How it Works
HP
Loading...
A5820X
Configuration Manual
45 pgs769.28 Kb0
Configuration Manual
200 pgs2.28 Mb0

HP 5800, 5820X, A5820X, a5800 Configuration Manual

Download
HP 5820X & 5800 Switch Series Fundamentals
Configuration Guide
Abstract
This document describes the software features for the HP 5820X & 5800 Series products and guides you through the software configuration procedures. These configuration guides also provide configuration examples to help you apply software features to different network scenarios.
This documentation is intended for network planners, field technical support and servicing engineers, and network administrators working with the HP 5820X & 5800 Series products.
Part number: 5998-1620 Software version: Release 1211 Document version: 6W10
2-20130520
Legal and notice information
© Copyright 2013 Hewlett-Packard Development Company, L.P.
No par
t of this documentation may be reproduced or transmitted in any form or by any means without prior
written consent of Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Contents
Configuring the CLI ······················································································································································ 1
Entering the CLI ································································································································································· 1 Command conventions ····················································································································································· 2 Undo form of a command ················································································································································ 3 CLI view description ·························································································································································· 3
Entering system view ················································································································································ 4 Exiting the current view ··········································································································································· 4
Returning to user view ·············································································································································· 4 Using online help ······························································································································································ 5 Entering commands ·························································································································································· 6
Editing command lines ············································································································································· 6
Entering incomplete keywords ································································································································ 6
Configuring command aliases ································································································································ 6
Configuring CLI hotkeys ··········································································································································· 7
Redisplaying entered but not submitted commands ····························································································· 8 Checking command line errors ······································································································································· 9 Using command history ···················································································································································· 9
Accessing history commands ·································································································································· 9
Configuring the history buffer size ······················································································································ 10 Controlling the CLI display ············································································································································ 10
Multi-screen display ·············································································································································· 10
Filtering output information ·································································································································· 11 Configuring user privilege and command levels ········································································································ 14
Configuring a user privilege level ······················································································································· 15
Switching user privilege level ······························································································································· 18
Modifying the level of a command ····················································································································· 20 Saving the current configuration ·································································································································· 21 Displaying and maintaining CLI ··································································································································· 21
Login methods ···························································································································································· 22
Users and user interfaces ·············································································································································· 23
Numbering user interfaces ··································································································································· 24
CLI login ······································································································································································ 25
Logging in through the console port ···························································································································· 25
Configuration requirements ·································································································································· 25
Login procedure ····················································································································································· 26
Console login authentication modes ··················································································································· 28
Configuring none authentication for console login ··························································································· 29
Configuring password authentication for console login ··················································································· 30
Configuring scheme authentication for console login ······················································································· 32
Configuring common settings for console login (optional) ··············································································· 35 Logging in through Telnet ·············································································································································· 36
Telnet login authentication modes ······················································································································· 37
Configuring none authentication for Telnet login ······························································································ 38
Configuring password authentication for Telnet login ······················································································ 40
Configuring scheme authentication for Telnet login ·························································································· 41
Configuring common settings for VTY user interfaces (optional)······································································ 44
Configuring the device to log in to a Telnet server as a Telnet client ······························································ 46 Logging in through SSH ················································································································································ 47
iii
Configuring the SSH server ·································································································································· 47
Configuring the SSH client to log in to the SSH server ····················································································· 50 Logging in through modems ········································································································································· 51
Configuration requirements ·································································································································· 51
Login procedure ····················································································································································· 52
Modem login authentication modes ···················································································································· 54
Configuring none authentication for modem login ···························································································· 55
Configuring password authentication for modem login ···················································································· 56
Configuring scheme authentication for modem login ······················································································· 58
Configuring common settings for modem login (optional) ················································································ 61 Displaying and maintaining CLI login ························································································································· 63
Web login ·································································································································································· 64
Overview········································································································································································· 64 Configuring HTTP login ················································································································································· 65 Configuring HTTPS login ··············································································································································· 66 Displaying and maintaining web login ······················································································································· 68 Web login example ······················································································································································· 68
HTTP login example ·············································································································································· 68
HTTPS login example ············································································································································ 69
NMS login ·································································································································································· 72
Overview········································································································································································· 72 Configuring NMS login ················································································································································· 72
Configuring SNMPv1 and SNMPv2c settings ··································································································· 73
Configuring SNMPv3 settings ······························································································································ 74 NMS login example ······················································································································································ 74
User login control ······················································································································································· 77
Overview········································································································································································· 77 Configuring login control over Telnet users ················································································································· 77
Configuration preparation ··································································································································· 77
Configuring source IP-based login control over Telnet users ············································································ 77
Configuring source and destination IP-based login control over Telnet users ················································ 78
Configuring source MAC-based login control over Telnet users ······································································ 78
Source MAC-based login control configuration example ················································································· 79 Configuring source IP-based login control over NMS users ······················································································ 80
Configuration preparation ··································································································································· 80
Configuring source IP-based login control over NMS users ············································································· 80
Source IP-based login control over NMS users configuration example ·························································· 81 Configuring source IP-based login control over web users ······················································································· 82
Configuration preparation ··································································································································· 82
Configuring source IP-based login control over web users ··············································································· 82
Logging off online web users ······························································································································· 83
Source IP-based login control over web users configuration example ···························································· 83
Configuring FTP ·························································································································································· 84
Overview········································································································································································· 84
Operation ······························································································································································· 84 Configuring the FTP client ············································································································································· 85
Establishing an FTP connection ···························································································································· 85
Operating FTP server directories ························································································································· 87
Operating FTP server files ···································································································································· 87
Using another username to log in to an FTP server ··························································································· 88
Maintaining and debugging an FTP connection ································································································ 89
Terminating an FTP connection ···························································································································· 89
FTP client configuration example ························································································································· 89
iv
FTP client configuration example ························································································································· 91 Configuring the FTP server ············································································································································ 92
Configuring FTP server operating parameters ··································································································· 92
Configuring authentication and authorization on the FTP server ····································································· 93
FTP server configuration example ························································································································ 94
FTP server configuration example ························································································································ 96 Displaying and maintaining FTP ··································································································································· 98
Configuring TFTP ························································································································································ 99
Overview········································································································································································· 99
Operation ······························································································································································· 99 Configuring the TFTP client ········································································································································· 100 Displaying and maintaining the TFTP client ·············································································································· 101 TFTP client configuration example ······························································································································ 102 TFTP client configuration (IRF mode) example ·········································································································· 103
File management ····················································································································································· 105
Filename formats ················································································································································· 105 Performing directory operations ································································································································· 105
Displaying directory information ······················································································································· 106
Displaying the current working directory ·········································································································· 106
Changing the current working directory ··········································································································· 106
Creating a directory ············································································································································ 106
Removing a directory ·········································································································································· 106 Performing file operations ··········································································································································· 107
Displaying file information ································································································································· 107
Displaying file contents ······································································································································· 107
Renaming a file···················································································································································· 107
Copying a file ······················································································································································ 107
Moving a file························································································································································ 107
Deleting a file ······················································································································································ 108
Restoring a file from the recycle bin ·················································································································· 108
Emptying the recycle bin ···································································································································· 108 Performing batch operations ······································································································································· 108 Performing storage media operations ······················································································································· 109
Managing storage media space ······················································································································· 109
Displaying and maintaining the NAND flash memory ··················································································· 109 Setting prompt modes ·················································································································································· 110 File operation example ················································································································································ 111
Configuration file management ····························································································································· 112
Overview······································································································································································· 112
Types of configuration ········································································································································ 112
Configuration file format and content ··············································································································· 113
Coexistence of multiple configuration files ······································································································· 113
Startup with the configuration file ······················································································································ 114 Saving the running configuration ······························································································································· 114
Enabling configuration file auto-save ················································································································ 114
Selecting save mode for the configuration file ································································································· 114 Setting configuration rollback ····································································································································· 117
Configuration task list ········································································································································· 117
Configuring parameters for saving the running configuration ······································································· 118
Enabling automatic saving of the running configuration ················································································ 119
Manually saving the running configuration ······································································································ 120
Setting configuration rollback ···························································································································· 120 Specifying a startup configuration file to be used at the next system startup ························································ 121
v
Backing up the startup configuration file ··················································································································· 121 Deleting a startup configuration file to be used at the next startup ········································································ 122 Restoring a startup configuration file ························································································································· 122 Displaying and maintaining a configuration file ······································································································ 123
Configuring software upgrade ······························································································································· 124
Overview······································································································································································· 124 Software upgrade methods ········································································································································· 125 Upgrading the boot ROM program through a system reboot················································································· 126 Upgrading the boot file through a system reboot ····································································································· 127 Upgrading IRF member switch boot file ···················································································································· 128 Software upgrade by installing hotfixes ···················································································································· 129
Patch and patch file ············································································································································ 129
Patch types ··························································································································································· 129
Patch status ··························································································································································· 129
Configuration prerequisites ································································································································ 132
One-step patch installation ································································································································· 133
Step-by-step patch installation ···························································································································· 133
Step-by-step patch uninstallation ························································································································ 134 Displaying and maintaining the software upgrade ·································································································· 134 Software upgrade configuration examples ··············································································································· 134
Immediate upgrade configuration example ····································································································· 134
Hotfix configuration example ····························································································································· 136
Configuring ISSU ···················································································································································· 138
Overview······································································································································································· 138
ISSU process ························································································································································ 139
Boot file version rollback ···································································································································· 140 Configuring ISSU ························································································································································· 141
Configuration task list ········································································································································· 141
Prerequisites for performing ISSU ······················································································································ 141
Enabling version compatibility check ················································································································ 142
Configuring ISSU ················································································································································· 143
Configuring the ISSU version rollback timer····································································································· 145
Performing manual version rollback ·················································································································· 146
Displaying and maintaining ISSU ······················································································································ 146 ISSU configuration example ······································································································································· 146
Current network status and requirements analysis ··························································································· 146
Configuration procedure ···································································································································· 148
ISSU upgrade preparation ································································································································· 150
Performing compatible ISSU upgrade ··············································································································· 154
Performing incompatible ISSU upgrade ··········································································································· 155
Configuring device management··························································································································· 157
Overview······································································································································································· 157 Configuring the device name ····································································································································· 157 Configuring the system clock ······································································································································ 157
Displaying the system clock ······························································································································· 158 Enabling the display of copyright information ·········································································································· 161 Configuring banners ···················································································································································· 161
Input modes ·························································································································································· 162
Banner configuration example ··························································································································· 162 Configuring the exception handling method ············································································································ 163 Rebooting the device ··················································································································································· 163 Configuring scheduled tasks ······································································································································· 165
Configuring a scheduled task—Approach 1 ··································································································· 165
vi
Configuring a scheduled task—Approach 2 ··································································································· 166 Configuring the fan ventilation direction ··················································································································· 167 Configuring the detection timer ·································································································································· 167 Configuring temperature alarm thresholds for a member device ··········································································· 167 Clearing the 16-bit interface indexes not used in the current system ····································································· 169 Identifying and diagnosing pluggable transceivers ································································································· 169
Identifying pluggable transceivers ····················································································································· 170
Diagnosing pluggable transceivers ··················································································································· 170 Displaying and maintaining device management configuration ············································································ 171
Automatic configuration ········································································································································· 173
Overview······································································································································································· 173 Typical automatic configuration network ·················································································································· 173 How automatic configuration works ·························································································································· 174
Work flow ···························································································································································· 174
Using DHCP to obtain an IP address and other configuration information ·················································· 175
Obtaining the configuration file from the TFTP server ····················································································· 176
Executing the configuration file ·························································································································· 178
Support and other resources ·································································································································· 179
Contacting HP ······························································································································································ 179
Subscription service ············································································································································ 179 Related information ······················································································································································ 179
Documents ···························································································································································· 179
Websites ······························································································································································ 179 Conventions ·································································································································································· 180
Index ········································································································································································ 182
vii
Configuring the CLI
CLI enables you to interact with your device by typing text commands. At the CLI, instruct your device to perform a given task by typing a text command and then pressing Enter. Compared with the graphical user interface (GUI) where you can use a mouse to perform configurations, the CLI allows you to enter more information in one command line.
Figure 1 CLI example
Entering the CLI
HP devices provide multiple methods for entering the CLI, such as through the console port, through Telnet, or through SSH. For more information, see “Login methods.”
1
Command conventions
p
Command conventions help you understand command meanings. Commands in HP product manuals comply with the conventions listed in Table 1.
Table 1 Command conventions
Convention Descri
Boldface Bold text represents commands and keywords you enter literally as shown.
Italic Italic text represents arguments you replace with actual values.
[ ] Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }
[ x | y | ... ]
{ x | y | ... } *
[ x | y | ... ] *
&<1-n>
# A line that starts with a pound (#) sign is comments.
Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
Asterisk marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one.
Asterisk marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none.
The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times.
tion
NOTE:
The keywords of HP command lines are case insensitive.
Use clock datetime time date as an example to understand the meaning of the command line parameters according to Figure 2.
Figure 2 Read command line parameters
For example, enter the following at the CLI of your device and press Enter to set the device system time to 10 o’clock 30 minutes 20 seconds, February 23, 2010.
<sysname> clock datetime 10:30:20 2/23/2010
Read any command that is more complicated by referring to Table 1.
2
Undo form of a command
The undo form of a command restores the default, disables a function, or removes a configuration.
Almost all configuration commands have an undo form. For example, info-center enable enables the information center and undo info-center enable disables the information center.
CLI view description
Commands are grouped into different classes by function. To use a command, you must enter the class view of the command.
CLI views adopt a hierarchical structure. See Figure 3.
A
ter logging in to the switch, you are in user view. The prompt of user view is <device name>. In user
f view, perform display, debugging, and file management operations, set the system time, restart your device, and perform FTP and Telnet operations.
Enter system view from user view. In system view, configure parameters such as daylight saving time,
banners, and short-cut keys.
From system view, enter different function views. For example, enter interface view to configure interface
parameters, create a VLAN and enter its view, enter user interface view to configure login user attributes, create a local user and enter local user view to configure the password and level of the local user, and enter OSPF view to configure OSPF parameters.
NOTE:
Enter ? in any view to display all commands that can be executed in this view.
Figure 3 Command line views
……
3
Entering system view
p
When you log in to the device, you automatically enter user view, where <Device name> is displayed. Perform limited operations in user view, for example, display operations, file operations, and Telnet operations.
To perform further configuration for the device, enter system view.
Step Command
1. Enter system view from user
view.
Exiting the current view
The CLI is divided into different command views. Each view has a set of specific commands and defines the effective scope of the commands. The commands available to you at any given time depend on the view you are in.
Follow the step below to exit the current view:
Task Command
1. Return to the parent view from the
current view.
In public key code view, use public-key-code end to return to the parent view (public key view).
In public key view, use peer-public-key end to return to system view.
system-view
quit
Remarks
Required
Available in user view
Remarks
Required.
Available in any view.
In user view, quit stops the current connection between the terminal and the device.
Returning to user view
This feature allows you to return to user view from any other view, without using quit command repeatedly. Alternately, press Ctrl+Z to return to user view from the current view.
Follow the step below to exit to user view:
Ste
Command
1. Return to user view.
return
Remarks
Required.
Available in any view except user view.
4
Using online help
Enter a question mark (?) to obtain online help. See the following examples.
1. Enter ? in any view to display all commands available in this view and brief descriptions of these
commands. For example:
<sysname> ? User view commands: archive Specify archive settings backup Backup next startup-configuration file to TFTP server boot-loader Set boot loader bootrom Update/read/backup/restore bootrom cd Change current directory
…Omitted…
2. Enter part of a command and a ? separated by a space.
If ? is at the position of a keyword, the CLI displays all possible keywords with a brief description for each keyword. For example:
<sysname> terminal ? debugging Send debug information to terminal logging Send log information to terminal monitor Send information output to current terminal trapping Send trap information to terminal
If ? is at the position of an argument, the CLI displays a description about this argument. For example:
<sysname> system-view [sysname] interface vlan-interface ? <1-4094> VLAN interface [sysname] interface vlan-interface 1 ? <cr> [sysname] interface vlan-interface 1
The string <cr> indicates that the command is a complete command. Execute the command by pressing Enter.
