H3C S3100 8C SI User Manual

H3C S3100 Series Ethernet Switches

Operation Manual

Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com

Manual Version: 20080710-C-1.05

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.

Trademarks

H3C, , Aolynk, , H3Care, Neocean, NeoVTL, SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd.

All other trademarks that may be mentioned in this manual are the property of their respective owners.

Notice

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the content s, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.

Technical Support

customer_service@h3c.com http://www.h3c.com

, TOP G, , IRF, NetPilot,

G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision and

About This Manual

Organization

H3C S3100 Series Ethernet Switches Operation Manual is organized as follows:

Part Contents

0 Product Overview

1 CLI

2 Login

3 Configuration File Management

4 VLAN

5 Management VLAN Introduces the management VLAN configuration.

6 IP Address-IP Performance

7 Voice VLAN

8 GVRP Introduces GVRP and the related configuration. 9 Port Basic Configuration Introduces basic port configuration.

10 Link Aggregation

Introduces the characteristics and implementations of the Ethernet switch.

Introduces the command hierarchy, command view and CLI features of the Ethernet switch.

Introduces the ways to log into an Ethernet switch.

Introduces the ways to manage configuration files.

Introduces VLAN fundamental and the related configuration.

Introduces IP address and IP performance fundamental and the related configuration.

Introduces voice VLAN fundamental and the related configuration.

Introduces link aggregation and the related configuration.

11 Port Isolation

12 Port Security-Port Binding

13 DLDP Introduces DLDP and the related configuration. 14 MAC Address Table

Management 15 MSTP Introduces STP and the related configuration. 16 Multicast Introduces the configuration of IGMP Snooping.

17 802.1x-System Guard

Introduces port isolation and the related configuration.

Introduces port security, port binding, and the related configuration.

Introduces MAC address forwarding table and the related configuration.

Introduces 802.1x, System-Guard and the related configuration.

Part Contents

18 AAA

19 MAC Address Authentication

Introduces AAA, RADIUS, HWTACACS, EAD, and the related configurations.

Introduces MAC address authentication and the related configuration.

20 ARP Introduces ARP and the related configuration.

21 DHCP

Introduces DHCP, DHCP-Snooping, and the related configurations.

22 ACL Introduces ACL and the related configuration.

23 QoS-QoS Profile

24 Mirroring

25 Stack-Cluster

26 PoE-PoE Profile

27 SNMP-RMON

Introduces QoS, QoS profile and the related configuration.

Introduces port mirroring and the related configuration.

Introduces the configuration to form clusters using HGMP V2.

Introduces PoE, PoE profile and the related configuration.

Introduces the configuration to manage network

devices through SNMP and RMON. 28 NTP Introduces NTP and the related configuration. 29 SSH Introduces SSH and the related configuration.

30 File System Management

31 FTP-SFTP-TFTP

32 Information Center

33 System Maintenance and Debugging

34 VLAN-VPN

Introduces basic configuration for file system

management.

Introduces basic configuration for FTP, SFTP,

TFTP, and the applications.

Introduces the configuration to analyze and

diagnose networks using the information center.

Introduces daily system maintenance and

debugging.

Introduces VLAN VPN and the related

configuration. 35 HWPing Introduces HWPing and the related configuration.

36 IPv6 Management

Introduces IPv6 Management and the related

configuration. 37 DNS Introduces DNS and the related config uration.

38 Smart Link-Monitor Link

Introduces Smart Link, Monitor Link and the

related configuration. 39 Appendix Lists the acronyms used in this manual.

Conventions

The manual uses the following conventions:

I. Command conventions

Convention Description

Boldface

italic

[ ]

{ x | y | ... }

[ x | y | ... ]

{ x | y | ... } *

[ x | y | ... ] *

&<1-n>

# A line starting with the # sign is comments.

The keywords of a command line are in Boldface. Command arguments are in italic. Items (keywords or arguments) in square brackets [ ] are

optional. Alternative items are grouped in braces and separated by

vertical bars. One is selected. Optional alternative items are grouped in square brackets

and separated by vertical bars. One or none is selected. Alternative items are grouped in braces and separated by

vertical bars. A minimum of one or a maximum of all can be selected.

Optional alternative items are grouped in square brackets and separated by vertical bars. Many or none can be selected.

The argument(s) before the ampersand (&) sign can be entered 1 to n times.

II. GUI conventions

Convention Description

Boldface

III. Symbols

Convention Description

Warning

Caution

Window names, button names, field names, and menu items are in Boldface. For example, the New User window appears; click OK.

Multi-level menus are separated by angle brackets. For example, File > Create > Folder.

Means reader be extremely careful. Improper operation may cause bodily injury.

Means reader be careful. Improper operation may cause data loss or damage to equipment.

Convention Description

 Note Means a complementary description.

Chapter 1 Obtaining the Documentation

Hangzhou H3C Technologies Co., Ltd. provides various ways for you to obtain documentation, through which you can obtain the product documentations and those concerning newly added new features. The document ations are available in on e of the following ways:

z CD-ROMs shipped with the devices z H3C website z Software release notes

1.1 CD-ROM

H3C delivers a CD-ROM together with each device. The CD-ROM contains the operation manual and command manual. After installing the reader program provided by the CD-ROM, you can search for the desired contents in a convenient way through the reader interface.

The contents in the manual are subject to update on an irregular basis due to product version upgrade or some other reasons. Therefore, the contents in the CD-ROM may not be the latest version. This manual serves the purpose of user guide only. Unless otherwise noted, all the information in the document set does not claim or imply any warranty. For the latest software documentation, go to the H3C website.

1.2 H3C Website

Perform the following steps to query and download the product do cumentation from the H3C website.

Table 1-1 Acquire product documentation from the H3C website

Registering

Acquire product documentation

Access the homepage of H3C at http:// www.h3c.com and click on Registration at the top right. In the displayed page, provide your information and click on Submit to register.

Approach 1: In the homepage of H3C at http:// www.h3c.com, select Technical

Support & Document > Technical Documents from the navigation menu at the top. Then select a product for its documents.

Approach 2: In the homepage of H3C at http:// www.h3c.com, select Support >

Technical Documents. Then select a product for its documents.

1-1

Operation Manual – Product Overview H3C S3100 Series Ethernet Switches Chapter 1 Obtaining the Documentation

1.3 Software Release Notes

With software upgrade, new software features may be added. You can acquire the information about the newly added software features through software release notes.

1-2

Operation Manual – Product Overview H3C S3600 Series Ethernet Switches

Chapter 2 Correspondence Between

Documentation and Software

2.1 Manual List

Chapter 2 Correspondence Between Documentation

and Software

H3C S3100 Series Ethernet Switches Installation Manual H3C S3100 Series Ethernet Switches Quick Start H3C S3100 Series Ethernet Switches Compliance and

Safety Manual H3C S3100 Series Ethernet Switches Operation Manual H3C S3100 Series Ethernet Switches Command Manual

2.2 Software Version

H3C S3100 Series Ethernet Switches Operation Manual and H3C S3100 Series Ethernet Switches Command Manual are for the software versions list in

the S3100-SI series and S3100-EI series switches.

Table 2-1 Corresponding software versions of this manual

Switch Software Version

Manual name

Corresponding

Product

S3100-SI series S3100-EI series

Table 2-1 of

S3100-SI series Release2102, Release2107 S3100-EI series Release2104, Release2107, Release2107P01

The supported features are different between these softwa re versions.

z Compared with Release 2102, some new features are added in Release 2107 of

the S3100-SI series switches. For details, refer to

z Compared with Release 2104, some new features are added in Release 2107 and

Release 2107P01 of the S3100-EI series switches. For details, refer to

2-1

Table 2-2.

Table 2-3.

Operation Manual – Product Overview H3C S3600 Series Ethernet Switches

Table 2-2 Added features compared with the earlier software version of S3100-SI

Chapter 2 Correspondence Between Documentation

and Software

Software

Version

Added Features Compared With The

Earlier Version

Assigning MAC Addresses for Ethernet Ports

ARP Source MAC Address Consistency Check

Local authentication after failed of remote authentication

Manual

14-MAC Address Table Management

20-ARP

18-AAA

Unauthorized DHCP Server Detection 21-DHCP

Release2107

SNMP AES 128 27-SNMP-RMON rsa peer-public-key import 29-SSH FTP disconnect 31-FTP-SFTP-TFTP Identifying and Diagnosing Pluggable

Transceivers

33-System Maintenance and Debugging

IPv6 Management 36-IPv6 Management

Table 2-3 Added features compared with the earlier software version of S3100-EI

Software

Version

Release2107 P01

Release2107

Added Features Compared With The

Earlier Version

Manual

Configuring loopback detection for a list of ports in bulk

09-Port Basic Configuration

Enabling auto-shutdown of loopback ports ARP Source MAC Address Consistency

Check Assigning MAC Addresses for Ethernet

Ports

20-ARP

14-MAC Address

Table Management Traffic Shaping 23-QoS-QoS Profile SNMP AES 128 27-SNMP-RMON rsa peer-public-key import 29-SSH FTP disconnect 31-FTP-SFTP-TFTP

2-2

Operation Manual – Product Overview H3C S3100 Series Ethernet Switches Chapter 3 Product Overview

Chapter 3 Product Overview

 Note:

For the convenience of users, units of Mega bps/1000 Mega bps in the following chapters are simplified as M/G.

3.1 Overview

The H3C S3100 Series Ethernet Switches are high-performance, high-density, easy-to-install, NMS-manageable intelligent Ethernet switches which support wire-speed Layer 2 switching.

3.2 Software Features

S3100 Series Ethernet Switches have abundant software features and can meet the requirements of different applications. each module.

Table 3-1 Software features of the S3100 series

Part Features

1 CLI

2 Login

3 Configuration File Management

4 VLAN

5 Management VLAN

Table 3-1 summarizes the features provided by

z CLI z Hierarchically grouped commands z CLI online help

z Logging into a switch through the Console port z Logging into a switch through an Ethernet port by

using Telnet or SSH

z Logging into a switch through the Console port by

using modem

z Logging into a switch through Web or NMS z Saving and deleting the configuration file

z Specifying the configuration file to be used the next

time the device boots and the file attribute

z IEEE 802.1Q-compliant VLAN z Port-based VLAN z Protocol-based VLAN (Supported by only S3100-EI

series switches)

z Management VLAN configuration z Management VLAN interface configuration

3-1

Operation Manual – Product Overview H3C S3100 Series Ethernet Switches Chapter 3 Product Overview

Part Features

6 IP Address-IP Performance Configuration

7 Voice VLAN

z Configuring an IP address for a switch z Configuring the TCP attributes for a switch

Voice VLAN (Supported by only S3100-EI series switches)

8 GVRP GARP VLAN registration protocol (GVRP)

z Three port states supported: Access, Trunk, and

Hybrid

9 Port Basic Configuration

10 Link Aggregation

11 Port Isolation

12 Port Security-Port Binding

13 DLDP

z Setting broadcast storm suppression globally z Loopback detection supported z Cable test

z Link aggregation control protocol (LACP) z Manual aggregation z Static aggregation

Port isolation group

z Multiple security modes z IP address-MAC address-port binding (Supported

by only S3100-EI series switches)

Device link detection protocol (DLDP) (Supported by only S3100-EI series switches)

14 MAC Address Table Management

15 MSTP

16 Multicast

17 802.1x-System Guard

18 AAA

z Manually configuring dynamic, static, and black hole

MAC addresses

z Configuring the aging time for MAC addresses z MAC address learning limit z Disabling ports in a VLAN from learning MAC

addresses (Supported by only S3100-EI series switches)

z STP/RSTP/MSTP z Private MSTP path cost standard

Internet group management protocol snooping (IGMP Snooping) v2&v3

z 802.1X authentication z System guard z Huawei authentication bypass protocol (HABP) z Quick EAD Deployment (Supported by only

S3100-EI series switches)

z Authentication, authorization, and accounting (AAA) z Remote authentication dial-In user service

(RADIUS)

z Huawei terminal access controller access control

system (HWTACACS)

z Endpoint Admission Defense(EAD) (Supported by

only S3100-EI series switches)

19 MAC Address Authentication

MAC address authentication

3-2

Operation Manual – Product Overview H3C S3100 Series Ethernet Switches Chapter 3 Product Overview

Part Features

20 ARP

21 DHCP

22 ACL

23 QoS-QoS Profile

24 Mirroring

25 Stack-Cluster

26 PoE-PoE Profile

27 SNMP-RMON

z Gratuitous ARP z Manually configuring ARP entries

z DHCP Client z DHCP Snooping z Using Option82 in DHCP Snooping (Supported by

only S3100-EI series switches)

z Basic/Advanced ACLs (Only ACLs defined on

S3100-EI Series switches can be applied to hardware directly)

z Layer 2 ACLs (Supported by only S3100-EI series

switches)

z Quality of Service (QoS) z QoS Profile (Supported by only S3100-EI series

switches)

z Local port mirroring z Remote port mirroring

z Huawei Group Management Protocol (HGMP) v2 z Neighbor discovery protocol (NDP) z Neighbor topology discovery protocol (NTDP) z Stack

z Power over Ethernet (PoE) z PoE profile

z Simple network management protocol (SNMP) v3,

compatible with SNMP v1/v2

z Remote monitoring (RMON)

28 NTP z Network time protocol (NTP)

z SSH1 (Supported by only S3100-EI series switches)

29 SSH

z SSH2 z Operating as an SSH (Secure Shell) server/SSH

client

30 File System Management

31 FTP-SFTP-TFTP

32 Information Center

33 System Maintenance and Debugging

z File system management z File attribute configurable

z Operating as an FTP server/FTP client z Operating as an SFTP server/SFTP client z Operating as a TFTP client

z System logs z Hierarchical alarms z Debugging information output

z Configuring system time z Displaying and configuring system device state

3-3

Operation Manual – Product Overview H3C S3100 Series Ethernet Switches Chapter 3 Product Overview

Part Features

z VLAN-VPN (QinQ) z VLAN Mapping (Supported by only S3100-EI series

switches)

z Configuring TPID value (Supported by only

34 VLAN-VPN

S3100-EI series switches)

z Configuring BPDU Tunnel (Supported by only

S3100-EI series switches)

z Selective QinQ (Supported by only S3100-EI series

switches)

35 HWPing HWPing

36 IPv6 Management

37 DNS

38 Smart Link-Monitor Link

z Supporting IPv6 address z IPv6-based Ping, Traceroute, TFTP, and Telnet

z Static Domain Name System (DNS) z Dynamic DNS (Supported by only S3100-EI series

switches)

z Smart Link (Supported by only S3100-EI series

switches)

z Monitor Link (Supported by only S3100-EI series

switches)

3-4

Operation Manual – Product Overview H3C S3100 Series Ethernet Switches Chapter 4 Network Design

Chapter 4 Network Design

The S3100 series can be flexibly deployed in networks. They can be used in enterprise networks, or serve as broadband access points. The following examples are three typical networks using the S3100 series.

