H3C S5120-SI Series Ethernet Switches Configuration Guide-Release 1101-6W105


02-Login Configuration

Table of Contents

1 Logging In to an Ethernet Switch
  Logging In to an Ethernet Switch
  Introduction to User Interface
    Supported User Interfaces
    User Interface Number
  Common Login in to an Ethernet Switch
2 Logging In Through the Console Port
  Introduction
  Setting Up the Connection to the Console Port
  Console Port Login Configuration
    Common Configuration
    Console Port Login Configurations for Different Authentication Modes
  Console Port Login Configuration with Authentication Mode Being None
    Configuration Procedure
    Configuration Example
  Console Port Login Configuration with Authentication Mode Being Password
    Configuration Procedure
    Configuration Example
  Console Port Login Configuration with Authentication Mode Being Scheme
    Configuration Procedure
    Configuration Example
3 Logging In Through Telnet/SSH
  Introduction
  Telnet Connection Establishment
    Telnetting to a Switch from a Terminal
    Telnetting to Another Switch from the Current Switch
  Common Configuration
  Telnet Configurations for Different Authentication Modes
  Telnet Configuration with Authentication Mode Being None
    Configuration Procedure
    Configuration Example
  Telnet Configuration with Authentication Mode Being Password
    Configuration Procedure
    Configuration Example
  Telnet Configuration with Authentication Mode Being Scheme
    Configuration Procedure
    Configuration Example
  Logging In Through SSH
4 Logging in Through Web-based Network Management System
  Introduction
  Web Server Configuration
  Displaying Web Users
  Configuration Example
5 Logging In Through NMS
  Introduction
  Connection Establishment Using NMS
6 Specifying Source for Telnet Packets
  Introduction
  Specifying Source IP Address/Interface for Telnet Packets
  Displaying the Source IP Address/Interface Specified for Telnet Packets
7 Controlling Login Users
  Introduction
  Controlling Telnet Users
    Prerequisites
    Controlling Telnet Users by Source IP Addresses
    Controlling Telnet Users by Source and Destination IP Addresses
    Controlling Telnet Users by Source MAC Addresses
    Configuration Example
  Controlling Network Management Users by Source IP Addresses
    Prerequisites
    Controlling Network Management Users by Source IP Addresses
    Configuration Example
  Controlling Web Users by Source IP Addresses
    Prerequisites
    Controlling Web Users by Source IP Addresses
    Forcing Online Web Users Offline
    Configuration Example

 


When logging in to an Ethernet switch, go to these sections for information you are interested in:

- Logging In to an Ethernet Switch
- Introduction to User Interface
- Specifying Source for Telnet Packets
- Controlling Login Users

Logging In to an Ethernet Switch

You can log in to an H3C S5120-SI series Ethernet switch in one of the following ways:

- Logging In Through the Console Port
- Logging In Through Telnet/SSH
- Logging in Through Web-based Network Management System
- Logging In Through NMS

Introduction to User Interface

Supported User Interfaces

An H3C S5120-SI series Ethernet switch supports two types of user interfaces: AUX and VTY.

Table 1-1 Description on user interface

- AUX: for users logging in through the Console port; port used: Console port. Each switch can accommodate one AUX user.
- VTY: for Telnet users and SSH users; port used: Ethernet port. Each switch can accommodate up to 16 VTY users.

On an H3C series switch the AUX port and the Console port are the same physical port, so logging in through this port places you in the AUX user interface.

User Interface Number

Two kinds of user interface index exist: the absolute user interface index and the relative user interface index.

1) The absolute user interface indexes are as follows:

- AUX user interface: 0
- VTY user interfaces: numbered consecutively after the AUX user interface, in steps of 1

2) A relative user interface index is formed by appending a number to the identifier of the user interface type; numbering restarts for each type. The relative user interface indexes are as follows:

- AUX user interface: AUX 0
- VTY user interfaces: VTY 0, VTY 1, VTY 2, and so on

Common Login in to an Ethernet Switch

Follow these steps to perform common user interface configuration:

- Lock the current user interface: lock
  Optional. Execute this command in user view. A user interface is not locked by default.
- Send messages to all user interfaces or to a specified user interface: send { all | number | type number }
  Optional. Execute this command in user view.
- Disconnect a specified user interface: free user-interface [ type ] number
  Optional. Execute this command in user view.
- Enter system view: system-view
- Set the banner: header { incoming | legal | login | shell | motd } text
  Optional.
- Set a system name for the switch: sysname string
  Optional.
- Enter user interface view: user-interface [ type ] first-number [ last-number ]
- Define a shortcut key for aborting tasks: escape-key { default | character }
  Optional. The default shortcut key combination for aborting tasks is Ctrl+C.
- Set the history command buffer size: history-command max-size value
  Optional. The default history command buffer size is 10, that is, the buffer stores up to 10 commands by default.
- Set the timeout time for the user interface: idle-timeout minutes [ seconds ]
  Optional. The default timeout time of a user interface is 10 minutes: the connection to the user interface is terminated if no operation is performed in it within 10 minutes. Use the idle-timeout 0 command to disable the timeout function.
- Set the maximum number of lines the screen can contain: screen-length screen-length
  Optional. By default, the screen can contain up to 24 lines. Use the screen-length 0 command to disable displaying information in pages.
- Make terminal services available: shell
  Optional. By default, terminal services are available in all user interfaces.
- Set the display type of a terminal: terminal type { ansi | vt100 }
  Optional. By default, the terminal display type is ANSI. The device must use the same display type as the terminal: if the terminal uses VT100, the device should also use VT100.
- Display information about the current user interface or all user interfaces: display users [ all ]
  You can execute this command in any view.
- Display the physical attributes and configuration of the current or a specified user interface: display user-interface [ type number | number ] [ summary ]
  You can execute this command in any view.

 


Logging In Through the Console Port

When logging in through the Console port, go to these sections for information you are interested in:

- Introduction
- Setting Up the Connection to the Console Port
- Console Port Login Configuration
- Console Port Login Configuration with Authentication Mode Being None
- Console Port Login Configuration with Authentication Mode Being Password
- Console Port Login Configuration with Authentication Mode Being Scheme

 

The default system name of an H3C S5120-SI series Ethernet switch is H3C, that is, the command line prompt is H3C. All the following examples take H3C as the command line prompt.

 

Introduction

Logging in through the Console port is the most common way to log in to a switch, and it is the prerequisite for configuring the other login methods. By default, you can log in to an H3C S5120-SI series Ethernet switch only through its Console port.

To log in to an Ethernet switch through its Console port, the settings of the user terminal must match those of the Console port.

Table 2-1 lists the default settings of a Console port.

Table 2-1 The default settings of a Console port

- Baud rate: 9,600 bps
- Flow control: Off
- Check mode: No check bit
- Stop bits: 1
- Data bits: 8

 

After logging in to a switch, you can perform configuration for AUX users. Refer to Console Port Login Configuration for details.

Setting Up the Connection to the Console Port

- Connect the serial port of your PC/terminal to the Console port of the switch, as shown in Figure 2-1.

Figure 2-1 Diagram for setting up the connection to the Console port

- If you use a PC to connect to the Console port, launch a terminal emulation utility (such as Terminal in Windows XP/Windows 2000) and perform the configuration shown in Figure 2-2 through Figure 2-4 to create the connection. Normally, the terminal parameters are set to the values listed in Table 2-1.

Figure 2-2 Create a connection

Figure 2-3 Specify the port used to establish the connection

Figure 2-4 Set port parameters in the terminal window

- Turn on the switch. If the switch completes POST (power-on self-test) successfully, you are prompted to press the Enter key. The prompt (such as <H3C>) appears after you press Enter.

- You can then configure the switch or check information about the switch by executing commands. You can also get help by typing the ? character. Refer to the following chapters for information about the commands.

Console Port Login Configuration

Common Configuration

Table 2-2 lists the common configuration of Console port login.

Table 2-2 Common configuration of Console port login

Console port configuration:
- Baud rate: Optional. The default baud rate is 9,600 bps.
- Check mode: Optional. By default, the check mode of the Console port is set to "none", which means no check bit.
- Stop bits: Optional. The default number of stop bits of a Console port is 1.
- Data bits: Optional. The default number of data bits of a Console port is 8.
- Flow control: Optional. The default is none, which disables flow control.

AUX user interface configuration:
- Configure the command level available to users logging in to the AUX user interface: Optional. By default, commands of level 3 are available to users logging in to the AUX user interface.

Terminal configuration:
- Define a shortcut key for aborting tasks: Optional. The default shortcut key combination for aborting tasks is Ctrl+C.
- Define a shortcut key for starting terminal sessions: Optional. By default, pressing the Enter key starts the terminal session.
- Make terminal services available: Optional. By default, terminal services are available in all user interfaces.
- Set the maximum number of lines the screen can contain: Optional. By default, the screen can contain up to 24 lines.
- Set the history command buffer size: Optional. By default, the history command buffer can contain up to 10 commands.
- Set the timeout time of a user interface: Optional. The default timeout time is 10 minutes.

 

Changing the Console port configuration terminates the connection to the Console port. To establish the connection again, modify the configuration of the terminal emulation utility running on your PC accordingly. Refer to Setting Up the Connection to the Console Port for details.

 

Console Port Login Configurations for Different Authentication Modes

Table 2-3 lists Console port login configurations for different authentication modes.

Table 2-3 Console port login configurations for different authentication modes

None:
- Perform common configuration for Console port login: Optional. Refer to Common Configuration for details.

Password:
- Configure the password for local authentication: Required.
- Perform common configuration for Console port login: Optional. Refer to Common Configuration for details.

Scheme:
- Specify whether to perform local authentication or RADIUS authentication (AAA configuration): Optional. Local authentication is performed by default. Refer to AAA Configuration for details.
- Configure user names and passwords for local/remote users: Required. The user name and password of a local user are configured on the switch. The user name and password of a remote user are configured on the RADIUS server; refer to the user manual of the RADIUS server for details.
- Manage AUX users (set the service type for AUX users): Required.
- Perform common configuration for Console port login: Optional. Refer to Common Configuration for details.

 

A change to the authentication mode of Console port login does not take effect until you exit the CLI and log in again.

 

Console Port Login Configuration with Authentication Mode Being None

Configuration Procedure

Follow these steps to perform Console port login configuration (with authentication mode being none):

- Enter system view: system-view
- Enter AUX user interface view: user-interface aux 0
- Configure not to authenticate users: authentication-mode none
  Required. By default, users logging in through the Console port are not authenticated.
- Configure the Console port:
  - Set the baud rate: speed speed-value
    Optional. The default baud rate of the AUX port (also the Console port) is 9,600 bps.
  - Set the check mode: parity { even | mark | none | odd | space }
    Optional. By default, the check mode of a Console port is set to none, that is, no check bit.
  - Set the stop bits: stopbits { 1 | 1.5 | 2 }
    Optional. The default number of stop bits of a Console port is 1.
  - Set the data bits: databits { 5 | 6 | 7 | 8 }
    Optional. The default number of data bits of a Console port is 8.
- Configure the command level available to users logging in to the user interface: user privilege level level
  Optional. By default, commands of level 3 are available to users logging in to the AUX user interface.
- Define a shortcut key for starting terminal sessions: activation-key character
  Optional. By default, pressing the Enter key starts the terminal session.
- Define a shortcut key for aborting tasks: escape-key { default | character }
  Optional. The default shortcut key combination for aborting tasks is Ctrl+C.
- Make terminal services available: shell
  Optional. By default, terminal services are available in all user interfaces.
- Set the maximum number of lines the screen can contain: screen-length screen-length
  Optional. By default, the screen can contain up to 24 lines. Use the screen-length 0 command to disable displaying information in pages.
- Set the history command buffer size: history-command max-size value
  Optional. The default history command buffer size is 10, that is, the buffer stores up to 10 commands by default.
- Set the timeout time for the user interface: idle-timeout minutes [ seconds ]
  Optional. The default timeout time of a user interface is 10 minutes: the connection to the user interface is terminated if no operation is performed in it within 10 minutes. Use the idle-timeout 0 command to disable the timeout function.

 

Note that if you configure not to authenticate users, the command level available to users logging in to the switch depends on both the authentication-mode none command and the user privilege level level command, as listed in the following table.

Table 2-4 Determine the command level (A)

Authentication mode: none (authentication-mode none). User type: users logging in through the Console port.

- The user privilege level level command has not been executed: level 3
- The user privilege level level command has been executed: determined by the level argument

 

Configuration Example

Network requirements

Assume the switch is configured to allow you to log in through Telnet, and your user level is set to the administrator level (level 3). After you telnet to the switch, you need to restrict the console user in the following ways:

- The user is not authenticated when logging in through the Console port.
- Commands of level 2 are available to users logging in to the AUX user interface.
- The baud rate of the Console port is 19,200 bps.
- The screen can contain up to 30 lines.
- The history command buffer can contain up to 20 commands.
- The timeout time of the AUX user interface is 6 minutes.

Network diagram

Figure 2-5 Network diagram for AUX user interface configuration (with the authentication mode being none)

 

Configuration procedure

# Enter system view.

<Sysname> system-view

# Enter AUX user interface view.

[Sysname] user-interface aux 0

# Specify not to authenticate the user logging in through the Console port.

[Sysname-ui-aux0] authentication-mode none

# Specify commands of level 2 are available to the user logging in to the AUX user interface.

[Sysname-ui-aux0] user privilege level 2

# Set the baud rate of the Console port to 19200 bps.

[Sysname-ui-aux0] speed 19200

# Set the maximum number of lines the screen can contain to 30.

[Sysname-ui-aux0] screen-length 30

# Set the maximum number of commands the history command buffer can store to 20.

[Sysname-ui-aux0] history-command max-size 20

# Set the timeout time of the AUX user interface to 6 minutes.

[Sysname-ui-aux0] idle-timeout 6

After the above configuration, to ensure a successful login, the console user needs to change the corresponding configuration of the terminal emulation program running on the PC, to make the configuration consistent with that on the switch. Refer to Setting Up the Connection to the Console Port for details.

Console Port Login Configuration with Authentication Mode Being Password

Configuration Procedure

Follow these steps to perform Console port login configuration (with authentication mode being password):

- Enter system view: system-view
- Enter AUX user interface view: user-interface aux 0
- Configure to authenticate users using the local password: authentication-mode password
  Required. By default, users logging in through the Console port are not authenticated, while Telnet users must pass password authentication.
- Set the local password: set authentication password { cipher | simple } password
  Required. The simple keyword sets the password in plain text.
- Configure the Console port:
  - Set the baud rate: speed speed-value
    Optional. The default baud rate of the AUX port (also the Console port) is 9,600 bps.
  - Set the check mode: parity { even | mark | none | odd | space }
    Optional. By default, the check mode of a Console port is set to none, that is, no check bit.
  - Set the stop bits: stopbits { 1 | 1.5 | 2 }
    Optional. The default number of stop bits of a Console port is 1.
  - Set the data bits: databits { 5 | 6 | 7 | 8 }
    Optional. The default number of data bits of a Console port is 8.
- Configure the command level available to users logging in to the user interface: user privilege level level
  Optional. By default, commands of level 3 are available to users logging in to the AUX user interface.
- Define a shortcut key for starting terminal sessions: activation-key character
  Optional. By default, pressing the Enter key starts the terminal session.
- Define a shortcut key for aborting tasks: escape-key { default | character }
  Optional. The default shortcut key combination for aborting tasks is Ctrl+C.
- Make terminal services available to the user interface: shell
  Optional. By default, terminal services are available in all user interfaces.
- Set the maximum number of lines the screen can contain: screen-length screen-length
  Optional. By default, the screen can contain up to 24 lines. Use the screen-length 0 command to disable displaying information in pages.
- Set the history command buffer size: history-command max-size value
  Optional. The default history command buffer size is 10, that is, the buffer stores up to 10 commands by default.
- Set the timeout time for the user interface: idle-timeout minutes [ seconds ]
  Optional. The default timeout time of a user interface is 10 minutes: the connection to the user interface is terminated if no operation is performed in it within 10 minutes. Use the idle-timeout 0 command to disable the timeout function.

 

Note that if you configure to authenticate users in the password mode, the command level available to users logging in to the switch depends on both the authentication-mode password command and the user privilege level level command, as listed in the following table.

Table 2-5 Determine the command level (B)

Authentication mode: local authentication (authentication-mode password). User type: users logging in to the AUX user interface.

- The user privilege level level command has not been executed: level 3
- The user privilege level level command has been executed: determined by the level argument

 

Configuration Example

Network requirements

Assume the switch is configured to allow you to log in through Telnet, and your user level is set to the administrator level (level 3). After you telnet to the switch, you need to restrict the Console user in the following ways:

- The user is authenticated against the local password when logging in through the Console port.
- The local password is set to 123456 (in plain text).
- Commands of level 2 are available to users logging in to the AUX user interface.
- The baud rate of the Console port is 19,200 bps.
- The screen can contain up to 30 lines.
- The history command buffer can store up to 20 commands.
- The timeout time of the AUX user interface is 6 minutes.

Network diagram

Figure 2-6 Network diagram for AUX user interface configuration (with the authentication mode being password)

 

Configuration procedure

# Enter system view.

<Sysname> system-view

# Enter AUX user interface view.

[Sysname] user-interface aux 0

# Specify to authenticate the user logging in through the Console port using the local password.

[Sysname-ui-aux0] authentication-mode password

# Set the local password to 123456 (in plain text).

[Sysname-ui-aux0] set authentication password simple 123456

# Specify commands of level 2 are available to the user logging in to the AUX user interface.

[Sysname-ui-aux0] user privilege level 2

# Set the baud rate of the Console port to 19200 bps.

[Sysname-ui-aux0] speed 19200

# Set the maximum number of lines the screen can contain to 30.

[Sysname-ui-aux0] screen-length 30

# Set the maximum number of commands the history command buffer can store to 20.

[Sysname-ui-aux0] history-command max-size 20

# Set the timeout time of the AUX user interface to 6 minutes.

[Sysname-ui-aux0] idle-timeout 6

After the above configuration, to ensure a successful login, the console user needs to change the corresponding configuration of the terminal emulation program running on the PC, to make the configuration consistent with that on the switch. Refer to Setting Up the Connection to the Console Port for details.

Console Port Login Configuration with Authentication Mode Being Scheme

Configuration Procedure

Follow these steps to perform Console port login configuration (with authentication mode being scheme):

- Enter system view: system-view
- Configure the authentication mode:
  - Enter the default ISP domain view: domain domain-name
    Optional. By default, the local AAA scheme is applied. If you apply the local AAA scheme, you must also perform the local user configuration. If you apply an existing scheme by providing the radius-scheme-name argument, you must also perform AAA-RADIUS configuration on the switch (refer to AAA Configuration for details) and configure the user name and password on the AAA server (refer to the user manual of the AAA server).
  - Specify the AAA scheme to be applied to the domain: authentication default { local | none | radius-scheme radius-scheme-name [ local ] }
  - Quit to system view: quit
- Create a local user and enter local user view: local-user user-name
  Required. No local user exists by default.
- Set the authentication password for the local user: password { simple | cipher } password
  Required.
- Specify the service type for AUX users: service-type terminal
  Required.
- Quit to system view: quit
- Enter AUX user interface view: user-interface aux 0
- Configure to authenticate users locally or remotely: authentication-mode scheme
  Required. The specified AAA scheme determines whether users are authenticated locally or remotely. Users are authenticated locally by default.
- Configure the Console port:
  - Set the baud rate: speed speed-value
    Optional. The default baud rate of the AUX port (also the Console port) is 9,600 bps.
  - Set the check mode: parity { even | mark | none | odd | space }
    Optional. By default, the check mode of a Console port is set to none, that is, no check bit.
  - Set the stop bits: stopbits { 1 | 1.5 | 2 }
    Optional. The default number of stop bits of a Console port is 1.
  - Set the data bits: databits { 5 | 6 | 7 | 8 }
    Optional. The default number of data bits of a Console port is 8.
- Configure the command level available to users logging in to the user interface: user privilege level level
  Optional. By default, commands of level 3 are available to users logging in to the AUX user interface.
- Define a shortcut key for starting terminal sessions: activation-key character
  Optional. By default, pressing the Enter key starts the terminal session.
- Define a shortcut key for aborting tasks: escape-key { default | character }
  Optional. The default shortcut key combination for aborting tasks is Ctrl+C.
- Make terminal services available to the user interface: shell
  Optional. By default, terminal services are available in all user interfaces.
- Set the maximum number of lines the screen can contain: screen-length screen-length
  Optional. By default, the screen can contain up to 24 lines. Use the screen-length 0 command to disable displaying information in pages.
- Set the history command buffer size: history-command max-size value
  Optional. The default history command buffer size is 10, that is, the buffer stores up to 10 commands by default.
- Set the timeout time for the user interface: idle-timeout minutes [ seconds ]
  Optional. The default timeout time of a user interface is 10 minutes: the connection to the user interface is terminated if no operation is performed in it within 10 minutes. Use the idle-timeout 0 command to disable the timeout function.

 

Note that the command level available to users logging in to the switch depends on both the authentication-mode scheme command and the user privilege level level command.

Configuration Example

Network requirements

Assume the switch is configured to allow you to log in through Telnet, and your user level is set to the administrator level (level 3). After you telnet to the switch, you need to restrict the console user in the following ways:

- Configure the name of the local user to be "guest".
- Set the authentication password of the local user to 123456 (in plain text).
- Set the service type of the local user to Terminal.
- Configure to authenticate the user logging in through the Console port in the scheme mode.
- The baud rate of the Console port is 19,200 bps.
- The screen can contain up to 30 lines.
- The history command buffer can store up to 20 commands.
- The timeout time of the AUX user interface is 6 minutes.

Network diagram

Figure 2-7 Network diagram for AUX user interface configuration (with the authentication mode being scheme)

 

Configuration procedure

# Enter system view.

<Sysname> system-view

# Create a local user named guest and enter local user view.

[Sysname] local-user guest

# Set the authentication password to 123456 (in plain text).

[Sysname-luser-guest] password simple 123456

# Set the service type to Terminal.

[Sysname-luser-guest] service-type terminal

[Sysname-luser-guest] quit

# Enter AUX user interface view.

[Sysname] user-interface aux 0

# Configure to authenticate the user logging in through the Console port in the scheme mode.

[Sysname-ui-aux0] authentication-mode scheme

# Set the baud rate of the Console port to 19200 bps.

[Sysname-ui-aux0] speed 19200

# Set the maximum number of lines the screen can contain to 30.

[Sysname-ui-aux0] screen-length 30

# Set the maximum number of commands the history command buffer can store to 20.

[Sysname-ui-aux0] history-command max-size 20

# Set the timeout time of the AUX user interface to 6 minutes.

[Sysname-ui-aux0] idle-timeout 6

After the above configuration, to ensure a successful login, the console user needs to change the corresponding configuration of the terminal emulation program running on the PC, to make the configuration consistent with that on the switch. Refer to Setting Up the Connection to the Console Port for details.
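As an added example (not H3C's code), the following Python script parses the user-interface blocks of a constructed running-config excerpt written in the command syntax of the procedures above, expands both the relative (aux/vty) and absolute index forms of user-interface described in User Interface Number, reports the serial parameters the terminal emulator must use for AUX 0 after a change, and flags the weak settings these procedures can produce: authentication-mode none (especially together with level 3 commands), a plain-text (simple) password, and idle-timeout 0. The configuration text, keyword list and finding messages are the example's own assumptions.

```python
"""Audit Comware-style user-interface blocks for weak login settings.
Added example for this chapter, not H3C's own code; the running-config
excerpt is constructed, the command syntax follows the tables above."""

# Constructed running-config excerpt: AUX 0 left unauthenticated with the idle
# timeout disabled, VTY 0-4 protected by a plain-text shared password, and
# VTY 5-15 using scheme (per-user) authentication.
SAMPLE_CONFIG = """\
#
user-interface aux 0
 authentication-mode none
 user privilege level 3
 idle-timeout 0
 speed 19200
#
user-interface vty 0 4
 authentication-mode password
 set authentication password simple 123456
 idle-timeout 10 0
#
user-interface vty 5 15
 authentication-mode scheme
 user privilege level 1
#
"""

VTY_COUNT = 16  # Table 1-1: up to 16 VTY users, absolute indexes 1..16
# Console port defaults from Table 2-1, overridden by speed/parity/stopbits/databits.
CONSOLE_DEFAULTS = {"speed": "9600", "parity": "none", "stopbits": "1", "databits": "8"}
# User-interface-view commands used in this chapter, longest first so that
# "set authentication password" is matched before any shorter prefix.
KEYWORDS = ("set authentication password", "user privilege level",
            "history-command max-size", "authentication-mode", "idle-timeout",
            "screen-length", "speed", "parity", "stopbits", "databits")


def relative_name(absolute):
    """Absolute index to relative name: AUX 0 is 0, VTY n is n + 1 (User Interface Number)."""
    if absolute == 0:
        return "aux 0"
    if 1 <= absolute <= VTY_COUNT:
        return f"vty {absolute - 1}"
    raise ValueError(f"absolute user interface index {absolute} is out of range")

def expand_header(line):
    """Expand 'user-interface [ type ] first-number [ last-number ]' into relative names."""
    parts = line.split()[1:]
    if parts[0] in ("aux", "vty"):
        nums = [int(p) for p in parts[1:]]
        return [f"{parts[0]} {n}" for n in range(nums[0], nums[-1] + 1)]
    nums = [int(p) for p in parts]  # absolute form such as 'user-interface 1 3'
    return [relative_name(n) for n in range(nums[0], nums[-1] + 1)]

def split_command(line):
    """Return (keyword, argument string) for a known command, else (None, None)."""
    for kw in KEYWORDS:
        if line == kw or line.startswith(kw + " "):
            return kw, line[len(kw):].strip()
    return None, None

def parse_user_interfaces(config):
    """Return {relative name: {keyword: argument}} for every user-interface block."""
    interfaces, current = {}, []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":  # '#' separates configuration blocks
            current = []
            continue
        if line.startswith("user-interface "):
            current = expand_header(line)
            for name in current:
                interfaces.setdefault(name, {})
            continue
        kw, arg = split_command(line)
        if kw is not None:
            for name in current:  # a range applies the command to every interface in it
                interfaces[name][kw] = arg
    return interfaces

def console_settings(interfaces):
    """Serial parameters the terminal emulator must use to reach AUX 0 after the change."""
    settings = dict(CONSOLE_DEFAULTS)
    settings.update({k: v for k, v in interfaces.get("aux 0", {}).items() if k in settings})
    return settings

def audit(config):
    """Return sorted (interface, finding) pairs for the weak settings this chapter can produce."""
    findings = []
    for name, cmds in parse_user_interfaces(config).items():
        is_aux = name.startswith("aux")
        # Defaults stated in the tables: console users unauthenticated, Telnet users by password.
        mode = cmds.get("authentication-mode", "none" if is_aux else "password")
        if mode == "none":
            findings.append((name, "authentication-mode none: login is not authenticated"))
            if cmds.get("user privilege level", "3" if is_aux else None) == "3":
                findings.append((name, "level 3 commands available without authentication"))
        if cmds.get("set authentication password", "").startswith("simple "):
            findings.append((name, "set authentication password simple: plain-text password"))
        timeout = cmds.get("idle-timeout", "").split()
        if timeout and all(t == "0" for t in timeout):  # 'idle-timeout 0' disables the timer
            findings.append((name, "idle-timeout 0: idle sessions never time out"))
    return sorted(findings)
```

Running audit(SAMPLE_CONFIG) on the excerpt yields eight findings (three for aux 0, one per VTY 0 through 4) and console_settings reports that the terminal must be moved to 19200 bps while parity, stop bits and data bits stay at their Table 2-1 defaults.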

 


Logging In Through Telnet/SSH

When logging in through Telnet, go to these sections for information you are interested in:

- Introduction
- Telnet Configuration with Authentication Mode Being None
- Telnet Configuration with Authentication Mode Being Password
- Telnet Configuration with Authentication Mode Being Scheme
- Telnet Connection Establishment

Introduction

You can telnet to a remote switch to manage and maintain it. To do so, you need to configure both the switch and the Telnet terminal properly.

Table 3-1 Requirements for Telnet to a switch

Switch:
- The Telnet server is started.
- The IP address of the VLAN interface of the switch is configured and the route between the switch and the Telnet terminal is available.
- The authentication mode and other settings are configured. Refer to Table 3-2 and Table 3-3.

Telnet terminal:
- Telnet is running.
- The IP address of the management VLAN of the switch is available.

- After you log in to the switch through Telnet, you can issue commands to the switch by pasting session text. The pasted text cannot exceed 2000 bytes, and the pasted commands must belong to the same view; otherwise, the switch may not execute the commands correctly.
- If the session text exceeds 2000 bytes, save it in a configuration file, upload the configuration file to the switch, and reboot the switch with this configuration file. For details, refer to File System Management.

 

Telnet Connection Establishment

Telnetting to a Switch from a Terminal

You can telnet to a switch and then configure the switch if the interface of the management VLAN of the switch is assigned with an IP address. (By default, VLAN 1 is the management VLAN.)

Following are procedures to establish a Telnet connection to a switch:

Step 1: Log in to the switch through the Console port, enable the Telnet server function and assign an IP address to the management VLAN interface of the switch.

l          Connect to the Console port. Refer to Setting Up the Connection to the Console Port.

l          Execute the following commands in the terminal window to enable the Telnet server function and assign an IP address to the management VLAN interface of the switch.

# Enable the Telnet server function, and configure the IP address of the management VLAN interface as 202.38.160.92 and the subnet mask as 255.255.255.0.

<Sysname> system-view

[Sysname] telnet server enable

[Sysname] interface vlan-interface 1

[Sysname-Vlan-interface1] ip address 202.38.160.92 255.255.255.0

Step 2: Before Telnet users can log in to the switch, the switch must be configured for the authentication mode those users will use. Refer to Telnet Configuration with Authentication Mode Being None, Telnet Configuration with Authentication Mode Being Password, and Telnet Configuration with Authentication Mode Being Scheme for details. By default, Telnet users need to pass password authentication to log in.

Step 3: Connect your PC to the switch, as shown in Figure 3-1. Make sure the Ethernet port to which your PC is connected belongs to the management VLAN of the switch and the route between your PC and the switch is available.

Figure 3-1 Network diagram for Telnet connection establishment


Step 4: Launch Telnet on your PC, with the IP address of the management VLAN interface of the switch as the parameter, as shown in the following figure.

Figure 3-2 Launch Telnet


Step 5: Enter the password when the Telnet window displays “Login authentication” and prompts for the login password. The CLI prompt (such as <H3C>) appears if the password is correct. If all VTY user interfaces of the switch are in use, the connection fails and you receive the message “All user interfaces are used, please try later!”. An H3C series Ethernet switch can accommodate up to 16 Telnet connections at the same time.

Step 6: After successfully Telnetting to a switch, you can configure the switch or display the information about the switch by executing corresponding commands. You can also type ? at any time for help. Refer to the following chapters for the information about the commands.

l          A Telnet connection is terminated if you delete or modify the IP address of the VLAN interface in the Telnet session.

l          By default, commands of level 0 are available to Telnet users authenticated by password. Refer to Basic System Configuration for information about the command hierarchy.

Telnetting to Another Switch from the Current Switch

You can Telnet to another switch from the current switch. In this case, the current switch operates as the client, and the other operates as the server. If the interconnected Ethernet ports of the two switches are in the same LAN segment, make sure the IP addresses of the two management VLAN interfaces to which the two Ethernet ports belong are in the same network segment, or that the route between the two VLAN interfaces is available.

As shown in Figure 3-3, after Telnetting to a switch (labeled Telnet client), you can Telnet to another switch (labeled Telnet server) by executing the telnet command, and then configure the latter.

Figure 3-3 Network diagram for Telnetting to another switch from the current switch


Step 1: Configure the user name and password for Telnet on the switch operating as the Telnet server. Refer to Telnet Configuration with Authentication Mode Being None, Telnet Configuration with Authentication Mode Being Password, and Telnet Configuration with Authentication Mode Being Scheme for details. By default, Telnet users need to pass password authentication to log in.

Step 2: Telnet to the switch operating as the Telnet client.

Step 3: Execute the following command on the switch operating as the Telnet client:

<Sysname> telnet xxxx

Where xxxx is the IP address or the host name of the switch operating as the Telnet server. You can use the ip host command to assign a host name to a switch.

Step 4: Enter the password. If the password is correct, the CLI prompt (such as <H3C>) appears. If all VTY user interfaces of the switch are in use, you will fail to establish the connection and receive the message that says “All user interfaces are used, please try later!”.

Step 5: After successfully Telnetting to the switch, you can configure the switch or display the information about the switch by executing corresponding commands. You can also type ? at any time for help. Refer to the following chapters for the information about the commands.

Common Configuration

Table 3-2 lists the common Telnet configuration.

Table 3-2 Common Telnet configuration

Group | Configuration | Remarks
VTY user interface configuration | Configure the command level available to users logging in to the VTY user interface | Optional. By default, commands of level 0 are available to users logging in to a VTY user interface.
VTY user interface configuration | Configure the protocols the user interface supports | Optional. By default, the Telnet and SSH protocols are supported.
VTY user interface configuration | Set the command that is automatically executed when a user logs in to the user interface | Optional. By default, no command is automatically executed when a user logs in to a user interface.
VTY terminal configuration | Define a shortcut key for aborting tasks | Optional. The default shortcut key combination for aborting tasks is < Ctrl + C >.
VTY terminal configuration | Make terminal services available | Optional. By default, terminal services are available in all user interfaces.
VTY terminal configuration | Set the maximum number of lines the screen can contain | Optional. By default, the screen can contain up to 24 lines.
VTY terminal configuration | Set the history command buffer size | Optional. By default, the history command buffer can contain up to 10 commands.
VTY terminal configuration | Set the timeout time of a user interface | Optional. The default timeout time is 10 minutes.

l          The auto-execute command command may make it impossible to perform common configuration in the user interface, so use it with caution.

l          Before executing the auto-execute command command and saving your configuration, make sure you can log in to the switch in other modes and cancel the configuration.

Telnet Configurations for Different Authentication Modes

Table 3-3 lists the Telnet configurations for the different authentication modes.

Table 3-3 Telnet configurations for different authentication modes

Authentication mode | Telnet configuration | Remarks
None | Perform common configuration: perform the common Telnet configuration | Optional. Refer to Table 3-2.
Password | Configure the password: configure the password for local authentication | Required
Password | Perform common configuration: perform the common Telnet configuration | Optional. Refer to Table 3-2.
Scheme | Specify local or RADIUS authentication: the AAA configuration specifies whether local or RADIUS authentication is performed | Optional. Local authentication is performed by default. Refer to AAA Configuration for details.
Scheme | Configure user names and passwords: configure user names and passwords for local/remote users | Required. The user name and password of a local user are configured on the switch. The user name and password of a remote user are configured on the RADIUS server; refer to the user manual of the RADIUS server for details.
Scheme | Manage VTY users: set the service type for VTY users | Required
Scheme | Perform common configuration: perform the common Telnet configuration | Optional. Refer to Table 3-2.

Telnet Configuration with Authentication Mode Being None

Configuration Procedure

Follow these steps to perform Telnet configuration (with authentication mode being none); each step lists what to do, the command to use, and remarks:

1. Enter system view: system-view
2. Enter one or more VTY user interface views: user-interface vty first-number [ last-number ]
3. Configure not to authenticate users logging in to VTY user interfaces: authentication-mode none (Required. By default, VTY users are authenticated when logging in.)
4. Configure the command level available to users logging in to VTY user interfaces: user privilege level level (Optional. By default, commands of level 0 are available to users logging in to VTY user interfaces.)
5. Configure the protocols to be supported by the VTY user interface: protocol inbound { all | ssh | telnet } (Optional. By default, both the Telnet protocol and the SSH protocol are supported.)
6. Set the command that is automatically executed when a user logs in to the user interface: auto-execute command text (Optional. By default, no command is automatically executed when a user logs in to a user interface.)
7. Define a shortcut key for aborting tasks: escape-key { default | character } (Optional. The default shortcut key combination for aborting tasks is < Ctrl + C >.)
8. Make terminal services available: shell (Optional. By default, terminal services are available in all user interfaces.)
9. Set the maximum number of lines the screen can contain: screen-length screen-length (Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable paged display of information.)
10. Set the history command buffer size: history-command max-size value (Optional. The default history command buffer size is 10, that is, a history command buffer can store up to 10 commands by default.)
11. Set the timeout time of the VTY user interface: idle-timeout minutes [ seconds ] (Optional. The default timeout time of a user interface is 10 minutes, meaning the connection to a user interface is terminated if no operation is performed in it within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.)

Note that if you configure not to authenticate users, the command level available to users logging in to the switch depends on both the authentication-mode none command and the user privilege level level command, as listed in Table 3-4.

Table 3-4 Determine the command level when users logging in to switches are not authenticated

Authentication mode | User type | Command | Command level
None (authentication-mode none) | VTY users | The user privilege level level command not executed | Level 0
None (authentication-mode none) | VTY users | The user privilege level level command already executed | Determined by the level argument

Configuration Example

Network requirements

Assume that you are a level 3 AUX user and want to perform the following configuration for Telnet users logging in to VTY 0:

l          Do not authenticate users logging in to VTY 0.

l          Commands of level 2 are available to users logging in to VTY 0.

l          Telnet protocol is supported.

l          The screen can contain up to 30 lines.

l          The history command buffer can contain up to 20 commands.

l          The timeout time of VTY 0 is 6 minutes.

Network diagram

Figure 3-4 Network diagram for Telnet configuration (with the authentication mode being none)


Configuration procedure

# Enter system view, and enable the Telnet service.

<Sysname> system-view

[Sysname] telnet server enable

# Enter VTY 0 user interface view.

[Sysname] user-interface vty 0

# Configure not to authenticate Telnet users logging in to VTY 0.

[Sysname-ui-vty0] authentication-mode none

# Specify that commands of level 2 are available to users logging in to VTY 0.

[Sysname-ui-vty0] user privilege level 2

# Configure the user interface to support the Telnet protocol.

[Sysname-ui-vty0] protocol inbound telnet

# Set the maximum number of lines the screen can contain to 30.

[Sysname-ui-vty0] screen-length 30

# Set the maximum number of commands the history command buffer can store to 20.

[Sysname-ui-vty0] history-command max-size 20

# Set the timeout time to 6 minutes.

[Sysname-ui-vty0] idle-timeout 6

Telnet Configuration with Authentication Mode Being Password

Configuration Procedure

Follow these steps to perform Telnet configuration (with authentication mode being password); each step lists what to do, the command to use, and remarks:

1. Enter system view: system-view
2. Enter one or more VTY user interface views: user-interface vty first-number [ last-number ]
3. Configure to authenticate users logging in to VTY user interfaces using the local password: authentication-mode password (Required)
4. Set the local password: set authentication password { cipher | simple } password (Required)
5. Configure the command level available to users logging in to the user interface: user privilege level level (Optional. By default, commands of level 0 are available to users logging in to VTY user interfaces.)
6. Configure the protocol to be supported by the user interface: protocol inbound { all | ssh | telnet } (Optional. By default, both the Telnet protocol and the SSH protocol are supported.)
7. Set the command that is automatically executed when a user logs in to the user interface: auto-execute command text (Optional. By default, no command is automatically executed when a user logs in to a user interface.)
8. Define a shortcut key for aborting tasks: escape-key { default | character } (Optional. The default shortcut key combination for aborting tasks is < Ctrl + C >.)
9. Make terminal services available: shell (Optional. By default, terminal services are available in all user interfaces.)
10. Set the maximum number of lines the screen can contain: screen-length screen-length (Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable paged display of information.)
11. Set the history command buffer size: history-command max-size value (Optional. The default history command buffer size is 10, that is, a history command buffer can store up to 10 commands by default.)
12. Set the timeout time of the user interface: idle-timeout minutes [ seconds ] (Optional. The default timeout time of a user interface is 10 minutes, meaning the connection to a user interface is terminated if no operation is performed in it within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.)

Note that if you configure to authenticate users in password mode, the command level available to users logging in to the switch depends on both the authentication-mode password command and the user privilege level level command, as listed in Table 3-5.

Table 3-5 Determine the command level when users logging in to switches are authenticated in password mode

Authentication mode | User type | Command | Command level
Password (authentication-mode password) | VTY users | The user privilege level level command not executed | Level 0
Password (authentication-mode password) | VTY users | The user privilege level level command already executed | Determined by the level argument

Configuration Example

Network requirements

Assume that you are a level 3 AUX user and want to perform the following configuration for Telnet users logging in to VTY 0:

l          Authenticate users logging in to VTY 0 using the local password.

l          Set the local password to 123456 (in plain text).

l          Commands of level 2 are available to users logging in to VTY 0.

l          Telnet protocol is supported.

l          The screen can contain up to 30 lines.

l          The history command buffer can contain up to 20 commands.

l          The timeout time of VTY 0 is 6 minutes.

Network diagram

Figure 3-5 Network diagram for Telnet configuration (with the authentication mode being password)


Configuration procedure

# Enter system view, and enable the Telnet service.

<Sysname> system-view

[Sysname] telnet server enable

# Enter VTY 0 user interface view.

[Sysname] user-interface vty 0

# Configure to authenticate users logging in to VTY 0 using the local password.

[Sysname-ui-vty0] authentication-mode password

# Set the local password to 123456 (in plain text).

[Sysname-ui-vty0] set authentication password simple 123456

# Specify that commands of level 2 are available to users logging in to VTY 0.

[Sysname-ui-vty0] user privilege level 2

# Configure the user interface to support the Telnet protocol.

[Sysname-ui-vty0] protocol inbound telnet

# Set the maximum number of lines the screen can contain to 30.

[Sysname-ui-vty0] screen-length 30

# Set the maximum number of commands the history command buffer can store to 20.

[Sysname-ui-vty0] history-command max-size 20

# Set the timeout time to 6 minutes.

[Sysname-ui-vty0] idle-timeout 6

Telnet Configuration with Authentication Mode Being Scheme

Configuration Procedure

Follow these steps to perform Telnet configuration (with authentication mode being scheme); each step lists what to do, the command to use, and remarks:

1. Enter system view: system-view
2. Configure the authentication scheme. Enter the default ISP domain view: domain domain-name (Optional. By default, the local AAA scheme is applied; if you apply the local AAA scheme, perform the local user configuration in the steps below as well. If you apply an existing scheme by providing the radius-scheme-name argument, you also need to perform AAA-RADIUS configuration on the switch, as described in AAA Configuration, and configure the user name and password on the AAA server, as described in the user manual of the AAA server.)
3. Configure the AAA scheme to be applied to the domain: authentication default { local | none | radius-scheme radius-scheme-name [ local ] } (Optional)
4. Quit to system view: quit
5. Create a local user and enter local user view: local-user user-name (No local user exists by default.)
6. Set the authentication password for the local user: password { simple | cipher } password (Required)
7. Specify the service type for VTY users: service-type telnet (Required)
8. Quit to system view: quit
9. Enter one or more VTY user interface views: user-interface vty first-number [ last-number ]
10. Configure to authenticate users locally or remotely: authentication-mode scheme (Required. The specified AAA scheme determines whether users are authenticated locally or remotely. Users are authenticated locally by default.)
11. Configure the command level available to users logging in to the user interface: user privilege level level (Optional. By default, commands of level 0 are available to users logging in to VTY user interfaces.)
12. Configure the supported protocol: protocol inbound { all | ssh | telnet } (Optional. Both the Telnet protocol and the SSH protocol are supported by default.)
13. Set the command that is automatically executed when a user logs in to the user interface: auto-execute command text (Optional. By default, no command is automatically executed when a user logs in to a user interface.)
14. Define a shortcut key for aborting tasks: escape-key { default | character } (Optional. The default shortcut key combination for aborting tasks is < Ctrl + C >.)
15. Make terminal services available: shell (Optional. Terminal services are available in all user interfaces by default.)
16. Set the maximum number of lines the screen can contain: screen-length screen-length (Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable paged display of information.)
17. Set the history command buffer size: history-command max-size value (Optional. The default history command buffer size is 10, that is, a history command buffer can store up to 10 commands by default.)
18. Set the timeout time for the user interface: idle-timeout minutes [ seconds ] (Optional. The default timeout time of a user interface is 10 minutes, meaning the connection to a user interface is terminated if no operation is performed in it within 10 minutes. You can use the idle-timeout 0 command to disable the timeout function.)

Note that if you configure to authenticate users in scheme mode, the command level available to users logging in to the switch depends on both the authentication-mode scheme command and the user privilege level level command.

Refer to AAA Configuration and SSH2.0 Configuration for the configuration of AAA, RADIUS and SSH.

Configuration Example

Network requirements

Assume that you are a level 3 AUX user and want to perform the following configuration for Telnet users logging in to VTY 0:

l          Configure the name of the local user to be “guest”.

l          Set the authentication password of the local user to 123456 (in plain text).

l          Set the service type of VTY users to Telnet.

l          Configure to authenticate users logging in to VTY 0 in scheme mode.

l          The commands of level 2 are available to users logging in to VTY 0.

l          Telnet protocol is supported in VTY 0.

l          The screen can contain up to 30 lines.

l          The history command buffer can store up to 20 commands.

l          The timeout time of VTY 0 is 6 minutes.

Network diagram

Figure 3-6 Network diagram for Telnet configuration (with the authentication mode being scheme)


Configuration procedure

# Enter system view, and enable the Telnet service.

<Sysname> system-view

[Sysname] telnet server enable

# Create a local user named guest and enter local user view.

[Sysname] local-user guest

# Set the authentication password of the local user to 123456 (in plain text).

[Sysname-luser-guest] password simple 123456

# Set the service type to Telnet.

[Sysname-luser-guest] service-type telnet

# Return to system view.

[Sysname-luser-guest] quit

# Enter VTY 0 user interface view.

[Sysname] user-interface vty 0

# Configure to authenticate users logging in to VTY 0 in scheme mode.

[Sysname-ui-vty0] authentication-mode scheme

# Specify that commands of level 2 are available to users logging in to VTY 0.

[Sysname-ui-vty0] user privilege level 2

# Configure the user interface to support the Telnet protocol.

[Sysname-ui-vty0] protocol inbound telnet

# Set the maximum number of lines the screen can contain to 30.

[Sysname-ui-vty0] screen-length 30

# Set the maximum number of commands the history command buffer can store to 20.

[Sysname-ui-vty0] history-command max-size 20

# Set the timeout time to 6 minutes.

[Sysname-ui-vty0] idle-timeout 6
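The three configuration examples above (none, password and scheme modes) differ mainly in how much a reviewer should worry about them. As an added example that is not part of the H3C guide, the following Python script reads a constructed display current-configuration style excerpt combining those examples and flags the settings worth a second look: authentication-mode none on a VTY, passwords stored with the simple keyword, idle-timeout 0, and VTYs that still accept clear-text Telnet when SSH is available. The config excerpt, the severity labels and the parsing of the view layout are assumptions of this example.

```python
"""Audit a Comware-style configuration excerpt for weak VTY login settings.
Added example, not from the H3C guide. SAMPLE_CONFIG is a constructed
'display current-configuration' style excerpt (view contents indented by one
space, views separated by '#') built from the VTY examples on this page."""
from dataclasses import dataclass

SAMPLE_CONFIG = """\
#
 telnet server enable
#
local-user guest
 password simple 123456
#
user-interface vty 0
 authentication-mode none
 user privilege level 2
 protocol inbound telnet
user-interface vty 1 4
 authentication-mode password
 set authentication password simple 123456
 idle-timeout 0
user-interface vty 5 15
 authentication-mode scheme
 protocol inbound ssh
"""


@dataclass
class Finding:
    severity: str  # HIGH, MEDIUM or LOW
    scope: str     # view the setting lives in, e.g. 'user-interface vty 0'
    message: str


def parse_views(config_text):
    """(view header, [commands]) pairs; '#' or a blank line closes a view."""
    views, header, body = [], None, []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line in ("", "#"):
            if header is not None:
                views.append((header, body))
            header, body = None, []
        elif line.startswith(" "):
            header = header or "system-view"  # e.g. 'telnet server enable'
            body.append(line.strip())
        else:
            if header is not None:
                views.append((header, body))
            header, body = line.strip(), []
    if header is not None:
        views.append((header, body))
    return views


def _args(body, prefix, default):
    """Arguments of the first command starting with prefix, else default."""
    for cmd in body:
        if cmd.startswith(prefix):
            return cmd[len(prefix):].split()
    return default


def check_vty(scope, body, telnet_enabled):
    """Check one VTY view; absent commands take the page's defaults
    (password authentication, command level 0, protocol inbound all)."""
    out = []
    mode = _args(body, "authentication-mode", ["password"])[0]
    level = int(_args(body, "user privilege level", ["0"])[0])
    inbound = _args(body, "protocol inbound", ["all"])[0]
    has_password = any(c.startswith("set authentication password") for c in body)
    if mode == "none":
        out.append(Finding("HIGH", scope,
                           f"authentication-mode none: level {level} commands without login"))
    if mode == "password" and not has_password:
        out.append(Finding("HIGH", scope,
                           "authentication-mode password but no password is set"))
    if any(c.startswith("set authentication password simple") for c in body):
        out.append(Finding("MEDIUM", scope,
                           "VTY password stored with the simple (plain-text) keyword"))
    timeout = _args(body, "idle-timeout", None)  # 'idle-timeout 0' disables it
    if timeout is not None and all(t == "0" for t in timeout):
        out.append(Finding("MEDIUM", scope,
                           "idle-timeout 0: idle sessions are never disconnected"))
    if telnet_enabled and inbound in ("all", "telnet"):
        out.append(Finding("LOW", scope,
                           f"protocol inbound {inbound}: clear-text Telnet accepted"))
    return out


def audit(config_text):
    """Every finding for the excerpt, most severe first (sorted() is stable)."""
    views = parse_views(config_text)
    telnet_on = any(h == "system-view" and "telnet server enable" in b for h, b in views)
    findings = []
    for header, body in views:
        if header.startswith("user-interface vty"):
            findings.extend(check_vty(header, body, telnet_on))
        elif header.startswith("local-user") and any(c.startswith("password simple") for c in body):
            findings.append(Finding("MEDIUM", header,
                                    "local user password stored with the simple keyword"))
    rank = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted(findings, key=lambda f: rank[f.severity])
```

Running audit(SAMPLE_CONFIG) reports one HIGH finding for VTY 0, three MEDIUM findings (the plain-text passwords and the disabled timeout) and two LOW findings for the VTYs that accept Telnet; VTY 5 to 15, using scheme authentication over SSH, produces none.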

Logging In Through SSH

Secure Shell (SSH) offers an approach to logging into a remote device securely. With encryption and strong authentication, it protects devices against attacks such as IP spoofing and plain text password interception. For the security features provided by SSH, see SSH Configuration.



Logging in Through Web-based Network Management System

Introduction

An S5120-SI series switch has a Web server built in. You can log in to an S5120-SI series switch through a Web browser and manage and maintain the switch intuitively by interacting with the built-in Web server.

To log in to an S5120-SI series switch through the built-in Web-based network management system, you need to perform the related configuration on both the switch and the PC operating as the network management terminal.

Table 4-1 Requirements for logging in to a switch through the Web-based network management system

Item | Requirement
Switch | Start the Web server.
Switch | The IP address of the management VLAN interface of the switch is configured, and the route between the switch and the network management terminal is available. (Refer to the modules “IP Addressing and Performance” and “IP Routing” for details.)
Switch | The user name and password for logging in to the Web-based network management system are configured.
PC operating as the network management terminal | IE is available.
PC operating as the network management terminal | The IP address of the management VLAN interface of the switch is available.

Web Server Configuration

Follow these steps to perform the Web-based network management login configuration; each step lists what to do, the command to use, and remarks:

1. Enter system view: system-view
2. Add a local user and enter local user view: local-user user-name (Required. No local user exists by default.)
3. Configure a password for the local user: password { cipher | simple } password (Required. No password exists by default.)
4. Configure the authorization attributes for the local user: authorization-attribute level level (Optional. By default, no authorization attribute is configured for a local user.)
5. Specify the service types for the local user: service-type telnet (Optional. By default, no service is authorized to a user.)
6. Start the Web server: ip http enable (Required. Execute this command in system view.)

Displaying Web Users

After the above configuration, execute the display command in any view to display information about Web users and verify the effect of the configuration.

Table 4-2 Display information about Web users

To do… | Use the command…
Display information about Web users | display web users

Configuration Example

Step 1: Log in to the switch through the console port and assign an IP address to the management VLAN interface of the switch. By default, VLAN 1 is the management VLAN.

l          Connect to the console port. Refer to section Setting Up the Connection to the Console Port.

l          Execute the following commands in the terminal window to assign an IP address to the management VLAN interface of the switch.

# Configure the IP address of the management VLAN interface to be 10.153.17.82 with the mask 255.255.255.0.

<Sysname> system-view

[Sysname] interface vlan-interface 1

[Sysname-Vlan-interface1] ip address 10.153.17.82 255.255.255.0

# Return to system view.

[Sysname-Vlan-interface1] quit

Step 2: Configure the user name and the password for the Web-based network management system.

# Configure the user name to be admin.

[Sysname] local-user admin

# Set the password to admin.

[Sysname-luser-admin] password simple admin

# Return to system view and start the Web server.

[Sysname-luser-admin] quit

[Sysname] ip http enable

Step 3: Establish an HTTP connection between your PC and the switch, as shown in the following figure.

Figure 4-1 Establish an HTTP connection between your PC and the switch


Step 4: Log in to the switch through IE. Launch IE on the Web-based network management terminal (your PC) and enter the IP address of the management VLAN interface of the switch (here it is http://10.153.17.82). (Make sure the route between the Web-based network management terminal and the switch is available.)

Step 5: When the login interface (shown in Figure 4-2) appears, enter the user name and the password configured in step 2 and click <Login> to bring up the main page of the Web-based network management system.

Figure 4-2 The login page of the Web-based network management system



When logging in through NMS, go to these sections for information you are interested in:

l          Introduction

l          Connection Establishment Using NMS

Introduction

You can also log in to a switch through an NMS (network management station), and then configure and manage the switch through the agent module on the switch.

l          The agent here refers to the software running on network devices (switches) and acting as the server.

l          SNMP (simple network management protocol) is applied between the NMS and the agent.

To log in to a switch through an NMS, you need to perform related configuration on both the NMS and the switch.

Table 5-1 Requirements for logging in to a switch through an NMS

Item | Requirement
Switch | The IP address of the management VLAN interface of the switch is configured, and the route between the NMS and the switch is available.
Switch | The basic SNMP functions are configured. (Refer to SNMP Configuration for details.)
NMS | The NMS is properly configured. (Refer to the user manual of the NMS for details.)

Connection Establishment Using NMS

Figure 5-1 Network diagram for logging in through an NMS



When specifying source IP address/interface for Telnet packets, go to these sections for information you are interested in:

l          Introduction

l          Specifying Source IP address/Interface for Telnet Packets

l          Displaying the source IP address/Interface Specified for Telnet Packets

Introduction

To improve security and make services easier to manage, you can specify the source IP address or source interface for Telnet clients.

Usually, Loopback interface IP addresses are used as the source IP addresses of Telnet packets. After you specify the IP address of a Loopback interface as the source IP address of Telnet packets, all packets exchanged between the Telnet client and the Telnet server use that IP address as their source address, regardless of the physical ports through which they are transmitted. In this way, the actual interface IP addresses are concealed, which helps improve security. Specifying a source IP address/interface for Telnet packets also provides a way to connect to servers that only accept packets from specific source IP addresses.

Specifying Source IP address/Interface for Telnet Packets

The configuration can be performed in user view or in system view. The configuration performed in user view applies only to the current session, whereas the configuration performed in system view applies to all subsequent sessions. The configuration in user view takes precedence over that in system view.

Specifying source IP address/interface for Telnet packets in user view

Follow these steps to specify the source IP address/interface for Telnet packets in user view; the step lists what to do, the command to use, and remarks:

1. Specify the source IP address/interface for Telnet packets (the switch operates as a Telnet client): telnet remote-system [ port-number ] [ source { ip ip-address | interface interface-type interface-number } ] (Optional. By default, no source IP address/interface is specified.)

Specifying source IP address/interface for Telnet packets in system view

Follow these steps to specify the source IP address/interface for Telnet packets in system view; each step lists what to do, the command to use, and remarks:

1. Enter system view: system-view
2. Specify the source IP address/interface for Telnet packets: telnet client source { ip ip-address | interface interface-type interface-number } (Optional. By default, no source IP address/interface is specified.)

l          The IP address specified must be a local IP address.

l          When specifying the source interface for Telnet packets, make sure the interface already exists.

l          Before specifying the source IP address/interface for Telnet packets, make sure the route between the interface and the Telnet server is reachable.

Displaying the source IP address/Interface Specified for Telnet Packets

Follow these steps to display the source IP address/interface specified for Telnet packets; the step lists what to do, the command to use, and remarks:

1. Display the source IP address/interface specified for Telnet packets: display telnet client configuration (Available in any view)


When controlling login users, go to these sections for information you are interested in:

l          Introduction

l          Controlling Telnet Users

l          Controlling Network Management Users by Source IP Addresses

Introduction

Multiple ways are available for controlling different types of login users, as listed in Table 7-1.

Table 7-1 Ways to control different types of login users

Login mode | Control method | Implementation | Related section
Telnet | By source IP addresses | Through basic ACLs | Controlling Telnet Users by Source IP Addresses
Telnet | By source and destination IP addresses | Through advanced ACLs | Controlling Telnet Users by Source and Destination IP Addresses
Telnet | By source MAC addresses | Through Layer 2 ACLs | Controlling Telnet Users by Source MAC Addresses
SNMP | By source IP addresses | Through basic ACLs | Controlling Network Management Users by Source IP Addresses

Controlling Telnet Users

Prerequisites

The control policy for Telnet users is determined, including the source and destination IP addresses to be controlled and the control actions (permit or deny).

Controlling Telnet Users by Source IP Addresses

This configuration is implemented with a basic ACL; basic ACL numbers range from 2000 to 2999. For the definition of ACLs, refer to ACL Configuration.

Follow these steps to control Telnet users by source IP addresses; each step lists what to do, the command to use, and remarks:

1. Enter system view: system-view
2. Create a basic ACL or enter basic ACL view: acl number acl-number [ match-order { config | auto } ] (For the acl number command, the config keyword is specified by default.)
3. Define rules for the ACL: rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } | time-range time-name | fragment | logging ]* (Required)
4. Quit to system view: quit
5. Enter user interface view: user-interface [ type ] first-number [ last-number ]
6. Apply the ACL to control Telnet users by source IP addresses: acl acl-number { inbound | outbound } (Required. The inbound keyword filters users trying to Telnet to the current switch; the outbound keyword filters users trying to Telnet to other switches from the current switch.)

 

Controlling Telnet Users by Source and Destination IP Addresses

This configuration is implemented with an advanced ACL; advanced ACL numbers range from 3000 to 3999. For the definition of ACLs, refer to ACL Configuration.

Follow these steps to control Telnet users by source and destination IP addresses:

1. Enter system view
   Command: system-view

2. Create an advanced ACL or enter advanced ACL view
   Command: acl number acl-number [ match-order { config | auto } ]
   Remarks: As for the acl number command, the config keyword is specified by default.

3. Define rules for the ACL
   Command: rule [ rule-id ] { permit | deny } rule-string
   Remarks: Required. You can define rules as needed to filter by specific source and destination IP addresses.

4. Quit to system view
   Command: quit

5. Enter user interface view
   Command: user-interface [ type ] first-number [ last-number ]

6. Apply the ACL to control Telnet users by the specified source and destination IP addresses
   Command: acl acl-number { inbound | outbound }
   Remarks: Required. The inbound keyword filters the users trying to Telnet to the current switch. The outbound keyword filters users trying to Telnet to other switches from the current switch.

Controlling Telnet Users by Source MAC Addresses

This configuration is implemented with a Layer 2 ACL; Layer 2 ACL numbers range from 4000 to 4999. For the definition of ACLs, refer to ACL Configuration.

Follow these steps to control Telnet users by source MAC addresses:

1. Enter system view
   Command: system-view

2. Create a Layer 2 ACL or enter Layer 2 ACL view
   Command: acl number acl-number [ match-order { config | auto } ]
   Remarks: As for the acl number command, the config keyword is specified by default.

3. Define rules for the ACL
   Command: rule [ rule-id ] { permit | deny } rule-string
   Remarks: Required. You can define rules as needed to filter by specific source MAC addresses.

4. Quit to system view
   Command: quit

5. Enter user interface view
   Command: user-interface [ type ] first-number [ last-number ]

6. Apply the ACL to control Telnet users by source MAC addresses
   Command: acl acl-number inbound
   Remarks: Required. The inbound keyword filters the users trying to Telnet to the current switch.

A Layer 2 ACL does not work for this function if the source IP address of the Telnet client and the interface IP address of the Telnet server are not in the same subnet, because the source MAC address the switch sees then belongs to the intervening router rather than to the client.

Configuration Example

Network requirements

Only Telnet users sourced from the IP addresses 10.110.100.52 and 10.110.100.46 are permitted to log in to the switch.

Network diagram

Figure 7-1 Network diagram for controlling Telnet users using ACLs

 

Configuration procedure

# Define a basic ACL.
<Sysname> system-view
[Sysname] acl number 2000 match-order config
[Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[Sysname-acl-basic-2000] rule 2 permit source 10.110.100.46 0
[Sysname-acl-basic-2000] rule 3 deny source any
[Sysname-acl-basic-2000] quit

# Apply the ACL.
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] acl 2000 inbound

Controlling Network Management Users by Source IP Addresses

You can manage an H3C S5120-SI series Ethernet switch through network management software. Network management users access the switch through SNMP.

You need to perform the following two operations to control network management users by source IP addresses:

- Defining an ACL
- Applying the ACL to control users accessing the switch through SNMP

Prerequisites

The control policy for network management users has been determined, including the source IP addresses to be controlled and the control action (permit or deny).

Controlling Network Management Users by Source IP Addresses

Follow these steps to control network management users by source IP addresses:

1. Enter system view
   Command: system-view

2. Create a basic ACL or enter basic ACL view
   Command: acl number acl-number [ match-order { config | auto } ]
   Remarks: As for the acl number command, the config keyword is specified by default.

3. Define rules for the ACL
   Command: rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } | time-range time-name | fragment | logging ]*
   Remarks: Required

4. Quit to system view
   Command: quit

5. Apply the ACL in one of the following ways
   Remarks: Required. According to the SNMP version and the configuration customs of NMS users, you can reference an ACL when configuring the community name, group name or user name. For the detailed configuration, refer to SNMP Configuration.

   a. Apply the ACL while configuring the SNMP community name
      Command: snmp-agent community { read | write } community-name [ mib-view view-name | acl acl-number ]*

   b. Apply the ACL while configuring the SNMP group name
      Commands: snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]
                snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]

   c. Apply the ACL while configuring the SNMP user name
      Commands: snmp-agent usm-user { v1 | v2c } user-name group-name [ acl acl-number ]
                snmp-agent usm-user v3 user-name group-name [ [ cipher ] authentication-mode { md5 | sha } auth-password [ privacy-mode { aes128 | des56 } priv-password ] ] [ acl acl-number ]

Configuration Example

Network requirements

Only SNMP users sourced from the IP addresses of 10.110.100.52 and 10.110.100.46 are permitted to access the switch.

Network diagram

Figure 7-2 Network diagram for controlling SNMP users using ACLs

 

Configuration procedure

# Define a basic ACL.
<Sysname> system-view
[Sysname] acl number 2000 match-order config
[Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[Sysname-acl-basic-2000] rule 2 permit source 10.110.100.46 0
[Sysname-acl-basic-2000] rule 3 deny source any
[Sysname-acl-basic-2000] quit

# Apply the ACL to only permit SNMP users sourced from the IP addresses of 10.110.100.52 and 10.110.100.46 to access the switch.
[Sysname] snmp-agent community read h3c acl 2000
[Sysname] snmp-agent group v2c h3cgroup acl 2000
[Sysname] snmp-agent usm-user v2c h3cuser h3cgroup acl 2000

Controlling Web Users by Source IP Addresses

The Ethernet switches support Web-based remote management, which allows Web users to access the switches using the HTTP protocol. By referencing access control lists (ACLs), you can control the access of Web users to the switches.

Prerequisites

The control policies to be implemented on Web users are decided, including the source IP addresses to be controlled and the control action, that is, whether to allow or deny the access.

Controlling Web Users by Source IP Addresses

This feature is achieved through the configuration of basic ACLs, the numbers of which are in the range 2000 to 2999. For the definition of ACLs, see ACL Configuration.

Follow these steps to control Web users by source IP addresses:

1. Enter system view
   Command: system-view

2. Create a basic ACL or enter basic ACL view
   Command: acl number acl-number [ match-order { config | auto } ]
   Remarks: Required. The config keyword is specified by default.

3. Define rules for the ACL
   Command: rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } | time-range time-name | fragment | logging ]*
   Remarks: Required

4. Quit to system view
   Command: quit

5. Reference the ACL to control Web users
   Command: ip http acl acl-number
   Remarks: Required

Forcing Online Web Users Offline

The network administrators can run a command to force online Web users offline.

Perform the following operation to force online Web users offline:

To do: Force online Web users offline
Command: free web-users { all | user-id user-id | user-name user-name }
Remarks: Required. Use this command in user view.

Configuration Example

Network requirements

Configure a basic ACL to allow only Web users using IP address 10.110.100.52 to access the switch.

Figure 7-3 Configure an ACL to control the access of HTTP users to the switch

 

Configuration procedure

# Create a basic ACL.
<Sysname> system-view
[Sysname] acl number 2030 match-order config
[Sysname-acl-basic-2030] rule 1 permit source 10.110.100.52 0

# Reference the ACL to allow only Web users using IP address 10.110.100.52 to access the switch.
[Sysname] ip http acl 2030
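To check what a login-control ACL such as the ones in the Telnet, SNMP and Web examples of this chapter actually admits before it is applied, the following Python script is an added example; it is not H3C code and not part of this guide. It models the rule semantics the examples rely on: a wildcard mask in which a 1 bit means "don't care" (so a wildcard of 0 is an exact host match), first-match evaluation in rule order (match-order config), and an optional source/destination pair for the advanced-ACL case. The rule lines for ACL 2000 and ACL 2030 are copied from the examples above; the advanced rule (its syntax is assumed), the candidate client addresses, and the `default` parameter standing in for the platform's behaviour when no rule matches (which this page does not state) are constructed for the demonstration.

```python
"""Added example: evaluate Comware-style ACL rules, as shown in this chapter,
against candidate login sources to see what a login-control ACL admits.
Not H3C code; the advanced-rule syntax and the sample addresses are assumptions."""
import ipaddress
import re

RULE_RE = re.compile(r"^\s*rule\s+(\d+)\s+(permit|deny)\b(.*)$")


def _ip_int(text):
    # Comware lets the wildcard be written as a bare 0 (exact host match), as on this page.
    return int(text) if text.isdigit() else int(ipaddress.IPv4Address(text))


def wildcard_match(addr, base, wildcard):
    """Wildcard semantics: a 1 bit in the wildcard is 'don't care', a 0 bit must match."""
    care = ~_ip_int(wildcard) & 0xFFFFFFFF
    return (_ip_int(addr) & care) == (_ip_int(base) & care)


def parse_rule(line):
    """Parse 'rule <id> permit|deny [proto] [source A W|any] [destination A W|any] ...'.
    Keywords such as time-range, fragment and logging are skipped, not modelled."""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError("not a rule line: %r" % line)
    rule = {"id": int(m.group(1)), "action": m.group(2), "source": None, "destination": None}
    tokens = m.group(3).split()
    i = 0
    while i < len(tokens):
        if tokens[i] in ("source", "destination"):
            if tokens[i + 1] == "any":
                i += 2                      # None already means 'any'
            else:
                rule[tokens[i]] = (tokens[i + 1], tokens[i + 2])
                i += 3
        else:
            i += 1
    return rule


def load_acl(lines):
    """Rules in ascending rule-ID order, which is the order the examples configure them in."""
    return sorted((parse_rule(line) for line in lines), key=lambda r: r["id"])


def evaluate(rules, src, dst=None, default="permit"):
    """First match wins. Returns (action, rule_id); rule_id is None when no rule matched
    and `default` (the platform's unmatched behaviour, not stated on this page) applied."""
    for r in rules:
        if r["source"] and not wildcard_match(src, *r["source"]):
            continue
        if r["destination"] and (dst is None or not wildcard_match(dst, *r["destination"])):
            continue
        return r["action"], r["id"]
    return default, None


# Rule lines as configured in the Telnet/SNMP example (ACL 2000) and the Web example (ACL 2030).
ACL_2000 = [
    "rule 1 permit source 10.110.100.52 0",
    "rule 2 permit source 10.110.100.46 0",
    "rule 3 deny source any",
]
ACL_2030 = ["rule 1 permit source 10.110.100.52 0"]
# Constructed advanced-ACL rule (assumed syntax, not from this page): one /24 to one host.
ACL_3000 = ["rule 5 permit tcp source 10.110.100.0 0.0.0.255 destination 192.0.2.1 0"]


def check_examples():
    """Results for constructed candidate clients; 10.110.100.47 is a host the examples do not list."""
    r2000, r2030, r3000 = load_acl(ACL_2000), load_acl(ACL_2030), load_acl(ACL_3000)
    return {
        "2000_.52": evaluate(r2000, "10.110.100.52"),
        "2000_.46": evaluate(r2000, "10.110.100.46"),
        "2000_.47": evaluate(r2000, "10.110.100.47"),
        "2000_.47_default_deny": evaluate(r2000, "10.110.100.47", default="deny"),
        "2030_.52": evaluate(r2030, "10.110.100.52"),
        "2030_.47": evaluate(r2030, "10.110.100.47"),
        "2030_.47_default_deny": evaluate(r2030, "10.110.100.47", default="deny"),
        "3000_net_to_host": evaluate(r3000, "10.110.100.9", dst="192.0.2.1"),
        "3000_net_to_other": evaluate(r3000, "10.110.100.9", dst="192.0.2.2"),
    }


if __name__ == "__main__":
    for name, (action, rule_id) in check_examples().items():
        where = "rule %d" % rule_id if rule_id is not None else "no match (default)"
        print("%-24s %-6s %s" % (name, action, where))
```

Running the script shows the difference a practitioner should look for: ACL 2000 in the Telnet and SNMP examples ends with an explicit deny-any rule, so an unlisted host such as 10.110.100.47 is denied by rule 3 whatever the platform default is, while ACL 2030 in the Web example has only a permit rule, so the fate of unlisted hosts depends entirely on how the switch treats traffic that matches no rule. Ending a login-control ACL with an explicit deny, as the first two examples do, removes that dependency.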

 
