inbound: Restricts Telnet or SSH connections established in the inbound direction through the VTY user interface. If the received packets for establishing a Telnet or SSH connection are permitted by an ACL rule, the connection is allowed to be established. When the device functions as a Telnet server or SSH server, use this keyword to control access of Telnet clients or SSH clients.

outbound: Restricts Telnet connections established in the outbound direction through the VTY user interface. If the packets sent for establishing a Telnet connection are permitted by an ACL rule, the connection is allowed to be established. When the device functions as a Telnet client, use this keyword to define Telnet servers accessible to the client.

Usage guidelines

If no ACL is referenced in VTY user interface view, the VTY user interface has no access control over establishing a Telnet or SSH connection.

If an ACL is referenced in VTY user interface view, the connection is permitted to be established only when packets for establishing a Telnet or SSH connection match a permit statement in the ACL.

The system regards the basic/advanced ACL with the inbound keyword, the basic/advanced ACL with the outbound keyword, WLAN ACL, and Ethernet frame header ACL as different types of ACLs, which can coexist in one VTY user interface. The match order is WLAN ACL, basic/advanced ACL, Ethernet frame header ACL. At most, one ACL of each type can be referenced in the same VTY user interface, and the most recently configured one takes effect.

For more information about ACL, see ACL and QoS Command Reference.

Examples

# Allow only the user with the IP address of 192.168.1.26 to access the device through Telnet or SSH.

<Sysname> system-view

[Sysname] acl number 2001

[Sysname-acl-basic-2001] rule permit source 192.168.1.26 0

[Sysname-acl-basic-2001] quit

[Sysname] user-interface vty 0

[Sysname-ui-vty0] acl 2001 inbound

After the configuration, user A (with the IP address 192.168.1.26) can Telnet to the device, but user B (with the IP address 192.168.1.60) cannot. Upon a connection failure, the following message appears: "%connection closed by remote host!"

# Allow the device to only Telnet to the Telnet server with IP address 192.168.1.41.

<Sysname> system-view

[Sysname] acl number 3001

[Sysname-acl-adv-3001] rule permit tcp destination 192.168.1.41 0

[Sysname-acl-adv-3001] quit

[Sysname] user-interface vty 0 4

[Sysname-ui-vty0-4] acl 3001 outbound

[Sysname-ui-vty0-4] return

After your configuration, if you Telnet to 192.168.1.46, your operation fails.

<Sysname> telnet 192.168.1.46

%Can't access the host from this terminal!

However, you can Telnet to 192.168.1.41.

<Sysname> telnet 192.168.1.41

Trying 192.168.1.41 ...

Press CTRL+K to abort

Connected to 192.168.1.41 ...

# Allow only the WLAN client with the SSID of Admin to access the device through VTY 0.

<Sysname> system-view

[Sysname] acl number 100

[Sysname-acl-wlan-100] rule permit ssid Admin

[Sysname-acl-wlan-100] quit

[Sysname] user-interface vty 0

[Sysname-ui-vty0] acl 100 inbound

activation-key

Use activation-key to define a shortcut key for starting a terminal session.

Use undo activation-key to restore the default.

Syntax

activation-key character

undo activation-key

Default

Pressing the Enter key starts a terminal session.

Views

User interface view

Default command level

3: Manage level

Parameters

character: Specifies the shortcut key for starting a terminal session. It can be a string of 1 to 3 characters, or an ASCII code value in the range of 0 to 127. If you enter a number that is greater than 127, or enter a string that is not a number, the first character is used as the shortcut key. For example, if you configure activation-key 987, the shortcut key is 9. If you configure activation-key abc, the shortcut key is a.

Usage guidelines

This command is not supported on VTY user interfaces.

To display the shortcut key you have defined, use the display current-configuration command.

Examples

# Configure character s as the shortcut key for starting a terminal session on the console user interface.

<Sysname> system-view

[Sysname] user-interface console 0

[Sysname-ui-console0] activation-key s

# Verify the configuration:

1. Exit the console session.

[Sysname-ui-console0] return

<Sysname> quit

2. Log in to the console user interface again.

The following message appears:

******************************************************************************

* Without the owner's prior written consent, *

* no decompiling or reverse-engineering shall be allowed. *

******************************************************************************

User interface con0 is available.

Please press ENTER.

3. Press Enter.

Pressing Enter does not start a session.

4. Enter s.

A terminal session is started.

%Mar 2 18:40:27:981 2005 Sysname SHELL/5/LOGIN: Console login from con0

authentication-mode

Use authentication-mode to set the authentication mode for a user interface.

Use undo authentication-mode to restore the default.

Syntax

authentication-mode { none | password | scheme }

undo authentication-mode

Default

The authentication mode is password for VTY and AUX user interfaces, and none for the console user interface.

Views

User interface view

Default command level

3: Manage level

Parameters

none: Performs no authentication. This keyword is not supported in FIPS mode.

password: Performs local password authentication. This keyword is not supported in FIPS mode.

scheme: Performs AAA authentication. For more information about AAA, see Security Configuration Guide.

Usage guidelines

In FIPS mode, only scheme mode is supported.

Examples

# Enable the none authentication mode for user interface VTY 0.

<Sysname> system-view

[Sysname] user-interface vty 0

[Sysname-ui-vty0] authentication-mode none

# Enable password authentication for user interface VTY 0 and set the password to 321.

<Sysname> system-view

[Sysname] user-interface vty 0

[Sysname-ui-vty0] authentication-mode password

[Sysname-ui-vty0] set authentication password simple 321

# Enable scheme authentication for user interface VTY 0, and set the username to 123 and the password to 321.

<Sysname> system-view

[Sysname] user-interface vty 0

[Sysname-ui-vty0] authentication-mode scheme

[Sysname-ui-vty0] quit

[Sysname] local-user 123

[Sysname-luser-123] password simple 321

[Sysname-luser-123] service-type telnet

[Sysname-luser-123] authorization-attribute level 3

Related commands

set authentication password

auto-execute command

CAUTION:

After configuring this command for a user interface, you might be unable to access the CLI through the user interface. Make sure you can access the CLI through a different user interface before you configure this command and save the configuration.

