· Passive mode (PASV)—The FTP client initiates the TCP connection. This mode is not suitable when the server does not allow the client to use a random unprivileged port greater than 1024.

FTP adopts the client/server model. Your switch can function either as the client or the server, as shown in Figure 1.

Figure 1 FTP application scenario

NOTE:

If you enable FIPS mode and reboot the switch, the FTP server function is disabled. For more information about FIPS mode, see Security Configuration Guide.

Using the device as an FTP client

To connect to an FTP server or enter FTP client view, make sure the following requirements are met:

· You have level-3 (Manage) user privileges on the device. In FTP client view, whether a directory or file management command can be successfully executed depends on the authorization set on the FTP server.

· The device and the FTP server can reach each other.

· You have a user account (including the username, password, and authorization) on the FTP server. If the FTP server supports anonymous FTP, you can directly access the FTP server without a username and password.

Establishing an FTP connection

Before you can access the FTP server, use the ftp command in user view or use the open command in FTP client view to establish a connection to the FTP server.

You can use the ftp client source command to specify a source IP address or source interface for the FTP packets sent by the device. If a source interface (typically, a loopback or dialer interface) is specified, its primary IP address is used as the source IP address for the FTP packets sent by the device. The source interface and source IP address settings overwrite each other.

The ftp client source command setting applies to all FTP sessions. When you set up an FTP session by using the ftp or ftp ipv6 command, you can also specify a different source IP address for the FTP session.

IMPORTANT:

To avoid FTP connection failures, when you specify a source interface for FTP packets, make sure the interface has been assigned a primary IP address.

To establish an IPv4 FTP connection:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Specify a source IP address for outgoing FTP packets.	ftp client source { interface interface-type interface-number \| ip source-ip-address }	Optional. By default, the primary IP address of the output interface is used as the source IP address.
3. Return to user view.	quit	N/A
4. Log in to the remote FTP server.	· (Method 1) In user view: ftp [ server-address [ I ] [ vpn-instance vpn-instance-name ] [ source { interface interface-type interface-number \| ip source-ip-address } ] ] · (Method 2) In FTP client view: a. ftp b. open server-address [ service-port ]	Use either method. The ftp command is available in user view; and the open command is available in FTP client view.

To establish an IPv6 FTP connection:

Task	Command	Remarks
Log in to the remote FTP server.	· (Method 1) In user view: ftp ipv6 [ server-address [ service-port ] [ vpn-instance vpn-instance-name ] [ source ipv6 source-ipv6-address ] [ -i interface-type interface-number ] ] · (Method 2) In FTP client view: a. ftp ipv6 b. open ipv6 server-address [ service-port ] [ -i interface-type interface-number ]	Use either method. The ftp ipv6 command is available in user view; and the open ipv6 command is available in FTP client view.

Task

Command

Remarks

· (Method 1) In user view:
ftp ipv6 [ server-address [ service-port ] [ vpn-instance vpn-instance-name ] [ source ipv6 source-ipv6-address ] [ -i interface-type interface-number ] ]

· (Method 2) In FTP client view:

a. ftp ipv6

b. open ipv6 server-address [ service-port ] [ -i interface-type interface-number ]

Use either method.

The ftp ipv6 command is available in user view; and the open ipv6 command is available in FTP client view.

Managing the directories on the FTP server

After the device establishes a connection to the FTP server, you can create or delete folders under the authorized directory on the FTP server.

To manage the directories on an FTP server:

Task	Command
Display detailed information about a directory or file on the remote FTP server.	dir [ remotefile [ localfile ] ]
Query a directory or file on the remote FTP server.	ls [ remotefile [ localfile ] ]
Change the working directory of the remote FTP server.	cd { directory \| .. \| / }
Return to the upper level directory of the remote FTP server.	cdup
Display the working directory that is being accessed.	pwd
Create a directory on the remote FTP server.	mkdir directory
Remove the specified working directory on the remote FTP server.	rmdir directory

Working with the files on the FTP server

After you log in to the server, you can upload a file to or download a file from the authorized directory by following these steps:

1. Use the dir or ls command to display the directory and the location of the file on the FTP server.

2. Delete unused files to get more free storage space.

3. Set the file transfer mode. FTP transmits files in two modes: ASCII and binary. ASCII mode transfers files as text. Binary mode transfers files as raw data.

