01-Fundamentals Command Reference

02-Login Management Commands

acl (user interface view)

Use acl to reference ACLs to control access to the VTY user interface.

Use undo acl to cancel the ACL application.

Syntax

To use a basic or advanced ACL:

acl [ ipv6 ] acl-number { inbound | outbound }

undo acl [ ipv6 ] acl-number { inbound | outbound }

To use a WLAN or Ethernet frame header ACL:

acl acl-number inbound

undo acl acl-number inbound

Default

Access to the VTY user interface is not restricted.

Views

VTY user interface view

Default command level

2: System level

Parameters

ipv6: When this keyword is present, the command supports IPv6; otherwise, it supports IPv4.

acl-number: Specifies the number of the ACL:

·          WLAN ACL: 100 to 199.

·          Basic ACL: 2000 to 2999.

·          Advanced ACL: 3000 to 3999.

·          Ethernet frame header ACL: 4000 to 4999.

inbound: Restricts Telnet or SSH connections established in the inbound direction through the VTY user interface. If the received packets for establishing a Telnet or SSH connection are permitted by an ACL rule, the connection is allowed to be established. When the device functions as a Telnet server or SSH server, use this keyword to control access of Telnet clients or SSH clients.

outbound: Restricts Telnet connections established in the outbound direction through the VTY user interface. If the packets sent for establishing a Telnet connection are permitted by an ACL rule, the connection is allowed to be established. When the device functions as a Telnet client, use this keyword to define Telnet servers accessible to the client.

Usage guidelines

If no ACL is referenced in VTY user interface view, the VTY user interface has no access control over establishing a Telnet or SSH connection.

If an ACL is referenced in VTY user interface view, the connection is permitted to be established only when packets for establishing a Telnet or SSH connection match a permit statement in the ACL.

You can apply a basic/advanced ACL with the inbound keyword, a basic/advanced ACL with the outbound keyword, a WLAN ACL, and an Ethernet frame header ACL on a VTY user interface, because these ACLs are different ACL types. The match order is WLAN ACL, basic/advanced ACL, Ethernet frame header ACL. However, you can apply only one of the ACLs that are the same type on a VTY user interface.

For more information about ACL, see ACL and QoS Command Reference.

Examples

# Allow only the user with the IP address of 192.168.1.26 to access the device through Telnet or SSH.

<Sysname> system-view

[Sysname] acl number 2001

[Sysname-acl-basic-2001] rule permit source 192.168.1.26 0

[Sysname-acl-basic-2001] quit

[Sysname] user-interface vty 0

[Sysname-ui-vty0] acl 2001 inbound

After the configuration, user A (with the IP address 192.168.1.26) can Telnet to the device, but user B (with the IP address 192.168.1.60) cannot. Upon a connection failure, a message appears: "%connection closed by remote host!"

# Allow the device to only Telnet to the Telnet server with IP address 192.168.1.41.

<Sysname> system-view

[Sysname] acl number 3001

[Sysname-acl-adv-3001] rule permit tcp destination 192.168.1.41 0

[Sysname-acl-adv-3001] quit

[Sysname] user-interface vty 0 4

[Sysname-ui-vty0-4] acl 3001 outbound

[Sysname-ui-vty0-4] return

<Sysname>

After your configuration, if you Telnet to 192.168.1.46, your operation fails.

<Sysname> telnet 192.168.1.46

%Can't access the host from this terminal!

But you can Telnet to 192.168.1.41.

<Sysname> telnet 192.168.1.41

Trying 192.168.1.41 ...

Press CTRL+K to abort

Connected to 192.168.1.41 ...

# Allow only the WLAN client with the SSID of Admin to access the device through VTY 0.

<Sysname> system-view

[Sysname] acl number 100

[Sysname-acl-wlan-100] rule permit ssid Admin

[Sysname-acl-wlan-100] quit

[Sysname] user-interface vty 0

[Sysname-ui-vty0] acl 100 inbound
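
The inbound decision described above, modelled as an added example (not H3C code): a basic ACL's `source address wildcard` pairs are evaluated against a client address, with no referenced ACL meaning unrestricted access and no matching permit meaning refusal. Accepting `deny` rules and deciding on the first matching rule in listed order are assumptions; the second ACL reuses the 10.10.0.0 0.0.255.255 rule from this page's ip http acl example.

```python
import ipaddress
import re

# Matches the basic-ACL rule form used on this page:
#   rule permit source <address> <wildcard>
# "deny" is accepted too (assumption: the first matching rule in listed order decides).
RULE_RE = re.compile(r"rule\s+(permit|deny)\s+source\s+(\S+)\s+(\S+)")


def parse_wildcard(text):
    """Return the wildcard as an int; the page writes a host match as a bare 0."""
    if text == "0":
        return 0
    return int(ipaddress.IPv4Address(text))


def parse_basic_acl(lines):
    """Turn CLI rule lines (prompts allowed) into (action, address, wildcard) tuples."""
    rules = []
    for line in lines:
        m = RULE_RE.search(line)
        if m:
            action, addr, wildcard = m.groups()
            rules.append((action, int(ipaddress.IPv4Address(addr)), parse_wildcard(wildcard)))
    return rules


def wildcard_match(client, addr, wildcard):
    """Bits set in the wildcard are ignored; every other bit must be equal."""
    care = ~wildcard & 0xFFFFFFFF
    return (client & care) == (addr & care)


def vty_allows(acl_rules, client_ip):
    """acl_rules=None models a VTY user interface with no ACL referenced."""
    if acl_rules is None:
        return True  # default on this page: access is not restricted
    client = int(ipaddress.IPv4Address(client_ip))
    for action, addr, wildcard in acl_rules:
        if wildcard_match(client, addr, wildcard):
            return action == "permit"
    return False  # no permit statement matched, so the connection is refused


# ACL 2001 exactly as entered in the page's first example.
ACL_2001 = parse_basic_acl(["[Sysname-acl-basic-2001] rule permit source 192.168.1.26 0"])
# Constructed ACL holding the /16 wildcard rule from the page's ip http acl example.
ACL_SUBNET = parse_basic_acl(["rule permit source 10.10.0.0 0.0.255.255"])

if __name__ == "__main__":
    for ip in ("192.168.1.26", "192.168.1.60"):
        print("ACL 2001", ip, "allowed" if vty_allows(ACL_2001, ip) else "refused")
    for ip in ("10.10.200.7", "10.11.0.1"):
        print("subnet ACL", ip, "allowed" if vty_allows(ACL_SUBNET, ip) else "refused")
```
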

activation-key

Use activation-key to define a shortcut key for starting a terminal session.

Use undo activation-key to restore the default.

Syntax

activation-key character

undo activation-key

Default

Pressing the Enter key starts a terminal session.

Views

User interface view

Default command level

3: Manage level

Parameters

character: Shortcut key for starting a terminal session, a single character (or its corresponding ASCII code value in the range of 0 to 127), or a string of 1 to 3 characters. However, only the first character functions as the shortcut key. For example, if you enter an ASCII code value of 97, the system uses its corresponding character a as the shortcut key. If you enter string b@c, the system uses the first character b as the shortcut key.

Usage guidelines

This command is not supported on VTY user interfaces.

To display the shortcut key you have defined, use the display current-configuration command.

Examples

# Configure character s as the shortcut key for starting a terminal session on the console user interface.

<Sysname> system-view

[Sysname] user-interface console 0

[Sysname-ui-console0] activation-key s

# Verify the configuration:

1.        Exit the console session.

[Sysname-ui-console0] return

<Sysname> quit

2.        Log in to the console user interface again.

The following message appears.

****************************************************************************** 

* Copyright (c) 2004-2017 New H3C Technologies Co., Ltd. All rights reserved.*  

* Without the owner's prior written consent,                                 * 

* no decompiling or reverse-engineering shall be allowed.                    * 

******************************************************************************

 

User interface con0 is available.

 

 

 

Please press ENTER.

                      

3.        Press Enter.

Pressing Enter does not start a session.

4.        Enter s.

A terminal session is started.

<Sysname>

%Mar  2 18:40:27:981 2005 Sysname SHELL/5/LOGIN: Console login from con0

authentication-mode

Use authentication-mode to set the authentication mode for a user interface.

Use undo authentication-mode to restore the default.

Syntax

authentication-mode { none | password | scheme }

undo authentication-mode

Default

The authentication mode is password for the VTY user interface, and none for the console user interface.

Views

User interface view

Default command level

3: Manage level

Parameters

none: Performs no authentication.

password: Performs local password authentication.

scheme: Performs AAA authentication. For more information about AAA, see Security Configuration Guide.

Examples

# Enable the none authentication mode for the user interface VTY 0.

<Sysname> system-view

[Sysname] user-interface vty 0

[Sysname-ui-vty0] authentication-mode none

# Enable password authentication for the user interface VTY 0 and set the password to 321.

<Sysname> system-view

[Sysname] user-interface vty 0

[Sysname-ui-vty0] authentication-mode password

[Sysname-ui-vty0] set authentication password simple 321

# Enable scheme authentication for the user interface VTY 0, and set the username to 123 and the password to 321.

<Sysname> system-view

[Sysname] user-interface vty 0

[Sysname-ui-vty0] authentication-mode scheme

[Sysname-ui-vty0] quit

[Sysname] local-user 123

[Sysname-luser-123] password simple 321

[Sysname-luser-123] service-type telnet

[Sysname-luser-123] authorization-attribute level 3

Related commands

set authentication password

auto-execute command

 

CAUTION:

After configuring this command for a user interface, you might be unable to access the CLI through the user interface. Make sure you can access the CLI through a different user interface before you configure this command and save the configuration.

 

Use auto-execute command to specify a command that is to be automatically executed when a user logs in to the current user interface.

Use undo auto-execute command to remove the configuration.

Syntax

auto-execute command command

undo auto-execute command

Default

Command auto-execution is disabled.

Views

User interface view

Default command level

3: Manage level

Parameters

command: Specifies the command to be automatically executed.

Usage guidelines

This command is not supported on the console user interface.

The system automatically executes the specified command when a user logs in to the user interface, and tears down the user connection after the command is executed. If the command triggers another task, the system does not tear down the user connection until the task is completed.

The command auto-execute function is typically used for redirecting a Telnet user to a specific host.

Examples

# Configure the device to automatically Telnet to 192.168.1.41 after a user logs in to interface VTY 0.

<Sysname> system-view

[Sysname] user-interface vty 0

[Sysname-ui-vty0] auto-execute command telnet 192.168.1.41

% This action will lead to configuration failure through ui-vty0. Are you sure?

[Y/N]:y

[Sysname-ui-vty0]

# To verify the configuration, Telnet to 192.168.1.40.

The device automatically Telnets to 192.168.1.41, and the following output is displayed:

C:\> telnet 192.168.1.40

****************************************************************************** 

* Copyright (c) 2004-2017 New H3C Technologies Co., Ltd. All rights reserved.* 

* Without the owner's prior written consent,                                 * 

* no decompiling or reverse-engineering shall be allowed.                    * 

******************************************************************************

 

<Sysname>

Trying 192.168.1.41 ...

Press CTRL+K to abort

Connected to 192.168.1.41 ...

****************************************************************************** 

* Copyright (c) 2004-2017 New H3C Technologies Co., Ltd. All rights reserved.* 

* Without the owner's prior written consent,                                 * 

* no decompiling or reverse-engineering shall be allowed.                    * 

******************************************************************************

 

<Sysname.41>

This operation is the same as directly logging in to the device at 192.168.1.41. If the Telnet connection to 192.168.1.41 is broken, the Telnet connection to 192.168.1.40 breaks at the same time.

command accounting

Use command accounting to enable command accounting.

Use undo command accounting to restore the default.

Syntax

command accounting

undo command accounting

Default

Command accounting is disabled, and the accounting server does not record executed commands.

Views

User interface view

Default command level

3: Manage level

Usage guidelines

When command accounting is enabled and command authorization is not, every executed command is recorded on the HWTACACS server.

When both command accounting and command authorization are enabled, only the authorized and executed commands are recorded on the HWTACACS server.

Examples

# Enable command accounting for the user interface VTY 0.

<Sysname> system-view

[Sysname] user-interface vty 0

[Sysname-ui-vty0] command accounting

command authorization

Use command authorization to enable command authorization.

Use undo command authorization to restore the default.

Syntax

command authorization

undo command authorization

Default

Command authorization is disabled. Logged-in users can execute commands without authorization.

Views

User interface view

Default command level

3: Manage level

Usage guidelines

With command authorization enabled, users can perform only commands authorized by the server.

Examples

# Enable command authorization for VTY 0 so users logged in to VTY 0 can perform only the commands authorized by the HWTACACS server.

<Sysname> system-view

[Sysname] user-interface vty 0

[Sysname-ui-vty0] command authorization

display ip http

Use display ip http to display HTTP information.

Syntax

display ip http [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display information about HTTP.

<Sysname> display ip http

HTTP port: 80

WLAN ACL: 100

Basic ACL: 2222

Current connection: 0

Operation status: Running

Table 1 Command output

Field | Description

HTTP port | Port number used by the HTTP service.

WLAN ACL | WLAN ACL associated with the HTTP service.

Basic ACL | Basic ACL number associated with the HTTP service.

Current connection | Number of current connections.

Operation status | Operation status:

·         Running—The HTTP service is enabled.

·         Stopped—The HTTP service is disabled.

 

display ip https

Use display ip https to display HTTPS information.

Syntax

display ip https [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display HTTPS information.

<Sysname> display ip https

HTTPS port: 443

SSL server policy: test

Certificate access-control-policy:

WLAN ACL: 100

Basic ACL: 2222

Current connection: 0

Operation status: Running

Table 2 Command output

Field | Description

HTTPS port | Port number used by the HTTPS service.

SSL server policy | SSL server policy associated with the HTTPS service.

Certificate access-control-policy | Certificate attribute-based access control policy associated with the HTTPS service.

WLAN ACL | WLAN ACL associated with the HTTPS service.

Basic ACL | Basic ACL associated with the HTTPS service.

Current connection | Number of current connections.

Operation status | Operation status:

·         Running—The HTTPS service is enabled.

·         Stopped—The HTTPS service is disabled.

 

display telnet client configuration

Use display telnet client configuration to display the configuration of the device when it serves as a Telnet client.

Syntax

display telnet client configuration [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display the configuration of the device when it serves as a Telnet client.

<Sysname> display telnet client configuration

 The source IP address is 1.1.1.1.

The output shows that the device uses the source IPv4 address 1.1.1.1 for outgoing Telnet packets when it serves as a Telnet client.

display user-interface

Use display user-interface to display user interface information.

Syntax

display user-interface [ num1 | { console | vty } num2 ] [ summary ] [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

num1: Specifies the absolute number of a user interface. The value range typically starts from 0.

console: Specifies the console user interface.

vty: Specifies the VTY user interface.

num2: Specifies the relative number of a user interface.

summary: Displays summary information about user interfaces.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display information about user interface 0.

<Sysname> display user-interface 0

  Idx  Type     Tx/Rx      Modem Privi Auth  Int

+ 0    CON 0    9600       -     3     N     -

 

  +    : Current user-interface is active.

  F    : Current user-interface is active and work in async mode.

  Idx  : Absolute index of user-interface.

  Type : Type and relative index of user-interface.

  Privi: The privilege of user-interface.

  Auth : The authentication mode of user-interface.

  Int  : The physical location of UIs.

  A    : Authentication use AAA.

  L    : Authentication use local database.

  N    : Current UI need not authentication.

  P    : Authentication use current UI's password.

Table 3 Command output

Field | Description

Idx | Absolute number of the user interface.

Type | Type and relative number of the user interface.

Tx/Rx | Transmit/receive rate of the user interface.

Modem | Whether the modem is allowed to dial in (in), dial out (out), or both (inout). If modem dial-in is disabled, a hyphen (-) is displayed.

Privi | Indicates the command level of a user under that user interface.

Auth | Authentication mode for the users:

·         A: Scheme authentication mode.

·         L: Local authentication mode (not supported).

·         N: None authentication mode.

·         P: Password authentication mode.

Int | Physical port that corresponds to the user interface. For console and VTY user interfaces, a hyphen (-) is displayed.

 

# Display summary information about all user interfaces.

<Sysname> display user-interface summary

  User interface type : [CON]

            0:X

  User interface type : [VTY]

           1:UUUU X

 

    4 character mode users.      (U)

    2 UI never used.             (X)

    4 total UI in use 

Table 4 Command output

Field | Description

0:X | number: Absolute number of the first user line in the user line class.

status: User line status. X is for unused and U is for used.

For example, if "1:UUUU X" is displayed, there are five user lines of the user line class. These user lines use the absolute numbers 1 through 5. User lines 1 through 4 are in use, and user line 5 is not.

 

display users

Use display users to display information about the user interfaces being used.

Use display users all to display information about all user interfaces supported by the device.

Syntax

display users [ all ] [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

all: Displays information about all user interfaces the device supports.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display information about the user interfaces being used.

<Sysname> display users

The user application information of the user interface(s):

  Idx UI      Delay    Type Userlevel

  1   VTY 0   00:02:24 TEL  3

+ 2   VTY 1   00:00:00 TEL  3

 

Following are more details.

VTY 0   :

        Location: 192.168.0.210

VTY 1   :

        Location: 192.168.0.214

 +    : Current operation user.

 F    : Current operation user work in async mode.

The output shows that two users have logged in to the device: you are using the user interface VTY 1 and the other user is using VTY 0. Your IP address is 192.168.0.214 and user privilege level is 3.

Table 5 Command output

Field | Description

Idx | Absolute number of the user interface.

UI | Relative number of the user interface. For example, with VTY, the first column represents user interface type, and the second column represents the relative number of the user interface.

Delay | Time elapsed after the user's last input, in the format hh:mm:ss.

Type | User type, such as Telnet or SSH.

Userlevel | User level: 0 for visit, 1 for monitor, 2 for system, and 3 for manage.

+ | Indicates the current user, the user who executed the display command.

Location | IP address of the user.

F | The current user is operating in asynchronous mode.

 

display web users

Use display web users to display information about the Web users.

Syntax

display web users [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display information about the Web users.

<Sysname> display web users

UserID   Name      Lang Level   State    Links Login    LastOp   Ip

ab810000 admin     zn   Manage  Enabled     0  12:47:37 13:04:17 192.168.100.14

Table 6 Command output

Field | Description

UserID | Web user ID.

Name | Web username.

Language | Language used in Web login.

Level | Web user level.

State | Web user status.

Links | Number of tasks running for the Web user.

Login | Login time.

LastOp | Last time when the Web user accessed the device.

Ip | IP address of the host used by the user.

 

escape-key

Use escape-key to define a shortcut key for terminating a task.

Use undo escape-key to disable the shortcut key for terminating tasks.

Syntax

escape-key { default | character }

undo escape-key

Default

Pressing Ctrl+C terminates a task.

Views

User interface view

Default command level

3: Manage level

Parameters

character: Specifies the shortcut key for terminating a task, a single character (or its corresponding ASCII code value in the range of 0 to 127) or a string of 1 to 3 characters. Only the first character of a string functions as the shortcut key. For example, if you enter an ASCII code value of 113, the system uses its corresponding character q as the shortcut key. If you enter the string q@c, the system uses the first character q as the shortcut key.

default: Restores the default escape key sequence Ctrl+C.

Usage guidelines

You can execute this command repeatedly, but only the last definition takes effect. To display the effective shortcut key definition, use the display current-configuration command.

If you set the character argument in a user interface of a device, when you use the user interface to log in to the device and then Telnet to another device, the character argument can be used as a control character to terminate a task rather than used as a common character. For example, if you specify character e in VTY 0 user interface of Device A, when you log in to Device A using VTY 0 from a PC (HyperTerminal), you can enter e as a common character on the PC, and you can also use e to terminate the task running on Device A. If you Telnet to Device B from Device A, you can only use e to terminate the task running on Device B, rather than use e as a common character. It is a good practice to specify a key sequence.

Examples

# Define character a as the shortcut key for terminating a task.

<Sysname> system-view

[Sysname] user-interface console 0

[Sysname-ui-console0] escape-key a

# To verify the configuration:

1.        Ping IP address 192.168.1.49, specifying the -c keyword to set the number of ICMP echo request packets to 20.

<Sysname> ping -c 20 192.168.1.49

  PING 192.168.1.49: 56  data bytes, press a to break

    Reply from 192.168.1.49: bytes=56 Sequence=1 ttl=255 time=3 ms

    Reply from 192.168.1.49: bytes=56 Sequence=2 ttl=255 time=3 ms

2.        Press a.

The task terminates and the system returns to user view.

  --- 192.168.1.49 ping statistics ---

    2 packet(s) transmitted

    2 packet(s) received

    0.00% packet loss

    round-trip min/avg/max = 3/3/3 ms

 

<Sysname>

free user-interface

Use free user-interface to release a user interface.

Syntax

free user-interface { num1 | { console | vty } num2 }

Views

User view

Default command level

3: Manage level

Parameters

num1: Specifies the absolute number of a user interface. The value range typically starts from 0.

console: Specifies the console user interface.

vty: Specifies the VTY user interface.

num2: Specifies the relative number of a user interface.

Usage guidelines

This command cannot release the connection you are using.

Examples

# Release user interface VTY 0:

1.        Display which users are operating the device.

<Sysname> display users

The user application information of the user interface(s):

  Idx UI      Delay    Type Userlevel

  0   CON 0   00:07:43      3

  1   VTY 0   00:02:24 TEL  3

+ 2   VTY 1   00:00:00 TEL  3

 

Following are more details.

VTY 0   :

        Location: 192.168.0.210

VTY 1   :

        Location: 192.168.0.214

 +    : Current operation user.

 F    : Current operation user work in async mode.

2.        Log out the user who is using VTY 0.

<Sysname> free user-interface vty 0

Are you sure to free user-interface vty0? [Y/N]:y
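
A parser for the display users output shown above, added here as an example and not taken from H3C: it joins each table row with its Location line and lists the free user-interface commands an operator might review for sessions that are idle too long or come from outside a trusted range. The idle limit, the trusted networks and the reason labels are assumptions; the session marked + is skipped because free user-interface cannot release the connection in use.

```python
import ipaddress
import re

# Table row: optional +/F flag, Idx, UI type and relative number, Delay, optional Type, Userlevel.
ROW_RE = re.compile(
    r"^\s*([+F]?)\s*(\d+)\s+(CON|VTY)\s+(\d+)\s+(\d+):(\d\d):(\d\d)\s+(?:(\S+)\s+)?(\d+)\s*$")
DETAIL_RE = re.compile(r"^\s*(CON|VTY)\s+(\d+)\s*:\s*$")
LOCATION_RE = re.compile(r"^\s*Location:\s*(\S+)")

# Output copied from the page's free user-interface example (blank lines removed).
SAMPLE_OUTPUT = """\
The user application information of the user interface(s):
  Idx UI      Delay    Type Userlevel
  0   CON 0   00:07:43      3
  1   VTY 0   00:02:24 TEL  3
+ 2   VTY 1   00:00:00 TEL  3
Following are more details.
VTY 0   :
        Location: 192.168.0.210
VTY 1   :
        Location: 192.168.0.214
 +    : Current operation user.
 F    : Current operation user work in async mode.
"""


def parse_display_users(text):
    """Return one dict per session, with the Location detail merged in."""
    sessions, by_ui, last_ui = [], {}, None
    for line in text.splitlines():
        row = ROW_RE.match(line)
        if row:
            flag, idx, kind, rel, hh, mm, ss, utype, level = row.groups()
            session = {
                "idx": int(idx), "ui": "%s %s" % (kind, rel),
                "idle_s": int(hh) * 3600 + int(mm) * 60 + int(ss),
                "type": utype or "", "level": int(level),
                "current": flag in ("+", "F"), "location": None,
            }
            sessions.append(session)
            by_ui[session["ui"]] = session
            continue
        detail = DETAIL_RE.match(line)
        if detail:
            last_ui = "%s %s" % detail.groups()
            continue
        loc = LOCATION_RE.match(line)
        if loc and last_ui in by_ui:
            by_ui[last_ui]["location"] = loc.group(1)
    return sessions


def release_candidates(sessions, max_idle_s, trusted_nets):
    """Return (command, reasons) pairs; thresholds and reasons are local policy."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    out = []
    for s in sessions:
        if s["current"]:
            continue  # the connection in use cannot be released
        reasons = []
        if s["idle_s"] > max_idle_s:
            reasons.append("idle")
        if s["location"] is not None:
            try:
                trusted = any(ipaddress.ip_address(s["location"]) in n for n in nets)
            except ValueError:
                trusted = False  # unparsable location is treated as untrusted
            if not trusted:
                reasons.append("untrusted-source")
        if reasons:
            kind, rel = s["ui"].split()
            keyword = "console" if kind == "CON" else "vty"
            out.append(("free user-interface %s %s" % (keyword, rel), reasons))
    return out


if __name__ == "__main__":
    parsed = parse_display_users(SAMPLE_OUTPUT)
    for command, why in release_candidates(parsed, 120, ["192.168.0.214/32"]):
        print(command, "#", ", ".join(why))
```
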

free web-users

Use free web-users to log out Web users.

Syntax

free web-users { all | user-id user-id | user-name user-name }

Views

User view

Default command level

2: System level

Parameters

all: Specifies all Web users.

user-id: Specifies a Web user by the ID, a hexadecimal number of eight digits.

user-name: Specifies a Web user by the username, a string of 1 to 80 characters.

Examples

# Log out all Web users.

<Sysname> free web-users all

Related commands

display web users

history-command max-size

Use history-command max-size to set the size of the command history buffer for a user interface.

Use undo history-command max-size to restore the default.

Syntax

history-command max-size size-value

undo history-command max-size

Default

The buffer of a user interface saves 10 history commands at most.

Views

User interface view

Default command level

2: System level

Parameters

size-value: Specifies the maximum number of history commands the buffer can store, in the range of 0 to 256.

Usage guidelines

Each user interface uses a separate command history buffer to save commands successfully executed by its user. The size of the buffer determines how many history commands the buffer can store.

To view stored history commands on your user interface, press the up arrow key or down arrow key or execute the display history-command command.

Terminating the CLI session clears the commands in the history buffer.

Examples

# Set the size of the command history buffer to 20 for the user interface Console 0.

<Sysname> system-view

[Sysname] user-interface console 0

[Sysname-ui-console0] history-command max-size 20

idle-timeout

Use idle-timeout to set the session idle-timeout timer.

Use undo idle-timeout to restore the default.

Syntax

idle-timeout minutes [ seconds ]

undo idle-timeout

Default

The idle-timeout time is 10 minutes.

Views

User interface view

Default command level

2: System level

Parameters

minutes: Specifies the number of minutes for the idle-timeout time, in the range of 0 to 35791. The default is 10 minutes.

seconds: Specifies the number of seconds for the idle-timeout time, in the range of 0 to 59. The default is 0 seconds.

Usage guidelines

The system automatically terminates the user connection on the user interface if there is no information interaction between the device and the user within the idle-timeout time.

Setting the idle-timeout timer to 0 disables the idle-timeout function.

Examples

# Set the idle-timeout timer to 1 minute and 30 seconds.

<Sysname> system-view

[Sysname] user-interface console 0

[Sysname-ui-console0] idle-timeout 1 30

ip http acl

Use ip http acl to associate the HTTP service with an ACL.

Use undo ip http acl to remove the association.

Syntax

ip http acl acl-number

undo ip http acl acl-number

Default

The HTTP service is not associated with any ACL.

Views

System view

Default command level

2: System level

Parameters

acl-number: Specifies the number of the ACL:

·          WLAN ACL: 100 to 199.

·          Basic ACL: 2000 to 2999.

Usage guidelines

After the HTTP service is associated with an ACL, only clients permitted by the ACL can access the device through HTTP.

The HTTP service can be associated with a WLAN ACL and a basic ACL, and the two types of ACLs will not overwrite each other. However, ACLs of the same type overwrite each other. If you execute the ip http acl command multiple times to associate the HTTP service with ACLs of the same type, the HTTP service is only associated with the last specified ACL.

When the HTTP service is associated with a WLAN ACL, the HTTP service uses this ACL to filter wireless clients only, and does not filter wired clients with this ACL.

Examples

# Associate the HTTP service with ACL 100 to allow only the wireless client with the SSID user-ssid-name to access the device through HTTP.

<Sysname> system-view

[Sysname] acl number 100

[Sysname-acl-wlan-100] rule permit ssid user-ssid-name

[Sysname-acl-wlan-100] quit

[Sysname] ip http acl 100

# Associate the HTTP service with ACL 2001 to allow only users from 10.10.0.0/16 to access the device through HTTP.

<Sysname> system-view

[Sysname] acl number 2001

[Sysname-acl-basic-2001] rule permit source 10.10.0.0 0.0.255.255

[Sysname-acl-basic-2001] quit

[Sysname] ip http acl 2001

Related commands

·          acl number (ACL and QoS Command Reference)

·          display ip http

ip http enable

Use ip http enable to enable the HTTP service.

Use undo ip http enable to disable the HTTP service.

Syntax

ip http enable

undo ip http enable

Default

The HTTP service is disabled.

Views

System view

Default command level

2: System level

Usage guidelines

To allow users to access the device through HTTP, you must enable the HTTP service.

Examples

# Enable the HTTP service.

<Sysname> system-view

[Sysname] ip http enable

# Disable the HTTP service.

<Sysname> system-view

[Sysname] undo ip http enable

Related commands

display ip http
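
A configuration audit built from the defaults and commands documented on this page (authentication-mode, set authentication password, acl inbound, idle-timeout, auto-execute command, ip http enable, ip http acl), added here as an example and not H3C tooling. The saved-configuration layout (unindented user-interface header, indented commands, # separators), the finding labels and the sample configuration are assumptions constructed for illustration.

```python
import re

# Defaults stated on this page: password on VTY, none on the console.
DEFAULT_AUTH = {"vty": "password", "console": "none"}
# The abbreviated keyword "con" is accepted as well as "console".
UI_RE = re.compile(r"^user-interface\s+(con|console|vty)\s+(\d+)(?:\s+(\d+))?\s*$")

# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = """\
#
 ip http enable
#
user-interface console 0
 idle-timeout 0 0
user-interface vty 0
 acl 2001 inbound
 authentication-mode scheme
 command authorization
 command accounting
user-interface vty 1 4
 authentication-mode none
 set authentication password simple 321
#
"""


def parse_user_interfaces(config_text):
    """Split configuration text into user-interface blocks (assumed layout, see lead-in)."""
    blocks, current = [], None
    for raw in config_text.splitlines():
        header = UI_RE.match(raw.rstrip())
        if header:
            kind = "vty" if header.group(1) == "vty" else "console"
            first = int(header.group(2))
            last = int(header.group(3)) if header.group(3) else first
            current = {"kind": kind, "first": first, "last": last, "cmds": []}
            blocks.append(current)
        elif current is not None and raw[:1].isspace() and raw.strip():
            current["cmds"].append(raw.strip())
        else:
            current = None  # '#' or any other unindented line ends the block
    return blocks


def audit_block(block):
    """Return finding labels for one user-interface block."""
    cmds, findings = block["cmds"], []
    auth = DEFAULT_AUTH[block["kind"]]  # effective mode when none is configured
    for cmd in cmds:
        m = re.match(r"authentication-mode\s+(none|password|scheme)$", cmd)
        if m:
            auth = m.group(1)
    if auth == "none":
        findings.append("auth-none")
    if any(re.match(r"set authentication password simple\s", c) for c in cmds):
        findings.append("simple-password")
    if block["kind"] == "vty" and not any(
            re.match(r"acl\s+(ipv6\s+)?\d+\s+inbound$", c) for c in cmds):
        findings.append("no-inbound-acl")  # Telnet/SSH sources are unrestricted
    for cmd in cmds:
        m = re.match(r"idle-timeout\s+(\d+)(?:\s+(\d+))?$", cmd)
        if m and int(m.group(1)) == 0 and int(m.group(2) or 0) == 0:
            findings.append("idle-timeout-disabled")
    if any(c.startswith("auto-execute command ") for c in cmds):
        findings.append("auto-execute")  # CLI may be unreachable through this interface
    return findings


def audit(config_text):
    """Map each user interface (and the HTTP service) to its findings."""
    report = {}
    for b in parse_user_interfaces(config_text):
        span = str(b["first"]) if b["first"] == b["last"] else "%d-%d" % (b["first"], b["last"])
        report["%s %s" % (b["kind"], span)] = audit_block(b)
    http_on = re.search(r"^\s*ip http enable\s*$", config_text, re.M)
    http_acl = re.search(r"^\s*ip http acl\s+\d+\s*$", config_text, re.M)
    report["http"] = ["http-no-acl"] if http_on and not http_acl else []
    return report


if __name__ == "__main__":
    for target, findings in audit(SAMPLE_CONFIG).items():
        print("%-12s %s" % (target, ", ".join(findings) or "ok"))
```
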

ip http port

Use ip http port to configure the port number of the HTTP service.

Use undo ip http port to restore the default.

Syntax

ip http port port-number

undo ip http port

Default

The port number of the HTTP service is 80.

Views

System view

Default command level

3: Manage level

Parameters

port-number: Specifies a port number for the HTTP service, in the range of 1 to 65535.

Usage guidelines

Verify that the port number is not used by another service, because this command does not check for conflicts with configured port numbers.

Examples

# Configure the port number of the HTTP service as 8080.

<Sysname> system-view

[Sysname] ip http port 8080

Related commands

display ip http

ip https acl

Use ip https acl to associate the HTTPS service with an ACL.

Use undo ip https acl to remove the association.

Syntax

ip https acl acl-number

undo ip https acl acl-number

Default

The HTTPS service is not associated with any ACL.

Views

System view

Default command level

3: Manage level

Parameters

acl-number: Specifies the number of the ACL:

·          WLAN ACL: 100 to 199.

·          Basic ACL: 2000 to 2999.

Usage guidelines

After the HTTPS service is associated with an ACL, only the clients permitted by the ACL can access the device.

The HTTPS service can be associated with a WLAN ACL and a basic ACL at the same time, and the two types of ACLs do not overwrite each other. However, ACLs of the same type overwrite each other. If you execute the ip https acl command multiple times to associate the HTTPS service with ACLs of the same type, the HTTPS service is associated only with the last specified ACL.

When the HTTPS service is associated with a WLAN ACL, the HTTPS service uses this ACL to filter wireless clients only, and does not filter wired clients with this ACL.

Examples

# Associate the HTTPS service with ACL 100 to allow only the wireless client with the SSID user-ssid-name to access the device through HTTPS.

<Sysname> system-view

[Sysname] acl number 100

[Sysname-acl-wlan-100] rule permit ssid user-ssid-name

[Sysname-acl-wlan-100] quit

[Sysname] ip https acl 100

# Associate the HTTPS service with ACL 2001 to allow only clients within the 10.10.0.0/16 network segment to access the HTTPS server through HTTPS.

<Sysname> system-view

[Sysname] acl number 2001

[Sysname-acl-basic-2001] rule permit source 10.10.0.0 0.0.255.255

[Sysname-acl-basic-2001] quit

[Sysname] ip https acl 2001

Related commands

·          acl number (ACL and QoS Command Reference)

·          display ip https

ip https certificate access-control-policy

Use ip https certificate access-control-policy to associate the HTTPS service with a certificate attribute-based access control policy.

Use undo ip https certificate access-control-policy to remove the association.

Syntax

ip https certificate access-control-policy policy-name

undo ip https certificate access-control-policy

Default

The HTTPS service is not associated with any certificate attribute-based access control policy.

Views

System view

Default command level

3: Manage level

Parameters

policy-name: Specifies a certificate attribute-based access control policy by its name, a string of 1 to 16 characters.

Usage guidelines

The device uses the associated certificate attribute-based access control policy to control client access rights.

Examples

# Associate the HTTPS service with certificate attribute-based access control policy myacl.

<Sysname> system-view

[Sysname] ip https certificate access-control-policy myacl

Related commands

·          display ip https

·          pki certificate access-control-policy (Security Command Reference)

ip https enable

Use ip https enable to enable the HTTPS service.

Use undo ip https enable to disable the HTTPS service.

Syntax

ip https enable

undo ip https enable

Default

The HTTPS service is disabled.

Views

System view

Default command level

3: Manage level

Usage guidelines

To allow users to access the device through HTTPS, you must enable the HTTPS service.

Enabling the HTTPS service triggers an SSL handshake negotiation process:

·          If a local certificate exists on the device, the SSL negotiation succeeds and the HTTPS service starts up.

·          If no local certificate exists, a certificate application process is triggered. Because the application process takes a long time, the SSL negotiation often fails and the HTTPS service cannot be started. In that case, execute this command multiple times to start the HTTPS service.

Examples

# Enable the HTTPS service.

<Sysname> system-view

[Sysname] ip https enable

ip https port

Use ip https port to set the HTTPS service port number.

Use undo ip https port to restore the default.

Syntax

ip https port port-number

undo ip https port

Default

The HTTPS service port number is 443.

Views

System view

Default command level

3: Manage level

Parameters

port-number: HTTPS service port number in the range of 1 to 65535.

Usage guidelines

Make sure the port number is not used by any other service. This command does not check for port number conflicts.

Examples

# Set the HTTPS service port number to 6000.

<Sysname> system-view

[Sysname] ip https port 6000

Related commands

display ip https

ip https ssl-server-policy

Use ip https ssl-server-policy to associate the HTTPS service with an SSL server policy.

Use undo ip https ssl-server-policy to remove the association.

Syntax

ip https ssl-server-policy policy-name

undo ip https ssl-server-policy

Default

The HTTPS service is not associated with any SSL server policy, and the device uses a self-signed certificate for authentication. (A self-signed certificate is generated and signed by the device itself, rather than the CA.)

Views

System view

Default command level

3: Manage level

Parameters

policy-name: Specifies an SSL server policy name, a string of 1 to 16 characters.

Usage guidelines

The HTTPS service can be enabled only after this command is configured successfully.

After the HTTPS service is enabled, you cannot modify the associated SSL server policy or remove the association.

Examples

# Associate the HTTPS service with SSL server policy myssl.

<Sysname> system-view

[Sysname] ip https ssl-server-policy myssl

Related commands

·          display ip https

·          ssl server-policy (Security Command Reference)

lock

Use lock to lock the current user interface.

Syntax

lock

Default

This function is disabled.

Views

User view

Default command level

3: Manage level

Usage guidelines

When you must leave the device for a while, use this command to lock the current user interface to prevent unauthorized access.

After you enter this command, you are asked to enter a password (up to 16 characters) and then confirm it by entering the password again.

To unlock the user interface, press Enter and enter the correct password.

Examples

# Lock the current user interface and then unlock it.

<Sysname> lock

Please input password<1 to 16> to lock current user terminal interface:

Password:

Again:

 

 

 

 

 

 

 

                   locked !

 

 

 

 

Password:

<Sysname>

protocol inbound

Use protocol inbound to enable a user interface to support Telnet, SSH, or both of them.

Use undo protocol inbound to restore the default.

Syntax

protocol inbound { all | ssh | telnet }

undo protocol inbound

Default

Both SSH and Telnet are supported.

Views

VTY interface view

Default command level

3: Manage level

Parameters

all: Supports both SSH and Telnet.

ssh: Supports SSH only.

telnet: Supports Telnet only.

Usage guidelines

This configuration is effective only for a user who logs in to the user interface after the configuration is made.

Before configuring a user interface to support SSH, set the authentication mode to scheme for the user interface. For more information, see authentication-mode.

Examples

# Enable the VTYs 0 through 4 to support only SSH.

<Sysname> system-view

[Sysname] user-interface vty 0 4

[Sysname-ui-vty0-4] authentication-mode scheme

[Sysname-ui-vty0-4] protocol inbound ssh

screen-length

Use screen-length to set the maximum number of lines to be displayed on a screen.

Use undo screen-length to restore the default.

Syntax

screen-length screen-length

undo screen-length

Default

Up to 24 lines are displayed on a screen.

Views

User interface view

Default command level

2: System level

Parameters

screen-length: Specifies the maximum number of lines to be displayed on a screen, in the range of 0 to 512. The value of 0 disables pausing between screens of output.

Usage guidelines

When screen output pauses, press the Space key to display the next screen. Not all terminals support this setting. For example, assume you set screen-length to 40, but the terminal can display 24 lines in one screen at most. When you press Space, the device sends 40 lines to the terminal, but the screen displays only lines 18 through 40. To view the first 17 lines, press the page up or page down key.

To disable pausing between screens of output for the current session, use the screen-length disable command.

Examples

# Set the maximum number of lines to be displayed on a screen to 30 for the user interface Console 0.

<Sysname> system-view

[Sysname] user-interface console 0

[Sysname-ui-console0] screen-length 30

Related commands

screen-length disable

send

Use send to send messages to user interfaces.

Syntax

send { all | num1 | { console | vty } num2 }

Views

User view

Default command level

1: Monitor level

Parameters

all: Specifies all user interfaces.

num1: Specifies the absolute number of a user interface. The value range typically starts from 0.

console: Specifies a console user interface.

vty: Specifies a VTY user interface.

num2: Specifies the relative number of a user interface.

Usage guidelines

To end message input, press Ctrl+Z. To cancel message input and return to user view, press Ctrl+C.

Examples

# Send message hello abc to your own user interface Console 0.

<Sysname> send console 0

Enter message, end with CTRL+Z or Enter; abort with CTRL+C:

hello abc^Z

Send message? [Y/N]:y

<Sysname>

 

***

***

***Message from con0 to con0

***

hello abc

 

 

<Sysname>

# Before you restart the device, inform other login users so they prepare for the reboot:

1.        Display which user interfaces are being used.

<Sysname> display users

The user application information of the user interface(s):

  Idx UI      Delay    Type Userlevel

+ 1   VTY 0   00:06:13 TEL  3

  2   VTY 1   00:00:00 TEL  3

  3   VTY 2   00:00:15 TEL  3

 

Following are more details.

VTY 0   :

        Location: 192.168.0.210

VTY 1   :

        Location: 192.168.0.214

VTY 2   :

        Location: 192.168.0.222

 +    : Current operation user.

 F    : Current operation user work in async mode.

// The output shows that you are using VTY 0 and two other users are using VTY 1 and VTY 2.

2.        Send a notification message to the user of VTY 1.

<Sysname> send vty 1

Enter message, end with CTRL+Z or Enter; abort with CTRL+C:

Your attention, please. I will reboot the system in 3 minutes!^Z

Send message? [Y/N]:y

The message should appear on the screen of the user's configuration terminal. In the following example, the user was entering the interface vlan-interface command when the message arrived:

[Sysname] interface vla

 

***

***

***Message from vty0 to vty1

***

Note please. I will reboot the system in 3 minutes!

set authentication password

Use set authentication password to set a password for password authentication.

Use undo set authentication password to remove the password.

Syntax

set authentication password { cipher | simple } password

undo set authentication password

Default

No password is set for password authentication.

Views

User interface view

Default command level

3: Manage level

Parameters

cipher: Sets a ciphertext password.

simple: Sets a plaintext password.

password: Specifies the password string. This argument is case sensitive. If simple is specified, it must be a string of 1 to 16 characters. If cipher is specified, it must be a ciphertext string of 1 to 53 characters.

Usage guidelines

For secrecy, all keys, including keys configured in plain text, are saved in cipher text.

Examples

# Set the password for password authentication on user interface Console 0 to plaintext hello.

<Sysname> system-view

[Sysname] user-interface console 0

[Sysname-ui-console0] authentication-mode password

[Sysname-ui-console0] set authentication password simple hello

Related commands

authentication-mode

shell

Use shell to enable the terminal service for a user interface.

Use undo shell to disable the terminal service for a user interface.

Syntax

shell

undo shell

Default

The terminal service is enabled on all user interfaces.

Views

User interface view

Default command level

3: Manage level

Usage guidelines

The console user interface does not support the undo shell command.

You cannot disable the terminal service on the user interface you are using.

Examples

# Disable the terminal service for the user interfaces VTY 0 through VTY 4 so no user can log in to the device through the user interfaces.

<Sysname> system-view

[Sysname] user-interface vty 0 4

[Sysname-ui-vty0-4] undo shell

% Disable ui-vty0-4 , are you sure? [Y/N]:y

[Sysname-ui-vty0-4]

The following message appears when a user tries to Telnet to the device:

The connection was closed by the remote host!

speed (user interface view)

Use speed to set the transmission rate (also called the "baud rate") on a user interface.

Use undo speed to restore the default.

Syntax

speed speed-value

undo speed

Default

The transmission rate is 9600 bps.

Views

User interface view

Default command level

2: System level

Parameters

speed-value: Transmission rate in bps. The transmission rates available for asynchronous serial interfaces include: 300 bps, 600 bps, 1200 bps, 2400 bps, 4800 bps, 9600 bps, 19200 bps, 38400 bps, 57600 bps, and 115200 bps. The transmission rate varies with devices and configuration environments.

Usage guidelines

This command is only applicable to the console port.

The configuration terminal and the device must be configured with the same transmission rate to communicate.

Examples

# Set the transmission rate on the user interface Console 0 to 19200 bps.

<Sysname> system-view

[Sysname] user-interface console 0

[Sysname-ui-console0] speed 19200

telnet

Use telnet to Telnet to a host in an IPv4 network.

Syntax

telnet remote-host [ service-port ] [ source { interface interface-type interface-number | ip ip-address } ]

Views

User view

Default command level

0: Visit level

Parameters

remote-host: Specifies the IPv4 address or host name of a remote host, a case-insensitive string of 1 to 20 characters.

service-port: Specifies the TCP port number for the Telnet service on the remote host. It ranges from 0 to 65535 and defaults to 23.

source: Specifies a source IPv4 address or source interface for outgoing Telnet packets.

interface interface-type interface-number: Specifies the source interface. The primary IPv4 address of the interface will be used as the source IPv4 address for outgoing Telnet packets.

ip ip-address: Specifies the source IPv4 address for outgoing Telnet packets.

Usage guidelines

To terminate the current Telnet connection, press Ctrl+K or execute the quit command.

The source IPv4 address or source interface specified by this command is only applicable to the current Telnet connection.

Examples

# Telnet to host 1.1.1.2, using 1.1.1.1 as the source IP address for outgoing Telnet packets.

<Sysname> telnet 1.1.1.2 source ip 1.1.1.1

telnet client source

Use telnet client source to specify a source IPv4 address or source interface for outgoing Telnet packets when the device serves as a Telnet client.

Use undo telnet client source to remove the configuration.

Syntax

telnet client source { interface interface-type interface-number | ip ip-address }

undo telnet client source

Default

No source IPv4 address or source interface is specified for outgoing Telnet packets. The source IPv4 address is the primary IPv4 address of the outbound interface.

Views

System view

Default command level

2: System level

Parameters

interface interface-type interface-number: Specifies a source interface. The primary IP address of this interface will be used as the source IPv4 address for outgoing Telnet packets.

ip ip-address: Specifies a source IPv4 address.

Usage guidelines

The source IPv4 address or source interface specified by this command is applicable to all Telnet connections. However, if a user specifies a source IPv4 address or source interface when executing the telnet command, the setting specified by the user takes effect.

Examples

# Set the source IPv4 address for outgoing Telnet packets to 1.1.1.1 when the device serves as a Telnet client.

<Sysname> system-view

[Sysname] telnet client source ip 1.1.1.1

Related commands

display telnet client configuration

telnet ipv6

Use telnet ipv6 to Telnet to a host in an IPv6 network.

Syntax

telnet ipv6 remote-host [ -i interface-type interface-number ] [ port-number ]

Views

User view

Default command level

0: Visit level

Parameters

remote-host: Specifies the IP address or host name of a remote host, a case-insensitive string of 1 to 46 characters.

-i interface-type interface-number: Specifies the outbound interface for sending Telnet packets. This option is required when the destination address is a link-local address.

port-number: Specifies the TCP port number for the Telnet service on the remote host. It ranges from 0 to 65535 and defaults to 23.

Usage guidelines

To terminate the current Telnet connection, press Ctrl+K or execute the quit command.

Examples

# Telnet to the host at 5000::1.

<Sysname> telnet ipv6 5000::1

telnet server enable

Use telnet server enable to enable the Telnet server function.

Use undo telnet server enable to disable the Telnet server function.

Syntax

telnet server enable

undo telnet server enable

Default

The Telnet server function is enabled.

Views

System view

Default command level

3: Manage level

Examples

# Enable the Telnet server function.

<Sysname> system-view

[Sysname] telnet server enable
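
An added example, not part of the H3C reference: a Python check that reads configuration text and flags the exposures implied by the defaults and usage guidelines on this page (Telnet server enabled by default, VTY user interfaces that accept Telnet, VTY user interfaces with no inbound ACL, and HTTP or HTTPS enabled with no ACL or with only a WLAN ACL). The sample configuration and the finding names are constructed; the check assumes the text uses the command syntax shown here and lists only settings that differ from the defaults.

```python
import re

# Constructed sample (not from a real device). Assumption: the text uses the
# command syntax documented on this page and, like a saved configuration,
# lists only settings that differ from the defaults.
SAMPLE_CONFIG = """\
 ip http enable
 ip http acl 100
 ip https enable
 ip https acl 100
 ip https acl 2001
 ip https acl 2002
#
user-interface vty 0 4
 protocol inbound ssh
 acl 2001 inbound
user-interface vty 5 9
#
"""


def acl_type(number):
    """Map an ACL number to the type ranges given in this reference."""
    if 100 <= number <= 199:
        return "wlan"
    return "basic" if 2000 <= number <= 2999 else "other"


def parse_config(text):
    """Collect login-related settings, starting from the documented defaults."""
    state = {
        "telnet_server": True,                    # default: enabled
        "http": {"enabled": False, "acls": {}},   # default: disabled, no ACL
        "https": {"enabled": False, "acls": {}},  # default: disabled, no ACL
        "vty": [],
    }
    current = None  # VTY block being read, if any
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"user-interface vty (\d+)(?: (\d+))?", line):
            current = {"name": "vty " + " ".join(g for g in m.groups() if g),
                       "protocol": "all", "inbound_acl": None}
            state["vty"].append(current)
        elif line == "#" or line.startswith("user-interface"):
            current = None
        elif line == "undo telnet server enable":
            state["telnet_server"] = False
        elif m := re.fullmatch(r"ip (https?) enable", line):
            state[m.group(1)]["enabled"] = True
        elif m := re.fullmatch(r"ip (https?) acl (\d+)", line):
            number = int(m.group(2))
            # Same-type ACLs overwrite each other; WLAN and basic coexist.
            state[m.group(1)]["acls"][acl_type(number)] = number
        elif current and (m := re.fullmatch(r"protocol inbound (all|ssh|telnet)", line)):
            current["protocol"] = m.group(1)
        elif current and (m := re.fullmatch(r"acl (?:ipv6 )?(\d+) inbound", line)):
            current["inbound_acl"] = int(m.group(1))
    return state


def audit(state):
    """Return (finding, subject) pairs for the exposures this page describes."""
    findings = []
    for svc in ("http", "https"):
        if not state[svc]["enabled"]:
            continue
        acls = state[svc]["acls"]
        if not acls:
            findings.append(("NO_ACL", svc))
        elif set(acls) == {"wlan"}:
            # A WLAN ACL filters wireless clients only; wired clients pass.
            findings.append(("WLAN_ACL_ONLY", svc))
    for vty in state["vty"]:
        if state["telnet_server"] and vty["protocol"] in ("all", "telnet"):
            findings.append(("TELNET_ACCEPTED", vty["name"]))
        if vty["inbound_acl"] is None:
            findings.append(("NO_INBOUND_ACL", vty["name"]))
    return findings


if __name__ == "__main__":
    for finding, subject in audit(parse_config(SAMPLE_CONFIG)):
        print(f"{finding:16} {subject}")
```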

terminal type

Use terminal type to specify the terminal display type.

Use undo terminal type to restore the default.

Syntax

terminal type { ansi | vt100 }

undo terminal type

Default

The terminal display type is ANSI.

Views

User interface view

Default command level

2: System level

Parameters

ansi: Specifies the terminal display type ANSI.

vt100: Specifies the terminal display type VT100.

Usage guidelines

The device supports two terminal display types: ANSI and VT100. To ensure proper display on the terminal, set the display type of both the device and the configuration terminal to VT100. Otherwise, when a command line has more than 80 characters, an anomaly such as cursor positioning error or abnormal display might occur.

Examples

# Set the terminal display type to VT100.

<Sysname> system-view

[Sysname] user-interface vty 0

[Sysname-ui-vty0] terminal type vt100

user privilege level

Use user privilege level to configure the user privilege level. Users logging into the user interface are assigned a user privilege level.

Use undo user privilege level to restore the default.

Syntax

user privilege level level

undo user privilege level

Default

The command level is 3 for the console user interface and 0 for other user interfaces.

Views

User interface view

Default command level

3: Manage level

Parameters

level: Specifies a user privilege level, which ranges from 0 to 3.

Usage guidelines

User privilege levels include visit, monitor, system, and manage, represented by the numbers 0, 1, 2, and 3, respectively. You can change the user privilege level when necessary.

Examples

# Set the command level for users logging in through VTY 0 to 0.

<Sysname> system-view

[Sysname] user-interface vty 0

[Sysname-ui-vty0] user privilege level 0

After you Telnet to the device through VTY 0, the terminal only displays commands of level 0 in the help information:

<Sysname> ?

User view commands:

  display  Display current system information

  ping     Ping function

  quit     Exit from current command view

  ssh2     Establish a secure shell client connection

  super    Set the current user priority level

  telnet   Establish one TELNET connection

  tracert  Trace route function 

user-interface

Use user-interface to enter user interface view.

Syntax

user-interface { first-num1 [ last-num1 ] | { console | vty } first-num2 [ last-num2 ] }

Views

System view

Default command level

2: System level

Parameters

first-num1: Specifies the absolute number of the first user interface. The value range typically starts from 0.

last-num1: Specifies the absolute number of the last user interface. This number cannot be smaller than first-num1.

console: Specifies the console user interface.

vty: Specifies the VTY user interface.

first-num2: Specifies the relative number of the first user interface.

last-num2: Specifies the relative number of the last user interface. This number cannot be smaller than first-num2.

Usage guidelines

If you use this command to enter a single user interface view, your configuration applies only to the user interface.

If you use this command to enter multiple user interface views, your configuration applies to all the specified user interfaces.

Examples

# Enter the view of user interface Console 0.

<Sysname> system-view

[Sysname] user-interface console 0

[Sysname-ui-console0]

# Enter the views of user interfaces VTY 0 to VTY 4.

<Sysname> system-view

[Sysname] user-interface vty 0 4

[Sysname-ui-vty0-4]

web captcha

Use web captcha to specify a fixed verification code for Web login.

Use undo web captcha to restore the default.

Syntax

web captcha verification-code

undo web captcha

Default

A Web user must enter the verification code displayed on the login page to log in.

Views

User view

Default command level

3: Manage level

Parameters

verification-code: Specifies the fixed verification code for Web login, a case-sensitive 4-character string.

Usage guidelines

If you configure the web captcha command multiple times, the most recent configuration takes effect.

After you configure a fixed verification code for Web login, a Web user can log in with that code regardless of the verification code displayed on the login page. This feature is intended for test environments where a script is usually used for Web function tests. By eliminating the requirement to enter the displayed verification code every time, this feature helps improve test efficiency.

For Web access security, do not use this feature in production environments.

This command is not saved to the configuration file and cannot survive a reboot.

Examples

# Specify a fixed verification code for Web login.

<Sysname> web captcha test

web https-authorization mode

Use web https-authorization mode to set the HTTPS user authentication mode.

Use undo web https-authorization mode to restore the default.

Syntax

web https-authorization mode { auto | manual }

undo web https-authorization mode

Default

The HTTPS user authentication mode is manual.

Views

System view

Default command level

2: System level

Parameters

auto: Uses the PKI certificates of HTTPS clients to authenticate them.

manual: Provides a login page for HTTPS users to enter the correct username and password.

Usage guidelines

In manual mode, a user must enter the correct username and password to log in through HTTPS.

In auto mode, the device first checks the certificate of the client:

·          If the certificate is correct and not expired, the CN field in the certificate is used as the username to perform AAA authentication. If the authentication succeeds, the Web interface of the device appears on the user's terminal.

·          If the certificate is correct and not expired, but the AAA authentication fails, the device shows the Web login page and the user must enter the correct username and password to log in.

·          If the certificate is incorrect or expired, the HTTPS connection is terminated.

Examples

# Set the HTTPS user authentication mode to auto.

<Sysname> system-view

[Sysname] web https-authorization mode auto

web idle-timeout

Use web idle-timeout to set the Web user connection timeout time.

Use undo web idle-timeout to restore the default.

Syntax

web idle-timeout minutes

undo web idle-timeout

Default

The Web user connection timeout time is 10 minutes.

Views

System view

Default command level

2: System level

Parameters

minutes: Specifies the timeout time in minutes, in the range of 1 to 999.

Examples

# Set the Web user connection timeout time to 20 minutes.

<System> system-view

[System] web idle-timeout 20

web logbuffer size

Use web logbuffer size to set the size of the Web login log buffer.

Use undo web logbuffer size to restore the default.

Syntax

web logbuffer size pieces

undo web logbuffer size

Views

System view

Default command level

2: System level

Parameters

pieces: Size of the Web login log buffer, in the number of log messages. The value range is 0 to 1024. The default is 512.

Examples

# Set the size of the Web login log buffer to 800.

<System> system-view

[System] web logbuffer size 800

 
