H3C S3100 8C SI User Manual

H3C S3100 Series Ethernet Switches

Operation Manual

Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com

Manual Version: 20080710-C-1.05

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.

Trademarks

H3C, , Aolynk, , H3Care, Neocean, NeoVTL, SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd.

All other trademarks that may be mentioned in this manual are the property of their respective owners.

Notice

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the content s, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.

Technical Support

customer_service@h3c.com http://www.h3c.com

, TOP G, , IRF, NetPilot,

G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision and

About This Manual

Organization

H3C S3100 Series Ethernet Switches Operation Manual is organized as follows:

Part Contents

0 Product Overview

1 CLI

2 Login

3 Configuration File Management

4 VLAN

5 Management VLAN Introduces the management VLAN configuration.

6 IP Address-IP Performance

7 Voice VLAN

8 GVRP Introduces GVRP and the related configuration. 9 Port Basic Configuration Introduces basic port configuration.

10 Link Aggregation

Introduces the characteristics and implementations of the Ethernet switch.

Introduces the command hierarchy, command view and CLI features of the Ethernet switch.

Introduces the ways to log into an Ethernet switch.

Introduces the ways to manage configuration files.

Introduces VLAN fundamental and the related configuration.

Introduces IP address and IP performance fundamental and the related configuration.

Introduces voice VLAN fundamental and the related configuration.

Introduces link aggregation and the related configuration.

11 Port Isolation

12 Port Security-Port Binding

13 DLDP Introduces DLDP and the related configuration. 14 MAC Address Table

Management 15 MSTP Introduces STP and the related configuration. 16 Multicast Introduces the configuration of IGMP Snooping.

17 802.1x-System Guard

Introduces port isolation and the related configuration.

Introduces port security, port binding, and the related configuration.

Introduces MAC address forwarding table and the related configuration.

Introduces 802.1x, System-Guard and the related configuration.

Part Contents

18 AAA

19 MAC Address Authentication

Introduces AAA, RADIUS, HWTACACS, EAD, and the related configurations.

Introduces MAC address authentication and the related configuration.

20 ARP Introduces ARP and the related configuration.

21 DHCP

Introduces DHCP, DHCP-Snooping, and the related configurations.

22 ACL Introduces ACL and the related configuration.

23 QoS-QoS Profile

24 Mirroring

25 Stack-Cluster

26 PoE-PoE Profile

27 SNMP-RMON

Introduces QoS, QoS profile and the related configuration.

Introduces port mirroring and the related configuration.

Introduces the configuration to form clusters using HGMP V2.

Introduces PoE, PoE profile and the related configuration.

Introduces the configuration to manage network

devices through SNMP and RMON. 28 NTP Introduces NTP and the related configuration. 29 SSH Introduces SSH and the related configuration.

30 File System Management

31 FTP-SFTP-TFTP

32 Information Center

33 System Maintenance and Debugging

34 VLAN-VPN

Introduces basic configuration for file system

management.

Introduces basic configuration for FTP, SFTP,

TFTP, and the applications.

Introduces the configuration to analyze and

diagnose networks using the information center.

Introduces daily system maintenance and

debugging.

Introduces VLAN VPN and the related

configuration. 35 HWPing Introduces HWPing and the related configuration.

36 IPv6 Management

Introduces IPv6 Management and the related

configuration. 37 DNS Introduces DNS and the related config uration.

38 Smart Link-Monitor Link

Introduces Smart Link, Monitor Link and the

related configuration. 39 Appendix Lists the acronyms used in this manual.

Conventions

The manual uses the following conventions:

I. Command conventions

Convention Description

Boldface

italic

[ ]

{ x | y | ... }

[ x | y | ... ]

{ x | y | ... } *

[ x | y | ... ] *

&<1-n>

# A line starting with the # sign is comments.

The keywords of a command line are in Boldface. Command arguments are in italic. Items (keywords or arguments) in square brackets [ ] are

optional. Alternative items are grouped in braces and separated by

vertical bars. One is selected. Optional alternative items are grouped in square brackets

and separated by vertical bars. One or none is selected. Alternative items are grouped in braces and separated by

vertical bars. A minimum of one or a maximum of all can be selected.

Optional alternative items are grouped in square brackets and separated by vertical bars. Many or none can be selected.

The argument(s) before the ampersand (&) sign can be entered 1 to n times.