4. Use the lcd command to display the local working directory of the FTP client. You can upload the file or save the downloaded file under this directory.

5. Upload or download a file.

To work with the files on an FTP server:

Task	Command	Remarks
Display detailed information about a directory or file on the remote FTP server.	dir [ remotefile [ localfile ] ]	The ls command displays the name of a directory or file only, while the dir command displays detailed information such as the file size and creation time.
Query a directory or file on the remote FTP server.	ls [ remotefile [ localfile ] ]	The ls command displays the name of a directory or file only, while the dir command displays detailed information such as the file size and creation time.
Delete the specified file on the remote FTP server permanently.	delete remotefile	N/A
Set the file transfer mode to ASCII.	ascii	By default, ASCII mode is used.
Set the file transfer mode to binary.	binary	By default, ASCII mode is used.
Set the data transmission mode to passive.	passive	Passive by default.
Display the local working directory of the FTP client.	lcd	N/A
Upload a file to the FTP server.	put localfile [ remotefile ]	N/A
Download a file from the FTP server.	get remotefile [ localfile ]	N/A

Switching to another user account

After you log in to the FTP server with one user account, you can switch to another user account to get a different privilege without reestablishing the FTP connection. You must correctly enter the new username and password. A wrong username or password can cause the FTP connection to disconnect.

To switch to another user account:

Task	Command
Change the username after FTP login.	user username [ password ]

Maintaining and troubleshooting an FTP connection

After a device serving as the FTP client has established a connection with the FTP server, you can perform the following operations to locate and diagnose FTP connection problems. For more information about establishing an FTP connection, see "Establishing an FTP connection."

To maintain or debug an FTP connection:

Task	Command	Remarks
Display the help information of FTP-related commands supported by the remote FTP server.	remotehelp [ protocol-command ]	N/A
Enable information display in a detailed manner.	verbose	By default, the function is enabled.
Enable FTP related debugging when the device acts as the FTP client.	debugging	By default, the function is disabled.

Terminating an FTP connection

To terminate an FTP connection, perform one of the following tasks:

Task	Command	Remarks
Terminate the FTP connection without exiting FTP client view.	· disconnect · close	Use either command in FTP client view.
Terminate the FTP connection and return to user view.	· bye · quit	Use either command in FTP client view.

Task

Command

Remarks

Terminate the FTP connection without exiting FTP client view.

· disconnect

· close

Use either command in FTP client view.

Terminate the FTP connection and return to user view.

· bye

· quit

Use either command in FTP client view.

FTP client configuration example (standalone mode)

Network requirements

As shown in Figure 2, Device and PC are reachable to each other. On PC, an FTP user account has been created for the FTP client, with the username abc and the password abc.

From Device, download a system software image file from PC for upgrade, and upload the configuration file to PC for backup.

Figure 2 Network diagram

Configuration procedure

# Examine the storage medium of the device for insufficiency or impairment. If no sufficient free space is available, use the fixdisk command to fix the storage medium or use the delete/unreserved file-url command to delete unused files. (Details not shown.)

# Log in to the server through FTP.

<Sysname> dir

Directory of flash:/

0 drw- - Dec 07 2008 10:00:57 filename

1 drw- - Jan 02 2008 14:27:51 logfile

2 -rw- 1216 Jan 02 2008 14:28:59 config.cfg

3 -rw- 1216 Jan 02 2008 16:27:26 backup.cfg

129794 KB total (127362 KB free)

<Sysname> delete /unreserved flash:/backup.cfg

# Download the system software image file from the FTP server.

<Sysname> ftp 10.1.1.1

Trying 10.1.1.1 ...

Press CTRL+K to abort

Connected to 10.1.1.1.

