Operation Manual Login and User Interface. Table of Contents

Transcription

1 Table of Contents Table of Contents Chapter 1 Switch Login Setting Up Configuration Environment Through the Console Port Setting Up Configuration Environment Through Telnet Connecting a PC to the Switch Through Telnet Accessing a Switch Through Another Switch via Telnet Setting Up Configuration Environment Through Modem Dial-up User Interface Overview User Interface Configuration Entering User Interface View Defining the Login Header Configuring Asynchronous Port Attributes Configuring Terminal Attributes Managing Users Configuring Telnet Configuring Modem Attributes Configuring Redirection Displaying and Debugging User Interface Chapter 3 Management Port Configuration Management Port Overview Management Port Configuration IP Isolation Overview i

2 Chapter 1 Switch Login Chapter 1 Switch Login When configuring switch login, go to these sections for information you are interested in: Setting Up Configuration Environment Through the Console Port Setting Up Configuration Environment Through Telnet Setting Up Configuration Environment Through Modem Dial-up 1.1 Setting Up Configuration Environment Through the Console Port Step 1: As shown in the figure below, to set up the local configuration environment, connect the serial port of a PC (or a terminal) to the console port of the switch with the console cable. Figure 1-1 Set up the local configuration environment through the console port Step 2: Run a terminal emulator (such as Terminal of Windows 2000 or HyperTerminal of Windows XP) on the computer. Set the terminal communication parameters as follows: Set Bits per second to 9600, Data bits to 8, Parity to none, Stop bits to 1, and Flow control to none, and select the VT100 as the terminal type.. Figure 1-2 Set up new connection 1-1

3 Chapter 1 Switch Login Figure 1-3 Configure the port for connection Figure 1-4 Set communication parameters Step 3: The switch is powered on. Display self-test information of the switch and prompt you to press Enter to show the command line prompt such as <H3C>. Step 4: Input a command to configure the switch or view the operation state. Input a? for help. For details of specific commands, refer to the following chapters. 1.2 Setting Up Configuration Environment Through Telnet Connecting a PC to the Switch Through Telnet To telnet to the Ethernet Switch, ensure that the following conditions are satisfied: Assign an IP address to the management VLAN interface correctly in the Ethernet Switch (use the ip address command in VLAN interface view). 1-2

4 Chapter 1 Switch Login Specify the Ethernet port connected with the PC to belong to the management VLAN (use the port command in VLAN view) If the PC and the switch s port connected with the PC reside in the same LAN, their IP addresses must be configured to reside in the same network segment. Otherwise, the PC and the Switch must be reachable to each other. Then, you can telnet to the Ethernet Switch to configure it. Follow the given steps below: Step 1: Before logging into the switch through telnet, you need to configure the Telnet user name and password on the switch through the console port. Note: By default, the password is required for authenticating the Telnet user to log into the switch. If a user tries to log in through Telnet without a password, the system will prompt that the login fails because no password is set. <H3C> system-view System View: return to User View with Ctrl+Z. [H3C] user-interface vty 0 [H3C-ui-vty0] set authentication password simple xxxx (xxxx is the login password of Telnet user) Step 2: To set up the configuration environment, connect the Ethernet port of the PC to that of the switch via the LAN, as shown in Figure 1-5. Workstation Switch Ethernet M- Ethernet Server Workstation PC (for the switch via configuring telnet ) Figure 1-5 Set up configuration environment through telnet Step 3: Run Telnet on the PC and input the IP address of the VLAN connected to the PC port, as shown in Figure