II. GUI conventions

Convention Description

Boldface

III. Symbols

Convention Description

Warning

Caution

Window names, button names, field names, and menu items are in Boldface. For example, the New User window appears; click OK.

Multi-level menus are separated by angle brackets. For example, File > Create > Folder.

Means reader be extremely careful. Improper operation may cause bodily injury.

Means reader be careful. Improper operation may cause data loss or damage to equipment.

Convention Description

 Note Means a complementary description.

Chapter 1 Obtaining the Documentation

Hangzhou H3C Technologies Co., Ltd. provides various ways for you to obtain documentation, through which you can obtain the product documentations and those concerning newly added new features. The document ations are available in on e of the following ways:

z CD-ROMs shipped with the devices z H3C website z Software release notes

1.1 CD-ROM

H3C delivers a CD-ROM together with each device. The CD-ROM contains the operation manual and command manual. After installing the reader program provided by the CD-ROM, you can search for the desired contents in a convenient way through the reader interface.

The contents in the manual are subject to update on an irregular basis due to product version upgrade or some other reasons. Therefore, the contents in the CD-ROM may not be the latest version. This manual serves the purpose of user guide only. Unless otherwise noted, all the information in the document set does not claim or imply any warranty. For the latest software documentation, go to the H3C website.

1.2 H3C Website

Perform the following steps to query and download the product do cumentation from the H3C website.

Table 1-1 Acquire product documentation from the H3C website

Registering

Acquire product documentation

Access the homepage of H3C at http:// www.h3c.com and click on Registration at the top right. In the displayed page, provide your information and click on Submit to register.

Approach 1: In the homepage of H3C at http:// www.h3c.com, select Technical

Support & Document > Technical Documents from the navigation menu at the top. Then select a product for its documents.

Approach 2: In the homepage of H3C at http:// www.h3c.com, select Support >

Technical Documents. Then select a product for its documents.

1-1

Operation Manual – Product Overview H3C S3100 Series Ethernet Switches Chapter 1 Obtaining the Documentation

1.3 Software Release Notes

With software upgrade, new software features may be added. You can acquire the information about the newly added software features through software release notes.

1-2

Operation Manual – Product Overview H3C S3600 Series Ethernet Switches

Chapter 2 Correspondence Between

Documentation and Software

2.1 Manual List

Chapter 2 Correspondence Between Documentation

and Software

H3C S3100 Series Ethernet Switches Installation Manual H3C S3100 Series Ethernet Switches Quick Start H3C S3100 Series Ethernet Switches Compliance and

Safety Manual H3C S3100 Series Ethernet Switches Operation Manual H3C S3100 Series Ethernet Switches Command Manual

2.2 Software Version

H3C S3100 Series Ethernet Switches Operation Manual and H3C S3100 Series Ethernet Switches Command Manual are for the software versions list in

the S3100-SI series and S3100-EI series switches.

Table 2-1 Corresponding software versions of this manual

Switch Software Version

Manual name

Corresponding

Product

S3100-SI series S3100-EI series

Table 2-1 of

S3100-SI series Release2102, Release2107 S3100-EI series Release2104, Release2107, Release2107P01

The supported features are different between these softwa re versions.

z Compared with Release 2102, some new features are added in Release 2107 of

the S3100-SI series switches. For details, refer to

z Compared with Release 2104, some new features are added in Release 2107 and

Release 2107P01 of the S3100-EI series switches. For details, refer to

2-1

Table 2-2.

Table 2-3.

Operation Manual – Product Overview H3C S3600 Series Ethernet Switches

Table 2-2 Added features compared with the earlier software version of S3100-SI

Chapter 2 Correspondence Between Documentation

and Software

Software

Version

Added Features Compared With The

Earlier Version

Assigning MAC Addresses for Ethernet Ports

ARP Source MAC Address Consistency Check

Local authentication after failed of remote authentication

Manual

14-MAC Address Table Management

20-ARP

18-AAA

Unauthorized DHCP Server Detection 21-DHCP

Release2107

SNMP AES 128 27-SNMP-RMON rsa peer-public-key import 29-SSH FTP disconnect 31-FTP-SFTP-TFTP Identifying and Diagnosing Pluggable