4.1 MAN Access Solution

In a metropolitan area network (MAN), the S3100 series can serve as access devices. In the downlink direction, they directly connect to users through 100 Mbps interfaces; and in the uplink direction, they connect to an aggregation layer (Layer 3) switches or MA5200 intelligent service gateways, which further connect to the core of the MAN through routers. This provides you a comprehensive gigabit-to-backbone 100-Mbps-to-desktop MAN solution.

Figure 4-1 Network diagram for a MAN using S3100 series

4.2 Education Network Solution

In a campus network, the S3100 series can serve as desktop switching devices at the access layer. They directly connect to users in education buildings through 100 Mbps downlink interfaces; and connect to the core switch in the campus throu gh a 1000 Mbps uplink interface; the core switch further connects to the education network through a

4-1

Operation Manual – Product Overview H3C S3100 Series Ethernet Switches Chapter 4 Network Design

router. This enables the users in the campus to exchange information and share resources in the scope of the education network.

Sever CoursewareNMS

Network center

1000/100M

S3100

100M

Video classroom/conference room

S3100

100M

1000M 1000M

AR28

S5600

Education

network

Classroom/laboratory

Figure 4-2 Network diagram for an education network using S3100 series

4.3 Multi-Service Carrier VLAN Solution

 Note:

S3100

100M

School building

S3100

100M

School building

Only S3100-EI series Ethernet switches support this multi-service carrier VLAN solution.

With development of various application technologies, enterprise users are increasingly relying on network services. They hope the networks can offer secure, reliable leased lines, VOIP and video conference services, thus reducing their operating costs. Additionally, apart from simple Internet surfing, individual users expect more abundant services from the networks, e.g., IPTV, video chatting, real-time gaming, etc. Meanwhile, construction of the NGN/3G carrier network will draw huge attention of carriers. If NGN/3G services can be carried on the broadband access network, the costs of the entire network solution can be lowered dramatically.

T o carry such services with different QOS requi rements, the broadband access netwo rk needs to have effective service identification and isolation capacity. VLAN is the best service identification and isolation technology at present, and is the basis for

4-2

Operation Manual – Product Overview H3C S3100 Series Ethernet Switches Chapter 4 Network Design

multi-service deployment. As broadband users increase explosively and services appear continuously, however, the traditional VLAN technology cannot meet the requirements of service deployments. In this situation, QinQ, VLAN mapping, etc become new choices.

The figure below shows a typical application: The IPTV service requires that the DSLAM be moved downwards into the campus to enhance users’ access bandwidth. S3100-EI acts as the DSLAM convergence switch. Selective QinQ is configured on the device, with the service VLAN identifying the DSLAM or the campus position and the customer VLAN identifying the customer. In this way, carriers can implement uniform planning and precise management: VLAN layout is simple, and is not affected by the customer side.

IP MAN

End office Switch

Campus Switch (S3100-EI)

DSLAM

…… ……

Figure 4-3 DSLAM convergence application

Another more complicated configuration example is when the LAN is connected to dense Home Gateways (HG). Generally, the ex-factory setting of an HG is simple as it uses a fixed VLAN tag to identify the attached service type (data service, IPTV, etc). Thus, precise division and management for users and services can be implemented. And VLAN mapping is then implemented on the access device S3100-EI. In this way, respective service VLANs are “translated” into the VLANs that com ply with the carrier’s deployment. In addition, QinQ is used on the upstream device to identify the campus position. Such uniform configuration implements carriers’ precise PUPSPV (respective users and respective services use their own VLANs) management.

4-3

Operation Manual – Product Overview H3C S3100 Series Ethernet Switches Chapter 4 Network Design

Figure 4-4 New vlan management scheme

4-4

Operation Manual – CLI H3C S3100 Series Ethernet Switches Table of Contents

Table of Contents

Chapter 1 CLI Configuration ........................................................................................................ 1-1

1.1 Introduction to the CLI ....................................................................................................... 1-1

1.2 Command Hierarchy..........................................................................................................1-1

1.2.1 Command Level and User Privilege Level..............................................................1-1

1.2.2 Modifying the Command Level................................................................................1-2

1.2.3 Switching User Level............................................................................................... 1-3

1.3 CLI Views...........................................................................................................................1-7

1.4 CLI Features....................................................................................................................1-12

1.4.1 Online Help............................................................................................................1-12

1.4.2 Terminal Display....................................................................................................1-13

1.4.3 Command History..................................................................................................1-13

1.4.4 Error Prompts........................................................................................................ 1-14

1.4.5 Command Edit.......................................................................................................1-15

Operation Manual – CLI H3C S3100 Series Ethernet Switches Chapter 1 CLI Configuration

Chapter 1 CLI Configuration

1.1 Introduction to the CLI

A command li ne interface (CLI) is a user interfa ce to interact with a switch. Throug h the CLI on a switch, a user can enter commands to configure the switch and check output information to verify the configuration. Each S3100 series Ethernet switch provides an easy-to-use CLI and a set of configuration commands for the convenience of the user to configure and manage the switch.

The CLI on S3100 series Ethernet switches provides the following features, and so has good manageability and operability.

z Hierarchical command protection: After users of different levels log in, they can

only use commands at their own, or lower, levels. This prevents users from using unauthorized commands to configure switches.

z Online help: Users can gain online help at any time by entering a question mark

(?).

z Debugging: Abundant and detailed debugging information is provided to help

users diagnose and locate network problems.

z Command history function: This enables users to check the commands that they

have lately executed and re-execute the commands.

z Partial matching of commands: The system will use partially matching method to

search for commands. This allows users to execute a command by entering partially-spelled command keywords as long as the keywords entered can be uniquely identified by the system.

1.2 Command Hierarchy

1.2.1 Command Level and User Privilege Level

I. Command level

The S3100 series Ethernet switches use hierarchical command protection for command lines, so as to inhibit users at lower levels from using higher-level command s to configure the switches.

Based on user privilege, commands are classified into four levels, which default to:

z Visit level (level 0): Commands at this level are mainly used to diagnose network,

and they cannot be saved in configuration file. For example, ping, tracert and telnet are level 0 commands.

1-1

Operation Manual – CLI H3C S3100 Series Ethernet Switches Chapter 1 CLI Configuration

z Monitor level (level 1): Commands at this level are mainly used to maintain the

system and diagnose service faults, and they cannot be saved in configuration fil e. Such commands include debugging and terminal.

z System level (level 2): Commands at this level are mainly used to configure

services. Commands concerning routing and network layers are at this level. These commands can be used to provide network services directly.

z Manage level (level 3): Commands at this level are associated with the basic

operation modules and support modules of the system. These commands p rovide support for services. Commands concerning file system, FTP/TFTP/XModem downloading, user management, and level setting are at this level.

II. User privilege level

Users logged into the switch fall into four user privilege levels, which correspond to the four command levels respectively. Users at a specific level can only use the commands at the same level or lower levels.

By default, the Console user (a user who logs into the switch through the Console port) is a level-3 user, and Telnet users are level-0 users.

Y ou can use the user privilege level command to set the default user privilege level for users logging in through a certain user interface. For details, refer to Login Operation.

 Note:

If a user logs in using AAA authentication, the user privilege level depends on the configuration of the AAA scheme. For details, refer to AAA Operation.

1.2.2 Modifying the Command Level

I. Modifying the Command Level

Commands fall into four levels: visit (level 0), monitor (level 1), system (level 2), and manage (level 3). By using the following command, the administrator can change the level of a command in a specific view as required.

Table 1-1 Set the level of a command in a specific view

Operation Command Remarks

Enter system view Configure the level of a

command in a specific view

system-view command-privilege level level view

view command

1-2

—

Required

Operation Manual – CLI H3C S3100 Series Ethernet Switches Chapter 1 CLI Configuration

Caution:

z It is recommended not to change the level of a command arbitrarily, for it may cause

inconvenience to maintenance and operation.

z When you change the level of a command with multiple keywords, you should input

the keywords one by one in the order they appear in the command syntax. Otherwise, your configuration will not take effect.

II. Configuration example

The network administrator (a level 3 user) wants to change some TFTP commands (such as tftp get) from level 3 to level 0, so that general Telnet users (level 0 users) are able to download files through TFTP.

# Change the tftp get command in user view (shell) from level 3 to level 0. (Originally, only level 3 users can change the level of a command.)

<Sysname> system-view [Sysname] command-privilege level 0 view shell tftp [Sysname] command-privilege level 0 view shell tftp 192.168.0.1 [Sysname] command-privilege level 0 view shell tftp 192.168.0.1 get [Sysname] command-privilege level 0 view shell tftp 192.168.0.1 get bootrom.btm

After the above configuration, general Telnet users can use the tftp get command to download file bootrom.btm and other files from TFTP server 192.168.0.1 and other TFTP servers.

1.2.3 Switching User Level

Table 1-2 User level switching configuration task list

Specifying the authentication mode for user level switching Optional Adopting super password authentication for user level switching Required Adopting HWTACACS authentication for user level switching Required Switching to a specific user level Required

Operation Remarks

I. Specifying the authentication mode for user level switching

You can switch between user levels through corresponding commands after logging into a switch successfully. The high-to-low user level switching is unlimited. However, the low-to-high user level switching requires the corresponding authentication. The

1-3

Operation Manual – CLI H3C S3100 Series Ethernet Switches Chapter 1 CLI Configuration

super password authentication mode and HWTACACS authentication mode are available at the same time to provide authentication redundancy.

The configuration of authentication mode for user level switching is performed by Level-3 users, as described in

Table 1-3.

Table 1-3 Specify the authentication mode for user level switching

Operation Command Remarks

Enter system view

Enter user interface view

Super password authentication

HWTACACS authentication

Super password

Specify the authentication mode for user level switching

authentication preferred (with the HWTACACS authentication as the backup authentication mode)

HWTACACS authentication preferred (with the super password authentication as the backup authentication mode)

system-view user-interface [ type ]

first-number [ last-number ]

super authentication-mode super-password

super authentication-mode scheme

super authentication-mode super-password scheme

super authentication-mode scheme super-password

—

Optional By default,

super password authentication is adopted for user level switching.

 Note:

When both the super password authentication and the HWTACACS authentication are specified, the device adopts the preferred authentication mode first. If the preferred authentication mode cannot be implemented (for example, the super password is not configured or the HWTACACS authentication server is unreachable), the backup authentication mode is adopted.

II. Adopting super password authentication for user level switching

With the super password set, you can pass the super password authentication successfully only when you provide the super password as prompted. If no super

1-4

Operation Manual – CLI H3C S3100 Series Ethernet Switches Chapter 1 CLI Configuration

password is set, the system prompts “%Password is not set” when you attempt to switch to a higher user level. In this case, you cannot pass the super password authentication.

Table 1-4 lists the operations to configure super password authentication for user level

switching, which can only be performed by level-3 users.

Table 1-4 Set a password for use level switching

Operation Command Remarks

Enter system view

Set the super password for user level switching

system-view super password [ level

level ] { cipher | simple } password

— Required

By default, the super password is not set.

III. Adopting HWTACACS authentication for user level switching

To implement HWTACACS authentication for user level switching, a level-3 user must perform the commands listed in

Table 1-5 to configure the HWTACACS authentication

scheme used for low-to-high user level switching. With HWTACACS authentication enabled, you can pass the HWTACACS authentication successfully only after you provide the right user name and the corresponding password as pr ompted. Note that if you have passed the HWTACACS authentication when logging in to the switch, only the password is required.

Table 1-5 lists the operations to configure HWTACACS authentication for user level

switching, which can only be performed by Level-3 users.

Table 1-5 Set the HWTACACS authentication scheme for user level switching

Operation Command Description

Enter system view Enter ISP domain view

Set the HWTACACS authentication scheme for user level switching

system-view domain domain-name

authentication super hwtacacs-scheme

hwtacacs-scheme-name

1-5

—

Required By default, the HWTACACS

authentication scheme for user level switching is not set.

Operation Manual – CLI H3C S3100 Series Ethernet Switches Chapter 1 CLI Configuration

 Note:

When setting the HWTACACS authentication scheme for user level switchin g using the authentication super hwtacacs-scheme command, make sure the HWTACACS authentication scheme identified by the hwtacacs-scheme-name argument already exists. Refer to AAA Operation for information about HWTACACS authentication scheme.

IV. Switching to a specific user level

Table 1-6 Switch to a specific user level

Operation Command Remarks

Switch to a specified user level

super [ level ]

Required Execute this command in user view.

 Note:

z If no user level is specified in the super password command or the super

command, level 3 is used by default.

z For security purpose, the password entered is not displayed when you switch to

another user level. You will remain at the original user level if you have tried three times but failed to enter the correct authentication information.

V. Configuration example

After a general user telnets to the switch, his/her user level is 0. Now, the network administrator wants to allow general users to switch to level 3, so that they are able to configure the switch.

1) Super password authentication co nfiguration example # A level 3 user sets a switching password for user level 3.

<Sysname> system-view [Sysname] super password level 3 simple 123

# A general user telnet s to the switch, and then uses the set p assword to switch to user level 3.

<Sysname> super 3 Password: User privilege level is 3, and only those commands can be used whose level is equal or less than this. Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE

1-6

Operation Manual – CLI H3C S3100 Series Ethernet Switches Chapter 1 CLI Configuration

# Af ter configuring the switch, the general user switches back to user level 0.

<Sysname> super 0 User privilege level is 0, and only those commands can be used whose level is equal or less than this. Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE

2) HWTACACS authentication configuration example # Configure a HWTACACS authentication scheme named acs, and specify the user

name and password used for user level switching on the HWTACACS server defined in the scheme. Refer to AAA Operation for detailed configuration procedures.

# Enable HWTACACS authentication for VTY 0 user level switching.

<Sysname> system-view [Sysname] user-interface vty 0 [Sysname-ui-vty0] super authentication-mode scheme [Sysname-ui-vty0] quit

# Specify to adopt the HWTACACS authentication scheme named acs for user level switching in the ISP domain named system.

[Sysname] domain system [Sysname-isp-system] authentication super hwtacacs-scheme acs

# Switch to user level 3 (assuming that you log into the switch as a VTY 0 user by Telnet).

<Sysname> super 3 Username: user@system Password: User privilege level is 3, and only those commands can be used whose level is equal or less than this. Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE

1.3 CLI Views

CLI views are designed for different configuration tasks. They are both correlated and distinguishing. For example, once a user logs into a switch successfully , the user enters user view, where the user can perform some simple operations such as checking the operation status and statistics information of the switch. After executing the system-view command, the user enters system view, where the user can go to other views by entering corresponding commands.

Table 1-7 lists the CLI views provided by S3100 series Ethernet switches, operations

that can be performed in different CLI views and the commands used to enter specific CLI views.