5 Chapter 1 Switch Login Figure 1-6 Run Telnet Step 4: The terminal displays Login authentication! and prompts the user to input the logon password. After you input the correct password, it displays the command line prompt (such as <H3C>). If the prompt All user interfaces are used, please try later! The connection was closed by the remote host! appears, it indicates that the maximum number of Telnet users that can be accessed to the switch is reached at this moment. In this case, please reconnect later. At most 5 Telnet users are allowed to log on to the H3C series switches simultaneously. Step 5: Use the corresponding commands to configure the switch or to monitor the running state. Enter? to get the immediate help. For details of specific commands, refer to the following chapters. Note: When configuring the switch via Telnet, do not modify the IP address of it unless necessary, for the modification might cut the Telnet connection. By default, when a Telnet user passes the password authentication to log on to the switch, he can access the commands at Level Accessing a Switch Through Another Switch via Telnet After a user has logged into a switch, he or she can configure another switch through the switch via Telnet. The local switch serves as Telnet client and the peer switch serves as Telnet server. If the ports connecting the two switches are on the same local network, the IP addresses of the two switches must be in the same network segment. Otherwise, a route must be available between the two switches. As shown in the figure below, after you telnet to a switch, you can run telnet command to log in and configure another switch. 1-4

6 Chapter 1 Switch Login PC Telnet Client Telnet Server Figure 1-7 Provide Telnet Client service Step 1: Configure the Telnet user name and password on the Telnet Server through the console port. Note: By default, the password is required for authenticating the Telnet user to log into the switch. If a user logs in via the Telnet without password, he will see the prompt Login password has not been set!. <H3C> system-view System View: return to User View with Ctrl+Z. [H3C] user-interface vty 0 [H3C-ui-vty0] set authentication password simple xxxx Step 2: The user logs in the Telnet Client (switch). For the login process, refer to the section describing Connecting a PC to the Switch through Telnet. Step 3: Perform the following operations on the Telnet Client: <H3C> telnet xxxx xxxx is the hostname or IP address of the Telnet Server. If hostname is used, it must be the one configured with the ip host command or the DNS domain name of the Telnet Server. Step 4: Enter the preset login password and you will see the prompt such <H3C>. If the prompt All user interfaces are used, please try later! The connection was closed by the remote host! appears, it indicates that the maximum number of Telnet users that can be accessed to the switch is reached at this moment. In this case, please connect later. Step 5: Use the corresponding commands to configure the switch or view it running state. Enter? to get the immediate help. For details of specific commands, refer to the following chapters. 1-5

7 Chapter 1 Switch Login 1.3 Setting Up Configuration Environment Through Modem Dial-up Step 1: Perform authentication configuration for the modem user via the console port of the switch before the user logs into the switch through a dial-up modem. Note: By default, the modem user is authenticated against password when logging into the switch. If no password is set, the prompt Login password has not been set!. will be displayed when the modem user logs in. <H3C> system-view System View: return to User View with Ctrl+Z.. [H3C] user-interface aux 0 [H3C-ui-aux0] set authentication password simple xxxx Step 2: As shown in the figure below, to set up the remote configuration environment, connect the Modems to a PC (or a terminal) serial port and the switch AUX port respectively. Figure 1-8 Set up remote configuration environment Step 3: Dial for connection to the switch, using the terminal emulator and Modem on the remote end. The number dialed shall be the telephone number of the Modem connected to the switch. See the two figures below. 1-6

8 Chapter 1 Switch Login Figure 1-9 Set the dialed number Figure 1-10 Dial on the remote PC Step 4: Enter the preset login password on the remote terminal emulator and wait for the prompt such as <H3C>. Then you can configure and manage the switch. Enter? to get the immediate help. For details of specific commands, refer to the following chapters. Note: By default, when a Modem user logs in, he can access the commands at Level

9 When configuring user interface, go to these sections for information you are interested in: User Interface Overview User Interface Configuration Displaying and Debugging User Interface 2.1 User Interface Overview To facilitate system management, the switches support user interface based configuration for the configuration and management of port attributes. Presently, the S9500 series switches support the following user interface based configuration methods: Local configuration via the console port and AUX port Local and remote configuration through Telnet on Ethernet port Remote configuration through dialing with modem via the AUX port. According to the above-mentioned configuration methods, there are three types of user interfaces: Console user interface Console user interface is used to log into the switch via the console port. A switch can only have one console user interface. AUX user interface AUX user interface is used to log into the switch locally or remotely with a modem via the AUX port. A switch can only have one AUX user interface. The local configuration for it is similar to that for the console user interface. VTY user interface VTY user interface is used to telnet the switch. A switch can have up to five VTY user interface. User interface is numbered in the following two ways: absolute number and relative number. I. Absolute number The user interfaces of the S9500 routing switch include three types, which are sequenced as follows: console interface (CON), auxiliary interface (AUX) and virtual interface (VTY). A switch has one CON, one AUX and multiple VTYs. The first absolute number is designated as 0; the second one is designated as 1; and so on. This method can specify a unique user interface or a group of interfaces. 2-1