Transceivers

33-System Maintenance and Debugging

IPv6 Management 36-IPv6 Management

Table 2-3 Added features compared with the earlier software version of S3100-EI

Software

Version

Release2107 P01

Release2107

Added Features Compared With The

Earlier Version

Manual

Configuring loopback detection for a list of ports in bulk

09-Port Basic Configuration

Enabling auto-shutdown of loopback ports ARP Source MAC Address Consistency

Check Assigning MAC Addresses for Ethernet

Ports

20-ARP

14-MAC Address

Table Management Traffic Shaping 23-QoS-QoS Profile SNMP AES 128 27-SNMP-RMON rsa peer-public-key import 29-SSH FTP disconnect 31-FTP-SFTP-TFTP

2-2

Operation Manual – Product Overview H3C S3100 Series Ethernet Switches Chapter 3 Product Overview

Chapter 3 Product Overview

 Note:

For the convenience of users, units of Mega bps/1000 Mega bps in the following chapters are simplified as M/G.

3.1 Overview

The H3C S3100 Series Ethernet Switches are high-performance, high-density, easy-to-install, NMS-manageable intelligent Ethernet switches which support wire-speed Layer 2 switching.

3.2 Software Features

S3100 Series Ethernet Switches have abundant software features and can meet the requirements of different applications. each module.

Table 3-1 Software features of the S3100 series

Part Features

1 CLI

2 Login

3 Configuration File Management

4 VLAN

5 Management VLAN

Table 3-1 summarizes the features provided by

z CLI z Hierarchically grouped commands z CLI online help

z Logging into a switch through the Console port z Logging into a switch through an Ethernet port by

using Telnet or SSH

z Logging into a switch through the Console port by

using modem

z Logging into a switch through Web or NMS z Saving and deleting the configuration file

z Specifying the configuration file to be used the next

time the device boots and the file attribute

z IEEE 802.1Q-compliant VLAN z Port-based VLAN z Protocol-based VLAN (Supported by only S3100-EI

series switches)

z Management VLAN configuration z Management VLAN interface configuration

3-1

Operation Manual – Product Overview H3C S3100 Series Ethernet Switches Chapter 3 Product Overview

Part Features

6 IP Address-IP Performance Configuration

7 Voice VLAN

z Configuring an IP address for a switch z Configuring the TCP attributes for a switch

Voice VLAN (Supported by only S3100-EI series switches)

8 GVRP GARP VLAN registration protocol (GVRP)

z Three port states supported: Access, Trunk, and

Hybrid

9 Port Basic Configuration

10 Link Aggregation

11 Port Isolation

12 Port Security-Port Binding

13 DLDP

z Setting broadcast storm suppression globally z Loopback detection supported z Cable test

z Link aggregation control protocol (LACP) z Manual aggregation z Static aggregation

Port isolation group

z Multiple security modes z IP address-MAC address-port binding (Supported

by only S3100-EI series switches)

Device link detection protocol (DLDP) (Supported by only S3100-EI series switches)

14 MAC Address Table Management

15 MSTP

16 Multicast

17 802.1x-System Guard

18 AAA

z Manually configuring dynamic, static, and black hole

MAC addresses

z Configuring the aging time for MAC addresses z MAC address learning limit z Disabling ports in a VLAN from learning MAC

addresses (Supported by only S3100-EI series switches)

z STP/RSTP/MSTP z Private MSTP path cost standard

Internet group management protocol snooping (IGMP Snooping) v2&v3

z 802.1X authentication z System guard z Huawei authentication bypass protocol (HABP) z Quick EAD Deployment (Supported by only

S3100-EI series switches)

z Authentication, authorization, and accounting (AAA) z Remote authentication dial-In user service

(RADIUS)

z Huawei terminal access controller access control

system (HWTACACS)

z Endpoint Admission Defense(EAD) (Supported by

only S3100-EI series switches)

19 MAC Address Authentication

MAC address authentication

3-2

Operation Manual – Product Overview H3C S3100 Series Ethernet Switches Chapter 3 Product Overview

Part Features

20 ARP

21 DHCP

22 ACL

23 QoS-QoS Profile

24 Mirroring

25 Stack-Cluster

26 PoE-PoE Profile

27 SNMP-RMON

z Gratuitous ARP z Manually configuring ARP entries

z DHCP Client z DHCP Snooping z Using Option82 in DHCP Snooping (Supported by

only S3100-EI series switches)

z Basic/Advanced ACLs (Only ACLs defined on

S3100-EI Series switches can be applied to hardware directly)

z Layer 2 ACLs (Supported by only S3100-EI series

switches)

z Quality of Service (QoS) z QoS Profile (Supported by only S3100-EI series

switches)

z Local port mirroring z Remote port mirroring

z Huawei Group Management Protocol (HGMP) v2 z Neighbor discovery protocol (NDP) z Neighbor topology discovery protocol (NTDP) z Stack

z Power over Ethernet (PoE) z PoE profile

z Simple network management protocol (SNMP) v3,

compatible with SNMP v1/v2

z Remote monitoring (RMON)

