HMAC
authentication algorithms supported by the SSH client are SHA2_512,
SHA2_256_96, SHA2_256, SHA1, SHA1_96, MD5, and MD5_96.
This command applies to both IPv4 and IPv6.
Example
# Configure the SHA2_256 HMAC authentication algorithm.
<HUAWEI> system-view
[~HUAWEI] ssh client hmac sha2_256
3.6.53 ssh client keepalive-interval
Function
The ssh client keepalive-interval command sets the interval for sending
keepalive packets on the SSH client.
The undo ssh client keepalive-interval command restores the default interval for
sending keepalive packets on the SSH client.
The default interval for sending keepalive packets on the SSH client is 0.
Format
ssh client keepalive-interval seconds
undo ssh client keepalive-interval
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 222
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Value
seconds Specifies the interval for The value is an integer ranging from 0 to
sending keepalive 3600, in seconds. The value 0 indicates
packets. that keepalive packets are not sent.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If the SSH client does not receive any data packet from the SSH server within a
period, the client sends keepalive packets to the server. If the client does not
receive any keepalive response packet from the server, the client disconnects from
the server.
Precautions
If the interval is restored to 0, the client does not send any keepalive packet to the
server.
This command takes effect for both ipv4 and ipv6 SSH clients.
Example
# Set the interval for sending keepalive packets on the SSH client to 30 seconds.
<HUAWEI> system-view
[~HUAWEI] ssh client keepalive-interval 30
3.6.54 ssh client keepalive-maxcount
Function
The ssh client keepalive-maxcount command sets the maximum number of
keepalive packets sent by the SSH client.
The undo ssh client keepalive-maxcount command restores the default
maximum number of keepalive packets sent by the SSH client.
The default maximum number of keepalive packets is 3, indicating that the client
sends three keepalive packets to the server before disconnecting from the server.
Format
ssh client keepalive-maxcount count
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 223
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
undo ssh client keepalive-maxcount
Parameters
Parameter Description Value
count Specifies the maximum number The value is an integer that ranges
of keepalive packets. from 1 to 30.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If the SSH client does not receive any data packet from the server within a period,
the client sends the maximum number of keepalive packets to the server. If the
client does not receive any keepalive response packet from the server, the client
disconnects from the server.
Precautions
The interval for sending keepalive packets on the client must be greater than the
interval that is set using the ssh client keepalive-interval command. If the client
does not send any keepalive packet (the interval is 0), the maximum number of
keepalive packets does not take effect.
This command takes effect for both ipv4 and ipv6 SSH clients.
Example
# Set the maximum number of keepalive packets on the SSH client to 5.
<HUAWEI> system-view
[~HUAWEI] ssh client keepalive-maxcount 5
3.6.55 ssh client key-exchange
Function
The ssh client key-exchange command adds a key exchange algorithm to the key
exchange algorithm list for an SSH client.
The undo ssh client key-exchange command restores the default configuration.
By default, an SSH client uses the dh_group_exchange_sha256 key exchange
algorithm.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 224
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Format
ssh client key-exchange { dh_group14_sha1 | dh_group1_sha1 |
dh_group_exchange_sha1 | dh_group_exchange_sha256 | ecdh_sha2_nistp256 |
ecdh_sha2_nistp384 | ecdh_sha2_nistp521 | sm2_kep } *
undo ssh client key-exchange
Parameters
Parameter Description Value
dh_group14_sha1 Adds the diffie-hellman-group14-sha1 -
algorithm to the key exchange algorithm
list for the SSH client.
dh_group1_sha1 Adds the diffie-hellman-group1-sha1 -
algorithm to the key exchange algorithm
list for the SSH client.
dh_group_exchange_sha1 Adds the diffie-hellman-group-exchange- -
sha1 algorithm to the key exchange
algorithm list for the SSH client.
dh_group_exchange_sha256 Adds the diffie-hellman-group-exchange- -
sha256 algorithm to the key exchange
algorithm list for the SSH client.
ecdh_sha2_nistp256 Adds the Elliptic curve Diffie-hellman- -
sha2-nistp256 algorithm to the key
exchange algorithm list for the SSH client.
ecdh_sha2_nistp384 Adds the Elliptic curve Diffie-hellman- -
sha2-nistp384 algorithm to the key
exchange algorithm list for the SSH client.
ecdh_sha2_nistp521 Adds the Elliptic curve Diffie-hellman- -
sha2-nistp521 algorithm to the key
exchange algorithm list for the SSH client.
sm2_kep Adds the SuperMemo 2 Key Exchange -
Protocol algorithm to the key exchange
algorithm list for the SSH client.
Views
System view
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 225
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Default Level
3: Management level
Task Name and Operations
Task Name Operations
ssh-client write
Usage Guidelines
Usage Scenario
The SSH client and server negotiate the key exchange algorithm for packet
transmission. To configure a key exchange algorithm list for the SSH client, run the
ssh client key-exchange command. After the server receives a packet from the
client, the server matches the key exchange algorithm list of the client against its
local list and selects the first matching key exchange algorithm. If no matching
key exchange algorithms exist, the negotiation fails.
This command can be run on an IPv4 or IPv6 SSH client.
Precautions
For security purposes, the dh_group_exchange_sha256 key exchange algorithm is
recommended.
When the device loads a configuration file for startup (for example, the device
loads a configuration file using ZTP for initial configuration), and the
configuration file does not contain the ssh client key-exchange command
configuration, the SSH client uses dh_group_exchange_sha256,
dh_group_exchange_sha1, dh_group14_sha1, dh_group1_sha1,
ecdh_sha2_nistp256, ecdh_sha2_nistp384, ecdh_sha2_nistp521, and sm2_kep key
exchange algorithms.
Example
# Add the dh_group_exchange_sha256 algorithm to the key exchange algorithm
list for the SSH client.
<HUAWEI> system-view
[~HUAWEI] ssh client key-exchange dh_group_exchange_sha256
3.6.56 ssh client publickey
Function
The ssh client publickey command enables public key algorithms for an SSH
client.
The undo ssh client publickey command restores the default configuration.
By default, the RSA public key algorithm is enabled.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 226
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Format
ssh client publickey { dsa | ecc | rsa } *
undo ssh client publickey [ dsa | ecc | rsa ] *
Parameters
Parameter Description Value
dsa Indicates the DSA algorithm. -
ecc Indicates the ECC algorithm. -
rsa Indicates the RSA algorithm. -
Views
System view
Default Level
3: Management level
Task Name and Operations
Task Name Operations
ssh-client write
Usage Guidelines
Usage Scenario
To enable public key algorithms for an SSH client, run the ssh client publickey
command. If only one public key algorithm is specified in the command, the client
can use only this algorithm to log in to the server. For example, if the ssh client
publickey dsa command is run, only the DSA algorithm can be used for login, and
the ECCand RSA algorithms cannot be used for login. If this command is run more
than once, the latest configuration overrides the previous one.
NOTE
For security purposes, do not use RSA keys whose length is less than 2048 bits.
Precautions
● A public key algorithm can be used for login only after it is enabled on both
the client and server.
● To restore the default configuration, you can run the undo ssh client
publickey command specified with the algorithms that are the same as those
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 227
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
configured in the ssh client publickey command. Alternatively, you can run
the undo ssh client publickey command with no algorithms specified.
● If the ssh client first-time enable command is run, a message is displayed
asking you to save the server public key when you use the client to log in to
the server. During the saving process, the SSH client automatically selects a
public key algorithm that can ensure successful negotiation and allocates the
algorithm to the SSH server based on the ssh client publickey command
configuration.
● If the ssh client first-time enable command is not run, you must run the ssh
client peer assign command to allocate a public key to the SSH server. In
addition, the SSH server must be able to use the public key algorithm
corresponding to the allocated public key to successfully negotiate with the
SSH client with the ssh client publickey command configured. Otherwise, the
SSH server's public key fails to be authenticated by the SSH client.
● When the device loads a configuration file for startup (for example, the device
loads a configuration file using ZTP for initial configuration), and the
configuration file does not contain the ssh client publickey command
configuration, the DSA, ECC, and RSA public key algorithms are enabled.
● This command can be run on an IPv4 or IPv6 SSH client.
Example
# Enable the ECC algorithm.
<HUAWEI> system-view
[~HUAWEI] ssh client publickey ecc
3.6.57 ssh client rekey
Function
The ssh client rekey command sets the criteria that trigger SSH client key re-
negotiation.
The undo ssh client rekey command restores the default values of criteria that
trigger SSH client key re-negotiation.
By default, key re-negotiation is triggered on the SSH client when one of the
following conditions is met:
● The total size of sent and received packets reaches 1000 MB.
● The total number of sent and received packets reaches 2147483648.
● The online duration reaches 60 minutes.
Format
ssh client rekey { data-limit data-limit | max-packet max-packet | time
minutes } *
undo ssh client rekey { data-limit [ data-limit ] | max-packet [ max-packet ] |
time [ minutes ] } *
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 228
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Value
data-limit data- Specifies the maximum The value is an integer ranging
limit packet data volume that from 100 to 10000, in MB.
triggers key re-negotiation.
max-packet max- Specifies the maximum The value is an integer ranging
packet number of packets that from 268435456 to
triggers key re-negotiation. 2147483648.
time minutes Specifies the session The value is an integer in the
duration that triggers key range of 30 to 1440, in
re-negotiation. minutes.
Views
System view
Default Level
3: Management level
Task Name and Operations
Task Name Operations
ssh-client write
Usage Guidelines
When an SSH session meets one or more of the following criteria, the system re-
negotiates a key and uses the new key to establish SSH session connections,
improving system security.
● The number of interaction packets meets the configured key re-negotiation
criterion.
● The accumulated packet data volume meets the configured key re-
negotiation criterion.
● The session duration meets the configured key re-negotiation criterion.
● This command takes effect for both IPv4 and IPv6 SSH clients.
NOTE
A key re-negotiation request is initiated when either the SSH client or server meets the key
re-negotiation criteria, and the other party responds.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 229
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Example
# Configure key re-negotiation to be triggered on the SSH client when the total
size of sent and received packets reaches 10000 MB, the total number of sent and
received packets reaches 268435456, or the online duration reaches 1440 minutes.
<HUAWEI> system-view
[~HUAWEI] ssh client rekey data-limit 10000 max-packet 268435456 time 1440
3.6.58 ssh dscp
Function
The ssh dscp command sets the DSCP priority of STelnet packets.
The undo ssh dscp command restores the default setting.
By default, the DSCP priority of STelnet packets is 48.
Format
ssh { client | server } dscp dscp-number
undo ssh { client | server } dscp [ dscp-number ]
Parameters
Parameter Description Value
client Specifies the STelnet client. -
server Specifies the STelnet server. -
dscp-number Specifies the DSCP priority. The value is an integer that ranges
from 0 to 63. A greater DSCP value
indicates a higher priority.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run this command to set the DSCP priority of STelnet packets. The DSCP
priority of STelnet packets sent by the switch is then changed to the configured
value. When network congestion occurs, you can appropriately reduce the DSCP
priority of STelnet packets to ensure proper forwarding of data packets.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 230
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
The priority of this command is higher than that of the set priority dscp
command. If a DSCP value is configured using this command, the configured value
takes effect. If a DSCP value is configured using the set priority dscp command
rather than this command, the value configured using the set priority dscp
command takes effect. If no DSCP value is configured using the preceding
commands, the default DSCP value is used.
When you run the undo ssh { client | server } dscp [ dscp-number ] command:
● If dscp-number is not specified, the DSCP field is restored to the default value.
● If dscp-number is 48, the DSCP field is restored to the default value.
● If dscp-number is set to non-48 value, the value must be the same as ssh
{ client | server } dscp dscp-number command. Otherwise, the command
execution fails.
Precautions
The command only takes effect for IPv4 packets.
Example
# Set the DSCP priority of STelnet packets sent by the client to 40.
<HUAWEI> system-view
[~HUAWEI] ssh client dscp 40
3.6.59 ssh server acl
Function
The ssh server acl command configures the ACL that the SSH server uses to
control the access permission of the SSH client.
The undo ssh server acl command cancels the configured ACL of the SSH server.
By default, no ACL is configured for SSH server.
Format
ssh [ ipv6 ] server acl { acl-number | acl-name }
undo ssh [ ipv6 ] server acl
Parameters
Parameter Description Value
acl-number Specifies the ACL The value is an integer that ranges from 2000
number. to 3999.
acl-name Specifies the ACL The value is a string of 1 to 32 case-sensitive
name. characters except spaces. The value must
start with a letter or digit, and cannot contain
only digits.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 231
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Configure the ACL for the following servers for access control:
● STelnet server: controls which clients can log in to this server through STelnet.
● SFTP server: controls which clients can log in to this server through SFTP.
● SNetconf server: controls which clients can log in to this server through
SNetconf.
Prerequisites
Before running this command, run the acl (system view) in the system view and
run the rule (ACL view) command to configure an ACL.
Precautions
A basic ACL is configured to restrict source addresses and an advanced ACL is
configured to restrict source and destination addresses.
The command ssh server acl { acl-number | acl-name } only takes effect for ipv4
client.
Example
# Configure the ACL numbered 2000 on the SSH server.
<HUAWEI> system-view
[~HUAWEI] acl 2000
[*HUAWEI-acl4-basic-2000] rule permit source 10.10.10.10 0
[*HUAWEI-acl4-basic-2000] quit
[*HUAWEI] ssh server acl 2000
# Configure the ACL named switch on the SSH server.
<HUAWEI> system-view
[~HUAWEI] acl name switch
[*HUAWEI-acl4-advance-switch] rule permit tcp
[*HUAWEI-acl4-advance-switch] quit
[*HUAWEI] ssh server acl switch
3.6.60 ssh server assign
Function
The ssh server assign command assigns a host key or PKI certificate to an SSH
server.
The ssh server assign command deletes the host key or PKI certificate assigned to
an SSH server.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 232
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
By default, no host key or PKI certificate is assigned to an SSH server.
Format
ssh server assign { rsa-host-key | dsa-host-key | ecc-host-key | pki } label-name
undo ssh server assign { rsa-server-key | rsa-host-key | dsa-host-key | ecc-host-
key | pki }
Parameters
Parameter Description Value
rsa-server-key Specifies an RSA server key. -
rsa-host-key Sets the key type to RSA host key. -
dsa-host-key Sets the key type to DSA host key. -
ecc-host-key Sets the key type to ECC host key. -
pki Indicates that a PKI certificate will be -
assigned to an SSH server.
label-name Specifies the name of the key The label name must
assigned to an SSH server. already exist.
If a PKI certificate will be
assigned to an SSH server,
label-name can only be
set to default.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To ensure the security of an SSH server, run the ssh server assign command to
reference the generated RSA, DSA, or ECC key with a label or assign a PKI
certificate to the SSH server.
NOTE
For security purposes, you are advised not to use an RSA key.
Table 3-39 describes the usage scenarios for different authentication modes.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 233
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Table 3-39 Usage scenarios for authentication modes
Authentication Mode Usage Scenario
RSA It is a public key encryption
architecture and an asymmetric
encryption algorithm. Based on the
problem of factoring large numbers,
RSA is mainly used to transmit the
keys of the symmetric encryption
algorithm, which can improve
encryption efficiency and simplify key
management. The server checks
whether the SSH user, public key, and
digital user signature are valid. If all of
them are valid, the user is permitted
access to the server. If any of them is
invalid, the authentication fails and
the user is denied access to the server.
DSA It is the same as RSA authentication in
implementation. The server checks
whether the SSH user, public key, and
digital user signature are valid. If all of
them are valid, the user is permitted
access to the server. If any of them is
invalid, the authentication fails and
the user is denied access to the server.
Compared with RSA authentication,
DSA authentication uses the digital
signature algorithm for encryption and
has a wider application scope.
● Many SSH tools only support DSA
authentication for servers and
clients.
● Based on the latest RFC
recommendation for SSH, DSA
authentication takes precedence
over RSA authentication.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 234
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Authentication Mode Usage Scenario
ECC It is the same as RSA authentication in
implementation. The server checks
whether the SSH user, public key, and
digital user signature are valid. If all of
them are valid, the user is permitted
access to the server. If any of them is
invalid, the authentication fails and
the user is denied access to the server.
Compared with RSA authentication,
ECC authentication has the following
advantages:
● Provides the same security with
shorter key length.
● Features a shorter computing
process and higher processing
speed.
● Requires less storage space.
● Requires lower bandwidth.
Prerequisites
RSA, DSA, or ECC key pair with a label has been generated using the rsa key-pair
label, dsa key-pair label, or ecc key-pair label command before you run this
command.
Configuration Impact
The RSA, DSA, or ECC key pair with a label assigned to the SSH server has a
higher priority than the key pair generated using the rsa local-key-pair create,
dsa local-key-pair create, or ecc local-key-pair create command. If this
command is not configured, the SSH server uses the key pair generated using the
rsa local-key-pair create, dsa local-key-pair create, or ecc local-key-pair create
command for encryption.
Precautions
● After you delete the RSA, DSA, or ECC key pair with a label, the key pair
assigned to the SSH server is deleted simultaneously.
● This command takes effect for both IPv4 and IPv6 SSH servers.
Example
# Assign the ECC host key named ecckey to the SSH server.
<HUAWEI> system-view
[~HUAWEI] ecc key-pair label ecckey
[*HUAWEI] ssh server assign ecc-host-key ecckey
# Assign a PKI certificate to the SSH server.
<HUAWEI> system-view
[~HUAWEI] ssh server assign pki default
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 235
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3.6.61 ssh server authentication-retries
Function
The ssh server authentication-retries command sets the maximum number of
authentication retries for an SSH connection.
The undo ssh server authentication-retries command restores the default
maximum number of authentication retries for an SSH connection.
The default maximum number of authentication retries for an SSH connection is
3.
Format
ssh server authentication-retries times
undo ssh server authentication-retries
Parameters
Parameter Description Value
times Specifies the maximum number of The value is an integer that
authentication retries for an SSH ranges from 1 to 5.
connection.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run this command to configure the maximum number of authentication
retries for an SSH connection, which prevents server overload due to malicious
access. When the number of authentication retries exceeds the maximum number,
the device instructs the remote host to tear down the connection.
Precautions
The configured number of retries takes effect upon the next login.
The total number of RSA, DSA, ECC, and password authentication retries on the
SSH client cannot exceed the maximum number that is set using this command.
This command takes effect for both IPv4 and IPv6 connections.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 236
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Example
# Set the maximum number of times for retrying login authentication to 4.
<HUAWEI> system-view
[~HUAWEI] ssh server authentication-retries 4
3.6.62 ssh server authentication-type keyboard-interactive
enable
Function
The ssh server authentication-type keyboard-interactive enable command
enables keyboard interactive authentication on an SSH server.
The undo ssh server authentication-type keyboard-interactive enable
command disables keyboard interactive authentication on the SSH server.
By default, keyboard interactive authentication is enabled on an SSH server.
Format
ssh server authentication-type keyboard-interactive enable
undo ssh server authentication-type keyboard-interactive enable
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Keyboard interaction authentication is also called password card authentication. If
you need to log in to an SSH server in keyboard interactive authentication mode,
run the ssh server authentication-type keyboard-interactive enable command.
Its function implementation process is as follows: An SSH user enters the user
name to log in to a device. After detecting that the user is a password card
authentication user, the TACACS server sends the user name to the password card
authentication server. The password card authentication server generates a
challenge code based on the user name and sends the challenge code to the
TACACS server. The TACACS server displays the challenge code on the device. The
user enters the user password and the received challenge code in the password
card. The password card computes a challenge response code. The user sends the
challenge response code to the password card authentication server using the
device and TACACS server. The password card authentication server checks
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 237
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
whether the challenge response code is correct and returns the authentication
result to the user.
After this function is enabled, the system prompts the user to enter the challenge
response code.
If you need to log in to the SSH server in password authentication mode, run the
undo ssh server authentication-type keyboard-interactive enable command to
disable keyboard interactive authentication as required.
Example
# Enable keyboard interactive authentication on an SSH server.
<~HUAWEI> system-view
[~HUAWEI] ssh server authentication-type keyboard-interactive enable
3.6.63 ssh server compatible-ssh1x enable
Function
The ssh server compatible-ssh1x enable command enables the earlier version-
compatible function on an SSH server.
The undo ssh server compatible-ssh1x enable command disables the earlier
version-compatible function on the SSH server.
By default, the earlier version-compatible function is disabled on an SSH server.
Format
ssh server compatible-ssh1x enable
undo ssh server compatible-ssh1x enable
Parameters
None
Views
System view
Default Level
3: Management level
Task Name and Operations
Task Name Operations
ssh-server write
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 238
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Usage Guidelines
Scenario
The earlier version-compatible function of an SSH server is applicable to the
protocol version negotiation between the client and server. The client negotiates
the protocol version, by comparing its own protocol version with the received
packet. After a TCP connection is set up between the client and server, the SSH
client starts to negotiate with the server on the protocol version by running which
they can work normally.
By comparing the protocol versions, the server determines whether to work with
the client.
● If the client runs a protocol version that is earlier than 1.3 or later than 2.0,
version negotiation fails and the server terminates the TCP connection with
the client.
● If the client runs a protocol version that is between 1.3 and 1.99 (including
V1.3), the SSH1.5 server module is established when the "compatibility
configuration option" of SSH is SSH1.x-compatible. The system then proceeds
with the SSH1.x process. The server terminates the TCP connection with the
client when the "compatibility configuration option" of SSH is SSH1.x-
incompatible.
● That is 1.99 or 2.0, the SSH2.0 server module is established. The system then
proceeds with the SSH2.0 process.
Precaution
● All the connections from the SSH 1.x client are dropped, if the compatibility
with SSH 1.3 and 1.5 is disabled.
● If the SSH server is enabled to be compatible with earlier SSH versions, the
system prompts a security risk.
● SSHv1 is not secure, and SSHv2 is recommended.
● The configuration takes effect upon the next login.
Example
# Enable the compatibility with SSH 1.x version.
<HUAWEI> system-view
[~HUAWEI] ssh server compatible-ssh1x enable
3.6.64 ssh server cipher
Function
The ssh server cipher command configures an encryption algorithm list for an
SSH server.
The undo ssh server cipher command restores the default encryption algorithm
list of an SSH server.
By default, the encryption algorithms supported by the SSH server are
AES256_GCM, AES128_GCM, AES256_CTR, AES192_CTR and AES128_CTR.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 239
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Format
ssh server cipher { des_cbc | 3des_cbc | aes128_cbc | aes256_cbc | aes128_ctr |
aes256_ctr | arcfour128 | arcfour256 | aes192_cbc | aes192_ctr | aes128_gcm |
aes256_gcm | blowfish_cbc } *
undo ssh server cipher
Parameters
Parameter Description Value
des_cbc Specifies the CBC DES encryption algorithm. -
3des_cbc Specifies the CBC 3DES encryption algorithm. -
aes128_cbc Specifies the CBC AES128 encryption algorithm. -
aes256_cbc Specifies the CBC AES256 encryption algorithm. -
aes128_ctr Specifies the CTR AES128 encryption algorithm. -
aes256_ctr Specifies the CTR AES256 encryption algorithm. -
arcfour128 Specifies the Arcfour128 encryption algorithm. -
arcfour256 Specifies the Arcfour256 encryption algorithm. -
aes192_cbc Specifies the CBC AES192 encryption algorithm. -
aes192_ctr Specifies the CTR AES192 encryption algorithm. -
aes128_gcm Specifies the GCM AES128 encryption algorithm. -
aes256_gcm Specifies the GCM AES256 encryption algorithm. -
blowfish_cbc Specifies the CBC Blowfish encryption algorithm. -
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 240
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
An SSH server and a client need to negotiate an encryption algorithm for the
packets exchanged between them. You can run the ssh server cipher command to
configure an encryption algorithm list for the SSH server. After the list is
configured, the server matches the encryption algorithm list of a client against the
local list after receiving a packet from the client and selects the first encryption
algorithm that matches the local list. If no encryption algorithms in the list of the
client match the local list, the negotiation fails.
Precautions
des_cbc, 3des_cbc, aes128_cbc, aes192_cbc, aes256_cbc, blowfish_cbc, arcfour128,
and arcfour256 are weak encryption algorithms. Therefore, it is not recommended
that these algorithms be added to the encryption algorithm list. For security
purposes, you are advised to use the following strong encryption algorithms:
AES128_CTR, AES256_CTR, AES192_CTR, AES128_GCM and AES256_GCM.
If a device starts with a loaded configuration file (for example, a configuration file
is loaded to the device using ZTP for initial configuration), and no encryption
algorithm list is configured for the SSH server in the configuration file using the
ssh server cipher command, the encryption algorithms supported by the SSH
server are AES256_GCM, AES128_GCM, AES256_CTR, AES192_CTR, AES128_CTR,
AES256_CBC, AES128_CBC and 3DES_CBC.
This command takes effect for both IPv4 and IPv6 SSH servers.
Example
# Configure CTR encryption algorithms for an SSH server.
<HUAWEI> system-view
[~HUAWEI] ssh server cipher aes256_ctr aes128_ctr
3.6.65 ssh server dh-exchange min-len
Function
The ssh server dh-exchange min-len min-len command sets the minimum length
of keys used in Diffie-hellman-group-exchange between the SSH server and client.
The undo ssh server dh-exchange min-len command restores the default
minimum length of keys used in Diffie-hellman-group-exchange between the SSH
server and client.
By default, the minimum supported length of keys used in Diffie-hellman-group-
exchange between the SSH server and client is 2048 bits.
Format
ssh server dh-exchange min-len min-len
undo ssh server dh-exchange min-len
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 241
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Value
min-len Specifies the minimum length of keys The value is an integer that
used in Diffie-hellman-group- can only be 1024 or 2048, in
exchange between the SSH server and bits.
client.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If the SSH client supports the Diffie-hellman-group-exchange key of more than
1024 bits, for security purposes, run the ssh server dh-exchange min-len
command to set the minimum key length to 2048 bits or more.
Precautions
Security risks exist if the minimum length of keys used in Diffie-hellman-group-
exchange is less than 2048 bits. You are advised to set the minimum key length to
2048 bits or more.
When the device loads the configuration file for startup (for example, the device
loads the configuration file using ZTP for initial configuration), and the
configuration file does not contain the ssh server dh-exchange min-len
command configuration, the minimum key length is 1024 bits.
This command applies to both IPv4 and IPv6 SSH servers.
Example
# Set the minimum length of keys used in Diffie-hellman-group-exchange
between the SSH server and client to 2048 bits.
<HUAWEI> system-view
[~HUAWEI] ssh server dh-exchange min-len 2048
3.6.66 ssh server hmac
Function
The ssh server hmac command configures an HMAC authentication algorithm list
for an SSH server.
The undo ssh server hmac command restores the default HMAC authentication
algorithm list of an SSH server.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 242
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
By default, the HMAC authentication algorithms supported by an SSH server are
SHA2_256 and SHA2_512.
Format
ssh server hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 | sha2_256_96 |
sha2_512 } *
undo ssh server hmac
Parameters
Parameter Description Value
md5 Specifies the MD5 HMAC authentication algorithm. -
md5_96 Specifies the MD5_96 HMAC authentication algorithm. -
sha1 Specifies the SHA1 HMAC authentication algorithm. -
sha1_96 Specifies the SHA1_96 HMAC authentication algorithm. -
sha2_256 Specifies the SHA2_256 HMAC authentication algorithm. -
sha2_256_96 Specifies the SHA2_256_96 HMAC authentication -
algorithm.
sha2_512 Specifies the SHA2_512 HMAC authentication algorithm. -
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
An SSH server and a client need to negotiate an HMAC authentication algorithm
for the packets exchanged between them. You can run the ssh server hmac
command to configure an HMAC authentication algorithm list for the SSH server.
After the list is configured, the server matches the list of a client against the local
list after receiving a packet from the client and selects the first HMAC
authentication algorithm that matches the local list. If no HMAC authentication
algorithms in the list of the client match the local list, the negotiation fails.
Precautions
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 243
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
For security purposes, you are advised to use a secure encryption algorithm
(SHA2_256 or SHA2_512.)
If a device starts with a loaded configuration file (for example, a configuration file
is loaded to the device using ZTP for initial configuration), and no HMAC
authentication algorithm list is configured for the SSH server in the configuration
file using the ssh server hmac command, the HMAC authentication algorithms
supported by the SSH server are SHA2_512, SHA2_256_96, SHA2_256, SHA1,
SHA1_96, MD5 and MD5_96.
This command takes effect for both IPv4 and IPv6 SSH servers.
Example
# Configure the SHA2_256 HMAC authentication algorithm for an SSH server.
<HUAWEI> system-view
[~HUAWEI] ssh server hmac sha2_256
3.6.67 ssh server keepalive disable
Function
The ssh server keepalive disable command disables the keepalive function on the
SSH server.
The undo ssh server keepalive disable command enables the keepalive function
on the SSH server.
By default, the keepalive function is enabled on the SSH server.
Format
ssh server keepalive disable
undo ssh server keepalive disable
Parameters
None
Views
System view
Default Level
3: Management level
Usage Guidelines
If the keepalive function is disabled on the SSH server, the server will disconnect
from the SSH client when there is no data exchange, which causes server resource
waste due to reconnections. After the keepalive function is enabled on the SSH
server, the server responds when receiving keepalive packets from the SSH client.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 244
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
If the function is disabled, the SSH server discards the received keepalive packets.
When the SSH client does not receive any keepalive response packet, the client
disconnects from the server.
Example
# Enable the keepalive function on the SSH server.
<HUAWEI> system-view
[~HUAWEI] undo ssh server keepalive disable
3.6.68 ssh server key-exchange
Function
The ssh server key-exchange command configures a key exchange algorithm list
on an SSH server.
The undo ssh server key-exchange command restores the default configuration.
By default, an SSH server supports dh_group_exchange_sha256 key exchange
algorithms.
Format
ssh server key-exchange { dh_group14_sha1 | dh_group1_sha1 |
dh_group_exchange_sha1 | dh_group_exchange_sha256 | ecdh_sha2_nistp256 |
ecdh_sha2_nistp384 | ecdh_sha2_nistp521 | sm2_kep } *
undo ssh server key-exchange
Parameters
Parameter Description Value
dh_group14_sha1 Specifies that the Diffie-hellman-group14- -
sha1 algorithm is contained in the key
exchange algorithm list configured on the
SSH server.
dh_group1_sha1 Specifies that the Diffie-hellman-group1- -
sha1 algorithm is contained in the key
exchange algorithm list configured on the
SSH server.
dh_group_exchange_sha1 Specifies that the Diffie-hellman-group- -
exchange-sha1 algorithm is contained in
the key exchange algorithm list configured
on the SSH server.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 245
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
dh_group_exchange_sha256 Specifies that the Diffie-hellman-group- -
exchange-sha256 algorithm is contained in
the key exchange algorithm list configured
on the SSH server.
ecdh_sha2_nistp256 Specifies that the Elliptic curve Diffie- -
hellman-sha2-nistp256 algorithm is
contained in the key exchange algorithm
list configured on the SSH server.
ecdh_sha2_nistp384 Specifies that the Elliptic curve Diffie- -
hellman-sha2-nistp384 algorithm is
contained in the key exchange algorithm
list configured on the SSH server.
ecdh_sha2_nistp521 Specifies that the Elliptic curve Diffie- -
hellman-sha2-nistp521 algorithm is
contained in the key exchange algorithm
list configured on the SSH server.
sm2_kep Specifies that the SuperMemo 2 Key -
Exchange Protocol algorithm is contained
in the key exchange algorithm list
configured on the SSH server.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
An SSH server and a client need to negotiate a key exchange algorithm for the
packets exchanged between them. You can run the ssh server key-exchange
command to configure a key exchange algorithm list for the SSH server. After the
list is configured, the server matches the key exchange algorithm list of a client
against the local list after receiving a packet from the client and selects the first
key exchange algorithm that matches the local list. If no key exchange algorithms
in the list of the client match the local list, the negotiation fails.
Precautions
For security purposes, the dh_group_exchange_sha256 key exchange algorithm is
recommended.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 246
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
If a device starts with a loaded configuration file (for example, a configuration file
is loaded to the device using ZTP for initial configuration), and the ssh server key-
exchange command configuration does not exist in the configuration file, the SSH
server supports these key exchange algorithms: dh_group_exchange_sha256,
dh_group_exchange_sha1, dh_group14_sha1, dh_group1_sha1,
ecdh_sha2_nistp256, ecdh_sha2_nistp384, ecdh_sha2_nistp521, and sm2_kep.
Example
# Configure key exchange algorithm lists dh_group_exchange_sha256 on the SSH
server.
3.6.69 ssh server login-failed threshold-alarm
Function
The ssh server login-failed threshold-alarm command configures alarm
generation and clearance thresholds for SSH server login failures within a specified
period.
The undo ssh server login-failed threshold-alarm command restores the default
alarm generation and clearance thresholds.
By default, an alarm is generated if the number of login failures reaches 30 within
5 minutes and is cleared if the number of login failures falls below 20 within the
same period.
Format
ssh server login-failed threshold-alarm upper-limit report-times lower-limit
resume-times period period-time
undo ssh server login-failed threshold-alarm [ upper-limit report-times lower-
limit resume-times period period-time ]
Parameters
Parameter Description Value
upper-limit Specifies an The value is an integer ranging from 0 to
report-times alarm generation 100. The default value is 30. If the value is 0,
threshold. no alarms are generated upon SSH server
login failures.
lower-limit Specifies an The value is an integer ranging from 0 to
resume-times alarm clearance report-times and varies with report-times.
threshold. The default value is 20, and the maximum
value is 45. If resume-times is 0, the
function is the same as that when the value
is set to 1, which means that a clear alarm is
generated if no login failures occur.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 247
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
period period- Specifies a The value is an integer ranging from 1 to
time statistics 120, in minutes. The default value is 5. If
collection period. report-times is 0, the period-time value
specified does not take effect.
Views
System view
Default Level
3: Management level
Task Name and Operations
Task Name Operations
ssh-server write
Usage Guidelines
Usage Scenario
To manage frequent SSH server login failures within a specified period, run the ssh
server login-failed threshold-alarm command to configure alarm generation
and clearance thresholds for the login failures.
This command takes effect for both IPv4 and IPv6 SSH servers.
Precautions
The alarm generation threshold specified using report-times must be greater than
or equal to the alarm clearance threshold specified using resume-times.
Example
# Configure the device to generate an alarm when the number of SSH server login
failures within 3 minutes reaches 20 and clear the alarm when the number of SSH
server login failures within 3 minutes is less than 10.
<HUAWEI> system-view
[~HUAWEI] ssh server login-failed threshold-alarm upper-limit 20 lower-limit 10 period 3
3.6.70 ssh server port
Function
The ssh server port command changes the listening port number of the SSH
server.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 248
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
The undo ssh server port command restores the default listening port number of
the SSH server.
The default listening port number of the SSH server is 22.
Format
ssh [ ipv4 | ipv6 ] server port port-number
undo ssh [ ipv4 | ipv6 ] server port
Parameters
Parameter Description Value
ipv4 Specifies the IPv4 server port. -
ipv6 Specifies the IPv6 server port. -
port-number Specifies the listening port number of The value is 22 or an
the SSH server. integer ranging from 1025
to 65535.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Configure the listening port number of the SSH server to prevent from malicious
access to the SSH service standard port and ensure security.
Run ssh server port command can enable both IPv4 and IPv6 SSH server. Run ssh
ipv4 server port command to enable IPv4 SSH server. Run ssh ipv6 server port
command to enable IPv6 SSH server.
Precautions
The SSH client can log in successfully with no port specified only when the server
is listening on port 22. If the server is listening on another port, the port number
must be specified upon login.
Before changing the current port number, disconnect all devices from the port.
After the port number is changed, the server starts to listen on the new port.
Example
# Set the listening port number of the SSH server is 1025.
<HUAWEI> system-view
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 249
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
[~HUAWEI] ssh server port 1025
Warning: The operation will disconnect all online users. Continue? [Y/N]: y
3.6.71 ssh server publickey
Function
The ssh server publickey command enables or disables the public key algorithm
function of the SSH server.
The undo ssh server publickey command restores public key algorithms of the
SSH server to default values.
By default, RSA algorithm is enabled.
Format
ssh server publickey { dsa | ecc | rsa | x509v3-ssh-rsa } *
undo ssh server publickey [ dsa | ecc | rsa | x509v3-ssh-rsa ] *
Parameters
Parameter Description Value
dsa Indicates the DSA algorithm. -
ecc Indicates the ECC algorithm. -
rsa Indicates the RSA algorithm. -
x509v3-ssh-rsa Indicates the x509v3-ssh-rsa algorithm. -
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To allow a public key algorithm and reject other public key algorithms, run the ssh
server publickey command and specify the specific public key algorithm in the
command. For example, after the ssh server publickey dsa command is run, the
DSA algorithm is allowed but other algorithms are not. If this command is run
more than once, the latest configuration overrides the previous one.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 250
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
NOTE
For security purposes, do not use the RSA algorithm with the key length less than 2048
bits..
Precautions
● A public key algorithm can be used for login only after it is enabled on both
the client and server.
● When you run the undo ssh server publickey command with an algorithm
specified, ensure that the algorithm is the same as that configured using the
ssh server publickey command. Alternatively, you run the undo ssh server
publickey command with no algorithm specified. Otherwise, the
configuration restoration function does not take effect.
● If the ssh user authentication-type { password | rsa | dsa | ecc | password-
rsa | password-dsa | password-ecc | all } command is run to configure public
key authentication for SSH users, the involved public key algorithm must be
consistent with that enabled in the ssh server publickey { dsa | ecc | rsa } *
command. Otherwise, device login fails. For example, if the ssh server
publickey ecc command is run, run the ssh user authentication-type { ecc |
password-ecc | all } command to set the authentication type of SSH users to
ECC, password-ECC, or All.
● When a device loads the configuration file for startup (for example, the device
loads the configuration file using ZTP for initial configuration), and the ssh
server publickey command configuration does not exist in the configuration
file, the DSA, ECC, and RSA public key algorithms are enabled.
● This command takes effect for both IPv4 and IPv6 SSH servers.
Example
# Allow using the ECC algorithm and deny other algorithms.
<HUAWEI> system-view
[~HUAWEI] ssh server publickey ecc
# Allow using the x509v3-ssh-rsa algorithm and deny other algorithms.
<HUAWEI> system-view
[~HUAWEI] ssh server publickey x509v3-ssh-rsa
3.6.72 ssh server rekey
Function
The ssh server rekey command sets the criteria that trigger SSH server key re-
negotiation.
The undo ssh server rekey command restores the default values of criteria that
trigger SSH server key re-negotiation.
By default, key re-negotiation is triggered on the SSH server when one of the
following conditions is met:
● The total size of sent and received packets reaches 1000 MB.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 251
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
● The total number of sent and received packets reaches 2147483648.
● The online duration reaches 60 minutes.
Format
ssh server rekey { data-limit data-limit | max-packet max-packet | time
minutes } *
undo ssh server rekey { data-limit [ data-limit ] | max-packet [ max-packet ] |
time [ minutes ] } *
Parameters
Parameter Description Value
data-limit data- Specifies the maximum The value is an integer ranging
limit packet data volume that from 100 to 10000, in MB.
triggers key re-negotiation.
max-packet max- Specifies the maximum The value is an integer ranging
packet number of packets that from 268435456 to
triggers key re-negotiation. 2147483648.
time minutes Specifies the session The value is an integer in the
duration that triggers key range of 30 to 1440, in
re-negotiation. minutes.
Views
System view
Default Level
3: Management level
Task Name and Operations
Task Name Operations
ssh-server write
Usage Guidelines
Usage Scenario
When an SSH session meets one or more of the following criteria, the system re-
negotiates a key and uses the new key to establish SSH session connections,
improving system security.
● The number of interaction packets meets the configured key re-negotiation
criterion.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 252
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
● The accumulated packet data volume meets the configured key re-
negotiation criterion.
● The session duration meets the configured key re-negotiation criterion.
● This command takes effect for both IPv4 and IPv6 SSH clients.
NOTE
A key re-negotiation request is initiated when either the SSH client or server meets the key
re-negotiation criteria, and the other party responds.
Precautions
This command applies only to the SSHv2 protocol.
Example
# Configure key re-negotiation to be triggered on the SSH server when the total
size of sent and received packets reaches 10000 MB, the total number of sent and
received packets reaches 268435456, or the online duration reaches 1440 minutes.
<HUAWEI> system-view
[~HUAWEI] ssh server rekey data-limit 10000 max-packet 268435456 time 1440
3.6.73 ssh server rekey-interval
Function
The ssh server rekey-interval command sets the interval for updating the SSH
server key pair.
The undo ssh server rekey-interval command restores the default interval for
updating the SSH server key pair.
The default interval for updating the SSH server key pair is 0, indicating that the
key pair is never updated.
Format
ssh server rekey-interval hours
undo ssh server rekey-interval
Parameters
Parameter Description Value
hours Specifies the interval for The value is an integer that ranges
updating the server key pair. from 0 to 24, in hours.
Views
System view
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 253
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If the server key pair is not updated for a long time, the key is easy to decrypt and
the server is insecure. After the interval for updating the SSH server key pair is set
using this command, the system will automatically update the key pair at
intervals.
Precautions
● This command applies only to the SSHv1 protocol.
● If the client is connected to the server, the server public key on the client is
not updated immediately. This key is updated only when the client is
reconnected to the server.
Example
# Set the interval for updating the SSH server key pair to 2 hours.
<HUAWEI> system-view
[~HUAWEI] ssh server rekey-interval 2
3.6.74 ssh server security-banner disable
Function
Using the ssh server security-banner disable command, you can disable the risk
prompt function on the SSH server.
Using the undo ssh server security-banner disable command, you can enable
the risk prompt function on the SSH server.
By default, the risk prompt function is enabled on the SSH server.
Format
ssh server security-banner disable
undo ssh server security-banner disable
Parameters
None
Views
System view
Default Level
3: Management level
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 254
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Task Name and Operations
Task Name Operations
ssh-server write
Usage Guidelines
When an SSH client attempts to log in to an SSH server, but the negotiated
algorithm is an insecure one, the SSH server generates a risk warning message
and sends the message to the SSH client. However, if the SSH client cannot parse
this type of message, it fails to interact with the server, leading to a login failure.
To prevent this problem, you can run the ssh server security-banner disable
command to disable the risk warning function triggered by the SSH server when
an insecure algorithm is used between the SSH server and client.
Example
# Disable the risk warning function triggered by an SSH server when an insecure
algorithm is used between the SSH server and client.
<HUAWEI> system-view
[~HUAWEI] ssh server security-banner disable
3.6.75 ssh server timeout
Function
The ssh server timeout command sets the timeout interval for SSH connection
authentication.
The undo ssh server timeout restores the default timeout interval for SSH
connection authentication.
The default timeout interval for SSH connection authentication is 60 seconds.
Format
ssh server timeout seconds
undo ssh server timeout
Parameters
Parameter Description Value
seconds Specifies the timeout interval for The value is an integer ranging
SSH connection authentication. from 1 to 120, in seconds.
Views
System view
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 255
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If you have not logged in successfully at the timeout interval for SSH connection
authentication, the current connection is terminated to ensure security. You can
run the display ssh server command to query the current timeout interval.
Precautions
The setting for the timeout interval takes effect upon next login.
This command takes effect for both IPv4 and IPv6 connections.
Example
# Set the SSH connection authentication timeout interval to 90 seconds.
<HUAWEI> system-view
[~HUAWEI] ssh server timeout 90
3.6.76 ssh server-source
Function
The ssh server-source command specifies a source interface or source IPv6
address for an SSH server.
The undo ssh server-source command cancels the specified source interface or
source IPv6 address of an SSH server.
By default, no source interface or source IPv6 address is specified for an SSH
server.
Format
ssh server-source -i interface-type interface-number
undo ssh server-source -i interface-type interface-number
ssh ipv6 server-source -a ipv6-address [ -vpn-instance vpn-instance-name ]
undo ssh ipv6 server-source -a ipv6-address [ -vpn-instance vpn-instance-
name ]
ssh server-source all-interface
undo ssh server-source all-interface
ssh ipv6 server-source all-interface
undo ssh ipv6 server-source all-interface
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 256
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Value
-i interface-typeSpecifies the source You can enter a question mark (?)
interface-number interface for an SSH and select a value from the
server. displayed value range.
-a ipv6-address Specifies the source The value contains 128 bits, which
IPv6 address for an SSH are divided into eight groups. Each
server. group contains 4 hexadecimal
numbers. The groups are separated
by colons (:), in the format of
X:X:X:X:X:X:X:X.
ipv6 Specifies an SSH IPv6 -
server.
-vpn-instance Specifies the name of a The value is a string of 1 to 31
vpn-instance- VPN instance. case-sensitive characters except
name spaces. When double quotation
marks are used to include the
string, spaces are allowed in the
string. The value _public_ is reserved
and cannot be used as the VPN
instance name.
all-interface Indicates that all the -
interfaces having IP
addresses configured
are used as the source
interface of the SSH
server.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
An SSH server receives login requests from all interfaces and addresses, leading to
low system security. To improve system security, you can run the ssh server-
source command to specify a source interface or source IPv6 address for the SSH
server. Then only authorized users can log in to the SSH server.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 257
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
● If only the ssh server-source -i or ssh ipv6 server-source -a command is
executed, the specified interface is used as the source interface.
● If only the ssh server-source all-interface or ssh ipv6 server-source all-
interface command is configured, all valid interfaces on the device are used
as the source interface, including physical interfaces that have IP addresses
configured and logical interfaces that are created and have IP addresses
configured.
● If both the ssh server-source -i and ssh server-source all-interface
commands are executed, the interface specified in the ssh server-source -i
command is preferred as the source interface of the SSH server.
● If both the ssh ipv6 server-source -a and ssh ipv6 server-source all-
interface commands are executed, the interface with the IPv6 address
specified in the ssh ipv6 server-source -a command is preferred as the source
interface of the SSH server.
● The ssh server-source -i interface-type interface-number and ssh server-
source all-interface commands take effect only in IPv4.
● If the ssh server-source command is not executed to specify the source
interface, users cannot access the network using SSH.
Prerequisites
A logical interface must have been created before you specify it as the source
interface of an SSH server. Otherwise, the ssh server-source command cannot be
executed successfully.
Before specifying a VPN instance for an SSH server, ensure that a VPN has been
created. Otherwise, the ssh server-source command cannot be executed
successfully.
Configuration Impact
After a source interface or source IPv6 address is specified for an SSH server, the
system allows SFTP, STelnet, SCP, and SNETCONF users to log in to the server only
through the specified source interface or source IPv6 address, and denies access of
SFTP, STelnet, SCP, and SNETCONF users who log in through other interfaces. This
configuration affects only the SFTP, STelnet, SCP, and SNETCONF users who
attempt to log in to the SSH server.
Precautions
● After you specify a source interface or source IPv6 address for an SSH server,
ensure that SFTP, STelnet, SCP, and SNETCONF users can communicate with
the specified source interface at Layer 3 so that authorized SFTP, STelnet, SCP,
and SNETCONF users can successfully log in to the SSH server.
● The configuration takes effect upon the next login. The system will prompt
you to determine whether to continue the operation.
● If the specified source interface is bound to a VPN instance, the SSH server is
also bound to the VPN instance.
● If the specified source interface is bound to the VPN instance vpn1 and the
VPN instance vpn2 is configured using the ssh ipv6 server-source -a ipv6-
address [ -vpn-instance vpn-instance-name ] command, the VPN instance
vpn1 bound to the source interface will be used for IPv4 users, and the VPN
instance vpn2 configured using the ssh ipv6 server-source command will be
used for IPv6 users.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 258
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
● After a bound VPN instance is deleted, the VPN configuration specified using
the ssh server-source command will not be cleared and does not take effect.
In this case, the SSH server uses a public IP address. If the VPN instance with
the same name as the deleted one is reconfigured, the VPN function will be
restored.
● After the bound source interface is deleted, the interface configuration in the
ssh server-source command will not be deleted and does not take effect.
After the source interface with the same name is reconfigured, the function
will be restored.
● For an IPv6 SSH server, you can run the ssh ipv6 server-source -a ipv6-
address [ -vpn-instance vpn-instance-name ] command to configure a user
to log in to the server through a specified IPv6 source address.
● After the ssh server-source all-interface command is run, no source interface
will be specified for the SSH server. Users can log in to the SSH server from all
valid interfaces, which increases system security risks. Therefore, you are
advised to cancel the command configuration.
Example
# Specify Loopback0 as the source interface of the SSH server.
<HUAWEI> system-view
[~HUAWEI] interface loopback 0
[*HUAWEI-LoopBack0] ip address 10.1.1.1 24
[*HUAWEI-LoopBack0] quit
[*HUAWEI] ssh server-source -i loopback 0
Warning: SSH server source configuration will take effect in the next login. Do you want to continue? [Y/
N]:y
# Set the source IPv6 address of the SSH server to 2001:db8::1 and the VPN
instance name to vpn1.
<HUAWEI> system-view
[~HUAWEI] ip vpn-instance vpn1
[*HUAWEI-vpn-instance-vpn1] ipv6-family
[*HUAWEI-vpn-instance-vpn1-af-ipv6] commit
[~HUAWEI-vpn-instance-vpn1-af-ipv6] quit
[~HUAWEI-vpn-instance-vpn1] quit
[~HUAWEI] ssh ipv6 server-source -a 2001:db8::1 -vpn-instance vpn1
Warning: SSH server source configuration will take effect in the next login. Do you want to continue? [Y/
N]:y
# Specify all IPv4 interfaces on the device as the source interface of the SSH
server.