1-7

Operation Manual – CLI H3C S3100 Series Ethernet Switches Chapter 1 CLI Configuration

Table 1-7 CLI views

View

User view

System view

Ethernet port view

Available

operation

Display operation status and statistical information of the switch

Configure system parameters

Configure Ethernet port parameters

Prompt

example

[Sysname]

100 Mbps Ethernet port view:

[Sysname-Eth ernet1/0/1]

1000 Mbps Ethernet port view:

[Sysname-Gig abitEthernet1/ 1/1]

Enter method Quit method

Execute the Enter user view once logging into the switch.

quit

command to

log out of the

switch.

Execute the Execute the system-view command in user view.

quit or

return

command to

return to user

view.

Execute the Execute the interface

ethernet command in system view.

quit

command to

return to

system view.

Execute the

return Execute the interface

gigabitethernet command in system

command to

return to user

view. view.

Aux1/0/0 port (the console port) view

VLAN view

VLAN interface view

Loopbac k interface view

The S3100 series do not support configuration on port Aux1/0/0

Configure VLAN parameters

Configure VLAN interface parameters, including the management VLAN parameters

Configure loopback interface parameters

[Sysname-Au x1/0/0]

[Sysname-vla n1]

[Sysname-Vla n-interface1]

[Sysname-Loo pBack0]

Execute the interface aux 1/0/0 command in system view

Execute the vlan command in system view.

Execute the interface Vlan-interface command in system view.

Execute the interface loopback command in system view.

1-8

Operation Manual – CLI H3C S3100 Series Ethernet Switches Chapter 1 CLI Configuration

View

Available

operation

Prompt

example

Enter method Quit method

NULL interface view

Local user view

User interface view

FTP client view

SFTP client view

MST region view

Configure NULL interface parameters

Configure local user parameters

Configure user interface parameters

Configure FTP client parameters

Configure SFTP client parameters

Configure MST region parameters

[Sysname-NU LL0]

[Sysname-lus er-user1]

[Sysname-ui-a ux0]

[ftp]

sftp-client>

[Sysname-mst

-region]

Execute the interface null command in system view.

Execute the local-user command in system view.

Execute the user-interface command in system view.

Execute the ftp command in user view.

Execute the sftp command in system view.

Execute the stp region-configuration command in system view.

Cluster view

Public key view

Public key editing view

Configure cluster parameters

Configure the RSA public key for SSH users

Configure the RSA or DSA public key for SSH users

Edit the RSA public key for SSH users

Edit the RSA or DSA public key for SSH users

[Sysname-clu ster]

[Sysname-rsa

-public-key]

[Sysname-pee r-public-key]

[Sysname-rsa

-key-code]

[Sysname-pee r-key-code]

Execute the cluster command in system view.

Execute the rsa peer-public-key command in system view.

Execute the

public-key peer

command in system view.

Execute the

public-key-code begin command in

public key view.

Execute the

peer-public-

key end

command to

return to

system view.

Execute the

public-key-c

ode end

command to

return to

public key

view.

1-9

Operation Manual – CLI H3C S3100 Series Ethernet Switches Chapter 1 CLI Configuration

View

Available

operation

Prompt

example

Enter method Quit method

Basic ACL view

Advance d ACL view

Layer 2 ACL view

QoS profile view

Define rules for a basic ACL (with ID ranging from 2000 to 2999)

Define rules for an advanced ACL (with ID ranging from 3000 to 3999)

Define rules for an layer 2 ACL (with ID ranging from 4000 to 4999)

Supported by only S3100-EI series switches

Define QoS profile

Supported by only S3100-EI series switches

[Sysname-aclbasic-2000]

[Sysname-acladv-3000]

[Sysname-aclethernetframe

-4000]

[Sysname-qos

-profile-a123]

Execute the acl number command in system view.

Execute the qos-profile command in system view.

Execute the

quit

command to

return to

system view.

Execute the

return

command to

return to user

view.

RADIUS scheme view

ISP domain view

HWPing view

HWTAC ACS view

Configure RADIUS scheme parameters

Configure ISP domain parameters

Configure HWPing parameters

Configure HWTACACS parameters

[Sysname-radi us-1]

[Sysname-ispaaa123.net]

[Sysname-hw ping-a123-a12 3]

[Sysname-hwt acacs-a123]

1-10

Execute the radius scheme command in system view.

Execute the domain command in system view.

Execute the hwping command in system view.

Execute the hwtacacs scheme command in system view.

Operation Manual – CLI H3C S3100 Series Ethernet Switches Chapter 1 CLI Configuration

View

Available

operation

Prompt

example

Enter method Quit method

Configure PoE profile

PoE profile view

parameters Supported by

only S3100-TP-P

[Sysname-poe

-profile-a123]

Execute the poe-profile command in system view.

WR-EI series switches

Configure smart link

Smart link group view

group parameters

Supported by only S3100-EI

[Sysname-sml k-group1]

Execute the smart-link group command in system view.

series switches

Configure monitor link

Monitor link group view

group parameters

Supported by only S3100-EI

[Sysname-mtl k-group1]

Execute the monitor-link group command in system view.

series switches

Configure

Execute the vlan-vpn vid command in Ethernet port view.

The vlan-vpn enable command should be first executed.

QinQ view

QinQ parameters

Supported by only S3100-EI series

[Sysname-Eth ernet1/0/1-vid20]

switches

 Note:

The shortcut key <Ctrl+Z> is equivalent to the return command.

Execute the

quit

command to

return to

Ethernet port

view.

Execute the

return

command to

return to user

view.

1-11

Operation Manual – CLI H3C S3100 Series Ethernet Switches Chapter 1 CLI Configuration

1.4 CLI Features

1.4.1 Online Help

When configuring the switch, you can use the online help to get related help information. The CLI provides two types of online help: complete and partial.

I. Complete online help

1) Enter a question mark (?) in any view on your terminal to display all the commands available in the view and their brief descriptions. The following takes user view as an example.

<Sysname> ? User view commands: boot Set boot option cd Change current directory clock Specify the system clock cluster Run cluster command copy Copy from one file to another debugging Enable system debugging functions delete Delete a file dir List files on a file system display Display current system information

2) Enter a command, a space, and a question mark (?).

If the question mark “?” is at a keyword position in the command, all available keywords at the position and their descriptions will be displayed on your terminal.

<Sysname> clock ? datetime Specify the time and date summer-time Configure summer time timezone Configure time zone

If the question mark “?” is at an argument position in the command, the description of the argument will be displayed on your terminal.

[Sysname] interface vlan-interface ? <1-4094> VLAN interface number

If only <cr> is displayed after you enter “?”, it means no parameter is available at the “?” position, and you can enter and execute the command directly.

[Sysname] interface vlan-interface 1 ? <cr>

1-12

Operation Manual – CLI H3C S3100 Series Ethernet Switches Chapter 1 CLI Configuration

II. Partial online help

1) Enter a character/string, and then a question mark (?) next to it. All the co mmands beginning with the character/string will be displayed on your terminal. For example:

<Sysname> p? ping pwd

2) Enter a command, a space, a character/string and a question mark (?) next to it. All the keywords beginning with the character/string (if available) are displayed on your terminal. For example:

<Sysname> display u? udp unit user-interface users

3) Enter the first several characters of a keyword of a command and then press <Tab>. If there is a unique keyword beginning with the characters just typed, the unique keyword is displayed in its complete form. If there are multiple keywords beginning with the characters, you can have them displayed one by one (in complete form) by pressing <Tab> repeatedly.

1.4.2 Terminal Display

The CLI provides the screen splitting feature to have display output suspended when the screen is full. When display output pauses, you can perform the following operations as needed (see

Table 1-8 Display-related operations

Operation Function

Press <Ctrl+C>

Press any character except <Space>, <Enter>, /, +, and - when the display output pauses

Press the space key Get to the next page. Press <Enter> Get to the next line.

1.4.3 Command History

Table 1-8).

Stop the display output and execution of the command.

Stop the display output.

The CLI provides the command history function. You can use the display history-command command to view a specific number of latest executed commands

1-13

Operation Manual – CLI H3C S3100 Series Ethernet Switches Chapter 1 CLI Configuration

and execute them again in a convenient way. By default, the CLI can store up to 10 latest executed commands for each user. You can view the command history by performing the operations listed in

Table 1-9.

Table 1-9 View history commands

Purpose Operation Remarks

Display the latest executed history commands

Recall the previous history command

Recall the next history command

Execute the display history-command command

Press the up arrow key or <Ctrl+P>

Press the down arrow key or <Ctrl+N>

This command displays the command history.

This operation recalls the previous history command (if available).

This operation recalls the next history command (if available).

 Note:

z The Windows 9x HyperTerminal explains the up and down arrow keys in a different

way, and therefore the two keys are invalid when you access history commands in such an environment. However, you can use <Ctrl+ P> and <Ctrl+ N> instead to achieve the same purpose.

z When you enter the same command multiple times consecutively, only one history

command entry is created by the command line interface.

1.4.4 Error Prompts

If a command passes the syntax check, it will be successfully executed; otherwise, an error message will be displayed.

Table 1-10 Common error messages

Error message Description

Unrecognized command

Incomplete command The command entered is incomplete. Too many parameters The parameters entered are too many. Ambiguous command The parameters entered are ambiguous.

Table 1-10 lists the common error messages.

The command does not exist. The keyword does not exist. The parameter type is wrong. The parameter value is out of range.

1-14

Operation Manual – CLI H3C S3100 Series Ethernet Switches Chapter 1 CLI Configuration

Error message Description

Wrong parameter A parameter entered is wrong. found at '^' position An error is found at the '^' position.

1.4.5 Command Edit

The CLI provides basic command edit functions and supports multi-line editing. The maximum number of characters a command can contain is 254. edit operations.

Table 1-11 Edit operations

Press… To…

Insert the corresponding character at the cursor

A common key

position and move the cursor one character to the right if the command is shorter than 254 characters.

Table 1-11 list s the CLI

Backspace key

Delete the character on the left of the cursor and

move the cursor one character to the left. Left arrow key or <Ctrl+B> Move the cursor one character to the left. Right arrow key or <Ctrl+F> Move the cursor one character to the right. Up arrow key or <Ctrl+P>

Down arrow key or <Ctrl+N>

Display history commands.

Use the partial online help. That is, when you

input an incomplete keyword and press <Tab>,

if the input parameter uniquely identifies a

complete keyword, the system substitutes the

complete keyword for the input parameter; if <Tab>

more than one keywords match the input

parameter, you can display them one by one (in

complete form) by pressing <Tab> repeatedly; if

no keyword matches the input parameter, the

system displays your original input on a new line

without any change.

1-15

Operation Manual – Login H3C S3100 Series Ethernet Switches Table of Contents

Table of Contents

Chapter 1 Logging into an Ethernet Switch ............................................................................... 1-1

1.1 Logging into an Ethernet Switch........................................................................................1-1

1.2 Introduction to the User Interface ...................................................................................... 1-1

1.2.1 Supported User Interfaces......................................................................................1-1

1.2.2 User Interface Index................................................................................................1-2

1.2.3 Common User Interface Configuration ...................................................................1-2

Chapter 2 Logging in through the Console Port........................................................................2-1

2.1 Introduction........................................................................................................................2-1

2.2 Logging in through the Console Port.................................................................................2-1

2.3 Console Port Login Configuration...................................................................................... 2-4

2.3.1 Common Configuration...........................................................................................2-4

2.3.2 Console Port Login Configurations for Different Authentication Modes..................2-5

2.4 Console Port Login Configuration with Authentication Mode Being None........................2-6

2.4.1 Configuration Procedure.........................................................................................2-6

2.4.2 Configuration Example............................................................................................2-8

2.5 Console Port Login Configuration with Authentication Mode Being Password................. 2-9

2.5.1 Configuration Procedure.........................................................................................2-9

2.5.2 Configuration Example..........................................................................................2-11

2.6 Console Port Login Configuration with Authentication Mode Being Scheme..................2-13

2.6.1 Configuration Procedure.......................................................................................2-13

2.6.2 Configuration Example..........................................................................................2-15

Chapter 3 Logging in through Telnet..........................................................................................3-1

3.1 Introduction........................................................................................................................3-1

3.1.1 Common Configuration...........................................................................................3-1

3.1.2 Telnet Configurations for Different Authentication Modes......................................3-2

3.2 Telnet Configuration with Authentication Mode Being None............................................. 3-4

3.2.1 Configuration Procedure.........................................................................................3-4

3.2.2 Configuration Example............................................................................................3-5

3.3 Telnet Configuration with Authentication Mode Being Password......................................3-6

3.3.1 Configuration Procedure.........................................................................................3-6

3.3.2 Configuration Example............................................................................................3-7

3.4 Telnet Configuration with Authentication Mode Being Scheme ........................................ 3-9

3.4.1 Configuration Procedure.........................................................................................3-9

3.4.2 Configuration Example..........................................................................................3-13

3.5 Telnetting to a Switch ...................................................................................................... 3-14

3.5.1 Telnetting to a Switch from a Terminal .................................................................3-14

3.5.2 Telnetting to another Switch from the Current Switch...........................................3-16

Operation Manual – Login H3C S3100 Series Ethernet Switches Table of Contents

Chapter 4 Logging in Using a Modem......................................................................................... 4-1

4.1 Introduction........................................................................................................................4-1

4.2 Configuration on the Switch Side.......................................................................................4-1

4.2.1 Modem Configuration..............................................................................................4-1

4.2.2 Switch Configuration...............................................................................................4-2

4.3 Modem Connection Establishment.................................................................................... 4-2

Chapter 5 Logging in through the Web-based Network Management System....................... 5-1

5.1 Introduction........................................................................................................................5-1

5.2 Establishing an HTTP Connection.....................................................................................5-1

5.3 Configuring the Login Banner............................................................................................ 5-2

5.3.1 Configuration Procedure.........................................................................................5-2

5.3.2 Configuration Example............................................................................................5-3

5.4 Enabling/Disabling the WEB Server..................................................................................5-4

Chapter 6 Logging in through NMS............................................................................................. 6-1

6.1 Introduction........................................................................................................................6-1

6.2 Connection Establishment Using NMS.............................................................................. 6-1

Chapter 7 User Control......................................................................................................... ........7-1

7.1 Introduction........................................................................................................................7-1

7.2 Controlling Telnet Users....................................................................................................7-1

7.2.1 Prerequisites ...........................................................................................................7-1

7.2.2 Controlling Telnet Users by Source IP Addresses..................................................7-2

7.2.3 Controlling Telnet Users by Source and Destination IP Addresses........................7-2

7.2.4 Controlling Telnet Users by Source MAC Addresses.............................................7-3

7.2.5 Configuration Example............................................................................................7-4

7.3 Controlling Network Management Users by Source IP Addresses................................... 7-4

7.3.1 Prerequisites ...........................................................................................................7-5

7.3.2 Controlling Network Management Users by Source IP Addresses ........................ 7-5

7.3.3 Configuration Example............................................................................................7-6

7.4 Controlling Web Users by Source IP Address...................................................................7-6

7.4.1 Prerequisites ...........................................................................................................7-7

7.4.2 Controlling Web Users by Source IP Addresses .................................................... 7-7

7.4.3 Disconnecting a Web User by Force ......................................................................7-7

7.4.4 Configuration Example............................................................................................7-7

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 1 Logging into an Ethernet Switch

Chapter 1 Logging into an Ethernet Switch

1.1 Logging into an Ethernet Switch

You can log into an S3100 Ethernet switch in one of the following ways:

z Logging in locally through the Console port z Logging in locally or remotely through an Ethernet port by means of Telnet or SSH z Telnetting to the Console port using a modem z Logging into the Web-based network management system z Logging in through NMS (network management station)

1.2 Introduction to the User Interface

1.2.1 Supported User Interfaces

 Note:

The auxiliary (AUX) port and the Console port of an H3C Ethernet switch are the same port (refereed to as Console port in the following part). You will be in the AUX user interface if you log in through this port.