28 NTP z Network time protocol (NTP)

z SSH1 (Supported by only S3100-EI series switches)

29 SSH

z SSH2 z Operating as an SSH (Secure Shell) server/SSH

client

30 File System Management

31 FTP-SFTP-TFTP

32 Information Center

33 System Maintenance and Debugging

z File system management z File attribute configurable

z Operating as an FTP server/FTP client z Operating as an SFTP server/SFTP client z Operating as a TFTP client

z System logs z Hierarchical alarms z Debugging information output

z Configuring system time z Displaying and configuring system device state

3-3

Operation Manual – Product Overview H3C S3100 Series Ethernet Switches Chapter 3 Product Overview

Part Features

z VLAN-VPN (QinQ) z VLAN Mapping (Supported by only S3100-EI series

switches)

z Configuring TPID value (Supported by only

34 VLAN-VPN

S3100-EI series switches)

z Configuring BPDU Tunnel (Supported by only

S3100-EI series switches)

z Selective QinQ (Supported by only S3100-EI series

switches)

35 HWPing HWPing

36 IPv6 Management

37 DNS

38 Smart Link-Monitor Link

z Supporting IPv6 address z IPv6-based Ping, Traceroute, TFTP, and Telnet

z Static Domain Name System (DNS) z Dynamic DNS (Supported by only S3100-EI series

switches)

z Smart Link (Supported by only S3100-EI series

switches)

z Monitor Link (Supported by only S3100-EI series

switches)

3-4

Operation Manual – Product Overview H3C S3100 Series Ethernet Switches Chapter 4 Network Design

Chapter 4 Network Design

The S3100 series can be flexibly deployed in networks. They can be used in enterprise networks, or serve as broadband access points. The following examples are three typical networks using the S3100 series.

4.1 MAN Access Solution

In a metropolitan area network (MAN), the S3100 series can serve as access devices. In the downlink direction, they directly connect to users through 100 Mbps interfaces; and in the uplink direction, they connect to an aggregation layer (Layer 3) switches or MA5200 intelligent service gateways, which further connect to the core of the MAN through routers. This provides you a comprehensive gigabit-to-backbone 100-Mbps-to-desktop MAN solution.

Figure 4-1 Network diagram for a MAN using S3100 series

4.2 Education Network Solution

In a campus network, the S3100 series can serve as desktop switching devices at the access layer. They directly connect to users in education buildings through 100 Mbps downlink interfaces; and connect to the core switch in the campus throu gh a 1000 Mbps uplink interface; the core switch further connects to the education network through a

4-1

Operation Manual – Product Overview H3C S3100 Series Ethernet Switches Chapter 4 Network Design

router. This enables the users in the campus to exchange information and share resources in the scope of the education network.

Sever CoursewareNMS

Network center

1000/100M

S3100

100M

Video classroom/conference room

S3100

100M

1000M 1000M

AR28

S5600

Education

network

Classroom/laboratory

Figure 4-2 Network diagram for an education network using S3100 series

4.3 Multi-Service Carrier VLAN Solution

 Note:

S3100

100M

School building

S3100

100M

School building

Only S3100-EI series Ethernet switches support this multi-service carrier VLAN solution.

With development of various application technologies, enterprise users are increasingly relying on network services. They hope the networks can offer secure, reliable leased lines, VOIP and video conference services, thus reducing their operating costs. Additionally, apart from simple Internet surfing, individual users expect more abundant services from the networks, e.g., IPTV, video chatting, real-time gaming, etc. Meanwhile, construction of the NGN/3G carrier network will draw huge attention of carriers. If NGN/3G services can be carried on the broadband access network, the costs of the entire network solution can be lowered dramatically.