<HUAWEI> system-view
[~HUAWEI] ssh server-source all-interface
Warning: SSH server source configuration will take effect in the next login. Do you want to continue? [Y/
N]:y
# Specify all IPv6 interfaces on the device as the source interface of the SSH
server.
<HUAWEI> system-view
[~HUAWEI] ssh ipv6 server-source all-interface
Warning: SSH server source configuration will take effect in the next login. Do you want to continue? [Y/
N]:y
3.6.77 ssh user
Function
The ssh user command creates an SSH user.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 259
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
The undo ssh user command deletes an SSH user.
By default, no ssh user is created.
Format
ssh user user-name
undo ssh user [ user-name ]
Parameters
Parameter Description Value
user-name Specifies the name of The name is a string of 1 to 253 case-
an SSH user. insensitive characters without spaces.
NOTE
When quotation marks are used around the string,
spaces are allowed in the string.
Views
System view
Default Level
3: Management level
Task Name and Operations
Task Name Operations
ssh-server write
Usage Guidelines
You can create a user using either of the following methods:
● Run the ssh user command.
● After the ssh user authentication-type, ssh user service-type, and ssh user
sftp-directory command are run, the system automatically create a user
named user-name if the system detects that the user named user-name does
not exist.
Example
# Create an SSH user named testuser.
<HUAWEI> system-view
[~HUAWEI] ssh user testuser
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 260
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3.6.78 ssh user assign
Function
The ssh user assign command assigns an existing public key to a user.
The undo ssh user assign command deletes the mapping between the user and
public key.
By default, no public key is assigned to a user.
Format
ssh user user-name assign { rsa-key | dsa-key | ecc-key } key-name
undo ssh user user-name assign { rsa-key | dsa-key | ecc-key }
Parameters
Parameter Description Value
user-name Specifies the SSH user name. The SSH must already exist.
rsa-key Specifies the RSA public key. -
dsa-key Specifies the DSA public key. -
ecc-key Specifies the ECC public key. -
key-name Specifies the client public key name. The public key name must
already exist.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When an SSH client needs to log in to the SSH server in RSA, DSA, or ECC mode,
run this command to assign a public key to the client. If the client has been
assigned keys, the latest assigned key takes effect.
NOTICE
For security purposes, it is not recommended that you use RSA as the public key.
Precautions
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 261
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
The newly configured public key takes effect upon next login.
If the user named user-name to whom a public key is assigned does not exist, the
system automatically creates an SSH user named user-name and performs the
configured authentication for the SSH user.
Example
# Assign key1 to a user named John.
<HUAWEI> system-view
[~HUAWEI] ssh user john assign rsa-key key1
3.6.79 ssh user assign pki
Function
The ssh user assign pki command binds a PKI certificate to an SSH user.
The undo ssh user assign pki command unbinds a PKI certificate from an SSH
user.
By default, no PKI certificate is bound to an SSH user.
Format
ssh user user-name assign pki pki-name
undo ssh user assign pki
Parameters
Parameter Description Value
user-name Specifies an SSH user The value is a string of 1 to 253 case-
name. sensitive characters without spaces.
NOTE
If the string is enclosed in double quotation
marks (" "), the string can contain spaces.
pki-name Specifies the name of The value is a string of 1 to 35 case-
the PKI certificate to be sensitive characters without spaces.
bound to an SSH user. Currently, only the PKI certificate in the
default PKI realm can be bound to an SSH
user.
Views
System view
Default Level
3: Management level
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 262
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Usage Guidelines
When x509v3-ssh-rsa authentication is used for user authentication, you need to
bind a PKI certificate to an SSH server and SSH user. To provide secure
environment for user logins, run the ssh user assign pki command to bind a PKI
certificate to the SSH user.
Example
# Bind the PKI certificate in the PKI realm named default to the SSH user
root@123.
<HUAWEI> system-view
[~HUAWEI] ssh user root@123 assign pki default
3.6.80 ssh user authentication-type
Function
The ssh user authentication-type command configures the authentication mode
for an SSH user.
The undo ssh user authentication-type command deletes the configured
authentication mode.
By default, no authentication mode is configured for an SSH user.
Format
ssh user user-name authentication-type { password | rsa | password-rsa | dsa |
password-dsa | ecc | password-ecc | x509v3-rsa | password-x509v3-rsa | all }
undo ssh user user-name authentication-type
Parameters
Parameter Description Value
user-name Specifies an SSH user name. The SSH must
already exist.
password Specifies the password authentication -
mode.
rsa Specifies the RSA authentication mode. -
NOTE
To ensure high security, do not use the RSA
algorithm whose length is less than 2048 digits
as the authentication type for the SSH user.
password-rsa Specifies the password and RSA -
authentication mode.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 263
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
dsa Specifies the DSA authentication mode. -
password-dsa Specifies the password and DSA -
authentication mode.
ecc Specifies the ECC authentication mode. -
password-ecc Specifies the password and ECC -
authentication mode.
x509v3-rsa Specifies the x509v3-ssh-rsa authentication -
mode for SSH users.
password-x509v3- Specifies the password and x509v3-ssh-rsa -
rsa authentication modes.
all Specifies the password, ECC, DSA, x509v3- -
ssh-rsa, or RSA authentication mode.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When you configure the authentication mode for an SSH user, the system
automatically creates an SSH user named user-name if the user-name user does
not exist.
NOTICE
For security purposes, you are advised not use the RSA algorithm whose length is
less than 2048 digits as the authentication type for the SSH user.
Table 3-40 describes the usage scenarios for different authentication modes.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 264
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Table 3-40 Usage scenarios for authentication modes
Authentication Mode Usage Scenario
RSA It is a public key encryption
architecture and an asymmetric
encryption algorithm. Based on the
problem of factoring large numbers,
RSA is mainly used to transmit the
keys of the symmetric encryption
algorithm, which can improve
encryption efficiency and simplify key
management. The server checks
whether the SSH user, public key, and
digital user signature are valid. If all of
them are valid, the user is permitted
access to the server. If any of them is
invalid, the authentication fails and
the user is denied access to the server.
DSA It is the same as RSA authentication in
implementation. The server checks
whether the SSH user, public key, and
digital user signature are valid. If all of
them are valid, the user is permitted
access to the server. If any of them is
invalid, the authentication fails and
the user is denied access to the server.
Compared with RSA authentication,
DSA authentication uses the digital
signature algorithm for encryption and
has a wider application scope.
● Many SSH tools only support DSA
authentication for servers and
clients.
● Based on the latest RFC
recommendation for SSH, DSA
authentication takes precedence
over RSA authentication.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 265
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Authentication Mode Usage Scenario
ECC It is the same as RSA authentication in
implementation. The server checks
whether the SSH user, public key, and
digital user signature are valid. If all of
them are valid, the user is permitted
access to the server. If any of them is
invalid, the authentication fails and
the user is denied access to the server.
Compared with RSA authentication,
ECC authentication has the following
advantages:
● Provides the same security with
shorter key length.
● Features a shorter computing
process and higher processing
speed.
● Requires less storage space.
● Requires lower bandwidth.
password On the server, the AAA module assigns
each authorized user a password for
login. The server has the mapping
between user names and passwords.
When a user requests to access the
server, the server authenticates the
user name and password. If either of
them fails to be authenticated, the
access request of the user is denied.
The account information of users who
are configured with the password
authentication mode can be
configured on devices or remote
authentication servers (for example,
RADIUS servers).
password-rsa, password-dsa, The SSH server authenticates a client
password-x509v3-rsa, and password- by checking both the public key and
ecc password. The client can be
authenticated only when both the
public key and password meet
requirements.
x509v3-ssh-rsa x509v3-ssh-rsa authentication is a PKI
certificate authentication mode, which
features better scalability and higher
security.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 266
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Authentication Mode Usage Scenario
all In this authentication mode, the SSH
server authenticates a client by
checking the public key or password.
The client can be authenticated when
either the public key or password
meets the requirement.
Precautions
A new SSH user cannot log in to the SSH server unless being configured with an
authentication mode. The newly configured authentication mode takes effect
upon next login.
Example
# Set the authentication mode to password authentication for the SSH user john.
<HUAWEI> system-view
[~HUAWEI] ssh user john authentication-type password
# Set the authentication mode to ECC authentication for the SSH user
ssh_user1@dom1.
<HUAWEI> system-view
[~HUAWEI] ssh user ssh_user1@dom1 authentication-type ecc
# Set the authentication mode to x509v3-ssh-rsa for the SSH user
ssh_user1@dom1
<HUAWEI> system-view
[~HUAWEI] ssh user ssh_user1@dom1 authentication-type x509v3-rsa
3.6.81 ssh user service-type
Function
The ssh user service-type command configures the service type for an SSH user.
The undo ssh user service-type command restores the default service type for an
SSH user.
By default, no service type is configured for an SSH user.
Format
ssh user user-name service-type { { sftp | stelnet | snetconf } * | all }
undo ssh user user-name service-type
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 267
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Value
user-name Specifies the SSH user name. The SSH must
already exist.
sftp Specifies the SFTP service type. -
stelnet Specifies the STelnet service type. -
snetconf Specifies the SNetconf service type. -
all Specifies that SFTP, STelnet, or SNETCONF -
can be used as the service mode.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run this command to determine the service type for connecting to devices.
If the user-name user does not exist, the system creates an SSH user named user-
name and uses the configured service type for the SSH user.
Precautions
If the SFTP service type is configured for an SSH user, you need to set the
authorized directory for the user. By default, the SFTP service authorized directory
is flash: for the SSH user. You can run the ssh user sftp-directory command to set
the authorized directory.
If you run the ssh user user-name service-type sftp stelnet snetconf command,
the ssh user user-name service-type all command is saved in the configuration
file.
Example
# Configure the service type for SSH users.
<HUAWEI> system-view
[~HUAWEI] ssh user john service-type all
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 268
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3.6.82 stelnet
Function
The stelnet command enables you to use the STelnet protocol to log in to another
device from the current device.
Format
# IPv4 address
stelnet [ -a source-ip-address | -i interface-type interface-number ] [ -force-
receive-pubkey ] host-ip [ port-number ] [ [ -vpn-instance vpn-instance-name ] |
[ prefer_kex kex-type ] | [ prefer_ctos_cipher cipher-type ] | [ prefer_stoc_cipher
cipher-type ] | [ prefer_ctos_hmac hmac-type ] | [ prefer_stoc_hmac hmac-type ]
| [ prefer_ctos_compress compress-type ] | [ prefer_stoc_compress compress-
type ] | [ -ki aliveinterval ] | [ -kc alivecountmax ] | [ identity-key { dsa | ecc | rsa
| pki } ] | [ user-identity-key { dsa | ecc | rsa | pki } ] ] *
# IPv6 address
stelnet ipv6 [ -a source-ip-address ] [ -force-receive-pubkey ] host-ipv6 [ [ -vpn-
instance vpn-instance-name ] | [ -oi interface-type interface-number ] | [ port-
number ] | [ prefer_kex kex-type ] | [ prefer_ctos_cipher cipher-type ] |
[ prefer_stoc_cipher cipher-type ] | [ prefer_ctos_hmac hmac-type ] |
[ prefer_stoc_hmac hmac-type ] | [ prefer_ctos_compress compress-type ] |
[ prefer_stoc_compress compress-type ] | [ -ki aliveinterval ] | [ -kc
alivecountmax ] | [ identity-key { dsa | ecc | rsa | pki } ] | [ user-identity-key
{ dsa | ecc | rsa | pki } ] ] *
Parameters
Parameter Description Value
-a source-ip-address Specifies the STelnet -
source IP address.
-i interface-type Specifies the STelnet -
interface-number source interface.
If the source interface
is specified using -i
interface-type
interface-number, the
-vpn-instance vpn-
instance-name
parameter is not
supported.
-force-receive-pubkey Indicates that a server -
forcibly receives public
key authentication.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 269
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
host-ip Specifies the IP The IPv4 STelnet must already
address or host name exist.
of the remote IPv4
STelnet server.
host-ipv6 Specifies the IPv6 The IPv6 STelnet must already
address or host name exist.
of the remote IPv6
STelnet server.
-oi interface-type Specifies the If the IPv6 address of the
interface-number outbound interface on remote host is linked to a
the local device. local address, the outbound
interface must be specified.
port-number Specifies the port The value is an integer that
number that the SSH ranges from 1 to 65535. The
server is listening on. default value 22 is the
standard port number.
prefer_kex kex-type Specifies the preferred The key exchange algorithms
key exchange include:
algorithm. ● dh-exchange-group-
sha256
● ecdh-sha2-nistp256
● ecdh-sha2-nistp384
● ecdh-sha2-nistp521
● sm2_kep
The default key exchange
algorithm is sm2_kep, ecdh-
sha2-nistp521, ecdh-sha2-
nistp384, ecdh-sha2-nistp256,
dh-exchange-group-sha256.
NOTE
When the public key algorithm
on the server is ecc, the sm2_kep
algorithm is preferred.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 270
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
prefer_ctos_cipher Specifies the preferred The encryption algorithms
cipher-type encryption algorithm include:
from the client to the ● 3des
server.
● aes128
● aes256
● arcfour128
● arcfour256
● aes128_ctr
● aes256_ctr
● aes128_gcm
● aes256_gcm
● aes192_ctr
The default encryption
algorithm is aes256_ctr.
NOTE
Encryption algorithms supported
depend on the ssh client cipher
command configured by the
user.
You are advised to use
aes128_ctr, aes256_ctr,
aes128_gcm, aes256_gcm, and
aes192_ctr encryption
algorithms to ensure high
security.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 271
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
prefer_stoc_cipher Specifies the preferred The encryption algorithms
cipher-type encryption algorithm include:
from the server to the ● 3des
client.
● aes128
● aes256
● arcfour128
● arcfour256
● aes128_ctr
● aes256_ctr
● aes128_gcm
● aes256_gcm
● aes192_ctr
The default encryption
algorithm is aes256_ctr.
NOTE
Encryption algorithms supported
depend on the ssh client cipher
command configured by the
user.
You are advised to use
aes128_ctr, aes256_ctr,
aes128_gcm, aes256_gcm, and
aes192_ctr encryption
algorithms to ensure high
security.
prefer_ctos_hmac hmac- Specifies the preferred The HMAC algorithms
type HMAC algorithm from include:
the client to the ● md5
server.
● md5_96
● sha1
● sha1_96
● sha2_256
● sha2_256_96
● sha2_512
The default HMAC algorithm
is sha2_256.
NOTE
HMAC algorithm supported
depend on the ssh client hmac
command configured by the
user.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 272
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
prefer_stoc_hmac hmac- Specifies the preferred The HMAC algorithms
type HMAC algorithm from include:
the server to the ● md5
client.
● md5_96
● sha1
● sha1_96
● sha2_256
● sha2_256_96
● sha2_512
The default HMAC algorithm
is sha2_256.
NOTE
HMAC algorithm supported
depend on the ssh client hmac
command configured by the
user.
prefer_ctos_compress Specifies the preferred The value of this parameter
compress-type compression can only be set to zlib in the
algorithm from the current version.
client to the server.
prefer_stoc_compress Specifies the preferred The value of this parameter
compress-type compression can only be set to zlib in the
algorithm from the current version.
server to the client.
-vpn-instance vpn- Specifies the name of The VPN must already exist.
instance-name the VPN instance.
-ki aliveinterval Specifies the interval The value is an integer that
for sending keepalive ranges from 1 to 3600, in
packets when no seconds.
packet is received.
-kc alivecountmax Specifies the number The value is an integer that
of times for no reply ranges from 1 to 30. The
of keepalive packets. default value is 3.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 273
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
identity-key Specifies the public The public key algorithm can
key algorithm for the be one of the following:
authentication on the
server. ● dsa
● ecc
● rsa
● pki
The default public key
algorithm is ecc.
NOTE
Public key algorithm supported
depend on the ssh client
publickey command configured
by the user.
user-identity-key Indicates the public The public key algorithm can
key for the user be one of the following:
authentication.
● dsa
● ecc
● rsa
● pki
The default public key
algorithm is ecc.
NOTE
Public key algorithm supported
depend on the ssh client
publickey command configured
by the user.
Views
User view, System view
Default Level
0: Visit level
Usage Guidelines
Usage Scenario
Logins through Telnet bring security risks because Telnet does not provide any
authentication mechanism and data is transmitted using TCP in plain text.
Compared with Telnet, SSH guarantees secure file transfer on a traditional
insecure network by authenticating clients and encrypting data in bidirectional
mode. The SSH protocol supports STelnet. You can run this command to use
STelnet to log in to another device from the current device.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 274
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
STelnet is a secure Telnet service. SSH users can use the STelnet service in the
same way as the Telnet service.
When a fault occurs in the connection between the client and server, the client
needs to detect the fault in real time and proactively release the connection. You
need to set the interval for sending keepalive packets and the maximum number
of times on the client that logs in to the server through STelnet.
● Interval for sending keepalive packets: If a client does not receive any packet
within the specified interval, the client sends a keepalive packet to the server.
● Maximum number of times the server has no response: If the number of
times that the server does not respond exceeds the specified value, the client
proactively releases the connection.
Precautions
● Enable the STelnet service on the SSH server by stelnet server enable
command, before connecting the SSH server by using the STelnet command.
● The SSH client can log in to the SSH server with no port specified only when
the server is listening on port 22. If the server is listening on another port, the
port number must be specified upon login.
Example
# Set keepalive parameters when the client logs in to the server through STelnet.
<HUAWEI> stelnet 10.164.39.209 -ki 10 -kc 4
# Remotely connect to the STelnet server that uses an IPv6 address.
<HUAWEI> stelnet ipv6 2001:db8:1::1 prefer_ctos_cipher aes128
3.6.83 stelnet server enable
Function
The stelnet server enable command enables the STelnet service on the SSH
server.
The undo stelnet server enable command disables the STelnet service on the
SSH server.
By default, the STelnet service is disabled on the SSH server.
Format
stelnet [ ipv4 | ipv6 ] server enable
undo stelnet [ ipv4 | ipv6 ] server enable
Parameters
Parameter Description Value
ipv4 Specifies IPv4 server. -
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 275
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
ipv6 Specifies IPv6 server. -
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To connect a client to the SSH server through STelnet, you must enable the
STelnet service on the SSH server.
Run the command stelnet server enable can enable both IPv4 and IPv6 STelnet
server. Run stelnet ipv4 server enable command to enable IPv4 STelnet server.
Run stelnet ipv6 server enable command to enable IPv6 STelnet server.
Precautions
After you disable the STelnet service on the SSH server, all clients that have logged
in through STelnet are disconnected.
In V200R002C50 and V200R003C00, you can run the stelnet [ ipv4 | ipv6 ] server
enable command to enable the STELNET function. If the current version is
downgraded to V200R001C00 or an earlier version, this configuration will be lost,
so you need to run the stelnet server enable command again. In V200R005C00,
you can run the stelnet ipv4 server enable command to enable the IPv4 STELNET
function, or run the stelnet ipv6 server enable command to enable the IPv6
STELNET function (IPv4 STELNET and IPv6 STELNET functions are not enabled
simultaneously). If the current version is downgraded to V200R001C00 or an
earlier version, this configuration will be lost, so you need to run the stelnet
server enable command again.
Example
# Enable the STelnet service.
<HUAWEI> system-view
[~HUAWEI] stelnet server enable
3.6.84 telnet
Function
The telnet command enables a user to log in to another device from the current
device through Telnet.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 276
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Format
# Log in to another device from the current device through Telnet based on IPv4.
telnet [ -i { interface-type interface-number | interface-name } | [ vpn-instance
vpn-instance-name ] [ -a source-ip-address ] ] host-ip [ port-number ]
# Log in to another device from the current device through Telnet based on IPv6.
telnet ipv6 [ public-net | vpn-instance vpn-instance-name ] host-ipv6 [ -oi
interface-type interface-number ] [ port-number ]
Parameters
Parameter Description Value
vpn-instance Specifies the name of the VPN The VPN must exist.
vpn-instance- instance to which the device to be
name logged in through Telnet belongs.
If vpn-instance vpn-instance-name is
used to specify a VPN instance, the -i
interface-type interface-number
parameter is not supported.
-a source-ip- Specifies a source IP address used by a -
address user to communicate with the server
for security purposes. If no source
address is specified, the system uses
the IP address of a local outbound
interface to initiate a Telnet
connection.
-i interface-typeSpecifies the source interface type and -
interface-number number on the local device.
host-ip Specifies the IPv4 address or host The IPv4 address or
name of the remote device. host name must exist.
public-net Indicates access to a public network. -
host-ipv6 Specifies the IPv6 address or host The IPv6 address or
name of the remote device. host name must exist.
-oi interface-type Specifies an outbound interface on If the IPv6 address of
interface-number the local device. a remote host is a
link-local address,
you must specify the
outbound interface
on the local device.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 277
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
port-number Specifies the TCP port number used by The value is an
the remote device that functions as integer in the range
the Telnet server. from 1 to 65535, and
the default value is
23.
Views
User view
Default Level
0: Visit level
Usage Guidelines
Usage Scenario
If one or more devices need to be configured and managed, you do not need to
connect your terminal to each of the devices for local maintenance. If you have
obtained the IP address of a device, run the telnet command to log in to the
device from your terminal through Telnet to remotely configure the device. This
method allows you to maintain multiple devices using a single user terminal,
greatly facilitating operations.
During the connection process, you can press Ctrl+K to terminate the connection
between the local and remote devices.
Prerequisites
The user terminal communicates with the remote device using their IP addresses
and the Telnet server function is enabled on the remote device.
Precautions
● Before you run the telnet command to connect to the Telnet server, the
Telnet client and server must be able to communicate at Layer 3 and the
Telnet service must be enabled on the Telnet server.
● A Telnet login may bring security risks because Telnet does not provide any
secure authentication mechanism and data is transmitted using TCP in plain
text. STelnet is recommended for networks that require high security.
Example
# Establish a Telnet connection with a remote device.
<HUAWEI> telnet 192.168.1.6
# Use an IPv6 address to establish a Telnet connection with a remote device.
<HUAWEI> telnet ipv6 fc00:0:0:11::158
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 278
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3.6.85 telnet client source
Function
The telnet client source command specifies a source IP address and source
interface for a Telnet client.
The undo telnet client source command restores the default configuration.
By default, the source IP address of a Telnet client is 0.0.0.0, and there is no source
interface.
Format
telnet client source { -a source-ip-address | -i interface-type interface-number }
undo telnet client source
Parameters
Parameter Description Value
-a source-ip-address Specifies the IPv4 address of the local -
switch.
-i interface-type interface- Specifies the outbound interface of -
number the local switch.
Views
System view
Default Level
3: Management level
Usage Guidelines
If no source IP address is specified in the telnet command, the source IP address
specified using the telnet client source command is used. If a source IP address is
specified in the telnet command, the specified source IP address is used. Check
the current Telnet connection on the server. The displayed IP address is the
specified source IP address or the primary IP address of the specified interface.
After the bound source interface is deleted, the interface configuration in the ssh
server-source command will not be deleted and does not take effect. After the
source interface with the same name is reconfigured, the function will be restored.
If the specified source interface is bound to a VPN instance, the client is also
bound to the VPN instance.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 279
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Example
# Set the source IP address of the Telnet client to 10.1.1.1.
<HUAWEI> system-view
[~HUAWEI] telnet client source -a 10.1.1.1
3.6.86 telnet dscp
Function
The telnet dscp command sets the DSCP priority of Telnet packets.
The undo telnet dscp command restores the default setting.
By default, the DSCP priority of Telnet packets is 48.
Format
telnet { client | server } dscp dscp-number
undo telnet { client | server } dscp [ dscp-number ]
Parameters
Parameter Description Value
client Specifies the Telnet client. -
server Specifies the Telnet server. -
dscp-number Specifies the DSCP priority. The value is an integer that ranges
from 0 to 63. A greater DSCP value
indicates a higher priority.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run this command to set the DSCP priority of Telnet packets. The DSCP
priority of Telnet packets sent by the switch is then changed to the configured
value. When network congestion occurs, you can appropriately reduce the DSCP
priority of Telnet packets to ensure proper forwarding of data packets.
The priority of this command is higher than that of the set priority dscp
command. If a DSCP value is configured using this command, the configured value
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 280
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
takes effect. If a DSCP value is configured using the set priority dscp command
rather than this command, the value configured using the set priority dscp
command takes effect. If no DSCP value is configured using the preceding
commands, the default DSCP value is used.
When you run the undo telnet { client | server } dscp [ dscp-number ] command:
● If dscp-number is not specified, the DSCP field is restored to the default value.
● If dscp-number is 48, the DSCP field is restored to the default value.
● If dscp-number is set to non-48 value, the value must be the same as telnet
{ client | server } dscp dscp-number command. Otherwise, the command
execution fails.
Precautions
The command only takes effect for IPv4 packets.
Example
# Set the DSCP priority of Telnet packets sent by the client to 40.
<HUAWEI> system-view
[~HUAWEI] telnet client dscp 40
3.6.87 telnet server acl
Function
The telnet server acl command configures the ACL to control the access of clients
to the Telnet server.
The undo telnet server acl command cancels the configuration of the ACL.
By default, no ACL is configured for Telnet server.
Format
telnet [ ipv6 ] server acl { acl-number | acl-name }
undo telnet [ ipv6 ] server acl
Parameters
Parameter Description Value
ipv6 Specifies a Telnet IPv6 -
server.
acl-number Specifies the basic ACL The value is an integer that ranges from
number. 2000 to 3999.
acl-name Specifies the ACL name. The value is a string of 1 to 32 case-
sensitive characters except spaces. The
value must start with a letter or digit, and
cannot contain only digits.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 281
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When a device functions as the Telnet server, you can configure the ACL on the
device to control the login of the clients to the device.
Prerequisites
Before running this command, run the acl (system view) in the system view and
run the rule (ACL view) command to configure an ACL.
Precautions
● If no rule is configured, the incoming and outgoing calls are not restricted
after the command telnet server acl is run.
● A basic ACL is configured to restrict source addresses and an advanced ACL is
configured to restrict source and destination addresses.
● If the access control right for a network segment is permit or deny, the access
control right for the other network segments is deny. For example, if an ACL
allows access from clients on a network segment, clients on the other
network segments cannot log in to the device. If an ACL rejects access from
clients on a network segment, clients on all the network segments cannot log
in to the device by default.
● The command telnet server acl { acl-number | acl-name } takes effect for
ipv4 function.
Example
# Configure the ACL numbered 2000 on the Telnet server.
<HUAWEI> system-view
[~HUAWEI] acl 2000
[*HUAWEI-acl4-basic-2000] rule permit source 10.1.1.1 0
[*HUAWEI-acl4-basic-2000] quit
[*HUAWEI] telnet server acl 2000
# Configure the ACL named switch on the Telnet server.
<HUAWEI> system-view
[~HUAWEI] acl name switch
[*HUAWEI-acl4-advance-switch] rule permit tcp
[*HUAWEI-acl4-advance-switch] quit
[*HUAWEI] telnet server acl switch
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 282
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3.6.88 telnet server login-failed threshold-alarm
Function
The telnet server login-failed threshold-alarm command configures alarm
generation and clearance thresholds for Telnet server login failures within a
specified period.
The undo telnet server login-failed threshold-alarm command restores the
default alarm generation and clearance thresholds.
By default, an alarm is generated if the number of login failures reaches 30 within
5 minutes and is cleared if the number of login failures falls below 20 within the
same period.
Format
telnet server login-failed threshold-alarm upper-limit report-times lower-limit
resume-times period period-time
undo telnet server login-failed threshold-alarm [ upper-limit report-times
lower-limit resume-times period period-time ]
Parameters
Parameter Description Value
upper-limit Specifies an The value is an integer ranging from 0 to
report-times alarm generation 100. The default value is 30. If the value is
threshold. 0, no alarms are generated upon Telnet
server login failures.
lower-limit Specifies an The value is an integer ranging from 0 to
resume-times alarm clearance report-times. It varies with report-times. The
threshold. default value is 20, and the maximum value
is 45. If resume-times is 0, it functions the
same as the value is set to 1, which means
that a clear alarm is generated if no login
failures occur.
period period- Specifies a The value is an integer ranging from 1 to
time statistics 120, in minutes. The default value is 5. If
collection period. report-times is 0, the period-time value
specified does not take effect.
Views
System view
Default Level
3: Management level
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 283
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Task Name and Operations
Task Name Operations
telnet-server write
Usage Guidelines
Usage Scenario
To manage frequent Telnet server login failures within a specified period, run the
telnet server login-failed threshold-alarm command to configure alarm
generation and clearance thresholds for the login failures.
This command takes effect for both ipv4 and ipv6 Telnet servers.
Precautions
The alarm generation threshold specified using report-times must be greater than
or equal to the alarm clearance threshold specified using resume-times.
Example
# Configure the device to generate an alarm when the number of Telnet server
login failures within 3 minutes reaches 20 and clear the alarm when the number
of Telnet server login failures within 3 minutes is less than 10.
<HUAWEI> system-view
[~HUAWEI] telnet server login-failed threshold-alarm upper-limit 20 lower-limit 10 period 3
3.6.89 telnet server-source
Function
The telnet server-source command specifies a source interface for a Telnet server.
The undo telnet server-source command restores the default setting.
By default, the source interface of a Telnet server is not specified.
Format
telnet server-source -i interface-type interface-number
undo telnet server-source -i interface-type interface-number
telnet server-source all-interface
undo telnet server-source all-interface
telnet ipv6 server-source -a ipv6-address [ -vpn-instance vpn-instance-name ]
undo telnet ipv6 server-source -a ipv6-address [ -vpn-instance vpn-instance-
name ]
telnet ipv6 server-source all-interface
undo telnet ipv6 server-source all-interface
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 284
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Value
-i interface-type interface- Specifies an IPv4 source interface for a -
number Telnet server.
-a ipv6-address Specifies a source IPv6 address for a Telnet -
server.
ipv6 Indicates the IPv6 information about a -
Telnet server.
-vpn-instance vpn- Specifies the name of a VPN instance. -
instance-name
all-interface Indicates that any interface having an IP -
address configured can be used as the
source interface of a Telnet server.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Guidelines
Usage Scenario
After a restart with non-base configuration, a Telnet server receives login requests
from all interfaces and addresses, leading to low system security. To improve
system security, you can run the telnet server-source command to specify a
source interface or source IPv6 address for the SSH server. Then only authorized
users can log in to the Telnet server.
● If the telnet server-source -i or telnet ipv6 server-source -a command is run
and the telnet server-source all-interface or telnet ipv6 server-source all-
interface command is not, the specified interface is used as the source
interface, or the specified IPv6 address is used as the source IPv6 address.
● If the telnet server-source all-interface or telnet ipv6 server-source all-
interface command is run and the telnet server-source -i or telnet ipv6
server-source -a command is not, any valid interface on the device can be
used as the source interface, including any physical interface with an IP
address configured and any created logical interface with an IP address
configured.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 285
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
● If both the telnet server-source -i and telnet server-source all-interface
commands are run, the interface specified in the telnet server-source -i
command is preferentially used as the source interface of the Telnet server.
● If both the telnet ipv6 server-source -a and telnet ipv6 server-source all-
interface commands are run, the interface IPv6 address specified in the
telnet ipv6 server-source -a command is preferentially used as the source
IPv6 address of the Telnet server.
● The telnet server-source -i interface-type interface-number and telnet
server-source all-interface commands take effect only in IPv4 scenarios.
● If no source interface is specified using the telnet server-source command
after the system starts with base configuration, users cannot log in to the
system through Telnet.
Prerequisites
A loopback interface has been created if you want to specify it as the source
interface of a Telnet server using the telnet server-source command. Otherwise,
the command cannot be executed.
A VPN instance has been created before you specify it for a Telnet server using the
telnet ipv6 server-source -a ipv6-address [ -vpn-instance vpn-instance-name ]
command. Otherwise, the command cannot be executed.
Configuration Impact
If a source interface or source IPv6 address is specified for an SSH server, the
server allows SFTP, STelnet, SCP, and SNETCONF users to log in through the
specified source interface or source IPv6 address only, and denies access of SFTP,
STelnet, SCP, and SNETCONF users who attempt to log in through other interfaces
or IPv6 addresses. This configuration applies to the Telnet users who attempt to
log in to the server, not to the Telnet users who have logged in to the server.
Precautions
● If a source interface or source IPv6 address is specified for a Telnet server,
Telnet users must be able to communicate with the specified source interface
or source IPv6 address at Layer 3 to ensure that authorized Telnet users can
log in to the server.
● If the specified source interface is bound to a VPN instance, the VPN instance
is automatically bound to the Telnet server. If the interface to which the
specified source IPv6 address belongs is bound to a VPN instance, the -vpn-
instance parameter must be specified when you specify the IPv6 address for
the client.
● If the VPN instance bound to the specified source interface is deleted, the VPN
configuration specified in the telnet ipv6 server-source -a ipv6-address [ -
vpn-instance vpn-instance-name ] command is not cleared but does not take
effect. In this case, the Telnet server uses the public network instance instead.
If the VPN instance with the same name as the deleted one is reconfigured,
the VPN function will be restored.
● For an IPv6 Telnet server, you can run the telnet ipv6 server-source -a ipv6-
address [ -vpn-instance vpn-instance-name ] command to specify a source
IPv6 address through which users log in to the server.
● If the telnet server-source all-interface command is run, users can log in to
the Telnet server through any valid IPv4 interface, which increases system
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 286
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
security risks. Therefore, running the telnet server-source all-interface
command is not recommended.
● If the telnet ipv6 server-source all-interface command is run, users can log
in to the Telnet server through any valid IPv6 interface address, which
increases system security risks. Therefore, running the telnet ipv6 server-
source all-interface command is not recommended.
● After the bound source interface is deleted, the interface configuration in the
ssh server-source command will not be deleted and does not take effect.
After the source interface with the same name is reconfigured, the function
will be restored.
Example
# Specify Loopback0 as the source interface of the Telnet server.
<HUAWEI> system-view
[~HUAWEI] interface loopback 0
[*HUAWEI-LoopBack0] ip address 10.1.1.1 24
[*HUAWEI-LoopBack0] quit
[*HUAWEI] telnet server-source -i loopback 0
# Allow any IPv4 interface on the Telnet server to be used as the source interface
of the server.
<HUAWEI> system-view
[~HUAWEI] telnet server-source all-interface
# Allow any IPv6 interface address on the Telnet server to be used as the source
IPv6 address of the server.
<HUAWEI> system-view
[~HUAWEI] telnet ipv6 server-source all-interface
3.6.90 telnet server disable
Function
The telnet server disable command disables the Telnet server.
The undo telnet server disable command enables the Telnet server.
The default situation is as follows:
● If a device starts without any configuration file, the Telnet server is disabled.
● If a device starts with a loaded configuration file (for example, a
configuration file is loaded to the device using ZTP for initial configuration)
and the configuration file contains the telnet server disable command, the
Telnet server is disabled; otherwise, the Telnet server is enabled.
Format
telnet [ ipv6 ] server disable
undo telnet [ ipv6 ] server disable
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 287
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Value
ipv6 Specifies a Telnet IPv6 server. -
Views
System view
Default Level
3: Management level
Usage Guidelines
You can run this command to enable and disable the Telnet server. A Telnet server
can be connected only when it is enabled.
If the Telnet server is disabled using the telnet [ ipv6 ] server disable command,
new Telnet connections are not allowed and existing Telnet connections are
disconnected.
When a Telnet server stops, you can log in to the device only through the console
port or SSH.
NOTICE
The Telnet protocol is insecure, and the STelnet V2 mode is recommended.
Example
# Enable a Telnet server.
<HUAWEI> system-view
[~HUAWEI] undo telnet server disable
# Disable a Telnet server.
<HUAWEI> system-view
[~HUAWEI] telnet server disable
# Enable an IPv6 Telnet server.
<HUAWEI> system-view
[~HUAWEI] undo telnet ipv6 server disable
3.6.91 telnet server port
Function
The telnet server port command configures the listening port number of a Telnet
server.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 288
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
The undo telnet server port command restores the default listening port of a
Telnet server.
The default listening port of a Telnet server is 23.
Format
telnet [ ipv6 ] server port port-number
undo telnet [ ipv6 ] server port
Parameters
Parameter Description Value
ipv6 Specifies a Telnet IPv6 -
server.
port-number Specifies the listening port The value is an integer that is 23 or
number of a Telnet server. ranges from 1025 to 65535. The
default value 23 is the standard
Telnet server port number.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To protect the Telnet standard port against attacks and ensure network security,
configure the listening port number of the Telnet server.
The command telnet server port port-number takes effect for ipv4 Telnet servers.
Precautions
A Telnet client can log in to the server with no port specified only when the server
is listening on port 23. If the server is listening on another port, the port number
must be specified upon login.
Before changing the current port number, disconnect all devices from the port.
After the port number is changed, the server starts to listen on the new port.
Example
# Configure the listening port number to 1026.
<HUAWEI> system-view
[~HUAWEI] telnet server port 1026
# Restore the listening port number to the default value.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 289
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
<HUAWEI> system-view
[~HUAWEI] undo telnet server port
3.7 File Management Commands
3.7.1 activate ftp server ip-block ip-address
Function
The activate ftp server ip-block ip-address command unlocks the ipv4 and ipv6
addresses of a user that fails the FTP authentication.
Format
activate ftp server ip-block ip-address ip-address [ vpn-instance vpn-name ]
Parameters
Parameter Description Value
ip-address Specifies a locked ● For IPv4 address, the value is in the
IP address. decimal format.
● For IPv6 address, the value is a 32-digit
hexadecimal number, in the format of
X:X:X:X:X:X:X:X.
vpn-instance Specifies the name The value is a string of 1 to 31 case-
vpn-name of a VPN to which sensitive characters, spaces and question
the locked user marks are not supported. In addition, the
belongs. VPN instance name must not be _public_.
When double quotation marks are used
around the string, spaces are allowed in the
string.
Views
User view
Default Level
3: Management level
Task Name and Operations
Task Name Operations
ftp-server write
Usage Guidelines
In an FTP connection, if a user enters incorrect passwords for the consecutive
times in specified minutes, the IP address of this user will be locked. Run the ftp
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 290
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
server ip-block reactive command to set lock period. To unlock the IP address of
this user in advance, run activate ftp server ip-block ip-address command.
Example
# Unlock the IP address 10.1.2.3.
<HUAWEI> activate ftp server ip-block ip-address 10.1.2.3
3.7.2 append
Function
The append command adds local file data to the end of a file on the FTP server.
Format
append local-filename [ remote-filename ]
Parameters
Parameter Description Value
local-filename Specifies the local file name. The value is a string of 1
to 128 characters.
remote- Specifies the name of a file on the The value is a string of 1
filename FTP server. If the specified file does to 128 characters.
not exist on the FTP server, create
the file.
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
If the file specified in the remote-filename parameter does not exist when you
run the append command, create the file and add local file data to the end of the
created file.
Example
# Add the data of local file sample2.txt to the end of file sample1.txt on the FTP
server.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 291
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
User(10.137.217.201:(none)):switch
331 Password required for switch.
Enter password:
230 User logged in.
[ftp] append sample2.txt sample1.txt
200 Port command okay.
150 Opening ASCII mode data connection for /sample1.txt.
226 Transfer complete.
\ 100% [***********]
FTP: 35 byte(s) send in 1.443522666 second(s) 23byte(s)/sec.
# Add the data of local file a.txt to the end of file a.txt on the FTP server.
[ftp] append a.txt
200 Port command okay.
150 Opening ASCII mode data connection for /a.txt.
226 Transfer complete.
\ 100% [***********]
FTP: 35 byte(s) send in 1.443522666 second(s) 23byte(s)/sec.
3.7.3 ascii
Function
The ascii command sets the file transfer mode to ASCII on an FTP client.
The default file transfer mode is ASCII.
Format
ascii
Parameters
None
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
Files can be transferred in ASCII or binary mode.
ASCII mode is used to transfer plain text files, and binary mode is used to transfer
application files, such as system software, images, video files, compressed files,
and database files.
Example
# Set the file transfer mode to ASCII.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 292
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):switch
331 Password required for switch.
Enter password:
230 User logged in.
[ftp] ascii
200 Type set to A.
3.7.4 binary
Function
The binary command sets the file transmission mode to binary on an FTP client.
The default file transfer mode is ASCII.
Format
binary
Parameters
None
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
Files can be transferred in ASCII or binary mode.
ASCII mode is used to transfer plain text files, and binary mode is used to transfer
application files, such as system software, images, video files, compressed files,
and database files.
NOTE
The binary mode can be set to transfer ASCII and binary files.
Example
# Set the file transmission mode to binary.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):switch
331 Password required for switch.
Enter password:
230 User logged in.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 293
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
[ftp] binary
200 Type set to I
3.7.5 bye
Function
The bye command terminates the connection with the remote FTP server and
enters the user view.
Format
bye
Parameters
None
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
This command is equivalent to the quit command.
You can use the close and disconnect commands to terminate the connection
with the remote FTP server and retain the FTP client view.
Example
# Terminate the connection with the remote FTP server and enter the user view.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):switch
331 Password required for switch.
Enter password:
230 User logged in.
[ftp] bye
221 server closing.
<HUAWEI>
3.7.6 bye/exit
Function
The bye/exit command enables the system to disconnect from the remote SFTP
server and return to the SFTP client view.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 294
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Format
bye
exit
Parameters
None
Views
SFTP client view
Default Level
3: Management level
Usage Guidelines
You can use this command to return to the system view from the SFTP client view.
Example
# Disconnect from SFTP server using bye command.
<HUAWEI> system-view
[~HUAWEI] sftp 10.1.1.1
sftp 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
Please input the username: sftp
sftp-client> bye
[~HUAWEI]
# Disconnect from SFTP server using exit command.
[~HUAWEI] sftp 10.1.1.1
sftp 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
Please input the username: sftp
sftp-client> exit
[~HUAWEI]
3.7.7 cd (FTP client view)
Function
The cd command changes the working directory of the FTP server.
Format
cd remote-directory
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 295
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Value
remote- Specifies the name of a The value is a string of 1 to 128
directory working directory on the FTP case-insensitive characters
server. without spaces.
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
The FTP server authorizes users to access files in certain directories and their
subdirectories.
Example
# Change the working directory to d:/temp.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):switch
331 Password required for switch.
Enter password:
230 User logged in.
[ftp] cd d:/temp
250 "D:/temp" is current directory.
3.7.8 cd (SFTP client view)
Function
The cd command changes the working directory of the SFTP server.
Format
cd [ remote-directory ]
Parameters
Parameter Description Value
remote- Specifies the name of a The value is a string of 1 to 128
directory directory on the SFTP server. case-insensitive characters
without spaces.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 296
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Views
SFTP client view
Default Level
3: Management level
Usage Guidelines
● The SFTP server authorizes users to access files in certain directories and their
subdirectories.
● The specified working directory must exist on the SFTP server. If the remote-
directory parameter is not included in the cd command, only the current
working directory of an SSH user is displayed as the command output.
Example
# Change the current working directory of the SFTP server to /bill.
<HUAWEI> system-view
[~HUAWEI] sftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL+K to abort
Connected to 10.137.217.201 ...
Please input the username:admin
Enter password:
sftp-client> cd bill
Current directory is:
/bill
3.7.9 cd (user view)
Function
The cd command changes the current working directory of a user.
By default, the current working directory is flash:/.
Format
cd [ directory ]
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 297
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Value
directory Specifies the The value is a string of 1 to 255 case-sensitive
current working characters without spaces in the [ drive ] path
directory of a format.
user.
In the preceding parameter, drive specifies the
storage device name, and path specifies the
directory and subdirectory.
You are advised to add : and / between the
storage device name and directory. Characters ? ~
* / \ : ' " | < > [ ] cannot be used in the directory
name.
For example, a directory name is flash:/selftest/
test/.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The following describes the drive name.
● drive is the storage device and is named as flash:.
● If devices are stacked, drive can be named as:
– flash: root directory of the flash memory of the master switch in the
stack.
– chassis ID#flash: root directory of the flash memory on a device in the
stack.
For example, slot2#flash: indicates the flash memory in slot 2.
The path can be an absolute path or relative path. A relative path can be
designated relative to either the root directory or the current working directory. A
relative path beginning with a slash (/) is a path relative to the root directory.
● flash:/my/test/ is an absolute path.
● /selftest/ is a path relative to the root directory and indicates the selftest
directory in the root directory.
● selftest/ is a path relative to the current working directory and indicates the
selftest directory in the current working directory.
For example, if you change the current working directory flash:/selftest/ to the
logfile directory in flash, the absolute path is flash:/logfile/, and the relative path
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 298
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
is /logfile/. The logfile directory is not logfile/ because it is not in the current
working directory selftest.
Precautions
● The directory specified in the cd command must exist; otherwise, the error
messages will be displayed:
You can perform the following operations to rectify faults:
a. Run the pwd command to view the current working directory.
b. Run the dir command to view the current working directory and verify
that the directory specified in the cd command exists.
● If you run the cd command without specifying the directory parameter, the
system returns to the root directory.
Example
# Change the current working directory from flash:/temp to flash:.
<HUAWEI> pwd
flash:/temp/
<HUAWEI> cd flash:
<HUAWEI> pwd
flash:/
# Change the current working directory from flash: to flash:/t1/t2.
<HUAWEI> pwd
flash:/
<HUAWEI> cd flash:/t1/t2
<HUAWEI> pwd
flash:/t1/t2/
# Change the current working directory from flash:/selftest to flash:/logfile.
<HUAWEI> pwd
flash:/selftest/
<HUAWEI> cd /logfile/
<HUAWEI> pwd
flash:/logfile/
# Change the current working directory from flash:/selftest to flash:/selftest/test.
<HUAWEI> pwd
flash:/selftest/
<HUAWEI> cd test/
<HUAWEI> pwd
flash:/selftest/test/
3.7.10 cdup (SFTP client view)
Function
The cdup command changes the current working directory of an SSH user to its
parent directory.
Format
cdup
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 299
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
None
Views
SFTP client view
Default Level
3: Management level
Usage Guidelines
You can run the cdup command to change the current working directory to its
parent directory.
Example
# Change the current working directory to its parent directory.
<HUAWEI> system-view
[~HUAWEI] sftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL+K to abort
Connected to 10.137.217.201 ...
Please input the username:admin
Enter password:
sftp-client> cd dhcp
Current directory is:
/dhcp
sftp-client> cdup
Current directory is:
/
sftp-client>
3.7.11 cdup (FTP client view)
Function
The cdup command enables you to return to the upper-level directory.
Format
cdup
Parameters
None
Views
FTP client view
Default Level
3: Management level
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 300
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Usage Guidelines
Usage Scenario
To exit from the current directory and return to the upper-level directory, run the
cdup command.
Precautions
The directories accessible to an FTP user are restricted by the authorized
directories configured for the user.
Example
# Exit from the current directory and return to the upper-level directory.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):switch
331 Password required for switch.
Enter password:
230 User logged in.
[ftp] cd security
250 CWD command successful.
[ftp] cdup
200 CDUP command successful.
3.7.12 close
Function
The close command terminates the connection with the remote FTP server and
retains the FTP client view.
Format
close
Parameters
None
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
This command is equivalent to the disconnect command.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 301
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
You can run the bye and quit commands to terminate the connection with the
remote FTP server and enter the user view.
Precautions
To enter the user view from the FTP client view, you can run the bye or quit
command.
Example
# Terminate the connection with the remote FTP server and enter the FTP client
view.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):switch
331 Password required for switch.
Enter password:
230 User logged in.
[ftp] close
221 Server closing.
[ftp]
3.7.13 copy
Function
The copy command copies a file.
Format
copy source-filename destination-filename [ all ]
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 302
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Settings
source-filename Specifies the path and An absolute path name
the name of a source is a string of 1 to 255
file. characters. A relative
path name is a string of
1 to 128 case-sensitive
characters without
spaces in the [ drive ]
[ path ] file name
format. Up to 8 levels of
directories are supported.
When quotation marks
are used around the
string, spaces are
allowed in the string.
In the preceding
parameter, drive
specifies the storage
device name, and path
specifies the directory
and subdirectory.
You are advised to add :
and / between the
storage device name and
directory. Characters ? ~
* / \ : ' " | < > [ ] cannot
be used in the directory
name.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 303
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Settings
destination-filename Specifies the path and An absolute path name
the name of a is a string of 1 to 255
destination file. characters. A relative
path name is a string of
1 to 128 case-sensitive
characters without
spaces in the [ drive ]
[ path ] file name
format. Up to 8 levels of
directories are supported.
When quotation marks
are used around the
string, spaces are
allowed in the string.
In the preceding
parameter, drive
specifies the storage
device name, and path
specifies the directory
and subdirectory.
You are advised to add :
and / between the
storage device name and
directory. Characters ? ~
* / \ : ' " | < > [ ] cannot
be used in the directory
name.
all Copies a file to all -
member devices.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The following describes the drive name.
● drive is the storage device and is named as flash:.
● If devices are stacked, drive can be named as:
– flash: root directory of the flash memory of the master switch in the
stack.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 304
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
– chassis ID#flash: root directory of the flash memory on a device in the
stack.
For example, slot2#flash: indicates the flash memory in slot 2.
The path can be an absolute path or relative path. A relative path can be
designated relative to either the root directory or the current working directory. A
relative path beginning with a slash (/) is a path relative to the root directory.
● flash:/my/test/ is an absolute path.
● /selftest/ is a path relative to the root directory and indicates the selftest
directory in the root directory.
● selftest/ is a path relative to the current working directory and indicates the
selftest directory in the current working directory.
Precautions
● If the destination file name is not specified, the designation file and the
source file have the same name. If the source file and the destination file are
in the same directory, you must specify the destination file name. If the
destination file name is not specified, you cannot copy the source file.