Use auto-execute command to specify a command that is to be automatically executed when a user logs in to the current user interface.

Use undo auto-execute command to remove the configuration.

Syntax

auto-execute command command

undo auto-execute command

Default

Command auto-execution is disabled.

Views

User interface view

Default command level

3: Manage level

Parameters

command: Specifies the command to be automatically executed.

Usage guidelines

This command is not supported on the console user interface, or the AUX user interface when the device has only one AUX port and no console port.

The system automatically executes the specified command when a user logs in to the user interface, and tears down the user connection after the command is executed. If the command triggers another task, the system does not tear down the user connection until the task is completed.

The command auto-execute function is typically used for redirecting a Telnet user to a specific host.

Examples

# Configure the device to automatically Telnet to 192.168.1.41 after a user logs in to interface VTY 0.

<Sysname> system-view

[Sysname] user-interface vty 0

[Sysname -ui-vty0] auto-execute command telnet 192.168.1.41

% This action will lead to configuration failure through ui-vty0. Are you sure?

[Y/N]:y

[Sysname-ui-vty0]

# To verify the configuration, Telnet to 192.168.1.40.

The device automatically Telnets to 192.168.1.41, and the following output is displayed:

C:\> telnet 192.168.1.40

******************************************************************************

* Without the owner's prior written consent, *

* no decompiling or reverse-engineering shall be allowed. *

******************************************************************************

Trying 192.168.1.41 ...

Press CTRL+K to abort

Connected to 192.168.1.41 ...

******************************************************************************

* Without the owner's prior written consent, *

* no decompiling or reverse-engineering shall be allowed. *

******************************************************************************

<Sysname.41>

This operation is the same as directly logging in to the device at 192.168.1.41. If the Telnet connection to 192.168.1.41 is broken down, the Telnet connection to 192.168.1.40 breaks down at the same time.

command accounting

Use command accounting to enable command accounting.

Use undo command accounting to restore the default.

Syntax

command accounting

undo command accounting

Default

Command accounting is disabled, and the accounting server does not record executed commands.

Views

User interface view

Default command level

3: Manage level

Usage guidelines

When command accounting is enabled and command authorization is not, every executed command is recorded on the HWTACACS server.

When both command accounting and command authorization are enabled, only the authorized and executed commands are recorded on the HWTACACS server.

Examples

# Enable command accounting for user interface VTY 0.

<Sysname> system-view

[Sysname] user-interface vty 0

[Sysname-ui-vty0] command accounting

command authorization

Use command authorization to enable command authorization.

Use undo command authorization to restore the default.

Syntax

command authorization

undo command authorization

Default

Command authorization is disabled. Logged-in users can execute commands without authorization.

Views

User interface view

Default command level

3: Manage level

Usage guidelines

With command authorization enabled, users can perform only commands authorized by the server.

Examples

# Enable command accounting for VTY 0 so users logged in to VTY 0 can perform only the commands authorized by the HWTACACS server.

<Sysname> system-view

[Sysname] user-interface vty 0

[Sysname-ui-vty0] command authorization

databits

Use databits to specify the number of data bits for each character.

Use undo databits to restore the default.

Syntax

databits { 7 | 8 }

undo databits

Default

Eight data bits are used for each character.

Views

User interface view

Default command level

2: System level

Parameters

7: Uses seven data bits for each character.

8: Uses eight data bits for each character.

Usage guidelines

This command is only applicable to asynchronous serial interfaces, including AUX and console ports.

This setting must be the same as that on the configuration terminal.

Examples

# Configure AUX 0 to use 7 data bits for each character.

<Sysname> system-view

[Sysname] user-interface aux 0

[Sysname-ui-aux0] databits 7

display ip http

Use display ip http to display HTTP information.

Syntax

display ip http [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display information about HTTP.

<Sysname> display ip http

HTTP port: 80

WLAN ACL: 100

Basic ACL: 2222

Current connection: 0

Operation status: Running

Table 1 Command output

Field	Description
HTTP port	Port number used by the HTTP service.
WLAN ACL	WLAN ACL associated with the HTTP service.
Basic ACL	Basic ACL number associated with the HTTP service.
Current connection	Number of current connections.
Operation status	Operation status: · Running—The HTTP service is enabled. · Stopped—The HTTP service is disabled.

display ip https

Use display ip https to display information about HTTPS.

Syntax

display ip https [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display information about HTTPS.

<Sysname> display ip https

HTTPS port: 443

SSL server policy: test

Certificate access-control-policy:

WLAN ACL: 100

Basic ACL: 2222

Operation status: Running

Table 2 Command output

Field	Description
HTTPS port	Port number used by the HTTPS service.
SSL server policy	SSL server policy associated with the HTTPS service.
Certificate access-control-policy	Certificate attribute access control policy associated with the HTTPS service.
WLAN ACL	WLAN ACL number associated with the HTTPS service.
Basic ACL	Basic ACL number associated with the HTTPS service.
Operation status	Operation status: · Running—The HTTPS service is enabled. · Stopped—The HTTPS service is disabled.

display telnet client configuration

Use display telnet client configuration to display the configuration of the device when it serves as a Telnet client.

Syntax

display telnet client configuration [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Usage guidelines

This command is not supported in FIPS mode.

Examples

# Display the configuration of the device when it serves as a Telnet client.

<Sysname> display telnet client configuration

The source IP address is 1.1.1.1.

The output shows that the device uses the source IPv4 address 1.1.1.1 for outgoing Telnet packets when it serves as a Telnet client.

display user-interface

Use display user-interface to display user interface information.