3. Enter an incomplete character string followed by a ?. The CLI displays all commands starting with the
entered character(s).
<sysname> c? cd cfd clock cluster copy <sysname> display cl? clipboard clock cluster
5
Entering commands
y
Editing command lines
Table 2 lists some shortcut keys you can use to edit command lines.
Table 2 Editing functions
Ke
Function
Common keys
Backspace
Left arrow key or Ctrl+B The cursor moves one character space to the left.
Right arrow key or Ctrl+F The cursor moves one character space to the right.
Tab
If the edit buffer is not full, pressing a common key inserts the character at the position of the cursor and moves the cursor to the right.
Deletes the character to the left of the cursor and moves the cursor back one character.
If you press Tab after entering part of a keyword, the system automatically completes the keyword:
If finding a unique match, the system substitutes the complete keyword for
the incomplete one and displays it in the next line.
If there is more than one match, press Tab repeatedly to view in cycles all
keywords starting with the character string you entered.
If there is no match, the system does not modify the incomplete keyword
and displays it again in the next line.
Entering incomplete keywords
Enter a command comprising incomplete keywords that uniquely identify the complete command.
In user view, for example, commands starting with an s include startup saved-configuration and system-view.
To enter system view, enter sy.
To set the configuration file for next startup, enter st s.
Press Tab to have an incomplete keyword automatically completed.
Configuring command aliases
The command alias function allows you to replace the first keyword of a command with your preferred keyword. For example, if you configure show as the replacement for the display keyword, then to run display xx, enter the command alias show xx.
The following guidelines apply when configuring a command alias:
Define and use a command alias. The command is not restored in its alias format.
When you define a command alias, the cmdkey and alias arguments must be in their complete form.
When you enter an incomplete keyword that partially matches both a defined alias and the keyword of
a command, the alias takes effect. To execute the command whose keyword partially matches your entry, enter the complete keyword. When you enter a character string that partially matches multiple aliases, the system gives you prompts.
6
If you press Tab after you enter the keyword of an alias, the original format of the keyword is displayed.
p
Replace only the first keyword of a non-undo command instead of the complete command; and replace
only the second keyword of undo commands.
To configure command aliases:
Ste
Command
Remarks
1. Enter system view.
2. Enable the command alias
function.
3. Configure a command alias.
Configuring CLI hotkeys
Step Command
1. Enter system view. system-view
hotkey { CTRL_G |
2. Configure CLI
hotkeys.
3. Display hotkeys. display hotkey
CTRL_L | CTRL_O | CTRL_T | CTRL_U } command
system-view
Required
command-alias enable
command-alias mapping cmdkey alias
Disabled by default, which means you cannot configure command aliases.
Required
Not configured by default.
Remarks
Optional
By default, the Ctrl+G, Ctrl+L and Ctrl+O hotkeys are associated with pre-defined commands and the Ctrl+T and Ctrl+U hotkeys are not.
Ctrl+G corresponds to display current-configuration.
Ctrl+L corresponds to display ip routing-table.
Ctrl+O corresponds to undo debugging all.
Available in any view.
See Table 3 for hotkeys reserved by the system.
Table 3 Hotkeys reserved by the system
The hotkeys in this table above are defined by the switch. If the same hotkeys are defined by the terminal software you use to interact with the switch, the hotkeys defined by the terminal software take effect.
Hotkey Function
Ctrl+A Moves the cursor to the beginning of the current line.
Ctrl+B Moves the cursor one character to the left.
Ctrl+C Stops performing a command.
Ctrl+D Deletes the character at the current cursor position.
Ctrl+E Moves the cursor to the end of the current line.
Ctrl+F Moves the cursor one character to the right.
Ctrl+H Deletes the character to the left of the cursor.
Ctrl+K Terminates an outgoing connection.
Ctrl+N Displays the next command in the history command buffer.
7
Hotkey Function
Ctrl+P Displays the previous command in the history command buffer.
Ctrl+R Redisplays the current line information.
Ctrl+V Pastes the content in the clipboard.
Ctrl+W Deletes all characters in a continuous string to the left of the cursor.
Ctrl+X Deletes all characters to the left of the cursor.
Ctrl+Y Deletes all characters to the right of the cursor.
Ctrl+Z Exits to user view.
Ctrl+] Terminates an incoming connection or a redirect connection.
Esc+B Moves the cursor to the leading character of the continuous string to the left.
Esc+D
Esc+F Moves the cursor to the front of the next continuous string to the right.
Esc+N Moves the cursor down by one line (available before you press Enter)
Esc+P Moves the cursor up by one line (available before you press Enter)
Esc+< Specifies the cursor as the beginning of the clipboard.
Esc+> Specifies the cursor as the ending of the clipboard.
Deletes all characters of the continuous string at the current cursor position and to the right of the cursor.
Redisplaying entered but not submitted commands
If your command input is interrupted by output system information, use this feature to redisplay the previously entered but not submitted commands.
If you have no input at the command line prompt and the system outputs system information such as logs, the system will not display the command line prompt after the output.
If the system outputs system information when you are typing interactive information (not YES/NO for confirmation), the system will not redisplay the prompt information but a line break after the output and then display what you have entered.
To enable redisplaying of entered but not submitted commands:
Step Command Remarks
1. Enter system view.
2. Enable redisplaying of
entered but not submitted
commands.
system-view
Required.
Disabled by default.
info-center synchronous
8
For more information about info-center
synchronous, see Network Management and Monitoring Configuration Guide.
Checking command line errors
If a command contains syntax errors, the CLI reports error information.
Table 4 Common command line errors
Error information Cause
% Unrecognized command found at '^' position. The command was not found.
% Incomplete command found at '^' position. Incomplete command
% Ambiguous command found at '^' position. Ambiguous command
Too many parameters Too many parameters
% Wrong parameter found at '^' position. Wrong parameters
Using command history
The CLI automatically saves the commands recently used in the history command buffer. Access and execute them again.
Accessing history commands
Task Command
Display history commands.
Display the previous history command.
Display the next history command.
NOTE:
Use arrow keys to access history commands in Windows 200X and XP Terminal or Telnet. However, the up and down arrow keys are invalid in Windows 9X HyperTerminal, because they are defined differently. Use Ctrl+P or Ctrl+N instead.
The commands saved in the history command buffer are in the same format in which you entered the
commands. If you enter an incomplete command, the command saved in the history command buffer is also an incomplete one.
If you execute the same command repeatedly, the switch saves only the earliest record. However, if you
execute the same command in different formats, the system saves them as different commands. For example, if you run display cu repeatedly, the system saves only one command in the history command buffer. If you execute the command in the format of display cu and display current-configuration respectively, the system saves them as two commands.
display history­command
Up arrow key or Ctrl+P
Down arrow key or
Ctrl+N
Result
Displays valid history commands you used.
Displays the previous history command, if any.
Displays the next history command, if any.
By default, the CLI can save up to 10 commands for each user. To set the capacity of the history
command buffer for the current user interface, use history-command max-size. (For more information about history-command max-size, see “Logging in to the switch commands.”
9
Configuring the history buffer size
p
To configure the history buffer size:
Ste
Command
Enter system view system-view
user-interface { first-num1
Enter user interface view
[ last-num1 ] | { aux | vty } first-num2 [ last-num2 ] }
Remarks
Set the maximum number of commands that can be saved in the history buffer
history-command max-size size-value
NOTE:
For more information about user-interface and history-command max-size, see “Logging in to the switch commands.”
Controlling the CLI display
Multi-screen display
Controlling multi-screen display
If the output information spans multiple screens, each screen pauses after it is displayed. Perform one of the following operations to proceed.
Action Function
Press Space Displays the next screen.
Press Enter Displays the next line.
Optional
By default, the history buffer can save up to 10 commands.
Press Ctrl+C Stops the display and the command execution.
Press <PageUp> Displays the previous page.
Press <PageDown> Displays the next page.
By default, each screen displays up to 24 lines. To change the maximum number of lines displayed on the next screen, use screen-length. For more information about screen-length, see “Logging in to the switch commands.”
10
Disabling multi-screen display
p
Use the following command to disable the multi-screen display function. All of the output information is displayed at one time and the screen is refreshed continuously until the last screen is displayed.
Ste
Command
Disable the multi-screen display function
screen-length disable
Filtering output information
Use regular expressions in display commands to filter output information.
Remarks
Required
By default, a login user uses the settings of the screen-length. The default settings of the screen-length command are: multiple-screen display is enabled and up to 24 lines are displayed on the next screen.
This command is executed in user view, and takes effect for the current user only. When the user re-logs into the switch, the default configuration is restored.
The following methods are available for filtering output information:
Enter the begin, exclude, or include keyword plus a regular expression in the display to filter the output
information.
When the system displays the output information in multiple screens, use the slash (/), hyphen (-), or plus
(+) with a regular expression to filter subsequent output information. The slash character (/) equals the keyword begin, the character hyphen (-) equals the keyword exclude, and the character plus (+) equals the keyword include.
The following definitions apply to the begin, exclude, and include keywords:
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
11
A regular expression is a case-sensitive string of 1 to 256 characters. It supports the following special
g
characters.
Character Meanin
^string
string$
.
*
+
|
_
Starting sign. string appears only at the beginning of a line.
Ending sign. string appears only at the end of a line.
Matches any single character, such as a single character, a special character, and a blank.
Matches the preceding character or character group zero or multiple times.
Matches the preceding character or character group one or multiple times
Matches the preceding or succeeding character string
If it is at t he beg i nning or t he end of a regular expression, it equals ^ or $. In other cases, it equals comma, space, round bracket, or curly bracket.
Remarks
For example, regular expression “^user” only matches a string beginning with “user," not “Auser."
For example, regular expression "user$” only matches a string ending with “user," not “userA."
For example, “.s” matches “as” and “bs."
For example, “zo*” matches “z” and “zoo”; “(zo)*” matches “zo” and “zozo."
For example, “zo+” matches “zo” and “zoo," but not “z."
For example, “def|int” only matches a character string containing “def” or “int."
For example, “a_b” matches “a b” or “a(b”; “_ab” only matches a line starting with “ab”; “ab_” only matches a line ending with “ab."
-
[ ]
()
\index
It connects two values (the smaller one before it and the bigger one after it) to indicate a range together with [ ].
Matches a single character contained within the brackets.
A character group. It is usually used with “+” or “*."
Repeats the character string specified by the index. A character string refers to the string within () before \. index refers to the sequence number (starting from 1 from left to right) of the character group before \. If only one character group appears before \, index can only be 1; if n character groups appear before index, index can be any integer from 1 to n.
For example, “1-9” means 1 to 9 (inclusive); “a-h” means a to h (inclusive).
For example, [16A] matches a string containing any character among 1, 6, and A; [1-36A] matches a string containing any character among 1, 2, 3, 6, and A (- is a hyphen).
“]” can be matched as a common character only when it is put at the beginning of characters within the brackets, for example [ ]string]. There is no such limit on “[."
For example, (123A) means a character group “123A”; “408(12)+” matches 40812 or
408121212. But it does not match 408.
For example, (string)\1 repeats string, and a matching string must contain stringstring. (string1)(string2)\2 repeats string2, and a matching string must contain string1string2string2. (string1)(string2)\1\2 repeats string1 and string2 respectively, and a matching string must contain string1string2string1string2.
12
Character Meaning Remarks
For example, [^16A] means to match a string containing any character except 1, 6 or A, and the
[^]
Matches a single character not contained within the brackets.
matching string can also contain 1, 6 or A, but cannot contain these three characters only. For example, [^16A] matches “abc” and “m16," but not 1, 16, or 16A.
\<string
string\>
Matches a character string starting with string.
Matches a character string ending with string.
Matches character1character2.
\bcharacter2
character1 can be any character except number, letter or underline, and \b equals [^A-Za-z0-9_].
Matches a string containing
\Bcharacter
character and no space is allowed before character.
Matches character1character2.
character1\w
character2 must be a number, letter, or underline, and \w equals [^A-Za-z0-9_].
\W Equals \b.
Escape character. If a special
\
character listed in this table follows \, the specific meaning of the character is removed.
For example, “\<do” matches word “domain” and string “doa."
For example, “do\>” matches word “undo” and string “abcdo."
For example, “\ba” matches “-a” with “-“ being character1, and “a” being character2, but it does not match “2a” or “ba."
For example, “\Bt” matches “t” in “install," but not “t” in “big top."
For example, “v\w” matches “vlan," with “v” being character1, and “l” being character2. v\w also matches “service," with “i” being character2.
For example, “\Wa” matches “-a," with “-” being character1, and “a” being character2, but does not match “2a” or “ba."
For example, “\\” matches a string containing “\," “\^” matches a string containing “^," and “\\b” matches a string containing “\b."
13
Example of filtering output information
g
1. Example of using the begin keyword
# Display the configuration from the line containing “user-interface” to the last line in the current configuration (the output information depends on the current configuration).
<Sysname> display current-configuration | begin user-interface user-interface aux 0 user-interface vty 0 15 authentication-mode none user privilege level 3 # return
2. Example of using the exclude keyword
# Display the non-direct routes in the routing table (the output depends on the current configuration).
<Sysname> display ip routing-table | exclude Direct Routing Tables: Public
Destination/Mask Proto Pre Cost NextHop Interface
10.1.1.0/24 OSPF 10 2 10.1.1.2 Vlan2
3. Example of using the include keyword
# Display the route entries that contain Vlan in the routing table (the output depends on the current configuration).
<Sysname> display ip routing-table | include Vlan Routing Tables: Public
Destination/Mask Proto Pre Cost NextHop Interface
192.168.1.0/24 Direct 0 0 192.168.1.42 Vlan999
Configuring user privilege and command levels
To avoid unauthorized access, the switch defines user privilege levels and command levels. User privilege levels correspond to command levels. When a user at a specific privilege level logs in, the user can only use commands at that level, or lower levels.
All commands are categorized into four levels: visit, monitor, system, and manage, and are identified from low to high, respectively by 0 through 3. Table 2 de
Table 2 Default command levels
Level Privile
0 Visit
e Description
Involves commands for network diagnosis and accessing an external device. Configuration of commands at this level cannot survive a device restart. Upon device restart, the commands at this level are restored to the default settings.
Commands at this level include ping, tracert, telnet and ssh2.
scribes the command levels.
14
Level Privilege Description
p
Involves commands for system maintenance and service fault diagnosis. Commands at this level are not allowed to be saved after being configured. After
1 Monitor
2 System
3 Manage
the switch is restarted, the commands at this level are restored to the default settings.
Commands at this level include debugging, terminal, refresh, reset, and send.
Involves service configuration commands, such as routing configuration commands and commands for configuring services at different network levels.
By default, commands at this level include all configuration commands except for those at the manage level.
Involves commands that influence the basic operation of the system and commands for configuring system support modules.
By default, commands at this level involve the configuration commands of file system, FTP, TFTP, Xmodem download, user management, level setting, and parameter settings within a system (which are not defined by any protocols or RFCs).
Configuring a user privilege level
A user privilege level can be configured by using AAA authentication parameters or under a user interface.
Configuring user privilege level by using AAA authentication parameters
If the authentication mode of a user interface is scheme, the user privilege level of users logging into the user interface is specified in AAA authentication configuration.
To configure the user privilege level by using AAA authentication parameters:
Ste
Command
Enter system view system-view
user-interface { first-num1
Enter user interface view
Specify the scheme authentication mode
Return to system view quit
Configure the authentication mode for SSH users as password
Configure the user privilege level by using AAA authentication
Using local authentication
[ last-num1 ] | { aux | vty }
first-num2 [ last-num2 ] }
authentication-mode scheme
For more information about SSH, see Security Configuration Guide.
Use local-user to create a local
user and enter local user view.
Use level keyword in the
authorization-attribute to
configure the user privilege level.
Remarks
Required
By default, the authentication mode for VTY users is password, and no authentication is needed for AUX login user.
Required if users use SSH to log in, and username and password are needed at authentication
Use either approach
For local authentication, if you
do not configure the user privilege level, the user privilege level is 0.
15
Step Command
p
parameters
Using remote authentication (RADIUS, HWTACACS, and LDAP authentications)
Configure the user privilege level on the authentication server
Remarks
For remote authentication, if
you do not configure the user privilege level, the user privilege level depends on the default configuration of the authentication server.