Example
# Copy the newbasicsoft.cc file from the master device in a stack to other
member devices.
<HUAWEI> copy newbasicsoft.cc 1#flash:/newbasicsoft.cc
Info: Are you sure to copy flash:/newbasicsoft.cc to 1#flash:/newbasicsoft.cc? [Y/N]:y
100% complete
Info: Copying file flash:/newbasicsoft.cc to 1#flash:/newbasicsoft.cc...Done.
# Copy the file config.cfg from the root directory of the flash card to flash:/temp.
The destination file name is temp.cfg.
<HUAWEI> copy flash:/config.cfg flash:/temp/temp.cfg
Info: copy flash:/config.cfg to flash:/temp/temp.cfg?[Y/N]:y
100% complete
Info: Copied file flash:/config.cfg to flash:/temp/temp.cfg...Done.
# If the current directory is the root directory of the flash card, you can perform
the preceding configuration using the relative path.
<HUAWEI> pwd
flash:/
<HUAWEI> dir
Directory of flash:/
Idx Attr Size(Byte) Date Time FileName
0 -rw- 6,721,804 Mar 19 2012 12:31:58 devicesoft.cc
1 -rw- 910 Mar 19 2012 12:32:58 config.cfg
2 drw- - Mar 05 2012 09:54:34 temp
...
670,092 KB total (569,904 KB free)
<HUAWEI> copy config.cfg temp/temp.cfg
Info: copy flash:/config.cfg to flash:/temp/temp.cfg?[Y/N]:y
100% complete
Info: Copied file flash:/config.cfg to flash:/temp/temp.cfg...Done.
# Copy the file config.cfg from the root directory of the flash card to flash:/temp.
The destination file name is config.cfg.
<HUAWEI> pwd
flash:/
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 305
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
<HUAWEI> dir
Directory of flash:/
Idx Attr Size(Byte) Date Time FileName
0 -rw- 6,721,804 Mar 19 2012 12:31:58 devicesoft.cc
1 -rw- 910 Mar 19 2012 12:32:58 config.cfg
2 drw- - Mar 05 2012 09:54:34 temp
...
670,092 KB total (569,904 KB free)
<HUAWEI> copy config.cfg temp
Info: copy flash:/config.cfg to flash:/temp/config.cfg?[Y/N]:y
100% complete
Info: Copied file flash:/config.cfg to flash:/temp/config.cfg...Done.
# Copy the file backup.zip to backup1.zip in the test directory from the current
working directory flash:/test/.
<HUAWEI> pwd
flash:/test/
<HUAWEI> copy backup.zip backup1.zip
Info: copy flash:/test/backup.zip to flash:/test/backup1.zip?[Y/N]:y
100% complete
Info: Copied file flash:/test/backup.zip to flash:/test/backup1.zip...Done.
3.7.14 compare configuration
Function
The compare configuration compares whether the current configurations are
identical with the next startup configuration file.
Format
compare configuration [ configuration-file ]
Parameters
Parameter Description Value
configuration-file Specifies the name of the The name of the
configuration file to be compared with configuration file
the current configurations. must already exist.
NOTE
If this parameter is not specified, the
current configurations and the next startup
configuration file are compared.
Views
User view
Default Level
3: Management level
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 306
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Usage Guidelines
Usage Scenario
After completing a series of operations, you can compare whether the current
configurations are the same as the configurations in the next startup
configuration file or a specified configuration file starting from the first line of the
current configurations. You can determine whether to save the current
configurations based on the comparison result and specify the current
configurations as the next startup configuration file.
After you run this command to compare the current configurations with the next
startup configuration file or a specified configuration file, the system displays the
different content starting from the first different line to the ninth different line. If
the different content contains fewer than nine lines, the system displays only the
content from the first different line to the end of the file.
NOTE
You can run this command to compare whether the current configurations are the same as
the configurations in the next startup configuration file or a specified configuration file in
service VS.
Precautions
The file name extension of the configuration file must be .cfg or .zip.
After this command is run once, only the first difference between the two
configuration files is displayed. To compare all differences, modify the difference
recognized to be the same and run the compare configuration command
repeatedly.
Example
# Compare whether the current configurations are identical with the next startup
configuration file.
<HUAWEI> compare configuration
Building configuration...
Warning: The current configuration is not the same as the next startup configuration file. There may be
several differences, and the
following are some configurations beginning from the first:
====== Current configuration line 9 ======
drop-profile default
#
vlan batch 10
#
dldp enable
#
lldp enable
====== Configuration file line 7 ======
drop-profile default
#
vlan batch 10
#
lldp enable
#
diffserv domain default
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 307
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3.7.15 delete (FTP client view)
Function
The delete command deletes a file from the FTP server.
Format
delete remote-filename
Parameters
Parameter Description Value
remote- Specifies the name of a file The value is a string of 1 to 128
filename to be deleted. case-insensitive characters
without spaces.
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
The permission to delete the file completely depends on the access rights
configuration on the remote server system. By executing the dir command
displays the list of directories and files in the specified directory.
A file deleted in the FTP client view cannot be restored.
Example
# Delete the file temp.c.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):switch
331 Password required for switch.
Enter password:
230 User logged in.
[ftp] delete temp.c
Warning: File temp.c will be deleted. Continue? [Y/N]:y
250 File deleted from remote host.
3.7.16 delete (user view)
Function
The delete command deletes a specified file in the storage device.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 308
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Format
delete [ /unreserved ] [ /quiet ] { filename | devicename } [ all ]
Parameters
Parameter Description Value
/unreserved Deletes a specified file. -
The deleted file cannot
be restored.
/quiet Deletes a file directly -
without any
confirmation.
filename Specifies the name of a An absolute path name is a string of 1
file to be deleted. to 255 characters. A relative path name
is a string of 1 to 128 case-sensitive
characters without spaces in the
[ drive ] [ path ] file name format. Up
to 8 levels of directories are supported.
When quotation marks are used around
the string, spaces are allowed in the
string.
In the preceding parameter, drive
specifies the storage device name, and
path specifies the directory and
subdirectory.
You are advised to add : and / between
the storage device name and directory.
Characters ? ~ * / \ : ' " | < > [ ] cannot
be used in the directory name.
devicename Deletes all the files in the -
storage device.
all Deletes files in the -
specified directory in a
batch from all storage
devices.
Views
User view
Default Level
3: Management level
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 309
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Usage Guidelines
Usage Scenario
The following describes the drive name.
● drive is the storage device and is named as flash:.
● If devices are stacked, drive can be named as:
– flash: root directory of the flash memory of the master switch in the
stack.
– chassis ID#flash: root directory of the flash memory on a device in the
stack.
For example, slot2#flash: indicates the flash memory in slot 2.
The path can be an absolute path or relative path. A relative path can be
designated relative to either the root directory or the current working directory. A
relative path beginning with a slash (/) is a path relative to the root directory.
● flash:/my/test/ is an absolute path.
● /selftest/ is a path relative to the root directory and indicates the selftest
directory in the root directory.
● selftest/ is a path relative to the current working directory and indicates the
selftest directory in the current working directory.
Precautions
● The wildcard (*) character can be used in the delete command.
● If the parameter /unreserved is not included, the file is stored in the recycle
bin. To display all files including deleted files that are displayed in square
brackets ([ ]), run the dir /all command. To restore these files that are
displayed in square brackets ([ ]), run the undelete command. To clear these
files from the recycle bin, run the reset recycle-bin command.
NOTICE
If you delete a file using the /unreserved parameter, the file cannot be
restored.
● If the recycle bin is full, files cannot be deleted using the delete command
without the parameter /unreserved configured. In this case, delete
unnecessary files permanently using the delete command with the
parameter /unreserved configured.
● If you delete two files with the same name from different directories, the last
file deleted is kept in the recycle bin.
● If you attempt to delete a protected file, such as a configuration file or patch
file, a system prompt is displayed.
● You cannot delete a directory by running the delete command. To delete a
directory, run the rmdir (user view) command.
● After the system is restarted, if a failure message is displayed when you delete
a software package or configuration file before service processes become
stable, perform the deletion only when the processes become stable.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 310
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Example
# Delete the file test.txt from the current working directory flash:/selftest.
<HUAWEI> delete test.txt
Info: Are you sure to delete flash:/selftest/test.txt? [Y/N]:y
3.7.17 dir (user view)
Function
The dir command displays information about files and directories in the storage
medium.
Format
dir [ /all ] [ filename | directory | /all-filesystems ]
Parameters
Parameter Description Value
/all Displays information -
about all files and
directories in the current
directory, including files
and directories moved to
the recycle bin from the
current directory.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 311
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
filename Specifies the file name. An absolute path name
is a string of 1 to 255
characters. A relative
path name is a string of
1 to 128 case-sensitive
characters without
spaces in the [ drive ]
[ path ] file name
format. Up to 8 levels of
directories are supported.
When quotation marks
are used around the
string, spaces are
allowed in the string.
In the preceding
parameter, drive
specifies the storage
device name, and path
specifies the directory
and subdirectory.
You are advised to add :
and / between the
storage device name and
directory. Characters ? ~
* / \ : ' " | < > [ ] cannot
be used in the directory
name.
directory Specifies the file The value is a string of 1
directory. to 255 case-sensitive
characters without
spaces in the [ drive ]
path format.
In the preceding
parameter, drive
specifies the storage
device name, and path
specifies the directory
and subdirectory.
You are advised to add :
and / between the
storage device name and
directory. Characters ? ~
* / \ : ' " | < > [ ] cannot
be used in the directory
name.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 312
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
/all-filesystems Display information -
about files and
directories in the root
directories of all the
storage media on the
device.
Views
User view
Default Level
3: Management level
Usage Guidelines
The wildcard character (*) can be used in this command. If no parameter is
specified, this command displays information about files and directories in the
current directory.
The following describes the drive name:
● drive is the storage device and is named as flash:.
● If devices are stacked, drive can be named as:
– flash: root directory of the flash memory of the master switch in the
stack.
– chassis ID#flash: root directory of the flash memory on a device in the
stack.
For example, slot2#flash: indicates the flash memory in slot 2.
The path can be an absolute path or relative path. A relative path can be
designated relative to either the root directory or the current working directory. A
relative path beginning with a slash (/) is a path relative to the root directory.
● flash:/my/test/ is an absolute path.
● /selftest/ is a path relative to the root directory and indicates the selftest
directory in the root directory.
● selftest/ is a path relative to the current working directory and indicates the
selftest directory in the current working directory.
You can run the dir /all command to view information about all files and
directories of the storage medium, including those moved to the recycle bin. The
name of a file in the recycle bin is placed in square brackets ([]), for example,
[test.txt].
Table 3-41 lists information about some files queried through the dir command.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 313
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Table 3-41 File information
Item Description
$_checkpoint Directory for storing configuration
rollback point information.
**.cc Software version file.
POST Directory for storing hardware self-test
information when the system starts.
SysResTemplate.ini System forwarding resource template,
which exists in the user directory after
the forwarding mode is set in the
system.
device.sys System hardware configuration file.
logfile Directory for storing log information:
● diag.log: detailed logs of key events
and exceptions
● log.log: logs of operations and key
events
You can run the display logbuffer
command to view event logs and
other logs.
lost+found Directory for storing information about
the damaged file in the file
management module recovered by the
system during abnormal restart.
**.zip/**.cfg/**.dat System configuration file. For details,
see the save command.
The file name extension of compressed
log files is also .zip.
● log_slot ID_time.log.zip: a common
log file that reaches a specified size
● diaglog_slot ID_time.log.zip: a
diagnostic log file that reaches a
specified size
You can run the info-center logfile
size command to set the size of a log
file.
*.ztbl File for saving security MAC address
information after port security is
configured.
*.cap File for saving captured packets after
packet capture is configured on the
device.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 314
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Item Description
*.MOD/*.mod Modules that are not running can be
dynamically loaded to the system
using a file. The file must be uploaded
to the directory flash:/$_install_mod/.
Example
# Display information about all files and directories in the current directory.
<HUAWEI> dir /all
Directory of flash:/
Idx Attr Size(Byte) Date Time FileName
0 drwx - Mar 03 2013 03:44:28 $_checkpoint
1 -rw- 104,517,153 Mar 02 2013 18:22:18 devicesoft.cc
2 drwx - Mar 03 2013 03:42:52 POST
3 -rw- 14 Mar 03 2013 03:45:32 SysResTemplate.ini
4 -rw- 16,781 Mar 03 2013 03:41:39 device.sys
5 drwx - Jan 19 2012 09:54:13 logfile
6 drwx - Feb 27 2013 04:44:53 lost+found
7 -rw- 33,036 Mar 03 2013 03:41:39 vrpcfg.cfg
8 -rw- 6,311 Feb 25 2012 17:22:30 [vrpcfg1.cfg]
9 lrwx 164,169,606 Jul 08 2015 20:48:21 link.cc -> flash:/home/CE5810-V100R006C00.cc
10 lrwx 6,632 Jul 13 2015 20:19:02 link.txt -> system file
670,092 KB total (569,904 KB free)
# Display information about the file in the current directory.
<HUAWEI> dir vrpcfg.cfg
Directory of flash:/
Idx Attr Size(Byte) Date Time FileName
8 -rw- 33,036 Jan 22 2012 16:35:31 vrpcfg.cfg
670,092 KB total (569,904 KB free)
# Display information about all .ini files in the current directory.
<HUAWEI> dir *.ini
Directory of flash:/
Idx Attr Size(Byte) Date Time FileName
1 -rw- 14 Jan 10 2012 10:39:27 SysResTemplate.ini
670,092 KB total (569,904 KB free)
Table 3-42 Description of the dir command output
Item Description
Directory of Flash memory directory.
flash
Idx File index.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 315
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Item Description
Attr File attributes:
● d: indicates a directory. If this item is not displayed, the
corresponding FileName field displays a file. For example,
devicesoft.cc is a file and logfile is a directory.
● r: indicates that the file or directory is readable.
● w: indicates that the file or directory is writable.
● x: indicates that the file or directory is executable.
● l: indicates that the file is a link file.
Size(Byte) File size.
Date Date when the file is generated.
Time Time when the file is generated.
FileName File name.
● vrpcfg.cfg: configuration file. The file name extension of the
configuration file must be .cfg or .zip.
● devicesoft.cc: system software. The file name extension of the
system software must be .cc.
Some software sub-systems store necessary data in other files in
the file system when the device is running properly. The name of
a file in the recycle bin is placed in square brackets ([]).
3.7.18 dir/ls (FTP client view)
Function
The dir and ls commands display all files or specified files that are stored on the
FTP server, and save them to a local disk.
Format
dir [ remote-filename [ local-filename ] ]
ls [ remote-filename [ local-filename ] ]
Parameters
Parameter Description Value
remote- Specifies the name and The value is a string of 1 to 128
filename directory of a file stored on case-sensitive characters without
the FTP server. spaces. The remote-filename
must already exist.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 316
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
local-filename Specifies the name of the The value is a string of 1 to 128
local file that saves the FTP case-sensitive characters without
server file information. spaces.
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The following describes differences between the dir and ls commands.
● When you run the dir command, detailed file information is displayed,
including the file size, date when the file was created, whether the file is a
directory, and whether the file can be modified. When you run the ls
command, only the file name is displayed.
● The dir command is used to save detailed file information, while the ls
command is used to save only the file name even if the file is specified and
saved in a local directory.
Precautions
The wildcard (*) character can be used in commands dir and ls.
Example
# Display the name or detailed information about a file that is saved in the test
directory.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):switch
331 Password required for switch.
Enter password:
230 User logged in.
[ftp] cd test
250 CWD command successful.
[ftp] dir
200 Port command okay.
150 Opening ASCII mode data connection for /test.
drwxrwxrwx 1 noone nogroup 0 Mar 23 16:04 yourtest
-rwxrwxrwx 1 noone nogroup 5736 Mar 24 10:38 backup.txt
-rwxrwxrwx 1 noone nogroup 5736 Mar 24 10:38 backup1.txt
226 Transfer complete.
[ftp] ls
200 Port command okay.
150 Opening ASCII mode data connection for /test.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 317
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
yourtest
backup.txt
backup1.txt
226 Transfer complete.
# Display the detailed information for the file temp.c, and save the displayed
information in file temp1.
[ftp] dir temp.c temp1
200 Port command okay.
150 Opening ASCII mode data connection for /temp.c.
226 Transfer complete.
[ftp] quit
221 Server closing.
<HUAWEI> more temp1
-rwxrwxrwx 1 noone nogroup 3929 Apr 27 18:13 temp.c
# Display the name of file test.bat, and save the displayed information in file test.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):switch
331 Password required for switch.
Enter password:
230 User logged in.
[ftp] ls test.bat test
200 Port command okay.
150 Opening ASCII mode data connection for /test.bat.
226 Transfer complete.
[ftp] quit
221 Server closing.
<HUAWEI> more test
test.bat
Table 3-43 Description of the dir/Is command output
Item Description
d Indicates a directory. If this parameter is not present, the
command output indicates a file.
r Indicates that the file or directory can be read.
w Indicates that the file or directory can be modified.
x Indicates that the file or directory is executable.
3.7.19 dir/ls (SFTP client view)
Function
The dir and ls commands display a list of specified files that are stored on the
SFTP server.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 318
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Format
dir [ -l | -a ] [ remote-directory ]
ls [ -l | -a ] [ remote-directory ]
Parameters
Parameter Description Value
-l Displays detailed information about -
all files and directories in a specified
directory.
-a Displays names of all files and -
directories in a specified directory.
remote-directory Specifies the name of a directory on The value is a string of
the SFTP server. 1 to 128 case-sensitive
characters without
spaces.
Views
SFTP client view
Default Level
3: Management level
Usage Guidelines
The dir and ls commands are equivalent.
● If -l and -a parameters are not specified, detailed information about all files
and directories in a specified directory is displayed when you run the dir or ls
command. The effect is the same as the dir -l command output.
● By default, if the remote-directory parameter is not specified, the list of
current directory files is displayed when you run the dir or ls command.
Example
# Display a list of files in the test directory of the SFTP server.
<HUAWEI> system-view
[~HUAWEI] sftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL+K to abort
Connected to 10.137.217.201 ...
Please input the username:admin
Enter password:
sftp-client> dir test
-rwxrwxrwx 1 noone nogroup 0 Mar 24 00:04 yourtest
-rwxrwxrwx 1 noone nogroup 5736 Mar 24 18:38 backup.txt
-rwxrwxrwx 1 noone nogroup 5736 Mar 24 18:38 backup1.txt
sftp-client> dir -a test
yourtest
backup.txt
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 319
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
backup1.txt
sftp-client> ls test
-rwxrwxrwx 1 noone nogroup 0 Mar 24 00:04 yourtest
-rwxrwxrwx 1 noone nogroup 5736 Mar 24 18:38 backup.txt
-rwxrwxrwx 1 noone nogroup 5736 Mar 24 18:38 backup1.txt
sftp-client> ls -a test
yourtest
backup.txt
backup1.txt
3.7.20 disconnect
Function
The disconnect command terminates the connection with the remote FTP server
and displays the FTP client view.
Format
disconnect
Parameters
None
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
This command is equivalent to the close command.
You can run the bye and quit commands to terminate the connection with the
remote FTP server and enter the user view.
To enter the user view from the FTP client view, you can run the bye or quit
command.
Example
# Terminate the connection with the remote FTP server and enter the FTP client
view.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):switch
331 Password required for switch.
Enter password:
230 User logged in.
[ftp] disconnect
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 320
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
221 Server closing.
[ftp]
3.7.21 display ftp client
Function
The display ftp client command displays the source IP address configured for the
FTP client.
Format
display ftp client
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
The default source IP address 0.0.0.0 is used if ftp client source is not configured.
Example
# Display the source IP address of the FTP client.
<HUAWEI> display ftp client
SrcIPv4Addr : 10.18.26.233
Table 3-44 Description of the display ftp client command output
Item Description
SrcIPv4Addr IPv4 address of an FTP client.
You can run the ftp client source
command to change the IPv4 address
of the FTP client.
If the IP address is configured for the
source port, the message "Interface
Name" is displayed.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 321
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3.7.22 display ftp server
Function
The display ftp server command displays FTP server parameter settings.
Format
display ftp server
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
You can run this command to display FTP server parameter settings.
Example
# Display FTP server parameter settings.
<HUAWEI> display ftp server
Server state : Disabled
IPv6 server state : Disabled
Timeout value (mins) : 10
IPv6 Timeout value (mins) : 10
Listen port : 21
IPv6 listen port : 21
ACL name :
IPv6 ACL name :
ACL number :
IPv6 ACL number :
Current user count :0
Max user number : 15
Source IPv4 address : 0.0.0.0
Source IPv6 Address : ::
Source IPv6 VpnName :
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 322
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Table 3-45 Description of the display ftp server command output
Parameter Description
Server state FTP server status.
● Enabled
● Disabled
By default, the FTP server is disabled.
You can run the ftp server enable command to start the FTP
server.
IPv6 server FTP IPv6 server status.
state ● Enabled
● Disabled
By default, the FTP IPv6 server is disabled.
You can run the ftp ipv6 server enable command to start the
FTP server.
Timeout value Idle timeout duration of FTP users.
(mins) The default idle timeout duration is 30 minutes.
You can run the ftp server timeout command to set the idle
timeout duration of FTP users.
IPv6 Timeout Idle timeout duration of FTP users.
value (mins) The default idle timeout duration is 30 minutes.
You can run the ftp ipv6 server timeout command to set the
idle timeout duration of FTP users.
Listen Port Number of the listening port on the FTP server.
The default value is 21.
If the value is not 21, you can run the ftp server port
command to configure the listening port number.
IPv6 listen Number of the listening port on the FTP IPv6 server.
port The default value is 21.
If the value is not 21, you can run the ftp ipv6 server port
command to configure the listening port number.
ACL name Name of the ACL for the IPv4 address.
If no ALC is configured, the ACL name is unavailable. You can
run the ftp server acl acl-name command to change the ACL
name.
IPv6 ACL Name of the ACL for the IPv6 address.
name If no ALC is configured, the ACL name is unavailable. You can
run the ftp ipv6 server acl acl-name command to change the
ACL name.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 323
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description
ACL number ACL number.
If no ALC is configured, the ACL number is unavailable. You can
run the ftp server acl acl-number command to change the ACL
number.
IPv6 ACL ACL6 number.
number If no ALC is configured, the ACL number is unavailable. You can
run the ftp ipv6 server acl acl-number command to change
the ACL6 number.
Current user Number of current users who has logged in to the FTP server.
count
Max user Maximum number of users allowed to log in to the FTP server.
number The default value is 15.
Source IPv4 Source IPv4 address.
address The default source IPv4 address is 0.0.0.0.
You can run the ftp server source -a command to configure
the source IPv4 address.
Source IPv6 Source IPv6 address.
Address The default source IPv6 address is 0.0.0.0.
You can run the ftp ipv6 server source -a ipv6-address
command to configure the source IPv6 address.
Source IPv6 Name of the source IPv6 VPN instance.
VpnName You can run the ftp ipv6 server source -a -vpn-instance vpn-
instance-name command to configure the name of the source
IPv6 VPN instance.
3.7.23 display ftp server ip auth-fail information
Function
The display ftp server ip auth-fail information command displays the
information of the FTP auth–failed IP addresses of user.
Format
display ftp server ip auth-fail information
Parameters
None
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 324
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Views
All view
Default Level
3: Management level
Task Name and Operations
Task Name Operations
ftp-server read
Usage Guidelines
The display ftp server ip auth-fail information command displays the
information of the FTP auth–failed IP addresses. The command output includes
the names of VPN instances to which the IP addresses belong, IP address status,
numbers of authentication failures, and the IP addresses that fails to pass FTP
authentication will not be adopted to make invalid authentication.
Example
# Display information about the IP addresses of all the clients that fail to pass FTP
authentication.
<HUAWEI> display ftp server ip auth-fail information
------------------------------------------------------------------------------------------------------------------------------
--
IP Address VPN Name First Time Auth-fail Auth-fail Count
------------------------------------------------------------------------------------------------------------------------------
--
10.0.0.1 _public_ 2016-09-05 11:19:28 1
------------------------------------------------------------------------------------------------------------------------------
--
Table 3-46 Description of the display ftp server ip-block all command output
Item Description
IP Address Locked client IP address
VPN Name Name of a VPN instance to which a locked
client IP address belongs
First Time Auth-fail Time when the first authentication fails
Auth-fail Count Number of consecutive client authentication
failures in the latest authentication period
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 325
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3.7.24 display ftp server ip-block list
Function
The display ftp server ip-block list command displays information about client IP
addresses that are locked because of FTP authentication failures.
Format
display ftp server ip-block list
Parameters
None
Views
All views
Default Level
3: Management level
Task Name and Operations
Task Name Operations
ftp-server read
Usage Guidelines
To check information about client IP addresses that are locked because of FTP
authentication failures, run the display ftp server ip-block list command. The
command output includes the names of VPN instances to which the locked client
IP addresses belong and the remaining locking period.
Example
# Display information about client IP addresses that are locked because of FTP
authentication failures.
<HUAWEI> display ftp server ip-block list
----------------------------------------------------------------------------------------------------------
IP Address VPN Name UnBlock Interval (Seconds)
----------------------------------------------------------------------------------------------------------
10.0.0.1 _public_ 294
----------------------------------------------------------------------------------------------------------
Table 3-47 Description of the display ftp server ip-block list command output
Item Description
IP Address Locked client IP address
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 326
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Item Description
VPN Name Name of a VPN instance to which a locked
client IP address belongs
UnBlock Interval(Seconds) Remaining locking period, in seconds
3.7.25 display ftp server users
Function
The display ftp server users command displays FTP user parameters on the FTP
server.
Format
display ftp server users
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
You can check FTP user parameters on the FTP server, such as the FTP user name,
IP address of the client host, port number, idle duration, and the authorized
directories.
Example
# Display FTP user parameters.
<HUAWEI> display ftp server users
User Name : root
Host Address : 10.18.26.139
Control Port : 20465
Idle Time (mins) : 1
Root Directory : flash:
Table 3-48 Description of the display ftp-users command output
Item Description
User Name FTP user name.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 327
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Item Description
Host Address IP address of the client host.
Control Port Port number of the client host.
Idle Time (mins) Idle duration.
Root Directory Authorized directory of a user.
You can run the local-user ftp-directory command to
configure the authorized directory.
3.7.26 display scp client
Function
The display scp client command displays source parameters of the current SCP
client.
Format
display scp client
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
You can run the display scp client command to check source parameters of the
SCP client.
Example
# Display source parameters of the SCP client.
<HUAWEI> display scp client
The source address of SCP client is 10.1.1.1.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 328
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Table 3-49 Description of the display scp client command output
Item Description
The source address of SCP client is The source address of the SCPclient. By
10.1.1.1. default, the source address of the SCP
client is 0.0.0.0.
3.7.27 display sftp client
Function
The display sftp client command displays the source IP address configured for the
SFTP client.
Format
display sftp client
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
You can run the display sftp client command to display the source IP address of
the SFTP client. The default source IP address 0.0.0.0 is used if sftp client-source
is not configured.
Example
# Display the source IP address configured for the SFTP client.
<HUAWEI> display sftp client
The source address of SFTP client is 10.1.1.1.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 329
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Table 3-50 Description of the display sftp client command output
Item Description
The source address of SFTP client is 10.1.1.1 is the source IP address of the
10.1.1.1. SFTP client.
You can run the sftp client-source
command to configure the source IP
address for the SFTP client.
If an IP address has been configured
for the source port, the message "The
source interface of SFTP client is
LoopBack0" is displayed.
3.7.28 display tftp client
Function
The display tftp client command displays the source IP address configured for the
TFTP client.
Format
display tftp client
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
You can run the display tftp client command to query source IP address of the
TFTP client. The default source IP address is 0.0.0.0 if tftp client source is not
configured.
Example
# Display the source IP address configured for the TFTP client.
<HUAWEI> display tftp client
--------------------------------------------------------------------------------
ACL name :
ACL number :
IPv6 ACL name :
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 330
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
IPv6 ACL number :
Source IPv4 address : 0.0.0.0
--------------------------------------------------------------------------------
Table 3-51 Description of the display tftp client command output
Item Description
ACL name Name of the ACL that specifies the IPv4
address the TFTP client can access.
ACL number Number of the ACL that specifies the IPv4
address the TFTP client can access.
IPv6 ACL name Name of the ACL that specifies the IPv6
address the TFTP client can access.
IPv6 ACL number Number of the ACL that specifies the IPv6
address the TFTP client can access.
Source IPv4 address Source IPv4 address of the TFTP client.
The source IPv4 address is configured using the
tftp client source -a source-ip-address
command.
Interface Name Source interface of the TFTP client.
The source interface is configured using the
tftp client source -i interface-type interface-
number command. This field is displayed only
when the source interface is configured using
this command.
3.7.29 execute
Function
The execute command executes a specified batch file or VRP Shell Languages
(VSL) script.
Format
execute batch-filename [ parameter&<1-8> ]
Parameters
Parameter Description Value
batch- The name and path of a batch file must
Specifies the name
filename already exist. If the batch file to be
and path of a batch
processed is in the current directory; you
file.
can only input the name of a batch file.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 331
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
parameter Specifies a VSL The value is a string of 1 to 32 case-
parameter. sensitive characters.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The commands in a batch file are run one by one. A batch file cannot contain any
invisible character. If an invisible character is detected, the execute command exits
from the current process and no rollback is performed.
NOTE
Whether a character is invisible is determined based on the ASCII character table.
Characters whose ASCII character value ranges from 32 to 126 are visible (the ASCII
character value 32 indicates spaces). Other characters are invisible.
The execute command does not ensure that all commands can be run. The
execute command is not hot backed up, and no restriction is on the format or
contents of the command.
Running the execute command functions the same as running the commands one
by one manually.
Precautions
● The commands in a batch file are run one by one. A batch file cannot contain
invisible characters (control characters or escape characters, such as \r, \n, and
\b). If any invisible character is detected, the execute command exits from the
current process and no rollback is performed.
● The execute command does not ensure that all commands can be run. If the
system runs a wrong or immature command, it displays the error and goes to
next command. The execute command does not perform the hot backup
operation, and the command format or content is not restricted.
● When a .bat file is a VSL script, the execute command configures services
automatically and commands in the batch file as well as performs
configurations for services specified by parameter at a time.
Example
# Execute the test.bat file in the directory flash:/. The test.bat file contains four
commands: system-view, aaa, local-user switch password irreversible-cipher
Helloworld@6789, and commit.
<HUAWEI> system-view
[~HUAWEI] execute test.bat
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 332
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
[*HUAWEI] system-view
^
Error: Unrecognized command found at '^' position.
[*HUAWEI] aaa
[*HUAWEI-aaa] local-user switch password irreversible-cipher Helloworld@6789
[*HUAWEI-aaa] commit
[~HUAWEI-aaa]
When the system runs the first command system-view in current system view, it
displays an error and continues to run the following commands.
The system displays the execution of a batch file in AAA view.
[~HUAWEI-aaa] display this
local-user switch password irreversible-cipher $1c$g8wLJ`LjL!$CyE(V{3qg5DdU:PM[6=6O
$UF-.fQ,Q}>^)OBzgoU$
3.7.30 ftp
Function
The ftp command connects the FTP client to the FTP server and enters the FTP
client view.
Format
# Connect the FTP client to the FTP server based on the IPv4 address.
ftp [ [ -a source-ip-address | -i interface-type interface-number ] host-ip [ port-
number ] [ public-net | vpn-instance vpn-instance-name ] ]
# Connect the FTP client to the FTP server based on the IPv6 address.
ftp ipv6 host-ipv6 [ public-net | vpn-instance vpn-instance-name ] [ port-number
| -oi interface-type interface-name ]
Parameters
Parameter Description Value
-a source-ip- Specifies the source IP address for The value is in dotted
address connecting to the FTP client. You are decimal notation.
advised to use a loopback interface IP
address as the source IP address.
-i interface- Specifies the source interface type and -
type interface- ID. You are advised to use a loopback
number interface as the source interface.
The IP address configured for this
interface is the source IP address for
sending packets. If no IP address is
configured for the source interface,
the FTP connection cannot be set up.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 333
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
host-ip Specifies the IP address or host name The value is in dotted
of the remote IPv4 FTP server. decimal notation.
NOTE
You can run the display dns dynamic-
host or display ip host command to view
the mapping between the IP address and
host name.
port-number Specifies the port number of the FTP The value is an integer
server. that ranges from 1 to
65535. The default
value is the standard
port number 21.
public-net Specifies the FTP server on the public -
network.
You must set the public-net
parameter when the FTP server IP
address is a public network IP address.
vpn-instance Specifies the name of the VPN The value is a string of
vpn-instance- instance where the FTP server is 1 to 31 case-sensitive
name located. characters except
spaces. When double
quotation marks are
used to include the
string, spaces are
allowed in the string.
The value _public_ is
reserved and cannot be
used as the VPN
instance name.
host-ipv6 Specifies the IP address of the remote The value is a 32-digit
IPv6 FTP server. hexadecimal number, in
the format
X:X:X:X:X:X:X:X.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 334
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
-oi interface- Specifies the source interface for the -
type interface- IPv6 FTP client, including the type and
name number of the interface. The IPv6
address configured in this interface
view is the source IPv6 address of the
packet. If no IPv6 address is
configured for the source interface,
the FTP connection cannot be set up.
Setting the loopback interface as the
source IPv6 address is recommended.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Before accessing the FTP server on the FTP client, you must first run the ftp
command to connect the FTP client to the FTP server.
On an IPv4 network, the source IP address specified using the ftp command takes
precedence over that specified using the ftp client-source command. If the ftp
command is run after a source IP address has been specified using the ftp client-
source command, the source IP address specified using the ftp command is used
for communication.
The source IP address specified using the ftp client-source command applies to all
FTP connections; the source IP address specified using the ftp command applies
only to the current FTP connection.
Prerequisites
An FTP connection can establish if the following conditions are met:
● FTP server function on a device is enabled by executing the ftp server enable
command on the FTP server to allow FTP users to log in.
● There are reachable routes between the FTP server and FTP client.
Precautions
● You can set the source IP address to the source or destination IP address in
the ACL rule when the -a or -i parameter is specified on the IPv4 network.
This shields the IP address differences and interface status impact, filters
incoming and outgoing packets, and implements security authentication.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 335
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
● You can run the set net-manager vpn-instance command to configure the
NMS management VPN instance before running the open command to
connect the FTP client and server.
– If public-net or vpn-instance is not specified, the FTP client accesses the
FTP server in the VPN instance managed by the NMS.
– If public-net is specified, the FTP client accesses the FTP server on the
public network.
– If vpn-instance vpn-instance-name is specified, the FTP client accesses
the FTP server in a specified VPN instance.
● If no parameter is set in the ftp command, only the FTP view is displayed, and
no connection is set up between the FTP server and client.
● If the port number that the FTP server uses is non-standard, you must specify
a standard port number; otherwise, the FTP server and client cannot be
connected.
● When you run the ftp command, the system prompts you to enter the user
name and password for logging in to the FTP server. You can log in to the FTP
server if the user name and password are correct.
● If the number of login users exceeds the maximum value that the FTP server
allows, other authorized users cannot log in to the FTP server. To allow news
authorized users to log in to the FTP server, users who have performed FTP
services must disconnect their clients from the FTP server. You can run the bye
or quit command to disconnect the FTP client from the FTP server and return
to the user view, or run the close or disconnect command to disconnect the
FTP client from the FTP server and retain in the FTP client view.
Example
# Connect to the FTP server whose IP address is 10.137.217.201.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):switch
331 Password required for switch.
Enter password:
230 User logged in.
[ftp]
# Establish FTP connection with a remote server with source IP address.
<HUAWEI> system-view
[~HUAWEI] interface LoopBack 0
[*HUAWEI-LoopBack0] ip address 1.1.1.1 24
[*HUAWEI-LoopBack0] commit
[~HUAWEI-LoopBack0] quit
[~HUAWEI] ftp client source -a 1.1.1.1
[*HUAWEI] commit
[~HUAWEI] quit
<HUAWEI> ftp -a 1.1.1.1 1.1.1.1 10000
Trying 1.1.1.1 ...
Press CTRL + K to abort
Connected to 1.1.1.1.
220 VRPV8 FTP service ready.
User(1.1.1.1:(none)):root
331 Password required for root.
Password:
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 336
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
230 User logged in.
[ftp]
# Connect to the remote IPv6 FTP server whose address is 2001:db8:1::1.
<HUAWEI> ftp ipv6 2001:db8:1::1
Trying 2001:db8:1::1
Press CTRL + K to abort
Connected to ftp 2001:db8:1::1
220 FTP service ready.
User(2001:db8:1::1:(none)):huawei
331 Password required for huawei
Enter Password:
230 User logged in.
[ftp]
3.7.31 ftp client source
Function
The ftp client source command specifies the source IP address used by the FTP
client to send packets.
The undo ftp client source command restores the default source IP address used
by the FTP client to send packets.
The default source IP address used by the FTP client to send packets is 0.0.0.0.
Format
ftp client source { -a source-ip-address | -i interface-type interface-number }
undo ftp client source
Parameters
Parameter Description Value
-a source-ip- Specifies the source IP address. You are The value is
address advised to use a loopback interface IP in dotted
address as the source IP address. decimal
notation.
-i interface-type Specifies the source interface, including the -
interface-number interface type and number. You are advised
to use a loopback interface as the source
interface.
The IP address configured for the source
interface is the source IP address for sending
packets. If no IP address is configured for the
source interface, the FTP connection cannot
be set up.
Views
System view
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 337
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If no source IP address is specified, the client uses the source IP address that the
router specifies to send packets. The source IP address must be configured for an
interface with stable performance. The loopback interface is recommended. Using
the loopback interface as the source interface simplifies the ACL rule and security
policy configuration. This shields the IP address differences and interface status
impact, filters incoming and outgoing packets, and implements security
authentication.
Precautions
● You can also run the ftp command to configure the source IP address whose
priority is higher than that of the source IP address specified by the ftp client
source command. If the ftp command is run after a source IP address has
been specified using the ftp client-source command, the source IP address
specified using the ftp command is used for communication. The source
address specified in the ftp client source command applies to all FTP
connections; the source address specified in the ftp command applies only to
the current FTP connection.
● The IP address that a user displays on the FTP server is the specified source IP
address or source interface IP address.
● After the bound source interface is deleted, the interface configuration in the
ssh server-source command will not be deleted and does not take effect.
After the source interface with the same name is reconfigured, the function
will be restored.
● This command takes effect only in IPv4.
● If the specified source interface has been bound to a VPN instance, the client
is automatically bound to the same VPN instance.
Example
# Set the source IP address of the FTP client to 10.1.1.1.
<HUAWEI> system-view
[~HUAWEI] ftp client source -a 10.1.1.1
3.7.32 ftp get/put
Function
The ftp get/put command uploads a source file to the FTP server or downloads a
source file from the FTP server to a host.
Format
# IPv4 address
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 338
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
ftp { put | get } [ -a source-ip-address | -i interface-type interface-number ] host-
ip host-ip [ port portnumber ] [ public-net | vpn-instance vpn-instance-name ]
username username sourcefile local-filename [ destination remote-filename ]
# IPv6 address
ftp { put | get } ipv6 host-ip host-ipv6 [ public-net | vpn-instance vpn-instance-
name ] [ port portnumber ] username username sourcefile local-filename
[ destination remote-filename ]
Parameters
Parameter Description Value
-a source-ip- Specifies the IP address for The value is in dotted
address establishing the FTP decimal notation.
connection.
-i interface-type Specifies the interface for -
interface-number establishing the FTP
connection.
host-ip host-ip Specifies the IPv4 address or The value is in dotted
host name of the FTP server. decimal notation.
NOTE
You can run the display dns
dynamic-host or display ip host
command to view the mapping
between the IP address and host
name.
host-ip host-ipv6 Specifies the IPv6 address or The value is a 32-digit
host name of the FTP server. hexadecimal number, in the
format X:X:X:X:X:X:X:X.
NOTE
You can run the display dns
dynamic-host or display ip host
command to view the mapping
between the IP address and host
name.
put Saves local files to the FTP -
server.
get Saves the files on the FTP -
server to the local host.
port portnumber Specifies the port number of The value is an integer that
the FTP server. ranges from 1 to 65535.
The default value is 21.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 339
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
vpn-instance vpn- Specifies the name of a VPN The VPN must already exist.
instance-name instance.
username Specifies a user name. The value is a string of 1 to
username 255 case-insensitive
characters that can contain
letters, digits, and special
characters.
sourcefile local- Specifies the name of the The value is a string of 1 to
filename source file to be uploaded or 128 characters, which can
downloaded. contain digits, letters, and
special characters.
destination Specifies the name of the The value is a string of 1 to
remote-filename destination file to be uploaded 128 characters, which can
or downloaded. contain digits, letters, and
special characters.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If the device only needs to upload files to or download files from the FTP server,
you can use this command to complete a file transfer at one time.
Prerequisites
Ensure that the VPN has been configured when you specify vpn-instance vpn-
instance-name in the command.
Precautions
● After this command is executed, the device (FTP client) establishes a
connection with the FTP server before starting the file transfer.
● If the server monitors the FTP connection through the default port, you need
not specify the port number. Otherwise, specify the port number.
● This command does not support resumable upload or download. If the upload
or download process is interrupted due to a fault, the previously generated
file (which includes only part of the source file) will be replaced by a new file
after the fault is rectified and the upload or download process resumes.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 340
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Example
# Upload the source file sample.txt to the FTP server.
<HUAWEI> ftp put -a 10.1.1.10 host-ip 10.1.1.1 username switch sourcefile sample.txt
Trying 10.1.1.1 ...
Press CTRL + K to abort
Connected to 10.1.1.1.
220 FTP service ready.
331 Password required for switch.
Enter password:
200 Type set to I.
200 Port command okay.
150 Opening BINARY mode data connection for /sample.txt.
/ 100% [***********]
226 Transfer complete.
FTP: 4860 byte(s) send in 0.134 second(s) 35.417Kbyte(s)/sec.
# Upload the source file sample.txt to the FTP server 10.1.1.1 through an
interface.
<HUAWEI> ftp put -i 10ge 1/0/1 host-ip 10.1.1.1 username switch sourcefile sample.txt
Trying 10.1.1.1 ...
Press CTRL + K to abort
Connected to 10.1.1.1.
220 FTP service ready.
331 Password required for switch.
Enter password:
200 Type set to I.
200 Port command okay.
150 Opening BINARY mode data connection for /sample.txt.
/ 100% [***********]
226 Transfer complete.
FTP: 4860 byte(s) send in 0.134 second(s) 35.417Kbyte(s)/sec.
3.7.33 ftp server acl
Function
The ftp server acl command specifies an ACL number or ACL name for the
current FTP server so that the FTP client with the same ACL number or ACL name
can access the FTP server.
The undo ftp server acl command deletes an ACL number or ACL name of the
current FTP server.
By default, no ACL is configured for FTP server.
Format
ftp [ ipv6 ] server acl { acl-number | acl-name }
undo ftp [ ipv6 ] server acl
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 341
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Value
ipv6 Specifies the IPv6 FTP -
server.
acl-number Specifies the number of The value is an integer that ranges from
the ACL. 2000 to 3999.
acl-name Specifies the ACL name. The value is a string of 1 to 32 case-
sensitive characters except spaces. The
value must start with a letter or digit,
and cannot contain only digits.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To ensure the security of an FTP server, you need to configure an ACL for it to
specify FTP clients that can access the current FTP server.
Precautions
If no rule is configured, the incoming and outgoing calls are not restricted after
the command ftp server acl is run.
The ftp server acl command takes effect only after you run the rule command to
configure the ACL rule.
The command ftp server acl { acl-number | acl-name } only takes effect for ipv4
client.
Example
# Allow the client whose ACL number is 2000 to log in to the FTP server.
<HUAWEI> system-view
[~HUAWEI] acl 2000
[*HUAWEI-acl4-basic-2000] rule permit source 10.10.10.1 0
[*HUAWEI-acl4-basic-2000] quit
[*HUAWEI] ftp server acl 2000
3.7.34 ftp server default-directory
Function
The ftp server default-directory command configures the default FTP working
directory.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 342
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
The undo ftp server default-directory command disables the default FTP
working directory.
By default, no default FTP working directory is configured.
Format
ftp server default-directory directory
undo ftp server default-directory
Parameters
Parameter Description Value
directory Specify the default The value is a string of 1 to 255 case-sensitive
FTP working characters without spaces. When double
directory. quotation marks are used around the string,
spaces are allowed in the string.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run the set default ftp-directory command to configure a default FTP
working directory for all FTP users at one time.
The command takes effect for both ipv4 and ipv6 users.
Precautions
● The ftp server default-directory command takes effect only when the device
functions as an FTP server and the user function as an FTP client.
● You can run the local-user ftp-directory command to configure an
authorized working directory for a local user.
● If you have configured the FTP working directory by running the local-user
ftp-directory command, you must use this FTP working directory.
● You can run the lcd command to view the working directory of FTP users.
● If no FTP working directory is specified on the device, FTP users cannot log in
to the device, and are prompted that the working directory is unauthorized.
Example
# Set the default FTP working directory to flash:/.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 343
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
<HUAWEI> system-view
[~HUAWEI] ftp server default-directory flash:/
3.7.35 ftp server enable
Function
The ftp server enable command enables the FTP server function to allow FTP
users to log in to the FTP server.
The undo ftp server command disables the FTP server function so that FTP users
cannot log in to the FTP server.
By default, the FTP function is disabled.
Format
ftp [ ipv6 ] server enable
undo ftp [ ipv6 ] server [ enable ]
Parameters
Parameter Description Value
ipv6 Specifies the IPv6 FTP server. -
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To manage FTP server files on a client, you must run the ftp server enable
command to enable the FTP server function to allow FTP users to log in to the
FTP server.
Precautions
If the FTP server function is disabled, no user can log in to the FTP server, and
users who have logged in to the FTP server cannot perform any operation except
logout.
The ftp server enable command can enable IPv4 function. However, the ftp ipv6
server enable command enables only the IPv6 function.
NOTICE
The FTP protocol compromises device security. SFTP V2 mode is recommended.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 344
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Example
# Enable the FTP server function.
<HUAWEI> system-view
[~HUAWEI] ftp server enable
3.7.36 ftp server ip-block disable
Function
The ftp server ip-block disable command disables an FTP server from locking
client ipv4 and ipv6 addresses.
The undo ftp server ip-block disable command enables an FTP server to lock
client ipv4 and ipv6 addresses.
By default, an FTP server is enabled to lock client ipv4 and ipv6 addresses.
Format
ftp server ip-block disable
undo ftp server ip-block disable
Parameters
None
Views
System view
Default Level
3: Management level
Task Name and Operations
Task Name Operations
ftp-server write
Usage Guidelines
If an FTP server is enabled to lock client ipv4 and ipv6 addresses, a client IP
address is locked when the number of FTP authentication failures reaches the
upper limit in a specific period of time. Client IP addresses being locked fail the
authentication and are displayed in the display ftp server ip-block list command
output.
If an FTP server is disabled from locking client IP addresses, the display ftp server
ip-block list command does not display any client IP address that is locked
because of authentication failures.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 345
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
IP addresses being locked are unlocked immediately after the FTP server is
disabled from locking client IP addresses.
You are advised to enable the FTP server to lock client IP addresses to ensure
security.
Example
# Disable an FTP server from locking client IP addresses.
<HUAWEI> system-view
[~HUAWEI] ftp server ip-block disable
# Enable an FTP server to lock client IP addresses.
<HUAWEI> system-view
[~HUAWEI] undo ftp server ip-block disable
3.7.37 ftp server ip-block failed-times
Function
The ftp server ip-block failed-times command sets the maximum number of
consecutive FTP authentication failures within a specified period. If the number is
reached, the system locks out the IP address of user.
The undo ftp server ip-block failed-times command restores the maximum
number of consecutive FTP authentication failures and the period in which
consecutive authentication failures are counted to default values.
By default, the maximum number of consecutive FTP authentication failures
before the IP address of user lockout is 6, and the period is 5 minutes.
Format
ftp server ip-block failed-times failed-times period period
undo ftp server ip-block failed-times failed-times period period
Parameters
Parameter Description Value
failed-times Specifies the maximum number of The value is an integer
consecutive FTP authentication ranging from 1 to 10.
failures before the IP address of user
lockout.
period period Specifies a period in which The value is an integer
consecutive FTP authentication ranging from 1 to 120, in
failures are counted. minutes.
Views
System view
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 346
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Default Level
3: Management level
Task Name and Operations
Task Name Operations
ftp-server write
Usage Guidelines
To set the maximum number of consecutive authentication failures within a
specified period, run the ftp server ip-block failed-times command. If the
number is reached, the system locks out the IP address of user, which prevents the
user from accessing the device through FTP. The system automatically unlocks the
IP address of user until the unlocking period expires. This improves device security.
To manually unlock the IP address of user, run the activate ftp server ip-block ip-
address command.
Example
# Set the maximum number of consecutive authentication failures before the IP
address of user lockout to 3 and the period in which consecutive FTP
authentication failures are counted to 6 minutes.
<HUAWEI> system-view
[~HUAWEI] ftp server ip-block failed-times 3 period 6
3.7.38 ftp server ip-block reactive
Function
The ftp server ip-block reactive command sets a period after which the system
automatically unlocks an ipv4 and ipv6 address of user.
The undo ftp server ip-block reactive command restores the default period.
By default, the period is 5 minutes.
Format
ftp server ip-block reactive reactive-period
undo ftp server ip-block reactive [ reactive-period ]
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 347
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Value
reactive-period Specifies a period after which the The value is an integer
system automatically unlocks an IP ranging from 1 to 1000, in
address of user. minute.
