Setting Users and Passwords
Switch user configuration is done in aaa mode. First, let’s go to the switch configuration mode, and then to the aaa mode:
<huawei>system-view
[huawei]aaa
Set up a local user with a password that we allow to log in via SSH and assign the highest privileges:
[huawei-aaa]local-user stupin password irreversible-cipher $ecretP4ssw0rd
[huawei-aaa]local-user stupin service-type ssh
[huawei-aaa]local-user stupin privilege level 15
The aaa mode is exited with the quit command; returning to the initial user view is done, as usual, with the return command:
[huawei-aaa]quit
[huawei]return
<huawei>
You do not have to leave aaa mode with quit first if you want to return to the initial view immediately: the return command takes you there directly.
You can view the list of configured local users as follows:
<huawei>display local-user
----------------------------------------------------------------------------
User-name State AuthMask AdminLevel
----------------------------------------------------------------------------
admin A TMH 15
stupin A S 15
----------------------------------------------------------------------------
Total 2 user(s)
A user that is no longer needed (here the default admin account) can be deleted with the undo local-user command:
<huawei>system-view
[huawei]aaa
[huawei-aaa]undo local-user admin
[huawei-aaa]quit
[huawei]return
<huawei>
The system will not let you delete a user who is currently logged in to the switch:
[huawei-aaa]undo local-user admin
Error: Have user(s) online, can not be deleted.
Manage Files
The switch has a built-in flash memory, which stores various files, including those with the switch’s firmware. You can view the list of files using the dir command:
<huawei>dir
Directory of flash:/
Idx Attr Size(Byte) Date Time FileName
0 drw- - Aug 23 2016 03:00:30 dhcp
1 drw- - Aug 23 2016 03:00:06 user
2 -rw- 61,931,532 Jul 31 2016 02:40:56 s1720-gw-v200r010c00spc600.cc
3 -rw- 36 Aug 23 2016 03:06:25 $_patchstate_reboot
4 -rw- 3,684 Aug 23 2016 03:06:25 $_patch_history
5 drw- - Aug 23 2016 03:03:29 logfile
6 -rw- 1,034 Apr 02 2000 14:05:45 vrpcfg.zip
7 -rw- 207,239 Aug 23 2016 03:06:07 s1720-gw-v200r010sph008.pat
8 -rw- 2,107 Aug 23 2016 03:05:16 qpzq1ka1183_21980107533gja002511.dat
9 drw- - Aug 23 2016 02:59:54 $_install_mod
10 -rw- 836 Apr 01 2000 23:55:48 rr.bak
11 -rw- 836 Apr 01 2000 23:55:48 rr.dat
12 -rw- 462 Aug 23 2016 03:00:28 private-data.txt
13 drw- - Apr 02 2000 15:36:14 localuser
14 -rw- 816,438 Aug 23 2016 03:00:30 mibtree.xml
15 drw- - Apr 02 2000 01:55:42 $_backup
247,032 KB total (187,332 KB free)
You may notice that some lines are marked with the attribute d. These are directories. You can switch to them and back to the parent directory using the cd command:
<huawei>cd dhcp/
<huawei>cd ..
Directories can be created and deleted using the mkdir and rmdir commands:
<huawei>cd testdir
Error: Wrong path or none existent directory.
<huawei>mkdir testdir
<huawei>cd testdir
<huawei>cd ..
<huawei>rmdir testdir
Remove directory flash:/testdir?[Y/N]:Y
%Removing directory flash:/testdir...Done!
Files can be copied, moved, renamed and deleted using the copy, move, rename and delete commands respectively:
<huawei>copy vrpcfg.zip vrpcfg.bak
Copy flash:/vrpcfg.zip to flash:/vrpcfg.bak?[Y/N]:Y
100% complete.
Info: Copied file flash:/vrpcfg.zip to flash:/vrpcfg.bak...Done.
<huawei>move vrpcfg.bak vrpcfg.new
Move flash:/vrpcfg.bak to flash:/vrpcfg.new ?[Y/N]:Y
%Moved file flash:/vrpcfg.bak to flash:/vrpcfg.new.
<huawei>rename vrpcfg.bak vrpcfg.new
Rename flash:/vrpcfg.bak to flash:/vrpcfg.new ?[Y/N]:Y
Info: Rename file flash:/vrpcfg.bak to flash:/vrpcfg.new ......Done.
<huawei>delete vrpcfg.new
Delete flash:/vrpcfg.new?[Y/N]:Y
Info: Deleting file flash:/vrpcfg.new...succeeded.
You can save the active configuration using the save command:
<huawei>save
The current configuration (excluding the configurations of unregistered boards or cards) will be written to flash:/vrpcfg.zip.
Are you sure to continue?[Y/N]Y
Now saving the current configuration to the slot 0..
Save the configuration successfully.
You can save the current configuration to a text file as follows:
<huawei>save startup.cfg
The current configuration will be written to the device.
Are you sure to continue?[Y/N]Y
Now saving the current configuration to the slot 0..
Save the configuration successfully.
You can view the contents of the file using the more command:
<huawei>more startup.cfg
You can view the configuration that will be applied when the switch boots, using the following command:
<huawei>display saved-configuration last
Set up time synchronization with NTP servers
Enable the use of an NTP server for switch clock synchronization:
<huawei>system-view
[huawei]undo ntp-service disable
[huawei]ntp-service unicast-peer 169.254.254.1
[huawei]return
<huawei>
You can specify the interface from which outgoing NTP requests will be sent as follows:
<huawei>system-view
[huawei]ntp-service source-interface Vlanif 2
[huawei]return
<huawei>
View sessions with NTP servers as follows:
<huawei>display ntp-service sessions
clock source: 169.254.254.1
clock stratum: 3
clock status: configured, master, sane, valid
reference clock ID: 85.21.78.8
reach: 1
current poll: 64
now: 8
offset: 0.0000 ms
delay: 0.00 ms
disper: 0.00 ms
The status of the NTP service on the switch can be seen with the following command:
<huawei>display ntp-service status
clock status: synchronized
clock stratum: 4
reference clock ID: 169.254.254.1
nominal frequency: 100.0000 Hz
actual frequency: 100.0000 Hz
clock precision: 2^18
clock offset: 0.0000 ms
root delay: 0.00 ms
root dispersion: 0.54 ms
peer dispersion: 0.00 ms
reference time: 00:00:00.000 UTC Jan 1 1900(00000000.00000000)
synchronization state: clock set
Finally, after successful synchronization of the time, you can look at the clock:
<huawei>display clock
2020-09-24 19:54:04+05:00
Thursday
Time Zone(Asia/Yekaterinburg) : UTC+05:00
SNMP Setup
Enable SNMP and RMON
You can enable the availability of the SNMP agent for certain protocol versions using the following command:
<huawei>system-view
[huawei]snmp-agent sys-info version v2c
Warning: SNMPv1/SNMPv2c is not secure, and it is recommended to use SNMPv3.
[huawei]return
<huawei>
You can use v1, v3 or all instead of v2c.
You can use the following command to view the versions of the SNMP protocol enabled in the SNMP agent:
<huawei>display snmp-agent sys-info version
SNMP version running in the system:
SNMPv2c SNMPv3
To disable individual protocol versions, or all of them, use the same command prefixed with the undo keyword:
<huawei>system-view
[huawei]undo snmp-agent sys-info version all
Warning: All SNMP versions will be disabled. Continue? [Y/N]:Y
[huawei]return
<huawei>
Now enable RMON statistics collection on the first interface:
<huawei>system-view
[huawei]interface GigabitEthernet 0/0/1
[huawei-GigabitEthernet0/0/1]rmon-statistics enable
[huawei-GigabitEthernet0/0/1]rmon statistics 1 owner stupin
For the second interface:
[huawei-GigabitEthernet0/0/1]interface GigabitEthernet 0/0/2
[huawei-GigabitEthernet0/0/2]rmon-statistics enable
[huawei-GigabitEthernet0/0/2]rmon statistics 2 owner stupin
[huawei-GigabitEthernet0/0/2]quit
[huawei]return
<huawei>
After enabling RMON statistics collection, it can be seen on the switch itself using the following command:
<huawei>display rmon statistics GigabitEthernet 0/0/1
Statistics entry 1 owned by stupin is valid.
Interface : GigabitEthernet0/0/1<ifIndex.5>
Received :
octets :165447 , packets :1744
broadcast packets :182 , multicast packets:303
undersize packets :0 , oversize packets :0
fragments packets :0 , jabbers packets :0
CRC alignment errors:0 , collisions :0
Dropped packet (insufficient resources):0
Packets received according to length (octets):
64 :967 , 65-127 :1580 , 128-255 :271
256-511:100 , 512-1023:12 , 1024-1518:2
The statistics entry number corresponds to the index in the RMON table accessible via SNMP. You can check that the settings are correct, for example, with the snmpwalk command from the net-snmp package:
$ snmpwalk -v 3 -l authPriv -u mon -a SHA -A 'Authentic4ti0n$ecret' -x AES -X 'Encrypti0n$ecret' huawei.lo.stupin.su 1.3.6.1.2.1.16.1.1.1.8
RMON-MIB::etherStatsCRCAlignErrors.1 = Counter32: 0 Packets
RMON-MIB::etherStatsCRCAlignErrors.2 = Counter32: 0 Packets
RMON-MIB::etherStatsCRCAlignErrors.3 = Counter32: 0 Packets
RMON-MIB::etherStatsCRCAlignErrors.4 = Counter32: 0 Packets
RMON-MIB::etherStatsCRCAlignErrors.5 = Counter32: 0 Packets
RMON-MIB::etherStatsCRCAlignErrors.6 = Counter32: 0 Packets
RMON-MIB::etherStatsCRCAlignErrors.7 = Counter32: 0 Packets
RMON-MIB::etherStatsCRCAlignErrors.8 = Counter32: 0 Packets
RMON-MIB::etherStatsCRCAlignErrors.9 = Counter32: 0 Packets
RMON-MIB::etherStatsCRCAlignErrors.10 = Counter32: 0 Packets
The value of RMON-MIB::etherStatsCRCAlignErrors.1 in this table corresponds to the line CRC alignment errors in the output of the command executed on the switch before.
Configuring SNMP Views
The SNMP view allows you to restrict access to certain OID branches. Let’s create a ro view with a single rule allowing access to the branch OID 1.3.6.1:
[huawei]snmp-agent mib-view included ro 1.3.6.1
If the view should allow access to several branches, repeat the command with rules for the other OID branches. If you need to exclude a certain branch from the view, specify the excluded keyword in the rule instead of included.
To remove branches from the view, to the left of the command, use the undo keyword:
[huawei]undo snmp-agent mib-view included ro 1.3.6.1
You can delete the entire view as follows:
[huawei]undo snmp-agent mib-view ro
The switch does not allow you to delete the ViewDefault view that exists on it by default:
[huawei]undo snmp-agent mib-view ViewDefault
Error: The default MIB view ViewDefault can not be modified or deleted.
You can view the list of views and their rules using the display snmp-agent mib-view command:
[huawei]display snmp-agent mib-view
View name:ro
MIB Subtree:internet
Subtree mask:F0(Hex)
Storage-type: nonVolatile
View Type:included
View status:active
View name:rw
MIB Subtree:internet
Subtree mask:F0(Hex)
Storage-type: nonVolatile
View Type:included
View status:active
View name:ViewDefault
MIB Subtree:internet
Subtree mask:F0(Hex)
Storage-type: nonVolatile
View Type:included
View status:active
View name:ViewDefault
MIB Subtree:snmpUsmMIB
Subtree mask:FE(Hex)
Storage-type: nonVolatile
View Type:excluded
View status:active
View name:ViewDefault
MIB Subtree:snmpVacmMIB
Subtree mask:FE(Hex)
Storage-type: nonVolatile
View Type:excluded
View status:active
View name:ViewDefault
MIB Subtree:snmpCommunityMIB
Subtree mask:FE(Hex)
Storage-type: nonVolatile
View Type:excluded
View status:active
Access Control List
Create a basic ACL numbered 2000, which we will later use to restrict the addresses allowed to access SNMP:
<huawei>system-view
[huawei]acl 2000 match-order config
Info: When the ACL that is referenced by SACL is modified, the SACL will be dynamically updated. During the update, these SACL will become invalid temporarily.
[huawei-acl-basic-2000]
Let’s add two rules to this list:
[huawei-acl-basic-2000]rule 1 permit source 169.254.254.1 0
[huawei-acl-basic-2000]rule 2 permit source 169.254.252.2 0
[huawei-acl-basic-2000]quit
[huawei]return
<huawei>
You can view all access control lists as follows:
<huawei>display acl all
Total nonempty ACL number is 1
Basic ACL 2000, 2 rules
Acl's step is 5
rule 1 permit source 169.254.254.1 0
rule 2 permit source 169.254.252.2 0
Setting up SNMP groups
Create a group named ro:
<huawei>system-view
[huawei]snmp-agent group v3 ro privacy read-view ro acl 2000
With this command we:
- add a group named ro,
- which works with SNMP version 3 using secrets for both authentication and encryption (authPriv),
- which is allowed read access to the OIDs in the ro view,
- which has no writable OIDs,
- which has no OIDs available for sending traps,
- which is allowed access only from the IP addresses in access control list 2000.
Create a group named rw, which is similar to ro, but will have access to read and change OID values from the rw view:
[huawei]snmp-agent group v3 rw privacy read-view rw write-view rw acl 2000
To delete a group, you can use the following command:
[huawei]undo snmp-agent group v3 rw privacy
[huawei]return
<huawei>
You can view the list of configured SNMP groups as follows:
<huawei>display snmp-agent group
Group name: ro
Security model: v3 AuthPriv
Readview: ro
Writeview: <no specified>
Notifyview :<no specified>
Storage-type: nonVolatile
Acl:2000
Group name: rw
Security model: v3 AuthPriv
Readview: rw
Writeview: rw
Notifyview :<no specified>
Storage-type: nonVolatile
Acl:2000
Setting up SNMP communities
Create a read-only community with the string $ecretC0mmunity, restricted by ACL 2000 and the ro view:
<huawei>system-view
[huawei]snmp-agent community read cipher $ecretC0mmunity acl 2000 mib-view ro
You can view the list of configured communities as follows:
[huawei]display snmp-agent community
Community name:%^%#__#tTj1LuUC=~XGiJ544zytTY01DWW8+}&TD%r<",HZ=BY2eZWo+%",,oPlW>BrY2b0UHWyz3rIecJ=Q%^%#
Group name:%^%#__#tTj1LuUC=~XGiJ544zytTY01DWW8+}&TD%r<",HZ=BY2eZWo+%",,oPlW>BrY2b0UHWyz3rIecJ=Q%^%#
Acl:2000
Storage-type: nonVolatile
This way you cannot see which string the community actually uses. The community name and group name say nothing either, so it can be quite hard to tell one community from another. Fortunately, the command has an extra option that assigns an alias to the community:
[huawei]snmp-agent community read cipher $ecretC0mmunity acl 2000 mib-view ro alias ro_2000
[huawei]return
<huawei>
Now this community can be easily found in the list by alias ro_2000:
<huawei>display snmp-agent community
Community name:%^%#G48%)LZ^e)O"t{IGD_,4ASvIH>9A72|"W&De*LFYeE$s!'Vr5BT'/a1()`+O\O4o<B4+CB$@aMY9b<$O%^%#
Group name:%^%#G48%)LZ^e)O"t{IGD_,4ASvIH>9A72|"W&De*LFYeE$s!'Vr5BT'/a1()`+O\O4o<B4+CB$@aMY9b<$O%^%#
Alias name:ro_2000
Acl:2000
Storage-type: nonVolatile
Unfortunately, a community cannot be deleted by its alias. You can delete it by the name shown in the Community name and Group name lines:
<huawei>system-view
[huawei]undo snmp-agent community %^%#G48%)LZ^e)O"t{IGD_,4ASvIH>9A72|"W&De*LFYeE$s!'Vr5BT'/a1()`+O\O4o<B4+CB$@aMY9b<$O%^%#
Or you can delete a community by its string, if you know it:
[huawei]undo snmp-agent community $ecretC0mmunity
[huawei]return
<huawei>
You can check the availability of the switch via SNMP protocol version 2c with a configured community string using utilities from the net-snmp package:
$ snmpget -v 2c -c '$ecretC0mmunity' huawei.lo.stupin.su sysObjectID.0
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.2011.2.23.509
Setting up SNMPv3 users
Add an SNMP user named mon:
<huawei>system-view
[huawei]snmp-agent usm-user v3 mon group ro acl 2000
Set up authentication for the mon user using the SHA hashing algorithm and, in response to the switch prompts, enter the authentication secret twice:
[huawei]snmp-agent usm-user v3 mon authentication-mode sha
Please configure the authentication password (8-64)
Enter Password:
Confirm Password:
The switch offers a range of encryption algorithms: des56, 3des, aes128, aes192, aes256. Note that des56 is nowadays regarded as a scrambling algorithm rather than encryption, because it is easily broken on widely available modern hardware. Of the other algorithms, only AES128 is approved by an RFC standard; see the net-snmp project page "Strong Authentication or Encryption".
Set up encryption for the mon user using the AES128 algorithm and, in response to the switch prompts, enter the encryption secret twice:
[huawei]snmp-agent usm-user v3 mon privacy-mode aes128
Please configure the privacy password (8-64)
Enter Password:
Confirm Password:
It is important to set up the secrets in this order. If you try to set the encryption secret before setting the authentication secret, the Switch will report an error:
[huawei]snmp-agent usm-user v3 mon privacy-mode aes128
Error: Please configure the authentication password first.
You can delete a configured user using the following command:
[huawei]undo snmp-agent usm-user v3 mon
[huawei]return
<huawei>
You can view the list of configured users as follows:
<huawei>display snmp-agent usm-user
User name: mon
Engine ID: 800007DB03289E97FB41B4 active
Authentication Protocol: sha
Privacy Protocol: aes128
Group name: ro
Acl: 2000
You can check the availability of the switch via SNMPv3 protocol for the mon user using the following command from the net-snmp package:
$ snmpget -v 3 -l authPriv -u mon -a SHA -A 'Authentic4ti0n$ecret' -x AES -X 'Encrypti0n$ecret' huawei.lo.stupin.su sysObjectID.0
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.2011.2.23.509
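As an added example that is not part of the original post, here is a small audit script that checks the SNMP lines of a saved configuration against the settings described in the SNMP sections above (v1/v2c disabled, ciphered community with an ACL, authPriv groups with an ACL, SHA/AES128 users with an ACL). The configuration text is constructed from the commands shown, with a made-up weak legacy user and a group without an ACL added so that the checks have something to find.

```python
# Added example (not from the original post): audit the SNMP-related lines of a
# saved Huawei configuration against the settings recommended above.
# The sample configuration below is constructed; it combines the commands from
# this post with a deliberately weak "legacy" user and a group without an ACL.
SAMPLE_CONFIG = """\
#
snmp-agent
snmp-agent sys-info version v2c v3
snmp-agent community read cipher %^%#CONSTRUCTED_CIPHER%^%# acl 2000 mib-view ro alias ro_2000
snmp-agent mib-view included ro 1.3.6.1
snmp-agent mib-view included rw 1.3.6.1
snmp-agent group v3 ro privacy read-view ro acl 2000
snmp-agent group v3 rw privacy read-view rw write-view rw acl 2000
snmp-agent group v3 noacl privacy read-view ro
snmp-agent usm-user v3 mon group ro acl 2000
snmp-agent usm-user v3 mon authentication-mode sha
snmp-agent usm-user v3 mon privacy-mode aes128
snmp-agent usm-user v3 legacy group ro
snmp-agent usm-user v3 legacy authentication-mode md5
snmp-agent usm-user v3 legacy privacy-mode des56
#
"""

STRONG_AUTH = {"sha"}             # the post uses SHA; md5 is the weak alternative
WEAK_PRIVACY = {"des56", "3des"}  # des56 is breakable, 3des is deprecated


def audit_snmp(config_text):
    """Return a list of findings; an empty list means the fragment passes."""
    findings = []
    users = {}  # user name -> {"auth", "priv", "acl"}
    for raw in config_text.splitlines():
        parts = raw.strip().split()
        if len(parts) < 3 or parts[0] != "snmp-agent":
            continue
        if parts[1:3] == ["sys-info", "version"]:
            # Any of v1, v2c or all means an unauthenticated community can be used.
            if set(parts[3:]) & {"v1", "v2c", "all"}:
                findings.append("SNMPv1/v2c enabled: " + raw.strip())
        elif parts[1] == "community":
            if "cipher" not in parts:
                findings.append("community string stored in plaintext")
            if "acl" not in parts:
                findings.append("community without an ACL")
        elif parts[1:3] == ["group", "v3"]:
            name = parts[3]
            if "privacy" not in parts:
                findings.append("group %s is not authPriv" % name)
            if "acl" not in parts:
                findings.append("group %s has no ACL" % name)
        elif parts[1:3] == ["usm-user", "v3"] and len(parts) >= 6:
            # A user is defined across several lines: group/acl, auth mode, priv mode.
            name = parts[3]
            user = users.setdefault(name, {"auth": None, "priv": None, "acl": None})
            if parts[4] == "group" and "acl" in parts:
                user["acl"] = parts[parts.index("acl") + 1]
            elif parts[4] == "authentication-mode":
                user["auth"] = parts[5]
            elif parts[4] == "privacy-mode":
                user["priv"] = parts[5]
    for name, user in users.items():
        if user["auth"] not in STRONG_AUTH:
            findings.append("user %s: weak or missing authentication (%s)" % (name, user["auth"]))
        if user["priv"] is None or user["priv"] in WEAK_PRIVACY:
            findings.append("user %s: weak or missing privacy (%s)" % (name, user["priv"]))
        if user["acl"] is None:
            findings.append("user %s: no ACL" % name)
    return findings


if __name__ == "__main__":
    for finding in audit_snmp(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```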
Configuring Ports and VLANs
Go to switch settings mode:
<huawei>system-view
Enter system view, return user view with Ctrl+Z.
Enter port setting mode (exit by command quit):
[huawei]interface GigabitEthernet 0/0/8
[huawei-GigabitEthernet0/0/8]
In the interface setting mode, you can set its description:
[huawei-GigabitEthernet0/0/8]description new manage port
[huawei-GigabitEthernet0/0/8]
Before configuring the VLAN on the switch ports, you can configure the description of each VLAN:
[huawei]vlan 2 configuration
[huawei-vlan2]name System
[huawei-vlan1]name default
[huawei-vlan1]quit
[huawei]
You can add ports to VLANs, or you can add VLANs to a port.
Ports are added to a VLAN as follows:
[huawei-vlan2]port GigabitEthernet 0/0/8
[huawei-vlan2]quit
[huawei]
In this way, you can add a port to a VLAN in access mode only.
You can also configure VLAN in port access mode like this:
[huawei]interface GigabitEthernet 0/0/8
[huawei-GigabitEthernet0/0/8]port default vlan 2
[huawei-GigabitEthernet0/0/8]
By default, all switch ports are configured in VLAN 1 access mode – accept untagged Ethernet frames and mark them as belonging to VLAN 1.
You can switch the switch port to trunk mode as follows:
[huawei-GigabitEthernet0/0/4]port link-type trunk
Warning: This command will delete VLANs on this port. Continue?[Y/N]:Y
Info: This operation may take a few seconds. Please wait for a moment...done.
[huawei-GigabitEthernet0/0/4]
You can add new tagged VLANs to the trunk port as follows:
[huawei-GigabitEthernet0/0/8]port trunk allow-pass vlan 1
Info: This operation may take a few seconds. Please wait a moment...done.
To remove unnecessary tagged VLANs from a port, you can specify a list of those VLANs that you want to keep:
[huawei-GigabitEthernet0/0/8]port trunk allow-pass only-vlan 1 3
You can remove all tagged VLANs from a port by specifying the none keyword instead of the VLAN list:
[huawei-GigabitEthernet0/0/8]port trunk allow-pass only-vlan none
In addition to trunk mode, you can configure the switch port to hybrid mode using the hybrid keyword:
[huawei-GigabitEthernet0/0/4]port link-type hybrid
In hybrid mode, the default VLAN for incoming packets can be configured as follows:
[huawei-GigabitEthernet0/0/4]port hybrid pvid vlan 2
You can allow packets from VLAN 2 to leave the port in untagged mode as follows:
[huawei-GigabitEthernet0/0/4]port hybrid untagged vlan 2
Info: This operation may take a few seconds. Please wait a moment.done.
[huawei-GigabitEthernet0/0/4]
Finally, this is how you can allow tagged packets belonging to VLAN 3 to pass through the port:
[huawei-GigabitEthernet0/0/4]port hybrid tagged vlan 3
Info: This operation may take a few seconds. Please wait a moment.done.
[huawei-GigabitEthernet0/0/4]
You can switch the switch port back to access mode using the access keyword:
[huawei-GigabitEthernet0/0/4]port link-type access
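As an added example (not from the original post), the following model reproduces how the port modes just configured handle frames: access, trunk and hybrid ports on ingress and egress, with the VLAN sets for each port assumed from the commands above.

```python
from dataclasses import dataclass, field

# Added example (not from the original post): a model of how a Huawei switch
# port handles frames in access, trunk and hybrid mode, built from the port
# commands shown above. vid=None stands for an untagged frame.


@dataclass
class Port:
    link_type: str = "access"                           # access | trunk | hybrid
    pvid: int = 1                                       # port default vlan / hybrid pvid
    allowed: set = field(default_factory=lambda: {1})   # trunk: port trunk allow-pass
    untagged: set = field(default_factory=lambda: {1})  # hybrid: port hybrid untagged
    tagged: set = field(default_factory=set)            # hybrid: port hybrid tagged


def ingress(port, vid=None):
    """VLAN an incoming frame is assigned to, or None if the port drops it."""
    if port.link_type == "access":
        # Untagged frames get the PVID; tagged frames pass only if they carry it.
        return port.pvid if vid in (None, port.pvid) else None
    if port.link_type == "trunk":
        # Untagged frames are tagged with the PVID, then checked against the list.
        vid = port.pvid if vid is None else vid
        return vid if vid in port.allowed else None
    if port.link_type == "hybrid":
        # Same as trunk, but the permitted set is the union of untagged and tagged.
        vid = port.pvid if vid is None else vid
        return vid if vid in (port.untagged | port.tagged) else None
    raise ValueError("unknown link type: %s" % port.link_type)


def egress(port, vid):
    """'untagged', 'tagged', or None for a frame of VLAN vid leaving the port."""
    if port.link_type == "access":
        return "untagged" if vid == port.pvid else None
    if port.link_type == "trunk":
        if vid not in port.allowed:
            return None
        return "untagged" if vid == port.pvid else "tagged"
    if port.link_type == "hybrid":
        if vid in port.untagged:
            return "untagged"
        return "tagged" if vid in port.tagged else None
    raise ValueError("unknown link type: %s" % port.link_type)


def ports_from_post():
    """Ports as configured by the commands in this section (VLAN sets are assumed)."""
    return {
        # port link-type access + port default vlan 2
        "GigabitEthernet0/0/8": Port("access", pvid=2),
        # port link-type hybrid, hybrid pvid vlan 2, untagged vlan 2, tagged vlan 3
        "GigabitEthernet0/0/4": Port("hybrid", pvid=2, untagged={2}, tagged={3}),
        # port link-type trunk + port trunk allow-pass only-vlan 1 3
        "trunk": Port("trunk", pvid=1, allowed={1, 3}),
    }


def describe(port, vids=(None, 1, 2, 3)):
    """Ingress and egress outcome per VLAN: a quick table of a port's behaviour."""
    return {vid: (ingress(port, vid), egress(port, vid) if vid is not None else None)
            for vid in vids}


if __name__ == "__main__":
    for name, port in ports_from_post().items():
        print(name, port.link_type, describe(port))
```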
View Port and VLAN Status
You can view the current state of the ports using the display interface brief command:
<huawei>display interface brief
PHY: Physical
*down: administratively down
#down: LBDT down
(l): loopback
(s): spoofing
(b): BFD down
(e): ETHOAM down
(dl): DLDP down
(lb): LBDT block
InUti/OutUti: input utility/output utility
Interface PHY Protocol InUti OutUti inErrors outErrors
GigabitEthernet0/0/1 up up 0% 0% 0 0
GigabitEthernet0/0/2 down down 0% 0% 0 0
GigabitEthernet0/0/3 down down 0% 0% 0 0
GigabitEthernet0/0/4 down down 0% 0% 0 0
GigabitEthernet0/0/5 down down 0% 0% 0 0
GigabitEthernet0/0/6 down down 0% 0% 0 0
GigabitEthernet0/0/7 down down 0% 0% 0 0
GigabitEthernet0/0/8 down down 0% 0% 0 0
GigabitEthernet0/0/9 down down 0% 0% 0 0
GigabitEthernet0/0/10 down down 0% 0% 0 0
NULL0 up up(s) 0% 0% 0 0
Vlanif1 up up -- -- 0 0
Vlanif2 down down -- -- 0 0
You can view the list of VLANs and the list of ports in these VLANs using the display port vlan command:
<huawei>display port vlan
Port Link Type PVID Trunk VLAN List
-------------------------------------------------------------------------------
GigabitEthernet0/0/1 auto 1 1-4094
GigabitEthernet0/0/2 auto 1 1-4094
GigabitEthernet0/0/3 auto 1 1-4094
GigabitEthernet0/0/4 auto 1 1-4094
GigabitEthernet0/0/5 auto 1 1-4094
GigabitEthernet0/0/6 auto 1 1-4094
GigabitEthernet0/0/7 auto 1 1-4094
GigabitEthernet0/0/8 auto 2 1-4094
GigabitEthernet0/0/9 auto 1 1-4094
GigabitEthernet0/0/10 auto 1 1-4094
Switch firmware update
Download the new firmware image and patch file from a TFTP server:
<huawei>tftp 169.254.254.1 get S1720-GW-V200R019C10SPC500.cc
Info: Transfer file in binary mode.
Downloading the file from the remote TFTP server. Please wait...
100%
TFTP: Downloading the file successfully.
92742804 byte(s) received in 1848 second(s).
<huawei>tftp 169.254.254.1 get S1720-GW-V200R019SPH010.pat
Info: Transfer file in binary mode.
Downloading the file from the remote TFTP server. Please wait...
100%
TFTP: Downloading the file successfully.
2959607 byte(s) received in 59 second(s).
Make sure the files have downloaded:
<huawei>dir
Directory of flash:/
Idx Attr Size(Byte) Date Time FileName
0 drw- - Aug 23 2016 03:00:30 dhcp
1 drw- - Aug 23 2016 03:00:06 user
2 -rw- 61,931,532 Jul 31 2016 02:40:56 s1720-gw-v200r010c00spc600.cc
3 -rw- 36 Aug 23 2016 03:06:25 $_patchstate_reboot
4 -rw- 3,388 Sep 26 2020 16:15:57 startup.cfg
5 -rw- 3,684 Aug 23 2016 03:06:25 $_patch_history
6 drw- - Aug 23 2016 03:03:29 logfile
7 -rw- 1,510 Oct 01 2020 19:53:36 vrpcfg.zip
8 -rw- 207,239 Aug 23 2016 03:06:07 s1720-gw-v200r010sph008.pat
9 -rw- 2,107 Aug 23 2016 03:05:16 qpzq1ka1183_21980107533gja002511.dat
10 drw- - Aug 23 2016 02:59:54 $_install_mod
11 -rw- 836 Sep 26 2020 12:51:45 rr.bak
12 -rw- 836 Sep 26 2020 12:51:45 rr.dat
13 -rw- 462 Aug 23 2016 03:00:26 private-data.txt
14 drw- - Sep 26 2020 13:17:42 localuser
15 -rw- 816,438 Aug 23 2016 03:00:28 mibtree.xml
16 drw- - Apr 02 2000 01:55:42 $_backup
17 -rw- 4 Sep 26 2020 12:49:54 snmpnotilog.txt
18 -rw- 92,742,804 Oct 03 2020 21:23:33 s1720-gw-v200r019c10spc500.cc
19 -rw- 2,959,607 Oct 03 2020 23:40:53 s1720-gw-v200r019sph010.pat
247,032 KB total (95,852 KB free)
Let’s set the new files as used on the next boot:
<huawei>startup system-software s1720-gw-v200r019c10spc500.cc ..........
Info: Succeeded in setting the software for booting system.
<huawei>startup patch s1720-gw-v200r019sph010.pat
Info: Succeeded in setting main board resource file for system.
Make sure the new files will be used the next time the Switch boots:
<huawei>display startup
MainBoard:
Configured startup system software: flash:/s1720-gw-v200r010c00spc600.cc
Startup system software: flash:/s1720-gw-v200r010c00spc600.cc
Next startup system software: flash:/s1720-gw-v200r019c10spc500.cc
Startup saved-configuration file: flash:/vrpcfg.zip
Next startup saved-configuration file: flash:/vrpcfg.zip
Startup paf file: default
Next startup paf file: default
Startup license file: default
Next startup license file: default
Startup patch package: flash:/s1720-gw-v200r010sph008.pat
Next startup patch package: flash:/s1720-gw-v200r019sph010.pat
<huawei>reboot
Info: The system is now comparing the configuration, please wait.
Info: If want to reboot with saving diagnostic information, input 'N' and then execute 'reboot save diagnostic-information'.
System will reboot! Continue?[Y/N]:Y
Comparing the firmware versions.............................
Warning: It will take a few minutes to upgrade firmware. Please do not switchover, reset, remove, or power off the board when upgrade is being performed. Please keep system stable..........................................................................................
Info: Online upgrade firmware on slot 0 successfully.
Info: System is rebooting, please wait...
Switch reboot takes 4-5 minutes.
After rebooting, the following message appears when logging in:
Info: Smart-upgrade is currently disabled. Enable Smart-upgrade to get recommended version information.
Make sure the Switch starts up with the new firmware:
<huawei>display version
Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.170 (S1720GWR V200R019C10SPC500)
Copyright (C) 2000-2020 HUAWEI TECH Co., Ltd.
HUAWEI S1720-10GW-2P-E Routing Switch uptime is 0 week, 0 day, 10 hours, 15 minutes
ES5D2T10S000 0(Master) : uptime is 0 week, 0 day, 10 hours, 14 minutes
DDR Memory Size : 512 M bytes
FLASH Total Memory Size : 512 M bytes
FLASH Available Memory Size : 241 M bytes
Pcb Version : VER.B
BootROM Version : 0213.0000
BootLoad Version : 0213.0000
Software Version : VRP (R) Software, Version 5.170 (V200R019C10SPC500)
FLASH Version : 0000.0000
<huawei>display startup
MainBoard:
Configured startup system software: flash:/s1720-gw-v200r019c10spc500.cc
Startup system software: flash:/s1720-gw-v200r019c10spc500.cc
Next startup system software: flash:/s1720-gw-v200r019c10spc500.cc
Startup saved-configuration file: flash:/vrpcfg.zip
Next startup saved-configuration file: flash:/vrpcfg.zip
Startup paf file: default
Next startup paf file: default
Startup license file: default
Next startup license file: default
Startup patch package: flash:/s1720-gw-v200r019sph010.pat
Next startup patch package: flash:/s1720-gw-v200r019sph010.pat
Let’s try to follow the recommendations from the message displayed by the switch when logging in and try to enable smart-upgrade:
[huawei]smart-upgrade enable
Error: Please bind ssl policy first.
The Switch requires you to assign an SSL policy first.
To do this, the switch needs to specify the name of the policy:
[huawei]smart-upgrade ssl-policy ?
STRING<1-23> Name of SSL policy, only permits '_', letters(ignoring case)
and numbers
View available policies:
[huawei]display ssl policy
Error: No policy exists.
There are none. Create one:
[huawei]ssl policy default
[huawei-ssl-policy-default]
Let’s look at the settings of this policy:
[huawei-ssl-policy-default]display this
#
ssl policy default
ssl minimum version tls1.2
#
return
And leave the policy setting mode:
[huawei-ssl-policy-default]quit
Now let's assign this policy to smart-upgrade, enable it and try to download:
[huawei]smart-upgrade ssl-policy default
[huawei]smart-upgrade enable
[huawei]smart-upgrade download
Info: Getting version information from houp, please wait ...........
Info: No download required, status is netError.
Switch clock setting
Before setting the current time, set the time zone first: when the time zone is changed, the time already set shifts along with it, and you would have to set the time again.
You can use the following command to set the time zone:
<huawei>clock timezone Asia/Yekaterinburg add 05:00:00
The name of the time zone can be any text with a length of one to 32 characters. I used the default Unix name Asia/Yekaterinburg, setting the offset to 5 hours from UTC.
In the switch’s default configuration, Daylight Savings Time is disabled. But just in case, if it was configured on the switch before, you can reset it using the following command:
<huawei>undo clock daylight-saving-time
Info: This operation will take several seconds. Please wait...
To set the clock, you can use the following command:
<huawei>clock datetime 13:48:00 2020-09-19
To see the current time, use the following command:
<huawei>display clock
2020-09-19 13:48:20+05:00
Saturday
Time Zone(Asia/Yekaterinburg) : UTC+05:00
If you need to look at the calendar, but are too lazy to take your hands off the keyboard, then Huawei switches provide an almost unique opportunity to do this using the command:
<huawei>display calendar
September 2020
Sun Mon Tue Wed Thu Fri Sat
1 2 3 4 5
6 7 8 9 10 11 12
13 14 15 16 17 18 19
20 21 22 23 24 25 26
27 28 29 30
Today is 19 September 2020.
You can view the calendar for any month. For example, for January 2021:
<huawei>display calendar January 2021
January 2021
Sun Mon Tue Wed Thu Fri Sat
1 2
3 4 5 6 7 8 9
10 11 12 13 14 15 16
17 18 19 20 21 22 23
24 25 26 27 28 29 30
31
Today is 19 September 2020.
You can specify only the month, and then the calendar for the month of the current year will be displayed.
Logging setup
You can view the local switch log as follows:
<huawei>display logbuffer
Logging buffer configuration and contents : enabled
Allowed max buffer size : 1024
Actual buffer size : 512
Channel number : 4 , Channel name : logbuffer
Dropped messages : 0
Overwritten messages : 0
Current messages : 23
Sep 24 2020 19:55:02+05:00 huawei %%01CFM/4/SAVE(s)[0]:The user chose Y when deciding whether to save the configuration to the device.
Sep 24 2020 19:53:08+05:00 huawei %%01NTP/4/STRATUM_CHANGE(l)[1]:System stratum changes from 16 to 4. (SourceAddress=169.254.254.1)
Enable logging service:
<huawei>system-view
[huawei]info-center enable
Info: Information center is enabled.
[huawei]return
<huawei>
Enable sending logs from logbuffer to syslog server:
<huawei>system-view
[huawei]info-center loghost 169.254.254.1 channel logbuffer transport udp port 514 source-ip 169.254.254.28
Warning: There is security risk as this operation enables a non secure syslog protocol.
[huawei]return
<huawei>
To configure rsyslog to receive syslog packets from the switch and write to a separate log, create the /etc/rsyslog.d/huawei.conf file with the following settings:
$ModLoad imudp
$UDPServerRun 514
:FROMHOST, isequal, "169.254.254.28" /var/log/huawei.log
:FROMHOST, isequal, "169.254.254.28" ~
After that, restart rsyslogd:
# systemctl restart rsyslog
If UDP port 514 is blocked by a network filter, be sure to open it.
You can configure logrotate to set log rotation for /var/log/huawei.log. To do this, create a file /etc/logrotate.d/huawei with the following content:
/var/log/huawei.log {
weekly
missingok
rotate 10
compress
delaycompress
notifempty
create 640 root root
}
If everything is done correctly, then in the logs on the syslog server you can see log entries:
Sep 29 04:08:52 huawei %%01SSH/4/SSH_FAIL(s)[86]: Failed to login through SSH. (IP=169.254.254.1, VpnInstanceName= , UserName=stupin, Times=1, FailedReason=User public key authentication failed)
Sep 29 04:09:30 huawei %%01SSH/4/SSH_FAIL(s)[87]: Failed to login through SSH. (IP=169.254.254.1, VpnInstanceName= , UserName=stupin, Times=1, FailedReason=User public key authentication failed)
Similar messages can be seen on the switch itself:
Sep 29 2020 09:09:30+05:00 huawei %%01SSH/4/SSH_FAIL(s)[4]:Failed to login through SSH. (IP=169.254.254.1, VpnInstanceName= , UserName=stupin, Times=1, FailedReason=User public key authentication failed)
Sep 29 2020 09:08:52+05:00 huawei %%01SSH/4/SSH_FAIL(s)[5]:Failed to login through SSH. (IP=169.254.254.1, VpnInstanceName= , UserName=stupin, Times=1, FailedReason=User public key authentication failed)
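As an added example that is not part of the original post, the following script parses the info-center message format shown above on the syslog server side and flags repeated SSH login failures per source address and user name; the sample lines are constructed from the messages above, with one extra sender and its address made up.

```python
import re
from collections import Counter

# Added example (not from the original post): parse Huawei info-center messages
# as they arrive at the syslog server and flag repeated SSH login failures.
# The lines below are constructed after the messages shown above; the sender
# 169.254.254.77 / admin and the switch-local line with seq 6 are invented.
SAMPLE_LOG = [
    "Sep 29 04:08:52 huawei %%01SSH/4/SSH_FAIL(s)[86]: Failed to login through SSH. "
    "(IP=169.254.254.1, VpnInstanceName= , UserName=stupin, Times=1, "
    "FailedReason=User public key authentication failed)",
    "Sep 29 04:09:30 huawei %%01SSH/4/SSH_FAIL(s)[87]: Failed to login through SSH. "
    "(IP=169.254.254.1, VpnInstanceName= , UserName=stupin, Times=1, "
    "FailedReason=User public key authentication failed)",
    # Same event in the format of display logbuffer on the switch itself
    "Sep 29 2020 09:10:05+05:00 huawei %%01SSH/4/SSH_FAIL(s)[6]:Failed to login through SSH. "
    "(IP=169.254.254.1, VpnInstanceName= , UserName=stupin, Times=2, "
    "FailedReason=User public key authentication failed)",
    "Sep 29 04:11:02 huawei %%01SSH/4/SSH_FAIL(s)[88]: Failed to login through SSH. "
    "(IP=169.254.254.77, VpnInstanceName= , UserName=admin, Times=1, "
    "FailedReason=Password authentication failed)",
    "Sep 24 2020 19:53:08+05:00 huawei %%01NTP/4/STRATUM_CHANGE(l)[1]:System stratum "
    "changes from 16 to 4. (SourceAddress=169.254.254.1)",
    "Sep 24 2020 19:55:02+05:00 huawei %%01CFM/4/SAVE(s)[0]:The user chose Y when "
    "deciding whether to save the configuration to the device.",
]

# %%01MODULE/SEVERITY/MNEMONIC(type)[seq]: text. (Key=Value, Key=Value)
MSG_RE = re.compile(
    r"%%01(?P<module>[A-Z0-9]+)/(?P<severity>\d)/(?P<mnemonic>[A-Z0-9_]+)"
    r"\((?P<kind>[a-z])\)\[(?P<seq>\d+)\]:\s*(?P<text>[^(]*?)\s*"
    r"(?:\((?P<params>.*)\))?\s*$"
)


def parse_message(line):
    """Split one message into module, severity, mnemonic, text and key=value params."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = {k: m.group(k) for k in ("module", "mnemonic", "kind", "text")}
    rec["severity"] = int(m.group("severity"))
    rec["seq"] = int(m.group("seq"))
    params = {}
    for item in (m.group("params") or "").split(","):
        if "=" in item:
            key, value = item.split("=", 1)
            params[key.strip()] = value.strip()
    rec["params"] = params
    return rec


def ssh_failures_by_source(lines, threshold=2):
    """Count SSH_FAIL messages per (source IP, user) and return those at or above threshold."""
    counts = Counter()
    for line in lines:
        rec = parse_message(line)
        if rec and rec["module"] == "SSH" and rec["mnemonic"] == "SSH_FAIL":
            p = rec["params"]
            counts[(p.get("IP"), p.get("UserName"))] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (ip, user), n in ssh_failures_by_source(SAMPLE_LOG).items():
        print("%d SSH failures from %s as %s" % (n, ip, user))
```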
DNS client setup
First, enable the DNS client on the switch:
<huawei>system-view
[huawei]dns resolve
[huawei]return
<huawei>
As you might guess, it can be disabled with the undo dns resolve command.
Next, specify the address of the DNS server:
<huawei>system-view
[huawei]dns server 169.254.254.1
[huawei]return
<huawei>
You can view the list of configured DNS servers with the following command:
<huawei>display dns server
IPv4 Dns Servers :
Domain-server IpAddress
1 169.254.254.1
IPv6 Dns Servers :
No configured servers.
You can also specify the source address from which DNS queries will be sent:
<huawei>system-view
[huawei]dns server source-ip 169.254.254.28
[huawei]return
<huawei>
To be able not to specify the right part of the domain in domain names, you can set one or more default domains:
<huawei>system-view
[huawei]dns domain lo.stupin.su
[huawei]return
<huawei>
You can view the configured default domains with the following command:
<huawei>display dns domain
No Domain-name
1 lo.stupin.su
2 wi.stupin.su
3 vm.stupin.su
You can remove a domain from this list with undo dns domain followed by the name of the domain to remove.
Check that name resolution works by pinging a host by name:
<huawei>ping stupin.su
PING stupin.su (188.234.148.179): 56 data bytes, press CTRL_C to break
Reply from 188.234.148.179: bytes=56 Sequence=1 ttl=64 time=1 ms
Reply from 188.234.148.179: bytes=56 Sequence=2 ttl=64 time=1 ms
Reply from 188.234.148.179: bytes=56 Sequence=3 ttl=64 time=1 ms
--- stupin.su ping statistics ---
3 packet(s) transmitted
3 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/1 ms
Switch configuration and firmware management
You can view the boot settings with the display startup command. It shows the firmware, configuration, paf, license and patch files that were used for the current boot and those that will be used at the next boot:
<huawei>display startup
MainBoard:
Configured startup system software: flash:/s1720-gw-v200r019c10spc500.cc
Startup system software: flash:/s1720-gw-v200r019c10spc500.cc
Next startup system software: flash:/s1720-gw-v200r019c10spc500.cc
Startup saved-configuration file: flash:/startup.cfg
Next startup saved-configuration file: flash:/startup.cfg
Startup paf file: default
Next startup paf file: default
Startup license file: default
Next startup license file: default
Startup patch package: flash:/s1720-gw-v200r019sph010.pat
Next startup patch package: flash:/s1720-gw-v200r019sph010.pat
Lines beginning with Startup show the file that was used for the current boot; lines beginning with Next startup show the file that will be used at the next boot.
To change the firmware file that will be used at the next boot, use the following command. Point it only at an image whose integrity you have verified (for example, by comparing its hash with the value published by Huawei), since the switch will boot whatever file this setting names:
<huawei>startup system-software flash:/s1720-gw-v200r010c00spc600.cc
Info: Operating, please wait for a moment.....................
Info: Succeeded in setting the software for booting system.
To change the configuration file that will be used on the next boot, you can use the following command:
<huawei>startup saved-configuration flash:/startup.cfg
Info: Succeeded in setting the configuration for booting system.
You can change the name of the patch file that will be used the next time the Switch boots up with the following command:
<huawei>startup patch flash:/s1720-gw-v200r010sph008.pat
Info: Succeeded in setting main board resource file for system.
Licenses, patches and paf files are managed with the license, patch and paf commands respectively; display license, display patch-information and display paf show information about them.
IP Address and Gateway Setting
First, look at the existing Vlanif interface and its current address:
<huawei>display interface Vlanif main
Vlanif1 current state : UP
Line protocol current state : UP
Last line protocol up time : 2000-04-02 15:20:20
Description:
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 192.168.1.253/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 289e-97fb-41b4
Current system time: 2020-09-21 16:12:24+05:00
Input bandwidth utilization : --
Output bandwidth utilization : --
Let’s configure a new interface in VLAN 2. To do this, first go to the system view:
<huawei>system-view
Enter system view, return user view with Ctrl+Z.
[huawei]interface Vlanif 2
[huawei-Vlanif2]ip address 169.254.254.28 24
The address can be removed again with the undo form of the same command:
[huawei-Vlanif2]undo ip address 169.254.254.28 24
Add a description to the interface:
[huawei-Vlanif2]description Uplink, dlink.lo.stupin.su, port 5
Restart the interface (the restart command is equivalent to shutdown followed by undo shutdown):
[huawei-Vlanif2]restart
Exit interface setting mode:
[huawei-Vlanif2]quit
Add a default route. This is a permanent static route through VLAN 2; the permanent keyword keeps the route active even when the interface goes down:
[huawei]ip route-static 0.0.0.0 0 Vlanif 2 169.254.254.1 permanent
You can view the current routing table as follows:
[huawei]display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 5 Routes : 5
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 Static 60 0 D 169.254.254.1 Vlanif2
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.1.0/24 Direct 0 0 D 192.168.1.253 Vlanif1
192.168.1.253/32 Direct 0 0 D 127.0.0.1 Vlanif1
Connecting to the switch
I am not interested in the web interface, so all further description refers to the command line interface.
Set up SSH, disable telnet and web interface
Enable the SSH (stelnet) server:
<huawei>system-view
[huawei]stelnet server enable
[huawei]return
<huawei>
Add an SSH server user that authenticates with a password and is allowed the stelnet service:
<huawei>system-view
[huawei]ssh user stupin
[huawei]ssh user stupin authentication-type password
[huawei]ssh user stupin service-type stelnet
[huawei]return
<huawei>
The switch remembers the last 5 passwords of each user and refuses a password that has already been used:
[email protected]:~$ ssh [email protected]
User Authentication
Password:
Warning: The initial password poses security risks.
The password needs to be changed. Change now? [Y/N]: y
Please enter old password:
Please enter new password:
Please confirm new password:
Error: The password has appeared in recent 5 times.
The password-change dialog then repeats until you answer N.
To clear a user’s memorized passwords, you can use the following command:
<huawei>system-view
[huawei]aaa
[huawei-aaa]reset local-user stupin password history record
Warning: Clear history password records, there is a security risk.continue?[Y/N]Y
[huawei-aaa]quit
[huawei]return
<huawei>
After that, a previously used password can be set again.
Switch to the view of the terminal line you are currently logged in on and display the terminal configuration:
<huawei>system-view
[huawei]user-interface current
[huawei-ui-vty1]display this
#
user-interface con 0
authentication-mode aaa
user-interface vty 0
authentication-mode aaa
user privilege level 15
user-interface vty 1 4
authentication-mode aaa
user privilege level 15
protocol inbound telnet
user-interface vty 16 20
#
return
[huawei-ui-vty1]quit
[huawei]return
<huawei>
As you can see, virtual terminals 1 to 4 accept telnet. Replace telnet with ssh with the following commands. Note that vty 0 has no protocol inbound line at all and therefore runs with the firmware default; apply protocol inbound ssh to it (and to any other vty range you use) in the same way:
<huawei>system-view
[huawei]user-interface vty 1 4
[huawei-ui-vty1-4]protocol inbound ssh
[huawei-ui-vty1-4]quit
[huawei]return
<huawei>
To disable the telnet and web interfaces for the switch as a whole, use the following commands:
<huawei>system-view
[huawei]undo telnet server enable
Warning: The operation will stop the Telnet server. Continue? [Y/N]:y
[huawei]undo http server enable
Warning: The operation will stop HTTP service. Continue? [Y/N]:Y
[huawei]undo http secure-server enable
Warning: The operation will stop HTTP secure service. Continue? [Y/N]:Y
[huawei]return
<huawei>
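The two changes above are easy to get half right: the vty range you forgot keeps accepting telnet, or the HTTP server comes back after a firmware upgrade. The script below is an added example (not from the original page) that audits a saved configuration dump for exactly the remote-access settings this section configures. It parses the user-interface blocks in the layout that display this printed above and checks for the global service lines. The two configuration excerpts are constructed: the "before" one reproduces the vty settings shown above plus explicit telnet/HTTP enable lines, the "after" one the state after the commands in this section. It assumes that the undo ... enable commands appear verbatim in the dump, which is an assumption about this firmware; adjust REQUIRED_GLOBAL to what display current-configuration prints on yours.

```python
# Lines that must appear verbatim in the configuration dump. Assumption: the
# "undo ... enable" forms are rendered in the dump exactly as typed; adjust to
# what your firmware actually prints.
REQUIRED_GLOBAL = (
    "stelnet server enable",
    "undo telnet server enable",
    "undo http server enable",
    "undo http secure-server enable",
)
# Lines whose presence is a finding on its own.
FORBIDDEN_GLOBAL = (
    "telnet server enable",
    "http server enable",
    "http secure-server enable",
)


def parse_user_interfaces(config_text):
    """Return [(header, [setting lines])] for every user-interface block.

    A block starts at a 'user-interface ...' line and runs until the next one
    or a '#' section separator, which is how 'display this' lays it out.
    """
    blocks, current = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("user-interface "):
            current = (line, [])
            blocks.append(current)
        elif line == "#":
            current = None
        elif current is not None and line:
            current[1].append(line)
    return blocks


def audit_remote_access(config_text):
    """Findings (strings) for insecure remote-access settings; [] when clean."""
    present = {raw.strip() for raw in config_text.splitlines()}
    findings = []
    for line in REQUIRED_GLOBAL:
        if line not in present:
            findings.append(f"global: '{line}' is missing")
    for line in FORBIDDEN_GLOBAL:
        if line in present:
            findings.append(f"global: '{line}' is present")
    for header, body in parse_user_interfaces(config_text):
        # Console lines are physical access, and ranges with no settings at
        # all (vty 16 20 on this switch) follow firmware defaults this script
        # does not know; review those by hand.
        if not header.startswith("user-interface vty") or not body:
            continue
        if "authentication-mode aaa" not in body:
            findings.append(f"{header}: authentication-mode is not aaa")
        inbound = [l for l in body if l.startswith("protocol inbound")]
        if not inbound:
            findings.append(f"{header}: no explicit 'protocol inbound ssh' (firmware default applies)")
        elif inbound[-1] != "protocol inbound ssh":
            findings.append(f"{header}: '{inbound[-1]}' allows a cleartext protocol")
    return findings


# Constructed excerpt: the vty layout shown in the text plus telnet and HTTP on.
BEFORE_CONFIG = """
#
 telnet server enable
 http server enable
#
user-interface con 0
 authentication-mode aaa
user-interface vty 0
 authentication-mode aaa
 user privilege level 15
user-interface vty 1 4
 authentication-mode aaa
 user privilege level 15
 protocol inbound telnet
user-interface vty 16 20
#
return
"""

# Constructed excerpt: after the commands in this section, with vty 0 locked down too.
AFTER_CONFIG = """
#
 stelnet server enable
 undo telnet server enable
 undo http server enable
 undo http secure-server enable
#
user-interface con 0
 authentication-mode aaa
user-interface vty 0
 authentication-mode aaa
 user privilege level 15
 protocol inbound ssh
user-interface vty 1 4
 authentication-mode aaa
 user privilege level 15
 protocol inbound ssh
#
return
"""

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        print(name, audit_remote_access(cfg) or "clean")
```

Run it over the startup.cfg you back up from the switch; a non-empty result after a firmware upgrade is the cheapest way to notice that a default crept back.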
Switch configuration backup
Save the current switch configuration in text form to a file called startup.cfg:
<huawei>save startup.cfg
The current configuration will be written to the device.
Are you sure to continue?[Y/N]Y
Now saving the current configuration to the slot 0..
Save the configuration successfully.
Now this file can be sent to a TFTP server. TFTP has neither authentication nor encryption, and the configuration contains the local users' password hashes, so run the TFTP server only on the management network and restrict access to the uploaded file:
<huawei>tftp 169.254.254.1 put startup.cfg
Info: Transfer file in binary mode.
Uploading the file to the remote TFTP server. Please wait...
100%
TFTP: Uploading the file successfully.
3388 byte(s) sent in 1 second(s).
To check that the copy on the server is usable, delete the local startup.cfg and fetch it back. Do this only after confirming that the upload completed (the byte count reported above matches the file on the server): if the download fails, the switch is left without its startup configuration file until you restore one:
<huawei>delete startup.cfg
Delete flash:/startup.cfg?[Y/N]:Y
Info: Deleting file flash:/startup.cfg...succeeded.
And download a copy of this file from the TFTP server:
<huawei>tftp 169.254.254.1 get startup.cfg
Info: Transfer file in binary mode.
Downloading the file from the remote TFTP server. Please wait...
100%
TFTP: Downloading the file successfully.
3388 byte(s) received in 1 second(s).
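On the server side a backup that is just a file in the TFTP root is only half the job: the transfer carries no integrity check, the dump contains credential hashes, and the interesting question on the next backup is what changed. The script below is an added example (not part of the original page) of what a practitioner would run on the TFTP server after each upload: it checks the received size against the byte count the switch printed, stores the dump content-addressed with mode 0600 so identical backups are not duplicated, lists the lines that carry credentials, and diffs the new dump against the previous one with the volatile header lines ignored. The two configuration dumps, the HASH-PLACEHOLDER value standing in for a real irreversible-cipher hash, and the secret-line patterns are constructed assumptions, not the page's data.

```python
import difflib
import hashlib
import os
import re
import tempfile
import time

# Header comment lines ("!Software Version ...", "!Last configuration was
# updated at ...") change on every save and are not configuration.
HEADER_LINE = re.compile(r"^!")
# Patterns that mark credential material in a VRP dump (assumed list, not exhaustive).
SECRET_LINE = re.compile(r"irreversible-cipher|\bcipher\b|snmp-agent community")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_transfer(data, reported_bytes):
    """TFTP has no integrity check of its own; the cheapest sanity check is
    that what landed on disk is as long as the 'N byte(s) sent' the switch printed."""
    return len(data) == reported_bytes


def config_lines(data):
    return [l for l in data.decode("utf-8", errors="replace").splitlines()
            if not HEADER_LINE.match(l)]


def config_diff(old, new):
    """Unified diff of two dumps with header lines ignored, so that a changed
    save timestamp alone does not register as drift."""
    return list(difflib.unified_diff(config_lines(old), config_lines(new),
                                     "previous", "current", lineterm=""))


def sensitive_lines(data):
    """Lines carrying credentials: the reason the backup must be protected."""
    return [l for l in config_lines(data) if SECRET_LINE.search(l)]


def archive(data, archive_dir, hostname="huawei"):
    """Store the dump content-addressed with mode 0600; returns (path, stored_now).
    A dump identical to one already archived is not stored again."""
    os.makedirs(archive_dir, exist_ok=True)
    digest = sha256_hex(data)
    for name in sorted(os.listdir(archive_dir)):
        if name.endswith("-" + digest[:16] + ".cfg"):
            return os.path.join(archive_dir, name), False
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    path = os.path.join(archive_dir, f"{hostname}-{stamp}-{digest[:16]}.cfg")
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, 0o600)
    return path, True


# Constructed dumps: the same switch before and after the telnet/SSH changes.
OLD_CFG = b"""!Software Version V200R010C00SPC600
!Last configuration was updated at 2020-09-21 16:00:00+05:00 by stupin
#
 sysname huawei
#
 telnet server enable
#
aaa
 local-user stupin password irreversible-cipher HASH-PLACEHOLDER
 local-user stupin service-type ssh
 local-user stupin privilege level 15
#
user-interface vty 1 4
 authentication-mode aaa
 protocol inbound telnet
#
return
"""
NEW_CFG = OLD_CFG.replace(
    b"updated at 2020-09-21 16:00:00+05:00", b"updated at 2020-09-29 04:00:00+05:00"
).replace(
    b" telnet server enable\n", b" stelnet server enable\n undo telnet server enable\n"
).replace(b" protocol inbound telnet", b" protocol inbound ssh")


def run_demo():
    """Exercise the whole flow in a temporary archive directory; returns the results."""
    with tempfile.TemporaryDirectory() as d:
        p1, stored1 = archive(OLD_CFG, d)
        p2, stored2 = archive(OLD_CFG, d)   # identical content: deduplicated
        p3, stored3 = archive(NEW_CFG, d)
        return {
            "first_stored": stored1,
            "dedup": (not stored2) and p1 == p2,
            "second_stored": stored3 and p3 != p1,
            "files": len(os.listdir(d)),
            "size_ok": verify_transfer(OLD_CFG, len(OLD_CFG)),
            "size_bad": verify_transfer(OLD_CFG[:-10], len(OLD_CFG)),
            "diff": config_diff(OLD_CFG, NEW_CFG),
            "secrets": sensitive_lines(NEW_CFG),
        }


if __name__ == "__main__":
    result = run_demo()
    print("\n".join(result["diff"]))
    print("credential lines:", result["secrets"])
```

In production, replace the temporary directory with a root-owned archive outside the TFTP root (the TFTP daemon should never be able to read old backups), and hand the diff to whoever reviews configuration changes; a diff that is empty apart from the header lines means nothing changed since the last backup.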
View switch information
View the switch model, the amount of RAM and flash memory, and the versions of the software installed on it:
<huawei>display version
Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.170 (S1720GWR V200R010C00SPC600)
Copyright (C) 2000-2016 HUAWEI TECH CO., LTD
HUAWEI S1720-10GW-2P-E Routing Switch uptime is 0 week, 0 day, 15 hours, 53 minutes
ES5D2T10S000 0(Master) : uptime is 0 week, 0 day, 15 hours, 52 minutes
DDR Memory Size : 512 M bytes
FLASH Memory Size : 241 M bytes
Pcb Version : VER.B
BootROM Version : 020a.0001
BootLoad Version : 020a.0001
Software Version : VRP (R) Software, Version 5.170 (V200R010C00SPC600)
View the switch model, power status, stack status and role:
<huawei>display device
S1720-10GW-2P-E's Device status:
Slot Sub Type Online Power Register Status Role
-------------------------------------------------------------------------------
0 - S1720-10GW-2P Present PowerOn Registered Normal Master
View the serial number:
<huawei>display device manufacture-info
Slot Sub Serial-number Manu-date
- - - - - - - - - - - - - - - - - - - - - -
0 - 21980107533GJA002511 2018-10-30
View the device status in the stack, including the state of every port:
<huawei>display device slot 0
*down: administratively down
S1720-10GW-2P-E's Device status:
Slot Sub Type Online Power Register Status Role
-------------------------------------------------------------------------------
0 - S1720-10GW-2P Present PowerOn Registered Normal Master
-------------------------------------------------------------------------------
Board Type : S1720-10GW-2P
Board Description : 8 Ethernet 10/100/1000 ports, 2 Gig SFP, with license, AC 110/220V
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Port Port Optic MDI Speed Duplex Flow- Port PoE
Type Status (Mbps) Ctrl State State
-------------------------------------------------------------------------------
0/0/1 GE(C) Absent Auto 1000 Full Disable Up -
0/0/2 GE(C) Absent Auto 1000 Full Disable Down -
0/0/3 GE(C) Absent Auto 1000 Full Disable Down -
0/0/4 GE(C) Absent Auto 1000 Full Disable Down -
0/0/5 GE(C) Absent Auto 1000 Full Disable Down -
0/0/6 GE(C) Absent Auto 1000 Full Disable Down -
0/0/7 GE(C) Absent Auto 1000 Full Disable Down -
0/0/8 GE(C) Absent Auto 1000 Full Disable Down -
0/0/9 GE(F) Absent - 1000 Full Disable Down -
0/0/10 GE(F) Absent - 1000 Full Disable Down -
-------------------------------------------------------------------------------
To view the MAC address of the switch, you can use the following command:
<huawei>display bridge mac-address
System bridge MAC address: 289e-97fb-41b4