Example of configuring a user privilege level by using AAA authentication parameters
# You are required to authenticate the users that Telnet to the switch through VTY 1, verify their username and password, and specify the user privilege level as 3.
<Sysname> system-view [Sysname] user-interface vty 1 [Sysname-ui-vty1] authentication-mode scheme [Sysname-ui-vty1] quit [Sysname] local-user test [Sysname-luser-test] password cipher 12345678 [Sysname-luser-test] service-type telnet
When users Telnet to the switch through VTY 1, they must enter username test and password 12 34 5 678 . After passing the authentication, the users can only use the commands of level 0. If the users want to use commands of levels 0, 1, 2 and 3, the following configuration is required:
[Sysname-luser-test] authorization-attribute level 3
Configuring the user privilege level under a user interface
If the authentication mode of a user interface is scheme, and SSH publickey authentication type (only a
username is needed for this authentication type) is adopted, the user privilege level of users logging into the user interface is the user interface level.
If the authentication mode of a user interface is none or password, the user privilege level of users
logging into the user interface is the user interface level.
To configure the user privilege level under a user interface (SSH publickey authentication type):
Ste
Command
Configure the authentication type for SSH users as publickey
Enter system view system-view
Enter user interface view
Configure the authentication mode for any user who uses the current user interface to log in to the switch
For more information about SSH, see Security Configuration Guide.
user-interface { first-num1 [ last-num1 ] | vty first-num2 [ last-num2 ] }
authentication-mode scheme
Remarks
Required if the SSH login mode is adopted, and only username is needed during authentication.
After the configuration, the authentication mode of the corresponding user interface must be set to scheme.
Required
By default, the authentication mode for VTY users is password, and no authentication is needed for AUX users.
16
Step Command
p
Configure the privilege level for users that log in through the current user interface
user privilege level level
Remarks
Optional
By default, the user privilege level for users logged in through the AUX user interface is 3, and that for users logged in through the VTY interfaces is 0.
To configure the user privilege level under a user interface (none or password authentication mode):
Ste
Command
Enter system view system-view
user-interface { first-num1
Enter user interface view
Configure the authentication mode for any user who uses the current user interface to log in to the switch
Configure the privilege level of users logged in through the current user interface
[ last-num1 ] | { aux | vty }
first-num2 [ last-num2 ] }
authentication-mode { none | password }
user privilege level level
Remarks
Optional
By default, the authentication mode for VTY user interfaces is password, and no authentication is needed for AUX login user.
Optional
By default, the user privilege level for users logged in through the AUX user interface is 3, and that for users logged in through the VTY interfaces is 0.
Example of configuring a user privilege level under a user interface
# Authenticate users logged in to the switch through Telnet, verify their password, and specify their user privilege level as 2.
<Sysname> system-view [Sysname] user-interface vty 0 15 [Sysname-ui-vty0-15] authentication-mode password [Sysname-ui-vty0-15] set authentication password cipher 123 [Sysname-ui-vty0-15] user privilege level 2
By default, Telnet users can use the commands of level 0 after passing authentication. After the configuration above is completed, when users log in to the switch through Telnet, they must enter password 12 3 , and then they can use commands of levels 0, 1, and 2.
NOTE:
For more information about user interfaces, see “Logging in to the switch configuration.” For more
information about user-interface, authentication-mode, and user privilege level, see “Logging in to the switch commands.”
For more information about AAA authentication, see Security Configuration Guide. For more
information about local-user and authorization-attribute, see Security Command Reference.
For more information about SSH, see Security Configuration Guide.
17
Switching user privilege level
g
Users can switch to a different user privilege level temporarily without logging out and terminating the current connection. After the privilege level switch, users can continue to configure the switch without the must re-log in, but the commands that they can execute have changed. For example, if the current user privilege level is 3, the user can configure system parameters. After switching to user privilege level 0, the user can only execute simple commands, like ping and tracert, and only a few display commands. The switching operation is effective for the current login. After the user relogs in, the user privilege restores to the original level.
To avoid problems, HP recommends that administrators log in to the switch by using a lower privilege
level and view switch operating parameters, and when they have to maintain the switch, they can switch to a higher level temporarily
If the administrators need to leave for a while or ask someone else to manage the switch temporarily,
they can switch to a lower privilege level before they leave to restrict the operation by others.
Setting the authentication mode for user privilege level switch
CAUTION:
If no user privilege level is specified when you configure the password for switching the user privilege
level with super password, the user privilege level defaults to 3.
If you specify the simple keyword, the password is saved in the configuration file in plain text, which is
easy to be stolen. If you specify the cipher keyword, the password is saved in the configuration file in cipher text, which is safer.
If the user logs in from the AUX user interface (the console port), the user can switch the privile
e level to a higher level even if the authentication mode is local and no password for user privilege level switch is configured.
A user can switch to a privilege level equal to or lower than the current one unconditionally and is not
required to enter a password (if any).
For security, a user is required to enter the password (if any) to switch to a higher privilege level. The
authentication falls into one of the following four categories:
Authentication mode
local
scheme
Meaning Description
The switch authenticates a user by using the privilege level switch
Local password authentication
Remote AAA authentication through HWTACACS or RADIUS
password entered by the user.
When this mode is applied, you must set the password for privilege level switch with super password.
The switch sends the username and password for privilege level switch to the HWTACACS or RADIUS server for remote authentication.
When this mode is applied, you must perform the following configurations:
Configure HWTACACS or RADIUS scheme and reference the
created scheme in the ISP domain. For more information, see Security Configuration Guide.
Create the corresponding user and configure password on the
HWTACACS or RADIUS server.
18
Authentication
p
g
p
mode
Meaning Description
local scheme
scheme local
Performs the local password authentication first and then the remote AAA authentication
Performs remote AAA authentication first and then the local password authentication
The switch authenticates a user by using the local password first. If no local password is set, the privilege level is switched directly for the users logged in from the Console port, and remote AAA authentication is performed on the users logged in from VTY user interfaces.
AAA authentication is performed first, and if the remote HWTACACS or RADIUS server does not respond or AAA configuration on the switch is invalid, the local password authentication is performed.
To set the authentication mode for user privilege level switch:
Ste
Command
Enter system view system-view
Set the authentication mode for user privilege level switch
Configure the password for user privilege level switch
super authentication-mode { local | scheme } *
super password [ level user-level ] { simple | cipher } password
Remarks
Optional
local by default.
Required if the authentication mode is set to local.
By default, no privilege level switch password is configured.
Switching the user privilege level
CAUTION:
When the authentication mode is set to local, configure the local password before switching to a hi
user privilege level.
When the authentication mode is set to scheme, configure AAA related parameters before switching to
a higher user privilege level.
The privilege level switch fails after three consecutive unsuccessful password attempts.
For more information about user interface authentication, see “Logging in to the switch configuration.”
Follow the step to switch the user privilege level:
Ste
Command
Switch the user privilege level super [ level ]
her
Remarks
Required
When logging in to the switch, a user has a user privilege level, which depends on user interface or authentication user level.
Available in user view.
19
When you switch the user privilege level, the information you must provide varies with combinations of the user interface authentication mode and the super authentication mode.
Table 3 Information input for user privilege level switch
User interface authentication mode
none/password
User privilege level switch authentication mode
local
local scheme
scheme
scheme local
local
local scheme
Information entered for the first authentication mode
Local user privilege level switch password (configured on the switch)
Local user privilege level switch password
Username and password for privilege level switch
Username and password for privilege level switch
Local user privilege level switch password
Local user privilege level switch password
Information entered after the authentication mode changes
Username and password for privilege level switch (configured on the AAA server)
Local user privilege level switch password
Password for privilege level switch (configured on the AAA server). The system uses the username used for logging in as the privilege level switch username.
Password for privilege level
scheme
scheme
scheme local
switch (configured on the AAA server). The system uses the username used for logging in as the privilege level switch username.
Password for privilege level switch (configured on the AAA server). The system uses the username used for logging in as the privilege level switch username.
Modifying the level of a command
CAUTION:
HP recommends using the default command level or modify the command level under the guidance of professional staff. An improper change of the command level may bring inconvenience to your maintenance and operation, or even potential security problems.
All commands in a view default to different levels. The administrator can change the default level of a command to a lower level or a higher level as needed.
Local user privilege level switch password
20
To modify the command level:
p
Ste
Command
Enter system view system-view
Remarks
Configure the command level in a specified view
command-privilege level level view view command
Saving the current configuration
On the device, enter the save command in any view to save all submitted and executed commands into the configuration file. Commands saved in the configuration file can survive a reboot. The save command does not take effect on one-time commands, such as display commands, which display specified information, and reset commands, which clear specified information. The one-time commands executed are never saved.
Displaying and maintaining CLI
Task Command Remarks
Display defined command aliases and the corresponding commands.
Display the clipboard information.
display command-alias [ | { begin | exclude | include } regular-expression ]
display clipboard [ | { begin | exclude | include } regular-expression ]
Required
See Table 1 for the default settings.
Available in any view
Available in any view
21
g
Login methods
Log in to the switch by using the following methods.
Table 4 Login methods
Lo
in method Default state
CLI login
Logging in through the console po
Logging in through Telnet
Logging in through SSH
Logging in through modems
rt
By default, log in to a device through the console port, the authentication mode is None (no username or password required), and the user privilege level is 3.
By default, you cannot log in to a device through Telnet. To do so, log in to the device through the console port, and complete the following configuration:
Enable the Telnet function.
Configure the IP address of the VLAN interface, and make sure that
your device and the Telnet client can reach each other (by default, the device does not have an IP address.).
Configure the authentication mode of VTY login users (password
by default).
Configure the user privilege level of VTY login users (0 by default).
By default, you cannot log in to a device through SSH. To do so, log in to the device through the console port, and complete the following configuration:
Enable the SSH function and configure SSH attributes.
Configure the IP address of the VLAN interface, and make sure that
your device and the SSH client can reach each other (by default, your device does not have an IP address.).
Configure the authentication mode of VTY login users as scheme
(password by default).
Configure the user privilege level of VTY login users (0 by default).
By default, log in to a device through modems. The default user privilege level of modem login users is 3.
Web login
By default, you cannot log in to a device through web. To do so, log in to the device through the console port, and complete the following configuration:
Configure the IP address of the VLAN interface (by default, your
device does not have an IP address.).
Configure a username and password for web login (not configured
by default).
Configure the user privilege level for web login (not configured by
default).
Configure the Telnet service type for web login (not configured by
default).
22
Login method Default state
By default, you cannot log in to a device through a network management station (NMS). To do so, log in to the device through the console port, and complete the following configuration:
NMS login
Configure the IP address of the VLAN interface, and make sure the
device and the NMS can reach each other (by default, your device does not have an IP address.).
Configure SNMP basic parameters.
Users and user interfaces
User interface, also called “line," allows you to manage and monitor sessions between the terminal and device when you log in to the device through the console port directly, or through Telnet or SSH.
One user interface corresponds to one user interface view where you can configure a set of parameters, such as whether to authenticate users at login, whether to redirect the requests to another device, and the user privilege level after login. When the user logs in through a user interface, the parameters set for the user interface apply.
The system supports the following CLI configuration methods:
Local configuration via the console port
Local/Remote configuration through Telnet or SSH
The methods correspond to the following user interfaces.
AUX user interface: Used to manage and monitor users that log in via the Console port. The type of the
Console port is EIA/TIA-232 DCE.
VTY (virtual type terminal) user interface: Used to manage and monitor users that log in via VTY. A VTY
port used for Telnet or SSH access.
Only one user can use a user interface at a time. The configuration made in a user interface view applies to any login user. For example, if user A uses the console port to log in, the configuration in the AUX user interface view applies to user A; if user A logs in through VTY 1, the configuration in VTY 1 user interface view applies to user A.
A device can be equipped with one AUX user interface and 16 VTY user interfaces. These user interfaces do not associate with specific users. When a user initiates a connection request, the system automatically assigns an idle user interface with the smallest number to the user based on the login method. During the login, the configuration in the user interface view takes effect. The user interface varies depending on the login method and the login time.
23
Numbering user interfaces
User interfaces can be numbered by using absolute numbering or relative numbering.
Absolute numbering
Absolute numbering identifies a user interface or a group of different types of user interfaces. The specified user interfaces are numbered from number 0 with a step of 1 and in the sequence of AUX, and VTY user interfaces. Use display user-interface command without any parameters to view supported user interfaces and their absolute numbers.
Relative numbering
Relative numbering allows you to specify a user interface or a group of user interfaces of a specific type. The number format is “user interface type + number." The following rules of relative numbering apply:
AUX user interfaces are numbered from 0 in the ascending order, with a step of 1.
VTY user interfaces are numbered from 0 in the ascending order, with a step of 1.
24
g
CLI login
The CLI enables you to interact with a device by typing text commands. At the CLI, instruct your device to perform a given task by typing a text command and then pressing Enter to submit it to your device. Compared with the graphical user interface (GUI), where you can use a mouse to perform configuration, the CLI allows you to enter more information in one command line.
Log in to the device at the CLI through the console port, Telnet, SSH, or modem.
By default, log in to a device through the console port without any authentication, which introduces
security problems.
By default, you cannot log in to a device through Telnet, SSH, so you cannot remotely manage and
maintain the device.
Therefore, you must perform configurations to increase device security and manageability.
Logging in through the console port
Logging in through the console port is the most common login method, and is also the first step to configure other login methods.
By default, log in to a device through its console port only. After logging in to the device through the console port, configure other login methods.
Configuration requirements
Object Requirements
Device No configuration requirement
Run the hyper terminal program.
Terminal
Configure the hyper terminal attributes.
The port properties of the hyper terminal must be the same as the default settings of the console port shown in the following table.
Settin
Default
Bits per second 9,600 bps
Flow control None
Parity None
Stop bits 1
Data bits 8
25
W
g
W
Login procedure
ARNING!
Identify interfaces to avoid connection errors.
1. As shown in Figure 2, use the console cable shipped with the device to connect the PC and the device.
Plug the DB-9 connector of the console cable into the serial port of the PC, and plug the RJ-45 connector into the console port of your device.
Figure 2 Connect the device and PC through a console cable
The serial port of a PC does not support hot-swap. Do not plug or unplug the console cable into or from the PC when your device is powered on.
To connect the PC to the device, first plug the DB-9 connector of the console cable into the PC, and then
plug the RJ-45 connector of the console cable into your device.
To disconnect the PC from the device, first unplug the RJ-45 connector and then the DB-9 connector.
2. Launch a terminal emulation program (such as HyperTerminal in Windows XP/Windows 2000). The
following takes the HyperTerminal of Windows XP as an example. Select a serial port to be connected to the device, and set terminal parameters as follows: set Bits per second to 9600, Data bits to 8, Parity to None, Stop bits to 1, and Flow control to None, as shown in Figure 3 through Figure 5.
NOTE:
On Windows 2003 Server operating system, you must add the HyperTerminal program first, and then lo in to and manage the device as described in this document. On Windows 2008 Server, Windows 7,
indows Vista, or some other operating system, you must obtain a third party terminal control program
first, and follow the user guide or online help of that program to log in to the device.
Figure 3 Connection description
26
Figure 4 Specify the serial port used to establish the connection
Figure 5 Set the properties of the serial port
27
Turn on the device. You are prompted to press Enter if the device successfully completes the power-on
3.
self-test (POST). A prompt such as <HP> appears after you press Enter, as shown in Figure 6.
Figure 6 Configuration page
4. Execute commands to configure the device or check the running status of the device. To get help,
enter ?.
Console login authentication modes
The following authentication modes are available for console port login: none, password, and scheme.
none—Requires no username and password at the next login through the console port. This mode is
insecure.
password—Requires password authentication at the next login through the console port. Keep your
password.
scheme—Requires username and password authentication at the next login through the console port.
Authentication falls into local authentication and remote authentication. To use local authentication, configure a local user and related parameters. To use remote authentication, configure the username and password on the remote authentication server. For more information about authentication modes and parameters, see Security Configuration Guide. Keep your username and password.
28
A
The following table lists console port login configurations for different authentication modes:
Authenticat ion mode
None Configure not to authenticate users.