Views
System view
Default Level
3: Management level
Task Name and Operations
Task Name Operations
ftp-server write
Usage Guidelines
To set a period after which the system automatically unlocks an IP address of user,
run the ftp server ip-block reactive command. A locked IP address of user cannot
access the device through FTP. The system automatically unlocks the IP address of
user until the unlocking period expires. This improves device security.
To manually unlock the IP address of user, run the activate ftp server ip-block ip-
address command.
Example
# Set the period after which the system automatically unlocks the IP address of
user to 50 minutes.
<HUAWEI> system-view
[~HUAWEI] ftp server ip-block reactive 50
3.7.39 ftp server port
Function
The ftp server port command specifies the listening port number of the FTP
server.
The undo ftp server port command restores the default value of the listening
port number.
The default value is 21.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 348
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Format
ftp [ ipv6 ] server port port-number
undo ftp [ ipv6 ] server port
Parameters
Parameter Description Value
ipv6 Specifies the IPv6 FTP server. -
port port-number Specifies the listening port The value is 21 or an
number of the FTP server. integer that ranges from
1025 to 65535.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
By default, the listening port number of the FTP server is 21. Attackers may
frequently access the default listening port, which wastes bandwidth, deteriorates
server performance, and prevents authorized users from accessing the FTP server
through the listening port. You can run the ftp [ ipv6 ] server port command to
specify another listening port number to prevent attackers from accessing the
listening port.
The command ftp server port port-number sets the FTP server ipv4 listen port.
Prerequisites
Before running the ftp [ ipv6 ] server port command to specify the listening port
number, you must first run the undo ftp server command to disable FTP services.
Precautions
● After the listening port number is changed, the FTP server disconnects all FTP
connections and uses the new listening port.
● If the current listening port number is 21, FTP client users do not need to
specify the port number for logging in to the FTP server. If the current
listening port number is not 21, FTP client users must use the FTP server's
listening port number to log in to the FTP server.
● After the listening port number is changed, you must run the ftp server
enable command to enable FTP services to make the configuration take
effect.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 349
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Example
# Change the port number of the FTP server to 1028.
<HUAWEI> system-view
[~HUAWEI] undo ftp server
[*HUAWEI] ftp server port 1028
3.7.40 ftp server source
Function
The ftp server source command sets the specific source IP address of the FTP
server to establish the connection, including the source IP address and source
interface.
The undo ftp server source command cancels the configuration of FTP server
source configuration.
By default, the source IP address and source interface of the FTP server are not
specified, and the source IP address for the FTP server to send packets is 0.0.0.0.
The IPv6 source address of packet sent by the FTP server is ::.
Format
ftp server source { -a source-ip-address | -i interface-type interface-number }
undo ftp server source { -a ip-address | -i interface-type interface-number }
ftp server source all-interface
undo ftp server source all-interface
ftp ipv6 server source -a ipv6-address [ -vpn-instance vpn-instance-name ]
undo ftp ipv6 server source -a ipv6-address [ -vpn-instance vpn-instance-name ]
ftp ipv6 server source all-interface
undo ftp ipv6 server source all-interface
Parameters
Parameter Description Value
-a source-ip- Specifies the source IP address The value is in dotted
address for the FTP server to send decimal notation.
packets. The loopback IP
address is recommended.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 350
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
-i interface-typeSpecifies the loopback interface -
interface-number of the FTP server as the source
interface.
The primary IP address of the
source interface is the source IP
address for sending packets. If
no IP address is configured for
the source IP address, the FTP
connection cannot be set up.
ipv6 Specifies the FTP IPv6 server. -
-a ipv6-address Specifies the source IPv6 The value consists of 128
address. octets, which are classified
into 8 groups. Each group
contains 4 hexadecimal
numbers in the format
X:X:X:X:X:X:X:X.
-vpn-instance Specifies the VPN. The value is a string of 1 to
vpn-instance- 31 case-sensitive characters
name except spaces. When double
quotation marks are used to
include the string, spaces
are allowed in the string.
The value _public_ is
reserved and cannot be
used as the VPN instance
name.
all-interface Indicates that any interface -
having an IP address configured
can be used as the source
interface of an FTP server.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
After a restart with non-base configuration, an FTP server receives login requests
from all interfaces and addresses, leading to low system security. To improve
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 351
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
system security, you can run the ftp server source command to specify a source
interface or source IPv6 address for the FTP server so that only authorized users
can log in to the FTP server.
● If the ftp server source { -a | -i } or ftp ipv6 server source -a command is
run and the ftp server source all-interface or ftp ipv6 server source all-
interface command is not, the specified interface is used as the source
interface, or the specified IPv6 address is used as the source IPv6 address.
● If the ftp server source all-interface or ftp ipv6 server source all-interface
command is run and the ftp server source { -a | -i } or ftp ipv6 server source
-a command is not, any valid interface on the device can be used as the
source interface, including any physical interface with an IP address
configured and any created logical interface with an IP address configured.
● If both the ftp server source { -a | -i } and ftp server source all-interface
commands are run, the interface specified in the ftp server source -i
command is preferentially used as the source interface of the FTP server.
● If both the ftp ipv6 server source -a and ftp ipv6 server source all-interface
commands are run, the interface whose IPv6 address is specified in the ftp
ipv6 server source -a command is preferentially used as the source interface
of the FTP server.
● The ftp server source { -a | -i } and ftp server source all-interface
commands take effect only in IPv4 scenarios.
● If no source interface is specified using the ftp server source command after
the system starts with base configuration, users cannot log in to the FTP
server.
Prerequisites
A loopback interface has been created if you want to specify it as the source
interface for an FTP server. Otherwise, the command cannot be executed.
A VPN instance has been created before you specify it for an FTP server.
Otherwise, the command cannot be executed.
Configuration Impact
If a source interface or source IPv6 address is specified for an FTP server, FTP users
can log in only through the specified source interface or source IPv6 address.
Precautions
● If a source interface or source IPv6 address is specified for an FTP server, FTP
users can log in only through the specified source interface or source IPv6
address. After a source interface or source IPv6 address is specified for an FTP
server, you need to restart the FTP service to activate the configuration.
● If the specified source interface is bound to a VPN instance, the VPN instance
is automatically bound to the FTP server. If the interface whose IPv6 address
is specified as the source IPv6 address is bound to a VPN instance, the -vpn-
instance parameter must be specified when you specify the IPv6 address for
the client.
● If the specified source interface is bound to a VPN instance (vpn1 for
example) and another VPN instance (vpn2 for example) is specified in the ftp
ipv6 server source -a ipv6-address [ -vpn-instance vpn-instance-name ]
command, vpn1 is used for IPv4 users, and vpn2 is used for IPv6 users.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 352
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
● If the VPN instance bound to the specified source interface is deleted, the VPN
configuration specified in the ftp ipv6 server source -a ipv6-address [ -vpn-
instance vpn-instance-name ] command is not cleared but does not take
effect. In this case, the FTP server uses the public network instance instead. If
the VPN instance with the same name as the deleted one is reconfigured, the
VPN function will be restored.
● If the specified source interface is deleted, the interface configuration in the
ftp server source command is not deleted but does not take effect. If the
source interface with the same name as the deleted one is reconfigured, the
function will be restored.
● For an IPv6 FTP server, you can run the ftp ipv6 server source -a ipv6-address
[ -vpn-instance vpn-instance-name ] command to configure a user to log in
to the server through a specified IPv6 source address.
● If the ftp server source all-interface command is run, users can log in to the
FTP server through any valid IPv4 interface, which increases system security
risks. Therefore, running this command is not recommended.
● If the ftp ipv6 server source all-interface command is run, users can log in
to the FTP server through any valid IPv6 interface address, which increases
system security risks. Therefore, running this command is not recommended.
Example
# Set the source IP address of the FTP server to Loopback0.
<HUAWEI> system-view
[~HUAWEI] ftp server source -i loopback0
Warning: To make the server source configuration take effect, the FTP server will be restarted. Continue? [Y/
N]: y
Info: Succeeded in setting the source interface of the FTP server to LoopBack0.
Info: Succeeded in starting the FTP server.
3.7.41 ftp server timeout
Function
The ftp server timeout command configures the idle timeout duration of the FTP
server.
The undo ftp server timeout command restores the default idle timeout duration.
By default, the idle timeout duration of the FTP server is 10 minutes.
Format
ftp [ ipv6 ] server timeout minutes
undo ftp [ ipv6 ] server timeout
Parameters
Parameter Description Value
ipv6 Specifies the IPv6 FTP server. -
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 353
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
minutes Specifies idle timeout duration. The value is an integer that ranges
from 1 to 35791, in minutes.
Views
System view
Default Level
3: Management level
Usage Guidelines
After a user logs in to the FTP server, a connection is set up between the FTP
server and the user's client. The idle timeout duration is configured to release the
connection when the connection is interrupted or when the user performs no
operation for a specified time.
The command ftp server timeout minutes only takes effect for ipv4 connection.
Example
# Set the idle timeout duration to 36 minutes.
<HUAWEI> system-view
[~HUAWEI] ftp server timeout 36
3.7.42 get (SFTP client view)
Function
The get command downloads a file from the SFTP server and saves the file to the
local device.
Format
get remote-filename [ local-filename ]
Parameters
Parameter Description Value
remote- Specifies the name of the file The value is a string of 1 to 128
filename to be downloaded from the case-sensitive characters without
SFTP server. spaces. The remote-filename
must already exist.
local-filename Specifies the name of a The value is a string of 1 to 128
downloaded file to be saved case-sensitive characters without
to the local device. spaces.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 354
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Views
SFTP client view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run the get command to download files from the FTP server to upgrade
devices.
Precautions
● If local-filename is not specified on the local device, the original file name is
used.
● If the name of the downloaded file is the same as that of an existing local
file, the system prompts you whether to overwrite the existing file.
Example
# Download a file from the SFTP server.
<HUAWEI> system-view
[~HUAWEI] sftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL+K to abort
Connected to 10.137.217.201 ...
Please input the username:admin
Enter password:
sftp-client> get test.txt
Remote file: / test.txt ---> Local file: test.txt
Downloading the file. Please wait.../
Downloading file successfully ended.
File download is completed in 1 seconds.
3.7.43 get (FTP client view)
Function
The get command downloads a file from the FTP server and saves the file to the
local device.
Format
get remote-filename [ local-filename ]
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 355
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Value
remote- Specifies the name of the file The value is a string of 1 to 128
filename to be downloaded from the case-sensitive characters without
FTP server. spaces. The remote-filename
must already exist.
local-filename Specifies the name of a The value is a string of 1 to 128
downloaded file to be saved case-sensitive characters without
to the local device. spaces.
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run the get command to download system software, backup
configuration files, and patch files from the FTP server to upgrade devices.
Precautions
● If the downloaded file name is not specified on the local device, the original
file name is used.
● If the name of the downloaded file is the same as that of an existing local
file, the system prompts you whether to overwrite the existing file.
Example
# Download the system software devicesoft.cc from the FTP server.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):switch
331 Password required for switch.
Enter password:
230 User logged in.
[ftp] get devicesoft.cc
Warning: The file may not transfer correctly in ASCII mode.
213 267329908
200 Port command successful
150 Opening data channel for file download from server of "/
devicesoft.cc"
/ 100% [***********]
226 Successfully transferred "/devicesoft.cc"
FTP: 267329908 byte(s) received in 114.362 second(s) 2290.035Kbyte(s)/sec.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 356
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3.7.44 help (SFTP client view)
Function
The help command displays the help information in the SFTP client view.
Format
help [ command-name ]
Parameters
Parameter Description Value
command-name Displays the format and The value is a string of 1 to
parameters of a specified 255 characters.
command in the SFTP client view.
Views
SFTP client view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run the help command to obtain the help information and display all
commands or a command format in the SFTP client view.
Precautions
If you specify no parameter when running the help command, all commands in
the SFTP client view are displayed.
Example
# Display the format of the command get.
<HUAWEI> system-view
[~HUAWEI] sftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL+K to abort
Connected to 10.137.217.201 ...
Please input the username:admin
Enter password:
sftp-client> help get
get Remote file name STRING<1-128> [Local file name STRING<1-128>] Download file
Default local file name is the same with remote file.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 357
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3.7.45 lcd
Function
The lcd command displays and changes the local working directory of the FTP
client in the FTP client view.
Format
lcd [ local-directory ]
Parameters
Parameter Description Value
local-directory Specifies the local working The value is a string of 1 to 128
directory of the FTP client. case-sensitive characters without
spaces.
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run the lcd command to display the local working directory of the FTP
client when uploading or downloading files, and set the upload or download path
to the path of the local working directory.
Precautions
The lcd command displays the local working directory of the FTP client, while the
pwd command displays the working directory of the FTP server. If you specify the
parameter local-directory in the lcd command, you can directly change the local
working directory in the FTP client view.
Example
# Change the local working directory to flash:/test.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):switch
331 Password required for switch.
Enter password:
230 User logged in.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 358
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
[ftp] lcd
The current local directory is flash:/.
[ftp] lcd flash:/test/
The current local directory is flash:/test/.
3.7.46 mget
Function
The mget command downloads multiple files from the remote FTP server to the
local device.
Format
mget remote-filenames
Parameters
Parameter Description Value
remote- Specifies multiple files to download The value is a string of 1
filenames to the local device. File names are to 254 characters.
separated using spaces, and the
wildcard (*) is supported.
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run the mget command to download multiple files at the same time.
Precautions
● The command cannot download all files in a directory or subdirectory.
● If the name of the downloaded file is the same as that of an existing local
file, the system prompts you whether to overwrite the existing file.
Example
# Download files 1.txt, 2.txt, and vrp221.cfg from the remote FTP server.
<HUAWEI> ftp 10.10.10.1
Trying 10.10.10.1 ...
Press CTRL+K to abort
Connected to 10.10.10.1.
220 FTP service ready.
User(10.10.10.1:(none)):switch
331 Password required for switch.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 359
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Enter password:
230 User logged in.
[ftp]mget 1.txt 2.txt vrp221.cfg
200 Port command okay.
150 Opening ASCII mode data connection for 1.txt.
226 Transfer complete.
FTP: 3885 byte(s) received in 0.174 second(s) 22.32Kbyte(s)/sec.
200 Port command okay.
150 Opening ASCII mode data connection for 2.txt.
226 Transfer complete.
FTP: 8721 byte(s) received in 0.179 second(s) 48.72Kbyte(s)/sec.
200 Port command okay.
150 Opening ASCII mode data connection for vrp221.cfg.
226 Transfer complete.
FTP: 6700 byte(s) received in 0.151 second(s) 44.37Kbyte(s)/sec.
[ftp]
3.7.47 mkdir (FTP client view)
Function
The mkdir command creates a directory on the remote FTP server.
Format
mkdir remote-directory
Parameters
Parameter Description Value
remote- Specifies the directory The value is a string of case-sensitive
directory to be created. characters without spaces. The
absolute path length ranges from 1 to
128.
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
● You can run the mkdir command to create a subdirectory in a specified
directory, and the subdirectory name must be unique.
● If no path is specified when you create a subdirectory, the subdirectory is
created in the current directory.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 360
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
● The created directory is stored on the FTP server.
Example
# Create a directory test on the remote FTP server.
<HUAWEI> ftp 172.16.104.110
Trying 172.16.104.110 ...
Press CTRL+K to abort
Connected to 172.16.104.110.
220 FTP service ready.
User(172.16.104.110:(none)):switch
331 Password required for switch
Enter password:
230 User logged in.
[ftp] mkdir test
257 "test" new directory created.
3.7.48 mkdir (SFTP client view)
Function
The mkdir command creates a directory on the remote SFTP server.
Format
mkdir remote-directory
Parameters
Parameter Description Value
remote- Specifies the directory The value is a string of case-sensitive
directory to be created. characters without spaces. The
absolute path length ranges from 1 to
128.
Views
SFTP client view
Default Level
3: Management level
Usage Guidelines
● You can run the mkdir command to create a subdirectory in a specified
directory, and the subdirectory name must be unique.
● If no path is specified when you create a subdirectory, the subdirectory is
created in the current directory.
● The created directory is stored on the SFTP server.
● After a directory is created, you can run the dir/ls (SFTP client view)
command to view the directory.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 361
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Example
# Create a directory on the SFTP server.
<HUAWEI> system-view
[~HUAWEI] sftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL+K to abort
Connected to 10.137.217.201 ...
Please input the username:admin
Enter password:
sftp-client> mkdir ssh
Info: Succeeded in creating a directory.
3.7.49 mkdir (User view)
Function
The mkdir command creates a directory in the current storage device.
Format
mkdir directory
Parameters
Parameter Description Settings
directory Specifies a directory or The value is a string of
directory and its path. case-sensitive characters
in the [ drive ] [ path ]
directory format. The
absolute path length
ranges from 1 to 255,
while the directory name
length ranges from 1 to
128. Up to 8 levels of
directories are supported.
In the preceding
parameter, drive
specifies the storage
device name, and path
specifies the directory
and subdirectory.
Characters such as ~, *, /,
\, :, ', " cannot be used in
the directory name.
Views
User view
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 362
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The following describes the drive name.
● drive is the storage device and is named as flash:.
● If devices are stacked, drive can be named as:
– flash: root directory of the flash memory of the master switch in the
stack.
– chassis ID#flash: root directory of the flash memory on a device in the
stack.
For example, slot2#flash: indicates the flash memory in slot 2.
The path can be an absolute path or relative path. A relative path can be
designated relative to either the root directory or the current working directory. A
relative path beginning with a slash (/) is a path relative to the root directory.
● flash:/my/test/ is an absolute path.
● /selftest/ is a path relative to the root directory and indicates the selftest
directory in the root directory.
● selftest/ is a path relative to the current working directory and indicates the
selftest directory in the current working directory.
If you only the subdirectory name is specified, a subdirectory is created in the
current working directory. You can run the pwd command to query the current
working directory. If the subdirectory name and directory path are specified, the
subdirectory is created in the specified directory.
Precautions
● The subdirectory name must be unique in a directory; otherwise, the message
"Error: Directory with same name already exists" is displayed.
● A maximum of eight directory levels are supported when you create a
directory.
Example
# Create the subdirectory new in the flash card.
<HUAWEI> mkdir flash:/new
Info: Create directory flash:/new......Done.
3.7.50 more
Function
The more command displays the content of a specified file.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 363
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Format
more filename [ offset ]
Parameters
Parameter Description Value
filename Specifies the An absolute path name is a string of 1 to 255
file name. characters. A relative path name is a string of 1 to
128 case-sensitive characters without spaces in the
[ drive ] [ path ] file name format. Up to 8 levels
of directories are supported. When quotation marks
are used around the string, spaces are allowed in
the string.
In the preceding parameter, drive specifies the
storage device name, and path specifies the
directory and subdirectory.
You are advised to add : and / between the storage
device name and directory. Characters ? ~ * / \ : ' " |
< > [ ] cannot be used in the directory name.
offset Specifies the The value is an integer that ranges from 0 to
file offset. 2147483647, in bytes.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run the more command to display the file content directly on a device.
● The following describes the drive name.
– drive is the storage device and is named as flash:.
– If devices are stacked, drive can be named as:
▪ flash: root directory of the flash memory of the master switch in the
stack.
▪ chassis ID#flash: root directory of the flash memory on a device in
the stack.
For example, slot2#flash: indicates the flash memory in slot 2.
● The path can be an absolute path or relative path. A relative path can be
designated relative to either the root directory or the current working
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 364
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
directory. A relative path beginning with a slash (/) is a path relative to the
root directory.
– flash:/my/test/ is an absolute path.
– /selftest/ is a path relative to the root directory and indicates the selftest
directory in the root directory.
– selftest/ is a path relative to the current working directory and indicates
the selftest directory in the current working directory.
Precautions
● You are not advised to use this command to display non-text files; otherwise,
the terminal is shut down or displays garbled characters, which is harmless to
the system.
● Files are displayed in text format.
● You can display the file content flexibly by specifying parameters before
running the more command:
– You can run the more filename command to view a specified text file.
The content of the specified text file is displayed on multiple screens. You
can press the spacebar consecutively on the current session GUI to
display all content of the file.
To display the file content on multiple screens, you must ensure that:
▪ The number of lines that can be displayed on a terminal screen is
greater than 0. (The number of lines that can be displayed on a
terminal screen is set by running the screen-length command.)
▪ The total number of file lines is greater than the number of lines
that can be displayed on a terminal screen. (The number of lines that
can be displayed on a terminal screen is set by running the screen-
length command.)
– You can run the more filename offset command to view a specified file.
The content of the specified text file starting from offset is displayed on
multiple screens. You can press the spacebar consecutively on the current
session GUI to display all content of the file.
To display the file content on multiple screens, you must ensure that:
▪ The number of lines that can be displayed on a terminal screen is
greater than 0. (The number of lines that can be displayed on a
terminal screen is set by running the screen-length command.)
▪ The number of lines starting from offset in the file is greater than
the number of lines that can be displayed on a terminal screen. (The
number of lines that can be displayed on a terminal screen is set by
running the screen-length command.)
Example
# Display the content of the file test.bat.
<HUAWEI> more test.bat
rsa local-key-pair create
user-interface vty 12 14
authentication-mode aaa
protocol inbound ssh
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 365
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
user privilege level 5
commit
quit
ssh user sftpuser authentication-type password
ssh user sftpuser service-type all
sftp server enable
commit
# Display the content of the file log.txt and set the offset to 100.
<HUAWEI> more log.txt 100
: CHINA HUAWEI TECHNOLOGY LIMITTED CO.,LTD
# FILE NAME: Product Adapter File(PAF)
# PURPOSE: MAKE VRPV5 SUITABLE FOR DIFFERENT PRODUCT IN LIB
# SOFTWARE PLATFORM: V6R2C00
# DETAIL VERSION: B283
# DEVELOPING GROUP: 8090 SYSTEM MAINTAIN GROUP
# HARDWARE PLATFORM: 8090 (512M Memory)
# CREATED DATE: 2003/05/10
# AUTH: RAINBOW
# Updation History: Kelvin dengqiulin update for 8090(2004.08.18)
# lmg update for R3(2006.11.7)
# fsr update for R5 (2008.1.18)
# qj update for R6 (2008.08.08)
# COPYRIGHT: 2003---2008
#----------------------------------------------------------------------------------
#BEGIN FOR RESOURCE DEFINATION
[RESOURCE]
FORMAT: SPECS RESOURCE NAME STRING = CONTROLLABLE(1 : ABLE , 0: NOT ABLE),DEFAUL
T VALUE , MAX VALUE , MIN VALUE
#BEGIN SPECS RESOURCE FOR TE tunnel Nto1 PS MODULE
PAF_LCS_TUNNEL_SPECS_TE_PS_MAX_PROTECT_NUM = 1, 8, 16, 1
PAF_LCS_TUNNEL_SPECS_TE_PS_REBOOT_TIME = 1, 180000, 3600000, 60000
---- More ----
3.7.51 move
Function
The move command moves the source file from a specified directory to a
destination directory.
Format
move source-filename destination-filename
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 366
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Settings
source-filename Specifies the directory An absolute path name
and name of a source is a string of 1 to 255
file. characters. A relative
path name is a string of
1 to 128 case-sensitive
characters without
spaces in the [ drive ]
[ path ] file name
format. Up to 8 levels of
directories are supported.
When quotation marks
are used around the
string, spaces are
allowed in the string.
In the preceding
parameter, drive
specifies the storage
device name, and path
specifies the directory
and subdirectory.
You are advised to add :
and / between the
storage device name and
directory. Characters ? ~
* / \ : ' " | < > [ ] cannot
be used in the directory
name.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 367
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Settings
destination-filename Specifies the directory An absolute path name
and name of a is a string of 1 to 255
destination file. characters. A relative
path name is a string of
1 to 128 case-sensitive
characters without
spaces in the [ drive ]
[ path ] file name
format. Up to 8 levels of
directories are supported.
When quotation marks
are used around the
string, spaces are
allowed in the string.
In the preceding
parameter, drive
specifies the storage
device name, and path
specifies the directory
and subdirectory.
You are advised to add :
and / between the
storage device name and
directory. Characters ? ~
* / \ : ' " | < > [ ] cannot
be used in the directory
name.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The following describes the drive name.
● drive is the storage device and is named as flash:.
● If devices are stacked, drive can be named as:
– flash: root directory of the flash memory of the master switch in the
stack.
– chassis ID#flash: root directory of the flash memory on a device in the
stack.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 368
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
For example, slot2#flash: indicates the flash memory in slot 2.
The path can be an absolute path or relative path. A relative path can be
designated relative to either the root directory or the current working directory. A
relative path beginning with a slash (/) is a path relative to the root directory.
● flash:/my/test/ is an absolute path.
● /selftest/ is a path relative to the root directory and indicates the selftest
directory in the root directory.
● selftest/ is a path relative to the current working directory and indicates the
selftest directory in the current working directory.
Precautions
● The move and copy commands have different effects:
– The move command moves the source file to the destination directory.
– The copy command copies the source file to the destination directory.
Example
# Move the file test from the root directory to the directory new.
<HUAWEI> move test new/
Warning: Move file flash:/test to flash:/new/test? [Y/N]:y
100% complete
Info: Move file flash:/test to flash:/new/test...Done.
3.7.52 mput
Function
The mput command uploads multiple files from the local device to the remote
FTP server.
Format
mput local-filenames
Parameters
Parameter Description Value
local-filenames Specifies files to be uploaded. File The value is a string of 1
names are separated using spaces, to 256 characters.
and the wildcard (*) is supported.
Views
FTP client view
Default Level
3: Management level
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 369
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Usage Guidelines
Usage Scenario
You can run the mput command to upload multiple files to the remote FTP server
at the same time, especially in the upgrade scenario.
System prompts a confirmation message to the user before file transfer. You can
disable the prompt message using undo prompt command.
Precautions
If the name of the uploaded file is the same as that of an existing file on the FTP
server, the system overwrites the existing file.
Example
# Upload two local files 111.text and vrp222.cfg to the remote FTP server.
<HUAWEI> ftp 10.10.10.1
Trying 10.10.10.1 ...
Press CTRL+K to abort
Connected to 10.10.10.1.
220 FTP service ready.
User(10.10.10.1:(none)):switch
331 Password required for switch.
Enter password:
230 User logged in.
[ftp] mput 111.txt vrp222.cfg
200 Port command successful.
150 Opening ASCII mode data connection for file transfer.
226 Transfer complete.
FTP: 6556 byte(s) sent in 0.231 second(s) 28.38Kbyte(s)/sec.
200 Port command successful.
150 Opening ASCII mode data connection for file transfer.
226 Transfer complete.
FTP: 4198 byte(s) sent in 0.171 second(s) 24.54Kbyte(s)/sec.
[ftp]
3.7.53 open
Function
The open command connects the FTP client and server.
Format
# Connect the FTP client to the FTP server based on the IPv4 address.
open [ -a source-ip-address | -i interface-type interface-number ] host-ip [ port-
number ] [ public-net | vpn-instance vpn-instance-name ]
# Connect the FTP client to the FTP server based on the IPv6 address.
open ipv6 host-ipv6 [ -oi interface-type interface-number ] [ port-number ]
[ public-net | vpn-instance vpn-instance-name ]
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 370
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Value
-a source-ip- Specifies the source IP address for -
address connecting to the FTP client. You
are advised to use the loopback
interface IP address.
-i interface-type Specifies the source interface type -
interface- and ID. You are advised to use the
number loopback interface.
The IP address configured for this
interface is the source IP address
for sending packets. If no IP
address is configured for the
source interface, the FTP
connection cannot be set up.
host-ip Specifies the IP address or host The IPv4 address is in
name of the remote IPv4 FTP dotted decimal notation.
server. The host name is a string
of 1 to 255 characters.
NOTE
You can run the display dns
dynamic-host or display ip host
command to view the mapping
between the IP address and host
name.
host-ipv6 Specifies the IP address or host The IPv6 address is a 32-
name of the remote IPv6 FTP digit hexadecimal number
server. in the X:X:X:X:X:X:X:X
format. The host name is a
NOTE
string of 1 to 255
You can run the display dns characters.
dynamic-host or display ip host
command to view the mapping
between the IP address and host
name.
port-number Specifies the port number of the The value is an integer that
FTP server. ranges from 1 to 65535.
The default value is the
standard port number 21.
public-net Specifies the FTP server on the -
public network.
You must set the public-net
parameter when the FTP server IP
address is a public network IP
address.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 371
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
vpn-instance Specifies the name of the VPN The value is a string of 1 to
vpn-instance- instance where the FTP server is 31 case-sensitive
name located. characters except spaces.
When double quotation
marks are used to include
the string, spaces are
allowed in the string. The
value _public_ is reserved
and cannot be used as the
VPN instance name.
host-ipv6 Specifies the IP address of the The value is a 32-digit
remote IPv6 FTP server. hexadecimal number in the
X:X:X:X:X:X:X:X format.
-oi interface- Specifies the source interface type -
type interface- and ID.
number
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run the open command in the FTP client view to connect the FTP client to
the server to transmit files and manage files and directories of the FTP server.
Precautions
● You can run the ftp command in the user view to connect the FTP client and
server and enter the FTP client view.
● You can set the source IP address to the source or destination IP address in
the ACL rule when the -a or -i parameter is specified on the IPv4 network.
This shields the IP address differences and interface status impact, filters
incoming and outgoing packets, and implements security authentication.
● You can run the set net-manager vpn-instance command to configure the
NMS management VPN instance before running the open command to
connect the FTP client and server.
– If public-net or vpn-instance is not specified, the FTP client accesses the
FTP server in the VPN instance managed by the NMS.
– If public-net is specified, the FTP client accesses the FTP server on the
public network.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 372
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
– If vpn-instance vpn-instance-name is specified, the FTP client accesses
the FTP server in a specified VPN instance.
● If the port number that the FTP server uses is non-standard, you must specify
a standard port number; otherwise, the FTP server and client cannot be
connected.
● When you run the open command, the system prompts you to enter the user
name and password for logging in to the FTP server. You can log in to the FTP
client and enter the FTP client view if the user name and password are
correct.
Example
# Connect the FTP client with the FTP server whose IP address is 10.137.217.204.
<HUAWEI> ftp
[ftp] open 10.137.217.204
Trying 10.137.217.204 ...
Press CTRL + K to abort
Connected to 10.137.217.204.
220 FTP service ready.
User(10.137.217.204:(none)):switch
331 Password required for switch.
Enter password:
230 User logged in.
[ftp]
# Connect the FTP client with the FTP server whose IP address is 2001:db8:1::1.
<HUAWEI> ftp
[ftp] open ipv6 2001:db8:1::1
Trying 2001:db8:1::1 ...
Press CTRL + K to abort
Connected to 2001:db8:1::1
220 FTP service ready.
User(2001:db8:1::1:(none)):switch
331 Password required for switch
Enter Password:
230 User logged in.
[ftp]
3.7.54 passive
Function
The passive command sets the data transmission mode to passive.
The undo passive command sets the data transmission mode to active.
By default, the data transmission mode is active.
Format
passive
undo passive
Parameters
None
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 373
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
The device supports the active and passive data transmission modes. In active
mode, the server initiates a connection request, and the client and server need to
enable and monitor a port to establish a connection. In passive mode, the client
initiates a connection request, and only the server needs to monitor the
corresponding port. This command is used together with the firewall function.
When the client is configured with the firewall function, FTP connections are
restricted between internal clients and external FTP servers if the FTP transmission
mode is active. If the FTP transmission mode is passive, FTP connections between
internal clients and external FTP servers are not restricted.
Example
# Set the data transmission mode to passive.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):switch
331 Password required for switch.
Enter password:
230 User logged in.
[ftp] passive
Info: Succeeded in switching passive on.
3.7.55 prompt
Function
The prompt command enables the prompt function when files are transmitted
between the FTP client and server.
The undo prompt command disables the prompt function.
By default, the prompt function is disabled.
Format
prompt
undo prompt
Parameters
None
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 374
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can enable the prompt function as required when transmitting files between
the FTP client and server.
Precautions
● The prompt command can be used when you run the put, mput, get, and
mget commands.
● The prompt function can be enabled only for confirming service upload and
download.
– When you run the put or mput command, the system always overwrites
the existing file if the name of the uploaded file is the same as that of an
existing file on the FTP server.
– When you run the get or mget command, the system always prompts
you whether to overwrite the existing file if the name of the uploaded file
is the same as an existing file name in the specified directory.
Example
# Enable the FTP message prompt function.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):switch
331 Password required for switch.
Enter password:
230 User logged in.
[ftp] prompt
Info: Succeeded in switching prompt on.
# Disable the FTP message prompt function.
[ftp] undo prompt
Info: Succeeded in switching prompt off.
3.7.56 put (FTP client view)
Function
The put command uploads a local file to the remote FTP server.
Format
put local-filename [ remote-filename ]
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 375
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Value
local-filename Specifies the local file name The value is a string of 1 to 128
of the FTP client. case-sensitive characters without
spaces. The local-filename must
already exist.
remote- Specifies the name of the The value is a string of 1 to 128
filename file to be uploaded to the case-sensitive characters without
remote FTP server. spaces.
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run the put command to upload a local file to the remote FTP server for
further check and backup. For example, you can upload the local log file to the
FTP server for other users to check, and upload the configuration file to the FTP
server as a backup before upgrading the device.
Precautions
● If the file name is not specified on the remote FTP server, the local file name
is used.
● If the name of the uploaded file is the same as that of an existing file on the
FTP server, the system overwrites the existing file.
Example
# Upload the configuration file vrpcfg.zip to the remote FTP server as a backup,
and save it as backup.zip.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):switch
331 Password required for switch.
Enter password:
230 User logged in.
[ftp] put vrpcfg.zip backup.zip
200 Port command okay.
150 Opening ASCII mode data connection for /backup.zip.
/ 100% [***********]
226 Transfer complete.
FTP: 1098 byte(s) sent in 0.131 second(s) 8.38Kbyte(s)/sec.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 376
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3.7.57 put (SFTP client view)
Function
The put command uploads a local file to a remote SFTP server.
Format
put local-filename [ remote-filename ]
Parameters
Parameter Description Value
local-filename Specifies a local file The value is a case-sensitive character
name on the SFTP string without spaces. The file name
client. (including the absolute path) contains
1 to 128 characters. The local-filename
must already exist.
remote- Specifies the name of The value is a case-sensitive character
filename the file uploaded to the string without spaces. The file name
remote SFTP server. (including the absolute path) contains
1 to 128 characters.
Views
SFTP client view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
This command enables you to upload files from the local device to a remote SFTP
server to view the file contents or back up the files. For example, you can upload
log files of a device to an SFTP server and view the logs in the server. During an
upgrade, you can upload the configuration file of the device to the SFTP server for
backup.
Precautions
● If remote-filename is not specified, the uploaded file is saved on the remote
SFTP server with the original file name.
● If the specified remote-filename is the same as an existing file name on the
SFTP server, the uploaded file overwrites the existing file on the server.
Example
# Upload a file to the SFTP server.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 377
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
<HUAWEI> system-view
[~HUAWEI] sftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL+K to abort
Connected to 10.137.217.201 ...
Please input the username:admin
Enter password:
sftp-client> put wm.cfg
Local file: wm.cfg ---> Remote file: /wm.cfg
Uploading the file. Please wait...\
Uploading file successfully ended.
File upload is completed in 0 seconds.
3.7.58 pwd (FTP client view)
Function
The pwd command displays the FTP client's working directory on the remote FTP
server.
Format
pwd
Parameters
None
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
After logging in to the FTP server, you can run the pwd command to display the
FTP client's working directory on the remote FTP server.
If the displayed working directory is incorrect, you can run the cd command to
change the FTP client's working directory on the remote FTP server.
Example
# Display the FTP client's working directory on the remote FTP server.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):switch
331 Password required for switch.
Enter password:
230 User logged in.
[ftp] pwd
257 "/" is current directory.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 378
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3.7.59 pwd (SFTP client view)
Function
The pwd command displays the SFTP client's working directory on the remote FTP
server.
Format
pwd
Parameters
None
Views
SFTP client view
Default Level
3: Management level
Usage Guidelines
After logging in to the SFTP server, you can run the pwd command to display the
SFTP client's working directory on the remote SFTP server.
If the displayed working directory is incorrect, you can run the cd command to
change the SFTP client's working directory on the remote SFTP server.
Example
# Display the SFTP client's working directory on the remote SFTP server.
<HUAWEI> system-view
[~HUAWEI] sftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL+K to abort
Connected to 10.137.217.201 ...
Please input the username:admin
Enter password:
sftp-client> pwd
Current directory is:
/
sftp-client> cd test
Current directory is:
/test
sftp-client> pwd
Current directory is:
/test
3.7.60 pwd (user view)
Function
The pwd command displays the current working directory.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 379
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Format
pwd
Parameters
None
Views
User view
Default Level
3: Management level
Usage Guidelines
You can run the pwd command in any directory to display the current working
directory. To change the current working directory, you can run the cd command.
Example
# Display the current working directory.
<HUAWEI> pwd
flash:/test/
3.7.61 remotehelp
Function
The remotehelp command displays the help information about an FTP command
when the FTP client and server are connected.
Format
remotehelp [ command ]
Parameters
Parameter Description Value
command Specifies the FTP The value is a string of 1 to 16
command. characters.
Views
FTP client view
Default Level
3: Management level
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 380
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Usage Guidelines
You can run the remotehelp command to display the help information about an
FTP command.
● The help information is provided by the remote server. Different remote
servers may provide different help information for an FTP command.
● The following are the protocol commands support help information.
Command Help Information
USER "USER <sp> <username>"
PASS "PASS <sp> password"
ACCT* "ACCT <sp> account-information"
CWD "CWD [ <sp> directory-name ]"
CDUP "CDUP <change to parent directory>"
SMNT* "SMNT <sp> <structure mount>,
Unimplemented"
QUIT "QUIT <terminate service>"
REIN* "REIN <reinitialize server state>;
Unimplemented"
PORT "PORT <sp> b0, b1,b2, b3, b4, b5"
PASV "PASV <set server in passive mode>"
TYPE "TYPE <sp> [ A | I ]"
STRU* "STRU <specify file structure>;
Unimplemented"
MODE* "MODE <specify transfer mode>;
Unimplemented"
RETR "RETR <sp> file-name"
STOR "STOR <sp> file-name"
STOU* "STOU <sp> file-name; Unimplemented"
APPE "APPE <sp> file-name"
ALLO* "ALLO allocate storage<vacuously>;
Unimplemented"
REST* "REST <restart command>;
Unimplemented"
RNFR "RNFR <sp> file-name"
RNTO "RNTO <sp> file-name"
ABOR* "ABOR <abort operation>; Unimplemented"
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 381
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Command Help Information
DELE "DELE <sp> file-name"
RMD "RMD <sp> path-name"
MKD "MKD <sp> path-name"
PWD "PWD <return current directory>"
LIST "LIST [ <sp> path-name ]"
NLST* "NLST [ <sp> path-name ];
Unimplemented"
SITE* "SITE; Unimplemented"
SYST "SYST <get type of operating system>"
STAT* "STAT [ <sp> <pathname> ]"
HELP "HELP [ <sp> <string> ]"
NOOP* "NOOP; Unimplemented"
XCUP "XCUP <change to parent directory>"
XCWD "XCWD [ directory-name ]"
XMKD "XMKD <sp> path-name"
XPWD "XPWD <return current directory>"
XRMD "XRMD <sp> path-name"
EPSV "EPSV <sp> <net-prt>"
EPRT "EPRT <sp> <d><net-prt><d><net-
addr><d><port><d>"
FEAT* "FEAT, Unimplemented"
NOTE
● * means the command is not complete.
● For the commands other than the above listed commands, the response string is
"Unknown command".
Example
# Display the syntax of the command cdup.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):switch
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 382
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
331 Password required for switch.
Enter password:
230 User logged in.
[ftp] remotehelp
214-The following commands are recognized (Commands marked with '*' are unimplem
ented).
USER PASS ACCT* CWD CDUP SMNT* QUIT REIN*
PORT PASV TYPE STRU* MODE* RETR STOR STOU*
APPE ALLO* REST* RNFR RNTO ABOR DELE RMD
MKD PWD LIST NLST SITE* SYST STAT* HELP
NOOP* XCUP XCWD XMKD XPWD XRMD EPSV EPRT
FEAT*
214 Direct comments to Huawei Tech.
[ftp] remotehelp cdup
214 Syntax: CDUP <change to parent directory>.
3.7.62 remove (SFTP client view)
Function
The remove command deletes specified files from the remote SFTP server.
Format
remove remote-filename &<1-10>
Parameters
Parameter Description Value
remote- Specifies the name of the file The value is a string of 1 to
filename to be deleted from the remote 128 case-sensitive characters
SFTP server. without spaces.
Views
SFTP client view
Default Level
3: Management level
Usage Guidelines
● You can configure a maximum of 10 file names in the command and separate
them using spaces and delete them at one time.
● If the file to be deleted is not in the current directory, you must specify the file
path.
Example
# Delete the file 3.txt from the server and backup1.txt from the test directory.
<HUAWEI> system-view
[~HUAWEI] sftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL+K to abort
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 383
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Connected to 10.137.217.201 ...
Please input the username:admin
Enter password:
sftp-client> remove 3.txt test/backup1.txt
Warning: Are sure to remove these files? [Y/N]:y
Info: Succeeded in removing the file: /3.txt.
Info: Succeeded in removing the file: /test/backup1.txt.
3.7.63 rename (SFTP client view)
Function
The rename command renames a file or directory stored on the SFTP server.
Format
rename old-name new-name
Parameters
Parameter Description Value
old-name The value is a string of 1 to 128 case-
Specifies the name of a file
sensitive characters without spaces. The
or directory.
old-name must already exist.
new-name Specifies the new name of The value is a string of 1 to 128 case-
the file or directory. sensitive characters without spaces.
Views
SFTP client view
Default Level
3: Management level
Usage Guidelines
You can run the rename command to rename a file or directory.
Example
# Rename the directory yourtest on the SFTP server.
<HUAWEI> system-view
[~HUAWEI] sftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL+K to abort
Connected to 10.137.217.201 ...
Please input the username:admin
Enter password:
sftp-client> rename test/yourtest test/test
Warning: Rename /test/yourtest to /test/test? [Y/N]:y
Info: Succeeded in renaming file.
sftp-client> cd test
Current directory is:
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 384
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
/test
sftp-client> dir
drwxrwxrwx 1 noone nogroup 0 Mar 29 22:44 .
drwxrwxrwx 1 noone nogroup 0 Mar 29 22:39 ..
drwxrwxrwx 1 noone nogroup 0 Mar 24 00:04 test
-rwxrwxrwx 1 noone nogroup 5736 Mar 24 18:38 backup.txt
3.7.64 rename (user view)
Function
The rename command renames a file or folder.
Format
rename old-name new-name
Parameters
Parameter Description Settings
old-name Specifies the name of a An absolute path name
file or folder. is a string of 1 to 255
characters. A relative
path name is a string of
1 to 128 characters.
case-sensitive characters
without spaces in the
[ drive ] [ path ]
filename format.
In the preceding
parameter, drive
specifies the storage
device name, and path
specifies the directory
and subdirectory.
You are advised to add :
and / between the
storage device name and
directory. Characters ? ~
* / \ : ' " | < > [ ] cannot
be used in the directory
name.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 385
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Settings
new-name Specifies the new name An absolute path name
of the file or directory. is a string of 1 to 255
characters. A relative
path name is a string of
1 to 128 characters.
case-sensitive characters
without spaces in the
[ drive ] [ path ]
filename format.
In the preceding
parameter, drive
specifies the storage
device name, and path
specifies the directory
and subdirectory.
You are advised to add :
and / between the
storage device name and
directory. Characters ? ~
* / \ : ' " | < > [ ] cannot
be used in the directory
name.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The following describes the drive name:
● drive is the storage device and is named as flash:.
● If devices are stacked, drive can be named as:
– flash: root directory of the flash memory of the master switch in the
stack.
– chassis ID#flash: root directory of the flash memory on a device in the
stack.
For example, slot2#flash: indicates the flash memory in slot 2.
The path can be an absolute path or relative path. A relative path can be
designated relative to either the root directory or the current working directory. A
relative path beginning with a slash (/) is a path relative to the root directory.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 386
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
● flash:/my/test/ is an absolute path.
● /selftest/ is a path relative to the root directory and indicates the selftest
directory in the root directory.
● selftest/ is a path relative to the current working directory and indicates the
selftest directory in the current working directory.
Precautions
● You must rename a file or directory in its source directory.
● If the renamed file or directory has the same name as an existing file or
directory, an error message is displayed.
● If you specify old-name or new-name without specifying the file path, the file
must be saved in your current working directory.
Example
# Rename the directory mytest to yourtest in the directory flash:/test/.
<HUAWEI> pwd
flash:/test
<HUAWEI> rename mytest yourtest
Info: Rename file flash:/test/mytest to flash:/test/yourtest ?[Y/N]:y
Info: Rename file flash:/test/mytest to flash:/test/yourtest ......Done.
# Rename the file sample.txt to sample.bak.
<HUAWEI> rename sample.txt sample.bak
Info: Rename file flash:/sample.txt to flash:/sample.bak ?[Y/N] :y
Info: Rename file flash:/sample.txt to flash:/sample.bak .......Done.
3.7.65 reset recycle-bin
Function
The reset recycle-bin command permanently deletes files from the recycle bin.
Format
reset recycle-bin [ /f | filename | devicename ]
Parameters
Parameter Description Value
/f Directly deletes all -
files from the
recycle bin.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 387
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
filename Specifies the name An absolute path name is a string of 1 to 255
of a file to be characters. A relative path name is a string of
deleted. 1 to 128 case-sensitive characters without
spaces in the [ drive ] [ path ] file name
format. Up to 8 levels of directories are
supported. When quotation marks are used
around the string, spaces are allowed in the
string.
In the preceding parameter, drive specifies the
storage device name, and path specifies the
directory and subdirectory.
You are advised to add : and / between the
storage device name and directory.
Characters ? ~ * / \ : ' " | < > [ ] cannot be used
in the directory name.
The wildcard (*) character is supported.
devicename Specifies the -
storage device
name.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If you run the delete command without specifying the /unreserved parameter,
the file is moved to the recycle bin and still occupies the memory. To free up the
space, you can run the reset recycle-bin command to permanently delete the file
from the recycle bin.
The following describes the drive name.
● drive is the storage device and is named as flash:.
● If devices are stacked, drive can be named as:
– flash: root directory of the flash memory of the master switch in the
stack.
– chassis ID#flash: root directory of the flash memory on a device in the
stack.
For example, slot2#flash: indicates the flash memory in slot 2.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 388
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
The path can be an absolute path or relative path. A relative path can be
designated relative to either the root directory or the current working directory. A
relative path beginning with a slash (/) is a path relative to the root directory.
● flash:/my/test/ is an absolute path.
● /selftest/ is a path relative to the root directory and indicates the selftest
directory in the root directory.
● selftest/ is a path relative to the current working directory and indicates the
selftest directory in the current working directory.
Precautions
● You can run the dir /all command to display all files that are moved to the
recycle bin from the current directory, and file names are displayed in square
brackets ([ ]).
● If you delete a specified storage device, all files in the root directory of the
storage device are deleted.
● If you run the reset recycle-bin command directly, all files that are moved to
the recycle bin from the current directory are permanently deleted.
Example
# Delete the file test.txt that is moved to the recycle bin from the directory test.
<HUAWEI> reset recycle-bin flash:/test/test.txt
Info: Are you sure to clear flash:/test/test.txt?[Y/N]:y
Info: Clearing file flash:/test/test.txt......Done.
# Delete files that are moved to the recycle bin from the current directory.
<HUAWEI> pwd
flash:/test
<HUAWEI> reset recycle-bin
Info: Are you sure to clear flash:/test/aa.txt?[Yes/All/No/Cancel]:y
Info: Clearing file flash:/test/aa.txt......Done.
Info: Are you sure to clear flash:/test/abc.txt?[Yes/All/No/Cancel]:y
Info: Clearing file flash:/test/abc.txt......Done.
Info: Are you sure to clear flash:/test/1.bat?[Yes/All/No/Cancel]:y
Info: Clearing file flash:/test/1.bat......Done.
3.7.66 rmdir (FTP client view)
Function
The rmdir command deletes a specified directory from the remote FTP server.
Format
rmdir remote-directory
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 389
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Value
remote- Specifies a directory or The value is a string of 1 to 128
directory path on the FTP server. case-sensitive characters without
spaces.
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run the rmdir command to delete a specified directory from the remote
FTP server.
Precautions
● Before running the rmdir command to delete a directory, you must delete all
files and subdirectories from the directory.
● If no path is specified when you delete a subdirectory, the subdirectory is
deleted from the current directory.
● The directory is deleted from the FTP server rather than the FTP client.
Example
# Delete the directory d:/temp1 from the remote FTP server.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):switch
331 Password required for switch.
Enter password:
230 User logged in.
[ftp] rmdir d:/temp1
250 'D:\temp1': directory removed.
3.7.67 rmdir (user view)
Function
The rmdir command deletes a specified directory from the storage device.
Format
rmdir directory
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 390
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Value
directory Specifies a The value is a string of case-sensitive characters in
directory or the [ drive ] [ path ] directory format. The
directory and its absolute path length ranges from 1 to 255, while
path. the directory name length ranges from 1 to 128.
Up to 8 levels of directories are supported.
In the preceding parameter, drive specifies the
storage device name, and path specifies the
directory and subdirectory.
Characters such as ~, *, /, \, :, ', " cannot be used
in the directory name.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
The following describes the drive name.