T o carry such services with different QOS requi rements, the broadband access netwo rk needs to have effective service identification and isolation capacity. VLAN is the best service identification and isolation technology at present, and is the basis for

4-2

Operation Manual – Product Overview H3C S3100 Series Ethernet Switches Chapter 4 Network Design

multi-service deployment. As broadband users increase explosively and services appear continuously, however, the traditional VLAN technology cannot meet the requirements of service deployments. In this situation, QinQ, VLAN mapping, etc become new choices.

The figure below shows a typical application: The IPTV service requires that the DSLAM be moved downwards into the campus to enhance users’ access bandwidth. S3100-EI acts as the DSLAM convergence switch. Selective QinQ is configured on the device, with the service VLAN identifying the DSLAM or the campus position and the customer VLAN identifying the customer. In this way, carriers can implement uniform planning and precise management: VLAN layout is simple, and is not affected by the customer side.

IP MAN

End office Switch

Campus Switch (S3100-EI)

DSLAM

…… ……

Figure 4-3 DSLAM convergence application

Another more complicated configuration example is when the LAN is connected to dense Home Gateways (HG). Generally, the ex-factory setting of an HG is simple as it uses a fixed VLAN tag to identify the attached service type (data service, IPTV, etc). Thus, precise division and management for users and services can be implemented. And VLAN mapping is then implemented on the access device S3100-EI. In this way, respective service VLANs are “translated” into the VLANs that com ply with the carrier’s deployment. In addition, QinQ is used on the upstream device to identify the campus position. Such uniform configuration implements carriers’ precise PUPSPV (respective users and respective services use their own VLANs) management.

4-3

Operation Manual – Product Overview H3C S3100 Series Ethernet Switches Chapter 4 Network Design

Figure 4-4 New vlan management scheme

4-4

Operation Manual – CLI H3C S3100 Series Ethernet Switches Table of Contents

Table of Contents

Chapter 1 CLI Configuration ........................................................................................................ 1-1

1.1 Introduction to the CLI ....................................................................................................... 1-1

1.2 Command Hierarchy..........................................................................................................1-1

1.2.1 Command Level and User Privilege Level..............................................................1-1

1.2.2 Modifying the Command Level................................................................................1-2

1.2.3 Switching User Level............................................................................................... 1-3

1.3 CLI Views...........................................................................................................................1-7

1.4 CLI Features....................................................................................................................1-12

1.4.1 Online Help............................................................................................................1-12

1.4.2 Terminal Display....................................................................................................1-13

1.4.3 Command History..................................................................................................1-13

1.4.4 Error Prompts........................................................................................................ 1-14

1.4.5 Command Edit.......................................................................................................1-15

Operation Manual – CLI H3C S3100 Series Ethernet Switches Chapter 1 CLI Configuration

Chapter 1 CLI Configuration

1.1 Introduction to the CLI

A command li ne interface (CLI) is a user interfa ce to interact with a switch. Throug h the CLI on a switch, a user can enter commands to configure the switch and check output information to verify the configuration. Each S3100 series Ethernet switch provides an easy-to-use CLI and a set of configuration commands for the convenience of the user to configure and manage the switch.

The CLI on S3100 series Ethernet switches provides the following features, and so has good manageability and operability.

z Hierarchical command protection: After users of different levels log in, they can

only use commands at their own, or lower, levels. This prevents users from using unauthorized commands to configure switches.

z Online help: Users can gain online help at any time by entering a question mark

(?).

z Debugging: Abundant and detailed debugging information is provided to help

users diagnose and locate network problems.

z Command history function: This enables users to check the commands that they

have lately executed and re-execute the commands.

z Partial matching of commands: The system will use partially matching method to

search for commands. This allows users to execute a command by entering partially-spelled command keywords as long as the keywords entered can be uniquely identified by the system.

1.2 Command Hierarchy

1.2.1 Command Level and User Privilege Level

I. Command level

The S3100 series Ethernet switches use hierarchical command protection for command lines, so as to inhibit users at lower levels from using higher-level command s to configure the switches.

Based on user privilege, commands are classified into four levels, which default to:

z Visit level (level 0): Commands at this level are mainly used to diagnose network,

and they cannot be saved in configuration file. For example, ping, tracert and telnet are level 0 commands.