Password
Scheme
Configuration Remarks
Configure the device to authenticate users by using the local password.
Set the local password.
Configure the authentication scheme.
Remote AAA authentication
Select an authentication scheme.
Local authentication
Configure RADIUS/ HWTACACS scheme.
Configure AAA scheme used by the domain.
Configure username and password on the AAA server.
Configure authentication username and password.
Configure AAA scheme used by the domain as local.
For more information, see “Configuring none authentication for
console login.”
For more information, see “Configuring password
authentication fo
For more information, see “Configuring scheme authentication
for console login.”
r console login.”
NOTE:
newly configured authentication mode does not take effect unless you exit and enter the CLI again.
Configuring none authentication for console login
Prerequisites
You have logged in to the device.
By default, log in to the device through the console port without authentication and have user privilege level 3 after login. For information about logging in to the device with the default configuration, see “Configuration requirements.”
29
Procedure
To configure none authentication for console login:
Step Command Remarks
1. Enter system view. system-view
user-interface aux
2. Enter AUX user interface view.
3. Specify the none
authentication mode.
first-number [ last-number ]
authentication-mode none
Required.
By default, log in to the device through the console port without authentication, and have user privilege level 3 after login.
4. Configure common settings
for AUX user interface view.
Optional.
See “Configuring common settings for console
login (optional).”
After the configuration, the next time you log in to the device through the console port, you are prompted to press enter. A prompt such as <HP> appears after you press Enter, as shown in Figure 7.
Figure 7 Configuration page
Configuring password authentication for console login
Prerequisites
You have logged in to the device.
30
p
Procedure
By default, log in to the device through the console port without authentication and have user privilege level 3 after login. For information about logging in to the device with the default configuration, see “Configuration requirements.”
To configure password authentication for console login:
Ste
Command
Remarks
1. Enter system view.
2. Enter AUX user interface view.
3. Configure the authentication
mode as local password authentication.
4. Set the local password.
5. Configure common settings
for AUX user interface view.
system-view
user-interface aux
first-number [ last-number ]
authentication-mode password
set authentication password { cipher | simple } password
Required.
By default, log in to the device through the console port without authentication and have user privilege level 3 after login.
Required.
By default, no local password is set.
Optional.
See “Configuring common settings for console
login (optional).”
When you log in to the device through the console port after the configuration, you are prompted to enter a login password. A prompt such as <HP> appears after you enter the password and press Enter, as shown in Figure 8.
Figure 8 Configuration page
31
p
Configuring scheme authentication for console login
Prerequisites
You have logged in to the device.
By default, log in to the device through the console port without authentication and have user privilege level 3 after login. For information about logging in to the device with the default configuration, see
Procedure
Configuration requirements.”
To configure scheme authentication for console login:
Ste
Command
Remarks
1. Enter system view.
2. Enter AUX user interface
view.
3. Specify scheme
authentication mode.
4. Enable command
authorization.
system-view
user-interface aux
first-number [ last-number ]
authentication­mode scheme
Required.
Whether local, RADIUS, or HWTACACS authentication is adopted depends on the configured AAA scheme.
By default, users that log in through the console port are not authenticated.
Optional.
By default, command authorization is not enabled.
By default, the command level depends on the user
command authorization
Before enabling command authorization, configure
privilege level. A user is authorized a command level not higher than the user privilege level. With command authorization enabled, the command level for a login user is determined by both the user privilege level and AAA authorization. If a user executes a command of the corresponding command level, the authorization server checks whether the command is authorized. If it is, the command can be executed.
the AAA authorization server. After you enable command authorization, only commands authorized by the AAA authorization server can be executed.
32
Step Command
Remarks
Optional.
By default, command accounting is disabled. The
Command accounting allows the HWTACACS
5. Enable command
accounting.
command accounting
Configure the AAA accounting server before
6. Return to system view. quit
Enter ISP domain view
Apply
7. Configure
the authenticatio n mode.
8. Create a local user and
enter local user view.
specified AAA scheme to the domain
Exit to system view
domain domain-name
authentication default { hwtacacs­scheme hwtacacs-
scheme-name [ local ] | local |
none | radius­scheme radius-
scheme- name [ local ] }
quit
local-user user-name
Optional.
By default, the AAA scheme is local.
If you specify the local AAA scheme, you must perform local user configuration. If you specify an existing scheme by providing the radius-scheme-name argument, perform the following configuration as well:
For RADIUS and HWTACACS configuration, see
Configure the username and password on the AAA
Required.
By default, no local user exists.
accounting server does not record the commands executed by users.
server to record all commands executed by users, regardless of command execution results. This helps control and monitor user operations on the device. If command accounting is enabled and command authorization is not enabled, every executed command is recorded on the HWTACACS server. If both command accounting and command authorization are enabled, only the authorized and executed commands are recorded on the HWTACACS server.
enabling command accounting.
Security Configuration Guide.
server. (For more information about AAA, see Security Configuration Guide.)
9. Set the authentication
password for the local user.
10. Specifies the command
level of the local user.
11. Specify the service type
for the local user.
12. Configure common
settings for AUX user interface view.
password { cipher | simple }
password
authorization­attribute level level
service-type terminal
Required.
Optional.
By default, the command level is 0.
Required.
By default, no service type is specified.
Optional.
See “Configuring common settings for console login
(optional).”
33
After you enable command authorization, you must perform the following configuration to make the function take effect:
Create a HWTACACS scheme, and specify the IP address of the authorization server and other
authorization parameters. For more information about AAA, see Security Configuration Guide.
Reference the created HWTACACS scheme in the ISP domain. For more information about AAA, see
Security Configuration Guide.
After you enable command accounting, you must perform the following configuration to make the function take effect:
Create a HWTACACS scheme, and specify the IP address of the accounting server and other
accounting parameters. For more information about AAA, see Security Configuration Guide.
Reference the created HWTACACS scheme in the ISP domain. For more information about AAA, see
Security Configuration Guide.
When users adopt the scheme mode to log in to the device, the level of the commands that the users can access depends on the user privilege level defined in the AAA scheme.
When the AAA scheme is local, the user privilege level is defined by the authorization-attribute level
level.
When the AAA scheme is RADIUS or HWTACACS, the user privilege level is configured on the RADIUS
or HWTACACS server.
For more information about AAA, RADIUS, and HWTACACS, see Security Configuration Guide.
When you log in to the device through the console port after the configuration, you are prompted to enter a login username and password. A prompt such as <HP> appears after you enter the password and username and press Enter, as shown in
Figure 9.
Figure 9 Configuration page
34
g
Configuring common settings for console login (optional)
CAUTION:
The common settings configured for console login take effect immediately. If you configure the common settin
s after you log in through the console port, the current connection may be interrupted, so you should use another login method. After you configure common settings for console login, you must modify the settings on the terminal to make them consistent with those on the device.
Step Command
1. Enter system view.
2. Enable display of copyright
information.
3. Enter AUX user interface view.
Configure baud rate.
Configure parity check mode.
system-view
copyright-info enable
user-interface aux
first-number [ last-number ]
speed speed-value
parity { even | mark | none | odd | space }
Remarks
Optional.
Enabled by default.
Optional.
By default, the transmission rate is 9600 bps.
Transmission rate is the number of bits that the device transmits to the terminal per second.
Optional.
none by default.
4. Configure
AUX user interface view properties.
Configure stop bits.
Configure data bits.
Define shortcut key for enabling a terminal session.
Define shortcut key for terminating tasks.
stopbits { 1 | 1.5 | 2 }
databits { 5 | 6 | 7 | 8 }
activation-key character
escape-key { default |
character }
Optional.
By default, the stop bit of the console port is 1.
Stop bits are the last bits transmitted in data transmission to unequivocally indicate the end of a character. The more the bits are, the slower the transmission is.
Optional.
By default, the data bit of the console port is 8.
Data bits is the number of bits representing one character. The setting depends on the contexts to be transmitted. For example, set it to 7 if standard ASCII characters are to be sent, and set it to 8 if extended ASCII characters are to be sent.
Optional.
By default, press Enter to enable a terminal session.
Optional.
By default, press Ctrl+C to terminate a task.
35
Step Command
Configure flow control mode.
Configure type of terminal display
Configure user privilege level for login users
Set the maximum number of lines on the next screen.
flow-control { hardware | none | software }
terminal type { ansi | vt100 }
user privilege level level
screen-length screen-length
Remarks
Optional.
By default, the value is none
Optional
By default, the terminal display type is ANSI.
The device supports two types of terminal display: ANSI and VT100. HP recommends setting the display type of both the device and the client to VT100. If the device and the client use different display types (for example, hyper terminal or Telnet terminal) or both are set to ANSI, when the total number of characters of the edited command line exceeds 80, an anomaly such as cursor corruption or abnormal display of the terminal display may occur on the client.
Optional
By default, the default command level is 3 for the AUX user interface.
Optional
By default, the next screen displays 24 lines.
A value of 0 disables the function.
Set the size of history command buffer
Set the idle-timeout timer
history-command max-size value
idle-timeout minutes
[ seconds ]
Logging in through Telnet
The device supports Telnet. Telnet to the device to remotely manage and maintain it, as shown in Figure 10.
Figure 10 Telnet login
Optional
By default, the buffer saves 10 history commands at most.
Optional
The default idle-timeout is 10 minutes. The system automatically terminates the user’s connection if no information interaction occurs between the device and the user within the idle-timeout time.
Setting idle-timeout to 0 disables the timer.
36
j
The following table shows the configuration requirements of Telnet login.
Ob
ect Requirements
Configure the IP address of the VLAN interface, and make sure the Telnet
Telnet server
Telnet client
server and client can reach each other.
Configure the authentication mode and other settings.
Run the Telnet client program.
Obtain the IP address of the VLAN interface on the server.
By default, the device is enabled with the Telnet server and client functions.
On a device that serves as the Telnet client, log in to a Telnet server to perform operations on the server.
On a device that serves as the Telnet server, configure the authentication mode and user privilege level
for Telnet users. By default, you cannot log in to the device through Telnet. Before Telnet to the device, you must log in to the device through the console port, enable Telnet server, and configure the authentication mode, user privilege level, and common settings.
Telnet login authentication modes
Three authentication modes are available for Telnet login: none, password, and scheme.
none—Requires no username and password at the next login through Telnet. This mode is insecure.
password—Requires password authentication at the next login through Telnet. Keep your password. If you
lose your password, log in to the device through the console port to view or modify the password.
scheme—Requires username and password authentication at the next login through Telnet. Authentication
falls into local authentication and remote authentication. To use local authentication, configure a local user and related parameters. To use remote authentication, configure the username and password on the remote authentication server. For more information about authentication modes and parameters, see Security Configuration Guide. Keep your username and password. If you lose your local authentication password, log in to the device through the console port to view or modify the password. If you lose your remote authentication password, contact the administrator.
The following table lists Telnet login configurations for different authentication modes.
Authentication mode
None Configure not to authenticate users.
Password
Configuration Remarks
For more information, see “Configuring none authentication for
Telnet login.”
Configure the device to authenticate users by using the local password.
Set the local password.
For more information, see “Configuring password
authentication for Telnet login.”
37
p
Authentication mode
Scheme
Configuration Remarks
Configure the authentication scheme.
Configure RADIUS/HWT ACACS scheme.
Configure
Remote AAA authentication
Select authentication scheme.
Local authentication
AAA scheme used by the domain.
Configure username and password on the AAA server.
Configure authentication username and password.
Configure AAA scheme used by the domain as local.
For more information, see “Configuring scheme authentication
for Telnet login.”
Configuring none authentication for Telnet login
Prerequisites
You have logged in to the device.
By default, log in to the device through the console port without authentication and have user privilege level 3 after login. For information about logging in to the device with the default configuration, see
Procedure
Configuration requirements.”
To configure none authentication for Telnet login:
Ste
Command
1. Enter system view. system-view
2. Enable Telnet.
3. Enter one or multiple VTY
user interface views.
4. Specify the none
authentication mode.
telnet server enable
user-interface vty
first-number [ last-number ]
authentication-mode none
Remarks
Required.
By default, the Telnet service is disenabled.
Required.
By default, authentication mode for VTY user interfaces is password.
38
Step Command
5. Configure the command level
for login users on the current user interfaces.
6. Configure common settings
for VTY user interfaces.
user privilege level level
When you log in to the device through Telnet again:
You enter the VTY user interface, as shown in Figure 11.
If “A
ll user interfaces are used, please try later!” is displayed, it means the current login users exceed the
maximum number. Please try later.
Figure 11 Configuration page
Remarks
Required.
By default, the default command level is 0 for VTY user interfaces.
Optional.
See “Configuring common settings for VTY
user interfaces (optional).”
39
p
Configuring password authentication for Telnet login
Prerequisites
You have logged in to the device.
By default, log in to the device through the console port without authentication and have user privilege level 3 after login. For information about logging in to the device with the default configuration, see
Procedure
Configuration requirements.”
To configure password authentication for Telnet login:
Ste
Command
Remarks
1. Enter system view.
2. Enable Telnet.
3. Enter one or multiple VTY
user interface views.
4. Specify the password
authentication mode.
5. Set the local password.
6. Configure the user privilege
level for login users.
7. Configure common settings
for VTY user interfaces.
system-view
Required.
telnet server enable
user-interface vty first-number
[ last-number ]
authentication-mode password
set authentication password { cipher | simple } password
user privilege level level
By default, the Telnet service is disenabled.
Required.
By default, authentication mode for VTY user interfaces is password.
Required.
By default, no local password is set.
Required.
0 by default.
Optional.
See “Configuring common settings for
VTY user interfaces (optional).”
When you log in to the device through Telnet again:
You are required to enter the login password. A prompt such as <HP> appears after you enter the
correct password and press Enter, as shown in Figure 12.
If “A
ll user interfaces are used, please try later!” is displayed, it means the number of current concurrent
login users exceed the maximum. Please try later.
40
Figure 12 Configuration page
Configuring scheme authentication for Telnet login
Prerequisites
You have logged in to the device.
By default, log in to the device through the console port without authentication and have user privilege level 3 after login. For information about logging in to the device with the default configuration, see “Configuration requirements.”
Procedure
Step Command
1. Enter system view. system-view
2. Enable Telnet.
3. Enter one or multiple
VTY user interface views.
4. Specify scheme
authentication mode.
telnet server enable
user-interface vty
first-number [ last-number ]
authentication-mod e scheme
Remarks
Required.
By default, the Telnet service is disabled.
Required.
Whether local, RADIUS, or HWTACACS authentication is adopted depends on the configured AAA scheme.
By default, local authentication is adopted.
41
Step Command
Remarks
Optional.
By default, command authorization is not enabled.
By default, the command level depends on the user
5. Enable command
authorization.
command authorization
Before enabling command authorization, configure the
Optional.
By default, command accounting is disabled. The
Command accounting allows the HWTACACS server
6. Enable command
accounting.
command accounting
Configure the AAA accounting server before enabling
7. Exit to system view. quit
Enter
8. Configur
e authentic ation mode.
default ISP domain view.
Specify AAA scheme to be applied to the domain.
Exit to system view.
domain domain-name
authentication default { hwtacacs­scheme hwtacacs-
scheme-name [ local ] | local |
none | radius­scheme radius-
scheme-name [ local ] }
quit
Optional.
By default, the AAA scheme is local.
If you specify the local AAA scheme, perform the configuration concerning local user as well. If you specify an existing scheme by providing the radius-scheme-name argument, perform the following configuration as well:
For RADIUS and HWTACACS configuration, see
Configure the username and password on the AAA
privilege level. A user is authorized a command level not higher than the user privilege level. With command authorization enabled, the command level for a login user is determined by both the user privilege level and AAA authorization. If a user executes a command of the corresponding command level, the authorization server checks whether the command is authorized. If it is, the command can be executed.
AAA authorization server. After you enable command authorization, only commands authorized by the AAA authorization server can be executed.
accounting server does not record the commands executed by users.
to record all executed commands that are supported by the device, regardless of the command execution result. This helps control and monitor user operations on the device. If command accounting is enabled and command authorization is not enabled, every executed command is recorded on the HWTACACS server. If both command accounting and command authorization are enabled, only the authorized and executed commands are recorded on the HWTACACS server.
command accounting.
