Huawei-S2300-Configuration-Guide

November 28, 2017 | Author: Andrés Espejo | Category: File Transfer Protocol, Secure Shell, Computer Terminal, Command Line Interface, Network Switch

Quidway S2300 Series Ethernet Switches V100R006C00

Configuration Guide - Basic Configuration

Issue: 02

Date: 2011-07-15

HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2011. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

The Huawei logo and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied. The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China

Website: http://www.huawei.com

Email: [email protected]

Issue 02 (2011-07-15)

Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.

i

Quidway S2300 Series Ethernet Switches Configuration Guide - Basic Configuration

About This Document

Intended Audience

This document provides the basic concepts, basic configuration procedures, and configuration examples supported by the S2300. This document is intended for:

- Data configuration engineers
- Commissioning engineers
- Network monitoring engineers
- System maintenance engineers

Symbol Conventions

The symbols that may be found in this document are defined as follows.

Symbol: Description

DANGER: Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.

WARNING: Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.

CAUTION: Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.

TIP: Indicates a tip that may help you solve a problem or save time.

NOTE: Provides additional information to emphasize or supplement important points of the main text.


Command Conventions

The command conventions that may be found in this document are defined as follows.

Convention: Description

Boldface: The keywords of a command line are in boldface.

Italic: Command arguments are in italics.

[ ]: Items (keywords or arguments) in brackets [ ] are optional.

{ x | y | ... }: Optional items are grouped in braces and separated by vertical bars. One item is selected.

[ x | y | ... ]: Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.

{ x | y | ... }*: Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.

[ x | y | ... ]*: Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.

&: The parameter before the & sign can be repeated 1 to n times.

#: A line starting with the # sign is a comment.

Change History

Updates between document issues are cumulative. Therefore, the latest document issue contains all updates made in previous issues.

Changes in Issue 02 (2011-07-15)

The second commercial release has the following updates:

- Some contents are modified according to updates in the product such as features and commands.
- Output information of some commands is modified.
- Some figures are optimized.

Changes in Issue 01 (2011-05-20)

Initial commercial release.


Contents

About This Document (p. ii)

1 Logging In to Switch (p. 1)
1.1 Introduction (p. 2)
1.1.1 Login Through the Console (p. 2)
1.1.2 Login Through Telnet (p. 2)
1.2 Logging In to the Device Through the Console Port (p. 2)
1.2.1 Establishing the Configuration Task (p. 3)
1.2.2 Establishing the Physical Connection (p. 3)
1.2.3 Configuring Terminals (p. 4)
1.2.4 Logging In to the Device (p. 4)
1.3 Logging In to Device Through Telnet (p. 4)
1.3.1 Establishing the Configuration Task (p. 5)
1.3.2 Establishing the Physical Connection (p. 5)
1.3.3 Configuring Login User Parameters (p. 6)
1.3.4 Logging In from the Telnet Client (p. 6)
1.4 Configuration Examples (p. 6)
1.4.1 Example for Logging In Through the Console Port (p. 6)
1.4.2 Example for Logging In Through Telnet (p. 9)

2 CLI Overview (p. 11)
2.1 CLI Introduction (p. 12)
2.1.1 Command Line Interface (p. 12)
2.1.2 Command Levels (p. 12)
2.1.3 Command Views (p. 13)
2.2 Online Help (p. 15)
2.2.1 Full Help (p. 16)
2.2.2 Partial Help (p. 16)
2.2.3 Error Messages of the Command Line Interface (p. 17)
2.3 Features of Command Line Interface (p. 17)
2.3.1 Editing (p. 17)
2.3.2 Displaying (p. 18)
2.3.3 Regular Expressions (p. 19)
2.3.4 History Commands (p. 22)


2.4 Shortcut Keys (p. 23)
2.4.1 System Shortcut Keys (p. 23)
2.5 Configuration Examples (p. 24)
2.5.1 Example for Using the Tab Key (p. 24)

3 How to Use Interfaces (p. 26)
3.1 Introduction to Interfaces (p. 27)
3.2 Setting Basic Parameters of an Interface (p. 29)
3.2.1 Establishing the Configuration Task (p. 29)
3.2.2 Entering the Interface View (p. 30)
3.2.3 Viewing All the Commands in the Interface View (p. 30)
3.2.4 Configuring the Description for an Interface (p. 31)
3.2.5 Starting and Shutting Down an Interface (p. 31)
3.2.6 Further Configuration of an Interface (p. 32)
3.2.7 Checking the Configuration (p. 32)
3.3 Configuring the Loopback Interface (p. 33)
3.3.1 Establishing the Configuration Task (p. 33)
3.3.2 Configuring IPv4 Parameters of the Loopback Interface (p. 33)
3.3.3 Checking the Configuration (p. 34)
3.4 Maintaining the Interface (p. 34)
3.4.1 Clearing Statistics Information on the Interface (p. 34)
3.4.2 Debugging the Interface (p. 35)

4 Basic Configuration (p. 36)
4.1 Basic Configuration Introduction (p. 37)
4.2 Configuring the Basic System Environment (p. 37)
4.2.1 Establishing the Configuration Task (p. 37)
4.2.2 Configuring the Equipment Name (p. 38)
4.2.3 Setting the System Clock (p. 38)
4.2.4 Configuring a Header (p. 39)
4.2.5 Configuring Command Levels (p. 40)
4.3 Configuring Basic User Environment (p. 41)
4.3.1 Establishing the Configuration Task (p. 41)
4.3.2 Configuring the Password for Switching User Levels (p. 41)
4.3.3 Switching User Levels (p. 42)
4.3.4 Locking User Interfaces (p. 43)
4.4 Displaying System Status Messages (p. 43)
4.4.1 Displaying System Configuration (p. 43)
4.4.2 Displaying System Status (p. 44)
4.4.3 Collecting System Diagnostic Information (p. 44)

5 User Management (p. 45)
5.1 User Management Introduction (p. 46)
5.1.1 User Interface (p. 46)


5.1.2 User Authentication (p. 47)
5.2 Logging In to the S2300 Through the Console Port (p. 49)
5.2.1 Establishing the Configuration Task (p. 49)
5.2.2 Logging In to the S2300 Through the Console Interface (p. 50)
5.3 Configuring Console User Interface (p. 53)
5.3.1 Establishing the Configuration Task (p. 53)
5.3.2 Configuring Console Interface Attributes (p. 54)
5.3.3 Setting Console Terminal Attributes (p. 55)
5.3.4 Configuring User Priority (p. 56)
5.3.5 Configuring User Authentication (p. 57)
5.3.6 Checking the Configuration (p. 58)
5.4 Configuring VTY User Interface (p. 58)
5.4.1 Establishing the Configuration Task (p. 58)
5.4.2 Configuring Maximum VTY User Interfaces (p. 59)
5.4.3 (Optional) Configuring Limits for Incoming Calls and Outgoing Calls (p. 60)
5.4.4 Configuring VTY Terminal Attributes (p. 60)
5.4.5 Configuring User Authentication (p. 61)
5.4.6 Checking the Configuration (p. 63)
5.5 Managing User Interfaces (p. 63)
5.5.1 Establishing the Configuration Task (p. 63)
5.5.2 Sending Messages to Other User Interfaces (p. 64)
5.5.3 Clearing Online User (p. 64)
5.5.4 Checking the Configuration (p. 65)
5.6 Configuring User Management (p. 65)
5.6.1 Establishing the Configuration Task (p. 65)
5.6.2 Configuring Authentication Mode (p. 66)
5.6.3 Configuring Authentication Password (p. 66)
5.6.4 Setting Username and Password for AAA Local Authentication (p. 67)
5.6.5 Configuring Non-Authentication (p. 67)
5.6.6 Configuring User Priority (p. 68)
5.6.7 Checking the Configuration (p. 68)
5.7 Configuration Examples (p. 69)
5.7.1 Example for Configuring Logging In to the Switch Through Password (p. 69)
5.7.2 Example for Logging In to the Device Through AAA (p. 70)

6 File System Management (p. 72)
6.1 Overview of the File System (p. 73)
6.2 Managing a Storage Device (p. 73)
6.2.1 Establishing the Configuration Task (p. 73)
6.2.2 Restoring Storage Devices with File System Troubles (p. 74)
6.2.3 (Optional) Formatting a Storage Device (p. 74)
6.3 Managing the Directory (p. 74)
6.3.1 Establishing the Configuration Task (p. 74)


6.3.2 Viewing the Current Directory (p. 75)
6.3.3 Switching a Directory (p. 75)
6.3.4 Displaying a Directory or File (p. 76)
6.3.5 Creating a Directory (p. 76)
6.3.6 Deleting a Directory (p. 76)
6.4 Managing Files (p. 77)
6.4.1 Establishing the Configuration Task (p. 77)
6.4.2 Displaying Contents of Files (p. 78)
6.4.3 Copying Files (p. 78)
6.4.4 Moving Files (p. 78)
6.4.5 Renaming Files (p. 79)
6.4.6 Compressing Files (p. 79)
6.4.7 Deleting Files (p. 79)
6.4.8 Deleting Files in the Recycle Bin (p. 80)
6.4.9 Undeleting Files (p. 80)
6.4.10 Running Files in Batch (p. 81)
6.4.11 Configuring Prompt Modes (p. 81)

7 Management of Configuration Files (p. 83)
7.1 Management of Configuration Files Introduction (p. 84)
7.1.1 Configuration Files (p. 84)
7.1.2 Configuration Files and Current Configurations (p. 84)
7.2 Managing Configuration Files (p. 85)
7.2.1 Establishing the Configuration Task (p. 85)
7.2.2 Configuring System Software for a Switch to Load for the Next Startup (p. 85)
7.2.3 Configuring the Configuration File for Switch to Load for the Next Startup (p. 86)
7.2.4 Saving Configuration File (p. 86)
7.2.5 Clearing a Configuration File (p. 87)
7.2.6 Comparing Configuration Files (p. 87)
7.2.7 Checking the Configuration (p. 88)

8 FTP and TFTP (p. 90)
8.1 FTP and TFTP Introduction (p. 91)
8.1.1 FTP (p. 91)
8.1.2 TFTP (p. 91)
8.2 Configuring the Switch to Be the FTP Server (p. 91)
8.2.1 Establishing the Configuration Task (p. 92)
8.2.2 (Optional) Specifying a Port Number for the FTP Server (p. 92)
8.2.3 Enabling the FTP Server (p. 93)
8.2.4 (Optional) Configuring the Timeout Period (p. 93)
8.2.5 Configuring the Local Username and the Password (p. 94)
8.2.6 Configuring the Service Type and Authorization Information (p. 94)
8.2.7 Checking the Configuration (p. 95)
8.3 Configuring FTP ACL (p. 95)


8.3.1 Establishing the Configuration Task .......... 95
8.3.2 Enabling the FTP Server .......... 96
8.3.3 Configuring a Basic ACL .......... 96
8.3.4 Configuring the Basic FTP ACL .......... 97
8.3.5 Checking the Configuration .......... 97
8.4 Configuring the Switch to Be the FTP Client .......... 98
8.4.1 Establishing the Configuration Task .......... 98
8.4.2 Logging In to the FTP Server .......... 99
8.4.3 Configuring Data Type and Transmission Mode for the File .......... 100
8.4.4 (Optional) Viewing Online Help of the FTP Command .......... 100
8.4.5 Uploading or Downloading Files .......... 101
8.4.6 Managing Directories .......... 101
8.4.7 Managing Files .......... 102
8.4.8 (Optional) Changing Login Users .......... 102
8.4.9 Disconnecting from the FTP Server .......... 103
8.5 Configuring the Switch to Be the TFTP Client .......... 103
8.5.1 Establishing the Configuration Task .......... 104
8.5.2 (Optional) Configuring a Source IP Address for a TFTP Client .......... 104
8.5.3 Downloading Files Through TFTP .......... 105
8.5.4 Uploading Files Through TFTP .......... 105
8.6 Limiting the Access to the TFTP Server .......... 106
8.6.1 Establishing the Configuration Task .......... 106
8.6.2 Configuring the Basic ACL .......... 106
8.6.3 Configuring the Basic TFTP ACL .......... 107
8.7 Configuration Examples .......... 107
8.7.1 Example for Configuring the FTP Server .......... 107
8.7.2 Example for Configuring an ACL of the FTP Server .......... 110
8.7.3 Example for Configuring the FTP Client .......... 111
8.7.4 Example for Configuring the TFTP Client .......... 114

9 Telnet and SSH .......... 116
9.1 Telnet and SSH Introduction .......... 117
9.1.1 Overview of User Login .......... 117
9.1.2 Telnet Terminal Services .......... 117
9.1.3 SSH Terminal Services .......... 118
9.2 Configuring Telnet Terminal Services .......... 119
9.2.1 Establishing the Configuration Task .......... 119
9.2.2 Enabling the Telnet Service .......... 120
9.2.3 Establishing a Telnet Connection .......... 121
9.2.4 (Optional) Configuring a Telnet Server Port Number .......... 121
9.2.5 (Optional) Scheduled Telnet Disconnection .......... 122
9.2.6 Checking the Configuration .......... 122
9.3 Configuring SSH Users .......... 123


9.3.1 Establishing the Configuration Task .......... 123
9.3.2 Creating SSH User .......... 124
9.3.3 Configuring SSH for the VTY User Interface .......... 125
9.3.4 Generating a Local RSA Key Pair .......... 125
9.3.5 Configuring the Authentication Mode for SSH Users .......... 126
9.3.6 (Optional) Configuring the Basic Authentication Information for SSH Users .......... 127
9.3.7 (Optional) Authorizing SSH Users Through the Command Line .......... 128
9.3.8 Configuring the Service Type of SSH Users .......... 128
9.3.9 (Optional) Configuring the Authorized Directory of the SFTP Service for SSH Users .......... 129
9.3.10 Checking the Configuration .......... 129
9.4 Configuring the SSH Server Function .......... 130
9.4.1 Establishing the Configuration Task .......... 130
9.4.2 Enabling the STelnet Service .......... 131
9.4.3 Enabling the SFTP Service .......... 131
9.4.4 Enabling SCP Services .......... 131
9.4.5 (Optional) Enabling the Earlier Version - Compatible Function .......... 132
9.4.6 (Optional) Configuring the Number of the Port Monitored by the SSH Server .......... 132
9.4.7 (Optional) Configuring the Interval for Updating the Key Pair on the SSH Server .......... 133
9.4.8 Checking the Configuration .......... 133
9.5 Configuring the STelnet Client Function .......... 134
9.5.1 Establishing the Configuration Task .......... 134
9.5.2 Enabling the First-Time Authentication on the SSH Client .......... 135
9.5.3 (Optional) Assigning an RSA Public Key to the SSH Server .......... 136
9.5.4 Enabling the STelnet Client .......... 137
9.5.5 Checking the Configuration .......... 138
9.6 Configuring the SFTP Client Function .......... 138
9.6.1 Establishing the Configuration Task .......... 138
9.6.2 Configuring the First-Time Authentication on the SSH Client .......... 139
9.6.3 (Optional) Assigning an RSA Public Key to the SSH Server .......... 140
9.6.4 Enabling the SFTP Client .......... 141
9.6.5 (Optional) Managing the Directory .......... 142
9.6.6 (Optional) Managing the File .......... 143
9.6.7 (Optional) Displaying the SFTP Client Command Help .......... 144
9.6.8 Checking the Configuration .......... 145
9.7 Configuring the SCP Client .......... 146
9.7.1 Establishing the Configuration Task .......... 146
9.7.2 (Optional) Configuring a Source IP Address for the SCP Client .......... 146
9.7.3 Copying Files .......... 147
9.7.4 Checking the Configuration .......... 148
9.8 Configuration Examples .......... 148
9.8.1 Example for Configuring the Telnet Terminal Service .......... 148
9.8.2 Example for Configuring the PC as the STelnet Client to Connect to the SSH Server .......... 150


9.8.3 Example for Configuring the Switch as the STelnet Client to Connect to the SSH Server .......... 153
9.8.4 Example for Connecting the SFTP Client and the SSH Server .......... 160
9.8.5 Example for Configuring the SSH Server to Support the Access from Another Port .......... 165
9.8.6 Example for Authenticating SSH Through RADIUS .......... 172
9.8.7 Example for Configuring the SCP Client .......... 177

10 Web System Configuration .......... 180
10.1 Overview of Web System .......... 181
10.2 Starting Web System .......... 181
10.2.1 Logging In to the S2300 Through the Console Interface .......... 181
10.2.2 Setting the Management IP Address of the S2300 .......... 185
10.2.3 Uploading Web Page Files .......... 186
10.2.4 Loading a Web Page File .......... 187
10.2.5 Creating a Web Account .......... 187
10.2.6 Logging In to the Web System .......... 188


1 Logging In to Switch


About This Chapter

Before configuring switches, you need to log in to the switch.

1.1 Introduction
You can log in to switches through the console port or Telnet.

1.2 Logging In to the Device Through the Console Port
This section describes how to connect a terminal to a switch through the console port to establish the configuration environment.

1.3 Logging In to Device Through Telnet
This section describes how to connect a terminal to a switch through Telnet to establish the configuration environment.

1.4 Configuration Examples
This section provides examples for configuring users to log in to the switch through the console port or Telnet, together with the configuration flowchart. The configuration examples explain networking requirements, configuration notes, and the configuration roadmap.


1.1 Introduction

You can log in to switches through the console port or Telnet.

1.1.1 Login Through the Console

When a switch is powered on for the first time, or when a switch needs to be configured locally, you can log in to the switch through the console port. In the following cases, a switch can be configured only through the console port:

- The switch is powered on for the first time.
- The user cannot log in through Telnet.

1.1.2 Login Through Telnet

If you know the IP address of a switch, you can log in to the switch through Telnet to perform local or remote configuration. You need to pre-configure the IP addresses of interfaces, the user account, the authentication mode, and the incoming and outgoing call restrictions through the console interface on the switch. Also, ensure that the terminal and the switch are directly connected or reachable through other switches. The destination switch authenticates the user based on the configured parameters in one of three modes:

- Password authentication: the login user must enter the correct password.
- AAA local authentication: the login user must enter the correct user name and password.
- None authentication: the login user does not need to enter a user name or password.

If the login succeeds, a command line prompt such as <Quidway> appears on the Telnet client interface. Enter a command to check the running status of the switch or to configure the switch. Enter "?" for help.

NOTE
Do not modify the IP address of the switch while you configure it through Telnet, because the modification may terminate the Telnet connection. If you do change it, set up the connection again using the new IP address.

1.2 Logging In to the Device Through the Console Port

This section describes how to connect a terminal to a switch through the console port to establish the configuration environment.


1.2.1 Establishing the Configuration Task

Before configuring login to the switch through the console port, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment

If you log in to the switch for the first time or perform local configuration, you need to log in to the switch through the console port.

NOTE
If you cannot log in to the switch through Telnet, you need to log in to the switch through the console port.

Pre-configuration Tasks

Before configuring login to the switch through the console port, complete the following tasks:

- Preparing the PC/terminal (including the serial port and an RS-232 cable)
- Installing a terminal emulation program on the PC (such as Windows XP HyperTerminal)

Data Preparation

To log in to the switch through the console port, you need the following data.

NOTE
If the AAA authentication mode is configured for users who log in to the switch through the console interface, the correct user name and password must be entered for a successful login.

No.  Data
1    Terminal communication parameters:
     - Baud rate
     - Data bit
     - Parity
     - Stop bit
     - Flow-control mode
2    (Optional) User name and password to be entered for a successful login in AAA authentication mode

1.2.2 Establishing the Physical Connection

This part describes how to physically connect a terminal to a switch before logging in to the switch through the console port.

Context

Do as follows on the switch:

Procedure

Step 1 Connect the COM port on the PC and the console port on the switch with a cable.

Step 2 Power on all devices to perform a self-check.

----End

1.2.3 Configuring Terminals

This part describes how to configure the terminal before logging in to the switch through the console port.

Context

Do as follows on the PC:

Procedure

Step 1 Run the terminal emulation program on the PC, setting the communication parameters as follows:

- Baud rate: 9600 bps
- Data bit: 8
- Stop bit: 1
- Parity: none
- Flow control: none

----End

1.2.4 Logging In to the Device

This part describes how to log in to the switch through the console port.

Context

Do as follows on the PC:

Procedure

Step 1 Press Enter until a command line prompt such as <Quidway> appears. The user view is now displayed and you can configure the switch.

NOTE
If the AAA or password authentication mode is configured for users who log in to the switch through the console interface, the correct user name and password must be entered for a successful login.

----End

1.3 Logging In to Device Through Telnet

This section describes how to connect a terminal to a switch through Telnet to establish the configuration environment.

1.3.1 Establishing the Configuration Task

Before configuring login to the switch through Telnet, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment

If you know the IP address of the switch, you can log in to the switch through Telnet for local or remote configuration.

Pre-configuration Tasks

Before configuring the switch through Telnet, complete the following tasks:

- Powering on devices and performing a self-check
- Preparing the PC (including the serial port and an Ethernet crossover/straight-through cable)

Data Preparation

To log in to the switch through Telnet, you need the following data.

No.  Data
1    IP address of the PC
2    IP address of the Ethernet interface on the switch
3    User information for access through Telnet:
     - User name
     - Password
     - Authentication mode

1.3.2 Establishing the Physical Connection

This part describes how to physically connect a terminal to a switch before logging in to the switch through Telnet.

Prerequisite

The preparations for establishing the physical connection are complete.

Procedure

Step 1 Connect the switch and the PC directly, or connect the switch and the PC to the network through cables.

----End

1.3.3 Configuring Login User Parameters

This part describes how to configure user parameters for login to the switch through Telnet.

Context

Do as follows on the switch:

Procedure

Step 1 Configure the authentication mode of login users.

Step 2 Configure the authority of login users. For details, see 5.4 Configuring VTY User Interface and 5.6 Configuring User Management.

----End

1.3.4 Logging In from the Telnet Client

This part describes how to log in to the switch through Telnet.

Context

Do as follows on the PC:

Procedure

Step 1 Run the Telnet program on the PC that functions as the client, and enter the IP address of the interface on the destination switch that provides the Telnet service.

Step 2 Enter the user name and password in the login window. After authentication, a command line prompt such as <Quidway> appears. You now enter the configuration environment in the user view.

----End

1.4 Configuration Examples

This section provides examples for configuring users to log in to the switch through the console port or Telnet, together with the configuration flowchart. The configuration examples explain networking requirements, configuration notes, and the configuration roadmap.

1.4.1 Example for Logging In Through the Console Port

In this example, you configure the PC so as to log in to the switch through the console port.

Networking Requirements

Initialize the configuration of the switch when the switch is powered on for the first time.

Figure 1-1 Networking diagram of logging in through the console port (PC connected to the switch)

Configuration Roadmap

The configuration roadmap is as follows:

1. Connect the PC and the switch through the console port.
2. Configure the login on the PC end.
3. Log in to the switch.

Data Preparation

To complete the configuration, you need the terminal communication parameters (including baud rate, data bit, parity, stop bit, and flow control).

Procedure

Step 1 Connect the serial port of the PC (or terminal) to the console port of the switch through a standard RS-232 cable. The local configuration environment is established.

Step 2 Run the terminal emulation program on the PC. Set the baud rate to 9600 bps, the data bit to 8, and the stop bit to 1. Specify no parity and no flow control, as shown in Figure 1-2 to Figure 1-4.

Figure 1-2 New connection


Figure 1-3 Setting the port

Figure 1-4 Setting the port communication parameters


Step 3 Power on the switch to perform a self-check; the system then performs automatic configuration. When the self-check ends, you are prompted to press Enter until a command line prompt such as <Quidway> appears. Enter a command to check the running status of the switch or to configure the switch. Enter "?" for help.

----End

1.4.2 Example for Logging In Through Telnet

In this example, you configure user parameters so as to log in to the switch from the PC or other terminals through Telnet.

Networking Requirements

You can log in to the switch from a PC or other terminal on another network segment to perform remote maintenance.

Figure 1-5 Establishing the configuration environment through a WAN (PC, IP network, switch, target switch)

Configuration Roadmap

The configuration roadmap is as follows:

1. Establish the physical connection.
2. Configure user login parameters.
3. Log in to the switch from the client side.

Data Preparation

To complete the configuration, you need the following data:

- IP address of the PC
- IP address of the Ethernet interface on the switch
- User information for access through Telnet (including the user name, password, and authentication mode)

Procedure

Step 1 Connect the PC and the switch to the network.

Step 2 Configure login user parameters on the target switch.

# Configure the login address.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port link-type hybrid
[Quidway-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[Quidway-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[Quidway-GigabitEthernet0/0/1] quit
[Quidway] interface vlanif 10
[Quidway-vlanif10] ip address 202.38.160.92 255.255.0.0
[Quidway-vlanif10] quit

# Configure the login authentication mode.
[Quidway] aaa
[Quidway-aaa] local-user huawei password cipher hello
[Quidway-aaa] local-user huawei service-type telnet
[Quidway-aaa] local-user huawei level 3
[Quidway-aaa] quit
[Quidway] user-interface vty 0 4
[Quidway-ui-vty0-4] authentication-mode aaa

Step 3 Configure the client login. Run Telnet on the PC, as shown in Figure 1-6.

Figure 1-6 Running the Telnet program on the PC

Click OK. Enter the user name and password in the login window. After authentication, a command line prompt such as <Quidway> appears. You now enter the configuration environment in the user view.

NOTE
Before logging in to the switch, ensure that the PC and the switch can ping each other.

----End
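The VTY and AAA settings in Step 2 are what decide whether a remote Telnet login is authenticated at all, and with which kind of credential. The following Python script is an added example, not part of this guide and not a command of the S2300: it parses a configuration transcript in the prompt-prefixed format used in Step 2 (the sample transcript is constructed, with a plaintext-password user and an unauthenticated VTY range added so that there is something to flag) and reports the settings a reviewer would want to check before exposing the switch to Telnet. The script assumes the switch name in the prompt contains no hyphen, since the prompt is split at the first one.

```python
"""Audit a Huawei VRP configuration transcript for weak Telnet login settings.

Added example for this guide; it is not Huawei code and the S2300 has no such
built-in command. The transcript format is the one used in the examples of this
chapter: each line starts with the view prompt in square brackets, e.g.
"[Quidway-aaa] local-user huawei password cipher hello".
"""
import re

# Constructed sample transcript, modelled on Step 2 of section 1.4.2.
# The "password simple" user and the "authentication-mode none" VTY range are
# deliberately weak settings added so that the audit has something to flag.
SAMPLE_TRANSCRIPT = """\
[Quidway] aaa
[Quidway-aaa] local-user huawei password cipher hello
[Quidway-aaa] local-user huawei service-type telnet
[Quidway-aaa] local-user huawei level 3
[Quidway-aaa] local-user guest password simple guest123
[Quidway-aaa] local-user guest service-type telnet
[Quidway-aaa] quit
[Quidway] user-interface vty 0 4
[Quidway-ui-vty0-4] authentication-mode aaa
[Quidway-ui-vty0-4] quit
[Quidway] user-interface vty 5 9
[Quidway-ui-vty5-9] authentication-mode none
"""

# Prompt layout: "[<sysname>]" for the system view, "[<sysname>-<view>]" for
# views entered from it. Assumption: the sysname itself contains no hyphen.
PROMPT_RE = re.compile(
    r"^\[(?P<sysname>[^\]\-]+)(?:-(?P<view>[^\]]+))?\]\s*(?P<cmd>.*)$")


def parse_transcript(text):
    """Split a transcript into (view, command-tokens) pairs.

    "[Quidway]" is reported as view "system"; "[Quidway-aaa]" as "aaa";
    "[Quidway-ui-vty0-4]" as "ui-vty0-4". Lines without a prompt (for example
    the "# ..." comment lines used in this guide) are ignored.
    """
    entries = []
    for raw in text.splitlines():
        m = PROMPT_RE.match(raw.strip())
        if not m or not m.group("cmd"):
            continue
        entries.append((m.group("view") or "system", m.group("cmd").split()))
    return entries


def audit_telnet_login(text):
    """Return a list of (severity, view, message) findings.

    The rules follow the guidance of this chapter: Telnet logins should use AAA
    or password authentication rather than none, and local users stored with
    a plaintext password, granted Telnet access (a cleartext protocol) or
    given the management level (3) deserve a second look.
    """
    findings = []
    for view, cmd in parse_transcript(text):
        if view.startswith("ui-vty") and cmd[:2] == ["authentication-mode", "none"]:
            findings.append(("high", view, "VTY allows login without authentication"))
        if view == "aaa" and cmd[:1] == ["local-user"] and len(cmd) >= 4:
            user = cmd[1]
            if cmd[2:4] == ["password", "simple"]:
                findings.append(("medium", view, f"user {user} stored with a plaintext (simple) password"))
            if cmd[2:4] == ["service-type", "telnet"]:
                findings.append(("low", view, f"user {user} may log in over Telnet (cleartext protocol)"))
            if cmd[2:4] == ["level", "3"]:
                findings.append(("info", view, f"user {user} has management level 3"))
    return findings


if __name__ == "__main__":
    for sev, view, msg in audit_telnet_login(SAMPLE_TRANSCRIPT):
        print(f"{sev:6} [{view}] {msg}")
```

Run against the sample, the script reports the unauthenticated `vty 5 9` range as the only high finding; the `vty 0 4` range configured exactly as in Step 2 produces nothing, which is the intended baseline. Feeding it a saved transcript of your own session is the quickest way to catch an `authentication-mode none` left behind from testing.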


2 CLI Overview


About This Chapter

Users operate devices, that is, configure the device and perform routine maintenance, by entering command lines.

2.1 CLI Introduction
The command line interface (CLI) is the common tool for running commands.

2.2 Online Help
When you enter command lines or configure services, online help offers real-time help in addition to the configuration guide.

2.3 Features of Command Line Interface
You can edit command lines, display command lines, use regular expressions for command lines, and invoke historical commands.

2.4 Shortcut Keys
Using the system shortcut keys makes it easier to enter commands.

2.5 Configuration Examples
This section provides several examples for using command lines.


2.1 CLI Introduction

The command line interface (CLI) is the common tool for running commands.

2.1.1 Command Line Interface

You can configure and manage a switch by using CLI commands. When a prompt appears, you have entered the command line interface (CLI) and can interact with the switch through it. The system provides a series of configuration commands. You can configure and manage the switch by entering commands on the CLI. The characteristics of the CLI are as follows:

- Local configuration through the console port.
- Local or remote configuration through Telnet or Secure Shell (SSH).
- A user interface view for specific configuration management.
- Hierarchical command protection for users of different levels, that is, each user runs only the commands of the corresponding level.
- None authentication, password authentication, and Authentication, Authorization and Accounting (AAA) to prevent unauthorized users from accessing the switch.
- Entering "?" for online help at any time.
- Network testing commands such as tracert and ping for rapidly diagnosing a network.
- Abundant debugging information to help in diagnosing the network.
- The telnet command for directly logging in to and managing other switches.
- FTP service for file uploading and downloading.
- Running a history command, like DosKey.
- A command line interpreter that provides intelligent command resolution methods such as keyword fuzzy match and context conjunction. These methods make it easy for users to enter their commands.

NOTE
- The system supports commands with up to 512 characters. The command can be incomplete (abbreviated).
- The system saves an incomplete command to the configuration file in its complete form; therefore, the saved command may have more than 512 characters. When the system is restarted, however, such a command cannot be restored. Therefore, pay attention to the length of incomplete commands.

2.1.2 Command Levels

The system adopts a hierarchical protection mode that has 16 command levels. The default command levels are as follows:

- Level 0, visit level: commands of this level include the network diagnosis tools (such as ping and tracert) and commands that start from the local device and visit an external device (such as the Telnet client side).
- Level 1, monitoring level: commands of this level, including the display commands, are used for system maintenance and fault diagnosis.
- Level 2, configuration level: commands of this level are service configuration commands that provide direct network service to the user, including routing and network layer commands.
- Level 3, management level: commands of this level influence the basic operation of the system and provide support to the service. They include file system commands, FTP commands, TFTP commands, XModem downloading commands, configuration file switching commands, power supply control commands, backup board control commands, user management commands, level setting commands, system internal parameter setting commands, and debugging commands that are used for fault diagnosis.

CAUTION
Not all display commands are of the monitoring level. For example, the display current-configuration and display saved-configuration commands are of the management level. For the level of a command, see the Quidway S2300 Series Command Reference.

To implement finer-grained management, you can expand the command levels to the full range 0-15. For details, refer to "Configuring Command Levels" in Chapter 4 "Basic Configuration" of the Quidway S2300 Series Configuration Guide - Basic Configurations.

NOTE
- The default command level may be higher than the command level defined according to the command rules in application.
- Login users have the same 16 levels as commands. A login user can use only commands whose level is equal to or lower than the user's own level. For details of login user levels, refer to User Management.

2.1.3 Command Views

The command line interface has different command views. Every command is registered in one or more command views. You can run a command only after you enter the corresponding command view.

Basic Concepts of Command Views

# Establish a connection with the switch. If the switch adopts the default configuration, you enter the user view with the prompt <Quidway>.

# Type system-view to enter the system view.
<Quidway> system-view
[Quidway]

# Type aaa in the system view to enter the AAA view.
[Quidway] aaa
[Quidway-aaa]


NOTE
Quidway in the prompt is the default switch name. The prompt <> indicates the user view and the prompt [] indicates other views.

Some commands that are implemented in the system view can also be implemented in the other views; however, the functions that can be implemented are command view-specific.

Common Views

The S2300 provides various command line views. For the methods of entering command line views other than the following, see the Quidway S2300 Command Reference.

- User view

  Item                Description
  Function            Displays the running status and statistics of the S2300.
  Entry command       Enters the user view after the connection is set up.
  Prompt upon entry   <Quidway>
  Quit command        quit
  Prompt upon quit    None.

- System view

  Item                Description
  Function            Sets the system parameters of the S2300, and enters other function views from this view.
  Entry command       system-view
  Prompt upon entry   [Quidway]
  Quit command        [Quidway] quit
  Prompt upon quit    <Quidway>

- Ethernet interface view

  – Fast Ethernet (FE) interface view

    Item                Description
    Function            Sets parameters related to the FE interfaces of the S2300 and manages the FE interfaces.
    Entry command       [Quidway] interface ethernet X/Y/Z
    Prompt upon entry   [Quidway-EthernetX/Y/Z]
    Quit command        [Quidway-EthernetX/Y/Z] quit
    Prompt upon quit    [Quidway]

    NOTE
    X/Y/Z indicates the number of the FE interface to be configured, in the format slot number/subcard number/interface sequence number.

  – GE interface view

    Item                Description
    Function            Configures parameters related to the GE interfaces of the S2300 and manages the GE interfaces.
    Entry command       [Quidway] interface GigabitEthernet X/Y/Z
    Prompt upon entry   [Quidway-GigabitEthernetX/Y/Z]
    Quit command        [Quidway-GigabitEthernetX/Y/Z] quit
    Prompt upon quit    [Quidway]

    NOTE
    X/Y/Z indicates the number of the GE interface to be configured, in the format slot number/subcard number/interface sequence number. If an LPU provides both GE and 10GE interfaces, the difference lies in the subcard where the 10GE interfaces reside; generally, the sequence number of a 10GE interface is 1. If an LPU provides only 10GE interfaces, the method of entering the 10GE interface view is the same as the method of entering the GE interface view.

2.2 Online Help

When you enter command lines or configure services, online help offers real-time help in addition to the configuration guide.

Context

The command line of the S2300 provides three types of online help:

• Full help
• Partial help
• Error messages of the command line interface

2.2.1 Full Help

When you enter a command line, you can view the description of the keywords or parameters in the command line through the full help. You can obtain full help in a command view in the following ways:

• In a command view, enter ? to obtain all the commands in this command view and their descriptions.

  <Quidway> ?

• Enter a command and a ? separated by a space. If a keyword is in place of the ?, all keywords and their descriptions are listed. Here is an example.

  [Quidway-ui-vty0] authentication-mode ?
    aaa       AAA authentication
    none      Login without checking
    password  Authentication through the password of a user terminal interface
  [Quidway-ui-vty0] authentication-mode aaa ?
    <cr>
  [Quidway-ui-vty0] authentication-mode aaa

  aaa, none and password are keywords. AAA authentication, Login without checking and Authentication through the password of a user terminal interface are the descriptions of the three keywords. <cr> indicates that no keyword or parameter follows at this position; the command is repeated on the next line and you can press Enter to run it.

• Enter a command and a ? separated by a space. If a parameter is in place of the ?, all parameters and their descriptions are listed. Here is an example.

  <Quidway> system-view
  [Quidway] sysname ?
    TEXT  Host name(1 to 246 characters)

  TEXT is a parameter and Host name (1 to 246 characters) is the description.

2.2.2 Partial Help

When you enter a command line, the partial help lists the keywords or parameters that begin with the string you have typed.

Context

You can obtain the partial help of the command line in the following ways.

Procedure

• Enter a character string with a "?" closely following it to display all the commands that begin with this string.

  <Quidway> d?
    debugging   delete
    dir         display

• Enter a command and a character string with a "?" closely following it to display all the keywords that begin with this string.

  <Quidway> display b?
    bfd           bgp
    bootrom       bpdu
    bpdu-tunnel   buffer

• Enter the first several letters of a keyword in the command and then press Tab to display the complete keyword, provided that the letters uniquely identify the keyword. Otherwise, each further press of Tab displays a different matching keyword, and you can select the one you need.

----End

2.2.3 Error Messages of the Command Line Interface

If an entered command passes the syntax check, the system executes it. Otherwise, the system reports an error message to the user. See Table 2-1 for the common error messages.

Table 2-1 Common error messages of the command line

Error message         Cause of the error
Unrecognized command  The command cannot be found, or the keyword cannot be found.
Wrong parameter       Parameter type error, or the parameter value exceeds the limit.
Incomplete command    Incomplete command entered.
Too many parameters   Too many parameters entered.
Ambiguous command     Indefinite parameters entered.

2.3 Features of the Command Line Interface

You can edit command lines, display command lines, use regular expressions for command lines, and invoke history commands.

2.3.1 Editing

The editing function of command lines helps you edit command lines or obtain help by using certain keys. The command line supports multi-line editing. The maximum length of each command is 512 characters. The editing keys that are often used are shown in Table 2-2.

Table 2-2 Keys for editing

Common key
  Inserts a character at the current position of the cursor if the editing buffer is not full, and the cursor moves to the right. Otherwise, an alarm is generated.

Backspace
  Deletes the character on the left of the cursor, and the cursor moves to the left. When the cursor reaches the head of the command, an alarm is generated.

Left cursor key ← or Ctrl_B
  Moves the cursor to the left by one character. When the cursor reaches the head of the command, an alarm is generated.

Right cursor key → or Ctrl_F
  Moves the cursor to the right by one character. When the cursor reaches the end of the command, an alarm is generated.

Tab
  Press Tab after typing an incomplete keyword and the system runs the partial help:
  • If the matching keyword is unique, the system replaces the typed one with the complete keyword and displays it in a new line with the cursor one space behind.
  • If there are several matches or no match at all, the system displays the prefix first. Then you can press Tab to view the matching keywords one by one. In this case, the cursor closely follows the end of the word and you can type a space to enter the next word.
  • If a wrong keyword is entered, press Tab and the word is displayed in a new line.

2.3.2 Displaying

All command lines have the same displaying feature. You can set the displaying mode as required. You can control the display of information on the CLI as follows:

• Prompts and help information are displayed in both Chinese and English.
• When the information displayed exceeds a full screen, the display pauses. In this case, the user has three choices, as shown in Table 2-3.

Table 2-3 Keys for displaying

Ctrl_C
  Stops the display and the running of the command.
  NOTE: You can also press any key except the spacebar and Enter to stop the display and the running of the command.

Space
  Continues to display the information on the next screen.

Enter
  Continues to display the information on the next line.

2.3.3 Regular Expressions

A regular expression is a pattern matching tool. You construct a matching pattern according to certain rules and then match the pattern against the target object. A regular expression describes a set of strings. It consists of common characters (such as the letters "a" to "z") and particular characters (also called metacharacters). It serves as a template for searching for the required string. A regular expression provides the following functions:

• Searching for and obtaining a sub-string that matches a rule in the string.
• Substituting a string according to a certain matching rule.

Formal Language Theory of the Regular Expression

A regular expression consists of common characters and particular characters.

• Common characters
  Common characters match themselves in a string. They include all upper-case and lower-case letters, digits, punctuation marks, and special symbols. For example, a matches the letter "a" in "abc", 202 matches the digits "202" in "202.113.25.155", and @ matches the symbol "@" in "[email protected]".

• Particular characters
  Particular characters are used together with common characters to match complex or particular string combinations. Table 2-4 describes the particular characters and their syntax.

Table 2-4 Description of particular characters

\
  Syntax: Defines an escape character, which marks the next character (common or particular) as a common character.
  Example: \* matches "*".

^
  Syntax: Matches the starting position of the string.
  Example: ^10 matches "10.10.10.1" but not "20.10.10.1".

$
  Syntax: Matches the ending position of the string.
  Example: 1$ matches "10.10.10.1" but not "10.10.10.2".

*
  Syntax: Matches the preceding element zero or more times.
  Example: 10* matches "1", "10", "100", and "1000". (10)* matches "null", "10", "1010", and "101010".

+
  Syntax: Matches the preceding element one or more times.
  Example: 10+ matches "10", "100", and "1000". (10)+ matches "10", "1010", and "101010".

?
  Syntax: Matches the preceding element zero or one time.
  Example: 10? matches "1" and "10". (10)? matches "null" and "10".

.
  Syntax: Matches any single character.
  Example: 0.0 matches "0x0" and "020". .oo matches "book", "look", and "tool".

()
  Syntax: Defines a subexpression, which can be null. Both the expression and the subexpression must be matched.
  Example: 100(200)+ matches "100200" and "100200200".

x|y
  Syntax: Matches x or y.
  Example: 100|200 matches "100" or "200". 1(2|3)4 matches "124" or "134", but not "1234", "14", "1224", or "1334".

[xyz]
  Syntax: Matches any single character listed in the brackets.
  Example: [123] matches the character 2 in "255".

[^xyz]
  Syntax: Matches any character that is not listed in the brackets.
  Example: [^123] matches any character except "1", "2", and "3".

[a-z]
  Syntax: Matches any character within the specified range.
  Example: [0-9] matches any character ranging from 0 to 9.

[^a-z]
  Syntax: Matches any character beyond the specified range.
  Example: [^0-9] matches all non-numeric characters.

_
  Syntax: Matches a comma ",", left brace "{", right brace "}", left parenthesis "(", or right parenthesis ")". Also matches the starting position of the input string, the ending position of the input string, or a space.
  Example: _2008_ matches "2008", "space 2008 space", "space 2008", "2008 space", ",2008,", "{2008}", "(2008)", "{2008", and "(2008}".

NOTE

Unless otherwise specified, all characters in the preceding table are displayed on the screen.

• Degeneration of particular characters
  Certain particular characters, when placed at the following positions in the regular expression, degenerate to common characters.
  – The particular character following "\" is converted to match the particular character itself.
  – The particular characters "*", "+", and "?" placed at the starting position of the regular expression. For example, +45 matches "+45" and abc(*def) matches "abc*def".
  – The particular character "^" placed at any position except the start of the regular expression. For example, abc^ matches "abc^".
  – The particular character "$" placed at any position except the end of the regular expression. For example, 12$2 matches "12$2".
  – A right bracket such as ")" or "]" that is not paired with its corresponding left bracket "(" or "[". For example, abc) matches "abc)" and 0-9] matches "0-9]".

  NOTE

  Unless otherwise specified, the degeneration rules also apply when the preceding regular expressions serve as subexpressions within parentheses.

• Combination of common and particular characters
  In actual application, a regular expression combines multiple common and particular characters to match certain strings.

Specifying a Filtering Mode in a Command

CAUTION

The Quidway S2300 series uses regular expressions to implement the filtering function of the pipe character. A display command supports the pipe character only when there is a large amount of output information. When the output is filtered, the command output starts with the first line that contains a match for the regular expression. The command can carry the parameter | count to display the number of matching entries. The parameter | count can be used together with the other parameters.

For the commands supporting regular expressions, the three filtering methods are as follows:

• | begin regular-expression: displays the information starting from the line that matches the regular expression.
• | exclude regular-expression: displays the information excluding the lines that match the regular expression.
• | include regular-expression: displays only the lines that match the regular expression.

NOTE

The value of regular-expression is a string of 1 to 255 characters.


Specifying a Filtering Mode When Information Is Displayed

When a lot of information is displayed, you can specify a filtering mode at the "---- More ----" prompt.

• /regular-expression: displays the information starting from the line that matches the regular expression.
• -regular-expression: displays the information excluding the lines that match the regular expression.
• +regular-expression: displays only the lines that match the regular expression.
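The filtering behaviour described in 2.3.3 (| begin, | exclude, | include and | count, the "/", "-" and "+" forms of the ---- More ---- prompt, the "_" metacharacter of Table 2-4 and the degeneration rules) as an added Python example. It is not code from the guide or from Huawei: the display output it filters is a constructed sample in the shape of an interface summary, and the translation into Python's re syntax is an assumption made here so that the rules can be exercised offline.

```python
import re

# Constructed sample, shaped like the lines of an interface summary display;
# it was not captured from a real S2300.
SAMPLE_OUTPUT = """\
Interface                   PHY   Protocol  InUti  OutUti  inErrors  outErrors
Ethernet0/0/1               up    up        0.01%  0.01%          0          0
Ethernet0/0/2               down  down         0%     0%          0          0
GigabitEthernet0/0/1        up    up        0.10%  0.20%          0          0
GigabitEthernet0/0/2        down  down         0%     0%          0          0
Vlanif1                     up    up           --      --         0          0
NULL0                       up    up(s)        0%     0%          0          0
"""

# The "_" metacharacter of Table 2-4: start or end of the line, a space,
# a comma, a brace or a parenthesis.
_UNDERSCORE = r"(?:^|$|[ ,{}()])"


def vrp_regex_to_python(expr: str) -> str:
    """Translate a VRP-style regular expression (Table 2-4 plus the
    degeneration rules of 2.3.3) into an equivalent Python re pattern."""
    out = []
    open_parens = 0
    in_bracket = False
    n = len(expr)
    i = 0
    while i < n:
        c = expr[i]
        if c == "\\":
            # "\" marks the next character as a common character
            nxt = expr[i + 1] if i + 1 < n else "\\"
            out.append(re.escape(nxt))
            i += 2
            continue
        if in_bracket:
            # inside [...] nothing degenerates; "]" closes the class
            if c == "]":
                in_bracket = False
            out.append(c)
        elif c == "_":
            out.append(_UNDERSCORE)
        elif c in "*+?" and (i == 0 or expr[i - 1] == "("):
            out.append("\\" + c)          # nothing to repeat: literal
        elif c == "^" and i != 0:
            out.append(r"\^")             # "^" only anchors at the start
        elif c == "$" and i != n - 1:
            out.append(r"\$")             # "$" only anchors at the end
        elif c == "(":
            open_parens += 1
            out.append(c)
        elif c == ")":
            if open_parens == 0:
                out.append(r"\)")         # unpaired ")" is literal
            else:
                open_parens -= 1
                out.append(c)
        elif c == "[":
            if "]" in expr[i + 1:]:
                in_bracket = True
                out.append(c)
            else:
                out.append(r"\[")         # unpaired "[" is literal
        elif c == "]":
            out.append(r"\]")             # unpaired "]" is literal
        else:
            out.append(c)
        i += 1
    return "".join(out)


def vrp_match(expr: str, text: str) -> bool:
    """True when the VRP-style expression matches somewhere in text."""
    return re.search(vrp_regex_to_python(expr), text) is not None


def filter_output(text: str, mode: str, expr: str) -> list:
    """Apply '| begin', '| exclude' or '| include' (or the '/', '-', '+'
    forms of the ---- More ---- prompt) to the lines of text."""
    mode = {"/": "begin", "-": "exclude", "+": "include"}.get(mode, mode)
    pat = re.compile(vrp_regex_to_python(expr))
    lines = text.splitlines()
    if mode == "begin":
        for idx, line in enumerate(lines):
            if pat.search(line):
                return lines[idx:]        # from the first matching line on
        return []
    if mode == "include":
        return [ln for ln in lines if pat.search(ln)]
    if mode == "exclude":
        return [ln for ln in lines if not pat.search(ln)]
    raise ValueError("unknown filter mode: " + mode)


def count_entries(text: str, mode: str, expr: str) -> int:
    """'| count': the number of entries the filtered display would show."""
    return len(filter_output(text, mode, expr))


if __name__ == "__main__":
    for line in filter_output(SAMPLE_OUTPUT, "include", "_down_"):
        print(line)
    print(count_entries(SAMPLE_OUTPUT, "exclude", "^GigabitEthernet"))
```

The "_" translation is what makes "_down_" match a whole word in a column but not the same letters inside a longer token; without it, an operator reviewing a long display for interfaces in a given state would also pick up unrelated lines.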

2.3.4 History Commands

The command line interface provides a function similar to DosKey, which automatically saves history commands. You can invoke the history commands saved on the command line interface at any time and run them again. By default, the system saves at most 10 history commands for each user. The operations are shown in Table 2-5.

Table 2-5 Accessing the history commands

Display the history commands.
  Key or command: display history-command
  Result: Displays the history commands entered by the user.

Access the previous history command.
  Key or command: Up cursor key ↑ or Ctrl_P
  Result: Displays the previous history command if there is an earlier one. Otherwise, a bell is generated.

Access the next history command.
  Key or command: Down cursor key ↓ or Ctrl_N
  Result: Displays the next history command if there is a later one. Otherwise, the command is cleared and a bell is generated.

NOTE

On the HyperTerminal of Windows 9X, the cursor key ↑ is invalid because HyperTerminal on Windows 9X defines the keys differently. In this case, use Ctrl_P instead of the cursor key ↑.

When you use the history commands, note the following:

• The saved history commands are the same as those entered by the user. For example, if the user enters an incomplete command, the saved command is also incomplete.
• If the user runs the same command several times, only the earliest occurrence is saved. If the command is entered in different forms, the forms are considered different commands. For example, if the display ip routing-table command is run several times, only one history command is saved. If the disp ip routing command and the display ip routing-table command are run, two history commands are saved.
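The history rules of 2.3.4 (a per-user limit of 10, one entry per identical command, different spellings kept apart, and the bell cases of Ctrl_P/Ctrl_N) as an added Python model. This is not code from the guide or from Huawei; the class and method names are chosen here for illustration.

```python
class HistoryBuffer:
    """Per-user history buffer following the rules in 2.3.4: at most `limit`
    entries (10 by default), a command repeated verbatim is saved once (its
    earliest entry is kept), and different spellings of the same command
    count as different commands."""

    def __init__(self, limit: int = 10):
        self.limit = limit
        self._entries = []
        # Position used by Up/Ctrl_P and Down/Ctrl_N; len(entries) means
        # "past the newest entry", i.e. an empty command line.
        self._cursor = 0

    def record(self, command: str) -> bool:
        """Save a command exactly as the user typed it. Returns False when
        the identical command is already in the buffer (nothing is added)."""
        if command in self._entries:
            self._cursor = len(self._entries)
            return False
        self._entries.append(command)
        if len(self._entries) > self.limit:
            del self._entries[0]            # the oldest entry falls out
        self._cursor = len(self._entries)
        return True

    def display(self) -> list:
        """'display history-command': oldest first."""
        return list(self._entries)

    def previous(self):
        """Up cursor key or Ctrl_P. Returns the earlier command, or None
        (a bell on the terminal) when there is none."""
        if self._cursor == 0:
            return None
        self._cursor -= 1
        return self._entries[self._cursor]

    def next(self):
        """Down cursor key or Ctrl_N. Returns the later command, or None
        when there is none (the command line is cleared and a bell rings)."""
        if self._cursor >= len(self._entries) - 1:
            self._cursor = len(self._entries)
            return None
        self._cursor += 1
        return self._entries[self._cursor]
```

Because an incomplete or mistyped command is stored verbatim, anything recalled with Ctrl_P should be read before Enter is pressed; the buffer does not correct what it replays.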


2.4 Shortcut Keys

Using the system shortcut keys makes it easier to enter commands.

2.4.1 System Shortcut Keys

System-defined shortcut keys have fixed functions defined by the system. Table 2-6 lists the system-defined shortcut keys.

NOTE

Different terminal software defines these keys differently. Therefore, the shortcut keys on the terminal may differ from those listed in this section.

Table 2-6 System-defined shortcut keys

Key     Function
CTRL_A  Moves the cursor to the beginning of the current line.
CTRL_B  Moves the cursor to the left by one character.
CTRL_C  Terminates the running function.
CTRL_D  Deletes the character at the cursor.
CTRL_E  Moves the cursor to the end of the current line.
CTRL_F  Moves the cursor to the right by one character.
CTRL_H  Deletes one character on the left of the cursor.
CTRL_K  Stops the creation of the outbound connection.
CTRL_N  Displays the next command in the history command buffer.
CTRL_P  Displays the previous command in the history command buffer.
CTRL_R  Redisplays the information of the current line.
CTRL_T  Terminates the outbound connection.
CTRL_V  Pastes the contents of the clipboard.
CTRL_W  Deletes the character string or character on the left of the cursor.
CTRL_X  Deletes all the characters on the left of the cursor.
CTRL_Y  Deletes all the characters on the right of the cursor.
CTRL_Z  Returns to the user view.
CTRL_]  Terminates the inbound or redirection connections.
ESC_B   Moves the cursor to the left by one word.
ESC_D   Deletes the word on the right of the cursor.
ESC_F   Moves the cursor to the right to the end of the next word.
ESC_N   Moves the cursor down to the next line.
ESC_P   Moves the cursor up to the previous line.

2.5 Configuration Examples

This section provides several examples of using command lines.

2.5.1 Example for Using the Tab Key

You can obtain prompts on keywords or check whether the entered keywords are correct by pressing Tab.

Procedure

• If only one keyword contains the incomplete keyword, do as follows on the S2300.
  1. Enter an incomplete keyword.
     [Quidway] info-
  2. Press Tab. The system replaces the incomplete keyword with the complete keyword and displays it in another line. There is one space between the cursor and the end of the keyword.
     [Quidway] info-center

• If more than one keyword contains the incomplete keyword, do as follows on the S2300.
  # The keyword info-center can be followed by the following keywords.
  [Quidway] info-center log?
    logbuffer   loghost
  1. Enter an incomplete keyword.
     [Quidway] info-center l
  2. Press Tab. The system displays the prefix common to all the matched keywords. The prefix in this example is log.
     [Quidway] info-center log
  3. Continue to press Tab to display the keywords one by one. There is no space between the cursor and the end of the keyword.
     [Quidway] info-center loghost
     [Quidway] info-center logbuffer
     Stop pressing Tab when the required keyword logbuffer is displayed.
  4. Enter a space and then enter the next keyword channel.
     [Quidway] info-center logbuffer channel

----End
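The partial help of 2.2.2, the Tab rules of Table 2-2 and the walk-through in 2.5.1 (unique match completed with a trailing space, several matches shown as their common prefix and then cycled, no match left unchanged) as one added Python model. It is not code from the guide or from Huawei: the keyword sets are constructed for the example, with info-center, logbuffer, loghost, channel and the d? commands taken from the guide's own transcripts and the remaining names assumed.

```python
import os

# Constructed keyword sets, not the S2300's real command tree. info-center,
# logbuffer, loghost, channel and the d? commands appear in the guide's own
# examples; the other names are assumed for illustration.
USER_VIEW_COMMANDS = ["debugging", "delete", "dir", "display", "quit", "system-view"]
SYSTEM_VIEW_COMMANDS = ["info-center", "interface", "ip", "sysname", "vlan"]
INFO_CENTER_KEYWORDS = ["channel", "enable", "logbuffer", "loghost", "source"]


def partial_help(keywords, prefix):
    """'string?' partial help (2.2.2): every keyword beginning with prefix."""
    return sorted(k for k in keywords if k.startswith(prefix))


class TabCompleter:
    """Tab behaviour from Table 2-2 and 2.5.1: a unique match is completed
    and followed by a space; several matches show their common prefix
    first, then cycle one keyword per Tab; no match leaves the word as is."""

    def __init__(self, keywords):
        self.keywords = sorted(keywords)
        self._matches = []   # candidates of the cycle in progress
        self._prefix = ""
        self._index = -1     # -1: only the common prefix has been shown

    def press_tab(self, typed):
        """Return (text_now_on_the_line, completed)."""
        in_cycle = self._matches and typed in self._matches + [self._prefix]
        if not in_cycle:
            # a new word: look its candidates up and start over
            self._matches = partial_help(self.keywords, typed)
            self._prefix = os.path.commonprefix(self._matches)
            self._index = -1
        if not self._matches:
            return typed, False                   # wrong keyword: unchanged
        if len(self._matches) == 1:
            word = self._matches[0]
            self._matches = []
            return word + " ", True               # unique: cursor one space behind
        if self._index == -1 and typed != self._prefix:
            return self._prefix, False            # first Tab: common prefix
        self._index = (self._index + 1) % len(self._matches)
        return self._matches[self._index], False  # later Tabs: cycle


if __name__ == "__main__":
    tc = TabCompleter(INFO_CENTER_KEYWORDS)
    line = "l"
    for _ in range(4):
        line, done = tc.press_tab(line)
        print("[Quidway] info-center " + line, "(complete)" if done else "")
```

The completed-with-space case is the only one that signals a finished keyword; a script driving a CLI should treat the cycling outputs as candidates to confirm, not as commands to send.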


3 How to Use Interfaces

About This Chapter

This chapter describes the concept of the interface and the basic configuration of the interface.

3.1 Introduction to Interfaces
This section describes different types of interfaces. The interfaces are provided by the S2300 to receive and send data.

3.2 Setting Basic Parameters of an Interface
This section describes how to set the basic parameters of an interface.

3.3 Configuring the Loopback Interface
This section describes how to configure the loopback interface.

3.4 Maintaining the Interface
This section describes how to maintain the interface.


3.1 Introduction to Interfaces

This section describes different types of interfaces. The interfaces are provided by the S2300 to receive and send data. Interfaces are classified into management interfaces and service interfaces by function, and into physical interfaces and logical interfaces by physical form.

NOTE

A physical interface is sometimes called a port. Both physical interfaces and logical interfaces are called interfaces in this document.

Management Interface

Management interfaces are used to manage and configure a device. You can log in to the S2300 through a management interface to configure and manage the S2300. Management interfaces do not transmit service data. The management interface of the S2300 is a console interface.

Table 3-1 Description of management interfaces

Console interface
  Description: The console interface complies with the EIA/TIA-232 standard, and the interface type is DCE.
  Usage: The console interface is connected to the COM serial port of a configuration terminal. It is used to set up the onsite configuration environment.

The following table shows the rule for numbering management interfaces.

Table 3-2 Management interface numbers

Name               Number
Console interface  Console 0

Classification of Service Interfaces

Service interfaces are used to transmit service data. They are classified into 100 Mbit/s, 1 Gbit/s and 10 Gbit/s interfaces according to their rates, and into electrical interfaces and optical interfaces according to their electrical properties.

The rules for numbering service interfaces are as follows:

In a single S2300, interfaces are numbered in the format slot ID/subcard ID/interface sequence number.


• Slot ID: indicates the slot where an interface is located. The value is 0.
• Subcard ID: indicates the subcard where an interface is located. The value is 0.
• Interface sequence number: indicates the sequence number of an interface.

In a stack system, interfaces are numbered in the format stack ID/subcard ID/interface sequence number.

• Stack ID: indicates the ID of an S2300 in the stack system. The value ranges from 1 to 16.
• Subcard ID: indicates the ID of a subcard. The value is 0.
• Interface sequence number: indicates the sequence number of an interface on the S2300.

Table 3-3 FE and GE interface numbering rule

Figure of interface numbering (upper row above lower row, left to right):

  2  4  6  ...
  1  3  5  ...

Description: The S2300 has two rows of service interfaces, with the lower-left interface numbered 1. The other interfaces are numbered in ascending order from bottom to top, and then from left to right. For example, the upper-left interface is numbered 0/0/2.
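The numbering rules of 3.1 (slot 0/subcard 0/sequence on a single S2300, stack ID 1 to 16 in a stack, and the bottom-to-top then left-to-right panel layout of Table 3-3) as an added Python validator of the kind a configuration-audit or automation script would use before issuing an interface command. It is not code from the guide or from Huawei; the function names are chosen here, and only the FE and GE interface types named in the section are recognised.

```python
import re

# Interface names as the guide writes them: "interface ethernet X/Y/Z" on
# input and "EthernetX/Y/Z" in the prompt; both spellings are accepted.
_NAME_RE = re.compile(r"(ethernet|gigabitethernet)\s*(\d+)/(\d+)/(\d+)", re.IGNORECASE)
_TYPES = {"ethernet": "Ethernet", "gigabitethernet": "GigabitEthernet"}


def parse_interface(name: str, stacked: bool = False):
    """Validate an FE/GE interface number against the rules in 3.1.
    Single switch: slot ID 0 / subcard ID 0 / sequence number.
    Stack: stack ID 1 to 16 / subcard ID 0 / sequence number.
    Returns (type, first, subcard, seq); raises ValueError otherwise."""
    m = _NAME_RE.fullmatch(name.strip())
    if not m:
        raise ValueError("not an FE/GE interface name: %r" % name)
    itype = _TYPES[m.group(1).lower()]
    first, subcard, seq = (int(x) for x in m.group(2, 3, 4))
    if subcard != 0:
        raise ValueError("subcard ID must be 0")
    if stacked and not 1 <= first <= 16:
        raise ValueError("stack ID must be 1 to 16")
    if not stacked and first != 0:
        raise ValueError("slot ID must be 0 on a single S2300")
    if seq < 1:
        raise ValueError("interface sequence numbers start at 1")
    return itype, first, subcard, seq


def is_valid_interface(name: str, stacked: bool = False) -> bool:
    """Boolean form of parse_interface for use in filters and checks."""
    try:
        parse_interface(name, stacked)
        return True
    except ValueError:
        return False


def panel_position(seq: int):
    """(row, column) of a sequence number on the front panel per Table 3-3:
    lower-left is 1, numbering runs bottom to top, then left to right.
    row 0 is the lower row, row 1 the upper row; columns count from 0."""
    if seq < 1:
        raise ValueError("sequence numbers start at 1")
    return ((seq - 1) % 2, (seq - 1) // 2)


def sequence_at(row: int, column: int) -> int:
    """Inverse of panel_position: the sequence number at a panel position."""
    return column * 2 + row + 1


if __name__ == "__main__":
    print(parse_interface("GigabitEthernet0/0/1"))
    print(parse_interface("ethernet 3/0/7", stacked=True))
    print("upper-left port is number", sequence_at(1, 0))
```

Rejecting a name before it is sent avoids the Unrecognized command or Wrong parameter errors of Table 2-1 turning up in the middle of a scripted change, where they are easy to miss.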

Physical Interfaces

Physical interfaces are interfaces that actually exist on the S2300. Physical interfaces include management interfaces and service interfaces. The S2300 supports the following physical interfaces:

• Console interface
• Eth interface
• Fast Ethernet interface
• Gigabit Ethernet interface

Logical Interfaces

Logical interfaces do not physically exist; they are set up by configuration. The S2300 supports the following logical interfaces:

• Eth-Trunk
  An Eth-Trunk consists of Ethernet links only. The Eth-Trunk technique has the following advantages:
  – Increased bandwidth: The bandwidth of an Eth-Trunk is the total bandwidth of all member interfaces.
  – Improved reliability: When a link fails, traffic is automatically switched to the other available links. This ensures link reliability.


  For details about the Eth-Trunk configuration, see "Configuring the Eth-Trunk" in the Quidway S2300 Series Ethernet Switches Configuration Guide - Ethernet.

• Loopback interface
  A loopback interface is a virtual interface. The TCP/IP protocol suite defines IP address 127.0.0.0 as a loopback address. When the system starts, it automatically creates an interface using the loopback address 127.0.0.1 to receive all data packets sent to the local device. Some applications need a local interface with a specified IP address without affecting the configuration of physical interfaces. This IP address has a 32-bit mask (to save IP addresses) and can be advertised by routing protocols. The status of a loopback interface is always Up; therefore, the IP address of the loopback interface can be used as the router ID or the label switching router (LSR) ID, or be bound to a tunnel. For details, see 3.3 Configuring the Loopback Interface.

• Null interface
  Null interfaces are similar to the null devices supported by certain operating systems. Any data packets sent to a null interface are discarded. Null interfaces are used for route selection and policy-based routing (PBR). For example, if a packet matches no route during route selection, the packet is sent to the null interface.

• VLANIF interface
  When the S2300 needs to communicate with devices at the network layer, you can create a logical interface of the Virtual Local Area Network (VLAN) on the S2300, namely a VLANIF interface. You can assign IP addresses to VLANIF interfaces because VLANIF interfaces work at the network layer. The S2300 then communicates with devices at the network layer through VLANIF interfaces. For details about the configuration, see "Configuring the VLANIF Interface" in the Quidway S2300 Series Ethernet Switches Configuration Guide - Ethernet.

3.2 Setting Basic Parameters of an Interface

This section describes how to set the basic parameters of an interface.

3.2.1 Establishing the Configuration Task

Before configuring advanced functions of an interface, such as the working mode and routes, you need to complete the basic configuration of the interface.

Applicable Environment

To facilitate the configuration and maintenance of an interface, the S2300 provides interface views. The commands related to an interface are valid only in the interface views. The basic interface configurations include entering an interface view, configuring the interface description, enabling an interface, and disabling an interface.

Pre-configuration Tasks

Installing the LPU on the S2300


Data Preparation

To set the parameters of an interface, you need the following data.

No.  Data
1    Type and number of the interface to be configured
2    Description of the interface

3.2.2 Entering the Interface View

To configure an interface, you need to enter the interface view.

Context

Do as follows on the S2300.

Procedure

Step 1 Run:
  system-view

  The system view is displayed.

Step 2 Run:
  interface interface-type interface-number

  The view of the specified interface is displayed. interface-type specifies the type of the interface and interface-number specifies the number of the interface.

----End

3.2.3 Viewing All the Commands in the Interface View

After entering the interface view, you can view all the commands in the interface view.

Context

Do as follows on the S2300.

Procedure

Step 1 Run:
  system-view

  The system view is displayed.

Step 2 Run:
  interface interface-type interface-number

  The view of the specified interface is displayed.


Step 3 Run:
  ?

  All the commands in the view of the specified interface are displayed.

----End

3.2.4 Configuring the Description for an Interface

The description configured for an interface on the S2300 helps you identify and remember the usage of the interface, which facilitates management.

Procedure

Step 1 Run:
  system-view

  The system view is displayed.

Step 2 Run:
  interface interface-type interface-number

  The view of the specified interface is displayed.

Step 3 Run:
  description description

  The description is configured for the interface.

----End

3.2.5 Starting and Shutting Down an Interface

When a physical interface is idle and not connected to a cable, shut down the interface to protect it against interference. To use a shut-down interface, you need to start the interface.

Context

NOTE

• A null interface is always Up and cannot be shut down by command.
• A loopback interface is always Up and cannot be shut down by command.

Procedure

• Shutting down the interface
  Do as follows on the S2300.
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     interface interface-type interface-number


     The view of the specified interface is displayed.
  3. Run:
     shutdown

     The interface is shut down.

     NOTE

     By default, an interface is enabled.

• Starting an interface
  Do as follows on the S2300.
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     interface interface-type interface-number

     The view of the specified interface is displayed.
  3. Run:
     undo shutdown

     The interface is started.

----End

3.2.6 Further Configuring an Interface

After configuring the basic parameters, configure the interface as required.

Context

When you access a network through an interface, in addition to the basic configurations, you need to set further parameters of the interface based on the networking requirements. Further configurations of an interface include:

• Configuring the operation mode of an interface
• Configuring routes

For the detailed configuration, see the other configuration manuals of the S2300: Quidway S2300 Series Ethernet Switches Configuration Guide - Ethernet and Quidway S2300 Series Ethernet Switches Configuration Guide - IP Routing.

3.2.7 Checking the Configuration

After completing the basic configuration of an interface, you can use the display commands to check the configuration.


Procedure Step 1 Run the display interface [ interface-type [ interface-number ] ] command to check the running status of the interface and the statistics on the interface. Step 2 Run the display interface description command to check the brief information about the interface Step 3 Run the display ip interface [ interface-type interface-number ] command to check the main configurations of the interface. Step 4 Run the display ip interface brief [ interface-type interface-number ] command to check the brief state of the interface. ----End

3.3 Configuring the Loopback Interface

This section describes how to configure the loopback interface.

3.3.1 Establishing the Configuration Task

You can create or delete a loopback interface. Once created, a loopback interface remains in the Up state until you delete it.

Applicable Environment

Some applications need a local interface with a fixed IP address that does not depend on the state of any physical interface. The address of this local interface is then advertised by routing protocols. Because a loopback interface stays Up, it makes such a configuration more reliable.

Pre-configuration Tasks

Before configuring the loopback interface, complete the following task:

- Switching on the S2300

Data Preparation

To configure the loopback interface, you need the following data.

No.  Data
1    Number of the loopback interface
2    IP address of the loopback interface

3.3.2 Configuring IPv4 Parameters of the Loopback Interface

A loopback interface can be assigned an IPv4 address and can be configured to check the source IPv4 addresses of packets.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface loopback interface-number

A loopback interface is created. The value of interface-number ranges from 0 to 1023, so a maximum of 1024 loopback interfaces can be created.

Step 3 Run: ip address ip-address { mask | mask-length } [ sub ]

An IPv4 address is assigned to the loopback interface.

Step 4 (Optional) Run: ip verify source-address

The loopback interface is configured to check the source IPv4 addresses of packets.

----End

3.3.3 Checking the Configuration

After configuring a loopback interface, run the following command to check the configuration.

Procedure

Step 1 Run the display interface loopback [ number ] command to check the status of the loopback interface.

----End

3.4 Maintaining the Interface

This section describes how to maintain the interface.

3.4.1 Clearing Statistics on the Interface

Interface statistics cannot be restored after you clear them, so confirm the action before you run the command.

Procedure

Step 1 Run the reset counters interface [ interface-type [ interface-number ] ] command in the user view to clear the statistics on the interface.

----End


3.4.2 Debugging the Interface

When an interface works abnormally, you can debug the interface.

Context

CAUTION: Debugging affects system performance. After debugging, run the undo debugging all command to disable it immediately.

For a description of the debugging commands, see the Quidway S2300 Series Ethernet Switches Debugging Reference. For details about debugging commands on an interface, see the following chapters.


4 Basic Configuration

About This Chapter

This chapter describes how to configure the basic system environment and the basic user environment.

4.1 Basic Configuration Introduction: describes the meaning and scope of the basic configuration.

4.2 Configuring the Basic System Environment: describes how to configure the basic system environment according to user habits or the requirements of the actual environment.

4.3 Configuring the Basic User Environment: describes the configuration of the basic user environment for user level switching.

4.4 Displaying System Status Messages: describes the display commands that are used for displaying basic system configurations.


4.1 Basic Configuration Introduction

This section describes the meaning and scope of the basic configuration.

Before configuring services, users often need to perform basic configurations for actual operation and maintenance. The S2300 provides configurations of two kinds of basic environments:

- Basic system environment: includes the language mode, host name, system name, system time, header text, and command levels for the actual environment.
- Basic user environment: includes the password for switching user levels and the terminal lock.

4.2 Configuring the Basic System Environment

This section describes how to configure the basic system environment according to user habits or the requirements of the actual environment.

4.2.1 Establishing the Configuration Task

Before configuring the basic system environment, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This helps you complete the configuration task quickly and accurately.

Applicable Environment

Before configuring services, you need to configure the basic system environment to meet the requirements of the actual environment. By default, the S2300 supports commands of Level 0 to Level 3, namely the visit, monitoring, configuration, and management levels. If you need to define more levels, or refine management privileges on the device, you can extend the range of command levels from Level 0 to Level 3 to Level 0 to Level 15.

Pre-configuration Tasks

Before configuring the basic system environment, complete the following task:

- Powering on the switch

Data Preparation

To configure the basic system environment, you need the following data.

No.  Data
1    System time
2    Host name
3    Login information
4    Command level

4.2.2 Configuring the Equipment Name

You can change the equipment name as required. The new equipment name takes effect immediately.

Context

Do as follows on the switch:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: sysname host-name

The equipment name is set. This changes the name of the switch that appears in the command prompt. By default, the host name of the switch is Quidway.

----End

4.2.3 Setting the System Clock

To ensure that devices on the network work with the same clock, you need to set or change the system clock.

Context

You need to set the system time correctly to ensure cooperation between the S2300 and other devices. The S2300 supports configuration of the time zone and daylight saving time.

NOTE: UTC stands for Coordinated Universal Time.

Do as follows on the switch:

Procedure

Step 1 Run: clock datetime HH:MM:SS YYYY-MM-DD

The current date and time are set.

Step 2 Run: clock timezone time-zone-name { add | minus } offset

The time zone is set.

- If add is configured, the current time is the UTC time plus the offset. That is, UTC plus offset equals the time of time-zone-name.
- If minus is configured, the current time is the UTC time minus the offset. That is, UTC minus offset equals the time of time-zone-name.

Step 3 Run: clock daylight-saving-time time-zone-name one-year start-time start-date end-time end-date offset

or

clock daylight-saving-time time-zone-name repeating start-time { { first | second | third | fourth | last } weekday month | start-date } end-time { { first | second | third | fourth | last } weekday month | end-date } offset [ start-year [ end-year ] ]

The daylight saving time is set. You can specify the start and end of daylight saving time in any of the following combinations: date+date, week+week, date+week, and week+date. For details, see clock daylight-saving-time.

NOTE: When the current time is within daylight saving time, running the clock timezone time-zone-name { add | minus } offset command sets the time zone name successfully, but the display clock command shows the daylight saving time name instead. After daylight saving time ends, the configured time zone name is displayed.

----End
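The following session applies the three steps above to a switch in the Central European time zone. It is an added example and is not part of the original guide: the zone names CET and CEST, the date, and the DST rule are illustrative, and the offset formats (HH:MM:SS for the time zone, HH:MM for the DST offset) and the spelling of the weekday and month keywords are assumptions that should be confirmed with the ? online help on the device. The zone and DST rule are set before the date and time, because the switch derives local time from UTC plus the configured offset, so the value typed in clock datetime is then interpreted in the intended zone.

```text
# Annotations start with '#' and are not typed on the switch.
# All three clock commands are run in the user view (<Quidway> prompt),
# as in the procedure above; no system-view step is needed.

# 1. Time zone: local time = UTC + 1 hour.
<Quidway> clock timezone CET add 01:00:00

# 2. Recurring DST rule: from 02:00 on the last Sunday of March to
#    03:00 on the last Sunday of October, clocks move forward one hour.
<Quidway> clock daylight-saving-time CEST repeating 02:00 last Sunday March 03:00 last Sunday October 01:00

# 3. Local date and time, entered after the zone and DST rule are in place.
<Quidway> clock datetime 14:30:00 2011-07-15

# 4. Verify. While DST is in effect the zone is reported as CEST, not CET
#    (see the NOTE above); after the last Sunday of October it reads CET.
<Quidway> display clock
```

Configure the same zone and DST rule on every device whose logs and traps you need to correlate, so that timestamps from different switches can be compared directly.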

4.2.4 Configuring a Header

If you need to provide information for login users, you can configure a header that the system displays during login or after login.

Context

Do as follows on the switch:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: header login { information text | file file-name }

The header displayed during login is set.

Step 3 Run: header shell { information text | file file-name }

The header displayed after login is set.

A header is a system prompt displayed when a user logs in to the switch or starts an interactive configuration session with the switch. The header can carry detailed instructions.

NOTE:
- If a user logs in to the switch using SSH1.x, the login header is not displayed during login, but the shell header is displayed after login.
- If a user logs in to the switch using SSH2.0, both the login and shell headers are displayed.

----End

4.2.5 Configuring Command Levels

By default, commands are registered at Level 0 to Level 3. If finer-grained rights management is required, you can divide commands into 16 levels, Level 0 to Level 15.

Context

If you do not adjust command levels individually, then after the command levels are rearranged, all originally registered commands are adjusted automatically according to the following rules:

- Commands of Level 0 and Level 1 remain unchanged.
- Level 2 commands are moved to Level 10 and Level 3 commands are moved to Level 15.
- No commands exist at Level 2 to Level 9 or Level 11 to Level 14. You can move individual commands to these levels to refine privilege management.

NOTE: The move of Level 2 to Level 10 and Level 3 to Level 15 is not a two-step process; it is performed in one batch.

Do as follows on the switch:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: command-privilege level rearrange

The command levels are rearranged in one batch. If no password is configured for Level 15, the system prompts you to set a super password for Level 15 and asks whether you want to continue rearranging the command levels. Select "N" to stop and set the password first. If you select "Y", the levels are rearranged immediately without a Level 15 password; a user who did not log in through the console port then cannot switch to Level 15 and cannot run the commands moved to that level.

Step 3 Run: command-privilege level level view view-name command-key

The command level is configured. This command sets the level and view of a specified command (command-key). All commands have default views and levels, so this step is needed only to refine them.

----End

4.3 Configuring the Basic User Environment

This section describes the configuration of the basic user environment for user level switching.

4.3.1 Establishing the Configuration Task

Before configuring the basic user environment, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This helps you complete the configuration task quickly and accurately.

Applicable Environment

A user can log in to the switch at a lower level to perform simple configurations or view the configuration. For more involved configuration, the user needs to switch to a higher level. This requires the basic environment for switching levels to be configured.

Pre-configuration Tasks

Before configuring the basic environment for the user, complete the following task:

- Powering on the switch properly

Data Preparation

To configure the basic environment for the user, you need the following data:

No.  Data
1    Password for user level switching

4.3.2 Configuring the Password for Switching User Levels

A password must be set before users can switch from a lower level to a higher level.

Context

When users log in to the switch at a lower user level, they switch to a higher user level to perform advanced operations by entering the corresponding password. The password needs to be configured in advance.

CAUTION: When simple is used, the password is saved in the configuration file in clear text, and lower-level login users can obtain it by viewing the configuration. This is a security risk, so use cipher to save the password in encrypted form. A password set in cipher mode cannot be recovered from the system, so record it somewhere safe so that it is not lost.

Do as follows on the switch:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: super password [ level user-level ] { simple | cipher } password

The password for switching user levels is configured.

----End
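The following session ties 4.2.5 and 4.3.2 together: it sets the Level 15 switching password in cipher form first, then rearranges the command levels, moves one command to the new top level, and shows a lower-level operator switching up and back (4.3.3) and locking the terminal (4.3.4). It is an added example and not from the original guide. The password value, the choice of display current-configuration as the command to restrict, and the view name shell (the VRP name for the user view in command-privilege) are assumptions; the guide's own rearrange prompt implies that the Level 15 password can be set before the levels are rearranged. Lines starting with # are annotations, not commands.

```text
# Annotations start with '#' and are not typed on the switch.

<Quidway> system-view

# 1. Configure the Level 15 switching password before rearranging.
#    'simple' would store it in clear text in the configuration file, readable
#    by anyone who can run display current-configuration; 'cipher' stores it
#    encrypted and it cannot be read back, so keep a copy in a safe place.
[Quidway] super password level 15 cipher Sw1tch-Adm1n-2011

# 2. Expand the level range 0-3 to 0-15 in one batch. Level 2 commands move to
#    Level 10 and Level 3 commands to Level 15; because a Level 15 password
#    already exists, the command does not stop to ask for one.
[Quidway] command-privilege level rearrange

# 3. Refine: require Level 15 to read the running configuration from the user
#    view, so that Level 10 operators cannot read it (assumed view name 'shell').
[Quidway] command-privilege level 15 view shell display current-configuration
[Quidway] quit

# 4. An operator who logged in at a lower level switches up only when needed,
#    enters the password at the prompt (three wrong attempts leave the level
#    unchanged), works, then drops back and locks the terminal before leaving.
<Quidway> super 15
<Quidway> display current-configuration
<Quidway> super 1
<Quidway> lock
```

Setting the password before running command-privilege level rearrange is the point of step 1: if the levels are rearranged first, anyone not on the console cannot reach Level 15 until a password exists. The switch to Level 15 generates a trap and a log record, as described in 4.3.3, which is what an operations team should be alerting on.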

4.3.3 Switching User Levels

You need to enter the configured password when switching from a lower level to a higher level.

Context

The correct password must be entered when a user switches from a lower level to a higher level. Do as follows on the switch:

Procedure

Step 1 Run: super [ level ]

The user level is switched.

Step 2 Follow the prompt and enter the password.

If the password is correct, the user switches to the higher level. If the user enters an incorrect password three consecutive times, the user remains at the current login level and returns to the user view.

NOTE: When a lower-level login user switches to a higher level through the super command, the system automatically sends a trap and records the switch in a log. When the target level is lower than the current level, the system only records the switch in a log.

----End


4.3.4 Locking User Interfaces

You enter the configured password to unlock a locked user interface.

Context

When you leave the operation terminal for a while, you can lock the user interface to prevent unauthorized users from operating it. Do as follows on the switch:

Procedure

Step 1 Run: lock

The user interface is locked.

Step 2 Follow the system prompt, enter an unlock password, and then confirm it.

lock
Enter Password:
Confirm Password:

If locking succeeds, the system prompts that the user interface is locked. You must enter the correct password to unlock the user interface.

----End

4.4 Displaying System Status Messages

This section describes the display commands that are used for displaying basic system configurations.

Context

You can use the display commands to collect information about the system status. The display commands are classified by the following functions:

- Displaying system configurations.
- Displaying the running status of the system.
- Displaying diagnostic information about the system.
- Displaying restart information about the main control board.

See the related sections for display commands for protocols and interfaces. The following only shows the system display commands. Run the following commands in any view.

4.4.1 Displaying the System Configuration

You can view information about the system version, system time, original configuration, and current configuration.

Prerequisite

Basic configuration is complete.

Procedure

- Run the display version command to display the system version.
- Run the display clock command to display the system time.
- Run the display saved-configuration command to display the original (saved) configuration.
- Run the display current-configuration command to display the current configuration.

----End

4.4.2 Displaying System Status

You can view the configuration of the current view.

Prerequisite

Basic configuration is complete.

Procedure

- Run the display this command to display the configuration of the current view.

----End

4.4.3 Collecting System Diagnostic Information

You can view the system diagnostic information.

Context

Basic configuration is complete.

Procedure

Step 1 Run: display diagnostic-information [ file-name ]

The system diagnostic information is displayed.

When the system fails, or during routine maintenance, you need to collect a lot of information to locate faults, which would otherwise require running many different display commands. The display diagnostic-information command collects the information about all currently running modules in one go. It gathers the output of commands including display clock, display version, display cpu-usage, display interface, display current-configuration, display saved-configuration, display history-command, and so on.

----End


5 User Management

About This Chapter

This chapter describes user interfaces and the configuration of user login.

5.1 User Management Introduction: describes basic concepts of user interfaces and user management.

5.2 Logging In to the S2300 Through the Console Port: describes how to log in to the S2300 through the console port.

5.3 Configuring the Console User Interface: you can configure the console user interface so as to maintain a switch locally.

5.4 Configuring the VTY User Interface: you can configure the VTY user interface to maintain a remote switch.

5.5 Managing User Interfaces: you need to configure user management to ensure that operators manage switches safely.

5.6 Configuring User Management: through user management, you can create users for switches, set user passwords, and manage users.

5.7 Configuration Examples: provides examples for configuring users to log in to a switch in different modes. These configuration examples explain networking requirements, configuration roadmap, and configuration notes.


5.1 User Management Introduction

This section describes basic concepts of user interfaces and user management.

5.1.1 User Interface

A user interface (UI) enables users to log in to the S2300. Through a user interface, you can configure the parameters on all physical and logical interfaces that work in asynchronous and interactive modes. In this manner, you can manage, authenticate, and authorize the login users.

Types of User Interfaces

Table 5-1 describes the types of user interfaces supported by the S2300.

Table 5-1 Types of user interfaces

Type  Purpose                                      Description
CON   Local login through the console interface    A serial interface conforming to the EIA/TIA-232 standard. The interface type is DCE. Each device provides one console interface.
VTY   Local or remote login through Telnet or SSH  A virtual interface representing a logical terminal line. When you log in to the S2300 through Telnet, FTP, or SSH, a VTY connection is set up.

Numbering of User Interfaces

A user interface can be numbered in the following ways:

- Relative numbering: interfaces of the same type are numbered within that type, so a relative number uniquely identifies a user interface of a given type. The format is: user interface type + number. It complies with the following rules:
  – Number of the CON interface: console0
  – Default numbers of the VTYs: vty0, vty1, vty2, vty3, and vty4
- Absolute numbering: the S2300 assigns the fixed numbers 0 and 34 to 38 to the CON and VTY user interfaces respectively. You can enter a specific user interface view by entering one of these numbers.
- Mapping between relative and absolute numbering: Figure 5-1 shows the mapping between the relative and absolute numbering of a user interface.


Figure 5-1 Numbering of user interfaces on the S2300

Type of user interface  Relative numbering  Absolute numbering
CON                     console0            0
VTY                     vty0                34
                        vty1                35
                        vty2                36
                        vty3                37
                        vty4                38

In the figure, console0 and 0 indicate the same user interface; vty1 and 35 indicate the same user interface.

NOTE: On the S2300, the absolute number can be 0 or 34 to 48.

5.1.2 User Authentication

When a user logs in to the S2300, the S2300 authenticates the user according to the configuration to ensure system security. When the S2300 is switched on for the first time, no login authentication information exists in the system, so you can log in through the console interface without being authenticated. A user logging in to the S2300 through Telnet on an Ethernet interface must be authenticated for the sake of security. If authentication succeeds, the user can log in to configure and maintain the S2300. To manage the users that log in to the S2300, they are assigned passwords and classified into different levels.

Classifying Login Users

Login users on the S2300 are classified according to service type and assigned rights, as shown in Table 5-2.

Table 5-2 Types of login users

User Type     Description                                                                                                                              Authentication
Super users   Log in to the S2300 through the console interface and have all rights.                                                                   Not authenticated for the first login; authentication is recommended afterwards
Telnet users  Log in to the S2300 through an Ethernet interface using Telnet and have limited rights. A Telnet connection is set up between the user terminal and the S2300.  Recommended
SSH users     Log in to the S2300 through an Ethernet interface using SSH and have limited rights. An SSH connection is set up between the user terminal and the S2300.        Recommended
FTP users     Log in to the S2300 through an Ethernet interface using FTP and have limited rights. An FTP connection is set up between the user terminal and the S2300.        Recommended

The rights of users logging in to the S2300 through Telnet, SSH, and FTP depend on the priority of the user interface through which they log in. The S2300 provides multiple services to a user. To balance login convenience and security, login users are classified and then assigned levels.

Priorities of Users

The system manages super users and Telnet users according to user levels. As with command levels, users are classified into 16 levels numbered 0 to 15. The greater the number, the higher the user level.

NOTE: If user levels are not set, the four default user levels are used, namely levels 0 to 3.

The level of the commands that a user can run is determined by the level of the user:

- In the case of non-authentication or password authentication, the commands the user can run depend on the level of the user interface.
- In the case of AAA authentication, the commands the user can run depend on the level of the local user specified in the AAA configuration.

Users of a given level can access commands of that level or lower levels. Assuming that user levels 0 to 3 are used, users of level 2 can access commands of levels 0, 1, and 2, and users of level 3 can access commands at all levels.

Authenticating Login Users

After users are configured on the S2300, the system authenticates them when they log in. The S2300 provides three authentication modes, as shown in Table 5-3.


Table 5-3 Authentication modes of login users

Authentication Mode      Description
Non-authentication       Users can log in to the S2300 without entering a user name or password. This poses a serious security risk.
Password authentication  Users log in to the S2300 by entering only a password. This provides basic security.
AAA authentication       Users must enter both a user name and a password to log in to the S2300. The S2300 then authenticates the user against the configured user information. This further improves security. It applies to users logging in to the S2300 through the console interface and to Telnet users.

5.2 Logging In to the S2300 Through the Console Port

This section describes how to log in to the S2300 through the console port.

5.2.1 Establishing the Configuration Task

Applicable Environment

You need to log in to the S2300 through the console interface, as shown in Figure 5-2. In the figure, Switch is an S2300.

Figure 5-2 Logging in to the S2300 through the console interface (PC connected over an RS-232 serial interface to the console interface of the Switch)

NOTE: If the S2300 is switched on for the first time and you need to manage and configure it, you can log in to the S2300 through the console interface only.

Pre-configuration Tasks

Before logging in to the S2300 through the console interface, complete the following tasks:

- Connecting the PC and the S2300 correctly
- Starting the S2300 normally

Data Preparation

None.


5.2.2 Logging In to the S2300 Through the Console Interface

Context

When setting up a local configuration environment through the console interface, you can connect the PC to the S2300 using the Windows HyperTerminal.

Procedure

Step 1 Start the HyperTerminal on the PC. Choose Start > All Programs > Accessories > Communications > HyperTerminal.

Step 2 Set up a new connection. As shown in Figure 5-3, enter the name of the new connection in the Name text box and choose an icon. Click OK.

Figure 5-3 Setting up a new connection

Step 3 Set the connection port. In the Connect To window shown in Figure 5-4, select a serial port from the Connect using drop-down list according to the port used by the PC or configuration terminal. Select COM1 in this case, and click OK.


Figure 5-4 Setting the connection port

Step 4 Set the communication parameters. In the COM1 Properties window shown in Figure 5-5, set the communication parameters as described in Table 5-4.

NOTE: In other Windows operating systems, Bits per second may be labelled Baud rate, and Flow control may be labelled Traffic control.


Figure 5-5 Setting communication parameters for the port

Table 5-4 Communication parameters

Parameter                        Value
Bits per second (Baud rate)      9600
Data bits                        8
Parity                           None
Stop bits                        1
Flow control (Traffic control)   None

Step 5 After the HyperTerminal connection is set up, choose File > Properties to open the connection properties window shown in Figure 5-6. On the Settings tab, select Auto detect or VT100 from the Emulation drop-down list. Click OK to complete the setting.


Figure 5-6 Selecting a terminal type

After the preceding steps are complete, press Enter. If the command prompt is displayed, you have logged in to the S2300 and can enter commands to configure and manage it.

----End

5.3 Configuring the Console User Interface

You can configure the console user interface so as to maintain a switch locally.

5.3.1 Establishing the Configuration Task

Before configuring a console interface, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This helps you complete the configuration task quickly and accurately.

Applicable Environment

A console user interface is required for maintaining the local switch.

Pre-configuration Tasks

Before configuring a console interface, complete the following tasks:


- Powering on the switch
- Connecting a PC to the switch

Data Preparation

To configure a console interface, you need the following data.

No.  Data
1    Baud rate, flow-control mode, parity, stop bits, and data bits
2    Idle timeout period, number of lines displayed on a terminal screen, number of characters in each line displayed on a terminal screen, and the size of the history command buffer
3    User priority
4    User authentication method, user name, and password

NOTE: All the configuration items of the switch, except the user name and password, have default values and do not need to be configured additionally.

5.3.2 Configuring Console Interface Attributes

You can configure the rate, flow control mode, parity mode, stop bits, and data bits for the console port.

Context

Do as follows on the switch that the user logs in to:

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: user-interface console interface-number

The console user interface view is displayed.

Step 3 (Optional) Run: speed speed-value

The baud rate is set. By default, the baud rate is 9600 bit/s.

Step 4 (Optional) Run: flow-control { hardware | none | software }

Issue 02 (2011-07-15)

Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.

54

Quidway S2300 Series Ethernet Switches Configuration Guide - Basic Configuration

5 User Management

The flow control mode is set. By default, the flow-control mode is none. Step 5 (Optional) Run: parity { even | mark | none | odd | space }

The parity mode is set. By default, the value is none. Step 6 (Optional) Run: stopbits { 1.5 | 1 | 2 }

The stop bit is set. By default, the value is 1 bit. Step 7 (Optional) Run: databits { 5 | 6 | 7 | 8 }

The data bit is set. By default, the data bit is 8. NOTE

When the user logs in to a switch through a console port, the configured attributes for the console port on the HyperTerminal should be in accordance with the attributes of the interface on the switch. Otherwise, the user cannot log in to the switch.

----End

5.3.3 Setting Console Terminal Attributes You can configure the timeout period for idle users, the maximum number of lines displayed on each screen, the maximum number of characters in each line, and the size of the history command buffer for the console interface.

Context Do as follows on the switch to which a user logs in:

Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: user-interface console interface-number
The console interface view is displayed.
Step 3 Run: shell
The terminal service is started.
Step 4 Run: idle-timeout minutes [ seconds ]
The timeout period for idle users is set. By default, the timeout period for idle users is 10 minutes. A session that is never timed out stays logged in on an unattended terminal, so do not set the timeout longer than the operating environment requires.
Step 5 Run: screen-length screen-length
The number of lines to be displayed on each screen is set. By default, a terminal displays 24 lines on each screen. You can run the screen-length screen-length temporary command to change the number of lines for the current session only.
Step 6 Run: screen-width screen-width
The maximum number of characters in each line displayed on a terminal screen is set. By default, each line displayed on a terminal screen has a maximum of 80 characters.
Step 7 Run: history-command max-size size-value
The size of the history command buffer is set. By default, the history command buffer on a user interface can cache a maximum of 10 commands.
----End

5.3.4 Configuring User Priority You can set the priority for a user who logs in through the console port.

Context Do as follows on the switch that the user logs in to:

Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: user-interface console interface-number
The console user interface view is displayed.
Step 3 Run: user privilege level level
The priority of the user who logs in through the console port is set. A user can run only the commands whose level is equal to or lower than the user level.
For more information about command levels, see "Command Level" in Chapter 3 "CLI Overview".
----End

5.3.5 Configuring User Authentication The system provides three authentication modes, namely, AAA, password, and none.

Procedure
• Configuring AAA Authentication
1. Run: system-view
The system view is displayed.
2. Run: user-interface console interface-number
The console user interface view is displayed.
3. Run: authentication-mode aaa
The authentication mode is set to AAA.
4. Run: quit
Exit from the console user interface view.
5. Run: aaa
The AAA view is displayed.
6. Run: local-user user-name password { simple | cipher } password
The name and password of the local user are created. With simple, the password appears in clear text in the configuration file; with cipher, it is stored in encrypted form. Use cipher unless the clear-text form is explicitly needed.
• Configuring Password Authentication
1. Run: system-view
The system view is displayed.
2. Run: user-interface console interface-number
The console user interface view is displayed.
3. Run: authentication-mode password
The authentication mode is set to password authentication.
4. Run: set authentication password { cipher | simple } password
A password for authentication is set. The same choice between simple (clear text in the configuration file) and cipher applies here.
• Configuring Non-Authentication
1. Run: system-view
The system view is displayed.
2. Run: user-interface console interface-number
The console user interface view is displayed.
3. Run: authentication-mode none
The authentication mode is set to non-authentication. Anyone who connects to the console port then obtains a shell without entering a password, so use this mode only where physical access to the port is controlled.
----End

5.3.6 Checking the Configuration After configuring the console user interface, you can view the usage information of the user interface, the physical attributes and configurations of the user interface, the local user list, and online users.

Prerequisite The configurations of the User Management function are complete.

Procedure
• Run the display users [ all ] command to check information about the user interface.
• Run the display user-interface console ui-number1 [ summary ] command to check the physical attributes and configurations of the user interface.
• Run the display local-user command to check the local user list.
• Run the display access-user command to check online users.
----End

5.4 Configuring VTY User Interface You can configure the VTY user interface to maintain a switch remotely.

5.4.1 Establishing the Configuration Task Before configuring a VTY interface, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment If you want to log in to the switch using Telnet or SSH to perform management or configuration operations, a VTY interface is required.

Pre-configuration Tasks Before configuring a VTY user interface, complete the following tasks:
• Powering on the switch
• Connecting a PC to the switch correctly

Data Preparation To configure a VTY user interface, you need the following data.
No. Data
1 Maximum number of VTY user interfaces
2 (Optional) Number of the ACL that limits incoming and outgoing connections of users logging in through VTY user interfaces
3 Timeout period for idle users, maximum number of lines to be displayed on each screen, maximum number of characters in each line, and the size of the history command buffer
4 User authentication mode, user name, and password

5.4.2 Configuring Maximum VTY User Interfaces You can configure the maximum number of VTY user interfaces through which users log in to a switch.

Context Do as follows on the switch that the user logs in to:

Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: user-interface maximum-vty number
The maximum number of VTY user interfaces that can log in to the switch is set.

NOTE
When the maximum number of VTY user interfaces is set to zero, no user, including the NMS user, can log in to the switch through a VTY.
If the configured maximum is smaller than the current maximum, no other parameters need to be configured.
If the configured maximum is larger than the current maximum, the authentication mode and password need to be configured for the newly added user interfaces. For newly added user interfaces, the system applies password authentication by default, but no password is set, so they cannot be used for login until one is configured. For example, if a maximum of five users are currently allowed online and you want to allow 15 VTY users online at the same time, run the authentication-mode command and the set authentication password command for user interfaces VTY 5 to VTY 14:
system-view
[Quidway] user-interface maximum-vty 15
[Quidway] user-interface vty 5 14
[Quidway-ui-vty5-14] authentication-mode password
[Quidway-ui-vty5-14] set authentication password cipher huawei
----End

5.4.3 (Optional) Configuring Limits for Incoming Calls and Outgoing Calls You can use an ACL to limit incoming and outgoing connections on VTY user interfaces.

Context Do as follows on the switch that the user logs in to:

Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: user-interface vty first-ui-number [ last-ui-number ]
The VTY user interface view is displayed.
Step 3 Run: acl acl-number { inbound | outbound }
The ACL is applied to incoming or outgoing connections on the VTY user interfaces. Use inbound to restrict which source addresses or network segments may log in to the switch; use outbound to restrict which other switches a user who has logged in to this switch may connect to from it.
----End

5.4.4 Configuring VTY Terminal Attributes You can configure the timeout period for idle users, the maximum number of lines to be displayed on each screen, the maximum number of characters in each line, and the size of the history command buffer for a VTY interface.

Context Do as follows on the switch:

Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: user-interface vty number1 [ number2 ]
The VTY interface view is displayed.
Step 3 Run: shell
Terminal services are enabled.
Step 4 Run: idle-timeout minutes [ seconds ]
The timeout period for idle users is set.
Step 5 Run: screen-length screen-length
The maximum number of lines to be displayed on each screen is set. By default, a maximum of 24 lines are displayed on each screen. You can run the screen-length screen-length temporary command to change the number of lines for the current session only.
Step 6 Run: screen-width screen-width
The maximum number of characters in each line displayed on a terminal screen is set. By default, each line displayed on a terminal screen has a maximum of 80 characters.
Step 7 Run: history-command max-size size-value
The size of the history command buffer is set. By default, the history command buffer on a user interface can cache a maximum of 10 commands.
----End

5.4.5 Configuring User Authentication The system provides three authentication modes, namely, AAA, password, and none.

Context The switch supports the following three types of user authentication:
• AAA authentication: requires a user name and password.
• Password authentication: requires no user name, but a password must be set. If no password is set, the user can log in to the switch only through the console interface.
• None: requires neither a user name nor a password. No authentication is performed when the user logs in to the switch.

• Configuring AAA Authentication
Procedure
1. Run: system-view
The system view is displayed.
2. Run: user-interface vty number1 [ number2 ]
The VTY user interface view is displayed.
3. Run: authentication-mode aaa
The authentication mode is set to AAA.
4. Run: quit
Exit from the VTY user interface view.
5. Run: aaa
The AAA view is displayed.
6. Run: local-user user-name password { simple | cipher } password
The name and password of the local user are created.
• Configuring Password Authentication
1. Run: system-view
The system view is displayed.
2. Run: user-interface vty number1 [ number2 ]
The VTY user interface view is displayed.
3. Run: authentication-mode password
The authentication mode is set to password.
4. Run: set authentication password { cipher | simple } password
A password for this authentication mode is set.
• Configuring Non-Authentication
1. Run: system-view
The system view is displayed.
2. Run: user-interface vty number1 [ number2 ]
The VTY user interface view is displayed.
3. Run: authentication-mode none
The authentication mode is set to none. On a VTY this means that anyone who can open a Telnet session to the switch obtains a shell without any credential; restrict this mode to isolated test environments, or at least combine it with an inbound ACL on the VTY (see 5.4.3).
----End

5.4.6 Checking the Configuration After configuring the VTY user interface, you can view the usage information of the user interface, the maximum number of VTY user interfaces, and the physical attributes and configurations of the user interface.

Prerequisite The configuration of the VTY user interface is complete.

Procedure
• Run the display users [ all ] command to check the usage information of the user interface.
• Run the display user-interface maximum-vty command to check the maximum number of VTY user interfaces.
• Run the display user-interface [ [ ui-type ] ui-number1 | ui-number ] [ summary ] command to check the physical attributes and configurations of the user interface.
----End

5.5 Managing User Interfaces You need to manage user interfaces to ensure that the operator manages switches securely.

5.5.1 Establishing the Configuration Task Before managing user interfaces, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment To ensure that the operator manages switches securely, you may need to send messages between user interfaces and to disconnect a designated user.

Pre-configuration Tasks Before managing the user interface, complete the following tasks:
• Powering on the switch
• Connecting the PC with the switch properly

Data Preparations To manage the user interface, you need the following data:
No. Data
1 Type and number of the user interface
2 Contents of the message to be sent

5.5.2 Sending Messages to Other User Interfaces You can send messages between user interfaces.

Context Do as follows on the switch:

Procedure
Step 1 Run: send { all | ui-type ui-number | ui-number1 }
Message sending to the specified user interfaces is started.
Step 2 At the prompt, enter the message to be sent. Press Ctrl+Z or Enter to finish, or Ctrl+C to abort.
----End

5.5.3 Clearing Online User You can disconnect specified online users.

Context Do as follows on the switch:

Procedure
Step 1 Run: free user-interface { ui-number | ui-type ui-number1 }
The online user on the specified user interface is disconnected.
Step 2 When prompted, confirm that the designated online user is to be disconnected.
----End

5.5.4 Checking the Configuration After managing user interfaces, you can view the usage information of user interfaces.

Prerequisite The configuration of User Interfaces is complete.

Procedure
Step 1 Run the display users [ all ] command to check the usage information of the user interface.
----End

5.6 Configuring User Management Through user management, you can create users for switches, set user passwords, and manage users.

5.6.1 Establishing the Configuration Task Before configuring user management, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment After an IP address is assigned to the main control board or an interface board, any remote user who can reach that address can attempt to log in to the switch through Telnet, or connect to the switch through PPP to access networks. This compromises security. To ensure network security and ease user management, configure a user name and password for the switch.

Pre-configuration Tasks Before configuring a user, complete the following tasks:
• Powering on the switch
• Connecting the PC with the switch properly

Data Preparation To configure a user, you need the following data.
No. Data
1 Authentication mode
2 User name and password
3 User priority

5.6.2 Configuring Authentication Mode The system provides three authentication modes, namely, AAA local authentication, password authentication, and none.

Context Do as follows on the switch that the user logs in to:

Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: user-interface [ ui-type ] first-ui-number [ last-ui-number ]
The user interface view is displayed.
Step 3 Run: authentication-mode { aaa | password | none }
The user authentication mode is configured.
----End

5.6.3 Configuring Authentication Password You can configure a plain-text or cipher-text password for authentication.

Context Do as follows on the switch that the user logs in to:

Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: user-interface [ ui-type ] first-ui-number [ last-ui-number ]
The user interface view is displayed.
Step 3 Run: authentication-mode password
The authentication mode is set to password.
Step 4 Run: set authentication password { cipher | simple } password
The authentication password is configured.

NOTE
The default authentication mode is password authentication.

----End

5.6.4 Setting Username and Password for AAA Local Authentication You can configure a plain-text or cipher-text password for AAA local authentication.

Context Do as follows on the switch that the user logs in to:

Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: user-interface [ ui-type ] first-ui-number [ last-ui-number ]
The user interface view is displayed.
Step 3 Run: authentication-mode aaa
The authentication mode is set to AAA.
Step 4 Run: quit
Return to the system view.
Step 5 Run: aaa
The AAA view is displayed.
Step 6 Run: local-user user-name password { simple | cipher } password
The local user name and password are configured.
----End

5.6.5 Configuring Non-Authentication You can configure users to log in to a switch without being authenticated.

Context

CAUTION Configuring the non-authentication mode may cause security problems on the switch: any user who can reach the user interface obtains a shell without presenting any credential.

Do as follows on the switch that the user logs in to:

Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: user-interface [ ui-type ] first-ui-number [ last-ui-number ]
The user interface view is displayed.
Step 3 Run: authentication-mode none
The non-authentication mode is configured.

NOTE
• If the authentication mode is non-authentication or password authentication, the priority of the user interface determines the command level that the users can access.
• If the authentication mode requires the user name and the password, the priority of the user determines the command level that the users can access.

----End

5.6.6 Configuring User Priority You can configure the user priority.

Context Refer to the Quidway S2300 Series Configuration Guide - Security.

5.6.7 Checking the Configuration After configuring user management, you can view the usage information of user interfaces, the local user list, and online users.

Prerequisite The configuration of User Management is complete.

Procedure
• Run the display users [ all ] command to check the user information.
• Run the display local-user command to check the local user list.
• Run the display access-user command to check online users.
----End

5.7 Configuration Examples This section provides examples for configuring users to log in to a switch in different modes. These configuration examples explain networking requirements, configuration roadmap, and configuration notes.

Context

CAUTION After the first and second configuration examples are complete, commands with a level higher than 2 cannot be run from VTY0. Ensure that users can still log in to the switch in another way (for example, through the console port) so that the configuration can be changed or deleted.

5.7.1 Example for Configuring Logging In to the Switch Through Password In this example, the VTY0 priority, authentication mode, and idle timeout are configured, which enables users to log in to the switch through a password.

Networking Requirements The COM port of the PC is connected to the console port. Set the priority of VTY0 to 2 and authenticate users by password. Users must enter the password huawei to log in. After login, if no operation is performed for 30 minutes, the user interface is disconnected from the switch.

Configuration Roadmap The configuration roadmap is as follows:
1. Enter the user interface view and configure the priority of VTY0 as 2.
2. Configure password authentication (the password is entered in simple form) and the idle timeout.

Data Preparation To complete the configuration, you need the following data:
• The password for the authentication mode
• The idle timeout

Procedure
Step 1 Configure the priority of VTY0 to be 2 on the Switch.
system-view
[Quidway] user-interface vty0
[Quidway-ui-vty0] user privilege level 2
Step 2 Configure the password and the idle timeout.
[Quidway-ui-vty0] authentication-mode password
[Quidway-ui-vty0] set authentication password simple huawei
[Quidway-ui-vty0] idle-timeout 30
----End

Configuration Files
#
 sysname Quidway
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
#
user-interface vty 0
 user privilege level 2
 set authentication password simple huawei
 idle-timeout 30
#
return

The password appears in clear text in the configuration file because it was entered with simple; entering it with set authentication password cipher stores it in encrypted form instead (compare the local-user line in the configuration file of the next example).
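To see these settings from the auditing side, the following Python script (an added example, not code from the guide or from Huawei) parses a configuration file in the format shown above and reports the weak settings discussed in this chapter: authentication-mode none on any line, passwords entered with simple, VTY lines left in the default password mode without a password, VTY numbers enabled by user-interface maximum-vty but never configured, and AAA mode with no local user defined. The sample configuration embedded in the script is constructed: it extends the configuration file above with a maximum-vty line, a console stanza, two VTY ranges and two local users so that each check fires at least once.

```python
"""Audit a VRP-style configuration file for weak login settings on user interfaces.

Each check follows a statement in this chapter: password authentication is the
default mode; a VTY in password mode needs a password before it can be used;
"simple" stores a password in clear text; "authentication-mode none" asks for
no credential; VTYs added with "maximum-vty" must be configured explicitly.
"""
import re

# Constructed sample: the configuration file of the password-login example,
# extended with a maximum-vty line, a console stanza, two VTY ranges and two
# local users (none of these extra lines are on the page).
SAMPLE_CONFIG = """\
#
 sysname Quidway
#
aaa
 local-user admin password simple huawei
 local-user ops password cipher N`C55QK
#
user-interface maximum-vty 15
user-interface con 0
user-interface vty 0
 user privilege level 2
 set authentication password simple huawei
 idle-timeout 30
user-interface vty 1 4
 authentication-mode aaa
user-interface vty 5 9
 authentication-mode none
#
return
"""

MAX_VTY_RE = re.compile(r"^user-interface\s+maximum-vty\s+(\d+)$")
UI_RE = re.compile(r"^user-interface\s+(con|vty)\s+(\d+)(?:\s+(\d+))?$")
LOCAL_USER_RE = re.compile(r"^local-user\s+(\S+)\s+password\s+(simple|cipher)\s+\S+$")


def parse_config(config):
    """Return (max_vty, stanzas, local_users); a stanza is one user-interface
    block with its indented commands, closed by any non-indented line."""
    max_vty, stanzas, local_users, current = None, [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        stripped = line.strip()
        m = LOCAL_USER_RE.match(stripped)
        if m:
            local_users[m.group(1)] = m.group(2)  # name -> simple | cipher
            continue
        m = MAX_VTY_RE.match(line)
        if m:
            max_vty, current = int(m.group(1)), None
            continue
        m = UI_RE.match(line)
        if m:
            first = int(m.group(2))
            last = int(m.group(3)) if m.group(3) else first
            current = {"type": m.group(1), "first": first, "last": last, "cmds": []}
            stanzas.append(current)
            continue
        if current is not None and line.startswith(" ") and stripped:
            current["cmds"].append(stripped)
        else:
            current = None
    return max_vty, stanzas, local_users


def audit(config):
    """Return a list of (severity, message) findings for the configuration."""
    max_vty, stanzas, local_users = parse_config(config)
    findings, configured_vtys, aaa_in_use = [], set(), False
    for st in stanzas:
        label = f"{st['type']} {st['first']}" + (f" {st['last']}" if st["last"] != st["first"] else "")
        mode, has_password = "password", False  # password mode is the default
        for cmd in st["cmds"]:
            if cmd.startswith("authentication-mode "):
                mode = cmd.split()[1]
            elif cmd.startswith("set authentication password "):
                has_password = True
                if cmd.split()[3] == "simple":
                    findings.append(("high", f"{label}: login password stored in clear text (simple); re-enter it with cipher"))
        if mode == "none":
            findings.append(("critical", f"{label}: authentication-mode none, no credential is asked for on this line"))
        elif mode == "aaa":
            aaa_in_use = True
        elif not has_password and st["type"] == "vty":
            findings.append(("low", f"{label}: password mode without a password; remote login on this line is impossible until one is set"))
        elif not has_password:
            findings.append(("medium", f"{label}: console line in password mode without a password; control physical access to the console port"))
        if st["type"] == "vty":
            configured_vtys.update(range(st["first"], st["last"] + 1))
    if aaa_in_use and not local_users:
        findings.append(("high", "authentication-mode aaa is used but no local-user exists"))
    for name, form in local_users.items():
        if form == "simple":
            findings.append(("high", f"local-user {name}: password stored in clear text (simple); re-enter it with cipher"))
    if max_vty is not None:  # every VTY below the maximum needs a stanza
        for n in range(max_vty):
            if n not in configured_vtys:
                findings.append(("info", f"vty {n}: enabled by maximum-vty {max_vty} but never configured; it keeps the default password mode with no password"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run the script against the output of display current-configuration saved to a file; VTY ranges such as "user-interface vty 5 9" are expanded so that the coverage check against maximum-vty works per line, and a configuration without findings returns an empty list.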

5.7.2 Example for Logging In to the Device Through AAA In this example, the VTY0 priority and idle timeout are configured and the idle-out function is enabled for local users, which enables users to log in to the switch through AAA authentication.

Networking Requirements The COM port of the PC is connected to the console port of the switch. Configure the priority of VTY0 to be 2 and perform AAA authentication on the user that logs in through VTY0. The login user must enter the user name "huawei" and the password "huawei". After login, if the user does not operate the switch for 30 minutes, the connection with the switch is disconnected.

Configuration Roadmap The configuration roadmap is as follows:
1. Enter the user interface view to configure the priority of VTY0 to be 2 and the idle timeout.
2. Enter the AAA view to configure the user name, the password, and the user level.
3. Switch on the idle timeout for the local user in the AAA view.

Data Preparation To complete the configuration, you need the following data:
• User name and password for authentication
• Idle timeout

Procedure
Step 1 Configure the priority of VTY0 to be 2, AAA authentication, and an idle timeout of 30 minutes.
system-view
[Quidway] user-interface vty0
[Quidway-ui-vty0] user privilege level 2
[Quidway-ui-vty0] authentication-mode aaa
[Quidway-ui-vty0] idle-timeout 30
[Quidway-ui-vty0] quit
Step 2 Configure the local user name, password, and user level.
[Quidway] aaa
[Quidway-aaa] local-user huawei password cipher huawei
[Quidway-aaa] local-user huawei privilege level 2
----End

Configuration Files
#
 sysname Quidway
#
aaa
 local-user huawei password cipher N`C55QK

Step 4 Set the file transfer mode to binary and the local directory on the PC.
ftp> binary
200 Type set to I.
ftp> lcd c:\temp
Local directory now C:\temp.
Step 5 Upload d006.cc and vrpcfg.cfg from the PC to the Switch.
ftp> put d006.cc d006.cc
200 Port command okay.
150 Opening BINARY mode data connection for d006.cc.
ftp> put vrpcfg.cfg vrpcfg.cfg
200 Port command okay.
150 Opening BINARY mode data connection for vrpcfg.cfg.
ftp> quit
C:\WINDOWS\Desktop>
----End

Configuration Files
#
 sysname Quidway
#
FTP server enable
#
vlan batch 10
#
interface Vlanif10
 ip address 10.1.1.2 255.255.255.0
#
interface Ethernet0/0/1
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
#
aaa
 local-user u1 password simple ftppwd
 local-user u1 ftp-directory flash:/
 local-user u1 service-type ftp
#
return


8 FTP and TFTP

8.7.2 Example for Configuring an ACL of the FTP Server In this example, an ACL is configured to allow only a certain host to log in to the FTP server.

Networking Requirements As shown in Figure 8-2, the IP address of the FTP server is 172.16.104.110/24. Routes between PC1, PC2, and the FTP server are reachable. The S2300 functions as the FTP server and must permit only PC1, with the IP address 172.16.104.111, to download and upload files through FTP; PC2 must no longer be able to connect to the FTP server after the ACL is configured.
Figure 8-2 Networking diagram for configuring an ACL of the FTP server (FTP Server 172.16.104.110/24; PC1 172.16.104.111/24; PC2 172.16.105.111/24)

Configuration Roadmap The configuration roadmap is as follows:
1. Perform basic configurations on the FTP server.
2. Configure the ACL on the FTP server.

Data Preparation To complete the configuration, you need the following data:
• Name of the FTP user set as u1 and password set as huawei on the server
• Number of the ACL

Procedure
Step 1 Configure basic FTP functions. For details, see 8.7.1 Example for Configuring the FTP Server.
Step 2 Configure an ACL.
system-view
[Quidway] acl number 2001
[Quidway-acl-basic-2001] rule permit source 172.16.104.111 0.0.0.0
[Quidway-acl-basic-2001] quit
Step 3 Apply the ACL to the FTP server.
[Quidway] ftp acl 2001
Step 4 Connect PC1 to the FTP server. This step is performed at the command prompt of the PC.
c:\ ftp 172.16.104.110
Connected to 172.16.104.110.
220 FTP service ready.
User (100.2.150.40:(none)):u1
331 Password required for u1
Password:
230 User logged in.
ftp>
Step 5 Connect PC2 to the FTP server. This step is performed at the command prompt of the PC.
c:\ ftp 172.16.104.110
Connected to 172.16.104.110.
Info:Connection was denied by remote host according to ACL!
Connection closed by remote host.
----End

NOTE
PC2 is rejected although ACL 2001 contains only a permit rule: a source address that matches no rule of the ACL applied to the FTP server is denied. The ACL only limits who may connect; FTP itself still carries the user name, password, and file contents in clear text.

Configuration Files Configuration file of the FTP server
#
 sysname Quidway
#
FTP server enable
FTP acl 2001
#
acl number 2001
 rule 5 permit source 172.16.104.111 0
#
vlan batch 10
#
interface Vlanif10
 ip address 10.1.1.2 255.255.255.0
#
interface Ethernet0/0/1
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 local-user u1 password simple huawei
 local-user u1 ftp-directory flash:/
 local-user u1 service-type ftp
#
return

8.7.3 Example for Configuring the FTP Client In this example, a switch is configured as an FTP client. The switch then logs in to the FTP server and downloads the system software and configuration file.

Networking Requirements As shown in Figure 8-3, the remote server at 10.1.1.2 serves as the FTP server. The Switch and the FTP server are directly connected and on the same network segment, and the Switch has a reachable route to the FTP server. The Switch acts as the FTP client. Interfaces Ethernet0/0/1 to Ethernet0/0/4 can be used to set up FTP connections and share the IP address 10.1.1.3 configured on VLANIF 10. The Switch downloads files from the FTP server.
Figure 8-3 Networking diagram of the Switch functioning as the FTP client (PC connected to the FTP client through the configuration cable; FTP session between the FTP client and the FTP server)

Configuration Roadmap The configuration roadmap is as follows:
1. Log in to the FTP server from the FTP client.
2. Download files from the server to the storage device of the client.

Data Preparation To complete the configuration, you need the following data:
• IP address of the FTP server
• Name of the destination file and the directory where the destination file is stored on the Switch
• Name of the FTP user set as u1 and the password set as ftppwd on the client

Procedure
Step 1 Enable FTP on the remote FTP server. Add an FTP user named u1 and set the password to ftppwd.
Step 2 Create VLAN 10 on the Switch, add Ethernet0/0/1 to Ethernet0/0/4 to it, and assign the IP address 10.1.1.3 to VLANIF 10.
system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface ethernet 0/0/1
[Quidway-Ethernet0/0/1] port hybrid pvid vlan 10
[Quidway-Ethernet0/0/1] port hybrid untagged vlan 10
[Quidway-Ethernet0/0/1] quit
[Quidway] interface ethernet 0/0/2
[Quidway-Ethernet0/0/2] port hybrid pvid vlan 10
[Quidway-Ethernet0/0/2] port hybrid untagged vlan 10
[Quidway-Ethernet0/0/2] quit
[Quidway] interface ethernet 0/0/3
[Quidway-Ethernet0/0/3] port hybrid pvid vlan 10
[Quidway-Ethernet0/0/3] port hybrid untagged vlan 10
[Quidway-Ethernet0/0/3] quit
[Quidway] interface ethernet 0/0/4
[Quidway-Ethernet0/0/4] port hybrid pvid vlan 10
[Quidway-Ethernet0/0/4] port hybrid untagged vlan 10
[Quidway-Ethernet0/0/4] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.1.1.3 24
Step 3 On the Switch, initiate a connection to the FTP server with the user name u1 and the password ftppwd.
ftp 10.1.1.2
Trying 10.1.1.2 ...
Press CTRL+K to abort
Connected to 10.1.1.2.
220 FTP service ready.
User(10.1.1.2:(none)):u1
331 Password required for u1.
Enter password:
230 User logged in.
[ftp]
Step 4 On the Switch, set the file transfer mode to binary and the local directory to the flash.
[ftp] binary
200 Type set to I.
[ftp] lcd flash:/
The current local directory is flash:.
Step 5 Download the vrpcfg.cfg file from the remote FTP server to the Switch.
[ftp] get vrpcfg.cfg vrpcfg.cfg
200 Port command okay.
150 Opening BINARY mode data connection for vrpcfg.cfg.
226 Transfer complete.
FTP: 9124 byte(s) received in 3.100 second(s) 2.94Kbyte(s)/sec.
[ftp] quit
----End

Configuration Files
#
 sysname Quidway
#
vlan batch 10
#
interface Vlanif10
 ip address 10.1.1.3 255.255.255.0
#
interface Ethernet0/0/1
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
#
interface Ethernet0/0/2
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
#
interface Ethernet0/0/3
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
#
interface Ethernet0/0/4
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
#
return

8.7.4 Example for Configuring the TFTP Client In this example, the TFTP application is run on the TFTP server and the location of the source file on the server is set. After that, you can upload and download files.

Networking Requirements
As shown in Figure 8-4, the Switch cannot function as the TFTP server. The remote server at 10.1.1.2 functions as the TFTP server and the Switch acts as a TFTP client. VLAN 10 is created on the Switch, and Ethernet0/0/1 is added to VLAN 10. The IP address 10.1.1.1/24 is assigned to VLANIF 10. The Switch downloads files from the TFTP server.
Figure 8-4 Networking diagram for configuring TFTP
(Figure labels: PC, configuration cable, TFTP Client, TFTP session, TFTP Server)

Configuration Roadmap
The configuration roadmap is as follows:
1. Run the TFTP software on the TFTP server and set the position where the source file is located on the Switch.
2. Download files through TFTP commands on the Switch.
Data Preparation
To complete the configuration, you need the following data:
- TFTP software installed on the TFTP server
- Path of the source file on the TFTP server
- Name of the destination file and position where the destination file is located on the Switch

Procedure
Step 1 Enable TFTP on the remote server to ensure that the TFTP application software is started.
Step 2 Create VLAN 10 on the Switch and assign the IP address 10.1.1.1/24 to VLANIF 10.
 system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface ethernet 0/0/1
[Quidway-Ethernet0/0/1] port hybrid pvid vlan 10
[Quidway-Ethernet0/0/1] port hybrid untagged vlan 10
[Quidway-Ethernet0/0/1] quit
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.1.1.1 24
Step 3 On the Switch, initiate a connection to the TFTP server and download the 8031.cc file.
 tftp 10.1.1.2 get 8031.cc 8031new.cc
Info: Transfer file in binary mode.
Downloading the file from the remote tftp server, please wait...
----End
Configuration Files
#
 sysname Quidway
#
vlan batch 10
#
interface Vlanif10
 ip address 10.1.1.1 255.255.255.0
#
interface Ethernet0/0/1
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
#
return


9 Telnet and SSH

About This Chapter
Telnet and SSH provide a terminal that enables users to remotely log in to and access a server.
9.1 Telnet and SSH Introduction
This section explains basic concepts of user login by means of Telnet and SSH.
9.2 Configuring Telnet Terminal Services
This section explains how to log in to a switch by means of Telnet and configure the switch.
9.3 Configuring SSH Users
SSH users must be configured to ensure that STelnet or SFTP clients are able to log in to SSH servers.
9.4 Configuring the SSH Server Function
This section describes how to configure the SSH server. STelnet or SFTP must first be enabled on the SSH server.
9.5 Configuring the STelnet Client Function
This section describes how to configure the STelnet client. A secure connection between the client and server can be established through negotiation, and the client will be able to log in to the server similarly to using Telnet services.
9.6 Configuring the SFTP Client Function
This section explains how to configure the SFTP client. The authentication and bidirectional data encryption of the SFTP client can be manually configured, which will ensure secure file transmission on the network.
9.7 Configuring the SCP Client
This section describes how to configure the SCP client. The SCP client sets up a secure connection with the SCP server so that the client can upload files to the server or download files from the server.
9.8 Configuration Examples
This section provides configuration examples for Telnet and SSH along with a configuration flowchart. The configuration examples explain networking requirements, configuration notes, and the configuration roadmap.


9.1 Telnet and SSH Introduction This section explains basic concepts of user login by means of Telnet and SSH.

9.1.1 Overview of User Login
You can locally or remotely log in to a switch through the console port, Telnet, or SSH. To configure, monitor, and maintain the local or remote S2300, you need to configure the user interface, user management, and the terminal service. The user interface provides a login plane, user management guarantees login security, and the terminal service provides the related processes of the login protocol. The S2300 supports the following login methods:
- Login through the console port
- Local or remote login through Telnet or SSH

9.1.2 Telnet Terminal Services The S2300 provides Telnet services including Telnet server and Telnet client.

Telnet Services
Telnet is an application layer protocol in the TCP/IP protocol suite. It provides remote login and a virtual terminal service through the network. The S2300 provides the following Telnet services:
- Telnet server: You can run the Telnet client program on a PC to log in to the switch and configure and manage it. The switch acts as a Telnet server.
- Telnet client: You can run the terminal emulation program or the Telnet client program on a PC to connect to the switch. With the telnet command, you can then log in to other switches to configure and manage them. As shown in Figure 9-1, Switch A serves as both the Telnet server and the Telnet client.
Figure 9-1 Telnet client services
(Figure labels: PC, Telnet Session 1, SwitchA as Telnet Server, Telnet Session 2, SwitchB)

9.1.3 SSH Terminal Services The S2300 supports the basic SSH protocol, client function, SFTP protocol, STelnet protocol and SCP.

Introduction to SSH
SSH works at the application layer in the TCP/IP protocol suite. SSH provides secure remote login and a virtual terminal over the network. Based on TCP connections, SSH guarantees security and provides authentication for transmitted information, preventing the following attacks shown in Figure 9-2:
- IP spoofing
- Interception of the password in plain text
- Denial of Service (DoS)
In the figure, Switch is an S2300.
Figure 9-2 Establishing a local SSH connection between the PC and the S2300
(Figure labels: PC as SSH Client in VLAN1, Ethernet, L2 Switch, Ethernet, Switch as SSH Server)

SSH adopts the client/server model and sets up multiple secure transmission channels. The Switch, as the SSH server, can be connected to multiple PCs that function as SSH clients. A Layer 2 switch may exist between the PC and the SSH server. In the actual networking, a route is required to be reachable between the PC and the Switch.

Advantages of SSH
The applications of SSH include STelnet and SFTP. Different from Telnet and FTP terminal services, SSH provides secure remote access over a network where security is not otherwise guaranteed. The advantages of SSH are described as follows:
- STelnet client functions
  Login through Telnet carries a security risk because there is no authentication and the data transmitted through TCP is in plain text. This insecure access exposes the device to malicious attacks including DoS attacks, IP spoofing attacks, and route spoofing attacks. SSH provides secure remote access on an insecure network by supporting the following functions:
  – Supporting Rivest-Shamir-Adleman (RSA) authentication
  – Supporting Data Encryption Standard (DES) and 3DES
  – Supporting the encrypted transfer of the user name or password
  – Supporting the encrypted transfer of interactive data
  SSH adopts RSA. After the public key and the private key are generated according to the principles of the asymmetric encryption system, the following information is transmitted securely between the SSH client and the SSH server:
  – Key
  – User name or password
  – Interactive data

- SFTP client functions
  SFTP provides the following types of applications:
  – By using SFTP, you can securely log in to the S2300 to manage files from the remote device. In this manner, the security of data transmission is improved when files need to be transferred during the upgrade of the remote system.
  – The S2300 can function as the client to log in to the remote device through FTP to transfer files securely.
- SCP client
  SCP enables you to log in to the device securely from a remote device to upload or download files. Data transfer in this mode is much safer for remote system updates. In addition, SCP provides the client function so that a local device can log in to a remote device for secure data transfer. Unlike SFTP, SCP simplifies the file transfer process by combining user authentication and file transfer, thus improving configuration efficiency.

Setting Up an SSH Connection
The procedure for setting up an SSH connection is as follows:
1. Negotiating the SSH version
2. Negotiating the key
3. Authenticating the user identity
4. Initiating a session request
5. Performing the interactive session

9.2 Configuring Telnet Terminal Services This section explains how to log in to a switch by means of Telnet and configure the switch.

9.2.1 Establishing the Configuration Task Before configuring Telnet terminal services, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.


Applicable Environment To remotely log in to the switch through the Telnet protocol for maintenance and management, you need to configure Telnet terminal services.

Pre-configuration Tasks
Before configuring Telnet terminal services, complete the following tasks:
- Ensuring that the switch runs normally
- Ensuring that the IP addresses of interfaces on the switch are configured correctly
- Configuring the user account, correct login authentication mode, and call-in and call-out restriction
- Ensuring that reachable routes exist between the terminal and the switch

Data Preparation
To configure Telnet terminal services, you need the following data.
No.  Data
1    IP address of the switch
3    IPv4/IPv6 address or host name of the remote switch
4    Number of the TCP port that is used by the remote switch to provide Telnet services
5    (Optional) Timeout period after which the server terminates the connection with the user interface
6    (Optional) Source IP address or source interface of the device functioning as a Telnet client

9.2.2 Enabling the Telnet Service Before establishing a Telnet connection with the server, you need to enable the Telnet service.

Context
Do as follows on the switch that serves as a Telnet server. Select and perform one of the following two steps for IPv4 or IPv6.

Procedure
- For the IPv4 network
  1. Run: system-view
     The system view is displayed.
  2. Run: telnet server enable
     The Telnet service is enabled.
  NOTE
  - By default, the function of the Telnet server is enabled.
  - If the undo telnet server enable command is run when Telnet login is in progress, the command does not take effect.
  - After the Telnet server function is disabled, you can log in to the device only through SSH or an asynchronous serial interface rather than through Telnet.
- For the IPv6 network
  1. Run: system-view
     The system view is displayed.
  2. Run: telnet ipv6 server enable
     The Telnet service is enabled.
  NOTE
  - By default, the function of the Telnet server is enabled.
  - If the telnet ipv6 server enable command is run when Telnet login is in progress, the command does not take effect.
  - After the Telnet server function is disabled, you can log in to the device only through SSH or an asynchronous serial interface rather than through Telnet.
----End

9.2.3 Establishing a Telnet Connection You can log in to and manage a switch through Telnet.

Context Do as follows on the switch that serves as a Telnet client: Select and perform one of the following two steps for IPv4 or IPv6.

Procedure
- Run: telnet host-name [ port-number ]
  Log in to the switch and manage other switches.
- Run: telnet ipv6 host-name [ port-number ]
  Log in to the switch and manage other switches.
----End

9.2.4 (Optional) Configuring a Telnet Server Port Number
A user can configure or change the Telnet server port number. After the port number is changed, only the user knows the port number, improving security.


Context Do as follows on the switch that functions as a Telnet server:

Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: telnet server port port-number
A Telnet server port number is set. If a new port number is set, the Telnet server terminates all established Telnet connections and then uses the new port number to listen for new Telnet connection requests. By default, the Telnet server port number is 23.
----End

9.2.5 (Optional) Scheduled Telnet Disconnection You can set the idle-timeout period for Telnet connections. In this manner, if the Telnet connections keep idle during the specified period, the system automatically terminates the Telnet connections.

Context Do as follows on the switch that serves as a Telnet client:

Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: user-interface [ ui-type ] first-ui-number [ last-ui-number ]
The user interface view is displayed.
Step 3 Run: idle-timeout minutes [ seconds ]
The scheduled Telnet disconnection is enabled.
----End

9.2.6 Checking the Configuration
After configuring Telnet terminal services, you can view the connection status of the current user interface, the connection status of each user interface, and the status of all established TCP connections.


Prerequisite
The configuration of Telnet terminal services is complete.

Procedure
- Run the display users command to check information about connected users.
- Run the display users all command to check information about all users, including connected and disconnected users.
- Run the display tcp status command to check TCP connections.
- Run the display telnet server status command to check the configuration and status of the Telnet server.
----End
Example
Run the display tcp status command to view TCP connections. In the command output, Established indicates that a TCP connection has been established.
 display tcp status
TCPCB    Tid/Soid  Local Add:port       Foreign Add:port   VPNID  State
39952df8 36 /1509  0.0.0.0:0            0.0.0.0:0          0      Closed
32af9074 59 /1     0.0.0.0:21           0.0.0.0:0          14849  Listening
34042c80 73 /17    10.164.39.99:23      10.164.6.13:1147   0      Established
Run the display telnet server status command to view the configuration and status of the Telnet server.
 display telnet server status
 TELNET IPV4 server   :Enable
 TELNET IPV6 server   :Enable
 TELNET server port   :23
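As an added example (not part of the Huawei guide), the following Python parses display tcp status output in the column layout shown above and flags sockets on the FTP and Telnet ports, whose logins cross the network in clear text. The sample output is constructed, and the PLAINTEXT_PORTS mapping is the example's own assumption.

```python
"""Parse 'display tcp status' output from a Quidway S2300 and flag sockets that
belong to plain-text management services.  Added example, not from the Huawei
guide; the sample output below is constructed to match the guide's layout."""
import re
from dataclasses import dataclass

# Constructed sample in the column layout of the guide's example output.
SAMPLE_TCP_STATUS = """\
 display tcp status
TCPCB    Tid/Soid  Local Add:port       Foreign Add:port   VPNID  State
39952df8 36 /1509  0.0.0.0:0            0.0.0.0:0          0      Closed
32af9074 59 /1     0.0.0.0:21           0.0.0.0:0          14849  Listening
34042c80 73 /17    10.164.39.99:23      10.164.6.13:1147   0      Established
"""

# Assumption of this example: services whose credentials travel in clear text.
PLAINTEXT_PORTS = {21: "FTP", 23: "Telnet"}


@dataclass(frozen=True)
class TcpEntry:
    tcpcb: str
    tid: int
    soid: int
    local_addr: str
    local_port: int
    foreign_addr: str
    foreign_port: int
    vpnid: int
    state: str


# One data row: hex control block id, "tid /soid", two addr:port pairs, VPNID, state.
ROW_RE = re.compile(
    r"^(?P<tcpcb>[0-9a-f]+)\s+(?P<tid>\d+)\s*/(?P<soid>\d+)\s+"
    r"(?P<laddr>[\d.]+):(?P<lport>\d+)\s+(?P<faddr>[\d.]+):(?P<fport>\d+)\s+"
    r"(?P<vpnid>\d+)\s+(?P<state>\w+)\s*$"
)


def parse_tcp_status(text: str) -> list[TcpEntry]:
    """Return one TcpEntry per data row; the echoed command and header are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        entries.append(TcpEntry(
            m["tcpcb"], int(m["tid"]), int(m["soid"]),
            m["laddr"], int(m["lport"]), m["faddr"], int(m["fport"]),
            int(m["vpnid"]), m["state"]))
    return entries


def plaintext_findings(entries: list[TcpEntry]) -> list[tuple[str, str]]:
    """Return (severity, message) pairs for listening or established sockets on
    FTP/Telnet ports.  An established session names the remote peer so an
    operator can check it against the expected management hosts."""
    findings = []
    for e in entries:
        service = PLAINTEXT_PORTS.get(e.local_port)
        if service is None:
            continue
        if e.state == "Listening":
            findings.append(("warn", f"{service} server listening on port {e.local_port}"))
        elif e.state == "Established":
            findings.append(("alert", f"{service} session from {e.foreign_addr}:"
                                      f"{e.foreign_port} to {e.local_addr}:{e.local_port}"))
    return findings


if __name__ == "__main__":
    for severity, message in plaintext_findings(parse_tcp_status(SAMPLE_TCP_STATUS)):
        print(f"[{severity}] {message}")
```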

9.3 Configuring SSH Users SSH users must be configured to ensure that STelnet or SFTP clients are able to log in to SSH servers.

9.3.1 Establishing the Configuration Task Before configuring SSH users, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment The STelnet or SFTP client can log in to the SSH server to perform operations only after SSH users are correctly configured on the SSH server.

Pre-configuration Tasks
Before configuring SSH users, complete the following tasks:
- Creating a local user
- Configuring an RSA public key for the SSH client on the SSH server

Data Preparation
To configure SSH users, you need the following data.
No.  Data
1    Name and password of SSH users
2    Authentication mode of SSH users
3    Service type of SSH users
4    Name of the peer RSA public key assigned to SSH users
5    Operating directory of the SFTP service for SSH users

9.3.2 Creating an SSH User
AAA does not support RSA authentication. Therefore, when RSA authentication or password-rsa authentication is adopted, you need to create an SSH user. When password authentication is adopted, you need to create a local user with the same name in the AAA view.

Context
NOTE
Besides creating an SSH user separately, you can also create an SSH user when you configure the following:
- Configuring the Authentication Mode for SSH Users
- Configuring the Service Type of SSH Users

Do as follows on the switch that serves as an SSH server:

Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: ssh user user-name
If you want to create an SSH user in the password authentication mode, you need to create a local user with the same name in the AAA view:
1. Run: aaa
   The AAA view is displayed.
2. Run: local-user user-name password { simple | cipher } password
   The name and password of the local user are created.
----End

9.3.3 Configuring SSH for the VTY User Interface You can configure SSH for the VTY user interface.

Context Do as follows on the switch that serves as an SSH server:

Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: user-interface [ vty ] first-ui-number [ last-ui-number ]
The VTY user interface view is displayed.
Step 3 Run: authentication-mode aaa
The AAA authentication mode is configured.
Step 4 Run: protocol inbound ssh
The VTY is configured to support SSH.
NOTE
The authentication mode of the VTY user interface must be set to AAA. Otherwise, the protocol inbound ssh command cannot be configured successfully.

----End

9.3.4 Generating a Local RSA Key Pair You need to create an RSA key before configuring SSH.

Context
Do as follows on the switches that serve as a client or a server:
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: rsa local-key-pair create
A local RSA key pair is generated.
NOTE
To log in to an SSH server, the local RSA key pair must be configured and generated first. Before performing the other SSH configurations, you must run the rsa local-key-pair create command to generate a local key pair.

----End

9.3.5 Configuring the Authentication Mode for SSH Users You can configure the password or RSA authentication mode for SSH users.

Context Do as follows on the switch that serves as an SSH server:

Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: ssh user user-name authentication-type { password | rsa | password-rsa | all }
The authentication mode for SSH users is configured. Perform the following as required:
- Authenticate the SSH user through the password.
  – Run: ssh user user-name authentication-type password
    Password authentication is configured for the SSH user.
  – Run: ssh authentication-type default password
    Default password authentication is configured for SSH users.
  For local authentication or HWTACACS authentication, if the number of SSH users is small, you can adopt the former command; if the number of SSH users is large, adopt the latter command to simplify the configuration.
- Authenticate the SSH user through RSA.
  1. Run: ssh user user-name authentication-type rsa
     RSA authentication is configured for the SSH user.
  2. Run: rsa peer-public-key key-name
     The public key view is displayed.
  3. Run: public-key-code begin
     The public key editing view is displayed.
  4. Run: hex-data
     The public key is edited. The public key must be a string of hexadecimal characters. It is automatically generated by an SSH client. You can run the display rsa local-key-pair public command to view a generated public key.
  5. Run: public-key-code end
     Quit the public key editing view. If the specified hex-data is invalid, the public key cannot be generated after the peer-public-key end command is run. If the specified key-name is deleted in other views, the system prompts that the key does not exist after the peer-public-key end command is run, and the system view is displayed.
  6. Run: peer-public-key end
     Return to the system view from the public key view.
  7. Run: ssh user user-name assign rsa-key key-name
     The public key is assigned to the SSH user.
NOTE
- After the public key editing view is displayed, the RSA public key generated on the client can be sent to the server. Copy the RSA public key to the switch that serves as the SSH server.
- Before the peer RSA public key is assigned to the SSH users, the SSH server must be configured and the peer RSA public key must be the RSA public key of the SSH client.

----End

9.3.6 (Optional) Configuring the Basic Authentication Information for SSH Users You can configure the interval for updating the server key pair, timeout period of the SSH authentication, and retry times of the SSH authentication.

Context Do as follows on the switch that serves as an SSH server:

Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: ssh server rekey-interval interval
The interval for updating the server key pair is configured. By default, the interval for updating the key pair of the SSH server is 0, which indicates no updating.
Step 3 Run: ssh server timeout seconds
The timeout period of the SSH authentication is set. By default, the timeout period is 60 seconds.
Step 4 Run: ssh server authentication-retries times
The number of retries of the SSH authentication is set. By default, the number of retries is 3.
----End

9.3.7 (Optional) Authorizing SSH Users Through the Command Line If RSA authentication is adopted, you need to configure command line authorization for SSH users.

Context
NOTE
There are four authentication modes for an SSH user, namely, password, rsa, password-rsa, and all. For details on configuring command line authorization for password authentication, refer to the chapter "AAA and User Management" in the Quidway S2300 Series Configuration Guide - Security. This section describes how to configure command line authorization for RSA authentication.

Do as follows on the switch that serves as an SSH server:

Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: ssh user user-name authorization-cmd aaa
Command line authorization is configured for the specified SSH user.
----End

Follow-up Procedure After configuring the authorization through command lines for the SSH user to perform RSA authentication, you have to configure the AAA authorization. Otherwise, the command line authorization for the SSH user does not take effect.

9.3.8 Configuring the Service Type of SSH Users
You can set the service type of SSH users to SFTP, STelnet, or all.


Context Do as follows on the switch that functions as an SSH server:

Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: ssh user username service-type { sftp | stelnet | all }
The service type for the SSH user is configured. By default, the service type of the SSH user is not configured.
----End

9.3.9 (Optional) Configuring the Authorized Directory of the SFTP Service for SSH Users You can configure a directory as an authorized directory to allow SSH users to use SFTP services.

Context Do as follows on the switch that serves as an SSH server:

Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: ssh user username sftp-directory directoryname
The authorized directory of the SFTP service for SSH users is configured. By default, the authorized directory of the SFTP service for SSH users is Flash.
----End

9.3.10 Checking the Configuration After configuring SSH users, you can view SSH user information.

Prerequisite
The configuration of SSH users is complete.


Procedure
- Run the display ssh user-information command to check the information about the SSH clients on the SSH server.
- Run the display ssh user-information username command to check the information about the specified SSH client on the SSH server.
----End
Example
Run the display ssh user-information username command. The output shows that the SSH user named client001 is authenticated by password and that its service type is sftp.
[Quidway] display ssh user-information client001
 User Name             : client001
 Authentication-type   : password
 User-public-key-name  :
 Sftp-directory        :
 Service-type          : sftp
 Authorization-cmd     : No

9.4 Configuring the SSH Server Function This section describes how to configure the SSH server. STelnet or SFTP must first be enabled on the SSH server.

9.4.1 Establishing the Configuration Task Before configuring the SSH server, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.

Applicable Environment Before configuring the SSH server, you must enable STelnet, SFTP, or SCP on the SSH server. You can change the number of the port monitored by the SSH server to other port numbers. This can prevent attackers from accessing standard ports of the SSH server and thus save bandwidth and system resources.

Pre-configuration Tasks
Before configuring the SSH server, complete the following tasks:
- Connecting the SSH client to the SSH server correctly
- Ensuring that the SSH client and the SSH server are routable
- Configuring the VTY interface on the SSH server to support SSH
- Configuring the SSH client on the SSH server
- Creating the local RSA key pair on the SSH server
Data Preparation
To configure the SSH server, you need the following data.
No.  Data
1    Number of the port monitored by the SSH server

9.4.2 Enabling the STelnet Service Before enjoying the STelnet service, you need to enable it.

Context Do as follows on the switch that serves as an SSH server:

Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: stelnet server enable
The STelnet service is enabled. By default, the STelnet service is disabled.
----End

9.4.3 Enabling the SFTP Service
Before using the SFTP service, you need to enable it.

Context Do as follows on the switch that serves as an SSH server:

Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: sftp server enable
The SFTP service is enabled. By default, the SFTP service is disabled.
----End

9.4.4 Enabling SCP Services
SCP services become available only after being enabled.


Context Do as follows on the S2300 functioning as the SCP server:

Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: scp server enable
SCP services are enabled. By default, SCP services are disabled.
----End

9.4.5 (Optional) Enabling the Earlier-Version-Compatible Function
You can configure whether the switch is compatible with earlier SSH versions.

Context Do as follows on the switch that serves as an SSH server:

Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: ssh server compatible-ssh1x enable
The earlier-version-compatible function is enabled. By default, a server configured with the SSH2.0 protocol is compatible with SSH1.X. To deny login to clients running SSH1.3 to SSH1.99 (protocol version ranges from 1.3 to 1.99), run the undo ssh server compatible-ssh1x enable command to disable compatibility with the earlier protocol version.
NOTE
- Compared with SSH1.X, SSH2.0 is structurally extended to support more authentication modes and key exchange modes, with higher service capability such as SFTP.
- The S2300 supports SSH protocol versions 1.3 to 2.0.

----End

9.4.6 (Optional) Configuring the Number of the Port Monitored by the SSH Server
You can configure or change the monitoring port number of the SSH server. After the port number is changed, only the user knows the current port number, which guarantees the security.


Context
Do as follows on the switch that serves as an SSH server:

Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: ssh server port port-number
The port monitored by the SSH server is configured. When a new port number is configured, the SSH server terminates all existing STelnet and SFTP connections and starts listening on the new port. By default, the SSH server listens on port 22.
----End

9.4.7 (Optional) Configuring the Interval for Updating the Key Pair on the SSH Server
You can configure the interval at which the SSH server regenerates its key pair, which limits how long a single key pair stays in use.

Context
Do as follows on the switch that serves as an SSH server:

Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: ssh server rekey-interval interval
The interval for updating the key pair is set. By default, the interval is 0, which means that the key pair is never regenerated.
----End

9.4.8 Checking the Configuration
After configuring the SSH server, you can view the global configuration of the SSH server.

Prerequisite
The configurations of the SSH server are complete.


Procedure
Step 1 Run the display ssh server status command to view the global configuration of the SSH server.
----End

Example
Run the display ssh server status command. The output shows that the SSH version is 1.99 and that the number of authentication retries is 5. A version of 1.99 means the server also accepts SSH1.X clients (see 9.4.5).
display ssh server status
SSH version                        : 1.99
SSH connection timeout             : 60 seconds
SSH server key generating interval : 2 hours
SSH Authentication retries         : 5 times
SFTP server                        : Enable
Stelnet server                     : Enable
Scp server                         : Enable
SSH server port                    : 55535

NOTE
If the monitored port is the default port, the port is not displayed in the output.

9.5 Configuring the STelnet Client Function
This section describes how to configure the STelnet client. A secure connection between the client and server is established through negotiation, after which the client can log in to the server in the same way as with Telnet.

9.5.1 Establishing the Configuration Task
Before configuring an STelnet client, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This helps you complete the configuration task quickly and accurately.

Applicable Environment
STelnet is a secure Telnet protocol. The SSH user can use the STelnet service in the same manner as the Telnet service, with the session encrypted and the server authenticated by its RSA key.

Pre-configuration Tasks
Before connecting the STelnet client to the SSH server, complete the following tasks:
l Generating the local RSA key pair on the SSH server
l Configuring the STelnet user on the SSH server
l Enabling the STelnet service on the SSH server

Data Preparation
To connect the STelnet client to the SSH server, you need the following data:

No.  Data
1    Name of the SSH server
2    Number of the port monitored by the SSH server
3    Preferred encryption algorithm from the STelnet client to the SSH server
4    Preferred encryption algorithm from the SSH server to the STelnet client
5    Preferred HMAC algorithm from the STelnet client to the SSH server
6    Preferred HMAC algorithm from the SSH server to the STelnet client
7    Preferred key exchange algorithm
8    Name of the outgoing interface
9    Source address

9.5.2 Enabling the First-Time Authentication on the SSH Client
After first-time authentication is enabled on the SSH client, the STelnet client does not check the validity of the server's RSA public key when it logs in to the SSH server for the first time.

Context
If first-time authentication is enabled on the SSH client, the STelnet client does not check the validity of the server's RSA public key at the first login. After that login, the client saves the server's RSA public key and uses it to authenticate the server at later logins. This is a trust-on-first-use model: a server impersonated at the first login would be accepted and its key saved, so enable first-time authentication only where the first connection is made over a trusted path. To simplify user operations, it is recommended that you enable first-time authentication on the SSH client. Do as follows on the switch that serves as an SSH client:

Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: ssh client first-time enable
First-time authentication is enabled on the SSH client. By default, first-time authentication is disabled on the SSH client.


NOTE
l The purpose of enabling first-time authentication on the SSH client is to skip the validity check of the SSH server's RSA public key when the STelnet client logs in to the SSH server for the first time. The check is skipped because the STelnet client has not yet saved the RSA public key of the SSH server.
l If first-time authentication is not enabled on the SSH client, the STelnet client fails the RSA public key validity check at its first login and cannot log in to the server.

TIP
To ensure that the STelnet client can log in to the SSH server at the first attempt without skipping the check, assign the server's RSA public key to the SSH server on the SSH client in advance (see 9.5.3) instead of relying on first-time authentication.

----End

9.5.3 (Optional) Assigning an RSA Public Key to the SSH Server
You can assign an RSA public key to the SSH server on the SSH client.

Context
If first-time authentication is disabled on the SSH client, you must assign the server's RSA public key to the SSH server before the STelnet client logs in to it. Do as follows on the switch that serves as an SSH client:

Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: rsa peer-public-key key-name
The public key view is displayed.
Step 3 Run: public-key-code begin
The public key editing view is displayed.
Step 4 Run: hex-data
The public key is entered. The public key must be a string of hexadecimal characters. It is the public half of the key pair generated on the SSH server; run the display rsa local-key-pair public command on the server to view it, and copy it to the client over a trusted channel.
Step 5 Run: public-key-code end

The public key editing view is exited. If the specified hex-data is invalid, the public key cannot be generated after the peer-public-key end command is run. If the specified key-name was deleted in another view, the system prompts that the key does not exist after the peer-public-key end command is run, and the system view is displayed.
Step 6 Run: peer-public-key end

The system view is displayed.
Step 7 Run: ssh client servername assign rsa-key keyname
The RSA public key is assigned to the SSH server.

NOTE
l Before being assigned, the peer RSA public key must be obtained from the SSH server and configured on the SSH client. The STelnet client can then pass the validity check on the RSA public key of the SSH server.
l If the RSA public key stored on the SSH client becomes invalid, run the undo ssh client servername assign rsa-key command to remove the association between the SSH client and the SSH server. Then run the ssh client servername assign rsa-key keyname command to assign a new RSA public key to the SSH server.

----End

9.5.4 Enabling the STelnet Client
You can log in to the SSH server from the SSH client through STelnet.

Context
NOTE
When accessing an SSH server, the STelnet client can carry a source address, choose the key exchange, encryption and HMAC algorithms, and configure the keepalive function. Where a choice is available, prefer aes128 over des or 3des and sha1 over md5; dh_group1 uses a 1024-bit group, so prefer dh_exchange_group when the server supports it.

Do as follows on the switch that serves as an SSH client:

Procedure
Step 1 Run: system-view

The system view is displayed.
Step 2 According to the address type of the SSH server, run one of the following commands:
l For IPv4 addresses, run:
stelnet host-ipv4 [ port ] [ [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]
l For IPv6 addresses, run:
stelnet ipv6 host-ipv6 [ -i interface-type interface-number ] [ port ] [ [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]
You can then log in to the SSH server through STelnet.
----End

9.5.5 Checking the Configuration
After configuring the STelnet client, you can view the key assignment on the client and the resulting session on the server.

Prerequisite
The configuration of the STelnet client function is complete.

Procedure
l Run the display ssh server-info command on the SSH client to check the mapping between each SSH server and its assigned RSA public key.
l Run the display ssh server session command on the SSH server to check the session of the SSH client.
----End

Example
Run the display ssh server session command. The output shows that the client logged in from VTY 3, using the STelnet service with password authentication.
display ssh server session
Session 1:
Conn                : VTY 3
Version             : 2.0
State               : started
Username            : client001
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-sha1-96
STOC Hmac           : hmac-sha1-96
Kex                 : diffie-hellman-group1-sha1
Service Type        : stelnet
Authentication Type : password

9.6 Configuring the SFTP Client Function
This section explains how to configure the SFTP client. Authentication and bidirectional data encryption for the SFTP client can be configured manually, which ensures secure file transfer on the network.

9.6.1 Establishing the Configuration Task
Before configuring the SFTP client, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This helps you complete the configuration task quickly and accurately.


Applicable Environment
SFTP enables users to log in to the device from a secure remote end to manage files, which improves the security of data transfer when the remote end updates its system. The SFTP client function also enables you to log in to a remote device through SFTP for secure file transfer.

Pre-configuration Tasks
Before connecting the SFTP client to the SSH server, complete the following tasks:
l Creating a local RSA key pair on the SSH server
l Configuring an SFTP user on the SSH server
l Enabling the SFTP service on the SSH server

Data Preparation
To connect an SFTP client to an SSH server, you need the following data:

No.  Data
1    Name of the SSH server
2    Number of the port monitored by the SSH server
3    Preferred encryption algorithm from the SFTP client to the SSH server
4    Preferred encryption algorithm from the SSH server to the SFTP client
5    Preferred HMAC algorithm from the SFTP client to the SSH server
6    Preferred HMAC algorithm from the SSH server to the SFTP client
7    Preferred key exchange algorithm
8    Name of the outgoing interface
9    Directory name
10   File name

9.6.2 Configuring the First-Time Authentication on the SSH Client
After first-time authentication is enabled on the SSH client, the SFTP client does not check the validity of the server's RSA public key when it logs in to the SSH server for the first time.

Context
If first-time authentication is enabled on the SSH client, the SFTP client does not check the validity of the server's RSA public key at the first login. After that login, the client saves the server's RSA public key and uses it to authenticate the server at later logins. As with STelnet, this is trust on first use: a server impersonated at the first login would be accepted and its key saved.


To simplify user operations, it is recommended that you enable first-time authentication on the SSH client. Do as follows on the switch that serves as an SSH client:

Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: ssh client first-time enable
First-time authentication is enabled on the SSH client. By default, first-time authentication is disabled on SSH clients.

NOTE
l The purpose of enabling first-time authentication on the SSH client is to skip the validity check of the SSH server's RSA public key when the SFTP client logs in to the SSH server for the first time. The check is skipped because the SFTP client has not yet saved the RSA public key of the SSH server.
l If first-time authentication is not enabled on the SSH client, the SFTP client fails the RSA public key validity check at its first login and cannot log in to the server.

TIP
Instead of enabling first-time authentication on the SSH client, you can assign the server's RSA public key to the SSH server on the SSH client in advance so that the SFTP client logs in successfully at the first attempt with the check still performed.

----End

9.6.3 (Optional) Assigning an RSA Public Key to the SSH Server
You can assign an RSA public key to the SSH server on the SSH client.

Context
If first-time authentication is disabled on the SSH client, you must assign the server's RSA public key to the SSH server before the SFTP client logs in to it. Do as follows on the switch that serves as an SSH client:

Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: rsa peer-public-key key-name
The public key view is displayed.


Step 3 Run: public-key-code begin
The public key editing view is displayed.
Step 4 Run: hex-data
The public key is entered. The public key must be a string of hexadecimal characters. It is the public half of the key pair generated on the SSH server; run the display rsa local-key-pair public command on the server to view it, and copy it to the client over a trusted channel.
Step 5 Run: public-key-code end
The public key editing view is exited. If the specified hex-data is invalid, the public key cannot be generated after the peer-public-key end command is run. If the specified key-name was deleted in another view, the system prompts that the key does not exist after the peer-public-key end command is run, and the system view is displayed.
Step 6 Run: peer-public-key end
The system view is displayed.
Step 7 Run: ssh client servername assign rsa-key keyname
The public key is assigned to the SSH server.

NOTE
l Before being assigned, the peer RSA public key must be obtained from the SSH server and configured on the SSH client. The SFTP client can then pass the validity check on the RSA public key of the SSH server.
l If the RSA public key stored on the SSH client becomes invalid, run the undo ssh client servername assign rsa-key command to remove the association between the SSH client and the SSH server. Then run the ssh client servername assign rsa-key keyname command to assign a new RSA public key to the SSH server.

----End
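The first-time authentication switch (9.5.2 and 9.6.2) and the key assignment (9.5.3 and 9.6.3) are two halves of one host-key policy: with first-time authentication enabled the client accepts whatever key the server presents at the first login and pins it for later logins (trust on first use), and with it disabled the client refuses any server whose key was not assigned beforehand; in both cases a later key mismatch is rejected. The following Python model of that policy is an added example, not code from this guide or from Huawei. The RSA public key is built from constructed numbers in the SSH wire format of RFC 4253 (the switch's own hex-data encoding is not reproduced), and HostKeyPolicy, assign, unassign and check are names chosen for this example.

```python
"""Model of the SSH client host-key policy described in this guide:
'ssh client first-time enable' (trust on first use) versus
'ssh client <servername> assign rsa-key' (key pinned in advance).
Added example; the key material below is constructed, not a real key."""
import base64
import hashlib
import struct
from typing import Dict, Tuple


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint': minimal big-endian bytes, with a leading 0x00 when
    the high bit is set so the number is not read as negative."""
    if value == 0:
        return _ssh_string(b"")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def encode_rsa_public(e: int, n: int) -> bytes:
    """'ssh-rsa' public key blob as exchanged during SSH key exchange (RFC 4253)."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def _read_string(blob: bytes, offset: int) -> Tuple[bytes, int]:
    (length,) = struct.unpack_from(">I", blob, offset)
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated SSH string")
    return blob[start:start + length], start + length


def decode_rsa_public(blob: bytes) -> Tuple[int, int]:
    """Parse an 'ssh-rsa' blob back into (e, n). Rejects other key types and
    trailing bytes; this is the 'validity check' the client performs."""
    key_type, offset = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    e_bytes, offset = _read_string(blob, offset)
    n_bytes, offset = _read_string(blob, offset)
    if offset != len(blob):
        raise ValueError("trailing data after key")
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of the key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class HostKeyPolicy:
    """Decides whether the client may proceed with the key a server presents.

    first_time_enabled mirrors 'ssh client first-time enable'; assign() mirrors
    'ssh client <servername> assign rsa-key <keyname>'. Names are this example's.
    """

    def __init__(self, first_time_enabled: bool = False) -> None:
        self.first_time_enabled = first_time_enabled
        self.pinned: Dict[str, str] = {}  # servername -> fingerprint

    def assign(self, servername: str, blob: bytes) -> None:
        decode_rsa_public(blob)  # refuse to pin a malformed key
        self.pinned[servername] = fingerprint(blob)

    def unassign(self, servername: str) -> None:
        """Mirror of 'undo ssh client <servername> assign rsa-key'."""
        self.pinned.pop(servername, None)

    def check(self, servername: str, presented: bytes) -> Tuple[bool, str]:
        """Return (accept, reason) for the key the server presented."""
        decode_rsa_public(presented)
        fp = fingerprint(presented)
        expected = self.pinned.get(servername)
        if expected is None:
            if not self.first_time_enabled:
                return False, "no key assigned and first-time authentication disabled"
            # Trust on first use: the key is saved without being verified, so an
            # attacker in the path at this login would be pinned instead.
            self.pinned[servername] = fp
            return True, "first login, key saved unverified: " + fp
        if expected != fp:
            return False, "server key changed: expected %s, got %s" % (expected, fp)
        return True, "server key matches pinned key"


if __name__ == "__main__":
    # Constructed values: a plausible-looking modulus, not a generated RSA key.
    server_key = encode_rsa_public(65537, (1 << 1023) | 0x2A)
    print(HostKeyPolicy(first_time_enabled=True).check("sshserver", server_key))
    print(HostKeyPolicy().check("sshserver", server_key))
```

The pinned fingerprint plays the role of the key stored with rsa peer-public-key on the switch; comparing a fingerprint obtained from display rsa local-key-pair public on the server over a trusted channel is what turns first-time authentication from a convenience into a verified trust decision.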

9.6.4 Enabling the SFTP Client
You can log in to the SSH server from the SSH client through SFTP.

Context
NOTE
The command for enabling the SFTP client is similar to that for STelnet. When accessing the SSH server, the SFTP client can carry a source address, choose the key exchange, encryption and HMAC algorithms, and configure the keepalive function.

Do as follows on the switch that serves as an SSH client.


Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 According to the address type of the SSH server, run one of the following commands:
l For IPv4 addresses, run:
sftp [ -a source-address ] host-ipv4 [ port ] [ [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]
l For IPv6 addresses, run:
sftp ipv6 [ -a source-address ] host-ipv6 [ -i interface-type interface-number ] [ port ] [ [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]
You can then log in to the SSH server through SFTP.
----End

9.6.5 (Optional) Managing the Directory
On the SFTP client, you can log in to the SSH server to create or delete directories on the SSH server.

Context
NOTE
After the SFTP client logs in to the SSH server, it can create or delete directories on the SSH server, display the current working directory, and list a specified directory and its files.

Do as follows on the switch that serves as an SSH client:

Procedure
Step 1 Run: system-view

The system view is displayed.
Step 2 According to the address type of the SSH server, run one of the following commands:
l For IPv4 addresses, run:
sftp [ -a source-address ] host-ipv4 [ port ] [ [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]

l For IPv6 addresses, run:
sftp ipv6 [ -a source-address ] host-ipv6 [ -i interface-type interface-number ] [ port ] [ [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]
You can then log in to the SSH server through SFTP.
Step 3 Perform the following as required:
l Run: cd [ remote-directory ]
The current working directory is changed.
l Run: cdup
The working directory is switched to the parent directory.
l Run: pwd
The current working directory is displayed.
l Run: dir [ remote-directory ] or ls [ remote-directory ]
The file list of the specified directory is displayed.
l Run: rmdir remote-directory
The directory on the server is deleted.
l Run: mkdir remote-directory
A directory is created on the server.
----End

9.6.6 (Optional) Managing the File
On the SFTP client, you can view specified remote directories or files on the SFTP server, or delete specified files on the SFTP server.

Context
NOTE
After the SFTP client logs in to the SSH server, it can rename files, delete files, display the file list, and upload and download files on the SFTP server.

Do as follows on the switch that serves as an SSH client.

Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 According to the address type of the SSH server, run one of the following commands:
l For IPv4 addresses, run:
sftp [ -a source-address ] host-ipv4 [ port ] [ [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]
l For IPv6 addresses, run:
sftp ipv6 [ -a source-address ] host-ipv6 [ -i interface-type interface-number ] [ port ] [ [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]
You can then log in to the SSH server through SFTP.

Step 3 Perform the following as required:
l Run: rename old-name new-name
The specified file on the server is renamed.
l Run: get remote-filename [ local-filename ]
The file on the remote server is downloaded.
l Run: put local-filename [ remote-filename ]
The local file is uploaded to the remote server.
l Run: remove remote-filename
The file on the server is deleted.
----End

9.6.7 (Optional) Displaying the SFTP Client Command Help
You can view the SFTP client command help.

Context
Do as follows on the switch that serves as an SSH client:

Procedure
Step 1 Run: system-view


The system view is displayed.
Step 2 According to the address type of the SSH server, run one of the following commands:
l For IPv4 addresses, run:
sftp [ -a source-address ] host-ipv4 [ port ] [ [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]
l For IPv6 addresses, run:
sftp ipv6 [ -a source-address ] host-ipv6 [ -i interface-type interface-number ] [ port ] [ [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 } ] | [ prefer_stoc_cipher { des | 3des | aes128 } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]
You can then log in to the SSH server through SFTP.
Step 3 Run: help [ all | command-name ]
The SFTP client command help is displayed.
----End

9.6.8 Checking the Configuration
After configuring the SFTP client, you can view the key assignment on the client and the resulting session on the server.

Prerequisite
The configuration of the SFTP client function is complete.

Procedure
l Run the display ssh server-info command on the SSH client to check the mapping between each SSH server and its assigned RSA public key.
l Run the display ssh server session command on the SSH server to check the session of the SSH client.
----End

Example
Run the display ssh server session command. The output shows that the client logged in from VTY 4, using the SFTP service with RSA authentication.
[Quidway] display ssh server session
Session 2:
Conn                : VTY 4
Version             : 2.0
State               : started
Username            : client002
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-sha1-96
STOC Hmac           : hmac-sha1-96
Kex                 : diffie-hellman-group1-sha1
Service Type        : sftp
Authentication Type : rsa
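The outputs of display ssh server status (9.4.8) and display ssh server session (9.5.5 and 9.6.8) are where the settings chosen in this chapter become visible: a version of 1.99 means SSH1.X compatibility is still on, a key generating interval of 0 means the server key pair is never rotated, and the per-session lines show which of des, 3des, md5 and dh_group1 were actually negotiated. The following Python audit is an added example, not code from this guide or from Huawei. It parses both outputs from constructed samples in the format shown above (the status sample is altered to a zero interval, and Session 2 is constructed with weak algorithms and an old protocol version) and reports findings; the weak-algorithm lists and function names are this example's own choices.

```python
"""Audit the output of 'display ssh server status' and 'display ssh server
session' on an S2300 for settings a reviewer would flag. Added example; the
sample outputs below are constructed to match the format in this guide and
the weak-algorithm lists are the author's own choices."""
import re
from typing import Dict, List

# Algorithm names as they appear in 'display ssh server session'.
WEAK_CIPHERS = {"des-cbc", "3des-cbc"}      # 56-bit DES; 64-bit-block 3DES
WEAK_MACS = {"hmac-md5", "hmac-md5-96"}
WEAK_KEX = {"diffie-hellman-group1-sha1"}  # 1024-bit MODP group

STATUS_SAMPLE = """\
SSH version                        : 1.99
SSH connection timeout             : 60 seconds
SSH server key generating interval : 0 hours
SSH Authentication retries         : 5 times
SFTP server                        : Enable
Stelnet server                     : Enable
Scp server                         : Enable
"""

SESSION_SAMPLE = """\
Session 1:
Conn                : VTY 3
Version             : 2.0
State               : started
Username            : client001
Retry               : 1
CTOS Cipher         : aes128-cbc
STOC Cipher         : aes128-cbc
CTOS Hmac           : hmac-sha1-96
STOC Hmac           : hmac-sha1-96
Kex                 : diffie-hellman-group1-sha1
Service Type        : stelnet
Authentication Type : password
Session 2:
Conn                : VTY 4
Version             : 1.5
State               : started
Username            : client002
Retry               : 1
CTOS Cipher         : des-cbc
STOC Cipher         : 3des-cbc
CTOS Hmac           : hmac-md5
STOC Hmac           : hmac-md5-96
Kex                 : diffie-hellman-group1-sha1
Service Type        : sftp
Authentication Type : password
"""


def parse_kv(text: str) -> Dict[str, str]:
    """Parse 'Key : Value' lines into a dict; keys and values are stripped."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            out[key.strip()] = value.strip()
    return out


def parse_sessions(text: str) -> List[Dict[str, str]]:
    """Split 'display ssh server session' output into one dict per session."""
    blocks = re.split(r"^Session \d+:\s*$", text, flags=re.M)
    parsed = (parse_kv(block) for block in blocks)
    return [session for session in parsed if "Conn" in session]


def audit_status(status: Dict[str, str]) -> List[str]:
    """Findings from the global SSH server status."""
    findings: List[str] = []
    version = status.get("SSH version", "")
    if version.startswith("1."):
        findings.append(f"version {version}: SSH1.X clients accepted "
                        "(undo ssh server compatible-ssh1x enable)")
    interval = status.get("SSH server key generating interval", "")
    match = re.match(r"\s*(\d+)", interval)
    if match is None or int(match.group(1)) == 0:
        findings.append("server key pair is never regenerated "
                        "(ssh server rekey-interval)")
    return findings


def audit_session(session: Dict[str, str]) -> List[str]:
    """Findings for the algorithms one session actually negotiated."""
    findings: List[str] = []
    if not session.get("Version", "").startswith("2."):
        findings.append(f"protocol version {session.get('Version', '?')}")
    for key in ("CTOS Cipher", "STOC Cipher"):
        if session.get(key) in WEAK_CIPHERS:
            findings.append(f"{key} {session[key]}")
    for key in ("CTOS Hmac", "STOC Hmac"):
        if session.get(key) in WEAK_MACS:
            findings.append(f"{key} {session[key]}")
    if session.get("Kex") in WEAK_KEX:
        findings.append(f"Kex {session['Kex']}")
    return findings


def audit_all(status_text: str, session_text: str) -> Dict[str, List[str]]:
    """Audit both outputs; keys are 'server' and one entry per session."""
    report = {"server": audit_status(parse_kv(status_text))}
    for i, session in enumerate(parse_sessions(session_text), start=1):
        label = f"session {i} ({session.get('Username', '?')})"
        report[label] = audit_session(session)
    return report


if __name__ == "__main__":
    for scope, findings in audit_all(STATUS_SAMPLE, SESSION_SAMPLE).items():
        print(scope, findings or ["no findings"])
```

Session 1 above, which matches the guide's own example, is flagged only for its 1024-bit key exchange group; Session 2 shows what a client that forced des, md5 and an SSH1.X version would look like to the server.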

9.7 Configuring the SCP Client
This section describes how to configure the SCP client. The SCP client sets up a secure connection with the SCP server so that the client can upload files to the server or download files from the server.

9.7.1 Establishing the Configuration Task
Before configuring the SCP client, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This helps you complete the configuration task quickly and accurately.

Applicable Environment
SCP is a secure file transfer method based on SSH2.0. Unlike SFTP, SCP does not require the client to open an interactive session or to assign the server's public key before a transfer: each upload or download is a single command, and the SSH user is still authenticated by the SCP server. SCP also supports uploading or downloading files in batches.

Pre-configuration Tasks
Before configuring the SCP client, complete the following tasks:
l Generating a local RSA key pair on the SCP server
l Configuring SCP users on the SCP server
l Enabling SCP services on the SCP server

Data Preparation
To configure the SCP client, you need the following data:

No.  Data
1    (Optional) Source IPv4 or IPv6 address and source interface of the local switch
2    Port number of the remote SCP server, encryption algorithm for uploading or downloading files, source files to be uploaded or downloaded, and destination files to be uploaded or downloaded

9.7.2 (Optional) Configuring a Source IP Address for the SCP Client
Configuring a source IP address for the SCP client, and using that address for every SCP connection between the client and server, makes the client's connections predictable so that the server side can restrict them to that address.


Context
Do as follows on the switch functioning as the SCP client:

Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: scp client-source { -a source-ip-address | -i interface-type interface-number }
A source IP address or source interface is configured for the SCP client. At present, the source interface must be a loopback interface. A loopback interface is recommended because its address stays reachable regardless of which physical interface is up, so server-side filtering can be tied to a single stable address.
----End

9.7.3 Copying Files
You can use SCP to upload files from the client to the server or download files from the server to the client.

Context
NOTE
When logging in to the SCP server, the SCP client can carry a source IP address and select an encryption algorithm. Of the available ciphers, prefer aes128; des and 3des are weak.

Do as follows on the switch functioning as the SCP client:

Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Upload files from the SCP client to the remote SCP server, or download files from the remote SCP server to the SCP client:
l For IPv4 addresses:
scp [ -port port-number | -a source-address | -i interface-type interface-number | -r | -cipher { des | 3des | aes128 } | -c ] * sourcefile destinationfile
l For IPv6 addresses:
scp ipv6 [ -port port-number | -a source-ipv6-address | -r | -cipher { des | 3des | aes128 } | -c ] * sourcefile destinationfile [ -i interface-type interface-number ]
----End


9.7.4 Checking the Configuration
After the SCP client is configured, you can view the configuration of the SCP connection.

Prerequisite
The configurations of the SCP client are complete.

Procedure
l Run the display scp-client command to view the source IP address or source interface of the SCP client.
----End

Example
Run the display scp-client command to view the source IP address of the SCP client.
display scp-client
The source of SCP ipv4 client: 1.1.1.1
The source of SCP ipv6 client: --

9.8 Configuration Examples
This section provides configuration examples for Telnet and SSH along with a configuration flowchart. Each example covers the networking requirements, configuration notes, and configuration roadmap.

9.8.1 Example for Configuring the Telnet Terminal Service
In this example, the authentication mode and password are configured for users to log in to the switch through Telnet. Telnet carries the login password and the session in clear text; use it only on a trusted management network and prefer STelnet (9.8.2) elsewhere.

Networking Requirements
As shown in Figure 9-3, after logging in to Switch A, the user logs in to Switch B through Telnet on the default port 23.
Figure 9-3 Networking diagram of the remote login of the Ethernet user

PC -- SwitchA (10.10.10.8/24) -- SwitchB (10.10.10.9/24)

Switch    Interface        VLANIF interface   IP address
SwitchA   Ethernet0/0/1    VLANIF 2           10.10.10.8/24
SwitchB   Ethernet0/0/1    VLANIF 2           10.10.10.9/24


Configuration Roadmap
The configuration roadmap is as follows:
1. Assign IP addresses to Switch A and Switch B.
2. Configure an authentication mode and password on Switch B.
3. Log in to Switch B from Switch A.

Data Preparation
To complete the configuration, you need the following data:
l ID of the VLAN
l IP address and number of the interface on Switch A, which functions as the Telnet client
l IP address and number of the interface on Switch B, which functions as the Telnet server
l Authentication mode and password for a user to log in to Switch B through Telnet

Procedure
Step 1 Assign IP addresses.
# Assign an IP address to Switch A, which functions as the Telnet client.
system-view
[SwitchA] vlan 2
[SwitchA-vlan2] quit
[SwitchA] interface ethernet 0/0/1
[SwitchA-Ethernet0/0/1] port hybrid pvid vlan 2
[SwitchA-Ethernet0/0/1] port hybrid untagged vlan 2
[SwitchA-Ethernet0/0/1] quit
[SwitchA] interface vlanif 2
[SwitchA-Vlanif2] ip address 10.10.10.8 255.255.255.0
[SwitchA-Vlanif2] quit
[SwitchA]

# Assign an IP address to Switch B, which functions as the Telnet server.
system-view
[SwitchB] vlan 2
[SwitchB-vlan2] quit
[SwitchB] interface ethernet 0/0/1
[SwitchB-Ethernet0/0/1] port hybrid pvid vlan 2
[SwitchB-Ethernet0/0/1] port hybrid untagged vlan 2
[SwitchB-Ethernet0/0/1] quit
[SwitchB] interface vlanif 2
[SwitchB-Vlanif2] ip address 10.10.10.9 255.255.255.0
[SwitchB-Vlanif2] quit
[SwitchB]

Step 2 Configure the authentication mode and password on Switch B.
[SwitchB] user-interface vty 0 4
[SwitchB-ui-vty0-4] authentication-mode password
[SwitchB-ui-vty0-4] set authentication password simple 123456
[SwitchB-ui-vty0-4] quit
[SwitchB]

Step 3 Verify the configuration.
# Log in to Switch B from Switch A through Telnet.

Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.

149

Quidway S2300 Series Ethernet Switches Configuration Guide - Basic Configuration

9 Telnet and SSH

telnet 10.10.10.9 Trying 10.10.10.9 ... Press CTRL+K to abort Connected to 10.10.10.9 ... Login authentication Password: info: The max number of VTY users is 20, and the current number of VTY users on line is 1.

----End

Configuration Files

- Configuration file of Switch A
  #
   sysname SwitchA
  #
  vlan batch 2
  #
  interface Vlanif2
   ip address 10.10.10.8 255.255.255.0
  #
  interface Ethernet0/0/1
   port hybrid pvid vlan 2
   port hybrid untagged vlan 2
  #
  return

- Configuration file of Switch B
  #
   sysname SwitchB
  #
  vlan batch 2
  #
  interface Vlanif2
   ip address 10.10.10.9 255.255.255.0
  #
  interface Ethernet0/0/1
   port hybrid pvid vlan 2
   port hybrid untagged vlan 2
  #
  user-interface vty 0 4
   set authentication password simple 123456
  #
  return
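The Switch B file above is the minimal Telnet setup: one shared line password stored with "simple", and a VTY that accepts Telnet because no "protocol inbound ssh" line restricts it. The following Python script is an added example, not part of the Huawei guide, that parses a saved VRP configuration into its "#"-delimited blocks and reports those conditions. The Switch B text is taken from the file above; the hardened counterpart it also checks is constructed, modelled on the SSH server configuration files later in this chapter ("authentication-mode aaa", "protocol inbound ssh", and the NOTE that configuring SSH as the login protocol disables Telnet); the cipher-text value in it is a placeholder.

```python
"""Audit a VRP-style configuration file for weak management-plane settings.

Added example (not from the Huawei guide): it splits the '#'-separated blocks
of a saved configuration and flags the settings that leave a VTY reachable
over cleartext Telnet or protected only by a shared plaintext password.
"""
import re

# Taken from the Switch B configuration file shown in the Telnet example.
SWITCH_B_CONFIG = """\
#
 sysname SwitchB
#
vlan batch 2
#
interface Vlanif2
 ip address 10.10.10.9 255.255.255.0
#
interface Ethernet0/0/1
 port hybrid pvid vlan 2
 port hybrid untagged vlan 2
#
user-interface vty 0 4
 set authentication password simple 123456
#
return
"""

# Constructed hardened counterpart, modelled on the SSH server configuration
# files later in the chapter (per-user AAA accounts, SSH-only VTYs).
HARDENED_CONFIG = """\
#
 sysname SwitchB
#
aaa
 local-user client001 password cipher %PLACEHOLDER-CIPHER-TEXT%
 local-user client001 service-type ssh
#
stelnet server enable
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return
"""


def split_blocks(config_text):
    """Split a VRP configuration into its '#'-delimited blocks (lists of stripped lines)."""
    blocks, current = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                blocks.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        blocks.append(current)
    return blocks


def audit_vty_blocks(config_text):
    """Return (vty_range, code, message) findings for every 'user-interface vty' block.

    TELNET_ALLOWED   - no 'protocol inbound ssh', so the VTY still accepts cleartext Telnet
    SHARED_PASSWORD  - a line password instead of per-user AAA accounts (no accountability)
    PLAINTEXT_SECRET - the password is stored with 'simple' and is readable in the file
    """
    findings = []
    for block in split_blocks(config_text):
        head = block[0]
        if not re.match(r"user-interface vty \d+( \d+)?$", head):
            continue
        vty = head[len("user-interface "):]
        body = block[1:]
        if "protocol inbound ssh" not in body:
            findings.append((vty, "TELNET_ALLOWED", "VTY accepts Telnet; set 'protocol inbound ssh'"))
        if "authentication-mode aaa" not in body:
            findings.append((vty, "SHARED_PASSWORD", "no per-user AAA; set 'authentication-mode aaa'"))
        for line in body:
            if line.startswith("set authentication password simple"):
                findings.append((vty, "PLAINTEXT_SECRET", "password stored in plain text: " + line))
    return findings


if __name__ == "__main__":
    for name, text in (("SwitchB", SWITCH_B_CONFIG), ("hardened", HARDENED_CONFIG)):
        for vty, code, message in audit_vty_blocks(text) or [("-", "OK", "no findings")]:
            print(f"{name}: {vty}: {code}: {message}")
```

The audit works on the saved file rather than on the interactive commands, so it also catches the case in Step 2 where "authentication-mode password" is the default and never appears in the file: the absence of "authentication-mode aaa" is what it keys on.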

9.8.2 Example for Configuring the PC as the STelnet Client to Connect to the SSH Server

This part provides an example for configuring the PC as the STelnet client to connect to the SSH server. In this example, after generating the local key pair on the SSH server, configuring the name and password of the SSH user on the SSH server, and enabling the STelnet service on the SSH server, you can connect the STelnet client to the SSH server.

Networking Requirements

As shown in Figure 9-4, after the STelnet service is enabled on the SSH server, the STelnet client can log in to the SSH server with the password, RSA, password-rsa, or all authentication mode. Configure Client001 with the password huawei and use password authentication. The IP address of the SSH server is 192.168.1.1. The user interface supports only SSH.

Figure 9-4 Networking diagram of configuring the PC as the STelnet client to connect to the SSH server
[Figure: SSH Client (PC) connected over an IP network to the SSH Server]

Configuration Roadmap

The configuration roadmap is as follows:
1. Configure Client001 on the SSH server.
2. Enable the STelnet service on the SSH server.
3. Configure password authentication as the default authentication mode on the SSH server.

Data Preparation

To complete the configuration, you need the following data:
- Name and authentication mode of the SSH user
- Password of the SSH user
- Name of the SSH server

Procedure

Step 1 Generate a local key pair on the server.
  system-view
  [Quidway] sysname SSH Server
  [SSH Server] rsa local-key-pair create
  The key name will be: Quidway_Host
  The range of public key size is (512 ~ 2048).
  NOTES: If the key modulus is greater than 512,
  It will take a few minutes.
  Input the bits in the modulus[default = 512]: 768
  Generating keys...
  .......++++++++++++
  ..........++++++++++++
  ...................................++++++++
  ......++++++++

Step 2 Configure the VTY user interface.
  [SSH Server] user-interface vty 0 4
  [SSH Server-ui-vty0-4] authentication-mode aaa
  [SSH Server-ui-vty0-4] protocol inbound ssh
  [SSH Server-ui-vty0-4] quit

NOTE
If SSH is configured as the login protocol, the S2300 automatically disables Telnet.

Step 3 Configure the password of the SSH user Client001 to huawei.
  [SSH Server] aaa
  [SSH Server-aaa] local-user client001 password cipher huawei
  [SSH Server-aaa] local-user client001 privilege level 3
  [SSH Server-aaa] local-user client001 service-type ssh
  [SSH Server-aaa] quit

Step 4 Enable the STelnet service on the SSH server.
  [SSH Server] stelnet server enable
  [SSH Server] ssh authentication-type default password

Step 5 Verify the configuration.
# Log in to the device by using the PuTTY software, specifying 192.168.1.1 as the IP address of the device and SSH as the login protocol.

# Log in to the device by using the PuTTY software, entering the user name client001 and the password huawei.


----End

Configuration Files

- Configuration file of the SSH server
  #
   sysname SSH Server
  #
  aaa
   local-user client001 password cipher N`C55QK

Step 9 Verify the configuration.
After the configuration, run the display ssh server status and display ssh server session commands on the SSH server. You can see that the SFTP service is enabled and that the SFTP client logs in to the server successfully.
# Check the status of the SSH server.
  [Quidway] display ssh server status
  SSH version                        :1.99
  SSH connection timeout             :60 seconds
  SSH server key generating interval :0 hours
  SSH Authentication retries         :3 times
  SFTP server                        :Enable
  Stelnet server                     :Disable
  Scp server                         :Disable

# Check the connection of the SSH server.
  [Quidway] display ssh server session
  Session 1:
    Conn: VTY 3
    Version: 2.0
    State: started
    Username: client001
    Retry: 1
    CTOS Cipher: aes128-cbc
    STOC Cipher: aes128-cbc
    CTOS Hmac: hmac-sha1-96
    STOC Hmac: hmac-sha1-96
    Kex: diffie-hellman-group1-sha1
    Service Type: sftp
    Authentication Type: password
  Session 2:
    Conn: VTY 4
    Version: 2.0
    State: started
    Username: client002
    Retry: 1
    CTOS Cipher: aes128-cbc
    STOC Cipher: aes128-cbc
    CTOS Hmac: hmac-sha1-96
    STOC Hmac: hmac-sha1-96
    Kex: diffie-hellman-group1-sha1
    Service Type: sftp
    Authentication Type: rsa

# Check information about the SSH user.
  [Quidway] display ssh user-information
  User 1:
    User Name: client001
    Authentication-type: password
    User-public-key-name:
    Sftp-directory: flash:
    Service-type: sftp
    Authorization-cmd: No
  User 2:
    User Name: client002
    Authentication-type: rsa
    User-public-key-name: RsaKey001
    Sftp-directory: flash:
    Service-type: sftp
    Authorization-cmd: No

----End

Configuration Files

- Configuration file of the Quidway, the SSH server
  #
   sysname Quidway
  #
  vlan batch 10
  #
  interface Vlanif10
   ip address 10.164.39.222 255.255.255.0
  #
  rsa peer-public-key rsakey001
   public-key-code begin
    3047
    0240
    C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D
    0163FD4A FAC39A6E 0F45F325 A4E3AA1D 54692B04
    C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9
    E917182B
    0203
    010001
   public-key-code end
  peer-public-key end
  #
  aaa
   local-user client001 password simple huawei
   local-user client001 service-type ssh
  #
  sftp server enable
  ssh user client001
  ssh user client002
  ssh user client001 authentication-type password
  ssh user client002 authentication-type rsa
  ssh user client002 assign rsa-key RsaKey001
  ssh user client001 service-type sftp
  ssh user client002 service-type sftp
  ssh user client001 sftp-directory flash:/
  ssh user client002 sftp-directory flash:/
  #
  interface Ethernet0/0/1
   port hybrid pvid vlan 10
   port hybrid untagged vlan 10
  #
  user-interface vty 0 4
   authentication-mode aaa
   protocol inbound ssh
  #
  return

- Configuration file of Client001, the SSH client
  #
   sysname client001
  #
  vlan batch 10
  #
  interface Vlanif10
   ip address 10.164.39.220 255.255.255.0
  #
  ssh client first-time enable
  #
  interface Ethernet0/0/1
   port hybrid pvid vlan 10
   port hybrid untagged vlan 10
  #
  return

- Configuration file of Client002, the SSH client
  #
   sysname client002
  #
  vlan batch 10
  #
  interface Vlanif10
   ip address 10.164.39.221 255.255.255.0
  #
  ssh client first-time enable
  #
  interface Ethernet0/0/1
   port hybrid pvid vlan 10
   port hybrid untagged vlan 10
  #
  return

9.8.5 Example for Configuring the SSH Server to Support the Access from Another Port

In this example, the listening port number of the SSH server is set to a port number other than the standard listening port number so that only valid users can set up connections with the SSH server.

Networking Requirements

The standard listening port is numbered 22, as defined in the SSH protocol. If attackers access the standard port continuously, the bandwidth is consumed and the performance of the server is degraded. As a result, other valid users cannot access the port. If the listening port on the SSH server is changed to a non-default one, attackers will not be aware of this change and will continue to send socket connection requests to port 22. In this case, the SSH server detects that port 22 is not its listening port and denies the request for establishing the socket connection. Therefore, only valid users can use the specified listening port to set up a socket connection through the following procedures:
- Negotiating the version of the SSH protocol
- Negotiating the algorithm
- Generating the session key
- Authenticating
- Sending a request for a session
- Performing the interactive session

Figure 9-7 Networking diagram for configuring the SSH server to support the access from another port
[Figure: SSH Server (10.164.39.222/24) connected through the Switch to Client001 (10.164.39.220/24) and Client002 (10.164.39.221/24)]

  Device      Interface      VLANIF interface   IP address
  SSH server  Ethernet0/0/1  VLANIF 10          10.164.39.222/24
  Client001   Ethernet0/0/1  VLANIF 10          10.164.39.220/24
  Client002   Ethernet0/0/1  VLANIF 10          10.164.39.221/24

Configuration Roadmap

The configuration roadmap is as follows:
1. Create a VLAN that each interface belongs to and assign an IP address to each VLANIF interface.
2. Configure Client001 and Client002 on the SSH server.
3. Create a local key pair on the SFTP client and SSH server separately.
4. Generate an RSA public key on the SSH server and bind the RSA public key of the SSH client to Client002.
5. Enable the STelnet and SFTP services on the SSH server.
6. Configure the type of the service and authenticated directory for the SSH user.
7. Set the listening port number on the SSH server.
8. Client001 and Client002 log in to the SSH server through STelnet and SFTP separately.

Data Preparation

To complete the configuration, you need the following data:
- IP addresses of the FTP server and client, as shown in Figure 9-7
- SSH user name and authentication mode
- Password or RSA public key of the SSH user
- Server name
- Listening port number on the SSH server

Procedure

Step 1 Create a VLAN that each interface belongs to and assign an IP address to each VLANIF interface.
Create VLAN 10 on the Switch that functions as the server and assign IP address 10.164.39.222/24 to VLANIF 10.
  system-view
  [Quidway] vlan 10
  [Quidway-vlan10] quit
  [Quidway] interface ethernet 0/0/1
  [Quidway-Ethernet0/0/1] port hybrid pvid vlan 10
  [Quidway-Ethernet0/0/1] port hybrid untagged vlan 10
  [Quidway-Ethernet0/0/1] quit
  [Quidway] interface vlanif 10
  [Quidway-Vlanif10] ip address 10.164.39.222 24

Assigning an IP address to the Switch that functions as Client001 or Client002 is the same as assigning an IP address to VLANIF 10, and is not described here.

Step 2 Generate a local key pair on the SSH server.
  system-view
  [Quidway] rsa local-key-pair create
  The key name will be: Quidway_Host
  The range of public key size is (512 ~ 2048).
  NOTES: If the key modulus is greater than 512,
  It will take a few minutes.
  Input the bits in the modulus[default = 512]:
  Generating keys...
  ...........++++++++++++
  ..................++++++++++++
  ...++++++++
  ...........++++++++

Step 3 Configure the RSA public key on the server.
# Create a local key pair on the client.
  system-view
  [Quidway] sysname client002
  [client002] rsa local-key-pair create

# Check the RSA public key generated on the client.
  [client002] display rsa local-key-pair public
  =====================================================
  Time of Key pair created: 16:38:51 2007/5/25
  Key name: client002_Host
  Key type: RSA encryption Key
  =====================================================
  Key code:
  3047
  0240
  BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
  203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
  EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
  1D7E3E1B
  0203
  010001
  Host public key for PEM format code:
  ---- BEGIN SSH2 PUBLIC KEY ----
  AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7
  yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
  ---- END SSH2 PUBLIC KEY ----
  Public key code for pasting into OpenSSH authorized_keys file :
  ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key
  =====================================================
  Time of Key pair created: 16:38:51 2007/5/25
  Key name: client002_Server
  Key type: RSA encryption Key
  =====================================================
  Key code:
  3067
  0260
  BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
  D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
  9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
  1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
  BC89D3DB 5A83698C 9063DB39 A279DD89
  0203
  010001
  [client002]

# Send the RSA public key generated on the client to the server.
  [Quidway] rsa peer-public-key RsaKey001
  Enter "RSA public key" view, return system view with "peer-public-key end".
  [Quidway-rsa-public-key] public-key-code begin
  Enter "RSA key code" view, return last view with "public-key-code end".
  [Quidway-rsa-key-code] 3047
  [Quidway-rsa-key-code] 0240
  [Quidway-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
  [Quidway-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
  [Quidway-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
  [Quidway-rsa-key-code] 1D7E3E1B
  [Quidway-rsa-key-code] 0203
  [Quidway-rsa-key-code] 010001
  [Quidway-rsa-key-code] public-key-code end
  [Quidway-rsa-public-key] peer-public-key end

Step 4 Create an SSH user on the server.

NOTE
SSH users can be authenticated in four modes: password, RSA, password-rsa, and all.
- Before configuring the authentication mode of password or password-rsa, you must configure a local user.
- Before configuring the authentication mode of RSA, password-rsa, or all, you must copy the RSA public key of the SSH client to the server.


# Configure a VTY user interface.
  [Quidway] user-interface vty 0 4
  [Quidway-ui-vty0-4] authentication-mode aaa
  [Quidway-ui-vty0-4] protocol inbound ssh
  [Quidway-ui-vty0-4] quit

# Create an SSH user named Client001, and configure the authentication mode as password for the user.
  [Quidway] ssh user client001
  [Quidway] ssh user client001 authentication-type password

# Set the password of Client001 to huawei.
  [Quidway] aaa
  [Quidway-aaa] local-user client001 password simple huawei
  [Quidway-aaa] local-user client001 service-type ssh
  [Quidway-aaa] quit

# Set the type of service of Client001 to STelnet.
  [Quidway] ssh user client001 service-type stelnet

# Create an SSH user named Client002, and configure the authentication mode as RSA for the user. Bind the RSA public key of the SSH client to Client002.
  [Quidway] ssh user client002
  [Quidway] ssh user client002 authentication-type rsa
  [Quidway] ssh user client002 assign rsa-key RsaKey001

# Set the type of service of Client002 to SFTP and the authorized directory as flash:/.
  [Quidway] ssh user client002 service-type sftp
  [Quidway] ssh user client002 sftp-directory flash:/

Step 5 Enable the STelnet and SFTP services on the SSH server.
  [Quidway] stelnet server enable
  [Quidway] sftp server enable

Step 6 Configure the new listening port number on the SSH server.
  [Quidway] ssh server port 1025

Step 7 Connect the SSH client and the SSH server.
# You must enable the initial authentication on the SSH client for the first login.
  [client001] ssh client first-time enable
  [client002] ssh client first-time enable

# The STelnet client logs in to the SSH server by using the new listening port.
  [client001] stelnet 10.164.39.222 1025
  Please input the username:client001
  Trying 10.164.39.222 ...
  Press CTRL+K to abort
  Connected to 10.164.39.222 ...
  The server is not authenticated. Do you continue to access it?(Y/N):y
  Do you want to save the server's public key?(Y/N):y
  The server's public key will be saved with the name: 10.164.39.222. Please wait...
  Enter password:

Enter the password huawei, and information indicating that the login succeeds is displayed as follows:
  info: The max number of VTY users is 20, and the current number of VTY users on line is 1.


# The SFTP client logs in to the SSH server by using the new listening port.
  [client002] sftp 10.164.39.222 1025
  Please input the username:client002
  Trying 10.164.39.222 ...
  Press CTRL+K to abort
  The server's public key does not match the one we cached.
  The server is not authenticated. Do you continue to access it?(Y/N):y
  Do you want to update the server's public key we cached?(Y/N):y
  sftp-client>

Step 8 Verify the configuration.
Attackers fail to log in to the SSH server by using port 22.
  [client002] sftp 10.164.39.222
  Please input the username:client002
  Trying 10.164.39.222 ...
  Press CTRL+K to abort
  Can't establish tcp connection to server

After the configuration, run the display ssh server status and display ssh server session commands on the SSH server. You can check the current listening port number on the SSH server, and that the STelnet or SFTP client logs in to the server successfully.
# Check the status of the SSH server.
  [Quidway] display ssh server status
  SSH version                        :1.99
  SSH connection timeout             :60 seconds
  SSH server key generating interval :0 hours
  SSH Authentication retries         :3 times
  SFTP server                        :Enable
  Stelnet server                     :Enable
  Scp server                         :Disable
  SSH server port                    :1025

# Check the connection of the SSH server.
  [Quidway] display ssh server session
  Session 1:
    Conn: VTY 3
    Version: 2.0
    State: started
    Username: client001
    Retry: 1
    CTOS Cipher: aes128-cbc
    STOC Cipher: aes128-cbc
    CTOS Hmac: hmac-sha1-96
    STOC Hmac: hmac-sha1-96
    Kex: diffie-hellman-group1-sha1
    Service Type: stelnet
    Authentication Type: password
  Session 2:
    Conn: VTY 4
    Version: 2.0
    State: started
    Username: client002
    Retry: 1
    CTOS Cipher: aes128-cbc
    STOC Cipher: aes128-cbc
    CTOS Hmac: hmac-sha1-96
    STOC Hmac: hmac-sha1-96
    Kex: diffie-hellman-group1-sha1
    Service Type: sftp
    Authentication Type: rsa

----End
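The Step 8 output is also where an operator sees what the server is actually exposing: which services are enabled, whether the listener really moved off port 22, and which algorithms each session negotiated. The following Python script is an added example, not part of the Huawei guide. Its two inputs are constructed to match the format of the display ssh server status and display ssh server session output shown above; the checks it runs are the ones a reviewer would apply to that output, and the "legacy" algorithm list reflects current SSH guidance (CBC ciphers, truncated SHA-1 MACs and the 1024-bit group1 exchange), not anything the guide itself states.

```python
"""Review 'display ssh server status' and 'display ssh server session' output.

Added example (not from the Huawei guide): the two outputs below are constructed
to match the format shown in Step 8. The checks encode what a reviewer looks
for: exposed services, whether the listener left port 22, whether the version
string still advertises SSH protocol 1 compatibility, and legacy algorithms.
"""
import re

STATUS_OUTPUT = """\
SSH version                        :1.99
SSH connection timeout             :60 seconds
SSH server key generating interval :0 hours
SSH Authentication retries         :3 times
SFTP server                        :Enable
Stelnet server                     :Enable
Scp server                         :Disable
SSH server port                    :1025
"""

SESSION_OUTPUT = """\
Session 1:
  Conn: VTY 3
  Version: 2.0
  State: started
  Username: client001
  Retry: 1
  CTOS Cipher: aes128-cbc
  STOC Cipher: aes128-cbc
  CTOS Hmac: hmac-sha1-96
  STOC Hmac: hmac-sha1-96
  Kex: diffie-hellman-group1-sha1
  Service Type: stelnet
  Authentication Type: password
Session 2:
  Conn: VTY 4
  Version: 2.0
  State: started
  Username: client002
  Retry: 1
  CTOS Cipher: aes128-cbc
  STOC Cipher: aes128-cbc
  CTOS Hmac: hmac-sha1-96
  STOC Hmac: hmac-sha1-96
  Kex: diffie-hellman-group1-sha1
  Service Type: sftp
  Authentication Type: rsa
"""

# Algorithm names that current SSH guidance treats as legacy: CBC-mode ciphers,
# truncated or MD5-based MACs, and the 1024-bit group1 key exchange.
LEGACY_PATTERNS = (r"-cbc$", r"^hmac-sha1-96$", r"^hmac-md5", r"^diffie-hellman-group1-sha1$")
SERVICE_ROWS = ("SFTP server", "Stelnet server", "Scp server")


def parse_status(text):
    """Turn the 'label :value' rows into a dict keyed by label."""
    status = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            status[key.strip()] = value.strip()
    return status


def parse_sessions(text):
    """Group the indented 'key: value' rows under their 'Session N:' header."""
    sessions, current = [], None
    for line in text.splitlines():
        header = re.match(r"Session (\d+):", line)
        if header:
            current = {"id": int(header.group(1))}
            sessions.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return sessions


def review_status(status):
    """Summarise the exposure the status output describes."""
    # The guide's earlier status output has no 'SSH server port' row while the
    # default port is in use, so a missing row is read as port 22.
    port = int(status.get("SSH server port", "22"))
    return {
        "port": port,
        "default_port": port == 22,
        "enabled_services": [s for s in SERVICE_ROWS if status.get(s) == "Enable"],
        # '1.99' means the server also accepts SSH protocol 1 clients (RFC 4253, 5.1).
        "protocol1_compat": status.get("SSH version") == "1.99",
        "auth_retries": int(status.get("SSH Authentication retries", "0").split()[0]),
    }


def legacy_algorithms(session):
    """Distinct negotiated algorithms of one session that match LEGACY_PATTERNS."""
    flagged = []
    for key in ("CTOS Cipher", "STOC Cipher", "CTOS Hmac", "STOC Hmac", "Kex"):
        name = session.get(key, "")
        if name and name not in flagged and any(re.search(p, name) for p in LEGACY_PATTERNS):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    print(review_status(parse_status(STATUS_OUTPUT)))
    for s in parse_sessions(SESSION_OUTPUT):
        print(s["id"], s.get("Username"), legacy_algorithms(s))
```

Moving the listener, as this example does, only hides the service from the scanners that try port 22; the algorithm review on the session rows is what tells you how much protection the sessions themselves get, and a 1.99 version string is worth checking against the device's own protocol-version options.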


Configuration Files

- Configuration file of the Quidway, the SSH server
  #
   sysname Quidway
  #
  vlan batch 10
  #
  interface Vlanif10
   ip address 10.164.39.222 255.255.255.0
  #
  rsa peer-public-key rsakey001
   public-key-code begin
    3047
    0240
    C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D
    0163FD4A FAC39A6E 0F45F325 A4E3AA1D 54692B04
    C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9
    E917182B
    0203
    010001
   public-key-code end
  peer-public-key end
  #
  aaa
   local-user client001 password simple huawei
   local-user client001 service-type ssh
  #
  sftp server enable
  stelnet server enable
  ssh server port 1025
  ssh user client001
  ssh user client002
  ssh user client001 authentication-type password
  ssh user client002 authentication-type rsa
  ssh user client002 assign rsa-key RsaKey001
  ssh user client001 service-type stelnet
  ssh user client002 service-type sftp
  ssh user client002 sftp-directory flash:/
  #
  interface Ethernet0/0/1
   port hybrid pvid vlan 10
   port hybrid untagged vlan 10
  #
  user-interface vty 0 4
   authentication-mode aaa
   protocol inbound ssh
  #
  return

- Configuration file of Client001, the SSH client
  #
   sysname client001
  #
  vlan batch 10
  #
  interface Vlanif10
   ip address 10.164.39.220 255.255.255.0
  #
  ssh client first-time enable
  #
  interface Ethernet0/0/1
   port hybrid pvid vlan 10
   port hybrid untagged vlan 10
  #
  return

- Configuration file of Client002, the SSH client
  #
   sysname client002
  #
  vlan batch 10
  #
  interface Vlanif10
   ip address 10.164.39.221 255.255.255.0
  #
  ssh client first-time enable
  #
  interface Ethernet0/0/1
   port hybrid pvid vlan 10
   port hybrid untagged vlan 10
  #
  return

9.8.6 Example for Authenticating SSH Through RADIUS

In this example, a user that attempts to access the SSH server is authenticated by the RADIUS server, and the SSH server determines whether to set up a connection with the user according to the authentication result.

Networking Requirements

When a RADIUS user is connected to an SSH server, the SSH server sends the user name and password of the SSH client to the RADIUS server (compatible with the TACACS server) for authentication. The RADIUS server authenticates the user and sends the result (passed or failed) back to the SSH server. If the authentication is successful, the user level is sent along with the result. The SSH server determines whether the SSH client is allowed to set up a connection according to the authentication result. Figure 9-8 shows the networking diagram.

Figure 9-8 Networking diagram of authenticating SSH through RADIUS
[Figure: SSH Client (10.164.39.221/24) connected to the SSH Server (10.164.39.222/24), which in turn connects to the RADIUS Server (10.164.6.49/24)]

Configuration Roadmap

The configuration roadmap is as follows:
1. Configure the RADIUS template on the SSH server.
2. Configure a domain on the SSH server.
3. Create a user on the RADIUS server.
4. Generate the local key pair on the STelnet client and the SSH server respectively. The SSH server monitors the port number.
5. Generate the local key pair on the client and the SSH server.
6. Generate the RSA public key on the SSH server and bind the RSA public key of the SSH client to [email protected].
7. Enable the STelnet and SFTP services on the SSH server.
8. Configure the service mode and authorization directory of the SSH user.
9. Users [email protected] and [email protected] log in to the SSH server through STelnet and SFTP respectively.

Data Preparation

To complete the configuration, you need the following data:
- Configure the password authentication for the two SSH users.
- RADIUS authentication
- Name of the RADIUS template
- Name of the RADIUS domain
- Name and password of the RADIUS user

Procedure

Step 1 Generate a local key pair on the SSH server.
  system-view
  [Quidway] rsa local-key-pair create
  The key name will be: Quidway_Host
  The range of public key size is (512 ~ 2048).
  NOTES: If the key modulus is greater than 512,
  It will take a few minutes.
  Input the bits in the modulus[default = 512]: 768
  Generating keys...
  .......++++++++++++
  ..........++++++++++++
  ...................................++++++++
  ......++++++++

Step 2 Configure the RSA public key of the server.
# Generate a local key pair of the client on the client.
  system-view
  [Quidway] sysname client
  [client] rsa local-key-pair create

# View the RSA public key generated on the client.
  [client] display rsa local-key-pair public
  =====================================================
  Time of Key pair created: 16:38:51 2007/5/25
  Key name: Quidway_Host
  Key type: RSA encryption Key
  =====================================================
  Key code:
  3047
  0240
  BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
  203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
  EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
  1D7E3E1B
  0203
  010001
  Host public key for PEM format code:
  ---- BEGIN SSH2 PUBLIC KEY ----
  AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7
  yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
  ---- END SSH2 PUBLIC KEY ----
  Public key code for pasting into OpenSSH authorized_keys file :
  ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key
  =====================================================
  Time of Key pair created: 16:38:51 2007/5/25
  Key name: Quidway_Server
  Key type: RSA encryption Key
  =====================================================
  Key code:
  3067
  0260
  BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
  D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
  9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
  1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
  BC89D3DB 5A83698C 9063DB39 A279DD89
  0203
  010001
  [client]

# Send the RSA public key generated on the client to the server.
  [Quidway] rsa peer-public-key RsaKey001
  Enter "RSA public key" view, return system view with "peer-public-key end".
  [Quidway-rsa-public-key] public-key-code begin
  Enter "RSA key code" view, return last view with "public-key-code end".
  [Quidway-rsa-key-code] 3047
  [Quidway-rsa-key-code] 0240
  [Quidway-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
  [Quidway-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
  [Quidway-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
  [Quidway-rsa-key-code] 1D7E3E1B
  [Quidway-rsa-key-code] 0203
  [Quidway-rsa-key-code] 010001
  [Quidway-rsa-key-code] public-key-code end
  [Quidway-rsa-public-key] peer-public-key end
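Step 3 of section 9.8.5 and Step 2 here both copy the hex "Key code" of the client's host key into the server by hand. The following Python code is an added example, not part of the Huawei guide: it parses that key code (a PKCS#1 RSAPublicKey, a DER SEQUENCE of modulus and exponent) and re-derives the "ssh-rsa AAAA..." line that the client prints beside it, so an operator can confirm that the pasted bytes and the displayed OpenSSH line describe the same key, and can see the modulus size, before binding the key with "ssh user ... assign rsa-key". The hex constant is the client host key code displayed above; the fingerprint format follows OpenSSH's SHA256 convention, and the 2048-bit threshold is current guidance, not something the guide states.

```python
"""Parse the 'Key code' printed by 'display rsa local-key-pair public' and
rebuild the OpenSSH public-key line the switch prints next to it.

Added example (not from the Huawei guide). The key code is a PKCS#1
RSAPublicKey: SEQUENCE { modulus INTEGER, publicExponent INTEGER }, written
as hex words. OpenSSH's wire format is base64 of
string("ssh-rsa") || mpint(e) || mpint(n).
"""
import base64
import hashlib

# Client host key code as displayed on the page (client002_Host / Quidway_Host).
KEY_CODE_CLIENT = """
3047 0240 BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB 203C8FCB BBC8FDF2
F7CB674E 519E8419 0F6B97A8 EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B 0203 010001
"""


def _der_read_tlv(buf, pos, expected_tag):
    """Read one DER tag-length-value at pos; return (value, next_pos). Handles long-form lengths."""
    tag = buf[pos]
    if tag != expected_tag:
        raise ValueError(f"expected tag 0x{expected_tag:02x} at offset {pos}, got 0x{tag:02x}")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return buf[pos:pos + length], pos + length


def parse_key_code(key_code):
    """Return (n, e) from the hex key code. The switch encodes the modulus as an
    unsigned INTEGER without a leading 0x00 even when the top bit is set, so the
    bytes are interpreted unsigned rather than as DER two's complement."""
    der = bytes.fromhex("".join(key_code.split()))
    seq, end = _der_read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after RSAPublicKey")
    n_bytes, pos = _der_read_tlv(seq, 0, 0x02)
    e_bytes, pos = _der_read_tlv(seq, pos, 0x02)
    if pos != len(seq):
        raise ValueError("unexpected extra fields in RSAPublicKey")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def _ssh_string(b):
    return len(b).to_bytes(4, "big") + b


def _ssh_mpint(x):
    """RFC 4251 mpint: big-endian, with a leading 0x00 if the top bit is set."""
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if b and b[0] & 0x80:
        b = b"\x00" + b
    return _ssh_string(b)


def to_openssh(key_code):
    """The 'ssh-rsa AAAA...' line for this key code."""
    n, e = parse_key_code(key_code)
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii")


def key_facts(key_code):
    """Size, exponent and OpenSSH-style SHA256 fingerprint of the key.
    512- and 768-bit RSA moduli, the sizes this guide generates, have been
    publicly factored; anything under 2048 bits is flagged as weak."""
    n, e = parse_key_code(key_code)
    blob = base64.b64decode(to_openssh(key_code).split()[1])
    fp = base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii").rstrip("=")
    return {"bits": n.bit_length(), "exponent": e, "sha256": "SHA256:" + fp,
            "weak": n.bit_length() < 2048}


if __name__ == "__main__":
    print(to_openssh(KEY_CODE_CLIENT))
    print(key_facts(KEY_CODE_CLIENT))
```

Because to_openssh rebuilds the line from the hex words, a single mistyped word in the "rsa peer-public-key" session produces a different line (or a DER error) rather than silently binding the wrong key to the user.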

Step 3 Create the SSH user.
On the RADIUS server, add two users named [email protected] and [email protected]; in addition, designate the NAS address 10.164.39.222 and the key huawei. The NAS address refers to the address of the SSH server that connects to the RADIUS server.
# Configure the VTY user interface on the SSH server.
  [Quidway] user-interface vty 0 4
  [Quidway-ui-vty0-4] authentication-mode aaa
  [Quidway-ui-vty0-4] protocol inbound ssh
  [Quidway-ui-vty0-4] quit

# Create SSH users [email protected] and [email protected] on the SSH server.
  [Quidway] ssh user [email protected]
  [Quidway] ssh user [email protected] authentication-type password
  [Quidway] ssh user [email protected] service-type stelnet
  [Quidway] ssh user [email protected]
  [Quidway] ssh user [email protected] authentication-type password
  [Quidway] ssh user [email protected] service-type sftp
  [Quidway] ssh user client001 sftp-directory flash:/

Step 4 Configure the RADIUS template.
# Configure the authentication scheme newscheme and the authentication mode RADIUS.
  [Quidway] aaa
  [Quidway-aaa] authentication-scheme newscheme
  [Quidway-aaa-authen-newscheme] authentication-mode radius
  [Quidway-aaa-authen-newscheme] quit

# Configure the RADIUS template of the SSH server as ssh.
  [Quidway] radius-server template ssh

# Configure the IP address of the RADIUS authentication server as 10.164.6.49 and its port as 1812.
  [Quidway-radius-ssh] radius-server authentication 10.164.6.49 1812

# Configure the key of the RADIUS server as huawei.
  [Quidway-radius-ssh] radius-server shared-key huawei
  [Quidway-radius-ssh] quit

Step 5 Configure the RADIUS domain name.
# Configure the RADIUS domain of the SSH server as ssh.com, applying the authentication scheme newscheme and the RADIUS template ssh.
  [Quidway] aaa
  [Quidway-aaa] domain ssh.com
  [Quidway-aaa-domain-ssh.com] authentication-scheme newscheme
  [Quidway-aaa-domain-ssh.com] radius-server ssh
  [Quidway-aaa-domain-ssh.com] quit
  [Quidway-aaa] quit
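The Networking Requirements above say the SSH server forwards the user name and password to the RADIUS server and acts on the result; the key set with "radius-server shared-key" in Step 4 is what ties those two messages together. The following Python code is an added example, not part of the Huawei guide, that builds the RFC 2865 Access-Request the SSH server (the NAS) would send, hides the User-Password attribute the way the standard prescribes, and verifies the Response Authenticator on the reply, which is the check the NAS must do before accepting an Access-Accept. The user name, secret, addresses and request authenticator used in the test are constructed values.

```python
"""Build and check the RADIUS exchange behind a 'user@domain' SSH login (RFC 2865).

Added example, not from the Huawei guide. It shows what the key configured with
'radius-server shared-key' protects: the User-Password attribute the NAS forwards
is hidden with an MD5(secret + authenticator) keystream, and the reply carries a
Response Authenticator the NAS must verify under the same secret. The
Access-Request itself carries no integrity protection unless a
Message-Authenticator attribute (RFC 2869) is added, which this example omits.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _attr(attr_type, value):
    """One type-length-value attribute; the length byte covers the 2-byte header."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def hide_password(secret, authenticator, password):
    """RFC 2865 section 5.2: NUL-pad to a multiple of 16, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    plain = password.encode()
    plain += b"\x00" * (-len(plain) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(plain), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(plain[i:i + 16], keystream))
        hidden += prev
    return hidden


def reveal_password(secret, authenticator, hidden):
    """Inverse of hide_password (what the RADIUS server does before checking the user)."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return plain.rstrip(b"\x00").decode(errors="replace")


def build_access_request(secret, ident, username, password, nas_ip, authenticator=None):
    """Access-Request as the NAS sends it; the 16-byte authenticator must be fresh and unpredictable."""
    if authenticator is None:
        authenticator = os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(secret, authenticator, password))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(pkt):
    """Split a RADIUS packet into (code, identifier, length, authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = [], 20
    while pos < length:
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        attrs.append((attr_type, pkt[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, ident, length, pkt[4:20], attrs


def build_reply(secret, request, code, attrs=b""):
    """Reply as the RADIUS server sends it:
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, ident, _, request_auth, _ = parse_packet(request)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_reply(secret, request, reply):
    """NAS-side check before acting on the reply: same identifier, and the Response
    Authenticator must be valid for this request's authenticator under the shared secret."""
    _, req_ident, _, request_auth, _ = parse_packet(request)
    _, ident, length, response_auth, _ = parse_packet(reply)
    if ident != req_ident or length != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, response_auth)
```

Two consequences follow for the configuration in this section: the Step 7 output below prints the shared key in clear ("Shared-secret-key : huawei"), so anyone who can read that output or capture the NAS-to-RADIUS traffic can unhide every forwarded password with reveal_password; and a NAS that skips verify_reply would accept a forged Access-Accept from anyone who can reach it on the RADIUS port.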

Step 6 Connect the SSH client and the SSH server.
# Enable the STelnet and SFTP services on the SSH server.
  [Quidway] stelnet server enable
  [Quidway] sftp server enable

# For the first login, you need to enable first-time authentication on the SSH client.
  [client] ssh client first-time enable
  [client] quit

# Connect the STelnet client to the SSH server with RADIUS authentication.
  system-view
  [client] stelnet 10.164.39.222
  Please input the username: [email protected]
  Trying 10.164.39.222 ...
  Press CTRL+K to abort
  Connected to 10.164.39.222 ...
  The server is not authenticated. Do you continue to access it?(Y/N):y
  Do you want to save the server's public key?(Y/N):y
  The server's public key will be saved with the name: 10.164.39.222. Please wait...
  Enter password:

Enter the password Huawei, and the following information is displayed:
  Info: The max number of VTY users is 10, and the current number of VTY users on line is 2.

# Connect the SFTP client to the SSH server with RADIUS authentication.
  system-view
  [client] sftp 10.164.39.222
  Please input the username: [email protected]
  Trying 10.164.39.222 ...
  Press CTRL+K to abort
  Connected to 10.164.39.222 ...
  Enter password:
  sftp-client>


Step 7 Verify the configuration.
After the configuration, run the display radius-server configuration and display ssh server session commands on the SSH server. You can view the configuration of the RADIUS server on the SSH server. You can also see that the STelnet or SFTP client is connected to the SSH server successfully with RADIUS authentication.
# Display the configuration of the RADIUS server.
  [Quidway-aaa] display radius-server configuration
  -------------------------------------------------------------------
  Server-template-name             : ssh
  Protocol-version                 : standard
  Traffic-unit                     : B
  Shared-secret-key                : huawei
  Timeout-interval(in second)      : 5
  Primary-authentication-server    : 10.164.6.49 :1812 LoopBack:NULL
  Primary-accounting-server        : 0.0.0.0 :0 LoopBack:NULL
  Secondary-authentication-server  : 0.0.0.0 :0 LoopBack:NULL
  Secondary-accounting-server      : 0.0.0.0 :0 LoopBack:NULL
  Retransmission                   : 3
  Domain-included                  : YES
  Calling-station-id MAC-format    : xxxx-xxxx-xxxx
  -------------------------------------------------------------------
  Total of radius template :1

# Display the connection of the SSH server.
  [Quidway] display ssh server session
  Session 1:
    Conn : VTY 0
    Version : 2.0
    State : started
    Username : [email protected]
    Retry : 1
    CTOS Cipher : aes128-cbc
    STOC Cipher : aes128-cbc
    CTOS Hmac : hmac-sha1-96
    STOC Hmac : hmac-sha1-96
    Kex : diffie-hellman-group1-sha1
    Service Type : stelnet
    Authentication Type : password
  Session 2:
    Conn : VTY 1
    Version : 2.0
    State : started
    Username : [email protected]
    Retry : 1
    CTOS Cipher : aes128-cbc
    STOC Cipher : aes128-cbc
    CTOS Hmac : hmac-sha1-96
    STOC Hmac : hmac-sha1-96
    Kex : diffie-hellman-group1-sha1
    Service Type : sftp
    Authentication Type : password

----End

Configuration Files

Configuration file of the SSH server
  #
   sysname Quidway
  #
  radius-server template ssh
   radius-server authentication 10.164.6.49 1812
  #
  rsa peer-public-key rsakey001
   public-key-code begin
    3047
    0240
    C4989BF0 416DA8F2 2675910D 7F2997E8 5573A35D
    0163FD4A FAC39A6E 0F45F325 A4E3AA1D 54692B04
    C6A28D3D C58DE2E8 E0D58D65 7A25CF92 A74D21F9
    E917182B
    0203
    010001
   public-key-code end
  peer-public-key end
  #
  aaa
   authentication-scheme newscheme
    authentication-mode radius
  #
   domain ssh.com
    authentication-scheme newscheme
    radius-server ssh
  #
  #
  sftp server enable
  stelnet server enable
  ssh user [email protected]
  ssh user [email protected]
  ssh user [email protected] authentication-type password
  ssh user [email protected] authentication-type password
  ssh user [email protected] assign rsa-key RsaKey001
  ssh user [email protected] service-type stelnet
  ssh user [email protected] service-type sftp
  ssh user client001 sftp-directory flash:/
  #
  user-interface vty 0 4
   authentication-mode aaa
   protocol inbound ssh
  #
  Return

9.8.7 Example for Configuring the SCP Client

This section provides an example for configuring the SCP client. In this example, the SCP client accesses the SCP server to download files.

Networking Requirements

As shown in Figure 9-9, the switch functioning as the SCP client has a reachable route to the SCP server, and can download files from the SCP server.

Figure 9-9 Networking diagram of the SCP client (SCP Server 172.16.104.110/24; SCP Client 1.1.1.1/32)

Configuration Roadmap

The configuration roadmap is as follows:

1. Create a local RSA key pair on the SSH server.
2. Create an SSH user on the SSH server.
3. Enable SCP services on the SSH server.
4. Enable first-time authentication on the SSH client.
5. Configure an IP address of the source interface on the SCP client.
6. Download files from the SSH server to the SCP client.

Data Preparation

To complete the configuration, you need the following data:

- SSH user name, authentication mode, and authentication password
- IP address of the source interface on the SCP client
- The name and path of the destination files and the source files

Procedure

Step 1 Create a local RSA key pair on the SSH server.

system-view
[Quidway] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: SSH Server_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]: 512
Generating keys...
.....++++++++++++
....++++++++++++
......++++++++
................................++++++++

Step 2 Create an SSH user on the SCP server.

# Configure the VTY user interface.
[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit

# Configure password authentication for the SSH user client001.
[SSH Server] ssh user client001
[SSH Server] ssh user client001 authentication-type password

# Set the password of the SSH user client001 to huawei.
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password cipher huawei
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit

# Set the service type of the SSH user client001 to all.
[SSH Server] ssh user client001 service-type all

Step 3 Enable SCP services on the SCP server.

[SSH Server] scp server enable

Step 4 Download files from the SCP server to the SCP client.

# For the first login, enable first-time authentication on the SSH client.
system-view
[Quidway] sysname SCP Client
[SCP Client] ssh client first-time enable

# Configure the IP address 1.1.1.1 of a loopback interface as the source IP address of the SCP client.
[SCP Client] scp client-source -a 1.1.1.1

# Use 3DES as the session cipher and download the file license.txt from the remote SCP server at 172.16.104.110 to the local working directory.
[SCP Client] scp -a 1.1.1.1 -cipher 3des [email protected]:license.txt license.txt

Step 5 Verify the configuration.

Run the display scp-client command on the SCP client. The command output is as follows:

display scp-client
The source of SCP ipv4 client: 1.1.1.1

The IP address of the source interface on the SCP client is 1.1.1.1.

----End

Configuration Files

- Configuration file of the SCP server

#
sysname SSH Server
#
aaa
local-user client001 password simple huawei
local-user client001 service-type ssh
#
scp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type all
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return

- Configuration file of the SCP client

#
sysname SCP Client
#
ssh client first-time enable
scp client-source 1.1.1.1
#
return

10 Web System Configuration

About This Chapter

Before configuring the S2300 in Web mode, you need to configure the S2300 as the Web server.

10.1 Overview of Web System
Through the Web system, users can manage and maintain the S2300 in the graphical user interface (GUI).

10.2 Starting Web System
This topic describes how to load the Web system and create an account of the Web system.


10.1 Overview of Web System

Through the Web system, users can manage and maintain the S2300 in the graphical user interface (GUI). To facilitate the use and maintenance of the S2300, Huawei developed the Web system for the S2300. The S2300 has a built-in Web server, so a terminal (such as a PC) connected to the S2300 can access it through a Web browser. Figure 10-1 shows the running environment of the Web system.

Figure 10-1 Running environment of the Web System (Switch connected to a PC over an HTTP Connection)

10.2 Starting Web System

This topic describes how to load the Web system and create an account of the Web system.

10.2.1 Logging In to the S2300 Through the Console Interface

Context

When setting up a local configuration environment through the console interface, you can connect the PC and the S2300 through the Windows HyperTerminal.

Procedure

Step 1 Enable the HyperTerminal on the PC.

Choose Start > All Programs > Accessories > Communications > HyperTerminal to start the HyperTerminal.

Step 2 Set up a new connection.

As shown in Figure 10-2, enter the name of the new connection in the Name text box and choose an icon. Click OK.

Figure 10-2 Setting up a new connection

Step 3 Set the connection port.

After entering the Connect window as shown in Figure 10-3, select a serial port from the Connect drop-down list box according to the port used by the PC or the configuration terminal. Select COM1 in this case, and click OK.


Figure 10-3 Setting the connection port

Step 4 Set communication parameters.

After entering the COM1 Properties window as shown in Figure 10-4, set the communication parameters according to the description in Table 10-1.

NOTE
In other Windows operating systems, Bits per second may be described as Baud rate; Flow control may be described as Traffic control.


Figure 10-4 Setting communication parameters for the port

Table 10-1 Communication parameters

Parameter                       Value
Bits per second (Baud rate)     9600
Data bits                       8
Parity check                    None
Stop bits                       1
Flow control (Traffic control)  None

Step 5 After the HyperTerminal is started, select File Attributes to enter the Connect Properties window as shown in Figure 10-5. Choose the Setting tab, select Auto detect or VT100 from the Emulation drop-down list box. Click OK to complete the setting.


Figure 10-5 Selecting a terminal type

After the preceding steps are complete, press Enter. If the prompt is displayed, you have logged in to the S2300. You can now enter commands to configure and manage the S2300.

----End

10.2.2 Setting the Management IP Address of the S2300

This section describes how to configure the management IP address of the S2300.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface vlanif interface-number

The view of the interface of the management VLAN is displayed.

Step 3 Run:
ip address ip-address { mask | mask-length } [ sub ]

The IP address of the interface is configured.

----End

10.2.3 Uploading Web Page Files

This section describes how to obtain the Web page files and upload them to the S2300 through FTP.

Prerequisite

To obtain the Web page file of the S2300, log in to http://support.huawei.com, and then choose Software Center > Version Software > Data Communication Product Line > Ethernet Switch > S23&33&53&CX200D Series. Download the software package of the current version. The Web page file is contained in the software package. The file name is Product Name + the Version of Software.web.zip. Before uploading the Web page file, copy the Web page file to the client from which you log in to the S2300.

Context

NOTE
You can also download Web files through TFTP. In this case, the S2300 functions as the TFTP client, and the terminal that stores the Web files functions as the TFTP server. For details, see 8.5.3 Downloading Files Through TFTP.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ftp server enable

The FTP server is enabled.

Step 3 Run:
aaa

The AAA view is displayed.

Step 4 Run:
local-user user-name password { simple | cipher } password

An FTP client is configured and the password is set to huawei.

Step 5 Run:
local-user user-name ftp-directory directory

The directory is set for the FTP client.

Step 6 Run:
local-user user-name service-type ftp

The service type of an FTP login user is set.

Step 7 Run the following command in the cmd window of the PC:
ftp ip-address

Enter the user name and password at the prompts. The PC then logs in to the S2300.

C:\>ftp 10.1.1.132
Connected to 10.1.1.132.
220 FTP service ready.
User (10.1.1.132:(none)): client
331 Password required for client.
Password:
230 User logged in.
ftp>

Step 8 Run the following command in the FTP view:
put local-filename

The web.zip file is uploaded from the PC to the S2300.

ftp> put web.zip
200 Port command okay.
150 Opening ASCII mode data connection for web.zip.
226 Transfer complete.
ftp: 251047 bytes sent in 3.36Seconds 74.74Kbytes/sec.
ftp>

----End

10.2.4 Loading a Web Page File

This section describes how to load a Web file.

Context Before loading the Web page file, upload it to the S2300.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
http server load file-name

The Web page file is loaded to the S2300.

----End

10.2.5 Creating a Web Account

Before logging in to the S2300 in Web mode, you need to create a Web account on the S2300.

Context

Before enabling the HTTP server, load the Web page file to the S2300.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
http server enable

The HTTP server is enabled.

Step 3 Run:
aaa

The AAA view is displayed.

Step 4 Run:
local-user user-name password { simple | cipher } password

An HTTP client is configured and the password of the client is set.

NOTE
It is recommended that you store the password in cipher text. For security, do not use simple user names and passwords.

Step 5 Run:
local-user user-name service-type http

The access type of the user named admin is set to HTTP.

Step 6 Run:
quit

Return to the system view.

Step 7 (Optional) Run:
http timeout timeout

The timeout period of an HTTP connection is set. By default, the timeout period of an HTTP connection is 20 minutes.

----End
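The configuration files shown in 9.8.7 and the cipher-text password recommendation in 10.2.5 both describe settings worth checking in a saved configuration before a switch is put into service. As an added example (not Huawei's code), the following Python lints a configuration file in the guide's "#"-separated block layout and reports cleartext passwords, cleartext management services, first-time authentication left enabled, and VTY lines that are not restricted to SSH with AAA; the sample configuration and the rule names are constructed.

```python
"""Lint a Huawei-style configuration file for weak management settings.
Added example, not from the Huawei guide: it reads the '#'-separated
block layout of the guide's configuration files; SAMPLE is constructed."""
import re

def split_blocks(config):
    """Split the file into lists of stripped lines, one per '#' block."""
    blocks = [[]]
    for line in config.splitlines():
        if line.strip() == "#":
            blocks.append([])
        elif line.strip():
            blocks[-1].append(line.strip())
    return [b for b in blocks if b]

def lint(config):
    """Return sorted (rule, line) findings a defender would review."""
    findings = []
    for block in split_blocks(config):
        for line in block:
            if re.match(r"local-user \S+ password simple ", line):
                findings.append(("cleartext-password", line))    # 10.2.5 note
            if line in ("ftp server enable", "http server enable"):
                findings.append(("cleartext-management", line))
            if line == "ssh client first-time enable":   # only for first login
                findings.append(("first-time-auth-left-on", line))
        if block[0].startswith("user-interface vty"):
            if "protocol inbound ssh" not in block:
                findings.append(("vty-not-ssh-only", block[0]))
            if "authentication-mode aaa" not in block:
                findings.append(("vty-no-aaa", block[0]))
    return sorted(findings)

SAMPLE = """\
#
aaa
 local-user client001 password simple huawei
 local-user client001 service-type ssh
#
 ftp server enable
 scp server enable
#
user-interface vty 0 4
 authentication-mode aaa
#
return
"""

if __name__ == "__main__":
    for rule, line in lint(SAMPLE):
        print(f"{rule:24} {line}")
```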

10.2.6 Logging In to the Web System

This section describes how to log in to the S2300 in Web mode.

Procedure

Step 1 Open the Web browser on the PC and enter the management address of the S2300 in the address bar (the PC and the S2300 must have reachable routes to each other). Press Enter to display the Login dialog box. As shown in Figure 10-6, enter the preset Web user name, password, and verify code, and then choose the language.

Figure 10-6 Login

NOTE
If you select Save my password before clicking Login, you do not need to enter the password at the next login.

Step 2 Click Login or press Enter to display the homepage of the Web system.

You can configure the S2300 after logging in to the Web system. For details on how to configure the S2300 on the Web system, see the Quidway S2300 Series Ethernet Switches Web Network Management System Client Operation Guide.

----End