S3100 series Ethernet switches support two types of user interfaces: AUX and V TY.

z AUX user interface: A view when you log in through the AUX port. AUX port is a

line device port.

z Virtual type terminal (VTY) user interface: A view when you log in through VTY.

VTY port is a logical terminal line used when you access the device by means of Telnet or SSH.

Table 1-1 Description on user interface

User interface Applicable user Port used Description

AUX

Users logging in through the Console port

Console port

Each switch can accommodate one AUX user.

VTY

Telnet users and SSH users

1-1

Ethernet port

Each switch can accommodate up to five VTY users.

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 1 Logging into an Ethernet Switch

1.2.2 User Interface Index

Two kinds of user interface index exist: absolute user interface index and relative user interface index.

1) The absolute user interface indexes are as follows:

z The absolute AUX user interfaces is numbered 0. z VTY user interface indexes follow AUX user interface indexes. The first absolute

VTY user interface is numbered 1, the second is 2, and so on.

2) A relative user interface index can be obtained by appending a number to the identifier of a user interface type. It is generated by user interface type. The relative user interface indexes are as follows:

z AUX user interfaces is numbered 0. z VTY user interfaces are numbered VTY0, VTY1, and so on.

1.2.3 Common User Interface Configuration

Table 1-2 Common user interface configuration

Operation Command Description

Optional

Lock the current user interface

lock

Execute this command in user view.

A user interface is not locked by default.

Specify to send messages to all user interfaces/a specified

send { all | number | type number }

user interface

Free a user interface

Enter system view

free user-interface

[ type ] number

system-view header [ incoming |

Set the banner

legal | login | shell ]

text

Set a system name for the switch

sysname string

Optional Execute this command in user

view. Optional

Execute this command in user view.

— Optional

By default, no banner is configured

Optional By default, the system name

is H3C.

Enable copyright information displaying

Optional By default, copyright

displaying is enabled. That is, the copy right information is displayed on the terminal after a user logs in successfully.

1-2

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 1 Logging into an Ethernet Switch

Operation Command Description

Enter user interface view

user-interface [ type ] first-number

[ last-number ]

Display the information about the current user interface/all user

display users [ all ]

interfaces Display the physical

attributes and configuration of the current/a specified user

display user-interface [ type number | number ]

interface Display the information

about the current web

display web users

users

—

Optional You can execute the display

command in any view.

1-3

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 2 Logging in through the Console Port

Chapter 2 Logging in through the Console Port

2.1 Introduction

T o log in through the Co nsole port is the most common way to log into a switch. It is also the prerequisite to configure other login methods. By default, you can locally log into an S3100 Ethernet switch through its Console port only.

Table 2-1 lists the default settings of a Console port.

Table 2-1 The default settings of a Console port

Setting Default

Baud rate 9,600 bps Flow control None Check mode (Parity) None Stop bits 1 Data bits 8

To log into a switch through the Console port, make sure the settings of both the Console port and the user terminal are the same.

After logging into a switch, you can perform configuration for AUX users. Refer to section

2.3 “Console Port Login Configuration” for more.

2.2 Logging in through the Console Port

Following are the procedures to connect to a switch through the Console port.

1) Connect the serial port of your PC/terminal to the Console port of the switch, as shown in

Figure 2-1 Diagram for connecting to the Console port of a switch

Figure 2-1.

2-1

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 2 Logging in through the Console Port

2) If you use a PC to connect to the Console port, launch a terminal emulation utility (such as Terminal in Windows 3.X or HyperTerminal in Windows 9X/Windows 2000/Windows XP. The following assumes that you are runnin g Windows XP) and perform the configuration shown in

Figure 2-2 through Figure 2-4 for the

connection to be created. Normally, both sides (that is, the serial port of the PC and the Console port of the switch) are configured as those listed in

Table 2-1.

Figure 2-2 Create a connection

Figure 2-3 Specify the port used to establish the connection

2-2

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 2 Logging in through the Console Port

Figure 2-4 Set port parameters

3) Turn on the switch. You will be prompted to press the Enter key if the switch successfully completes POST (power-on self test). The prompt (such as <H3C>) appears after you press the Enter key, as shown in

Figure 2-5.

Figure 2-5 HyperTerminal CLI

4) You can then configure the switch or check the information about the switch by executing the corresponding commands. You can also acquire h elp by typing the ? character. Refer to related parts in this manual for information about the commands used for configuring the switch.

2-3

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 2 Logging in through the Console Port

2.3 Console Port Login Configuration

2.3.1 Common Configuration

Table 2-2 lists the common configuration of Console port login.

Table 2-2 Common configuration of Console port login

Configuration Remarks

Console port configuration

AUX user interface configuration

Terminal configuration

Baud rate

Check mode

Stop bits

Data bits

Configure the command level available to the users logging into the AUX user interface

Make terminal services available

Set the maximum number of lines the screen can contain

Set history command buffer size

Optional The default baud rate is 9,600 bps.

Optional By default, the check mode of the Console

port is set to “none”, which means no check bit.

Optional The default stop bits of a Console port is 1.

Optional The default data bits of a Console port is 8.

Optional By default, commands of level 3 are

available to the users logging into the AUX user interface.

Optional By default, terminal services are available in

all user interfaces Optional

By default, the screen can contain up to 24 lines.

Optional By default, the history command buffer can

contain up to 10 commands.

Set the timeout time of a user interface

Optional The default timeout time is 10 minutes.

2-4

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 2 Logging in through the Console Port

Caution:

The change to Console port configuration takes effect immediately, so the connection may be disconnected when you log in through a Console port and then configure this Console port. To configure a console port, you are recommended to log into the switch in other ways. To log into a switch through its Console port after you modify the Console port settings, you need to modify the corresponding settings of the terminal emulation utility running on your PC accordingly in the dialog box shown in

Figure 2-4.

2.3.2 Console Port Login Configurations for Different Authentication Modes

Table 2-3 lists Console port login configurations for different authentication modes.

Table 2-3 Console port login configurations for different authentication modes

Authentication

mode

None

Password

Console port login

configuration

Perform common configuration

Configure the password

Perform common configuration

Perform common configuration for Console port login

Configure the password for local authentication

Perform common configuration for Console port login

Optional Refer to

Required

Optional Refer to

Remarks

Table 2-2.

2-5

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 2 Logging in through the Console Port

Authentication

mode

Console port login

configuration

Remarks

Scheme

Specify to perform local authenticatio n or remote RADIUS authenticatio n

Configure user name and password

Manage AUX users

Perform common configuration

AAA configuration specifies whether to perform local authentication or RADIUS authentication

Configure user names and passwords for local/RADIUS users

Set service type for AUX users

Perform common configuration for Console port login

Optional Local authentication is

performed by default. Refer to the AAA part for

more.

Required

z The user name and

password of a local user are configured on the switch.

z The user name and

password of a RADIUS user are configured on the RADIUS server. Refer to user manual of RADIUS server for more.

Required

Optional Refer to

Table 2-2.

 Note:

Changes made to the authentication mode for Console port login takes effect after you quit the command-line interface and then log in again.

2.4 Console Port Login Configuration with Authentication Mode Being None

2.4.1 Configuration Procedure

Table 2-4 Console port login configuration with the authentication mode being none

Operation Command Description

Enter system view Enter AUX user interface

view

system-view

user-interface aux 0 —

—

2-6

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 2 Logging in through the Console Port

Operation Command Description

Required

Configure not to authenticate users

authentication-mode none

By default, users logging in through the Console port (AUX user interface) are not authenticated.

Set the baud rate

Set the check

Configure the

mode

Console port

Set the stop bits

Set the data bits

Configure the command level available to users logging into the user interface

speed speed-value

parity { even | none | odd }

stopbits { 1 | 1.5 | 2 }

databits { 7 | 8 }

user privilege level

level

Optional The default baud rate of a

Console port is 9,600 bps. Optional

By default, the check mode of a Console port is none, that is, no check is performed.

Optional The stop bits of a Console

port is 1. Optional

The default data bits of a Console port is 8.

Optional By default, commands of

level 3 are available to users logging into the AUX user interface, and commands of level 0 are available to users logging into the VTY user interface.

Enable terminal services

Set the maximum number of lines the screen can contain

Set the history command buffer size

shell

screen-length

history-command max-size value

2-7

Optional By default, terminal services

are available in all user interfaces.

Optional By default, the screen can

contain up to 24 lines. You can use the

screen-length 0 command to disable the function to display information in pages.

Optional The default history command

buffer size is 10. That is, a history command buffer can store up to 10 commands by default.

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 2 Logging in through the Console Port

Operation Command Description

Optional The default timeout time of a

user interface is 10 minutes. With the timeout time being

10 minutes, the connection to

Set the timeout time for the user interface

idle-timeout minutes [ seconds ]

a user interface is terminated if no operation is performed in the user interface within 10 minutes.

Y ou can use the idle-timeout 0 command to disable the timeout function.

2.4.2 Configuration Example

I. Network requirements

Assume that the switch is configured to allow users to log in through Telnet, and the user level is set to the administrator level (level 3). Perform the following configurations for users logging in through the Console port (AUX user interface).

z Do not authenticate the users. z Commands of level 2 are available to the users logging into the AUX user

interface.

z The baud rate of the Console port is 19,200 bps. z The screen can contain up to 30 lines. z The history command buffer can contain up to 20 commands. z The timeout time of the AUX user interface is 6 minutes.

II. Network diagram

Ethernet1/0/1

Ethernet

User PC running Telnet

Figure 2-6 Network diagram for AUX user interface configuration (with the authentication mode being none)

2-8

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 2 Logging in through the Console Port

III. Configuration procedure

# Enter system view.

<Sysname> system-view

# Enter AUX user interface view.

[Sysname] user-interface aux 0

# Specify not to authenticate users logging in through the Console port.

[Sysname-ui-aux0] authentication-mode none

# Specify commands of level 2 are available to users logging into the AUX user interface.

[Sysname-ui-aux0] user privilege level 2

# Set the baud rate of the Console port to 19,200 bps.

[Sysname-ui-aux0] speed 19200

# Set the maximum number of lines the screen can contain to 30.

[Sysname-ui-aux0] screen-length 30

# Set the maximum number of commands the history comm and bu ffer can store to 20.

[Sysname-ui-aux0] history-command max-size 20

# Set the timeout time of the AUX user interface to 6 minute s.

[Sysname-ui-aux0] idle-timeout 6

After the above configuration, you need to modify the configuration of the terminal emulation utility running on the PC accordingly in the dialog box shown in

Figure 2-4 to

log into the switch successfully.

2.5 Console Port Login Configuration with Authentication Mode Being Password

2.5.1 Configuration Procedure

Table 2-5 Console port login configuration with the authentication mode being

password

Operation Command Description

Enter system view Enter AUX user

interface view

system-view

user-interface aux 0—

—

2-9

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 2 Logging in through the Console Port

Operation Command Description

Required

Configure to authenticate users using the local

authentication-mod e password

password

By default, users logging into a switch through the Console port are not authenticated; while those logging in through Modems or Telnet are authenticated.

set authentication

Set the local password

password { cipher |

Required

simple } password

Optional

Set the baud rate

speed speed-value

The default baud rate of an AUX port (also the Console port) is 9,600 bps.

Set the Configure the

check

mode Console port

Set the

stop bits

Set the

data bits

Configure the command level available to users logging into the user interface

Make terminal services available to the user interface

Set the maximum number of lines the screen can contain

parity { even | none |

odd }

stopbits { 1 | 1.5 | 2 }

databits { 7 | 8 }

user privilege level

level

shell

screen-length

Optional By default, the check mode of a

Console port is set to none, that is, no check bit.

Optional The default stop bits of a

Console port is 1. Optional

The default data bits of a Console port is 8.

Optional By default, commands of level 3

are available to users logging into the AUX user interface.

Optional By default, terminal services are

available in all user interfaces. Optional

By default, the screen can contain up to 24 lines.

You can use the screen-length 0 command to disable the function to display information in pages.

Set history command buffer size

history-command max-size value

2-10

Optional The default history command

buffer size is 10. That is, a history command buffer can store up to 10 commands by default.

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 2 Logging in through the Console Port

Operation Command Description

Optional The default timeout time of a

user interface is 10 minutes. With the timeout time being 10

Set the timeout time for the user interface

idle-timeout minutes [ seconds ]

minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes.

You can use the idle-timeout 0 command to disable the timeout function.

2.5.2 Configuration Example

I. Network requirements

Assume the switch is configured to allow users to log in through Telnet, and the user level is set to the administrator level (level 3). Perform the following configurations for users logging in through the Console port (AUX user interface).

z Authenticate the users using passwords. z Set the local password to 123456 (in plain text). z The commands of level 2 are available to the users. z The baud rate of the Console port is 19,200 bps. z The screen can contain up to 30 lines. z The history command buffer can store up to 20 commands. z The timeout time of the AUX user interface is 6 minutes.

II. Network diagram

Ethernet1/0/1

Ethernet

User PC running Telnet

Figure 2-7 Network diagram for AUX user interface configuration (with the authentication mode being password)

2-11

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 2 Logging in through the Console Port

III. Configuration procedure

# Enter system view.

<Sysname> system-view

# Enter AUX user interface view.

[Sysname] user-interface aux 0

# Specify to authenticate users logging in through the Console port using the local password.

[Sysname-ui-aux0] authentication-mode password

# Set the local password to 123456 (in plain text).

[Sysname-ui-aux0] set authentication password simple 123456

# Specify commands of level 2 are available to users logging into the AUX user interface.

[Sysname-ui-aux0] user privilege level 2

# Set the baud rate of the Console port to 19,200 bps.

[Sysname-ui-aux0] speed 19200

# Set the maximum number of lines the screen can contain to 30.

[Sysname-ui-aux0] screen-length 30

# Set the maximum number of commands the history comm and bu ffer can store to 20.

[Sysname-ui-aux0] history-command max-size 20

# Set the timeout time of the AUX user interface to 6 minute s.

[Sysname-ui-aux0] idle-timeout 6

After the above configuration, you need to modify the configuration of the terminal emulation utility running on the PC accordingly in the dialog box shown in

Figure 2-4 to

log into the switch successfully.

