
NE40E-M2K

V800R022C00SPC600
Upgrade Guide (iMaster NCE-IP)

Issue 01
Date 2022-10-31

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2022. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior
written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: https://www.huawei.com
Email: [email protected]

Issue 01 (2022-10-31) Copyright © Huawei Technologies Co., Ltd. i


NE40E-M2K
Upgrade Guide (iMaster NCE-IP) About This Document

About This Document

Purpose
This document describes how to upgrade NE40E-M2Ks to V800R022C00SPC600 as well as
how to roll back the upgrade. It also provides answers to frequently asked questions (FAQs)
and troubleshooting information.

Intended Audience
This document is intended for upgrade engineers who are familiar with the following:
- Networking and NE versions of the current network
- Device O&M operations

Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol Description
Indicates an imminently hazardous situation which, if
not avoided, will result in death or serious injury.
Indicates a potentially hazardous situation which, if not
avoided, could result in death or serious injury.
Indicates a potentially hazardous situation which, if not
avoided, may result in minor or moderate injury.
Indicates a potentially hazardous situation which, if not
avoided, could result in equipment damage, data loss,
performance deterioration, or unanticipated results.
NOTICE is used to address practices not related to
personal injury.
Calls attention to important information, best practices
and tips.
NOTE is used to address information not related to
personal injury, equipment damage, and environment
deterioration.


The V800R022C00SPC600 in the upgrade guide is replaced by the VXXXRXXXCXXSPCXXX.

Change History
Version Description Date Author
01 This is the first official release. 2021-04-30 liuxin


Contents

About This Document

1 Before You Start
1.1 Version Requirements
1.2 Upgrade Method
1.3 Upgrade Precautions
1.4 Upgrade Impact
1.5 Telemetry Upgrade Description
1.6 Installing the IKEv1 MOD File
1.7 Security Hardening
1.7.1 Upgrade Description of E-Trunk Deployment
1.7.2 Upgrade Description of Security Hardening Related to Default Configurations
1.7.3 Upgrade Description of License Algorithms
1.7.4 Upgrade Description of NCE forcibly verifies the digital signatures of software packages.
1.7.5 Security Description of CRL File Loading
1.7.6 Enabling Association Between First Login Through a Console Port and First Login Through a Management Network Port

2 Upgrade Process Overview

3 Preparing for the Upgrade
3.1 Pre-upgrade Checklist
3.1.1 Formulating an Upgrade Plan
3.1.2 Preparing Spare Parts
3.1.3 Backing Up NE Data
3.1.4 Using the OpenPGP Tool to Verify Integrity of a File
3.1.5 Obtaining the Target System Software
3.1.6 Checking Whether iMaster NCE-IP Needs to Be Upgraded
3.1.7 Checking NE Software Versions

4 Upgrade Process
4.1 Creating an Upgrade Task
4.2 Executing the Upgrade Task
4.3 Checking the Upgrade Result

5 Post-upgrade Check
5.1 Post-upgrade Checklist

6 Configuring the Default Configuration File

7 Rolling Back to the Source Version

8 Installing the IKEv1 MOD Steps


1 Before You Start

About This Chapter


Before upgrading the system software, read this chapter carefully. This will help you improve
upgrade efficiency and reliability.
1.1 Version Requirements
1.2 Upgrade Method
1.3 Upgrade Precautions
1.4 Upgrade Impact
1.5 Telemetry Upgrade Description
1.6 Installing the IKEv1 MOD File
1.7 Security Hardening

1.1 Version Requirements


Table 1-1 describes the upgrade notes for different versions.

Table 1-1 Upgrade notes for different versions of NE40E-M2K

Model | Version | Upgrade Note
NE40E-M2K | V800R010C10SPC500 | Refer to the procedure in this document to upgrade the version.
NE40E-M2K | V800R011C00SPC200 | Refer to the procedure in this document to upgrade the version.
NE40E-M2K | V800R011C10SPC100 | Refer to the procedure in this document to upgrade the version.
NE40E-M2K | V800R012C00SPC300 | Refer to the procedure in this document to upgrade the version.
NE40E-M2K | V800R012C10SPC100 | Refer to the procedure in this document to upgrade the version.
NE40E-M2K | V800R012C10SPC300 | Refer to the procedure in this document to upgrade the version.
NE40E-M2K | V800R013C00SPC100 | Refer to the procedure in this document to upgrade the version.
NE40E-M2K | V800R021C00SPC100 | Refer to the procedure in this document to upgrade the version.
NE40E-M2K | V800R021C10SPC500 | Refer to the procedure in this document to upgrade the version.
NE40E-M2K | V800R021C10SPC600 | Refer to the procedure in this document to upgrade the version.

Table 1-2 Upgrade notes for different versions of NE40E-M2K-B

Model | Version | Upgrade Note
NE40E-M2K-B | V800R011C00SPC200 | Refer to the procedure in this document to upgrade the version.
NE40E-M2K-B | V800R011C10SPC100 | Refer to the procedure in this document to upgrade the version.
NE40E-M2K-B | V800R012C00SPC300 | Refer to the procedure in this document to upgrade the version.
NE40E-M2K-B | V800R012C10SPC100 | Refer to the procedure in this document to upgrade the version.
NE40E-M2K-B | V800R012C10SPC300 | Refer to the procedure in this document to upgrade the version.
NE40E-M2K-B | V800R013C00SPC100 | Refer to the procedure in this document to upgrade the version.
NE40E-M2K-B | V800R021C00SPC100 | Refer to the procedure in this document to upgrade the version.
NE40E-M2K-B | V800R021C10SPC500 | Refer to the procedure in this document to upgrade the version.
NE40E-M2K-B | V800R021C10SPC600 | Refer to the procedure in this document to upgrade the version.

1.2 Upgrade Method


NE40E-M2Ks can be upgraded to V800R022C00SPC600 using iMaster NCE-IP.


1.3 Upgrade Precautions

The information in this document is subject to change without notice. Contact Huawei
technical support to obtain the latest upgrade guide before the upgrade.
The GUIs of iMaster NCE-IP described in this document may differ from the actual GUIs due
to iMaster NCE-IP upgrades.

Checking the NE Health Status Using a PMI Tool


Before starting an upgrade, use a preventive maintenance inspection (PMI) tool to check the
NE health status and identify possible software and hardware faults in advance. Ensure that
the NE's software and hardware are functioning properly before the upgrade. The procedure
for checking NE health status using a PMI tool is as follows:
Step 1 Contact the local representative office of Huawei and ask them to check NE health status prior
to the upgrade.
Step 2 Obtain the NE health check report from the local representative office.
Step 3 Resolve all issues identified in the NE health check before starting the upgrade.
----End

General Precautions
- Before starting the upgrade, contact Huawei technical support to confirm your upgrade
  scheme. This helps minimize upgrade risks.
- Devise an emergency plan before starting the upgrade, so that you can recover services
  as soon as possible if a problem occurs during the upgrade.
- If you encounter exceptions or problems you cannot resolve, such as service interruption,
  during the upgrade, stop the upgrade procedure immediately and contact Huawei
  technical support. Do not continue the upgrade before obtaining guidance from Huawei
  engineers.
- Do not adjust the network when devices are being upgraded. Do not reset or reseat any
  boards or adjust cables during the upgrade.
- Manually back up NE data before you start the upgrade, so that NE configurations can be
  restored if they are lost during the upgrade.
- Do not modify service configurations during the upgrade.
- Do not use any fault collection tool or PMI tool during the upgrade. If you use such tools,
  users who have logged in to target devices using iMaster NCE-IP will be forcibly logged
  out.
- Ensure that no power migration operations are performed before upgrade.


1.4 Upgrade Impact


Before upgrading an earlier version to V800R021C00SPC100, read this chapter carefully to
understand any possible impact of the upgrade, determine whether to proceed with the
upgrade, and formulate an emergency plan for possible upgrade failures.

Impact on Services During the Upgrade


During the restart of a device, services on the device will be interrupted.

Impact on Network Communication During the Upgrade


The service interruption time during device restart is as long as the device restart time. It takes
a maximum of 10 minutes for an unconfigured device to restart. The restart time required by a
device depends on the size of the configuration file on the device.

Impact on the System After the Upgrade


None

1.5 Telemetry Upgrade Description


For an upgrade from a version earlier than V800R011C10 to the current version, there are
incompatible changes in the sampling path of Telemetry. For an upgrade from V800R011C10
or a later version to the current version, there are no incompatible changes in the sampling
path of Telemetry. In this case, you can ignore this chapter.

The following table lists the comparison between the old and new sampling paths of the router
for reference during the upgrade. For details about the sampling paths supported by the
current product, see the Telemetry-based Performance Indicator List.

Table 1-3 lists the paths.

Table 1-3 Telemetry upgrade paths

No. | Sampling Path Before the Upgrade | Sampling Path After the Upgrade
1 | huawei-devm:devm/cpuInfos/cpuInfo | huawei-debug:debug/cpu-infos/cpu-info
2 | huawei-devm:devm/memoryInfos/memoryInfo | huawei-debug:debug/memory-infos/memory-info
3 | huawei-ifm:ifm/interfaces/interface | huawei-ifm:ifm/interfaces/interface
4 | huawei-devm:devm/fans/fan | N/A
5 | huawei-devm:devm/temperatureInfos/temperatureInfo | N/A
6 | huawei-devm:devm/powerSupplys/powerSupply/powerEnvironments/powerEnvironment | N/A
7 | huawei-ifm:ifm/interfaces/interface/ifDynamicInfo | huawei-ifm:ifm/interfaces/interface/dynamic
8 | huawei-kpi:kpi/kpiDatas/kpiData | huawei-kpi:kpi/kpi-datas/kpi-data

- Before the upgrade, delete and save the configuration of the existing telemetry sampling
  path. For example, the configuration in V800R022C00SPC600 is as follows:
#
telemetry
 #
 sensor-group sgroup1
  sensor-path huawei-ifm:ifm/interfaces/interface/ifStatistics
  sensor-path huawei-ifm:ifm/interfaces/interface/ifStatistics/ethPortErrSts
  sensor-path huawei-devm:devm/fans/fan
  sensor-path huawei-devm:devm/powerSupplys/powerSupply/powerEnvironments/powerEnvironment
  sensor-path huawei-devm:devm/temperatureInfos/temperatureInfo
  sensor-path huawei-ifm:ifm/interfaces/interface
  sensor-path huawei-ifm:ifm/interfaces/interface/ifClearedStat
  sensor-path huawei-ifm:ifm/interfaces/interface/ifDynamicInfo
  sensor-path huawei-devm:devm/ports/port/opticalInfo
  sensor-path huawei-devm:devm/cpuInfos/cpuInfo
  sensor-path huawei-devm:devm/memoryInfos/memoryInfo
  sensor-path huawei-qos:qos/qosBuffers/qosBuffer
  sensor-path huawei-qos:qos/qosIfQoss/qosIfQos/qosPolicyApplys/qosPolicyApply/qosPolicyStats/qosPolicyStat/qosRuleStats/qosRuleStat
  sensor-path huawei-qos:qos/qosPortQueueStatInfos/qosPortQueueStatInfo
 #
 destination-group dest1
  ipv4-address X.X.X.X port 2105 protocol grpc no-tls
 #
 subscription sub1
  sensor-group sgroup1 sample-interval 30000
  destination-group dest1
#
Enter the sensor-group view and delete all sensor paths. For example:
<HUAWEI>system-view
[~HUAWEI]telemetry
[~HUAWEI-telemetry] sensor-group sgroup1
[~HUAWEI-telemetry-sensor-group-sgroup1]undo sensor-path huawei-ifm:ifm/interfaces/interface/ifStatistics
[*HUAWEI-telemetry-sensor-group-sgroup1]undo sensor-path huawei-ifm:ifm/interfaces/interface/ifStatistics/ethPortErrSts
[*HUAWEI-telemetry-sensor-group-sgroup1]undo sensor-path huawei-devm:devm/fans/fan
[*HUAWEI-telemetry-sensor-group-sgroup1]undo sensor-path huawei-devm:devm/powerSupplys/powerSupply/powerEnvironments/powerEnvironment
[*HUAWEI-telemetry-sensor-group-sgroup1]undo sensor-path huawei-devm:devm/temperatureInfos/temperatureInfo
[*HUAWEI-telemetry-sensor-group-sgroup1]undo sensor-path huawei-ifm:ifm/interfaces/interface
[*HUAWEI-telemetry-sensor-group-sgroup1]undo sensor-path huawei-ifm:ifm/interfaces/interface/ifClearedStat
[*HUAWEI-telemetry-sensor-group-sgroup1]undo sensor-path huawei-ifm:ifm/interfaces/interface/ifDynamicInfo
[*HUAWEI-telemetry-sensor-group-sgroup1]undo sensor-path huawei-devm:devm/ports/port/opticalInfo
[*HUAWEI-telemetry-sensor-group-sgroup1]undo sensor-path huawei-devm:devm/cpuInfos/cpuInfo
[*HUAWEI-telemetry-sensor-group-sgroup1]undo sensor-path huawei-devm:devm/memoryInfos/memoryInfo
[*HUAWEI-telemetry-sensor-group-sgroup1]undo sensor-path huawei-qos:qos/qosBuffers/qosBuffer
[*HUAWEI-telemetry-sensor-group-sgroup1]undo sensor-path huawei-qos:qos/qosIfQoss/qosIfQos/qosPolicyApplys/qosPolicyApply/qosPolicyStats/qosPolicyStat/qosRuleStats/qosRuleStat
[*HUAWEI-telemetry-sensor-group-sgroup1]undo sensor-path huawei-qos:qos/qosPortQueueStatInfos/qosPortQueueStatInfo
[*HUAWEI-telemetry-sensor-group-sgroup1]commit
[~HUAWEI-telemetry-sensor-group-sgroup1]return
<HUAWEI>save

Reconfigure the sampling path after the device is upgraded.


- After the upgrade, reconfigure the sampling path:
<HUAWEI>system-view
[~HUAWEI]telemetry
[~HUAWEI-telemetry] sensor-group sgroup1
[~HUAWEI-telemetry-sensor-group-sgroup1]sensor-path huawei-ifm:ifm/interfaces/interface/mib-statistics
[*HUAWEI-telemetry-sensor-group-sgroup1]sensor-path huawei-ifm:ifm/interfaces/interface/mib-statistics/huawei-pic:eth-port-err-sts
[*HUAWEI-telemetry-sensor-group-sgroup1]sensor-path huawei-ifm:ifm/interfaces/interface
[*HUAWEI-telemetry-sensor-group-sgroup1]sensor-path huawei-ifm:ifm/interfaces/interface/common-statistics
[*HUAWEI-telemetry-sensor-group-sgroup1]sensor-path huawei-ifm:ifm/interfaces/interface/dynamic
[*HUAWEI-telemetry-sensor-group-sgroup1]sensor-path huawei-devm:devm/ports/port/huawei-pic:optical-module
[*HUAWEI-telemetry-sensor-group-sgroup1]sensor-path huawei-debug:debug/cpu-infos/cpu-info
[*HUAWEI-telemetry-sensor-group-sgroup1]sensor-path huawei-debug:debug/memory-infos/memory-info
[*HUAWEI-telemetry-sensor-group-sgroup1]sensor-path huawei-qos:qos/qosBuffers/qosBuffer
[*HUAWEI-telemetry-sensor-group-sgroup1]sensor-path huawei-qos:qos/global-query/interface-traffic-policy-statisticss/interface-traffic-policy-statistics/rule-based-staticss/rule-based-statics
[*HUAWEI-telemetry-sensor-group-sgroup1]sensor-path huawei-qos:qos/global-query/default-queue-statisticss/default-queue-statistics
[*HUAWEI-telemetry-sensor-group-sgroup1]commit
[~HUAWEI-telemetry-sensor-group-sgroup1]return
<HUAWEI>save
- After the upgrade, the collector re-adapts to the new proto file.
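
The following Python example is added here and is not part of the Huawei guide. It reads a saved pre-upgrade telemetry configuration, applies the Table 1-3 mapping, and builds the delete and reconfigure command lists for the two procedures above; paths that Table 1-3 does not list are reported so they can be looked up in the Telemetry-based Performance Indicator List. The function names and the sample configuration are assumptions made for illustration.

```python
# Old -> new sampling paths copied from Table 1-3; None stands for "N/A".
TABLE_1_3 = {
    "huawei-devm:devm/cpuInfos/cpuInfo": "huawei-debug:debug/cpu-infos/cpu-info",
    "huawei-devm:devm/memoryInfos/memoryInfo": "huawei-debug:debug/memory-infos/memory-info",
    "huawei-ifm:ifm/interfaces/interface": "huawei-ifm:ifm/interfaces/interface",
    "huawei-devm:devm/fans/fan": None,
    "huawei-devm:devm/temperatureInfos/temperatureInfo": None,
    "huawei-devm:devm/powerSupplys/powerSupply/powerEnvironments/powerEnvironment": None,
    "huawei-ifm:ifm/interfaces/interface/ifDynamicInfo": "huawei-ifm:ifm/interfaces/interface/dynamic",
    "huawei-kpi:kpi/kpiDatas/kpiData": "huawei-kpi:kpi/kpi-datas/kpi-data",
}

# Constructed sample of a saved pre-upgrade configuration. The last
# sensor-path is wrapped onto a second line, as can happen in captured output.
SAMPLE_CONFIG = """\
#
telemetry
 #
 sensor-group sgroup1
  sensor-path huawei-devm:devm/cpuInfos/cpuInfo
  sensor-path huawei-devm:devm/fans/fan
  sensor-path huawei-ifm:ifm/interfaces/interface/ifDynamicInfo
  sensor-path huawei-ifm:ifm/interfaces/interface/ifStatistics
  sensor-path
huawei-devm:devm/powerSupplys/powerSupply/powerEnvironments/powerEnvironment
 #
 destination-group dest1
  ipv4-address X.X.X.X port 2105 protocol grpc no-tls
 #
 subscription sub1
  sensor-group sgroup1 sample-interval 30000
  destination-group dest1
#
"""


def parse_sensor_groups(config_text):
    """Return {sensor-group name: [sensor paths]} from a telemetry configuration."""
    groups = {}
    current = None        # sensor-group currently being read
    expect_path = False   # previous line was a bare "sensor-path"
    for raw in config_text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "sensor-group" and len(tokens) == 2:
            # A definition has only a name; the subscription reference
            # ("sensor-group X sample-interval N") has more tokens.
            current = tokens[1]
            groups.setdefault(current, [])
            expect_path = False
        elif tokens[0] == "sensor-path" and current is not None:
            if len(tokens) >= 2:
                groups[current].append(tokens[1])
            else:
                expect_path = True
        elif expect_path and current is not None:
            groups[current].append(tokens[0])
            expect_path = False
        elif tokens[0].startswith("/") and current is not None and groups[current]:
            groups[current][-1] += tokens[0]   # tail of a wrapped path
        else:
            current = None                     # "#" or another view ends the group
            expect_path = False
    return groups


def plan_migration(groups):
    """For each group, list undo commands, new sensor-path commands and gaps."""
    plan = {}
    for name, paths in groups.items():
        entry = {"undo": [], "redo": [], "no_replacement": [], "unmapped": []}
        for old in paths:
            entry["undo"].append(f"undo sensor-path {old}")
            if old not in TABLE_1_3:
                entry["unmapped"].append(old)        # not in Table 1-3
            elif TABLE_1_3[old] is None:
                entry["no_replacement"].append(old)  # "N/A" in Table 1-3
            else:
                command = f"sensor-path {TABLE_1_3[old]}"
                if command not in entry["redo"]:
                    entry["redo"].append(command)
        plan[name] = entry
    return plan


def render_session(group, commands):
    """Wrap commands in the view changes, commit and save shown in section 1.5."""
    return ["system-view", "telemetry", f"sensor-group {group}", *commands,
            "commit", "return", "save"]


if __name__ == "__main__":
    for group, entry in plan_migration(parse_sensor_groups(SAMPLE_CONFIG)).items():
        print("\n".join(render_session(group, entry["undo"])))
        print("\n".join(render_session(group, entry["redo"])))
        print("no replacement in Table 1-3:", entry["no_replacement"])
        print("look up in the indicator list:", entry["unmapped"])
```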

1.6 Installing the IKEv1 MOD File


V300R006C10SPC300 and later versions do not support IKEv1. If IKEv1 is used in
V300R006C10SPC300 and later versions, IPSec services will be adversely affected after the
upgrade. To use the IKEv1 function, download an IKEv1 MOD file first. To do so, log in to
https://support.huawei.com as a carrier user or https://support.huawei.com/enterprise as an
enterprise user, apply for a software package, and download a correct MOD file together with
the software package.
Perform the following operations to check whether the IKEv1 function is enabled on a device:
Step 1 Check the IKEv1 configuration. Check whether the IKEv1 peer configuration exists.
<HUAWEI> display ike peer brief | include v1
Info: It will take a long time if the content you search is too much or the string you
input is too long, you can press CTRL_C to break.
current ike peer number: 2
---------------------------------------------------------------------
Peer Name Version Exchange-mode Proposal Id-type RemoteAddr
---------------------------------------------------------------------
peer860_1 v1 main 60 ip 40.0.0.0 40.1.4.0

The command output contains the peer configuration, indicating that the IKEv1 configuration
exists. Then go to the next step.
Step 2 Check whether an IKEv1 tunnel is established for each peer.
<HUAWEI> system-view
[~HUAWEI] display ike sa | include v1
current sa Num :2000
Single-homing :2000 Multi-homing M and M|B :0 Multi-homing S and S|B :0
None-backup sa :2000 Backup sa :0
Spu board slot 8, IKE SA Information:
Current IKE SA number: 2
-----------------------------------------------------------------------------
conn-id peer flag phase ext vpn
-----------------------------------------------------------------------------
954 10.0.0.149 RD v1:2 - -
57443 10.0.0.149 RD|ST v1:1 - -

If tunnel information is displayed, IKEv1 tunnel information is in use. In this case, the IKEv1
MOD file needs to be installed.
For details, see the "1.6 Installing the IKEv1 MOD File".


If the IKEv1 MOD file is not installed and an upgrade is performed, the IKEv1 configuration
will be lost, IPSec services will be adversely affected, and no IKEv1 tunnel can be
established.

- By default, the IKEv1 function is not supported in the target version. After the upgrade, the IKEv1
  configuration will be lost, and IPSec services will be adversely affected.
- For the IKEv1 MOD-based upgrade in a dual-system environment, upgrade the backup device and
  then the master device. If the IKEv1 MOD file is not installed on the backup device, the device
  cannot receive the backup data of IKEv1 tunnels.
- If IKEv1 is configured but the IKEv1 MOD file is not specified for the next startup, the IKEv1
  configuration will be lost after an upgrade. As a result, the restored configurations become
  inconsistent with those on the peer end, and tunnels cannot be established. In this case, check the
  IKEv1-related configurations and reconfigure the IPSec and IKE encryption and authentication
  algorithms.

----End
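
The following Python example is added here and is not part of the Huawei guide. It applies the two-step check above to captured output of display ike peer brief and display ike sa, and reports whether IKEv1 is absent, only configured, or carrying tunnels. The function names, status labels and sample captures (including the v2 peer row) are constructed for illustration.

```python
import re

# Constructed capture in the layout of the Step 1 output; the v2 row is added
# to show that an unfiltered capture is handled as well.
PEER_BRIEF = """\
current ike peer number: 2
---------------------------------------------------------------------
Peer Name Version Exchange-mode Proposal Id-type RemoteAddr
---------------------------------------------------------------------
peer860_1 v1 main 60 ip 40.0.0.0 40.1.4.0
peer_hq v2 - 70 ip 192.0.2.10
"""

# Constructed capture in the layout of the Step 2 output.
IKE_SA = """\
Spu board slot 8, IKE SA Information:
Current IKE SA number: 2
-----------------------------------------------------------------------------
conn-id peer flag phase ext vpn
-----------------------------------------------------------------------------
954 10.0.0.149 RD v1:2 - -
57443 10.0.0.149 RD|ST v1:1 - -
"""

# conn-id, peer address, flag, then the phase column "v1:1" or "v1:2".
SA_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+v1:([12])\b")


def ikev1_peers(peer_output):
    """Names of configured IKE peers whose Version column is v1 (Step 1)."""
    peers = []
    for line in peer_output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[1] == "v1":
            peers.append(fields[0])
    return peers


def ikev1_sas(sa_output):
    """(conn-id, peer address, phase) for every IKEv1 SA row (Step 2)."""
    sas = []
    for line in sa_output.splitlines():
        match = SA_ROW.match(line)
        if match:
            sas.append((int(match.group(1)), match.group(2), int(match.group(4))))
    return sas


def assess(peer_output, sa_output):
    """Combine both steps into one pre-upgrade verdict.

    in_use     : IKEv1 tunnels exist, so the MOD file must be installed.
    configured : IKEv1 peers exist but no tunnel is up; the configuration
                 is still lost by an upgrade without the MOD file.
    absent     : neither output shows IKEv1.
    """
    peers = ikev1_peers(peer_output)
    sas = ikev1_sas(sa_output)
    if sas:
        status = "in_use"
    elif peers:
        status = "configured"
    else:
        status = "absent"
    return {
        "status": status,
        "peers": peers,
        "tunnel_peers": sorted({peer for _, peer, _ in sas}),
    }


if __name__ == "__main__":
    print(assess(PEER_BRIEF, IKE_SA))
```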

1.7 Security Hardening


1.7.1 Upgrade Description of E-Trunk Deployment
In V800R021C00SPC100 and later versions, E-Trunk does not support authentication based
on the default key. After an E-Trunk is created, if no encryption key is configured, E-Trunk
negotiation with the peer end fails. If a version earlier than V800R021C00SPC100 is not
configured with an encryption key, the default key is used after the version is upgraded. As a
result, the E-Trunk function cannot be used after the upgrade, affecting service deployment
that depends on the function.

If E-Trunk has been deployed before an upgrade, check whether a key has been configured. If
not, configure the same key (different from the default key 00E0FC0000000000) in the
E-Trunk view on both ends of the E-Trunk before the upgrade. The default key cannot be used
for authentication after the upgrade. If you do not perform this configuration, E-Trunk
negotiation will fail after the upgrade, affecting services.

To configure an E-Trunk encryption key, perform the following steps:


Step 1 Check whether the E-Trunk feature is deployed. If not, upgrades are not affected.
[HUAWEI]display e-trunk brief
E-TRUNK-ID State VPN-Instance Peer-IP Source-IP
---------------------------------------------------------------------------------------------------
1 Master _public_ - -
2 Master _public_ - -
---------------------------------------------------------------------------------------------------
Total:2 Master:2 Backup:0 Init:0


Step 2 In the existing E-Trunk view, check whether an encryption key is configured. If an encryption
key is configured, as shown in the following command output, the upgrade of the E-Trunk is
not affected.
[HUAWEI-e-trunk-1]display this
#
e-trunk 1
security-key simple root@123
authentication-mode enhanced-hmac-sha256
#
return

If an encryption key is not configured in the E-Trunk view, as shown in the following
command output, the upgrade of the E-Trunk will be affected.
[HUAWEI-e-trunk-2]display this
#
e-trunk 2
authentication-mode enhanced-hmac-sha256
#
return

Step 3 Configure an encryption key in the E-Trunk view where an encryption key does not exist.
Note: Configure the same encryption key in the E-Trunk view on both ends of an E-Trunk.
[HUAWEI-e-trunk-2]security-key cipher Root@1234
[HUAWEI-e-trunk-2]disp
[HUAWEI-e-trunk-2]display this
#
e-trunk 2
security-key cipher %^%#e+,;P~l@H9Tk]{%K)b9Ad_ZgS/th}5N"i_>!E&N*%^%#
authentication-mode enhanced-hmac-sha256
#
return

Step 4 After the configuration is complete, run the display e-trunk command to check whether
E-Trunk negotiation works normally. If the State field value is Master or Backup and the
Send and Receive field values increase normally, the E-Trunk function is normal. Otherwise,
check whether the encryption keys configured on both ends of the E-Trunk are the same.
[HUAWEI-e-trunk-1]display e-trunk 1
The E-Trunk information
E-TRUNK-ID : 1 Revert-Delay-Time (s) : 120
Priority : 100 System-ID : 38ba-234a-ed02
VPN-Instance : _public_
Peer-IP : 1.1.1.1 Source-IP : 1.1.1.2
State : Master Causation : PRI
Send-Period (100ms) : 10 Fail-Time (100ms) : 200
Receive : 7 Send : 25
RecDrop : 0 SndDrop : 0
Peer-Priority : 100 Peer-System-ID : 38ba-26be-9a01
Peer-Fail-Time (100ms) : 200 BFD-Session : -
Description : -
Sequence : Disable
Dynamic-BFD : Disabled BFD-State : -
TX (ms) : - RX (ms) : -
Multiplier : -


----End
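
The following Python example is added here and is not part of the Huawei guide. It runs the Step 1 to Step 3 check over a saved configuration file: it finds every E-Trunk view, reports those with no security-key or with the default key 00E0FC0000000000, and lists the commands to enter before the upgrade. It assumes the saved file keeps the device's indentation; the function names, status labels, <SHARED-KEY> placeholder and sample configuration are constructed for illustration.

```python
DEFAULT_KEY = "00E0FC0000000000"   # default key named in section 1.7.1

# Constructed sample of a saved configuration. The indented "e-trunk 1" under
# the interface is a reference to an E-Trunk, not an E-Trunk view.
SAMPLE_CONFIG = """\
#
interface Eth-Trunk10
 e-trunk 1
#
e-trunk 1
 security-key simple root@123
 authentication-mode enhanced-hmac-sha256
#
e-trunk 2
 authentication-mode enhanced-hmac-sha256
#
e-trunk 3
 security-key cipher %^%#CONSTRUCTED-CIPHERTEXT%^%#
 authentication-mode enhanced-hmac-sha256
#
e-trunk 4
 security-key simple 00E0FC0000000000
#
return
"""


def parse_etrunks(config_text):
    """Return {E-Trunk ID: {"mode": ..., "key": ...}} for each E-Trunk view."""
    etrunks = {}
    current = None
    for raw in config_text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if not raw[0].isspace():
            # Column 0 starts a new view (or is "#" / "return").
            if tokens[0] == "e-trunk" and len(tokens) == 2 and tokens[1].isdigit():
                current = int(tokens[1])
                etrunks[current] = {"mode": None, "key": None}
            else:
                current = None
        elif current is not None and tokens[0] == "security-key" and len(tokens) >= 3:
            etrunks[current] = {"mode": tokens[1], "key": tokens[2]}
    return etrunks


def audit(config_text):
    """Return [(E-Trunk ID, status)] with status NO_KEY, DEFAULT_KEY or OK."""
    findings = []
    for trunk_id, info in sorted(parse_etrunks(config_text).items()):
        if info["key"] is None:
            status = "NO_KEY"        # negotiation fails after the upgrade
        elif info["mode"] == "simple" and info["key"].upper() == DEFAULT_KEY:
            status = "DEFAULT_KEY"   # default key is rejected after the upgrade
        else:
            status = "OK"
        findings.append((trunk_id, status))
    return findings


def plaintext_keys(config_text):
    """IDs whose key is stored with 'simple' and is readable in the configuration."""
    return [trunk_id
            for trunk_id, info in sorted(parse_etrunks(config_text).items())
            if info["mode"] == "simple"]


def remediation(findings):
    """Commands to enter before the upgrade; use the same key on both ends."""
    commands = []
    for trunk_id, status in findings:
        if status != "OK":
            commands += [f"e-trunk {trunk_id}", "security-key cipher <SHARED-KEY>"]
    return commands


if __name__ == "__main__":
    results = audit(SAMPLE_CONFIG)
    for trunk_id, status in results:
        print(f"e-trunk {trunk_id}: {status}")
    print("readable keys:", plaintext_keys(SAMPLE_CONFIG))
    print("\n".join(remediation(results)))
```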

1.7.2 Upgrade Description of Security Hardening Related to Default Configurations
In V800R022C00SPC500 and later versions, weak algorithms are disabled globally by default.
To be compatible with the service functions that use the default configuration file of earlier
versions, the default-custom.defcfg file must be preinstalled. The details are as follows:

Security Hardening: Default account
Configuration Removed from the Default Configuration File: -
Configuration Added to or Retained in the Default Configuration File:
#
crypto weak-algorithm disable

After the system is upgraded from an earlier version to V800R022C00SPC500, the
configuration of the earlier version is inherited by default and the weak algorithm is still
available. After the upgrade is successful, run the crypto weak-algorithm disable command
in the system view to disable the weak algorithm.
In V800R021C00SPC100 and later versions, the following security hardening operations are
performed on the default configurations: 1. The default account is removed, and the first-login
process is triggered upon initial login. 2. The SSH/SNMP all port listening configuration is
removed (only management network port listening is retained). 3. Weak algorithms are
removed from the SSH server and SSH client. 4. By default, the DTLS data channel is used
for encryption in transmission mode.
To use the original service functions in the default configuration file, you need to pre-install
the default-custom.defcfg file. The detailed changes are as follows:
In V800R021C00SPC100 and later versions, the default account and SSH/SNMP all port
listening configuration are removed from the default configuration file (only management
network port listening is retained), but the functions of first login and password change upon
the first login are added. In addition, weak algorithms are removed from the default
configuration files of all models. By default, the DTLS data channel is used for encryption in
transmission mode, and alarms are generated when weak algorithms or protocols are used.
These removed configurations are stored in the defcfg file and can be loaded as required. The
detailed changes are as follows:
1. The default account and SNMP/SSH all port listening configurations are removed from
the default configuration file. By default, only SSH login through the management
network port or login through the serial port is supported. In addition, the first-login
process is triggered upon the first login, requiring you to create a username and password.
Note that the first-login process is disabled during SSH login if the process has been
triggered during serial port login.
Security Hardening: Default account
Configuration Removed from the Default Configuration File:
#
aaa
 local-user root password irreversible-cipher $1c$]f(3Q<j7uS$!0!)8@e`\+lj]vQx\2l&y-$M(|\n_ERFU_BF$!6X$
 local-user root service-type ssh
 local-user root user-group manage-ug
#
ssh user root
ssh user root authentication-type password
ssh user root service-type stelnet snetconf
ssh user root service-type stelnet

Security Hardening: Enabling SNMP and SSH on all interfaces
Configuration Removed from the Default Configuration File:
snmp-agent protocol source all-interface
Configuration Added to or Retained in the Default Configuration File:
undo snmp-agent protocol source all-interface
undo ssh server-source all-interface
undo ssh ipv6 server-source all-interface
ssh server-source -i Ethernet0/0/0

2. For system security purposes, the default behavior in V800R021C00SPC100 is to forcibly
change the initial password. However, for compatibility in upgrade scenarios, the
user-password password-force-change disable command is added in the AAA view by default
to disable the function of forcibly changing the initial password. After the function is
disabled, the passwords of local management users created before an upgrade do not need
to be forcibly changed after the upgrade.
If you want to forcibly change the initial password of a new user or a user whose
password has been reset after an upgrade, run the undo user-password
password-force-change disable command to enable the function of forcibly changing
the initial password. After the function is enabled, users are forced to change their
passwords when they log in to the system using initial passwords, improving security.
3. Weak algorithms are removed from the default configuration file. If SSH-based login is
used, ensure that the login tool supports the security algorithms in the default
configuration file.

| Security Hardening | Configuration Removed from the Default Configuration File | Configuration Added to or Retained in the Default Configuration File |
|---|---|---|
| Insecure algorithm | ssh server key-exchange dh_group_exchange_sha256 dh_group_exchange_sha1 dh_group14_sha1 ecdh_sha2_nistp256 ecdh_sha2_nistp384 ecdh_sha2_nistp521 | ssh server key-exchange dh_group_exchange_sha256 |
| | ssh server publickey ecc rsa rsa_sha2_256 rsa_sha2_512 | ssh server publickey rsa_sha2_256 rsa_sha2_512 |
| | ssh client key-exchange dh_group_exchange_sha256 dh_group_exchange_sha1 dh_group14_sha1 ecdh_sha2_nistp256 ecdh_sha2_nistp384 ecdh_sha2_nistp521 | ssh client key-exchange dh_group_exchange_sha256 |
| | ssh client publickey ecc rsa rsa_sha2_256 rsa_sha2_512 | ssh client publickey rsa_sha2_256 rsa_sha2_512 |

4. If weak algorithms and protocols exist in the system, an alarm is reported to prompt you
to perform rectification.

1. According to security requirements, if the system contains weak algorithms or protocols,
an alarm needs to be reported.

a. If weak algorithms and protocols exist in the system, the system generates the
following alarm:
<HUAWEI>display alarm active | include secure
Info: It will take a long time if the content you search is too much or the
string you input is too long, you can press CTRL_C to break.
1:Critical 2:Major 3:Minor 4:Warning
--------------------------------------------------------------------------
------
Sequence AlarmId Level Date Time Description
--------------------------------------------------------------------------
------
59 0xF10466 2 2021-10-07 11:18:40 With the development of
cryptographic technologies and the improvement of computing capabilities, some
cryptographic algorithm and protocols are deprecated. Please use more secure
algorithms and protocols. (Type=insecure algorithm)
58 0xF10466 2 2021-10-07 11:18:40 With the development of
cryptographic technologies and the improvement of computing capabilities, some
cryptographic algorithm and protocols are deprecated. Please use more secure
algorithms and protocols. (Type=insecure protocol)
--------------------------------------------------------------------------
------
b. You can run the display security risk command to query the weak protocols or
algorithms used in the system. Perform security hardening based on Repair Action
displayed to clear the alarm.
<HUAWEI>display security risk
Risk Level : high
Feature Name : SSH_CLIENT
Risk Type : insecure-algorithm
Risk Information : Insecure key exchange algorithms (dh_group1_sha1,
dh_group_exchange_sha1, dh_group14_sha1, ecdh_sha2_nistp256,
ecdh_sha2_nistp384, ecdh_sha2_nistp521) are enabled in SSH client

Repair Action : It is recommended to disable the insecure key exchange
algorithms
Risk Level : medium
Feature Name : TELNET
Risk Type : insecure-protocol
Risk Information : The Telnet server function is used
Repair Action : Use Stelnet
If weak algorithms or protocols need to be reserved for compatibility, you can use
the following methods to shield the alarm:
Run the info-center command in the system view to filter out the alarm.
[~HUAWEI]info-center filter-id bymodule-alias system hwsecurityrisk
[~HUAWEI]info-center filter-id bymodule-alias system hwsecurityriskclear
5. In transmission mode, the DCN DTLS encryption channel is enabled by default. A
device that uses this default configuration cannot interwork with a device running an
earlier version or a device on which the DTLS encryption channel is not enabled. If two
such devices are interconnected, DCN login fails in transmission mode.
To keep the default behavior of the device the same as that before an upgrade, run the
startup default-configuration configuration-file command to customize the defcfg file.
Security Configuration Removed from the Default Configuration Added to or
Hardenin Configuration File Retained in the Default
g Configuration File
Insecure #
algorithm dtls policy qx_dtls_client
#
dcn security-mode enable
#

• Before running the reset saved-configuration command or using the reset button to clear the
configuration, check whether the defcfg file is specified.
• If the default behavior of the device needs to be the same as the previous one, you can run the
startup default-configuration configuration-file command to specify the customized defcfg file
during the production of a new device.
• You can also customize the defcfg file for a live-network device when it is upgraded to
V800R021C00SPC100 or later. If you add the preceding removed configurations to the customized
defcfg, the device retains the same default configuration restoration behavior as that in the earlier
version. For details about how to load the configuration file, see 6 Configuring the Default
Configuration File.
• If a device is downgraded to a version earlier than V800R021C00SPC100, delete the default
configuration file or load the defcfg file customized for the source version.
• You can disable the weak algorithm in V800R022C00SPC600. If you do not need to disable it,
setting the latest .defcfg file is recommended. This prevents the weak algorithm from becoming
unavailable after the configuration is cleared using the reset saved-configuration command or the
reset button.
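
When many devices are upgraded, the display security risk output and the alarm filter commands shown under item 4 above can be reviewed in bulk. The following Python sketch is an added example, not part of the Huawei guide or tooling: it parses that output format (including wrapped lines) and reports whether the security-risk alarm has been filtered out. The sample text is constructed from the output quoted above, and the assumption is that the filter commands appear verbatim in a saved configuration.

```python
import re

# Field labels exactly as they appear in the `display security risk` output above.
FIELD_RE = re.compile(
    r"^(Risk Level|Feature Name|Risk Type|Risk Information|Repair Action)\s*:\s*(.*)$"
)
# Alarm-filter commands quoted above, optionally preceded by a CLI prompt such as [~HUAWEI].
# Assumption: a saved configuration lists them in the same form.
FILTER_RE = re.compile(
    r"^(?:\[[^\]]*\]\s*)?info-center filter-id bymodule-alias system (hwsecurityrisk(?:clear)?)$"
)
LEVEL_RANK = {"high": 0, "medium": 1}  # only the levels shown on this page

# Constructed sample: the output quoted in this guide, with its line wrapping kept.
SAMPLE_OUTPUT = """\
<HUAWEI>display security risk
Risk Level : high
Feature Name : SSH_CLIENT
Risk Type : insecure-algorithm
Risk Information : Insecure key exchange algorithms (dh_group1_sha1,
dh_group_exchange_sha1, dh_group14_sha1, ecdh_sha2_nistp256,
ecdh_sha2_nistp384, ecdh_sha2_nistp521) are enabled in SSH client
Repair Action : It is recommended to disable the insecure key exchange
algorithms
Risk Level : medium
Feature Name : TELNET
Risk Type : insecure-protocol
Risk Information : The Telnet server function is used
Repair Action : Use Stelnet
"""

# Constructed sample of a configuration in which the alarm has been shielded.
SAMPLE_CONFIG = """\
#
info-center filter-id bymodule-alias system hwsecurityrisk
info-center filter-id bymodule-alias system hwsecurityriskclear
#
"""


def parse_security_risks(text):
    """Turn `display security risk` output into a list of dicts, one per risk."""
    records, current, last = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("<"):  # blank line or CLI prompt line
            continue
        match = FIELD_RE.match(line)
        if match:
            name, value = match.group(1), match.group(2).strip()
            if name == "Risk Level":  # every record starts with this field
                current = {}
                records.append(current)
            if current is not None:
                current[name] = value
                last = name
        elif current is not None and last is not None:
            # Wrapped continuation of the previous field (long algorithm lists wrap).
            current[last] = f"{current[last]} {line}"
    return records


def insecure_algorithms(record):
    """Extract the parenthesised algorithm list from Risk Information, if any."""
    found = re.search(r"\(([^)]*)\)", record.get("Risk Information", ""))
    return [name.strip() for name in found.group(1).split(",")] if found else []


def suppressed_risk_alarms(config_text):
    """Return the security-risk alarm filters present in a configuration dump."""
    hits = []
    for line in config_text.splitlines():
        match = FILTER_RE.match(line.strip())
        if match:
            hits.append(match.group(1))
    return hits


def triage(risk_output, config_text):
    """Sort risks by severity and flag devices where the alarm is filtered out."""
    risks = sorted(
        parse_security_risks(risk_output),
        key=lambda r: LEVEL_RANK.get(r.get("Risk Level", "").lower(), 99),
    )
    return {"risks": risks, "alarm_filtered": bool(suppressed_risk_alarms(config_text))}


if __name__ == "__main__":
    report = triage(SAMPLE_OUTPUT, SAMPLE_CONFIG)
    for risk in report["risks"]:
        print(risk["Risk Level"], risk["Feature Name"], insecure_algorithms(risk))
    print("alarm filtered:", report["alarm_filtered"])
```

A device that still reports risks while alarm_filtered is true is one where weak algorithms or protocols were kept for compatibility and will no longer raise the alarm, so it is worth tracking separately.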


1.7.3 Upgrade Description of License Algorithms


License version compatibility: To cope with the increasingly severe security situation, the
digital signature algorithm of the product license is upgraded to RSA3072 starting from
V800R021C00SPC100. Therefore, pay attention to version compatibility when using the license file.
• The license applied for in V800R021C00SPC100 and later versions cannot be used in
V800R013C00 and earlier versions.
• The license applied for in V800R013C00 and earlier versions can continue to be used in
V800R021C00SPC100 and later versions.
If the license file is replaced with one that uses the new algorithm after the upgrade to
V800R021C00SPC100, the license is incompatible with a rollback. This section describes the
impact of version rollback.

Prerequisites
1. The version is upgraded. By default, the new version still uses the license file of the old
version.
2. The license file of the new algorithm is activated.
3. Rollback is performed.

Impact of the Rollback


1. Upgrades are not affected.
2. If the license file is not replaced in the new version, the rollback has no impact.
3. A direct rollback is not allowed after the license file of the new algorithm is activated in
the new version. When the system software package for next startup is specified, the
system checks whether the current license file matches the system software package for
next startup. If they do not match, an error message is displayed to indicate that the
license file is incompatible with the system software package.
4. The rollback is allowed after the license file of the old version is used.

1.7.4 Upgrade Description of NCE Forcibly Verifying the Digital Signatures of Software Packages

In V800R021C00 and later versions, to improve the capabilities for trustworthy release and
deployment, the software package verification mechanism of NCE (V100R021C00SPC200)
is modified. The integrity of imported software packages is verified using CMS signature
verification.
The CMS digital signature file is available on the Huawei technical support website. Users
can download the software package and its CMS signature file at the same time and import
them to NCE for integrity verification. The integrity of the software package is no longer
verified manually using PGP.
Table 1-1 lists the operation items before and after the change.

Table 1-4 Comparison before and after the change

| Operation Item | Before | After |
|---|---|---|
| Verification method | The software integrity is verified manually using PGP Verify. | The software integrity is verified automatically using the CMS signature file. |
| Software downloading | The software file and its PGP signature file are downloaded. | The software package and its CMS signature file are downloaded. |
| Software import | The software file that has been manually verified is imported. | Both the software package and its CMS signature file are imported. |
| NE upgrade | Software files can be selected from the software library or the FTP directory on the server. | Software files to be imported can be selected only from the software library. |

For details, see 3.1.4 Using the OpenPGP Tool to Verify Integrity of a File.

1.7.5 Security Description of CRL File Loading


The device allows you to load the certificate revocation list (CRL) file.
If the device runs V800R021C00SPC100 or a later version, it checks whether the CRL is
empty when loading the CRL file. If it is empty, the CRL file fails to be loaded. The device,
however, does not check whether the CRL is empty in a configuration restoration scenario
after a device restart.
To check whether the CRL is empty, you can download the CRL file to a local PC and
double-click the file to perform the check.


If the device runs V800R021C00SPC100 or a later version, it also checks how long ago the CRL
file was last updated. If the time during which the CRL file has not been updated exceeds the
precaution threshold, the device reports an alarm (SSLCertificateExpiredEarlyWarning)
indicating that the CRL file has expired.
To check the next update time of the CRL, you can download the CRL file to a local PC and
double-click the file to perform the check.


You can run the ssl certificate alarm-threshold early-alarm <time> command in the system
view to set the time threshold for the CRL file. The default time threshold is 90 days.
If you need to use the CRL file, update it periodically to prevent the device from reporting
alarms due to expiration.
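
The two checks described in this section (whether the CRL is empty, and when it was last and will next be updated) can also be scripted before the file is loaded to the device. The following is an added example, not part of the Huawei guide: a standard-library Python reader for DER or PEM CRL files. The sample CRL, its issuer name "Example CA" and its dates are constructed, the signature is not verified, and comparing the 90-day threshold with the time elapsed since thisUpdate is an assumption based on the wording above.

```python
import base64
from datetime import datetime, timezone

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each element directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner

def parse_time(tag, value):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) in the 'Z' form CRLs use."""
    text = value.decode("ascii")
    if tag == 0x17:  # two-digit year: 00-49 means 20xx, 50-99 means 19xx
        text = ("20" if int(text[:2]) < 50 else "19") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def to_der(data):
    """Accept DER or PEM bytes and return DER."""
    if data.lstrip().startswith(b"-----BEGIN"):
        lines = [line.strip() for line in data.splitlines()]
        return base64.b64decode(b"".join(l for l in lines if l and not l.startswith(b"-----")))
    return data

def inspect_crl(data, now, threshold_days=90):
    """Report whether a CRL is empty and how old it is. The signature is NOT verified."""
    tag, cert_list, _ = read_tlv(to_der(data), 0)
    tbs_tag, tbs, _ = read_tlv(cert_list, 0)  # tbsCertList
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER-encoded CRL")
    fields = list(children(tbs))
    i = 1 if fields and fields[0][0] == 0x02 else 0  # optional version INTEGER
    i += 2  # skip the signature algorithm and the issuer name
    if i >= len(fields):
        raise ValueError("tbsCertList is too short")
    this_update = parse_time(*fields[i])
    i += 1
    next_update = None
    if i < len(fields) and fields[i][0] in (0x17, 0x18):  # nextUpdate is OPTIONAL
        next_update = parse_time(*fields[i])
        i += 1
    revoked = 0
    if i < len(fields) and fields[i][0] == 0x30:  # revokedCertificates is OPTIONAL
        revoked = sum(1 for _ in children(fields[i][1]))
    age_days = (now - this_update).days
    return {
        "is_empty": revoked == 0,
        "revoked_count": revoked,
        "this_update": this_update,
        "next_update": next_update,
        "age_days": age_days,
        # Assumption: the threshold is compared with the time elapsed since thisUpdate.
        "stale": age_days > threshold_days,
        "past_next_update": next_update is not None and now > next_update,
    }

def tlv(tag, content=b""):
    """Encode one DER element; used only to build the constructed sample below."""
    size = len(content)
    if size < 0x80:
        head = bytes([size])
    else:
        width = (size.bit_length() + 7) // 8
        head = bytes([0x80 | width]) + size.to_bytes(width, "big")
    return bytes([tag]) + head + content

def build_sample_crl(revoked_serials):
    """Constructed sample CRL for 'Example CA' with dummy signature bytes."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05))
    common_name = tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, b"Example CA")
    issuer = tlv(0x30, tlv(0x31, tlv(0x30, common_name)))
    tbs = tlv(0x02, b"\x01") + alg + issuer
    tbs += tlv(0x17, b"220901000000Z") + tlv(0x17, b"221001000000Z")
    if revoked_serials:  # serials must be below 0x80 in this one-byte sample encoding
        entries = b"".join(
            tlv(0x30, tlv(0x02, bytes([serial])) + tlv(0x17, b"220815000000Z"))
            for serial in revoked_serials
        )
        tbs += tlv(0x30, entries)
    return tlv(0x30, tlv(0x30, tbs) + alg + tlv(0x03, b"\x00" + b"\xaa" * 16))
```

For a real file, pass its bytes and the current UTC time, for example inspect_crl(open(path, "rb").read(), datetime.now(timezone.utc)); a result with is_empty set to true corresponds to the case in which the device refuses to load the file.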


1.7.6 Enabling Association Between First Login Through a Console Port and First Login Through a Management Network Port

1. Run the user-security-policy first-login-linkage enable command in the system view.
This configuration cannot be manually delivered and can only be preset in the factory
configuration file.
2. After the command is executed, if the password authentication mode and login password
are not configured on the console port where the user-interface console 0 command is
run, the user cannot log in to the device through the console port by setting the password
upon the first login.


2 Upgrade Process Overview

This chapter describes the process for upgrading an earlier version to the target version and
lists the estimated time required for each procedure.


Figure 2-1 Upgrade flowchart

Table 2-1 Upgrade schedule

| Procedure | Recommended Start Time | Time Required (Minutes) |
|---|---|---|
| 3 Preparing for the Upgrade | Work hours (8:30 to 18:00) | Approximately 30 minutes |
| 4.1 Creating an Upgrade Task | Work hours (8:30 to 18:00) | Approximately 20 minutes |
| 4.2 Executing the Upgrade Task | Work hours for operations such as pre-check, configuration saving, data backup, and target system software loading; off-peak hours for activating the target system software | Approximately 30 to 40 minutes for each device, depending on device configurations (service and board quantities). NOTE: The time required to replace boards is excluded. |
| 4.3 Checking the Upgrade Result | Off-peak hours (01:00 to 05:00) | Approximately 30 minutes |


3 Preparing for the Upgrade

3.1 Pre-upgrade Checklist

3.1 Pre-upgrade Checklist


Before beginning the upgrade, check your preparations against the checklist shown in Table
3-1 and fill in the check results.

Table 3-1 Pre-upgrade checklist

| No. | Check Item | Expected Result | Check Result |
|---|---|---|---|
| 1 | 3.1.1 Formulating an Upgrade Plan | Formulate a detailed upgrade plan based on upgrade risks and the number of NEs to be upgraded. The service interruption time during the upgrade is specified in the upgrade plan. | |
| 2 | 3.1.2 Preparing Spare Parts | Spare parts for at least one device and network cables are available at the site. | |
| 3 | 3.1.3 Backing Up NE Data | The data of NEs whose data needs to be backed up has been backed up. | |
| 4 | 3.1.4 Using the OpenPGP Tool to Verify Integrity of a File | Before a software package is used in installation or upgrade, its digital signature also needs to be verified according to the OpenPGP Signature Verification Guide to ensure that the software package is not tampered with. | |
| 5 | 3.1.5 Obtaining the Target System Software | The target system software (.cc file) and reference documents have been obtained from Huawei technical support or the support website. | |
| 6 | 3.1.6 Checking Whether iMaster NCE-IP Needs to Be Upgraded | The iMaster NCE-IP version is correct. | |
| 7 | 3.1.7 Checking NE Software Versions | The NE software versions are the expected source versions. | |

3.1.1 Formulating an Upgrade Plan


Formulate a detailed upgrade plan based on upgrade risks and the number of NEs to be
upgraded and specify the service interruption time in the upgrade plan.

3.1.2 Preparing Spare Parts


Prepare spare parts for at least one device and network cables at the site.

3.1.3 Backing Up NE Data


Before the upgrade, check whether the data of NEs to be upgraded needs to be backed up. If
the data of some NEs needs to be backed up, back it up.

3.1.4 Using the OpenPGP Tool to Verify Integrity of a File


To prevent a software package from being maliciously tampered with during transmission or
storage, download the corresponding digital signature file for integrity verification when
downloading the software package.
After the software package is downloaded, verify its PGP digital signature according to the
OpenPGP Signature Verification Guide. If the software package fails the verification, do not
use the software package, and contact Huawei technical support engineers.
Before a software package is used in installation or upgrade, its digital signature also needs to
be verified according to the OpenPGP Signature Verification Guide to ensure that the software
package is not tampered with.
Visit either of the following websites to obtain the OpenPGP Signature Verification Guide:
• Carrier customers: https://support.huawei.com/carrier/digitalSignatureAction
• Enterprise customers:
https://support.huawei.com/enterprise/en/tool/pgp-verify-TL1000000054

3.1.5 Obtaining the Target System Software


Contact Huawei technical support or log in to the support website to obtain the target system
software and reference documents.
The procedure for obtaining the target system software and reference documents from the
support website is as follows:


Step 1 Log in to https://support.huawei.com as a carrier user or
https://support.huawei.com/enterprise as an enterprise user.
If you visit the website for the first time, go to Step 2 for registration. If you are already a
registered user, go to Step 3.
Step 2 Click Register and complete the registration process as prompted. If the registration succeeds,
you will receive your username and password. Keep your password secure.
Step 3 Enter the username, password, and verification code. Then click Login.
Step 4 Carrier user: Choose Support from the main menu. On the page that is displayed, click the
Software tab and then click Network. On the page that is displayed, choose Data
Communication > Service Router from the navigation pane. Select the desired device model
and download the system software (.cc file). Then choose Support from the main menu. On
the Product Support tab page, click Data Communication. On the page that is displayed,
choose Service Router from the navigation pane. Select the desired device model and
download the reference documents.
Enterprise user: Choose TECHNICAL SUPPORT > Product Support > Enterprise
Network > Routers from the main menu. On the page that is displayed, select the desired
device model and download the system software (.cc file) and reference documents.
----End

3.1.6 Checking Whether iMaster NCE-IP Needs to Be Upgraded


Check whether the iMaster NCE-IP version is correct. If an upgrade is needed, contact
Huawei technical support or log in to the support website to obtain the target iMaster NCE-IP
software.

3.1.7 Checking NE Software Versions


Perform the following steps to check NE software versions.

Procedure
Step 1 Open the Network Management app and choose Maintenance > NE Software Management >
NE Data Backup/Restoration from the main menu.


Step 2 On the NE View tab page, select one or more NEs and click Update Version.

Step 3 After the version information is updated, click Close.

Step 4 In the Version column, check whether the current NE software version is the same as the
source version.
Step 5 (Optional) Back up the NE data of the current version. If you have backed up NE data earlier,
skip this step.
----End


Operation Result
If the operation is successful, the updated version information is displayed on the NE View
tab page and the NE Type area.

Troubleshooting
If the operation fails, the Update Version dialog box displays the cause in the Operation
Result column. Rectify the fault based on the displayed failure cause. The failure cause may
contain a hyperlink that you can click for more detailed information.


4 Upgrade Process

4.1 Creating an Upgrade Task


4.2 Executing the Upgrade Task
4.3 Checking the Upgrade Result

4.1 Creating an Upgrade Task


Procedure
Step 1 Import the target system software to the NE software library of iMaster NCE-IP.
1. Open the Network Management app and choose Maintenance > NE Software
Management > NE Software Library Management from the main menu.


2. Right-click on the NE Software Library Management page and choose Import from
the shortcut menu.

3. In the Import dialog box, choose NE Series > NE40E(V8) > NE40E-M2K from the
NE Type area and click on the right of Path.


4. Specify the storage path of the target system software, upload the software, and enter
descriptive text in the Description text box.

5. Click OK to import the target system software to the NE software library on iMaster
NCE-IP.
6. (Optional) On the NE Software Management Library page, you can also import patch
packages, PAF files, and License files. To import a Patch Package, set File Type to
Patch Package.


Set Path to the storage path of the patch package, set Version and Description, and click
OK.

The method of importing a PAF file or License file is the same as that of importing a
patch package.
Step 2 Choose Maintenance > NE Software Management > NE Upgrade Task Management
from the main menu.


Step 3 Right-click in the Task View area and choose New Task > Software Upgrade/Downgrade
Task from the shortcut menu.

Step 4 Configure basic information about the upgrade task.


1. In the Create Task [Software Upgrade] dialog box, configure task information,
including Task Type, Task Name, NE Type, and NE Version. After setting NE Type,
you can use NE Version as a filter criterion to display desired NEs.
2. Select desired NEs in the NE Tree area. These NEs will then be displayed in the NE
Table area.

Devices of different types cannot be upgraded at the same time.


3. Click Next.


You need to obtain the version information. If the version information has not been obtained,
perform the operation described in Step 2 in section 3.1.7 Checking NE Software Versions.

Step 5 Select upgrade operations.


1. Set Target Version.
Before setting the target version, check whether the target system software has been
imported. If not, import the target system software according to Step 1.
Select the target version from the Target Version drop-down list.


2. In the Confirm dialog box, click Yes after confirming that the selected software version
is correct.

3. In the Select Software dialog box, check whether the path, name, and type of the
selected file are correct. If not, delete the file from the right pane and select the file again
in the specified directory in the left pane.

(Optional) Import the patch package and PAF file. Select the desired files on the left and
click to move the files to the right.


(Optional) Import the configuration file and license file. Click Select File. In the dialog
box that is displayed, select the desired file on the left, click to move the file to the
right, and click OK.

4. Click Check NE(s) Memory to check whether the available space of the CF card on the
NE is sufficient.
a. If Memory Status is No Need to Clear for the NE, click Close. Then proceed to
Step 1


b. If Memory Status is Need to Clear for the NE, click Need to Clear.

c. Select unneeded files, move them to the right pane, and click Delete.


Exercise caution when deleting files. Ensure that these files will not be used later.
d. In the High Risk dialog box, confirm that the files to be deleted are correct, select
the check box, and click Yes.

e. Check that the files are deleted successfully. Then click Close.


f. Click Close to close the Select NE File(s) dialog box. Then, click Close to close the
Memory Status for NE(s) dialog box.
g. Click Check NE(s) Memory again to check the memory space status. If the
memory space is still insufficient, continue to delete unnecessary files.
h. Click OK.

i. If Configure Operation changes to Select Software to Load for Load Software, as shown
in the following figure, the loading is successful.


5. (Optional) Set the start time of the upgrade task.


In the Operation Configuration [Software Upgrade] dialog box, set Start Time to
specify the time when iMaster NCE-IP automatically starts the upgrade task.

6. (Optional) Click Configure Activation. In the Configure Activation dialog box, set
Activation Type and other information according to the upgrade plan.


7. (Optional) Configure the upgrade procedure.

• You can select Pause Before Current Operation for each operation (except Precheck) to delay the
operation as required. If you want each upgrade operation to be performed immediately after the
previous operation is completed, leave Pause Before Current Operation unselected. It is
recommended that you select Pause Before Current Operation for the Activate operation.
• If the upgrade time is tight at night, you can load, save, and back up files during the daytime, select
Pause Before Current Operation for the Activate operation, and continue the upgrade task at
night.

| Operation | Mandatory | Description |
|---|---|---|
| Precheck | Optional | Perform a check before the upgrade. This operation is performed by default. |
| Load Software | Mandatory | Load the target NE software. Note that the file is suffixed with .cc. |
| Save | Mandatory | Save the current NE configurations. |
| Backup | Optional | Back up the current NE data before the upgrade task is performed. Using the default configuration is recommended. |
| Prepare Upgrade | Optional | Prepare for the upgrade by setting Startup Configuration Type to Startup the loaded file(s). Using the default configuration is recommended. |
| Activate | Mandatory | Activate the target NE software. Activation Type can be Reboot, No Service Interruption, Delay Boot, or Scheduled Boot. Reboot means to perform activation immediately, Delay Boot means to perform activation after the specified delay time, and Scheduled Boot means to perform activation at the scheduled time. NOTE: In-service software upgrade (ISSU) is not supported. It is recommended that you set Activation Type to Delay Boot during the upgrade to ensure that all NEs can be upgraded successfully. If you want to use another activation type, contact Huawei technical support. |
| Post Upgrade | Optional | Perform post-upgrade processing. Currently, you can select Activate GTL license. If you do not need to load the GTL file after the upgrade, do not select Activate GTL license. |

8. Click Next.
Step 6 Confirm upgrade task information.
Step 7 Click OK.

----End

Operation Result
After the upgrade task is created, it is displayed on the NE Upgrade Task Management
page.

The procedure for creating a batch upgrade task is the same as that for creating a common upgrade task,
as shown in the following figure.


After the batch upgrade task is created, the result is as follows.

Follow-up Procedure
After the upgrade task is created, start the task manually if the start time is not specified
during task creation.

4.2 Executing the Upgrade Task


Procedure
Step 1 Open the Network Management app and choose Maintenance > NE Software Management >
NE Upgrade Task Management from the main menu.
Step 2 On the NE Upgrade Task Management page, right-click the upgrade task and choose Start
Task from the shortcut menu.
Step 3 If the operation status of the upgrade task is Stop, the Operation Result column displays
Operation suspended, indicating that the upgrade task is stopped temporarily. Determine
whether it is appropriate to resume the upgrade task. If yes, right-click the upgrade task and
choose Continue Task from the shortcut menu.
Step 4 In the upgrade task list, select the upgrade task or NE to be upgraded. On the lower part of the
page, select each upgrade step to learn the execution status of the upgrade task.


Status icons (images not reproduced), in order: Execution completed, Being executed, To be
executed, Paused, Execution failure.

----End

Operation Result
If Operation Status is Succeeded after the upgrade task is executed, the upgrade task is
complete. If Operation Status is Failed, check the failure cause by clicking the hyperlink in
the Operation Status column. Then re-create the upgrade task and perform the upgrade
again.

4.3 Checking the Upgrade Result


After an upgrade task is executed, check whether the upgrade is successful.

Procedure
Step 1 Check the post-upgrade inspection report.
1. On the NE Upgrade Task Management tab page, click on the left of the upgrade
task and select one or more NEs.

2. After the status of the Postcheck operation is displayed as , learn the execution
status of each check item.
Step 2 Check the upgrade report.
1. Select the upgrade task and click Generate Report. Wait 1 to 3 minutes until the report
is generated.
2. In the report, view the alarms generated before and after the upgrade. The alarm data
highlighted in red indicates that the alarms are generated before the upgrade, and the
alarm data highlighted in blue indicates that the alarms are generated after the upgrade.
----End


5 Post-upgrade Check

5.1 Post-upgrade Checklist

5.1 Post-upgrade Checklist


After the upgrade, view the post-upgrade check report to determine whether abnormalities
have occurred.
Table 5-1 lists the check items in the report.

Table 5-1 Post-upgrade check items


Check Item              Purpose
NE alarms               Check that no new alarms are generated during the upgrade.
NE status               Check that the status of upgraded NEs is normal during and after the upgrade.
NE services             Check that service information remains unchanged after the upgrade. This item includes many sub-items and you need to read the report carefully.
Current configurations  Check that NE configurations are consistent before and after the upgrade.

To double-check whether services on the network are normal after the upgrade, perform the
following steps:
Step 1 Use iMaster NCE-IP to check whether new fault alarms are generated on NEs.
Step 2 Use iMaster NCE-IP to check whether services are normal based on the service topology and
other information.
----End

6 Configuring the Default Configuration File

To resolve the differences between versions caused by the security hardening of the default
behavior, the function of loading the default configuration file defcfg is provided. You can
save the login user information required for DCN plug-and-play and the default
configurations required by other customers to the defcfg file and load the file to the
device. Activate the pre-configuration file after the upgrade.

Before running the reset saved-configuration command or pressing the reset button to clear
configurations, you are advised to check whether the .defcfg file is configured as required.

Procedure
Step 1 Run the display ha component running-state | include CFG9 command to check the ID of
the process where the CFG component resides. The value in the Process column is the ID of
the process where the CFG component resides.
<HUAWEI> system-view
[~HUAWEI] diagnose
[~HUAWEI-diagnose] display ha component running-state | include CFG9
Info: It will take a long time if the content you search is too much or the string you
input is too long, you can press CTRL_C to break.
--------------------------------------------------------------------------------
NAME   CID          PID        Type   Version   Board   Process   State
--------------------------------------------------------------------------------
CFG9   0x80CB000C   0xCB0009   0xCB   1.2.103   17      3         PRIMARY
--------------------------------------------------------------------------------

Step 2 Run the display cmf-info file debug-info process locationId command to check whether the
device has a default configuration file.
In the preceding command, locationId indicates the ID of the process where the CFG
component resides. An example is as follows:
<HUAWEI> system-view
[~HUAWEI] diagnose
[~HUAWEI-diagnose] display cmf-info file debug-info process 3

Startup default-configuration file summary info :


Setting state : true
File size : 8751

If the value of Setting state is true, the device has a default configuration file.
If no command output is displayed, the device does not have a default configuration file. In
this case, perform step 3 to set a default configuration file.
Step 3 Set the .defcfg file.
1. Create a configuration file with the file name extension .defcfg.
2. The following is an example of the content of the .defcfg file:
!Router function begin
#
undo crypto weak-algorithm disable
#
aaa
local-user root password irreversible-cipher $1c$]f(3Q<j7uS$!0!)8@e`\+lj]vQx\2l&y-$M(|\n_ERFU_BF$!6X$
local-user root service-type ssh
local-user root user-group manage-ug
local-user root expire 2000-01-01
user-password password-force-change disable
#
snmp-agent protocol source all-interface
#
stelnet server enable
snetconf server enable
ssh user root
ssh user root authentication-type password
ssh user root service-type stelnet snetconf
ssh server-source all-interface
ssh ipv6 server-source all-interface
#
ssh server key-exchange dh_group_exchange_sha256 dh_group_exchange_sha1 dh_group14_sha1 ecdh_sha2_nistp256 ecdh_sha2_nistp384 ecdh_sha2_nistp521
#
ssh server publickey ecc rsa rsa_sha2_256 rsa_sha2_512
#
ssh client key-exchange dh_group_exchange_sha256 dh_group_exchange_sha1 dh_group14_sha1 ecdh_sha2_nistp256 ecdh_sha2_nistp384 ecdh_sha2_nistp521
#
ssh client publickey ecc rsa rsa_sha2_256 rsa_sha2_512
#
return
!Router function end

!Transport function begin


#
undo crypto weak-algorithm disable
#
aaa
local-user root password irreversible-cipher $1c$]f(3Q<j7uS$!0!)8@e`\+lj]vQx\2l&y-$M(|\n_ERFU_BF$!6X$
local-user root service-type ssh mml

local-user root user-group manage-ug


local-user root expire 2000-01-01
user-password password-force-change disable
#
snmp-agent protocol source all-interface
#
stelnet server enable
snetconf server enable
ssh user root
ssh user root authentication-type password
ssh user root service-type stelnet snetconf
ssh server-source all-interface
ssh ipv6 server-source all-interface
#
ssh server key-exchange dh_group_exchange_sha256 dh_group_exchange_sha1 dh_group14_sha1 ecdh_sha2_nistp256 ecdh_sha2_nistp384 ecdh_sha2_nistp521
#
ssh server publickey ecc rsa rsa_sha2_256 rsa_sha2_512
#
ssh client key-exchange dh_group_exchange_sha256 dh_group_exchange_sha1 dh_group14_sha1 ecdh_sha2_nistp256 ecdh_sha2_nistp384 ecdh_sha2_nistp521
#
ssh client publickey ecc rsa rsa_sha2_256 rsa_sha2_512
#
undo dcn security-mode enable
#
undo dtls policy qx_dtls_client
#
return
!Transport function end
The default configurations of the router mode and transport mode can be combined in a
defcfg file. The following keywords are used to distinguish the default configurations:
!Router function begin
Custom configuration in router mode
!Router function end

!Transport function begin


Custom configuration in PTN mode
!Transport function end

- The ssh server-source all-interface and snmp-agent protocol source-status all-interface
commands listen on 0.0.0.0, which increases system security risks. Therefore, you are not advised to
run either of the two commands.
- The password in the file can be a customized simple password. To improve security, it is
recommended that a password include two or more types of characters, including upper-case letters,
lower-case letters, digits, and special characters.
3. Transfer the file to the device.
4. Run the startup default-configuration configuration-file command in the user view to
set the file as the default configuration file.
5. Run the reset saved-configuration command to clear the current configuration file. The
configuration takes effect after the device is restarted.
----End
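
A reviewer-side check to run on a .defcfg before it is set as the default configuration file, as an added example (not Huawei tooling and not part of the guide): it walks the Router/Transport sections and flags the all-interface listeners the note above advises against, plus other lines that relax hardened defaults. The function name audit_defcfg, the shortened sample file and every rule other than the all-interface one are assumptions of this example.

```python
import re

# Constructed sample: a shortened .defcfg built from the markers and commands shown in the guide.
SAMPLE_DEFCFG = """\
!Router function begin
undo crypto weak-algorithm disable
aaa
user-password password-force-change disable
snmp-agent protocol source all-interface
ssh server-source all-interface
ssh server key-exchange dh_group_exchange_sha256 dh_group14_sha1
return
!Router function end
!Transport function begin
ssh server key-exchange dh_group_exchange_sha256 ecdh_sha2_nistp256
undo dcn security-mode enable
return
!Transport function end
"""

# (pattern, finding). Only the all-interface rule comes from the guide's note;
# the other rules are this example's assumptions about what a reviewer should question.
RULES = [
    (r"^(ssh( ipv6)? server-source|snmp-agent protocol source(-status)?) all-interface$",
     "listens on all interfaces (guide advises against)"),
    (r"^undo crypto weak-algorithm disable$", "re-enables weak crypto algorithms"),
    (r"^ssh (server|client) key-exchange .*sha1\b", "offers SHA-1 key exchange"),
    (r"^user-password password-force-change disable$", "no forced change of default password"),
    (r"^undo dcn security-mode enable$", "DCN security mode turned off"),
]
MARKER = re.compile(r"^!(Router|Transport) function (begin|end)$")

def audit_defcfg(text):
    """Return (section, line_no, command, finding) for each flagged line of a .defcfg."""
    findings, section = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = MARKER.match(line)
        if m:  # track which mode's block the following commands belong to
            section = m.group(1) if m.group(2) == "begin" else None
            continue
        for pattern, finding in RULES:
            if re.search(pattern, line):
                findings.append((section or "unscoped", no, line, finding))
    return findings

if __name__ == "__main__":
    for f in audit_defcfg(SAMPLE_DEFCFG):
        print("%-9s line %2d: %s -> %s" % f)
```

Each flagged line is a prompt to confirm that the setting is required for the deployment (for example DCN plug-and-play) rather than copied from the sample unchanged.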

7 Rolling Back to the Source Version

An NE40E-M2K can be rolled back to the source version using a software downgrade task.

Procedure
The procedure for creating a software downgrade task is similar to that for creating a software
upgrade task. The difference lies in that Task Type is Downgrade for a software downgrade
task. For details, see section "4.1 Creating an Upgrade Task".

Success Criteria
- The device version is the source version.
- The device runs properly, and all services are normal.

Troubleshooting
None

8 Installing the IKEv1 MOD Steps

Step 1 (Optional) To use the IKEv1 function, load the MOD file for the upgrade. Log in to
https://support.huawei.com, apply for the system software package, download the MOD file
with the system software package, and copy the MOD file to the root directory on CF cards or
FLASH.

- Before upgrading the device to V800R022C00SPC600, upload MOD to the $_install_mod directory
of the CF cards or FLASH and specify the MOD file to be loaded for the next startup.
- In a dual-system scenario, load the MOD file on the backup device first. If the IKEv1 MOD file is
not loaded on the backup device, the device cannot receive IKEv1 backup data.
- If the MOD file is not installed, the IKEv1 function is unavailable and related commands cannot be
run.

For an upgrade to V800R022C00SPC600, pay attention to steps 1 to 3.


1. Log in to https://support.huawei.com, download the
V800R022C00SPC600_IKE_V1.X.MOD file with the software package, and copy the
file to the $_install_mod directory on CF cards or FLASH.
2. Specify the MOD file to be loaded for the next startup.
For an upgrade to V800R022C00SPC600, pay attention to steps 1 to 4.
1. Log in to https://support.huawei.com, download the MOD file with the software package,
and copy the file to the $_install_mod directory on CF cards or FLASH. This example uses
V800R022C00SPC600_IKE_V1.X.MOD.
2. Specify the MOD file to be loaded for the next startup.
<HUAWEI> install-module V800R022C00SPC600_IKE_V1.X.MOD next-startup
Info: Operating, please wait for a moment...
Info: Use ike v1 enable to start ike v1 after reboot.
.done.
Info: Succeeded in setting startup the module.
3. Restart the device. If the new configuration file is used to start the device, the
configuration does not need to be saved.
<HUAWEI> reboot
MPU 11:
Next startup system software: cfcard:/XXX_V800R022C00SPC600.cc
Next startup saved-configuration file: cfcard:/vrpcfg.zip
Next startup paf file: default
Next startup patch package: NULL

The configuration information of any other MPU is the same as that of MPU 11.
System will reboot! Continue? [Y/N]:y
4. Run the system-view command to enter the system view. Run the ike v1 enable
command to enable IKEv1 and save the configuration.
<HUAWEI> system-view
[~HUAWEI] ike v1 enable
[*HUAWEI] commit
[~HUAWEI] quit

Save the configuration.


<HUAWEI> save
Warning: The current configuration will be written to the device.
Are you sure to continue? [Y/N]:y
Now saving the current configuration to the slot 3 ............
Info: Save the configuration successfully.
5. If the device does not have the MOD file loaded or IKEv1 is not enabled, an alarm
indicating that IKEv1 is not supported is generated after the device receives IKEv1
negotiation packets.
<HUAWEI> display alarm all
--------------------------------------------------------------------------------
Index Level Date Time Info
--------------------------------------------------------------------------------
1 Critical 2020-10-15 22:49:16.806 The local device does not support IKE V1 service. [OID:1.3.6.1.4.1.2011.5.25.224.5.9]
--------------------------------------------------------------------------------
6. (Optional) Uninstall the IKE MOD file.
a. To uninstall the IKE MOD file, you need to run the undo ike v1 enable command to disable
IKEv1. If IKEv1 is configured, delete the configuration first:
<HUAWEI>system-view
[~HUAWEI]undo ike v1 enable
Error: You can not disable IKE v1 without delete V1 in ike peer config
Check IKEv1 peer information.
[~HUAWEI] display ike peer brief | include v1
Info: It will take a long time if the content you search is too much or the
string you input is too long, you can press CTRL_C to break.
current ike peer number: 512
---------------------------------------------------------------------
Peer Name Version Exchange-mode Proposal Id-type RemoteAddr
---------------------------------------------------------------------
todta9 v1 main 100 ip 23.0.0.9
Run the system-view command to enter the system view. Then run the ike peer
todta9 command to enter the IKE peer view, and delete the current configuration.
<HUAWEI> system-view
[~HUAWEI] ike peer todta9
[*HUAWEI-ike-peer-todta9] undo version v1
[*HUAWEI-ike-peer-todta9] commit
[~HUAWEI-ike-peer-todta9] quit

Repeat the preceding steps to delete all IKEv1 configurations, and then continue the
uninstallation process.
b. Run the system-view command to enter the system view, run the undo ike v1
enable command to disable IKEv1, and save the configuration.
[~HUAWEI] undo ike v1 enable
[*HUAWEI] commit
After IKEv1 is disabled, wait for 240 seconds to ensure that all resources are
released. An attempt made within 240s to uninstall the file fails, and the system
displays a message indicating that the uninstallation cannot be performed.
c. Run the uninstall-module V800R022C00SPC600_IKE_V1.X.MOD command to
uninstall the MOD file.
<HUAWEI> uninstall-module V800R022C00SPC600_IKE_V1.X.MOD
This will uninstall the module. Are you sure? [Y/N]:y
Info: Operating, please wait for a moment...
Info: uninstalling V800R022C00SPC600_IKE_V1.X.MOD
.........done.
Info: Succeeded in uninstalling the module.

- Before uninstalling the IKEv1 MOD file, you need to disable IKEv1 and wait for 240 seconds.
- Before disabling IKEv1, you must delete IKE configurations. Otherwise, an error message is
displayed.

----End
