Navigating the CLI

The startup/boot process is the initial phase of operation for any administrator or engineer accessing Huawei-based products running VRP. The boot screen reports the system startup procedures as well as the version of the VRP image currently implemented on the device, along with the storage location from which it is loaded. Following the initial startup procedure, an auto-configuration prompt for the initial system settings asks for a response, and the administrator can choose either to follow the configuration steps or to configure the basic system parameters manually. The auto-configuration process can be terminated by selecting the yes option at the given prompt.

The hierarchical command structure of VRP defines a number of command views that govern which commands users are able to run. The command line interface has multiple command views, of which the common views have been introduced in the example. Each command is registered to run in one or more command views, and such commands can run only after the appropriate command view has been entered. The initial command view of VRP is the User View, which operates as an observation view for inspecting parameter status and general statistical information. To apply changes to system parameters, users must enter the System View. A number of sub-command levels can also be found, for example the interface and protocol views, where subsystem-level tasks can be performed.

The current command line view can be determined from the brackets that enclose the prompt and the information contained within them. Chevrons (angle brackets, <...>) identify that the user is currently in the User View, whereas square brackets ([...]) show that a transition to the System View has occurred.

The example demonstrates a selection of common system-defined shortcut keys that are widely used to simplify navigation within the VRP command line interface. Additional shortcut keys are as follows:
  • CTRL+B moves the cursor back one character.
  • CTRL+D deletes the character where the cursor is located.
  • CTRL+E moves the cursor to the end of the current line.
  • CTRL+F moves the cursor forward one character.
  • CTRL+H deletes the character on the left side of the cursor.
  • CTRL+N displays the next command in the historical command buffer.
  • CTRL+P displays the previous command in the historical command buffer.
  • CTRL+W deletes the word on the left side of the cursor.
  • CTRL+X deletes all the characters on the left side of the cursor.
  • CTRL+Y deletes all the characters on the right side of the cursor.
  • ESC+B moves the cursor one word back.
  • ESC+D deletes the word on the right side of the cursor.
  • ESC+F moves the cursor forward one word.

Additional keys can be used to perform similar operations: the backspace key has the same behavior as CTRL+H, deleting the character to the left of the cursor. The left (←) and right (→) cursor keys perform the same operations as the CTRL+B and CTRL+F shortcut keys. The down cursor key (↓) functions the same as CTRL+N, and the up cursor key (↑) acts as an alternative to CTRL+P.

Additionally, the command line supports auto-completion where a command word is unique. The example demonstrates how the command word interface can be auto-completed by typing enough of the word for it to be unique and then pressing the tab key, which completes the command word. Where the command word is not unique, the tab function cycles through the possible completions each time the tab key is pressed.

Two forms of help feature are available within VRP: the partial help and complete help functions. When a character string is entered followed directly by a question mark (?), VRP applies the partial help function and displays all commands that begin with that character string; an example of this is demonstrated. For the complete help feature, a question mark (?) can be entered on the command line in any view to display all possible command names, along with descriptions of all commands pertaining to that view. The complete help feature also supports entering a command followed by a space and a question mark (?); all keywords associated with that command, together with brief descriptions, are then displayed.

For the majority of organizations, multiple devices will exist, each of which needs to be managed. As such, one of the first important tasks of device commissioning is setting device names that uniquely identify each device in the network. The system name parameter on AR2200 series routers is configured as Huawei by default; for the S5720 series of switches the default system name is HUAWEI. The system name takes effect immediately after configuration is complete.

The system clock reflects the system timestamp and can be configured to comply with the rules of any given region. The system clock must be correctly set to ensure synchronization with other devices, and is calculated using the formula: Coordinated Universal Time (UTC) + time zone offset + daylight saving time offset. The clock datetime command is used to set the system clock in the HH:MM:SS YYYY-MM-DD format. It should be noted, however, that if the time zone has not been configured or is set to 0, the date and time entered are treated as UTC; it is therefore recommended that the clock timezone be set first, before configuring the system time and date.

The local time zone is set using the clock timezone command, which follows the time-zone-name { add | minus } offset format, where add indicates that the time of time-zone-name is equal to the UTC time plus the time offset, and minus indicates that the time of time-zone-name is equal to the UTC time minus the time offset.

Certain regions require daylight saving time to be implemented so that the clock stays synchronized with the shift in local time during specific periods of the year. VRP supports daylight saving features both for fixed dates and for dates determined by a set of predetermined rules. For example, daylight saving in the United Kingdom begins on the last Sunday of March and ends on the last Sunday of October, so rules can be applied to ensure that changes occur on such variable dates.
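The clock formula above (UTC + time zone offset + daylight saving offset) and the "last Sunday of the month" style of rule are easy to get wrong when a device's time is checked against log timestamps. The following is an added example, not VRP code or Huawei's implementation, that reproduces the calculation for a fixed zone offset and a repeating rule; the UK_DST rule (transitions at 01:00 UTC, one hour advance) and the helper names are constructed for this example.

```python
from datetime import datetime, timedelta
import calendar

# Added example (not Huawei/VRP code): reproduces the VRP system clock formula
#   local time = UTC + time zone offset + daylight saving offset
# for a fixed zone offset and a "last <weekday> of <month>" repeating DST rule.
# All datetimes are naive and represent UTC unless stated otherwise.

SUNDAY = 6  # datetime.weekday(): Monday == 0 ... Sunday == 6


def last_weekday_of_month(year, month, weekday):
    """Date of the last occurrence of `weekday` in the given month."""
    last_day = calendar.monthrange(year, month)[1]
    candidate = datetime(year, month, last_day)
    # Step back 0-6 days until the weekday matches.
    back = (candidate.weekday() - weekday) % 7
    return candidate - timedelta(days=back)


class RepeatingDstRule:
    """DST that starts and ends on the last `weekday` of two months (start month
    before end month in the same year), switching at a fixed UTC hour."""

    def __init__(self, start_month, end_month, weekday, transition_hour_utc, offset_hours):
        self.start_month = start_month
        self.end_month = end_month
        self.weekday = weekday
        self.transition_hour_utc = transition_hour_utc
        self.offset_hours = offset_hours

    def in_effect(self, utc):
        start = last_weekday_of_month(utc.year, self.start_month, self.weekday)
        end = last_weekday_of_month(utc.year, self.end_month, self.weekday)
        start = start.replace(hour=self.transition_hour_utc)
        end = end.replace(hour=self.transition_hour_utc)
        return start <= utc < end


# Constructed rule for the UK: last Sunday of March to last Sunday of October,
# transitions at 01:00 UTC, clocks advanced by one hour.
UK_DST = RepeatingDstRule(start_month=3, end_month=10, weekday=SUNDAY,
                          transition_hour_utc=1, offset_hours=1)


def local_time(utc, tz_offset_hours, dst_rule=None):
    """Apply the VRP formula: UTC + zone offset + DST offset (when the rule is active).
    A zone offset of 0 with no rule returns UTC unchanged, which is how VRP treats
    a clock that is set before any time zone has been configured."""
    local = utc + timedelta(hours=tz_offset_hours)
    if dst_rule is not None and dst_rule.in_effect(utc):
        local += timedelta(hours=dst_rule.offset_hours)
    return local


def clock_datetime_argument(dt):
    """Format a time the way `clock datetime` expects it: HH:MM:SS YYYY-MM-DD."""
    return dt.strftime("%H:%M:%S %Y-%m-%d")


def parse_clock_datetime(text):
    """Parse the HH:MM:SS YYYY-MM-DD form back into a datetime (treated as UTC here)."""
    return datetime.strptime(text, "%H:%M:%S %Y-%m-%d")


if __name__ == "__main__":
    noon_utc = parse_clock_datetime("12:00:00 2024-07-01")
    print(clock_datetime_argument(local_time(noon_utc, 0, UK_DST)))   # UK summer: 13:00:00 2024-07-01
    print(clock_datetime_argument(local_time(noon_utc, 8)))           # UTC+8, no DST: 20:00:00 2024-07-01
```

When comparing device timestamps with a central log server, compute both sides with the same offsets; a device whose time zone is still 0 will report what it believes is local time as UTC, and the rule-based DST shift accounts for the remaining one-hour discrepancy during summer months.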

The header command provides a means of displaying notifications during connection to a device. The login header is displayed when the terminal connection is activated and the user is being authenticated by the device. The shell header is displayed when the session is set up, after the user has logged in to the device. The header information can be supplied either as a text string or retrieved from a specified file. Where a text string is used, a start and end character must be defined as the marker that delimits the information string; in the example the " character delimits the information string. The string can be 1 to 2000 characters in length, including spaces. The information-based header command follows the format header { login | shell } information text, where text represents the information string, including the start and end markers.

In the case of a file based header, the format header { login | shell } file file-name is applied, where file-name represents the directory and file from which the information string can be retrieved.

The system structures access to command functions hierarchically to protect system security. The system administrator sets user access levels that grant specific users access to specific command levels. The command level is a value ranging from 0 to 3, whilst the user access level is a value ranging from 0 to 15. Level 0 is the visit level, which grants access to commands that run network diagnostic tools (such as ping and traceroute), telnet client connections, and select display commands.

The Monitoring level is a user level of 1, for which command levels 0 and 1 apply, allowing the majority of display commands to be used, with the exception of the display commands that show the current and saved configuration. A user level of 2 is the Configuration level, for which command levels up to 2 apply, enabling access to commands that configure the network services provided directly to users, including routing and network layer commands. The final level is the Management level, which covers user levels 3 through 15 and command levels up to 3, enabling access to commands that control basic system operations and provide support for services.

These commands include the file system, FTP, TFTP, configuration file switching, power supply control, backup board control, user management, level setting, system internal parameter setting, and the debugging commands used for fault diagnosis. The given example demonstrates how a command's privilege level can be changed; in this case the save command found in the user view is raised to require a command level of 3 before it can be used.

Each user interface is represented by a user interface view or command line view provided by the system. The command line view is used to configure and manage all the physical and logical interfaces in asynchronous mode. Users wishing to interface with a device will be required to specify certain parameters in order to allow a user interface to become accessible. Two common forms of user interface implemented are the console interface (CON) and the virtual teletype terminal (VTY) interface.

The console port is an asynchronous serial port provided by the main control board of the device, and uses a relative number of 0. VTY is a logical terminal line that allows a connection to be set up when a device uses telnet services to connect to a terminal for local or remote access. A maximum of 15 users can log in to the device through the VTY logical user interface, by extending the default range of 0 to 4 with the user-interface maximum-vty 15 command. If the maximum number of login users is set to 0, no users are allowed to log in to the router through telnet or SSH. The display user-interface command displays relevant information about the user interfaces.

For both the console and VTY terminal interfaces, certain attributes can be applied to modify their behavior, both to extend features and to improve security. A connection that a user leaves idle for a period of time presents a security risk to the system, so the system waits for a timeout period before automatically terminating the connection. This idle timeout period on the user interface is set to 10 minutes by default.

Where it is necessary to increase or reduce the number of lines displayed on the terminal screen, for example when using a display command, the screen-length command can be applied. By default this is set to 24 lines, and it can be increased to a maximum of 512 lines. A screen-length of 0 is not recommended, since no output will be displayed.

For each command that is used, a record is stored in the history command buffer, which can be navigated using the (↑) or CTRL+P and the (↓) or CTRL+N key functions. The number of commands kept in the history command buffer can be increased using the history-command max-size command, up to 256 stored commands. The number of commands stored by default is 10.

Access to user terminal interfaces provides a clear point of entry for unauthorized users to access a device and make configuration changes. As such, the capability to restrict access and limit what actions can be performed is a necessary part of device security. User privilege and authentication are two means by which terminal security can be improved. User privilege allows a user level to be defined that restricts the user to a specific range of commands. The user level can be any value in the range 0 to 15, where the values represent the visit level (0), monitoring level (1), configuration level (2), and management level (3 to 15) respectively.

Authentication restricts a user's ability to access a terminal interface by requiring the user to be authenticated, using a password or a combination of username and password, before access via the user interface is granted. In the case of VTY connections, all users must be authenticated before access is possible. For all user interfaces, three authentication modes exist: AAA, password authentication and non-authentication. AAA provides user authentication with high security, for which a user name and password must be entered at login. Password authentication requires only the login password, so a single password can be applied to all users. Non-authentication removes any authentication applied to a user interface. It should be noted that the console interface uses the non-authentication mode by default.

It is generally recommended that each user granted telnet access be identified by a username and password, so that individual users can be distinguished. Each user should also be granted a privilege level based on that user's role and responsibility.
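The recommendations in this section (per-user authentication on the VTY lines, a privilege level matched to the role, an idle timeout that actually terminates sessions, and awareness of the non-authentication console default) can be checked mechanically against a saved configuration. The following is an added example, not VRP code or a Huawei tool: it parses the user-interface blocks of a VRP-style configuration excerpt and reports weak settings. The configuration text is constructed for this example; the line forms follow the commands named in the text (user-interface maximum-vty, authentication-mode, user privilege level, idle-timeout, history-command max-size), while the protocol inbound ssh line and the severity labels are assumptions of this example.

```python
import re

# Added example (not Huawei/VRP code): audits the user-interface section of a
# VRP-style configuration for the terminal security settings discussed above.
# The configuration below is constructed for this example and follows the
# layout of a saved configuration (blocks separated by '#').
SAMPLE_CONFIG = """\
#
 sysname RTA
#
user-interface maximum-vty 15
#
user-interface con 0
 authentication-mode none
 idle-timeout 10 0
#
user-interface vty 0 4
 authentication-mode password
 user privilege level 15
 idle-timeout 0 0
 history-command max-size 20
#
user-interface vty 5 14
 authentication-mode aaa
 user privilege level 1
 idle-timeout 5 0
 protocol inbound ssh
#
"""

IDLE_TIMEOUT_DEFAULT_SECONDS = 10 * 60   # VRP default idle timeout: 10 minutes


def parse_user_interfaces(config_text):
    """Return {line name: [setting lines]} for every user-interface block.
    A block starts at 'user-interface <name>' and ends at the next '#' line;
    the global 'user-interface maximum-vty N' line is stored under '_global'."""
    blocks = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "#":
            current = None
        elif line.startswith("user-interface maximum-vty"):
            blocks.setdefault("_global", []).append(line)
        elif line.startswith("user-interface "):
            current = line[len("user-interface "):]
            blocks[current] = []
        elif current is not None and line:
            blocks[current].append(line)
    return blocks


def audit_user_interfaces(config_text):
    """Return (line name, severity, message) findings for weak terminal settings."""
    findings = []
    for name, lines in parse_user_interfaces(config_text).items():
        if name == "_global":
            for line in lines:
                m = re.match(r"user-interface maximum-vty (\d+)$", line)
                if m and int(m.group(1)) == 0:
                    findings.append(("global", "info",
                                     "maximum-vty 0: no telnet/SSH login is possible"))
            continue

        auth = priv = idle = None
        for line in lines:
            if m := re.match(r"authentication-mode (\w+)$", line):
                auth = m.group(1)
            elif m := re.match(r"user privilege level (\d+)$", line):
                priv = int(m.group(1))
            elif m := re.match(r"idle-timeout (\d+)(?: (\d+))?$", line):
                idle = int(m.group(1)) * 60 + int(m.group(2) or 0)

        if name.startswith("vty"):
            if auth == "none":
                findings.append((name, "high", "VTY lines accept logins without authentication"))
            elif auth == "password":
                findings.append((name, "medium",
                                 "shared line password: individual users cannot be distinguished"))
            if priv is not None and priv >= 3 and auth != "aaa":
                findings.append((name, "high",
                                 f"management level {priv} granted without per-user (AAA) authentication"))
        elif auth in (None, "none"):
            # Console: non-authentication is the VRP default; record it so the
            # reliance on physical access control is explicit in the report.
            findings.append((name, "info", "console uses non-authentication"))

        if idle == 0:
            findings.append((name, "high", "idle-timeout 0: idle sessions are never terminated"))
        elif idle is not None and idle > IDLE_TIMEOUT_DEFAULT_SECONDS:
            findings.append((name, "low",
                             f"idle-timeout of {idle // 60} min exceeds the 10 minute default"))
    return findings


if __name__ == "__main__":
    for line_name, severity, message in audit_user_interfaces(SAMPLE_CONFIG):
        print(f"[{severity:6}] {line_name}: {message}")
```

Run against the constructed excerpt, the audit is silent for vty 5 14 (AAA, monitoring level, five-minute timeout) and reports three findings for vty 0 4, where a shared line password combined with management level 15 and a disabled idle timeout gives any holder of that one password full, unattended control of the device.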

In order to run IP services on an interface, an IP address must be configured for the interface. Generally, an interface needs only a primary IP address. In special cases, a secondary IP address can also be configured for the interface; one example is where an interface of a router such as the AR2200 connects to a physical network, and the hosts on that physical network belong to two network segments.

To allow the AR2200 to communicate with all the hosts on that physical network, a primary IP address and a secondary IP address are configured on the interface. An interface has only one primary IP address; if a new primary IP address is configured on an interface that already has one, the new address overrides the original. An IP address is configured on an interface using the command ip address ip-address { mask | mask-length }, where mask represents the 32-bit subnet mask, e.g. 255.255.255.0, and mask-length represents the alternative prefix length, e.g. 24; the two forms can be used interchangeably.
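The mask and mask-length forms are interchangeable only when the mask is contiguous, and the primary/secondary case above comes down to whether every host on the physical segment falls inside the network of the primary address. The following is an added example, not VRP code: it converts between the two mask forms, rejects a non-contiguous mask, and lists the hosts a given primary address would not cover. The addresses are constructed for the example.

```python
import ipaddress

# Added example (not Huawei/VRP code): the two mask forms accepted by
# `ip address ip-address { mask | mask-length }` are interchangeable only for
# contiguous masks. This converts between them and reports which hosts on a
# physical segment a primary address does not cover (the secondary-address case).


def length_to_mask_int(length):
    """Integer mask for a prefix length, e.g. 24 -> 0xFFFFFF00."""
    if not 0 <= length <= 32:
        raise ValueError(f"mask length {length} out of range")
    return (0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF


def length_to_mask(length):
    """24 -> '255.255.255.0'."""
    return str(ipaddress.IPv4Address(length_to_mask_int(length)))


def mask_to_length(mask):
    """'255.255.255.0' -> 24. Raises ValueError for a non-contiguous mask."""
    value = int(ipaddress.IPv4Address(mask))
    length = 0
    # Count leading one bits, then confirm no further one bits follow.
    while length < 32 and value & (1 << (31 - length)):
        length += 1
    if value != length_to_mask_int(length):
        raise ValueError(f"non-contiguous mask {mask}")
    return length


def normalise_mask(mask_or_length):
    """Accept either argument form of `ip address` and return the prefix length."""
    text = str(mask_or_length)
    if "." in text:
        return mask_to_length(text)
    length = int(text)
    length_to_mask_int(length)  # range check only
    return length


def hosts_outside_segment(primary_ip, mask_or_length, hosts):
    """Hosts the interface's primary address cannot reach directly.
    A non-empty result is the situation in which a secondary address
    is needed on the interface."""
    prefix = normalise_mask(mask_or_length)
    network = ipaddress.ip_interface(f"{primary_ip}/{prefix}").network
    return [h for h in hosts if ipaddress.IPv4Address(h) not in network]


if __name__ == "__main__":
    # Constructed segment: two host groups behind one router interface.
    segment_hosts = ["192.168.1.10", "192.168.1.20", "192.168.2.10"]
    print(hosts_outside_segment("192.168.1.1", "255.255.255.0", segment_hosts))  # ['192.168.2.10']
    print(mask_to_length("255.255.255.0"), length_to_mask(24))                    # 24 255.255.255.0
```

On VRP the secondary address is distinguished from the primary by the sub keyword at the end of the ip address command (not shown on this page); the primary address is the one that is overridden when a new address is entered without it.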

The loopback interface is a logical interface used to represent a network or IP host address. It is often used as a management interface for a number of protocols, with communication directed to the IP address of the loopback interface rather than the IP address of the physical interface on which the data is received.

SUMMARY

The console interface is capable of supporting only a single user at any given time; this is represented by the console 0 user interface view.

The loopback interface represents a logical interface that is not present in a router until it is created. Once created, the loopback interface is considered up. On ARG3 devices, the loopback interfaces can however be shut down.