● drive is the storage device and is named as flash:.
● If devices are stacked, drive can be named as:
– flash: root directory of the flash memory of the master switch in the
stack.
– chassis ID#flash: root directory of the flash memory on a device in the
stack.
For example, slot2#flash: indicates the flash memory in slot 2.
The path can be an absolute path or relative path. A relative path can be
designated relative to either the root directory or the current working directory. A
relative path beginning with a slash (/) is a path relative to the root directory.
● flash:/my/test/ is an absolute path.
● /selftest/ is a path relative to the root directory and indicates the selftest
directory in the root directory.
● selftest/ is a path relative to the current working directory and indicates the
selftest directory in the current working directory.
Precautions
● Before running the rmdir command to delete a directory, you must delete all
files and subdirectories from the directory.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 391
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
● A deleted directory and its files cannot be restored from the recycle bin.
Example
# Delete the directory test from the current directory.
<HUAWEI> rmdir test
Info: Are you sure to remove directory flash:/test?[Y/N]:y
Info: Removing directory flash:/test/.......Done.
3.7.68 rmdir (SFTP client view)
Function
The rmdir command deletes a specified directory from the remote SFTP server.
Format
rmdir remote-directory &<1-10>
Parameters
Parameter Description Value
remote- Specifies the name of a file The value is a string of 1 to 128
directory on the SFTP server. case-sensitive characters without
spaces.
Views
SFTP client view
Default Level
3: Management level
Usage Guidelines
● You can configure a maximum of 10 file names in the command and separate
them using spaces and delete them at one time.
● Before running the rmdir command to delete a directory, you must delete all
files and subdirectories from the directory.
● If the directory to be deleted is not in the current directory, you must specify
the file path.
Example
# Delete the directory 1 from the current directory, and the directory 2 from the
test directory.
<HUAWEI> system-view
[~HUAWEI] sftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL+K to abort
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 392
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Connected to 10.137.217.201 ...
Please input the username:admin
Enter password:
sftp-client> rmdir 1 test/2
Warning: Are sure to remove these directories? [Y/N]:y
Info: Succeeded in removing the directory: /test/1.
Info: Succeeded in removing the directory: /test/test/2.
3.7.69 scp
Function
The scp command uploads a local file to the remote SCP server or downloads a
file from the remote SCP server to a local directory.
Format
# Transfer a file between the local client and the remote SCP server based on IPv4.
scp [ -a source-ip-address | -i interface-type interface-number ] [ -force-receive-
pubkey ] [ [ -port port-number ] | [ public-net | vpn-instance vpn-instance-
name ] | -c | [ -cipher cipher-type ] | [ -prefer-kex kex-type ] | -r | [ identity-key
{ dsa | ecc | rsa | pki } ] | [ user-identity-key { dsa | ecc | rsa | pki } ] ] * source-
filename destination-filename
# Transfer a file between the local client and the remote SCP server based on IPv6.
scp ipv6 [ -a source-ipv6-address | -oi interface-type interface-number ] [ public-
net | vpn-instance vpn-instance-name ] [ -force-receive-pubkey ] [ [ -port port-
number ] | -c | [ -cipher cipher-type ] | [ -prefer-kex kex-type ] | -r | [ identity-
key { dsa | ecc | rsa | pki} ] | [ user-identity-key { dsa | ecc | rsa | pki } ] ] *
source-filename destination-filename
Parameters
Parameter Description Value
-a source-ip- Specifies the source IPv4 -
address address for connecting to
the SCP client. You are
advised to use the
loopback interface IP
address.
-a source-ipv6- Specifies the source IPv6 -
address address for connecting to
the SCP client. You are
advised to use the
loopback interface IP
address.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 393
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
-i interface- Specifies the source -
type interface- interface used by the SCP
number client to set up
connections. It consists of
the interface type and
number. It is recommended
that you specify a loopback
interface. The IP address
configured for this
interface is the source IP
address for sending
packets. If no IP address is
configured for the source
interface, the FTP
connection cannot be set
up.
If the source interface is
specified using -i interface-
type interface-number, the
public-net and vpn-
instance vpn-instance-
name parameters are not
supported.
-oi interface- Specifies an outbound -
type interface- interface on the local
number device.
If the remote host uses an
IPv6 address, you must
specify the outbound
interface on the local
device.
-force-receive- Indicates that a server -
pubkey forcibly receives public key
authentication.
-port port- Specifies the port number The value is an integer that ranges
number of the SCP server. from 1 to 65535. The default value
is 22.
public-net Indicates that the SCP -
server is connected to the
public network.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 394
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
vpn-instance Specifies the name of the The name of the VPN instance
vpn-instance- VPN instance where the must already exist.
name SCP server is located.
-r Uploads or downloads files -
in batches.
-c Compress files when -
uploading or downloading
them.
-cipher cipher- Specifies the encryption The algorithms include:
type algorithms for uploading
or downloading files. ● 3des
● aes128
● aes256
● aes128_ctr
● aes256_ctr
● aes128_gcm
● aes256_gcm
● aes192_ctr
The default value is 3des, aes128,
aes128_ctr, aes256_ctr,
aes128_gcm, aes256_gcm,
aes192_ctr, aes256.
NOTE
Encryption algorithms supported
depend on the ssh client cipher
command configured by the user.
You are advised to use aes128_ctr,
aes256_ctr, aes128_gcm, aes256_gcm,
and aes192_ctr encryption algorithms
to ensure high security.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 395
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
-prefer_kex Specifies the preferred key The key exchange algorithms
kex-type exchange algorithm. include:
● dh-exchange-group-sha256
● ecdh-sha2-nistp256
● ecdh-sha2-nistp384
● ecdh-sha2-nistp521
● sm2_kep
The default key exchange
algorithm is sm2_kep, ecdh-sha2-
nistp521, ecdh-sha2-nistp384,
ecdh-sha2-nistp256, dh-exchange-
group-sha256.
NOTE
When the public key algorithm on the
server is ecc, the sm2_kep algorithm is
preferred.
identity-key Specifies the public key The public key algorithm can be
algorithm for server one of the following:
authentication.
● dsa
● ecc
● rsa
● pki
The default public key algorithm is
ecc.
NOTE
Public key algorithm supported
depend on the ssh client publickey
command configured by the user.
user-identity- Specifies a public key The public key algorithm can be
key algorithm for user one of the following:
authentication.
● dsa
● ecc
● rsa
● pki
The default public key algorithm is
ecc.
NOTE
Public key algorithm supported
depend on the ssh client publickey
command configured by the user.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 396
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
source- Specifies a source file to be The source file format is
filename uploaded or downloaded. username@hostname:
[path]filename for the file
downloading operation.
The source file format is
[path]filename for the file
uploading operation.
destination- Specifies a destination file The destination file format is
filename to be uploaded or username@hostname:
downloaded. [path]filename for the file
uploading operation.
The destination file format is
[path]filename for the file
downloading operation.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
SCP file transfer mode is based on SSH2.0 Compared with the SFTP file transfer
mode, the SCP file transfer mode allows you to upload or download files when the
connection is set up between the SCP client and server.
● You are advised to set the source IP address to the loopback address, or set
the outbound interface to the loopback interface using -a and -i, to improve
security.
● When -r is specified, you can use the wildcard (*) to upload or download files
in batches, for example, *.txt and switch.*.
● When -c is specified, files are compressed before being transmitted. File
compression takes a long time and affects file transfer speed; therefore, you
are not advised to compress files before transferring them.
Precautions
● The format of uploaded and downloaded files of the SCP server is
username@hostname:[path]filename.
– username is the user name for logging in to the SCP server.
– hostname is the name or IP address of the SCP server.
– path is the working directory on the SCP server.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 397
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
– filename is the name of a file.
● If hostname is an IPv6 address, the IPv6 address must be included in square
brackets ([ ]), for example, john@[1000::1]:.
● If the destination file name is the same as the name of an existing directory,
the file is moved to this directory with the source file name. If the destination
file has the same name as an existing file, the system overwrites the existing
file.
● If an SCP user on the client authenticates the server using an RSA, a DSA or
an ECC public key, the SCP user is prompted to select the key pair for
authentication.
Example
# Log in through DSA authentication and copy the xxxx.txt file to the flash
memory of remote SCP server at 10.10.0.114.
<HUAWEI> system-view
[~HUAWEI] scp identity-key dsa flash:/xxxx.txt [email protected]:flash:/xxxx.txt
Trying 10.10.0.114...
Press CTRL+K to abort
Connected to 10.10.0.114...
The server is not authenticated. Continue to access it? [Y/N]:y
Save the server's public key? [Y/N]:y
The server's public key will be saved with the name 10.10.0.114. Please wait...
Please select public key type for user authentication [R for RSA/D for DSA/E for ECC] Please select [R/D/E]:
d
Enter password:
xxxx.txt 100% 261Bytes 1Kb/s
3.7.70 scp client-source
Function
The scp client-source command specifies the source IP address for the SCP client
to send packets.
The undo scp client-source command cancels the source IP address for the SCP
client to send packets.
The default source IP address of the SCP client is 0.0.0.0.
Format
scp client-source { -a source-ip-address [ public-net | -vpn-instance vpn-
instance-name ] | -i interface-type interface-number }
undo scp client-source
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 398
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Value
-a source-ip- Specifies the source IP address of -
address the SCP client. You are advised to
use the loopback interface IP
address.
public-net Indicates that the SCP server is -
connected to the public network.
-vpn-instance Specifies the name of the VPN The value is a string of
vpn-instance- instance where the SCP server is 1 to 31 case-sensitive
name located. characters except
spaces. When double
quotation marks are
used to include the
string, spaces are
allowed in the string.
The value _public_ is
reserved and cannot be
used as the VPN
instance name.
-i interface-type Specifies the type and number of a -
interface-number source interface.
The IP address configured for this
interface is the source IP address
for sending packets. If no IP
address is configured for the source
interface, the SCP connection
cannot be set up.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If no source IP address is specified, the client uses the source IP address that the
router specifies to send packets. The source IP address must be configured for an
interface with stable performance. The loopback interface is recommended. Using
the loopback interface as the source interface simplifies the ACL rule and security
policy configuration. This shields the IP address differences and interface status
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 399
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
impact, filters incoming and outgoing packets, and implements security
authentication.
Before specifying the parameter vpn-instance vpn-instance-name, ensure that a
VPN instance has been configured.
If you use -i to specify a logical interface as the source interface, ensure that the
logical interface has been created successfully.
Prerequisites
VPN configuration must be successful, to configure the vpn instance using this
command.
Precautions
● The scp command also configures the source IP address whose priority is
higher than that of the source IP address specified in the scp client-source
command. If you specify source addresses in the scp client-source and scp
commands, the source IP address specified in the scp command is used for
data communication. The source address specified in the scp client-source
command applies to all SCP connections. The source address specified in the
scp command applies only to the current SCP connection.
● If the specified source interface has been bound to a VPN instance, the client
is automatically bound to the same VPN instance.
● After a bound VPN instance is deleted, the VPN configuration specified using
the scp client-source command will not be cleared but does not take effect.
In this case, the SCP server uses a public IP address. If you configure the VPN
instance with the same name again, the VPN function restores.
● After the bound source interface is deleted, the interface configuration in the
ssh server-source command will not be deleted and does not take effect.
After the source interface with the same name is reconfigured, the function
will be restored.
Example
# Set the source IP address of the SCP client to the loopback interface IP address
10.1.1.1.
<HUAWEI> system-view
[~HUAWEI] scp client-source -a 10.1.1.1
3.7.71 scp max-sessions
Function
The scp max-sessions command sets the maximum number of SCP clients
allowed to connect to an SCP server concurrently.
The undo scp max-sessions command restores the default number of SCP clients
allowed to connect to an SCP server concurrently.
By default, a maximum of 2 SCP clients are allowed to connect to an SCP server
concurrently.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 400
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Format
scp max-sessions max-session-count
undo scp max-sessions
Parameters
Parameter Description Value
max-session-count Specifies the number of The value is an integer
SCP clients allowed to that ranges from 0 to 5.
connect to an SCP server The default value is 2.
concurrently.
Views
System view
Default Level
3: Management level
Usage Guidelines
This command limits the number of SCP clients connecting to an SCP server.
This command takes effect for both ipv4 and ipv6 connections.
NOTE
If the configured limit is smaller than the number of currently connected SCP clients, the SCP
clients are not disconnected, but new SCP clients cannot be connect to the SCP server.
Example
# Set the number of SCP clients allowed to connect to an SCP server to 5.
<HUAWEI> system-view
[~HUAWEI] scp max-sessions 5
3.7.72 scp server enable
Function
The scp server enable command enables the SCP service on the SSH server.
The undo scp server enable command disables the SCP service on the SSH server.
By default, the SCP function is disabled.
Format
scp [ ipv4 | ipv6 ] server enable
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 401
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
undo scp [ ipv4 | ipv6 ] server enable
Parameters
Parameter Description Value
ipv4 Specifies IPv4 server. -
ipv6 Specifies IPv6 server. -
Views
System view
Default Level
3: Management level
Usage Guidelines
SCP is used to copy, upload, and download files based on the SSH remote copy
function. The SCP file copy command is easy to use, improving network
maintenance efficiency.
Run scp server enable command can enable both IPv4 and IPv6 SCP server. Run
scp ipv4 server enable command to enable IPv4 SCP server. Run scp ipv6 server
enable command to enable IPv6 SCP server.
To connect the client to the SSH server to transfer files in SCP mode, you must
first enable the SCP server on the SSH server.
In V200R002C50 and V200R003C00, you can run the scp [ ipv4 | ipv6 ] server
enable command to enable the SCP function. If the current version is downgraded
to V200R001C00 or an earlier version, this configuration will be lost, so you need
to run the scp server enable command again. In V200R005C00, you can run the
scp ipv4 server enable command to enable the IPv4 SCP function, or run the scp
ipv6 server enable command to enable the IPv6 SCP function (IPv4 SCP and IPv6
SCP functions are not enabled simultaneously). If the current version is
downgraded to V200R001C00 or an earlier version, this configuration will be lost,
so you need to run the scp server enable command again.
Example
# Enable the SCP service.
<HUAWEI> system-view
[~HUAWEI] scp server enable
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 402
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3.7.73 set configuration appdata auto-check enable
Function
The set configuration appdata auto-check enable command enables the
function to automatically check whether data in the service process database is
the same as that in the central database.
The undo set configuration appdata auto-check enable command disables the
function to automatically check whether data in the service process database is
the same as that in the central database.
By default, this function is disabled.
Format
set configuration appdata auto-check enable
undo set configuration appdata auto-check enable
Parameters
none
Views
System view
Default Level
2: Configuration level
Task Name and Operations
Task Name Operations
config write
Usage Guidelines
Usage Scenario
The device data is saved in the central database and service process databases.
Each service process database needs to synchronize data from the central
database. If the data in a service process database is inconsistent with that in the
central database, the host behaviors may not meet operator expectations, causing
service function exceptions. Therefore, automatic data verification needs to be
enabled to periodically check data consistency between service process databases
and the central database. If any inconsistency is detected, an alarm is reported
immediately, notifying you of analyzing the impact on services timely. You can
restart the board or device to rectify the fault.
To enable or disable the automatic data verification function, run this command.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 403
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Example
# Disable the function to automatically check whether data in the service process
database is the same as that in the central database.
<HUAWEI> system-view
[~HUAWEI] undo set configuration appdata auto-check enable
3.7.74 set net-manager vpn-instance
Function
The set net-manager vpn-instance command configures the default VPN
instance that the NMS uses on the device.
The undo set net-manager vpn-instance command deletes the default VPN
instance from the device.
By default, no VPN instance is configured on the device.
Format
set net-manager [ ipv6 ] vpn-instance vpn-instance-name
undo set net-manager [ ipv6 ] vpn-instance
Parameters
Parameter Description Value
ipv6 Specifies the IPv6 -
VPN instance.
vpn-instance Specifies the name of The value is a string of 1 to 31 case-
vpn-instance- the default VPN sensitive characters except spaces.
name instance. When double quotation marks are used
to include the string, spaces are
allowed in the string. The value
_public_ is reserved and cannot be used
as the VPN instance name.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If the NMS manages devices on the VPN network, you need to send the device
information to the NMS using the VPN instance.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 404
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
You can run the set net-manager vpn-instance command to configure the
default VPN instance for the NMS to manage the device so that the device can
use this VPN instance to communicate with the NMS.
Precautions
● Before running the set net-manager vpn-instance command, you must
create VPN instances.
● If the host has been configured as a log host, the NMS can receive device logs
from the default VPN instance.
● The VPN configured using the set net-manager vpn-instance command
affects the following service modules: TFTP client, FTP client, SFTP client, SCP
client, Info Center module, SNMP module, TACACS module, IP FPM module,
PM module, Callhome module of the SSH server.
● After a bound VPN instance is deleted, the VPN configuration specified using
the set net-manager command will not be cleared but does not take effect.
In this case, the server uses a public IP address. If you configure the VPN
instance with the same name again, the VPN function restores.
Example
# Set the default VPN instance to v1.
<HUAWEI> system-view
[~HUAWEI] set net-manager vpn-instance v1
3.7.75 sftp
Function
The sftp command connects the device to the SSH server so that you can manage
files that are stored on the SFTP server.
Format
# Connect the SFTP client to the SFTP server based on IPv4.
sftp [ -a source-address | -i interface-type interface-number | -force-receive-
pubkey ] host-ip [ port ] [ [ public-net | -vpn-instance vpn-instance-name ] |
prefer_kex kex-type | prefer_ctos_cipher cipher-type | prefer_stoc_cipher cipher-
type | prefer_ctos_hmac hmac-type | prefer_stoc_hmac hmac-type |
prefer_ctos_compress compress-type | prefer_stoc_compress compress-type | -ki
aliveinterval | -kc alivecountmax | identity-key { dsa | ecc | rsa | pki } | user-
identity-key { dsa | ecc | rsa | pki } ] *
# Connect the SFTP client to the SFTP server based on IPv6.
sftp ipv6 [ -force-receive-pubkey ] [ -a source-address ] host-ipv6 [ [ public-net |
-vpn-instance vpn-instance-name ] [ -oi interface-type interface-number ]
[ port ] [ prefer_kex kex-type | prefer_ctos_cipher cipher-type |
prefer_stoc_cipher cipher-type | prefer_ctos_hmac hmac-type | prefer_stoc_hmac
hmac-type | prefer_ctos_compress compress-type | prefer_stoc_compress
compress-type | -ki aliveinterval | -kc alivecountmax | identity-key { dsa | ecc | rsa
| pki } | user-identity-key { dsa | ecc | rsa | pki } ] ] *
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 405
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Value
-a source-address Specifies the source IP -
address for connecting
to the SFTP client. You
are advised to use the
loopback interface IP
address.
-i interface-type Specifies the source -
interface-number interface type and ID.
You are advised to use
the loopback interface.
The IP address
configured for this
interface is the source IP
address for sending
packets. If no IP address
is configured for the
source interface, the
SFTP connection cannot
be set up.
If the source interface is
specified using -i
interface-type interface-
number, the -vpn-
instance vpn-instance-
name and public-net
parameters are not
supported.
-force-receive-pubkey Indicates that a server -
forcibly receives public
key authentication.
host-ip Specifies the IP address The value is a string of 1 to
or host name of the 255 case-sensitive
remote IPv4 SFTP server. characters without spaces.
When quotation marks are
used around the string,
spaces are allowed in the
string.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 406
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
host-ipv6 Specifies the IPv6 The value is a string of 1 to
address or host name of 255 case-sensitive
the remote IPv6 SFTP characters without spaces.
server. When quotation marks are
used around the string,
spaces are allowed in the
string.
-oi interface-type Specifies an outbound -
interface-number interface on the local
device.
If the remote host uses
an IPv6 address, you
must specify the
outbound interface on
the local device.
port Specifies the port The value is an integer that
number of the SSH ranges from 1 to 65535. The
server. default port number is 22.
public-net Specifies the SFTP server -
on the public network.
You must set the public-
net parameter when the
SFTP server IP address is
a public network IP
address.
-vpn-instance vpn- Name of the VPN The VPN must already exist.
instance-name instance where the SFTP
server is located.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 407
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
prefer_kex kex-type Specifies the preferred The key exchange
key exchange algorithm. algorithms include:
● dh-exchange-group-
sha256
● ecdh-sha2-nistp256
● ecdh-sha2-nistp384
● ecdh-sha2-nistp521
● sm2_kep
The default key exchange
algorithm is sm2_kep, ecdh-
sha2-nistp521, ecdh-sha2-
nistp384, ecdh-sha2-
nistp256, dh-exchange-
group-sha256.
NOTE
When the public key algorithm
on the server is ecc, the
sm2_kep algorithm is
preferred.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 408
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
prefer_ctos_cipher Specify an encryption The encryption algorithms
cipher-type algorithm for include:
transmitting data from ● 3des
the client to the server.
● aes128
● aes256
● arcfour128
● arcfour256
● aes128_ctr
● aes256_ctr
● aes128_gcm
● aes256_gcm
● aes192_ctr
The default encryption
algorithm is aes256_ctr.
NOTE
Encryption algorithms
supported depend on the ssh
client cipher command
configured by the user.
You are advised to use
aes128_ctr, aes256_ctr,
aes128_gcm, aes256_gcm, and
aes192_ctr encryption
algorithms to ensure high
security.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 409
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
prefer_stoc_cipher Specify an encryption The encryption algorithms
cipher-type algorithm for include:
transmitting data from ● 3des
the server to the client.
● aes128
● aes256
● arcfour128
● arcfour256
● aes128_ctr
● aes256_ctr
● aes128_gcm
● aes256_gcm
● aes192_ctr
The default encryption
algorithm is aes256_ctr.
NOTE
Encryption algorithms
supported depend on the ssh
client cipher command
configured by the user.
You are advised to use
aes128_ctr, aes256_ctr,
aes128_gcm, aes256_gcm, and
aes192_ctr encryption
algorithms to ensure high
security.
prefer_ctos_hmac Specify an HMAC The HMAC algorithms
hmac-type algorithm for include:
transmitting data from ● md5
the client to the server.
● md5_96
● sha1
● sha1_96
● sha2_256
● sha2_256_96
● sha2_512
The default HMAC
algorithm is sha2_256.
NOTE
HMAC algorithm supported
depend on the ssh client
hmac command configured by
the user.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 410
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
prefer_stoc_hmac Specify an HMAC The HMAC algorithms
hmac-type algorithm for include:
transmitting data from ● md5
the server to the client.
● md5_96
● sha1
● sha1_96
● sha2_256
● sha2_256_96
● sha2_512
The default HMAC
algorithm is sha2_256.
NOTE
HMAC algorithm supported
depend on the ssh client
hmac command configured by
the user.
prefer_ctos_compress Specifies the preferred The value of this parameter
compress-type compression algorithm can only be set to zlib in
from the client to the the current version.
server.
prefer_stoc_compress Specifies the preferred The value of this parameter
compress-type compression algorithm can only be set to zlib in
from the server to the the current version.
client.
-ki aliveinterval Specifies the interval for The value is an integer that
sending keepalive ranges from 1 to 3600, in
packets when no packet seconds.
is received in reply.
-kc alivecountmax Specifies the times for The value is an integer that
sending keepalive ranges from 1 to 30. The
packets when no packet default value is 3.
is received in reply.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 411
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
identity-key Specifies the public key The public key algorithm
algorithm for the can be one of the following:
authentication on the
server. ● dsa
● ecc
● rsa
● pki
The default public key
algorithm is ecc.
NOTE
Public key algorithm supported
depend on the ssh client
publickey command
configured by the user.
user-identity-key Indicates the public key The public key algorithm
for the user can be one of the following:
authentication.
● dsa
● ecc
● rsa
● pki
The default public key
algorithm is ecc.
NOTE
Public key algorithm supported
depend on the ssh client
publickey command
configured by the user.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
SFTP is short for SSH FTP that is a secure FTP protocol. SFTP is on the basis of
SSH. It ensures that users can log in to a remote device securely for file
management and transmission, and enhances the security in data transmission. In
addition, you can log in to a remote SSH server from the device that functions as
an SFTP client.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 412
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
When the connection between the SFTP server and client fails, the SFTP client
must detect the fault in time and disconnect from the SFTP server. To ensure this,
before being connected to the server in SFTP mode, the client must be configured
with the interval and times for sending the keepalive packet when no packet is
received in reply. If the client receives no packet in reply within the specified
interval, the client sends the keepalive packet to the server again. If the maximum
number of times that the client sends keepalive packets exceeds the specified
value, the client releases the connection. By default, when no packet is received,
the function for sending keepalive packets is not enabled.
Precautions
● You can set the source IP address to the source or destination IP address in
the ACL rule when the -a or -i parameter is specified. This shields the IP
address differences and interface status impact, filters incoming and outgoing
packets, and implements security authentication.
● The SSH client can log in to the SSH server with no port number specified
only when the port number of the SSH server is 22. If the SSH server uses
another port, the port number must be specified when SSH clients log in to
the SSH server.
● If you cannot run the sftp command successfully when you configured the
ACL on the SFTP client, or when the TCP connection fails, an error message is
displayed indicating that the SFTP client cannot be connected to the server.
NOTE
To ensure high security, do not use the des algorithm, 3des algorithm, and rsa algorithm
whose length is less than 2048 digits.
Example
# Set the current listening port number of the SSH server to 1025, and specify the
SFTP client on the public network and the SSH server on the private network.
<HUAWEI> system-view
[~HUAWEI] sftp 10.164.39.223 1025 -vpn-instance ssh
Trying 10.164.39.223 ...
Press CTRL+K to abort
Connected to 10.164.39.223 ...
Please input the username: client001
Please select public key type for user authentication [R for RSA/D for DSA/E for ECC] Please select [R/D/E]:
d
Enter password:
sftp-client>
# Set keepalive parameters when the client is connected to the server in SFTP
mode.
<HUAWEI> system-view
[~HUAWEI] sftp 10.164.39.223 -ki 10 -kc 4
Trying 10.164.39.223 ...
Press CTRL+K to abort
Connected to 10.164.39.223 ...
Please input the username: client001
Please select public key type for user authentication [R for RSA/D for DSA/E for ECC] Please select [R/D/E]:
d
Enter password:
sftp-client>
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 413
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3.7.76 sftp client-source
Function
The sftp client-source command specifies the source IP address used by the SFTP
client to send packets.
The undo sftp client-source command restores the default source IP address used
by the SFTP client to send packets.
The default source IP address used by the SFTP client to send packets is 0.0.0.0.
Format
sftp client-source { -a source-ip-address [ public-net | -vpn-instance vpn-
instance-name ] | -i interface-type interface-number }
undo sftp client-source
Parameters
Parameter Description Value
-a source-ip- Specifies the IP address of the SFTP The value is in dotted
address client as the source IP address. decimal notation.
public-net Indicates that the source address of -
packets sent by the client is a
public address.
This parameter is mandatory when
you run this command to configure
the source address of packets as
the public address.
-vpn-instance Specifies the VPN instance name. The value is a string of 1
vpn-instance- to 31 case-sensitive
name characters except
spaces. When double
quotation marks are
used to include the
string, spaces are
allowed in the string.
The value _public_ is
reserved and cannot be
used as the VPN
instance name.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 414
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
-i interface-type Specifies the source interface. -
interface-number
The IP address configured for the
source interface is the source IP
address for sending packets. If no
IP address is configured for the
source interface, the SFTP
connection cannot be set up.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If no source IP address is specified, the client uses the source IP address that the
router specifies to send packets. The source IP address must be configured for an
interface with stable performance. The loopback interface is recommended. Using
the loopback interface as the source interface simplifies the ACL rule and security
policy configuration. This shields the IP address differences and interface status
impact, filters incoming and outgoing packets, and implements security
authentication.
Precautions
● If the specified source interface has been bound to a VPN instance, the client
is automatically bound to the same VPN instance.
● If the specified source interface has been bound to a VPN instance, for
example, vpn1, but a different VPN instance, for example, vpn2, is specified in
the sftp client-source{ -a source-ip-address-vpn-instance vpn-instance-
name } command, the VPN instance vpn2 takes effect.
● You can query the source IP address or primary IP address of the source
interface for the SFTP connection on the SFTP server.
● The sftp command also configures the source IP address whose priority is
higher than that of the source IP address specified in the sftp client-source
command. If the sftp command is run after a source IP address has been
specified using the sftp client-source command, the source IP address
specified using the sftp command is used for communication. The source
address specified in the sftp client-source command applies to all SFTP
connections; the source address specified in the sftp command applies only to
the current SFTP connection.
● After the bound source interface is deleted, the interface configuration in the
ssh server-source command will not be deleted and does not take effect.
After the source interface with the same name is reconfigured, the function
will be restored.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 415
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Example
# Set the source IP address of the SFTP client to 10.1.1.1.
<HUAWEI> system-view
[~HUAWEI] sftp client-source -a 10.1.1.1
Info: Succeeded in setting the source address of the SFTP client to 10.1.1.1.
3.7.77 sftp client-transfile
Function
The sftp client-transfile command uploads files from an SFTP client to an SFTP
server or downloads files from an SFTP server to an SFTP client.
Format
# Establish an IPv4 SFTP connection and upload or download files.
sftp client-transfile { get | put } [ -a source-address | -i interface-type interface-
number ] host-ip host-ipv4 [ port ] [ [ public-net | -vpn-instance vpn-instance-
name | prefer_kex prefer_kex | identity-key { rsa | dsa | ecc | pki } |
prefer_ctos_cipher prefer_ctos_cipher | prefer_stoc_cipher prefer_stoc_cipher |
prefer_ctos_hmac prefer_ctos_hmac | prefer_stoc_hmac prefer_stoc_hmac | -ki
interval | -kc count ] ] * username user-name password password sourcefile
source-file [ destination destination ]
# Establish an IPv6 SFTP connection and upload or download files.
sftp client-transfile { get | put } ipv6 [ -a source-ipv6-address ] host-ip host-ipv6
[ -oi interface-type interface-number ] [ port ] [ [ public-net | -vpn-instance vpn-
instance-name | prefer_kex prefer_kex | identity-key { rsa | dsa | ecc } |
prefer_ctos_cipher prefer_ctos_cipher | prefer_stoc_cipher prefer_stoc_cipher |
prefer_ctos_hmac prefer_ctos_hmac | prefer_stoc_hmac prefer_stoc_hmac | -ki
interval | -kc count ] ] * username user-name password password sourcefile
source-file [ destination destination ]
Parameters
Parameter Description Value
get Downloads files from an -
SFTP server to an SFTP
client.
put Uploads files from an SFTP -
client to an SFTP server.
-a source-address Specifies the source IP The value is in dotted
address of an SFTP client. decimal notation.
-i interface-type Specifies the source interface -
interface-number of an SFTP client.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 416
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
host-ip host-ipv4 Specifies the IPv4 address or -
host name of an SFTP server.
port Specifies the listening port The value is an integer
number of the SSH server. ranging from 1 to 65535.
The default value is 22.
If the listening port number
of the SFTP server is 22, the
port number is optional for
the SFTP client to log in to
the server. Otherwise, the
port number is mandatory
for the SFTP client to log in
to the server.
public-net Establishes the SFTP -
connection on a public
network.
-vpn-instance vpn- Specifies a VPN instance The value is a string of 1
instance-name name to establish the SFTP to 31 case-sensitive
connection on the VPN. characters. It cannot
contain spaces.
NOTE
If the string is enclosed in
double quotation marks ("
"), the string can contain
spaces.
prefer_kex prefer_kex Specifies preferred key Preferred key exchange
exchange algorithms. algorithms supported
depend on the ssh client
key-exchange command
settings.
identity-key { rsa | dsa Specifies public key Currently, PKI, RSA, DSA
| ecc | pki } algorithms for server and ECC algorithms are
authentication. supported. The default
public key algorithm is
ECC.
NOTE
For security purposes, do
not use the RSA algorithm
whose modulus bit value is
less than 2048. You are
advised to use the ECC
algorithm instead.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 417
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
prefer_ctos_cipher Specifies preferred Preferred encryption
prefer_ctos_cipher encryption algorithms for algorithms supported
the packets sent by the depend on the ssh client
client to the server. cipher command
settings.
prefer_stoc_cipher Specifies preferred Preferred encryption
prefer_stoc_cipher encryption algorithms for algorithms supported
the packets sent by the depend on the ssh client
server to the client. cipher command
settings.
prefer_ctos_hmac Specifies preferred HMAC Preferred HMAC
prefer_ctos_hmac algorithms for the packets algorithms supported
sent by the client to the depend on the ssh client
server. hmac command settings.
prefer_stoc_hmac Specifies preferred HMAC Preferred HMAC
prefer_stoc_hmac algorithms for the packets algorithms supported
sent by the server to the depend on the ssh client
client. hmac command settings.
-ki interval Specifies a period, during The value is an integer
which if no data is received ranging from 1 to 3600,
from the server, the client in seconds. The default
sends keepalive packets to value is 60 seconds.
the server.
-kc count Specifies the allowed The value is an integer
maximum number of ranging from 1 to 30. The
failures to receive the default value is 5.
server's responses to
keepalive packets sent by
the client.
username user-name Specifies a user name for an The value is a string of 1
SFTP connection. to 255 case-sensitive
characters.
NOTE
If the string is enclosed in
double quotation marks ("
"), the string can contain
spaces.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 418
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
password password Specifies the password for The value is a string of 1
an SFTP connection. to 128 case-sensitive
characters. It cannot
contain spaces.
NOTE
If the string is enclosed in
double quotation marks ("
"), the string can contain
spaces.
sourcefile source-file Specifies the absolute path The value is a string of 1
of the source file for file to 256 characters case-
upload or download. insensitive characters. It
cannot contain spaces.
destination Specifies the absolute path The value is a string of 1
destination of the destination file for file to 256 characters case-
upload or download. insensitive characters. It
cannot contain spaces.
If destination destination is
not specified, the name of
the file downloaded from or
uploaded to the SFTP server
is the same as that on the
server.
ipv6 Indicates that the SFTP -
server is an IPv6 server.
-oi interface-type Specifies the source IPv6 -
interface-number interface of an SFTP client.
If host-ipv6 is a link-local
IPv6 address, the interface
name corresponding to the
link-local address must be
specified. If host-ipv6 is not
a link-local IPv6 address, no
interface name needs to be
specified.
host-ip host-ipv6 Specifies the IPv6 address or -
host name of an SFTP server.
-a source-ipv6-address Specifies the source address The value is a 32-digit
of an SFTP IPv6 client. hexadecimal number, in
the format X:X:X:X:X:X:X:X.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 419
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Views
System view
Default Level
3: Management level
Task Name and Operations
Task Name Operations
ssh-client debug
Usage Guidelines
Usage Scenario
To upload files from an SFTP client to an SFTP server or download files from an
SFTP server to an SFTP client, run the sftp client-transfile command. This
command can be run only on an SFTP client.
If you run the sftp command for file transfer, you need to enter the user name
and password as prompted first. Files can be transferred only after the
authentication succeeds. The sftp client-transfile command supports one-click
file transfer. Specifically, file transfer requires that the command be run only once.
Prerequisites
● There are reachable routes between the SSH client and server.
● The SSH server IP address and SSH user information used for login are
obtained.
● The SFTP service is enabled on the server; the service types configured for the
server include SFTP; password authentication is configured for the SSH user.
Precautions
● If the command fails to be executed due to ACL configurations on the SFTP
client or the TCP connection fails, the system displays an error message
indicating that the connection to the server fails.
● If the connection between the SFTP server and the client fails, it is required
that the client detect the fault in time and tear down the connection. To
achieve this, before the client logs in to the server through SFTP, configure an
interval at which keepalive packets are sent if no data is received and the
maximum number of times that the server does not respond. If the client
does not receive any data within the specified period, it sends a keepalive
packet to the server. If the maximum number of times that the server does
not respond exceeds the specified value, the client tears down the connection.
● If the source interface is specified using -i interface-type interface-number,
the -vpn-instance vpn-instance-name parameter is not supported.
● This command is used to connect to the server and transfer files. Password
authentication is required for login.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 420
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Example
# Configure an SFTP user to download the source file sample.txt from the server
at 10.1.1.2 to the SFTP client.
<HUAWEI> system-view
[~HUAWEI] ip vpn-instance ssh
[*HUAWEI-vpn-instance-ssh] ipv4-family
[*HUAWEI-vpn-instance-ssh-af-ipv4] commit
[~HUAWEI-vpn-instance-ssh-af-ipv4] quit
[~HUAWEI-vpn-instance-ssh] quit
[~HUAWEI] sftp client-transfile get host-ip 10.1.1.2 1025 -vpn-instance ssh username switch password
Huawei-123 sourcefile sample.txt
# Configure an SFTP user to download the source file sample.txt from the server
at 10.1.1.3 to the SFTP client. Set the -ki interval and -kc count to 10s and 4,
respectively.
<HUAWEI> system-view
[~HUAWEI] sftp client-transfile get host-ip 10.1.1.3 -ki 10 -kc 4 username switch password
Huawei-123 sourcefile sample.txt
# Configure an SFTP user to download the source file sample.txt from the server
at 10.1.1.4 to the SFTP client, and log in to the SFTP server in DSA authentication
mode.
<HUAWEI> system-view
[~HUAWEI] sftp client-transfile get host-ip 10.1.1.4 identity-key dsa username switch password
Huawei-123 sourcefile sample.txt
# Configure an SFTP user to upload the sample.txt file to the SFTP server whose
IPv6 address is 2001:db8::1, and log in to the SFTP server in DSA authentication
mode.
<HUAWEI> system-view
[~HUAWEI] sftp client-transfile put ipv6 host-ip 2001:db8::1 identity-key dsa username switch
password Huawei-123 sourcefile sample.txt
3.7.78 sftp idle-timeout
Function
The sftp idle-timeout command configures the idle timeout duration for
disconnecting to the SFTP client from the SSH server.
The undo sftp idle-timeout command restores the default idle timeout duration.
By default, the timeout period is 10 minutes.
Format
sftp idle-timeout minutes [ seconds ]
undo sftp idle-timeout
Parameters
Parameter Description Value
minutes Specifies the idle timeout The value is an integer that ranges
minutes. from 0 to 35791.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 421
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
seconds Specifies the idle timeout It is an integer that ranges from 0 to
seconds. 59.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run the undo sftp idle-timeout command to configure the idle timeout
duration to disconnect the SFTP client from the SSH server when an SFTP user
does not perform any operation within the specified duration.
Precautions
If you run the sftp idle-timeout 0 0 command, the idle timeout function is
disabled.
This command takes effect for both ipv4 and ipv6 connections.
Example
# Set the idle timeout duration to 1 minute and 30 seconds.
<HUAWEI> system-view
[~HUAWEI] sftp idle-timeout 1 30
3.7.79 sftp max-sessions
Function
The sftp max-sessions command configures the maximum number of server
connections in SFTP mode.
The undo sftp max-sessions command restores the maximum number of server
connections in SFTP mode to the default value.
By default, a maximum of five servers can be connected in SFTP mode.
Format
sftp max-sessions max-session-count
undo sftp max-sessions
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 422
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Value
max-session-count Specifies the maximum The value is an integer that
number of server connections ranges from 0 to 15.
in SFTP mode.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run the sftp max-sessions command to configure the maximum number
of SSH server connections in SFTP mode to prevent the heavy load resulting from
excessive accesses, and it takes effect for both IPv4 and IPv6 connections.
Precautions
If the maximum number is smaller than that of the current value, the current
connection persists and no connection can be set up.
Example
# Set the maximum number of server connections to 10.
<HUAWEI> system-view
[~HUAWEI] sftp max-sessions 10
3.7.80 sftp server enable
Function
The sftp server enable command enables the SFTP service on the SSH server.
The undo sftp server enable command disables the SFTP service on the SSH
server.
By default, the SFTP service is disabled.
Format
sftp [ ipv4 | ipv6 ] server enable
undo sftp [ ipv4 | ipv6 ] server enable
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 423
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Value
ipv4 Specifies IPv4 server. -
ipv6 Specifies IPv6 server. -
Views
System view
Default Level
3: Management level
Usage Guidelines
To connect the client to the SSH server to transfer files in SFTP mode, you must
first enable the SFTP server on the SSH server.
Run sftp server enable command can enable both IPv4 and IPv6 SFTP server. Run
sftp ipv4 server enable command to enable IPv4 SFTP server. Run sftp ipv6
server enable command to enable IPv6 SFTP server.
NOTICE
Disabling the SFTP service on the server disconnects all the clients connected
through SFTP.
In V200R002C50 and V200R003C00, you can run the sftp [ ipv4 | ipv6 ] server
enable command to enable the SFTP function. If the current version is
downgraded to V200R001C00 or an earlier version, this configuration will be lost,
so you need to run the sftp server enable command again. In V200R005C00, you
can run the sftp ipv4 server enable command to enable the IPv4 SFTP function,
or run the sftp ipv6 server enable command to enable the IPv6 SFTP function
(IPv4 SFTP and IPv6 SFTP functions are not enabled simultaneously). If the current
version is downgraded to V200R001C00 or an earlier version, this configuration
will be lost, so you need to run the sftp server enable command again.
Example
# Enable the SFTP service.
<HUAWEI> system-view
[~HUAWEI] sftp server enable
Info: Succeeded in starting the SFTP server.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 424
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3.7.81 sftp server default-directory
Function
The sftp server default-directory command configures the default authorized
directory of the SFTP server.
The undo sftp server default-directory command cancels the configured default
authorized directory of the SFTP server.
By default, the default authorized directory of the SFTP server is not configured.
Format
sftp server default-directory sftpdir
undo sftp server default-directory [ sftpdir ]
Parameters
Parameter Description Value
sftpdir Configures the default authorized The directory of the server
directory of the SFTP server. must already exist.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When accessing the server using SFTP, you can only access the authorized
directory of the SFTP server. You can use any of the following methods to
configure the authorized directory of the SFTP server. The three methods are in
descending order of priorities.
● Run the ssh user username sftp-directory directoryname command in the
system view to configure the authorized directory of the SFTP server for a
specified user.
● Run the local-user user-name ftp-directory directory command in the AAA
view to configure the authorized directory of the FTP server for a specified
user.
● Run the sftp server default-directory sftpdir command in the system view to
configure the global and default authorized directory of the SFTP server.
The authorized directory configured using the ssh user sftp-directory command
has the highest priority and takes effect only for specified SSH users. The
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 425
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
authorized directory configured using the sftp server default-directory command
has the lowest priority and takes effect for all SSH users. For example, if
directoryA is configured for the user client001 using the ssh user client001 sftp-
directory directoryA command, and directoryB is also configured for the user
client001 using the local-user client001 ftp-directory directoryB command in
the AAA view, the authorized directory that takes effect for the user client001 is
directoryA. If the authorized directories of the SFTP server and the FTP server are
not configured, the authorized directory configured using the sftp server default-
directory command is used.
Precautions
This command takes effect for both ipv4 and ipv6 SFTP servers.
In versions earlier than V200R001C00, the default access path of the device is
flash:/. In V200R001C00 and later versions, the SFTP access path is empty by
default. Therefore, if you perform file operations using SFTP on a device running a
version earlier than V200R001C00 and the authorized directory of the SFTP server
is not configured, the default access path flash:/ is used.
● When the device is upgraded to V200R001C00 or V200R002C50, you need to
manually configure the ssh user username sftp-directory flash: command.
● When the device is upgraded to V200R003C00 or a later version, the sftp
server default-directory flash: command is automatically configured in the
system to ensure that users can properly access the device using SFTP after
the upgrade, which requires no attention.
Example
# Set the default authorized directory of the SFTP server for SSH users to flash:.
<HUAWEI> system-view
[~HUAWEI] sftp server default-directory flash:
3.7.82 ssh user sftp-directory
Function
The ssh user sftp-directory command configures the SFTP service authorized
directory for an SSH user.
The undo ssh user sftp-directory command cancels the SFTP service authorized
directory for an SSH user.
By default, the authorized directory of the SFTP service for the SSH user is not
configured.
Format
ssh user username sftp-directory directoryname
undo ssh user username sftp-directory
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 426
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Value
username Specifies the SSH user The value is a string of 1 to 253 case-
name. insensitive characters without spaces.
When double quotation marks are
used around the string, spaces are
allowed in the string.
directoryname Specifies the directory The SFTP must already exist.
name on the SFTP
server.
Views
System view
Default Level
3: Management level
Usage Guidelines
Users can only access the specified directory on the SFTP server. If the username
user does not exist, the system creates an SSH user named username and uses the
SFTP service authorized directory configured for the user. If the configured
directory does not exist, the SFTP client fails to connect to the SSH server using
this SSH user.
The command takes effect for both ipv4 and ipv6 functions.
In versions earlier than V200R001C00, the default access path of the device is
flash:/. In V200R001C00 and later versions, the SFTP access path is empty by
default. Therefore, if you perform file operations using SFTP on a device running a
version earlier than V200R001C00 and the authorized directory of the SFTP server
is not configured, the default access path flash:/ is used.
● When the device is upgraded to V200R001C00 or V200R002C50, you need to
manually configure the ssh user username sftp-directory flash: command.
● When the device is upgraded to V200R003C00 or a later version, the sftp
server default-directory flash: command is automatically configured in the
system to ensure that users can properly access the device using SFTP after
the upgrade, which requires no attention.
Example
# Configure the SFTP service authorized directory flash:/ssh for the SSH user
admin.
<HUAWEI> system-view
[~HUAWEI] ssh user admin sftp-directory flash:/ssh
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 427
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3.7.83 tail
Function
The tail command displays information in a file.
Format
tail file-name [ line ]
Parameters
Parameter Description Value
file-name Specifies the name of a The value is a string in the [ drive ]
file. [ path ] [ file-name ] format. An absolute
path name is a string of 1 to 255
characters. A relative path name is a string
of 1 to 128 characters. Up to 8 levels of
directories are supported. The path must
already exist.
line Specifies the number of The value is an integer ranging from 0 to
lines of information to 2147483647. By default, if this parameter
be viewed. The number is not selected, information in the last 10
of lines is counted lines is displayed.
backwards from the last
line in the file.
Views
User view
Default Level
3: Management level
Usage Guidelines
You can run the tail command to view information in a file or in the last several
lines of the file.
Example
# Display information in the last two lines of the rpm.log file.
<HUAWEI> tail rpm.log 2
[140808-07:52:26] [RPM][SIGN] RPM ReqAppDBRspHandle RequestType:2, RequestId:10001, RcvTransNo:
655458744,SndTransNo:655458744,Session:655458744
[140808-07:52:27] [RPM][ERR] File:autoconfig.py does exist in the filelist in node /opt/svrp/router1/1-17/
vrpv8/home/$_system for osnode:273 when add file [PID(25786): LinuxError(0)]
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 428
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3.7.84 tftp
Function
The tftp command uploads a file to the TFTP server or downloads a file to the
local device.
Format
# Upload a file to the TFTP server or download a file to the local device based on
the IPv4 address
tftp [ -a source-ip-address | -i interface-type interface-number ] tftp-server [ vpn-
instance vpn-instance-name | public-net ] { get | put } source-filename
[ destination-filename ]
# Upload a file to the TFTP server or download a file to the local device based on
the IPv6 address
tftp ipv6 [ -a source-ipv6-address ] tftp-server-ipv6 [ vpn-instance vpn-instance-
name | public-net ] [ -oi interface-type interface-number ] { get | put } source-
filename [ destination-filename ]
Parameters
Parameter Description Value
-a source-ip- Specifies the source IP address for -
address connecting to the TFTP client. You
are advised to use the loopback
interface IPv4 address.
-a source-ipv6- Specifies the source IPv6 address -
address for connecting to the TFTP client.
You are advised to use the
loopback interface IP address.
-i interface-type Specifies the source interface used -
interface- by the TFTP client to set up
number connections. It consists of the
interface type and number. It is
recommended that you specify a
loopback interface.
The IP address configured for this
interface is the source IP address
for sending packets. If no IP
address is configured for the
source interface, the TFTP
connection cannot be set up.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 429
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
tftp-server Specifies the IPv4 address or host -
name of the TFTP server.
NOTE
You can run the display dns dynamic-
host or display ip host command to
view the mapping between the IP
address and host name.
tftp-server-ipv6 Specifies the IPv6 address for the -
TFTP server.
vpn-instance Name of the VPN instance where The value is a string of 1
vpn-instance- the TFTP server is located. to 31 case-sensitive
name characters except spaces.
When double quotation
marks are used to include
the string, spaces are
allowed in the string. The
value _public_ is reserved
and cannot be used as the
VPN instance name.
public-net Indicates that the TFTP server on -
the public network is connected.
get Download a file. -
put Upload a file. -
source-filename Specifies the source file name. The value is a string of 1
to 128 case-sensitive
characters without spaces.
It can contain
alphanumeric and special
characters. The source-
filename must already
exist.
destination- Specifies the destination file name. The value is a string of 1
filename to 128 case-sensitive
characters without spaces.
It can contain
alphanumeric and special
characters. By default,
source and destination file
names are the same.
Views
User view
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 430
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When upgrading the system, you can run the tftp command to upload an
important file to the TFTP server or download a system software to the local
device.
Precautions
● When you run the tftp command to upload a file to the TFTP server in TFTP
mode, files are transferred in binary mode by default. The tftp does not
support the ASCII mode for file transfer.
● After specifying a source IP address, you can use this IP address to
communicate with the server and implement packet filtering to ensure data
security.
Example
# Download file vrpcfg.txt from the root directory of the TFTP server to the local
device. The IP address of the TFTP server is 10.1.1.1. Save the downloaded file to
the local device as file vrpcfg.bak.