10 It follows the rules below. Console user interface is numbered as the first interface designated as user interface 0. AUX user interface is numbered as the second interface designated as user interface 1. VTY is numbered after AUX user interface. The absolute number of the first VTY is incremented by 1 than the AUX user interface number. II. Relative number The relative number is in the format of user interface type + number. The number refers to the internal number for each user interface type. With this numbering method, when performing a configuration operation for user interfaces, you can only specify a same type of user interfaces instead of specifying different types of user interfaces. It follows the rules below: Number of console user interface: console 0. Number of AUX user interface: AUX 0. Number of VTY: The first VTY interface is designated as VTY 0; the second one is designated as VTY 1, and so on. 2.2 User Interface Configuration The following sections describe the user interface configuration tasks. Entering User Interface View Defining the Login Header Configuring Asynchronous Port Attributes Configuring Terminal Attributes Managing Users Configuring Telnet Configuring Modem Attributes Configuring Redirection Entering User Interface View The following command is used for entering a user interface view. You can enter a single user interface view or multi user interface view to configure one or more user interfaces respectively. Perform the following configuration in system view. 2-2

11 Follow these steps to enter user interface view: Enter a single user interface view or multi user interface views user-interface [ type ] first-number [ last-number ] Defining the Login Header The following command is used for configuring the displayed header when user login. When the users log into the switch, if a connection is activated, the login header will be displayed. After the user successfully logs in the switch, the shell header will be displayed. Perform the following configuration in system view. Follow these steps to configure the login header: Configure the login header Remove the login header configured header [ shell incoming login ] text undo header [ shell incoming login ] Note that if you press <Enter> after typing any of the three keywords shell, login and incoming in the command, then what you type after the word header is the contents of the login information, instead of identifying header type Configuring Asynchronous Port Attributes The following commands can be used for configuring the attributes of the asynchronous port in asynchronous interactive mode, including speed, flow control, parity, stop bit and data bit. Perform the following configurations in user interface (Console and AUX user interface only) view. I. Configuring the transmission speed Follow these steps to configure the transmission speed: Configure the transmission speed Restore the default transmission speed speed speed-value undo speed By default, the transmission speed on an asynchronous port is 9600 bps. 2-3

12 II. Configuring flow control Follow these steps to configure flow control: Configure the flow control Restore the default flow control mode flow-control { hardware none software } undo flow-control By default, the flow control on an asynchronous port is none, that is, no flow control will be performed. III. Configuring parity Follow these steps to configure parity: Configure parity mode Restore the default parity mode parity { even mark none odd space } undo parity By default, the parity on an asynchronous port is none, that is, no parity bit. IV. Configuring the stop bit Follow these steps to configure the stop bit: Configure the stop bit stopbits { } Restore the default stop bit undo stopbits By default, an asynchronous port supports 1 stop bit. Note that setting 1.5 stop bits is not available on S9500 series at present. V. Configuring the data bit Follow these steps to configure the data bit: Configure the data bit databits { 7 8 } Restore the default data bit undo databits By default, an asynchronous port supports 8 data bits. 2-4

