02-Login Management Commands
acl (user interface view)
Syntax
To use a basic or advanced ACL:
acl [ ipv6 ] acl-number { inbound | outbound }
undo acl [ ipv6 ] acl-number { inbound | outbound }
To use an Ethernet frame header ACL:
acl acl-number inbound
undo acl acl-number inbound
View
VTY user interface view
Default level
2: System level
Parameters
ipv6: When this keyword is present, the command supports IPv6; otherwise, it supports IPv4.
acl-number: Specifies an ACL number in the range of 2000 to 4999:
· 2000 to 2999 for a basic ACL.
· 3000 to 3999 for an advanced ACL.
· 4000 to 4999 for an Ethernet frame header ACL.
inbound: Restricts Telnet or SSH connections established in the inbound direction through the VTY user interface. If the received packets for establishing a Telnet or SSH connection are permitted by an ACL rule, the connection is allowed to be established. When the switch functions as a Telnet server or SSH server, this keyword is used to control access of Telnet clients or SSH clients.
outbound: Restricts Telnet connections established in the outbound direction through the VTY user interface. If the packets sent for establishing a Telnet connection are permitted by an ACL rule, the connection is allowed to be established. When the device functions as a Telnet client, this keyword is used to define Telnet servers accessible to the client.
Description
Use acl to reference ACLs to control access to the VTY user interface.
Use undo acl to cancel the ACL application. For more information about ACL, see ACL and QoS Command Reference.
By default, access to the VTY user interface is not restricted.
If no ACL is referenced in VTY user interface view, the VTY user interface has no access control over establishing a Telnet or SSH connection.
If an ACL is referenced in VTY user interface view, the connection is permitted to be established only when packets for establishing a Telnet or SSH connection match a permit statement in the ACL.
The system regards the basic/advanced ACL with the inbound keyword, the basic/advanced ACL with the outbound keyword, and the Ethernet frame header ACL as three different types of ACLs, which can coexist in one VTY user interface. The ACLs are matched in this order: the basic/advanced ACL with the inbound keyword or outbound keyword, then the Ethernet frame header ACL. At most one ACL of each type can be referenced in the same VTY user interface, and the most recent configuration takes effect.
Examples
# Allow only the user with the IP address of 192.168.1.26 to access the device through Telnet or SSH.
<Sysname> system-view
[Sysname] acl number 2001
[Sysname-acl-basic-2001] rule permit source 192.168.1.26 0
[Sysname-acl-basic-2001] quit
[Sysname] user-interface vty 0
[Sysname-ui-vty0] acl 2001 inbound
After your configuration, user A (with the IP address 192.168.1.26) can Telnet to the device while user B (with the IP address 192.168.1.60) cannot Telnet to the device. Upon a connection failure, a message appears, saying "%connection closed by remote host!"
# Allow the device to only Telnet to the Telnet server with IP address 192.168.1.41.
<Sysname> system-view
[Sysname] acl number 3001
[Sysname-acl-adv-3001] rule permit tcp destination 192.168.1.41 0
[Sysname-acl-adv-3001] quit
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] acl 3001 outbound
[Sysname-ui-vty0-4] return
<Sysname>
After your configuration, if you Telnet to 192.168.1.46, your operation fails.
<Sysname> telnet 192.168.1.46
%Can't access the host from this terminal!
But you can Telnet to 192.168.1.41.
<Sysname> telnet 192.168.1.41
Trying 192.168.1.41 ...
Press CTRL+K to abort
Connected to 192.168.1.41 ...
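The inbound filtering described in this section, modelled in Python as an added example (not H3C code). It covers basic ACL rules with a source address only, and it goes beyond the page's single-host rule to show how a wildcard mask behaves. Assumptions: rules are evaluated in the order listed with the first match deciding, and the names parse_rule and vty_allows are hypothetical.

```python
import ipaddress
from typing import List, NamedTuple, Optional

MASK32 = 0xFFFFFFFF


class Rule(NamedTuple):
    action: str    # "permit" or "deny"
    address: int   # source address as a 32-bit integer
    wildcard: int  # wildcard mask: 1-bits are ignored when comparing


def parse_rule(line: str) -> Rule:
    """Parse 'rule {permit|deny} source {<addr> <wildcard> | any}'."""
    tok = line.split()
    if (len(tok) < 4 or tok[0] != "rule"
            or tok[1] not in ("permit", "deny") or tok[2] != "source"):
        raise ValueError(f"unsupported rule: {line!r}")
    if tok[3] == "any":
        return Rule(tok[1], 0, MASK32)
    if len(tok) != 5:
        raise ValueError(f"missing wildcard: {line!r}")
    address = int(ipaddress.IPv4Address(tok[3]))
    # The page writes the host wildcard as a bare 0 (same as 0.0.0.0).
    wildcard = 0 if tok[4] == "0" else int(ipaddress.IPv4Address(tok[4]))
    return Rule(tok[1], address, wildcard)


def vty_allows(acl_lines: Optional[List[str]], client_ip: str) -> bool:
    """Decide whether a Telnet/SSH client may connect to the VTY interface.

    acl_lines=None means no ACL is referenced: access is not restricted.
    With an ACL referenced, only a client that matches a permit rule is
    allowed; a client that matches nothing is refused. (An ACL with no
    rules is not described on the page; this model refuses in that case.)
    """
    if acl_lines is None:
        return True
    ip = int(ipaddress.IPv4Address(client_ip))
    for rule in map(parse_rule, acl_lines):
        care = ~rule.wildcard & MASK32  # bits that must be equal
        if (ip & care) == (rule.address & care):
            return rule.action == "permit"
    return False


# ACL 2001 exactly as configured in the page's example.
ACL_2001 = ["rule permit source 192.168.1.26 0"]
# Constructed rules: a /24 written with a wildcard mask, and the same
# network written with a subnet mask where the wildcard belongs.
ACL_SUBNET = ["rule permit source 192.168.1.0 0.0.0.255"]
ACL_MISTAKE = ["rule permit source 192.168.1.0 255.255.255.0"]

if __name__ == "__main__":
    for name, acl, ip in [
        ("2001", ACL_2001, "192.168.1.26"),       # user A on the page
        ("2001", ACL_2001, "192.168.1.60"),       # user B on the page
        ("none", None, "192.168.1.60"),           # no ACL referenced
        ("subnet", ACL_SUBNET, "192.168.1.60"),
        ("mistake", ACL_MISTAKE, "192.168.1.60"),
        ("mistake", ACL_MISTAKE, "10.9.8.0"),
    ]:
        verdict = "allowed" if vty_allows(acl, ip) else "refused"
        print(f"acl={name:8} client={ip:14} {verdict}")
```

In this model a subnet mask typed in the wildcard position locks out the intended 192.168.1.0/24 clients and instead matches any address whose last octet is 0, which is why the wildcard should be checked before the ACL is applied to the VTY interface.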
activation-key
Syntax
activation-key character
undo activation-key
View
User interface view
Default level
3: Manage level
Parameters
character: Shortcut key for starting a terminal session, a single character (or its ASCII code value in the range of 0 to 127) or a string of 1 to 3 characters. However, only the first character functions as the shortcut key. For example, if you enter an ASCII code value of 97, the system uses its corresponding character a as the shortcut key. If you enter string b@c, the system uses the first character b as the shortcut key.
Description
Use activation-key to define a shortcut key for starting a terminal session.
Use undo activation-key to restore the default.
By default, pressing the Enter key starts a terminal session. However, if a new shortcut key is defined by the activation-key command, the Enter key no longer functions. To display the shortcut key you have defined, use the display current-configuration | include activation-key command.
The activation-key command is not supported by the VTY user interface.
Examples
# Configure character s as the shortcut key for starting a terminal session on the console port.
<Sysname> system-view
[Sysname] user-interface console 0
[Sysname-ui-console0] activation-key s
To verify the configuration:
[Sysname-ui-console0] return
<Sysname> quit
******************************************************************************
* Copyright (c) 2004-2010 Hangzhou H3C Tech. Co., Ltd. All rights reserved. *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
User interface con0 is available.
Please press ENTER.
<Sysname>
%Mar 2 18:40:27:981 2005 Sysname SHELL/5/LOGIN: Console login from con0
auto-execute command
Syntax
auto-execute command command
undo auto-execute command
View
User interface view
Default level
3: Manage level
Parameters
command: Specifies a command to be automatically executed.
Description
Use auto-execute command to specify a command to be automatically executed when a user logs in to the current user interface.
Use undo auto-execute command to remove the configuration.
By default, command auto-execution is disabled.
The console port does not support the auto-execute command command.
The system automatically executes the specified command when a user logs in to the user interface, and terminates the user connection after the command completes. If the command triggers another task, the system does not terminate the user connection until that task completes.
Typically, you can use the auto-execute command telnet command in user interface view to enable a user to automatically Telnet to the specified host when the user logs in to the device. After the user terminates the connection with the host, the user's connection with the device is automatically terminated.
IMPORTANT: The auto-execute command command might prevent you from configuring the system through the user interface to which the command is applied. Therefore, before configuring the command and saving the configuration (by using the save command), make sure that you can access the switch by other VTY, console, or AUX interfaces to remove the configuration in case a problem occurs.
Examples
# Configure the device to automatically Telnet to 192.168.1.41 after a user logs in to interface VTY 0.
<Sysname> system-view
[Sysname] user-interface vty 0
[Sysname-ui-vty0] auto-execute command telnet 192.168.1.41
% This action will lead to configuration failure through ui-vty0. Are you sure?
[Y/N]:y
[Sysname-ui-vty0]
To verify the configuration:
Telnet to 192.168.1.40. The device automatically Telnets to 192.168.1.41. The following output is displayed:
C:\> telnet 192.168.1.40
******************************************************************************
* Copyright (c) 2004-2010 Hangzhou H3C Tech. Co., Ltd. All rights reserved. *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
<Sysname>
Trying 192.168.1.41 ...
Press CTRL+K to abort
Connected to 192.168.1.41 ...
******************************************************************************
* Copyright (c) 2004-2010 Hangzhou H3C Tech. Co., Ltd. All rights reserved. *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
<Sysname.41>
This operation is the same as directly logging in to the device at 192.168.1.41. If the Telnet connection to 192.168.1.41 is terminated, the Telnet connection to 192.168.1.40 is terminated at the same time.
authentication-mode
Syntax
In non-FIPS mode:
authentication-mode { none | password | scheme }
undo authentication-mode
In FIPS mode:
authentication-mode scheme
undo authentication-mode
View
User interface view
Default level
3: Manage level
Parameters
none: Performs no authentication.
password: Performs local password authentication.
scheme: Performs AAA authentication. For more information about AAA, see Security Configuration Guide.
Description
Use authentication-mode to set the authentication mode when users log in to the user interface.
Use undo authentication-mode to restore the default.
In non-FIPS mode, the default authentication mode is password for VTY and AUX user interfaces and none for the console user interface.
In FIPS mode, the authentication mode can only be scheme.
Related commands: set authentication password.
Examples
# Specify that no authentication is needed when users log in to the device through VTY 0. (This mode is insecure.)
<Sysname> system-view
[Sysname] user-interface vty 0
[Sysname-ui-vty0] authentication-mode none
# Set to use password authentication when users log in to the device through VTY 0, and set the authentication password to 321.
<Sysname> system-view
[Sysname] user-interface vty 0
[Sysname-ui-vty0] authentication-mode password
[Sysname-ui-vty0] set authentication password simple 321
# Set to authenticate users by username and password when the users log in to the device through VTY 0. Set the username to 123 and the password to 321.
<Sysname> system-view
[Sysname] user-interface vty 0
[Sysname-ui-vty0] authentication-mode scheme
[Sysname-ui-vty0] quit
[Sysname] local-user 123
[Sysname-luser-123] password simple 321
[Sysname-luser-123] service-type telnet
[Sysname-luser-123] authorization-attribute level 3
command accounting
Syntax
command accounting
undo command accounting
View
User interface view
Default level
3: Manage level
Parameters
None
Description
Use command accounting to enable command accounting.
Use undo command accounting to restore the default.
By default, command accounting is disabled. The accounting server does not record the commands that users have executed.
When command accounting is enabled and command authorization is not, every executed command is recorded on the HWTACACS server.
When both command accounting and command authorization are enabled, only the authorized and executed commands are recorded on the HWTACACS server.
Examples
# Enable command accounting on VTY 0. Then the HWTACACS server records the commands executed by users that have logged in through VTY 0.
<Sysname> system-view
[Sysname] user-interface vty 0
[Sysname-ui-vty0] command accounting
command authorization
Syntax
command authorization
undo command authorization
View
User interface view
Default level
3: Manage level
Parameters
None
Description
Use command authorization to enable command authorization.
Use undo command authorization to restore the default.
By default, command authorization is disabled. Logged-in users can execute commands without authorization.
With command authorization enabled, users logging in from the current user interface can perform only commands authorized by the server.
Examples
# Enable command authorization for VTY 0 so that users logging in from VTY 0 can perform only the commands authorized by the HWTACACS server.
<Sysname> system-view
[Sysname] user-interface vty 0
[Sysname-ui-vty0] command authorization
databits
Syntax
databits { 5 | 6 | 7 | 8 }
undo databits
View
User interface view
Default level
2: System level
Parameters
5: Sets 5 data bits for each character.
6: Sets 6 data bits for each character.
7: Sets 7 data bits for each character.
8: Sets 8 data bits for each character.
Description
Use databits to set data bits for each character.
Use undo databits to restore the default.
By default, 8 data bits are set for each character.
The command is only applicable to asynchronous serial interfaces (including AUX and console ports).
The device does not support data bits 5 and 6.
The data bits settings must be identical for the user interfaces of the connecting ports on the redirect device and the terminal device for communication.
Examples
# Specify 5 data bits for each character.
<Sysname> system-view
[Sysname] user-interface aux 0
[Sysname-ui-aux0] databits 5
display ip http
Syntax
display ip http [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display ip http to display HTTP information.
Examples
# Display information about HTTP.
<Sysname> display ip http
HTTP port: 80
WLAN ACL: 100
Basic ACL: 2222
Current connection: 0
Operation status: Running
Table 1 Command output
Field | Description |
---|---|
HTTP port | Port number used by the HTTP service. |
WLAN ACL | WLAN ACL associated with the HTTP service. |
Basic ACL | Basic ACL number associated with the HTTP service. |
Current connection | Number of current connections. |
Operation status | Operation status: · Running—The HTTP service is enabled. · Stopped—The HTTP service is disabled. |
display ip https
Use display ip https to display HTTPS information.
Syntax
display ip https [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display HTTPS information.
<Sysname> display ip https
HTTPS port: 443
SSL server policy: test
Certificate access-control-policy:
WLAN ACL: 100
Basic ACL: 2222
Current connection: 0
Operation status: Running
Table 2 Command output
Field | Description |
---|---|
HTTPS port | Port number used by the HTTPS service. |
SSL server policy | SSL server policy associated with the HTTPS service. |
Certificate access-control-policy | Certificate attribute-based access control policy associated with the HTTPS service. |
WLAN ACL | WLAN ACL associated with the HTTPS service. |
Basic ACL | Basic ACL associated with the HTTPS service. |
Current connection | Number of current connections. |
Operation status | Operation status: · Running—The HTTPS service is enabled. · Stopped—The HTTPS service is disabled. |
display telnet client configuration
Syntax
display telnet client configuration [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display telnet client configuration to display the related configuration information when the device serves as the Telnet client.
This command displays the source IPv4 address or source interface information of the Telnet client.
Related commands: telnet client source.
Examples
# Display the related configuration information when the device serves as the Telnet client.
<Sysname> display telnet client configuration
The source IP address is 1.1.1.1.
The output shows that the device serves as the Telnet client and it sends the Telnet packets with the source IPv4 address 1.1.1.1.
display user-interface
Syntax
display user-interface [ num1 | { aux | console | vty } num2 ] [ summary ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
num1: Absolute number of a user interface.
aux: Specifies an AUX user interface.
console: Specifies a console user interface.
vty: Specifies a VTY user interface.
num2: Relative number of a user interface, 0 or 1 for an AUX or console user interface and 0 to 15 for a VTY user interface.
summary: Displays summary about user interfaces.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display user-interface to display information about the specified or all user interfaces.
If the summary keyword is not included, the command displays the type of the user interface, the absolute or relative number, the transmission rate, the user privilege level, the authentication mode, and the access port.
If the summary keyword is included, the command displays all user interface numbers and types.
Examples
# Display information about user interface 0.
<Sysname> display user-interface 0
Idx Type Tx/Rx Modem Privi Auth Int
+ 0 CON 0 9600 - 3 N -
+ : Current user-interface is active.
F : Current user-interface is active and work in async mode.
Idx : Absolute index of user-interface.
Type : Type and relative index of user-interface.
Privi: The privilege of user-interface.
Auth : The authentication mode of user-interface.
Int : The physical location of UIs.
A : Authentication use AAA.
L : Authentication use local database.
N : Current UI need not authentication.
P : Authentication use current UI's password.
Table 3 Command output
Field | Description |
---|---|
+ | The current user interface is active. |
F | The current user interface is active and operating in asynchronous mode. |
Idx | Absolute number of the user interface. |
Type | Type and relative number of the user interface. |
Tx/Rx | Transmission rate of the user interface. |
Modem | Whether the modem is allowed to dial in (in), dial out (out), or both (inout). By default, the character - is displayed to indicate that this function is disabled. |
Privi | Command level of a user under that user interface. |
Auth | Authentication mode for users logging in from the interface, which can be A, P, L, and N. |
Int | Physical port that corresponds to the user interface. |
A | AAA authentication. |
L | Local authentication. This value is not supported on the device. |
N | No authentication. |
P | Password authentication. |
# Display summary about all user interfaces.
<Sysname> display user-interface summary
User interface type : [CON]
0:UX
User interface type : [AUX]
2:XX
User interface type : [VTY]
20:UXXX XXXX XXXX XXXX
2 character mode users. (U)
18 UI never used. (X)
2 total UI in use
Table 4 Command output
Field | Description |
---|---|
User interface type | Type of user interface (CON/AUX/VTY). |
0:UX | 0 represents the absolute number of the user interface. X means this user interface is not used; U means this user interface is in use. For example, 9:UXXX X shows that the absolute number of the first user interface is 9, and the user interface is in use. User interfaces 10, 11, 12, and 13 are not in use. |
character mode users. (U) | Number of users, that is, the total number of character U. |
UI never used. (X) | Number of user interfaces not used, that is, the total number of character X. |
total UI in use | Total number of user interfaces in use. |
display users
Syntax
display users [ all ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
all: Displays information about all user interfaces that the device supports.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display users to display information about the user interfaces that are being used.
Use display users all to display information about all user interfaces supported by the device.
Examples
# Display information about the user interfaces that are being used.
<Sysname> display users
The user application information of the user interface(s):
Idx UI Delay Type Userlevel
+ 9 VTY 0 00:00:00 TEL 3
10 VTY 1 00:02:34 TEL 3
Following are more details.
VTY 0 :
Location: 192.168.1.54
VTY 1 :
Location: 192.168.1.58
+ : Current operation user.
F : Current operation user work in async mode.
The output shows that two users have logged in to the device. The user with IP address 192.168.1.54 uses VTY 0, and the other with IP address 192.168.1.58 uses VTY 1.
Table 5 Command output
Field | Description |
---|---|
Idx | Absolute number of the user interface. |
UI | Relative number of the user interface. The first column, for example, VTY, represents user interface type, and the second column, for example, 0, represents the relative number of the user interface. |
Delay | Time elapsed since the user's final input, in the format of hh:mm:ss. |
Type | User type, such as Telnet or SSH. |
Userlevel | User level: 0 for visit, 1 for monitor, 2 for system, and 3 for manage. |
Location | IP address of the user. |
display web users
Syntax
display web users [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display web users to display information about the Web users.
Examples
# Display information about the Web users.
<Sysname> display web users
UserID Name Language Level State LinkCount LoginTime LastTime
ab890000 admin Chinese Management Enable 0 14:13:46 14:14:18
Table 6 Command output
Field | Description |
---|---|
UserID | Web user ID. |
Name | Web username. |
Language | Language used in Web login. |
Level | Web user level. |
State | Web user status. |
LinkCount | Number of tasks running for the Web user. |
LoginTime | Login time. |
LastTime | Last time when the Web user accessed the device. |
escape-key
Syntax
escape-key { default | character }
undo escape-key
View
User interface view
Default level
3: Manage level
Parameters
character: Specifies the shortcut key for aborting a task, a single character (or its ASCII code value in the range of 0 to 127) or a string of 1 to 3 characters. Only the first character of a string functions as the shortcut key. For example, if you enter an ASCII code value 113, the system uses its corresponding character q as the shortcut key. If you enter the string q@c, the system uses the first character q as the shortcut key.
default: Restores the default escape key sequence Ctrl+C.
Description
Use escape-key to define a shortcut key for aborting a task.
Use undo escape-key to disable the shortcut key for aborting tasks.
By default, a task is terminated by using Ctrl+C.
After defining a new shortcut key by using the escape-key command, the new shortcut key functions to terminate a task. To display the shortcut key you have defined, use the display current-configuration command.
If you set the character argument in a user interface of a device, when you use the user interface to log in to the device and then Telnet to another device, the character argument can only be used as a control character to terminate a task, rather than as a common character. For example, if you specify character as e in VTY 0 user interface of Device A, when you log in to Device A by using VTY 0 on a PC (Hyper Terminal), you can enter e as a common character on the PC, and you can also use e to terminate the task running on Device A. If you Telnet to Device B from Device A, however, you can only use e to terminate the task running on Device B, rather than as a common character. A good practice is to configure character as a key sequence.
Examples
# Define key a as the shortcut key for aborting a task.
<Sysname> system-view
[Sysname] user-interface console 0
[Sysname-ui-console0] escape-key a
# Verify the configuration:
1. Use the ping command to check the reachability of the device with the IP address of 192.168.1.49 and use the -c argument to specify the number of ICMP echo packets to be sent as 20.
<Sysname> ping -c 20 192.168.1.49
PING 192.168.1.49: 56 data bytes, press a to break
Reply from 192.168.1.49: bytes=56 Sequence=1 ttl=255 time=3 ms
Reply from 192.168.1.49: bytes=56 Sequence=2 ttl=255 time=3 ms
2. Enter a. The task terminates immediately and the system returns to system view.
--- 192.168.1.49 ping statistics ---
2 packet(s) transmitted
2 packet(s) received
0.00% packet loss
round-trip min/avg/max = 3/3/3 ms
<Sysname>
flow-control
Syntax
flow-control { hardware | none | software }
undo flow-control
View
User interface view
Default level
2: System level
Parameters
hardware: Performs hardware flow control.
none: Performs no flow control.
software: Performs software flow control.
Description
Use flow-control to configure flow control mode.
Use undo flow-control to restore the default.
By default, no flow control is performed.
A flow control mode takes effect on both inbound and outbound directions. In inbound flow control, the local device listens to the remote device for flow control information while in the outbound flow control, the local device sends flow control information to the remote device.
Two ends must be configured with the same flow control mode.
The device does support hardware and software flow control.
The command is only applicable to asynchronous serial interfaces (including AUX and console ports).
Examples
# Configure software flow control in the inbound and outbound directions for port console 0.
<Sysname> system-view
[Sysname] user-interface console 0
[Sysname-ui-console0] flow-control software
free user-interface
Syntax
free user-interface { num1 | { aux | console | vty } num2 }
View
User view
Default level
3: Manage level
Parameters
num1: Absolute number of a user interface.
aux: Specifies an AUX user interface.
console: Specifies a console user interface.
vty: Specifies a VTY user interface.
num2: Relative number of a user interface, 0 or 1 for an AUX or console user interface and 0 to 15 for a VTY user interface.
Description
Use free user-interface to release the connection established on the specified user interface.
This command cannot release the connection that you are using.
Examples
# Release the connection to user interface VTY 1:
1. Display which user interfaces are being used on the switch.
<Sysname> display users
The user application information of the user interface(s):
Idx UI Delay Type Userlevel
+ 82 VTY 0 00:00:00 TEL 3
83 VTY 1 00:00:03 TEL 3
Following are more details.
VTY 0 :
Location: 192.168.1.26
VTY 1 :
Location: 192.168.1.20
+ : Current operation user.
F : Current operation user work in async mode.
2. To prevent the user on VTY 1 from operating the switch, release the connection to VTY 1.
<Sysname> free user-interface vty 1
Are you sure to free user-interface vty1? [Y/N]:y
free web-users
Syntax
free web-users { all | user-id user-id | user-name user-name }
View
User view
Default level
2: System level
Parameters
all: Specifies all Web users.
user-id: Web user ID, a hexadecimal number of eight digits.
user-name: Web user name, a string of 1 to 80 characters.
Description
Use free web-users to log out Web users.
Related commands: display web users.
Examples
# Log out all Web users.
<Sysname> free web-users all
history-command max-size
Syntax
history-command max-size size-value
undo history-command max-size
View
User interface view
Default level
2: System level
Parameters
size-value: Specifies the number of history commands that the buffer can store. The value range is 0 to 256.
Description
Use history-command max-size to set the size of history command buffer of the current user interface.
Use undo history-command max-size to restore the default.
By default, the buffer saves 10 history commands.
The history command buffer saves validated history commands individually per user interface and buffers for different user interfaces do not affect each other. To display the commands that are stored in the history buffer, use the display history-command command. To view the recently executed commands, press the upper arrow key or lower arrow key. For more information about the display history-command command, see "CLI configuration commands."
After you terminate the current session, the system automatically removes the commands saved in the related history buffer.
Examples
# Set the buffer to store 20 history commands at most.
<Sysname> system-view
[Sysname] user-interface console 0
[Sysname-ui-console0] history-command max-size 20
idle-timeout
Syntax
idle-timeout minutes [ seconds ]
undo idle-timeout
View
User interface view
Default level
2: System level
Parameters
minutes: Specifies timeout time in minutes, in the range of 0 to 35791. The default is 10 minutes.
seconds: Specifies timeout time in seconds, in the range of 0 to 59. The default is 0 seconds.
Description
Use idle-timeout to set the idle-timeout timer. When it expires, user sessions are terminated.
Use undo idle-timeout to restore the default.
The default idle-timeout is 10 minutes.
The system automatically terminates the user's connection if no information is exchanged between the device and the user within the timeout period.
Setting idle-timeout to zero disables the timer. In this case, connections are maintained unless you terminate them.
Examples
# Set the idle-timeout timer to 1 minute and 30 seconds.
<Sysname> system-view
[Sysname] user-interface console 0
[Sysname-ui-console0] idle-timeout 1 30
ip alias
Syntax
ip alias ip-address port-number
undo ip alias ip-address
View
System view
Default level
2: System level
Parameters
ip-address: IP address associated with the Telnet redirect listening port. The IP address cannot be an interface's address on the switch, but can be in the same subnet as an interface's address.
port-number: Specifies the Telnet redirect listening port in the range of 2000 to 50000.
Description
Use ip alias to associate a Telnet redirect listening port with an IP address.
Use undo ip alias to restore the default.
By default, a Telnet redirect listening port is not associated with any IP address.
For example, a user is connected to device A, and device A is connected to device B through its serial port. If the redirect enable and redirect listen-port port-number commands are configured on device A, the user can log in to device B by Telnetting to the IP address of device A and the specified port number. If you associate device A's IP address with the specified port number with the ip alias ip-address port-number command, the user can log in to device B by only Telnetting to the IP address of device A.
Examples
# Associate the Telnet redirect listening port 2000 with the IP address 1.1.1.1.
<Sysname> system-view
[Sysname] ip alias 1.1.1.1 2000
ip http acl
Syntax
ip http acl acl-number
undo ip http acl
View
System view
Default level
2: System level
Parameters
acl-number: ACL number. A basic IPv4 ACL is in the range of 2000 to 2999.
Description
Use ip http acl to associate the HTTP service with an ACL.
Use undo ip http acl to remove the association.
By default, the HTTP service is not associated with any ACL.
After the HTTP service is associated with an ACL, only the clients permitted by the ACL can access the device through HTTP.
Related commands: display ip http; acl number (ACL and QoS Command Reference).
Examples
# Associate the HTTP service with ACL 2001 to only allow the clients within the 10.10.0.0/16 network to access the device through HTTP.
<Sysname> system-view
[Sysname] acl number 2001
[Sysname-acl-basic-2001] rule permit source 10.10.0.0 0.0.255.255
[Sysname-acl-basic-2001] quit
[Sysname] ip http acl 2001
ip http enable
Syntax
ip http enable
undo ip http enable
View
System view
Default level
2: System level
Parameters
None
Description
Use ip http enable to enable the HTTP service.
Use undo ip http enable to disable the HTTP service.
By default, the HTTP service is disabled.
The device can act as the HTTP server that can be accessed only after the HTTP service is enabled.
Related commands: display ip http.
Examples
# Enable the HTTP service.
<Sysname> system-view
[Sysname] ip http enable
# Disable the HTTP service.
<Sysname> system-view
[Sysname] undo ip http enable
ip http port
Syntax
ip http port port-number
undo ip http port
View
System view
Default level
3: Manage level
Parameters
port-number: Port number of the HTTP service, in the range of 1 to 65535.
Description
Use ip http port to configure the port number of the HTTP service.
Use undo ip http port to restore the default.
By default, the port number of the HTTP service is 80.
Verify that the port number is not used by another service, because this command does not check for conflicts with configured port numbers.
Related commands: display ip http.
Examples
# Configure the port number of the HTTP service as 8080.
<Sysname> system-view
[Sysname] ip http port 8080
ip https acl
Use ip https acl to associate the HTTPS service with an ACL.
Use undo ip https acl to remove the association.
Syntax
ip https acl acl-number
undo ip https acl
Default
The HTTPS service is not associated with any ACL.
Views
System view
Default command level
3: Manage level
Parameters
acl-number: ACL number in the range of 2000 to 2999.
Usage guidelines
After the HTTPS service is associated with an ACL, only clients permitted by the ACL can access the switch.
If you execute the ip https acl command multiple times to associate the HTTPS service with multiple ACLs, the HTTPS service is only associated with the most recently specified ACL.
Examples
# Associate the HTTPS service with ACL 2001 to allow only clients within the 10.10.0.0/16 network segment to access the HTTPS server through HTTPS.
<Sysname> system-view
[Sysname] acl number 2001
[Sysname-acl-basic-2001] rule permit source 10.10.0.0 0.0.255.255
[Sysname-acl-basic-2001] quit
[Sysname] ip https acl 2001
Related commands
· display ip https
· acl number (ACL and QoS Command Reference)
ip https certificate access-control-policy
Use ip https certificate access-control-policy to associate the HTTPS service with a certificate attribute-based access control policy.
Use undo ip https certificate access-control-policy to remove the association.
Syntax
ip https certificate access-control-policy policy-name
undo ip https certificate access-control-policy
Default
The HTTPS service is not associated with any certificate attribute-based access control policy.
Views
System view
Default command level
3: Manage level
Parameters
policy-name: Name of the certificate attribute-based access control policy, a string of 1 to 16 characters.
Usage guidelines
The switch uses the associated certificate attribute-based access control policy to control client access rights.
Examples
# Associate the HTTPS server with certificate attribute-based access control policy myacl.
<Sysname> system-view
[Sysname] ip https certificate access-control-policy myacl
Related commands
· display ip https
· pki certificate access-control-policy (Security Command Reference)
ip https enable
Use ip https enable to enable the HTTPS service.
Use undo ip https enable to disable the HTTPS service.
Syntax
ip https enable
undo ip https enable
Default
The HTTPS service is disabled.
Views
System view
Default command level
3: Manage level
Usage guidelines
After the HTTPS service is enabled, the device can act as the HTTPS server and you can access and manage the switch through HTTPS.
Enabling the HTTPS service triggers an SSL handshake negotiation process:
· If a local certificate exists on the switch, the SSL negotiation succeeds and the HTTPS service starts up.
· If no local certificate exists, a certificate application process is triggered. Because the application process takes much time, the SSL negotiation often fails and the HTTPS service cannot be started. In that case, execute this command multiple times to start the HTTPS service.
Examples
# Enable the HTTPS service.
<Sysname> system-view
[Sysname] ip https enable
ip https port
Use ip https port to set the HTTPS service port number.
Use undo ip https port to restore the default.
Syntax
ip https port port-number
undo ip https port
Default
The HTTPS service port number is 443.
Views
System view
Default command level
3: Manage level
Parameters
port-number: HTTPS service port number in the range of 1 to 65535.
Usage guidelines
Make sure the port number is not used by any other service. This command does not check for port number conflicts.
Examples
# Set the HTTPS service port number to 6000.
<Sysname> system-view
[Sysname] ip https port 6000
Related commands
display ip https
ip https ssl-server-policy
Use ip https ssl-server-policy to associate the HTTPS service with an SSL server policy.
Use undo ip https ssl-server-policy to remove the association.
Syntax
ip https ssl-server-policy policy-name
undo ip https ssl-server-policy
Default
The HTTPS service is not associated with any SSL server policy, and the device uses a self-signed certificate for authentication. (A self-signed certificate is generated and signed by the device itself, rather than the CA.)
Views
System view
Default command level
3: Manage level
Parameters
policy-name: SSL server policy name, a string of 1 to 16 characters.
Usage guidelines
If you disable the HTTPS service, the system automatically de-associates the HTTPS service from the SSL server policy. Before re-enabling the HTTPS service, re-associate the HTTPS service with an SSL server policy.
If the HTTPS service has been enabled, any changes to the SSL server policy associated with it do not take effect.
Examples
# Associate the HTTPS service with SSL server policy myssl.
<Sysname> system-view
[Sysname] ip https ssl-server-policy myssl
Related commands
· display ip https
· ssl server-policy (Security Command Reference)
lock
Syntax
lock
View
User view
Default level
3: Manage level
Parameters
None
Description
Use lock to lock the user interface by password protection. This method prevents unauthorized users from using the user interface.
This command is supported only in non-FIPS mode.
When you enter the lock command, you are asked to enter a password (up to 16 characters) and then confirm it by entering the password again. The password is set only if both entries are the same. After the user interface is locked, you must press Enter and enter the correct password the next time you enter this user interface.
By default, this function is disabled.
Examples
# Lock the current user interface.
<Sysname> lock
Please input password<1 to 16> to lock current user terminal interface:
Password:
Again:
locked !
Password:
parity
Syntax
parity { even | mark | none | odd | space }
undo parity
View
User interface view
Default level
2: System level
Parameters
even: Performs an even parity check.
mark: Performs a mark parity check.
none: Performs no parity check.
odd: Performs an odd parity check.
space: Performs a space parity check.
Description
Use parity to set a parity check method.
Use undo parity to restore the default.
By default, no parity check is performed.
The command is only applicable to asynchronous serial interfaces (including AUX and console ports).
The parity check settings must be identical for the user interfaces of the connecting ports on the redirect device and the target terminal device for communication.
Examples
# Configure the AUX port to perform odd parity check.
<Sysname> system-view
[Sysname] user-interface aux 0
[Sysname-ui-aux0] parity odd
protocol inbound
Syntax
In non-FIPS mode:
protocol inbound { all | ssh | telnet }
undo protocol inbound
In FIPS mode:
protocol inbound { all | ssh }
undo protocol inbound
View
VTY interface view
Default level
3: Manage level
Parameters
all: Supports both Telnet and SSH. Telnet is not included in FIPS mode.
ssh: Supports SSH only.
telnet: Supports Telnet only. This keyword is not supported in FIPS mode.
Description
Use protocol inbound to enable the current user interface to support either Telnet or SSH, or both of them.
Use undo protocol inbound to restore the default.
By default, all the three protocols are supported.
The configuration takes effect next time you log in.
Before configuring a user interface to support SSH, set the authentication mode to scheme for users logging in through the user interface; otherwise, the protocol inbound ssh command fails. For more information, see authentication-mode.
By default, the authentication mode of the Telnet protocol is password.
Examples
# Enable the VTYs 0 through 15 to support SSH only.
<Sysname> system-view
[Sysname] user-interface vty 0 15
[Sysname-ui-vty0-15] authentication-mode scheme
[Sysname-ui-vty0-15] protocol inbound ssh
screen-length
Syntax
screen-length screen-length
undo screen-length
View
User interface view
Default level
2: System level
Parameters
screen-length: Number of lines on a screen, in the range of 0 to 512. The value of 0 disables pausing between screens of output.
Description
Use screen-length to set the maximum number of lines on a screen.
Use undo screen-length to restore the default.
By default, a screen displays 24 lines at most.
When screen output pauses, press the Space key to display the next screen. Not all display terminals support this command setting. For example, assume that you set screen-length to 40, but the terminal screen can display 24 lines at most. When you press Space, the device sends 40 lines to the terminal display, but the next screen displays only lines 18 through 40. To view the first 17 lines, you must press Page Up or Page Down.
To disable pausing between screens of output for the current session, use the screen-length disable command.
Examples
# Set the user interface of console port 0 to display up to 30 lines on a screen.
<Sysname> system-view
[Sysname] user-interface console 0
[Sysname-ui-console0] screen-length 30
send
Syntax
send { all | num1 | { aux | console | vty } num2 }
View
User view
Default level
1: Monitor level
Parameters
all: Sends messages to all user interfaces.
num1: Absolute number of a user interface.
aux: Sends messages to an AUX user interface.
console: Sends messages to a console user interface.
vty: Sends messages to a VTY user interface.
num2: Relative number of a user interface, 0 or 1 for an AUX or console user interface and 0 to 15 for a VTY user interface.
Description
Use send to send messages to the specified user interfaces.
To end message input, press Ctrl+Z. To cancel message input and exit to user view, press Ctrl+C.
Examples
# Send message hello abc to the console user interface.
<Sysname> send console 0
Enter message, end with CTRL+Z or Enter; abort with CTRL+C:
hello abc^Z
Send message? [Y/N]:y
<Sysname>
***
***
***Message from con0 to con0
***
hello abc
<Sysname>
# Before you restart the device, inform the user on user interface VTY 1 so the user can prepare for the reboot.
<Sysname> send vty 1
Enter message, end with CTRL+Z or Enter; abort with CTRL+C:
Note please, I will reboot the system!^Z
Send message? [Y/N]:y
<Sysname>
The message should appear on the screen of the user's configuration terminal. The following example assumes that the user was executing the interface GigabitEthernet command when the message arrived:
[Sysname] interface Giga
***
***
***Message from vty0 to vty1
***
Note please, I will reboot the system!
set authentication password
Syntax
set authentication password [ hash ] { cipher | simple } password
undo set authentication password
View
User interface view
Default level
3: Manage level
Parameters
hash: Enables hash-based encryption.
{ cipher | simple } password: Specifies a case-sensitive password string. The password length and form requirements vary with the keyword combinations (see Table 7).
Table 7 Password length and form requirements for the password argument
Keyword combination | Password string form | Length (in characters) |
---|---|---|
simple | Plain text | 1 to 16 |
hash simple | Plain text | 1 to 16 |
cipher | Plain text, ciphertext | Plain text: 1 to 16; Ciphertext: 1 to 53 |
hash cipher | Ciphertext (hashed form) | 1 to 110 |
Description
Use set authentication password to set a local authentication password.
Use undo set authentication password to remove the local authentication password.
By default, no local authentication password is set.
This command is supported only in non-FIPS mode.
For security purposes, all passwords, including passwords configured in plain text, are saved in cipher text.
Store the plaintext forms of the local authentication password in a safe place. If a user interface is password protected, you must provide the password in plain text when logging in to the user interface.
Related commands: authentication-mode.
Examples
# Set the local authentication password for user interface console 0 to hello.
<Sysname> system-view
[Sysname] user-interface console 0
[Sysname-ui-console0] authentication-mode password
[Sysname-ui-console0] set authentication password simple hello
shell
Syntax
shell
undo shell
View
User interface view
Default level
3: Manage level
Parameters
None
Description
Use shell to enable terminal services on the user interface.
Use undo shell to disable terminal services.
You cannot disable the terminal services on the user interface where you are logged in.
The undo shell command is not supported by the console port.
By default, terminal services are enabled on all user interfaces.
Examples
# Disable terminal services on VTYs 0 through 4, which means you cannot log in to the switch from VTYs 0 through 4.
<Sysname> system-view
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] undo shell
% Disable ui-vty0-4 , are you sure? [Y/N]:y
[Sysname-ui-vty0-4]
The following message appears when a terminal tries to Telnet to the device:
The connection was closed by the remote host!
speed (user interface view)
Syntax
speed speed-value
undo speed
View
User interface view
Default level
2: System level
Parameters
speed-value: Transmission rate in bps.
Description
Use speed to set the transmission rate on the user interface.
Use undo speed to restore the default transmission rate.
By default, the transmission rate is 9600 bps.
The command is only applicable to asynchronous serial interfaces (including AUX and console ports).
The transmission rate settings must be identical for the user interfaces of the connecting ports on the redirect device and the target terminal device for communication.
Examples
# Set the transmission rate on the user interface AUX 0 to 19200 bps.
<Sysname> system-view
[Sysname] user-interface aux 0
[Sysname-ui-aux0] speed 19200
stopbits
Syntax
stopbits { 1 | 1.5 | 2 }
undo stopbits
View
User interface view
Default level
2: System level
Parameters
1: One stop bit.
1.5: One and a half stop bits.
2: Two stop bits.
Description
Use stopbits to set the number of stop bits transmitted per byte.
Use undo stopbits to restore the default.
By default, one stop bit is used.
The command is only applicable to asynchronous serial interfaces (including AUX and console ports).
The device does not support stop bits 1.5.
The stop bits settings must be identical for the user interfaces of the connecting ports on the redirect device and the target device for communication.
Examples
# Set the stop bits on the user interface AUX 0 to 1.
<Sysname> system-view
[Sysname] user-interface aux 0
[Sysname-ui-aux0] stopbits 1
telnet
Syntax
telnet remote-host [ service-port ] [ vpn-instance vpn-instance-name ] [ source { interface interface-type interface-number | ip ip-address } ]
View
User view
Default level
0: Visit level
Parameters
remote-host: IPv4 address or host name of the remote host. The host name is a case-insensitive string of 1 to 20 characters.
service-port: TCP port number for the remote Telnet server, in the range of 0 to 65535. The default is 23.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN that the remote system belongs to, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the remote system is on the public network, do not specify this option.
source: Specifies the source interface or source IPv4 address of Telnet packets.
interface interface-type interface-number: Specifies the source interface. The source IPv4 address of the Telnet packets sent is the IPv4 address of the specified source interface. interface-type interface-number represents the interface type and number.
ip ip-address: Specifies the source IPv4 address of Telnet packets.
Description
Use telnet to Telnet to a remote host. To stop the current Telnet login, press Ctrl+K or use the quit command.
The source IPv4 address or source interface specified by this command is applicable to the current Telnet connection only.
Examples
# Telnet to the remote host with the IP address 1.1.1.2, and specify the source IP address of Telnet packets as 1.1.1.1.
<Sysname> telnet 1.1.1.2 source ip 1.1.1.1
telnet client source
Syntax
telnet client source { interface interface-type interface-number | ip ip-address }
undo telnet client source
View
System view
Default level
2: System level
Parameters
interface interface-type interface-number: Specifies the source interface. The source IPv4 address of the Telnet packets sent is the IPv4 address of the specified interface. interface-type interface-number represents the interface type and number.
ip ip-address: Specifies the source IPv4 address of Telnet packets.
Description
Use telnet client source to specify the source IPv4 address or source interface for sending Telnet packets when the device serves as the Telnet client.
Use undo telnet client source to remove the configuration.
By default, no source IPv4 address or source interface is specified for Telnet packets, and the system uses the IPv4 address of the interface determined by the matched route as the source IPv4 address of Telnet packets.
The source IPv4 address or source interface specified by this command is applicable to all Telnet connections.
If you use both this command and the telnet command to specify the source IPv4 address or source interface, the source IPv4 address or interface specified by the telnet command takes effect.
Related commands: display telnet client configuration.
telnet ipv6
Syntax
telnet ipv6 remote-host [ -i interface-type interface-number ] [ port-number ] [ vpn-instance vpn-instance-name ]
View
User view
Default level
0: Visit level
Parameters
remote-host: IP address or host name of the remote host. The host name is a case-insensitive string of 1 to 46 characters.
-i interface-type interface-number: Specifies the outbound interface for sending Telnet packets, where interface-type interface-number represents the interface type and number. You must provide the -i interface-type interface-number argument if the destination address is a link-local address.
port-number: TCP port number of the remote Telnet server, in the range of 0 to 65535. The default is 23.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN that the remote system belongs to, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the remote system is on the public network, do not specify this option.
Description
Use telnet ipv6 to Telnet to a remote IPv6 host. To stop the current Telnet login, press Ctrl+K or use the quit command.
Examples
# Telnet to the remote host with the IPv6 address 2000::1.
<Sysname> telnet ipv6 2000::1
telnet server enable
Syntax
telnet server enable
undo telnet server enable
View
System view
Default level
3: Manage level
Parameters
None
Description
Use telnet server enable to enable the Telnet server.
Use undo telnet server enable to disable the Telnet server.
The Telnet server is disabled by default.
Examples
# Enable the Telnet server.
<Sysname> system-view
[Sysname] telnet server enable
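The settings described for idle-timeout, ip http acl, ip https acl, ip https ssl-server-policy, protocol inbound, acl (user interface view) and telnet server enable can be checked together against a saved configuration. The following Python audit is an added example, not H3C code; it assumes the configuration lists the commands as they are typed on this page, with user-interface sub-commands indented under their user-interface line, and the sample configuration is constructed.

```python
import re

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
#
 telnet server enable
#
 ip http enable
 ip https enable
 ip https acl 2001
#
acl number 2001
 rule permit source 10.10.0.0 0.0.255.255
#
user-interface console 0
 idle-timeout 0 0
user-interface vty 0 4
 authentication-mode scheme
 protocol inbound ssh
 idle-timeout 5 0
user-interface vty 5 15
 acl 2001 inbound
#
"""


def parse(config):
    """Split a configuration into global commands and per-user-interface commands."""
    global_cmds, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None                      # a separator closes the open view
        elif line.startswith("user-interface "):
            current = line[len("user-interface "):]
            interfaces[current] = []
        elif current is not None and raw[:1].isspace():
            interfaces[current].append(line)    # indented: belongs to the open view
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, interfaces


def audit(config):
    """Return findings for login-management settings documented on this page."""
    global_cmds, interfaces = parse(config)
    findings = []

    # HTTP/HTTPS: without an associated ACL, any client can reach the service.
    for svc in ("http", "https"):
        enabled = f"ip {svc} enable" in global_cmds
        has_acl = any(c.startswith(f"ip {svc} acl ") for c in global_cmds)
        if enabled and not has_acl:
            findings.append(f"{svc.upper()} service enabled without 'ip {svc} acl'")

    # HTTPS without an SSL server policy falls back to a self-signed certificate.
    if "ip https enable" in global_cmds and not any(
            c.startswith("ip https ssl-server-policy ") for c in global_cmds):
        findings.append("HTTPS service uses the default self-signed certificate")

    telnet_on = "telnet server enable" in global_cmds   # disabled by default
    for name, cmds in interfaces.items():
        # idle-timeout of zero disables the timer, so sessions never expire.
        for cmd in cmds:
            m = re.fullmatch(r"idle-timeout (\d+)(?: (\d+))?", cmd)
            if m and int(m.group(1)) == 0 and int(m.group(2) or 0) == 0:
                findings.append(f"{name}: idle-timeout disabled")
        if not name.startswith("vty"):
            continue
        # With no 'protocol inbound' line the default applies, which includes Telnet.
        proto = next((c.split()[2] for c in cmds
                      if c.startswith("protocol inbound ")), "all")
        if telnet_on and proto in ("all", "telnet"):
            findings.append(f"{name}: accepts Telnet (protocol inbound {proto})")
        # By default, access to a VTY user interface is not restricted by any ACL.
        if not any(re.fullmatch(r"acl (ipv6 )?\d+ inbound", c) for c in cmds):
            findings.append(f"{name}: no inbound ACL")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```
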
terminal type
Syntax
terminal type { ansi | vt100 }
undo terminal type
View
User interface view
Default level
2: System level
Parameters
ansi: Specifies the terminal display type as ANSI.
vt100: Specifies the terminal display type as VT100.
Description
Use terminal type to configure the type of terminal display under the current user interface.
Use undo terminal type to restore the default.
By default, the terminal display type is ANSI.
The device supports two terminal display types: ANSI and VT100. H3C recommends that you set the display type to VT100 on both the device and the configuration terminal. If either side uses the ANSI type, a display problem such as cursor positioning error might occur when a command line has more than 80 characters.
Examples
# Set the terminal display type to VT100.
<Sysname> system-view
[Sysname] user-interface vty 0
[Sysname-ui-vty0] terminal type vt100
user privilege level
Syntax
user privilege level level
undo user privilege level
View
User interface view
Default level
3: Manage level
Parameters
level: Specifies a command level in the range of 0 to 3.
Description
Use user privilege level to configure the command level for login users on the current user interface.
Use undo user privilege level to restore the default.
By default, the default command level is 3 for the console and AUX user interfaces and 0 for the other user interfaces.
This command is supported only in non-FIPS mode.
Command levels include visit, monitor, system, and manage, represented by the numbers 0, 1, 2, and 3 respectively. You can change the command level of a user when necessary.
Examples
# Set the command level for the user logging in from VTY 0 to 0.
<Sysname> system-view
[Sysname] user-interface vty 0
[Sysname-ui-vty0] user privilege level 0
After you Telnet to the device from VTY 0, the terminal only displays commands of level 0 in the help information:
<Sysname> ?
User view commands:
display Display current system information
ping Ping function
quit Exit from current command view
ssh2 Establish a secure shell client connection
super Set the current user priority level
telnet Establish one TELNET connection
tracert Trace route function
user-interface
Syntax
user-interface { first-num1 [ last-num1 ] | { aux | console | vty } first-num2 [ last-num2 ] }
View
System view
Default level
2: System level
Parameters
first-num1: Absolute number of the first user interface.
last-num1: Absolute number of the last user interface. The value typically starts from 0 and cannot be smaller than the first-num1.
aux: Specifies an AUX user interface.
console: Specifies a console user interface.
vty: Specifies a VTY user interface.
first-num2: Relative number of the first user interface, 0 or 1 for an AUX or console user interface and 0 to 15 for a VTY user interface.
last-num2: Relative number of the last user interface. For VTY user interfaces, the value range is (first-num2+1) to 15.
Description
Use user-interface to enter a single or multiple user interface views.
In a single user interface view, the configuration takes effect in the user view only.
In multiple user interface views, the configuration takes effect in these user views.
Examples
# Enter console user interface view.
<Sysname> system-view
[Sysname] user-interface console 0
[Sysname-ui-console0]
# Enter the user interface view of VTY 0 to 4.
<Sysname> system-view
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4]
web captcha
Syntax
web captcha verification-code
undo web captcha
View
User view
Default level
3: Manage level
Parameters
verification-code: Fixed verification code for Web login, a case-sensitive 4-character string.
Description
Use web captcha to specify a fixed verification code for Web login.
Use undo web captcha to restore the default.
By default, a Web user must enter the verification code indicated on the login page to log in.
After you configure a fixed verification code for Web login, a Web user can log in with that code regardless of the verification code displayed on the login page. This feature is intended for test environments where a script is usually used for Web function tests. Because it removes the need to enter the displayed verification code every time, it improves test efficiency.
For Web access security, do not use this feature in production environments.
This command is not saved to the configuration file and cannot survive a reboot.
Examples
# Specify a fixed verification code for Web login.
<Sysname> web captcha test
web https-authorization mode
Use web https-authorization mode to set the HTTPS user authentication mode.
Use undo web https-authorization mode to restore the default.
Syntax
web https-authorization mode { auto | manual }
undo web https-authorization mode
Default
The HTTPS user authentication mode is manual.
Views
System view
Default command level
2: System level
Parameters
auto: Uses the PKI certificates of HTTPS clients to authenticate them.
manual: Provides a login page for HTTPS users to enter the correct username and password.
Usage guidelines
In manual mode, a user must enter the correct username and password to log in through HTTPS.
In auto mode, the switch first checks the certificate of the client:
· If the certificate is correct and not expired, the CN field in the certificate is used as the username to perform AAA authentication. If the authentication succeeds, the Web interface of the device appears on the user's terminal.
· If the certificate is correct and not expired, but the AAA authentication fails, the device shows the Web login page and the user must enter the correct username and password to log in.
· If the certificate is incorrect or expired, the HTTPS connection is terminated.
Examples
# Set the HTTPS user authentication mode to auto.
<Sysname> system-view
[Sysname] web https-authorization mode auto