Syntax

display user-interface [ num1 | { aux | console | vty } num2 ] [ summary ] [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

num1: Specifies the absolute number of a user interface. The value range varies with devices and typically starts from 0. For more information, see About the H3C Access Controllers Command References.

aux: Specifies the AUX user interface. Support for this keyword depends on the device model. For more information, see About the H3C Access Controllers Command References.

console: Specifies the console user interface. Support for this keyword depends on the device model. For more information, see About the H3C Access Controllers Command References.

vty: Specifies the VTY user interface.

num2: Specifies the relative number of a user interface. The value range depends on the user interface type:

· AUX—0

· Console—0

· VTY—0 to 4

summary: Displays summary information about user interfaces.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display information about user interface 0.

<Sysname> display user-interface 0

Idx Type Tx/Rx Modem Privi Auth Int

+ 0 CON 0 9600 - 3 N -

+ : Current user-interface is active.

F : Current user-interface is active and work in async mode.

Idx : Absolute index of user-interface.

Type : Type and relative index of user-interface.

Privi: The privilege of user-interface.

Auth : The authentication mode of user-interface.

Int : The physical location of UIs.

A : Authentication use AAA.

L : Authentication use local database.

N : Current UI need not authentication.

P : Authentication use current UI's password.

Table 3 Command output

Field	Description
Idx	Absolute number of the user interface.
Type	Type and relative number of the user interface.
Tx/Rx	Transmit/receive rate of the user interface.
Privi	Command level of a user under that user interface.
Auth	Authentication mode for the users: · A—Scheme authentication mode. · L—Local authentication mode (not supported). · N—None authentication mode. · P—Password authentication mode.
Int	Physical port that corresponds to the user interface. For console, AUX, and VTY user interfaces, a hyphen (-) is displayed.

# Display summary information about all user interfaces.

<Sysname> display user-interface summary

User interface type : [CON]

0:X

User interface type : [AUX]

1:X

User interface type : [VTY]

2:XUXU U

3 character mode users. (U)

4 UI never used. (X)

3 total UI in use

Table 4 Command output

Field	Description
0:X	0 represents the absolute number of the user interface. If the user interface is not used, an X is displayed. If the user interface is being used, a U is displayed. For example, 2:XUXU U shows there are five user interfaces of the user interface type, which use the absolute numbers 2 through 6. User interfaces 2 and 4 are not used, and the other user interfaces are being used.

display users

Use display users to display information about the user interfaces being used.

Use display users all to display information about all user interfaces supported by the device.

Syntax

display users [ all ] [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

all: Displays information about all user interfaces the device supports.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display information about the user interfaces being used.

<Sysname> display users

The user application information of the user interface(s):

Idx UI Delay Type Userlevel

+ 178 VTY 0 00:00:00 TEL 3

179 VTY 1 00:02:34 TEL 3

Following are more details.

VTY 0 :

Location: 192.168.1.54

VTY 1 :

Location: 192.168.1.58

+ : Current operation user.

F : Current operation user work in async mode.

The output shows that two users have logged in to the device: You are using user interface VTY 0 and the other user is using VTY 1. Your IP address is 192.168.1.54.

Table 5 Command output

Field	Description
Idx	Absolute number of the user interface.
UI	Relative number of the user interface. For example, with VTY, the first column represents user interface type, and the second column represents the relative number of the user interface.
Delay	Time elapsed after the user's last input, in the format hh:mm:ss.
Type	User type, such as Telnet or SSH.
Userlevel	User level: 0 for visit, 1 for monitor, 2 for system, and 3 for manage.
+	User interface you are using.
Location	IP address of the user.
F	The current user is operating in asynchronous mode.

display web users

Use display web users to display information about the Web users.

Syntax

display web users [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display information about the Web users.

<Sysname> display web users

UserID Name Lang Level State Links Login LastOp Ip

ab830100 admin zn Manage Enabled 0 17:22:53 17:31:43 192.168.1

Table 6 Command output

Field	Description
UserID	Web user ID.
Name	Web username.
Lang	Language used in Web login.
Level	Web user level.
State	Web user status.
Links	Number of tasks running for the Web user.
Login	Login time.
LastOp	Last time when the Web user accessed the device.
IP	IP address of the Web user.

escape-key

Use escape-key to define a shortcut key for terminating a task.

Use undo escape-key to disable the shortcut key for terminating tasks.

Syntax

escape-key { default | character }

undo escape-key

Default

Pressing Ctrl+C terminates a task.

Views

User interface view

Default command level

3: Manage level

Parameters

character: Specifies the shortcut key for terminating a task. It can be a string of 1 to 3 characters, or an ASCII code value in the range of 0 to 127. If you enter a number that is greater than 127, or enter a string that is not a number, the first character is used as the shortcut key. For example, if you configure escape-key 987, the shortcut key is 9. If you configure escape-key abc, the shortcut key is a.

default: Restores the default escape key sequence Ctrl+C.

Usage guidelines

If you execute this command multiple times, the most recent definition takes effect. To display the effective shortcut key definition, use the display current-configuration command.

If you set the character argument in a user interface of a device, when you use the user interface to log in to the device and then Telnet to another device, the character argument can be used as a control character to terminate a task rather than being used as a common character. For example, if you specify character e in VTY 0 user interface of Device A, when you log in to Device A using VTY 0 from a PC (HyperTerminal), you can enter e as a common character on the PC, and you can also use e to terminate the task running on Device A. If you Telnet to Device B from Device A, you can only use e to terminate the task running on Device B, rather than using e as a common character. It is a good practice to specify a key sequence.

Examples

# Define character a as the shortcut key for terminating a task.

<Sysname> system-view

[Sysname] user-interface console 0

[Sysname-ui-console0] escape-key a

# To verify the configuration:

1. Ping IP address 192.168.1.49, specifying the -c keyword to set the number of ICMP echo request packets to 20.

<Sysname> ping -c 20 192.168.1.49

PING 192.168.1.49: 56 data bytes, press a to break

Reply from 192.168.1.49: bytes=56 Sequence=1 ttl=255 time=3 ms

Reply from 192.168.1.49: bytes=56 Sequence=2 ttl=255 time=3 ms

2. Press a.

The task terminates, and the system returns to user view.

--- 192.168.1.49 ping statistics ---

2 packet(s) transmitted

2 packet(s) received

0.00% packet loss

round-trip min/avg/max = 3/3/3 ms

free user-interface

Use free user-interface to release a user interface.

