Enterprise products and services are set forth in the express warranty statements accompanying such
products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett
Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or
copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software
Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s
standard commercial license.
Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard
Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise
website.
Acknowledgments
Intel®, Itanium®, Pentium®, Intel Inside®, and the Intel Inside logo are trademarks of Intel Corporation in the
United States and other countries.
Microsoft® and Windows® are trademarks of the Microsoft group of companies.
Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.
Java and Oracle are registered trademarks of Oracle and/or its affiliates.
UNIX® is a registered trademark of The Open Group.
Contents
Overview  1
  Restrictions: Applicable hardware platforms and software versions  1
Logging in to the Web interface  2
  Restrictions and guidelines  2
    Web browser requirements  2
    Default login settings  2
    Concurrent login users  3
  Logging in to the Web interface for the first time  3
  Logging out of the Web interface  4
Using the Web interface  5
  Types of webpages  6
    Using a feature page  6
    Using a table page  6
    Using a configuration page  7
  Icons and buttons  8
  Performing basic tasks  9
    Saving the configuration  9
    Displaying or modifying settings of a table entry  9
    Rebooting the device  10
  Dashboard menu  11
  Device menu  11
  Network menu  12
  Resources menu  16
  QoS menu  17
  Security menu  17
  PoE menu  18
  Log menu  18
    Stack domain ID  25
    Stack split and stack merge  25
    Member priority  26
Network services features  27
  Link aggregation  27
    Aggregation group  27
    Link aggregation modes  28
  Storm control  31
  Port isolation  31
    Security mode and normal mode of voice VLANs  33
  MAC  33
    Types of MAC address entries  33
    Aging timer for dynamic MAC address entries  34
    MAC address learning  34
  STP  34
    Spanning tree modes  35
    Port roles  35
    Port states  36
  LLDP  36
    IP address classes  39
    Subnetting and masking  39
    IP address configuration methods  40
    MTU for an interface  40
  ARP  40
    Types of ARP table entries  40
    ACL types and match criteria  60
    Match order  60
    Rule numbering  61
  Time range  62
  SSL  62
  Public key  62
    Managing local key pairs  63
    Managing peer public keys  63
  PKI  64
Index  160
Overview
This user guide provides the following information:
Information: Section
• How to log in to the Web interface for the first time: Logging in to the Web interface for the first time
• How to use the Web interface: Using the Web interface
• What features you can configure from the Web interface: Feature navigator
• How to access the page for a feature or task: Feature navigator
• How to use features in typical scenarios: Configuration examples
• How to manage the device from the CLI: Appendix A Managing the device from the CLI
This user guide does not include step-by-step configuration procedures, because the webpages are
task oriented by design. A configuration page typically provides links to any pages that are required
to complete the task. Users do not have to navigate to multiple pages. For tasks that require
navigation to multiple pages, this user guide provides configuration examples.
This user guide also does not provide detailed information about parameters. You can obtain
sufficient online help, feature information, and parameter information from the webpages.
Restrictions: Applicable hardware platforms and software versions
If the network has a DHCP server, you must use the DHCP assigned IP address to access the
device. For more information, see "Logging in to the Web interface for the first time."
Logging in to the Web interface
Log in to the Web interface through HTTP or HTTPS.
Restrictions and guidelines
To ensure a successful login, verify that your operating system and Web browser meet the
requirements, and follow the guidelines in this section.
Web browser requirements
As a best practice, use one of the following Web browsers to log in:
• Internet Explorer 8 or higher.
• Google Chrome 10 or higher.
• Mozilla Firefox 4 or higher.
• Opera 11.11 or higher.
• Safari 5.1 or higher.
To access the Web interface, you must use the following browser settings:
• Accept the first-party cookies (cookies from the site you are accessing).
• To ensure correct display of webpage contents after software upgrade or downgrade, clear data
cached by the browser before you log in.
• Enable active scripting or JavaScript, depending on the Web browser.
• If you are using a Microsoft Internet Explorer browser, you must enable the following security
settings:
− Run ActiveX controls and plug-ins.
− Script ActiveX controls marked safe for scripting.
Default login settings
Use the settings in Table 1 for the first login.
Table 1 Default login settings
Item: Setting
• Device IP (VLAN-interface 1), IP address and mask: See "Logging in to the Web interface for the first time."
• Username: admin (see "Logging in to the Web interface for the first time.")
• Password: None
• User role: network-admin
IMPORTANT:
As a best practice, change the login information and assign access permissions immediately after
the first successful login for security purposes.
Concurrent login users
The Web interface allows a maximum of 32 concurrent accesses. If this limit is reached, login
attempts will fail.
Logging in to the Web interface for the first time
By default, HTTP and HTTPS are enabled.
To log in to the Web interface:
1. Use an Ethernet cable to connect the configuration terminal to an Ethernet port on the device.
2. Identify the IP address and mask of the device.
If the device is not connected to the network, or no DHCP server exists on the network, the
device uses the default IP address and mask. The default mask is 255.255.0.0. The default
IP address is 169.254.xxx.xxx, where xxx.xxx depends on the last two bytes of the MAC
address. Find the MAC address label on the device and use the following rules to determine
the last two bytes for the IP address:
Last two bytes of the MAC address: Last two bytes of the IP address
• All 0s: 0.1 (the IP address is 169.254.0.1).
• All Fs: 255.1 (the IP address is 169.254.255.1).
• Not all 0s or all Fs: Decimal values of the last two bytes of the MAC address. For example, if
the last two bytes are 2A and 3F, the IP address is 169.254.42.63 (the decimal value of 2A is
42, and the value of 3F is 63).
If a DHCP server is available, the device obtains an IP address from the server. To identify
the address, log in to the device through the console port, and then execute the summary
command. The following is the sample output:
<Sysname> summary
Select menu option: Summary
IP Method: DHCP
IP address: 10.153.96.86
Subnet mask: 255.255.255.0
Default gateway: 0.0.0.0
For more information about console login, see the getting started guide for the device.
3. Assign the login host an IP address in the same subnet as the device.
4. Open the browser, and then enter login information:
a. In the address bar, enter the IP address of the device.
− HTTP access—Enter the address in the http://ip-address:port or ip-address:port
format.
− HTTPS access—Enter the address in the https://ip-address:port format.
The ip-address argument represents the IP address of the device. The port argument
represents the HTTP or HTTPS service port. The default port number is 80 for HTTP and
443 for HTTPS. You do not need to enter the port number if you have not changed the
service port setting.
b. On the login page, enter the default username (admin) and the verification code.
You do not need to enter a password at the first login.
c. Click Login.
5. Change the login information:
− To change the password of the login user (admin at the first login), click the Admin icon.
− To add new user accounts and assign access permissions to different users, select Device >
Maintenance > Administrators.
Logging out of the Web interface
For security purposes, log out of the Web interface immediately after you finish your tasks.
IMPORTANT:
• You cannot log out by closing the browser.
• The device does not automatically save the configuration when you log out of the Web interface.
• To prevent the loss of configuration when the device reboots, you must save the configuration.
1. Use one of the following methods to save the current configuration.
− Click the Save icon in the left corner.
− Select Device > Maintenance > Configuration to access the configuration management
page.
2. Click Logout in the upper-left corner of the Web interface.
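The address rules from steps 2 to 4 of the first-login procedure, worked through in code. This is an added example written for this edition, not code from the HPE user guide or from the device: the MAC address labels and the login-host address are constructed samples, the function names are the example's own, and the only page-supplied data is the guide's sample summary output (10.153.96.86/255.255.255.0). It applies the three MAC rules (all 0s, all Fs, otherwise decimal), prefers the DHCP lease when the console summary reports one, checks that the login host shares the device subnet, and builds the browser address with the port omitted whenever it is the default 80 or 443.

```python
"""Derive the first-login management address described in the guide.

Added example; not part of the user guide.  Sample MAC labels and the login
host address are constructed.  The 'summary' output used in the usage block
is the guide's own sample output.
"""
import ipaddress
import re
from typing import Optional, Tuple

DEFAULT_MASK = "255.255.0.0"          # default mask stated in the guide
DEFAULT_PORTS = {"http": 80, "https": 443}


def default_ip_from_mac(mac: str) -> str:
    """Apply the guide's three rules to the last two bytes of the MAC label."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)   # accept 00-1B-.., 00:1b:.., 001b..
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    last_two = digits[-4:].upper()
    if last_two == "0000":          # all 0s  -> 0.1
        return "169.254.0.1"
    if last_two == "FFFF":          # all Fs  -> 255.1
        return "169.254.255.1"
    # otherwise: decimal value of each of the last two bytes
    return f"169.254.{int(last_two[:2], 16)}.{int(last_two[2:], 16)}"


def parse_summary(output: str) -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Read (IP Method, IP address, Subnet mask) from console 'summary' output."""
    fields = {}
    for line in output.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields.get("IP Method"), fields.get("IP address"), fields.get("Subnet mask")


def device_address(mac: str, summary_output: Optional[str] = None) -> Tuple[str, str]:
    """Return (ip, mask): the DHCP lease when summary reports DHCP, else the default."""
    if summary_output:
        method, ip, mask = parse_summary(summary_output)
        if method == "DHCP" and ip and mask:
            return ip, mask
    return default_ip_from_mac(mac), DEFAULT_MASK


def host_in_same_subnet(host_ip: str, device_ip: str, mask: str) -> bool:
    """Step 3: the login host must sit in the device's subnet (and not reuse its address)."""
    net = ipaddress.IPv4Network(f"{device_ip}/{mask}", strict=False)
    return ipaddress.IPv4Address(host_ip) in net and host_ip != device_ip


def login_url(ip: str, scheme: str = "https", port: Optional[int] = None) -> str:
    """Step 4a: build the browser address; the port is omitted when it is the default."""
    if scheme not in DEFAULT_PORTS:
        raise ValueError("scheme must be 'http' or 'https'")
    if port is None or port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{ip}"
    return f"{scheme}://{ip}:{port}"


if __name__ == "__main__":
    # Constructed MAC label whose last two bytes are 2A and 3F.
    ip, mask = device_address("00-1B-2C-3D-2A-3F")
    print(ip, mask, login_url(ip))                       # 169.254.42.63 255.255.0.0 https://169.254.42.63
    # The guide's sample console output for the DHCP case.
    summary = ("<Sysname> summary\nSelect menu option: Summary\nIP Method: DHCP\n"
               "IP address: 10.153.96.86\nSubnet mask: 255.255.255.0\nDefault gateway: 0.0.0.0\n")
    print(device_address("00-1B-2C-3D-2A-3F", summary))  # ('10.153.96.86', '255.255.255.0')
```

Because Table 1 lists no password for the default admin account, the address this code produces is all that is needed to reach the login page; step 5 (set a password and assign access permissions) is therefore the first action to take once connected, before the device is attached to a network with other hosts.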
Using the Web interface
The Web interface contains the following areas:
Figure 1 Web interface layout
(1) Banner and auxiliary area
(2) Navigation tree
(3) Content pane
Area: Description
(1) Banner and auxiliary area: Contains the following items:
• Basic information, including the Hewlett Packard Enterprise logo, device name, and information
about the current login user.
• Basic management icons:
− Admin icon—Click this icon to change the login password.
− Logout icon—Click this icon to log out.
− Save icon—Click this icon to save the configuration.
(2) Navigation tree: Organizes feature menus in a tree.
(3) Content pane: Displays information and provides an area for you to configure features.
Depending on the content in this pane, the webpages include the following types:
• Feature page—Contains functions or features that a feature module can provide (see "Using a
feature page").
• Table page—Displays entries in a table (see "Using a table page").
• Configuration page—Contains parameters for you to configure a feature or function (see "Using
a configuration page").
Types of webpages
Webpages include feature, table, and configuration pages. This section provides basic information
about these pages. For more information about using the icons and buttons on the pages, see "Icons
and buttons."
Using a feature page
As shown in Figure 2, a feature page contains information about a feature module, including its table
entry statistics, features, and functions. From a feature page, you can configure features provided by
a feature module.
Figure 2 Sample feature page
Using a table page
As shown in Figure 3, a table page displays entries in a table. To sort entries by a field in ascending
or descending order, click the field. For example, click MAC Address to sort entries by MAC
address.
Figure 3 Sample table page
Using a configuration page
As shown in Figure 4, one configuration page contains all parameters for a configuration task. If a
parameter must be configured on another page, the configuration page typically provides a link. You
do not need to navigate to the destination page.
For example, you must use an ACL when you configure a packet filter. If no ACLs are available when
you perform the task, you can click the Add icon to create an ACL. In this situation, you do not
need to navigate to the ACL management page.
Figure 4 Sample configuration page (callouts: Counter icon, Status control icon, Search icons)
Icons and buttons
Table 2 describes icons and buttons you can use to configure and manage the device.
Table 2 Icons and buttons
Icon/button, icon/button name: Task
Help icons
• Help: Obtain help information for a feature.
• Hint: Obtain help information for a function or parameter.
Counter icon
• Counter: Identify the total number of table entries.
Navigation icon
• Next: Access the lower-level page to display information or configure settings.
Status control icon
• Status control: Control the enable status of the feature.
− If ON is displayed, the feature is enabled. To disable the feature, click the button.
− If OFF is displayed, the feature is disabled. To enable the feature, click the button.
Search icons
• Search: Enter a search expression in the search box, and then click this icon to perform a basic
search.
• Advanced search: Click this icon, and then enter a combination of criteria to perform an
advanced search.
Entry management icons
• Refresh: Refresh table entries manually.
• Add: Add a new entry, or confirm the addition of an entry and continue to add an additional
entry.
• Detail: Display or modify settings of an entry. This icon appears at the end of an entry when you
hover over the entry.
• Delete: Delete an entry. This icon appears at the end of an entry when you hover over the entry.
• Bulk-delete: Select one or multiple entries, and then click this icon to delete the selected entries.
• Field selector: Select fields to be displayed.
Advanced settings
• Advanced settings: Access the configuration page to configure settings.
Performing basic tasks
This section describes the basic tasks that must be frequently performed when you configure or
manage the device.
Saving the configuration
Typically, settings take effect immediately after you create them. However, the system does not
automatically save the settings to the configuration file. They are lost when the device reboots.
To prevent settings from being lost, use one of the following methods to save the configuration:
• Click the Save icon in the left corner.
• Select Device > Maintenance > Configuration to access the configuration management
page.
Displaying or modifying settings of a table entry
1. Hover over the entry.
2. Click the Detail icon at the end of the entry.
Rebooting the device
Reboot is required for some settings (for example, the stack setup) to take effect.
To reboot the device:
1. Save the configuration.
2. Select Device > Maintenance > Reboot.
3. On the reboot page, click the reboot button.
Feature navigator
Menu items and icons available to you depend on the user roles you have. By default, you can use
any user roles to display information. To configure features, you must have the network-admin user
role.
This chapter describes all menus available for the network-admin user role. The top-level menu
includes Dashboard, Device, Network, Resources, QoS, Security, PoE, and Log. For each top
menu, a navigator table is provided. Use the navigator tables to navigate to the pages for the tasks
you want to perform.
NOTE:
In the navigator tables, a menu is in boldface if it has submenus.
For example:
• To change the default device name, select Device > Maintenance > Settings from the
navigation tree.
• To delete an IPv4 ACL, select Resources > ACL > IPv4 from the navigation tree.
Dashboard menu
The dashboard menu provides an overview of t he sy stem and its running status, including:
• System logs.
• System utilization.
• System info.
This menu does not contain submenus.
Device menu
Use Table 3 to navigate to the tasks you can perform from the Device menu.
Table 3 Device menu navigator
Menus: Tasks
Maintenance > Settings
• Configure basic device settings, including the device name, location, and contact.
• Configure the system time settings. You can manually set the system time, or configure the
device to obtain the UTC time from a trusted time source and calculate the system time.
Maintenance > Administrators
• Create, modify, or delete user roles.
• Create, modify, or delete user accounts.
• Assign user roles to administrators for access control.
• Manage passwords.
Maintenance > Configuration
• Save the running configuration.
• Import configuration and export the running configuration. This task is not supported in
Release 3111P02.
• Display the running configuration.
• Restore the factory-default configuration.
Maintenance > File System
• Display storage medium information.
• Display file and folder information.
• Delete files.
• Download and upload files.
Maintenance > Upgrade
• Upgrade software images.
• Display software image lists, including:
− Current software images.
− Main and backup startup software images.
Maintenance > Diagnostics
• Collect diagnostic information used for system diagnostics and troubleshooting.
Maintenance > Reboot
• Reboot the device.
Maintenance > About
• Display basic device information, including:
− Device name.
− Serial number.
− Version information.
− Electronic label.
− Legal statement.
Virtualization > IRF
• Configure the following settings to set up an HPE OfficeConnect 1950 stack:
− Member ID.
− Priority.
− Domain ID.
− Stack port bindings.
• Display the stack topology.
Network menu
Use Table 4 to navigate to the tasks you can perform from the Network menu.
Table 4 Network menu navigator
Menus: Tasks
Probe > Ping
• Test the connectivity to a device in an IPv4 network.
• Test the connectivity to a device in an IPv6 network.
Probe > Tracert
• IPv4 Tracert.
• IPv6 Tracert.
Interfaces > Interfaces
• Display interfaces and their attributes, including:
− Interface status.
− IP address.
− Speed and duplex mode.
− Interface description.
• Change interface settings.
• Delete logical interfaces.
Interfaces > Link Aggregation
• Create, modify, or delete Layer 2 aggregation groups.
Interfaces > Storm Constrain
• Set the statistics polling interval.
• Set storm control parameters.
• Display storm control information.
Interfaces > Isolation
• Create isolation groups.
• Modify isolation groups.
Links > VLAN
• Configure port-based VLANs.
• Create VLAN-interfaces.
Links > Voice VLAN
• Assign ports to voice VLANs.
• Set the port mode to manual or automatic.
• Set the voice VLAN mode to normal or security.
• Configure the QoS settings for voice packets.
• Add OUI addresses.
Links > MAC
• Create or delete static MAC entries, dynamic MAC entries, and blackhole MAC entries.
• Display existing MAC entries.
Links > STP
• Enable or disable STP globally.
• Enable or disable STP on interfaces.
• Configure the STP operating mode as STP, RSTP, PVST, or MSTP.
• Configure instance priorities.
• Configure MST regions.
Links > LLDP
• Enable or disable LLDP.
• Modify the LLDP operating mode.
• Modify the interface mode.
• Configure LLDP to advertise the specified TLVs.
Links > (DHCP snooping menu; its name is missing from the extracted text)
• Configure a port as a trusted or untrusted port.
• Record and back up DHCP snooping entries.
• Configure the following features for DHCP snooping ports:
− Enable support for Option 82. If Option 82 is enabled, you can configure the handling
strategy, the padding format, and the padding contents for Option 82.
IP > IP
• Configure the method to obtain an IP address (DHCP or static).
• Configure the IP address or MTU of an interface.
• Create a loopback interface.
IP > ARP
• Manage dynamic ARP entries and static ARP entries.
• Configure ARP proxy.
• Configure gratuitous ARP.
• Configure ARP attack protection.
IP > DNS
• Configure IPv4 static domain name resolution.
• Configure IPv4 dynamic domain name resolution.
• Configure the DNS proxy.
• Configure IPv4 domain name suffixes.
IP > Dynamic DNS
• Manage dynamic DNS policies.
• Configure an interface to be associated with the dynamic DNS policy.
IPv6 > IPv6
• Configure the method to obtain an IPv6 address (manual assignment, dynamic assignment, or
auto generation).
• Configure the IPv6 address of an interface.
• Create a loopback interface.
IPv6 > ND
• Manage dynamic ND entries and static ND entries.
• Configure RA settings for an interface, including:
− RA message suppression.
− Maximum and minimum intervals for sending RA messages.
− Hop limit.
− M-flag.
− O-flag.
− Router lifetime.
− NS retransmission interval.
− Router preference.
− Neighbor reachable time.
• Enable common and local ND proxy on an interface.
• Configure ND rules for the interface.
IPv6 > DNS
• Configure static and dynamic IPv6 domain name resolution.
• Configure the IPv6 DNS proxy.
• Configure IPv6 domain name suffixes.
Mirroring > Port Mirroring
• Configure local mirroring groups.
• Configure remote mirroring groups.
Routing > Routing Table
• Display IPv4 and IPv6 routing table information, including brief routing table information and
route statistics.
Routing > Static Routing
• Display IPv4 and IPv6 static route entries.
• Create, modify, and delete IPv4 and IPv6 static route entries.
Routing > Policy-Based Routing
• Create, modify, and delete IPv4 and IPv6 policies.
• Configure interface PBR.
• Configure local PBR.
Multicast > IGMP Snooping
• Configure IGMP snooping functions, including:
− Enable dropping unknown multicast data.
− Configure the IGMP snooping querier.
− Enable fast-leave processing.
− Set the maximum number of multicast groups on a port.
Multicast > MLD Snooping
• Configure MLD snooping functions, including:
− Enable dropping unknown IPv6 multicast data.
− Configure the MLD snooping querier.
− Enable fast-leave processing.
− Set the maximum number of IPv6 multicast groups on a port.
Service > DHCP
• Configure DHCP server functions, including:
− Configure DHCP services.
− Configure the interface to operate in the DHCP server mode.
− Configure DHCP address pools.
− Configure the IP address conflict detection.
• Configure DHCP services.
• Configure the DHCP relay agent mode.
• Configure the IP address of the DHCP server.
• Configure settings for DHCP relay entries, including:
− Recording of DHCP relay entries.
− Periodic refreshing of DHCP relay entries.
− Interval for refreshing DHCP relay entries.
Service > HTTP/HTTPS
• Enable or disable HTTP service.
• Enable or disable HTTPS service.
• Set the Web connection idle timeout.
• Set the HTTP service port number.
• Set the HTTPS service port number.
• Specify Web access control ACLs.
Service > SSH (not available in Release 3111P02)
• Enable the Stelnet, SFTP, and SCP services.
• Set the DSCP in packets sent by the device.
• Filter SSH clients by using an ACL.
• Set the SFTP connection idle timeout time.
Service > FTP
• Enable or disable FTP service.
• Set the DSCP value for the device to use for outgoing FTP packets.
• Specify the FTP access control ACL.
• Set the FTP connection idle timeout.
Service > Telnet
• Enable or disable Telnet service.
• Set the DSCP values for the device to use for outgoing IPv4 or IPv6 Telnet packets.
• Specify Telnet access control ACLs.
Service > NTP
• Configure the device to use the local clock as the reference clock.
Service > SNMP
• Enable SNMP.
• Configure SNMP parameters such as version, community name, group, and users.
• Configure the notification sending function.
Resources menu
The Resources menu contains common resources that can be used by multiple features. For
example, you can use an ACL both in a packet filter to filter traffic and in a QoS policy to match traffic.
Use Table 5 to navigate to the tasks you can perform from the Resources menu.
NOTE:
You can create ACLs from ACL pages or during the process of configuring a feature that uses ACLs.
However, to modify or delete an ACL, you must access the ACL menu.
Table 5 Resources menu navigator
Menus: Tasks
ACLs > IPv4
• Create, modify, or delete an IPv4 basic ACL.
• Create, modify, or delete an IPv4 advanced ACL.
ACLs > IPv6
• Create, modify, or delete an IPv6 basic ACL.
• Create, modify, or delete an IPv6 advanced ACL.
ACLs > Ethernet
• Create, modify, or delete an Ethernet frame header ACL.
Time Range > Time Range
• (The task description for this menu is missing from the extracted text.)
SSL > SSL
• Create, modify, or delete an SSL client policy.
• Create, modify, or delete an SSL server policy.
Public key > Public key
• Manage local asymmetric key pairs.
• Manage peer host public keys.
PKI > PKI
• Manage CA and local certificates.
• Create, modify, or delete a PKI domain or PKI entity.
PKI > Certificate Access Control
• Create, modify, or delete a certificate access control policy.
• Create, modify, or delete a certificate attribute group.
QoS menu
Use Table 6 to navigate to the tasks you can perform from the QoS menu.
Table 6 QoS menu navigator
Menus: Tasks
QoS
• Create, modify, or delete interface QoS policies.
• Create, modify, or delete VLAN QoS policies.
• Create, modify, or delete global QoS policies.
• Configure the port priority.
• Configure the priority trust mode for a port.
• Configure priority maps:
− Apply and reset the 802.1p-to-local priority map.
− Apply and reset the DSCP-to-802.1p priority map.
− Apply and reset the DSCP-to-DSCP priority map.
Security menu
Use Table 7 to navigate to the tasks you can perform from the Security menu.
Table 7 Security menu navigator
Menus: Tasks
Packet Filter > Packet Filter
• Create, modify, or delete a packet filter for an interface, a VLAN, or the system.
• Configure the default action for the packet filter.
IP Source Guard
• Configure an interface-specific static IPv4 source guard binding.
Access Control > 802.1X
• Enable or disable 802.1X.
• Configure the 802.1X authentication method.
• Configure the port access control method.
• Configure the port authorization state.
• Configure the authentication ISP domain on a port.
Access Control > MAC Authentication
• Enable or disable MAC authentication.
• Configure the username format.
• Configure the MAC authentication ISP domain.
Access Control > Port Security
• Enable or disable port security.
• Configure the port security mode.
• Configure the intrusion protection action.
• Configure the NTK mode.
• Configure secure MAC aging mode.
Authentication > Portal
• Configure a portal authentication server.
• Configure a portal Web server.
• Configure a local portal Web server.
• Create portal-free rules.
• Create interface policies.
Authentication > ISP Domains
• Configure ISP domains.
Authentication > RADIUS
• Configure RADIUS schemes.
Authentication > TACACS
• Configure TACACS schemes.
Authentication > Local Users
• Configure local users.
PoE menu
Use Table 8 to navigate to the tasks you can perform from the PoE menu.
Table 8 PoE menu navigator
Menus: Tasks
PoE
• Configure the maximum PoE power and power alarm threshold for the device.
• Enable or disable PoE on an interface.
• Configure the maximum PoE power, power supply priority, PD description, and fault description
for an interface.
Log menu
Use Table 9 to navigate to the tasks you can perform from the Log menu.
Table 9 Log menu navigator
Menus: Tasks
Log > System Log
• Display log information.
• Query, collect, and delete log information.
Log > Settings
• Enable or disable log output to the log buffer, and configure the maximum number of logs in the
log buffer.
• Configure the address and port number of log hosts.
Device management
Settings
Access the Settings page to change the device name, location, and system time.
System time sources
Correct system time is essential to network management and communication. Configure the system time correctly before you run the device on the network.
The device can use the manually set system time, or obtain the UTC time from a time source on the network and calculate the system time.
• When using the locally set system time, the device uses the clock signals generated by its built-in crystal oscillator to maintain the system time.
• If you change the time zone or daylight saving settings without changing the date or time, the device adjusts the system time based on the new settings.
• After obtaining the UTC time from a time source, the device uses the UTC time and the time zone and daylight saving settings to calculate the system time. Then, the device periodically synchronizes the UTC time and recalculates the system time.
• If you change the time zone or daylight saving settings, the device recalculates the system time.
The system time calculated by using the UTC time from a time source is more precise.
Make sure the time zone and daylight saving settings are the same as the parameters of the place where the device resides.
If the system time does not change accordingly when the daylight saving period ends, refresh the Web interface.
Clock synchronization protocols
The device supports the following clock synchronization protocols:
• NTP—Network Time Protocol. NTP is typically used in large networks to dynamically synchronize time among network devices. It provides higher clock accuracy than manual system time configuration.
• SNTP—Simple NTP, a simpler implementation of NTP. SNTP uses the same packet formats and exchange procedures as NTP. However, SNTP simplifies the clock synchronization procedure. Compared with NTP, SNTP uses fewer resources and implements clock synchronization in a shorter time, but it is not as accurate as NTP.
NTP/SNTP operating modes
NTP supports two operating modes: client/server mode and symmetric active/passive mode. The device can act only as a client in client/server mode or the active peer in symmetric active/passive mode.
SNTP supports only the client/server mode. The device can act only as a client.
Table 10 NTP/SNTP operating modes
Mode: Client/server
Operating process:
1. A client sends a clock synchronization message to the NTP servers.
2. Upon receiving the message, the servers automatically operate in server mode and send a reply.
3. If the client is synchronized to multiple time servers, it selects an optimal clock and synchronizes its local clock to the optimal reference source.
You can configure multiple time servers for a client.
This operating mode requires that you specify the IP address of the NTP server on the client.
Principle: A client can synchronize to a server, but a server cannot synchronize to a client.
Application scenario: This mode is intended for scenarios where devices of a higher stratum synchronize to devices with a lower stratum.
Mode: Symmetric active/passive
Operating process:
1. A symmetric active peer periodically sends clock synchronization messages to a symmetric passive peer.
2. The symmetric passive peer automatically operates in symmetric passive mode and sends a reply.
3. If the symmetric active peer can be synchronized to multiple time servers, it selects an optimal clock and synchronizes its local clock to the optimal reference source.
You must specify the IP address of the symmetric passive peer on the symmetric active peer.
Principle: A symmetric active peer and a symmetric passive peer can be synchronized to each other. If both of them are synchronized, the peer with a higher stratum is synchronized to the peer with a lower stratum.
Application scenario: This mode is most often used between servers with the same stratum to operate as a backup for one another. If a server fails to communicate with all the servers of a lower stratum, the server can still synchronize to the servers of the same stratum.
NTP/SNTP time source authentication
The time source authentication function enables the device to authenticate the received NTP or
SNTP packets. This feature ensures that the device obtains the correct GMT.
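The check that time source authentication performs, as an added example that is not the guide's or the device's own code: it assumes RFC 5905 Appendix A symmetric-key MACs (a 32-bit key ID followed by MD5 over key || header, no extension fields) and a constructed key table; the guide does not state the device's algorithm or key format.

```python
import hashlib
import hmac
import struct

# Constructed key table: key ID and secret are assumptions for this example,
# not values from the guide. Both client and server must hold the same entry.
NTP_KEYS = {42: b"constructed-shared-secret"}

NTP_HEADER_LEN = 48   # fixed NTP header, LI/VN/mode through transmit timestamp
MAC_LEN = 4 + 16      # 32-bit key ID followed by a 16-byte MD5 digest
MODE_SERVER = 4       # the only reply mode a client expects in client/server mode


def build_authenticated_reply(key_id, key, stratum=2):
    """Constructed server reply carrying an RFC 5905 Appendix A style MAC.

    MAC = key ID + MD5(key || header). Extension fields are assumed absent.
    """
    first_byte = (0 << 6) | (4 << 3) | MODE_SERVER   # LI=0, VN=4, mode=4
    header = bytes([first_byte, stratum]) + bytes(NTP_HEADER_LEN - 2)
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify_time_source_packet(packet, keys=NTP_KEYS):
    """Decide whether a received packet may be used as a time source.

    Returns (accepted, reason). Packets without a MAC, not sent by a server,
    carrying an unknown key ID, or with a bad digest are rejected, so an
    unauthenticated or forged reply cannot move the device clock.
    """
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False, "no MD5 MAC present"
    header = packet[:NTP_HEADER_LEN]
    if header[0] & 0x07 != MODE_SERVER:
        return False, "not a server reply"
    (key_id,) = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])
    received_mac = packet[NTP_HEADER_LEN + 4:]
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key ID %d" % key_id
    expected_mac = hashlib.md5(key + header).digest()
    # Constant-time comparison so the check does not leak digest bytes via timing.
    if not hmac.compare_digest(received_mac, expected_mac):
        return False, "MAC mismatch"
    return True, "authenticated"
```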
Administrators
An administrator configures and manages the device from the following aspects:
•User account management—Manages user account i nformat ion a nd att ribute s ( for ex ample,
username and password).
• Role-based access control—Manages user access permissions by user role.
• Password control—Manages user passwords and controls user login status based on
predefined policies.
IMPORTANT:
The security-audit user role has access only to security log menus. Security log menus are not supported on the current Web interface, so do not assign the security-audit user role to any users.
The service type of an administrator can be SSH, Telnet, FTP, HTTP, HTTPS, PAD, or terminal. A terminal user can access the device through the console, Aux, or Async port.
User account management
A user account on the device manages attributes for users who log in to the device with the same username. The attributes include the username, password, services, and password control parameters.
Role-based access control
Assign user roles to users to control the users' access to functions and system resources. Assigning permissions to a user role includes the following:
• Defining a set of rules to determine accessible or inaccessible functions for the user role.
• Configuring resource access policies to specify which interfaces and VLANs are accessible to the user role.
To configure a function related to a resource (an interface or VLAN), a user role must have access to both the function and the resource.
Resource access policies
Resource access policies control access of user roles to system resources and include the following types:
• Interface policy—Controls access to interfaces.
• VLAN policy—Controls access to VLANs.
You can perform the following tasks on an accessible interface or VLAN:
• Create or remove the interface or VLAN.
• Configure attributes for the interface or VLAN.
• Apply the interface or VLAN to other parameters.
Predefined user roles
The system provides predefined user roles. These user roles have access to all system resources (interfaces and VLANs). Their access permissions differ.
If the predefined user roles cannot meet the access requirements, you can define new user roles to control the access permissions for users.
Assigning user roles
Depending on the authentication method, user role assignment has the following methods:
• Local authorization—If the user passes local authorization, the device assigns the user roles specified in the local user account.
• Remote authorization—If the user passes remote authorization, the remote AAA server assigns the user roles specified on the server.
A user who fails to obtain a user role is logged out of the device.
If multiple user roles are assigned to a user, the user can use the collection of functions and
resources accessible to all the user roles.
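The access decision described in the role-based access control and user role assignment sections, as an added example that is not the guide's or the device's own code: a function is usable only when a role permits both the function and the resource, and a user holding several roles gets whatever any one of them grants (this per-role reading of "the collection of functions and resources" is an assumption). Role and function names are constructed.

```python
class UserRole:
    """A user role: function rules plus interface and VLAN resource policies.

    A resource policy of None means "all interfaces" or "all VLANs", which is
    what the guide states for the predefined user roles.
    """

    def __init__(self, name, functions, interfaces=None, vlans=None):
        self.name = name
        self.functions = set(functions)   # functions the rules make accessible
        self.interfaces = interfaces      # accessible interface names, or None
        self.vlans = vlans                # accessible VLAN IDs, or None

    def _resource_allowed(self, resource):
        if resource is None:              # function not tied to a resource
            return True
        kind, value = resource
        policy = self.interfaces if kind == "interface" else self.vlans
        return policy is None or value in policy

    def allows(self, function, resource=None):
        # Both the function and the resource must be accessible to this role.
        return function in self.functions and self._resource_allowed(resource)


def check_access(roles, function, resource=None):
    """Return (allowed, name of the granting role or None) across all roles."""
    for role in roles:
        if role.allows(function, resource):
            return True, role.name
    return False, None


# Constructed roles (names are assumptions, not the device's predefined roles).
FULL_ACCESS_ROLE = UserRole("full-access-role",
                            {"interface.configure", "vlan.configure", "vlan.create"})
VLAN10_ROLE = UserRole("vlan10-role", {"vlan.configure"},
                       interfaces=set(), vlans={10})
```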
Password control
Password control allows you to implement the following features:
• Manage login and super password setup, expirations, and updates for device management users.
• Control user login status based on predefined policies.
Local users are divided into device management users and network access users. This feature
applies only to device management users.
Minimum password length
You can define the minimum length of user passwords. If a user enters a password that is shorter
than the minimum length, the system rejects the password.
Password composition policy
A password can be a combination of characters from the following types:
• Uppercase letters A to Z.
• Lowercase letters a to z.
• Digits 0 to 9.
• Special characters. See Table 11.
Table 11 Special characters
Character name Symbol
Ampersand sign &
Apostrophe '
Asterisk *
At sign @
Back quote `
Back slash \
Blank space (N/A)
Caret ^
Colon :
Comma ,
Dollar sign $
Dot .
Equal sign =
Exclamation point !
Left angle bracket <
Left brace {
Left bracket [
Left parenthesis (
Minus sign -
Percent sign %
Plus sign +
Pound sign #
Quotation marks "
Right angle bracket >
Right brace }
Right bracket ]
Right parenthesis )
Semi-colon ;
Slash /
Tilde ~
Underscore _
Vertical bar |
Depending on the system's security requirements, you can set the minimum number of character
types a password must contain and the minimum number of characters for each type, as shown in
Table 12.