01-Fundamentals Configuration Guide

04-FTP and TFTP configuration

Configuring FTP

File Transfer Protocol (FTP) is an application layer protocol for transferring files from one host to another over an IP network. It uses TCP port 20 to transfer data and TCP port 21 to transfer control commands. For more information about FTP, see RFC 959.

FTP is based on the client/server model. The device can act as the FTP server or FTP client. Make sure the FTP server and the FTP client can reach each other before establishing the FTP connection.

Figure 1 FTP application scenario

 

FTP supports the following transfer modes:

·           Binary mode—Used to transfer non-text files, such as .app, .bin, and .btm files.

·           ASCII mode—Used to transfer text files, such as .txt, .bat, and .cfg files.

When the device acts as the FTP client, you can set the transfer mode (binary by default). When the device acts as the FTP server, the transfer mode is determined by the FTP client.

FTP can operate in either of the following modes:

·           Active mode (PORT)—The FTP server initiates the TCP connection.

·           Passive mode (PASV)—The FTP client initiates the TCP connection. This mode is not suitable when the server does not allow the client to use a random unprivileged port greater than 1024.

FTP operation mode varies depending on the FTP client program.
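
Which side opens the data connection decides which direction an ACL or firewall between the client and the server must permit. The following added example (not from the original guide) reads control-channel lines and lists the data connections they announce, using the RFC 959 host-port encoding h1,h2,h3,h4,p1,p2; the addresses and ports in SESSION are constructed.

```python
import re

# Six comma-separated decimal fields: h1,h2,h3,h4,p1,p2 (RFC 959).
_HOSTPORT = re.compile(
    r"\b(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\b"
)


def parse_hostport(text):
    """Return (ip, port) from a PORT argument or a 227 reply."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError(f"no host-port field in {text!r}")
    fields = [int(f) for f in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in {text!r}")
    return ".".join(str(f) for f in fields[:4]), fields[4] * 256 + fields[5]


def data_connections(control_lines, client_ip, server_ip):
    """List the data connections announced on a control channel.

    Each item is (mode, initiator_ip, listener_ip, listener_port).
    """
    flows = []
    for line in control_lines:
        line = line.strip()
        if line.upper().startswith("PORT "):
            # Active: the client listens, the server connects from TCP port 20.
            ip, port = parse_hostport(line)
            flows.append(("active", server_ip, ip, port))
        elif line.startswith("227 "):
            # Passive: the server listens, the client connects.
            ip, port = parse_hostport(line)
            flows.append(("passive", client_ip, ip, port))
    return flows


# Constructed control-channel lines (addresses and ports are made up).
SESSION = [
    "PORT 10,1,1,2,185,97",
    "200 PORT command successful",
    "PASV",
    "227 Entering Passive Mode (10,1,1,1,195,80)",
]

if __name__ == "__main__":
    for flow in data_connections(SESSION, "10.1.1.2", "10.1.1.1"):
        print(flow)
```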

FIPS compliance

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

FTP is not supported in FIPS mode.

Using the device as an FTP server

To use the device as an FTP server, you must enable the FTP server and configure authentication and authorization on the device. Other commands are optional.

Configuring basic parameters

Step

Command

Remarks

1.      Enter system view.

system-view

N/A

2.      Enable the FTP server.

ftp server enable

By default, the FTP server is disabled.

3.      (Optional.) Use an ACL to control access to the FTP server.

ftp server acl { ipv4-acl-number | ipv6 ipv6-acl-number }

By default, no ACL is used for access control.

4.      (Optional.) Enable logging for FTP login attempts that are denied by the FTP login control ACL.

ftp server acl-deny-log enable

By default, logging is disabled for FTP login attempts that are denied by the FTP login control ACL.

5.      (Optional.) Associate an SSL server policy with the FTP server to ensure data security.

ftp server ssl-server-policy policy-name

By default, no SSL server policy is associated with the FTP server.

6.      (Optional.) Set the FTP connection idle-timeout timer.

ftp timeout minutes

By default, the FTP connection idle-timeout timer is 30 minutes.

If no data transfer occurs on an FTP connection within the idle-timeout interval, the FTP server closes the FTP connection to release resources.

7.      (Optional.) Set the DSCP value for outgoing FTP packets.

·          For an IPv4 FTP server:
ftp server dscp dscp-value

·          For an IPv6 FTP server:
ftp server ipv6 dscp dscp-value

By default, the DSCP value is 0.

8.      (Optional.) Set the maximum number of concurrent FTP users.

aaa session-limit ftp max-sessions

The default is 32.

Changing this setting does not affect users who are currently online. If the new limit is less than the number of online FTP users, no additional FTP users can log in until the number drops below the new limit.

For more information about this command, see Security Command Reference.

 

Configuring authentication and authorization

Perform this task on the FTP server to authenticate FTP clients and set the authorized directories that authenticated clients can access.

The following authentication modes are available:

·           Local authentication—The device looks up the client's username and password in the local user account database. If a match is found, authentication succeeds.

·           Remote authentication—The device sends the client's username and password to a remote authentication server for authentication. The user account is configured on the remote authentication server rather than the device.

The following authorization modes are available:

·           Local authorization—The device assigns authorized directories to FTP clients based on the locally configured authorization attributes.

·           Remote authorization—A remote authorization server assigns authorized directories on the device to FTP clients.

For information about configuring authentication and authorization, see Security Configuration Guide.
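
The optional server settings in "Configuring basic parameters" and the authorized directory described above can be checked mechanically. The following added example (not H3C code) audits a configuration excerpt for them. The excerpt layout, ACL number 2001, policy name ftps-policy, directory flash:/ftp-drop, and the 10-minute idle threshold are assumptions made for the example; the command keywords and the 30-minute default are the ones on this page.

```python
import re

# Constructed excerpts; the layout is an assumption, the keywords are this page's.
AS_IN_EXAMPLE = """\
#
 ftp server enable
#
local-user abc class manage
 service-type ftp
 authorization-attribute user-role network-admin work-directory flash:/
#
local-user ops class manage
 service-type ssh
#
"""

RESTRICTED = """\
#
 ftp server enable
 ftp server acl 2001
 ftp server acl-deny-log enable
 ftp server ssl-server-policy ftps-policy
 ftp timeout 5
#
local-user abc class manage
 service-type ftp
 authorization-attribute user-role network-admin work-directory flash:/ftp-drop
#
"""

DEFAULT_IDLE_MINUTES = 30  # default idle-timeout stated on this page
ROOT_DIR = re.compile(r"^(?:\w+#)*flash:/?$")  # flash:/, slot1#flash:/, ...


def split_config(text):
    """Return (global_lines, {username: [lines]}) from a config excerpt."""
    global_lines, users, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None
        elif line.startswith("local-user "):
            current = line.split()[1]
            users[current] = []
        elif current is not None:
            users[current].append(line)
        else:
            global_lines.append(line)
    return global_lines, users


def audit_ftp(text, max_idle_minutes=10):
    """List finding codes; max_idle_minutes is an example policy value."""
    global_lines, users = split_config(text)
    if "ftp server enable" not in global_lines:
        return []  # FTP server disabled (the default): nothing to audit
    findings = []
    has_acl = any(re.match(r"ftp server acl (ipv6 )?\S+$", ln) for ln in global_lines)
    if not has_acl:
        findings.append("NO-ACL")
    elif "ftp server acl-deny-log enable" not in global_lines:
        findings.append("ACL-DENIALS-NOT-LOGGED")
    if not any(ln.startswith("ftp server ssl-server-policy ") for ln in global_lines):
        findings.append("NO-SSL-POLICY")
    m = re.search(r"^ftp timeout (\d+)$", "\n".join(global_lines), re.M)
    idle = int(m.group(1)) if m else DEFAULT_IDLE_MINUTES
    if idle > max_idle_minutes:
        findings.append(f"IDLE-TIMEOUT-{idle}")
    for name, lines in users.items():
        is_ftp = any(ln.split()[0] == "service-type" and "ftp" in ln.split()[1:] for ln in lines)
        dirs = re.findall(r"work-directory (\S+)", "\n".join(lines))
        if is_ftp and any(ROOT_DIR.match(d) for d in dirs):
            findings.append(f"ROOT-WORKDIR:{name}")  # FTP user can reach the flash root
    return findings
```

ROOT-WORKDIR is reported because the flash root shown in the dir output later in this guide holds startup.cfg, hostkey, and serverkey.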

Manually releasing FTP connections

Execute the following commands in user view.

 

Task

Command

Manually release FTP connections.

·          Release the FTP connection established by using a specific user account:
free ftp user username

·          Release the FTP connection to a specific IP address:
free ftp user-ip [ ipv6 ] client-address [ port port-num ]

 

Displaying and maintaining the FTP server

Execute display commands in any view.

 

Task

Command

Display FTP server configuration and status information.

display ftp-server

Display detailed information about online FTP users.

display ftp-user

 

FTP server configuration example in standalone mode

Network requirements

·           Configure the device as an FTP server.

·           Create a local user account named abc on the FTP server. Set the password to 123456.

·           Use the user account to log in to the FTP server from the FTP client.

·           Upload the temp.bin file from the FTP client to the FTP server.

·           Download configuration file startup.cfg from the FTP server to the FTP client for backup.

Figure 2 Network diagram

 

Configuration procedure

1.      Configure IP addresses as shown in Figure 2. Make sure the device and PC can reach each other. (Details not shown.)

2.      Configure the device (FTP server):

# Create a local user named abc. Set the password to 123456.

<Sysname> system-view

[Sysname] local-user abc class manage

[Sysname-luser-manage-abc] password simple 123456

# Assign the network-admin user role to the user. Set the working directory to the root directory of the flash memory on the active MPU. (To set the working directory to the root directory of the flash memory on the standby MPU, replace flash:/ with slot1#flash:/.)

[Sysname-luser-manage-abc] authorization-attribute user-role network-admin work-directory flash:/

# Assign the service type FTP to the user.

[Sysname-luser-manage-abc] service-type ftp

[Sysname-luser-manage-abc] quit

# Enable the FTP server.

[Sysname] ftp server enable

[Sysname] quit

# Check the free storage space. If it is insufficient, delete unused files to free up space.

<Sysname> dir

Directory of flash:

     1      drw-           -  Jun 29 2011 18:30:38     logfile

     2      drw-           -  Jun 21 2011 14:51:38     diagfile

     3      drw-           -  Jun 21 2011 14:51:38     seclog

     4      -rw-        2943  Jul 02 2011 08:03:08     startup.cfg

     5      -rw-       63901  Jul 02 2011 08:03:08     startup.mdb

     6      -rw-         716  Jun 21 2011 14:58:02     hostkey

     7      -rw-         572  Jun 21 2011 14:58:02     serverkey

     8      -rw-     6541264  Aug 04 2011 20:40:49     backup.bin

 

473664 KB total (467080 KB free)

<Sysname> delete /unreserved flash:/backup.bin

3.      Perform FTP operations from the PC (FTP client):

# Log in to the FTP server at 1.1.1.1 using username abc and password 123456.

c:\> ftp 1.1.1.1

Connected to 1.1.1.1.

220 FTP service ready.

User(1.1.1.1:(none)):abc

331 Password required for abc.

Password:

230 User logged in.

# Use the ASCII mode to download configuration file startup.cfg from the device to the PC for backup.

ftp> ascii

200 TYPE is now ASCII

ftp> get startup.cfg back-startup.cfg

# Use the binary mode to upload the file temp.bin from the PC to the root directory of the flash memory on the active MPU.

ftp> binary

200 TYPE is now 8-bit binary

ftp> put temp.bin

# Exit FTP.

ftp> bye

FTP server configuration example in IRF mode

Network requirements

·           Configure the IRF fabric as an FTP server.

·           Create a local user account named abc on the FTP server. Set the password to 123456.

·           Use the user account to log in to the FTP server from the FTP client.

·           Upload the temp.bin file from the FTP client to the FTP server.

·           Download configuration file config.cfg from the FTP server to the FTP client for backup.

Figure 3 Network diagram

 

Configuration procedure

1.      Configure IP addresses as shown in Figure 3. Make sure the IRF fabric and the PC can reach each other. (Details not shown.)

2.      Configure the FTP server:

# Examine the storage space on the member devices. If the free space is insufficient, use the delete /unreserved file-url command to delete unused files. (Details not shown.)

# Create a local user named abc. Set the password to 123456.

<Sysname> system-view

[Sysname] local-user abc class manage

[Sysname-luser-manage-abc] password simple 123456

# Assign the network-admin user role to the user. Set the working directory to the root directory of the flash memory on the global active MPU. (To set the working directory to the root directory of the flash memory on one of the global standby MPUs, replace flash:/ with, for example, chassis2#slot1#flash:/.)

[Sysname-luser-manage-abc] authorization-attribute user-role network-admin work-directory flash:/

# Assign the service type FTP to the user.

[Sysname-luser-manage-abc] service-type ftp

[Sysname-luser-manage-abc] quit

# Enable the FTP server.

[Sysname] ftp server enable

[Sysname] quit

3.      Perform FTP operations from the FTP client:

# Log in to the FTP server at 1.1.1.1 using username abc and password 123456.

c:\> ftp 1.1.1.1

Connected to 1.1.1.1.

220 FTP service ready.

User(1.1.1.1:(none)):abc

331 Password required for abc.

Password:

230 User logged in.

# Use the ASCII mode to download configuration file config.cfg from the server to the client for backup.

ftp> ascii

200 TYPE is now ASCII

ftp> get config.cfg back-config.cfg

# Use the binary mode to upload the temp.bin file to the root directory of the flash memory on the global active MPU.

ftp> binary

200 TYPE is now 8-bit binary

ftp> put temp.bin

# Exit FTP.

ftp> bye

Using the device as an FTP client

Establishing an FTP connection

To access an FTP server, you must establish a connection from the FTP client to the FTP server.

To establish an IPv4 FTP connection:

 

Step

Command

Remarks

1.      Enter system view.

system-view

N/A

2.      (Optional.) Specify a source IP address for outgoing FTP packets.

ftp client source { interface interface-type interface-number | ip source-ip-address }

By default, no source IP address is specified. The device uses the primary IP address of the output interface as the source IP address.

3.      Return to user view.

quit

N/A

4.      Log in to the FTP server.

·          (Method 1.) Log in to the FTP server from user view:
ftp ftp-server [ service-port ] [ vpn-instance vpn-instance-name ] [ dscp dscp-value | source { interface { interface-name | interface-type interface-number } | ip source-ip-address } ] *

·          (Method 2.) Log in to the FTP server from FTP client view:

a.   Enter FTP client view:
ftp

b.   Log in to the FTP server:
open server-address [ service-port ]

The source IP address specified in the ftp command takes precedence over the one set by the ftp client source command.

 

To establish an IPv6 FTP connection:

 

Step

Command

Remarks

1.      Enter system view.

system-view

N/A

2.      (Optional.) Specify the source IPv6 address for FTP packets sent by the FTP client.

ftp client ipv6 source { interface interface-type interface-number | ipv6 source-ipv6-address }

By default, no source IPv6 address is specified. The source address is automatically selected as defined in RFC 3484.

3.      Return to user view.

quit

N/A

4.      Log in to the FTP server.

·          (Method 1.) Log in to the FTP server from user view:
ftp ipv6 ftp-server [ service-port ] [ vpn-instance vpn-instance-name ] [ dscp dscp-value | source { interface interface-type interface-number | ipv6 source-ipv6-address } ] * [ -i interface-type interface-number ]

·          (Method 2.) Log in to the FTP server from FTP client view:

a.   Enter FTP client view:
ftp ipv6

b.   Log in to the FTP server:
open server-address [ service-port ]

The source IP address specified in the ftp ipv6 command takes precedence over the one set by the ftp client ipv6 source command.

 

Managing directories on the FTP server

Perform the following tasks in FTP client view:

 

Task

Command

Display directory and file information on the FTP server.

·          Display the detailed information of a directory or file on the FTP server:
dir [ remotefile [ localfile ] ]

·          Display the name of a directory or file on the FTP server:
ls [ remotefile [ localfile ] ]

Change the working directory on the FTP server.

cd { directory | .. | / }

Return to the upper level directory on the FTP server.

cdup

Display the working directory that is being accessed.

pwd

Create a directory on the FTP server.

mkdir directory

Delete a directory from the remote FTP server.

rmdir directory

 

Working with files on the FTP server

After you log in to the server, you can upload a file to or download a file from the authorized directory by following these steps:

1.      Use the dir or ls command to display the directory and location of the file on the FTP server.

2.      Delete unused files to get more free storage space.

3.      Set the file transfer mode to ASCII for text files or to binary for non-text files.

4.      Use the lcd command to change the local working directory of the FTP client. You can upload the file or save the downloaded file in this directory.

5.      Upload or download the file.

To work with files on an FTP server, execute the following commands in FTP client view:

 

Task

Command

Remarks

Display directory or file information on the FTP server.

·          Display the detailed information of a directory or file on the FTP server:
dir [ remotefile [ localfile ] ]

·          Display the name of a directory or file on the FTP server:
ls [ remotefile [ localfile ] ]

N/A

Delete a file from the FTP server permanently.

delete remotefile

N/A

Set the file transfer mode.

·          Set the file transfer mode to ASCII:
ascii

·          Set the file transfer mode to binary:
binary

The default file transfer mode is binary.

Change the FTP operation mode.

passive

The default mode is passive.

Display or change the local working directory of the FTP client.

lcd [ directory | / ]

N/A

Upload a file to the FTP server.

put localfile [ remotefile ]

N/A

Download a file from the FTP server.

get remotefile [ localfile ]

N/A

Add the content of a file on the FTP client to a file on the FTP server.

append localfile [ remotefile ]

N/A

Specify the retransmit marker.

restart marker

Use this command together with the put, get, or append command.

Update the local file.

newer remotefile

N/A

Get the missing part of a file.

reget remotefile [ localfile ]

N/A

Rename the file.

rename [ oldfilename [ newfilename ] ]

N/A

 

Changing to another user account

After you log in to the FTP server, you can initiate an FTP authentication to change to a new account. By changing to a new account, you can obtain different privileges without re-establishing the FTP connection.

For successful account change, you must enter the new username and password correctly. A wrong username or password can cause the FTP connection to be disconnected.

To change to another user account, execute the following command in user view:

 

Task

Command

Initiate an FTP authentication on the current FTP connection.

user username [ password ]

 

Maintaining and troubleshooting the FTP connection

Perform the following tasks in FTP client view:

 

Task

Command

Remarks

Display FTP commands on the FTP server.

rhelp

N/A

Display FTP commands help information on the FTP server.

rhelp protocol-command

N/A

Display FTP server status.

rstatus

N/A

Display detailed information about a directory or file on the FTP server.

rstatus remotefile

N/A

Display FTP connection status.

status

N/A

Display the system information of the FTP server.

system

N/A

Enable or disable FTP operation information display.

verbose

By default, this function is enabled.

Enable or disable FTP client debugging.

debug

By default, FTP client debugging is disabled.

Clear the reply information in the buffer.

reset

N/A

 

Terminating the FTP connection

Execute one of the following commands in FTP client view:

 

Task

Command

Terminate the connection to the FTP server without exiting FTP client view.

·          disconnect

·          close

Terminate the connection to the FTP server and return to user view.

·          bye

·          quit

 

Displaying command help information

Execute one of the following commands in FTP client view:

 

Task

Command

Display command help information.

·          help [ command-name ]

·          ? [ command-name ]

 

Displaying and maintaining the FTP client

Execute the display command in any view.

 

Task

Command

Display source IP address information on the FTP client.

display ftp client source

 

FTP client configuration example in standalone mode

Network requirements

As shown in Figure 4, the PC is acting as an FTP server. A user account with the username abc and password 123456 has been created on the PC.

·           Use the device as an FTP client to log in to the FTP server.

·           Download the temp.bin file from the PC to the device.

·           Upload configuration file startup.cfg from the device to the PC for backup.

Figure 4 Network diagram

 

Configuration procedure

# Configure IP addresses as shown in Figure 4. Make sure the device and PC can reach each other. (Details not shown.)

# Examine the storage space of the device. If the free space is insufficient, use the delete /unreserved file-url command to delete unused files. (Details not shown.)

# Log in to the FTP server at 10.1.1.1 using username abc and password 123456.

<Sysname> ftp 10.1.1.1

Press CTRL+C to abort.

Connected to 10.1.1.1 (10.1.1.1).

220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user

User (10.1.1.1:(none)): abc

331 Give me your password, please

Password:

230 Logged in successfully

Remote system type is MSDOS.

ftp>

# Set the file transfer mode to binary.

ftp> binary

200 TYPE is now 8-bit binary

# Download the temp.bin file from the PC to the root directory of the flash memory on the active MPU.

ftp> get temp.bin

local: temp.bin remote: temp.bin

150 Connecting to port 47457

226 File successfully transferred

23951480 bytes received in 95.399 seconds (251.0 kbyte/s)

# Download the temp.bin file from the PC to the root directory of the flash memory on the standby MPU (in slot 1).

ftp> get temp.bin slot1#flash:/temp.bin

# Use the ASCII mode to upload configuration file startup.cfg from the device to the PC for backup.

ftp> ascii

200 TYPE is now ASCII

ftp> put startup.cfg back-startup.cfg

local: startup.cfg remote: back-startup.cfg

150 Connecting to port 47461

226 File successfully transferred

3494 bytes sent in 5.646 seconds (618.00 kbyte/s)

ftp> bye

221-Goodbye. You uploaded 2 and downloaded 2 kbytes.

221 Logout.

<Sysname>

FTP client configuration example in IRF mode

Network requirements

As shown in Figure 5, the PC is acting as an FTP server. A user account with the username abc and password 123456 has been created on the PC.

·           Use the IRF fabric as an FTP client to log in to the FTP server.

·           Download the temp.bin file from the FTP server to the FTP client.

·           Upload configuration file config.cfg from the FTP client to the FTP server for backup.

Figure 5 Network diagram

 

 

Configuration procedure

# Configure IP addresses as shown in Figure 5. Make sure the IRF fabric and PC can reach each other. (Details not shown.)

# Examine the storage space on the member devices. If the free space is insufficient, use the delete /unreserved file-url command to delete unused files. (Details not shown.)

# Log in to the FTP server using username abc and password 123456.

<Sysname> ftp 10.1.1.1

Press CTRL+C to abort.

Connected to 10.1.1.1 (10.1.1.1).

220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user

User (10.1.1.1:(none)): abc

331 Give me your password, please

Password:

230 Logged in successfully

Remote system type is MSDOS.

ftp>

# Set the file transfer mode to binary.

ftp> binary

200 TYPE is now 8-bit binary

# Download the temp.bin file from the PC to the root directory of the flash memory on the global active MPU.

ftp> get temp.bin

local: temp.bin remote: temp.bin

150 Connecting to port 47457

226 File successfully transferred

23951480 bytes received in 95.399 seconds (251.0 kbyte/s)

# Download the temp.bin file from the PC to the root directory of the flash memory on the global standby MPUs.

ftp> get temp.bin chassis1#slot1#flash:/temp.bin

ftp> get temp.bin chassis2#slot0#flash:/temp.bin

ftp> get temp.bin chassis2#slot1#flash:/temp.bin

# Use the ASCII mode to upload configuration file config.cfg from the IRF fabric to the PC for backup.

ftp> ascii

200 TYPE is now ASCII

ftp> put config.cfg back-config.cfg

local: config.cfg remote: back-config.cfg

150 Connecting to port 47461

226 File successfully transferred

3494 bytes sent in 5.646 seconds (618.00 kbyte/s)

ftp> bye

221-Goodbye. You uploaded 2 and downloaded 2 kbytes.

221 Logout.

<Sysname>


Configuring TFTP

Trivial File Transfer Protocol (TFTP) is a simplified version of FTP for file transfer over secure reliable networks. TFTP uses UDP port 69 for data transmission. In contrast to TCP-based FTP, TFTP does not require authentication or complex message exchanges, and is easier to deploy. TFTP is suited for reliable network environments.

The device can only act as a TFTP client. You can upload a file from the device to the TFTP server or download a file from the TFTP server to the device. If you download a file with a file name that exists in the target directory, the device deletes the existing file and saves the new one. If the download fails due to network disconnection or other reasons, the original file cannot be restored. To avoid losing the original file, download to a file name that does not exist in the target directory.

Figure 6 TFTP application scenario

 

FIPS compliance

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

TFTP is not supported in FIPS mode.

Configuring the device as an IPv4 TFTP client

Step

Command

Remarks

1.      Enter system view.

system-view

N/A

2.      (Optional.) Use an ACL to control the client's access to TFTP servers.

tftp-server acl acl-number

By default, no ACL is used for access control.

3.      Specify the source IP address for TFTP packets sent by the TFTP client.

tftp client source { interface interface-type interface-number | ip source-ip-address }

By default, no source IP address is specified. The device uses the primary IP address of the output interface as the source IP address.

4.      Return to user view.

quit

N/A

5.      Download or upload a file in an IPv4 network.

tftp tftp-server { get | put | sget } source-filename [ destination-filename ] [ vpn-instance vpn-instance-name ] [ dscp dscp-value | source { interface interface-type interface-number | ip source-ip-address } ] *

The source IP address specified in this command takes precedence over the one set by the tftp client source command.

Use this command in user view.

 

Configuring the device as an IPv6 TFTP client

Step

Command

Remarks

1.      Enter system view.

system-view

N/A

2.      (Optional.) Use an ACL to control the client's access to TFTP servers.

tftp-server ipv6 acl ipv6-acl-number

By default, no ACL is used for access control.

3.      Specify the source IPv6 address for TFTP packets sent by the TFTP client.

tftp client ipv6 source { interface interface-type interface-number | ipv6 source-ipv6-address }

By default, no source IPv6 address is specified. The source address is automatically selected as defined in RFC 3484.

4.      Return to user view.

quit

N/A

5.      Download or upload a file in an IPv6 network.

tftp ipv6 tftp-server [ -i interface-type interface-number ] { get | put | sget } source-filename [ destination-filename ] [ vpn-instance vpn-instance-name ] [ dscp dscp-value | source { interface interface-type interface-number | ipv6 source-ipv6-address } ] *

The source IP address specified in this command takes precedence over the one set by the tftp client ipv6 source command.

Use this command in user view.