13 2.2.4 Configuring Terminal Attributes The following commands can be used for configuring the terminal attributes, including enabling/disabling terminal service, disconnection upon timeout, lockable user interface, configuring terminal screen length and history command buffer size. Perform the following configuration in user interface view. Perform lock command in user view. I. Enabling/disabling terminal service After the terminal service is disabled on a user interface, you cannot log into the switch through the user interface. However, the user logged in through the user interface before disabling the terminal service can continue his operation. After such user logs out, he cannot log in again. In this case, a user can log into the switch through the user interface only when the terminal service is enabled again. Follow these steps to enable/disable terminal service: Enable terminal service Disable terminal service shell undo shell By default, terminal service is enabled on all the user interfaces. Note the following points: For the sake of security, the undo shell command can only be used on the user interfaces other than console user interface. You cannot use this command on the user interface via which you log in. You will be asked to confirm before using undo shell on any legal user interface. II. Configuring idle-timeout Follow these steps to configure idle-timeout: Configure idle-timeout idle-timeout minutes [ seconds ] Restore the default idle-timeout undo idle-timeout By default, idle-timeout is enabled and set to 10 minutes on all the user interfaces. That is, the user interface will be disconnected automatically after 10 minutes without any operation. idle-timeout 0 means disabling idle-timeout. 2-5

14 III. Locking user interface This configuration is to lock the current user interface and prompt the user to enter the password. This makes it impossible for others to operate in the interface after the user leaves. Follow these steps to lock user interface: Lock user interface lock IV. Setting the screen length If a command displays more than one screen of information, you can use the following command to set how many lines to be displayed in a screen, so that the information can be separated in different screens and you can view it more conveniently. Follow these steps to set the screen length: Configure the maximum number of lines of information on one screen of the terminal Restore the default screen-length screen-length undo screen-length Note that the number of lines that can be displayed in each screen remains the same when screen-length is set to 1 or 2. By default, 24 lines (including the multi-screen identifier lines) are displayed in one screen when the multi-screen display function is enabled. Use screen-length 0 to disable the multi-screen display function. V. Setting the history command buffer size Follow these steps to set the history command buffer size: Set the history command buffer size Restore the default history command buffer size history-command max-size value undo history-command max-size By default, the size of the history command buffer is 10, that is, 10 history commands can be saved. 2-6

15 2.2.5 Managing Users The management of users includes the setting of user logon authentication method, level of command which a user can use after logging on, level of command which a user can use after logging on from the specifically user interface, and command level. I. Configuring the authentication method The following command is used for configuring the user login authentication method to deny the access of an unauthorized user. Perform the following configuration in user interface view. Follow these steps to configure the authentication method: Configure the authentication method authentication-mode { password scheme [ command-authorization ] none } By default, terminal authentication is not required for local users log in via the console port. However, password authentication is required for local users and remote Modem users to log in via the AUX port, and for Telnet users and the VTY users to log in through Ethernet port. Note: If the console port is configured for local password authentication, the user can directly log into the system even without a password configured; if other user interfaces, such as the AUX port and VTY interface, are configured for local password authentication, users cannot log into the system without a password. 1) Perform local password authentication to the user interface Using authentication-mode password command, you can perform local password authentication. That is, you need use the command below to configure a login password in order to login successfully. Perform the following configuration in user interface view. Follow these steps to configure the local authentication password: Configure the local authentication password Remove the local authentication password set authentication password { cipher simple } password undo set authentication password # Configure for password authentication when a user logs in through a VTY 0 user interface and set the password to test <H3C>system-view 2-7

16 System View: return to User View with Ctrl+Z. [H3C] user-interface vty 0 [H3C-ui-vty0] authentication-mode password [H3C-ui-vty0] set authentication password simple test 2) Perform authentication using the AAA scheme specified for an ISP domain. Using authentication-mode scheme [ command-authorization ] command, you can perform authentication using the AAA scheme specified for an ISP domain.. An ISP domain is selected based on the following rules: If the username input at login does not contain character, the default ISP domain is selected; If the username input at login contains character: For the local scheme, the character string before the is used as the username, and the character string after the is used as the ISP domain name; for the RADIUS and HWTACACS schemes, the character string before the is used as the username, and the character string after the is used as the ISP domain name. If the command-authorization keyword is provided, it indicates that authorization is needed for the command that the user executes. The authorization mode depends on the AAA scheme configured for an ISP domain. If multiple AAA schemes are configured for an ISP domain, the scheme used at user login is adopted. Among all the AAA schemes: HWTACACS: Command lines are authorized based on the rules configured on the HWTACACS server; Local: Command lines are authorized by the command levels configured by local users; None: All command lines are trusted and authorized; RADIUS: No command lines are authorized. In the following example, local username and password authentication are configured. # Perform username and password authentication when a user logs in through VTY 0 user interface and set the username and password to zbr and test respectively. [H3C-ui-vty0] authentication-mode scheme [H3C-ui-vty0] quit [H3C] local-user zbr [H3C-luser-zbr] password simple test [H3C-luser-zbr] service-type telnet 3) No authentication [H3C-ui-vty0] authentication-mode none 2-8