Syntax

free user-interface { num1 | { aux | console | vty } num2 }

Views

User view

Default command level

3: Manage level

Parameters

aux: Specifies the AUX user interface. Support for this keyword depends on the device model. For more information, see About the H3C Access Controllers Command References.

console: Specifies the console user interface. Support for this keyword depends on the device model. For more information, see About the H3C Access Controllers Command References.

vty: Specifies the VTY user interface.

num2: Specifies the relative number of a user interface. The value range depends on the user interface type:

· AUX—0

· Console—0

· VTY—0 to 4

Usage guidelines

This command cannot release the connection you are using.

Examples

# Release user interface VTY 1:

1. Display which users are operating the device.

<Sysname> display users

The user application information of the user interface(s):

Idx UI Delay Type Userlevel

+ 82 VTY 0 00:00:00 TEL 3

83 VTY 1 00:00:03 TEL 3

Following are more details.

VTY 0 :

Location: 192.168.1.26

VTY 1 :

Location: 192.168.1.20

+ : Current operation user.

F : Current operation user work in async mode.

2. If the operations of the user on VTY 1 affect your operations, log out the user.

<Sysname> free user-interface vty 1

Are you sure to free user-interface vty1? [Y/N]:y

free web-users

Use free web-users to log out Web users.

Syntax

free web-users { all | user-id user-id | user-name user-name }

Views

User view

Default command level

2: System level

Parameters

all: Specifies all Web users.

user-id: Web user ID, a hexadecimal number of eight digits.

user-name: Web user name, a string of 1 to 80 characters.

Examples

# Log out all Web users.

<Sysname> free web-users all

Related commands

display web users

history-command max-size

Use history-command max-size to set the size of the command history buffer for a user interface.

Use undo history-command max-size to restore the default.

Syntax

history-command max-size size-value

undo history-command max-size

Default

The buffer of a user interface saves 10 history commands at most.

Views

User interface view

Default command level

2: System level

Parameters

size-value: Specifies the maximum number of history commands the buffer can store, in the range of 0 to 256.

Usage guidelines

Each user interface uses a separate command history buffer to save commands successfully executed by its user. The size of the buffer determines how many history commands the buffer can store.

To view stored history commands on your user interface, press the up arrow key or down arrow key or execute the display history-command command.

Terminating the CLI session clears the commands in the history buffer.

Examples

# Set the size of the command history buffer to 20 for user interface Console 0.

<Sysname> system-view

[Sysname] user-interface console 0

[Sysname-ui-console0] history-command max-size 20

idle-timeout

Use idle-timeout to set the session idle-timeout timer.

Use undo idle-timeout to restore the default.

Syntax

idle-timeout minutes [ seconds ]

undo idle-timeout

Default

The idle-timeout time is 10 minutes.

Views

User interface view

Default command level

2: System level

Parameters

minutes: Specifies the number of minutes for the idle-timeout time, in the range of 0 to 35791. The default is 10 minutes.

seconds: Specifies the number of seconds for the idle-timeout time, in the range of 0 to 59. The default is 0 seconds.

Usage guidelines

The system automatically terminates the user connection on the user interface if there is no information interaction between the device and the user within the idle-timeout time.

Setting the idle-timeout timer to 0 disables the idle-timeout function.

Examples

# Set the idle-timeout timer to 1 minute and 30 seconds.

<Sysname> system-view

[Sysname] user-interface console 0

[Sysname-ui-console0] idle-timeout 1 30

ip http acl

Use ip http acl to associate the HTTP service with an ACL.

Use undo ip http acl to remove the association.

Syntax

ip http acl acl-number

undo ip http acl acl-number

Default

The HTTP service is not associated with any ACL.

Views

System view

Default command level

2: System level

Parameters

acl-number: ACL number. The value range depends on the ACL category:

· WLAN ACL—100 to 199

· Basic IPv4 ACL—2000 to 2999

Usage guidelines

After the HTTP service is associated with an ACL, only the clients permitted by the ACL can access the device through HTTP.

The HTTP service can be associated with a WLAN ACL and a basic ACL, and the two types of ACLs will not overwrite each other. However, ACLs of the same type will overwrite each other. If you execute the ip http acl command multiple times to associate the HTTP service with the same type of ACLs, the HTTP service is only associated with the most recently specified ACL.

When the HTTP service is associated with a WLAN ACL, the HTTP service uses this ACL to filter wireless clients only, and does not filter wired clients with this ACL.

Examples

# Associate the HTTP service with ACL 100 to allow only the wireless client with the SSID user-ssid-name to access the device through HTTP.

<Sysname> system-view

[Sysname] acl number 100

[Sysname-acl-wlan-100] rule permit ssid user-ssid-name

[Sysname-acl-wlan-100] quit

[Sysname] ip http acl 100

# Associate the HTTP service with ACL 2001 to only allow the clients within the 10.10.0.0/16 network to access the device through HTTP.

<Sysname> system-view

[Sysname] acl number 2001

[Sysname-acl-basic-2001] rule permit source 10.10.0.0 0.0.255.255

[Sysname-acl-basic-2001] quit

[Sysname] ip http acl 2001

Related commands

· display ip http

· acl number (ACL and QoS Command Reference)

ip http enable

Use ip http enable to enable the HTTP service.

Use undo ip http enable to disable the HTTP service.

Syntax

ip http enable

undo ip http enable

Default

The HTTP service is enabled.

Views

System view

Default command level

2: System level

Usage guidelines

The default setting of this command varies with devices.

The device can act as the HTTP server that can be accessed only after the HTTP service is enabled.

Examples

# Enable the HTTP service.

<Sysname> system-view

[Sysname] ip http enable

# Disable the HTTP service.

<Sysname> system-view

[Sysname] undo ip http enable

Related commands

display ip http

ip http port

Use ip http port to configure the port number of the HTTP service.

Use undo ip http port to restore the default.

Syntax

ip http port port-number

undo ip http port

Default

The port number of the HTTP service is 80.