2-12

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 2 Logging in through the Console Port

2.6 Console Port Login Configuration with Authentication Mode Being Scheme

2.6.1 Configuration Procedure

Table 2-6 Console port login configuration with the authentication mode being scheme

Operation Command Description

Enter system view

Enter the default ISP domain view

Specify the AAA scheme to be applied

Configur e the authentic ation mode

to the domain

Quit to system view

system-view

domain domain-name

scheme { local | none | radius-scheme

radius-scheme-name [ local ] | hwtacacs-scheme

hwtacacs-scheme-na me [ local ] }

quit

— Optional

By default, the local AAA scheme is applied.

If you specify to apply the local AAA scheme, you need to perform the configuration concerning local user as well.

If you specify to apply an existing scheme by providing the radius-scheme-name argument, you need to perform the following configuration as well:

z Perform AAA&RADIUS

configuration on the switch. (Refer to the AAA part for more.)

z Configure the user name

and password accordingly on the AAA server. (Refer to the user manual of AAA server.)

Create a local user (Enter local user view.)

Set the authentication password for the local user

Specify the service type for AUX users

Quit to system view Enter AUX user interface

view

local-user user-name

password { simple |

cipher } password

service-type terminal [ level

level ]

quit

user-interface aux 0—

2-13

Required No local user exists by default.

Required

—

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 2 Logging in through the Console Port

Operation Command Description

Required The specified AAA scheme

determines whether to authenticate users locally or remotely.

By default, users logging in

Configure to authenticate users locally or remotely

authentication-mod e scheme [ commandauthorization ]

through the Console port (AUX user interface) are not authenticated.

Optional

Set the baud rate

speed speed-value

The default baud rate of the AUX port (also the Console port) is 9,600 bps.

Optional

Configure the Console port

Set the check mode

Set the stop bits

parity { even | none | odd }

stopbits { 1 | 1.5 | 2 }

By default, the check mode of a Console port is set to none, that is, no check bit.

Optional The default stop bits of a

Console port is 1.

Set the data bits

databits { 7 | 8 }

Configure the command level available to users logging into the user

user privilege level level

interface

Make terminal services available to the user

shell

interface

Set the maximum number of lines the screen can contain

Set history command buffer size

screen-length screen-length

history-command max-size value

Optional The default data bits of a

Console port is 8. Optional

By default, commands of level 3 are available to users logging into the AUX user interface.

Optional By default, terminal services

are available in all user interfaces.

Optional By default, the screen can

contain up to 24 lines. You can use the screen-length

0 command to disable the function to display information in pages.

Optional The default history command

buffer size is 10. That is, a history command buffer can store up to 10 commands by default.

2-14

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 2 Logging in through the Console Port

Operation Command Description

Optional The default timeout time of a

user interface is 10 minutes. With the timeout time being 10

minutes, the connection to a

Set the timeout time for the user interface

idle-timeout minutes

[ seconds ]

user interface is terminated if no operation is performed in the user interface within 10 minutes.

You can use the idle-timeout 0 command to disable the timeout function.

Note that if you configure to authenticate the users in the scheme mode, the command level available to users logging into a switch depends on the command level specified in the service-type terminal [ level level ] command.

2.6.2 Configuration Example

I. Network requirements

z Configure the local user name as “guest”. z Set the authentication password of the local user to 123456 (in plain text). z Set the service type of the local user to Terminal and the command level to 2. z Configure to authenticate the users in the scheme mode. z The baud rate of the Console port is 19,200 bps. z The screen can contain up to 30 lines. z The history command buffer can store up to 20 commands. z The timeout time of the AUX user interface is 6 minutes.

2-15

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 2 Logging in through the Console Port

II. Network diagram

Ethernet1/0/1

Ethernet

User PC running Telnet

Figure 2-8 Network diagram for AUX user interface configuration (with the authentication mode being scheme)

III. Configuration procedure

# Enter system view.

<Sysname> system-view

# Create a local user named guest and enter local user view.

[Sysname] local-user guest

# Set the authentication password to 123456 (in plain text).

[Sysname-luser-guest] password simple 123456

# Set the service type to Terminal, Specify commands of level 2 are available to users logging into the AUX user interface.

[Sysname-luser-guest] service-type terminal level 2 [Sysname-luser-guest] quit

# Enter AUX user interface view.

[Sysname] user-interface aux 0

# Configure to authenticate users logging in through the Console port in the scheme mode.

[Sysname-ui-aux0] authentication-mode scheme

# Set the baud rate of the Console port to 19,200 bps.

[Sysname-ui-aux0] speed 19200

# Set the maximum number of lines the screen can contain to 30.

[Sysname-ui-aux0] screen-length 30

# Set the maximum number of commands the history comm and bu ffer can store to 20.

[Sysname-ui-aux0] history-command max-size 20

# Set the timeout time of the AUX user interface to 6 minute s.

2-16

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 2 Logging in through the Console Port

[Sysname-ui-aux0] idle-timeout 6

After the above configuration, you need to modify the configuration of the terminal emulation utility running on the PC accordingly in the dialog box shown in

Figure 2-4 to

log into the switch successfully.

2-17

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 3 Logging in through Telnet

Chapter 3 Logging in through Telnet

3.1 Introduction

S3100 series Ethernet switches support Telnet. Y ou can manage and maintai n a switch remotely by Telnetting to the switch.

To log into a switch through Telnet, the corresponding configuration is required on both the switch and the Telnet terminal.

You can also log into a switch through SSH. SSH is a secure shell added to Telnet. Refer to the SSH Operation for related information.

Table 3-1 Requirements for Telnetting to a switch

Item Requirement

The IP address is configured for the VLAN of the switch, and the route between the switch and the Telnet terminal is reachable.

Switch

(Refer to the IP Address Configuration – IP Performance Configuration and Routing Protocol parts for more.)

The authentication mode and other settings are configured. Refer

Table 3-2 and Table 3-3.

Telnet terminal

 Note:

Telnetting to a switch using IPv6 protocols is similar to Telnetting to a switch usi ng IPv4 protocols. Refer to the IPv6 Management part for related information.

Telnet is running. The IP address of the VLAN of the switch is available.

3.1.1 Common Configuration

Table 3-2 lists the common Telnet configuration.

3-1

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 3 Logging in through Telnet

Table 3-2 Common Telnet configuration

Configuration Description

Configure the command level available to users logging into the VTY user interface

VTY user interface configuration

Configure the protocols the user interface supports

Set the commands to be executed automatically after a user log into the user interface successfully

Make terminal services available

Set the maximum number of lines the screen can

VTY terminal

contain

configuration

Set history command buffer size

Optional By default, commands of level 0 are

available to users logging into a VTY user interface.

Optional By default, Telnet and SSH protocol

are supported. Optional

By default, no command is executed automatically after a user logs into the VTY user interface.

Optional By default, terminal services are

available in all user interfaces Optional

By default, the screen can contain up to 24 lines.

Optional By default, the history command buffer

can contain up to 10 commands.

Set the timeout time of a user interface

Optional The default timeout time is 10 minutes.

3.1.2 Telnet Configurations for Different Authentication Modes

Table 3-3 lists Telnet configurations for different authentication modes.

Table 3-3 Telnet configurations for different authentication modes

Authenticati

on mode

None

Password

Perform common configuration

Configure the password

Perform common configuration

Telnet configuration Description

Perform common Telnet configuration

Optional Refer to

Configure the password for local

Required

authentication

Perform common Telnet configuration

Optional Refer to

Table 3-2.

3-2

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 3 Logging in through Telnet

Authenticati

on mode

Telnet configuration Description

Scheme

Specify to perform local authentication or remote RADIUS authentication

Configure user name and password

Manage VTY users

Perform common configuration

AAA configuration specifies whether to perform local authentication or RADIUS authentication

Configure user names and passwords for local/RADIUS users

Set service type for VTY users

Perform common Telnet configuration

Optional Local authentication is

performed by default. Refer to the AAA part for

more. Required

z The user name and

password of a local user are configured on the switch.

z The user name and

password of a remote user are configured on the RADIUS server. Refer to user manual of RADIUS server for more.

Required

Optional Refer to

Table 3-2.

 Note:

To improve security and prevent attacks to the unused Sockets, TCP 23 and TCP 22, ports for Telnet and SSH services respectively, will be enabled or disabled after corresponding configurations.

z If the authentication mode is none, TCP 23 will be enabled, and TCP 22 will be

disabled.

z If the authentication mode is password, and the corresponding password has been

set, TCP 23 will be enabled, and TCP 22 will be disabled.

z If the authentication mode is scheme, there are three scenarios: when the

supported protocol is specified as telnet, TCP 23 will be enabled; when the supported protocol is specified as ssh, TCP 22 will be enabled; when the supported protocol is specified as all, both the TCP 23 and TCP 22 port will be enabled.

3-3

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 3 Logging in through Telnet

3.2 Telnet Configuration with Authentication Mode Being None

3.2.1 Configuration Procedure

Table 3-4 Telnet configuration with the authentication mode being none

Operation Command Description

Enter system view

Enter one or more VTY user interface views

Configure not to authenticate users logging into VTY user interfaces

Configure the command level available to users logging into VTY user interface

Configure the protocols to be supported by the VTY user interface

Set the commands to be executed automatically after a user login to the user interface successfully

system-view user-interface vty

first-number [ last-number ]

authentication-mode none

user privilege level

level

protocol inbound { all | ssh | telnet }

auto-execute command text

—

Required By default, VTY users are

authenticated after logging in.

Optional By default, commands of level 0

are available to users logging into VTY user interfaces.

Optional By default, both Telnet protocol

and SSH protocol are supported.

Optional By default, no command is

executed automatically after a user logs into the VTY user interface.

Make terminal services available

Set the maximum number of lines the screen can contain

Set the history command buffer size

shell

screen-length

history-command max-size value

Optional By default, terminal services

are available in all user interfaces.

Optional By default, the screen can

contain up to 24 lines. You can use the screen-length

0 command to disable the function to display information in pages.

Optional The default history command

buffer size is 10. That is, a history command buffer can store up to 10 commands by default.

3-4

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 3 Logging in through Telnet

Operation Command Description

Optional The default timeout time of a

user interface is 10 minutes. With the timeout time being 10

minutes, the connection to a

Set the timeout time of the VTY user interface

idle-timeout minutes [ seconds ]

user interface is terminated if no operation is performed in the user interface within 10 minutes.

You can use the idle-timeout 0 command to disable the timeout function.

Note that if you configure not to authenticate the users, the command level available to users logging into a switch depends on the user privilege level level command

3.2.2 Configuration Example

I. Network requirements

Assume current user logins through the Console port, and the user level is set to the administrator level (level 3). Perform the following configurations for users logging in through VTY 0 using Telnet.

z Do not authenticate the users. z Commands of level 2 are available to the users. z Telnet protocol is supported. z The screen can contain up to 30 lines. z The history command buffer can contain up to 20 commands. z The timeout time of VTY 0 is 6 minutes.

II. Network diagram

Figure 3-1 Network diagram for Telnet configuration (with the authentication mode

being none)

III. Configuration procedure

# Enter system view.

<Sysname> system-view

# Enter VTY 0 user interface view.

[Sysname] user-interface vty 0

3-5

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 3 Logging in through Telnet

# Configure not to authenticate Telnet users logging into VTY 0.

[Sysname-ui-vty0] authentication-mode none

# Specify commands of level 2 are available to users logging into VTY 0.

[Sysname-ui-vty0] user privilege level 2

# Configure Telnet protocol is supported.

[Sysname-ui-vty0] protocol inbound telnet

# Set the maximum number of lines the screen can contain to 30.

[Sysname-ui-vty0] screen-length 30

# Set the maximum number of commands the history comm and bu ffer can store to 20.

[Sysname-ui-vty0] history-command max-size 20

# Set the timeout time to 6 minutes.

[Sysname-ui-vty0] idle-timeout 6

3.3 Telnet Configuration with Authentication Mode Being Password

3.3.1 Configuration Procedure

Table 3-5 Telnet configuration with the authentication mode being password

Operation Command Description

Enter system view

Enter one or more VTY user interface views

Configure to authenticate users logging into VTY user interfaces using the local password

Set the local password

Configure the command level available to users logging into the user interface

system-view

—

user-interface vty first-number

—

[ last-number ]

authentication-mode password

Required

set authentication password { cipher |

Required

simple } password

Optional By default, commands of

user privilege level level

level 0 are available to users logging into VTY user interface.

Configure the protocol to be supported by the user interface

protocol inbound { all | ssh | telnet }

3-6

Optional By default, both Telnet

protocol and SSH protocol are supported.

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 3 Logging in through Telnet

Operation Command Description

Set the commands to be executed automatically after a user login to the user

auto-execute command

text

interface successfully

Make terminal services available

Set the maximum number of lines the screen can contain

Set the history command buffer size

shell

screen-length

history-command max-size value

Optional By default, no command is

executed automatically after a user logs into the VTY user interface.

Optional By default, terminal services

are available in all user interfaces.

Optional By default, the screen can

contain up to 24 lines. You can use the

screen-length 0 command to disable the function to display information in pages.

Optional The default history command

buffer size is 10. That is, a history command buffer can store up to 10 commands by default.

Set the timeout time of the user interface

When the authentication mode is password, the command level available to users logging into the user interface is determined by the user privilege level command.

3.3.2 Configuration Example

I. Network requirements

Assume current user logins through the Console port and the user level is set to the administrator level (level 3). Perform the following configurations for users logging into VTY 0 using Telnet.

idle-timeout minutes [ seconds ]

Optional The default timeout time of a

user interface is 10 minutes. With the timeout time being

10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes.

You can use the idle-timeout 0 command to disable the timeout function.

3-7

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 3 Logging in through Telnet

z Authenticate users using the local password. z Set the local password to 123456 (in plain text). z Commands of level 2 are available to the users. z Telnet protocol is supported. z The screen can contain up to 30 lines. z The history command buffer can contain up to 20 commands. z The timeout time of VTY 0 is 6 minutes.

II. Network diagram

Figure 3-2 Network diagram for Telnet configuration (with the authentication mode

being password)

III. Configuration procedure

# Enter system view.

<Sysname> system-view

# Enter VTY 0 user interface view.

[Sysname] user-interface vty 0

# Configure to authenticate users logging into VTY 0 using the password.

[Sysname-ui-vty0] authentication-mode password

# Set the local password to 123456 (in plain text).

[Sysname-ui-vty0] set authentication password simple 123456

# Specify commands of level 2 are available to users logging into VTY 0.

[Sysname-ui-vty0] user privilege level 2

# Configure Telnet protocol is supported.

[Sysname-ui-vty0] protocol inbound telnet

# Set the maximum number of lines the screen can contain to 30.

[Sysname-ui-vty0] screen-length 30

# Set the maximum number of commands the history comm and bu ffer can store to 20.

[Sysname-ui-vty0] history-command max-size 20

# Set the timeout time to 6 minutes.

[Sysname-ui-vty0] idle-timeout 6

3-8

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 3 Logging in through Telnet

3.4 Telnet Configuration with Authentication Mode Being Scheme

3.4.1 Configuration Procedure

Table 3-6 Telnet configuration with the authentication mode being scheme

Operation Command Description

Enter system view

Enter the default ISP domain view

Configure the AAA scheme to

Configure the authentic ation scheme

be applied to the domain

Quit to system view

system-view

domain domain-name

scheme { local | none | radius-scheme

radius-scheme-name [ local ] | hwtacacs-scheme

hwtacacs-scheme-nam e [ local ] }

quit

— Optional

By default, the local AAA scheme is applied. If you specify to apply the local AAA scheme, you need to perform the configuration concerning local user as well.