220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user

User(10.1.1.1:(none)):abc

331 Give me your password, please

Password:

230 Logged in successfully

# Set the file transfer mode to binary.

[ftp] binary

200 Type set to I.

# Download the system software image file newest.bin from PC to Device:

· Download system software image file newest.bin from PC to the root directory of the active MPU.

[ftp] get newest.bin

227 Entering Passive Mode (10,1,1,1,10,68).

125 BINARY mode data connection already open, transfer starting for /newest.bin.

226 Transfer complete.

FTP: 23951480 byte(s) received in 95.399 second(s), 251.00K byte(s)/sec.

· Download system software image file newest.bin from PC to the root directory of the standby MPU in slot 1.

[ftp] get newest.bin slot1#flash:/newest.bin

# Upload the configuration file config.cfg of the device to the server for backup.

[ftp] ascii

[ftp] put config.cfg back-config.cfg

227 Entering Passive Mode (10,1,1,1,4,2).

125 ASCII mode data connection already open, transfer starting for /config.cfg.

226 Transfer complete.

FTP: 3494 byte(s) sent in 5.646 second(s), 618.00 byte(s)/sec.

[ftp] bye

221 Server closing.

# Specify newest.bin as the main system software image file used at the next startup.

· For the active MPU:

<Sysname> boot-loader file newest.bin slot 0 main

This command will set the boot file of the specified board. Continue? [Y/N]:y

The specified file will be used as the main boot file at the next reboot on slot 0!

· For the standby MPU (in slot 1):

<Sysname> boot-loader file slot1#flash:/newest.bin slot 1 main

This command will set the boot file of the specified board. Continue? [Y/N]:y

The specified file will be used as the main boot file at the next reboot on slot 1!

IMPORTANT:

The system software image file used for the next startup must be saved in the root directory of the storage medium. If the storage medium is partitioned, the system software image file must be saved in the first partition. You can copy or move a file to the Flash root directory.

FTP client configuration example (IRF mode)

Network requirements

As shown in Figure 3:

· The device is an IRF fabric, which is composed of a master and a subordinate device. The member ID of the master is 1, and the slot numbers of the active MPU and the standby MPU on the master are 0 and 1 respectively. The member ID of the subordinate device is 2, and the slot numbers of the active MPU and standby MPU on the subordinate device are 0 and 1 respectively.

· The device serves as an FTP client. The PC serves as the FTP server. They can reach each other.

· On the PC, an FTP user account has been created for the FTP client, with the username abc and the password abc.

From the device, download a system software image file from the PC for upgrade, and upload the configuration file to the PC for backup.

Figure 3 Network diagram

Configuration procedure

# Log in to the server through FTP.

<Sysname> ftp 10.1.1.1

Trying 10.1.1.1 ...

Press CTRL+K to abort

Connected to 10.1.1.1.

220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user

User(10.1.1.1:(none)):abc

331 Give me your password, please

Password:

230 Logged in successfully

# Set the file transfer mode to binary to transmit system software image file.

[ftp] binary

200 Type set to I.

# Download the system software image file newest.bin from the PC to the device:

· Download the system software image file newest.bin from the PC to the root directory of the storage medium on the active MPU of the IRF fabric (the active MPU on the master).

[ftp] get newest.bin

· Download the system software image file newest.bin from the PC to the Flash root directories of the standby MPUs (any MPU except the active MPU of the IRF fabric). (Suppose the IRF fabric has three standby MPUs: one in slot 1 of member device 1, one in slot 0 of member device 2, and one in slot 1 of member device 2.)

[ftp] get newest.bin chassis1#slot1#flash:/newest.bin

227 Entering Passive Mode (10,1,1,1,10,68).

125 BINARY mode data connection already open, transfer starting for chassis1#slot1#flash:/newest.bin.

226 Transfer complete.

FTP: 23951480 byte(s) received in 95.399 second(s), 251.00K byte(s)/sec.