Views

System view

Default command level

3: Manage level

Parameters

port-number: Port number of the HTTP service, which ranges from 1 to 65535.

Usage guidelines

Verify that the port number is not used by another service, because this command does not check for conflicts with configured port numbers.

Examples

# Configure the port number of the HTTP service as 8080.

<Sysname> system-view

[Sysname] ip http port 8080

Related commands

display ip http

ip https acl

Use ip https acl to associate the HTTPS service with an ACL.

Use undo ip https acl to remove the association.

Syntax

ip https acl acl-number

undo ip https acl acl-number

Default

The HTTPS service is not associated with any ACL.

Views

System view

Default command level

3: Manage level

Parameters

acl-number: ACL number. The value range depends on the ACL category:

· WLAN ACL—100 to 199

· Basic IPv4 ACL—2000 to 2999

Usage guidelines

After the HTTPS service is associated with an ACL, only the clients permitted by the ACL can access the device.

The HTTPS service can be associated with a WLAN ACL and basic ACL, and the two types of ACLs will not overwrite each other. However, ACLs of the same type will overwrite each other. If you execute the ip https acl command multiple times to associate the HTTPS service with the same type of ACLs, the HTTPS service is only associated with the most recently specified ACL.

When the HTTPS service is associated with a WLAN ACL, the HTTPS service uses this ACL to filter wireless clients only, and does not filter wired clients with this ACL.

Examples

# Associate the HTTPS service with ACL 100 to only allow the wireless client with the SSID user-ssid-name to access the device through HTTP.

<Sysname> system-view

[Sysname] acl number 100

[Sysname-acl-wlan-100] rule permit ssid user-ssid-name

[Sysname-acl-wlan-100] quit

[Sysname] ip https acl 100

# Associate the HTTPS service with ACL 2001 to only allow the clients within the 10.10.0.0/16 network segment to access the HTTPS server through HTTP.

<Sysname> system-view

[Sysname] acl number 2001

[Sysname-acl-basic-2001] rule permit source 10.10.0.0 0.0.255.255

[Sysname-acl-basic-2001] quit

[Sysname] ip https acl 2001

Related commands

· display ip https

· acl number (ACL and QoS Command Reference)

ip https certificate access-control-policy

Use ip https certificate access-control-policy to associate the HTTPS service with a certificate attribute access control policy.

Use undo ip https certificate access-control-policy to remove the association.

Syntax

ip https certificate access-control-policy policy-name

undo ip https certificate access-control-policy

Default

The HTTPS service is not associated with any certificate attribute access control policy.

Views

System view

Default command level

3: Manage level

Parameters

policy-name: Name of the certificate attribute access control policy, a string of 1 to 16 characters.

Usage guidelines

Association of the HTTPS service with a certificate attribute access control policy can control the access rights of clients.

Examples

# Associate the HTTPS server to certificate attribute access control policy myacl.

<Sysname> system-view

[Sysname] ip https certificate access-control-policy myacl

Related commands

· display ip https

· pki certificate access-control-policy (Security Command Reference)

ip https enable

Use ip https enable to enable the HTTPS service.

Use undo ip https enable to disable the HTTPS service.

Syntax

ip https enable

undo ip https enable

Default

The HTTPS service is disabled.

Views

System view

Default command level

3: Manage level

Usage guidelines

The device can act as the HTTP server that can be accessed only after the HTTP service is enabled.

Enabling the HTTPS service triggers an SSL handshake negotiation process:

· If the local certificate of the device exists, the SSL negotiation succeeds, and the HTTPS service can be started.

· If no local certificate exists, the SSL negotiation triggers a certificate application process that often fails because it times out. If that happens, execute the ip https enable command multiple times to start the HTTPS service.

Examples

# Enable the HTTPS service.

<Sysname> system-view

[Sysname] ip https enable

ip https port

Use ip https port to configure the port number of the HTTPS service.

Use undo ip https port to restore the default.

Syntax

ip https port port-number

undo ip https port

Default

The port number of the HTTPS service is 443.

Views

System view

Default command level

3: Manage level

Parameters

port-number: Port number of the HTTPS service, which ranges from 1 to 65535.

Usage guidelines

Verify that the port number is not used by another service, because this command does not check for conflicts with configured port numbers.

Examples

# Configure the port number of the HTTPS service as 6000.

<Sysname> system-view

[Sysname] ip https port 6000

Related commands

display ip https

ip https ssl-server-policy

Use ip https ssl-server-policy to associate the HTTPS service with an SSL server-end policy.

Use undo ip https ssl-server-policy to remove the association.

Syntax

ip https ssl-server-policy policy-name

undo ip https ssl-server-policy

Default

The HTTPS service is not associated with any SSL server-end policy, and the device uses a self-signed certificate for authentication. (A self-signed certificate is generated and signed by the device itself, rather than the CA.)

Views

System view

Default command level

3: Manage level

Parameters

policy-name: Name of an SSL server policy, a string of 1 to 16 characters.

Usage guidelines

The HTTPS service can be enabled only after this command is configured successfully.

With the HTTPS service enabled, you cannot modify the associated SSL server-end policy or remove the association between the HTTPS service and the SSL server-end policy after the HTTPS service is enabled.

Examples

# Associate the HTTPS service with SSL server-end policy myssl.

<Sysname> system-view

[Sysname] ip https ssl-server-policy myssl

Related commands

· display ip https

· ssl server-policy (Security Command Reference)

lock

Use lock to lock the current user interface.

Syntax

lock

Default

This function is disabled.

Views

User view

Default command level

3: Manage level

Usage guidelines

When you must leave the device for a while, use this command to lock the current user interface to prevent unauthorized access.

After you enter this command, you are asked to enter a password (up to 16 characters) and then confirm it by entering the password again.

To unlock the user interface, press Enter and enter the correct password.

This command is not supported in FIPS mode.

Examples

# Lock the current user interface and then unlock it.

<Sysname> lock

Please input password<1 to 16> to lock current user terminal interface:

Password:

Again:

locked !