If you specify to apply an existing scheme by providing the radius-scheme-name argument, you need to perform the following configuration as well:

z Perform AAA&RADIUS

z Configure the user name

configuration on the switch. (Refer to the AAA part for more.)

and password accordingly on the AAA server. (Refer to the user manual of AAA server.)

Create a local user and enter local user view

Set the authentication password for the local user

Specify the service type for VTY users

Quit to system view

Enter one or more VTY user interface views

local-user user-name

password { simple | cipher } password

service-type telnet [ level level ]

quit user-interface vty

first-number [ last-number ]

3-9

No local user exists by default.

Required

—

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 3 Logging in through Telnet

Operation Command Description

Required

The specified AAA scheme Configure to authenticate users locally or remotely

authentication-mode scheme [ commandauthorization ]

determines whether to

authenticate users locally or

remotely.

Users are authenticated

locally by default.

Configure the command level available to users logging into the user

user privilege level level

interface

Configure the supported protocol

protocol inbound { all | ssh | telnet }

Set the commands to be executed automatically after a user login to the user interface

auto-execute command text

successfully

Make terminal services available

Set the maximum number of lines the screen can contain

shell

screen-length

Optional

By default, commands of level

0 are available to users

logging into the VTY user

interfaces.

Optional

Both Telnet protocol and SSH

protocol are supported by

default.

Optional

By default, no command is

executed automatically after a

user logs into the VTY user

interface.

Optional

Terminal services are

available in all use interfaces

by default.

Optional

By default, the screen can

contain up to 24 lines.

You can use the

screen-length 0 command to

disable the function to display

information in pages.

Set history command buffer size

history-command max-size value

3-10

Optional

The default history command

buffer size is 10. That is, a

history command buffer can

store up to 10 commands by

default.

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 3 Logging in through Telnet

Operation Command Description

Optional

The default timeout time of a

user interface is 10 minutes.

With the timeout time being

10 minutes, the connection to Set the timeout time for

the user interface

idle-timeout minutes [ seconds ]

a user interface is terminated

if no operation is performed in

the user interface within 10

minutes.

You can use the idle-timeout

0 command to disable the

timeout function.

Note that if you configure to authenticate the users in the scheme mode, the command level available to the users logging into the switch depends on the user privilege level level command and the service-type { ftp | lan-access | { ssh | telnet | terminal }* [ level level ] } command, as listed in

Table 3-7.

Table 3-7 Determine the command level when users logging into switches are authenticated in the scheme mode

Scenario

Command

Authenticati

on mode

authenticatio n-mode scheme [ command-a uthorization ]

User type Command

The user privilege level level command is not executed, and the service-type command does not specify the available command level.

The user privilege level level command is not executed, and

VTY users that are AAA&RADIUS

the service-type command specifies the available command level.

level

Level 0

Determined by the service-type command

authenticated or locally authenticated

The user privilege level level command is executed, and the service-type command does not

Level 0 specify the available command level.

The user privilege level level command is executed, and the service-type command specifies the available command level.

Determined

by the

service-type

command

3-11

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 3 Logging in through Telnet

Scenario

Command

Authenticati

on mode

User type Command

level

The user privilege level level command is not executed, and the service-type command does not specify the available command level.

Level 0 The user privilege level level

command is not executed, and

VTY users that are authenticated in the RSA mode of SSH

the service-type command specifies the available command level.

The user privilege level level command is executed, and the service-type command does not specify the available command level.

The user privilege level level command is executed, and the

Determined

by the user

privilege

level level

command service-type command specifies

the available command level.

 Note:

The user privilege level level command is not executed, and the service-type command does not specify the available command level.

The user privilege level level command is not executed, and

VTY users that are authenticated

the service-type command specifies the available command level.

in the password mode of SSH

The user privilege level level command is executed, and the service-type command does not specify the available command level.

The user privilege level level command is executed, and the service-type command specifies the available command level.

Level 0

Determined

by the

service-type

command

Level 0

Determined

by the

service-type

command

Refer to AAA Operation and SSH Operation of this manual for information about AAA, RADIUS, and SSH.

3-12

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 3 Logging in through Telnet

3.4.2 Configuration Example

I. Network requirements

Assume current user logins through the Console port and the user level is set to the administrator level (level 3). Perform the following configurations for users logging into VTY 0 using Telnet.

z Configure the local user name as “guest”. z Set the authentication password of the local user to 123456 (in plain text). z Set the service type of VTY users to Telnet and the command level to 2. z Configure to authenticate users logging into VTY 0 in scheme mode. z Only Telnet protocol is supported in VTY 0. z The screen can contain up to 30 lines. z The history command buffer can store up to 20 commands. z The timeout time of VTY 0 is 6 minutes.

II. Network diagram

Figure 3-3 Network diagram for Telnet configuration (with the authentication mode

being scheme)

III. Configuration procedure

# Enter system view.

<Sysname> system-view

# Create a local user named “guest” and enter local user view.

[Sysname] local-user guest

# Set the authentication password of the local user to 123456 (in plain text).

[Sysname-luser-guest] password simple 123456

# Set the service type to Telnet, Specify commands of level 2 are available to users logging into VTY 0..

[Sysname-luser-guest] service-type telnet level 2 [Sysname-luser-guest] quit

# Enter VTY 0 user interface view.

[Sysname] user-interface vty 0

# Configure to authenticate users logging into VTY 0 in the scheme mode.

[Sysname-ui-vty0] authentication-mode scheme

# Configure Telnet protocol is supported.

3-13

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 3 Logging in through Telnet

[Sysname-ui-vty0] protocol inbound telnet

# Set the maximum number of lines the screen can contain to 30.

[Sysname-ui-vty0] screen-length 30

# Set the maximum number of commands the history comm and bu ffer can store to 20.

[Sysname-ui-vty0] history-command max-size 20

# Set the timeout time to 6 minutes.

[Sysname-ui-vty0] idle-timeout 6

3.5 Telnetting to a Switch

3.5.1 Telnetting to a Switch from a Terminal

1) Assign an IP address to VLAN-interface 1 of the switch (VLAN 1 is the default VLAN of the switch).

z Connect the serial port of your PC/terminal to the Console port of the switch, as

shown in

Figure 3-4

Figure 3-4 Diagram for establishing connection to a Console port

z Launch a terminal emulation utility (such as Terminal in Windows 3.X or

HyperTerminal in Windows 95/Windows 98/Windows NT/Windows 2000/Windows XP) on the PC terminal, with the baud rate set to 9,600 bps, data bits set to 8, parity check set to none, and flow control set to none.

z Turn on the switch and press Enter as prompted. The prompt (such as <H3C>)

appears, as shown in the following figure.

3-14

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 3 Logging in through Telnet

Figure 3-5 The terminal window

z Perform the following operations in the terminal window to assign IP address

202.38.160.92/24 to VLAN–interface 1 of the switch.

<Sysname> system-view [Sysname] interface Vlan-interface 1 [Sysname-Vlan-interface1] ip address 202.38.160.92 255.255.255.0

2) Perform Telnet-related configuration on the switch. Refer to section 3.2 "Telnet

Configuration with Authentication Mode Being None Configuration with Authentication Mode Being Password Configuration with Authentication Mode Being Scheme

3) Connect your PC/terminal and the Switch to an Ethernet, as shown in

”, section 3.3 “Telnet

”, and section 3.4 “Telnet

” for more.

Figure 3-6.

Make sure the port through which the switch is connected to the Ethernet belongs to VLAN 1 and the route between your PC and VLAN-interface 1 is reachable.

Figure 3-6 Network diagram for Telnet connection establishment

3-15

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 3 Logging in through Telnet

4) Launch Telnet on your PC, with the IP address of VLAN–interface 1 of the switch as the parameter, as shown in

Figure 3-7.

Figure 3-7 Launch Telnet

5) If the password authentication mode is specified, enter the password when the Telnet window displays “Login authentication” and prompts for login password. The CLI prompt (such as <Sysname>) appears if the password is correct. If all VTY user interfaces of the switch are in use, you will fail to establish the connection and receive the message that says “All user interfaces are used, please try later!”. A H3C series Ethernet switch can accommodate up to five Telnet connections at same time.

6) After successfully Telnetting to the switch, you can configure the switch or display the information about the switch by executing corresponding commands. You can also type ? at any time for help. Refer to the relevant parts in this manual for the information about the commands.

 Note:

z A Telnet connection is terminated if you delete or modify the IP address of the VLAN

interface in the Telnet session.

z By default, commands of level 0 are available to Telnet users authenticated by

password. Refer to section 1.2 “Command Hierarchy/Command View” in CLI part for information about command hierarchy.

3.5.2 Telnetting to another Switch from the Current Switch

Y ou can Telnet to another switch from the current switch. In this case, the current switch operates as the client, and the other operates as the server. If the interconnected Ethernet ports of the two switches are in the same LAN segment, make sure the IP addresses of the two management VLAN interfaces to which the two Ethernet ports belong to are of the same network segment, or the route between the two VLAN interfaces is available.

3-16

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 3 Logging in through Telnet

As shown in Figure 3-8, after Telnetting to a switch (labeled as Telnet client), you can Telnet to another switch (labeled as Telnet server) by executing the telnet command and then configure it.

Figure 3-8 Network diagram for Telnetting to another switch from the current switch

1) Perform Telnet-related configuration on the switch operating as the Telnet server. Refer to section section section

3.3 “Telnet Configuration with Authentication Mode Being Password”, and

3.4 “Telnet Configuration with Authentication Mode Being Scheme” for

3.2 "Telnet Configuration with Authentication Mode Being None”,

more.

2) Telnet to the switch operating as the Telnet client.

3) Execute the following command on the switch operating as the Telnet client:

<Sysname> telnet xxxx

Note that xxxx is the IP address or the host name of the switch operating as the Telnet server. You can use the ip host to assign a host name to a switch.

4) After successful login, the CLI prompt (such as <Sysname>) appears. If all the VTY user interfaces of the switch are in use, you will fail to establish the connection and receive the message that says “All user interfaces are used, please try later!”.

5) After successfully Telnetting to the switch, you can configure the switch or display the information about the switch by executing corresponding commands. You can also type ? at any time for help. Refer to the following chapters for the information about the commands.

3-17

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 4 Logging in Using a Modem

Chapter 4 Logging in Using a Modem

4.1 Introduction

The administrator can log into the Console port of a remote switch using a modem through public switched telephone network (PSTN) if the remote switch is connected to the PSTN through a modem to configure and maintain the switch remotely. When a network operates improperly or is inaccessible, you can manage switches in the network remotely in this way.

To log into a switch in this way, you need to configure the administrator side and the switch properly, as listed in the following table.

Table 4-1 Requirements for logging into a switch using a modem

Item Requirement

The PC can communicate with the modem connected to it.

Administrator side

Switch side

The modem is properly connected to PSTN. The telephone number of the switch side is available. The modem is connected to the Console port of the switch properly. The modem is properly configured. The modem is properly connected to PSTN and a telephone set. The authentication mode and other related settings are configured

on the switch. Refer to

Table 2-3.

4.2 Configuration on the Switch Side

4.2.1 Modem Configuration

Perform the following configuration on the modem directly connected to the switch:

AT&F ----------------------- Restore the factory settings ATS0=1 ----------------------- Configure to answer automatically after the first ring AT&D ----------------------- Ignore DTR signal AT&K0 ----------------------- Disable flow control AT&R1 ----------------------- Ignore RTS signal AT&S0 ----------------------- Set DSR to high level by force ATEQ1&W ----------------------- Disable the Modem from returning command response and the result, save the changes

4-1

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 4 Logging in Using a Modem

You can verify your configuration by executing the AT&V command.

 Note:

The configuration commands and the output of different modems may differ. Refer to the user manual of the modem when performing the above configuration.

4.2.2 Switch Configuration

 Note:

After logging into a switch through its Console port by using a m odem, you will enter the AUX user interface. The corresponding configuration on the switch is the same as those when logging into the switch locally through its Console port except that:

z When you log in through the Console port using a modem, the baud rate of the

Console port is usually set to a value lower than the transmission speed of the modem. Otherwise, packets may get lost.

z Other settings of the Console port, such as the check mode, the stop bits, and the

data bits, remain the default.

The configuration on the switch depends on the authentication mode the user is in. Refer to

Table 2-3 for the information about authentication mode configuration.

I. Configuration on switch when the authentication mode is none

Refer to section 2.4 “Console Port Login Configuration with Authentication Mode Being

”.

None

II. Configuration on switch when the authentication mode is password

Refer to section 2.5 “Console Port Login Configuration with Authentication Mode Being

Password

”.

III. Configuration on switch when the authentication mode is scheme

Refer to section 2.6 “Console Port Login Configuration with Authentication Mode Being

Scheme

”.

4.3 Modem Connection Establishment

1) Before using Modem to log in the switch, perform corresponding configuration for different authentication modes on the switch. Refer to section

2.4 "Console Port

4-2

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 4 Logging in Using a Modem

Login Configuration with Authentication Mode Being None”, section 2.5 “Console Port Login Configuration with Authentication Mode Being Password

”, and section

2.6 “Console Port Login Configuration with Authentication Mode Being Scheme”

for more.

2) Perform the following configuration to the modem directly connected to the switch. Refer to section

3) Connect your PC, the modems, and the switch, as shown in

4.2.1 “Modem Configuration” for related configuration. Figure 4-1. Make sure

the modems are properly connected to telephone lines.

Modem serial cable

Telephone line

PSTN

Modem

Telephone number

of the romote end:

82882285

Console port

Modem

Figure 4-1 Establish the connection by using modems

4) Launch a terminal emulation utility on the PC and set the telephone number to call the modem directly connected to the switch, as shown in

Figure 4-2 through Figure 4-4. Note that you need to set the telephone number to that of the modem

directly connected to the switch.

Figure 4-2 Create a connection

4-3

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 4 Logging in Using a Modem

Figure 4-3 Set the telephone number

Figure 4-4 Call the modem

5) If the password authentication mode is specified, enter the password when prompted. If the password is correct, the prompt (such as <Sysname>) appears. You can then configure or manage the switch. You can also enter the character ? at anytime for help. Refer to the related parts in this manual for information about the configuration commands.

 Note:

If you perform no AUX user-related configuration on the switch, the command s of level 3 are available to modem users. Refer to the CLI part for information about command level.

