Chapter 1
Login Commands
Syntax
authentication-mode { password | scheme [ command-authorization ] | none }
View
User interface view
Parameters
none: Specifies not to authenticate users.
password: Authenticates users using the local password.
scheme: Authenticates users locally or remotely using usernames and passwords.
command-authorization: Performs command authorization on TACACS authentication server.
Description
Use the authentication-mode command to specify the authentication mode.
- If you specify the password keyword to authenticate users using the local password, remember to set the local password using the set authentication password command. Otherwise, AUX users can log in to the switch without a password, but VTY users will fail to log in. VTY users must enter the correct authentication password to log in to the switch.
- If you specify the scheme keyword to authenticate users locally or remotely using usernames and passwords, the actual authentication mode (local or remote) depends on the related AAA scheme configuration of the domain.
- If this command is executed with the command-authorization keyword specified, authorization is performed on the TACACS server whenever you attempt to execute a command, and the command can be executed only when you pass the authorization. Normally, a TACACS server contains a list of the commands available to different users.
By default, the authentication mode is none for AUX users and password for VTY users.
Caution:
For a VTY user interface, to specify the none keyword or password keyword for login users, make sure that SSH is not enabled in the user interface. Otherwise, the configuration fails. Refer to the protocol inbound command for related configuration.
To improve security and prevent attacks on unused sockets, TCP 23 and TCP 22 (the ports for the Telnet and SSH services respectively) will be enabled or disabled after the corresponding configurations.
- If the authentication mode is none, TCP 23 will be enabled, and TCP 22 will be disabled.
- If the authentication mode is password, and the corresponding password has been set, TCP 23 will be enabled, and TCP 22 will be disabled.
- If the authentication mode is scheme, there are three scenarios: when the supported protocol is specified as telnet, TCP 23 will be enabled; when the supported protocol is specified as SSH, TCP 22 will be enabled; when the supported protocol is specified as all, both TCP 23 and TCP 22 will be enabled.
Examples
- Example of the password authentication mode configuration
# Configure to authenticate users using the local password on the console port, and set the authentication password to aabbcc in plain text.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface aux 0
[Sysname-ui-aux0] authentication-mode password
[Sysname-ui-aux0] set authentication password simple aabbcc
After the configuration, when a user logs in to the switch through the console port, the user must enter the correct password.
- Example of the scheme authentication mode configuration
# Configure the authentication mode as scheme for VTY users logging in through Telnet.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface vty 0
[Sysname-ui-vty0] authentication-mode scheme
[Sysname-ui-vty0] quit
# Specify domain system as the default domain, and set the scheme authentication mode to local for the domain.
[Sysname] domain default enable system
[Sysname] domain system
[Sysname-isp-system] scheme local
[Sysname-isp-system] quit
# Configure the local authentication username and password.
[Sysname] local-user guest
[Sysname-luser-guest] password simple 123456
[Sysname-luser-guest] service-type telnet level 2
After the configuration, when a user logs in to the switch through VTY0, the user must enter the configured username and password.
Syntax
auto-execute command text
undo auto-execute command
View
VTY user interface view
Parameters
text: Command to be executed automatically.
Description
Use the auto-execute command command to set the command that is executed automatically after a user logs in.
Use the undo auto-execute command command to disable the specified command from being automatically executed.
By default, no command is configured to be executed automatically after a user logs in.
Normally, the telnet command is specified to be executed automatically to enable the user to Telnet to a specific network device automatically.
Caution:
- The auto-execute command command may leave you unable to perform common configuration in the user interface, so use it with caution.
- Before you execute the auto-execute command command and save your configuration, make sure you can log in to the switch in other modes and cancel the configuration.
Examples
# Configure the telnet 10.110.100.1 command to be executed automatically after users log in to VTY 0.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface vty 0
[Sysname-ui-vty0] auto-execute command telnet 10.110.100.1
% This action will lead to configuration failure through ui-vty0. Are you sure?[Y/N]y
After the above configuration, when a user logs onto the device through VTY 0, the device automatically executes the configured command and logs off the current user.
1.1.3 copyright-info enable
Syntax
copyright-info enable
undo copyright-info enable
View
System view
Parameters
None
Description
Use the copyright-info enable command to enable the display of copyright information.
Use the undo copyright-info enable command to disable the display of copyright information.
By default, the display of copyright information is enabled. That is, the copyright information is displayed after a user logs into a switch successfully.
Note that these two commands apply to users logging in through the console port and by means of Telnet.
Examples
# Disable copyright information displaying.
**************************************************************************
* Copyright (c) 2004-2008 Hangzhou H3C Tech. Co., Ltd. All rights reserved.*
* Without the owner's prior written consent,                               *
* no decompiling or reverse-engineering shall be allowed.                  *
**************************************************************************
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] undo copyright-info enable
# After the above configuration, no copyright information is displayed after a user logs in, as shown below.
<Sysname>
Syntax
databits { 7 | 8 }
undo databits
View
AUX user interface view
Parameters
7: Sets the databits to 7.
8: Sets the databits to 8.
Description
Use the databits command to set the databits for the user interface.
Use the undo databits command to revert to the default databits.
The default databits is 8.
Examples
# Set the databits to 7.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface aux 0
[Sysname-ui-aux0] databits 7
Syntax
display user-interface [ type number | number ] [ summary ]
View
Any view
Parameters
type: User interface type, which can be AUX (for AUX user interface) and VTY (for VTY user interface).
number: User interface index. A user interface index can be relative or absolute.
- In relative user interface number scheme, the type argument is required. In this case, AUX user interfaces are numbered from AUX0 through AUX7; VTY user interfaces are numbered from VTY0 through VTY4.
- In absolute user interface number scheme, the type argument is not required. In this case, user interfaces are numbered from 0 to 12.
summary: Displays the summary information about a user interface.
Description
Use the display user-interface command to display the information about a specified user interface or all user interfaces. If the summary keyword is not specified, this command displays user interface type, absolute/relative user interface index, transmission speed, available command level, authentication mode, and physical position. If the summary keyword is specified, this command displays the number and type of the user interfaces, including those that are in use and those that are not in use.
Examples
# Display the information about user interface 0.
<Sysname> display user-interface 0
  Idx  Type     Tx/Rx      Modem Privi Auth  Int   Super
F 0    AUX 0    9600       -     3     N     -     S

  +    : Current user-interface is active.
  F    : Current user-interface is active and work in async mode.
  Idx  : Absolute index of user-interface.
  Type : Type and relative index of user-interface.
  Privi: The privilege of user-interface.
  Auth : The authentication mode of user-interface.
  Int  : The physical location of UIs.
  Super: The Super authentication mode of UIs.
  A    : Authentication use AAA.
  N    : Current UI need not authentication.
  P    : Authentication use current UI's password.
  S    : Authentication use super password.
Table 1-1 Descriptions on the fields of the display user-interface command
| Field | Description |
|---|---|
| + | The user interface is in use. |
| F | The user interface operates in asynchronous mode. |
| Idx | The absolute index of the user interface |
| Type | User interface type and the relative index |
| Tx/Rx | Transmission speed of the user interface |
| Modem | Indicates whether or not a modem is used. |
| Privi | Available command level |
| Auth | Authentication mode |
| Int | Physical position of the user interface |
| Super | The authentication mode used for a user to switch from the current lower user level to a higher level, including S, A, SA and AS. S: Super password authentication. A: HWTACACS authentication. SA: Super password authentication is preferred, with HWTACACS authentication being a backup. AS: HWTACACS authentication is preferred, with super password authentication being a backup. For details about the four authentication modes, refer to the CLI part of the manual. |
| A | The current user authentication mode is scheme. |
| N | The current user authentication mode is none. |
| P | The current user authentication mode is password. |
| S | Super password authentication |
# Display the summary information about the user interface.
<Sysname> display user-interface summary
User interface type : [AUX]
0:UXXX XXXX
User interface type : [VTY]
8:UUUU X
5 character mode users. (U)
8 UI never used. (X)
5 total UI in use
Table 1-2 Description on the fields of the display user-interface summary command
| Field | Description |
|---|---|
| User interface type | User interface type: AUX or VTY |
| 0:UXXX XXXX/8:UUUU X | 0 and 8 represent the least absolute number for AUX user interfaces and VTY user interfaces. “U” and “X” indicate the usage state of an interface: U indicates that the corresponding user interface is used; X indicates that the corresponding user interface is idle. The total number of Us and Xs is the total number of user interfaces that are available. |
| character mode users. (U) | The number of current users, that is, the number of Us |
| UI never used. (X) | The number of user interfaces not being used currently, that is, the number of Xs |
| total UI in use. | The total number of user interfaces being used currently, that is, the total number of users currently logging in to the switch successfully |
Syntax
display users [ all ]
View
Any view
Parameters
all: Displays the user information about all user interfaces.
Description
Use the display users command to display the user information about user interfaces.
If you do not specify the all keyword, only the user information about the current user interface is displayed.
Examples
# Display the user information about the current user interface.
<Sysname> display users
     UI       Delay     Type  Ipaddress        Username  Userlevel
+ 8  VTY 0    00:00:00  TEL   192.168.0.208              3
+    : Current operation user.
F    : Current operation user work in async mode.
Table 1-3 Descriptions on the fields of the display users command
| Field | Description |
|---|---|
| UI | The numbers in the left sub-column are the absolute user interface indexes, and those in the right sub-column are the relative user interface indexes. |
| Delay | The period (in seconds) the user interface idles for. |
| Type | User type |
| Ipaddress | The IP address from which the user logs in. |
| Username | The login name of the user that logs into the user interface. |
| Userlevel | The level of the commands available to the users logging in to the user interface |
| F | The information is about the current user interface, and the current user interface operates in asynchronous mode. |
| + | The user interface is in use. |
Syntax
display web users
View
Any view
Parameters
None
Description
Use the display web users command to display the information about the current on-line Web users.
Examples
# Display the information about the current on-line Web users.
<Sysname> display web users
ID        Name   Language  Level       Login Time  Last Req. Time
00800003  admin  English   Management  06:16:32    06:18:35
Table 1-4 Description on the fields of the display web users command
| Field | Description |
|---|---|
| ID | ID of a Web user |
| Name | Name of a Web user |
| Language | Language a Web user uses |
| Level | Level of a Web user |
| Login Time | Time when a Web user logs in |
| Last Req. Time | Time when the latest request is made |
Syntax
free user-interface [ type ] number
View
User view
Parameters
type: User interface type, which can be AUX (for AUX user interface) and VTY (for VTY user interface).
number: User interface index. A user interface index can be relative or absolute.
- In relative user interface index scheme, the type argument is required. In this case, AUX user interfaces are numbered from AUX0 through AUX7; VTY user interfaces are numbered from VTY0 through VTY4.
- In absolute user interface index scheme, the type argument is not required. In this case, user interfaces are numbered from 0 to 12.
Description
Use the free user-interface command to free a user interface. That is, this command tears down the connection between a user and a user interface.
Note that the current user interface cannot be freed.
Examples
# Release user interface VTY 1.
<Sysname> free user-interface vty 1
Are you sure you want to free user-interface vty1 [Y/N]? y
[OK]
After you perform the above operation, the user connection on user interface VTY1 is torn down. The user in it must log in again to connect to the switch.
Syntax
header [ incoming | legal | login | shell ] text
undo header { incoming | legal | login | shell }
View
System view
Parameters
incoming: Sets the login banner for users that log in through modems. If you specify to authenticate login users, the banner appears after a user passes the authentication. (The session banner does not appear in this case.)
legal: Sets the authorization banner, which is displayed when a user enters user view.
login: Sets the login banner. The banner set by this keyword is valid only when users are authenticated before they log in to the switch and appears while the switch prompts for user name and password. If a user logs in to the switch through Web, the banner text configured will be displayed on the banner page.
shell: Sets the session banner, which appears after a session is established. If you specify to authenticate login users, the banner appears after a user passes the authentication.
text: Banner to be displayed. If no keyword is specified, this argument is the login banner. You can provide this argument in two ways. One is to enter the banner on the same line as the command (a command line can accept up to 254 characters). The other is to enter the banner on multiple lines (you can start a new line by pressing Enter), in which case the banner can contain up to 2000 characters (including invisible characters such as carriage returns). Note that the first character serves as both the beginning character and the end character of the banner. After entering the end character, you can press Enter to exit the interaction.
Description
Use the header command to set the banners that are displayed when a user logs into a switch. The login banner is displayed on the terminal when the connection is established, and the session banner is displayed on the terminal if a user successfully logs in.
Use the undo header command to disable displaying a specific banner or all banners.
By default, no banner is configured.
Note the following:
- If you specify any one of the four keywords without providing the text argument, the specified keyword will be regarded as the login information.
- The banner configured with the header incoming command is displayed after a modem user logs in successfully or after a modem user passes the authentication when authentication is required. In the latter case, the shell banner is not displayed.
- The banner configured with the header legal command is displayed when you enter the user interface. If password authentication is enabled or an authentication scheme is specified, this banner is displayed before login authentication.
- With password authentication enabled or an authentication scheme specified, the banner configured with the header login command is displayed after the banner configured with the header legal command and before login authentication.
- The banner configured with the header shell command is displayed after a non-modem user session is established.
Examples
# Configure banners.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] header login %Welcome to login!%
[Sysname] header shell %
Input banner text, and quit with the character '%'.
Welcome to shell!%
[Sysname] header incoming %
Input banner text, and quit with the character '%'.
Welcome to incoming!%
[Sysname] header legal %
Input banner text, and quit with the character '%'.
Welcome to legal!%
- The character % is the starting/ending character of text in this example. Entering % after the displayed text quits the header command.
- As the starting and ending character, % is not a part of a banner.
# Test the configuration remotely using Telnet (the login banner is displayed only when login authentication is configured).
**************************************************************************
* Copyright (c) 2004-2008 Hangzhou H3C Tech. Co., Ltd. All rights reserved.*
* Without the owner's prior written consent,                               *
* no decompiling or reverse-engineering shall be allowed.                  *
**************************************************************************
Welcome to legal!
Press Y or ENTER to continue, N to exit.
Welcome to login!
Login authentication
Password:
Welcome to shell!
<Sysname>
Syntax
history-command max-size value
undo history-command max-size
View
User interface view
Parameters
value: Size of the history command buffer, ranging from 0 to 256 (in terms of commands).
Description
Use the history-command max-size command to set the size of the history command buffer.
Use the undo history-command max-size command to revert to the default history command buffer size.
By default, the history command buffer can contain up to ten commands.
Related commands: display history-command.
Examples
# Set the size of the history command buffer of AUX 0 to 20 to enable it to store up to 20 commands.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface aux 0
[Sysname-ui-aux0] history-command max-size 20
Syntax
idle-timeout minutes [ seconds ]
undo idle-timeout
View
User interface view
Parameters
minutes: Number of minutes. This argument ranges from 0 to 35,791.
seconds: Number of seconds. This argument ranges from 0 to 59.
Description
Use the idle-timeout command to set the timeout time. The connection to a user interface is terminated if no operation is performed in the user interface within the timeout time.
Use the undo idle-timeout command to revert to the default timeout time.
You can use the idle-timeout 0 command to disable the timeout function.
The default timeout time is 10 minutes.
Examples
# Set the timeout time of AUX 0 to 1 minute.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface aux 0
[Sysname-ui-aux0] idle-timeout 1
Syntax
ip http shutdown
undo ip http shutdown
View
System view
Parameters
None
Description
Use the ip http shutdown command to shut down the WEB Server.
Use the undo ip http shutdown command to launch the WEB Server.
By default, the WEB Server is launched.
To improve security and prevent attacks on unused sockets, TCP port 80 for the HTTP service will be enabled or disabled after the corresponding configurations.
- TCP port 80 is enabled only after you use the undo ip http shutdown command to enable the Web server.
- If you use the ip http shutdown command to disable the Web server, TCP port 80 is disabled.
Caution:
After the Web file is upgraded, you need to use the boot web-package command to specify a new Web file, or specify a new Web file from the boot menu after reboot, for the Web server to operate properly. Refer to the File System Management part in this manual for information about the boot web-package command.
Examples
# Shut down the WEB Server.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] ip http shutdown
# Launch the WEB Server.
[Sysname] undo ip http shutdown
1.1.13 lock
Syntax
lock
View
User view
Parameters
None
Description
Use the lock command to lock the current user interface to prevent unauthorized operations in the user interface.
After you execute this command, the system prompts you for the password and prompts you to confirm the password. The user interface is locked only when the password entered is correct.
To unlock a user interface, press Enter and then enter the password as prompted.
Note that if you set a password containing more than 16 characters, the system matches only the first 16 characters of the password entered for unlocking the user interface. That is, the system unlocks the user interface as long as the first 16 characters of the password entered are correct.
By default, the current user interface is not locked.
Examples
# Lock the current user interface.
<Sysname> lock
Press Enter, enter a password, and then confirm it as prompted. (The password entered is not displayed).
Password:
Again:
locked !
In this case, the user interface is locked. To operate the user interface again, you need to press Enter and provide the password as prompted.
Password:
<Sysname>
Syntax
parity { even | none | odd }
undo parity
View
AUX user interface view
Parameters
even: Performs even checks.
none: Does not check.
odd: Performs odd checks.
Description
Use the parity command to set the check mode of the user interface.
Use the undo parity command to revert to the default check mode.
By default, no check is performed.
Examples
# Set to perform even checks.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface aux 0
[Sysname-ui-aux0] parity even
Syntax
protocol inbound { all | ssh | telnet }
View
VTY user interface view
Parameters
all: Supports both Telnet protocol and SSH protocol.
ssh: Supports SSH protocol.
telnet: Supports Telnet protocol.
Description
Use the protocol inbound command to specify the protocols supported by the user interface.
Both Telnet protocol and SSH protocol are supported by default.
Related commands: user-interface vty.
To improve security and prevent attacks on unused sockets, TCP 23 and TCP 22 (ports for Telnet and SSH services respectively) will be enabled or disabled after the corresponding configurations.
- If the authentication mode is none, TCP 23 will be enabled, and TCP 22 will be disabled.
- If the authentication mode is password, and the corresponding password has been set, TCP 23 will be enabled, and TCP 22 will be disabled.
- If the authentication mode is scheme, there are three scenarios: when the supported protocol is specified as telnet, TCP 23 will be enabled; when the supported protocol is specified as ssh, TCP 22 will be enabled; when the supported protocol is specified as all, both TCP 23 and TCP 22 will be enabled.
Caution:
To configure a user interface to support SSH, you need to set the authentication mode to scheme for users to log in successfully. If the authentication mode is set to password or none for login users, the protocol inbound ssh command will fail. Refer to the authentication-mode command for the related configuration.
Examples
# Configure that only SSH protocol is supported in VTY 0.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface vty 0
[Sysname-ui-vty0] protocol inbound ssh
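The port rules in the authentication-mode and protocol inbound sections, combined with this page's defaults, can be checked mechanically against a saved configuration. The Python audit below is an added example, not H3C code; the configuration layout it parses (a user-interface line followed by indented commands) and SAMPLE_CONFIG are constructed assumptions.

```python
import re

# Defaults stated on this page.
DEFAULT_AUTH = {"aux": "none", "vty": "password"}
DEFAULT_PROTOCOL = "all"   # Telnet and SSH are both supported by default
DEFAULT_IDLE = (10, 0)     # 10 minutes

# Constructed sample. Assumed layout: a "user-interface <type> <n>" line
# followed by that view's commands, each indented by one space.
SAMPLE_CONFIG = """\
user-interface aux 0
 authentication-mode password
user-interface vty 0
 authentication-mode scheme
 protocol inbound ssh
user-interface vty 1
 authentication-mode scheme
 idle-timeout 0
user-interface vty 2
 authentication-mode none
user-interface vty 3
 set authentication password simple aabbcc
"""

def parse_user_interfaces(text):
    """Return {(type, index): settings} with the page's defaults filled in."""
    uis, cur = {}, None
    for raw in text.splitlines():
        words = raw.split()
        head = re.fullmatch(r"user-interface (aux|vty) (\d+)", raw.strip())
        if head:
            kind = head.group(1)
            cur = uis.setdefault((kind, int(head.group(2))), {
                "auth": DEFAULT_AUTH[kind], "protocol": DEFAULT_PROTOCOL,
                "password_set": False, "plaintext": False, "idle": DEFAULT_IDLE})
        elif words and not raw.startswith(" "):
            cur = None  # an unindented line leaves the user interface view
        elif cur is None or not words:
            continue
        elif words[0] == "authentication-mode" and len(words) > 1:
            cur["auth"] = words[1]
        elif words[:2] == ["protocol", "inbound"] and len(words) > 2:
            cur["protocol"] = words[2]
        elif words[:3] == ["set", "authentication", "password"]:
            cur["password_set"] = True
            cur["plaintext"] = words[3:4] == ["simple"]
        elif words[0] == "idle-timeout" and len(words) > 1:
            cur["idle"] = (int(words[1]), int(words[2]) if len(words) > 2 else 0)
    return uis

def tcp_ports(ui):
    """Login ports one VTY interface turns on, per the rules on this page."""
    if ui["auth"] == "none":
        return {23}
    if ui["auth"] == "password":
        # The page gives the port rule only for "password has been set".
        return {23} if ui["password_set"] else set()
    return {"telnet": {23}, "ssh": {22}, "all": {22, 23}}.get(ui["protocol"], set())

def audit(text):
    """Return (findings, enabled_tcp_ports) for a configuration text."""
    findings, ports = [], set()
    for (kind, idx), ui in sorted(parse_user_interfaces(text).items()):
        name = f"{kind.upper()} {idx}"
        if kind == "vty":  # Telnet and SSH logins arrive on VTY interfaces
            mine = tcp_ports(ui)
            ports |= mine
            if 23 in mine:
                findings.append(f"{name}: Telnet (TCP 23) enabled")
        if ui["auth"] == "none":
            findings.append(f"{name}: no login authentication")
        elif ui["auth"] == "password" and not ui["password_set"]:
            effect = "login without password" if kind == "aux" else "logins fail"
            findings.append(f"{name}: password mode but no password set, {effect}")
        if ui["plaintext"]:
            findings.append(f"{name}: password configured with 'simple' (plain text)")
        if ui["idle"] == (0, 0):
            findings.append(f"{name}: idle timeout disabled")
    return findings, ports

if __name__ == "__main__":
    found, open_ports = audit(SAMPLE_CONFIG)
    print("\n".join(found + [f"TCP login ports enabled: {sorted(open_ports)}"]))
```

VTY 1 in the sample shows the effect of the default: scheme authentication without an explicit protocol inbound ssh still leaves TCP 23 enabled, because both protocols are supported by default.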
Syntax
screen-length screen-length
undo screen-length
View
User interface view
Parameters
screen-length: Number of lines the screen can contain. This argument ranges from 0 to 512.
Description
Use the screen-length command to set the number of lines the terminal screen can contain.
Use the undo screen-length command to revert to the default number of lines.
By default, the terminal screen can contain up to 24 lines.
You can use the screen-length 0 command to disable the function to display information in pages.
Examples
# Set the number of lines the terminal screen can contain to 20.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] user-interface aux 0
[Sysname-ui-aux0] screen-length 20
1.1.17 send
Syntax
send { all | number | type number }
View
User view
Parameters
all: Sends messages to all user interfaces.
type: User interface type, which can be AUX (for AUX user interface) and VTY (for VTY user interface).
number: User interface index. A user interface index can be relative or absolute.
- In relative user interface index scheme, the type argument is required. In this case, AUX user interfaces are numbered from AUX0 through AUX7; VTY user interfaces are numbered from VTY0 through VTY4.
- In absolute user interface index scheme, the type argument is not required. In this case, user interfaces are numbered from 0 to 12.
Description
Use the send command to send messages to a user interface or all the user interfaces.
Examples
# Send “hello” to all user interfaces.
<Sysname> send all
Enter message, end with CTRL+Z or Enter; abort with CTRL+C:
hello^Z
Send message? [Y/N]y
The current user interface will receive the following information:
<Sysname>
***
***
***Message from vty1 to vty1
***
hello
Syntax
service-type { ftp | lan-access | { ssh | telnet | terminal }* [ level level ] }
undo service-type { ftp | lan-access | { ssh | telnet | terminal }* }
View
Local user view
Parameters
ftp: Specifies the users to be of FTP type.
lan-access: Specifies the users to be of LAN-access type, which normally means Ethernet users, such as 802.1x users.
ssh: Specifies the users to be of SSH type.
telnet: Specifies the users to be of Telnet type.
terminal: Makes terminal services available to users logging in through the console port.
level level: Specifies the user level for Telnet users, Terminal users, or SSH users. The level argument ranges from 0 to 3 and defaults to 0.
Description
Use the service-type command to specify the login type and the corresponding available command level.
Use the undo service-type command to cancel login type configuration.
Commands fall into four command levels: visit, monitor, system, and manage, which are described as follows:
- Visit level: Commands at this level are used to diagnose the network and change the language mode of the user interface, such as the ping, tracert, and language-mode commands. The telnet command is also at this level. Commands at this level cannot be saved in configuration files.
- Monitor level: Commands at this level are used to maintain the system, to debug service problems, and so on. The display and debugging commands are at monitor level. Commands at this level cannot be saved in configuration files.
- System level: Commands at this level are used to configure services. Commands concerning routing and network layers are at system level. You can utilize network services by using these commands.
- Manage level: Commands at this level are for the operation of the entire system and the system supporting modules. Services are supported by these commands. Commands concerning file system, file transfer protocol (FTP), trivial file transfer protocol (TFTP), downloading using XModem, user management, and level setting are at administration level.
Refer to CLI for a detailed introduction to the command levels.
Examples
# Configure commands at level 0 are
available to the users loggi