02-Login Configuration
Table of Contents
1 Logging In to an Ethernet Switch
Logging In to an Ethernet Switch
Introduction to User Interface
Common User Interface Configuration
2 Logging In Through the Console Port
Setting Up the Connection to the Console Port
Console Port Login Configuration
Console Port Login Configurations for Different Authentication Modes
Console Port Login Configuration with Authentication Mode Being None
Console Port Login Configuration with Authentication Mode Being Password
Console Port Login Configuration with Authentication Mode Being Scheme
3 Logging In Through Telnet/SSH
Telnet Connection Establishment
Telnet Login Configuration Task List
Telnet Login Configuration with Authentication Mode Being None
Telnet Login Configuration with Authentication Mode Being Password
Telnet Login Configuration with Authentication Mode Being Scheme
Connection Establishment Using NMS
5 Specifying Source for Telnet Packets
Specifying Source IP address/Interface for Telnet Packets
Displaying the source IP address/Interface Specified for Telnet Packets
Controlling Telnet Users by Source IP Addresses
Controlling Telnet Users by Source and Destination IP Addresses
Controlling Telnet Users by Source MAC Addresses
Controlling Network Management Users by Source IP Addresses
When logging in to an Ethernet switch, go to these sections for information you are interested in:
- Logging In to an Ethernet Switch
- Introduction to User Interface
- Specifying Source for Telnet Packets
You can log in to an H3C S3600 Series EPON OLT Switch in one of the following ways:
- Logging In Through the Console Port
- Logging In Through Telnet/SSH
As the AUX port and the Console port of an S3600 Series EPON OLT Switch are the same physical port, you enter the AUX user interface when you log in through this port.
H3C S3600 Series EPON OLT Switches support two types of user interfaces: AUX and VTY.
- AUX port: Used to manage and monitor users logging in through the Console port. The device provides AUX ports of EIA/TIA-232 DTE type. This port is usually used for the first access to the switch.
- VTY (virtual type terminal): Used to manage and monitor users logging in through VTY. The VTY user interface is usually used when you access the device by means of Telnet or SSH.
Table 1-1 Description of user interfaces
User interface | Applicable user | Port used | Description
AUX | Users logging in through the Console port | Console port | Each switch can accommodate one AUX user.
VTY | Telnet users and SSH users | Ethernet port | Each switch can accommodate up to five VTY users.
A device can support one AUX port and multiple Ethernet interfaces, and thus multiple user interfaces. These user interfaces are not associated with specific users.
- When a user initiates a connection request, the system automatically assigns the idle user interface of the type matching the login type that has the smallest number to the user.
- During the login, the configuration in the corresponding user interface view takes effect. Which user interface is used depends on the login type and the login time.
Only one user can use a given user interface at a time, and the configuration of that user interface applies to the user logged in on it. For example, if user A logs in through the Console port, the configuration in the AUX user interface view applies to user A; if user A logs in through VTY 1, the configuration in the user interface view of VTY 1 applies.
User interfaces can be numbered in two ways: absolute numbering and relative numbering.
Absolute numbering uniquely identifies a user interface or a group of user interfaces across all types. Numbers start at 0 with a step of 1, and the two types of user interfaces are numbered in the order AUX port first, then VTYs.
Relative numbering identifies a user interface or a group of user interfaces of a specific type. The number is valid only under that type of user interface and has no meaning under other types.
Relative numbering names a user interface in the form “user interface type + number”. The rules are as follows:
- The AUX user interface number is 0.
- VTYs are numbered from 0 in ascending order, with a step of 1.
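The numbering and assignment rules above, as an added example that is not part of the manual: a Python model with one AUX and five VTY user interfaces (the counts in Table 1-1) that maps relative to absolute numbers, hands each login the lowest-numbered idle interface of its type, and reports the busy message the manual quotes for Telnet users when every VTY is occupied. The class and function names are this example's own, not switch commands.

```python
from __future__ import annotations

# Added model (not the switch's own code) of the user interface numbering
# and assignment rules on this page: one AUX interface and five VTY
# interfaces, absolute numbers starting at 0 in the order AUX then VTY,
# and the idle interface of the requested type with the smallest number
# handed to each new login.
AUX_COUNT = 1   # Table 1-1: each switch accommodates one AUX user
VTY_COUNT = 5   # Table 1-1: each switch accommodates up to five VTY users


def absolute_number(ui_type: str, relative: int) -> int:
    """Map a relative number (e.g. vty 3) to its absolute number."""
    if ui_type == "aux":
        if not 0 <= relative < AUX_COUNT:
            raise ValueError(f"no such user interface: aux {relative}")
        return relative
    if ui_type == "vty":
        if not 0 <= relative < VTY_COUNT:
            raise ValueError(f"no such user interface: vty {relative}")
        return AUX_COUNT + relative          # VTYs follow the AUX port
    raise ValueError(f"unknown user interface type: {ui_type}")


def relative_number(absolute: int) -> tuple[str, int]:
    """Inverse mapping: absolute number -> (type, relative number)."""
    if 0 <= absolute < AUX_COUNT:
        return ("aux", absolute)
    if AUX_COUNT <= absolute < AUX_COUNT + VTY_COUNT:
        return ("vty", absolute - AUX_COUNT)
    raise ValueError(f"no such user interface: {absolute}")


class UserInterfacePool:
    """Tracks which user interfaces are occupied, keyed by absolute number."""

    # Message the manual quotes when all VTY user interfaces are in use.
    ALL_USED = "All user interfaces are used, please try later!"

    def __init__(self) -> None:
        self.in_use: dict[int, str] = {}   # absolute number -> user name

    def login(self, login_type: str, user: str) -> str:
        """Assign an idle interface to a console or Telnet/SSH login.

        Returns the relative name ("aux 0", "vty 2") or the busy message.
        """
        ui_type = "aux" if login_type == "console" else "vty"
        count = AUX_COUNT if ui_type == "aux" else VTY_COUNT
        for rel in range(count):                  # smallest number first
            abs_no = absolute_number(ui_type, rel)
            if abs_no not in self.in_use:
                self.in_use[abs_no] = user
                return f"{ui_type} {rel}"
        return self.ALL_USED

    def free(self, ui_type: str, relative: int) -> str | None:
        """Model of 'free user-interface': disconnect, return the user name."""
        return self.in_use.pop(absolute_number(ui_type, relative), None)

    def display_users(self) -> list[tuple[int, str, str]]:
        """Model of 'display users': (absolute number, relative name, user)."""
        rows = []
        for abs_no in sorted(self.in_use):
            ui_type, rel = relative_number(abs_no)
            rows.append((abs_no, f"{ui_type} {rel}", self.in_use[abs_no]))
        return rows
```

Listing the occupied interfaces this way is also how an operator spots a stale or unexpected session before the five-VTY limit locks out the next administrator.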
Follow these steps to perform common user interface configuration:
To do… | Use the command… | Remarks
Lock the current user interface | lock | Optional. Execute this command in user view. A user interface is not locked by default.
Send messages to all user interfaces or to a specified user interface | send { all | number | type number } | Optional. Execute this command in user view.
Disconnect a specified user interface | free user-interface [ type ] number | Optional. Execute this command in user view.
Enter system view | system-view | —
Set the banner | header { incoming | legal | login | shell | motd } text | Optional
Set a system name for the switch | sysname string | Optional. The default name is H3C.
Enter one or more user interface views | user-interface [ type ] first-number [ last-number ] | —
Display information about the current user interface or all user interfaces | display users [ all ] | Available in any view.
Display the physical attributes and configuration of the current or a specified user interface | display user-interface [ type number | number ] [ summary ] | Available in any view.
When logging in through the Console port, go to these sections for information you are interested in:
- Setting Up the Connection to the Console Port
- Console Port Login Configuration
- Console Port Login Configuration with Authentication Mode Being None
- Console Port Login Configuration with Authentication Mode Being Password
- Console Port Login Configuration with Authentication Mode Being Scheme
Logging in through the Console port is the most common way to log in to a switch. It is also the prerequisite for configuring the other login methods. By default, you can log in to an S3600 Series EPON OLT Switch only through its Console port.
To log in to an Ethernet switch through its Console port, the settings of the user terminal must match those of the Console port.
Table 2-1 lists the default settings of a Console port.
Table 2-1 The default settings of a Console port
Setting | Default
Baud rate | 9,600 bps
Flow control | Off
Check mode | No check bit
Stop bits | 1
Data bits | 8
After logging in to a switch, you can perform configuration for AUX users. Refer to Console Port Login Configuration for details.
- Connect the serial port of your PC/terminal to the Console port of the switch, as shown in Figure 2-1.
Figure 2-1 Diagram for setting up the connection to the Console port
- If you use a PC to connect to the Console port, launch a terminal emulation utility (such as Terminal in Windows 3.X or HyperTerminal in Windows 9X/Windows 2000/Windows XP) and perform the configuration shown in Figure 2-2 through Figure 2-4 to create the connection. Normally, the terminal parameters are configured as listed in Table 2-1.
Figure 2-2 Create a connection
Figure 2-3 Specify the port used to establish the connection
Figure 2-4 Set port parameters in the terminal window
- Turn on the switch. You are prompted to press the Enter key if the switch successfully completes POST (power-on self test). The prompt (such as <H3C>) appears after you press the Enter key.
- You can then configure the switch or check information about the switch by executing commands. You can also get help by typing the ? character. Refer to the following chapters for information about the commands.
Table 2-2 lists the common configuration of Console port login.
Table 2-2 Common configuration of Console port login
Configuration | Command | Description
Enter system view | system-view | —
Enter AUX user interface view | user-interface aux 0 | —
Console port configuration: Baud rate | speed speed-value | Optional. The default baud rate is 9,600 bps.
Console port configuration: Check mode | parity { even | mark | none | odd | space } | Optional. By default, the check mode of the Console port is set to “none”, which means no check bit.
Console port configuration: Stop bits | stopbits { 1 | 1.5 | 2 } | Optional. The default number of stop bits of a Console port is 1.
Console port configuration: Data bits | databits { 5 | 6 | 7 | 8 } | Optional. The default number of data bits of a Console port is 8.
AUX user interface configuration: Configure the command level available to users logging in to the AUX user interface | user privilege level level | Optional. By default, commands of level 3 are available to users logging in to the AUX user interface.
Terminal configuration: Make terminal services available | shell | Optional. By default, terminal services are available in all user interfaces.
Terminal configuration: Set the maximum number of lines the screen can contain | screen-length screen-length | Optional. By default, the screen can contain up to 24 lines.
Terminal configuration: Set the history command buffer size | history-command max-size value | Optional. By default, the history command buffer can contain up to 10 commands.
Terminal configuration: Set the timeout time of a user interface | idle-timeout minutes [ seconds ] | Optional. The default timeout time is 10 minutes.
Changing the Console port configuration terminates the connection to the Console port. To establish the connection again, you need to modify the configuration of the terminal emulation utility running on your PC accordingly. Refer to Setting Up the Connection to the Console Port for details.
Table 2-3 lists the Console port login configurations for different authentication modes.
Table 2-3 Console port login configurations for different authentication modes
Authentication mode | Console port login configuration | Description | Remarks
None | Perform common configuration | Perform common configuration for Console port login | Optional. Refer to Common Configuration for details.
Password | Configure the password | Configure the password for local authentication | Required
Password | Perform common configuration | Perform common configuration for Console port login | Optional. Refer to Common Configuration for details.
Scheme | Specify whether to perform local authentication or RADIUS authentication | The AAA configuration specifies whether to perform local authentication or RADIUS authentication | Optional. Local authentication is performed by default. Refer to AAA Configuration in the Security Volume for details.
Scheme | Configure user name and password | Configure user names and passwords for local/remote users | Required. The user name and password of a local user are configured on the switch. The user name and password of a remote user are configured on the RADIUS server; refer to the user manual of the RADIUS server for details.
Scheme | Manage AUX users | Set the service type for AUX users | Required
Scheme | Perform common configuration | Perform common configuration for Console port login | Optional. Refer to Common Configuration for details.
Changes to the authentication mode of Console port login do not take effect until you exit and re-enter the CLI.
Follow these steps to perform Console port login configuration (with authentication mode being none):
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter AUX user interface view | user-interface aux 0 | —
Configure not to authenticate users | authentication-mode none | Required. By default, users logging in through the Console port are not authenticated.
Assume the switch is configured to allow you to log in through Telnet, and your user level is set to the administrator level (level 3). After you telnet to the switch, you need to configure the console user as follows:
- The user is not authenticated when logging in through the Console port.
- Commands of level 2 are available to users logging in to the AUX user interface.
- The baud rate of the Console port is 19200 bps.
- The screen can contain up to 30 lines.
- The history command buffer can contain up to 20 commands.
- The timeout time of the AUX user interface is 6 minutes.
Figure 2-5 Network diagram for AUX user interface configuration (with the authentication mode being none)
# Enter system view.
<Sysname> system-view
# Enter AUX user interface view.
[Sysname] user-interface aux 0
# Specify not to authenticate the user logging in through the Console port.
[Sysname-ui-aux0] authentication-mode none
# Specify commands of level 2 are available to the user logging in to the AUX user interface.
[Sysname-ui-aux0] user privilege level 2
# Set the baud rate of the Console port to 19200 bps.
[Sysname-ui-aux0] speed 19200
# Set the maximum number of lines the screen can contain to 30.
[Sysname-ui-aux0] screen-length 30
# Set the maximum number of commands the history command buffer can store to 20.
[Sysname-ui-aux0] history-command max-size 20
# Set the timeout time of the AUX user interface to 6 minutes.
[Sysname-ui-aux0] idle-timeout 6
After the above configuration, the console user needs to change the corresponding settings of the terminal emulation program running on the PC so that they match those on the switch; otherwise the login fails. Refer to Setting Up the Connection to the Console Port for details.
Follow these steps to perform Console port login configuration (with authentication mode being password):
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter AUX user interface view | user-interface aux 0 | —
Configure to authenticate users using the local password | authentication-mode password | Required. By default, users logging in through the Console port are not authenticated, while Telnet users must pass password authentication.
Set the local password | set authentication password { cipher | simple } password | Required
Assume the switch is configured to allow you to log in through Telnet, and your user level is set to the administrator level (level 3). After you telnet to the switch, you need to configure the console user as follows:
- The user is authenticated against the local password when logging in through the Console port.
- The local password is set to 123456 (in plain text).
- Commands of level 2 are available to users logging in to the AUX user interface.
- The baud rate of the Console port is 19,200 bps.
- The screen can contain up to 30 lines.
- The history command buffer can store up to 20 commands.
- The timeout time of the AUX user interface is 6 minutes.
Figure 2-6 Network diagram for AUX user interface configuration (with the authentication mode being password)
# Enter system view.
<Sysname> system-view
# Enter AUX user interface view.
[Sysname] user-interface aux 0
# Specify to authenticate the user logging in through the Console port using the local password.
[Sysname-ui-aux0] authentication-mode password
# Set the local password to 123456 (in plain text).
[Sysname-ui-aux0] set authentication password simple 123456
# Specify commands of level 2 are available to the user logging in to the AUX user interface.
[Sysname-ui-aux0] user privilege level 2
# Set the baud rate of the Console port to 19200 bps.
[Sysname-ui-aux0] speed 19200
# Set the maximum number of lines the screen can contain to 30.
[Sysname-ui-aux0] screen-length 30
# Set the maximum number of commands the history command buffer can store to 20.
[Sysname-ui-aux0] history-command max-size 20
# Set the timeout time of the AUX user interface to 6 minutes.
[Sysname-ui-aux0] idle-timeout 6
After the above configuration, the console user needs to change the corresponding settings of the terminal emulation program running on the PC so that they match those on the switch; otherwise the login fails. Refer to Setting Up the Connection to the Console Port for details.
Follow these steps to perform Console port login configuration (with authentication mode being scheme):
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter AUX user interface view | user-interface aux 0 | —
Configure to authenticate users locally or remotely | authentication-mode scheme [ command-authorization ] | Required. The specified AAA scheme determines whether to authenticate users locally or remotely. By default, users logging in through the Console port are not authenticated.
Quit to system view | quit | —
Configure the authentication scheme: Enter the default ISP domain view | domain domain-name | Optional. By default, the local AAA scheme is applied. If you apply the local AAA scheme, you also need to configure the local user. If you apply an existing scheme by providing the radius-scheme-name argument, you also need to perform AAA-RADIUS configuration on the switch (refer to AAA Configuration in the Security Volume for details) and configure the user name and password accordingly on the AAA server (refer to the user manual of the AAA server).
Configure the authentication scheme: Specify the AAA scheme to be applied to the domain | authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } | See the remarks for the domain command above.
Configure the authentication scheme: Quit to system view | quit | —
Create a local user and enter local user view | local-user user-name | Required. No local user exists by default.
Set the authentication password for the local user | password { simple | cipher } password | Required. By default, a user is authorized with no password.
Specify the level of the local user | authorization-attribute level level | By default, no authorization attribute is configured for a local user.
Specify the service type for AUX users | service-type terminal | Required. By default, a user is authorized with no service.
Note that, when you log in to an Ethernet switch using the scheme authentication mode, your access rights depend on your user level defined in the AAA scheme.
When the local authentication mode is used, the user levels are specified using the authorization-attribute level level command.
When the RADIUS or HWTACACS authentication mode is used, the user levels are set on the corresponding RADIUS or HWTACACS servers.
For more information about AAA, RADIUS, and HWTACACS, see AAA Configuration in the Security Volume.
Assume the switch is configured to allow you to log in through Telnet, and your user level is set to the administrator level (level 3). After you telnet to the switch, you need to configure the console user as follows:
- Configure the name of the local user to be “guest”.
- Set the authentication password of the local user to 123456 (in plain text).
- Set the service type of the local user to Terminal.
- Configure to authenticate the user logging in through the Console port in the scheme mode.
- The baud rate of the Console port is 19,200 bps.
- The screen can contain up to 30 lines.
- The history command buffer can store up to 20 commands.
- The timeout time of the AUX user interface is 6 minutes.
Figure 2-7 Network diagram for AUX user interface configuration (with the authentication mode being scheme)
1) Configure the switch
# Enter system view.
<Sysname> system-view
# Create a local user named guest and enter local user view.
[Sysname] local-user guest
# Set the authentication password to 123456 (in plain text).
[Sysname-luser-guest] password simple 123456
# Set the service type to Terminal.
[Sysname-luser-guest] service-type terminal
[Sysname-luser-guest] quit
# Enter AUX user interface view.
[Sysname] user-interface aux 0
# Configure to authenticate the user logging in through the Console port in the scheme mode.
[Sysname-ui-aux0] authentication-mode scheme
# Set the baud rate of the Console port to 19200 bps.
[Sysname-ui-aux0] speed 19200
# Set the maximum number of lines the screen can contain to 30.
[Sysname-ui-aux0] screen-length 30
# Set the maximum number of commands the history command buffer can store to 20.
[Sysname-ui-aux0] history-command max-size 20
# Set the timeout time of the AUX user interface to 6 minutes.
[Sysname-ui-aux0] idle-timeout 6
2) Configure the authentication scheme
Configure the authentication server by referring to related parts in AAA Configuration.
After the above configuration, you need to modify the settings of the terminal emulation utility running on the user PC accordingly, as shown in Figure 2-4, so that they are consistent with those of the switch. Otherwise, you will fail to log in to the switch.
When logging in through Telnet, go to these sections for information you are interested in:
- Telnet Connection Establishment
- Telnet Login Configuration with Authentication Mode Being None
- Telnet Login Configuration with Authentication Mode Being Password
- Telnet Login Configuration with Authentication Mode Being Scheme
You can telnet to a remote switch to manage and maintain the switch. To achieve this, you need to configure both the switch and the Telnet terminal properly.
Table 3-1 Requirements for Telnet to a switch
Item | Requirement
Switch | The Telnet server is started.
Switch | The IP address of the management VLAN interface of the switch is configured and the route between the switch and the Telnet terminal is available.
Switch | The authentication mode and other settings are configured. Refer to Table 3-2 and Table 3-3.
Telnet terminal | Telnet is running.
Telnet terminal | The IP address of the management VLAN interface of the switch is known.
You can telnet to a switch and then configure the switch if the interface of the management VLAN of the switch is assigned with an IP address. (By default, VLAN 1 is the management VLAN.)
Follow these steps to establish a Telnet connection to a switch:
Step 1: Log in to the switch through the Console port, enable the Telnet server function and assign an IP address to the management VLAN interface of the switch.
- Connect to the Console port. Refer to Setting Up the Connection to the Console Port.
- Execute the following commands in the terminal window to enable the Telnet server function and assign an IP address to the management VLAN interface of the switch.
# Enable the Telnet server function and configure the IP address of the management VLAN interface as 202.38.160.92, with the subnet mask 255.255.255.0.
<Sysname> system-view
[Sysname] telnet server enable
[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] ip address 202.38.160.92 255.255.255.0
Step 2: Before Telnet users can log in to the switch, the configuration corresponding to the chosen authentication mode must have been performed on the switch. Refer to Telnet Login Configuration with Authentication Mode Being None, Telnet Login Configuration with Authentication Mode Being Password, and Telnet Login Configuration with Authentication Mode Being Scheme for details. By default, Telnet users need to pass password authentication to log in.
Step 3: Connect your PC to the switch, as shown in Figure 3-1. Make sure the Ethernet port to which your PC is connected belongs to the management VLAN of the switch and the route between your PC and the switch is available.
Figure 3-1 Network diagram for Telnet connection establishment
Step 4: Launch Telnet on your PC, with the IP address of the management VLAN interface of the switch as the parameter, as shown in the following figure.
Step 5: Enter the password when the Telnet window displays “Login authentication” and prompts for the login password. The CLI prompt (such as <H3C>) appears if the password is correct. If all VTY user interfaces of the switch are in use, the connection fails and you receive the message “All user interfaces are used, please try later!”. An H3C series Ethernet switch can accommodate up to five Telnet connections at the same time.
Step 6: After successfully Telnetting to a switch, you can configure the switch or display information about the switch by executing the corresponding commands. You can also type ? at any time for help. Refer to the following chapters for information about the commands.
- A Telnet connection is terminated if you delete or modify the IP address of the VLAN interface within the Telnet session.
- By default, commands of level 0 are available to Telnet users authenticated by password. Refer to Basic System Configuration in the System Volume for information about the command hierarchy.
You can Telnet to another switch from the current switch. In this case, the current switch operates as the client, and the other operates as the server. If the interconnected Ethernet ports of the two switches are in the same LAN segment, make sure the IP addresses of the two management VLAN interfaces to which the two Ethernet ports belong are on the same network segment, or that the route between the two VLAN interfaces is available.
As shown in Figure 3-3, after Telnetting to a switch (labeled as Telnet client), you can Telnet to another switch (labeled as Telnet server) by executing the telnet command and then configure the latter.
Figure 3-3 Network diagram for Telnetting to another switch from the current switch
Step 1: Configure the user name and password for Telnet on the switch operating as the Telnet server. Refer to Telnet Login Configuration with Authentication Mode Being None, Telnet Login Configuration with Authentication Mode Being Password, and Telnet Login Configuration with Authentication Mode Being Scheme for details. By default, Telnet users need to pass password authentication to log in.
Step 2: Telnet to the switch operating as the Telnet client.
Step 3: Execute the following command on the switch operating as the Telnet client:
<Sysname> telnet xxxx
Where xxxx is the IP address or the host name of the switch operating as the Telnet server. You can use the ip host command to assign a host name to a switch.
Step 4: Enter the password. If the password is correct, the CLI prompt (such as <H3C>) appears. If all VTY user interfaces of the switch are in use, you will fail to establish the connection and receive the message that says “All user interfaces are used, please try later!”.
Step 5: After successfully Telnetting to the switch, you can configure the switch or display the information about the switch by executing corresponding commands. You can also type ? at any time for help. Refer to the following chapters for the information about the commands.
Table 3-2 lists the common Telnet configuration.
Table 3-2 Common Telnet configuration
Configuration | Command | Remarks
Enter system view | system-view | —
Make the switch operate as a Telnet server | telnet server enable | By default, a switch does not operate as a Telnet server.
Enter one or more VTY user interface views | user-interface vty first-number [ last-number ] | —
VTY user interface configuration: Configure the command level available to users logging in to the VTY user interface | user privilege level level | Optional. By default, commands of level 0 are available to users logging in to a VTY user interface.
VTY user interface configuration: Configure the protocols the user interface supports | protocol inbound { all | ssh | telnet } | Optional. By default, both Telnet and SSH are supported.
VTY user interface configuration: Set the command that is automatically executed when a user logs in to the user interface | auto-execute command text | Optional. By default, no command is automatically executed when a user logs in to a user interface.
VTY terminal configuration: Make terminal services available | shell | Optional. By default, terminal services are available in all user interfaces.
VTY terminal configuration: Set the maximum number of lines the screen can contain | screen-length screen-length | Optional. By default, the screen can contain up to 24 lines.
VTY terminal configuration: Set the history command buffer size | history-command max-size value | Optional. By default, the history command buffer can contain up to 10 commands.
VTY terminal configuration: Set the timeout time of a user interface | idle-timeout minutes [ seconds ] | Optional. The default timeout time is 10 minutes.
Telnet login configuration varies with the authentication mode adopted.
Table 3-3 Telnet login configuration tasks for different authentication modes
Task | Description
Telnet Login Configuration with Authentication Mode Being None | Configure not to authenticate users logging in to user interfaces.
Telnet Login Configuration with Authentication Mode Being Password | Configure to authenticate users logging in to user interfaces using a local password, and configure the local password.
Telnet Login Configuration with Authentication Mode Being Scheme | Configure to authenticate users using the scheme authentication mode; set the authentication scheme, which can be local authentication or remote server authentication; and configure the authentication user names and passwords for local users.
Follow these steps to perform Telnet configuration (with authentication mode being none):
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter one or more VTY user interface views | user-interface vty first-number [ last-number ] | —
Configure not to authenticate users logging in to VTY user interfaces | authentication-mode none | Required. By default, VTY users are authenticated when logging in.
Note that if you configure not to authenticate the users, the command level available to users logging in to a switch depends on both the authentication-mode none command and the user privilege level level command.
1) Network requirements
Assume that you are a level 3 AUX user and want to perform the following configuration for Telnet users logging in to VTY 0:
- Do not authenticate users logging in to VTY 0.
- Commands of level 2 are available to users logging in to VTY 0.
- Telnet protocol is supported.
- The screen can contain up to 30 lines.
- The history command buffer can contain up to 20 commands.
- The timeout time of VTY 0 is 6 minutes.
2) Network diagram
Figure 3-4 Network diagram for Telnet configuration (with the authentication mode being none)
3) Configuration procedure
# Enter system view, and enable the Telnet service.
<Sysname> system-view
[Sysname] telnet server enable
# Enter VTY 0 user interface view.
[Sysname] user-interface vty 0
# Configure not to authenticate Telnet users logging in to VTY 0.
[Sysname-ui-vty0] authentication-mode none
# Specify commands of level 2 are available to users logging in to VTY 0.
[Sysname-ui-vty0] user privilege level 2
# Configure Telnet protocol is supported.
[Sysname-ui-vty0] protocol inbound telnet
# Set the maximum number of lines the screen can contain to 30.
[Sysname-ui-vty0] screen-length 30
# Set the maximum number of commands the history command buffer can store to 20.
[Sysname-ui-vty0] history-command max-size 20
# Set the timeout time to 6 minutes.
[Sysname-ui-vty0] idle-timeout 6
Follow these steps to perform Telnet configuration (with authentication mode being password):
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter one or more VTY user interface views | user-interface vty first-number [ last-number ] | —
Configure to authenticate users logging in to VTY user interfaces using the local password | authentication-mode password | Required
Set the local password | set authentication password { cipher | simple } password | Required
Note that if you configure to authenticate the users in the password mode, the command level available to users logging in to a switch depends on both the authentication-mode password command and the user privilege level level command.
1) Network requirements
Assume that you are a level 3 AUX user and want to perform the following configuration for Telnet users logging in to VTY 0:
- Authenticate users logging in to VTY 0 using the local password.
- Set the local password to 123456 (in plain text).
- Commands of level 2 are available to users logging in to VTY 0.
- Telnet protocol is supported.
- The screen can contain up to 30 lines.
- The history command buffer can contain up to 20 commands.
- The timeout time of VTY 0 is 6 minutes.
2) Network diagram
Figure 3-5 Network diagram for Telnet configuration (with the authentication mode being password)
3) Configuration procedure
# Enter system view, and enable the Telnet service.
<Sysname> system-view
[Sysname] telnet server enable
# Enter VTY 0 user interface view.
[Sysname] user-interface vty 0
# Configure to authenticate users logging in to VTY 0 using the local password.
[Sysname-ui-vty0] authentication-mode password
# Set the local password to 123456 (in plain text).
[Sysname-ui-vty0] set authentication password simple 123456
# Specify that commands of level 2 are available to users logging in to VTY 0.
[Sysname-ui-vty0] user privilege level 2
# Configure VTY 0 to support the Telnet protocol.
[Sysname-ui-vty0] protocol inbound telnet
# Set the maximum number of lines the screen can contain to 30.
[Sysname-ui-vty0] screen-length 30
# Set the maximum number of commands the history command buffer can store to 20.
[Sysname-ui-vty0] history-command max-size 20
# Set the timeout time to 6 minutes.
[Sysname-ui-vty0] idle-timeout 6
Follow these steps to perform Telnet configuration (with authentication mode being scheme):
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter one or more VTY user interface views | user-interface vty first-number [ last-number ] | —
Configure to authenticate users locally or remotely | authentication-mode scheme [ command-authorization ] | Required. The specified AAA scheme determines whether to authenticate users locally or remotely. Users are authenticated locally by default.
Quit to system view | quit | —
Configure the authentication scheme: enter the default ISP domain view | domain domain-name | Optional. By default, the local AAA scheme is applied. If you apply the local AAA scheme, you also need to perform the local user configuration below. If you apply an existing scheme by providing the radius-scheme-name argument, you also need to: (1) perform AAA-RADIUS configuration on the switch (refer to AAA Configuration in the Security Volume for details); (2) configure the user name and password accordingly on the AAA server (refer to the user manual of the AAA server).
Configure the authentication scheme: configure the AAA scheme to be applied to the domain | authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } | See the remarks for the previous row.
Quit to system view | quit | —
Create a local user and enter local user view | local-user user-name | No local user exists by default.
Set the authentication password for the local user | password { simple | cipher } password | Required. By default, a user is authorized with no password.
Specify the level of the local user | authorization-attribute level level | By default, no authorization attribute is configured for a local user.
Specify the service type for VTY users | service-type telnet | Required. By default, a user is authorized with no service.
Note that, when you log in to an Ethernet switch using the scheme authentication mode, your access rights depend on your user level defined in the AAA scheme.
When the local authentication mode is used, the user levels are specified using the authorization-attribute level level command.
When the RADIUS or HWTACACS authentication mode is used, the user levels are set on the corresponding RADIUS or HWTACACS servers.
For more information about AAA, RADIUS, and HWTACACS, see AAA Configuration in the Security Volume.
1) Network requirements
Assume that you are a level 3 AUX user and want to perform the following configuration for Telnet users logging in to VTY 0:
l Configure the name of the local user to be “guest”.
l Set the authentication password of the local user to 123456 (in plain text).
l Set the service type of VTY users to Telnet.
l Configure to authenticate users logging in to VTY 0 in scheme mode.
l The commands of level 2 are available to users logging in to VTY 0.
l Telnet protocol is supported in VTY 0.
l The screen can contain up to 30 lines.
l The history command buffer can store up to 20 commands.
l The timeout time of VTY 0 is 6 minutes.
Figure 3-6 Network diagram for Telnet configuration (with the authentication mode being scheme)
2) Configuration procedure
l Configure the switch
# Enter system view, and enable the Telnet service.
<Sysname> system-view
[Sysname] telnet server enable
# Create a local user named guest and enter local user view.
[Sysname] local-user guest
# Set the authentication password of the local user to 123456 (in plain text).
[Sysname-luser-guest] password simple 123456
# Set the service type to Telnet.
[Sysname-luser-guest] service-type telnet
# Make commands of level 2 available to the local user. In scheme mode with local authentication, the user level comes from this authorization attribute rather than from the VTY.
[Sysname-luser-guest] authorization-attribute level 2
# Return to system view.
[Sysname-luser-guest] quit
# Enter VTY 0 user interface view.
[Sysname] user-interface vty 0
# Configure to authenticate users logging in to VTY 0 in the scheme mode.
[Sysname-ui-vty0] authentication-mode scheme
# Configure VTY 0 to support the Telnet protocol.
[Sysname-ui-vty0] protocol inbound telnet
# Set the maximum number of lines the screen can contain to 30.
[Sysname-ui-vty0] screen-length 30
# Set the maximum number of commands the history command buffer can store to 20.
[Sysname-ui-vty0] history-command max-size 20
# Set the timeout time to 6 minutes.
[Sysname-ui-vty0] idle-timeout 6
l Configure the authentication scheme
Configure the authentication server by referring to related parts in AAA Configuration.
Secure Shell (SSH) offers an approach to logging into a remote device securely. With encryption and strong authentication, it protects devices against attacks such as IP spoofing and plain text password interception. For the security features provided by SSH, see SSH Configuration in the Security Volume.
When logging in through NMS, go to these sections for information you are interested in:
l Connection Establishment Using NMS
You can also log in to a switch through an NMS (network management station), and then configure and manage the switch through the agent module on the switch.
l The agent here refers to the software running on network devices (switches) and as the server.
l SNMP (simple network management protocol) is applied between the NMS and the agent.
To log in to a switch through an NMS, you need to perform related configuration on both the NMS and the switch.
Table 4-1 Requirements for logging in to a switch through an NMS
Item | Requirement
Switch | The IP address of the management VLAN of the switch is configured. The route between the NMS and the switch is available.
Switch | The basic SNMP functions are configured. (Refer to SNMP Configuration in the System Volume for details.)
NMS | The NMS is properly configured. (Refer to the user manual of the NMS for details.)
Figure 4-1 Network diagram for logging in through an NMS
When specifying source IP address/interface for Telnet packets, go to these sections for information you are interested in:
l Specifying Source IP address/Interface for Telnet Packets
l Displaying the source IP address/Interface Specified for Telnet Packets
To improve security and make it easier to manage services, you can specify source IP addresses/interfaces for Telnet clients.
Usually, Loopback interface IP addresses are used as the source IP addresses of Telnet packets. After you specify the IP address of a Loopback interface as the source IP address of Telnet packets, all the packets exchanged between the Telnet client and the Telnet server use the IP address as their source IP addresses, regardless of the ports through which they are transmitted. In such a way, the actual IP addresses used are concealed. This helps to improve security. Specifying source IP address/interfaces for Telnet packets also provides a way to successfully connect to servers that only accept packets with specific source IP addresses.
The configuration can be performed in user view and in system view. The configuration performed in user view applies only to the current session, whereas the configuration performed in system view applies to all subsequent sessions. The configuration in user view takes precedence over that in system view.
Follow these steps to specify source IP address/interface for Telnet packets in user view:
To do… | Use the command… | Remarks
Specify source IP address/interface for Telnet packets (the switch operates as a Telnet client) | telnet remote-system [ port-number ] [ source { ip ip-address | interface interface-type interface-number } ] | Optional. By default, no source IP address/interface is specified.
Follow these steps to specify source IP address/interface for Telnet packets in system view:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Specify source IP address/interface for Telnet packets | telnet client source { ip ip-address | interface interface-type interface-number } | Optional. By default, no source IP address/interface is specified.
l The IP address specified must be a local IP address.
l When specifying the source interface for Telnet packets, make sure the interface already exists.
l Before specifying the source IP address/interface for Telnet packets, make sure the route between the interface and the Telnet server is reachable.
Follow these steps to display the source IP address/interface specified for Telnet packets:
To do… | Use the command… | Remarks
Display the source IP address/interface specified for Telnet packets | display telnet client configuration | Available in any view
When controlling login users, go to these sections for information you are interested in:
l Controlling Network Management Users by Source IP Addresses
Multiple ways are available for controlling different types of login users, as listed in Table 6-1.
Table 6-1 Ways to control different types of login users
Login mode | Control method | Implementation | Related section
Telnet | By source IP addresses | Through basic ACLs | Controlling Telnet Users by Source IP Addresses
Telnet | By source and destination IP addresses | Through advanced ACLs | Controlling Telnet Users by Source and Destination IP Addresses
Telnet | By source MAC addresses | Through Layer 2 ACLs | Controlling Telnet Users by Source MAC Addresses
SNMP | By source IP addresses | Through basic ACLs | Controlling Network Management Users by Source IP Addresses
The controlling policy against Telnet users is determined, including the source and destination IP addresses to be controlled and the controlling actions (permitting or denying).
This configuration needs to be implemented by basic ACL; a basic ACL ranges from 2000 to 2999. For the definition of ACL, refer to ACL Configuration in the Security Volume.
Follow these steps to control Telnet users by source IP addresses:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Create a basic ACL or enter basic ACL view | acl number acl-number [ match-order { config | auto } ] | As for the acl number command, the config keyword is specified by default.
Define rules for the ACL | rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } | time-range time-name | fragment | logging ]* | Required
Quit to system view | quit | —
Enter user interface view | user-interface [ type ] first-number [ last-number ] | —
Apply the ACL to control Telnet users by source IP addresses | acl acl-number { inbound | outbound } | Required. The inbound keyword filters users trying to Telnet to the current switch. The outbound keyword filters users trying to Telnet to other switches from the current switch.
This configuration needs to be implemented by advanced ACL; an advanced ACL ranges from 3000 to 3999. For the definition of ACL, refer to ACL Configuration in the Security Volume.
Follow these steps to control Telnet users by source and destination IP addresses:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Create an advanced ACL or enter advanced ACL view | acl number acl-number [ match-order { config | auto } ] | As for the acl number command, the config keyword is specified by default.
Define rules for the ACL | rule [ rule-id ] { permit | deny } rule-string | Required. You can define rules as needed to filter by specific source and destination IP addresses.
Quit to system view | quit | —
Enter user interface view | user-interface [ type ] first-number [ last-number ] | —
Apply the ACL to control Telnet users by specified source and destination IP addresses | acl acl-number { inbound | outbound } | Required. The inbound keyword filters users trying to Telnet to the current switch. The outbound keyword filters users trying to Telnet to other switches from the current switch.
This configuration needs to be implemented by Layer 2 ACL; a Layer 2 ACL ranges from 4000 to 4999. For the definition of ACL, refer to ACL Configuration in the Security Volume.
Follow these steps to control Telnet users by source MAC addresses:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Create a Layer 2 ACL or enter Layer 2 ACL view | acl number acl-number [ match-order { config | auto } ] | As for the acl number command, the config keyword is specified by default.
Define rules for the ACL | rule [ rule-id ] { permit | deny } rule-string | Required. You can define rules as needed to filter by specific source MAC addresses.
Quit to system view | quit | —
Enter user interface view | user-interface [ type ] first-number [ last-number ] | —
Apply the ACL to control Telnet users by source MAC addresses | acl acl-number inbound | Required. The inbound keyword filters users trying to Telnet to the current switch.
A Layer 2 ACL does not take effect for this function if the source IP address of the Telnet client and the interface IP address of the Telnet server are not in the same subnet.
Only Telnet users sourced from the IP addresses 10.110.100.52 and 10.110.100.46 are permitted to log in to the switch.
Figure 6-1 Network diagram for controlling Telnet users using ACLs
# Define a basic ACL.
<Sysname> system-view
[Sysname] acl number 2000 match-order config
[Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[Sysname-acl-basic-2000] rule 2 permit source 10.110.100.46 0
[Sysname-acl-basic-2000] rule 3 deny source any
[Sysname-acl-basic-2000] quit
# Apply the ACL.
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] acl 2000 inbound
You can manage an S3600 Series EPON OLT switch through network management software. Network management users access the switch through SNMP.
You need to perform the following two operations to control network management users by source IP addresses.
l Defining an ACL
l Applying the ACL to control users accessing the switch through SNMP
The controlling policy against network management users is determined, including the source IP addresses to be controlled and the controlling actions (permitting or denying).
Follow these steps to control network management users by source IP addresses:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Create a basic ACL or enter basic ACL view | acl number acl-number [ match-order { config | auto } ] | As for the acl number command, the config keyword is specified by default.
Define rules for the ACL | rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } | time-range time-name | fragment | logging ]* | Required
Quit to system view | quit | —
Apply the ACL while configuring the SNMP community name | snmp-agent community { read | write } community-name [ mib-view view-name | acl acl-number ]* | Required. Depending on the SNMP version and the configuration customs of NMS users, you can reference an ACL when configuring the community name, group name or user name. For the detailed configuration, refer to SNMP Configuration in the System Volume.
Apply the ACL while configuring the SNMP group name | snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]; snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ] | See the remarks for the community name row.
Apply the ACL while configuring the SNMP user name | snmp-agent usm-user { v1 | v2c } user-name group-name [ acl acl-number ]; snmp-agent usm-user v3 user-name group-name [ [ cipher ] authentication-mode { md5 | sha } auth-password [ privacy-mode { 3des | des56 | aes128 } priv-password ] ] [ acl acl-number ] | See the remarks for the community name row.
Only SNMP users sourced from the IP addresses of 10.110.100.52 and 10.110.100.46 are permitted to access the switch.
Figure 6-2 Network diagram for controlling SNMP users using ACLs
# Define a basic ACL.
<Sysname> system-view
[Sysname] acl number 2000 match-order config
[Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[Sysname-acl-basic-2000] rule 2 permit source 10.110.100.46 0
[Sysname-acl-basic-2000] rule 3 deny source any
[Sysname-acl-basic-2000] quit
# Apply the ACL to only permit SNMP users sourced from the IP addresses of 10.110.100.52 and 10.110.100.46 to access the switch.
[Sysname] snmp-agent community read h3c acl 2000
[Sysname] snmp-agent group v2c h3cgroup acl 2000
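The Telnet login example and the SNMP example above both rely on the same basic ACL 2000, so it is worth checking offline what that ACL admits before applying it with acl 2000 inbound on the VTY lines or with the acl keyword on a community or group. The following script is an added example written for this page; it is not H3C code and does not run on the switch. It parses the acl number and rule lines exactly as typed at the [Sysname] prompts above and evaluates candidate source addresses against them, modelling the wildcard mask (a set bit means "do not care", so wildcard 0 is an exact host match and 0.0.0.255 admits a /24) and the config match order. Three points are assumptions of the model rather than statements from the page: rules are compared in ascending rule-ID order, a source that matches no rule is treated as permitted (which is why the page's ACL ends with rule 3 deny source any, and what the audit check flags when that rule is missing), and rule IDs the operator omits are auto-assigned as the next multiple of 5. The subnet variant goes beyond the page's two-host allow-list to show the wildcard in use.

```python
"""Offline model of a Comware basic ACL (2000-2999) in `match-order config`.

Constructed example for this page, not H3C code. Assumptions: ascending
rule-ID match order, implicit permit when no rule matches, omitted rule IDs
auto-assigned as the next multiple of 5.
"""
import ipaddress
from dataclasses import dataclass, field

ALL_ONES = 0xFFFFFFFF


def _to_int(token):
    """Accept a dotted quad or the bare-integer shorthand the CLI allows (wildcard `0`)."""
    return int(ipaddress.IPv4Address(token)) if "." in token else int(token)


def _strip_prompt(raw):
    """Drop a leading `<Sysname>` or `[Sysname-...]` prompt so a pasted session parses."""
    raw = raw.strip()
    if raw[:1] in ("<", "["):
        return raw.split(">" if raw[0] == "<" else "]", 1)[1].strip()
    return raw


@dataclass
class Rule:
    rule_id: int
    action: str      # "permit" or "deny"
    addr: int        # source address; 0 with wildcard ALL_ONES models `any`
    wildcard: int    # wildcard mask: a 1 bit means that bit is not compared

    def matches(self, src):
        # Compare only the bits the wildcard does not mask out.
        return (src ^ self.addr) & (ALL_ONES ^ self.wildcard) == 0


@dataclass
class BasicAcl:
    number: int
    rules: list = field(default_factory=list)

    @classmethod
    def from_cli(cls, session):
        """Build an ACL from `acl number` / `rule` lines; other view changes are ignored."""
        acl = None
        for raw in session.splitlines():
            tokens = _strip_prompt(raw).split()
            if not tokens or tokens[0] in ("system-view", "quit"):
                continue
            if tokens[:2] == ["acl", "number"]:
                number = int(tokens[2])
                if not 2000 <= number <= 2999:
                    raise ValueError(f"ACL {number} is outside the basic ACL range 2000-2999")
                acl = cls(number)
            elif tokens[0] == "rule" and acl is not None:
                acl.rules.append(acl._parse_rule(tokens[1:]))
            else:
                raise ValueError(f"unsupported line: {raw.strip()}")
        if acl is None:
            raise ValueError("no `acl number` line found")
        return acl

    def _parse_rule(self, tokens):
        # rule [ rule-id ] { permit | deny } source { sour-addr sour-wildcard | any }
        rule_id = None
        if tokens[0].isdigit():
            rule_id, tokens = int(tokens[0]), tokens[1:]
        action, keyword, *rest = tokens
        if action not in ("permit", "deny") or keyword != "source":
            raise ValueError("only `source`-based rules are modelled here")
        if rest[0] == "any":
            addr, wildcard = 0, ALL_ONES
        else:
            addr, wildcard = _to_int(rest[0]), _to_int(rest[1])
        if rule_id is None:  # assumption: auto-assign the next multiple of 5
            last = max((r.rule_id for r in self.rules), default=-5)
            rule_id = (last // 5 + 1) * 5
        return Rule(rule_id, action, addr, wildcard)

    def evaluate(self, source):
        """Return (action, rule_id); rule_id is None when no rule matched."""
        src = int(ipaddress.IPv4Address(source))
        for rule in sorted(self.rules, key=lambda r: r.rule_id):
            if rule.matches(src):
                return rule.action, rule.rule_id
        return "permit", None  # assumption: an unmatched source may still log in

    def audit(self):
        """Findings to resolve before using the ACL to gate Telnet or SNMP access."""
        findings = []
        ordered = sorted(self.rules, key=lambda r: r.rule_id)
        if not ordered or not (ordered[-1].action == "deny" and ordered[-1].wildcard == ALL_ONES):
            findings.append("no final `deny source any`: hosts matching no rule can still log in")
        findings += [f"rule {r.rule_id} permits any source" for r in ordered
                     if r.action == "permit" and r.wildcard == ALL_ONES]
        return findings


# The ACL from the page's Telnet and SNMP examples, as typed at the prompts.
PAGE_ACL = """\
<Sysname> system-view
[Sysname] acl number 2000 match-order config
[Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[Sysname-acl-basic-2000] rule 2 permit source 10.110.100.46 0
[Sysname-acl-basic-2000] rule 3 deny source any
[Sysname-acl-basic-2000] quit
"""
# Constructed variant that forgets the final deny: every other host is still admitted.
OPEN_ACL = PAGE_ACL.replace("[Sysname-acl-basic-2000] rule 3 deny source any\n", "")
# Constructed variant that admits a whole /24 with a wildcard instead of two hosts.
SUBNET_ACL = """\
[Sysname] acl number 2001
[Sysname-acl-basic-2001] rule permit source 10.110.100.0 0.0.0.255
[Sysname-acl-basic-2001] rule deny source any
"""

if __name__ == "__main__":
    for name, session in (("page", PAGE_ACL), ("open", OPEN_ACL), ("subnet", SUBNET_ACL)):
        acl = BasicAcl.from_cli(session)
        for host in ("10.110.100.52", "10.110.100.99", "10.110.101.7"):
            print(name, acl.number, host, acl.evaluate(host))
        print(name, "audit:", acl.audit())
```

Running the script shows the page's ACL admitting only the two listed hosts, the open variant admitting 10.110.100.99 with no rule matched and the audit flagging the missing deny, and the subnet variant admitting any 10.110.100.x host under auto-assigned rule 0 while denying 10.110.101.7 under rule 5.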