Password:

parity

Use parity to specify a parity check mode.

Use undo parity to restore the default.

Syntax

parity { even | none | odd }

undo parity

Default

The setting is none, and no parity check is performed.

Views

User interface view

Default command level

2: System level

Parameters

even: Performs even parity check.

none: Disables parity check.

odd: Performs odd parity check.

Usage guidelines

This command is only applicable to asynchronous serial interfaces, including AUX and console ports.

The configuration terminal and the device must be configured with the same parity check mode to communicate.

Examples

# Configure user interface AUX 0 to perform odd parity check.

<Sysname> system-view

[Sysname] user-interface aux 0

[Sysname-ui-aux0] parity odd

protocol inbound

Use protocol inbound to enable a user interface to support Telnet, SSH, or both of them.

Use undo protocol inbound to restore the default.

Syntax

In non-FIPS mode:

protocol inbound { all | ssh | telnet }

undo protocol inbound

In FIPS mode:

protocol inbound { all | ssh }

undo protocol inbound

Default

Both Telnet and SSH are supported.

Views

VTY interface view

Default command level

3: Manage level

Parameters

all: Supports both Telnet and SSH in non-FIPS mode and supports SSH in FIPS mode.

ssh: Supports SSH only.

telnet: Supports Telnet only. This keyword is not supported in FIPS mode.

Usage guidelines

This configuration is effective only for a user who logs in to the user interface after the configuration is made.

Before configuring a user interface to support SSH, set the authentication mode to scheme for the user interface. For more information, see authentication-mode.

Examples

# Enable the VTYs 0 through 4 to support only SSH.

<Sysname> system-view

[Sysname] user-interface vty 0 4

[Sysname-ui-vty0-4] authentication-mode scheme

[Sysname-ui-vty0-4] protocol inbound ssh

screen-length

Use screen-length to set the maximum number of lines to be displayed on a screen.

Use undo screen-length to restore the default.

Syntax

screen-length screen-length

undo screen-length

Default

Up to 24 lines are displayed on a screen.

Views

User interface view

Default command level

2: System level

Parameters

screen-length: Specifies the maximum number of lines to be displayed on a screen, in the range of 0 to 512. The value of 0 disables pausing between screens of output.

Usage guidelines

When screen output pauses, press the Space key to display the next screen. Not all terminals support this setting. For example, assume you set screen-length to 40, but the terminal can display 24 lines in one screen at most. When you press Space, the device sends 40 lines to the terminal, but the screen displays only lines 18 through 40. To view the first 17 lines, press the page up or page down key.

To disable pausing between screens of output for the current session, use the screen-length disable command.

Examples

# Set the maximum number of lines to be displayed on a screen to 30 for user interface Console 0.

<Sysname> system-view

[Sysname] user-interface console 0

[Sysname-ui-console0] screen-length 30

Related commands

screen-length disable

send

Use send to send messages to user interfaces.

Syntax

send { all | num1 | { aux | console | vty } num2 }

Views

User view

Default command level

1: Monitor level

Parameters

all: Specifies all user interfaces.

aux: Specifies the AUX user interface. Support for this keyword depends on the device model. For more information, see About the H3C Access Controllers Command References.

console: Specifies the console user interface. Support for this keyword depends on the device model. For more information, see About the H3C Access Controllers Command References.

vty: Specifies the VTY user interface.

num2: Specifies the relative number of a user interface. The value range depends on the user interface type:

· AUX—0

· Console—0

· VTY—0 to 4

Usage guidelines

To end message input, press Ctrl+Z. To cancel message input and return to user view, press Ctrl+C.

Examples

# Send message hello abc to your own user interface Console 0.

<Sysname> send console 0

Enter message, end with CTRL+Z or Enter; abort with CTRL+C:

hello abc^Z

Send message? [Y/N]:y

***

***Message from con0 to con0

***

hello abc

# Before you restart the device, inform other login users so they can prepare for the reboot:

1. Display information about the user interfaces that are being used.

<Sysname> display users

The user application information of the user interface(s):

Idx UI Delay Type Userlevel

+ 82 VTY 0 00:00:00 TEL 3

83 VTY 1 00:00:03 TEL 3

Following are more details.

VTY 0 :

Location: 192.168.1.26

VTY 1 :

Location: 192.168.1.20

+ : Current operation user.

F : Current operation user work in async mode.

The output shows that you are using VTY 0 and another user is using VTY 1.

2. Send a notification message to the user of VTY1.

<Sysname> send vty 1

Enter message, end with CTRL+Z or Enter; abort with CTRL+C:

Your attention, please. I will reboot the system in 3 minutes!^Z

Send message? [Y/N]:y

The message should appear on the screen of the user's configuration terminal. The following example assumes that the user was executing the interface gigabitethernet command when the message arrived:

[Sysname] interface gigabitethernet

***

***Message from vty0 to vty1

***

Note please, I will reboot the system in 3 minutes!

set authentication password

Use set authentication password to set a password for password authentication.

Use undo set authentication password to remove the password.

Syntax

set authentication password [ hash ] { cipher | simple } password

undo set authentication password

Default

No password is set for password authentication.

Views

User interface view

Default command level

3: Manage level

Parameters

hash: Enables hash-based encryption.

{ cipher | simple } password: Specifies a case-sensitive password string. The password length and form requirements vary with the keywords or keyword combinations.

Table 7 Password length and form requirements for the password argument

Keyword combination	Password string form	Length (in characters)
simple	Plain text	1 to 16
hash simple	Plain text	1 to 16
cipher	Plain text, cipher text	Plain text: 1 to 16 Cipher text: 1 to 53
hash cipher	Cipher text (hashed form)	1 to 110

Usage guidelines

For security purposes, all passwords, including passwords configured in plain text, are saved in cipher text.

This command is not supported in FIPS mode.

Examples

# Set the password for password authentication on user interface Console 0 to plaintext hello.

<Sysname> system-view

[Sysname] user-interface console 0

[Sysname-ui-console0] authentication-mode password

[Sysname-ui-console0] set authentication password simple hello

Related commands

authentication-mode

shell

Use shell to enable the terminal service for a user interface.