[ftp] get newest.bin chassis2#slot0#flash:/newest.bin

227 Entering Passive Mode (10,1,1,1,12,43).

125 BINARY mode data connection already open, transfer starting for chassis2#slot0#flash:/newest.bin.

226 Transfer complete.

FTP: 23951480 byte(s) received in 95.399 second(s), 251.00K byte(s)/sec.

[ftp] get newest.bin chassis2#slot1#flash:/newest.bin

227 Entering Passive Mode (10,1,1,1,5,49).

125 BINARY mode data connection already open, transfer starting for chassis2#slot1#flash:/newest.bin.

226 Transfer complete.

FTP: 23951480 byte(s) received in 95.399 second(s), 251.00K byte(s)/sec.

# Upload the configuration file config.cfg of the device to the server for backup.

[ftp] ascii

[ftp] put config.cfg back-config.cfg

227 Entering Passive Mode (10,1,1,1,4,2).

125 ASCII mode data connection already open, transfer starting for /config.cfg.

226 Transfer complete.

FTP: 3494 byte(s) sent in 5.646 second(s), 618.00 byte(s)/sec.

[ftp] bye

221 Server closing.

# Specify newest.bin as the main system software image file for the next startup of the active MPU of the IRF fabric.

<Sysname> boot-loader file newest.bin chassis 1 slot 0 main

This command will set the boot file of the specified board. Continue? [Y/N]:y

The specified file will be used as the main boot file at the next reboot on chassis 1 slot 0!

# Specify newest.bin as the main system software image file for the next startup of the standby MPUs of the IRF fabric.

<Sysname> boot-loader file chassis1#slot1#flash:/newest.bin chassis 1 slot 1 main

This command will set the boot file of the specified board. Continue? [Y/N]:y

The specified file will be used as the main boot file at the next reboot on chassis 1 slot 1!

<Sysname> boot-loader file chassis2#slot0#flash:/newest.bin chassis 2 slot 0 main

This command will set the boot file of the specified board. Continue? [Y/N]:y

The specified file will be used as the main boot file at the next reboot on chassis 2 slot 0!

<Sysname> boot-loader file chassis2#slot1#flash:/newest.bin chassis 2 slot 1 main

This command will set the boot file of the specified board. Continue? [Y/N]:y

The specified file will be used as the main boot file at the next reboot on chassis 2 slot 1!

IMPORTANT:

# Reboot the device, and the system software image file is updated at the system reboot.

<Sysname> reboot

Using the device as an FTP server

If the device is operating as an FTP server, make sure the following requirements are met to ensure successful FTP operations:

· The device and the FTP server can reach each other.

· Configure a user account (including the username, password, and authorization) on the device or a remote authentication server for an FTP user. This task is required because the device does not support anonymous FTP for security reasons. By default, authenticated users can access the root directory of the device.

· The FTP user provides the correct username and password.

NOTE:

When you use the Internet Explorer browser to log in to the device operating as an FTP server, some FTP functions are not available. This is because multiple connections are required during the login process but the device supports only one connection at a time.

Configuring basic parameters

The FTP server uses one of the following modes to update a file when you upload the file (use the put command) to the FTP server:

· Fast mode—The FTP server starts writing data to the storage medium after a file is transferred to the memory. This prevents the existing file on the FTP server from being corrupted in the event that anomaly, such as a power failure, occurs during a file transfer.

· Normal mode—The FTP server writes data to the storage medium while receiving data. This means that any anomaly, such as a power failure, during file transfer might result in file corruption on the FTP server. This mode, however, consumes less memory space than the fast mode.

To configure basic parameters for the FTP server:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable the FTP server.	ftp server enable	Disabled by default.
3. Use an ACL to control FTP clients' access to the device.	ftp server acl acl-number	Optional. By default, no ACL is used to control FTP clients' access to the device.
4. Configure the idle-timeout timer.	ftp timeout minutes	Optional. 30 minutes by default. Within the idle-timeout time, if there is no information interaction between the FTP server and client, the connection between them is terminated.
5. Set the file update mode for the FTP server.	ftp update { fast \| normal }	Optional. Normal update is used by default.
6. Return to user view.	quit	N/A
7. Manually release the FTP connection established with the specified username.	free ftp user username	Optional.