<HUAWEI> tftp 10.1.1.1 get vrpcfg.txt flash:/vrpcfg.bak
# Upload file vrpcfg.txt from the root directory of the storage device to the
default directory of the TFTP server. The IP address of the TFTP server is 10.1.1.1.
Save file vrpcfg.txt on the TFTP server as file vrpcfg.bak.
<HUAWEI> tftp 10.1.1.1 put flash:/vrpcfg.txt vrpcfg.bak
3.7.85 tftp client source
Function
The tftp client source command specifies the source IP address for the TFTP client
to send packets.
The undo tftp client source command restores the default source IP address for
the TFTP client to send packets.
The default source IP address for the TFTP client to send packets is 0.0.0.0.
Format
tftp client source { -a source-ip-address | -i interface-type interface-number }
undo tftp client source
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 431
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Value
-a source-ip- The value is
Specifies the source IP address of the TFTP
address in dotted
client. You are advised to use the loopback
decimal
interface IP address.
notation.
-i interface-type Specifies the source interface type and -
interface-number interface number to establish the connection
with the server.
The IP address configured for this interface is
the source IP address for sending packets. If
no IP address is configured for the source
interface, the TFTP connection cannot be set
up.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If no source IP address is specified, the client uses the source IP address that the
router specifies to send packets. The source IP address must be configured for an
interface with stable performance. The loopback interface is recommended. Using
the loopback interface as the source interface simplifies the ACL rule and security
policy configuration. This shields the IP address differences and interface status
impact, filters incoming and outgoing packets, and implements security
authentication.
Precautions
● The tftp command also configures the source IP address whose priority is
higher than that of the source IP address specified in the tftp client source
command. If you specify source addresses in the tftp client source and tftp
commands, the source IP address specified in the tftp command is used for
data communication. The source address specified in the tftp client source
command applies to all TFTP connections. The source address specified in the
tftp command applies only to the current TFTP connection.
● You can query the source IP address or source interface IP address specified in
the TFTP connection on the TFTP server.
● After the bound source interface is deleted, the interface configuration in the
ssh server-source command will not be deleted and does not take effect.
After the source interface with the same name is reconfigured, the function
will be restored.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 432
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
● The command takes effect for ipv4 functions.
● If the specified source interface has been bound to a VPN instance, the client
is automatically bound to the same VPN instance.
Example
# Set the source IP address of the TFTP client to 10.1.1.1.
<HUAWEI> system-view
[~HUAWEI] tftp client source -a 10.1.1.1
Info: Succeeded in setting the source address of the TFTP client to 10.1.1.1.
3.7.86 tftp server acl
Function
The tftp server acl command specifies the ACL number or ACL name for the local
device so that the device can access TFTP servers with the same ACL number or
ACL name.
The undo tftp server acl command deletes the ACL number or ACL name from
the local device.
By default, no ACL number or ACL name is specified on the local client.
Format
tftp server [ ipv6 ] acl { acl-number | acl-name }
undo tftp server [ ipv6 ] acl
Parameters
Parameter Description Value
acl-number Specifies the number of The value is an integer that ranges from
the ACL. 2000 to 2999.
acl-name Specifies the ACL name. The value is a string of 1 to 32 case-
sensitive characters except spaces. The
value must start with a letter or digit,
and cannot contain only digits.
ipv6 Specifies the IPv6 address -
of a specific server.
Views
System view
Default Level
3: Management level
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 433
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Usage Guidelines
Usage Scenario
To ensure the security of the local device, you need to run the tftp-server acl
command to specify an ACL to specify TFTP servers that the local device can
access.
Precautions
The tftp-server acl command takes effect only after you run the rule (ACL view)
or rule (ACL6 view) command to configure the rule. If no rule is configured, the
local device can access a specified TFTP server in TFTP mode.
If no rule is configured, the incoming and outgoing calls are not restricted after
the command tftp-server acl is run.
Example
# Allow the local device to the access the TFTP server whose ACL number is 2000.
<HUAWEI> system-view
[~HUAWEI] acl 2000
[*HUAWEI-acl4-basic-2000] rule permit source 10.10.10.1 0
[*HUAWEI-acl4-basic-2000] quit
[*HUAWEI] tftp server acl 2000
3.7.87 undelete
Function
The undelete command restores a file that has been temporally deleted and
moved to the recycle bin.
Format
undelete { filename | devicename }
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 434
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Value
filename Specifies the An absolute path name is a string of 1 to 255
name of a file to characters. A relative path name is a string of 1
be restored. to 128 case-sensitive characters without spaces
in the [ drive ] [ path ] file name format. Up to
8 levels of directories are supported. When
quotation marks are used around the string,
spaces are allowed in the string.
In the preceding parameter, drive specifies the
storage device name, and path specifies the
directory and subdirectory.
You are advised to add : and / between the
storage device name and directory. Characters ?
~ * / \ : ' " | < > [ ] cannot be used in the
directory name.
devicename Specifies the -
storage device
name.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run the undelete command to restore a file that has been temporally
deleted and moved to the recycle bin. However, files that are permanently deleted
by running the delete or reset recycle-bin command with the /unreserved
parameter cannot be restored.
The following describes the drive name.
● drive is the storage device and is named as flash:.
● If devices are stacked, drive can be named as:
– flash: root directory of the flash memory of the master switch in the
stack.
– chassis ID#flash: root directory of the flash memory on a device in the
stack.
For example, slot2#flash: indicates the flash memory in slot 2.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 435
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
The path can be an absolute path or relative path. A relative path can be
designated relative to either the root directory or the current working directory. A
relative path beginning with a slash (/) is a path relative to the root directory.
● flash:/my/test/ is an absolute path.
● /selftest/ is a path relative to the root directory and indicates the selftest
directory in the root directory.
● selftest/ is a path relative to the current working directory and indicates the
selftest directory in the current working directory.
Like devicename, drive specifies the storage device name.
Precautions
● To display information about a temporally deleted file, run the dir /all
command. The file name is displayed in square brackets ([ ]).
Example
# Restore file sample.bak from the recycle bin.
<HUAWEI> undelete sample.bak
Info: Are you sure to undelete flash:/sample.bak ?[Y/N]:y
Info: Undeleting file flash:/sample.bak......Done.
# Restore a file that has been moved from the root directory to the recycle bin.
<HUAWEI> undelete flash:
Info: Are you sure to undelete flash:/test.txt?[Y/N] :y
Info: Undeleting file flash:/test.txt......Done.
Info: Are you sure to undelete flash:/rr.bak?[Y/N]:y
Info: Undeleting file flash:/rr.bak......Done.
3.7.88 unzip
Function
The unzip command decompresses a file.
Format
unzip source-filename destination-filename [ password password ]
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 436
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Value
source- Specifies the name An absolute path name is a string of 1 to 255
filename of a source file to characters. A relative path name is a string of
be decompressed. 1 to 128 case-sensitive characters without
spaces in the [ drive ] [ path ] file name
format. Up to 8 levels of directories are
supported. When quotation marks are used
around the string, spaces are allowed in the
string.
In the preceding parameter, drive specifies
the storage device name, and path specifies
the directory and subdirectory.
You are advised to add : and / between the
storage device name and directory.
Characters ? ~ * / \ : ' " | < > [ ] cannot be
used in the directory name.
destination- Specifies the name An absolute path name is a string of 1 to 255
filename of a destination characters. A relative path name is a string of
file that is 1 to 128 case-sensitive characters without
decompressed. spaces in the [ drive ] [ path ] file name
format. Up to 8 levels of directories are
supported. When quotation marks are used
around the string, spaces are allowed in the
string.
In the preceding parameter, drive specifies
the storage device name, and path specifies
the directory and subdirectory.
You are advised to add : and / between the
storage device name and directory.
Characters ? ~ * / \ : ' " | < > [ ] cannot be
used in the directory name.
password Specifies the The password is a string of 8 to 20 characters
password password for an containing two or more types of digits,
encrypted uppercase letters, lowercase letters, and
compressed file. special characters.
Views
User view
Default Level
3: Management level
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 437
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Usage Guidelines
Usage Scenario
You can decompress files, especially log files that are stored on the storage device
and run the more command to query the file.
If the target file requires high security, you are advised to encrypt the file. unzip
can decompress compressed files encrypted in AES-256 mode.
The following describes the drive name.
● drive is the storage device and is named as flash:.
● If devices are stacked, drive can be named as:
– flash: root directory of the flash memory of the master switch in the
stack.
– chassis ID#flash: root directory of the flash memory on a device in the
stack.
For example, slot2#flash: indicates the flash memory in slot 2.
The path can be an absolute path or relative path. A relative path can be
designated relative to either the root directory or the current working directory. A
relative path beginning with a slash (/) is a path relative to the root directory.
● flash:/my/test/ is an absolute path.
● /selftest/ is a path relative to the root directory and indicates the selftest
directory in the root directory.
● selftest/ is a path relative to the current working directory and indicates the
selftest directory in the current working directory.
Precautions
● If the destination file path is specified while the file name is not specified, the
designation file name is the same as the source file name.
● The source file persists after being decompressed.
● The compressed file must be a .zip file. If a file to be decompressed is not a
zip file, the system displays an error message during decompression.
● The source file must be a single file. If you attempt to decompress a directory
or multiple files, the decompression cannot succeed.
Example
# Decompress log file syslogfile-2012-02-27-17-47-50.zip that are stored in the
syslogfile directory and save it to the root directory as file log.txt.
<HUAWEI> pwd
flash:/syslogfile
<HUAWEI> unzip syslogfile-2012-02-27-17-47-50.zip flash:/log.txt
Info: Extract flash:/syslogfile/syslogfile-2012-02-27-17-47-50.zip to flash:/log.txt?[Y/N]:y
100% complete
Info: Decompressed file flash:/syslogfile/syslogfile-2012-02-27-17-47-50.zip to flash
:/log.txt...Done
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 438
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3.7.89 user
Function
The user command changes the current FTP user when the local device is
connected to the FTP server.
Format
user user-name
Parameters
Parameter Description Value
user-name Specifies the name of a The value is a string of 1 to 255 case-
login user. insensitive characters.
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run the user command to change the current user on the FTP server.
Precautions
After you run the user command to change the current user, a new FTP
connection is set up, which is the same as that you specify in the ftp command.
Example
# Log in to the FTP server using the user name tom.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):switch
331 Password required for switch.
Enter password:
230 User logged in.
[ftp] user tom
331 Password required for tom.
Enter password:
230 User logged in.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 439
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3.7.90 verbose
Function
The verbose command enables the verbose function on the FTP client.
The undo verbose command disables the verbose function.
By default, the verbose function is enabled.
Format
verbose
undo verbose
Parameters
None
Views
FTP client view
Default Level
3: Management level
Usage Guidelines
After the verbose function is enabled, all FTP response messages are displayed on
the FTP client.
Example
# Enable the verbose function.
<HUAWEI> ftp 10.137.217.201
Trying 10.137.217.201 ...
Press CTRL + K to abort
Connected to 10.137.217.201.
220 FTP service ready.
User(10.137.217.201:(none)):switch
331 Password required for switch.
Enter password:
230 User logged in.
[ftp] verbose
Info: Succeeded in switching verbose on.
[ftp] get h1.txt
200 Port command okay.
150 Opening ASCII mode data connection for h1.txt.
226 Transfer complete.
FTP: 69 byte(s) received in 0.160 second(s) 431.25byte(s)/sec.
# Disable the verbose function.
[ftp] undo verbose
Info: Succeeded in switching verbose off.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 440
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
[ftp] get h1.txt
FTP: 69 byte(s) received in 0.150 second(s) 460.00byte(s)/sec.
3.7.91 zip
Function
The zip command compresses a file.
The unzip command decompresses a file.
Format
zip source-filename destination-filename [ password password ]
unzip source-filename destination-filename [ password password ]
Parameters
Parameter Description Value
source- Specifies the An absolute path name is a string of 1 to 255
filename name of a characters. A relative path name is a string of 1
source file to be to 128 case-sensitive characters without spaces
compressed. in the [ drive ] [ path ] file name format. Up
to 8 levels of directories are supported. When
quotation marks are used around the string,
spaces are allowed in the string.
In the preceding parameter, drive specifies the
storage device name, and path specifies the
directory and subdirectory.
You are advised to add : and / between the
storage device name and directory. Characters ?
~ * / \ : ' " | < > [ ] cannot be used in the
directory name.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 441
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
destination- Specifies the An absolute path name is a string of 1 to 255
filename name of a characters. A relative path name is a string of 1
destination file to 128 case-sensitive characters without spaces
that is in the [ drive ] [ path ] file name format. Up
compressed. to 8 levels of directories are supported. When
quotation marks are used around the string,
spaces are allowed in the string.
In the preceding parameter, drive specifies the
storage device name, and path specifies the
directory and subdirectory.
You are advised to add : and / between the
storage device name and directory. Characters ?
~ * / \ : ' " | < > [ ] cannot be used in the
directory name.
password Specifies the The password is a string of 8 to 20 characters
password password for an containing two or more types of digits,
encrypted uppercase letters, lowercase letters, and special
compressed file. characters.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If the target file requires high security, you are advised to encrypt the file. Specify
the password parameter, the target file will be encrypted in AES-256 mode.
The following describes the drive name.
● drive is the storage device and is named as flash:.
● If devices are stacked, drive can be named as:
– flash: root directory of the flash memory of the master switch in the
stack.
– chassis ID#flash: root directory of the flash memory on a device in the
stack.
For example, slot2#flash: indicates the flash memory in slot 2.
The path can be an absolute path or relative path. A relative path can be
designated relative to either the root directory or the current working directory. A
relative path beginning with a slash (/) is a path relative to the root directory.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 442
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
● flash:/my/test/ is an absolute path.
● /selftest/ is a path relative to the root directory and indicates the selftest
directory in the root directory.
● selftest/ is a path relative to the current working directory and indicates the
selftest directory in the current working directory.
Precautions
● If the destination file path is specified while the file name is not specified, the
designation file name is the same as the source file name.
● The source file persists after being compressed.
● Directories cannot be compressed.
Example
# Compress file log.txt that is stored in the root directory and save it to the test
directory as file log.zip.
<HUAWEI> dir
Directory of flash:/
Idx Attr Size(Byte) Date Time FileName
0 -rw- 155 Dec 02 2011 01:28:48 log.txt
1 -rw- 9,870 Oct 01 2011 00:22:46 patch.pat
2 drw- - Mar 22 2012 00:00:48 test
3 -rw- 836 Dec 22 2011 16:55:46 rr.dat
...
670,092 KB total (569,904 KB free)
<HUAWEI> zip log.txt flash:/test/log.zip
Info: Compress flash:/log.txt to flash:/test/log.zip? [Y/N]:y
100% complete
Info: Compress file flash:/log.txt to flash:/test/log.zip...Done.
<HUAWEI> cd test
<HUAWEI> dir
Directory of flash:/test/
Idx Attr Size(Byte) Date Time FileName
0 -rw- 836 Mar 20 2012 19:49:14 test
1 -rw- 239 Mar 22 2012 20:57:38 test.txt
2 -rw- 1,056 Dec 02 2011 01:28:48 log.txt
3 -rw- 240 Mar 22 2012 21:23:46 log.zip
670,092 KB total (569,903 KB free)
3.8 System Startup Configuration Commands
3.8.1 clear configuration commit
Function
The clear configuration commit command deletes the label of a configuration
rollback point specified in the system or the earliest configuration rollback point
generated in the system.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 443
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Format
clear configuration commit { commit-id label | oldest number-of-commits }
Parameters
Parameter Description Value
commit-id label Deletes the label of a The value is an integer that the
specified configuration system generates automatically.
rollback point.
Run the display configuration
commit list command to check the
configuration rollback points.
oldest number- Specifies the number of The value is an integer that ranges
of-commits the earliest configuration from 1 to 80.
rollback points to be
deleted.
Views
User view
Default Level
2: Configuration level
NOTE
If use the oldest parameter, this command is at the management level.
Usage Guidelines
Usage Scenario
To reduce the information amount in the system buffer, run this command to
delete one or more earliest configuration rollback points that are generated.
Configuration rollback points in the system can be classified into those with labels
and those without any label.
● You can run the clear configuration commit commit-id label command to
delete the label of a specified configuration rollback point.
● You can run the clear configuration commit oldest number-of-commits
command to delete a configuration rollback point without any label. After the
clear configuration commit oldest number-of-commits command is run,
configuration rollback points with labels become discontinuous configuration
rollback points. If you run the display configuration commit list command
to check the configuration rollback points, values of the CommitId fields of
these discontinuous configuration rollback points in the command output are
marked with an asterisk (*).
In normal cases, you do not need to run this command to delete the earliest
rollback points from the list. The system will automatically delete the earliest
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 444
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
rollback points before generating new points if the number of rollback points in
the list reaches the upper limit (80).
Prerequisites
Make sure that the configuration rollback point can be deleted by running the
display configuration commit list or display configuration commit changes
command to check the system configuration change in the rollback point.
Follow-up Procedure
Run the display configuration commit list command to check whether the
configuration rollback point has been deleted.
Example
# Delete the configuration rollback point numbered 1000000265.
<HUAWEI> clear configuration commit 1000000265 label
3.8.2 clear configuration commit label
Function
The clear configuration commit label command deletes a configuration rollback
point with a specified user label.
Format
clear configuration commit label label-name
Parameters
Parameter Description Value
label-name Specifies a user The value is a string of 1 to 256 case-sensitive
label for a characters. It can be any visible ASCII character
configuration except for the space. However, the string can
rollback point. contain spaces if it is enclosed with double
quotation marks (" "). The string cannot start
with a digit or be a hyphen (-).
NOTE
The value of this parameter must be an existing
configuration rollback point on the device. Otherwise,
the command cannot be executed.
Views
User interface view
Default Level
2: Configuration level
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 445
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Task Name and Operations
Task Name Operations
config write
Usage Guidelines
Usage Scenario
To delete a useless configuration rollback point with a specified label, run the
clear configuration commit command. The system can generate a maximum of
20 configuration rollback points with labels, 10 periodic configuration rollback
points, and five historical periodic configuration rollback points. If a configuration
rollback point is no longer useful, run this command to clear it to reduce the
system cache information.
Precautions
After a configuration rollback point is deleted, system configurations cannot be
rolled back to what they were at this configuration rollback point by running
rollback commands.
Run the display configuration commit list and display configuration changes
commands to display information about the configuration rollback point. Checking
the command output helps prevent misoperations.
Example
# Delete the configuration rollback point with the label named new_label.
<HUAWEI> clear configuration commit label new_label
Warning: The current operation will delete the rollback checkpoint. Continue? [Y/N]: y
3.8.3 check module
Function
The check module command checks module package integrity.
Format
check module { file-name | startup }
Parameters
Parameter Description Value
file-name Specifies the name of the patch The value is a string of 5 to 127
package to be checked. case-sensitive characters without
spaces. The value of the patch
name is a string of 5 to 63
characters.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 446
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
startup Checks the integrity of the -
patch package used for the
next startup.
Views
User view
Default Level
3: Management level
Task Name and Operations
Task Name Operations
patch execute
Usage Guidelines
Before you load a module package, run the check module command to check
whether the package is damaged. If the module package is not damaged, a
message is displayed indicating that the package is complete. Otherwise, a
message is displayed indicating that the package is incomplete. If the specified
module package name does not exist, a message is displayed indicating that the
package does not exist. If you specify the startup parameter without setting any
next-startup module package, a message is displayed indicating that the required
module package does not exist. In this case, run the install-module file-name
[ next-startup ] command to specify the next-startup module package.
Example
# Check module package integrity when no module package exists.
<HUAWEI> check module startup
Error: No module exists.
# Check the integrity of the next-startup module package with digital signatures.
<HUAWEI> check module startup
Warning: Package verification consumes system CPU resources. Continue? [Y/N]: Y
Info: Prepare to check file flash:/$_install_mod/TEST.MOD, please wait…done.
Info: Digital signature verification of the system module succeeded.
# Check the integrity of a specified module package with digital signatures.
<HUAWEI> check module TEST.MOD
Warning: Package verification consumes system CPU resources. Continue? [Y/N]: Y
Info: Prepare to check file flash:/$_install_mod/TEST.MOD, please wait…done.
Info: Digital signature verification of the system module succeeded.
# Check the integrity of the next-startup common module package.
<HUAWEI> check module startup
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 447
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Warning: Package verification consumes system CPU resources. Continue? [Y/N]: Y
Info: Prepare to check file flash:/$_install_mod/TEST.MOD, please wait…done.
Info: The module is complete.
# Check the integrity of a specified common module package.
<HUAWEI> check module TEST.MOD
Warning: Package verification consumes system CPU resources. Continue? [Y/N]: Y
Info: Prepare to check file flash:/$_install_mod/TEST.MOD, please wait…done.
Info: The module is complete.
3.8.4 check patch
Function
The check patch command checks the integrity of a patch package.
Format
check patch { file-name | startup }
Parameters
Parameter Description Value
file-name Specifies the name of the The name of the patch must
patch package to be checked. already exist. It is in the format of
[ drive ] [ path ] filename. If
[ drive ] is not specified, the name
of the default storage device is
used.
startup Checks the integrity of the -
patch package used for the
next startup.
Views
User view
Default Level
3: Management level
Usage Guidelines
To check whether the patch package is damaged before installing it, run the check
patch command. If the patch package is not damaged, a message indicating that
the patch package is complete is displayed. Otherwise, a message indicating that
the patch package is incomplete is displayed. If the specified patch package does
not exist, a message indicating that the patch package does not exist is displayed.
If you specify the startup parameter without setting any next-startup patch file, a
message is displayed indicating that the required patch file does not exist. In this
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 448
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
case, run the startup patch file-name all command to specify a next-startup
patch package.
Example
# Check the integrity of the patch package named CE-V200R003SPH001.PAT.
<HUAWEI> check patch CE-V200R003SPH001.PAT
Warning: Patch package verification consumes system CPU resources. Continue? [Y/N]: y
# Check the integrity of the patch package used for the next startup.
<HUAWEI> check patch startup
Warning: Patch package verification consumes system CPU resources. Continue? [Y/N]: y
3.8.5 check system-software
Function
The check system-software command checks the integrity of the system software
package.
Format
check system-software system-file
Parameters
Parameter Description Value
system-file Specifies the name of the The name of the system software
system software package package must already exist. It is in the
on which an integrity format of [ drive ] [ path ] filename. If
check is performed. [ drive ] is not specified, the name of
the default storage device is used.
Views
User view
Default Level
3: Management level
Usage Guidelines
Before switching the system software package, you can run this command to
check whether the system software package is destroyed. If the system software
package is not destroyed, the system prompts that the system software package
passes the check. Otherwise, the system prompts that the system software
package is incomplete. If the entered name of the system software package does
not exist, the system prompts that the check is mistaken. Make sure that the
system software package has existed on the device before running this command.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 449
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Example
# Check the integrity of the system software package CE-V200R003C00.cc.
<HUAWEI> check system-software CE-V200R003C00.cc
3.8.6 clear inactive-configuration
Function
The clear inactive-configuration command clears the inactive configuration
information about a device or subcard that is not in position.
Format
clear inactive-configuration { slot slot-id [ card card-card-number ] | all |
chassis chassis-id }
Parameters
Parameter Description Value
slot slot-id Clears the inactive configuration The value is an integer
information about the specified and the value range
device that is not in position. depends on the device
model.
all Clears the inactive configuration -
information about all the devices
that are not in position.
chassis chassis- Specifies the stack ID of the device. The value range depends
id on the device
NOTE
configuration.
This parameter takes effect only on a
stacked device.
card card- Clears the inactive configuration The value range depends
number information about the specified on the device
subcard. configuration.
NOTE
This parameter is supported only on the
device on which subcards can be
installed.
Views
System view
Default Level
3: Management level
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 450
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Usage Guidelines
Usage Scenario
When a device or subcard is replaced, if you do not want to save the current
configuration information, run this command to clear the inactive configuration
information about the device or subcard that is not in position.
Precautions
For a device on which no subcard can be installed, this command can be used only
in a stack.
Before clearing the inactive configuration information about a device or subcard,
ensure that the device or subcard is not in position.
After this command is run, the inactive configuration information about the device
or subcard will be cleared. The system will display an error message when you
commit other uncommitted configurations that depend on the inactive
configuration information, and the commit operation fails.
Example
# Clear the inactive configuration information about the device that is not in
position.
<HUAWEI> system-view
[~HUAWEI] clear inactive-configuration slot 1
Warning: The inactive configuration of slot 1 will be deleted and can't be restored.
Are you sure to continue?[Y/N] y
The command will takes a few minutes, please wait..
Info: Succeeding in clearing the inactive configuration.
3.8.7 configuration checkpoint auto-save disable
Function
The configuration checkpoint auto-save disable command disables a device
from automatically generating a configuration rollback point.
The undo configuration checkpoint auto-save disable command enables a
device to automatically generate a configuration rollback point.
By default, a device is enabled to automatically generate a configuration rollback
point.
Format
configuration checkpoint auto-save disable
undo configuration checkpoint auto-save disable
Parameters
None
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 451
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Views
System view
Default Level
3: Management level
Task Name and Operations
Task Name Operations
config write
Usage Guidelines
After configurations are committed on a device, the device automatically
generates a configuration rollback point and allocates an ID to identify the
rollback point. If you find that configurations are incorrect or a fault caused by
configurations affects network running, you can roll the configurations back to a
specified configuration rollback point in batches.
If you run the configuration checkpoint auto-save disable command and then
the commit command, no configuration rollback point is automatically generated.
However, if you run the undo configuration checkpoint auto-save disable
command and then the commit command, a configuration rollback point is
automatically generated.
Example
# Disable a device from automatically generating a configuration rollback point.
<HUAWEI> system-view
[~HUAWEI] configuration checkpoint auto-save disable
3.8.8 configuration current backup-to-server monthly
Function
The configuration current backup-to-server monthly command enables the
function to upload a configuration file to the server on a specific date and time
every month.
The undo configuration current backup-to-server monthly command disables
this function.
By default, the function to upload a configuration file to the server on a specific
date and time every month is disabled.
Format
configuration current backup-to-server monthly date date-value [ time time-
value ]
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 452
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
undo configuration current backup-to-server monthly
Parameters
Parameter Description Value
date date-value Specifies a date. The value is an integer ranging from 1 to
31.
time time-value Specifies a time The value is expressed in the format of
point. HH:MM:SS, where HH:MM:SS indicates a
second-specific time point. HH ranges from
0 to 23, and MM and SS both range from 0
to 59. The default value is 00:00:00.
Views
System view
Default Level
3: Management level
Task Name and Operations
Task Name Operations
config debug
Usage Guidelines
To upload a configuration file to the server on a specific date and time every
month, run the configuration current backup-to-server monthly command.
The configuration file generated after this command is a .dat file, and the
generated time is local time.
Example
# Upload a configuration file to the server at 12:12:12 on the first day every
month.
<HUAWEI> system-view
[~HUAWEI] configuration current backup-to-server monthly date 1 time 12:12:12
3.8.9 configuration file auto-save
Function
The configuration file auto-save command enables the function of saving system
configurations periodically.
The undo configuration file auto-save command disables the function of saving
system configurations periodically.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 453
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
By default, the system does not periodically save configurations.
Format
configuration file auto-save [ interval interval | cpu-limit cpu-usage | delay
delay-interval ] *
configuration file auto-save { interval | cpu-limit | delay } default
undo configuration file auto-save
Parameters
Parameter Description Value
interval interval Specifies the interval for The value is an integer that
saving configurations. ranges from 30 to 43200, in
minutes. The default value is
30.
cpu-limit cpu- Specifies the threshold of the The value is an integer that
usage CPU usage during the ranges from 1 to 100. The
periodic save operation. default value is 50.
delay delay- Specifies the delay in The value is an integer that
interval automatic backup after the ranges from 1 to 60, in
configuration changes. minutes. The default value is
five minutes. The value of
delay-interval must be less than
the value of interval.
default Restores the default values -
for the parameters of the
automatic save function.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
After this command enables the function of saving system configurations
periodically, the configuration file will not be lost if the device is powered off or
restarts.
If the configuration file auto-save command is not executed, the system does
not enable the function of saving system configurations periodically. In this case,
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 454
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
the configuration file auto-save { interval | cpu-limit | delay } default
command does not take effect.
If the configuration file auto-save command is executed, the system compares
the configuration files before saving configurations. If the configurations do not
change, the system does not save the configurations.
● You can specify interval interval to set the interval for periodically saving
configurations. If interval is not specified, the default interval (30 minutes) is
used.
● If cpu-limit cpu-usage is specified, the automatic save function does not
affect system performance. After the automatic save timer is triggered, the
system cancels the current automatic save operation if the system CPU usage
is detected to be higher than the upper limit. The default upper limit of the
CPU usage is 50% for the automatic save function.
● After delay delay-interval is specified, the system saves the changed
configurations after the specified delay. The default value is 5 minutes.
● If the interval interval and delay delay-interval parameters are both set, the
parameter in which the configured interval first expires triggers the
configuration save operation. When the interval configured in the other
parameter expires, the system checks configurations again. It performs a save
operation only when detecting a configuration change.
The undo configuration file auto-save command disables the automatic save
function.
Configuration Impact
After the autosave function is configured, the system automatically saves
configurations to the server configuration file when the current running
configuration file is different from the server configuration file and the interval
configured in the interval interval or delay delay-interval parameter expires, no
matter whether the save operation has been manually saved.
Follow-up Procedure
Run the display saved-configuration configuration command to check the
configurations about the periodic save function.
Precautions
After the automatic save function is enabled, the configurations are saved in the
configuration file for the next startup. The content in the configuration file
changes when the configuration changes. The system cancels the automatic save
operation when:
● Content is being written into the configuration file.
● The configurations are being recovered.
● The CPU usage is excessively high.
Example
# Set the automatic save interval to 60 minutes.
<HUAWEI> system-view
[~HUAWEI] configuration file auto-save interval 60
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 455
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
# Configure the system to save the new configuration 3 minutes after the
configuration changes at an interval of 10 hours when the upper limit of the CPU
usage is 60%.
<HUAWEI> system-view
[~HUAWEI] configuration file auto-save interval 600 delay 3 cpu-limit 60
3.8.10 copy startup
Function
The copy startup command copies the configuration file and specifies the file
copy as the configuration file for next startup.
Format
copy source-filename startup destination-filename [ slot slot-id | all ]
Parameters
Parameter Description Value
source-filename Specifies the name of The value is a string of 1
the source file to be to 255 case-sensitive
copied. characters without
spaces. The format is
[path]+file name. The
value does not support
the following characters:
~?*/\:'"|<>[]
destination-filename Specifies the name of The value is a string of 5
the destination file. to 64 case-sensitive
characters without
spaces. No path can be
specified. The value does
not support the
following characters: ~ ?
*/'"|<>[]
slot slot-id Copies a file to a device The value is an integer
that is installed in the or a character string. You
specified slot. can enter a question
mark (?) and select a
value from the displayed
value range.
all Copies a file to all -
member devices.
Views
User view
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 456
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To specify a configuration file as the next startup file, run this command to copy
the configuration file and set the file copy as the configuration file for next
startup. In this case, when configurations on the device are modified again, the
configuration file for next startup is not affected.
The configuration file name extension must be .zip, .dat, or .cfg.
● A configuration file with the file name extension .cfg is a text file, and you
can view the file content in the text file. After the file is specified as the
configuration file for next startup, the system restores all commands in the
file one by one during a startup.
● A .cfg file is compressed to a .zip file that occupies less space. After being
specified as the configuration file, the .zip file is decompressed to the .cfg file
and the system restores all commands in the .cfg file one by one during
startup.
● A .dat file is a binary file. If the startup software version and the .dat file
version are the same, the system restores all configurations in the .dat file in
batches when the device starts. This speeds up the system startup. If the
startup software version and the .dat file version are different, the system
restores configurations using commands in the .dat file.
Follow-up Procedure
Run the reboot command to restart the device.
Precautions
● When using a .dat file, do not manually modify the content of the file;
otherwise, the file may fail to be loaded during the startup and the device is
started without any configuration file.
● You must store the source file in the flash directory.
● When this command and the startup saved-configuration command are
configured, the later configuration takes effect.
Example
# Copy the oldvrp.cfg file and specify the file copy as the configuration file for
next startup.
<HUAWEI> copy oldvrp.cfg startup newvrp.cfg all
Are you sure to copy flash:/oldvrp.cfg to flash:/newvrp.cfg and specify newvrp.cfg as the configuration file
for next startup? [Y/N]: y
Info: Operating, please wait for a moment....
Info: Copying file flash:/oldvrp.cfg to flash:/newvrp.cfg...Done.
Info: Succeeded in setting the configuration for booting system.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 457
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3.8.11 configuration file auto-save backup-to-server
Function
The configuration file auto-save backup-to-server command specifies the server
where the system periodically saves the configuration file.
The undo configuration file auto-save backup-to-server command cancels the
server where the system periodically saves the configuration file.
By default, the system does not periodically save configurations to the server.
Format
configuration file auto-save backup-to-server server server-ip [ vpn-instance
vpn-instance-name ] transport-type { { ftp | sftp } [ port port-value ] user user-
name password password | tftp } [ path folder ]
undo configuration file auto-save backup-to-server server [ server-ip | server-ip
vpn-instance vpn-instance-name [ port port-value ] ]
Parameters
Parameter Description Value
server server-ip Specifies the IP address of -
the server where the system
periodically saves the
configuration file.
vpn-instance Specifies the name of the The value is a string of 1 to 31
vpn-instance- VPN instance. case-sensitive characters except
name spaces. When double quotation
marks are used to include the
string, spaces are allowed in the
string. The value _public_ is
reserved and cannot be used as
the VPN instance name.
transport-type Specifies the mode in which The value can be ftp, sftp, or
the configuration file is tftp. To ensure file transfer
transmitted to the server. security, use the SFTP method.
port port-value Specifies the port number The value is an integer ranging
used to send a configuration from 1 to 65535.
file to a server.
user user-name Specifies the name of the The value is a string of 1 to 64
user who saves the characters without spaces.
configuration file on the
server.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 458
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
password Specifies the password of The value is a string of case-
password the user who saves the sensitive characters without
configuration file on the spaces. It can be a plaintext
server. string of 1 to 255 characters or a
ciphertext string of 20 to 432
characters.
A 24-character ciphertext
password configured in an earlier
version is also supported in this
version.
When double quotation marks
are used around the string,
spaces are allowed in the string.
path folder Specifies the relative save The value is a string of 1 to 64
path on the server. case-sensitive characters.
If this parameter is not
specified, the FTP, SFTP, or
TFTP root path is enabled by
default.
Views
System view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Run this command to periodically save the configuration file to the server.
The configuration file generated after this command is run is in the same format
as the configuration file for the next startup. If the configuration file for the next
startup is a .dat file, the configuration file generated is also a .dat file. If the
configuration file for the next startup is a .cfg or .zip file, the configuration file
generated is a .zip file.
The configuration file is saved on the server as a compressed package. The
package is named in the format of YY-MM-DD.HH-MM-SS.device name.zip, for
example, 2012-10-25.15-13-37.HUAWEI.zip. After the package is decompressed,
the file with the file name extension of .cfg is the configuration file.
You can configure multiple servers running the configuration file auto-save
command several times.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 459
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
The periodic saving interval depends on the interval configured using the
configuration file auto-save command.
Precautions
● Before using this command, run the configuration file auto-save command;
and enable FTP, SFTP, or TFTP on the server, otherwise, the configuration file
auto-save backup-to-server command does not take effect. The system
cancels the operation of periodically saving the configuration file in the
following scenarios:
– The configuration file is being written.
– The LPU is recovering the configuration.
– The CPU usage is high.
● The system supports a maximum of five servers. The servers are independent
of each other. If the system fails to save configuration files to a server, the
system reports traps to the NMS and records logs.
● When configuration files are being uploaded, the system does not save
configurations to a server until the configuration files are uploaded.
● The user name and password must be the same as those used in FTP or SFTP
login mode.
● The time of the configuration file generated after this command is run is the
UTC.
● After a bound VPN instance is deleted, the VPN configuration specified using
the configuration file auto-save backup-to-server command will not be
cleared but does not take effect. If you configure the VPN instance with the
same name again, the VPN function restores.
● When you run this command to save configuration files to a server, the
system supports only the binary transmission mode. Therefore, the server
must support the binary transmission mode.
Example
# Specify the server to which the system periodically sends the configuration file,
and set the transmission mode to SFTP.
<HUAWEI> system-view
[~HUAWEI] configuration file auto-save
[*HUAWEI] configuration file auto-save backup-to-server server 10.1.1.1 transport-type sftp user
admin1234 password Helloworld@6789
3.8.12 display configuration
Function
The display configuration command displays the configuration in a specified
configuration file.
Format
display configuration configuration-file
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 460
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Value
configuration-file Specifies the name of The value is a string of 5 to 64 case-
an existing sensitive characters without spaces.
configuration file. The file name extension can
be .zip, .dat, or .cfg.
Views
All views
Default Level
3: Management level
Usage Guidelines
Usage Scenario
After a configuration file is saved using the save command, run the display
configuration command to view the configuration file.
The command output is relevant to user configuration. The command does not
display the default configuration.
Prerequisites
The specified configuration file exists.
Example
# Display the configuration file named vrpcfg.zip.
<HUAWEI> display configuration vrpcfg.zip
#
FTP server enable
#
...
aaa
local-user ftp password irreversible-cipher `xy$!D3>a#Oc5/Js:mGN*Ii8AZtE4Kb!0h*QS7J<wD(j-9oN^.5%!
@OKp,.5*YKuR
local-user ftp ftp-directory flash:/
local-user ftp service-type ftp
#
...
interface 10GE1/0/1
undo shutdown
ip address 10.1.1.200 255.255.255.0
#
...
interface LoopBack0
ip address 10.10.1.1 255.255.255.255
#
...
user-interface con 0
set authentication password cipher %$%$~^Mg.QBcGS^}H.Q*w~#*,JA8%$%$
history-command max-size 30
#
user-interface vty 0 14
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 461
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
user privilege level 3
idle-timeout 0 0
#
return
3.8.13 display configuration changes
Function
The display configuration changes command displays the difference between a
configuration file and the current running configuration file on the device.
Format
To display the difference based on the configuration file names, run:
display configuration changes [ running file file-name | file file-name running ]
To display the difference based on the user labels, run:
display configuration changes [ running label label | label label running ]
Parameters
Parameter Description Value
file file-name The name is a string of 5 to
Displays the difference between a
64 characters in the format
configuration file and the current
of *.zip, *.cfg, or *.dat. The
running configuration file.
file-name must already exist.
label label Displays the difference between The label must already exist.
the current running configuration
file and the configuration file
based on a specific user label.
Views
All views
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run the display configuration changes running file file-name command
to check the difference between the current running configuration file and a
specified configuration file.
You can run the display configuration changes file file-name running command
to check the difference between a specified configuration file and the current
running configuration file.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 462
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
The display configuration changes running label label command displays the
difference between the current configuration and the configuration of a specified
user label.
The display configuration changes label label running command displays the
difference between the configuration of a specified user label and the current
configuration.
This command can only compare the current running configuration file with a
configuration file. When you run this command, the first specified configuration
file is called source configuration, and the later specified configuration file is
called target configuration. If the target configuration is different from the source
configuration, the difference is displayed based on the following rules:
● An added command is displayed in the format of prefix+.
● A deleted command is displayed in the format of prefix-.
● If a command is modified, the original command is displayed in the format of
prefix-, and the new command is displayed in the format of prefix+.
Precautions
The specified configuration file specified by file-name must exist on the device.
Example
# Display the difference between the current running configuration file and the
configuration file a.cfg.
<HUAWEI> display configuration changes running file a.cfg
Building configuration
Warning: The specified configuration file is not the same as the current configuration. There are several
differences as follow:
#
+ sysname China
3.8.14 display configuration commit at at
Function
The display configuration commit at command displays all configurations of a
device at a specific configuration rollback point.
Format
display configuration commit at commit-id
Parameters
Parameter Description Value
commit-id Displays all configurations The value is an integer ranging from
of a device at a specific 1000000001 to 1999999999. A commit
configuration rollback ID is automatically generated by a
point. device and cannot be manually
modified.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 463
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Views
All views
Default Level
3: Management level
Usage Guidelines
After a user commits a command to a device, the device automatically generates
a configuration rollback point, which records the configuration changes and all
configurations at this point. You can run the display configuration commit at
command to view all configurations of the device at this point. So that if the
device has a fault, run the rollback configuration command to roll the device
back to the configurations before the fault occurs.
Example
# Display all configurations of a device at the 1000000481 configuration rollback
point.
<HUAWEI> display configuration commit at 1000000481
#
sysname HUAWEI
#
drop-profile default
#
diffserv domain default
#
aaa
#
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
domain default_admin
#
stack
#
stack member 1 domain 10
#
---- More ----
3.8.15 display configuration commit changes
Function
The display configuration commit changes command displays the configuration
change recorded at a configuration rollback point.
Format
display configuration commit changes [ at commit-id | since commit-id | last
number-of-commits ]
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 464
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Value
at commit-id Displays the configuration The value is an integer that the
change at a specified system generates automatically.
configuration rollback
point. Run the display configuration
commit list command to check the
configuration rollback points.
since commit-id Displays the configuration The value is an integer that the
changes from the system generates automatically.
specified configuration
rollback point to the Run the display configuration
current state. commit list command to check the
configuration rollback points.
last number-of- Displays the changes at The value is an integer that ranges
commits the specified number of from 1 to 80.
latest configuration
rollback points.
Views
All views
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Run this command to check the configuration changes when you need to restore
the system to a historical state because incorrect operations are performed on the
device or some configurations fail due to some faults.
Prerequisites
Configuration has been performed and the configuration rollback point has been
generated.
Follow-up Procedure
Recover or roll back the configuration after checking the configuration change.
Example
# Display the configuration change saved at the configuration rollback point
numbered 1000002001.
<HUAWEI> display configuration commit changes at 1000002001
Building configuration
#
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 465
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
+ interface Vlanif89
+ ip address 192.168.89.1 255.255.255.0
#
# Display the configuration changes from the specified configuration rollback
point to the latest rollback point.
<HUAWEI> display configuration commit changes since 1000001999
Building configuration
#
- vlan batch 10
#
+ vlan batch 10 89
#
+ interface Vlanif89
+ ip address 192.168.89.1 255.255.255.0
#
# Display the configuration changes at the latest three configuration rollback
points.
<HUAWEI> display configuration commit changes last 3
Building configuration
#
- vlan batch 10
#
+ vlan batch 10 89
#
+ interface Vlanif89
+ ip address 192.168.89.1 255.255.255.0
#
# Display the configuration changes at all configuration rollback points in the
current system.
<HUAWEI> display configuration commit changes
Building configuration
Commit changes of commitId 1000002001 2015-06-18
03:04:59
#
+ interface Vlanif89
+ ip address 192.168.89.1 255.255.255.0
#
Commit changes of commitId 1000002000 2015-06-18
03:04:30
Commit changes of commitId 1000001999 2015-06-18
03:01:59
#
- vlan batch 10
#
+ vlan batch 10 89
#
Commit changes of commitId 1000001998 2015-06-18 03:00:20
Commit changes of commitId 1000001997 2015-06-18 02:01:39
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 466
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Table 3-52 Description of the display configuration commit changes command
output
Item Description
Commit changes of commitId Number of a configuration rollback point,
which uniquely identifies the rollback point.
Run the display configuration commit list
command to check the configuration
rollback points.
- Deleted configuration.
For the modified configuration, - indicates
the old configuration and + indicates the
new configuration.
+ Added configuration.
For the modified configuration, - indicates
the old configuration and + indicates the
new configuration.
3.8.16 display configuration candidate changes
Function
The display configuration candidate changes command displays the difference
between the candidate configuration and current running configuration.
Format
display configuration candidate changes
Parameters
None
Views
All views except the user view
Default Level
3: Management level
Task Name and Operations
Task Name Operations
config read
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 467
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Usage Guidelines
Usage Scenario
Before committing a set of configuration, run the display configuration
candidate changes command to view the difference between the candidate
configuration and current running configuration.
This command displays the difference between the configuration in the
<candidate/> configuration database and that in the <running/> configuration
database. If a configuration difference exists, the command output is displayed as
follows:
● Commands that exist in the candidate configuration rather than the current
running configuration are prefixed with "+".
● Commands that exist in the current running configuration rather than the
candidate configuration are prefixed with "-".
● If a command in the current running configuration is modified in the
candidate configuration, two commands that are prefixed with "-" and "+",
respectively, are displayed in sequence.
Precautions
This command applies only to the two-phase validation mode.
Before you run the commit command to commit a configuration, a configuration
conflict occurs if the current running configuration is changed. In this case, run the
refresh configuration candidate command to resolve the configuration conflict,
and then run the display configuration candidate changes command to view the
configuration difference.
Example
# Display the difference between the candidate configuration and current running
configuration.
<HUAWEI> system-view
[~HUAWEI] display configuration candidate changes
Building configuration
#
interface Tunnel1
- mtu 1400
+ mtu 1300
#
+ interface Tunnel3
#
Table 3-53 Description of the display configuration candidate changes
command output
Item Description
Building Generation of differential configuration.
configuration
- Deleted configuration.
+ Added configuration.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 468
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3.8.17 display configuration commit list
Function
The display configuration commit list command displays the configuration
rollback points that are generated in the system.
Format
display configuration commit list [ verbose ] [ number-of-commits | label ]
Parameters
Parameter Description Value
verbose Displays the configuration rollback -
point details including the
description.
number-of- Displays a specified number of The value is an
commits configuration rollback points. integer that ranges
from 1 to 100.
label Displays label of the configuration -
rollback point list.
Views
All views
Default Level
3: Management level
Usage Guidelines
Usage Scenario
After configuring the system, run this command to check historical configuration
rollback points.
The system displays the configuration rollback points in descending order of
generation time. That is, the latest configuration rollback point is displayed first.
Follow-up Procedure
Use the rollback point label to roll back the configuration.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 469
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Example
# Display all configuration rollback points.
<HUAWEI> system-view
[~HUAWEI] sysname ROLLBACK
[*HUAWEI] commit description This is a test
[~ROLLBACK] display configuration commit list
------------------------------------------------------------------------------------
No. CommitId Label User TimeStamp
------------------------------------------------------------------------------------
1 1000002002 - - 2012-08-22 17:55:49+08:00
2 1000002001 - huawei 2012-08-22 17:12:04+08:00
3 1000002000 - - 2012-08-22 17:11:09+08:00
# Display details about all configuration rollback points.
<HUAWEI> system-view
[~HUAWEI] sysname ROLLBACK
[*HUAWEI] commit description This is a test
[~ROLLBACK] display configuration commit list verbose
1) CommitId: 1000002002
Label: -
User: -
User-Intf: VTY 0
Type: CLI
TimeStamp: 2012-08-22 17:55:49+08:00
Description: This is a test
2) CommitId: 1000002001
Label: -
User: huawei
User-Intf: VTY 0
Type: CLI
TimeStamp: 2012-08-22 17:12:04+08:00
Description:
3) CommitId: 1000002000
Label: -
User: -
User-Intf: VTY 0
Type: CLI
TimeStamp: 2012-08-22 17:11:09+08:00
Description:
Table 3-54 Description of the display configuration commit list command output
Item Description
No. Sequence number.
CommitId ID of the configuration rollback point, which uniquely
identifies the configuration rollback point.
If values of the CommitId fields are marked with an asterisk
(*), the configuration rollback points are discontinuous
configuration rollback points, that is, a user has configured
labels for the configuration rollback points and then run the
clear configuration commit oldest number-of-commits
command to change the labeled configuration rollback points
into discontinuous ones.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 470
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Item Description
Label Label of the configuration rollback point.
You can run the commit label label command to add a label
for a configuration rollback point.
User User name.
User-Intf User interface type, such as CON0 and VTY1.
Type Mode in which a configuration rollback point is generated,
such as CLI, SNMP, NETCONF, RESTORE, SYSTEM, and
ROLLBACK:
● CLI: A configuration rollback point is generated when the
administrator configures commands on the device.
● SNMP: A configuration rollback point is generated when
the web system delivers configurations to the device.
● NETCONF: A configuration rollback point is generated
when the controller delivers configurations to the device.
● ROLLBACK: A configuration rollback point is generated
when the rollback configuration command is run to roll
back configurations. For example, if a user performs
configurations four times and commit the configurations,
four contiguous rollback points a, b, c, and d are generated
in sequence. If the user finds that the configuration at the
rollback point b is incorrect and rolls back the
configuration to the rollback point a, a new rollback point
e is generated after the configuration rollback. This new
rollback point is marked ROLLBACK to indicate that it is
generated during a configuration rollback.
● RESTORE: A configuration rollback point is generated
when the device restarts. The configuration at this rollback
point is that generated after the device restart.
● SYSTEM: A configuration rollback point is automatically
generated when the undo configuration checkpoint
auto-save disable command is run to automatically save
rollback points.
TimeStamp Timestamp of the configuration rollback point.
Description Description of a configuration rollback point.
You can run the commit description description command to
add description for a configuration rollback point.
3.8.18 display configuration recover-result
Function
The display configuration recover-result command displays the configuration
recovery result after an upgrade.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 471
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Format
display configuration recover-result
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
After you run the startup saved-configuration or copy startup command to
specify the configuration file for the next startup and restart the device, run this
command to check the configuration recovery result (success, failure, or partial
failure) and failure cause.
Example
# Display the configuration result after an upgrade.
<HUAWEI> display configuration recover-result
Info: The current startup saved-configuration file is flash:/vrpcfg.zip.
The number of failed commands is 1.