17 Note: By default, password is required to be set for authenticating local users and remote Modem users log in via the AUX port, and Telnet users log in through Ethernet port. If no password has been set, the following prompt will be displayed Login password has not been set!. If the authentication-mode none command is used, the local and Modem users via the AUX port and Telnet users will not be required to input password. II. Setting the command level used after a user logging in The following command is used for setting the command level used after a user logging in. Perform the following configuration in local-user view. Follow these steps to set the command level used after a user logging in: Set command level used after a user logging in Restore the default command level used after a user logging in service-type telnet [ level level ] undo service-type telnet By default, the specified logon user can access the commands at Level 2. III. Setting the command level used after a user logs in from a user interface You can use the following command to set the command level after a user logs in from a specific user interface, so that a user is able to execute the commands at such command level. Perform the following configuration in user interface view. Follow these steps to set the command level used after a user logging in from a user interface: Set command level used after a user logging in from a user interface Restore the default command level used after a user logging in from a user interface user privilege level level undo user privilege level 2-9

18 By default, you can access the commands at Level 3 after logging in through the console user interface, and the commands at Level 0 after logging in through the AUX or VTY user interface. Note: When a user logs in the switch, the command level that it can access depends on two points. One is the command level that the user itself can access, the other is the set command level of this user interface. If the two levels are different, the former will be taken. For example, the command level of VTY 0 user interface is 1, however, you have the right to access commands of level 3; if you log in from VTY 0 user interface, you can access commands of level 3 and lower. IV. Setting the command priority The following command is used for setting the priority of a specified command in a certain view. The command levels include visit, monitoring, configuration, and management, which are identified with 0 through 3 respectively. An administrator assigns authorities as per user requirements. Perform the following configuration in system view. Follow these steps to set the command priority: Set the command priority in a specified view. Restore the default command level in a specified view. command-privilege level level view view command undo command-privilege view view command V. Setting input protocol for a user terminal You can use the following command to set input protocol for a user terminal. The input protocol type can be TELNET, SSH or all. Perform the following configuration in user interface view. Follow these steps to set input protocol for a user terminal: Set input protocol for a user terminal protocol inbound { all telnet ssh } By default, the input protocol type for a user terminal is all. 2-10

19 VI. Enabling command line accounting After command line accounting is enabled, every time you execute a command, the system sends an accounting packet containing the command information to the TACACS server. At present, only the TACACS protocol supports the command line accounting function. After this function is enabled, the system sends accounting packets to the TACACS server when the following two conditions are satisfied: Command line authorization is not enabled, or command line authorization is enabled and the command line is successfully authorized; You have passed the TACACS authorization. Follow these steps to enable command line accounting: Remarks Enter user interface view Enable command line accounting user-interface [ type ] first-number [ last-number ] accounting commands scheme Disabled by default Note: After you have configured the TACACS command line accounting function, if the accounting packets cannot reach the TACACS server due to some reason, you can still execute the commands, but the commands are not accounted. For this kind of situation, the system does not give any prompt, nor record anything. For command line authorization, see the authentication-mode { password scheme [ command-authorization ] none } command Configuring Telnet You can configure Telnet so as to log into other switches from the current switch for remote management. Perform the following configuration in user view. Follow these steps to configure Telnet : Configure Telnet telnet [ vpn-instance vpn-instance-name ] { hostname ip-address } [ service-port ] [ source { ip ip-address interface interface-type interface-number } ] 2-11