Configuring authentication and authorization

Perform this task on the FTP server to authenticate FTP clients and specify the directories that authenticated clients can access.

The following authentication modes are available:

· Local authentication—The device looks up the client's username and password in the local user account database. If a match is found, authentication succeeds.

· Remote authentication—The device sends the client's username and password to a remote authentication server for authentication. If this method is used, the user account is configured on the remote authentication server rather than the device.

To assign an FTP user write access (including upload, delete, and create) to the device, assign level-3 (Manage) user privileges to the user. For read-only access to the file system, any user privilege level is OK.

For more information, see the chapter on AAA configuration in Security Configuration Guide.

To configure authentication and authorization for FTP server:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a local user and enter its view.	local-user user-name	No FTP authorized local user exists by default, and the system does not support FTP anonymous user access.
3. Assign a password to the user.	password { simple \| cipher } password	N/A
4. Assign the FTP service to the user.	service-type ftp	By default, the system does not support anonymous FTP access, and does not assign any service. If the FTP service is assigned, the root directory of the switch is used by default.
5. Configure user properties.	authorization-attribute { acl acl-number \| callback-number callback-number \| idle-cut minute \| level level \| user-profile profile-name \| user-role { guest \| guest-manager \| security-audit } \| vlan vlan-id \| work-directory directory-name } *	Optional. By default, the FTP/SFTP users can access the root directory of the switch, and the user level is 0. You can change the default configuration by using this command.

For more information about the local-user, password, service-type ftp, and authorization-attribute commands, see Security Command Reference.

FTP server configuration example (standalone mode)

Network requirements

As shown in Figure 4, PC keeps the latest system software image file of the device. Device and PC are reachable to each other.

Use Device as an FTP server, and the PC as the FTP client. Configure an account on the server with the username abc and the password abc for the FTP client. Use FTP to upgrade the device and back up the configuration file.

Figure 4 Network diagram

Configuration procedure

1. Configure the device (FTP server):

# Create an FTP user account abc, and set its password to abc and the user privilege level to level 3 (the manage level). Allow user abc to access the root directory of the flash, and specify user abc to use FTP.

<Sysname> system-view

[Sysname] local-user abc

[Sysname-luser-abc] password simple abc

[Sysname-luser-abc] authorization-attribute level 3

[Sysname-luser-abc] authorization-attribute work-directory flash:/

# To access the root directory on the standby MPU (in slot 1), change flash:/ to slot1#flash:/.

[Sysname-luser-abc] service-type ftp

[Sysname-luser-abc] quit

# Enable the FTP server.

[Sysname] ftp server enable

[Sysname] quit

# Examine the storage space for space insufficiency and delete unused files for more free space.

<Sysname> dir

Directory of flash:/

0 drw- - Dec 07 2005 10:00:57 filename

1 drw- - Jan 02 2006 14:27:51 logfile

2 -rw- 1216 Jan 02 2006 14:28:59 config.cfg

3 -rw- 1216 Jan 02 2006 16:27:26 back.cfg

4 drw- - Jan 02 2006 15:20:21 ftp

129794 KB total (127263 KB free)

<Sysname> delete /unreserved flash:/back.cfg

2. Configure the PC (FTP client):

# Log in to the FTP server through FTP.

c:\> ftp 1.1.1.1

Connected to 1.1.1.1.

220 FTP service ready.

User(1.1.1.1:(none)):abc

331 Password required for abc.

Password:

230 User logged in.

ftp> put aaa.bin bbb.bin

# Download the configuration file config.cfg of the device to the PC for backup.

ftp> get config.cfg back-config.cfg

# Upload the configuration file newest.bin to Device.

ftp> put newest.bin

200 Port command okay.

150 Opening ASCII mode data connection for /newest.bin.

226 Transfer complete.

ftp> bye

221 Server closing.

c:\>

NOTE:

· This FTP procedure also applies to upgrading configuration files.

· After you finish transferring the Boot ROM image through FTP, execute the bootrom upgrade command to upgrade the BootROM.