Security Configuration Guide.
server. (For more information, see Security Configuration Guide.)
42
Step Command
9. Create local user and
enter local user view.
10. Set local password.
11. Specify command
level of the local user.
12. Specify service type
for the local user.
13. Exit to system view.
14. Configure common
settings for VTY user interfaces.
local-user user-name By default, no local user exists.
password { cipher | simple } password
authorization-attrib ute level level
service-type telnet
quit
Remarks
Required.
By default, no local password is set.
Optional.
By default, the command level is 0.
Required.
By default, no service type is specified.
Optional.
See “Configuring common settings for VTY user interfaces
(optional).”
After you enable command authorization, you must perform the following configuration to make the function take effect:
Create a HWTACACS scheme, and specify the IP address of the authorization server and other
authorization parameters. For more information, see Security Configuration Guide.
Reference the created HWTACACS scheme in the ISP domain. For more information, see Security
Configuration Guide.
After you enable command accounting, you must perform the following configuration to make the function take effect:
Create a HWTACACS scheme, and specify the IP address of the accounting server and other
accounting parameters. For more information, see Security Configuration Guide.
Reference the created HWTACACS scheme in the ISP domain. For more information, see Security
Configuration Guide.
When users adopt the scheme mode to log in to the device, the level of the commands that the users can access depends on the user privilege level defined in the AAA scheme.
When the AAA scheme is local, the user privilege level is defined by the authorization-attribute level
level.
When the AAA scheme is RADIUS or HWTACACS, the user privilege level is configured on the RADIUS
or HWTACACS server.
For more information about AAA, RADIUS, and HWTACACS, see Security Configuration Guide.
When you log in to the device through Telnet again:
You are required to enter the login username and password. A prompt such as <HP> appears after you
enter the correct username (for example, admin) and password and press Enter, as shown in
A
f
ter entering the correct username and password, if the device prompts you to enter another password
Figure 13.
of the specified type, you will be authenticated for the second time. In other words, to pass authentication, you must enter a correct password as prompted.
If “All user interfaces are used, please try later!” is displayed, it means the current login users exceed the
maximum number. Please try later.
43
w
Figure 13 Configuration page
Configuring common settings for VTY user interfaces (optional)
CAUTION:
The auto-execute command command may disable you from configuring the system through the user interface to which the command is applied. Use it with caution.
Before executing the auto-execute command command and saving the configuration (by using save). Be sure you can access the device through VTY and AUX user interfaces so you can remove the configuration
hen a problem occurs.
Step Command
1. Enter system view. system-view
2. Enable display of copyright
information.
3. Create a VLAN interface and enter
VLAN interface view.
4. Specify an IP address for a VLAN
interface.
copyright-info enable
interface vlan­interface vlan- interface-id
ip address ip-
address { mask | mask-length }
Remarks
Optional.
Enabled by default.
Required.
If the VLAN interface already exists, the command enters the VLAN interface view.
Required.
By default, no IP address is specified for a VLAN interface.
5. Return to system view.
6. Enter one or multiple VTY user
interface views.
quit
user-interface vty
first-number [ last-number ]
44
Step Command
7. User
interfac e configur ation
Enable the terminal service.
Enable the current user interfaces to support either Telnet, SSH, or both of them.
Define a shortcut key for terminating tasks.
Configure the type of terminal display.
Set the maximum number of lines on the next screen.
Set the size of history command buffer.
Set the idle-timeout timer.
shell
protocol inbound { all | ssh | telnet }
escape-key { default | character }
terminal type { ansi | vt100 }
screen-length screen-length
history-command max-size value
idle-timeout minutes [ seconds ]
Remarks
Optional.
Enabled by default.
Optional.
By default, both protocols are supported.
The configuration takes effect next time you log in.
Optional.
By default, press Ctrl+C to terminate a task.
Optional.
By default, the terminal display type is ANSI.
Optional.
By default, the next screen displays 24 lines.
A value of 0 disables the function.
Optional.
By default, the buffer saves 10 history commands.
Optional.
The default idle-timeout is 10 minutes for all user interfaces.
The system automatically terminates the user’s connection if no information interaction occurs between the device and the user in timeout time.
Setting idle-timeout to 0 disables the timer.
Optional
By default, command auto-execution is disabled.
Specify a command to be automatically executed when a user logs in to the current user interface
auto-execute command command
45
The system automatically executes the specified command when a user logs in to the user interface, and tears down the user connection after the command is executed. If the command triggers another task, the system does not tear down the user connection until the task is completed. A Telnet command is usually specified to enable the user to automatically Telnet to the specified device.
p
Configuring the device to log in to a Telnet server as a Telnet client
Prerequisites
You have logged in to the device.
By default, log in to the device through the console port without authentication and have user privilege level 3 after login. For information about logging in to the device with the default configuration, see “Configuration requirements.”
NOTE:
Procedure
Figure 14 Log in to anot
her device from the current device
If the Telnet client port and the Telnet server port that connect them are not in the same subnet, make sure that the two devices can reach each other.
Follow the step below to configure the device to log in to a Telnet server as a Telnet client:
Ste
Command
1. Configure the device to log in to a
Telnet server as a Telnet client.
telnet remote-host [ service-port ] [ [ vpn-instance vpn-instance-name ] | [ source { interface interface-type
interface-number | ip ip-address } ] ]
telnet ipv6 remote-host [ -i
interface-type interface-number ] [ port-number ] [ vpn-instance
vpn-instance-name ]
Remarks
Required.
Use either command.
Available in user view.
2. Specify the source IPv4 address or
source interface for sending Telnet packets.
telnet client source { interface
interface-type interface-number | ip ip-address }
46
Optional.
By, no source IPv4 address or source interface is specified. The source IPv4 address is selected by routing.
j
n
Logging in through SSH
SSH offers an approach to log into a remote device securely. By providing encryption and strong authentication, it protects devices against attacks such as IP spoofing and plain-text password interception. The device supports SSH, and you can log in to the device through SSH to remotely manage and maintain the device, as shown in Figure 15.
Figure 15 SSH login dia
g
ram
The following table shows the configuration requirements of SSH login.
Ob
ect Requirements
Configure the IP address of the VLAN interface, and make sure the SSH server
SSH server
SSH client
and client can reach each other.
Configure the authentication mode and other settings.
Run the SSH client program.
Obtain the IP address of the VLAN interface on the server.
By default, the device is enabled with the SSH server and client functions.
On a device that serves as the SSH client, log in to an SSH server to perform operations on the server.
On a device that serves as the SSH server, configure the authentication mode and user level for SSH
users. By default, password authentication is adopted for SSH login, but no login password is configured, so you cannot log in to the device through SSH by default. Before log in to the device through SSH, you must log in to the device through the console port and configure the authentication mode, user level, and common settings.
Configuring the SSH server
NOTE:
This chapter describes how to configure an SSH client by using password authentication. For more information about SSH and how to configure an SSH client by using publickey, see
Guide
.
Prerequisites
You have logged in to the device, and want to log in to the device through SSH in the future.
By default, log in to the device through the console port without authentication and have user privilege level 3 after login. For information about logging in to the device with the default configuration, see “Configuration requirements.”
Security Configuratio
47
p
Procedure
To configure the device that serves as an SSH server:
Ste
Command
Remarks
1. Enter system view.
2. Create local key pairs.
3. Enable SSH server. ssh server enable
4. Enter one or more VTY user
interface views.
5. Specify the scheme
authentication mode.
6. Enable the current user
interface to support SSH.
7. Enable command
authorization.
system-view
public-key local create { dsa | rsa }
user-interface vty
first-number [ last-number ]
authentication-mode scheme
protocol inbound { all | ssh }
command authorization
Required.
By default, no local key pairs are created.
Required.
By default, SSH server is disabled.
Required.
By default, authentication mode for VTY user interfaces is password.
Optional.
By default, Telnet and SSH protocols are both supported.
Optional.
By default, command authorization is not
enabled.
By default, command level for a login user
depends on the user privilege level. The user is authorized the command with the default level not higher than the user privilege level. With the command authorization configured, the command level for a login user is determined by both the user privilege level and AAA authorization. If a user executes a command of the corresponding command level, the authorization server checks whether the command is authorized. If it is, the command can be executed.
48
Step Command
8. Enable command accounting. command accounting
9. Exit to system view
Enter the default ISP domain view.
10. Configure the
authentication mode.
11. Create a local user and enter
local user view.
Apply the specified AAA scheme to the domain.
Exit to system view.
quit
domain domain-name
authentication default { hwtacacs-scheme
hwtacacs-scheme-nam e [ local ] | local |
none | radius-scheme
radius-scheme-name [ local ] }
quit
local-user user-name
Remarks
Optional
By default, command accounting is
disabled. The accounting server does not record the commands executed by users.
Command accounting allows the
HWTACACS server to record all executed commands that are supported by the device, regardless of the command execution result. This helps control and monitor user operations on the device. If command accounting is enabled and command authorization is not enabled, every executed command is recorded on the HWTACACS server. If both command accounting and command authorization are enabled, only the authorized and executed commands are recorded on the HWTACACS server.
Optional.
By default, the AAA scheme is local.
If you specify the local AAA scheme, perform the configuration concerning local user as well. If you specify an existing scheme by providing the radius-scheme-name argument, perform the following configuration as well:
For RADIUS and HWTACACS
configuration, see Security Configuration Guide.
Configure the username and password on
the AAA server. (For more information, see Security Configuration Guide.)
Required.
By default, no local user exists.
12. Set the local password.
13. Specify the command level of
the local user.
14. Specify the service type for the
local user.
15. Return to system view. quit
password { cipher | simple } password
authorization-attribute level level
service-type ssh
49
Required.
By default, no local password is set.
Optional.
By default, the command level is 0.
Required.
By default, no service type is specified.
Step Command
ssh user username service-type stelnet
16. Create an SSH user, and
specify the authentication mode for the SSH user.
17. Configure common settings
for VTY user interfaces.
authentication-type { password | { any | password-publickey | publickey } assign publickey keyname }
Remarks
Required.
By default, no SSH user exists, and no authentication mode is specified.
Optional.
See “Configuring common settings for VTY user
interfaces (optional).”
After you enable command authorization or command accounting, you must perform the following configuration to make the function take effect:
Create a HWTACACS scheme, and specify the IP address of the authorization server and other
authorization parameters.
Reference the created HWTACACS scheme in the ISP domain.
For more information, see Security Configuration Guide.
When users adopt the scheme mode to log in to the device, the level of the commands that the users can access depends on the user privilege level defined in the AAA scheme.
When the AAA scheme is local, the user privilege level is defined by the authorization-attribute level
level.
When the AAA scheme is RADIUS or HWTACACS, the user privilege level is configured on the RADIUS
or HWTACACS server.
For more information about AAA, RADIUS, and HWTACACS, see Security Configuration Guide.
Configuring the SSH client to log in to the SSH server
Prerequisites
You have logged in to the device.
By default, log in to the device through the console port without authentication and have user privilege level 3 after login. For information about logging in to the device with the default configuration, see “Configuration requirements.”
Figure 16 Log in to anot
NOTE:
her device from the current device
If the SSH client and the SSH server are not in the same subnet, make sure that the two devices can reach each other.
50
p
j
Procedure
Configure other settings for the SSH client to work with the SSH server. For more information, see Security Configuration Guide. To configure the SSH client to log in to the SSH server:
Ste
Command
Log in to an IPv4 SSH server. ssh2 server
Log in to an IPv6 SSH server. ssh2 ipv6 server
Remarks
Required
server is the IPv4 address or host name of the server.
Available in user view
Required
server is the IPv6 address or host name of the server.
Available in user view
Logging in through modems
The administrator can use two modems to remotely maintain a switch through its Console port over the Public Switched Telephone Network (PSTN) when the IP network connection is broken.
Configuration requirements
By default, no authentication is needed when you log in through modems, and the default user privilege level is 3.
To use this method, perform necessary configurations at both the device side and administrator side.
The following table shows the configuration requirements of remote login through the console port by using modem dial-in:
Ob
ect Requirement
The PC is correctly connected to the modem.
Administrator side
Device side
The modem is connected to a telephone cable that works normally.
The telephone number of the remote modem connected to the Console port of the remote switch is obtained.
The Console port is correctly connected to the modem.
Configurations have been configured on the modem.
The modem is connected to a telephone cable that works properly.
Authentication configuration has been completed on the remote switch.
51
g
g
W
Login procedure
1. Set up a configuration environment as shown in Figure 2: connect the serial port of the PC and the
Console port of the device to a modem respectively.
Figure 2 Set up a configuration terminal
2. Configuration on the administrator side
The PC and the modem are correctly connected, the modem is connected to a telephone cable, and the telephone number of the remote modem connected to the Console port of the remote switch is obtained.
NOTE:
On the device:
The baud rate of the Console port is lower than the transmission rate of the modem. Otherwise, packets
may be lost.
The parity check mode, stop bits, and data bits of the Console port adopt the default settings.
3. Perform the following configurations on the modem that is directly connected to the device:
AT&F ----------------------- Restore the factory defaults ATS0=1 ----------------------- Configure auto-answer on first ring AT&D ----------------------- Ignore data Terminal Ready signals AT&K0 ----------------------- Disable local flow control AT&R1 ----------------------- Ignore Data Flow Control signals AT&S0 ----------------------- Force DSR to remain on ATEQ1&W ----------------------- Disable the modem from response to commands and save the
configuration
To verify your configuration, enter AT&V to show the configuration results.
NOTE:
The configuration commands and the output for different modems may be different. For more information, see the user guide of your modem.
4. Launch a terminal emulation utility (such as HyperTerminal in Windows XP/Windows 2000), create a
new connection (the telephone number is the number of the modem connected to the device).
NOTE:
On Windows 2003 Server operatin in to and manage the device as described in this document. On Windows 2008 Server, Windows 7,
indows Vista, or some other operating system, you must obtain a third party terminal control program
first, and follow the user guide or online help of that program to log in to the device.
5. Dial the destination number on the PC to establish a connection with the device, as shown in Figure 3
through Figure 5.
system, you must add the HyperTerminal program first, and then lo
52
Figure 3 Connection Description
Figure 4 Enter the phone number
Figure 5 Dial the number
53
6.
Character string CONNECT9600 is displayed on the terminal. Then a prompt appears when you press Enter.
Figure 6 Configuration page
7. If the authentication mode is password, a prompt (for example, HP) appears when you enter the
configured password on the remote terminal. Then configure or manage the router. To get help, enter ?.
8. Execute commands to configure the device or check the running status of the device. To get help,
enter ?.
NOTE:
To terminate the connection between the PC and device, run ATH command on the terminal to terminate
the connection between the PC and modem. If you cannot execute the command on the terminal, enter AT+ + + and then press Enter. When you are prompted OK, run ATH, and the connection is terminated
if OK is displayed. Alternately, terminate the connection between the PC and device by clicking on the hyper terminal window.
Do not close the hyper terminal directly. Otherwise, the remote modem remains online, and you will fail
to dial in at the next time.
Modem login authentication modes
The following authentication modes are available for modem dial-in login: none, password, and scheme.
none—Requires no username and password at the next login through modems. This mode is insecure.
password—Requires password authentication at the next login through the console port. Keep your
password.
scheme—Requires username and password authentication at the next login through the console port.
Authentication falls into local authentication and remote authentication. To use local authentication, configure a local user and related parameters. To use remote authentication, configure the username and
54
password on the remote authentication server. For more information about authentication modes and parameters, see Security Configuration Guide. Keep your username and password.
The following table lists modem login configurations for different authentication modes:
Authentication mode
None Configure not to authenticate users.
Password
Scheme
Configuration Remarks
Configure the device to authenticate users by using the local password.
Set the local password.
Configure the authentication scheme.
Remote AAA authentication
Select an authentic ation scheme.
Local authentication
Configure a RADIUS/HWTACAC S scheme.
Configure the AAA scheme used by the domain.
Configure the username and password on the AAA server.
Configure the authentication username and password.
Configure the AAA scheme used by the domain as local.
For more information, see “Configuring none
authentication for modem login.”
For more information, see “Configuring password
authentication for modem login.”
For more information, see “Configuring scheme
authentication for modem login.”
NOTE:
Modem login authentication changes do not take effect until you exit the CLI and log in again.