Use undo shell to disable the terminal service for a user interface.

Syntax

shell

undo shell

Default

The terminal service is enabled on all user interfaces.

Views

User interface view

Default command level

3: Manage level

Usage guidelines

The console user interface does not support the undo shell command.

The AUX user interface does not support the undo shell command when the device has only one AUX port and no console port.

You cannot disable the terminal service on the user interface you are using.

Examples

# Disable the terminal service for user interface VTY 0 through VTY 4 so no user can log in to the device through the user interfaces.

<Sysname> system-view

[Sysname] user-interface vty 0 4

[Sysname-ui-vty0-4] undo shell

% Disable ui-vty0-4 , are you sure? [Y/N]:y

[Sysname-ui-vty0-4]

The following message appears when a user tries to Telnet to the device:

The connection was closed by the remote host!

speed (user interface view)

Use speed to set the transmission rate (also called the "baud rate") on a user interface.

Use undo speed to restore the default.

Syntax

speed speed-value

undo speed

Default

The transmission rate is 9600 bps.

Views

User interface view

Default command level

2: System level

Parameters

speed-value: Transmission rate in bps. The transmission rates available for asynchronous serial interfaces include 2400 bps, 9600 bps, 19200 bps, 38400 bps, 57600 bps, and 115200 bps. The transmission rate varies with devices and configuration environments.

Usage guidelines

This command is only applicable to asynchronous serial interfaces, including AUX and console ports.

The configuration terminal and the device must be configured with the same transmission rate to communicate.

Examples

# Set the transmission rate on the user interface AUX 0 to 19200 bps.

<Sysname> system-view

[Sysname] user-interface aux 0

[Sysname-ui-aux0] speed 19200

stopbits

Use stopbits to specify the number of stop bits for a character.

Use undo stopbits to restore the default.

Syntax

stopbits { 1 | 2 }

undo stopbits

Default

One stop bit is used.

Views

User interface view

Default command level

2: System level

Parameters

1: Uses one stop bit.

2: Uses two stop bits.

Usage guidelines

This command is only applicable to asynchronous serial interfaces, including AUX and console ports.

The configuration terminal and the device must be configured to use the same number of stop bits to communicate.

Examples

# Set the number of stop bits to 1 for user interface AUX 0.

<Sysname> system-view

[Sysname] user-interface aux 0

[Sysname-ui-aux0] stopbits 1

Related commands

stopbit-error intolerance

telnet

Use telnet to Telnet to a host in an IPv4 network.

Syntax

telnet remote-host [ service-port ] [ source { interface interface-type interface-number | ip ip-address } ]

Views

User view

Default command level

0: Visit level

Parameters

remote-host: Specifies the IPv4 address or host name of a remote host, a case-insensitive string of 1 to 20 characters.

service-port: Specifies the TCP port number for the Telnet service on the remote host. It ranges from 0 to 65535 and defaults to 23.

source: Specifies a source IPv4 address or source interface for outgoing Telnet packets.

interface interface-type interface-number: Specifies the source interface. The primary IPv4 address of the interface will be used as the source IPv4 address for outgoing Telnet packets.

ip ip-address: Specifies the source IPv4 address for outgoing Telnet packets.

Usage guidelines

To terminate the current Telnet connection, press Ctrl+K or execute the quit command.

The source IPv4 address or source interface specified by this command is only applicable to the current Telnet connection.

This command is not supported in FIPS mode.

Examples

# Telnet to host 1.1.1.2, using 1.1.1.1 as the source IP address for outgoing Telnet packets.

<Sysname> telnet 1.1.1.2 source ip 1.1.1.1

telnet client source

Use telnet client source to specify a source IPv4 address or source interface for outgoing Telnet packets when the device serves as a Telnet client.

Use undo telnet client source to remove the configuration.

Syntax

telnet client source { interface interface-type interface-number | ip ip-address }

undo telnet client source

Default

No source IPv4 address or source interface is specified for outgoing Telnet packets. The source IPv4 address is the primary IPv4 address of the outbound interface.

Views

System view

Default command level

2: System level

Parameters

interface interface-type interface-number: Specifies a source interface. The primary IP address of this interface will be used as the source IPv4 address for outgoing Telnet packets.

ip ip-address: Specifies a source IPv4 address.

Usage guidelines

The source IPv4 address or source interface specified by this command is applicable to all Telnet connections. However, if a user specifies a source IPv4 address or source interface when executing the telnet command, the setting specified by the user takes effect.

This command is not supported in FIPS mode.

Examples

# Set the source IPv4 address for outgoing Telnet packets to 1.1.1.1 when the device serves as a Telnet client.

<Sysname> system-view

[Sysname] telnet client source ip 1.1.1.1

Related commands

display telnet client configuration

telnet ipv6

Use telnet ipv6 to Telnet to a host in an IPv6 network.

Syntax

telnet ipv6 remote-host [ -i interface-type interface-number ] [ port-number ]

Views

User view

Default command level

0: Visit level

Parameters

remote-host: Specifies the IP address or host name of a remote host, a case-insensitive string of 1 to 46 characters.

-i interface-type interface-number: Specifies the outbound interface for sending Telnet packets. This option is required when the destination address is a link-local address.

port-number: Specifies the TCP port number for the Telnet service on the remote host. It ranges from 0 to 65535 and defaults to 23.

Usage guidelines

To terminate the current Telnet connection, press Ctrl+K or execute the quit command.

This command is not supported in FIPS mode.

Examples

# Telnet to the host at 5000::1.

<Sysname> telnet ipv6 5000::1

telnet server enable

Use telnet server enable to enable the Telnet server function.

Use undo telnet server enable to disable the Telnet server function.

Syntax

telnet server enable

undo telnet server enable

Default

The Telnet server function is enabled.

Views

System view

Default command level

3: Manage level

Usage guidelines

This command is not supported in FIPS mode.