1-1

Operation Manual – CLI H3C S3100 Series Ethernet Switches Chapter 1 CLI Configuration

z Monitor level (level 1): Commands at this level are mainly used to maintain the

system and diagnose service faults, and they cannot be saved in configuration fil e. Such commands include debugging and terminal.

z System level (level 2): Commands at this level are mainly used to configure

services. Commands concerning routing and network layers are at this level. These commands can be used to provide network services directly.

z Manage level (level 3): Commands at this level are associated with the basic

operation modules and support modules of the system. These commands p rovide support for services. Commands concerning file system, FTP/TFTP/XModem downloading, user management, and level setting are at this level.

II. User privilege level

Users logged into the switch fall into four user privilege levels, which correspond to the four command levels respectively. Users at a specific level can only use the commands at the same level or lower levels.

By default, the Console user (a user who logs into the switch through the Console port) is a level-3 user, and Telnet users are level-0 users.

Y ou can use the user privilege level command to set the default user privilege level for users logging in through a certain user interface. For details, refer to Login Operation.

 Note:

If a user logs in using AAA authentication, the user privilege level depends on the configuration of the AAA scheme. For details, refer to AAA Operation.

1.2.2 Modifying the Command Level

I. Modifying the Command Level

Commands fall into four levels: visit (level 0), monitor (level 1), system (level 2), and manage (level 3). By using the following command, the administrator can change the level of a command in a specific view as required.

Table 1-1 Set the level of a command in a specific view

Operation Command Remarks

Enter system view Configure the level of a

command in a specific view

system-view command-privilege level level view

view command

1-2

—

Required

Operation Manual – CLI H3C S3100 Series Ethernet Switches Chapter 1 CLI Configuration

Caution:

z It is recommended not to change the level of a command arbitrarily, for it may cause

inconvenience to maintenance and operation.

z When you change the level of a command with multiple keywords, you should input

the keywords one by one in the order they appear in the command syntax. Otherwise, your configuration will not take effect.

II. Configuration example

The network administrator (a level 3 user) wants to change some TFTP commands (such as tftp get) from level 3 to level 0, so that general Telnet users (level 0 users) are able to download files through TFTP.

# Change the tftp get command in user view (shell) from level 3 to level 0. (Originally, only level 3 users can change the level of a command.)

<Sysname> system-view [Sysname] command-privilege level 0 view shell tftp [Sysname] command-privilege level 0 view shell tftp 192.168.0.1 [Sysname] command-privilege level 0 view shell tftp 192.168.0.1 get [Sysname] command-privilege level 0 view shell tftp 192.168.0.1 get bootrom.btm

After the above configuration, general Telnet users can use the tftp get command to download file bootrom.btm and other files from TFTP server 192.168.0.1 and other TFTP servers.

1.2.3 Switching User Level

Table 1-2 User level switching configuration task list

Specifying the authentication mode for user level switching Optional Adopting super password authentication for user level switching Required Adopting HWTACACS authentication for user level switching Required Switching to a specific user level Required

Operation Remarks

I. Specifying the authentication mode for user level switching

You can switch between user levels through corresponding commands after logging into a switch successfully. The high-to-low user level switching is unlimited. However, the low-to-high user level switching requires the corresponding authentication. The

1-3

Operation Manual – CLI H3C S3100 Series Ethernet Switches Chapter 1 CLI Configuration

super password authentication mode and HWTACACS authentication mode are available at the same time to provide authentication redundancy.

The configuration of authentication mode for user level switching is performed by Level-3 users, as described in

Table 1-3.

Table 1-3 Specify the authentication mode for user level switching

Operation Command Remarks

Enter system view

Enter user interface view

Super password authentication

HWTACACS authentication

Super password

Specify the authentication mode for user level switching

authentication preferred (with the HWTACACS authentication as the backup authentication mode)

HWTACACS authentication preferred (with the super password authentication as the backup authentication mode)

system-view user-interface [ type ]

first-number [ last-number ]

super authentication-mode super-password

super authentication-mode scheme

super authentication-mode super-password scheme

super authentication-mode scheme super-password

—

Optional By default,

super password authentication is adopted for user level switching.

 Note:

When both the super password authentication and the HWTACACS authentication are specified, the device adopts the preferred authentication mode first. If the preferred authentication mode cannot be implemented (for example, the super password is not configured or the HWTACACS authentication server is unreachable), the backup authentication mode is adopted.

II. Adopting super password authentication for user level switching

With the super password set, you can pass the super password authentication successfully only when you provide the super password as prompted. If no super

1-4

Operation Manual – CLI H3C S3100 Series Ethernet Switches Chapter 1 CLI Configuration

password is set, the system prompts “%Password is not set” when you attempt to switch to a higher user level. In this case, you cannot pass the super password authentication.