Configuring none authentication for modem login
Prerequisites
You have logged in to the device.
By default, log in to the device through the console port without authentication and have user privilege level 3 after login. For information about logging in to the device with the default configuration, see “Configuration requirements.”
55
Procedure
Step Command
1. Enter system view.
2. Enter one or more AUX user interface
views.
3. Specify the none authentication mode.
4. Configuring common settings for
modem login.
system-view
user-interface aux
first-number [ last-number ]
authentication-mode none
Remarks
Required.
By default, users that log in through the console port are not authenticated.
Optional.
See “Configuring common settings for
modem login (optional).”
When you log in to the device through modems after the configuration, you are prompted to press Enter. A prompt such as <HP> appears after you press Enter, as shown in Figure 7.
Figure 7 Configuration page
Configuring password authentication for modem login
Prerequisites
You have logged in to the device.
By default, log in to the device through the console port without authentication and have user privilege level 3 after login. For information about logging in to the device with the default configuration, see “Configuration requirements.”
56
p
Procedure
To configure password authentication for modem login:
Ste
Command
Enter system view system-view
Remarks
Enter one or more AUX user interface views
Specify the password authentication mode
Set the local password
Configuring common settings for modem login
user-interface aux first-number [ last-number ]
authentication-mode password
set authentication password
{ cipher | simple } password
Required
By default, the authentication mode is none for modem users
Required
By default, no local password is set.
Optional
For more information, see “Configuring common settings for
modem login (o
ptional).”
When you log in to the device through modems after the configuration, you are prompted to enter a login password. A prompt such as <HP> appears after you enter the password and press Enter, as shown in Figure
8.
Figure 8 Configuration page
57
p
Configuring scheme authentication for modem login
Prerequisites
You have logged in to the device.
By default, log in to the device through the console port without authentication and have user privilege level 3 after login. For information about logging in to the device with the default configuration, see
Procedure
Configuration requirements.”
To configure scheme authentication for modem login:
Ste
Command
Remarks
1. Enter system view.
2. Enter AUX user interface view.
3. Specify the scheme
authentication mode.
4. Enable command authorization.
system-view
user-interface aux
first-number [ last-number ]
authentication­mode scheme
Required.
Whether local, RADIUS, or HWTACACS authentication is adopted depends on the configured AAA scheme.
By default, the authentication mode is none for modem users.
Optional.
By default, command authorization is not
By default, command level for a login user
command authorization
Before enabling command authorization,
enabled.
depends on the user privilege level. The user is authorized the command with the default level not higher than the user privilege level. With the command authorization configured, the command level for a login user is determined by both the user privilege level and AAA authorization. If a user executes a command of the corresponding command level, the authorization server checks whether the command is authorized. If it is, the command can be executed.
configure the AAA authorization server. After you enable command authorization, only commands authorized by the AAA authorization server can be executed.
58
Step Command
Remarks
Optional.
By default, command accounting is
Command accounting allows the
5. Enable command accounting.
command accounting
Configure the AAA accounting server
6. Exit to system view quit
Enter the default ISP domain view.
7. Configure
the authenticatio n mode.
8. Create a local user and enter
local user view.
Apply the specified AAA scheme to the domain.
Return to system view.
domain domain-name
authentication default { hwtacacs­scheme hwtacacs-
scheme-name [ local ] | local |
none | radius­scheme radius-
scheme-name [ local ] }
quit
local-user user-name
Optional.
By default, the AAA scheme is local.
If you specify the local AAA scheme, perform the configuration concerning local user as well. If you specify an existing scheme by providing the radius-scheme-name argument, perform the following configuration as well:
For RADIUS and HWTACACS
Configure the username and password on
Required.
By default, no local user exists.
disabled. The accounting server does not record the commands executed by users.
HWTACACS server to record all executed commands that are supported by the device, regardless of the command execution result. This helps control and monitor user operations on the device. If command accounting is enabled and command authorization is not enabled, every executed command is recorded on the HWTACACS server. If both command accounting and command authorization are enabled, only the authorized and executed commands are recorded on the HWTACACS server.
before enabling command accounting.
configuration, see Security Configuration Guide.
the AAA server. (For more information, see Security Configuration Guide.)
9. Set the authentication password
for the local user.
10. Specifies the command level of
the local user.
11. Specify the service type for the
local user.
12. Configuring common settings for
modem login.
password { cipher | simple }
password
authorization-attri bute level level
service-type terminal
59
Required.
Optional.
By default, the command level is 0.
Required.
By default, no service type is specified.
Optional.
See “Configuring common settings for modem
login (optional).”
After you enable command authorization, you must perform the following configuration to make the function take effect:
Create a HWTACACS scheme, and specify the IP address of the authorization server and other
authorization parameters. For more information, see Security Configuration Guide.
Reference the created HWTACACS scheme in the ISP domain. For more information, see Security
Configuration Guide.
After you enable command accounting, you must perform the following configuration to make the function take effect:
Create a HWTACACS scheme, and specify the IP address of the accounting server and other
accounting parameters. For more information, see Security Configuration Guide.
Reference the created HWTACACS scheme in the ISP domain. For more information, see Security
Configuration Guide.
When users adopt the scheme mode to log in to the device, the level of the commands that the users can access depends on the user privilege level defined in the AAA scheme.
When the AAA scheme is local, the user privilege level is defined by the authorization-attribute level
level.
When the AAA scheme is RADIUS or HWTACACS, the user privilege level is configured on the RADIUS
or HWTACACS server.
For more information about AAA, RADIUS, and HWTACACS, see Security Configuration Guide.
When you log in to the device through modems after the configuration, you are prompted to enter a login username and password. A prompt such as <HP> appears after you enter the password and username and press Enter, as shown in
Figure 9.
Figure 9 Configuration page
60
g
Configuring common settings for modem login (optional)
CAUTION:
The common settin
settings after you log in through the Console port, the current connection may be interrupted. To avoid this problem, use another login method. After you configure the common settings for Console login, you must modify the settings on the terminal to make them consistent with those on the device.
The baud rate of the Console port must be lower than the transmission rate of the modem. Otherwise,
packets may be lost.
Step Command
1. Enter system view. system-view
2. Enable display of copyright
information.
3. Enter one or more AUX user
interface views.
s configured for Console login take effect immediately. If you configure the common
Remarks
Optional
Enabled by default.
Optional
By default, the baud rate is 9600 bps.
Transmission rate is the number of bits that the device transmits to the terminal per second.
Configure baud rate
copyright-info enable
user-interface aux
first-number [ last-number ]
speed speed-value
4. Configure AUX
user interface properties.
Configure parity check mode
Configure stop bits
Configure data bits
Define shortcut key for starting a session
parity { even | mark | none | odd | space }
stopbits { 1 | 1.5 | 2 }
databits { 5 | 6 | 7 | 8 }
activation-key character
Optional
By default, the parity check mode is none, which means no check bit.
Optional
By default, the stop bit of the console port is
1.
Stop bits are the last bits transmitted in data transmission to unequivocally indicate the end of a character. The more the bits are, the slower the transmission is.
Optional
By default, the data bit is 8.
Data bits is the number of bits representing one character. The setting depends on the contexts to be transmitted. For example, set it to 7 if standard ASCII characters are to be sent, and set it to 8 if extended ASCII characters are to be sent.
Optional
By default, press Enter to start a session.
61
Step Command
Define shortcut key for terminating tasks
Configure flow control mode
Configure type of terminal display
escape-key { default | character }
flow-control { hardware | none | software }
terminal type { ansi | vt100 }
Remarks
Optional
By default, press Ctrl+C to terminate a task.
Optional
By default, the value is none
Optional
By default, the terminal display type is ANSI.
The device supports two types of terminal display: ANSI and VT100. HP recommends setting the display type of both the device and the client to VT100. If the device and the client use different display types (for example, hyper terminal or Telnet terminal) or both are set to ANSI, when the total number of characters of the edited command line exceeds 80, an anomaly such as cursor corruption or abnormal display of the terminal display may occur on the client.
Configure user privilege level for login
user privilege level level
Optional
3 by default.
users
Set maximum number of lines on the next screen
Set size of the history command buffer
screen-length screen-length
history-command max-size value
Optional
By default, the next screen displays 24 lines at most.
A value of 0 disables the function.
Optional
By default, the buffer saves 10 history commands at most.
Optional
The default idle-timeout is 10 minutes. The
Set idle­timeout timer
idle-timeout minutes
[ seconds ]
system automatically terminates the user’s connection if no information interaction occurs between the device and the user within the idle-timeout time.
Setting idle-timeout to 0 disables the timer.
62
Displaying and maintaining CLI login
Task Command
Display the source IP address/ interface specified for Telnet packets.
Display information about the user interfaces that are being used.
Displays information about all user interfaces that the device supports.
Display user interface information.
Release a specified user interface.
display telnet client configuration [ | { begin | exclude | include } regular- expression ]
display users [ | { begin | exclude | include }
regular- expression ]
display users all [ | { begin | exclude |
include } regular
-expression ]
display user-interface [ num1 | { aux | vty } num2 ] [ summary ] [ | { begin | exclude |
include } regular- expression ]
free user-interface { num1 | { aux | vty } num2 }
Remarks
Available in any view.
Available in any view.
Available in any view.
Available in any view.
Available in user view.
Multiple users can log in to the system to simultaneously configure the device. In some circumstances, when the administrator wants to make configurations without interruption from the users that have logged in through other user interfaces, the administrator can execute the command to release the connections established on the specified user interfaces.
You cannot use this command to release the connection you are using.
Lock the current user interface. lock
Send messages to the specified user interfaces.
send { all | num1 | { aux | vty } num2 }
63
Available in user view.
By default, the current user interface is not locked.
Available in user view.
j
Web login
Overview
The device provides a built-in web server. It enables you to log in to the web interface of the device from a PC. Web login is disabled by default.
To enable web login, log in to the device via the console port, and perform the following configuration:
Enable HTTP or HTTPS service.
Configure the IP address of the VLAN interface.
Configure a username and password.
The device supports the following web login methods:
HTTP login—Used for transferring web page information across the Internet. It is an application-layer
protocol in the TCP/IP protocol suite. The connection-oriented Transport Control Protocol (TCP) is adopted at the transport layer. The device supports HTTP 1.0.
HTTPS login—Supports the SSL protocol and uses it to encrypt the data exchanged between the HTTPS
client and the server to ensure data security and integrity. Define a certificate attribute-based access control policy to allow legal clients to access the device securely and prohibit illegal clients.
The following table shows the configuration requirements of web login.
Ob
ect Requirements
Configure the IP address of the VLAN interface.
Make sure the device and the PC can reach each other.
Device
PC
Configuring HTTP login
Required to use one approach.
Configuring HTTPS login
Install a web browser.
Obtain the IP address of the VLAN interface of the device.
64
Configuring HTTP login
Step Command
1. Enter system view.
2. Enable the HTTP service.
3. Configure the HTTP service port
number.
4. Associate the HTTP service with an
ACL.
5. Create a local user and enter local
user view.
6. Configure a password for the local
user.
system-view
ip http enable
ip http port port-number
ip http acl acl-number
local-user user-name
password { cipher | simple } password
Remarks
Required.
Enabled by default.
Optional.
80 by default.
If you execute the command multiple times, the last one takes effect.
Optional.
By default, the HTTP service is not associated with any ACL.
Associating the HTTP service with an ACL enables the device to allow only clients permitted by the ACL to access the device.
Required.
By default, no local user is configured.
Required.
By default, no password is configured for the local user.
7. Specify the command level of the
local user.
8. Specify the Telnet service type for
the local user.
9. Exit to system view.
10. Create a VLAN interface and enter
its view.
11. Assign an IP address and subnet
mask to the VLAN interface.
authorization-attribute level level
service-type telnet
quit
interface vlan-interface vlan-interface-id
ip address ip-address
{ mask | mask-length }
Required.
No command level is configured for the local user.
Required.
By default, no service type is configured for the local user.
Required.
If the VLAN interface already exists, the command enters its view.
Required.
By default, no IP address is assigned to the VLAN interface.
65
Configuring HTTPS login
Step Command
1. Enter system view.
2. Configure PKI and
SSL related features.
3. Associate the HTTPS
service with an SSL server policy.
4. Enable the HTTPS
service.
system-view
ip https ssl-server-policy
policy-name
ip https enable
Remarks
Required
By default, PKI and SSL are not configured.
For more information about PKI, see Security
Configuration Guide.
For more information about SSL, see Security
Configuration Guide.
Required
By default, the HTTPS service is not associated with any SSL server policy.
If you disable the HTTPS service, the system
automatically de-associates the HTTPS service from the SSL service policy. Before re-enabling the HTTPS service, associate the HTTPS service with an SSL server policy first.
Any changes to the SSL server policy associated
with the HTTP service that is enabled do not take effect.
Required
Disabled by default.
Enabling the HTTPS service triggers an SSL handshake negotiation process. During the process:
If the local certificate of the device exists, the SSL
negotiation succeeds, and the HTTPS service can be started normally.
If no local certificate exists, a certificate application
process is triggered by the SSL negotiation.
Because the application process takes much time, the SSL negotiation often fails and the HTTPS service cannot be started normally. In that case, you must run ip https enable multiple times to start the HTTPS service.
66
Step Command
5. Associate the HTTPS
service with a certificate attribute-based access control policy.
6. Configure the port
number of the HTTPS service.
7. Associate the HTTPS
service with an ACL.
8. Create a local user
and enter local user view.
9. Configure a
password for the local user.
ip https certificate access-control-policy policy-name
ip https port port-number
ip https acl acl-number
local-user user-name
password { cipher | simple } password
Remarks
Optional.
By default, the HTTPS service is not associated with any certificate-based attribute access control policy.
Associating the HTTPS service with a
certificate-based attribute access control policy enables the device to control the access rights of clients.
You must configure client-verify enable in the
associated SSL server policy. If not, no clients can log in to the device.
The associated SSL server policy must contain at
least one permit rule. Otherwise, no clients can log in to the device.
For more information about certificate
attribute-based access control policies, see Security Configuration Guide.
Optional.
443 by default.
Required.
By default, the HTTPS service is not associated with any ACL.
Associating the HTTPS service with an ACL enables the device to allow only clients permitted by the ACL to access the device.
Required.
By default, no local user is configured.
Required.
By default, no password is configured for the local user.
10. Specify the command
level of the local user.
11. Specify the Telnet
service type for the local user.
12. Exit to system view. quit
13. Create a VLAN
interface and enter its view.
14. Assign an IP address
and subnet mask to the VLAN interface.
authorization-attribute level level
service-type telnet
interface vlan-interface vlan-interface-id
ip address ip-address
{ mask | mask-length }
67
Required.
By default, no command level is configured for the local user.
Required.
By default, no service type is configured for the local user.
Required.
If the VLAN interface already exists, the command enters its view.
Required.
By default, no IP address is assigned to the VLAN interface.
Displaying and maintaining web login
Task Command Remarks
Display information about web users.
Display HTTP state information.
Display HTTPS state information.
display web users [ | { begin | exclude | include } regular-expression ]
display ip http [ | { begin | exclude | include } regular-expression ]
display ip https [ | { begin | exclude | include } regular-expression ]
Web login example
HTTP login example
Network requirements
As shown in Figure 10, the PC is connected to the device over an IP network. The IP address of the Device is
192.168.20.66/24.
Figure 10 Network diagram for configuring HTTP login
Available in any view.
Available in any view.
Available in any view.
Procedure
1. Configuration on the device
# Log in to the device via the console port and configure the IP address of VLAN 1 of the device. VLAN 1 is the default VLAN.
<Sysname> system-view [Sysname] interface vlan-interface 1 [Sysname-VLAN-interface1] ip address 192.168.20.66 255.255.255.0 [Sysname-VLAN-interface1] quit
# Create a local user named admin, and set the password to admin for the user. Specify the Telnet service type for the local user, and set the command level to 3 for this user.
[Sysname] local-user admin [Sysname-luser-admin] service-type telnet [Sysname-luser-admin] authorization-attribute level 3 [Sysname-luser-admin] password simple admin
68
2. Configuration on the PC
# On the PC, run the web browser. Enter the IP address of the device in the address bar, 192.168.20.66 in this example. The web login page appears, as shown in Figure 4.
