3COM WX3000 User Manual

3Com WX3000 Series Unified Switches Switching Engine
Operation Manual
Manual Version: 6W100
www.3com.com
3Com Corporation
350 Campus Drive, Marlborough, MA, USA 01752 3064
Copyright © 2009, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation.
3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part of 3Com Corporation to provide notification of such revision or change.
3Com Corporation provides this documentation without warranty, term, or condition of any kind, either implied or expressed, including, but not limited to, the implied warranties, terms or conditions of merchantability, satisfactory quality, and fitness for a particular purpose. 3Com may make improvements or changes in the product(s) and/or the program(s) described in this documentation at any time.
If there is any software on removable media described in this documentation, it is furnished under a license agreement included with the product as a separate document, in the hard copy documentation, or on the removable media in a directory file named LICENSE.TXT or !LICENSE.TXT. If you are unable to locate a copy, please contact 3Com and a copy will be provided to you.
UNITED STATES GOVERNMENT LEGEND
If you are a United States government agency, then this documentation and the software described herein are provided to you subject to the following:
All technical data and computer software are commercial in nature and developed solely at private expense. Software is delivered as “Commercial Computer Software” as defined in DFARS 252.227-7014 (June 1995) or as a “commercial item” as defined in FAR 2.101(a) and as such is provided with only such rights as are provided in 3Com’s standard commercial license for the Software. Technical data is provided with limited rights only as provided in DFAR 252.227-7015 (Nov 1995) or FAR 52.227-14 (June 1987), whichever is applicable. You agree not to remove or deface any portion of any legend provided on any licensed program or documentation contained in, or delivered to you in conjunction with, this User Guide.
Unless otherwise indicated, 3Com registered trademarks are registered in the United States and may or may not be registered in other countries.
3Com and the 3Com logo are registered trademarks of 3Com Corporation. All other company and product names may be trademarks of the respective companies with which they are associated.
ENVIRONMENTAL STATEMENT
It is the policy of 3Com Corporation to be environmentally-friendly in all operations. To uphold our policy, we are committed to:
Establishing environmental performance standards that comply with national legislation and regulations. Conserving energy, materials and natural resources in all operations. Reducing the waste generated by all operations. Ensuring that all waste conforms to recognized environmental standards. Maximizing the recyclable and reusable content of all products. Ensuring that all products can be recycled, reused and disposed of safely. Ensuring that all products are labelled according to recognized environmental standards. Improving our environmental record on a continual basis.
End of Life Statement
3Com processes allow for the recovery, reclamation and safe disposal of all end-of-life electronic components.
Regulated Materials Statement
3Com products do not contain any hazardous or ozone-depleting material.
Environmental Statement about the Documentation
The documentation for this product is printed on paper that comes from sustainable, managed forests; it is fully biodegradable and recyclable, and is completely chlorine-free. The varnish is environmentally-friendly, and the inks are vegetable-based with a low heavy-metal content.
About This Manual
Organization
3Com WX3000 Series Unified Switches consists of three models: the WX3024, the WX3010 and the WX3008. 3Com WX3000 Series Unified Switches Switching Engine Operation Manual is organized as follows:
Part | Contents
1 CLI | Introduces the command hierarchy, command views and CLI features of the WX3000 Series Unified Switches Switching Engine.
2 Login | Introduces the ways to log in to a WX3000 Series Unified Switches Switching Engine.
3 Configuration File Management | Introduces the configuration file and the related configuration.
4 VLAN | Introduces VLAN-/Voice VLAN-related configuration.
5 Auto Detect | Introduces auto detect and the related configuration.
6 Voice VLAN | Introduces voice VLAN and the related configuration.
7 GVRP | Introduces GVRP and the related configuration.
8 Basic Port Configuration | Introduces basic port configuration.
9 Link Aggregation | Introduces link aggregation and the related configuration.
10 Port Isolation | Introduces port isolation and the related configuration.
11 Port Security-Port Binding | Introduces port security, port binding, and the related configuration.
12 DLDP | Introduces DLDP and the related configuration.
13 MAC Address Table Management | Introduces MAC address forwarding table management.
14 MSTP | Introduces STP and the related configuration.
15 802.1x and System Guard | Introduces 802.1x and the related configuration.
16 AAA | Introduces AAA, RADIUS, HWTACACS, EAD, and the related configurations.
17 MAC Address Authentication | Introduces centralized MAC address authentication and the related configuration.
18 IP Address and Performance | Introduces IP address and IP performance related configuration.
19 DHCP | Introduces DHCP-Snooping, DHCP Client and the related configuration.
20 ACL | Introduces ACL and the related configuration.
21 QoS-QoS Profile | Introduces QoS and the related configuration.
22 Mirroring | Introduces mirroring and the related configuration.
23 ARP | Introduces ARP and the related configuration.
24 SNMP-RMON | Introduces the configuration for network management through SNMP and RMON.
25 Multicast | Introduces IGMP snooping and the related configuration.
26 NTP | Introduces NTP and the related configuration.
27 SSH | Introduces SSH2.0 and the related configuration.
28 File System Management | Introduces basic configuration for file system management.
29 FTP-SFTP-TFTP | Introduces basic configuration for FTP, SFTP and TFTP, and the applications.
30 Information Center | Introduces information center configuration.
31 System Maintenance and Debugging | Introduces daily system maintenance and debugging.
32 VLAN-VPN | Introduces VLAN VPN and the related configuration.
33 HWPing | Introduces HWPing and the related configuration.
34 DNS | Introduces DNS and the related configuration.
35 Smart Link-Monitor Link | Introduces Smart Link, Monitor Link and the related configuration.
36 PoE-PoE Profile | Introduces PoE, PoE profile and the related configuration.
37 Routing Protocol | Introduces the static route, RIP, and IP route policy configurations.
38 UDP Helper | Introduces UDP Helper and the related configuration.
39 Appendix | Lists the acronyms used in this manual.
Conventions
The manual uses the following conventions:

Command conventions

Boldface: The keywords of a command line are in Boldface.
italic: Command arguments are in italic.
[ ]: Items (keywords or arguments) in square brackets [ ] are optional.
{ x | y | ... }: Alternative items are grouped in braces and separated by vertical bars. One is selected.
[ x | y | ... ]: Optional alternative items are grouped in square brackets and separated by vertical bars. One or none is selected.
{ x | y | ... } *: Alternative items are grouped in braces and separated by vertical bars. A minimum of one or a maximum of all can be selected.
[ x | y | ... ] *: Optional alternative items are grouped in square brackets and separated by vertical bars. Many or none can be selected.
&<1-n>: The argument(s) before the ampersand (&) sign can be entered 1 to n times.
#: A line starting with the # sign is a comment.

GUI conventions

Boldface: Window names, button names, field names, and menu items are in Boldface. For example, the New User window appears; click OK.
>: Multi-level menus are separated by angle brackets. For example, File > Create > Folder.

Symbols

Three symbols are used in this manual:
• A symbol meaning that the reader must be extremely careful. Improper operation may cause bodily injury.
• A symbol meaning that the reader must be careful. Improper operation may cause data loss or damage to equipment.
• A symbol marking a complementary description.
Related Documentation
In addition to this manual, each 3Com WX3000 Series Unified Switches Switching Engine documentation set includes the following:
Manual | Description
3Com WX3000 Series Unified Switches Installation Manual | Introduces the installation process, startup, and hardware and software maintenance of WX3000 series unified switches.
3Com WX3000 Series Unified Switches Switching Engine Command Manual | Elaborates on the operation commands for WX3000 series unified switches switching engines. It covers the operation commands for CLI, login, VLAN, GVRP, basic port configurations, MAC address table management, MSTP, 802.1x, AAA, ACL, QoS, SNMP, RMON, NTP, and SSH.
3Com WX3000 Series Unified Switches User Manual | Provides a guide to the operation of WX3000 series unified switches access controller engines. It covers configurations of CLI, VLAN, system maintenance and debugging, WLAN, IPv4, IPv6, port basic configurations, multicast protocols, 802.1x, AAA, SSH, ACL, QoS, a description of the acronyms used throughout the manual, and a command index.
3Com WX3000 Series Unified Switches Web-Based Configuration Manual | Introduces the Web-based functions of the access control engine of WX3000 series unified switches.
Obtaining Documentation
You can access the most up-to-date 3Com product documentation on the World Wide Web at this URL: http://www.3com.com.
Table of Contents
1 CLI Configuration
  Introduction to the CLI
  Command Hierarchy
    Switching User Levels
    Setting the Level of a Command in a Specific View
  CLI Views
  CLI Features
    Online Help
    Terminal Display
    Command History
    Error Prompts
    Command Edit

1 CLI Configuration

The sample output information in this manual was created on the WX3024. The output information on your device may vary.

Introduction to the CLI

A command line interface (CLI) is a user interface for interacting with a device. Through the CLI, a user can enter commands to configure the device and check output information to verify the configuration. Each device provides an easy-to-use CLI and a set of configuration commands so that users can configure and manage it conveniently.
The CLI on these devices provides the following features, which give it good manageability and operability:
• Hierarchical command protection: After users of different levels log in, they can only use commands at their own or lower levels. This prevents users from using unauthorized commands to configure devices.
• Online help: Users can get online help at any time by entering a question mark (?).
• Debugging: Abundant and detailed debugging information is provided to help users diagnose and locate network problems.
• Command history: Users can check the commands they have recently executed and re-execute them.
• Partial matching of commands: The system searches for commands by partial matching. Users can execute a command by entering partially spelled keywords, as long as the keywords entered can be uniquely identified by the system.

Command Hierarchy

The device uses hierarchical command protection for command lines to prevent users at lower levels from using higher-level commands to configure the device.
Based on user privilege, commands are classified into four levels:
• Visit level (level 0): Commands at this level are mainly used to diagnose the network, and they cannot be saved in the configuration file. For example, ping, tracert and telnet are level 0 commands.
• Monitor level (level 1): Commands at this level are mainly used to maintain the system and diagnose service faults, and they cannot be saved in the configuration file. Such commands include debugging and terminal.
• System level (level 2): Commands at this level are mainly used to configure services. Commands concerning routing and the network layer are at this level. These commands can be used to provide network services directly.
• Manage level (level 3): Commands at this level are associated with the basic operation modules and support modules of the system. These commands provide support for services. Commands concerning the file system, FTP/TFTP/XModem downloading, user management, and level setting are at this level.
Users logged into the device fall into four user levels, which correspond to the four command levels respectively. Users at a specific level can only use the commands at the same level or lower levels.
By default, the Console user (a user who logs into the device through the Console port) is a level-3 user, and Telnet users are level-0 users.
Switching User Levels
After logging into the device, users can change their current user level through a command. Note that:
• If a switching password is set for a specific user level with the super password command, all users must enter the password correctly when they switch from a lower user level to this level (if a wrong password is entered, they remain at their original level).
• If no switching password is set for a specific user level, the Console user can directly switch to the level, while Telnet users at lower levels fail to switch to the level (they remain at their original level) and information like the following is displayed:
% Password is not set.
Setting a user level switching password
Follow these steps to set a password for user level switching:
1) Enter system view: system-view
2) Set the super password for user level switching: super password [ level level ] { cipher | simple } password
   Required. By default, the super password is not set.
Switching to a specific user level
Follow these steps to switch to a specific user level:
1) Switch to a specified user level: super [ level ]
   Required. Execute this command in user view.
• If no user level is specified in the super password command or the super command, level 3 is used by default.
• For security purposes, the password entered is not displayed when you switch to another user level. If you fail to enter the correct password in three attempts, you remain at the original user level.
1-2
Configuration example
After a general user telnets to the device, his or her user level is 0. The network administrator wants to allow general users to switch to level 3, so that they are able to configure the device.
# A level 3 user sets a switching password for user level 3.
<device> system-view
[device] super password level 3 simple 123
# A general user telnets to the device, and then uses the configured password to switch to user level 3.
<device> super 3
Password:
User privilege level is 3, and only those commands can be used whose level is equal or less than this.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE
# After configuring the device, the general user switches back to user level 0.
<device> super 0
User privilege level is 0, and only those commands can be used whose level is equal or less than this.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE
Note that the simple keyword stores the switching password in the configuration file in cleartext, whereas cipher stores it in encrypted form. Because any Telnet user (level 0 by default) who knows this password becomes a level 3 user, set it with cipher and choose a password that is harder to guess than the 123 used in this example.
Setting the Level of a Command in a Specific View
Commands fall into four levels: visit (level 0), monitor (level 1), system (level 2), and manage (level 3). By using the following command, the administrator can change the level of a command in a specific view as required.
Follow these steps to set the level of a command in a specific view:
1) Enter system view: system-view
2) Configure the level of a command in a specific view: command-privilege level level view view command
   Required.
• It is recommended not to change the level of a command arbitrarily, for it may cause inconvenience to maintenance and operation.
• When you change the level of a command with multiple keywords, you should input the keywords one by one in the order they appear in the command syntax. Otherwise, your configuration will not take effect.
Configuration example
The network administrator (a level 3 user) wants to change some TFTP commands (such as tftp get) from level 3 to level 0, so that general Telnet users (level 0 users) are able to download files through TFTP.
# Change the tftp get command in user view (shell) from level 3 to level 0. (Only level 3 users can change the level of a command.)
<device> system-view
[device] command-privilege level 0 view shell tftp
[device] command-privilege level 0 view shell tftp 192.168.0.1
[device] command-privilege level 0 view shell tftp 192.168.0.1 get
[device] command-privilege level 0 view shell tftp 192.168.0.1 get bootrom.btm
After the above configuration, general Telnet users can use the tftp get command to download file bootrom.btm and other files from TFTP server 192.168.0.1 and other TFTP servers.
Lowering a file-transfer command in this way lets the lowest-level users write files, including boot ROM images such as the bootrom.btm in this example, onto the device's storage. Lower only the keywords that are actually needed and keep the remaining file-system and transfer commands at level 3.
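As an added example (not part of the manual and not the device's own software), the following Python script audits a saved configuration for the two settings discussed in this section and the previous one: a super password stored with simple, and a manage-level command lowered with command-privilege. It also checks the keyword-by-keyword rule above, reporting a multi-keyword entry whose shorter prefixes were never entered. The configuration text, the severities and the list of manage-level keywords are assumptions constructed for this demonstration from the level descriptions given earlier; the format of a cipher password value is not specified in this manual, so the cipher value in the sample is an opaque placeholder.

```python
"""Audit a switching-engine configuration for the user-level settings covered
above: cleartext super passwords, manage-level commands lowered to a less
privileged level, and command-privilege chains with a missing prefix.
Added example, not the device's own code; the configuration is constructed."""

from __future__ import annotations

import re
from dataclasses import dataclass

# Keyword families the manual places at manage level (3): file system,
# FTP/TFTP/XModem transfer, user management and level setting. Assumption:
# derived from that description; it is not an exhaustive command list.
MANAGE_LEVEL_KEYWORDS = {
    "tftp", "ftp", "sftp", "xmodem",
    "dir", "copy", "delete", "move", "format",
    "local-user", "super", "command-privilege",
}
LEVEL_NAMES = {0: "VISIT", 1: "MONITOR", 2: "SYSTEM", 3: "MANAGE"}

SUPER_RE = re.compile(
    r"^super\s+password(?:\s+level\s+(?P<level>[0-3]))?"
    r"\s+(?P<mode>cipher|simple)\s+(?P<pw>\S+)$"
)
PRIV_RE = re.compile(
    r"^command-privilege\s+level\s+(?P<level>[0-3])"
    r"\s+view\s+(?P<view>\S+)\s+(?P<cmd>.+)$"
)

# Constructed sample configuration; the cipher value is a placeholder.
SAMPLE_CONFIG = """\
#
 super password level 3 simple 123
 super password level 2 cipher 7a9c0f2e1b4d8e6f
#
 command-privilege level 0 view shell tftp
 command-privilege level 0 view shell tftp 192.168.0.1 get
 command-privilege level 2 view shell ping
#
"""


@dataclass(frozen=True)
class Finding:
    severity: str
    line: int
    message: str


def audit(config_text: str) -> list[Finding]:
    """Return findings in configuration order, prefix-chain checks last."""
    findings: list[Finding] = []
    priv_entries: dict[str, dict[str, int]] = {}  # view -> command -> line

    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # lines starting with '#' are comments
        m = SUPER_RE.match(line)
        if m:
            level = int(m.group("level") or 3)  # no level given means level 3
            pw = m.group("pw")
            if m.group("mode") == "simple":
                findings.append(Finding("high", lineno,
                    f"level {level} ({LEVEL_NAMES[level]}) switching password is "
                    "stored in cleartext ('simple'); use 'cipher'"))
                if len(pw) < 8 or pw.isdigit():
                    findings.append(Finding("medium", lineno,
                        f"level {level} switching password is short or numeric; "
                        "any level-0 Telnet user who guesses it gains that level"))
            continue
        m = PRIV_RE.match(line)
        if m:
            level, view = int(m.group("level")), m.group("view")
            cmd = m.group("cmd").strip()
            priv_entries.setdefault(view, {})[cmd] = lineno
            if level < 3 and cmd.split()[0] in MANAGE_LEVEL_KEYWORDS:
                findings.append(Finding("high", lineno,
                    f"manage-level command '{cmd}' in view {view} lowered to "
                    f"level {level} ({LEVEL_NAMES[level]})"))

    # A multi-keyword entry only takes effect when every shorter prefix was
    # also entered, so report the first missing link of each chain.
    for view, cmds in priv_entries.items():
        for cmd, lineno in cmds.items():
            words = cmd.split()
            for n in range(1, len(words)):
                prefix = " ".join(words[:n])
                if prefix not in cmds:
                    findings.append(Finding("low", lineno,
                        f"'{cmd}' in view {view}: prefix '{prefix}' not set, "
                        "so this entry will not take effect"))
                    break
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.severity}] line {f.line}: {f.message}")
```

Run against a real device, feed the script the output of the configuration display command instead of SAMPLE_CONFIG; the regular expressions accept the leading space that saved configurations put before each command.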

CLI Views

CLI views are designed for different configuration tasks. They are both correlated and distinguishing. For example, once a user logs into a device successfully , the user enters user view, where the user can perform some simple operations such as checking the operation st atus an d stati stics information of the device. After executing the system-view command, the user enters system view, where the user can go to other views by entering corresponding commands.
Table 1-1 lists the CLI views provided by the device, operations that can be performed in different CLI
views and the commands used to enter specific CLI views.
Table 1-1 CLI views
View | Available operation | Prompt example | Enter method | Quit method
User view | Display operation status and statistical information of the device | <device> | Enter user view once logging into the device. | Execute the quit command to log out of the device.
System view | Configure system parameters | [device] | Execute the system-view command in user view. | Execute the quit or return command to return to user view.
Ethernet port view | Configure Ethernet port parameters | 1000 Mbps Ethernet port view: [device-GigabitEthernet1/0/1]; 10 Gigabit Ethernet port view: [device-TenGigabitEthernet1/1/1] | Execute the interface gigabitethernet or interface tengigabitethernet command in system view. | Execute the quit command to return to system view, or the return command to return to user view.
VLAN view | Configure VLAN parameters | [device-vlan1] | Execute the vlan command in system view. | Execute the quit command to return to system view, or the return command to return to user view.
VLAN interface view | Configure VLAN interface parameters | [device-Vlan-interface1] | Execute the interface Vlan-interface command in system view. | Execute the quit command to return to system view, or the return command to return to user view.
Loopback interface view | Configure loopback interface parameters | [device-LoopBack0] | Execute the interface loopback command in system view. | Execute the quit command to return to system view, or the return command to return to user view.
NULL interface view | Configure NULL interface parameters | [device-NULL0] | Execute the interface null command in system view. | Execute the quit command to return to system view, or the return command to return to user view.
Local user view | Configure local user parameters | [device-luser-user1] | Execute the local-user command in system view. | Execute the quit command to return to system view, or the return command to return to user view.
User interface view | Configure user interface parameters | [device-ui-aux0] | Execute the user-interface aux command in system view. | Execute the quit command to return to system view, or the return command to return to user view.
FTP client view | Configure FTP client parameters | [ftp] | Execute the ftp command in user view. | Execute the quit command to return to user view.
SFTP client view | Configure SFTP client parameters | sftp-client> | Execute the sftp command in system view. | Execute the quit command to return to system view.
MST region view | Configure MST region parameters | [device-mst-region] | Execute the stp region-configuration command in system view. | Execute the quit command to return to system view, or the return command to return to user view.
Cluster view | Configure cluster parameters | [device-cluster] | Execute the cluster command in system view. | Execute the quit command to return to system view, or the return command to return to user view.
Public key view | Configure the RSA public key for SSH users | [device-rsa-public-key] | Execute the rsa peer-public-key command in system view. | Execute the peer-public-key end command to return to system view.
Public key view | Configure the RSA or DSA public key for SSH users | [device-peer-public-key] | Execute the public-key peer command in system view. | Execute the peer-public-key end command to return to system view.
Public key editing view | Edit the RSA public key for SSH users | [device-rsa-key-code] | Execute the public-key-code begin command in public key view. | Execute the public-key-code end command to return to public key view.
Public key editing view | Edit the RSA or DSA public key for SSH users | [device-peer-key-code] | Execute the public-key-code begin command in public key view. | Execute the public-key-code end command to return to public key view.
Basic ACL view | Define rules for a basic ACL (with ID ranging from 2000 to 2999) | [device-acl-basic-2000] | Execute the acl number command in system view. | Execute the quit command to return to system view, or the return command to return to user view.
Advanced ACL view | Define rules for an advanced ACL (with ID ranging from 3000 to 3999) | [device-acl-adv-3000] | Execute the acl number command in system view. | Execute the quit command to return to system view, or the return command to return to user view.
Layer 2 ACL view | Define rules for a Layer 2 ACL (with ID ranging from 4000 to 4999) | [device-acl-ethernetframe-4000] | Execute the acl number command in system view. | Execute the quit command to return to system view, or the return command to return to user view.
QoS profile view | Define a QoS profile | [device-qos-profile-a123] | Execute the qos-profile command in system view. | Execute the quit command to return to system view, or the return command to return to user view.
RADIUS scheme view | Configure RADIUS scheme parameters | [device-radius-1] | Execute the radius scheme command in system view. | Execute the quit command to return to system view, or the return command to return to user view.
ISP domain view | Configure ISP domain parameters | [device-isp-aaa123.net] | Execute the domain command in system view. | Execute the quit command to return to system view, or the return command to return to user view.
HWPing view | Configure HWPing parameters | [device-hwping-a123-a123] | Execute the hwping command in system view. | Execute the quit command to return to system view, or the return command to return to user view.
HWTACACS view | Configure HWTACACS parameters | [device-hwtacacs-a123] | Execute the hwtacacs scheme command in system view. | Execute the quit command to return to system view, or the return command to return to user view.
PoE profile view | Configure PoE profile parameters | [device-poe-profile-a123] | Execute the poe-profile command in system view. | Execute the quit command to return to system view, or the return command to return to user view.
Smart-link group view | Configure smart-link group parameters | [device-smlk-group1] | Execute the smart-link group command in system view. | Execute the quit command to return to system view, or the return command to return to user view.
Monitor-link group view | Configure monitor-link group parameters | [device-mtlk-group1] | Execute the monitor-link group command in system view. | Execute the quit command to return to system view, or the return command to return to user view.
Port-group view | Configure port-group parameters | [device-port-group1] | Execute the port-group command in system view. | Execute the quit command to return to system view, or the return command to return to user view.
QinQ view | Configure QinQ parameters | [device-GigabitEthernet1/0/1-vid-20] | Execute the vlan-vpn vid command in Ethernet port view. The vlan-vpn enable command must be executed first. | Execute the quit command to return to Ethernet port view, or the return command to return to user view.
The shortcut key combination Ctrl+Z is equivalent to the return command.

CLI Features

Online Help
When configuring the device, you can use the online help to get related help information. The CLI provides two types of online help: complete and partial.
Complete online help
1) Enter a question mark (?) in any view on your terminal to display all the commands available in the view and their brief descriptions. The following takes user view as an example.
<device> ?
User view commands:
  boot       Set boot option
  cd         Change current directory
  clock      Specify the system clock
  cluster    Run cluster command
  copy       Copy from one file to another
  debugging  Enable system debugging functions
  delete     Delete a file
  dir        List files on a file system
  display    Display current system information
<Other information is omitted>
2) Enter a command, a space, and a question mark (?).
If the question mark (?) is at a keyword position in the command, all available keywords at the position and their descriptions are displayed on your terminal.
<device> clock ?
  datetime     Specify the time and date
  summer-time  Configure summer time
  timezone     Configure time zone
If the question mark (?) is at an argument position in the command, the description of the argument is displayed on your terminal.
[device] interface vlan-interface ?
  <1-4094>  VLAN interface number
If only <cr> is displayed after you enter a question mark (?), it means no parameter is available at the ? position, and you can enter and execute the command directly.
[device] interface vlan-interface 1 ?
  <cr>
Partial online help
1) Enter a character or string, and then a question mark (?) next to it. All the commands beginning with the character or string are displayed on your terminal. For example:
<device> p?
ping
pwd
2) Enter a command, a space, a character or string, and a question mark (?) next to it. All the keywords beginning with the character or string (if any) are displayed on your terminal. For example:
<device> display v?
version
vlan
voice
3) Enter the first several characters of a keyword of a command and then press Tab. If there is a unique keyword beginning with the characters just typed, the unique keyword is displayed in its complete form. If there are multiple keywords beginning with the characters, you can have them displayed one by one (in complete form) by pressing Tab repeatedly.
Terminal Display
The CLI provides the screen splitting feature to have display output suspended when the screen is full. When display output pauses, you can perform the following operations as needed (see Table 1-2).
Table 1-2 Display-related operations
Press | To
Ctrl+C | Stop the display output and execution of the command.
Any character except the space, Enter, the forward slash (/), plus sign (+), and minus sign (-) when the display output pauses | Stop the display output.
The space key | Go to the next page.
Enter | Go to the next line.
Command History
The CLI provides the command history function. You can use the display history-command command to view a specified number of the most recently executed commands and execute them again conveniently.
By default, the CLI can store up to 10 latest executed commands for each user. You can view the command history by performing the operations listed in Table 1-3.
Table 1-3 View history commands
Purpose | Operation | Remarks
Display the latest executed history commands | Execute the display history-command command | This command displays the command history.
Recall the previous history command | Press the up arrow key or Ctrl+P | This operation recalls the previous history command (if available).
Recall the next history command | Press the down arrow key or Ctrl+N | This operation recalls the next history command (if available).
• Because the Windows 9x HyperTerminal interprets the up and down arrow keys in a different way, the two keys are invalid when you access history commands in a Windows 9x HyperTerminal environment. However, you can use Ctrl+P and Ctrl+N instead to achieve the same purpose.
• When you enter the same command multiple times consecutively, only one history command entry is created by the command line interface.
Error Prompts
If a command passes the syntax check, it is executed; otherwise, an error message is displayed. Table 1-4 lists the common error messages.
Table 1-4 Common error messages
Error message | Description
Unrecognized command | The command does not exist. The keyword does not exist. The parameter type is wrong. The parameter value is out of range.
Incomplete command | The command entered is incomplete.
Too many parameters | The parameters entered are too many.
Ambiguous command | The parameters entered are ambiguous.
Wrong parameter | A parameter entered is wrong.
found at '^' position | An error is found at the '^' position.
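As an added example (not the device's own code), the following Python function resolves partially typed keywords the way the partial online help and the error messages in Table 1-4 describe: a unique prefix is expanded to the full keyword, more than one match gives Ambiguous command, no match gives Unrecognized command, a missing keyword gives Incomplete command, and a surplus token gives Too many parameters. The keyword tree is constructed from the help output shown earlier in this section and models keywords only, not arguments, so it is an assumption for the demonstration rather than the device's real command tree.

```python
"""Keyword resolution modelled on the partial matching and error prompts
described above. Added example, not the device's own code; the keyword
tree below is constructed from the help output in this section."""

# Constructed keyword tree: each keyword maps to its sub-keywords, and an
# empty dict marks a complete command. Arguments (such as a ping target) are
# not modelled, so 'ping' and 'pwd' count as complete once typed.
USER_VIEW = {
    "boot": {},
    "cd": {},
    "clock": {"datetime": {}, "summer-time": {}, "timezone": {}},
    "cluster": {},
    "copy": {},
    "debugging": {},
    "delete": {},
    "dir": {},
    "display": {"version": {}, "vlan": {}, "voice": {}},
    "ping": {},
    "pwd": {},
}


def complete(prefix, keywords):
    """Keywords beginning with prefix, as 'prefix?' would list them."""
    return sorted(k for k in keywords if k.startswith(prefix))


def resolve(line, tree=USER_VIEW):
    """Expand each token of line to a full keyword.

    Returns (status, expanded_keywords). status is 'ok' or the error
    message the device would print for the first token it cannot resolve.
    """
    node = tree
    expanded = []
    for token in line.split():
        if not node:
            # The previous keyword already completed the command.
            return "Too many parameters", expanded
        # An exact keyword wins even if it is also a prefix of another one.
        matches = [token] if token in node else complete(token, node)
        if not matches:
            return "Unrecognized command", expanded
        if len(matches) > 1:
            return "Ambiguous command", expanded
        expanded.append(matches[0])
        node = node[matches[0]]
    if node:
        return "Incomplete command", expanded
    return "ok", expanded


if __name__ == "__main__":
    for cmd in ("dis ver", "c", "display", "clock su", "pw extra", "foo"):
        print(f"{cmd!r:12} -> {resolve(cmd)}")
```

The exact-match rule matters on a real device: typing a keyword in full must never be reported as ambiguous merely because a longer keyword shares the same prefix.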
Command Edit
The CLI provides basic command edit functions and supports multi-line editing. The maximum number of characters a command can contain is 254.
Table 1-5 lists the CLI edit operations.
Table 1-5 Edit operations
Press… | To…
A common key | Insert the corresponding character at the cursor position and move the cursor one character to the right if the command is shorter than 254 characters.
Backspace key | Delete the character on the left of the cursor and move the cursor one character to the left.
Left arrow key or Ctrl+B | Move the cursor one character to the left.
Right arrow key or Ctrl+F | Move the cursor one character to the right.
Up arrow key or Ctrl+P, Down arrow key or Ctrl+N | Display history commands.
Tab | Use the partial online help. That is, when you input an incomplete keyword and press Tab, if the input uniquely identifies a complete keyword, the system substitutes the complete keyword for the input; if more than one keyword matches the input, you can display them one by one (in complete form) by pressing Tab repeatedly; if no keyword matches the input, the system displays your original input on a new line without any change.
Table of Contents
1 Logging In to the Switching Engine ·········· 1-1
  Logging In to the Switching Engine ·········· 1-1
  Introduction to the User Interface ·········· 1-1
    Supported User Interfaces ·········· 1-1
    User Interface Index ·········· 1-2
    Common User Interface Configuration ·········· 1-2
2 Logging In Through OAP ·········· 2-1
  OAP Overview ·········· 2-1
  Logging In to the Switching Engine Through OAP ·········· 2-1
  Configuring the Management IP Address of the OAP Software System ·········· 2-1
    Configuring the Management IP Address of the OAP Software System on the Switching Engine ·········· 2-2
    Configuring the Management IP Address of the OAP Software System of the Access Control Engine ··········
  Resetting the OAP Software System ·········· 2-3
3 Logging In Through Telnet ·········· 3-1
  Introduction ·········· 3-1
    Common Configuration ·········· 3-1
    Telnet Configurations for Different Authentication Modes ·········· 3-2
  Telnet Configuration with Authentication Mode Being None ·········· 3-3
    Configuration Procedure ·········· 3-3
    Configuration Example ·········· 3-4
  Telnet Configuration with Authentication Mode Being Password ·········· 3-5
    Configuration Procedure ·········· 3-5
    Configuration Example ·········· 3-6
  Telnet Configuration with Authentication Mode Being Scheme ·········· 3-7
    Configuration Procedure ·········· 3-7
    Configuration Example ·········· 3-10
  Telnetting to the Switching Engine ·········· 3-11
    Telnetting to the Switching Engine from a Terminal ·········· 3-11
    Telnetting to the Switching Engine from the Access Control Engine ·········· 3-13
4 Logging In from the Web-Based Network Management System ·········· 4-1
  Introduction ·········· 4-1
  Setting Up a Web Configuration Environment ·········· 4-2
  Configuring the Login Banner ·········· 4-3
    Configuration Procedure ·········· 4-3
    Configuration Example ·········· 4-4
  Enabling/Disabling the WEB Server ·········· 4-5
5 Logging In from NMS ·········· 5-1
  Introduction ·········· 5-1
  Connection Establishment Using NMS ·········· 5-1
6 Configuring Source IP Address for Telnet Service Packets ·········· 6-1
  Overview ·········· 6-1
  Configuring Source IP Address for Telnet Service Packets ·········· 6-1
  Displaying Source IP Address Configuration ·········· 6-2
7 User Control ·········· 7-1
  Introduction ·········· 7-1
  Controlling Telnet Users ·········· 7-1
    Prerequisites ·········· 7-1
    Controlling Telnet Users by Source IP Addresses ·········· 7-1
    Controlling Telnet Users by Source and Destination IP Addresses ·········· 7-2
    Controlling Telnet Users by Source MAC Addresses ·········· 7-3
    Configuration Example ·········· 7-3
  Controlling Network Management Users by Source IP Addresses ·········· 7-4
    Prerequisites ·········· 7-4
    Controlling Network Management Users by Source IP Addresses ·········· 7-4
    Configuration Example ·········· 7-5
  Controlling Web Users by Source IP Address ·········· 7-5
    Prerequisites ·········· 7-6
    Controlling Web Users by Source IP Addresses ·········· 7-6
    Disconnecting a Web User by Force ·········· 7-6
    Configuration Example ·········· 7-6

1 Logging In to the Switching Engine

The sample output information in this manual was created on the WX3024. The output information on your device may vary.

Logging In to the Switching Engine

You can log in to the switching engine of the device in one of the following ways:
• Logging in through OAP
• Logging in locally or remotely through an Ethernet port by means of Telnet or SSH
• Logging in to the Web-based network management system
• Logging in through NMS (network management station)

Introduction to the User Interface

Supported User Interfaces
The auxiliary (AUX) port and the console port of the device are the same port (referred to as console port in the following part). You will be in the AUX user interface if you log in through this port.
The device supports two types of user interfaces: AUX and VTY.
• AUX user interface: A view when you log in through the console port.
• Virtual type terminal (VTY) user interface: A view when you log in through VTY. A VTY port is a logical terminal line used when you access the device by means of Telnet or SSH.
Table 1-1 Description on user interface
AUX
  Applicable user: Users logging in through the console port
  Port used: Console port
  Description: Each device can accommodate one AUX user.
VTY
  Applicable user: Telnet users and SSH users
  Port used: Ethernet port
  Description: Each device can accommodate up to five VTY users.
User Interface Index
Two kinds of user interface index exist: the absolute user interface index and the relative user interface index.
1) The absolute user interface indexes are as follows:
• The absolute AUX user interface is numbered 0.
• VTY user interface indexes follow AUX user interface indexes. The first absolute VTY user interface is numbered 1, the second is 2, and so on.
2) A relative user interface index is obtained by appending a number to the identifier of a user interface type, so it is generated per user interface type. The relative user interface indexes are as follows:
• The AUX user interface is numbered 0.
• VTY user interfaces are numbered VTY0, VTY1, and so on.
Common User Interface Configuration
Follow these steps to configure common user interface:
• Lock the current user interface
  Use the command: lock
  Remarks: Optional. Execute this command in user view. A user interface is not locked by default.
• Specify to send messages to all user interfaces/a specified user interface
  Use the command: send { all | number | type number }
  Remarks: Optional. Execute this command in user view.
• Free a user interface
  Use the command: free user-interface [ type ] number
  Remarks: Optional. Execute this command in user view.
• Enter system view
  Use the command: system-view
  Remarks: —
• Set the banner
  Use the command: header [ incoming | legal | login | shell ] text
  Remarks: Optional. By default, no banner is configured.
• Set a system name for the switching engine
  Use the command: sysname string
  Remarks: Optional. By default, the system name is device.
• Enable copyright information displaying
  Use the command: copyright-info enable
  Remarks: Optional. By default, copyright displaying is enabled. That is, the copyright information is displayed on the terminal after a user logs in successfully.
• Enter user interface view
  Use the command: user-interface [ type ] first-number [ last-number ]
• Display the information about the current user interface/all user interfaces
  Use the command: display users [ all ]
  Remarks: Optional. You can execute the display command in any view.
• Display the physical attributes and configuration of the current/a specified user interface
  Use the command: display user-interface [ type number | number ]
  Remarks: Optional. You can execute the display command in any view.
• Display the information about the current web users
  Use the command: display web users
  Remarks: Optional. You can execute the display command in any view.

2 Logging In Through OAP

OAP Overview

As an open software and hardware system, Open Application Architecture (OAA) provides a complete set of standard software and hardware interfaces. Third-party vendors can develop products with special functions, and these products are compatible with each other as long as they conform to the OAA interface standards. Therefore, the functions of a single network product can be expanded, and users gain more benefits.
Open Application Platform (OAP) is a physical platform developed based on OAA. It can be an independent network device, or a board or program used as an extended part of a device. An OAP runs an independent operating system, in which you can load software such as security and voice applications as needed.

Logging In to the Switching Engine Through OAP

You can log in to the access control engine through the console port on the device and perform the following configurations on the access control engine. Then, you can log in to the switching engine.
1) Execute the oap connect slot 0 command in user view of the access control engine to log in to the switching engine.
<device> oap connect slot 0
Connected to OAP!
2) Press Enter to enter user view of the switching engine.
<device_LSW>
• To distinguish between the access control engine and the switching engine, the name of the switching engine is changed to device_LSW here. In fact, the default name of the switching engine is device.
• You can press Ctrl+K to return to the command line interface of the access control engine.

Configuring the Management IP Address of the OAP Software System

In the OAA system of the device, the access control engine and the switching engine integrate together and function as one device. For the SNMP UDP domain-based network management station (NMS), however, the access control engine and the switching engine are independent SNMP agents. Physically, the two agents are on the same managed object; logically, they belong to two different systems and manage their own MIB objects on the access control engine and the switching engine separately.
Therefore, when you use the NMS to manage the access control engine and the switching engine through the same interface, you must first obtain the management IP addresses of the two SNMP agents and the link relationship between them before you can access the two agents. By default, the management IP address of an OAP module is not configured.
Before configuring the management IP address of the OAP software system, you must configure the same IP address at the engine side where the OAP software system resides; otherwise, the NMS cannot access the OAP software system by using the configured management IP address.
Follow these steps to configure the management IP address of the OAP software system:
• Enter system view
  Use the command: system-view
  Remarks: —
• Configure the management IP address of an OAP module
  Use the command: oap management-ip ip-address slot 0
  Remarks: Required. Not configured by default.
Configuring the Management IP Address of the OAP Software System on the Switching Engine
1) Configure the management IP address of the OAP software system on the switching engine side.
<device_LSW> system-view
[device_LSW] interface vlan-interface 1
[device_LSW-Vlan-interface1] ip address 192.168.0.2 24
Press Ctrl+K to return to the command line operating interface of the access control engine.
2) Configure the management IP address of the SNMP agent on the access control engine.
<device> system-view
[device] oap management-ip 192.168.0.2 slot 0
Configuring the Management IP Address of the OAP Software System of the Access Control Engine
1) Configure the management IP address of the OAP software system on the access control engine side.
<device> system-view
[device] interface Vlan-interface 1
[device-Vlan-interface1] ip address 192.168.0.1 24
2) Log in to the switching engine, and configure the management IP address of the SNMP agent on the switching engine.
<device> oap connect slot 0
Connected to OAP!
<device_LSW> system-view
[device_LSW] oap management-ip 192.168.0.1 slot 0

Resetting the OAP Software System

If the operating system works abnormally or is subject to other anomalies, you can reset the OAP software system.
Follow these steps to reset the OAP software system:
• Reset the OAP software system
  Use the command: oap reboot slot 0
  Remarks: Required. Available in user view.
The reset operation may cause data loss and service interruption. Therefore, before resetting the OAP software system, save the data on the operating system to avoid service interruption and hardware data loss.

3 Logging In Through Telnet

Introduction

The device supports Telnet. You can manage and maintain the switching engine remotely by Telnetting to the switching engine.
To log in to the switching engine through Telnet, the corresponding configuration is required on both the switching engine and the Telnet terminal.
You can also log in to the switching engine through SSH. SSH is a secure shell added to Telnet. Refer to the SSH Operation for related information.
Table 3-1 Requirements for Telnetting to the switching engine
Switching engine
  Requirement: The IP address is configured for the VLAN of the switching engine, and the route between the switching engine and the Telnet terminal is reachable. (Refer to the IP Address and Performance Operation and Routing Protocol parts for more.) The authentication mode and other settings are configured. Refer to Table 3-2 and Table 3-3.
Telnet terminal
  Requirement: Telnet is running. The IP address of the VLAN of the switching engine is available.
Common Configuration
Table 3-2 lists the common Telnet configuration.
Table 3-2 Common Telnet configuration
VTY user interface configuration
  • Configure the command level available to users logging in to the VTY user interface
    Description: Optional. By default, commands of level 0 are available to users logging in to a VTY user interface.
  • Configure the protocols the user interface supports
    Description: Optional. By default, the Telnet and SSH protocols are supported.
  • Set the commands to be executed automatically after a user logs in to the user interface successfully
    Description: Optional. By default, no command is executed automatically after a user logs in to the VTY user interface.
VTY terminal configuration
  • Make terminal services available
    Description: Optional. By default, terminal services are available in all user interfaces.
  • Set the maximum number of lines the screen can contain
    Description: Optional. By default, the screen can contain up to 24 lines.
  • Set the history command buffer size
    Description: Optional. By default, the history command buffer can contain up to 10 commands.
  • Set the timeout time of a user interface
    Description: Optional. The default timeout time is 10 minutes.
Telnet Configurations for Different Authentication Modes
Table 3-3 lists Telnet configurations for different authentication modes.
Table 3-3 Telnet configurations for different authentication modes
Authentication mode: None
  • Perform common configuration
    Telnet configuration: Perform common Telnet configuration
    Description: Optional. Refer to Table 3-2.
Authentication mode: Password
  • Configure the password
    Telnet configuration: Configure the password for local authentication
    Description: Required
  • Perform common configuration
    Telnet configuration: Perform common Telnet configuration
    Description: Optional. Refer to Table 3-2.
Authentication mode: Scheme
  • Specify to perform local authentication or remote RADIUS authentication
    Telnet configuration: AAA configuration specifies whether to perform local authentication or RADIUS authentication
    Description: Optional. Local authentication is performed by default. Refer to the AAA part for more.
  • Configure user name and password
    Telnet configuration: Configure user names and passwords for local/RADIUS users
    Description: Required. The user name and password of a local user are configured on the switching engine. The user name and password of a remote user are configured on the RADIUS server; refer to the user manual of the RADIUS server for more.
  • Manage VTY users
    Telnet configuration: Set service type for VTY users
    Description: Required
  • Perform common configuration
    Telnet configuration: Perform common Telnet configuration
    Description: Optional. Refer to Table 3-2.
To improve security and prevent attacks on unused sockets, TCP port 23 and TCP port 22 (the ports for the Telnet and SSH services respectively) are enabled or disabled according to the corresponding configuration:
• If the authentication mode is none, TCP 23 is enabled and TCP 22 is disabled.
• If the authentication mode is password, and the corresponding password has been set, TCP 23 is enabled and TCP 22 is disabled.
• If the authentication mode is scheme, there are three scenarios: when the supported protocol is specified as telnet, TCP 23 is enabled; when the supported protocol is specified as ssh, TCP 22 is enabled; when the supported protocol is specified as all, both TCP 23 and TCP 22 are enabled.

Telnet Configuration with Authentication Mode Being None

Configuration Procedure
Follow these steps to perform Telnet configuration with the authentication mode being none:
• Enter system view
  Use the command: system-view
• Enter one or more VTY user interface views
  Use the command: user-interface vty first-number [ last-number ]
• Configure not to authenticate users logging in to VTY user interfaces
  Use the command: authentication-mode none
  Remarks: Required. By default, VTY users are authenticated after logging in.
• Configure the command level available to users logging in to the VTY user interface
  Use the command: user privilege level level
  Remarks: Optional. By default, commands of level 0 are available to users logging in to VTY user interfaces.
• Configure the protocols to be supported by the VTY user interface
  Use the command: protocol inbound { all | ssh | telnet }
  Remarks: Optional. By default, both the Telnet protocol and the SSH protocol are supported.
• Set the commands to be executed automatically after a user logs in to the user interface successfully
  Use the command: auto-execute command text
  Remarks: Optional. By default, no command is executed automatically after a user logs in to the VTY user interface.
• Make terminal services available
  Use the command: shell
  Remarks: Optional. By default, terminal services are available in all user interfaces.
• Set the maximum number of lines the screen can contain
  Use the command: screen-length screen-length
  Remarks: Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.
• Set the history command buffer size
  Use the command: history-command max-size value
  Remarks: Optional. The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.
• Set the timeout time of the VTY user interface
  Use the command: idle-timeout minutes [ seconds ]
  Remarks: Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.
Note that if you configure not to authenticate the users, the command level available to users logging in to the switching engine depends on the user privilege level level command.
Configuration Example
Network requirements
As shown in Figure 3-1, assume that the current user logs in using the oap connect slot 0 command, and the user level is set to the manage level (level 3). Perform the following configurations for users logging in through VTY 0 using Telnet.
• Do not authenticate the users.
• Commands of level 2 are available to the users.
• The Telnet protocol is supported.
• The screen can contain up to 30 lines.
• The history command buffer can contain up to 20 commands.
• The timeout time of VTY 0 is 6 minutes.
Figure 3-1 Network diagram for Telnet configuration (with the authentication mode being none)
Configuration procedure
# Enter system view.
<device> system-view
# Enter VTY 0 user interface view.
[device] user-interface vty 0
# Configure not to authenticate Telnet users logging in through VTY 0.
[device-ui-vty0] authentication-mode none
# Specify that commands of level 2 are available to users logging in through VTY 0.
[device-ui-vty0] user privilege level 2
# Configure the Telnet protocol to be supported.
[device-ui-vty0] protocol inbound telnet
# Set the maximum number of lines the screen can contain to 30.
[device-ui-vty0] screen-length 30
# Set the maximum number of commands the history command buffer can store to 20.
[device-ui-vty0] history-command max-size 20
# Set the timeout time to 6 minutes.
[device-ui-vty0] idle-timeout 6
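The following Python script is an added example, not part of this manual or the device software: it applies the TCP 22/23 rule stated in the Introduction to a constructed configuration excerpt written in the VTY command syntax used in the procedure above, reports which ports the manual says are enabled for each VTY range, and flags the settings an administrator would want to review (no authentication, cleartext Telnet, idle-timeout 0). SAMPLE_CONFIG, the placeholder cipher text and all function names are constructed for this example.

```python
# Added example: audit WX3000 VTY user-interface stanzas against the TCP 22/23
# rule in this manual. SAMPLE_CONFIG and all names here are constructed.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Constructed configuration excerpt in the command syntax the manual documents.
SAMPLE_CONFIG = """\
user-interface vty 0
 authentication-mode none
 user privilege level 2
 protocol inbound telnet
 idle-timeout 6 0
user-interface vty 1 2
 authentication-mode password
 set authentication password cipher CIPHERTEXT-PLACEHOLDER
 idle-timeout 0
user-interface vty 3 4
 authentication-mode scheme
 protocol inbound ssh
"""


@dataclass
class VtyStanza:
    first: int
    last: int
    auth_mode: Optional[str] = None          # none | password | scheme
    password_set: bool = False               # "set authentication password" seen
    protocol_inbound: str = "all"            # manual default: Telnet and SSH
    idle_timeout_secs: Optional[int] = None  # None = manual default, 10 minutes


def parse_vty_stanzas(config: str) -> List[VtyStanza]:
    """Collect each 'user-interface vty first [last]' block and its settings."""
    stanzas, current = [], None
    for raw in config.splitlines():
        words = raw.split()
        if words[:2] == ["user-interface", "vty"]:
            first = int(words[2])
            current = VtyStanza(first, int(words[3]) if len(words) > 3 else first)
            stanzas.append(current)
        elif not words or current is None:
            continue
        elif words[0] == "authentication-mode" and len(words) == 2:
            current.auth_mode = words[1]
        elif words[:3] == ["set", "authentication", "password"]:
            current.password_set = True
        elif words[:2] == ["protocol", "inbound"] and len(words) == 3:
            current.protocol_inbound = words[2]
        elif words[0] == "idle-timeout" and len(words) in (2, 3):
            seconds = int(words[2]) if len(words) == 3 else 0
            current.idle_timeout_secs = int(words[1]) * 60 + seconds
    return stanzas


def enabled_ports(s: VtyStanza) -> Optional[FrozenSet[int]]:
    """Manual's rule: which of TCP 23 (Telnet) / TCP 22 (SSH) gets enabled."""
    if s.auth_mode == "none":
        return frozenset({23})
    if s.auth_mode == "password":
        # Manual covers only the password-set case; unset treated as none (assumption).
        return frozenset({23}) if s.password_set else frozenset()
    if s.auth_mode == "scheme":
        return {"telnet": frozenset({23}), "ssh": frozenset({22}),
                "all": frozenset({22, 23})}.get(s.protocol_inbound)
    return None  # no explicit mode in the stanza: not derivable from the manual


def audit(config: str) -> Dict[str, dict]:
    """Per VTY range: ports the manual says are enabled, plus settings to review."""
    report = {}
    for s in parse_vty_stanzas(config):
        ports, notes = enabled_ports(s), []
        if s.auth_mode == "none":
            notes.append("no login authentication on the VTY range")
        if ports and 23 in ports:
            notes.append("cleartext Telnet reachable on TCP 23")
        if s.idle_timeout_secs == 0:
            notes.append("idle-timeout 0 disables the session timeout")
        name = f"vty {s.first}" if s.first == s.last else f"vty {s.first}-{s.last}"
        report[name] = {"ports": sorted(ports) if ports is not None else None,
                        "findings": notes}
    return report
```

Running audit(SAMPLE_CONFIG) reports TCP 23 for the unauthenticated VTY 0 and the password-protected VTY 1-2 and TCP 22 only for the scheme/ssh range VTY 3-4.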

Telnet Configuration with Authentication Mode Being Password

Configuration Procedure
Follow these steps to perform Telnet configuration with the authentication mode being password:
• Enter system view
  Use the command: system-view
• Enter one or more VTY user interface views
  Use the command: user-interface vty first-number [ last-number ]
• Configure to authenticate users logging in to VTY user interfaces using the local password
  Use the command: authentication-mode password
  Remarks: Required
• Set the local password
  Use the command: set authentication password { cipher | simple } password
  Remarks: Required
• Configure the command level available to users logging in to the user interface
  Use the command: user privilege level level
  Remarks: Optional. By default, commands of level 0 are available to users logging in to the VTY user interface.
• Configure the protocol to be supported by the user interface
  Use the command: protocol inbound { all | ssh | telnet }
  Remarks: Optional. By default, both the Telnet protocol and the SSH protocol are supported.
• Set the commands to be executed automatically after a user logs in to the user interface successfully
  Use the command: auto-execute command text
  Remarks: Optional. By default, no command is executed automatically after a user logs in to the VTY user interface.
• Make terminal services available
  Use the command: shell
  Remarks: Optional. By default, terminal services are available in all user interfaces.
• Set the maximum number of lines the screen can contain
  Use the command: screen-length screen-length
  Remarks: Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.