4-4

Operation Manual – Login H3C S3100 Series Ethernet Switches

Chapter 5 Logging in through the Web-based

Network Management System

Chapter 5 Logging in through the Web-based

Network Management System

5.1 Introduction

An S3100 Ethernet switch has a Web server built in. It enables yo u to log into an S3100 Ethernet switch through a Web browser and then manage and maintain the switch intuitively by interacting with the built-in Web server.

To log into an S3100 Ethernet switch through the built-in Web-based network management system, you need to perform the related configuration on both the switch and the PC operating as the network management terminal.

Table 5-1 Requirements for logging into a switch through the Web-based netwo rk management system

Item Requirement

The VLAN interface of the switch is assigned an IP address, and the route between the switch and the Web network management terminal is reachable. (Refer to the

Switch

PC operating as the network management terminal

IP Address Configuration – IP Performance Configuration and Routing Protocol parts for related information.)

The user name and password for logging into the Web-based network management system are configured.

IE is available. The IP address of the VLAN interface of the switch, the

user name, and the password are available.

5.2 Establishing an HTTP Connection

1) Assign an IP address to VLAN-interface 1 of the switch (VLAN 1 is the default VLAN of the switch). See section related information.

2) Configure the user name and the password on the switch for the Web network management user to log in.

3.5.1 "Telnetting to a Switch from a Terminal" for

# Create a Web user account, setting both the user name and the password to “admin ” and the user level to 3.

<Sysname> system-view [Sysname] local-user admin [Sysname-luser-admin] service-type telnet level 3

5-1

Operation Manual – Login H3C S3100 Series Ethernet Switches

[Sysname-luser-admin] password simple admin

3) Establish an HTTP connection between your PC and the switch, as shown in

Figure 5-1.

Figure 5-1 Establish an HTTP connection between your PC and the switch

4) Log into the switch through IE. Launch IE on the Web-based network management terminal (your PC) and enter the IP address of the management VLAN interface of the switch in the address bar. (Make sure the route between the Web-based network management terminal and the switch is available.)

5) When the login authentication interface (as shown in the user name and the password configured in step 2 and click <Login> to bring up the main page of the Web-based network management system.

Chapter 5 Logging in through the Web-based

Network Management System

Figure 5-2) appears, enter

Figure 5-2 The login page of the Web-based network management system

5.3 Configuring the Login Banner

5.3.1 Configuration Procedure

If a login banner is configured with the header command, when a user logs in through Web, the banner page is displayed before the user login authentication page. The contents of the banner page are the login banner information configured with the header command. Then, by clicking <Continue> on the banner page, the user can enter the user login authentication page, and enter the main page of the Web-based network management system after passing the authentication. If no login banner is configured by the header command, a user logging in through Web directly enters the user login authentication page.

5-2

Operation Manual – Login H3C S3100 Series Ethernet Switches

Table 5-2 Configure the login banner

Operation Command Description

Chapter 5 Logging in through the Web-based

Network Management System

Enter system view Configure the banner to be

displayed when a user logs in through Web

5.3.2 Configuration Example

I. Network requirements

z A user logs in to the switch through Web. z The banner page is desired when a user logs into the switch.

II. Network diagram

Figure 5-3 Network diagram for login banner configuration

system-view

header login text

— Required

By default, no login banner is configured.

III. Configuration Procedure

# Enter system view.

<Sysname> system-view

# Configure the banner "Welcome" to be displayed when a user logs into the switch through Web.

[Sysname] header login %Welcome%

Assume that a route is available between the user terminal (the PC) and the switch. After the above-mentioned configuration, if you enter the IP address of the switch in the address bar of the browser running on the user terminal and press <Enter>, the browser will display the banner page, as shown in

Figure 5-4.

5-3

Operation Manual – Login H3C S3100 Series Ethernet Switches

Figure 5-4 Banner page displayed when a user logs in to the switch through Web

Click <Continue> to enter user login authentication page. You will enter the main page of the Web-based network management system if the authentication succeeds.

Chapter 5 Logging in through the Web-based

Network Management System

5.4 Enabling/Disabling the WEB Server

Table 5-3 Enable/Disable the WEB Server

Operation Command Description

Enter system view Enable the Web

server Disable the Web

server

 Note:

To improve security and prevent attack to the unused Sockets, TCP 80 port (which is for HTTP service) is enabled/disabled after the corresponding configuration.

z Enabling the Web server (by using the undo ip http shutdown command) opens

TCP 80 port.

z Disabling the Web server (by using the ip http shutdown command) closes TCP

80 port.

system-view

ip http shutdown

undo ip http shutdown

—

Required By default, the Web server is enabled.

Required

5-4

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 6 Logging in through NMS

Chapter 6 Logging in through NMS

6.1 Introduction

You can also log into a switch through a network management station (NMS), and then configure and manage the switch through the agent module on the switch. Simple network management protocol (SNMP) is applied between the NMS and the agent. Refer to the SNMP-RMON part for related information.

To log into a switch through an NMS, you need to perform related configuration on both the NMS and the switch.

Table 6-1 Requirements for logging into a switch through an NMS

Item Requirement

The IP address of the VLAN interface of the switch i s configured. The route between the NMS and the switch is reachable. (Refer

Switch

to the IP Address Configuration – IP Performance Configuration and Routing Protocol parts for related information.)

The basic SNMP functions are configured. (Refer to the SNMP-RMON part for related information.)

NMS

The NMS is properly configured. (Refer to the user manual of your NMS for related information.)

6.2 Connection Establishment Using NMS

Switch

Network

NMS

Figure 6-1 Network diagram for logging in through an NMS

6-1

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 7 User Control

Chapter 7 User Control

 Note:

Refer to the ACL part for information about ACL.

7.1 Introduction

A switch provides ways to control different types of login users, as listed in Table 7-1.

Table 7-1 Ways to control different types of login users

Telnet

SNMP

WEB

Control

method

By source IP address

By source and destination IP address

By source MAC address

By source IP addresses

Disconnect Web users by force

Implementation Related section

Through basic ACL

Through advanced ACL

Through Layer 2 ACL

Through basic ACL

By executing commands in CLI

Section 7.2.2 “”Controlling Telnet

Users by Source IP Addresses

Section 7.2.3 “Controlling Telnet

Users by Source and Destination IP Addresses

Section

Users by Source MAC Addresses

Section

Management Users by Source IP Addresses

Section 7.4 Controlling Web

Users by Source IP Address

Section

Web User by Force

”.

7.2.4 “Controlling Telnet

”

7.3 “Controlling Network

”.

7.4.3 Disconnecting a

7.2 Controlling Telnet Users

7.2.1 Prerequisites

The controlling policy against Telnet users is determined, including the source IP addresses, destination IP addresses and source MAC addresses to be controlled and the controlling actions (permitting or denying).

7-1

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 7 User Control

7.2.2 Controlling Telnet Users by Source IP Addresses

Controlling Telnet users by source IP addresses is achieved by applying basic ACLs, which are numbered from 2000 to 2999.

Table 7-2 Control Telnet users by source IP addresses

Operation Command Description

Enter system view

Create a basic ACL or enter basic ACL view

Define rules for the ACL

Quit to system view Enter user

interface view

Apply the ACL to control Telnet users by source IP addresses

system-view

acl number acl-number [ match-order { config | auto } ]

rule [ rule-id ] { deny | permit } [ rule-string ]

quit user-interface [ type ]

first-number [ last-number ]

acl acl-number { inbound | outbound }

— As for the acl number

command, the config keyword is specified by default.

Required

—

Required The inbound keyword

specifies to filter the users trying to Telnet to the current switch.

The outbound keyword specifies to filter users trying to Telnet to other switches from the current switch.

7.2.3 Controlling Telnet Users by Source and Destination IP Addresses

Controlling Telnet users by source and destination IP addresses is achieved by applying advanced ACLs, which are numbered from 3000 to 3999.

Table 7-3 Control Telnet users by source and destination IP addresses

Operation Command Description

Enter system view Create an

advanced ACL or enter advanced ACL view

Define rules for the ACL

system-view

acl number acl-number [ match-order { config | auto } ]

rule [ rule-id ] { deny | permit } protocol

[ rule-string ]

7-2

—

As for the acl number command, the config keyword is specified by default.

Required You can define rules as needed to

filter by specific source and destination IP addresses.

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 7 User Control

Operation Command Description

Quit to system view

Enter user interface view

quit user-interface [ type ]

first-number [ last-number ]

—

Required

Apply the ACL to control Telnet users by specified source and destination IP addresses

acl acl-number { inbound | outbound }

The inbound keyword specifies to filter the users trying to Telnet to the current switch.

The outbound keyword specifies to filter users trying to Telnet to other switches from the current switch.

7.2.4 Controlling Telnet Users by Source MAC Addresses

Controlling Telnet users by source MAC addresses is achieved by applying Layer 2 ACLs, which are numbered from 4000 to 4999.

Table 7-4 Control Telnet users by source MAC addresses

Operation Command Description

Enter system view Create or enter

Layer 2 ACL view

system-view

acl number acl-number

—

Required

Define rules for the ACL

rule [ rule-id ] { deny | permit } [ rule-string ]

You can define rules as needed to filter by specific

source MAC addresses. Quit to system view Enter user

interface view

quit user-interface [ type ]

first-number [ last-number ]

—

Apply the ACL to control Telnet users by specified source MAC

acl acl-number inbound

Required

By default, no ACL is applied

for Telnet users. addresses

7-3

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 7 User Control

7.2.5 Configuration Example

I. Network requirements

Only the Telnet users sourced from the IP address of 10.110.100.52 are permitted to access the switch.

II. Network diagram

10.110.100.46 Host A

IP network

Switch

Host B

10.110.100.52

Figure 7-1 Network diagram for controlling Telnet users using ACLs

III. Configuration procedure

# Define a basic ACL.

<Sysname> system-view [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0 [Sysname-acl-basic-2000] quit

# Apply the ACL.

[Sysname] user-interface vty 0 4 [Sysname-ui-vty0-4] acl 2000 inbound

7.3 Controlling Network Management Users by Source IP Addresses

You can manage an S3100 Ethernet switch through network management software. Network management users can access switches through SNMP.

Y ou need to perform the following two operatio ns to control network management users by source IP addresses.

z Defining an ACL z Applying the ACL to control users accessing the switch through SNMP

7-4

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 7 User Control

7.3.1 Prerequisites

The controlling policy against network management users is determined, including the source IP addresses to be controlled a nd the controlling actions (permitting or denying).

7.3.2 Controlling Network Management Users by Source IP Addresses

Controlling network management users by source IP addresses is achieved by applying basic ACLs, which are numbered from 2000 to 2999.

Follow these steps to control network management users by source IP addresses:

To do… Use the command… Remarks

Enter system view

Create a basic ACL or enter basic ACL view

Define rules for the ACL

Quit to system view Apply the ACL while

configuring the SNMP community name

Apply the ACL while configuring the SNMP group name

Apply the ACL while configuring the SNMP user name

system-view

acl number acl-number [ match-order { auto | config } ]

rule [ rule-id ] { deny | permit }

[ rule-string ]

quit

snmp-agent community { read | write } community-name [ acl acl-number | mib-view view-name ]*

snmp-agent group { v1 | v2c }

group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]

snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view

write-view ] [ notify-view notify-view ] [ acl acl-number ]

snmp-agent usm-user { v1 | v2c }

user-name group-name [ acl acl-number ]

snmp-agent usm-user v3 user-name group-name [ [ cipher ] authentication-mode { md5 | sha }

auth-password [ privacy-mode { des56 | aes128 } priv-password ] ] [ acl acl-number ]

— As for the acl

number command, the config keyword is specified by default.

Required

—

Required According to the

SNMP version and configuration customs of NMS users, you can reference an ACL when configuring community name, group name or username. For the detailed configuration, refer to SNMP-RMON for more.

7-5

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 7 User Control

7.3.3 Configuration Example

I. Network requirements

Only SNMP users sourced from the IP addresses of 10.110.100.52 are permitted to log into the switch.

II. Network diagram

10.110.100.46 Host A

IP network

Switch

Host B

10.110.100.52

Figure 7-2 Network diagram for controlling SNMP users using ACLs

III. Configuration procedure

# Define a basic ACL.

<Sysname> system-view [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0 [Sysname-acl-basic-2000] quit

# Apply the ACL to only permit SNMP users sourced from the IP addresses of

10.110.100.52 to access the switch.

[Sysname] snmp-agent community read aaa acl 2000 [Sysname] snmp-agent group v2c groupa acl 2000 [Sysname] snmp-agent usm-user v2c usera groupa acl 2000

7.4 Controlling Web Users by Source IP Address

You can manage an S3100 Ethernet switch remotely through Web. Web users can access a switch through HTTP connections.

You need to perform the following two operations to control Web users by source IP addresses.

z Defining an ACL z Applying the ACL to control Web users

7-6

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 7 User Control

7.4.1 Prerequisites

The controlling policy against Web users is determined, including the source IP addresses to be controlled and the controlling actions (permitting or denying).

7.4.2 Controlling Web Users by Source IP Addresses

Controlling Web users by source IP addresses is achieved by applying basic ACLs, which are numbered from 2000 to 2999.

Table 7-5 Control Web users by source IP addresses

Operation Command Description

Enter system view

Create a basic ACL or enter basic ACL view

Define rules for the ACL

Quit to system view

Apply the ACL to control Web users

system-view

acl number acl-number [ match-order { config | auto } ]

rule [ rule-id ] { deny | permit } [ rule-string ]

quit

ip http acl acl-number

7.4.3 Disconnecting a Web User by Force

The administrator can disconnect a Web user by force using the related commands.

Table 7-6 Disconnect a Web user by force

Operation Command Description

— As for the acl number

command, the config keyword is specified by default.

Required

— Optional

By default, no ACL is applied for Web users.

Disconnect a Web user by force

free web-users { all | user-id user-id | user-name

user-name }

7.4.4 Configuration Example

I. Network requirements

Only the Web users sourced from the IP address of 10.110.100.52 are permitted to access the switch.

Required Execute this command in user

view.

7-7

Operation Manual – Login H3C S3100 Series Ethernet Switches Chapter 7 User Control

II. Network diagram

10.110.100.46 Host A

IP network

Switch

Host B

10.110.100.52

Figure 7-3 Network diagram for controlling Web users using ACLs

III. Configuration procedure

# Define a basic ACL.

<Sysname> system-view [Sysname] acl number 2030 [Sysname-acl-basic-2030] rule 1 permit source 10.110.100.52 0 [Sysname-acl-basic-2030] quit

# Apply ACL 2030 to only permit the Web users sourced from the IP address of

10.110.100.52 to access the switch.