Figure 4 Web login page
# Enter the user name, password, verify code, select English, and click Login. The homepage appears. After login, configure device settings through the web interface.
HTTPS login example
Network requirements
As shown in Figure 5, to prevent unauthorized users from accessing the Device, configure HTTPS login as follows:
Configure the Device as the HTTPS server, and request a certificate for it.
The Host acts as the HTTPS client. Request a certificate for it.
In this example, Windows Server acts as the CA. Install Simple Certificate Enrollment Protocol (SCEP) add-on on the CA. The name of the CA that issues certificates to the Device and Host is new-ca.
Before performing the following configuration, make sure that the Device, Host, and CA can reach each other.
69
Figure 5 Network diagram for configuring HTTPS login
Procedure
1. Configure the device that acts as the HTTPS server
# Configure a PKI entity, configure the common name of the entity as http-server1, and the FQDN of the entity as ssl.security.com.
<Device> system-view [Device] pki entity en [Device-pki-entity-en] common-name http-server1 [Device-pki-entity-en] fqdn ssl.security.com [Device-pki-entity-en] quit
# Create a PKI domain, specify the trusted CA as new-ca, the URL of the server for certificate request as http://10.1.2.2/certsrv/mscep/mscep.dll, authority for certificate request as RA, and the entity for certificate request as en.
[Device] pki domain 1 [Device-pki-domain-1] ca identifier new-ca [Device-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll [Device-pki-domain-1] certificate request from ra [Device-pki-domain-1] certificate request entity en [Device-pki-domain-1] quit
# Create RSA local key pairs.
[Device] public-key loc al create rsa
# Retrieve the CA certificate from the certificate issuing server.
[Device] pki retrieval-certificate ca domain 1
# Request a local certificate from a CA through SCEP for the device.
[Device] pki request-certificate domain 1
# Create an SSL server policy myssl, specify PKI domain 1 for the SSL server policy, and enable certificate-based SSL client authentication.
[Device] ssl server-policy myssl [Device-ssl-server-policy-myssl] pki-domain 1 [Device-ssl-server-policy-myssl] client-verify enable [Device-ssl-server-policy-myssl] quit
70
# Create a certificate attribute group mygroup1, and configure a certificate attribute rule, specifying that the Distinguished Name (DN) in the subject name includes the string of new-ca.
[Device] pki certificate attribute-group mygroup1 [Device-pki-cert-attribute-group-mygroup1] attribute 1 issuer-name dn ctn new-ca [Device-pki-cert-attribute-group-mygroup1] quit
# Create a certificate attribute-based access control policy myacp. Configure a certificate attribute-based access control rule, specifying that a certificate is considered valid when it matches an attribute rule in certificate attribute group myacp.
[Device] pki certificate access-control-policy myacp [Device-pki-cert-acp-myacp] rule 1 permit mygroup1 [Device-pki-cert-acp-myacp] quit
# Associate the HTTPS service with SSL server policy myssl.
[Device] ip https ssl-server-policy myssl
# Associate the HTTPS service with certificate attribute-based access control policy myacp.
[Device] ip https certificate access-control-policy myacp
# Enable the HTTPS service.
[Device] ip https enable
# Create a local user named usera, set the password to 123 for the user, and specify the Telnet service type for the local user.
[Device] local-user usera [Device-luser-usera] password simple 123 [Device-luser-usera] service-type telnet
2. Configure the host that acts as the HTTPS client
On the host, run the IE browser. In the address bar, enter http://10.1.2.2/certsrv and request a certificate for the host as prompted.
3. Verify the configuration
Enter ht tps :/ /10 .1.1.1 in the address bar, and select the certificate issued by new-ca. Then the web login page of the Device appears. On the login page, type the username usera, and password 12 3 to enter the web management page.
To log in to the web interface through HTTPS, enter the URL address starting with https://. To log in to the web interface through HTTP, enter the URL address starting with http://.
For more information about PKI configuration commands, see Security Command Reference.
For more information about the public-key local create rsa command, see Security Command Reference.
For more information about SSL configuration commands, see Security Command Reference.
71
j
NMS login
Overview
A Network Management Station (NMS) runs the SNMP client software. It offers a user-friendly interface to facilitate network management. An agent is a program that resides in the device. It receives and handles requests from the NMS. An NMS is a manager in an SNMP enabled network, whereas agents are managed by the NMS. The NMS and agents exchange information through the SNMP protocol. The device supports multiple NMS programs, such as iMC and CAMS.
By default, you cannot log in to the device through NMS. To enable NMS login, log in to the device via the console port and make the configurations described in the following table.
The following table shows the configuration requirements of NMS login.
Ob
ect Requirements
Device
Configure the IP address of the VLAN interface.
Make sure the device and the NMS can reach each other.
Configure SNMP settings.
NMS Configure the NMS. For more information, see the manual of your NMS.
Configuring NMS login
Connect the Ethernet port of the PC to an Ethernet port of VLAN 1 of the device, as shown in Figure 6. Make sure the PC and VLAN 1 interface can reach each other.
The device supports three SNMP versions: SNMPv1, SNMPv2c and SNMPv3. For more information about SNMP, see Network Management and Monitoring Configuration Guide.
Figure 6 Network diagram for configuring NMS login
72
Configuring SNMPv1 and SNMPv2c settings
Step Command
1. Enter system view. system-view
2. Enable SNMP agent. snmp-agent
snmp-agent mib-view
3. Create or update MIB view information.
Configure an
Directly
4. Configure
SNMP NMS access right.
Indirectly
SNMP community.
Configure an SNMP group.
Add a user to the SNMP group.
{ excluded | included }
view-name oid-tree [ mask mask-value ]
snmp-agent community { read | write }
community-name [ acl acl-number | mib-view view-name ]*
snmp-agent group { v1 | v2c } group-name
[ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]
snmp-agent usm-user { v1 | v2c } user-name group-name [ acl acl-number ]
Remarks
Optional.
Disabled by default.
Enable SNMP agent with this command or any command that begins with snmp-agent.
Optional.
By default, the MIB view name is ViewDefault and OID is 1.
Required.
Use either approach.
The direction configuration approach is for SNMPv1 or SNMPv2c. The community name configured on the NMS should be consistent with the username configured on the agent.
The indirect configuration approach is for SNMPv3.
73
Configuring SNMPv3 settings
Step Command
1. Enter system view. system-view
2. Enable SNMP agent. snmp-agent
3. Configure an SNMP
group and specify its access right.
4. Add a user to the SNMP
group.
snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]
snmp-agent usm-user v3 user-name group-name [ [ cipher ] authentication-
mode { md5 | sha } auth-password [ privacy-mode { 3des | aes128 | des56 }
priv-password ] ] [ acl acl-number ]
Remarks
Optional.
Disabled by default.
Enable SNMP agent with this command or any command that begins with snmp-agent.
Required.
By default, no SNMP group is configured.
Required.
If the cipher keyword is specified, both auth-password and priv-password are cipher-text passwords.
NMS login example
In this example, iMC is used as the NMS.
1. Configuration on the device
# Assign IP address of device. Make sure the device and the NMS can reach each other. (Configuration steps are omitted.)
# Enter system view.
<Sysname> system-view
# Enable the SNMP agent.
[Sysname] snmp-agent
# Configure an SNMP group.
[Sysname] snmp-agent group v3 managev3group read-view test write-view test
# Add a user to the SNMP group.
[Sysname] snmp-agent usm-user v3 managev3user managev3group
74
2. Configuration on the NMS
On the PC, start the browser. In the address bar, enter http://192.168.20.107:8080/imc, where
192.168.20.107 is the IP address of the iMC.
Figure 7 iMC login page
75
Enter the username and password, and then click Login. The iMC homepage appears, as shown in Figure 8.
Figure 8 iMC homepage
Log in to the iMC and configure SNMP settings for the iMC to find the device. After the device is found, manage and maintain the device through the iMC. For example, query device information or configure device parameters.
The SNMP settings on the iMC must be the same as those configured on the device. If not, the device cannot be found or managed by the iMC. See the iMC manuals for more information.
Click Help in the upper right corner of each configuration page to get corresponding help information.
76
p
User login control
Overview
The device provides the following login control methods.
Login Through Login control methods ACL used
Telnet
NMS
Web
Configuring source IP-based login control over Telnet users
Configuring source and destination IP-based login control over Telnet users
Configuring source MAC-based login control over Telnet users
Configuring source IP-based login co users
Configuring source IP-based login co users
ntrol over NMS
ntrol over web
Basic ACL
Advanced ACL
Ethernet frame header ACL
Basic ACL
Basic ACL
Configuring login control over Telnet users
Configuration preparation
Before configuration, determine the permitted or denied source IP addresses, source MAC addresses, and destination IP addresses.
Configuring source IP-based login control over Telnet users
Because basic ACLs match the source IP addresses of packets, use basic ACLs to implement source IP-based login control over Telnet users. Basic ACLs are numbered from 2000 to 2999. For more information about ACL, see ACL and QoS Configuration Guide.
To configure source IP-based login control over Telnet users:
Ste
Command
1. Enter system view.
2. Create a basic ACL and enter its view, or
enter the view of an existing basic ACL.
3. Configure rules for this ACL.
Remarks
system-view
acl [ ipv6 ] number
acl-number [ match-order { config | auto } ]
rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } | time-range time-name | fragment | logging ]*
77
Required.
By default, no basic ACL exists.
Required.
p
Step Command
4. Exit the basic ACL view.
5. Enter user interface view.
6. Use the ACL to control user login by
source IP address.
quit
user-interface [ type ]
first-number [ last-number ]
acl [ ipv6 ] acl-number { inbound | outbound }
Remarks
Required.
inbound—Filters incoming
Telnet packets.
outbound—Filters
outgoing Telnet packets.
Configuring source and destination IP-based login control over Telnet users
Because advanced ACLs can match both source and destination IP addresses of packets, use advanced ACLs to implement source and destination IP-based login control over Telnet users. Advanced ACLs are numbered from 3000 to 3999. For more information about ACL, see ACL and QoS Configuration Guide.
To configure source and destination IP-based login control over Telnet users:
Ste
Command
1. Enter system view.
system-view
Remarks
2. Create an advanced ACL and enter its
view, or enter the view of an existing advanced ACL.
3. Configure rules for the ACL.
4. Exit advanced ACL view. quit
5. Enter user interface.
6. Use the ACL to control user login by
source and destination IP addresses.
acl [ ipv6 ] number acl-number [ match-order { config | auto } ]
rule [ rule-id ] { permit | deny } rule-string
user-interface [ type ]
first-number [ last-number ]
acl [ ipv6 ] acl-number { inbound | outbound }
Required.
By default, no advanced ACL exists.
Required.
Required.
inbound—Filters incoming
Telnet packets.
outbound—Filters outgoing
Telnet packets.
Configuring source MAC-based login control over Telnet users
Ethernet frame header ACLs can match the source MAC addresses of packets, so use Ethernet frame header ACLs to implement source MAC-based login control over Telnet users. Ethernet frame header ACLs are numbered from 4000 to 4999. For more information about ACL, see ACL and QoS Configuration Guide.
78
p
To configure source MAC-based login control over Telnet users:
Ste
Command
Remarks
1. Enter system view.
2. Create an Ethernet frame header
ACL and enter its view.
3. Configure rules for the ACL.
4. Exit the advanced ACL view.
5. Enter user interface view.
6. Use the ACL to control user login by
source MAC address.
system-view
acl number acl-number [ match-order { config | auto } ]
rule [ rule-id ] { permit | deny }
rule-string
quit
user-interface [ type ] first-number
[ last-number ]
acl acl-number inbound
Required.
By default, no advanced ACL exists.
Required.
Required.
inbound: Filters incoming Telnet packets.
NOTE:
The above configuration does not take effect if the Telnet client and server are not in the same subnet.
Source MAC-based login control configuration example
Network requirements
As shown in Figure 9, configure an ACL on the Device to permit only incoming Telnet packets sourced from Host A and Host B.
Figure 9 Network diagram for configuring source MAC-based login control
79
p
Procedure
# Configure basic ACL 2000, and configure rule 1 to permit packets sourced from Host B, and rule 2 to permit packets sourced from Host A.
<Sysname> system-view [Sysname] acl number 2000 match-order config [Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0 [Sysname-acl-basic-2000] rule 2 permit source 10.110.100.46 0 [Sysname-acl-basic-2000] quit
# Reference ACL 2000 in user interface view to allow Telnet users from Host A and Host B to access the Device.
[Sysname] user-interface vty 0 15 [Sysname-ui-vty0-15] acl 2000 inbound
Configuring source IP-based login control over NMS users
Log in to the NMS to remotely manage the devices. SNMP is used for communication between the NMS and the agent that resides in the device. By using the ACL, control SNMP user access to the device.
Configuration preparation
Before configuration, determine the permitted or denied source IP addresses.
Configuring source IP-based login control over NMS users
Because basic ACLs match the source IP addresses of packets, use basic ACLs to implement source IP-based login control over NMS users. Basic ACLs are numbered from 2000 to 2999. For more information about ACL, see ACL and QoS Configuration Guide.
To configure source IP-based login control over NMS users:
Ste
Command
1. Enter system view.
2. Create a basic ACL and enter its
view, or enter the view of an existing basic ACL.
3. Create rules for this ACL.
4. Exit the basic ACL view.
system-view
acl [ ipv6 ] number acl-number [ match-order { config | auto } ]
rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } | time-range time-name | fragment | logging ]*
quit
Remarks
Required.
By default, no basic ACL exists.
Required.
5. Associate this SNMP community with
the ACL.
snmp-agent community { read | write } community-name [ acl acl-number | mib-view view-name ]*
80
Required.
Associate the ACL
Step Command
snmp-agent group { v1 | v2c } group- name [ read-view read-view ] [ write­view write-view ] [ notify-view notify-
6. Associate the SNMP group with the
ACL.
7. Associate the user with the ACL.
view ] [ acl acl-number ]
snmp-agent group v3 group-name [ authentication | privacy ] [ read-view
read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl- number ]
snmp-agent usm-user { v1 | v2c }
user-name group-name [ acl acl­number ]
snmp-agent usm-user v3 user-name group-name [ [ cipher ] authentication-
mode { md5 | sha } auth-password [ privacy-mode { 3des | aes128 |
des56 } priv-password ] ] [ acl acl-number ]
Remarks
when creating the community, the SNMP group, and the user.
For more information about SNMP, see
Network Management and Monitoring Configuration Guide.
Source IP-based login control over NMS users configuration example
Network requirements
As shown in Figure 10, configure the device to allow only NMS users from Host A and Host B to access.
Figure 10 Network diagram for configuring source IP-based login control over NMS users
Procedure
# Create ACL 2000, and configure rule 1 to permit packets sourced from Host B, and rule 2 to permit packets sourced from Host A.
<Sysname> system-view [Sysname] acl number 2000 match-order config [Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0 [Sysname-acl-basic-2000] rule 2 permit source 10.110.100.46 0 [Sysname-acl-basic-2000] quit
81
p
# Associate the ACL with the SNMP community and the SNMP group.
[Sysname] snmp-agent community read aaa acl 2000 [Sysname] snmp-agent group v2c groupa acl 2000 [Sysname] snmp-agent usm-user v2c usera groupa acl 2000
Configuring source IP-based login control over web users
Log in to the web management page of the device through HTTP/HT TPS to remotely manage the devices. By using the ACL, control web user access to the device.
Configuration preparation
Before configuration, determine the permitted or denied source IP addresses.
Configuring source IP-based login control over web users
Because basic ACLs match the source IP addresses of packets, use basic ACLs to implement source IP-based login control over web users. Basic ACLs are numbered from 2000 to 2999. For more information about ACL, see ACL and QoS Configuration Guide.
To configure source IP-based login control over web users:
Ste
Command
1. Enter system view.
2. Create a basic ACL and enter its view, or enter the
view of an existing basic ACL.
3. Create rules for this ACL.
4. Exit the basic ACL view.
5. Associate the HTTP service with the ACL.
6. Associate the HTTPS service with the ACL. ip https acl acl-number
system-view
acl [ ipv6 ] number
acl-number [ match-order { config | auto } ]
rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } | time-range time-name | fragment | logging ]*
quit
ip http acl acl-number
Remarks
Required.