3. Upgrade Device:

# Copy newest.bin to the root directory of the memory on the standby MPU in slot 1.

<Sysname> copy newest.bin slot1#flash:/

# Specify newest.bin as the main system software image file for the next startup:

¡ For the active MPU.

<Sysname> boot-loader file newest.bin slot 0 main

This command will set the boot file of the specified board. Continue? [Y/N]:y

The specified file will be used as the main boot file at the next reboot on slot 0!

¡ For the standby MPU.

<Sysname> boot-loader file slot1#flash:/newest.bin slot 1 main

This command will set the boot file of the specified board. Continue? [Y/N]:y

The specified file will be used as the main boot file at the next reboot on slot 1!

IMPORTANT:

The system software image file used for the next startup and the startup configuration file must be saved in the root directory of the storage medium. If the storage medium is partitioned, they must be saved in the first partition. You can copy or move a file to the Flash root directory.

# Reboot the device.

<Sysname> reboot

FTP server configuration example (IRF mode)

Network requirements

As shown in Figure 5, an IRF fabric comprises a master and a subordinate device. The member ID of the master is 1, and the slot numbers of the active MPU and the standby MPU on the master are 0 and 1 respectively. The member ID of the subordinate device is 2, and the slot numbers of the active MPU and standby MPU on the subordinate device are 0 and 1 respectively. The IRF fabric and the PC are reachable to each other.

Use the IRF fabric serves as an FTP server, and create an FTP user account with the username abc and password abc for the FTP client. From the IRF fabric, download a system software image file from PC for upgrade, and uploads the configuration file to PC for backup.

Figure 5 Network diagram

Configuration procedure

1. Configure the IRF fabric (FTP server):

# Create an FTP user account abc, set its password to abc and the user privilege level to level 3 (the manage level). Allow user abc to access the root directory of the flash on the active MPU of the IRF fabric, and specify abc to use FTP.

<Sysname> system-view

[Sysname] local-user abc

[Sysname-luser-abc] password simple abc

[Sysname-luser-abc] authorization-attribute level 3

[Sysname-luser-abc] authorization-attribute work-directory flash:/

To access a standby MPU of the IRF fabric (suppose that the member ID and slot number of the member device where the standby MPU resides are 2 and 1 respectively), replace flash:/ with chassis2#slot1#flash:/ in authorization-attribute work-directory flash:/.

[Sysname-luser-abc] service-type ftp

[Sysname-luser-abc] quit

# Enable FTP server.

[Sysname] ftp server enable

[Sysname] quit

2. Configure the PC (FTP client):

# Log in to the FTP server through FTP.

c:\> ftp 1.1.1.1

Connected to 1.1.1.1.

220 FTP service ready.

User(1.1.1.1:(none)):abc

331 Password required for abc.

Password:

230 User logged in.

# Download the configuration file config.cfg of the IRF fabric to the PC for backup.

ftp> get config.cfg back-config.cfg

# Upload the configuration file newest.bin to the root directory of the storage medium on the active MPU of the IRF fabric.

ftp> put newest.bin

200 Port command okay.

150 Opening ASCII mode data connection for /newest.bin.

226 Transfer complete.

ftp> bye

221 Server closing.

c:\>

NOTE:

· This FTP procedure also applies to upgrading configuration files.

· After you finish transferring the Boot ROM image through FTP, execute the bootrom upgrade command to upgrade the BootROM.

3. Upgrade the IRF fabric:

# Copy the system software image file newest.bin from the PC to the Flash root directories of the IRF fabric's standby MPUs. (Suppose the IRF fabric has three standby MPUs: one in slot 1 of member device 1, one in slot 0 of member device 2, and one in slot 1 of member device 2.)

<Sysname> copy newest.bin chassis1#slot1#flash:/

<Sysname> copy newest.bin chassis2#slot0#flash:/

<Sysname> copy newest.bin chassis2#slot1#flash:/

# Specify newest.bin as the main system software image file for the next startup of all the MPUs of the IRF fabric.