[Sysname] ip http acl 2030

7-8

Operation Manual – Configuration File Management H3C S3100 Series Ethernet Switches Table of Contents

Table of Contents

Chapter 1 Configuration File Management................................................................................. 1-1

1.1 Introduction to Configuration File....................................................................................... 1-1

1.2 Management of Configuration File.....................................................................................1-2

1.2.1 Saving the Current Configuration............................................................................ 1-2

1.2.2 Erasing the Startup Configuration File....................................................................1-4

1.2.3 Specifying a Configuration File for Next Startup..................................................... 1-4

1.2.4 Displaying Device Configuration.............................................................................1-5

Operation Manual – Configuration File Management H3C S3100 Series Ethernet Switches Chapter 1 Configuration File Management

Chapter 1 Configuration File Management

1.1 Introduction to Configuration File

A configuratio n file records and stores user configurations performed to a switch. It also enables users to check switch configurations easily.

I. Types of configuration

The configuration of a device falls into two types:

z Saved configuration, a configuration file used for initialization. If this file does not

exist, the device starts up without loading any configuration file.

z Current configuration, which refers to the user’s configuration du ring the operation

of a device. This configuration is stored in dynamic random-access memory (DRAM). It is removed when rebooting.

II. Format of configuration file

Configuration files are saved as text files for ease of reading. They:

z Save configuration in the form of commands. z Save only non-default configuration settings. z The commands are grouped into sections by command view. The commands tha t

are of the same command view are grouped into one section. Sections are separated by comment lines. (A line is a comment line if it starts with the character “#”.)

z The sections are listed in this order: system configuration section, logical interface

configuration section, physical port configuration section, routing protocol configuration section, user interface configuration, and so on.

z End with a return.

The operating interface provided by the configuration file management function is user-friendly. With it, you can easily manage your configuration files.

III. Main/backup attribute of the configuration file

Main and backup indicate the main and backup attribute of the configuration file respectively . A main configuratio n file and a backup configuration file can coexist on the device. As such, when the main configuration file is missing or damaged, the backup file can be used instead. This increases the safety and reliability of the file system compared with the device that only support one configuration file. You can configure a file to have both main and backup attribute, but only one file of either main or backup attribute is allowed on a device.

The following three situations are concerned with the main/backup attributes:

1-1

Operation Manual – Configuration File Management H3C S3100 Series Ethernet Switches Chapter 1 Configuration File Management

z When saving the current configuration, you can specify the file to be a main or

backup or normal configuration file.

z When removing a configuration file from a device, you can specify to remove the

main or backup configuration file. Or, if it is a file having both main and backup attribute, you can specify to erase the main or backup attribute of the file.

z When setting the configuration file for next startup, you can specify to use the main

or backup configuration file.

IV. Startup with the configuration file

When booting, the system chooses the configuration files following the rules below:

1) If the main configuration file exists, the device initializes with this configuration.

2) If the main configuration file does not exist but the backup configuration file exists, the device initializes with the backup configuration.

3) If neither the main nor the backup configuration file exists:

z For an S3100-SI Ethernet switch, the switch starts up without loading the

configuration file;

z For an S3100-EI Ethernet switch, if the default configuration file config.def exists,

the switch initializes with the default configuration file; if the default configuration file does not exist, the switch starts up without loading the configuration file.

1.2 Management of Configuration File

Table 1-1 Complete these tasks to configure configuration file management

Task Remarks

Saving the Current Configuration Optional Erasing the Startup Configuration File Optional Specifying a Configuration File for Next Startup Optional

1.2.1 Saving the Current Configuration

Y ou can modify the configuration on your device at the comm and line interface (CLI). To use the modified configuration for your subsequent startup s, you must save it (using the

save command) as a configuration file. Table 1-2 Save current configuration

Operation Command Description

Save current configuration

save [ cfgfile | [ safely ] [ backup | main ] ]

Required Available in any view

1-2

Operation Manual – Configuration File Management H3C S3100 Series Ethernet Switches Chapter 1 Configuration File Management

I. Modes in saving the configuration

z Fast saving mode. This is the mode when you use the save command without the

safely keyword. The mode saves the file quicker but is likely to lose the original

configuration file if the device reboots or the power fails during the process.

z Safe mode. This is the mode when you use the save command with the safely

keyword. The mode saves the file slower but can retain the original configuration file in the device even if the device reboots or the power fails during the process.

Caution:

S3100 series Ethernet switches do not support the safe mode. When you are sav ing a configuration file using the save safely command, if the device reboots or the power fails during the saving process, the configuration file will be lost.

II. Three attributes of the configuration file

z Main attribute. When you use the save [ [ safely ] [ main ] ] command to save the

current configuration, the configuration file you get has main attribute. If this configuration file already exists and has backup attribute, the file will have both main and backup attributes after execution of this command. If the filename you entered is different from that existing in the system, this command will erase its main attribute to allow only one main attribute configuration file in the device.

z Backup attribute. When you use the save [ safely ] backup command to save the

current configuration, the configuration file you get has backup attribute. If this configuration file already exists and has main attribute, the file will have both main and backup attributes after execution of this command. If the filename you entered is different from that existing in the system, this command will erase its backup attribute to allow only one backup attribute configuration file in the device.

z Normal attribute. When you use the save cfgfile command to save the current

configuration, the configuration file you get has normal attribute if it is not an existing file. Otherwise, the attribute is dependent on the original attribute of the file.

 Note:

The extension name of the configuration file must be .cfg.

1-3

Operation Manual – Configuration File Management H3C S3100 Series Ethernet Switches Chapter 1 Configuration File Management

1.2.2 Erasing the Startup Configuration File

Y ou can cl ear the configuration files save d on the device through commands. After you clear the configuration files, the device starts up without loading the configuration file the next time it is started up.

Table 1-3 Erase the configuration file

Operation Command Description

Erase the startup configuration file from the storage device

reset saved-configuration

[ backup | main ]

Required Available in user view

You may need to erase the configuration file for one of these reasons:

z After you upgrade software, the old configuration file does not match the new

software.

z The startup configuration file is corrupted or not the one you needed.

The following two situations exist:

z While the reset saved-configuration [ main ] command erases the configuration

file with main attribute, it only erases the main attribute of a configuration file having both main and backup attribute.

z While the reset saved-configuration backup command erases the configuration

file with backup attribute, it only erases the backup attribute of a configuration file having both main and backup attribute.

Caution:

This command will permanently delete the configuration file from the device.

1.2.3 Specifying a Configuration File for Next Startup

Table 1-4 Specify a configuration file for next startup

Operation Command Description

Specify a configuration file for next startup

You can specify a configuration file to be used for the next startup and configure the main/backup attribute for the configuration file.

startup saved-configuration

cfgfile [ backup | main ]

1-4

Required Available in user view

Operation Manual – Configuration File Management H3C S3100 Series Ethernet Switches Chapter 1 Configuration File Management

I. Assign main attribute to the startup configuration file

z If you save the current configuration to the main configuration file, the system will

automatically set the file as the main startup configuration file.

z You can also use the startup saved-configuration cfgfile [ main ] command to

set the file as main startup configuration file.

II. Assign backup attribute to the startup configuration file

z If you save the current configuration to the backup configuration file, the system

will automatically set the file as the backup startup configuration file.

z You can also use the startup saved-configuration cfgfile backup command to

set the file as backup startup configuration file.

Caution:

The configuration file must use “.cfg” as its extension name and the startup configuration file must be saved at the root directory of the device.

1.2.4 Displaying Device Configuration

After the above configuration, you can execute the display command in any view to display the current and initial configurations of the device, so as to verify your configuration.

1-5

Operation Manual – Configuration File Management H3C S3100 Series Ethernet Switches Chapter 1 Configuration File Management

Table 1-5 Display Device Configuration

Operation Command Description

Display the initial configuration file saved in the storage device

Display the configuration file used for this and next startup

Display the current VLAN configuration of the device

Display the validated configuration in current view

Display current configuration

display saved-configuration [ unit unit-id ] [ by-linenum ]

display startup [ unit unit-id ]

display current-configuration vlan [ vlan-id ] [ by-linenum ]

display this [ by-linenum ]

display current-configuration

[ configuration [ configuration-type ] | interface [ interface-type ] [ interface-number ] ] [ by-linenum ] [ | { begin |

exclude | include } regular-expression ]

You can execute the

display

command in any view.

1-6

Operation Manual – VLAN H3C S3100 Series Ethernet Switches Table of Contents

Table of Contents

Chapter 1 VLAN Overview............................................................................................................1-1

1.1 VLAN Overview..................................................................................................................1-1

1.1.1 Introduction to VLAN...............................................................................................1-1

1.1.2 Advantages of VLANs.............................................................................................1-2

1.1.3 VLAN Fundamentals...............................................................................................1-2

1.1.4 VLAN Interface........................................................................................................ 1-4

1.1.5 VLAN Classification................................................................................................. 1-5

1.2 Port-Based VLAN...............................................................................................................1-5

1.2.1 Link Types of Ethernet Ports...................................................................................1-5

1.2.2 Assigning an Ethernet Port to Specified VLANs.....................................................1-6

1.2.3 Configuring the Default VLAN ID for a Port ............................................................ 1-6

1.3 Protocol-Based VLAN........................................................................................................1-7

1.3.1 Introduction to Protocol-Based VLAN.....................................................................1-7

1.3.2 Encapsulation Format of Ethernet Data..................................................................1-8

1.3.3 Encapsulation Formats ........................................................................................... 1-9

1.3.4 Implementation of Protocol-Based VLAN ............................................................... 1-9

Chapter 2 VLAN Configuration .................................................................................................... 2-1

2.1 VLAN Configuration...........................................................................................................2-1

2.1.1 VLAN Configuration Task List................................................................................. 2-1

2.1.2 Basic VLAN Configuration....................................................................................... 2-1

2.1.3 Basic VLAN Interface Configuration .......................................................................2-2

2.1.4 Displaying VLAN Configuration...............................................................................2-3

2.2 Configuring a Port-Based VLAN........................................................................................ 2-3

2.2.1 Configuring an Access-Port-Based VLAN .............................................................. 2-3

2.2.2 Configuring a Hybrid-Port-Based VLAN.................................................................. 2-4

2.2.3 Configuring a Trunk-Port-Based VLAN................................................................... 2-5

2.2.4 Displaying and Maintaining Port-Based VLAN........................................................2-6

2.2.5 Port-Based VLAN Configuration Example..............................................................2-6

2.2.6 Troubleshooting Ethernet Port Configuration.......................................................... 2-8

2.3 Configuring a Protocol-Based VLAN .................................................................................2-8

2.3.1 Protocol-Based VLAN Configuration Task List.......................................................2-8

2.3.2 Configuring a Protocol Template for a Protocol-Based VLAN................................2-8

2.3.3 Associating a Port with a Protocol-Based VLAN.....................................................2-9

2.3.4 Displaying Protocol-Based VLAN Configuration................................................... 2-10

2.3.5 Protocol-Based VLAN Configuration Example......................................................2-10

Operation Manual – VLAN H3C S3100 Series Ethernet Switches Chapter 1 VLAN Overview

Chapter 1 VLAN Overview

This chapter covers these topics:

z VLAN Overview z Port-Based VLAN z Protocol-Based VLAN

1.1 VLAN Overview

1.1.1 Introduction to VLAN

The traditional Ethernet is a broadcast network, where all hosts are in the same broadcast domain and connected with each other through hubs o r swit che s. Hubs a nd switches, which are the basic network connection devices, have limited forwarding functions.

z A hub is a physical layer device without the switching function, so it forwards the

received packet to all ports except the inbound port of the packet.

z A switch is a link layer device which can forward a packet according to the MAC

address of the packet. However, when the switch receives a broadcast packet or an unknown unicast packet whose MAC address is not included in the MAC address table of the switch, it will forward the packet to all the ports except the inbound port of the packet.

The above scenarios could result in the following network problems.

z Large quantity of broadcast packets or unknown unicast packets may exist in a

network, wasting network resources.

z A host in the network receives a lot of packets whose destination is not the host

itself, causing potential serious security problems.

Isolating broadcast domains is the solution for the above problem s. The traditional way is to use routers, which forward packets according to the destination IP address and does not forward broadcast packets in the link layer. However, routers are expensive and provide few ports, so they cannot split the network efficiently. Therefore, using routers to isolate broadcast domains has many limitations.

The Virtual Local Area Network (VLA N) technology is developed for switches to control broadcasts in LANs.

A VLAN can sp an multiple physical spaces. This enables host s in a VLAN to be located in different physical locations.

By creating VLANs in a physical LAN, you can divide the LAN into multiple logical LANs, each of which has a broadcast domain of its own. Hosts in the same VLAN communicate in the traditional Ethernet way . Howeve r , host s in diff erent VLANs cannot

1-1

H3C S3100 8C SI User Manual

Specifications and Main Features

Frequently Asked Questions

User Manual

I. Command conventions

II. GUI conventions

III. Symbols

Chapter 1 Obtaining the Documentation

1.1 CD-ROM

1.2 H3C Website

1.3 Software Release Notes

2.1 Manual List

2.2 Software Version

Chapter 3 Product Overview

3.1 Overview

3.2 Software Features

Chapter 4 Network Design

4.1 MAN Access Solution

4.2 Education Network Solution

4.3 Multi-Service Carrier VLAN Solution

Chapter 1 CLI Configuration

1.1 Introduction to the CLI

1.2 Command Hierarchy

1.2.1 Command Level and User Privilege Level

I. Command level

II. User privilege level

1.2.2 Modifying the Command Level

I. Modifying the Command Level

II. Configuration example

1.2.3 Switching User Level

I. Specifying the authentication mode for user level switching

II. Adopting super password authentication for user level switching

III. Adopting HWTACACS authentication for user level switching

IV. Switching to a specific user level

V. Configuration example

1.3 CLI Views

1.4 CLI Features

1.4.1 Online Help

I. Complete online help

II. Partial online help

1.4.2 Terminal Display

1.4.3 Command History

1.4.4 Error Prompts

1.4.5 Command Edit

Chapter 1 Logging into an Ethernet Switch

1.1 Logging into an Ethernet Switch

1.2 Introduction to the User Interface

1.2.1 Supported User Interfaces

1.2.2 User Interface Index

1.2.3 Common User Interface Configuration

Chapter 2 Logging in through the Console Port

2.1 Introduction

2.2 Logging in through the Console Port

2.3 Console Port Login Configuration

2.3.1 Common Configuration

2.3.2 Console Port Login Configurations for Different Authentication Modes

2.4 Console Port Login Configuration with Authentication Mode Being None

2.4.1 Configuration Procedure

2.4.2 Configuration Example

I. Network requirements

II. Network diagram

III. Configuration procedure

2.5 Console Port Login Configuration with Authentication Mode Being Password

2.5.1 Configuration Procedure

2.5.2 Configuration Example

I. Network requirements

II. Network diagram

III. Configuration procedure

2.6 Console Port Login Configuration with Authentication Mode Being Scheme

2.6.1 Configuration Procedure

2.6.2 Configuration Example

I. Network requirements

II. Network diagram

III. Configuration procedure

Chapter 3 Logging in through Telnet

3.1 Introduction

3.1.1 Common Configuration

3.1.2 Telnet Configurations for Different Authentication Modes

3.2 Telnet Configuration with Authentication Mode Being None

3.2.1 Configuration Procedure