By default, no basic ACL exists.
Required.
Required to use one command.
82
Logging off online web users
Step Command
1. Log off online web users.
free web-users { all | user-id user-id | user-name user-name }
Remarks
Required.
Execute the command in user interface view.
Source IP-based login control over web users configuration example
Network requirements
As shown in Figure 11, configure the device to allow only web users from Host B to access.
Figure 11 Network diagram for configuring source IP-based login control
Procedure
# Create ACL 2000, and configure rule 1 to permit packets sourced from Host B.
<Sysname> system-view [Sysname] acl number 2030 match-order config [Sysname-acl-basic-2030] rule 1 permit source 10.110.100.52 0
# Associate the ACL with the HTTP service so that only web users from Host B are allowed to access the device.
[Sysname] ip http acl 2030
83
g
Configuring FTP
Overview
FTP is an application layer protocol for sharing files between server and client over a TCP/IP network.
FTP uses TCP ports 20 and 21 for file transfer. Port 20 is used to transmit data, and port 21 to transmit control commands. For more information about FTP basic operations, see RFC 959.
FTP transfers files in the following modes:
ASCII mode—Transfers files as text, like .txt, .bat, and .cfg files.
Binary mode—Transfers files as raw data, like .app, .bin, and .btm files.
Operation
CAUTION:
Make sure that the FTP server and the FTP client can reach each other before establishing the FTP
connection.
When you use IE to log in to the device serving as the FTP server, some FTP functions are not available.
This is because multiple connections are established during the login process but the device supports only one connection at a time.
FTP adopts the client/server model. Your device can function either as the client or the server (as shown in Figure 12).
W
When the device serves as the FTP server, run the FTP client program on the PC to establish a connection
Figure 12 Network diagram for FTP
hen the device serves as th e FTP client, use Telne t or an emulation p rogram to l og in to the d evice from
the PC, run ftp to establish a connection from the device (FTP client) to the PC (FTP server), and then upload/download files to/from the server.
to the FTP server and upload/download files to/from the server.
When the device serves as the FTP client, you must perform the following configuration:
Table 5 Configuration when the device serves as the FTP client
Device Confi
Device (FTP client)
uration
Use ftp to establish the connection to the remote FTP server.
84
Remarks
If the remote FTP server supports anonymous FTP, the device can log in to it directly; if not, the device must obtain the FTP username and password first to log in to the remote FTP server.
g
Device Configuration
Enable FTP server on the PC, and
PC (FTP server)
configure the username, password, user privilege level, and so on.
Remarks
When the device serves as the FTP server, you must perform the following configuration:
Table 6 Configuration when the device serves as the FTP server
Device Confi
Device (FTP server)
PC (FTP client)
uration Remarks
Enable the FTP server function.
Configure authentication and authorization.
Configure the FTP server operating parameters.
Use the FTP client program to log in to the FTP server.
Disabled by default.
Use display ftp-server to view the FTP server configuration on the device.
Configure the username, password, and authorized directory for an FTP user.
The device does not support anonymous FTP for security reasons. You must set a valid username and password. By default, authenticated users can access the root directory of the device.
Parameters such as the FTP connection timeout time.
Log in to the FTP server only after you enter the correct FTP username and password.
Configuring the FTP client
Only users with the manage level can use ftp to log in to an FTP server, enter FTP client view, and execute directory and file related commands. However, whether the commands can be executed successfully depends on the authorizations of the FTP server.
Establishing an FTP connection
Before access the FTP server, you must first establish a connection from the FTP client to the FTP server. Either use ftp to establish the connection directly or use open command in FTP client view to establish the connection.
When using ftp, specify the source interface (such as a loopback) or source IP address. The primary IP address of the specified source interface or the specified source IP address is used as the source IP address of sent FTP packets. The source address of the transmitted packets is selected following these rules:
If no source address is specified, the FTP client uses the IP address of the interface determined by the
matched route as the source IP address to communicate with an FTP server.
If the source address is specified with the ftp client source or ftp, this source address is used to
communicate with an FTP server.
If you use ftp client source and ftp to specify a source address respectively, the source address specified
with ftp is used to communicate with an FTP server.
The source address specified with ftp client source is valid for all FTP connections and the source address
specified with ftp is valid only for the current FTP connection.
85
p
p
To establish an IPv4 FTP connection:
Ste
Command
Remarks
1. Enter system view.
2. Configure the source address of the FTP
client.
3. Exit to system view.
4. Log in to the remote FTP server directly in
user view.
5. Log in to the remote FTP server indirectly
in FTP client view.
system-view
Optional.
ftp client source { interface interface-type interface-number | ip source-ip-address }
quit
ftp [ server-address
[ service-port ] [ vpn-instance vpn-instance-name ] [ source { interface interface-type interface-number | ip source-ip-address } ] ]
ftp
open server-address
[ service-port ]
A switch uses the IP address of the interface determined by the matched route as the source IP address to communicate with the FTP server by default.
Use either approach.
The ftp command is available in user view, and open is available in FTP client view.
If no primary IP address is configured on the specified source interface, you cannot establish an FTP connection.
If you use ftp client source to configure a source interface and then use it to configure a source IP address, the source IP address overwrites the source interface, and vice versa.
To establish an IPv6 FTP connection:
Ste
Command
1. Log in to the remote FTP server
directly in user view.
2. Log in to the remote FTP server
indirectly in FTP client view.
ftp ipv6 [ server-address [ service-port ] [ vpn-instance vpn-instance-name ] [ source ipv6 source-ipv6-address ] [ -i interface-type interface-number ] ]
ftp ipv6
open ipv6 server-address [ service-port ] [ -i interface-type interface-number ]
Remarks
Use either approach.
The ftp ipv6 command is available in user view; and open ipv6 is available in FTP client view.
86
Operating FTP server directories
After the switch serving as the FTP client has established a connection with an FTP server, create or delete folders under the authorized directory of the FTP server. For more information about establishing an FTP connection, see “Establishing an FTP connection.”
o operate the directories on an FTP server:
T
Task Command
Display detailed information about a directory or file on the remote FTP server.
Query a directory or file on the remote FTP server. ls [ remotefile [ localfile ] ] Optional
Change the working directory of the remote FTP server. cd { directory | .. | / } Optional
Exit the current working directory and return to an upper level directory of the remote FTP server.
Display the working directory that is being accessed. pwd Optional
Create a directory on the remote FTP server. mkdir directory Optional
Remove the specified working directory on the remote FTP server. rmdir directory Optional
Operating FTP server files
After the switch serving as the FTP client has established a connection with an FTP server, upload a file to or download a file from the FTP server under the authorized directory of the FTP server by following these steps. For information about establishing an FTP connection, see “Establishing an FTP connection.”
e dir or ls to view the directory and the location of the file on the FTP server.
Us
Delete useless files for effective use of the storage space.
Remarks
dir [ remotefile [ localfile ] ] Optional
cdup Optional
Set the file transfer mode. FTP transmits files in two modes:
ASCII mode—Transfers files as text.
Binary mode—Transfers files as raw data.
Use lcd to view the local working directory of the FTP client. Upload the file under this directory, or save the downloaded file under this directory.
Upload or download the file.
87
To operate the files on an FTP server:
Task Command
Display detailed information about a directory or file on the remote FTP server.
Query a directory or file on the remote FTP server.
Delete the specified file on the remote FTP server permanently.
Set the file transfer mode to ASCII. ascii
Set the file transfer mode to binary. binary
Set the data transmission mode to passive. passive
dir [ remotefile [ localfile ] ]
ls [ remotefile [ localfile ] ]
delete remotefile Optional.
Remarks
Optional.
The ls command only displays the name of a directory or file. The dir command displays detailed information such as the file size and creation time.
Optional.
The ls command only displays the name of a directory or file. The dir command displays detailed information such as the file size and creation time.
Optional.
ASCII by default.
Optional.
ASCII by default.
Optional.
Passive by default.
Display the local working directory of the FTP client. lcd Optional.
Upload a file to the FTP server.
Download a file from the FTP server.
put localfile [ remotefile ]
get remotefile [ localfile ]
Optional.
Optional.
Using another username to log in to an FTP server
After the switch serving as the FTP client has established a connection with the FTP server, use another username to log in to the FTP server. For more information about establishing an FTP connection, see “Establishing an FTP connection.”
his feature allows you to switch to different user levels without affecting the current FTP connection; if you
T enter an incorrect username or password, the current connection is terminated, and you must log in again to access the FTP server.
Follow the step below to use another username to log in to the FTP server:
Task Command
Use another username to re-log in after successfully logging in to the FTP server.
user username [ password ] Optional.
Remarks
88
Maintaining and debugging an FTP connection
After a switch serving as the FTP client has established a connection with the FTP server, perform the following operations to locate and diagnose problems encountered in an FTP connection. For more information about establishing an FTP connection, see “Establishing an FTP connection.”
Task Command
Display the help information of FTP-related commands supported by the remote FTP server.
Enable information display in a detailed manner. verbose
Enable FTP related debugging when the switch acts as the FTP client.
Terminating an FTP connection
After the switch serving as the FTP client has established a connection with the FTP server, use any of the following commands to terminate an FTP connection. For more information about establishing an FTP connection, see “Establishing an FTP connection.”
Task Command
Terminate the connection to the FTP server without exiting FTP client view.
Terminate the connection to the FTP server without exiting FTP client view.
disconnect
close
Remarks
remotehelp [ protocol-command ]
debugging
Optional.
Optional.
Enabled by default.
Optional.
Disabled by default.
Remarks
Optional.
Equal to the close.
Optional.
Equal to disconnect.
Terminate the connection to the FTP server and return to user view.
Terminate the connection to the FTP server and return to user view.
bye
quit
FTP client configuration example
Network requirements
As shown in Figure 13, use Device as an FTP client and PC as the FTP server. Their IP addresses are
10.2.1.1/16 and 10.1.1.1/16 respectively. Device and PC are reachable to each other.
Device downloads a boot file from PC for device upgrade, and uploads the configuration file to PC for
backup.
On PC, an FTP user account has been created for the FTP client, with the username being abc and the
password being pwd.
Optional.
Equal to the quit command in FTP client view.
Optional.
Available in FTP client view, equal to the bye.
89
Procedure
Figure 13 Network diagram for FTPing a boot file from an FTP server
CAUTION:
The boot file used for the next startup must be saved under the root directory of the storage medium.
Copy or move a file to the root directory of the storage medium. For more information about boot-loader, see
Fundamentals Command Reference.
If the available memory space of the device is not enough, use fixdisk to clear the memory or use delete
file-url
/unreserved
to delete the files not in use and then perform the following operations.
# Log in to the server through FTP.
<Sysname> ftp 10.1.1.1 Trying 10.1.1.1 Connected to 10.1.1.1 220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user User(10.1.1.1:(none)):abc 331 Give me your password, please Password: 230 Logged in successfully
# Set the file transfer mode to binary to transmit boot file.
[ftp] binary 200 Type set to I.
# Download the boot file newest.bin from PC to Device.
[ftp] get newest.bin
# Upload the configuration file config.cfg of Device to the server for backup.
[ftp] ascii [ftp] put config.cfg back-config.cfg 227 Entering Passive Mode (10,1,1,1,4,2). 125 ASCII mode data connection already open, transfer starting for /config.cfg. 226 Transfer complete. FTP: 3494 byte(s) sent in 5.646 second(s), 618.00 byte(s)/sec. [ftp] bye
# Specify newest.bin as the main boot file to be used at the next startup.
<Sysname> boot-loader file newest.bin main
# Reboot the device, and the boot file is updated at the system reboot.
<Sysname> reboot
90
FTP client configuration example
Network requirements
As shown in Figure 14, use Device as an FTP client and PC as the FTP server. Their IP addresses are
10.2.1.1/16 and 10.1.1.1/16 respectively. Device and PC are reachable to each other.
Device downloads a boot file from PC for device upgrade, and uploads the configuration file to PC for
backup.
On PC, an FTP user account has been created for the FTP client, with the username being abc and the
password being pwd.
Figure 14 Network diagram for FTPing a boot file from an FTP server
Procedure
CAUTION:
The boot file used for the next startup must be saved under the root directory of the storage medium.
Copy or move a file to the root directory of the storage medium. For more information about boot-loader, see
Fundamentals Command Reference.
If the available memory space of the device is not enough, use fixdisk to clear the memory or use delete
file-url
/unreserved
to delete the files not in use and then perform the following operations.
# Log in to the server through FTP.
<Sysname> ftp 10.1.1.1 Trying 10.1.1.1 ... Connected to 10.1.1.1. 220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user User(10.1.1.1:(none)):abc 331 Give me your password, please Password: 230 Logged in successfully
# Set the file transfer mode to binary to transmit boot file.
[ftp] binary 200 Type set to I.
# Download the boot file newest.bin from PC to the device.
Download the boot file newest.bin from PC to the root directory of the storage medium on the master.
[ftp] get newest.bin
91
Download the boot file newest.bin from PC to the root directory of the storage medium of a subordinate
switch (with member ID of 2).
[ftp] get newest.bin slot2#flash:/newest.bin
# Upload the configuration file config.cfg of the device to the server for backup.
[ftp] ascii [ftp] put config.cfg back-config.cfg 227 Entering Passive Mode (10,1,1,1,4,2). 125 ASCII mode data connection already open, transfer starting for /config.cfg. 226 Transfer complete. FTP: 3494 byte(s) sent in 5.646 second(s), 618.00 byte(s)/sec. [ftp] bye
# Specify newest.bin as the main boot file to be used at the next startup for all member devices.
<Sysname> boot-loader file newest.bin slot all main This command will set the boot file of the specified board. Continue? [Y/N]:y The specified file will be used as the main boot file at the next reboot on slot 1! The specified file will be used as the main boot file at the next reboot on slot 2!
# Reboot the device, and the boot file is updated at the system reboot.
<Sysname> reboot
Configuring the FTP server
Configuring FTP server operating parameters
The FTP server uses one of the following modes to update a file when you upload the file (use put) to the FTP server:
Fast mode—The FTP server starts writing data to the storage medium after a file is transferred to the
memory. This prevents the existing file on the FTP server from being corrupted in the event that anomaly, power failure for example, occurs during a file transfer.
Normal mode—The FTP server writes data to the storage medium while receiving data. This means that
any anomaly, power failure for example, during file transfer might result in file corruption on the FTP server. This mode, however, consumes less memory space than the fast mode.
92
To configure the FTP server:
Step Command Remarks
1. Enter system view. system-view
2. Enable the FTP server
3. Use an ACL to control FTP
clients’ access to the switch.
4. Configure the idle-timeout
timer.
5. Set the file update mode for
the FTP server.
6. Quit to user view.
7. Manually release the FTP
connection established with the specified username.
ftp server enable
ftp server acl acl-number
ftp timeout minutes
ftp update { fast | normal }
quit
free ftp user username
Required.
Disabled by default.
Optional.
By default, no ACL is used to control FTP clients’ access to the switch.
Optional.
30 minutes by default.
Within the idle-timeout time, if there is no information interaction between the FTP server and client, the connection between them is terminated.
Optional.
Normal update is used by default.
Optional.
Available in user view.
Configuring authentication and authorization on the FTP server
To allow an FTP user to access certain directories on the FTP server, you must create an account for the user, authorizing access to the directories and associating the username and password with the account.
The following configuration is used when the FTP server authenticates and authorizes a local FTP user. If the FTP server needs to authenticate a remote FTP user, you must configure authentication, authorization and accounting (AAA) policy instead of the local user. For detailed configuration, see the Security Command Reference.
In local authentication, the switch checks the entered username and password against those configured on the switch. In remote authentication, the switch sends the entered username and password to the remote authentication server, which then checks whether they are consistent with those configured on the switch.
When the switch serves as the FTP server, if the client is to perform the write operations (upload, delete, create, and delete for example) on the device’s file system, the FTP login users must be level 3 users; if the client is to perform other operations, for example, read operation, the switch has no restriction on the user level of the FTP login users.
93
Loading...
Buy Points How it Works FAQ Contact Us Questions and Suggestions Privacy Policy Cookie Policy Terms of Use