--------------------------------------------------------------------------------
Command : vm-manager
View : system
Line : 204
Reason : Execute failed
Time : 2013-06-25 09:13:09
--------------------------------------------------------------------------------
Table 3-55 Description of the display configuration recover-result command
output
Item Description
Command Command that fails the configuration
recovery
View View in which the command resides
Line Line number of the command in the
current startup configuration file
Reason Reason why the command fails
Time Execution time of the configuration
recovery
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 472
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3.8.19 display configuration rollback result
Function
The display configuration rollback result command displays the configurations
that fail to roll back and the messages that are generated during the
configuration rollback.
Format
display configuration rollback result
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
During the configuration rollback, some configurations fail to roll back or
messages are generated during configuration rollback. Run this command to
check the failed configurations and messages.
Example
# Display the latest configuration rollback failure and the messages generated
during configuration rollback.
<HUAWEI> display configuration rollback result
!warning information
interface 10GE1/0/5
+ pim bfd enable
Warning: The configuration is successful. Enable global BFD to validate the configuration.
!There are still several differences as follow:
#
interface 10GE1/0/2
- ip address 10.3.3.3 255.255.255.0
+ ip address 10.4.4.4 255.255.255.0
#
# Display the latest configuration rollback success without messages generated
during configuration rollback.
<HUAWEI> display configuration rollback result
Info: The latest rollback operation is successful.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 473
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Table 3-56 Description of the display configuration rollback result command
output
Item Description
!warning Message that is generated during the configuration rollback.
information
!There are still Information about a rollback failure.
several
differences as
follow:
- Deleted configuration.
For the modified configuration, - indicates the old
configuration and + indicates the new configuration.
+ Added configuration.
For the modified configuration, - indicates the old
configuration and + indicates the new configuration.
3.8.20 display configuration sessions
Function
The display configuration sessions command displays session status.
Format
display configuration sessions [ verbose ]
Parameters
Parameter Description Value
verbose Indicates detailed information about session status. -
Views
All views
Default Level
3: Management level
Usage Guidelines
To query information about users who have logged in to the device, you can run
the display configuration sessions command to view session status.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 474
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Example
# Display session status.
<HUAWEI> display configuration sessions
--------------------------------------------------------------------------------
Session User-Intf User Date Lock
--------------------------------------------------------------------------------
285 _SYSTEM_ 2014-09-23 15:07:52 -
286 SNMP_User 2014-09-23 15:07:54 -
514 * VTY 0 2014-09-25 13:39:11 -
--------------------------------------------------------------------------------
# Display detailed information about session status.
<HUAWEI> display configuration sessions verbose
--------------------------------------------------------------------------------
Session : 285
User-Intf :
User : _SYSTEM_
Date : 2014-09-23 15:07:52
Lock-Type : -
Cfg-Mode :-
Client : NETCONF
Elapsed-Time : 1 days, 22:36:57
Session : 286
User-Intf : SNMP_User
User :
Date : 2014-09-23 15:07:54
Lock-Type : -
Cfg-Mode : 1-stage
Client : SNMP
Elapsed-Time : 1 days, 22:36:55
Session : 514 *
User-Intf : VTY 0
User :
Date : 2014-09-25 13:39:11
Lock-Type : -
Cfg-Mode :-
Client : CLI
Elapsed-Time : 0 days, 0:05:38
--------------------------------------------------------------------------------
Table 3-57 Description of the display configuration sessions command output
Item Description
Session Indicates the ID of the session that connects to
the system.
User-Intf Indicates the interface information that the user
used to logging on.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 475
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Item Description
User Indicates the user name.
● When a user performs operations through an
NMS, SNMP_User is displayed.
● When a user performs RMON operations,
RMON_User is displayed.
● After the system is started, OPS will
automatically apply for an internal link that
is used as a channel for the Maintenance
assistant to subscribe to logs and alarms.
The link user name is _SYSTEM_.
Date Indicates the time of the logging user.
Lock Indicates the lock state.
Cfg-Mode Indicates the configuration mode.
Client Indicates the client information.
Elapsed-Time Indicates the elapsed time of the logging user.
3.8.21 display current-configuration
Function
The display current-configuration command displays the currently running
configuration.
This command does not display parameters that use default settings.
Format
display current-configuration [ configuration [ configuration-type
[ configuration-instance ] ] | interface [ interface-type [ interface-number ] ] | all
| inactive ] [ include-default ]
Parameters
Parameter Description Value
configuration Specifies the The value is determined by the
configuration-type configuration type. current system configurations.
configuration- Specifies a configuration The value is a string of 1 to
instance instance. 200 case-insensitive characters
without spaces. When double
quotation marks are used
around the string, spaces are
allowed in the string.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 476
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
interface [ interface- -
Specifies an interface
type [ interface-
type.
number ] ]
all Displays all the -
configuration
information.
inactive Displays the offline -
configuration
information.
include-default Displays the default -
configuration.
Views
All views
Default Level
3: Management level
Usage Guidelines
To check whether the configured parameters take effect, run the display current-
configuration command. The parameters that do not take effect are not
displayed.
The command output is relevant to user configuration. If the include-default
parameter is specified, the command output includes the default system
configuration starting with a tilde (~).
You can use a regular expression to filter the command output. For the regular
expression rules, see "Filtering Command Outputs" in the CloudEngine 8800, 7800,
6800, and 5800 Series SwitchesConfiguration Guide - Basic Configuration.
After you run the display current-configuration all or display current-
configuration inactive command, * in the command output indicates offline
configuration.
NOTE
The symbol * has two meanings:
1. When * is displayed in an interactive operation, it indicates the configurations that have not
been submitted.
2. When * is displayed in configuration information, it indicates the offline configurations.
Example
# Display all configurations that include vlan.
<HUAWEI> display current-configuration | include vlan
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 477
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
vlan batch 10 77 88
port trunk allow-pass vlan 10
# Display the FTP configuration.
<HUAWEI> display current-configuration configuration ftp
#
FTP server enable
#
return
# Display the configuration that includes the default configuration.
<HUAWEI> display current-configuration include-default
!Software Version V100R006C00SPC200
!Last configuration was updated at 2015-09-14 02:34:08+00:00
!Last configuration was saved at 2015-09-08 06:58:17+00:00
#
~language character-set ISO8859-1
#
sysname HUAWEI
#
~undo command-privilege level rearrange
#
return
3.8.22 display module-information
Function
The display module-information command displays information about
dynamically installed modules in the system.
Format
display module-information [ verbose | next-startup ]
Parameters
Parameter Description Value
verbose Displays details about dynamically -
installed modules.
file-name Displays the specify module The module must already
information loaded at the next exist, with the file name
startup. extension being .mod
or .MOD.
next-startup Displays module information loaded -
at the next startup.
Views
All views
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 478
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Default Level
1: Monitoring level
Usage Guidelines
To view information about dynamically installed modules in the system, run the
display module-information command. The information helps to monitor
whether modules are successfully installed or uninstalled.
Example
# Display details about dynamically installed modules in the system.
<HUAWEI> display module-information verbose
Module Information
----------------------------------------------------------------------------------------
Module Version InstallTime PackageName
----------------------------------------------------------------------------------------
LI V200R005MOD001 2019-08-15 10:31:26 CE-V200R005MOD001.MOD
----------------------------------------------------------------------------------------
Total = 1
Board Info :
----------------------------------------------------------------------------------------
Slot-id ProcId Type FileName EffectiveTime Module
----------------------------------------------------------------------------------------
1 11 C HM800000.mod 2019-08-15 10:29:32.100 LI
----------------------------------------------------------------------------------------
Total = 1
# Displays the specify module information loaded at the next startup.
<HUAWEI> display module-information CE6850CE6863V200R005MOD503.MOD verbose
Module Information
--------------------------------------------------------------------
Module Version InstallTime PackageName
--------------------------------------------------------------------
TLV V200R005MOD503 2012-05-23 06:28:00 CE6850CE6863V200R005MOD503.MOD
--------------------------------------------------------------------
Total = 1
Board Info :
----------------------------------------------------------------------------------------
Slot-id ProcId Type FileName EffectiveTime Module
----------------------------------------------------------------------------------------
17 3 SCRIPT HM980000.mod 2014-11-19 08:26:46.491 TLV
18 6 SCRIPT HM980000.mod 2014-11-19 08:26:46.812 TLV
----------------------------------------------------------------------------------------
Total = 2
Table 3-58 Description of the display module-information verbose command
output
Item Description
Module Information Information about a module
Module Name of a module
Version Version of a module
InstallTime Time when a module is installed
PackageName Name of a module file
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 479
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Item Description
Total Number of modules installed
Board Info Board information
Slot-id Board ID
ProcId Process ID
Type File type
FileName File name
Module Name of a module
3.8.23 display saved-configuration
Function
The display saved-configuration command displays the configuration file to be
used for the next startup.
Format
display saved-configuration [ last | time | configuration ]
Parameters
Parameter Description Value
last Displays the system configurations saved last time. -
time Displays the recent time when the configurations are -
saved manually or automatically.
configuration Displays the parameters of the automatic save function. -
Views
All views
Default Level
3: Management level
Usage Guidelines
If the device has been started and is not working properly, run the display saved-
configuration command to check the device startup configuration in the file
specified by running the startup saved-configuration or copy startup command.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 480
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Run the display saved-configuration last command to check the system
configurations saved last time in the configuration file loaded during the current
startup.
Run the display saved-configuration time command to check the last time when
the system configurations are saved.
Run the display saved-configuration configuration command to check the
automatic save function parameters including the automatic save interval and
CPU usage.
The command output is relevant to user configuration. The command does not
display the default configuration.
Example
# Display the configuration file for the next startup.
<HUAWEI> display saved-configuration
#
sysname Switch
...
#
vlan batch 10 20
#
interface Vlanif10
ip address 192.168.1.3 255.255.255.0
#
interface Vlanif20
ip address 192.168.4.3 255.255.255.0
...
#
interface MEth0/0/0
ip address 192.168.200.8 255.255.255.0
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 20
...
#
user-interface maximum-vty 15
user-interface con 0
user-interface vty 0 14
idle-timeout 0 0
#
return
3.8.24 display schedule reboot
Function
The display schedule reboot command displays the configuration of the
scheduled restart of the device.
Format
display schedule reboot
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 481
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
None
Views
All views
Default Level
3: Management level
Usage Guidelines
After using the schedule reboot command to configure a scheduled restart, you
can use this command to view the configuration of the scheduled restart.
Example
# Display the configuration of the scheduled restart of the device.
<HUAWEI> display schedule reboot
Info: System will reboot at 22:00:00 2013/09/17 UTC(in 1 hours and 36 minutes).
Table 3-59 Description of the display schedule reboot command output
Item Description
System will reboot at Specific restart time.
in hours and minutes Time span between the restart time and the current
time.
3.8.25 display software crl
Function
The display software crl command displays information about a digital signature
certificate revocation list (CRL) file.
Format
display software crl
Parameters
None
Views
ALL views
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 482
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Default Level
1: Monitoring level
Usage Guidelines
If an issued digital signature certificate needs to be revoked due to key disclosure
or other reasons, a third-party tool can be used to mark the certificate invalid and
add the certificate to a digital certificate CRL. To check information about the
digital signature CRL file, run the display software crl command.
Example
# Display information about a digital signature CRL file that has been loaded to
the main control board.
<HUAWEI> display software crl
CRL file information:
------------------------------------------------------------------------------------------------------------------------------
-----------
Slot-id Publisher Issue date Status
------------------------------------------------------------------------------------------------------------------------------
-----------
1 C=CN,O=Huawei,CN=Huawei Root CA 2015-10-19
15:38:25+08:00 Valid
1 C=CN,O=Huawei,CN=Huawei Code Signing Certificate Authority 2016-04-05
16:27:05+08:00 Valid
1 C=CN,O=Huawei,CN=Huawei Timestamp Certificate Authority 2016-03-01
16:56:22+08:00 Valid
2 C=CN,O=Huawei,CN=Huawei Root CA 2015-10-19
15:38:25+08:00 Valid
2 C=CN,O=Huawei,CN=Huawei Code Signing Certificate Authority 2016-04-05
16:27:05+08:00 Valid
2 C=CN,O=Huawei,CN=Huawei Timestamp Certificate Authority 2016-03-01
16:56:22+08:00 Valid
------------------------------------------------------------------------------------------------------------------------------
-----------
Package digital signature verification failure list:
---------------------------------------------------------------------------------
Slot ID Package Name
---------------------------------------------------------------------------------
1 VRPV800R019C10B130D0921_ne5ke.cc
1 VRPV800R019C10B130D0920_ne5ke.cc
2 VRPV800R019C10B130D0921_ne5ke.cc
2 VRPV800R019C10B130D0920_ne5ke.cc
---------------------------------------------------------------------------------
Table 3-60 Description of the display software crl command output
Item Description
Slot-id Slot ID of the device where the CRL resides
Publisher CRL issuer
Issue date CRL issue date
CRL status:
Status ● Valid
● InValid
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 483
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Item Description
Package Name Software package name.
Slot-id Slot ID of the board where the CRL resides.
3.8.26 display startup
Function
The display startup command displays the system software for the current and
next startup, configuration file, PAF, and patch file.
Format
display startup [ slot slot-id ]
Parameters
Parameter Description Value
slot slot-id The value is an integer. The range of
Specifies a member device
the integer is dependent on the specific
in a stack.
device.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Before upgrading or degrading a device, run this command to check whether the
files for next startup have been loaded. If the files have been loaded, the device
can be upgraded or degraded successfully after it is restarted. You can also run the
command to view the system software and files for current startup.
Example
# Display the names of system software for current and next startup.
<HUAWEI> display startup
MainBoard:
Configured startup system software: flash:/basicsoftware.cc
Startup system software: flash:/basicsoftware.cc
Next startup system software: flash:/basicsoftware.cc
Startup saved-configuration file: flash:/vrpcfg.zip
Next startup saved-configuration file: flash:/vrpcfg.zip
Startup paf file: default
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 484
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Next startup paf file: default
Startup patch package: NULL
Next startup patch package: NULL
Table 3-61 Description of the display startup command output
Item Description
Configured startup system software System software that is configured for
the current startup by running the
startup system-software command
before the system starts.
Startup system software System software that is used in the
current startup.
Next startup system software System software that is configured for
the next startup by running the startup
system-software or copy startup
command.
If no system software for the next
startup is configured, the system
software used in the current startup is
displayed.
Startup saved-configuration file Configuration file that is used in the
current startup.
Next startup saved-configuration file Configuration file that is configured for
the next startup by running the startup
saved-configuration command.
If no configuration file for the next
startup is configured, the configuration
file used in the current startup is
displayed.
Startup paf file PAF file that is used in the current
startup.
default indicates that no PAF file is
specified or the PAF file does not take
effect.
Next startup paf file PAF file that is configured for the next
startup.
If no PAF file is configured, default is
displayed.
Startup patch package Patch package file that is used in the
current startup.
NULL indicates that no patch package
file is specified or the patch package file
does not take effect.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 485
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Item Description
Next startup patch package Patch package file that is configured for
the next startup by running the startup
patch command.
If no patch package file is configured,
NULL is displayed.
3.8.27 install-module
Function
The install-module command dynamically loads a specified module file.
Format
install-module file-name [ next-startup ]
Parameters
Parameter Description Value
file-name Specifies the name of the module file to The name of the
be loaded. module file must
already exist.
next-startup Specifies the name of the module file to -
be loaded at the next startup.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Guideline
To install a module in the current system by loading the module file, run the
install-module command. The extension of a module file name must be *.MOD
or *.mod.
To view information about successfully loaded module files, run the display
module-information command.
Precautions
Loaded module files must be stored in the $_install_mod directory.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 486
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Example
# Load the SwitchV200R001MOD501.MOD file to the $_install_mod directory.
<HUAWEI> install-module SwitchV200R001MOD501.MOD
3.8.28 reboot
Function
The reboot command restarts the device.
Format
reboot [ fast | save diagnostic-information ]
Parameters
Parameter Description Value
fast Fast restarts the device. -
save diagnostic-information Saves the diagnostic information before -
the restart.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
This command functions in the same way as a power recycle operation (power off
and then restart the device). The command enables you to restart the device
remotely.
● After the reboot or reboot save diagnostic-information command is run, the
system displays a message asking you whether to save the configuration. If
you choose to save the configuration, the current configuration is written into
the configuration file to prevent configuration loss after the reboot. If you
choose not to save the configuration, the device reboots using the
configuration in the configuration file, leading to the loss of unsaved
configuration.
● After the reboot fast command is run, the device reboots without prompting
you to save the configuration.
● After the reboot save diagnostic-information command is run, if a
diagnostic information file already exists, the system displays a message
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 487
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
asking you whether to overwrite the file before the reboot. If you choose to
overwrite the file, the system saves current diagnostic information to the root
directory of the Flash card and overwrites the original diagnostic information
file. If you choose not to overwrite the file, the system does not collect
diagnostic information. Diagnostic information does not affect device
configuration.
Precautions
● If you do not respond to the displayed message within the timeout period
after running this command, the system will return to the user view and the
device will not be restarted.
● To avoid loss of diagnostic information after a restart, configure the device to
save the diagnostic information before restarting.
● This command interrupts services on the entire device. Therefore, do not use
this command when the device is running properly.
● Before restarting the device, ensure that the configuration file has been saved.
Example
# Restart the device.
<HUAWEI> reboot
# Restart the device quickly.
<HUAWEI> reboot fast
3.8.29 refresh configuration candidate
Function
The refresh configuration candidate command re-executes candidate
configuration to resolve configuration conflicts.
Format
refresh configuration candidate
Parameters
None
Views
All views except the user view
Default Level
3: Management level
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 488
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Task Name and Operations
Task Name Operations
cli execute
Usage Guidelines
Usage Scenario
If the system displays a message indicating that the current running configuration
is changed when you run the display configuration candidate changes
command to view the difference between the candidate configuration and current
running configuration, run the refresh configuration candidate command to
resolve the configuration conflict so that you can continue to view the
configuration difference.
If a configuration conflict occurs before you commit the configuration, you can
resolve the configuration conflict and then run the commit command to commit
the configuration. Alternatively, run the commit command to commit the
configuration directly, without resolving the configuration conflict.
Precautions
This command applies only to the two-phase validation mode.
Example
# Update the candidate configuration based on the current running configuration
to resolve configuration conflicts.
<HUAWEI> system-view
[~HUAWEI] refresh configuration candidate
3.8.30 reset boot password
Function
The reset boot password command resets the BIOS or BootLoader password to
default password.
By default, The default username and password are available in CloudEngine
Series Data Center Switches Default Usernames and Passwords (V100 and V200)
(Enterprise Network or Carrier). If you have not obtained the access permission
of the document, see Help on the website to find out how to obtain it.
Format
reset boot password [ slot slot-id ]
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 489
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Value
slot slot-id Specifies a slot ID. The value range depends
on the device
configuration.
Views
User view
Default Level
3: Management level
Usage Guidelines
If you forget the BIOS or BootLoader password and cannot access the BIOS or
BootLoader menu, run the reset boot password command to reset the password
to default password. Then you can use this password to access the BIOS or
BootLoader menu.
Example
# Reset the BootLoader password.
<HUAWEI> reset boot password
Warning: The password used to access the boot menu by pressing Ctrl+B will be cleared, continue? [Y/N]: y
Info: The password used to access the boot menu by pressing Ctrl+B is cleared successfully.
3.8.31 reset saved-configuration
Function
The reset saved-configuration command cancels the configuration file used for
next startup.
Format
reset saved-configuration
Parameters
None
Views
User view
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 490
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Default Level
3: Management level
Usage Guidelines
Usage Scenario
After the device software is upgraded or the device in use is applied to another
scenario, you can run the reset saved-configuration command to cancel the
configuration file used for next startup so that the device starts with empty
configurations.
Precautions
● After this command is run and the device restarts, enter N when the system
asks you whether to save the current configuration file as the next startup
configuration file. Then configuration of canceling the configuration file for
next startup then takes effect.
● After the device starts with the default configuration, you need to log in to
the device through the console port. Remote login is not supported.
● If the next startup configuration file is empty, the device displays a message
indicating that the file does not exist.
● Exercise caution when you run the reset saved-configuration command.
Example
# Cancel the configuration file used for next startup.
<HUAWEI> reset saved-configuration
The action will delete the saved configuration on the device.
The configuration will be erased to reconfigure.Continue? [Y/N]: y
Warning: Now the configuration on the device is being deleted.
..........
Info: Succeeded in clearing the configuration in the device.
<HUAWEI> reboot
slot 1:
Next startup system software: flash:/basicsoftware.cc
Next startup saved-configuration file: NULL
Next startup paf file: default
Next startup patch package: NULL
Warning: The current configuration will be saved to the next startup saved-confi
guration file. Continue? [Y/N]: n
Warning: The system will reboot. Continue? [Y/N]: y
3.8.32 rollback configuration
Function
The rollback configuration command rolls back the system from the current
configuration state to a historical configuration state.
Format
rollback configuration { to { commit-id commit-id | label label | file file-name }
| last number-of-commits }
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 491
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Value
commit-id Specifies the label of the The value is an integer that the
commit-id configuration rollback point to system generates automatically.
which system configurations
are expected to roll back. Run the display configuration
commit list command to check
the configuration rollback
points.
label label Specifies a user label for a The value is a string of 1 to 256
configuration rollback point. A case-sensitive ASCII characters,
specified user label indicates spaces not supported. The value
the historical configuration must start with a letter and
state to which the system cannot be presented in a single
configuration is expected to hyphen (-). The label must
roll back. already exist.
file file-name Specifies a configuration file The value is a string of 5 to 64
for configuration rollback. A case-sensitive characters in the
specified configuration file format of *.zip, *.cfg, or *.dat,
indicates the historical spaces not supported. The file-
configuration state to which name must already exist.
the system configuration is
expected to roll back.
last number- Specifies the number of The value is an integer that
of-commits configuration rollback points. ranges from 1 to 80.
The system will be rolled back
to the historical configuration
state before these
configuration rollback points.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If the configuration is incorrect, the service is not running properly, or an
unexpected configuration result occurs on the network, run this command to roll
back the system to the specified historical configuration state.
For example, a user performs four configuration operations and submits these
configurations and four consecutive rollback points a, b, c, and d are generated.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 492
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
The user finds that the configuration at b is incorrect and wants to roll back the
system to the configuration state before b. After the user rolls back the system
configuration to a, a new rollback point e is generated and marked with Rollback.
If an error occurs in the configuration rollback, you can recover the configuration
to the state before the rollback, and a new rollback point is generated and marked
with Rollback.
Prerequisites
The display configuration commit changes command has been executed to
check the configuration change in the configuration rollback point to determine
whether the configuration can be rolled back to the expected historical state.
Follow-up Procedure
If some configurations fail to be rolled back, run the display configuration
rollback result command to check these configurations and the messages
generated during configuration execution.
Example
# Roll back the system to the historical configuration state at rollback point
1000000001.
<HUAWEI> rollback configuration to commit-id 1000000001
# Roll back the system to the historical configuration state at the rollback point
before the last two rollback points.
<HUAWEI> rollback configuration last 2
3.8.33 save
Function
The save command saves the configurations to the configuration file.
Format
save [ configuration-file ]
Parameters
Parameter Description Value
configuration-file Specifies the name of a The value is a string of 5 to 64
configuration file. case-sensitive characters without
spaces.
Views
User view
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 493
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
You can run commands to modify the current configuration of the device, but the
modified configuration will be lost after the device restarts. To enable the new
configuration to take effect after a restart, save the current configuration in the
configuration file before restarting the device.
When a series of configurations are complete and take effect, you must save the
current configuration file to the storage device.
The save configuration-file command saves the current configuration to a specific
file on the storage device. Generally, running the save configuration-file command
does not affect the current startup configuration file. If the configuration file
specified by configuration-file has the same name with the current configuration
file and the default directory is used, running the save configuration-file
command is equivalent to running the save command.
If you do not specify configuration-file when saving the configuration file for the
first time, the system displays the file name extension of the configuration file. If
you directly press Enter, the configuration file is saved as vrpcfg.zip. The
vrpcfg.zip file is the default system configuration file and does not contain any
configuration in the initial state.
Precautions
● If the configuration file to be saved using this command has the same name
with the existing configuration file, the existing configuration file is rewritten.
● The configuration file name extension must be .zip, .dat or .cfg.
– .cfg: The file is saved in plain text mode. After the file is specified as the
configuration file, all commands in the file are recovered one by one
during startup.
– .zip: The .cfg file is compressed to a .zip file that occupies less space. After
being specified as the configuration file, the .zip file is decompressed to
the .cfg file and all commands in the .cfg file are recovered one by one
during startup.
– .dat: A .dat file is a binary file. If the startup software version and the .dat
file version are the same, the system restores all configurations in
the .dat file in batches when the device starts. This speeds up the system
startup.
Example
# Save the current configuration file to the default storage medium when the
switch starts with configuration.
<HUAWEI> save
Warning: The current configuration will be written to the device. Continue? [Y/N]:y
Now saving the current configuration to the slot 1
Info: Save the configuration successfully.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 494
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
# Save the current configuration file to the default storage medium for the first
time when the switch starts without configuration.
<HUAWEI> save
Warning: The current configuration will be written to the device. Continue? [Y/N]: y
Info: Please input the file name(*.cfg, *.zip, *.dat)[vrpcfg.zip]:
Now saving the current configuration to the slot 2 ..
Info: Save the configuration successfully.
3.8.34 schedule reboot
Function
The schedule reboot command configures the scheduled restart of a device and
set the specific time when the device restarts or the delay time before the device
restarts.
The undo schedule reboot command disables the scheduled restart function.
By default, the scheduled restart is disabled.
Format
schedule reboot { at time | delay interval [ force ] }
undo schedule reboot
Parameters
Parameter Description Value
at time Specifies the The format of time is hh:mm YYYY/MM/DD. The
device restart restart time must be later than the current
time. device time by less than 720
hours.YYYY/MM/DD indicates year, month, and
date and is optional.
● hh indicates hour and the value ranges from
0 to 23.
● mm indicates minute and the value ranges
from 0 to 59.
● YYYY indicates year and the value ranges
from 2000 to 2037.
● MM indicates month and the value ranges
from 1 to 12.
● DD indicates date and the value ranges from
1 to 31.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 495
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
delay Specifies the The format of interval is hh:mm or mm. The
interval delay time delay time must be no more than 720 hours.
before the ● In hh:mm, hh indicates hour and the value
device restarts. ranges from 0 to 720 and mm indicates
minute and the value ranges from 0 to 59.
● mm indicates minute and the value ranges
from 0 to 43200.
force Specifies -
forcible
scheduled
restart.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When upgrading or restarting the device, you can configure the device to restart
at time when few services are running to minimize the impact on services.
Precautions
● If the schedule reboot at command is used to set a specific date
(YYYY/MM/DD) and the date is a future date, the device restarts at the
specified time, with an error within 1 minute. If no date is set, two situations
occur: If the specified time is later than the current time, the device restarts at
the specified time of the day. If the specified time is earlier than the current
time, the device restarts at the set time next day.
● Note that the gap between the specified date and current date must be
shorter than or equal to 720 hours. If the scheduled restart has been
configured, the latest configuration overrides the previous one.
● Run the schedule reboot delay interval command to set the delay time
before the device restarts. If the force parameter is not specified, the system
compares the configuration file with the current configuration. If the current
configuration is different from the configuration file, the system asks you
whether to save the current configuration. After you complete the selection,
the system prompts you to confirm the configured restart time. Enter Y or y
to make the configured restart time take effect. If the force parameter is
specified, the system does not display any message, and the restart time takes
effect directly. The current configuration is not compared or saved.
● The scheduled restart function becomes invalid when you use the clock
datetime command to set the system time to over 10 minutes later than the
restart time set by the schedule reboot command. If the time difference is
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 496
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
equal to or less than ten minutes, the device immediately restarts and does
not save the configuration.
● This command restarts the device at the specified time, interrupting all
services on the device. Therefore, do not use this command when the device is
running properly.
● Before restarting the device, ensure that the configuration file has been saved.
Example
# Configure the device to restart at 22:00.
<HUAWEI> schedule reboot at 22:00
Warning: The current configuration will be saved to the next startup saved-configuration file. Continue?
[Y/N]:y
Now saving the current configuration....
Save the configuration successfully.
Info: Reboot system at 22:00:00 2017/08/07 UTC (in 11 hours and 19 minutes).
Confirm? [Y/N]:y
3.8.35 set configuration commit
Function
The set configuration commit command sets a user label for a configuration
rollback point.
By default, no user label is set for configuration commit.
Format
set configuration commit commit-id label label-string
Parameters
Parameter Description Value
commit-id Specifies the ID of a The value is an integer ranging
configuration rollback point. from 1000000001 to 1999999999
and generated by the system
automatically.
label label- Specifies the user label of a The value is a string of 1 to 256
string configuration rollback point. case-sensitive ASCII characters
NOTE without spaces. The value must
The parameter value must be
start with a letter and cannot be
unique in the system and in presented in a single hyphen (-).
one-to-one mappings with
commit-id.
Views
User view
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 497
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Default Level
2: Configuration level
Usage Guidelines
Usage Scenario
After a configuration rollback point is generated, the system automatically
allocates a commit ID for this configuration rollback point. The commit ID is an
integer that ranges from 1000000001 to 1999999999, which is difficult to
understand and remember. When the number of configuration rollback points that
are automatically generated by the system reaches the upper threshold, earliest
configuration rollback points are replaced by latest configuration rollback points.
For some important configurations, however, the related configuration rollback
points need to be retained. In this case, you can run the set configuration
commit command to specify a user label for a configuration rollback point, which
is easy to understand and remember and configuration rollback points related to
important configurations are not replaced.
You can specify a user label when a configuration rollback point is generated
using the commit command. If a configuration rollback point has been generated,
you can run the set configuration commit command to add a user label for the
configuration rollback point. For continuous configuration rollback points with
labels, you cannot directly modify the labels. You must run the clear
configuration commit commit-id label command to delete the labels of the
configuration rollback points first and then run the set configuration commit
command to specify user labels for the configuration rollback points.
NOTE
For discontinuous configuration rollback points with labels (values of the CommitId fields
of the configuration rollback points in the display configuration commit list command
output are marked with an asterisk [*]), exercise caution when running the clear
configuration commit commit-id label command because this command will
simultaneously delete the configuration rollback points and their labels.
You can run the clear configuration commit commit-id label command to delete
label information of a configuration rollback point.
You can run the display configuration commit list command to check label
information of a configuration rollback point.
Precautions
● In unified management mod, the set configuration commit command can
only be run in a physical system (PS).
● You cannot run the clear configuration commit oldest number-of-commits
command to delete a configuration rollback point with a label.
● If the set configuration commit command has been run, you cannot run the
rollback configuration command to roll back the system to the previous
configuration.
● If you run the set configuration commit command multiple times, only the
latest configuration takes effect.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 498
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Example
# Set the label new_label for configuration commit ID 1000000002.
<HUAWEI> set configuration commit 1000000002 label new_label
3.8.36 set flow-control-message reliability disable
Function
The set flow-control-message reliability disable command to set message
congestion more than 30 minutes, the veneer will not reset.
The undo set flow-control-message reliability disable command is used to set
message congestion for more than 30 minutes and the veneer will reset.
By default, undo set flow-control-message reliability disable.
Format
set flow-control-message reliability disable
undo set flow-control-message reliability disable
Parameters
None
Views
System view
Default Level
3: Management level
Task Name and Operations
Task Name Operations
rpm write
Usage Guidelines
Message congestion detected by the single board for more than 30 minutes will
reset the single board by default.
If the message congestion is set by set flow-control-message reliability for more
than 30 minutes, the veneer will not be reset.
If the message congestion is set by undo set flow-control-message reliability for
more than 30 minutes, the veneer will be reset.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 499
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Example
# Configuration veneer detected message congestion for more than 30 minutes.
Reset veneer by default.
<HUAWEI> system-view
[~HUAWEI] set flow-control-message reliability disable
3.8.37 software crl load
Function
The software crl load command loads a digital signature certificate revocation list
(CRL) file to the main control board.
Format
software crl load crl-name
Parameters
Parameter Description Value
crl-name Specifies a CRL name. The value is a string of 5 to 63 case-
insensitive characters, spaces not
The CRL file must be in the supported.
flash directory of the main
control board. The file name is determined by the
uploaded file and must be the same as
the name of the uploaded file.
Views
User view
Default Level
3: Management level
Task Name and Operations
Task Name Operations
patch write
Usage Guidelines
The lifetime of a certificate is limited. A certificate authority (CA) can revoke a
certificate to shorten its lifetime. A CRL is a list of certificates that have been
revoked, and therefore should not be relied upon. The CRL is issued by a CA. If a
CA revokes a certificate, the key pair defined in the certificate can no longer be
used even if the certificate does not expire. After a certificate in a CRL expires, the
certificate is deleted from the CRL to shorten the CRL.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 500
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
If an issued digital signature certificate needs to be revoked due to key disclosure
or other reasons, a third-party tool can be used to mark the certificate invalid and
add the certificate to a digital certificate CRL. To load the latest digital signature
CRL file to a device, run the software crl load command. After the file is loaded,
the device does not verify the digital signature certificate upon next startup.
Example
# Load a CRL file to the main control board.
<HUAWEI> software crl load crldata-new.crl
3.8.38 startup saved-configuration
Function
The startup saved-configuration command specifies the system configuration file
for next startup.
Format
startup saved-configuration configuration-file [ slot slot-id ]
Parameters
Parameter Description Value
configuration-file Specifies the name of a The name of a configuration file
configuration file. Make must already exist. The file name
sure that the file exists. extension can be .zip, .dat, or .cfg.
slot slot-id Specifies a member device The value is an integer. The range
in a stack. of the integer is dependent on the
specific device.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When the original configuration file cannot be used due to the software upgrade,
run the startup saved-configuration command to specify another configuration
file for next startup. The startup configuration file must be saved in the root
directory of the storage device.
Follow-up Procedure
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 501
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Run the reboot command to restart the device.
Precautions
● The configuration file specified for the next startup must exist.
● The configuration file name extension must be .zip, .dat, or .cfg.
– A configuration file with the file name extension .cfg is a text file, and
you can view the file content in the text file. After the file is specified as
the configuration file for next startup, the system restores all commands
in the file one by one during a startup.
– A .cfg file is compressed to a .zip file that occupies less space. After being
specified as the configuration file, the .zip file is decompressed to the .cfg
file and the system restores all commands in the .cfg file one by one
during startup.
– A .dat file is a binary file. If the startup software version and the .dat file
version are the same, the system restores all configurations in the .dat
file in batches when the device starts. This speeds up the system startup.
If the startup software version and the .dat file version are different, the
system restores configurations using commands in the .dat file.
● This command and the copy startup command can be used to specify the
configuration file for next startup and the later configuration takes effect.
Example
# Specify the system configuration file for the next startup.
<HUAWEI> startup saved-configuration vrpcfg.cfg
Info: Succeeded in setting the configuration for booting system.
3.8.39 startup system-software
Function
The startup system-software system specifies the system software for next
startup.
By default, no system software is specified for next startup.
Format
startup system-software system-file [ all | slave-board | slot slot-id ]
Parameters
Parameter Description Value
system-file Specifies the name of the The value must be the name of an
system software file. existing system software file. The
format is [ drive-name ][ file-name ].
If drive-name is not specified, the
value is the name of the default
storage device.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 502
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
all Specifies all the stack -
devices.
slave-board Specifies the system -
software for the next
startup of the standby MPU.
slot slot-id Specifies the stack device. The value is an integer. The value
range depends on the specific device.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
In system software upgrade or downgrade, run this command to specify the
system software for next startup.
Follow-up Procedure
Run the reboot command to restart the device.
Precautions
● The system software must use .cc as the file name extension and be saved to
the root directory of the storage device.
● The system software set for next startup cannot be deleted.
● In a stack, the specified system software must be saved to the root directory
of the flash memory of all member devices in the stack.
Example
# Specify the system software for next startup.
<HUAWEI> startup system-software basicsoft.cc
3.8.40 startup patch
Function
The startup patch command specifies the patch file for next startup.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 503
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Format
startup patch patch-name { all | slot slot-id }
Parameters
Parameter Description Value
patch-name Specifies the name of the The name of the patch file must already
patch file for next exist. It is in the format of [ drive-
startup. name ] [ path ] [ file-name ]. If drive-
name is not specified, the name of the
default storage device is used.
all Specifies all member -
devices in a stack.
slot slot-id The value is an integer. The range of the
Specifies a member
integer is dependent on the specific
device in a stack.
device.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
To make the patch file take effect after the device restarts, run this command to
specify the patch file for next startup.
Prerequisites
The desired patch file has been uploaded to the Flash:/ of the device.
Follow-up Procedure
Run the reboot command to restart the device.
Precautions
● A patch file uses .pat as the file name extension and must be saved in the
root directory.
● If you use this command to specify another patch for next startup, the
previous patch will be overridden.
● After the patch file is specified for next startup, run the display patch-
information command to view the patch file.
– If the patch file for next startup is not empty, the device load the patch
automatically after next startup.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 504
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
– If the patch file for next startup is empty, the device cannot load the
patch after next startup.
● After the device restarts, the system loads and runs the patch. If you do not
want the system to load the patch file after startup, use either of the
following methods to delete the patch file:
– Run the patch delete all command to delete the current patch.
– Run the reset patch-configure next-startup command to delete the
patch file already loaded on the system after startup.
Example
# Specify the patch file for next startup.
<HUAWEI> startup patch patch.pat all
3.8.41 uninstall-module
Function
The uninstall-module command uninstalls a specified module file.
Format
uninstall-module { file-name [ next-startup ] | all }
uninstall-module next-startup all
Parameters
Parameter Description Value
file-name Specifies the name of the module file The value is a string of 5 to
to be uninstalled. 63 case-sensitive characters
in the format of .mod
or .MOD.
next-startup Specifies the name of the module file -
loaded at next startup.
all Specifies that all modules need to be -
uninstalled.
Views
User view
Default Level
3: Management level
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 505
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Task Name and Operations
Task Name Operations
patch execute
Usage Guidelines
The uninstall-module command can be used to uninstall in-use modules from
the system.
The display module-information command can be used to check whether a
specified module has been uninstalled from the system.
The uninstall-module next-startup all command configures a device to remove
all dynamically loaded modules at a next startup.
Example
# Uninstall module 123.MOD from the system.
<HUAWEI> uninstall-module 123.MOD
This will uninstall the module. Are you sure? [Y/N]:y
Info: Succeeded in uninstalling the module.
# Remove all dynamically loaded modules at a next startup.
<HUAWEI> uninstall-module next-startup all
Info: Operating, please wait for a moment........done.
Info: Succeeded in uninstalling the module.
3.9 ISSU Configuration Commands
NOTE
ISSU is a test feature and cannot be used for commercial purposes.
3.9.1 display fei frame backup-time
Function
The display fei frame backup-time command displays the backup time of each
service module during an ISSU upgrade.
NOTE
Only the CE6870EI support this command.
Format
display fei frame backup-time slot slot-id component fei
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 506
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Value
slot slot-id Specifies a slot ID. The value is an integer or a string of
characters. You can enter a question
mark (?) and select a value from the
displayed value range.
component fei Indicates FEI -
components.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
You can run this command to check the backup time of each service module
during an ISSU upgrade, including the backup start time and end time.
Example
# Display the backup time of each service module during an ISSU upgrade.
<HUAWEI> display fei frame backup-time slot 1 component fei
The details of service backup time as follows:
--------------------------------------------------------------------------------------------
Service BeginTime EndTime UsedTime (s) ThresholdTime (s)
--------------------------------------------------------------------------------------------
ACL 15:24:30 15:24:32 2 20
CPU_DEFEND 15:24:32 15:24:36 4 250
VLAN 15:24:36 15:24:39 3 150
TRUNK 15:24:39 15:24:41 2 20
MAC 15:24:41 15:24:43 2 100
ARP 15:24:43 15:24:57 14 1000
MSTP 15:24:57 15:24:59 2 10
LLDP 15:24:59 15:25:01 2 10
DLDP 15:25:01 15:25:03 2 10
SMARTLINK 15:25:03 15:25:05 2 10
EFM 15:25:05 15:25:07 2 10
DAD 15:25:07 15:25:09 2 10
L2PT 15:25:09 15:25:11 2 200
LDT 15:25:11 15:25:13 2 10
ERPS 15:25:13 15:25:15 2 10
TRILL 15:25:15 15:25:17 2 50
QOS 15:25:17 15:25:20 3 1500
MQC 15:25:20 15:25:22 2 100
FCOE 15:25:22 15:25:24 2 100
DCB 15:25:24 15:25:26 2 20
SECURITY 15:25:26 15:25:29 3 250
NS_FLOW 15:25:29 15:25:29 0 200
MC 15:25:29 15:25:31 2 50
MIRR 15:25:31 15:25:33 2 50
------------------------------------------------------------------------------------
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 507
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Table 3-62 Description of the display fei frame backup-time command output
Item Description
Service Name of a service profile.
BeginTime Backup start time.
EndTime Backup end time.
UsedTime (s) Time taken for backup.
ThresholdTime (s) Upper threshold for the time taken for backup.
3.9.2 display issu check-result
Function
The display issu check-result command displays the result of ISSU check.
Format
display issu check-result
Parameters
None
Views
User view
Default Level
3: Management level
Usage Guidelines
After you use the issu check command to perform ISSU check, you can use the
display issu check-result command to view the check result.
Example
# Display the result of system upgrade check.
<HUAWEI> display issu check-result
------------------------------ISSU CHECK RESULT-------------------------------
Check Date : 2015/03/07 15:57:01
Check Result : success
Upgrade type : lossy
Base package : CE6850EI-V100R005C00SPC300.cc
Upgrade package : CE6850EI-V100R005C10SPC200.cc
Base patch : CE6850EI-V100R005SPH001.PAT
Base paf : default
Upgrade paf : default
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 508
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
------------------------------------------------------------------------------
Info: The upgrade procedure is:
Reboot the slave board with the upgrade system software.
Create standby process with the upgrade system software, and detailed process groups are as follows:
process group: 10003 slot: 1
process group: 10005 slot: 3
process group: 10004 slot: 1
process group: 10006 slot: 3
Upgrade process with the upgrade system software, and detailed process groups are as follows:
process group: 10003 slot: 1
process group: 10005 slot: 3
process group: 10004 slot: 1
process group: 10006 slot: 3
process group: 3 slot: 1
process group: 1000 slot: 1
process group: 10001 slot: 1
process group: 1002 slot: 1
process group: 1001 slot: 1
process group: 2 slot: 1
process group: 10002 slot: 1
Reboot group with the upgrade system software, The detail groups is below:
board group: 1 slot: 3
Reboot the master board with the upgrade system software.
------------------------------------------------------------------------------
Table 3-63 Description of the display issu check-result command output
Item Description
Check Date Date when an ISSU check is
performed.
Check Result ISSU check result.
Upgrade type ISSU type.
Base package Name of the old system software.
Upgrade package Name of the new system software.
Base patch Name of the old patch file.
Base paf Name of the old PAF file.
Upgrade paf Name of the new PAF file.
3.9.3 display issu group
Function
The display issu group command displays information about device groups.
Format
display issu group
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 509
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
None
Views
User view
Default Level
3: Management level
Usage Guidelines
You can run the command to check information about device groups during ISSU.
Example
# Display current information about board groups.
<HUAWEI> display issu group
Grouping Information
-----------------------------------
GroupId SlotId BoardType
-----------------------------------
1 1 MPU
-----------------------------------
Table 3-64 Description of the display issu group command output
Item Description
GroupId Group ID.
SlotId ID of a device.
BoardType Device type.
3.9.4 display issu report
Function
The display issu report command displays detailed information about the ISSU
process.
Format
display issu report
Parameters
None
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 510
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Views
User view
Default Level
3: Management level
Usage Guidelines
After you use the issu start command to start ISSU, you can use the display issu
report command to view detailed information about the ISSU process.
Example
# Display detailed information about the ISSU progress.
<HUAWEI> display issu report
-----------------------------ISSU REPORT-----------------------------------
Upgrade number : 20150815164424
Upgrade type : lossy
Upgrade result : success
Base package : CE6850EI-V100R005C00SPC300.cc
Upgrade package : CE6850EI-V100R005C10SPC200.cc
Base patch : CE6850EI-V100R005SPH001.PAT
Base paf : default
Upgrade paf : default
Upgrade rollback time(min) : 120
Upgrade start begin time : 2015/08/15 16:44:24
Upgrade start end time : 2015/08/15 17:02:11
Upgrade start total duration : 0 Hours 17 Minutes 47 Seconds
Upgrade confirm time : 2015/08/15 17:02:42
Upgrade abort time : --
---------------------------------------------------------------------------
Upgrade procedure details:
slot: 1 [reboot]
begin time: 2015/08/15 16:46:07
end time: 2015/08/15 16:54:26
duration: 0 Hours 8 Minutes 19 Seconds
slot: 2 [upgrade process]
process group: 10003
begin time: 2015/08/15 16:54:32
end time: 2015/08/15 16:56:04
duration: 0 Hours 1 Minutes 32 Seconds
slot: 2 [upgrade process]
process group: 10004
begin time: 2015/08/15 16:54:33
end time: 2015/08/15 16:56:04
duration: 0 Hours 1 Minutes 31 Seconds
slot: 2 [reset process]
process group: 3
begin time: 2015/08/15 16:54:59
end time: 2015/08/15 16:55:52
duration: 0 Hours 0 Minutes 53 Seconds
slot: 2 [reset process]
process group: 1000
begin time: 2015/08/15 16:54:59
end time: 2015/08/15 16:55:53
duration: 0 Hours 0 Minutes 54 Seconds
slot: 2 [reset process]
process group: 10001
begin time: 2015/08/15 16:54:59
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 511
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
end time: 2015/08/15 16:55:54
duration: 0 Hours 0 Minutes 55 Seconds
slot: 2 [reset process]
process group: 1002
begin time: 2015/08/15 16:54:59
end time: 2015/08/15 16:55:55
duration: 0 Hours 0 Minutes 56 Seconds
slot: 2 [reset process]
process group: 1001
begin time: 2015/08/15 16:54:59
end time: 2015/08/15 16:55:56
duration: 0 Hours 0 Minutes 57 Seconds
slot: 2 [reset process]
process group: 2
begin time: 2015/08/15 16:54:59
end time: 2015/08/15 16:55:57
duration: 0 Hours 0 Minutes 58 Seconds
slot: 2 [reset process]
process group: 10002
begin time: 2015/08/15 16:54:59
end time: 2015/08/15 16:55:58
duration: 0 Hours 0 Minutes 59 Seconds
slot: 2 [reset process]
process group: 10003
begin time: 2015/08/15 16:54:59
end time: 2015/08/15 16:55:50
duration: 0 Hours 0 Minutes 51 Seconds
slot: 2 [reset process]
process group: 10004
begin time: 2015/08/15 16:54:59
end time: 2015/08/15 16:55:51
duration: 0 Hours 0 Minutes 52 Seconds
slot: 2 [reboot]
begin time: 2015/08/15 16:56:13
end time: 2015/08/15 17:00:09
duration: 0 Hours 3 Minutes 56 Seconds
---------------------------------------------------------------------------
Table 3-65 Description of the display issu report command output
Item Description
Upgrade number System upgrade number.
Upgrade type Upgrade type.
● lossy.
Upgrade result Upgrade result:
● success: indicates that upgrade is
successful.
● user abort: The user exists upgrade.
● rollback: issu fails and system
rollback because of abnormal
system or rollback timer expiration.
Base package Name of the old system software.
Upgrade package Name of the new system software.
Base patch Name of the old patch file.
Base paf Name of the old PAF file.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 512
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Item Description
Upgrade paf Name of the new PAF file.
Upgrade rollback time(min) Rollback timer value.
Upgrade start begin time Date and time when the ISSU start
phase begins.
Upgrade start end time Date and time when the ISSU start
phase ends.
Upgrade start total duration Duration for the ISSU start phase.
Upgrade confirm time Date and time when ISSU
confirmation is performed.
Upgrade abort time Date and time when rollback is
performed.
Upgrade procedure details Detailed information about the ISSU
progress.
slot Slot ID and upgrade mode of the
device to be upgraded.
begin time Date and time when device upgrade
begins.
end time Date and time when device upgrade
ends.
duration Duration for device upgrade.
3.9.5 display issu rollback-timer
Function
The display issu rollback-timer command displays the remaining time of the
ISSU rollback timer.
Format
display issu rollback-timer
Parameters
None
Views
User view
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 513
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If the issu start [ rollback-timer [ time ] ] system-file [ patch patch-name ]
command sets the ISSU rollback timer value, you can use the display issu
rollback-timer command to view the remaining time of the ISSU rollback timer.
Prerequisites
The rollback-timer parameter has been specified in the issu start [ rollback-
timer [ time ] ] system-file [ patch patch-name ] command in ISSU start phase.
Example
# Display the remaining time of the ISSU rollback timer during ISSU.
<HUAWEI> display issu rollback-timer
-----------------------------------------
Timer Timeleft(min)
-----------------------------------------
rollback 50
-----------------------------------------
Table 3-66 Description of the display issu rollback-timer command output
Item Description
Timer Timer name.
Timeleft(min) Remaining time of the timer, in
minutes.
3.9.6 display issu state
Function
The display issu state command displays the ISSU phase.
Format
display issu state
Parameters
None
Views
User view
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 514
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Default Level
3: Management level
Usage Guidelines
You can use the display issu state command to check which ISSU phase the
system enters, which can be ISSU check, ISSU start, or ISSU confirm.