Examples

# Enable the Telnet server function.

<Sysname> system-view

[Sysname] telnet server enable

terminal type

Use terminal type to specify the terminal display type.

Use undo terminal type to restore the default.

Syntax

terminal type { ansi | vt100 }

undo terminal type

Default

The terminal display type is ANSI.

Views

User interface view

Default command level

2: System level

Parameters

ansi: Specifies the terminal display type ANSI.

vt100: Specifies the terminal display type VT100.

Usage guidelines

The device supports two terminal display types: ANSI and VT100. To ensure proper display on the terminal, set the display type of both the device and the configuration terminal to VT100. Otherwise, when a command line has more than 80 characters, an anomaly such as cursor positioning error or abnormal display might occur.

Examples

# Set the terminal display type to VT100.

<Sysname> system-view

[Sysname] user-interface vty 0

[Sysname-ui-vty0] terminal type vt100

user privilege level

Use user privilege level to configure the user privilege level. Users logging into the user interface are assigned a user privilege level.

Use undo user privilege level to restore the default.

Syntax

user privilege level level

undo user privilege level

Default

The command level is 3 for the console user interface and 0 for other user interfaces.

Views

User interface view

Default command level

3: Manage level

Parameters

level: Specifies a user privilege level, which ranges from 0 to 3.

Usage guidelines

User privilege levels include visit, monitor, system, and manage, represented by the numbers 0, 1, 2, and 3, respectively. You can change the user privilege level when necessary.

In FIPS mode, only scheme authentication is supported, and this command is not available.

Examples

# Set the command level for users logging in through VTY 0 to 0.

<Sysname> system-view

[Sysname] user-interface vty 0

[Sysname-ui-vty0] user privilege level 0

After you Telnet to the device through VTY 0, the terminal only displays commands of level 0 in the help information:

<Sysname> ?

User view commands:

cluster Run cluster command

display Display current system information

ping Ping function

quit Exit from current command view

rsh Establish one RSH connection

ssh2 Establish a secure shell client connection

super Set the current user priority level

telnet Establish one TELNET connection

tracert Trace route function

user-interface

Use user-interface to enter user interface view.

Syntax

user-interface { first-num1 [ last-num1 ] | { aux | console | vty } first-num2 [ last-num2 ] }

Views

System view

Default command level

2: System level

Parameters

first-num1: Specifies the absolute number of the first user interface. The value range varies with devices and typically starts from 0. For more information, see About the H3C Access Controllers Command References.

last-num1: Specifies the absolute number of the last user interface. The value range varies with devices typically starts from 0, and cannot be smaller than first-num1. For more information, see About the H3C Access Controllers Command References.

aux: Specifies the AUX user interface. Support for this keyword depends on the device model. For more information, see About the H3C Access Controllers Command References.

console: Specifies the console user interface. Support for this keyword depends on the device model. For more information, see About the H3C Access Controllers Command References.

vty: Specifies the VTY user interface.

first-num2: Specifies the relative number of the first user interface. The value range depends on the user interface type:

· AUX—0

· Console—0

· VTY—0 to 4

last-num2: Specifies the relative number of the last user interface. For a VTY user interface, the value range is 1 to 4. This argument cannot be smaller than first-num2.

Usage guidelines

If you use this command to enter a single user interface view, your configuration applies only to the user interface.

If you use this command to enter multiple user interface views, your configuration applies to all the specified user interfaces.

Examples

# Enter the view of user interface Console 0.

<Sysname> system-view

[Sysname] user-interface console 0

[Sysname-ui-console0]

# Enter the views of user interfaces VTY 0 to VTY 4.

<Sysname> system-view

[Sysname] user-interface vty 0 4

[Sysname-ui-vty0-4]

web https-authorization mode

Use web https-authorization mode to specify the authentication mode for users trying to log in to the device through HTTPS.

Use undo web https-authorization mode to restore the default.

Syntax

web https-authorization mode { auto | manual }

undo web https-authorization mode

Default

A user must enter correct username and password to log in through HTTPS.

Views

System view

Default command level

2: System level

Parameters

auto: Uses the PKI certificates of HTTPS users to automatically authenticate them.

manual: Provides a login page for HTTPS users to enter the correct username and password.

Usage guidelines

When the auto mode is enabled:

· If the PKI certificate of the user is correct and not expired, the CN field in the certificate is used as the username to perform AAA authentication. If the authentication succeeds, the user automatically enters the Web interface of the device.

· If the PKI certificate of the user is correct and not expired, but the AAA authentication fails, the device shows the Web login page. The user can log in to the device after entering correct username and password.

· When the PKI certificate of the user is incorrect or expired, the HTTPS connection is terminated.

Examples

# Specify the auto authentication mode for users trying to log in to the device through HTTPS.

<Sysname> system-view

[Sysname] web https-authorization mode auto

web idle-timeout

Use web idle-timeout to set the Web user connection timeout time.

Use undo web idle-timeout to restore the default.

Syntax

web idle-timeout minutes

undo web idle-timeout

Default

The Web user connection timeout time is 10 minutes.

Views

System view

Default command level

2: System level

Parameters

minutes: Timeout time in minutes, in the range of 1 to 999.

Examples

# Set the Web user connection timeout time to 20 minutes.

<System> system-view

[System] web idle-timeout 20

web logbuffer size

Use web logbuffer size to set the size of the buffer for Web login logging.

Use undo web logbuffer size to restore the default.

Syntax

web logbuffer size pieces

undo web logbuffer size

Default

The buffer for Web login logging can store 512 log messages.

Views

System view

Default command level

2: System level

Parameters

pieces: Size of the buffer for Web login logging, in the number of log messages. The value range is 1 to 1024.

Examples

# Set the size of the buffer for Web login logging to 800.

<System> system-view

[System] web logbuffer size 800

01-Fundamentals Command Reference

ip http enable

ip https enable

screen-length

Intelligent Terminal Products

Product Support Services

Technical Service Solutions

Resource Center

Policy

Online Help

Become a Partner

Partner Policy & Program

Global Learning

Partner Sales Resources

Service Business

News & Events

Contact Us