Table 1-4 lists the operations to configure super password authentication for user level

switching, which can only be performed by level-3 users.

Table 1-4 Set a password for use level switching

Operation Command Remarks

Enter system view

Set the super password for user level switching

system-view super password [ level

level ] { cipher | simple } password

— Required

By default, the super password is not set.

III. Adopting HWTACACS authentication for user level switching

To implement HWTACACS authentication for user level switching, a level-3 user must perform the commands listed in

Table 1-5 to configure the HWTACACS authentication

scheme used for low-to-high user level switching. With HWTACACS authentication enabled, you can pass the HWTACACS authentication successfully only after you provide the right user name and the corresponding password as pr ompted. Note that if you have passed the HWTACACS authentication when logging in to the switch, only the password is required.

Table 1-5 lists the operations to configure HWTACACS authentication for user level

switching, which can only be performed by Level-3 users.

Table 1-5 Set the HWTACACS authentication scheme for user level switching

Operation Command Description

Enter system view Enter ISP domain view

Set the HWTACACS authentication scheme for user level switching

system-view domain domain-name

authentication super hwtacacs-scheme

hwtacacs-scheme-name

1-5

—

Required By default, the HWTACACS

authentication scheme for user level switching is not set.

Operation Manual – CLI H3C S3100 Series Ethernet Switches Chapter 1 CLI Configuration

 Note:

When setting the HWTACACS authentication scheme for user level switchin g using the authentication super hwtacacs-scheme command, make sure the HWTACACS authentication scheme identified by the hwtacacs-scheme-name argument already exists. Refer to AAA Operation for information about HWTACACS authentication scheme.

IV. Switching to a specific user level

Table 1-6 Switch to a specific user level

Operation Command Remarks

Switch to a specified user level

super [ level ]

Required Execute this command in user view.

 Note:

z If no user level is specified in the super password command or the super

command, level 3 is used by default.

z For security purpose, the password entered is not displayed when you switch to

another user level. You will remain at the original user level if you have tried three times but failed to enter the correct authentication information.

V. Configuration example

After a general user telnets to the switch, his/her user level is 0. Now, the network administrator wants to allow general users to switch to level 3, so that they are able to configure the switch.

1) Super password authentication co nfiguration example # A level 3 user sets a switching password for user level 3.

<Sysname> system-view [Sysname] super password level 3 simple 123

# A general user telnet s to the switch, and then uses the set p assword to switch to user level 3.

<Sysname> super 3 Password: User privilege level is 3, and only those commands can be used whose level is equal or less than this. Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE

1-6

Operation Manual – CLI H3C S3100 Series Ethernet Switches Chapter 1 CLI Configuration

# Af ter configuring the switch, the general user switches back to user level 0.

<Sysname> super 0 User privilege level is 0, and only those commands can be used whose level is equal or less than this. Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE

2) HWTACACS authentication configuration example # Configure a HWTACACS authentication scheme named acs, and specify the user

name and password used for user level switching on the HWTACACS server defined in the scheme. Refer to AAA Operation for detailed configuration procedures.

# Enable HWTACACS authentication for VTY 0 user level switching.

<Sysname> system-view [Sysname] user-interface vty 0 [Sysname-ui-vty0] super authentication-mode scheme [Sysname-ui-vty0] quit

# Specify to adopt the HWTACACS authentication scheme named acs for user level switching in the ISP domain named system.

[Sysname] domain system [Sysname-isp-system] authentication super hwtacacs-scheme acs

# Switch to user level 3 (assuming that you log into the switch as a VTY 0 user by Telnet).

<Sysname> super 3 Username: user@system Password: User privilege level is 3, and only those commands can be used whose level is equal or less than this. Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE

1.3 CLI Views

CLI views are designed for different configuration tasks. They are both correlated and distinguishing. For example, once a user logs into a switch successfully , the user enters user view, where the user can perform some simple operations such as checking the operation status and statistics information of the switch. After executing the system-view command, the user enters system view, where the user can go to other views by entering corresponding commands.

Table 1-7 lists the CLI views provided by S3100 series Ethernet switches, operations

that can be performed in different CLI views and the commands used to enter specific CLI views.

