3Com Corporation reserves the right to revise this documentation and to make changes in content from time to
time without obligation on the part of 3Com Corporation to provide notification of such revision or change.
3Com Corporation provides this documentation without warranty, term, or condition of any kind, either implied
or expressed, including, but not limited to, the implied warranties, terms or conditions of merchantability,
satisfactory quality, and fitness for a particular purpose. 3Com may make improvements or changes in the
product(s) and/or the program(s) described in this documentation at any time.
If there is any software on removable media described in this documentation, it is furnished under a license
agreement included with the product as a separate document, in the hard copy documentation, or on the
removable media in a directory file named LICENSE.TXT or !LICENSE.TXT. If you are unable to locate a copy,
please contact 3Com and a copy will be provided to you.
UNITED STATES GOVERNMENT LEGEND
If you are a United States government agency, then this documentation and the software described herein are
provided to you subject to the following:
All technical data and computer software are commercial in nature and developed solely at private expense.
Software is delivered as “Commercial Computer Software” as defined in DFARS 252.227-7014 (June 1995) or
as a “commercial item” as defined in FAR 2.101(a) and as such is provided with only such rights as are
provided in 3Com’s standard commercial license for the Software. Technical data is provided with limited rights
only as provided in DFAR 252.227-7015 (Nov 1995) or FAR 52.227-14 (June 1987), whichever is applicable.
You agree not to remove or deface any portion of any legend provided on any licensed program or
documentation contained in, or delivered to you in conjunction with, this User Guide.
Unless otherwise indicated, 3Com registered trademarks are registered in the United States and may or may
not be registered in other countries.
3Com and the 3Com logo are registered trademarks of 3Com Corporation.
All other company and product names may be trademarks of the respective companies with which they are
associated.
ENVIRONMENTAL STATEMENT
It is the policy of 3Com Corporation to be environmentally-friendly in all operations. To uphold our policy, we
are committed to:
Establishing environmental performance standards that comply with national legislation and regulations.
Conserving energy, materials and natural resources in all operations.
Reducing the waste generated by all operations.
Ensuring that all waste conforms to recognized environmental standards.
Maximizing the recyclable and reusable content of all products.
Ensuring that all products can be recycled, reused and disposed of safely.
Ensuring that all products are labelled according to recognized environmental standards.
Improving our environmental record on a continual basis.
End of Life Statement
3Com processes allow for the recovery, reclamation and safe disposal of all end-of-life electronic components.
Regulated Materials Statement
3Com products do not contain any hazardous or ozone-depleting material.
Environmental Statement about the Documentation
The documentation for this product is printed on paper that comes from sustainable, managed forests; it is fully
biodegradable and recyclable, and is completely chlorine-free. The varnish is environmentally-friendly, and the
inks are vegetable-based with a low heavy-metal content.
About This Manual

Organization

The 3Com WX3000 Series Unified Switches consist of three models: the WX3024, the WX3010 and the
WX3008. The 3Com WX3000 Series Unified Switches Switching Engine Operation Manual is organized as
follows:

Part  Contents
1  CLI: Introduces the command hierarchy, command views and CLI features of the WX3000 Series Unified Switches Switching Engine.
2  Login: Introduces the ways to log into a WX3000 Series Unified Switches Switching Engine.
3  Configuration File Management: Introduces the configuration file and the related configuration.
4  VLAN: Introduces VLAN- and Voice VLAN-related configuration.
5  Auto Detect: Introduces auto detect and the related configuration.
6  Voice VLAN: Introduces voice VLAN and the related configuration.
7  GVRP: Introduces GVRP and the related configuration.
8  Basic Port Configuration: Introduces basic port configuration.
9  Link Aggregation: Introduces link aggregation and the related configuration.
10  Port Isolation: Introduces port isolation and the related configuration.
11  Port Security-Port Binding: Introduces port security, port binding, and the related configuration.
12  DLDP: Introduces DLDP and the related configuration.
13  MAC Address Table Management: Introduces MAC address forwarding table management.
14  MSTP: Introduces STP and the related configuration.
15  802.1x and System Guard: Introduces 802.1x and the related configuration.
16  AAA: Introduces AAA, RADIUS, HWTACACS, EAD, and the related configurations.
17  MAC Address Authentication: Introduces centralized MAC address authentication and the related configuration.
18  IP Address and Performance: Introduces IP address and IP performance related configuration.
19  DHCP: Introduces DHCP-Snooping, DHCP Client and the related configuration.
20  ACL: Introduces ACL and the related configuration.
21  QoS-QoS Profile: Introduces QoS and the related configuration.
22  Mirroring: Introduces mirroring and the related configuration.
23  ARP: Introduces ARP and the related configuration.
24  SNMP-RMON: Introduces the configuration for network management through SNMP and RMON.
25  Multicast: Introduces IGMP snooping and the related configuration.
26  NTP: Introduces NTP and the related configuration.
27  SSH: Introduces SSH2.0 and the related configuration.
28  File System Management: Introduces basic configuration for file system management.
29  FTP-SFTP-TFTP: Introduces basic configuration for FTP, SFTP and TFTP, and the applications.
30  Information Center: Introduces information center configuration.
31  System Maintenance and Debugging: Introduces daily system maintenance and debugging.
32  VLAN-VPN: Introduces VLAN VPN and the related configuration.
33  HWPing: Introduces HWPing and the related configuration.
34  DNS: Introduces DNS and the related configuration.
35  Smart Link-Monitor Link: Introduces Smart Link, Monitor Link and the related configuration.
36  PoE-PoE Profile: Introduces PoE, PoE profile and the related configuration.
37  Routing Protocol: Introduces the static route, RIP, and IP route policy configurations.
38  UDP Helper: Introduces UDP Helper and the related configuration.
39  Appendix: Lists the acronyms used in this manual.

Conventions

The manual uses the following conventions:

Command conventions

Convention  Description
Boldface: The keywords of a command line are in Boldface.
italic: Command arguments are in italic.
[ ]: Items (keywords or arguments) in square brackets [ ] are optional.
{ x | y | ... }: Alternative items are grouped in braces and separated by vertical bars. One is selected.
[ x | y | ... ]: Optional alternative items are grouped in square brackets and separated by vertical bars. One or none is selected.
{ x | y | ... } *: Alternative items are grouped in braces and separated by vertical bars. A minimum of one or a maximum of all can be selected.
[ x | y | ... ] *: Optional alternative items are grouped in square brackets and separated by vertical bars. Many or none can be selected.
&<1-n>: The argument(s) before the ampersand (&) sign can be entered 1 to n times.
#: A line starting with the # sign is a comment.
GUI conventions

Convention  Description
Boldface: Window names, button names, field names, and menu items are in Boldface. For example, the New User window appears; click OK.
>: Multi-level menus are separated by angle brackets. For example, File > Create > Folder.

Symbols

Symbol  Description
(warning symbol): Means the reader must be extremely careful. Improper operation may cause bodily injury.
(caution symbol): Means the reader must be careful. Improper operation may cause data loss or damage to equipment.
(note symbol): Means a complementary description.

Related Documentation

In addition to this manual, each 3Com WX3000 Series Unified Switches Switching Engine
documentation set includes the following:

Manual  Description
3Com WX3000 Series Unified Switches Installation Manual: Introduces the installation process, startup, hardware and software maintenance of WX3000 Series unified switches.
3Com WX3000 Series Unified Switches Switching Engine Command Manual: Elaborates on the operation commands for WX3000 series unified switches switching engines. It covers the operation commands for CLI, login, VLAN, GVRP, basic port configurations, MAC address table management, MSTP, 802.1x, AAA, ACL, QoS, SNMP, RMON, NTP, and SSH.
3Com WX3000 Series Unified Switches User Manual: Provides a guide to the operation of WX3000 series unified switches access controller engines. It covers configurations of CLI, VLAN, system maintenance and debugging, WLAN, IPv4, IPv6, port basic configurations, multicast protocols, 802.1x, AAA, SSH, ACL, QoS, description of the acronyms used throughout the manual, and a command index.
3Com WX3000 Series Unified Switches Web-Based Configuration Manual: Introduces the Web-based functions of the access control engine of WX3000 series unified switches access controller engines.

Obtaining Documentation

You can access the most up-to-date 3Com product documentation on the World Wide Web at this URL:
http://www.3com.com.
Introduction to the CLI·····························································································································1-1
Command Hierarchy·······························································································································1-1
Switching User Levels·····················································································································1-2
Setting the Level of a Command in a Specific View········································································1-3
CLI Views················································································································································1-4
CLI Features ···········································································································································1-7
The sample output information in this manual was created on the WX3024. The output information on
your device may vary.
Introduction to the CLI

A command line interface (CLI) is a user interface for interacting with a device. Through the CLI on a device,
a user can enter commands to configure the device and check output information to verify the
configuration. Each device provides an easy-to-use CLI and a set of configuration commands so that the
user can configure and manage the device conveniently.

The CLI on the devices provides the following features, and so offers good manageability and operability:
• Hierarchical command protection: After users of different levels log in, they can only use
commands at their own, or lower, levels. This prevents users from using unauthorized commands
to configure devices.
• Online help: Users can get online help at any time by entering a question mark (?).
• Debugging: Abundant and detailed debugging information is provided to help users diagnose and
locate network problems.
• Command history function: This enables users to check the commands that they have recently
executed and re-execute them.
• Partial matching of commands: The system uses a partial matching method to search for
commands. This allows users to execute a command by entering partially-spelled command
keywords as long as the keywords entered can be uniquely identified by the system.
Command Hierarchy

The device uses hierarchical command protection for command lines, so as to prevent users at lower
levels from using higher-level commands to configure the device.

Based on user privilege, commands are classified into four levels:
• Visit level (level 0): Commands at this level are mainly used to diagnose the network, and they cannot
be saved in the configuration file. For example, ping, tracert and telnet are level 0 commands.
• Monitor level (level 1): Commands at this level are mainly used to maintain the system and
diagnose service faults, and they cannot be saved in the configuration file. Such commands include
debugging and terminal.
• System level (level 2): Commands at this level are mainly used to configure services. Commands
concerning routing and network layers are at this level. These commands can be used to provide
network services directly.
• Manage level (level 3): Commands at this level are associated with the basic operation modules
and support modules of the system. These commands provide support for services. Commands
concerning the file system, FTP/TFTP/XModem downloading, user management, and level setting are
at this level.

Users logged into the device fall into four user levels, which correspond to the four command levels
respectively. Users at a specific level can only use the commands at the same level or lower levels.

By default, the Console user (a user who logs into the device through the Console port) is a level-3 user,
and Telnet users are level-0 users.
Switching User Levels

After logging into the device, users can change their current user levels through a command. Note that:
• If a switching password is set for a specific user level by the super password command, all users
must enter the password correctly when they switch from lower user levels to this level (if a wrong
password is entered, they will remain at their original levels).
• If no switching password is set for a specific user level, the Console user can directly switch to the
level, while Telnet users at lower levels will fail to switch to the level (they will remain at their
original levels) and information like the following will be displayed: % Password is not set.
Setting a user level switching password

Follow these steps to set a password for user level switching:

To do…  Use the command…  Remarks
Enter system view: system-view (Remarks: —)
Set a password for user level switching: super password [ level level ] { simple | cipher } password (Remarks: Required. By default, the super password is not set.)

Switching to a specific user level

Follow these steps to switch to a specific user level:

To do…  Use the command…  Remarks
Switch to a specified user level: super [ level ] (Remarks: Required. Execute this command in user view.)

• If no user level is specified in the super password command or the super command, level 3 is
used by default.
• For security purposes, the password entered is not displayed when you switch to another user level.
You will remain at the original user level if you have tried three times but failed to enter the correct
password.
1-2
Configuration example

After a general user telnets to the device, his/her user level is 0. Now the network administrator wants
to allow general users to switch to level 3, so that they are able to configure the device.

# A level 3 user sets a switching password for user level 3. (With the simple keyword the password is
stored in plain text in the configuration file; 123 is shown only for illustration and is not a recommended
password.)
<device> system-view
[device] super password level 3 simple 123
# A general user telnets to the device, and then uses the set password to switch to user level 3.
<device> super 3
Password:
User privilege level is 3, and only those commands can be used
whose level is equal or less than this.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE
# After configuring the device, the general user switches back to user level 0.
<device> super 0
User privilege level is 0, and only those commands can be used
whose level is equal or less than this.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE
Setting the Level of a Command in a Specific View

Commands fall into four levels: visit (level 0), monitor (level 1), system (level 2), and manage (level 3).
By using the following command, the administrator can change the level of a command in a specific
view as required.

Follow these steps to set the level of a command in a specific view:

To do…  Use the command…  Remarks
Enter system view: system-view (Remarks: —)
Configure the level of a command in a specific view: command-privilege level level view view command (Remarks: Required)

• It is recommended not to change the level of a command arbitrarily, for it may cause inconvenience
to maintenance and operation.
• When you change the level of a command with multiple keywords, you should input the keywords
one by one in the order they appear in the command syntax. Otherwise, your configuration will not
take effect.
Configuration example

The network administrator (a level 3 user) wants to change some TFTP commands (such as tftp get)
from level 3 to level 0, so that general Telnet users (level 0 users) are able to download files through
TFTP.

# Change the tftp get command in user view (shell) from level 3 to level 0. (Only level 3 users
can change the level of a command.)
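The two command lines this example describes, written out. They are added here, reconstructed from the description above and the command-privilege level level view view command syntax, and are not copied from the manual; the view name shell, level 0, the server address 192.168.0.1 and the file name bootrom.btm are the ones the example names, and the keywords of the tftp command are entered one by one, in order, as the note above requires:

```text
<device> system-view
[device] command-privilege level 0 view shell tftp 192.168.0.1 get bootrom.btm
```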
After the above configuration, general Telnet users can use the tftp get command to download file
bootrom.btm and other files from TFTP server 192.168.0.1 and other TFTP servers.
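The two settings documented in this section and in Switching User Levels, super password and command-privilege, are the ones a reviewer looks for first in a saved configuration: a switching password stored with the simple keyword, and a manage-level command such as tftp get demoted to level 0, which hands an unauthenticated file transfer to every Telnet user. The script below is an added example, not code from the 3Com manual; it audits a configuration dump for those lines. The sample configuration is constructed for the demo, the line formats follow the syntax on this page, and the cipher keyword, the list of sensitive commands and the severity thresholds are assumptions of the script rather than statements of the manual.

```python
"""Audit a Comware-style configuration dump for the two privilege settings
this chapter documents: super password (user level switching) and
command-privilege (per-view command level changes).

Added example, not from the 3Com manual. Line formats assumed:
    super password [ level <0-3> ] simple|cipher <password>
    command-privilege level <0-3> view <view> <command ...>
The 'cipher' keyword, SENSITIVE_COMMANDS and the severities are assumptions.
"""
import re
from dataclasses import dataclass, field

SUPER_RE = re.compile(
    r"^\s*super password(?: level (?P<level>[0-3]))? (?P<mode>simple|cipher) (?P<pw>\S+)")
CMDPRIV_RE = re.compile(
    r"^\s*command-privilege level (?P<level>[0-3]) view (?P<view>\S+) (?P<cmd>.+?)\s*$")

# Commands the manual places at manage level (3): file system, FTP/TFTP
# downloading, user management and level setting. Lowering them exposes
# them to lower-level users (Telnet users are level 0 by default).
SENSITIVE_COMMANDS = ("tftp", "ftp", "local-user", "super", "command-privilege",
                      "copy", "delete")


@dataclass
class Finding:
    line_no: int      # 0 means "whole file"
    severity: str     # info | medium | high
    message: str


@dataclass
class PrivilegeAudit:
    findings: list = field(default_factory=list)
    super_levels: dict = field(default_factory=dict)  # level -> "simple"/"cipher"


def audit_config(text: str) -> PrivilegeAudit:
    """Return the findings for one configuration file."""
    result = PrivilegeAudit()
    for no, line in enumerate(text.splitlines(), start=1):
        m = SUPER_RE.match(line)
        if m:
            level = int(m.group("level") or 3)   # manual: level 3 when omitted
            mode, pw = m.group("mode"), m.group("pw")
            result.super_levels[level] = mode
            if mode == "simple":
                result.findings.append(Finding(
                    no, "high", f"super password for level {level} stored in plain text (simple)"))
                if len(pw) < 8 or pw.isdigit():   # assumed threshold
                    result.findings.append(Finding(
                        no, "medium", f"weak super password for level {level}"))
            continue
        m = CMDPRIV_RE.match(line)
        if m:
            level, view, cmd = int(m.group("level")), m.group("view"), m.group("cmd")
            first = cmd.split()[0]
            if level < 3 and first in SENSITIVE_COMMANDS:
                sev = "high" if level == 0 else "medium"
                result.findings.append(Finding(
                    no, sev, f"'{first}' lowered to level {level} in view {view}: {cmd}"))
    # Without a level-3 super password only the Console user can reach level 3
    # (Telnet users get "% Password is not set"); worth knowing, not a defect.
    if 3 not in result.super_levels:
        result.findings.append(Finding(
            0, "info", "no super password for level 3: remote users cannot switch to manage level"))
    return result


# Constructed sample configuration for the demo (not captured from a device).
SAMPLE_CONFIG = """\
#
 sysname device
#
 super password level 3 simple 123
 command-privilege level 0 view shell tftp 192.168.0.1 get bootrom.btm
 command-privilege level 2 view system display current-configuration
#
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG).findings:
        print(f"line {f.line_no}: [{f.severity}] {f.message}")
```

Run against the sample, the script reports the plain-text level-3 password (twice: stored with simple, and trivially short), and the tftp command demoted to level 0; the display command moved to level 2 is not flagged because it is not in the sensitive list.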
CLI Views

CLI views are designed for different configuration tasks. They are related to one another yet distinct.
For example, once a user logs into a device successfully, the user enters user view, where the user can
perform some simple operations such as checking the operation status and statistics information of the
device. After executing the system-view command, the user enters system view, where the user can
go to other views by entering the corresponding commands.
Table 1-1 lists the CLI views provided by the device, operations that can be performed in different CLI
views and the commands used to enter specific CLI views.
Table 1-1 CLI views

User view
  Available operation: Display status and statistical information of the device.
  Prompt example: <device>
  Enter method: Enter user view once logging into the device.
  Quit method: Execute the quit command to log out of the device.

System view
  Available operation: Configure system parameters.
  Prompt example: [device]
  Enter method: Execute the system-view command in user view.
  Quit method: Execute the quit or return command to return to user view.

Ethernet port view
  Available operation: Configure Ethernet port parameters.
  Prompt example: 1000 Mbps Ethernet port view: [device-GigabitEthernet1/0/1]; 10 Gigabit Ethernet port view: [device-TenGigabitEthernet1/1/1]
  Enter method: Execute the interface gigabitethernet command (1000 Mbps Ethernet port) or the interface tengigabitethernet command (10 Gigabit Ethernet port) in system view.
  Quit method: Execute the quit command to return to system view. Execute the return command to return to user view.

VLAN view
  Available operation: Configure VLAN parameters.
  Prompt example: [device-vlan1]
  Enter method: Execute the vlan command in system view.
  Quit method: Execute the quit command to return to system view. Execute the return command to return to user view.

VLAN interface view
  Available operation: Configure VLAN interface parameters.
  Prompt example: [device-Vlan-interface1]
  Enter method: Execute the interface Vlan-interface command in system view.
  Quit method: Execute the quit command to return to system view. Execute the return command to return to user view.

Loopback interface view
  Available operation: Configure loopback interface parameters.
  Prompt example: [device-LoopBack0]
  Enter method: Execute the interface loopback command in system view.
  Quit method: Execute the quit command to return to system view. Execute the return command to return to user view.

NULL interface view
  Available operation: Configure NULL interface parameters.
  Prompt example: [device-NULL0]
  Enter method: Execute the interface null command in system view.
  Quit method: Execute the quit command to return to system view. Execute the return command to return to user view.

Local user view
  Available operation: Configure local user parameters.
  Prompt example: [device-luser-user1]
  Enter method: Execute the local-user command in system view.
  Quit method: Execute the quit command to return to system view. Execute the return command to return to user view.

User interface view
  Available operation: Configure user interface parameters.
  Prompt example: [device-ui-aux0]
  Enter method: Execute the user-interface aux command in system view.
  Quit method: Execute the quit command to return to system view. Execute the return command to return to user view.

FTP client view
  Available operation: Configure FTP client parameters.
  Prompt example: [ftp]
  Enter method: Execute the ftp command in user view.

SFTP client view
  Available operation: Configure SFTP client parameters.
  Prompt example: sftp-client>
  Enter method: Execute the sftp command in system view.

MST region view
  Available operation: Configure MST region parameters.
  Prompt example: [device-mst-region]
  Enter method: Execute the stp region-configuration command in system view.
  Quit method: Execute the quit command to return to system view. Execute the return command to return to user view.

Cluster view
  Available operation: Configure cluster parameters.
  Prompt example: [device-cluster]
  Enter method: Execute the cluster command in system view.
  Quit method: Execute the quit command to return to system view. Execute the return command to return to user view.

Public key view (RSA)
  Available operation: Configure the RSA public key for SSH users.
  Prompt example: [device-rsa-publickey]
  Enter method: Execute the rsa peer-public-key command in system view.
  Quit method: Execute the peer-public-key end command to return to system view.

Public key view (RSA or DSA)
  Available operation: Configure the RSA or DSA public key for SSH users.
  Prompt example: [device-peer-public-key]
  Enter method: Execute the public-key peer command in system view.
  Quit method: Execute the peer-public-key end command to return to system view.

Public key editing view (RSA)
  Available operation: Edit the RSA public key for SSH users.
  Prompt example: [device-rsa-key-code]
  Enter method: Execute the public-key-code begin command in public key view.
  Quit method: Execute the public-key-code end command to return to public key view.

Public key editing view (RSA or DSA)
  Available operation: Edit the RSA or DSA public key for SSH users.
  Prompt example: [device-peer-key-code]
  Enter method: Execute the public-key-code begin command in public key view.
  Quit method: Execute the public-key-code end command to return to public key view.

Basic ACL view
  Available operation: Define rules for a basic ACL (with ID ranging from 2000 to 2999).
  Prompt example: [device-acl-basic-2000]
  Enter method: Execute the acl number command in system view.
  Quit method: Execute the quit command to return to system view. Execute the return command to return to user view.

Advanced ACL view
  Available operation: Define rules for an advanced ACL (with ID ranging from 3000 to 3999).
  Prompt example: [device-acl-adv-3000]
  Enter method: Execute the acl number command in system view.
  Quit method: Execute the quit command to return to system view. Execute the return command to return to user view.

Layer 2 ACL view
  Available operation: Define rules for a layer 2 ACL (with ID ranging from 4000 to 4999).
  Prompt example: [device-acl-ethernetframe-4000]
  Enter method: Execute the acl number command in system view.
  Quit method: Execute the quit command to return to system view. Execute the return command to return to user view.

QoS profile view
  Available operation: Define a QoS profile.
  Prompt example: [device-qos-profile-a123]
  Enter method: Execute the qos-profile command in system view.
  Quit method: Execute the quit command to return to system view. Execute the return command to return to user view.

RADIUS scheme view
  Available operation: Configure RADIUS scheme parameters.
  Prompt example: [device-radius-1]
  Enter method: Execute the radius scheme command in system view.
  Quit method: Execute the quit command to return to system view. Execute the return command to return to user view.

ISP domain view
  Available operation: Configure ISP domain parameters.
  Prompt example: [device-isp-aaa123.net]
  Enter method: Execute the domain command in system view.
  Quit method: Execute the quit command to return to system view. Execute the return command to return to user view.

HWPing view
  Available operation: Configure HWPing parameters.
  Prompt example: [device-hwping-a123-a123]
  Enter method: Execute the hwping command in system view.
  Quit method: Execute the quit command to return to system view. Execute the return command to return to user view.

HWTACACS view
  Available operation: Configure HWTACACS parameters.
  Prompt example: [device-hwtacacs-a123]
  Enter method: Execute the hwtacacs scheme command in system view.
  Quit method: Execute the quit command to return to system view. Execute the return command to return to user view.

PoE profile view
  Available operation: Configure PoE profile parameters.
  Prompt example: [device-poe-profile-a123]
  Enter method: Execute the poe-profile command in system view.
  Quit method: Execute the quit command to return to system view. Execute the return command to return to user view.

Smart-link group view
  Available operation: Configure smart-link group parameters.
  Prompt example: [device-smlk-group1]
  Enter method: Execute the smart-link group command in system view.
  Quit method: Execute the quit command to return to system view. Execute the return command to return to user view.

Monitor-link group view
  Available operation: Configure monitor-link group parameters.
  Prompt example: [device-mtlk-group1]
  Enter method: Execute the monitor-link group command in system view.
  Quit method: Execute the quit command to return to system view. Execute the return command to return to user view.

Port-group view
  Available operation: Configure port-group parameters.
  Prompt example: [device-port-group1]
  Enter method: Execute the port-group command in system view.
  Quit method: Execute the quit command to return to system view. Execute the return command to return to user view.

QinQ view
  Available operation: Configure QinQ parameters.
  Prompt example: [device-GigabitEthernet1/0/1-vid-20]
  Enter method: Execute the vlan-vpn vid command in Ethernet port view. The vlan-vpn enable command should be executed first.
  Quit method: Execute the quit command to return to Ethernet port view. Execute the return command to return to user view.

The shortcut key combination Ctrl+Z is equivalent to the return command.
CLI Features
Online Help
When configuring the device, you can use the online help to get related help information. The CLI
provides two types of online help: complete and partial.
Complete online help
1) Enter a question mark (?) in any view on your terminal to display all the commands available in the
view and their brief descriptions. The following takes user view as an example.
<device> ?
User view commands:
boot Set boot option
cd Change current directory
clock Specify the system clock
cluster Run cluster command
copy Copy from one file to another
debugging Enable system debugging functions
delete Delete a file
dir List files on a file system
display Display current system information
<Other information is omitted>
2) Enter a command, a space, and a question mark (?).
If the question mark “?” is at a keyword position in the command, all available keywords at the position
and their descriptions will be displayed on your terminal.
<device> clock ?
datetime Specify the time and date
summer-time Configure summer time
timezone Configure time zone
If the question mark (?) is at an argument position in the command, the description of the argument will
be displayed on your terminal.
[device] interface vlan-interface ?
<1-4094> VLAN interface number
If only <cr> is displayed after you enter a question mark (?), it means no parameter is available at the ?
position, and you can enter and execute the command directly.
[device] interface vlan-interface 1 ?
<cr>
Partial online help
1) Enter a character/string, and then a question mark (?) next to it. All the commands beginning with
the character/string will be displayed on your terminal. For example:
<device> p?
ping
pwd
2) Enter a command, a space, a character/string and a question mark (?) next to it. All the keywords
beginning with the character/string (if available) are displayed on your terminal. For example:
<device> display v?
version
vlan
voice
3) Enter the first several characters of a keyword of a command and then press Tab. If there is a
unique keyword beginning with the characters just typed, the unique keyword is displayed in its
complete form. If there are multiple keywords beginning with the characters, you can have them
displayed one by one (in complete form) by pressing Tab repeatedly.
Terminal Display

The CLI provides the screen splitting feature to have display output suspended when the screen is full.
When display output pauses, you can perform the following operations as needed (see Table 1-2).

Table 1-2 Display-related operations

Press  To
Ctrl+C: Stop the display output and execution of the command.
Any character except the space, Enter, the forward slash (/), plus sign (+), and minus sign (-) when the display output pauses: Stop the display output.
The space key: Go to the next page.
Enter: Go to the next line.
Command History

The CLI provides the command history function. You can use the display history-command command
to view a specific number of the latest executed commands and execute them again in a convenient way.

By default, the CLI can store up to 10 latest executed commands for each user. You can view the
command history by performing the operations listed in Table 1-3.

Table 1-3 View history commands

Purpose  Operation  Remarks
Display the latest executed history commands: Execute the display history-command command. (This command displays the command history.)
Recall the previous history command: Press the up arrow key or Ctrl+P. (This operation recalls the previous history command, if available.)
Recall the next history command: Press the down arrow key or Ctrl+N. (This operation recalls the next history command, if available.)

• Because the Windows 9x HyperTerminal interprets the up and down arrow keys differently,
the two keys do not work when you access history commands in a Windows 9x HyperTerminal
environment. However, you can use Ctrl+P and Ctrl+N instead to achieve the same purpose.
• When you enter the same command multiple times consecutively, only one history command entry
is created by the command line interface.
Error Prompts

If a command passes the syntax check, it will be executed; otherwise, an error message
will be displayed. Table 1-4 lists the common error messages.

Table 1-4 Common error messages

Error message  Description
Unrecognized command: The command does not exist; the keyword does not exist; the parameter type is wrong; or the parameter value is out of range.
Incomplete command: The command entered is incomplete.
Too many parameters: The parameters entered are too many.
Ambiguous command: The parameters entered are ambiguous.
Wrong parameter: A parameter entered is wrong.
found at '^' position: An error is found at the '^' position.
Command Edit

The CLI provides basic command edit functions and supports multi-line editing. The maximum number
of characters a command can contain is 254.

Table 1-5 lists the CLI edit operations.

Table 1-5 Edit operations

Press…  To…
A common key: Insert the corresponding character at the cursor position and move the cursor one character to the right if the command is shorter than 254 characters.
Backspace key: Delete the character on the left of the cursor and move the cursor one character to the left.
Left arrow key or Ctrl+B: Move the cursor one character to the left.
Right arrow key or Ctrl+F: Move the cursor one character to the right.
Up arrow key or Ctrl+P, or down arrow key or Ctrl+N: Display history commands.
Tab: Use the partial online help. That is, when you input an incomplete keyword and press Tab, if the input uniquely identifies a complete keyword, the system substitutes the complete keyword for the input; if more than one keyword matches the input, you can display them one by one (in complete form) by pressing Tab repeatedly; if no keyword matches the input, the system displays your original input on a new line without any change.
Table of Contents
1 Logging In to the Switching Engine ········································································································1-1
Logging In to the Switching Engine·········································································································1-1
Introduction to the User Interface············································································································1-1
Supported User Interfaces ··············································································································1-1
User Interface Index························································································································1-2
Common User Interface Configuration····························································································1-2
2 Logging In Through OAP··························································································································2-1
OAP Overview·········································································································································2-1
Logging In to the Switching Engine Through OAP ·················································································2-1
Configuring the Management IP Address of the OAP Software System················································2-1
Configuring the Management IP Address of the OAP Software System on the Switching Engine·······2-2
Configuring the Management IP Address of the OAP Software System of the Access Control Engine·······2-2
Resetting the OAP Software System······································································································2-3
3 Logging In Through Telnet·······················································································································3-1
Common Configuration····················································································································3-1
Telnet Configurations for Different Authentication Modes·······························································3-2
Telnet Configuration with Authentication Mode Being None ··································································3-3
Telnetting to the Switching Engine········································································································3-11
Telnetting to the Switching Engine from a Terminal······································································3-11
Telnetting to the Switching Engine from the Access Control Engine············································3-13
4 Logging In from the Web-Based Network Management System··························································4-1
Introduction ·············································································································································4-1
Setting Up a Web Configuration Environment························································································4-2
Configuring the Login Banner·················································································································4-3
Enabling/Disabling the WEB Server ·······································································································4-5
5 Logging In from NMS ································································································································5-1
Introduction ·············································································································································5-1
Connection Establishment Using NMS···································································································5-1
6 Configuring Source IP Address for Telnet Service Packets·································································6-1
Configuring Source IP Address for Telnet Service Packets ···································································6-1
Displaying Source IP Address Configuration··························································································6-2
7 User Control···············································································································································7-1
Prerequisites····································································································································7-1
Controlling Telnet Users by Source IP Addresses··········································································7-1
Controlling Telnet Users by Source and Destination IP Addresses················································7-2
Controlling Telnet Users by Source MAC Addresses ·····································································7-3
Configuration Example····················································································································7-3
Controlling Network Management Users by Source IP Addresses························································7-4
Prerequisites····································································································································7-4
Controlling Network Management Users by Source IP Addresses·················································7-4
Configuration Example····················································································································7-5
Controlling Web Users by Source IP Address························································································7-5
Prerequisites····································································································································7-6
Controlling Web Users by Source IP Addresses·············································································7-6
Disconnecting a Web User by Force·······························································································7-6
Configuration Example····················································································································7-6
ii
1 Logging In to the Switching Engine
The sample output information in this manual was created on the WX3024. The output information on
your device may vary.
Logging In to the Switching Engine
You can log in to the switching engine of the device in one of the following ways:
• Logging in through OAP
• Logging in locally or remotely through an Ethernet port by means of Telnet or SSH
• Logging in to the Web-based network management system
• Logging in through NMS (network management station)
Introduction to the User Interface
Supported User Interfaces
The auxiliary (AUX) port and the console port of the device are the same port (referred to as console
port in the following part). You will be in the AUX user interface if you log in through this port.
The device supports two types of user interfaces: AUX and VTY.
• AUX user interface: the view you enter when you log in through the console port.
• Virtual type terminal (VTY) user interface: the view you enter when you log in through a VTY. A VTY port is a logical terminal line used when you access the device by means of Telnet or SSH.

Table 1-1 Description on user interface

User interface: AUX
  Applicable user: users logging in through the console port
  Port used: console port
  Description: each device can accommodate one AUX user.

User interface: VTY
  Applicable user: Telnet users and SSH users
  Port used: Ethernet port
  Description: each device can accommodate up to five VTY users.
User Interface Index
Two kinds of user interface index exist: the absolute user interface index and the relative user interface index.
1) The absolute user interface indexes are as follows:
• The absolute index of the AUX user interface is 0.
• VTY user interface indexes follow the AUX user interface index. The first VTY user interface has absolute index 1, the second has absolute index 2, and so on.
2) A relative user interface index is obtained by appending a number to the identifier of a user interface type; the numbering restarts for each type. The relative user interface indexes are as follows:
• The AUX user interface is numbered AUX0.
• VTY user interfaces are numbered VTY0, VTY1, and so on.
Common User Interface Configuration
Follow these steps to configure common user interface settings:

To do: Lock the current user interface
  Command: lock
  Remarks: Optional. Execute this command in user view. A user interface is not locked by default.

To do: Send messages to all user interfaces or to a specified user interface
  Command: send { all | number | type number }
  Remarks: Optional. Execute this command in user view.

To do: Free a user interface
  Command: free user-interface [ type ] number
  Remarks: Optional. Execute this command in user view.

To do: Enter system view
  Command: system-view
  Remarks: —

To do: Set the banner
  Command: header [ incoming | legal | login | shell ] text
  Remarks: Optional. By default, no banner is configured.

To do: Set a system name for the switching engine
  Command: sysname string
  Remarks: Optional. By default, the system name is device.

To do: Enable copyright information display
  Command: copyright-info enable
  Remarks: Optional. By default, copyright display is enabled, that is, the copyright information is displayed on the terminal after a user logs in successfully.

To do: Enter user interface view
  Command: user-interface [ type ] first-number [ last-number ]
  Remarks: —

To do: Display information about the current user interface or all user interfaces
  Command: display users [ all ]
  Remarks: Optional. You can execute the display commands in any view.

To do: Display the physical attributes and configuration of the current or a specified user interface
  Command: display user-interface [ type number | number ]
  Remarks: Optional. You can execute the display commands in any view.

To do: Display information about the current web users
  Command: display web users
  Remarks: Optional. You can execute the display commands in any view.
2 Logging In Through OAP
OAP Overview
As an open software and hardware system, Open Application Architecture (OAA) provides a complete set of standard software and hardware interfaces. Third-party vendors can develop products with special functions, and these products are compatible with each other as long as they conform to the OAA interface standards. The functions of a single network product can therefore be expanded, to the benefit of users.
Open Application Platform (OAP) is a physical platform developed on the basis of OAA. It can be an independent network device, or a board or program used as an extended part of a device. An OAP runs an independent operating system, into which you can load software such as security and voice applications as needed.
Logging In to the Switching Engine Through OAP
You can log in to the access control engine through the console port on the device and perform the
following configurations on the access control engine. Then, you can log in to the switching engine.
1) Execute the oap connect slot 0 command in user view of the access control engine to log in to the
switching engine.
<device> oap connect slot 0
Connected to OAP!
2) Press Enter to enter user view of the switching engine.
<device_LSW>
• To distinguish between the access control engine and the switching engine, the name of the switching engine is shown as device_LSW here. The default name of the switching engine is actually device.
• You can press Ctrl+K to return to the command line interface of the access control engine.
Configuring the Management IP Address of the OAP Software
System
In the OAA system of the device, the access control engine and the switching engine are integrated and function as one device. To an SNMP UDP domain-based network management station (NMS), however, the access control engine and the switching engine are independent SNMP agents. Physically, the two agents are on the same managed object; logically, they belong to two different systems, and each manages its own MIB objects, on the access control engine and the switching engine respectively.
Therefore, when you use the NMS to manage the access control engine and the switching engine on the same interface, you must first obtain the management IP addresses of the two SNMP agents and the link relationship between them before you can access the two agents. By default, the management IP address of an OAP module is not configured.
Before configuring the management IP address of the OAP software system, you must configure the same IP address on the engine side where the OAP software system resides; otherwise, the NMS cannot reach the OAP software system by using the configured management IP address.
Follow these steps to configure the management IP address of the OAP software system:

To do: Enter system view
  Command: system-view
  Remarks: —

To do: Configure the management IP address of an OAP module
  Command: oap management-ip ip-address slot 0
  Remarks: Required. Not configured by default.
Configuring the Management IP Address of the OAP Software System on the Switching
Engine
1) Configure the management IP address of the OAP software system on the switching engine side.
If the operating system works abnormally or is under other anomalies, you can reset the OAP software system.
The reset operation may cause data loss and service interruption. Therefore, before resetting the OAP software system, save the data on the operating system to avoid service interruption and loss of data on the hardware.
Follow these steps to reset the OAP software system:

To do: Reset the OAP software system
  Command: oap reboot slot 0
  Remarks: Required. Available in user view.
3 Logging In Through Telnet
Introduction
The device supports Telnet. You can manage and maintain the switching engine remotely by Telnetting to the switching engine.
To log in to the switching engine through Telnet, the corresponding configuration is required on both the switching engine and the Telnet terminal.
You can also log in to the switching engine through SSH. SSH provides the same remote command line access as Telnet, but over an encrypted and authenticated channel, so it should be preferred wherever the terminal supports it. Refer to the SSH Operation for related information.
Table 3-1 Requirements for Telnetting to the switching engine

Item: Switching engine
  Requirement: The IP address is configured for the VLAN of the switching engine, and the route between the switching engine and the Telnet terminal is reachable. (Refer to the IP Address and Performance Operation and Routing Protocol parts for more.) The authentication mode and other settings are configured. Refer to Table 3-2 and Table 3-3.

Item: Telnet terminal
  Requirement: Telnet is running. The IP address of the VLAN of the switching engine is available.

Common Configuration
Table 3-2 lists the common Telnet configuration.

Table 3-2 Common Telnet configuration

VTY user interface configuration
  Configure the command level available to users logging in to the VTY user interface
    Optional. By default, commands of level 0 are available to users logging in to a VTY user interface.
  Configure the protocols the user interface supports
    Optional. By default, Telnet and SSH are supported.
  Set the commands to be executed automatically after a user logs in to the user interface successfully
    Optional. By default, no command is executed automatically after a user logs in to the VTY user interface.

VTY terminal configuration
  Make terminal services available
    Optional. By default, terminal services are available in all user interfaces.
  Set the maximum number of lines the screen can contain
    Optional. By default, the screen can contain up to 24 lines.
  Set the history command buffer size
    Optional. By default, the history command buffer can contain up to 10 commands.
  Set the timeout time of a user interface
    Optional. The default timeout time is 10 minutes.
Telnet Configurations for Different Authentication Modes
Table 3-3 lists Telnet configurations for different authentication modes.

Table 3-3 Telnet configurations for different authentication modes

Authentication mode: None
  Perform common configuration
    Telnet configuration: perform common Telnet configuration
    Description: Optional. Refer to Table 3-2.

Authentication mode: Password
  Configure the password
    Telnet configuration: configure the password for local authentication
    Description: Required.
  Perform common configuration
    Telnet configuration: perform common Telnet configuration
    Description: Optional. Refer to Table 3-2.

Authentication mode: Scheme
  Specify whether to perform local authentication or remote RADIUS authentication
    Telnet configuration: AAA configuration specifies whether to perform local authentication or RADIUS authentication
    Description: Optional. Local authentication is performed by default. Refer to the AAA part for more.
  Configure user name and password
    Telnet configuration: configure user names and passwords for local/RADIUS users
    Description: Required.
      • The user name and password of a local user are configured on the switching engine.
      • The user name and password of a remote user are configured on the RADIUS server. Refer to the user manual of the RADIUS server for more.
  Manage VTY users
    Telnet configuration: set the service type for VTY users
    Description: Required.
  Perform common configuration
    Telnet configuration: perform common Telnet configuration
    Description: Optional. Refer to Table 3-2.
To reduce the attack surface, the device enables or disables TCP port 23 (Telnet) and TCP port 22 (SSH) according to the VTY configuration, so that a port whose service cannot be used is not left listening:
• If the authentication mode is none, TCP 23 is enabled and TCP 22 is disabled.
• If the authentication mode is password and the corresponding password has been set, TCP 23 is enabled and TCP 22 is disabled.
• If the authentication mode is scheme, there are three cases: when the supported protocol is specified as telnet, TCP 23 is enabled; when it is specified as ssh, TCP 22 is enabled; when it is specified as all, both TCP 23 and TCP 22 are enabled.
Note that only the scheme mode can close TCP 23: with the none or password modes, every remote login is cleartext Telnet regardless of the protocol inbound setting. Where the switching engine is reachable from untrusted networks, use the scheme mode with protocol inbound ssh.
Telnet Configuration with Authentication Mode Being None
Configuration Procedure
Follow these steps to perform Telnet configuration with the authentication mode being none:

To do: Enter system view
  Command: system-view
  Remarks: —

To do: Enter one or more VTY user interface views
  Command: user-interface vty first-number [ last-number ]
  Remarks: —

To do: Configure not to authenticate users logging in to VTY user interfaces
  Command: authentication-mode none
  Remarks: Required. By default, VTY users are authenticated at login.

To do: Configure the command level available to users logging in to the VTY user interface
  Command: user privilege level level
  Remarks: Optional. By default, commands of level 0 are available to users logging in to VTY user interfaces.

To do: Configure the protocols to be supported by the VTY user interface
  Command: protocol inbound { all | ssh | telnet }
  Remarks: Optional. By default, both Telnet and SSH are supported.

To do: Set the commands to be executed automatically after a user logs in to the user interface successfully
  Command: auto-execute command text
  Remarks: Optional. By default, no command is executed automatically after a user logs in to the VTY user interface.

To do: Make terminal services available
  Command: shell
  Remarks: Optional. By default, terminal services are available in all user interfaces.

To do: Set the maximum number of lines the screen can contain
  Command: screen-length screen-length
  Remarks: Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.

To do: Set the history command buffer size
  Command: history-command max-size value
  Remarks: Optional. The default history command buffer size is 10, that is, a history command buffer can store up to 10 commands by default.

To do: Set the timeout time of the VTY user interface
  Command: idle-timeout minutes [ seconds ]
  Remarks: Optional. The default timeout time of a user interface is 10 minutes: the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.

Note that if you configure not to authenticate the users, the command level available to users logging in to the switching engine depends only on the user privilege level level command: anyone who can reach TCP 23 obtains that level without presenting credentials.
Configuration Example
Network requirements
As shown in Figure 3-1, assume that the current user has logged in using the oap connect slot 0 command and that the user level is set to the manage level (level 3). Perform the following configurations for users logging in through VTY 0 using Telnet:
• Do not authenticate the users.
• Commands of level 2 are available to the users.
• The Telnet protocol is supported.
• The screen can contain up to 30 lines.
• The history command buffer can contain up to 20 commands.
• The timeout time of VTY 0 is 6 minutes.
Figure 3-1 Network diagram for Telnet configuration (with the authentication mode being none)
Configuration procedure
# Enter system view.
<device> system-view
# Enter VTY 0 user interface view.
[device] user-interface vty 0
# Configure not to authenticate Telnet users logging in through VTY 0.
[device-ui-vty0] authentication-mode none
# Specify that commands of level 2 are available to users logging in through VTY 0.
[device-ui-vty0] user privilege level 2
# Configure VTY 0 to support the Telnet protocol only.
[device-ui-vty0] protocol inbound telnet
# Set the maximum number of lines the screen can contain to 30.
[device-ui-vty0] screen-length 30
# Set the maximum number of commands the history command buffer can store to 20.
[device-ui-vty0] history-command max-size 20
# Set the timeout time to 6 minutes.
[device-ui-vty0] idle-timeout 6
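The following Python script is an added example; it is not code from this manual or from 3Com. It audits user-interface vty stanzas written in the syntax shown in this section: it expands each VTY range to the relative and absolute indexes described in Chapter 1, applies the port rules given above (which of TCP 23 and TCP 22 end up enabled for each authentication mode and protocol inbound setting), and flags the combinations a reviewer should question: authentication-mode none, cleartext Telnet, a password stored with the simple keyword, and idle-timeout 0. The sample configuration text, its display-current-configuration style layout, and the severity labels are assumptions of the example.

```python
"""Audit Comware-style 'user-interface vty' stanzas for weak remote-login settings.

Added example, not from the 3Com manual or its software. The rules encoded here
are the ones the manual states: VTY absolute indexes follow AUX 0, the default
inbound protocol is 'all', and which of TCP 23 (Telnet) / TCP 22 (SSH) is left
listening depends on authentication-mode and protocol inbound.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

AUX_ABSOLUTE_INDEX = 0  # manual: the AUX user interface has absolute index 0

# Constructed sample (assumed 'display current-configuration' layout).
SAMPLE_CONFIG = """\
#
user-interface aux 0
#
user-interface vty 0
 authentication-mode none
 user privilege level 2
 protocol inbound telnet
 screen-length 30
 idle-timeout 6
#
user-interface vty 1 3
 authentication-mode password
 set authentication password simple changeme
 protocol inbound ssh
 idle-timeout 0
#
user-interface vty 4
 authentication-mode scheme
 protocol inbound ssh
#
"""


@dataclass
class VtyBlock:
    first: int
    last: int
    auth_mode: Optional[str] = None   # None: not set in the stanza, device default applies
    protocol: str = "all"             # manual default: Telnet and SSH both supported
    privilege: int = 0                # manual default: level 0
    idle_timeout_min: float = 10.0    # manual default: 10 minutes
    simple_password: bool = False     # 'set authentication password simple ...' seen

    def relative_ids(self) -> List[str]:
        return [f"VTY{n}" for n in range(self.first, self.last + 1)]

    def absolute_ids(self) -> List[int]:
        # VTY0 is absolute 1, VTY1 is absolute 2, ... (they follow AUX 0)
        return [AUX_ABSOLUTE_INDEX + 1 + n for n in range(self.first, self.last + 1)]


def expected_ports(auth_mode: Optional[str], protocol: str) -> Optional[Set[int]]:
    """TCP ports the manual says are enabled; None when the mode is not set."""
    if auth_mode in ("none", "password"):
        return {23}  # TCP 22 is disabled in both of these modes
    if auth_mode == "scheme":
        return {"telnet": {23}, "ssh": {22}, "all": {22, 23}}[protocol]
    return None


def parse_vty_blocks(config_text: str) -> List[VtyBlock]:
    blocks: List[VtyBlock] = []
    cur: Optional[VtyBlock] = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"user-interface vty (\d+)(?: (\d+))?", line)
        if m:
            first = int(m.group(1))
            cur = VtyBlock(first, int(m.group(2) or first))
            blocks.append(cur)
            continue
        if cur is None or line in ("", "#", "quit") or line.startswith("user-interface"):
            cur = None  # stanza ended, or a non-VTY view began
            continue
        words = line.split()
        if words[0] == "authentication-mode":
            cur.auth_mode = words[1]
        elif words[:2] == ["protocol", "inbound"]:
            cur.protocol = words[2]
        elif words[:3] == ["user", "privilege", "level"]:
            cur.privilege = int(words[3])
        elif words[0] == "idle-timeout":
            secs = int(words[2]) if len(words) > 2 else 0
            cur.idle_timeout_min = int(words[1]) + secs / 60
        elif words[:4] == ["set", "authentication", "password", "simple"]:
            cur.simple_password = True
    return blocks


def audit(config_text: str) -> List[Tuple[str, str, str]]:
    """Return (vty ids, severity, message) findings; severities are this example's own."""
    findings = []
    for b in parse_vty_blocks(config_text):
        ids = ",".join(b.relative_ids())
        ports = expected_ports(b.auth_mode, b.protocol)
        if b.auth_mode is None:
            findings.append((ids, "INFO", "authentication-mode not set; device default applies"))
        elif b.auth_mode == "none":
            findings.append((ids, "HIGH", f"no authentication: level {b.privilege} to anyone reaching TCP 23"))
        if ports and 23 in ports:
            findings.append((ids, "MEDIUM", "cleartext Telnet (TCP 23) enabled"))
        if b.simple_password:
            findings.append((ids, "MEDIUM", "VTY password stored with the simple keyword"))
        if b.idle_timeout_min == 0:
            findings.append((ids, "LOW", "idle-timeout 0 disables the session timeout"))
    return findings


if __name__ == "__main__":
    for ids, sev, msg in audit(SAMPLE_CONFIG):
        print(f"{sev:6} {ids}: {msg}")
```

Running it prints one finding per issue and per VTY stanza; the password-mode stanza shows that protocol inbound ssh alone does not close TCP 23, which is exactly what the port rules above say, and the scheme-mode stanza with ssh produces no finding.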
Telnet Configuration with Authentication Mode Being Password
Configuration Procedure
Follow these steps to perform Telnet configuration with the authentication mode being password:

To do: Enter system view
  Command: system-view
  Remarks: —

To do: Enter one or more VTY user interface views
  Command: user-interface vty first-number [ last-number ]
  Remarks: —

To do: Configure to authenticate users logging in to VTY user interfaces using the local password
  Command: authentication-mode password
  Remarks: Required.

To do: Set the local password
  Command: set authentication password { cipher | simple } password
  Remarks: Required. The simple keyword keeps the password in cleartext in the configuration; prefer cipher.

To do: Configure the command level available to users logging in to the user interface
  Command: user privilege level level
  Remarks: Optional. By default, commands of level 0 are available to users logging in to the VTY user interface.

To do: Configure the protocol to be supported by the user interface
  Command: protocol inbound { all | ssh | telnet }
  Remarks: Optional. By default, both Telnet and SSH are supported.

To do: Set the commands to be executed automatically after a user logs in to the user interface successfully
  Command: auto-execute command text
  Remarks: Optional. By default, no command is executed automatically after a user logs in to the VTY user interface.

To do: Make terminal services available
  Command: shell
  Remarks: Optional. By default, terminal services are available in all user interfaces.

To do: Set the maximum number of lines the screen can contain
  Command: screen-length screen-length
  Remarks: Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.