Example
# Display the ISSU phase.
<HUAWEI> display issu state
--------------------------------------------------------------------------------
Phase State Progress
--------------------------------------------------------------------------------
1.issu check : finished 100%
2.issu start : processing 90%
3.issu confirm : - 0%
--------------------------------------------------------------------------------
Table 3-67 Description of the display issu state command output
Item Description
Phase ISSU phase:
● 1. issu check: phase of checking the
ISSU upgrade.
● 2. issu start: phase of starting the
ISSU upgrade.
● 3. issu confirm: phase of confirming
the upgrade.
State ISSU state:
● processing: The phase is being
processed.
● finished: The phase has finished.
● -: The phase does not begin.
Progress Progress of the phase.
3.9.7 issu abort
Function
The issu abort command aborts ISSU.
Format
issu abort
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 515
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
None
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
While the ISSU is in progress, run the issu abort command to abort the ISSU if
necessary after the ISSU start phase is over (you can run the display issu state
command to check it, and the issu start is finished). The system then restarts and
rolls back to the previous software version.
Prerequisites
The rollback-timer parameter has been specified in the issu start command in
the ISSU start phase.
Example
# Abort ISSU.
<HUAWEI> issu abort
Warning: The upgrade operation will be aborted, and the system will reboot to old version. Continue?
Please select [Y/N]:y
3.9.8 issu check
Function
The issu check command configures the system to perform ISSU check.
Format
issu check system-file [ patch patch-name ]
Parameters
Parameter Description Value
system-file Specifies the path for The value is a string of 4 to 127
storing the system upgrade case-sensitive characters without
file and file name. spaces. The default directory is
flash:/.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 516
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
patch patch- Specifies the path for The value is a string of 5 to 63
name storing the patch file and case-sensitive characters without
file name. spaces. The default directory is
flash:/.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Before performing ISSU, you need to check whether the system meets ISSU
requirements using the issu check command. ISSU check includes checking the
system running environment, new version integrity and validity, hardware
compatibility, and software compatibility.
Prerequisites
The system software to be upgraded has been uploaded to all stack member
switches.
Follow-up Procedure
If no error information is displayed in the output of the issu check command, the
check result is success. You can also run the display issu check-result command
to view the ISSU check result.
Example
# Perform ISSU check.
<HUAWEI> issu check CE6800-V100R006C00SPC600.cc
3.9.9 issu confirm
Function
The issu confirm command configures the system to confirm the upgrade result.
Format
issu confirm
Parameters
None
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 517
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When you run the issu start command and specify the rollback-timer parameter
to start ISSU, you need to run the issu confirm command to confirm ISSU before
the rollback timer expires or run the issu abort command to abort ISSU to enable
the system to roll back to the old version.
Prerequisites
The issu confirm command can be run to confirm the upgrade result only when
the rollback-timer parameter is specified in the issu start command.
Configuration Impact
After the issu confirm command is executed, the new system software is specified
as the software for the next startup. The ISSU is complete.
Example
# Confirm the upgrade result.
<HUAWEI> issu confirm
3.9.10 issu reset rollback-timer
Function
The issu reset rollback-timer command resets the ISSU rollback timer value in an
ISSU upgrade.
By default, the ISSU rollback timer is reset to 120 minutes.
Format
issu reset rollback-timer [ time | limitless ]
Parameters
Parameter Description Value
time Specifies the ISSU rollback timer The value is an integer that
value. ranges from 1 to 2880, in
minutes.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 518
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameter Description Value
limitless Sets the ISSU rollback timer to -
limitless.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
After the system enters the ISSU start phase, the ISSU rollback timer is
automatically activated. If the ISSU rollback timer expires before the ISSU confirm
phase, the system rolls back to the old version. You can reset the ISSU rollback
timer value according to service requirements.
Prerequisites
The rollback-timer parameter has been specified in the issu start command.
Precautions
If you use the issu reset rollback-timer command to reset the ISSU rollback timer
value, the new configuration takes effect immediately and the old configuration
becomes invalid.
Example
# Reset the ISSU rollback timer to 100 minutes.
<HUAWEI> issu reset rollback-timer 100
3.9.11 issu start
Function
The issu start command starts ISSU.
Format
issu start [ rollback-timer [ time ] ] system-file [ patch patch-name ]
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 519
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Value
rollback-timer Specifies the ISSU rollback -
timer.
time Specifies the ISSU rollback The value is an integer that
timer value. ranges from 0 to 2880, in
minutes. The default value is
If rollback-timer is specified
120 minutes. 0 indicates that
but time is not specified, the
the time of the ISSU rollback
default value of the rollback
timer is infinite.
timer is used.
system-file Specifies the path for storing The value is a string of 4 to 127
the system upgrade file and case-sensitive characters
file name. without spaces. The default
directory is flash:/.
patch patch- Specifies the path for storing The value is a string of 5 to 63
name the patch file and file name. case-sensitive characters
without spaces. The default
directory is flash:/.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
After you run the issu start command to start ISSU, the system enters the ISSU
start phase. All stack member switches upgrade from the old version to new
version.
Precautions
When you run the issu start command without specifying the rollback-timer
parameter to start ISSU, the system confirms ISSU after the ISSU start phase ends.
In this situation, you do not need to run the issu confirm command to confirm
ISSU. If you specify the rollback-timer parameter, you need to run the issu
confirm command before the rollback timer expires or run the issu abort
command to abort ISSU to enable the system to roll back to the old version.
Example
# Start ISSU and set the ISSU rollback timer to 120 minutes.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 520
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
<HUAWEI> issu start rollback-timer 120 CE6800-V100R003C00.cc
<HUAWEI> issu start rollback-timer 120 CE6800-V200R020C00.cc
3.10 Upgrade Commands
3.10.1 display license
Function
The display license command displays information about the license file in the
system.
Format
display license [ verbose ]
display license [ verbose ] slot slot-id
Parameters
Parameter Description Value
verbose Displays detailed information -
about the current active
license file.
slot slot-id Specifies a stack member. The value is an integer, and the
value range varies according to the
device configuration.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
A license file determines whether some product features are available. To view
information about an active license file, run the display license command. The
information includes the name, version, valid time, and configuration items of the
license file.
Example
# Display information about the license file on the device.
<HUAWEI> display license
MainBoard:
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 521
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Active License : flash:/CloudEngine7800.dat
License state : Demo
Revoke ticket : No ticket
No relevant customer information
Product name : CloudEngine 7800
Product version : V200R020
License Serial No : LIC20200621TNAU50
Creator : Huawei Technologies Co., Ltd.
Created Time : 2020-11-26 09:09:51
SnS End Date : 2021-02-20
-------------------------------------------------------------
Feature name : CELIC
Authorize type : demo
Expired date : PERMANENT
Trial days : --
Item name Item type Value Description
-------------------------------------------------------------
CE-LIC-VXLAN Function YES CE-LIC-VXLAN
License state: Demo. The license for the current configuration will expire in 86 day(s).
Apply for authentic license before the current license expires.
# Display detailed information about the current active license file.
<HUAWEI> display license verbose
MainBoard:
Active license : flash:/LICCloudEngine6800.dat
License state : Demo
Revoke ticket : No ticket
Product name : CloudEngine 6800
Product version : V200R005
License file ESN : 210KPK10E0121509861
License Serial No : LIC20200320QR1450
Creator : Huawei Technologies Co., Ltd.
Created Time : 2020-03-20 16:05:41
Country : English
Custom : RD of Huawei Technologies Co., Ltd.
Office : ShenZhen
SnS End Date : 2020-03-25
-------------------------------------------------------------
Feature name : CELIC
Authorize type : demo
Expired date : 2020-06-15
Trial days : --
Item name : CE-LIC-FCF-ALL
Item type : Function
Control value :1
Used value :1
Item state : Normal
Item expired date : 2020-06-15
Item trial days : 60
Description : CE-LIC-FCF-ALL
Table 3-68 Description of the display license command output
Item Description
MainBoard Information about the license file on
the master switch.
SlaveBoard Information about the license file on
the standby switch.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 522
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Item Description
Active License Name and path of the active license
file.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 523
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Item Description
License state Status of a license file:
● Normal: The license is properly
activated.
If the status of a license file on the
live network is not Normal, check
the license file.
● Trial: The license is in trial status.
– If a license in Normal status
enters the Trial status because
the device ESN changes, the
license can be used only for 60
days.
In this case, you need to apply
for a license file matching the
ESN and activate it.
– A license file expires and enters
the Trial status.
In this case, you need to apply
for an official license file and
activate it.
– A license file is revoked and
enters the Trial status.
In this case, you need to apply
for a new license file based on
the revocation code and activate
it.
● Demo: The license is in demo
status.
When you activate a temporary
license file, it enters the Demo
status. The Demo status exists only
for a demo license file used for test
and deployment.
A license file in Demo status allows
you to use functions properly within
a specified period. Before the
expiration of the license file in
Demo status, replace it with a
commercial license file.
● Default: The license is in default
status.
After a license file expires, all
license control items become invalid
(the license is restored to the status
before being activated).
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 524
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Item Description
If you want to use services after a
license file expires, apply for a new
license file and activate it.
Revoke ticket License revocation code.
RD of Huawei Technologies Co., Ltd. Customer name.
Product name Name of the product that runs the
license.
Product version Version of the product corresponding
to a license file.
NOTE
After the device is upgraded to a later
version, the license file is automatically
compatible. Therefore, the version number
of Product version may be different from
that of the system software.
License Serial No Serial number of a license file.
Creator Creator of a file.
Created Time Creation time of a file.
SnS End Date Annual fee deadline.
Feature name Feature name.
Authorize type Authorization type:
● demo: license file for trial use
● comm: license file for commercial
use
Expired date License expiration date. PERMANENT
indicates that the license is
permanently valid.
Trial days Trial period.
Item name Name of a control item.
Item type Type of a control item.
● Function: functional control item
● Resource: resource control item
Value For a functional license, this item is
displayed as YES, indicating that the
corresponding control item is enabled.
For a resource license, the value of this
item indicates specifications of the
supported control item.
Description Description of a control item.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 525
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Item Description
License file ESN Serial number of a device.
Country Country of a customer.
Custom Customer name.
Office Customer location.
Control value Value of an authorized control item.
Used value Value of a used control item.
Item state Status of a control item.
Item expired date Expiration date of a control item.
Item trial days Trial period of a control item.
3.10.2 display license revoke-ticket
Function
The display license revoke-ticket command displays the revocation code of the
current license file of the device.
Format
display license revoke-ticket [ slot slot-id ]
Parameters
Parameter Description Value
slot slot-id The value is an integer, and the value
Specifies a stacked
range depends on the device
device.
configuration.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 526
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
The display license revoke-ticket command enables you to check the revocation
code of a license file that has become invalid on the device. This code proves that
the current license file is invalid and is used to apply for a new license.
Precautions
This command displays information only when the license file in current device
system is invalid.
Example
# Display the revocation code of the current invalid license file.
<HUAWEI> display license revoke-ticket
MainBoard:
Info: The revoke ticket is: LIC20121103006100:27C1B773ED11D9F877855CDAEE74ABFE60E07126.
3.10.3 display license state
Function
The display license state command displays the license status on the device.
Format
display license state [ trial ]
display license state slot slot-id
Parameters
Parameter Description Value
trial Displays the number of days before a -
license in Trial state expires.
If the current license is not in Trial state,
the system displays no information
when this parameter is configured.
slot slot-id Specifies a stacked device. The value is an integer,
and the value range
depends on the device
configuration.
Views
All views
Default Level
1: Monitoring level
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 527
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Usage Guidelines
To check the status of the running license, run this command. The command
displays the status of the license and the number of days before the license in this
status will expire.
The system supports the following license states:
● Normal: normal license
● Demo: demonstration license
● Trial: trial license
● Default: default license
This command helps you locate license problems and verify the license status on
the device.
Example
# Display the status of the license on the device.
<HUAWEI> display license state
MainBoard:
Info: Current license state is Demo. The license for the current configuration will expire in 22 day(s).
# Display the number of days before a license in Trial state expires.
<HUAWEI> display license state trial
Info: Current license state is Trial. The trial days remains 59 day(s).
3.10.4 display paf
Function
The display paf command displays information about the product adaptive file
(PAF) in the system.
Format
display paf [ verbose ]
Parameters
None
Parameter Description Value
verbose Displays details about the -
system PAF file.
Views
All views
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 528
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Default Level
3: Management level
Usage Guidelines
A PAF file provides only required resources and features. This command can
display all the specification information about the PAF file.
Example
# View details about the PAF file.
<HUAWEI> display paf verbose
SPEC_FUNC_RAAS_ENABLED
Value :0
Default value: 0
Min value : 0
Max value : 1
Description : Raas funcation switch(1: enable, 0: disable)
SPEC_FUNC_LVRM_LRSPEC
Value :0
Default value: 0
Min value : 0
Max value : 1
Description : Logic system funcationswitch(1: enable, 0: disable)
SPEC_FUNC_LVRM_VSSPEC
Value :1
Default value: 1
Min value : 0
Max value : 1
Description : Virtual system funcationswitch(1: enable, 0: disable)
Table 3-69 Description of the display paf verbose command output
Item Description
Value Specification items in the PAF file, for
example:
● SPEC_FUNC_RAAS_ENABLED: Whether the
RAAS function is enabled.
– 0: disabled
– 1: enabled
● SPEC_RES_LVRM_LRSPEC: 8 logic systems.
Default value Default specifications in the PAF file.
Min value Minimum specifications in the PAF file.
Max value Maximum specifications in the PAF file.
Description Definition in the PAF file.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 529
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3.10.5 display patch-information
Function
The display patch-information command displays information about the patch in
the current system.
Format
display patch-information [ verbose | history ]
Parameters
Parameter Description Value
verbose Displays detailed information about the patch. -
history Displays historical information about the patch in the current -
system.
Views
All views
Default Level
1: Monitoring level
Usage Guidelines
Usage Scenario
After a patch is loaded or deleted, run this command to view information about
the patch, including its version, name, and status.
Precautions
If the system has no patch loaded, the patch version, name, and status displayed
by this command are "-".
Example
# Display detailed information about the patch in the current system.
<HUAWEI> display patch-information verbose
Patch Package Name :flash:/PATCH.PAT
Patch Package Version :V100R006SPH001
Patch Package State :Running
Patch Package Run Time:2014-11-14 14:02:43
****************************************************************************
* Information about patch errors is as follows: *
****************************************************************************
SlotId CurrentVersion
----------------------------------------------------------------------------
No patch error occurs on any board
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 530
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Board Info :
----------------------------------------------------------------------------------------------
SlotId ProcId State PatchType Valid PatchEffectiveTime PatchFileName
----------------------------------------------------------------------------------------------
1 1049 Running C YES 2014-11-14 14:02:09.297 HP000012.pat
1 1049 Running C YES 2014-11-14 14:02:09.308 HP000028.pat
----------------------------------------------------------------------------------------------
Total = 2
Table 3-70 Description of the display patch-information verbose command output
Item Description
Patch Package Name Name of the patch.
Patch Package Version Version of the patch.
Patch Package State Status of the patch.
Patch Package Run Time Running time of the patch.
Board Info Information about the device with the
patch loaded.
SlotId ID of the device with the patch loaded.
ProcId ID of a patch process.
State Running status of the patch.
● Idle: none.
● Deactive: The patch is inactive.
● Active: The patch is active.
● Running: The patch is running.
PatchType Patch type.
Valid Indicates whether the patch is valid.
PatchEffectiveTime Patch effective time.
PatchFileName Patch name.
3.10.6 display upgrade rollback-timer
Function
The display upgrade rollback-timer command displays the status of the rollback
function in the current version.
Format
display upgrade rollback-timer
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 531
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
None
Views
User view
Default Level
3: Management level
Usage Guidelines
If an error occurs during an upgrade (for example, the new startup files are
damaged), cancel the current upgrade and restore the previous version used
before the upgrade.
To check whether the version rollback function is enabled, run this command.
Example
# Display the status of the rollback function in the current version (the version
rollback function is enabled).
<HUAWEI> display upgrade rollback-timer
Info:The state of upgrade rollback is enable. Limit time is 10 minutes.
# Display the status of the rollback function in the current version (the version
rollback function is disabled).
<HUAWEI> display upgrade rollback-timer
Info:The state of upgrade rollback is disable.
3.10.7 license
Function
The license command creates a license view and enters the view.
NOTE
The CE6850EI, CE6810EI, CE6810LI, CE5855EI, CE5850HI, CE5850EI and CE5810EI do not support
this command.
Format
license
Parameters
None
Views
System view
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 532
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Level
3: Management level
Task Name and Operations
Task Name Operations
license execute
Usage Guidelines
To create and enter a license view, run the license command.
Example
# Create and enter a license view.
<HUAWEI> system-view
[~HUAWEI] license
[~HUAWEI-license]
3.10.8 license active
Function
The license active command activates the license file saved in the storage
medium of the device.
Format
license active file-name
Parameters
Parameter Description Value
file-name Specifies the name of The value must be the
the license file to be name of an existing
activated. license file.
Views
User view
Default Level
3: Management level
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 533
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Usage Guidelines
Usage Scenario
When the current license file on a device expires or feature speculations of a
device need to be expanded, you can replace or upgrade the license file. The initial
state of a license file is inactive and the license file does not take effect in the
system. You can run this command to activate the new or updated license file.
The license active command can be used to activate a license file in the following
situations:
● The license file needs to be activated for the first time.
You can directly run this command to activate the license file.
● The current license file needs to be updated.
If the specifications of the new license file are lower than those of the current
license file, the system displays a message asking you whether to continue
after this command is run. If you choose No, the system retains the current
license file. If you choose Yes, the device activates the license file and the
system uses the new license file.
NOTICE
If the configuration items of the new license file are lower than those of the
current license file, check whether the configuration items required by services
exist in the new license file. If not, apply for a correct license file and activate
it. Otherwise, services may be interrupted due to lack of dependent license
configuration items after the device is restarted.
Prerequisites
The new license file has been uploaded to the device.
Precautions
● The license file must use .dat or .zip as the file name extension and be saved
to the default root directory in the storage medium of the device.
● In a stack with multiple switches, if a license file is applied for each stack
member, you need to compress multiple .dat license files into a .zip file,
upload the .zip file to the stack master, and then load the file.
● Before activating a license file, you can run the license verify command to
verify the license file.
Example
# Activate License.dat in the storage medium of the device.
<HUAWEI> license active license.dat
Now activing the license.................................done.
MainBoard:
Info: Succeeded in activating the license file.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 534
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3.10.9 license backup
Function
The license backup command backs up license information in the license partition
to the specified file.
NOTE
The CE5800 series switches (excluding CE5880EI) do not support this command.
Format
license backup flash file-name
Parameters
Parameter Description Value
flash Backs up license -
information in the
license partition in
specified files.
file-name Specifies the name of The value is a string of 1
the backup file. to 127 case-sensitive
characters without
spaces. When double
quotation marks are
used around the string,
spaces are allowed in the
string.
Views
User view
Default Level
3: Management level
Usage Guidelines
To check whether the activated license is the same as the loaded license, run the
license backup flash command to back up the activated license in specified files
and then compare it with the loaded license file. The license file can be opened in
text mode.
After you run this command, the system backs up two files using the file name
extensions .master.zip and .slave.zip, and saves the files to the root directory on
the default storage of the device. The backup license file in the primary license
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 535
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
partition uses the file name extension .master.zip, and that in the secondary
license partition uses the file name extension .slave.zip.
Example
# Back up license information in the license partition to the files
switch.master.zip and switch.slave.zip.
<HUAWEI> license backup flash switchInfo: Succeeded in backing up the license file to hswitchmaster.zip
and hswitchslave.zip.
3.10.10 license delete
Function
The license delete command deletes a specified license file in the $_license
directory.
Format
license delete file-name
Parameters
Parameter Description Value
file-name Specifies the name of the The value is a string of 1 to 127
license file to be deleted. case-sensitive characters without
spaces.
Views
User view
Default Level
3: Management level
Usage Guidelines
After a license file is activated using the license active command, the system
automatically backs up the license file in the $_license directory. After you
upgrade the license file, the expired license file backed up in the $_license
directory still exists and occupies system resources. To delete redundant license
files in the $_license directory, run the license delete command.
To view files in the $_license directory, run the dir command.
<HUAWEI> cd $_license
<HUAWEI> dir
Directory of flash:/$_license/
Idx Attr Size(Byte) Date Time FileName
0 -r-- 1,710 Nov 04 2014 11:50:57 LICENSE.dat
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 536
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3,480,880 KB total (2,307,848 KB free)
Example
# Delete the license file named license.dat in the $_license directory.
<HUAWEI> license delete license.dat
Warning: The file license.dat cannot be recycled. Continue? [Y/N]:y
3.10.11 license export
Function
The license export command stores a license file which is activated in the current
system in the root directory of a storage device.
By default, an activated license file is not stored in the root directory.
Format
license export file-name
Parameters
Parameter Description Value
file-name Specifies the name of the The value is a string of 5 to 127
license file to be saved to the case-sensitive characters without
root directory. spaces. The extension of a file is
".zip".
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can run this command to save the license file to the root directory on the
storage of the device.
Precautions
The saved license file must use .zip as the file name extension.
Example
# Save the license file to the root directory on the storage of the device.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 537
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
<HUAWEI> license export license.zip
Info: Succeeded in exporting the license file to license.zip.
3.10.12 license revoke
Function
The license revoke command revokes a license file.
Format
license revoke [ slot slot-id ]
Parameters
Parameter Description Value
slot slot-id The value is an integer, and the value
Specifies a stacked
range depends on the device
device.
configuration.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
You can upgrade a license file to:
● Add new features.
● Optimizes device performance.
● Fix bugs in the current version.
Before updating a license file, run the license revoke command to revoke the
existing license. The system then returns a license revocation code. This code is the
evidence for license invalidation and is used to apply for a new license.
NOTE
A license revocation code is a character string generated after a license file becomes invalid.
You can determine that a license file is invalid based on the corresponding revocation code.
Precautions
After you run the license revoke command, the license file enters the Trial state
and cannot be activated again regardless of how long the license file will expire. A
license file in Trial state can be used only for 60 days. After the license file in Trial
state expires, the successfully delivered features controlled by the license are still
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 538
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
valid. The features can be deleted, but cannot be added. To add functions
controlled by the license, re-apply for a license file and activate it.
Please apply for a new license and activate it before the original license expires so
that services are not affected.
Example
# Revoke the current license file.
<HUAWEI> license revoke
Warning: The license will switch to trial state. Continue? [Y/N]:y
MainBoard:
Info: Succeeded in revoking the license. The revoke ticket is
LIC201411261KSC50:87CE09A70A7401C7D0E1853B7931E3FA755AC88D.
3.10.13 license verify
Function
The license verify command verifies the license file of a device.
Format
license verify file-name
Parameters
Parameter Description Value
file-name Specifies the name of the license The value must be the name of
file to be verified. an existing license file.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
Before running the license active command to activate a license file, verify the
license file.
You can run the license verify command to verify the license file on the MPU. The
verification result can be the following:
● Major error
The license file cannot be activated.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 539
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
● Minor error
The license file may fail to be activated.
● Success
The license file can be activated.
Prerequisites
The license file has been saved on the device.
Example
# Verify the license file named license.dat on the device.
<HUAWEI> license verify license.dat
MainBoard:
Info: Verify license succeeded.
3.10.14 patch active all
Function
The patch active all command activates the patches on the current system.
By default, the loaded patches on the current system are inactive.
Format
patch active all
Parameters
None
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If you do not specify the active or run keyword when running the patch load
command, run the patch active all command to activate all the loaded patches to
make them effect.
Prerequisites
Patches have been loaded using the patch load command.
Configuration Impact
● After a non-incremental patch is loaded and the patch active all command is
run, the patches in the current system are activated.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 540
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
● If an incremental patch is loaded and the previous patch package is running,
the previous patch package is still in running state after you run the patch
active all command. The new patch package is activated.
Follow-up Procedure
After running the patch active all command, use the patch run all command to
run the activated patch.
Precautions
After you run the patch active all command:
● If the device is restarted, all the active patches become inactive. To reactivate
the patches, run the patch active all command.
Example
# Activate all patches.
<HUAWEI> patch active all
3.10.15 patch configuration-synchronize
Function
The patch configuration-synchronize command synchronizes the patch
configuration and patch file of the master switch to other member switches in a
stack.
Format
patch configuration-synchronize
Parameters
None
Views
User view
Default Level
3: Management level
Usage Guidelines
After you replace or add a member switch in a stack and start the new member
switch, run this command to synchronize the patch configuration and patch file
from the master switch if the patch file of the new member switch is incorrect.
Example
# Run the following commands on the new member switch to synchronize the
patch configurations and patch files to the new member switch.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 541
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
<HUAWEI> patch configuration-synchronize
3.10.16 patch deactive all
Function
The patch deactive all command deactivates the patches on the current system.
Format
patch deactive all
Parameters
None
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If you find errors in some patches after using the patch active all command to
activate the loaded patches, run the patch deactive all command to deactivate
patches on the current system to prevent them from taking effect.
Prerequisites
Active patches exist on the current system.
Precautions
After the patch deactive all command is run, patches in the active state are
deactivated.
The patch deactive all command makes patches on the current system
ineffective. To make the loaded patches take effect again, run the patch active all
command.
Example
# Deactivate patches on the current system.
<HUAWEI> patch deactive all
3.10.17 patch delete
Function
The patch delete command deletes patches from the current system.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 542
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Format
patch delete all
Parameters
Parameter Description Value
all Deletes all patches on all the boards. -
Views
User view
Default Level
3: Management level
Task Name and Operations
Task Name Operations
patch write
Usage Guidelines
Usage Scenario
Before installing a non-incremental patch, you need to run the patch delete all
command to delete existing patches from the current system and then install a
new patch package.
Configuration Impact
After the patch delete all command is run, patches on the system are deleted
regardless of their status.
Precautions
● The patch delete all command may affect the performance of the system.
So, confirm the action before you use this command.
● When the patch delete all command is run to delete patches from the
current system, the system prompts you whether to delete patches.
● After the patch delete all command is run to delete existing patches from
the current system, the deleted patches cannot be restored. So, confirm the
action before you use this command.
Example
# Delete all hot patches from the current system.
<HUAWEI> patch delete all
This will delete the patch. Are you sure? [Y/N]:y
Info: Operating, please wait for a moment....done.
Info:Succeeded in deleting the patch.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 543
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
# Delete all cold patches from the current system.
<HUAWEI> patch delete all
This will delete the patch. Are you sure? [Y/N]:y
Info: Operating, please wait for a moment.......done.
****************************************************************************
* Warning: Perform the following operations to deal with the cold patch. *
****************************************************************************
----------------------------------------
Device Type Upgrade mode
----------------------------------------
10 MPU reset board
----------------------------------------
Info: Succeeded in deleting the patch.
3.10.18 patch load
Function
The patch load command loads a matching patch in the patch package to the
current system.
Format
patch load file-name all [ active | run ]
Parameters
Parameter Description Value
file-name The value is a string of 5 to
Specifies the storage path and file
127 case-sensitive characters
name of a patch package. The path
without spaces. The value of
name is an absolute path name or a
the patch name is a string of
relative path name.
5 to 63 characters.
all Installs patches on all boards. -
active Activates a patch after the patch is -
loaded.
run Runs a patch after the patch is -
loaded.
Views
User view
Default Level
3: Management level
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 544
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Task Name and Operations
Task Name Operations
patch execute
Usage Guidelines
Usage Scenario
Before loading a patch, the system resolves the patch package to check the
validity of patch files and obtain the attributes of patch files.
When loading a patch to the current system, the system searches the patch
package for a matching patch file according to the attributes of the patch file.
● If a matching patch file is found in the patch package, the system loads the
patch.
● If no matching patch file is found in the patch package, the system does not
load the patch.
Prerequisites
The desired patch file has been uploaded to the master main control board of the
device.
Configuration Impact
After the patch load command is run, the system loads all types of patches in the
patch package.
● If the parameter active is used in the patch load command, the system
activates the patch file after loading it. Then, you can run the patch run all
command to run the patch file.
● If the parameter run is used in the patch load command, the system runs the
patch file after loading it.
Precautions
The device is reset before a cold patch takes effect.
Example
# Load and run the cold patch package on the current system.
<HUAWEI> patch load CloudEngineV200R003SPH001.PAT all run
Info: Operating, please wait for a moment...
****************************************************************************
* Warning: Perform the following operations to deal with the cold patch. *
****************************************************************************
----------------------------------------
Device Type Upgrade mode
----------------------------------------
11 MPU reset board
12 MPU reset board
----------------------------------------
Info: Succeeded in running the patch.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 545
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3.10.19 patch run all
Function
The patch run all command runs the patches on the current system.
Format
patch run all
Parameters
None
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
When the device is restarted, the active patches become deactivated and need to
be activated again. To enable the active patches to retain in running start after a
device restart, use this command to run these active patches.
Prerequisites
Patches have been loaded and activated on the system.
Configuration Impact
After you run this command to run patches on the current system, the patches
remain in the running state if a device restart occurs.
After the patch run all command is run, the patches enter running state and
cannot be restored to the previous state. Confirm the action before you run the
command.
Example
# Run active patches in the current system.
<HUAWEI> patch run all
3.10.20 reset patch-configure
Function
The reset patch-configure command deletes the configuration of the patch file
for next startup.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 546
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Format
reset patch-configure next-startup
Parameters
Parameter Description Value
next-startup Deletes the configuration of the patch file for next startup. -
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
After you run the startup patch command to specify the patch file for next
startup, you can use the reset patch-configure command to delete the
configuration.
Precautions
If you run the reset patch-configure command, the patch file for next startup is
empty. When the device restarts, the system does not load and run the patch file.
Example
# Delete the configuration of the patch file for next startup.
<HUAWEI> reset patch-configure next-startup
Info: Succeeded in clearing startup the patch.
3.10.21 upgrade rollback
Function
The upgrade rollback command enables the system rollback function and sets
the time the system has to wait before rollback.
The undo upgrade rollback command disables the rollback function.
By default, the rollback function is disabled.
Format
upgrade rollback rollback-timer time-value
undo upgrade rollback
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 547
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Value
rollback-timer time- Specifies the value of the The value is an integer that
value rollback timer. ranges from 10 to 360, in
minutes.
Views
User view
Default Level
3: Management level
Usage Guidelines
Usage Scenario
If an error occurs during an upgrade (for example, the new startup files are
damaged), cancel the current upgrade and restore the previous version used
before the upgrade.
After the version rollback function is enabled and the system package is restarted,
the system will perform a version rollback to roll back the system package and
patch if no users successfully log in to the device in a specified period of time.
After the version rollback function is disabled, the system version does not roll
back regardless whether any user is authenticated and logs in to the system
within the specified period.
By default, the version rollback function is disabled. After each version rollback
completes, the version rollback function is disabled again.
Precautions
If any user successfully logs in to the device, the rollback timer is canceled.
After you run this command, the current system resets the rollback timer.
Example
# Configure the rollback timer for the current system upgrade.
<HUAWEI> upgrade rollback rollback-timer 300
Info:The state of upgrade rollback is enable. Limit time is 300 minutes.
If no User cancels the function, the main MPU will restart by the bootfile flash:/software.cc.
# Disable the rollback function.
<HUAWEI> undo upgrade rollback
3.11 HTTP Configuration Commands
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 548
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3.11.1 acl (Service-Restconf view)
Function
The acl command configures an HTTP access control list (ACL).
The undo acl command deletes an HTTP ACL.
By default, no HTTP ACL is configured.
Format
acl { acl-name | acl-number }
undo acl
Parameters
Parameter Description Value
acl-name Specifies the name The value is a string of 1 to 32 case-sensitive
of an ACL. characters, spaces not supported. The value
starts with a letter or digit but cannot contain
only digits.
acl-number Specifies an ACL The value is an integer ranging from 2000 to
number. 3999.
● ACLs numbered 2000 to 2999 are basic
ACLs.
● ACLs numbered 3000 to 3999 are advanced
ACLs.
Views
Service-Restconf view
Default Level
3: Management level
Task Name and Operations
Task Name Operations
https write
Usage Guidelines
Usage Scenario
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 549
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
To configure an HTTP ACL, run the acl command. An ACL limits clients that access
the server, improving server security.
Prerequisites
Create an ACL of a specified type.
● Run acl { name basic-acl-name { basic | [ number ] basic-acl-number } |
[ number ] basic-acl-number } command, create an basic ACL.
● Run acl { name advance-acl-name [ advance ] | [ number ] advance-acl-
number } command, create an advanced ACL.
Precautions
If the ACL configured in this command has not been created in the system view,
no client is allowed to access the HTTP server.
Example
# Configure an HTTP ACL named policy1.
<HUAWEI> system-view
[~HUAWEI] acl policy1
[*HUAWEI-acl4-advance-policy1] quit
[*HUAWEI] http
[*HUAWEI-http] service restconf
[*HUAWEI-http-service-restconf] acl policy1
# Configure an HTTP ACL numbered 2100.
<HUAWEI> system-view
[~HUAWEI] acl 2100
[*HUAWEI-acl4-basic-2100] quit
[*~HUAWEI] http
[*HUAWEI-http] service restconf
[*HUAWEI-http-service-restconf] acl 2100
3.11.2 idle-timeout (Service-Restconf view)
Function
The idle-timeout command sets a timeout period for an idle HTTP connection.
The undo idle-timeout command restores the default timeout period of an idle
HTTP connection.
By default, the timeout period of an idle HTTP connection is 20 minutes.
Format
idle-timeout minutes
undo idle-timeout
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 550
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Parameters
Parameter Description Value
minutes Specifies a timeout period for an The value is an integer ranging
idle HTTP connection. from 1 to 60, in minutes.
Views
Service-Restconf view
Default Level
3: Management level
Task Name and Operations
Task Name Operations
https write
Usage Guidelines
Before a client transmits HTTP services, it logs in to an HTTP server and
establishes a TCP connection with the server. However, if the connection is torn
down unexpectedly, the HTTP server cannot detect the disconnection and still
retains the connection, which wastes resources. To resolve this problem, run the
idle-timeout command to configure a timeout period for an idle HTTP
connection. If the client does not send any packet during the timeout period, the
HTTP server considers the connection invalid and tears down the TCP connection
with the client after the timeout period elapses.
Example
# Set the timeout period to 30 minutes for an idle HTTP connection.
<HUAWEI> system-view
[~HUAWEI] http
[*HUAWEI-http] service restconf
[*HUAWEI-http-service-restconf] idle-timeout 30
3.11.3 secure-server enable
Function
The secure-server enable command enables the HTTPS listening function.
The undo secure-server enable command disables the HTTPS listening function.
By default, the HTTPS listening function is disabled.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 551
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Format
secure-server enable
undo secure-server enable
Parameters
None
Views
Service-Restconf view
Default Level
3: Management level
Task Name and Operations
Task Name Operations
https write
Usage Guidelines
Usage Scenario
HTTP is an application-layer protocol that transports hypertext from WWW servers
to local browsers. HTTP uses the client/server model in which requests and replies
are exchanged.
To enable the HTTPS listening service, run the secure server enable command.
HTTPS encrypts data before transmitting it, enhancing security.
Precautions
HTTPS has a higher security than HTTP, and therefore using HTTPS is
recommended.
Currently, HTTPS listening supports only IPv4.
Example
# Enable the HTTPS listening function.
<HUAWEI> system-view
[~HUAWEI] http
[*HUAWEI-http] service restconf
[*HUAWEI-http-service-restconf] secure-server enable
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 552
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3.11.4 secure-server port
Function
The secure-server port command configures an HTTPS service listening port.
The undo secure-server port command restores the default HTTPS service
listening port.
By default, HTTPS service listening uses port 443.
Format
secure-server port port-number
undo secure-server port
Parameters
Parameter Description Value
port-number Specifies the number for an The value can be 443 or an
HTTPS service listening port. integer ranging from 1025 to
65535.
Views
Service-Restconf view
Default Level
3: Management level
Task Name and Operations
Task Name Operations
https write
Usage Guidelines
● When the default HTTP service listening port is being used, run the secure-
server port command to configure an HTTP service listening port so that the
firewall can filter packets on this port. This enhances network security.
● Currently, the HTTPS service listening port supports only IPv4.
● A port number that is being used cannot be specified.
Example
# Configure port 1028 for HTTPS listening.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 553
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
<HUAWEI> system-view
[~HUAWEI] http
[*HUAWEI-http] service restconf
[*HUAWEI-http-service-restconf] secure-server port 1028
3.11.5 server enable
Function
The server enable command enables the HTTP listening service.
The undo server enable command disables the HTTP listening service.
By default, the HTTP listening function is disabled.
Format
server enable
undo server enable
Parameters
None
Views
Service-Restconf view
Default Level
3: Management level
Task Name and Operations
Task Name Operations
https write
Usage Guidelines
HTTP is an application-layer protocol that transports hypertext from WWW servers
to local browsers. HTTP uses the client/server model in which requests and replies
are exchanged.
To enable the HTTP listening service so that the HTTP server can identify the
connection requests from clients, run the server enable command.
Currently, the HTTP listening service supports only IPv4.
Example
# Enable the HTTP listening service.
<HUAWEI> system-view
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 554
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
[~HUAWEI] http
[*HUAWEI-http] service restconf
[*HUAWEI-http-service-restconf] server enable
3.11.6 server port
Function
The server port command configures an HTTP service listening port.
The undo server port command restores the default HTTP service listening port.
By default, HTTP service listening uses port 80.
Format
server port port-number
undo server port
Parameters
Parameter Description Value
port-number Specifies the number for an The value can be 80 or an integer
HTTP service listening port. ranging from 1025 to 65535.
Views
Service-Restconf view
Default Level
3: Management level
Task Name and Operations
Task Name Operations
https write
Usage Guidelines
● When the default HTTP service listening port is being used, run the server
port command to configure an HTTP service listening port so that the firewall
can filter packets on this port. This enhances network security.
● Currently, the HTTP service listening port supports only IPv4.
● A port number that is being used cannot be specified.
Example
# Configure port 1028 for HTTP service listening.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 555
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
<HUAWEI> system-view
[~HUAWEI] http
[*HUAWEI-http] service restconf
[*HUAWEI-http-service-restconf] server port 1028
3.11.7 service restconf
Function
The service restconf command creates the Service-Restconf view and displays it,
or displays the Service-Restconf view that has been created.
The undo service restconf command deletes the Service-Restconf view and all
configurations in this view.
By default, the Service-Restconf view is not created.
Format
service restconf
undo service restconf
Parameters
None
Views
HTTP view
Default Level
3: Management level
Task Name and Operations
Task Name Operations
https write
Usage Guidelines
Before you perform HTTP configurations, run the service restconf command to
enter the Service-Restconf view.
Example
# Display the Service-Restconf view.
<HUAWEI> system-view
[~HUAWEI] http
[*HUAWEI-http] service restconf
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 556
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
3.11.8 ssl-policy (Service-Restconf view)
Function
The ssl-policy command configures an SSL policy for an HTTP server.
The undo ssl-policy command deletes the SSL policy on an HTTP server.
By default, no SSL policy is configured on an HTTP server.
Format
ssl-policy policy-name
undo ssl-policy
Parameters
Parameter Description Value
policy-name Specifies the name of an The value is a string of 1 to 23 case-
SSL policy. insensitive characters, spaces not
supported.
Views
Service-Restconf view
Default Level
3: Management level
Task Name and Operations
Task Name Operations
https write
Usage Guidelines
Usage Scenario
Conventional HTTP does not have any security mechanism. It transmits data in
plaintext and does not verify the identities of communications parties. Therefore,
data transmitted over HTTP may be tampered with. In applications that require
high security, such as e-commerce and online banking, HTTP is inapplicable. To
enhance security, run the ssl-policy command to specify an SSL policy for an
HTTP server.
Configuration Impact
HTTP security is enhanced with the SSL security mechanisms, such as data
encryption, identity verification, and message integrity check.
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 557
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Prerequisites
The following configurations must have been complete before you run the ssl-
policy command.
1. An SSL policy has been created and the SSL policy view is displayed using the
ssl policy policy-name command in the system view.
2. A digital certificate or certificate chain has been loaded using the certificate
load command in the SSL policy view.
3. The HTTPS listening function has been enabled using the secure-server
enable command in the Service-Restconf view.
Precautions
An HTTP server can only have one SSL policy configured. If the ssl-policy
command is run more than once, the latest configuration overrides the previous
one.
Example
# Configure an SSL policy named policy1 for an HTTP server.
<HUAWEI> system-view
[~HUAWEI] http
[*HUAWEI-http] service-restconf
[*HUAWEI-http-service-restconf] secure-server enable
[*HUAWEI-http-service-restconf] ssl-policy policy1
3.11.9 ssl-verify peer (Service-Restconf view)
Function
The ssl-verify peer command configures an HTTP server to perform SSL
verification on HTTP clients.
The undo ssl-verify command disables an HTTP server from performing SSL
verification on HTTP clients.
By default, an HTTP server does not perform SSL verification on HTTP clients.
Format
ssl-verify peer
undo ssl-verify
Parameters
None
Views
Service-Restconf view
Default Level
3: Management level
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 558
CloudEngine 8800, 7800, 6800, and 5800 Series
Switches
Command Reference 3 Basic Configurations Commands
Task Name and Operations
Task Name Operations
https write
Usage Guidelines
Usage Scenario
To prevent access of unauthorized HTTP clients, run the ssl-verify-mode
command to configure an HTTP server to perform SSL verification on HTTP
clients. This configuration enhances security.
Precautions
If a client does not have a certificate loaded or has an incorrect certificate loaded,
the verification fails, and the server disconnects the client.
Example
# Configure an HTTP server to perform forcible SSL verification on HTTP clients.
<HUAWEI> system-view
[~HUAWEI] http
[*HUAWEI-http] service-restconf
[*HUAWEI-http-service-restconf] ssl-verify peer
Issue 07 (2021-03-10) Copyright © Huawei Technologies Co., Ltd. 559
You might also like
- Ruijie RG Is2700g Series Switches Rgos Command Reference Release 10.43b16t2No ratings yetRuijie RG Is2700g Series Switches Rgos Command Reference Release 10.43b16t21,076 pages
- Ruijie RG-WLAN Series Access Points Command Reference, RGOS11.9 (6) W1B1 (V1.1)No ratings yetRuijie RG-WLAN Series Access Points Command Reference, RGOS11.9 (6) W1B1 (V1.1)1,319 pages
- Ruijie RG-S2915-L Series Switches RGOS 11.4 (1) B82 Command Reference (V1.1)No ratings yetRuijie RG-S2915-L Series Switches RGOS 11.4 (1) B82 Command Reference (V1.1)1,273 pages
- Ruijie RG-WLAN Series Access Points Command Reference, RGOS11.9 (6) W3B3 (V1.0)No ratings yetRuijie RG-WLAN Series Access Points Command Reference, RGOS11.9 (6) W3B3 (V1.0)1,317 pages
- CloudEngine 8800, 7800, 6800, and 5800 V200R005C10 Configuration Guide - Ethernet SwitchingNo ratings yetCloudEngine 8800, 7800, 6800, and 5800 V200R005C10 Configuration Guide - Ethernet Switching769 pages
- All-Products Esuprt Ser Stor Net Esuprt Force10 Force10-S4820 Reference Guide2 En-UsNo ratings yetAll-Products Esuprt Ser Stor Net Esuprt Force10 Force10-S4820 Reference Guide2 En-Us1,114 pages
- S8600 Series Switch Configuration Guide v10.4 (3b7)No ratings yetS8600 Series Switch Configuration Guide v10.4 (3b7)2,268 pages
- Training On UNIX Fundamentals V1 (1) .0-20050405-BNo ratings yetTraining On UNIX Fundamentals V1 (1) .0-20050405-B70 pages
- Training On UNIX Fundamentals V1 (1) .0-20050405-BNo ratings yetTraining On UNIX Fundamentals V1 (1) .0-20050405-B70 pages
- NE9000 V800R023C00SPC500 Configuration Guide 01 Basic ConfigurationNo ratings yetNE9000 V800R023C00SPC500 Configuration Guide 01 Basic Configuration400 pages
- Force10-S25p - Reference Guide - En-Us PDFNo ratings yetForce10-S25p - Reference Guide - En-Us PDF1,262 pages
- Skill Language Programming: Lecture Manual July 16, 2012No ratings yetSkill Language Programming: Lecture Manual July 16, 2012609 pages
- 01-03 Basic Configurations Commands PDFNo ratings yet01-03 Basic Configurations Commands PDF286 pages
- CloudEngine 6800&5800 V100R001C00 Configuration Guide - QoS 04 PDFNo ratings yetCloudEngine 6800&5800 V100R001C00 Configuration Guide - QoS 04 PDF99 pages
- FTOS Configuration Guide For The S55 System FTOS 8.3.5.5No ratings yetFTOS Configuration Guide For The S55 System FTOS 8.3.5.5780 pages
- SG7000 Data Configuration (V200R005C02 - 02)No ratings yetSG7000 Data Configuration (V200R005C02 - 02)385 pages
- CloudEngine 7800&6800&5800 V100R005 (C00&C10) Configuration Guide - Ethernet SwitchingNo ratings yetCloudEngine 7800&6800&5800 V100R005 (C00&C10) Configuration Guide - Ethernet Switching637 pages
- HP ProCurve - Management and Configuration Guide W.14.03100% (1)HP ProCurve - Management and Configuration Guide W.14.03618 pages
- CloudEngine 6800&5800 V100R001C00 Configuration Guide - Security 04 PDFNo ratings yetCloudEngine 6800&5800 V100R001C00 Configuration Guide - Security 04 PDF200 pages
- CloudEngine 6800&5800 V100R001C00 Configuration Guide - Network Management 04 PDFNo ratings yetCloudEngine 6800&5800 V100R001C00 Configuration Guide - Network Management 04 PDF177 pages
- CloudEngine 6800&5800 V100R001C00 Configuration Guide - Device Management 04 PDFNo ratings yetCloudEngine 6800&5800 V100R001C00 Configuration Guide - Device Management 04 PDF146 pages
- CBSS Configuration and Adjustment Guide (CBSS9.0 - 01) (PDF) - enNo ratings yetCBSS Configuration and Adjustment Guide (CBSS9.0 - 01) (PDF) - en475 pages
- PDB - Mulit Inverter - Unidades ExternasNo ratings yetPDB - Mulit Inverter - Unidades Externas169 pages
- CloudEngine 6800&5800 V100R003C00 Troubleshooting Guide 01No ratings yetCloudEngine 6800&5800 V100R003C00 Troubleshooting Guide 01167 pages
- SG7000 Configuration Examples (V200R005C02 - 02)No ratings yetSG7000 Configuration Examples (V200R005C02 - 02)73 pages
- Chapter 2-Basic Switch and End Device Configuration 4No ratings yetChapter 2-Basic Switch and End Device Configuration 434 pages
- CloudEngine 6800&5800 V100R001C00 Configuration Guide - Basic Configuration 04 PDFNo ratings yetCloudEngine 6800&5800 V100R001C00 Configuration Guide - Basic Configuration 04 PDF201 pages
- FactoryTalk Historian SE Basic Lab (RAcbi) - 8-28-2018-IN05No ratings yetFactoryTalk Historian SE Basic Lab (RAcbi) - 8-28-2018-IN05100 pages
- HP Storageworks: Modular Smart Array 1000 (Msa1000) Command Line InterfaceNo ratings yetHP Storageworks: Modular Smart Array 1000 (Msa1000) Command Line Interface64 pages
- CloudEngine 6800&5800 V100R001C00 Configuration Guide - Interface Management 04 PDFNo ratings yetCloudEngine 6800&5800 V100R001C00 Configuration Guide - Interface Management 04 PDF48 pages
- Do Not Reprint © Fortinet: Fortigate Infrastructure Lab GuideNo ratings yetDo Not Reprint © Fortinet: Fortigate Infrastructure Lab Guide140 pages
- HPE - Sd00003375en - Us - Smart Update Manager 10.5.0 CLI GuideNo ratings yetHPE - Sd00003375en - Us - Smart Update Manager 10.5.0 CLI Guide60 pages
- Huawei Firewall USG5300 Configuring System Parameters100% (1)Huawei Firewall USG5300 Configuring System Parameters4 pages
- Modules & Test Case With Tricentis ToscaNo ratings yetModules & Test Case With Tricentis Tosca38 pages
- Python For Desktop Applications Tran Duc Loi Sample50% (2)Python For Desktop Applications Tran Duc Loi Sample22 pages
- SAP HANA Studio Installation Update Guide enNo ratings yetSAP HANA Studio Installation Update Guide en54 pages
- EDT Citrix Guide: © 2006 Landmark Graphics CorporationNo ratings yetEDT Citrix Guide: © 2006 Landmark Graphics Corporation58 pages
- Basics of Python Programming: A Quick Guide for BeginnersFrom EverandBasics of Python Programming: A Quick Guide for BeginnersNo ratings yet
- PowerShell SysAdmin Crash Course: Unlock the Full Potential of PowerShell with Advanced Techniques, Automation, Configuration Management and IntegrationFrom EverandPowerShell SysAdmin Crash Course: Unlock the Full Potential of PowerShell with Advanced Techniques, Automation, Configuration Management and IntegrationNo ratings yet
- Mastering Go Network Automation: Automating Networks, Container Orchestration, Kubernetes with Puppet, Vegeta and Apache JMeterFrom EverandMastering Go Network Automation: Automating Networks, Container Orchestration, Kubernetes with Puppet, Vegeta and Apache JMeterNo ratings yet
- Cisco CCNA Command Guide: An Introductory Guide for CCNA & Computer Networking Beginners: Computer Networking, #3From EverandCisco CCNA Command Guide: An Introductory Guide for CCNA & Computer Networking Beginners: Computer Networking, #34.5/5 (2)