1-7

Operation Manual – CLI H3C S3100 Series Ethernet Switches Chapter 1 CLI Configuration

Table 1-7 CLI views

View

User view

System view

Ethernet port view

Available

operation

Display operation status and statistical information of the switch

Configure system parameters

Configure Ethernet port parameters

Prompt

example

[Sysname]

100 Mbps Ethernet port view:

[Sysname-Eth ernet1/0/1]

1000 Mbps Ethernet port view:

[Sysname-Gig abitEthernet1/ 1/1]

Enter method Quit method

Execute the Enter user view once logging into the switch.

quit

command to

log out of the

switch.

Execute the Execute the system-view command in user view.

quit or

return

command to

return to user

view.

Execute the Execute the interface

ethernet command in system view.

quit

command to

return to

system view.

Execute the

return Execute the interface

gigabitethernet command in system

command to

return to user

view. view.

Aux1/0/0 port (the console port) view

VLAN view

VLAN interface view

Loopbac k interface view

The S3100 series do not support configuration on port Aux1/0/0

Configure VLAN parameters

Configure VLAN interface parameters, including the management VLAN parameters

Configure loopback interface parameters

[Sysname-Au x1/0/0]

[Sysname-vla n1]

[Sysname-Vla n-interface1]

[Sysname-Loo pBack0]

Execute the interface aux 1/0/0 command in system view

Execute the vlan command in system view.

Execute the interface Vlan-interface command in system view.

Execute the interface loopback command in system view.

1-8

Operation Manual – CLI H3C S3100 Series Ethernet Switches Chapter 1 CLI Configuration

View

Available

operation

Prompt

example

Enter method Quit method

NULL interface view

Local user view

User interface view

FTP client view

SFTP client view

MST region view

Configure NULL interface parameters

Configure local user parameters

Configure user interface parameters

Configure FTP client parameters

Configure SFTP client parameters

Configure MST region parameters

[Sysname-NU LL0]

[Sysname-lus er-user1]

[Sysname-ui-a ux0]

[ftp]

sftp-client>

[Sysname-mst

-region]

Execute the interface null command in system view.

Execute the local-user command in system view.

Execute the user-interface command in system view.

Execute the ftp command in user view.

Execute the sftp command in system view.

Execute the stp region-configuration command in system view.

Cluster view

Public key view

Public key editing view

Configure cluster parameters

Configure the RSA public key for SSH users

Configure the RSA or DSA public key for SSH users

Edit the RSA public key for SSH users

Edit the RSA or DSA public key for SSH users

[Sysname-clu ster]

[Sysname-rsa

-public-key]

[Sysname-pee r-public-key]

[Sysname-rsa

-key-code]

[Sysname-pee r-key-code]

Execute the cluster command in system view.

Execute the rsa peer-public-key command in system view.

Execute the

public-key peer

command in system view.

Execute the

public-key-code begin command in

public key view.

Execute the

peer-public-

key end

command to

return to

system view.

Execute the

public-key-c

ode end

command to

return to

public key

view.

1-9

Operation Manual – CLI H3C S3100 Series Ethernet Switches Chapter 1 CLI Configuration

View

Available

operation

Prompt

example

Enter method Quit method

Basic ACL view

Advance d ACL view

Layer 2 ACL view

QoS profile view

Define rules for a basic ACL (with ID ranging from 2000 to 2999)

Define rules for an advanced ACL (with ID ranging from 3000 to 3999)

Define rules for an layer 2 ACL (with ID ranging from 4000 to 4999)

Supported by only S3100-EI series switches

Define QoS profile

Supported by only S3100-EI series switches

[Sysname-aclbasic-2000]

[Sysname-acladv-3000]

[Sysname-aclethernetframe

-4000]

[Sysname-qos

-profile-a123]

Execute the acl number command in system view.

Execute the qos-profile command in system view.

Execute the

quit

command to

return to

system view.

Execute the

return

command to

return to user

view.

RADIUS scheme view

ISP domain view

HWPing view

HWTAC ACS view

Configure RADIUS scheme parameters

Configure ISP domain parameters

Configure HWPing parameters

Configure HWTACACS parameters

[Sysname-radi us-1]

[Sysname-ispaaa123.net]

[Sysname-hw ping-a123-a12 3]

[Sysname-hwt acacs-a123]

1-10

Execute the radius scheme command in system view.

Execute the domain command in system view.

Execute the hwping command in system view.

Execute the hwtacacs scheme command in system view.

+ 914 hidden pages