01-Fundamentals Configuration Guide

H3C S12500-X & S12500X-AF Switch Series Configuration Guides (R115x)-6W102
04-FTP and TFTP configuration

Configuring FTP

File Transfer Protocol (FTP) is an application layer protocol based on the client/server model. It is used to transfer files from one host to another over an IP network, as shown in Figure 1.

The FTP server uses TCP port 20 to transfer data and TCP port 21 to transfer control commands. For more information about FTP, see RFC 959.

FTP supports the following transfer modes:

·          Binary mode—Used to transfer image files, such as .app, .bin, and .btm files. This mode is also called "flow mode."

·          ASCII mode—Used to transfer text files, such as .txt, .bat, and .cfg files.

By default, the transfer mode is binary.

FTP can operate in either of the following modes:

·          Active mode (PORT)—The FTP server initiates the TCP connection. This mode is not suitable when the FTP client is behind a firewall, for example, when the FTP client resides in a private network.

·          Passive mode (PASV)—The FTP client initiates the TCP connection. This mode is not suitable when the server does not allow the client to use a random unprivileged port greater than 1024.

FTP operation mode varies depending on the FTP client program.
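
The two operation modes differ in which side advertises a data endpoint on the control connection: the client does so with a PORT command (active), the server with a 227 reply (passive). The following Python sketch is an added example, not part of the original guide; it decodes that endpoint as defined in RFC 959 and applies the checks a client or firewall would make. The function names, finding texts, and sample lines are constructed for illustration.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 as carried by the PORT command and the 227 reply (RFC 959).
_HOSTPORT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")


def decode_hostport(text):
    """Return (IPv4Address, port) from an h1,h2,h3,h4,p1,p2 field."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field found")
    nums = [int(n) for n in m.groups()]
    if max(nums) > 255:
        raise ValueError("field value above 255")
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return host, nums[4] * 256 + nums[5]  # port = p1 * 256 + p2


def check_data_endpoint(line, control_peer):
    """Classify a PORT command or 227 reply and vet the advertised endpoint.

    control_peer is the IP address at the other end of the control
    connection: the client for PORT, the server for a 227 reply.
    """
    parts = line.split()
    if not parts:
        raise ValueError("empty line")
    verb = parts[0].upper()
    if verb == "PORT":
        mode, connects = "active", "server"   # server opens the data connection
    elif verb == "227":
        mode, connects = "passive", "client"  # client opens the data connection
    else:
        raise ValueError("not a PORT command or 227 reply")

    host, port = decode_hostport(line)
    findings = []
    # An endpoint that is not the control peer is either a NAT-hidden private
    # address (the data connection will fail) or a redirect to a third host.
    if host != ipaddress.IPv4Address(control_peer):
        findings.append("address differs from control-connection peer")
    # Data endpoints are expected on unprivileged ports.
    if port < 1024:
        findings.append("port below 1024")
    return {"mode": mode, "connects": connects,
            "host": str(host), "port": port, "findings": findings}


if __name__ == "__main__":
    # Constructed sample lines; 185 * 256 + 97 = 47457.
    samples = [
        ("227 Entering Passive Mode (10,1,1,1,185,97)", "10.1.1.1"),
        ("PORT 192,168,1,10,4,1", "203.0.113.5"),  # client behind NAT
    ]
    for text, peer in samples:
        print(text, "->", check_data_endpoint(text, peer))
```

The second sample shows why active mode fails for a client in a private network: the address the client advertises is not one the server can reach.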

The device can act as the FTP server or FTP client. Make sure the FTP server and the FTP client can reach each other before establishing the FTP connection.

Figure 1 FTP application scenario

FIPS compliance

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

FTP is not supported in FIPS mode.

Using the device as an FTP server

Perform the configuration tasks in this section to configure the device as an FTP server.

Configuring basic parameters

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enable the FTP server.

ftp server enable

By default, the FTP server is disabled.

3.       (Optional.) Use an ACL to control access to the FTP server.

ftp server acl { acl-number | ipv6 acl-number }

By default, no ACL is used for access control.

4.       (Optional.) Set the FTP connection idle-timeout timer.

ftp timeout minutes

By default, the FTP connection idle-timeout timer is 30 minutes.

If no data transfer occurs on an FTP connection within the idle-timeout interval, the FTP server closes the FTP connection to release resources.

5.       (Optional.) Set the DSCP value for outgoing FTP packets.

·         For an IPv4 FTP server:
ftp server dscp dscp-value

·         For an IPv6 FTP server:
ftp server ipv6 dscp dscp-value

By default, the DSCP value is 0.

6.       (Optional.) Set the maximum number of concurrent FTP users.

aaa session-limit ftp max-sessions

By default, the maximum number of concurrent FTP users is 32.

Changing this setting does not affect online users. If the current number of online FTP users is equal to or greater than the new setting, no additional FTP users can log in until online users log out.

For more information about this command, see Security Command Reference.

 

Configuring authentication and authorization

Perform this task on the FTP server to authenticate FTP clients and set the authorized directories that authenticated clients can access.

The following authentication modes are available:

·          Local authentication—The device looks up the client's username and password in the local user account database. If a match is found, authentication succeeds.

·          Remote authentication—The device sends the client's username and password to a remote authentication server for authentication. The user account is configured on the remote authentication server rather than the device.

The following authorization modes are available:

·          Local authorization—The device assigns authorized directories to FTP clients based on the locally configured authorization attributes.

·          Remote authorization—A remote authorization server assigns authorized directories on the device to FTP clients.

For information about configuring authentication and authorization, see Security Configuration Guide.

Manually releasing FTP connections

Task

Command

Manually release FTP connections.

·         Release the FTP connection established by using a specific user account:
free ftp user username

·         Release the FTP connection to a specific IP address:
free ftp user-ip [ ipv6 ] client-address [ port port-num ]

 

Displaying and maintaining the FTP server

Execute display commands in any view.

 

Task

Command

Display FTP server configuration and status information.

display ftp-server

Display detailed information about online FTP users.

display ftp-user

 

FTP server configuration example in standalone mode

Network requirements

On the device, create a local user account with the username abc and password 123456 and enable the FTP server.

From the PC, use the user account to log in to the FTP server and do the following:

·          Upload the file temp.bin from the FTP client to the FTP server.

·          Download the configuration file startup.cfg from the FTP server to the FTP client for backup.

Figure 2 Network diagram

 

Configuration procedure

1.        Configure IP addresses as shown in Figure 2, and make sure the device and PC can reach each other. (Details not shown.)

2.        Configure the device (FTP server):

# Create local user account abc and set the password to 123456.

<Sysname> system-view

[Sysname] local-user abc class manage

[Sysname-luser-manage-abc] password simple 123456

# Assign the user role network-admin to the user and set the working directory to the Flash root directory of the MPU.

[Sysname-luser-manage-abc] authorization-attribute user-role network-admin work-directory flash:/

# Assign the service type FTP to the user.

[Sysname-luser-manage-abc] service-type ftp

[Sysname-luser-manage-abc] quit

 

 

NOTE:

If the password control feature is configured, the password must meet the password requirements defined by the feature. For more information, see Security Configuration Guide.

 

# Enable the FTP server.

[Sysname] ftp server enable

[Sysname] quit

# Examine the storage space. If the free space is insufficient, delete unused files.

<Sysname> dir

Directory of flash:

     0      -rw-           0  Sep 27 2010 14:43:34     kernel.bin

     1      -rw-           0  Sep 27 2010 14:43:34     base.bin

     2      drw-           -  Jun 29 2011 18:30:38     logfile

     3      drw-           -  Jun 21 2011 14:51:38     diagfile

     4      drw-           -  Jun 21 2011 14:51:38     seclog

     5      -rw-        2943  Jul 02 2011 08:03:08     startup.cfg

     6      -rw-       63901  Jul 02 2011 08:03:08     startup.mdb

     7      -rw-         716  Jun 21 2011 14:58:02     hostkey

     8      -rw-         572  Jun 21 2011 14:58:02     serverkey

     9      -rw-     6541264  Aug 04 2011 20:40:49     backup.bin

 

473664 KB total (467080 KB free)

<Sysname> delete /unreserved flash:/backup.bin

3.        Perform FTP operations from the PC (FTP client):

# Log in to the FTP server at 1.1.1.1 using the username abc and password 123456.

c:\> ftp 1.1.1.1

Connected to 1.1.1.1.

220 FTP service ready.

User(1.1.1.1:(none)):abc

331 Password required for abc.

Password:

230 User logged in.

# Use the ASCII mode to download the configuration file startup.cfg from the device to the PC for backup.

ftp> ascii

200 TYPE is now ASCII

ftp> get startup.cfg back-startup.cfg

# Use the binary mode to upload the file temp.bin from the PC to the Flash root directory of the MPU.

ftp> binary

200 TYPE is now 8-bit binary

ftp> put temp.bin

# Exit FTP.

ftp> bye
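
The server example above enables FTP without the optional ftp server acl command and gives the FTP account the network-admin role with the Flash root as its working directory, which is also where the dir output lists startup.cfg, hostkey, and serverkey. The following Python audit is an added example, not part of the original guide; it checks a block of configuration commands for those settings. The finding names and the second sample (ACL number 2001, the network-operator role, the flash:/ftp/ directory, the elided hash) are assumptions made for illustration.

```python
import re

# Constructed input: the commands typed in the server example, as one text.
PAGE_EXAMPLE = """\
local-user abc class manage
 password simple 123456
 authorization-attribute user-role network-admin work-directory flash:/
 service-type ftp
ftp server enable
"""

# Constructed variant for comparison; every value changed here is an assumption.
RESTRICTED = """\
local-user abc class manage
 password hash <elided>
 authorization-attribute user-role network-operator work-directory flash:/ftp/
 service-type ftp
ftp server acl 2001
ftp server enable
"""


def parse_local_users(text):
    """Map username -> indented sub-commands under 'local-user <name>'."""
    users, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            if current is not None:
                current.append(raw.strip())
            continue
        m = re.match(r"local-user (\S+)", raw)
        current = users.setdefault(m.group(1), []) if m else None
    return users


def audit_ftp_config(text):
    """Return findings for an enabled FTP server; empty list if none."""
    top = [l.strip() for l in text.splitlines()
           if l.strip() and not l[0].isspace()]
    if "ftp server enable" not in top:
        return []  # FTP server is disabled by default
    findings = []
    # By default no ACL is used, so any reachable host can attempt a login.
    if not any(l.startswith("ftp server acl ") for l in top):
        findings.append("ftp-server:no-acl")
    for name, cmds in parse_local_users(text).items():
        if not any(re.match(r"service-type\b.*\bftp\b", c) for c in cmds):
            continue  # account cannot log in over FTP
        for c in cmds:
            if c.startswith("password simple "):
                findings.append(f"{name}:password-in-simple-form")
            if c.startswith("authorization-attribute "):
                if re.search(r"user-role network-admin\b", c):
                    findings.append(f"{name}:network-admin-over-ftp")
                m = re.search(r"work-directory (\S+)", c)
                # "flash:/" or "chassis2#slot17#flash:/" is a storage root.
                if m and m.group(1).rstrip("/").endswith(":"):
                    findings.append(f"{name}:work-directory-is-storage-root")
    return findings


if __name__ == "__main__":
    for label, cfg in (("page example", PAGE_EXAMPLE), ("restricted", RESTRICTED)):
        print(label, "->", audit_ftp_config(cfg))
```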

FTP server configuration example in IRF mode

Network requirements

As shown in Figure 3, a two-chassis IRF fabric has two MPUs. The global active MPU is in slot 17 of the master. The global standby MPU is in slot 17 of the subordinate member.

On the device, create a local user account with the username abc and password 123456 and enable the FTP server.

From the PC, use the user account to log in to the FTP server and do the following:

·          Upload the file temp.bin from the FTP client to the FTP server.

·          Download the configuration file config.cfg from the FTP server to the FTP client for backup.

Figure 3 Network diagram

 

Configuration procedure

1.        Configure IP addresses as shown in Figure 3, and make sure the IRF fabric and the PC can reach each other. (Details not shown.)

2.        Configure the FTP server:

# Examine the storage space on the member devices. If the free space is insufficient, use the delete /unreserved file-url command to delete unused files. (Details not shown.)

# Create local user account abc and set the password to 123456.

<Sysname> system-view

[Sysname] local-user abc class manage

[Sysname-luser-manage-abc] password simple 123456

# Assign the user role network-admin to the user and set the working directory to the Flash root directory of the global active MPU. To set the working directory to the Flash root directory of the global standby MPU, replace flash:/ in the authorization-attribute command with chassis2#slot17#flash:/.

[Sysname-luser-manage-abc] authorization-attribute user-role network-admin work-directory flash:/

# Assign the service type FTP to the user.

[Sysname-luser-manage-abc] service-type ftp

[Sysname-luser-manage-abc] quit

 

 

NOTE:

If the password control feature is configured, the password must meet the password requirements defined by the feature. For more information, see Security Configuration Guide.

 

# Enable the FTP server.

[Sysname] ftp server enable

[Sysname] quit

3.        Perform FTP operations from the FTP client:

# Log in to the FTP server at 1.1.1.1 using the username abc and password 123456.

c:\> ftp 1.1.1.1

Connected to 1.1.1.1.

220 FTP service ready.

User(1.1.1.1:(none)):abc

331 Password required for abc.

Password:

230 User logged in.

# Use the ASCII mode to download the configuration file config.cfg from the server to the client for backup.

ftp> ascii

200 TYPE is now ASCII

ftp> get config.cfg back-config.cfg

# Use the binary mode to upload the file temp.bin to the Flash root directory of the master.

ftp> binary

200 TYPE is now 8-bit binary

ftp> put temp.bin

# Exit FTP.

ftp> bye

Using the device as an FTP client

Establishing an FTP connection

To access the FTP server, you must establish a connection from the FTP client to the FTP server.

To establish an IPv4 FTP connection:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       (Optional.) Specify a source IP address for outgoing FTP packets.

ftp client source { interface interface-type interface-number | ip source-ip-address }

By default, no source IP address is specified, and the primary IP address of the output interface is used as the source IP address.

3.       Return to user view.

quit

N/A

4.       Log in to the FTP server.

·         (Method 1.) Log in to the FTP server directly from user view:
ftp ftp-server [ service-port ] [ vpn-instance vpn-instance-name ] [ dscp dscp-value | source { interface interface-type interface-number | ip source-ip-address } ] *

·         (Method 2.) Log in to the FTP server from FTP client view:

a.    ftp

b.    open server-address [ service-port ]

Use either method.

The source IP address specified in the ftp command takes precedence over the one set by the ftp client source command.

 

To establish an IPv6 FTP connection:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       (Optional.) Specify the source IPv6 address for FTP packets sent by the FTP client.

ftp client ipv6 source { interface interface-type interface-number | ipv6 source-ipv6-address }

By default, no source IPv6 address is specified. The source address is automatically selected as defined in RFC 3484.

3.       Return to user view.

quit

N/A

4.       Log in to the FTP server.

·         (Method 1.) Log in to the FTP server from user view:
ftp ipv6 ftp-server [ service-port ] [ vpn-instance vpn-instance-name ] [ dscp dscp-value | source { interface interface-type interface-number | ipv6 source-ipv6-address } ] * [ -i interface-type interface-number ]

·         (Method 2.) Log in to the FTP server from FTP client view:

a.    Enter FTP client view:
ftp ipv6

b.    Log in to the FTP server:
open server-address [ service-port ]

The source IP address specified in the ftp ipv6 command takes precedence over the one set by the ftp client ipv6 source command.

 

Managing directories on the FTP server

Task

Command

Display directory and file information on the FTP server.

·         Display the detailed information of a directory or file on the FTP server:
dir [ remotefile [ localfile ] ]

·         Display the name of a directory or file on the FTP server:
ls [ remotefile [ localfile ] ]

Change the working directory on the FTP server.

cd { directory | .. | / }

Return to the upper level directory on the FTP server.

cdup

Display the working directory that is being accessed.

pwd

Create a directory on the FTP server.

mkdir directory

Delete a directory from the remote FTP server.

rmdir directory

 

Working with files on the FTP server

After you log in to the server, you can upload a file to or download a file from the authorized directory by following these steps:

1.        Use the dir or ls command to display the directory and location of the file on the FTP server.

2.        Delete unused files to get more free storage space.

3.        Set the file transfer mode to ASCII for text files or binary for image files.

4.        Use the lcd command to change the local working directory of the FTP client. You can upload the file or save the downloaded file in this directory.

5.        Upload or download the file.

To work with files on an FTP server, execute the following commands in FTP client view:

 

Task

Command

Remarks

Display directory or file information on the FTP server.

·         Display the detailed information of a directory or file on the FTP server:
dir [ remotefile [ localfile ] ]

·         Display the name of a directory or file on the FTP server:
ls [ remotefile [ localfile ] ]

N/A

Delete the specified file on the FTP server permanently.

delete remotefile

N/A

Set the file transfer mode to ASCII.

ascii

The default file transfer mode is binary.

Set the file transfer mode to binary.

binary

The default file transfer mode is binary.

Set the FTP operation mode to passive.

passive

The default mode is passive.

Display or change the local working directory of the FTP client.

lcd [ directory | / ]

N/A

Upload a file to the FTP server.

put localfile [ remotefile ]

N/A

Download a file from the FTP server.

get remotefile [ localfile ]

N/A

Add the content of a file on the FTP client to a file on the FTP server.

append localfile [ remotefile ]

N/A

Specify the retransmit marker.

restart marker

Use this command together with the put, get, or append command.

Update the local file.

newer remotefile

N/A

Get the missing part of a file.

reget remotefile [ localfile ]

N/A

Rename the file.

rename [ oldfilename [ newfilename ] ]

N/A

 

Changing to another user account

After you log in to the FTP server with one user account, you can change to another user account to get a different privilege without reestablishing the FTP connection. You must correctly enter the new username and password. A wrong username or password can cause the FTP connection to disconnect.

To change to another user account, execute the following command in user view:

 

Task

Command

Change to another user account.

user username [ password ]

 

Maintaining and troubleshooting the FTP connection

Task

Command

Remarks

Display FTP commands on the FTP server.

rhelp

N/A

Display FTP commands help information on the FTP server.

rhelp protocol-command

N/A

Display FTP server status.

rstatus

N/A

Display detailed information about a directory or file on the FTP server.

rstatus remotefile

N/A

Display FTP connection status.

status

N/A

Display the system information of the FTP server.

system

N/A

Enable or disable FTP operation information displaying.

verbose

By default, FTP operation information displaying is enabled.

Enable or disable FTP client debugging.

debug

By default, FTP client debugging is disabled.

Clear the reply information in the buffer.

reset

N/A

 

Terminating the FTP connection

Task

Command

Remarks

Terminate the connection to the FTP server without exiting FTP client view.

·         disconnect

·         close

Use either command in FTP client view.

Terminate the connection to the FTP server and return to user view.

·         bye

·         quit

Use either command in FTP client view.

 

Displaying command help information

To display command help information after you log in to the server:

 

Task

Command

Remarks

Display command help information.

·         help [ command-name ]

·         ? [ command-name ]

Use either command.

 

Displaying and maintaining the FTP client

Execute the display command in any view.

 

Task

Command

Display source IP address information on the FTP client.

display ftp client source

 

FTP client configuration example in standalone mode

Network requirements

As shown in Figure 4, a PC acts as the FTP server. An FTP user account with the username abc and password 123456 is configured on the FTP server.

Use the device as the FTP client to log in to the FTP server and do the following:

·          Download the file temp.bin from the PC to the device.

·          Upload the configuration file startup.cfg from the device to the PC for backup.

Figure 4 Network diagram

 

Configuration procedure

# Configure IP addresses as shown in Figure 4 and make sure the device and PC can reach each other. (Details not shown.)

# Examine the storage space of the device. If the free space is insufficient, use the delete /unreserved file-url command to delete unused files. (Details not shown.)

# Log in to the FTP server at 10.1.1.1 using the username abc and password 123456.

<Sysname> ftp 10.1.1.1

Press CTRL+C to abort.

Connected to 10.1.1.1 (10.1.1.1).

220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user

User (10.1.1.1:(none)): abc

331 Give me your password, please

Password:

230 Logged in successfully

Remote system type is MSDOS.

200 Type is Image (Binary)

# Download the file temp.bin from the PC to the device.

ftp> get temp.bin

local: temp.bin remote: temp.bin

150 Connecting to port 47457

226 File successfully transferred

23951480 bytes received in 95.399 seconds (251.0 kbyte/s)

# Set the file transfer mode to ASCII. Upload the configuration file startup.cfg from the device to the PC for backup.

ftp> ascii

200 TYPE is now ASCII

ftp> put startup.cfg back-startup.cfg

local: startup.cfg remote: back-startup.cfg

150 Connecting to port 47461

226 File successfully transferred

3494 bytes sent in 5.646 seconds (618.00 kbyte/s)

ftp> bye

221-Goodbye. You uploaded 2 and downloaded 2 kbytes.

221 Logout.

<Sysname>

FTP client configuration example in IRF mode

Network requirements

As shown in Figure 5, a PC acts as the FTP server. An FTP user account with the username abc and password 123456 is configured on the FTP server. A two-chassis IRF fabric has two MPUs. The global active MPU is in slot 17 of the master. The global standby MPU is in slot 17 of the subordinate member.

Use the IRF fabric as the FTP client to log in to the FTP server and do the following:

·          Download the file temp.bin from the PC to the IRF fabric.

·          Upload the configuration file config.cfg from the IRF fabric to the PC for backup.

Figure 5 Network diagram

 

 

Configuration procedure

# Configure IP addresses for devices and make sure they can reach each other. (Details not shown.)

# Examine the storage space on the member devices. If the free space is insufficient, use the delete /unreserved file-url command to delete unused files. (Details not shown.)

# Log in to the FTP server using the username abc and password 123456.

<Sysname> ftp 10.1.1.1

Press CTRL+C to abort.

Connected to 10.1.1.1 (10.1.1.1).

220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user

User (10.1.1.1:(none)): abc

331 Give me your password, please

Password:

230 Logged in successfully

Remote system type is MSDOS.

200 Type is Image (Binary)

# Download the file temp.bin from the PC to the Flash root directory of the global active MPU.

ftp> get temp.bin

local: temp.bin remote: temp.bin

150 Connecting to port 47457

226 File successfully transferred

23951480 bytes received in 95.399 seconds (251.0 kbyte/s)

# Download the file temp.bin from the PC to the Flash root directory of the global standby MPU.

ftp> get temp.bin chassis2#slot17#flash:/temp.bin

# Upload the configuration file config.cfg from the IRF fabric to the PC for backup.

ftp> ascii

200 TYPE is now ASCII

ftp> put config.cfg back-config.cfg

local: config.cfg remote: back-config.cfg

150 Connecting to port 47461

226 File successfully transferred

3494 bytes sent in 5.646 seconds (618.00 kbyte/s)

ftp> bye

221-Goodbye. You uploaded 2 and downloaded 2 kbytes.

221 Logout.

<Sysname>


Configuring TFTP

Trivial File Transfer Protocol (TFTP) is a simplified version of FTP for file transfer over secure reliable networks. TFTP uses UDP port 69 for data transmission. In contrast to TCP-based FTP, TFTP does not require authentication or complex message exchanges, and is easier to deploy. TFTP is suited for reliable network environments.

As shown in Figure 6, the device can only act as a TFTP client. You can upload a file from the device to the TFTP server or download a file from the TFTP server to the device. If you download a file with a file name that exists in the target directory, the device deletes the existing file and saves the new one. If file download fails due to network disconnection or other reasons, the original file cannot be restored. Therefore, use a nonexistent file name instead.

Figure 6 TFTP application scenario

 

FIPS compliance

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

TFTP is not supported in FIPS mode.

Configuring the device as an IPv4 TFTP client

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       (Optional.) Use an ACL to control the client's access to TFTP servers.

tftp-server acl acl-number

By default, no ACL is used for access control.

3.       Specify the source IP address for TFTP packets sent by the TFTP client.

tftp client source { interface interface-type interface-number | ip source-ip-address }

By default, no source IP address is specified, and the primary IP address of the output interface is used as the source IP address.

4.       Return to user view.

quit

N/A

5.       Download or upload a file in an IPv4 network.

tftp tftp-server { get | put | sget } source-filename [ destination-filename ] [ vpn-instance vpn-instance-name ] [ dscp dscp-value | source { interface interface-type interface-number | ip source-ip-address } ] *

The source IP address specified in this command takes precedence over the one set by the tftp client source command.

Use this command in user view.

 

Configuring the device as an IPv6 TFTP client

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       (Optional.) Use an ACL to control the client's access to TFTP servers.

tftp-server ipv6 acl ipv6-acl-number

By default, no ACL is used for access control.

3.       Specify the source IPv6 address for TFTP packets sent by the TFTP client.

tftp client ipv6 source { interface interface-type interface-number | ipv6 source-ipv6-address }

By default, no source IPv6 address is specified. The source address is automatically selected as defined in RFC 3484.

4.       Return to user view.

quit

N/A

5.       Download or upload a file in an IPv6 network.

tftp ipv6 tftp-server [ -i interface-type interface-number ] { get | put | sget } source-filename [ destination-filename ] [ vpn-instance vpn-instance-name ] [ dscp dscp-value | source { interface interface-type interface-number | ipv6 source-ipv6-address } ] *

The source IP address specified in this command takes precedence over the one set by the tftp client ipv6 source command.

Use this command in user view.

 

 