20 You can press <Ctrl+k> to terminate a Telnet operation. The default Telnet port number is 23. If you specify the source address or source interface, then the specified IP address of the main IP address of the specified interface is taken as the source address Configuring Modem Attributes When logging in the switch via the Modem, you can use the following commands to configure these parameters. Perform the following configuration in AUX user interface view. Follow these steps to configure Modem attributes: Set the interval since the system receives the RING until CD_UP Restore the default interval since the system receives the RING until CD_UP Configure auto answer Configure manual answer Configure to allow call-in Configure to bar call-in Configure to permit call-in and call-out. Configure to disable call-in and call-out modem timer answer seconds undo modem timer answer modem auto-answer undo modem auto-answer modem call-in undo modem call-in modem both undo modem both Configuring Redirection I. Send command The following command can be used for sending messages between user interfaces. Perform the following configuration in user view. Follow these steps to configure to send messages between different user interfaces: Configure to send messages between different user interfaces. send { all number type number } 2-12

21 II. Auto-execute command The following command is used to automatically run a command after you log in. After a command is configured to be run automatically, it will be automatically executed when you log in again. This command is usually used to automatically execute telnet command on the terminal, which will connect the user to a designated device automatically. Perform the following configuration in user interface view. Follow these steps to configure to automatically run the command: Configure to automatically run the command Configure not to automatically run the command auto-execute command text undo auto-execute command Note the following points: After executing this command, the user interface can no longer be used to carry out the routine configurations for the local system. Use this command with caution. Make sure that you will be able to log into the system in some other way and cancel the configuration, before you use the auto-execute command command and save the configuration. # Telnet after the user logs in through VTY0 automatically. [H3C-ui-vty0] auto-execute command telnet Displaying and Debugging User Interface Remarks Release a specified user interface connection Display the user application information of the user interface Display the physical attributes and some configurations of the user interface Query history commands selectively free user-interface [ type ] number display users [ all ] display user-interface [ type number number ] [ summary ] display history-command [ Command-Number ] [ { begin include exclude } Match-string ] Available in user view Available in any view Available in any view Available in any view 2-13

22 Remarks Enable debugging for the Modem debugging modem Available in user view 2-14

23 Chapter 3 Management Port Configuration Chapter 3 Management Port Configuration When configuring management port, go to these sections for information you are interested in: Management Port Overview Management Port Configuration IP Isolation Overview 3.1 Management Port Overview S9500 series provide a 10/100Base-TX management port on their SRPU board. The port can be used for the following purposes: Connecting to a background PC for software loading and system debugging Connecting to a remote network management station for remote system management 3.2 Management Port Configuration The following sections describe management port configuration tasks. Configuring an IP address for the port Enabling/disabling the port Setting port description Displaying current system information Testing network connectivity (ping, tracert) Enabling IP isolation Refer to the Ethernet Port part and System Maintenance part of this manual for details. Caution: Only the management port configured with an IP address can be used to manage a switch. 3.3 IP Isolation Overview The main function of IP isolation is to isolate packets between the network management port and the service ports to enhance the security of the network management port. When this feature is enabled, there is no route between network 3-1

24 Chapter 3 Management Port Configuration management port and service ports and packets are not forwarded between them. You can use the network management port dedicatedly to manage the switch, and enabling IP isolation on the management port will not affect data communication service of the switch. If this feature is enabled, the network management port and the service ports cannot communicate with each other and the switch will drop the packets to be forwarded between the network management port and the service ports. Otherwise, the switch can forward packets between the network management port and the service ports. Use the following commands to enable IP isolation between the network management port and the service ports. Follow these steps to configure IP isolation: Remarks Enter system view system-view Enter network management port view Enable IP isolation between the network management port and the service ports. interface M-Ethernet m-ethernet ip isolation Optional This feature is disabled by default. 3-2