HP Load Balancing Module


HP Load Balancing Module
System Management Configuration Guide
Part number:
Software version: Feature 3221
Document version: 6PW

2 Legal and notice information Copyright 2013 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

3 Contents Overview 1 Appearance 1 LB module 1 Application scenarios 1 In small- and medium-sized data centers of campus networks 1 In large data centers of carriers and portal websites 2 Login overview 4 Login methods at a glance 4 CLI user interfaces 5 User interface assignment 5 User interface identification 5 Logging in to the CLI 7 Logging in through the console port for the first time 7 Configuring console login control settings 9 Configuring none authentication for console login 10 Configuring password authentication for console login 11 Configuring scheme authentication for console login 12 Configuring common console user interface settings (optional) 14 Logging in through Telnet 15 Configuring none authentication for Telnet login 16 Configuring password authentication for Telnet login 17 Configuring scheme authentication for Telnet login 18 Configuring common VTY user interface settings (optional) 20 Using the LB module to log in to a Telnet server 22 Logging in through SSH 22 Configuring the SSH server on the LB module 23 Using the LB module to log in to an SSH server 25 Displaying and maintaining CLI login 25 Logging in to the Web interface 27 Web login guidelines and restrictions 27 Logging in with the default settings 27 Modifying the default Web login settings 28 Configuring the Web login function 28 Configuring HTTP login 29 Configuring HTTPS login 30 Displaying and maintaining Web login 33 HTTP login configuration example 33 Network requirements 33 Configuration procedure 33 HTTPS login configuration example 34 Network requirements 34 Configuration procedure 35 Troubleshooting Web browser 36 Cannot access the device through the Web interface 36 Logging in through SNMP 40 Configuring SNMP login 40 Prerequisites 40 i

4 Configuring SNMPv3 settings 40 Configuring SNMPv1 or SNMPv2c settings 41 NMS login example 42 Network requirements 42 Configuration procedure 42 Logging in to the LB module from the network device 43 Logging in to the LB module from the network device 43 Monitoring and managing the LB module on the network device 43 Resetting the system of the LB module 43 Configuring a management IP address for the LB module 44 Configuring the ACSEI protocol 44 Example of monitoring and managing the LB module from the network device 46 Displaying device information 48 Displaying device information 49 Displaying system resource state 49 Displaying interface information 49 Displaying recent system logs 50 Managing the device 51 Configuring the device name 51 Configuring the device name in the Web interface 51 Configuring the device name at the CLI 51 Changing the system time 52 Configuring the system time in the Web interface 52 Configuring the system time at the CLI 54 Setting the Web idle timeout timer 57 Setting the Web idle timeout timer in the Web interface 57 Setting the Web idle timeout timer at the CLI 57 Enabling displaying the copyright statement 58 Configuring banners 58 Banner message input modes 58 Configuration procedure 59 Configuring the maximum number of concurrent users 60 Configuring the exception handling method 60 Rebooting the device 60 Rebooting the device in the Web interface 61 Rebooting the device immediately at the CLI 61 Scheduling a device reboot 61 Scheduling jobs 62 Job configuration approaches 62 Configuration guidelines 63 Scheduling a job in the non-modular approach 63 Scheduling a job in the modular approach 63 Scheduled job configuration example 64 Configuring temperature thresholds for a device 65 Clearing unused 16-bit interface indexes 66 Verifying and diagnosing transceiver modules 66 Verifying transceiver modules 66 Diagnosing transceiver modules 67 Displaying and maintaining device management 67 Configuring local users 69 User levels 69 
Configuring a user privilege level 69 ii

5 Configuring a user privilege level for users through the AAA module 70 Configuring the user privilege level directly on a user interface 71 Switching the user privilege level 72 Configuring local users 75 Configuring local users in the Web interface 75 Local user configuration example for the Web interface 77 Configuring local users at the CLI 78 Controlling user logins 79 Controlling Telnet logins 79 Configuring source IP-based Telnet login control 79 Configuring source/destination IP-based Telnet login control 80 Configuring source MAC-based Telnet login control 80 Telnet login control configuration example 80 Configuring source IP-based SNMP login control 81 Configuration procedure 81 SNMP login control configuration example 82 Configuring Web login control 83 Configuring source IP-based Web login control 83 Logging off online Web users 83 Web login control configuration example 84 Displaying online users 84 Configuring VDs 86 Overview 86 VD benefits 86 VD applications 86 Default VD and non-default VDs 87 Configuring a VD in the Web interface 87 Recommended configuration procedure 87 Creating a VD 88 Assigning interfaces to VDs 89 Assigning VLANs to a VD 90 Logging in to a VD 90 VD configuration example 90 Creating a VD at the CLI 93 VD configuration task list 93 Creating a VD 93 Assigning resources to a VD 94 Setting the maximum number of sessions for a VD 95 Logging in to a VD 95 Setting the maximum number of concurrent sessions for a VD 95 VD configuration example 96 Configuring unified multisystem management 98 Overview 98 Configuration guidelines 98 Configuration procedure 98 Configuration example 99 Configuring NTP 101 Overview 101 NTP application 101 NTP advantages 101 How NTP works 101 NTP message format 102 iii

6 NTP operation modes 104 Configuring NTP in the Web interface 106 Configuring NTP 106 NTP configuration example 108 Configuring NTP at the CLI 110 NTP configuration task list 110 Configuring NTP operation modes 110 Configuring the local clock as a reference source 112 Configuring optional parameters for NTP 113 Configuring access-control rights 114 Configuring NTP authentication 115 Displaying and maintaining NTP 119 NTP client/server mode configuration example 119 NTP symmetric peers mode configuration example 121 NTP broadcast mode configuration example 122 NTP multicast mode configuration example 124 Configuration example for NTP client/server mode with authentication 126 Configuration example for NTP broadcast mode with authentication 128 Configuration guidelines 131 Upgrading software 132 Overview 132 Software upgrade methods 132 Upgrading BootWare 133 Upgrading the system software 133 Upgrading system software in the Web interface 134 Upgrading system software at the CLI 135 Installing hotfixes 135 Basic concepts 135 Patch states 136 Patch installation task list 138 Installation prerequisites 138 Installing and running a patch in one step 139 Installing a patch step by step 139 Uninstalling a patch step by step 141 Displaying and maintaining software upgrade 141 Software upgrade examples 142 Upgrading the entire system software from the CLI 142 Installing patches from the CLI 143 Managing configuration files 145 Overview 145 Configuration types 145 Configuration file content organization and format 146 Startup with a configuration file 146 Managing configuration files in the Web interface 146 Saving the running configuration 146 Backing up the next-startup configuration file 147 Restoring the next-startup configuration file 148 Resetting the configuration 148 Importing a configuration file 149 Managing configuration files at the CLI 149 Saving the running configuration 149 Configuring configuration rollback 151 Specifying the next-startup configuration file 
154 iv

7 Backing up the next-startup configuration file to a TFTP server 154 Restoring the next-startup configuration file from a TFTP server 154 Deleting the next-startup configuration file 155 Displaying and maintaining a configuration file 155 Using the CLI 157 Command conventions 157 Using the undo form of a command 158 CLI views 158 Entering system view from user view 159 Returning to the upper-level view from any view 159 Returning to user view from any other view 159 Accessing the CLI online help 160 Entering a command 161 Editing a command line 161 Entering a STRING type value for an argument 161 Abbreviating commands 161 Configuring and using command keyword aliases 162 Configuring and using hotkeys 162 Enabling redisplaying entered-but-not-submitted commands 163 Understanding command-line error messages 164 Using the command history function 164 Viewing history commands 165 Setting the command history buffer size for user interfaces 165 Controlling the CLI output 165 Pausing between screens of output 165 Filtering the output from a display command 166 Configuring command levels 168 Changing the level of a command 169 Saving the running configuration 169 Displaying and maintaining CLI 169 Support and other resources 171 Contacting HP 171 Subscription service 171 Related information 171 Documents 171 Websites 171 Conventions 172 Index 174 v

Overview

This document applies to the HP LB module (hereinafter referred to as the LB module).

The HP LB module is designed for data centers of carriers, portal websites, large and medium-sized enterprises, and industries. The LB module can be installed on an HP 7500/9500/12500 switch or an 8800 router to provide load balancing services.

The HP LB module provides server load balancing: deployed at the distribution layer or core layer of a data center, the LB module equally distributes clients' access requests to the servers in the data center, thus ensuring the data center's response speed and service continuity.

You can configure most functions of the LB module in the Web interface and some functions at the command line interface (CLI). Each chapter in this document clearly specifies whether the involved functions can be configured through the Web interface or the CLI.

Appearance

LB module

Figure 1 Appearance of the LB module for 7500/9500/12500 switches

Figure 2 Appearance of the LB module for 8800 routers

Application scenarios

In small- and medium-sized data centers of campus networks

To enhance data center performance, load balancing is used to equally distribute clients' access requests to the servers in the data center. In this scenario, you can deploy the LB module.

Install the LB module into the core switch. The access switch connects the server cluster to the core switch. The LB module's IP address is used as the gateway IP address on each server, and the LB module uses NAT to achieve server load balancing.

Figure 3 Network diagram

In large data centers of carriers and portal websites

Generally, load balancing is implemented in large data centers of carriers and portal websites. In this scenario, one or two LB modules are installed on each stateful failover-capable distribution layer switch, and VRRP is enabled on the LB modules for high reliability.

Figure 4 Network diagram

Login overview

This chapter describes the available login methods and their configuration procedures.

Login methods at a glance

For the first login, you can connect a terminal to the console port of the LB module to access the CLI, or use the username admin and password admin to access the Web interface of the LB module. After login, you can configure other login methods, such as Telnet and SSH, for remote access.

Table 1 Login methods

Logging in to the CLI:

Login method: Logging in through the console port for the first time
Default setting and configuration requirements: By default, login through the console port is enabled, no username or password is required, and the user privilege level is 3.

Login method: Logging in through Telnet
Default setting and configuration requirements: By default, Telnet service is disabled. To use Telnet service, complete the following configuration tasks:
  Enable the Telnet server function.
  Assign an IP address to a Layer 3 interface and make sure the interface and the Telnet client can reach each other. By default, the LB module has the IP address /24 configured for the interface GigabitEthernet 0/1.
  Configure the authentication mode for VTY login users (scheme by default).
  Configure the user privilege level of VTY login users (0 by default).

Login method: Logging in through SSH
Default setting and configuration requirements: By default, SSH service is disabled. To use SSH service, complete the following configuration tasks:
  Enable the SSH server function and configure SSH attributes.
  Assign an IP address to a Layer 3 interface and make sure the interface and the SSH client can reach each other. By default, the LB module has the IP address /24 configured for the interface GigabitEthernet 0/1.
  Enable scheme authentication for VTY login users (scheme by default).
  Configure the user privilege level of VTY login users (0 by default).

Login method: Logging in to the Web interface
Default setting and configuration requirements: By default, you can log in to the Web interface with the IP address /24, username admin, and password admin. (By default, the LB module has the IP address /24 configured for the interface GigabitEthernet 0/1.)

Login method: Logging in through SNMP
Default setting and configuration requirements: By default, SNMP login is disabled. To use SNMP service, complete the following configuration tasks:
  Assign an IP address to a Layer 3 interface, and make sure the interface and the NMS can reach each other. By default, the LB module has the IP address /24 configured for the interface GigabitEthernet 0/1.
  Configure SNMP basic parameters.

Login method: Logging in to the LB module from the network device
Default setting and configuration requirements: When the LB module is inserted in a switch or router, you can use OAA to log in to the LB module from the CLI of the switch or router.

CLI user interfaces

The LB module uses user interfaces (also called "lines") to control CLI logins and monitor CLI sessions. You can configure access control settings, including authentication, user privilege, and login redirect, on user interfaces. After users are logged in, their actions must be compliant with the settings on the user interfaces assigned to them. Users are assigned different user interfaces, depending on their login methods, as shown in Table 2.

Table 2 CLI login method and user interface matrix

User interface: Console user interface
Login method: Console port (EIA/TIA-232 DCE)

User interface: AUX user interface
Login method: AUX port (internal interface, used only for OAP connection to the device holding the module)

User interface: Virtual type terminal (VTY) user interface
Login method: Telnet or SSH

User interface assignment

The LB module automatically assigns user interfaces to CLI login users, depending on their login methods. Each user interface can be assigned to only one user at a time. If no user interface is available, a CLI login attempt will be rejected.

For a CLI login, the LB module always picks the lowest numbered user interface from the idle user interfaces available for the type of login. For example, four VTY user interfaces (0 to 3) are configured, of which VTY 0 and VTY 3 are idle. When a user Telnets to the LB module, the LB module assigns VTY 0 to the user and uses the settings on VTY 0 to authenticate and manage the user.

User interface identification

A user interface can be identified by an absolute number, or by the interface type and a relative number.

An absolute number uniquely identifies a user interface among all user interfaces. The user interfaces are numbered starting from 0 and incrementing by 1, in the sequence of console, AUX, and VTY user interfaces. You can use the display user-interface command without any parameters to view supported user interfaces and their absolute numbers.

A relative number uniquely identifies a user interface among all user interfaces of the same type. The number format is user interface type + number. All user interfaces are numbered starting from 0 and incrementing by 1. For example, the first VTY user interface is VTY 0.
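The numbering and assignment rules above (absolute numbers running across console, AUX and VTY interfaces in that order; relative numbers per type; the lowest-numbered idle interface going to a new login) can be reproduced in a few lines. The following is an added example written for this page, not code from HP or from the LB module; the interface counts, the login-method-to-interface mapping and the sessions in the usage at the bottom are constructed assumptions.

```python
"""User-interface numbering and assignment as the guide describes it.

Added example (not from the HP guide): absolute numbers run 0, 1, 2, ...
across console, AUX and VTY interfaces in that order; a relative number is
the position within one type; a CLI login takes the lowest-numbered idle
interface of the type its login method maps to.  Interface counts and the
sessions below are constructed.
"""

UI_ORDER = ("console", "aux", "vty")   # numbering order stated in the guide
# Login method -> user interface type (Table 2 of the guide).
LOGIN_TO_UI = {"console": "console", "oap": "aux", "telnet": "vty", "ssh": "vty"}


class UserInterfaces:
    def __init__(self, console=1, aux=1, vty=5):
        self.counts = {"console": console, "aux": aux, "vty": vty}
        self.in_use = set()            # absolute numbers currently assigned

    def absolute(self, ui_type, relative):
        """Relative -> absolute: with the default counts, vty 0 -> 2."""
        if not 0 <= relative < self.counts[ui_type]:
            raise ValueError(f"{ui_type} {relative} does not exist")
        base = sum(self.counts[t] for t in UI_ORDER[:UI_ORDER.index(ui_type)])
        return base + relative

    def relative(self, absolute):
        """Absolute -> (type, relative): with the default counts, 2 -> ('vty', 0)."""
        base = 0
        for ui_type in UI_ORDER:
            if absolute < base + self.counts[ui_type]:
                return ui_type, absolute - base
            base += self.counts[ui_type]
        raise ValueError(f"absolute number {absolute} does not exist")

    def assign(self, login_method):
        """Give a new login the lowest-numbered idle interface of its type.

        Returns (type, relative), or None when every interface of that type is
        busy, which is when the guide says the login attempt is rejected.
        """
        ui_type = LOGIN_TO_UI[login_method]
        for rel in range(self.counts[ui_type]):
            absolute = self.absolute(ui_type, rel)
            if absolute not in self.in_use:
                self.in_use.add(absolute)
                return ui_type, rel
        return None

    def release(self, ui_type, relative):
        """Free an interface when its session ends."""
        self.in_use.discard(self.absolute(ui_type, relative))


if __name__ == "__main__":
    # The guide's example: VTY 0 to 3 exist, VTY 0 and VTY 3 are idle.
    ui = UserInterfaces(console=1, aux=1, vty=4)
    ui.in_use = {ui.absolute("vty", 1), ui.absolute("vty", 2)}
    print(ui.assign("telnet"))   # ('vty', 0)
    print(ui.assign("ssh"))      # ('vty', 3)
    print(ui.assign("telnet"))   # None: all VTY interfaces are used
```

The `display user-interface` output mentioned above lists the absolute numbers that `absolute()` computes; `assign()` returning None corresponds to the "All user interfaces are used" message the Telnet sections describe.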

Logging in to the CLI

By default, the first time you access the CLI you can log in through the console port. At the CLI, you can configure Telnet or SSH for remote access.

Logging in through the console port for the first time

To log in through the console port, make sure the console terminal has a terminal emulation program (for example, HyperTerminal in Windows XP). In addition, the port settings of the terminal emulation program must be the same as the default settings of the console port in Table 3.

Table 3 Default console port properties

Parameter: Bits per second
Default: 9600 bps

Parameter: Flow control
Default: None

Parameter: Parity
Default: None

Parameter: Stop bits
Default: 1

Parameter: Data bits
Default: 8

To log in through the console port from a console terminal (for example, a PC):

1. Connect the DB-9 female connector of the console cable to the serial port of the PC.

2. Connect the RJ-45 connector of the console cable to the console port of the LB module.

IMPORTANT: Identify the mark on the console port and make sure you are connecting to the correct port. The serial ports on PCs do not support hot swapping. If the LB module has been powered on, always connect the console cable to the PC before connecting it to the LB module, and when you disconnect the cable, first disconnect it from the LB module.

Figure 5 Connecting a terminal to the console port

3. If the PC is off, turn on the PC.

4. Launch the terminal emulation program and configure the communication properties on the PC. Figure 6 through Figure 8 show the configuration procedure on Windows XP HyperTerminal. Make sure the port settings are the same as listed in Table 3. On Windows Server 2003, add the HyperTerminal program first, and then log in to and manage the LB module as described in this document. On Windows Server 2008, Windows 7, Windows Vista, or some other operating system, obtain a third-party terminal control program first, and then follow the user guide or online help to log in to the LB module.

Figure 6 Connection description

Figure 7 Specifying the serial port used to establish the connection

Figure 8 Setting the properties of the serial port

5. Power on the LB module and press Enter at the prompt.

Figure 9 CLI

6. At the default user view prompt <HP>, enter commands to configure the LB module or view the running status of the LB module. To get help, enter ?.

Configuring console login control settings

The following authentication modes are available for controlling console logins:
  None: Requires no authentication. This mode is insecure.
  Password: Requires password authentication.
  Scheme: Uses the AAA module to provide local or remote console login authentication. You must provide a username and password for accessing the CLI.

By default, console login does not require authentication. Any user can log in through the console port without authentication and have user privilege level 3. To improve device security, configure the password or scheme authentication mode immediately after you log in to the LB module for the first time.

Table 4 Configuration required for different console login authentication modes

Authentication mode: None
Configuration tasks: Set the authentication mode to none for the console user interface.
Reference: "Configuring none authentication for console login"

Authentication mode: Password
Configuration tasks: Enable password authentication on the console user interface. Set a password.
Reference: "Configuring password authentication for console login"

Authentication mode: Scheme
Configuration tasks: Enable scheme authentication on the console user interface. Configure local or remote authentication settings.
  To configure local authentication:
  1. Configure a local user and specify the password.
  2. Configure the LB module to use local authentication.
  To configure remote authentication:
  1. Configure the RADIUS or HWTACACS scheme on the LB module.
  2. Configure the username and password on the AAA server.
  3. Configure the LB module to use the scheme for user authentication.
Reference: "Configuring scheme authentication for console login"

Configuring none authentication for console login

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Enter console user interface view.
  Command: user-interface console first-number [ last-number ]
  Remarks: N/A

Step 3. Enable none authentication mode.
  Command: authentication-mode none
  Remarks: By default, you can log in to the LB module through the console port without authentication and have user privilege level 3.

Step 4. Configure common settings for console login.
  Command: See "Configuring common console user interface settings (optional)."
  Remarks: Optional.

The next time you attempt to log in through the console port, you do not need to provide any username or password, as shown in Figure

Figure 10 Accessing the CLI through the console port without authentication

Configuring password authentication for console login

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Enter console user interface view.
  Command: user-interface console first-number [ last-number ]
  Remarks: N/A

Step 3. Enable password authentication.
  Command: authentication-mode password
  Remarks: By default, you can log in to the LB module through the console port without authentication and have user privilege level 3 after login.

Step 4. Set a password.
  Command: set authentication password [ hash ] { cipher | simple } password
  Remarks: By default, no password is set.

Step 5. Configure common settings for console login.
  Command: See "Configuring common console user interface settings (optional)."
  Remarks: Optional.

The next time you attempt to log in through the console port, you must provide the configured login password, as shown in Figure 11.

Figure 11 Password authentication interface for console login

Configuring scheme authentication for console login

When scheme authentication is used, you can choose to configure the command authorization and command accounting functions.

If command authorization is enabled, a command is available only if the user has the commensurate user privilege level and is authorized to use the command by the AAA scheme.

Command accounting allows the HWTACACS server to record all commands executed by users, regardless of command execution results. This function helps control and monitor user behaviors on the LB module. If command accounting is enabled and command authorization is not enabled, every executed command is recorded on the HWTACACS server. If both command accounting and command authorization are enabled, only the authorized and executed commands are recorded on the HWTACACS server.

Follow these guidelines when you configure scheme authentication for console login:
  To make the command authorization or command accounting function take effect, apply an HWTACACS scheme to the intended ISP domain. This scheme must specify the IP address of the authorization server and other authorization parameters.
  If the local authentication scheme is used, use the authorization-attribute level level command in local user view to set the user privilege level on the LB module.
  If a RADIUS or HWTACACS authentication scheme is used, set the user privilege level on the RADIUS or HWTACACS server.

To configure scheme authentication for console login:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Enter console user interface view.
  Command: user-interface console first-number [ last-number ]
  Remarks: N/A

Step 3. Enable scheme authentication.
  Command: authentication-mode scheme
  Remarks: Whether local, RADIUS, or HWTACACS authentication is adopted depends on the configured AAA scheme. By default, console login users are not authenticated.

Step 4. Enable command authorization.
  Command: command authorization
  Remarks: Optional. By default, command authorization is disabled. The commands available for a user only depend on the user privilege level.

Step 5. Enable command accounting.
  Command: command accounting
  Remarks: Optional. By default, command accounting is disabled. The accounting server does not record the commands executed by users.

Step 6. Exit to system view.
  Command: quit
  Remarks: N/A

Step 7. Apply an AAA authentication scheme to the intended domain.
  Command:
    a. Enter ISP domain view: domain domain-name
    b. Apply an AAA scheme to the domain: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
    c. Exit to system view: quit
  Remarks: Optional. By default, local authentication is used. For local authentication, configure local user accounts. For RADIUS or HWTACACS authentication, configure the RADIUS or HWTACACS scheme on the LB module and configure authentication settings (including the username and password) on the server. For more information about AAA configuration, see Security Configuration Guide.

Step 8. Create a local user and enter local user view.
  Command: local-user user-name
  Remarks: By default, there is a local user named admin.

Step 9. Set an authentication password for the local user.
  Command: password [ [ hash ] { cipher | simple } password ]
  Remarks: By default, no password is set.

Step 10. Specify a command level for the local user.
  Command: authorization-attribute level level
  Remarks: Optional. By default, the command level is 0.

Step 11. Specify terminal service for the local user.
  Command: service-type terminal
  Remarks: By default, no service type is specified.

Step 12. Configure common settings for console login.
  Command: See "Configuring common console user interface settings (optional)."
  Remarks: Optional.

The next time you attempt to log in through the console port, you must provide the configured login username and password, as shown in Figure 12.

Figure 12 Scheme authentication interface for console login

Configuring common console user interface settings (optional)

Some common settings configured for a console user interface take effect immediately and can interrupt the console login session. To save you the trouble of repeated re-logins, use a login method different from console login to log in to the LB module before you change console user interface settings. After the configuration is complete, change the terminal settings on the configuration terminal and make sure they are the same as the settings on the LB module.

To configure common settings for a console user interface:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Enter console user interface view.
  Command: user-interface console first-number [ last-number ]
  Remarks: N/A

Step 3. Set the baud rate.
  Command: speed speed-value
  Remarks: By default, the baud rate is 9600 bps.

Step 4. Specify the parity check mode.
  Command: parity { even | mark | none | odd | space }
  Remarks: The default setting is none, namely, no parity check.

Step 5. Specify the number of stop bits.
  Command: stopbits { }
  Remarks: The default is 1. Stop bits indicate the end of a character. The more the stop bits, the slower the transmission.

Step 6. Specify the number of data bits in each character.
  Command: databits { }
  Remarks: The default is 8. The setting depends on the character coding type. For example, you can set it to 7 if standard ASCII characters are to be sent, and set it to 8 if extended ASCII characters are to be sent.

Step 7. Define the shortcut key for starting a terminal session.
  Command: activation-key character
  Remarks: By default, you press Enter to start the terminal session.

Step 8. Define a shortcut key for terminating tasks.
  Command: escape-key { default | character }
  Remarks: By default, pressing Ctrl+C terminates a task.

Step 9. Specify the terminal display type.
  Command: terminal type { ansi | vt100 }
  Remarks: By default, the terminal display type is ANSI. The LB module supports two types of terminal display: ANSI and VT100. HP recommends setting the display type of both the LB module and the terminal to VT100. If the LB module and the client use different display types (for example, HyperTerminal or Telnet terminal) or both are set to ANSI, when the total number of characters of the currently edited command line exceeds 80, an anomaly such as cursor corruption or abnormal display of the terminal display might occur on the client.

Step 10. Configure the user privilege level for login users.
  Command: user privilege level level
  Remarks: By default, the default command level is 3 for the console user interface.

Step 11. Set the maximum number of lines to be displayed on a screen.
  Command: screen-length screen-length
  Remarks: By default, a screen displays 24 lines at most. A value of 0 disables pausing between screens of output.

Step 12. Set the size of the command history buffer.
  Command: history-command max-size value
  Remarks: By default, the buffer saves 10 history commands at most.

Step 13. Set the idle-timeout timer.
  Command: idle-timeout minutes [ seconds ]
  Remarks: The default idle-timeout is 10 minutes. The system automatically terminates the user's connection if there is no information interaction between the LB module and the user within the idle-timeout time. Setting idle-timeout to 0 disables the idle-timeout function.

Logging in through Telnet

You can Telnet to the LB module for remote management, or use the LB module as a Telnet client to Telnet to other devices, as shown in Figure 13.

Figure 13 Telnet login

Table 5 shows the Telnet server and client configuration required for a successful Telnet login.

Table 5 Telnet server and Telnet client configuration requirements

Device role: Telnet server
Requirements:
  Enable Telnet server.
  Configure the IP address of a Layer 3 interface, and make sure the Telnet server and client can reach each other. By default, the LB module has the IP address /24 configured for the interface GigabitEthernet 0/1.
  Configure the authentication mode and other settings.

Device role: Telnet client
Requirements:
  Run the Telnet client program.
  Obtain the IP address of the Layer 3 interface on the server.

To control Telnet access to the LB module operating as a Telnet server, configure login authentication and user privilege levels for Telnet users. By default, scheme authentication applies to Telnet login, but no login password is configured. To allow Telnet access to the LB module after you enable the Telnet server, you must configure a password.

The following are authentication modes available for controlling Telnet logins:

  None: Requires no authentication. This mode is insecure.
  Password: Requires a password for accessing the CLI. If your password was lost, log in to the LB module through the console port to re-set the password.
  Scheme: Uses the AAA module to provide local or remote authentication. You must provide a username and password for accessing the CLI. If the password configured in the local user database was lost, log in to the LB module through the console port and re-set the password. If the username or password configured on a remote server was lost, contact the server administrator for help.

Table 6 Configuration required for different Telnet login authentication modes

Authentication mode: None
Configuration tasks: Set the authentication mode to none for the VTY user interface.
Reference: "Configuring none authentication for Telnet login"

Authentication mode: Password
Configuration tasks: Enable password authentication on the VTY user interface. Set a password.
Reference: "Configuring password authentication for Telnet login"

Authentication mode: Scheme
Configuration tasks: Enable scheme authentication on the VTY user interface. Configure local or remote authentication settings.
  To configure local authentication:
  1. Configure a local user and specify the password.
  2. Configure the LB module to use local authentication.
  To configure remote authentication:
  1. Configure the RADIUS or HWTACACS scheme on the LB module.
  2. Configure the username and password on the AAA server.
  3. Configure the LB module to use the scheme for user authentication.
Reference: "Configuring scheme authentication for Telnet login"

Configuring none authentication for Telnet login

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Enable Telnet server.
  Command: telnet server enable
  Remarks: By default, the Telnet server function is disabled.

Step 3. Enter one or multiple VTY user interface views.
  Command: user-interface vty first-number [ last-number ]
  Remarks: N/A

Step 4. Enable none authentication mode.
  Command: authentication-mode none
  Remarks: By default, scheme authentication is enabled for VTY user interfaces.

5. Configure the command level for login users on the current user interfaces.
   Command: user privilege level level
   Remarks: By default, the command level is 0 for VTY user interfaces.
6. Configure common settings for the VTY user interfaces.
   Command: See "Configuring common VTY user interface settings (optional)."
   Remarks: Optional.

The next time you attempt to Telnet to the LB module, you do not need to provide any username or password, as shown in Figure 14. If the maximum number of login users has been reached, your login attempt fails and the message "All user interfaces are used, please try later!" appears.

Figure 14 Telnetting to the LB module without authentication

Configuring password authentication for Telnet login

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable Telnet server.
   Command: telnet server enable
   Remarks: By default, the Telnet server function is disabled.
3. Enter one or multiple VTY user interface views.
   Command: user-interface vty first-number [ last-number ]
   Remarks: N/A
4. Enable password authentication.
   Command: authentication-mode password
   Remarks: By default, scheme authentication is enabled for VTY user interfaces.

5. Set a password.
   Command: set authentication password [ hash ] { cipher | simple } password
   Remarks: By default, no password is set.
6. Configure the user privilege level for login users.
   Command: user privilege level level
   Remarks: The default level is
7. Configure common settings for VTY user interfaces.
   Command: See "Configuring common VTY user interface settings (optional)."
   Remarks: Optional.

The next time you attempt to Telnet to the LB module, you must provide the configured login password, as shown in Figure 15. If the maximum number of login users has been reached, your login attempt fails and the message "All user interfaces are used, please try later!" appears.

Figure 15 Password authentication interface for Telnet login

Configuring scheme authentication for Telnet login

When scheme authentication is used, you can choose to configure the command authorization and command accounting functions. If command authorization is enabled, a command is available only if the user has the commensurate user privilege level and is authorized to use the command by the AAA scheme.

Command accounting allows the HWTACACS server to record all commands executed by users, regardless of command execution results. This function helps control and monitor user behaviors on the LB module. If command accounting is enabled and command authorization is not enabled, every executed command is recorded on the HWTACACS server. If both command accounting and command authorization are enabled, only the authorized and executed commands are recorded on the HWTACACS server.

Follow these guidelines when you configure scheme authentication for Telnet login:

- To make the command authorization or command accounting function take effect, apply an HWTACACS scheme to the intended ISP domain. This scheme must specify the IP address of the authorization server and other authorization parameters.
- If the local authentication scheme is used, use the authorization-attribute level level command in local user view to set the user privilege level on the LB module.
- If a RADIUS or HWTACACS authentication scheme is used, set the user privilege level on the RADIUS or HWTACACS server.

To configure scheme authentication for Telnet login:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable Telnet server.
   Command: telnet server enable
   Remarks: By default, the Telnet server function is disabled.
3. Enter one or multiple VTY user interface views.
   Command: user-interface vty first-number [ last-number ]
   Remarks: N/A
4. Enable scheme authentication.
   Command: authentication-mode scheme
   Remarks: Whether local, RADIUS, or HWTACACS authentication is adopted depends on the configured AAA scheme. By default, local authentication is adopted.
5. Enable command authorization.
   Command: command authorization
   Remarks: Optional. By default, command authorization is disabled. The commands available for a user only depend on the user privilege level.
6. Enable command accounting.
   Command: command accounting
   Remarks: Optional. By default, command accounting is disabled. The accounting server does not record the commands executed by users.
7. Exit to system view.
   Command: quit
   Remarks: N/A
8. Apply an AAA authentication scheme to the intended domain.
   Command:
   a. Enter ISP domain view: domain domain-name
   b. Apply an AAA scheme to the domain: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
   c. Exit to system view: quit
   Remarks: Optional. By default, local authentication is used. For local authentication, configure local user accounts. For RADIUS or HWTACACS authentication, configure the RADIUS or HWTACACS scheme on the LB module and configure authentication settings (including the username and password) on the server. For more information about AAA configuration, see Security Configuration Guide.
9. Create a local user and enter local user view.
   Command: local-user user-name
   Remarks: By default, there is a local user named admin.

10. Set a password.
    Command: password [ [ hash ] { cipher | simple } password ]
    Remarks: By default, no password is set.
11. Specify the command level of the local user.
    Command: authorization-attribute level level
    Remarks: Optional. By default, the command level is 0.
12. Specify Telnet service for the local user.
    Command: service-type telnet
    Remarks: By default, no service type is specified.
13. Exit to system view.
    Command: quit
    Remarks: N/A
14. Configure common settings for VTY user interfaces.
    Command: See "Configuring common VTY user interface settings (optional)."
    Remarks: Optional.

The next time you attempt to Telnet to the CLI, you must provide the configured login username and password, as shown in Figure 16. If you are required to pass a second authentication, you must also provide the correct password to access the CLI. If the maximum number of login users has been reached, your login attempt fails and the message "All user interfaces are used, please try later!" appears.

Figure 16 Scheme authentication interface for Telnet login

Configuring common VTY user interface settings (optional)

You might be unable to access the CLI through a VTY user interface after configuring the auto-execute command command on it. Before you configure the command and save the configuration, make sure you can access the CLI through a different user interface.

To configure common settings for VTY user interfaces:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter one or multiple VTY user interface views.
   Command: user-interface vty first-number [ last-number ]
   Remarks: N/A
3. Enable the terminal service.
   Command: shell
   Remarks: Optional. By default, terminal service is enabled.
4. Enable the user interfaces to support Telnet, SSH, or both of them.
   Command: protocol inbound { all | ssh | telnet }
   Remarks: Optional. By default, both Telnet and SSH are supported. The configuration takes effect the next time you log in.
5. Define a shortcut key for terminating tasks.
   Command: escape-key { default | character }
   Remarks: Optional. By default, pressing Ctrl+C terminates a task.
6. Configure the type of terminal display.
   Command: terminal type { ansi | vt100 }
   Remarks: Optional. By default, the terminal display type is ANSI.
7. Set the maximum number of lines to be displayed on a screen.
   Command: screen-length screen-length
   Remarks: Optional. By default, up to 24 lines are displayed on a screen. A value of 0 disables the function.
8. Set the size of the command history buffer.
   Command: history-command max-size value
   Remarks: Optional. By default, the buffer saves 10 history commands.
9. Set the idle-timeout timer.
   Command: idle-timeout minutes [ seconds ]
   Remarks: Optional. The default idle-timeout is 10 minutes for all user interfaces. The system automatically terminates the user's connection if there is no information interaction between the LB module and the user within the timeout time. Setting idle-timeout to 0 disables the timer.
10. Specify a command to be automatically executed when a user logs in to the user interfaces.
    Command: auto-execute command command
    Remarks: Optional. By default, no automatically executed command is specified. The auto-execute command function is typically used for redirecting a Telnet user to a specific host. After executing the specified command and performing the incurred task, the system automatically disconnects the Telnet session.
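The following is an added example, not taken from the HP guide, that puts the password authentication procedure, the scheme authentication procedure and the common VTY settings above into one session. The hostname LB, the account usera, the ISP domain name system and the placeholder <password> are assumptions.

```text
<LB> system-view
[LB] telnet server enable
# Password authentication on VTY 0 through 4: one shared secret and no per-user
# identity. Shown first because it is the weaker of the two modes.
[LB] user-interface vty 0 4
[LB-ui-vty0-4] authentication-mode password
[LB-ui-vty0-4] set authentication password cipher <password>
[LB-ui-vty0-4] user privilege level 1
[LB-ui-vty0-4] quit
# Scheme authentication with a local account instead: every login carries a
# username, so display users and an HWTACACS accounting server can attribute
# commands to a person. The ISP domain name "system" is assumed.
[LB] domain system
[LB-isp-system] authentication default local
[LB-isp-system] quit
[LB] local-user usera
# cipher rather than simple, so the secret is not kept in clear text in the
# saved configuration. The level comes from the local user, not from the VTY.
[LB-luser-usera] password cipher <password>
[LB-luser-usera] service-type telnet
[LB-luser-usera] authorization-attribute level 1
[LB-luser-usera] quit
[LB] user-interface vty 0 4
[LB-ui-vty0-4] authentication-mode scheme
# Common VTY settings: end idle sessions after 5 minutes instead of 10 and keep
# 20 history commands. No auto-execute command is set, so the CLI stays reachable.
[LB-ui-vty0-4] idle-timeout 5 0
[LB-ui-vty0-4] history-command max-size 20
[LB-ui-vty0-4] quit
# Confirm who is connected and on which VTY before freeing any user interface.
[LB] display users
```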

Using the LB module to log in to a Telnet server

You can use the LB module as a Telnet client to log in to a Telnet server. If the server is located in a different subnet than the LB module, make sure the two devices have routes to reach each other.

Figure 17 Telnetting from the LB module to a Telnet server

To use the LB module to log in to a Telnet server:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Specify the source IPv4 address or source interface for outgoing Telnet packets.
   Command: telnet client source { interface interface-type interface-number | ip ip-address }
   Remarks: Optional. By default, no source IPv4 address or source interface is specified. The LB module automatically selects a source IPv4 address.
3. Exit to user view.
   Command: quit
   Remarks: N/A
4. Use the LB module to log in to a Telnet server.
   Command (IPv4 Telnet server): telnet remote-host [ service-port ] [ vpn-instance vpn-instance-name ] [ source { interface interface-type interface-number | ip ip-address } ]
   Command (IPv6 Telnet server): telnet ipv6 remote-host [ -i interface-type interface-number ] [ port-number ] [ vpn-instance vpn-instance-name ]
   Remarks: Use either command.

Logging in through SSH

SSH offers a secure approach to remote login. By providing encryption and strong authentication, it protects devices against attacks such as IP spoofing and plain text password interception. You can use an SSH client to log in to the LB module operating as an SSH server for remote management, as shown in Figure 18. You can also use the LB module as an SSH client to log in to an SSH server.

Figure 18 SSH login diagram

Table 7 shows the SSH server and client configuration required for a successful SSH login.

Table 7 SSH server and client requirements

SSH server:
- Assign an IP address to a Layer 3 interface, and make sure the interface and the client can reach each other. By default, the LB module has the IP address /24 configured for the interface GigabitEthernet 0/1.
- Configure the authentication mode and other settings.

SSH client:
- If a host operates as an SSH client, run the SSH client program on the host.
- Obtain the IP address of the Layer 3 interface on the server.

To control SSH access to the LB module operating as an SSH server, configure authentication and user privilege level for SSH users.

Configuring the SSH server on the LB module

When scheme authentication is used, you can choose to configure the command authorization and command accounting functions. If command authorization is enabled, a command is available only if the user has the commensurate user privilege level and is authorized to use the command by the AAA scheme.

Command accounting allows the HWTACACS server to record all commands executed by users, regardless of command execution results. This function helps control and monitor user behaviors on the LB module. If command accounting is enabled and command authorization is not enabled, every executed command is recorded on the HWTACACS server. If both command accounting and command authorization are enabled, only the authorized and executed commands are recorded on the HWTACACS server.

Follow these guidelines when you configure the SSH server:
- To make the command authorization or command accounting function take effect, apply an HWTACACS scheme to the intended ISP domain. This scheme must specify the IP address of the authorization server and other authorization parameters.
- If the local authentication scheme is used, use the authorization-attribute level level command in local user view to set the user privilege level on the LB module.
- If a RADIUS or HWTACACS authentication scheme is used, set the user privilege level on the RADIUS or HWTACACS server.

The SSH client authentication method is password in this configuration procedure. For more information about SSH and publickey authentication, see Security Configuration Guide.

To configure the SSH server on the LB module:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create local key pairs.
   Command: public-key local create rsa
   Remarks: By default, no local key pairs are created.
3. Enable SSH server.
   Command: ssh server enable
   Remarks: By default, SSH server is disabled.
4. Enter one or multiple VTY user interface views.
   Command: user-interface vty first-number [ last-number ]
   Remarks: N/A

5. Enable scheme authentication.
   Command: authentication-mode scheme
   Remarks: By default, scheme authentication is enabled on VTY user interfaces.
6. Enable the user interfaces to support Telnet, SSH, or both of them.
   Command: protocol inbound { all | ssh }
   Remarks: Optional. By default, both Telnet and SSH are supported.
7. Enable command authorization.
   Command: command authorization
   Remarks: Optional. By default, command authorization is disabled. The commands available for a user only depend on the user privilege level.
8. Enable command accounting.
   Command: command accounting
   Remarks: Optional. By default, command accounting is disabled. The accounting server does not record the commands executed by users.
9. Exit to system view.
   Command: quit
   Remarks: N/A
10. Apply an AAA authentication scheme to the intended domain.
    Command:
    a. Enter the ISP domain view: domain domain-name
    b. Apply the specified AAA scheme to the domain: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
    c. Exit to system view: quit
    Remarks: Optional. For local authentication, configure local user accounts. For RADIUS or HWTACACS authentication, configure the RADIUS or HWTACACS scheme on the LB module and configure authentication settings (including the username and password) on the server. For more information about AAA configuration, see Security Configuration Guide.
11. Create a local user and enter local user view.
    Command: local-user user-name
    Remarks: By default, there is a local user named admin.
12. Set a password for the local user.
    Command: password [ [ hash ] { cipher | simple } password ]
    Remarks: By default, no password is set.
13. Specify the command level of the user.
    Command: authorization-attribute level level
    Remarks: Optional. By default, the command level is 0.
14. Specify SSH service for the user.
    Command: service-type ssh
    Remarks: By default, no service type is specified.
15. Exit to system view.
    Command: quit
    Remarks: N/A
16. Create an SSH user, and specify the authentication mode for the SSH user.
    Command: ssh user username service-type stelnet authentication-type { password | { any | password-publickey | publickey } assign publickey keyname }
    Remarks: N/A
17. Configure common settings for VTY user interfaces.
    Command: See "Configuring common VTY user interface settings (optional)."
    Remarks: Optional.
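The procedure above as one session, added here as an example and not taken from the HP guide: an SSH-only management path with a local account, where Telnet is refused on the VTYs. The hostname LB, the account sshadmin, the ISP domain name system and the placeholder <password> are assumptions.

```text
<LB> system-view
# Host key pair for the SSH server; nothing can connect before this exists.
[LB] public-key local create rsa
[LB] ssh server enable
# Local authentication for the ISP domain ("system" is an assumed domain name).
[LB] domain system
[LB-isp-system] authentication default local
[LB-isp-system] quit
# The local account: password kept as cipher text, SSH as the only service,
# privilege level set on the user as the local-authentication guideline requires.
[LB] local-user sshadmin
[LB-luser-sshadmin] password cipher <password>
[LB-luser-sshadmin] service-type ssh
[LB-luser-sshadmin] authorization-attribute level 3
[LB-luser-sshadmin] quit
# The matching SSH user, password authentication as in this procedure.
[LB] ssh user sshadmin service-type stelnet authentication-type password
# VTYs: scheme authentication, SSH only (effective from the next login),
# idle sessions closed after 5 minutes. Command authorization and accounting
# are left off here because they need an HWTACACS scheme applied to the domain.
[LB] user-interface vty 0 4
[LB-ui-vty0-4] authentication-mode scheme
[LB-ui-vty0-4] protocol inbound ssh
[LB-ui-vty0-4] idle-timeout 5 0
[LB-ui-vty0-4] quit
# Check the resulting VTY settings and, once a client has logged in, who is on.
[LB] display user-interface vty 0
[LB] display users
```

Keep a console session open while applying this, since protocol inbound ssh and the authentication change only take effect at the next login and a mistake in the account would otherwise lock you out.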

Using the LB module to log in to an SSH server

You can use the LB module as an SSH client to log in to an SSH server. If the server is located in a different subnet than the LB module, make sure the two devices have routes to reach each other.

Figure 19 Logging in to an SSH server from the LB module

Perform the following tasks in user view:

- Log in to an IPv4 SSH server.
  Command: ssh2 server
  Remarks: The server argument represents the IPv4 address or host name of the server.
- Log in to an IPv6 SSH server.
  Command: ssh2 ipv6 server
  Remarks: The server argument represents the IPv6 address or host name of the server.

To work with the SSH server, you might need to configure the SSH client. For information about configuring the SSH client, see Security Configuration Guide.

Displaying and maintaining CLI login

- Display information about the user interfaces that are being used.
  Command: display users [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
- Display information about all user interfaces the LB module supports.
  Command: display users all [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
- Display user interface information.
  Command: display user-interface [ num1 | { aux | console | vty } num2 ] [ summary ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
- Display the configuration of the LB module when it serves as a Telnet client.
  Command: display telnet client configuration [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
- Release a user interface.
  Command: free user-interface { num1 | { aux | console | vty } num2 }
  Remarks: Available in user view. Multiple users can log in to the LB module to simultaneously configure the LB module. When necessary, you can execute this command to release some connections. You cannot use this command to release the connection you are using.

- Lock the current user interface.
  Command: lock
  Remarks: Available in user view. By default, the system does not automatically lock a user interface.
- Send messages to user interfaces.
  Command: send { all | num1 | { aux | console | vty } num2 }
  Remarks: Available in user view.

Logging in to the Web interface

The device provides Web-based configuration interfaces for visual device management and maintenance.

Figure 20 Web-based network management operating environment

Web login guidelines and restrictions

- The PC where you configure the device is not necessarily the Web-based network management terminal. A Web-based network management terminal is a PC (or another terminal) used to log in to the Web interface and is required to be reachable to the device.
- If you click the verification code displayed on the Web login page, you can get a new verification code.
- Up to five users can concurrently log in to the device through the Web interface.
- The Web-based configuration interface supports the operating systems Windows XP, Windows 2000, Windows Server 2003 Enterprise Edition, Windows Server 2003 Standard Edition, Windows Vista, Windows 7, Linux, and Mac OS.
- The Web-based configuration interface supports the browsers Microsoft Internet Explorer 6.0 SP2 and higher, Mozilla Firefox 3.0 and higher, and Google Chrome and higher, and the browser must support and be enabled with JavaScript.
- The Web-based configuration interface does not support the Back, Next, and Refresh buttons provided by the browser. Using these buttons may result in abnormal display of Web pages.
- The Windows firewall limits the number of TCP connections, so when you use IE to log in to the Web interface, you may sometimes be unable to open the Web interface. To avoid this problem, HP recommends that you turn off the Windows firewall before login.
- If the software version of the device changes, clear the cache data on the browser before logging in to the device through the Web interface; otherwise, the Web page content may not be displayed correctly.
- You can display at most entries that support content display by pages.

Logging in with the default settings

You can use the following default settings to log in to the Web interface through HTTP:
- Username: admin.
- Password: admin.
- IP address of the Ethernet port (GigabitEthernet 0/1 for the LB module):

To log in to the Web interface of the LB device from a PC by using the default settings:

1. Connect the Ethernet port of the device to the PC by using a crossover Ethernet cable.
2. Configure an IP address for the PC and make sure the PC and the device can reach each other. For example, assign the PC an IP address (for example, ) within the network segment /24 (except for ).
3. Open the browser and input the login information:
   a. Type the IP address in the address bar and press Enter.
   b. Enter the username and password admin, and the verification code, select the language (English and Chinese are supported at present), and click Login.

Figure 21 Login page of the Web interface

Modifying the default Web login settings

Enter the CLI of the LB module and perform the following configuration:

# Add a telnet user account usera, and set its password to and user privilege level to 3.
<Sysname> system-view
# Add user usera.
[Sysname] local-user usera
# Set the service type to web.
[Sysname-luser-userA] service-type web
# Set the password to
[Sysname-luser-userA] password simple
# Set user level to 3.
[Sysname-luser-userA] authorization-attribute level 3
[Sysname-luser-userA] quit

After the above-mentioned configuration, you can log in to the web-based configuration interface of the LB module by using username usera and password

Configuring the Web login function

The LB module provides a built-in Web server for you to configure the LB module through a Web browser. The LB module supports HTTP 1.0 and HTTPS for transferring webpage data across the Internet. HTTPS uses SSL to encrypt data between the client and the server for data integrity and security, and is more secure than HTTP. You can define a certificate attribute-based access control policy to allow only legal clients to access the LB module.

HTTP login and HTTPS login are separate login methods. To use HTTPS login, you do not need to configure HTTP login. Table 8 shows the basic Web login configuration requirements.

Table 8 Basic Web login configuration requirements

LB module:
- Assign an IP address to a Layer 3 interface. Configure routes to make sure the interface and the PC can reach each other.
- Perform either or both of the following tasks: Configuring HTTP login, Configuring HTTPS login.

PC:
- Install a Web browser.
- Obtain the IP address of the LB module's Layer 3 interface.

Configuring HTTP login

1. Specify a fixed verification code for Web login.
   Command: web captcha verification-code
   Remarks: Optional. By default, a Web user must enter the verification code indicated on the login page to log in. This command is available in user view.
2. Enter system view.
   Command: system-view
   Remarks: N/A
3. Enable the HTTP service.
   Command: ip http enable
   Remarks: By default, HTTP service is enabled.
4. Configure the HTTP service port number.
   Command: ip http port port-number
   Remarks: Optional. The default HTTP service port is 80. If you execute the command multiple times, the last one takes effect.
5. Associate the HTTP service with an ACL.
   Command: ip http acl acl-number
   Remarks: Optional. By default, the HTTP service is not associated with any ACL. Associating the HTTP service with an ACL enables the LB module to allow only clients permitted by the ACL to log in.
6. Set the Web connection timeout time.
   Command: web idle-timeout minutes
   Remarks: Optional. By default, the Web connection timeout time is 10 seconds.
7. Set the size of the buffer for Web login logging.
   Command: web logbuffer size pieces
   Remarks: Optional. By default, the buffer can save up to 512 Web login logs.
8. Create a local user and enter local user view.
   Command: local-user user-name
   Remarks: By default, there is a local user named admin.

9. Configure a password for the local user.
   Command: password [ [ hash ] { cipher | simple } password ]
   Remarks: By default, no password is configured for a newly created local user, and the password for local user admin is admin.
10. Specify the command level of the local user.
    Command: authorization-attribute level level
    Remarks: No command level is configured for the local user.
11. Specify the Web service type for the local user.
    Command: service-type web
    Remarks: By default, no service type is configured for the local user.
12. Exit to system view.
    Command: quit
    Remarks: N/A
13. Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
14. Assign an IP address and subnet mask to the interface.
    Command: ip address ip-address { mask | mask-length }
    Remarks: By default, the interface GigabitEthernet 0/1 on the LB module has the IP address /24 configured.

Configuring HTTPS login

The LB module supports the following HTTPS login modes:

- Simplified mode: To make the LB module operate in this mode, you only need to enable HTTPS service on the LB module. The LB module will use a self-signed certificate (a certificate that is generated and signed by the LB module itself, rather than a CA) and the default SSL settings. This mode is simple to configure but has potential security risks.
- Secure mode: To make the LB module operate in this mode, you must enable HTTPS service on the LB module, specify an SSL server policy for the service, and configure PKI domain-related parameters. This mode is more complicated to configure but provides higher security.

For more information about SSL and PKI, see Security Configuration Guide.

To configure HTTPS login:

1. Specify a fixed verification code for Web login.
   Command: web captcha verification-code
   Remarks: Optional. By default, a Web user must enter the verification code indicated on the login page to log in. This command is available in user view.
2. Enter system view.
   Command: system-view
   Remarks: N/A

3. Associate the HTTPS service with an SSL server policy.
   Command: ip https ssl-server-policy policy-name
   Remarks: Optional. By default, the HTTPS service is not associated with any SSL server policy, and the LB module uses a self-signed certificate for authentication. If you disable the HTTPS service, the system automatically de-associates the HTTPS service from the SSL server policy. Before re-enabling the HTTPS service, associate the HTTPS service with an SSL server policy first. If the HTTPS service has been enabled, any changes to the SSL server policy associated with it do not take effect.
4. Enable the HTTPS service.
   Command: ip https enable
   Remarks: By default, HTTPS is disabled. Enabling the HTTPS service triggers an SSL handshake negotiation process. During the process, if the local certificate of the LB module exists, the SSL negotiation succeeds, and the HTTPS service can be started properly. If no local certificate exists, a certificate application process will be triggered by the SSL negotiation. Because the application process takes much time, the SSL negotiation often fails and the HTTPS service cannot be started normally. In that case, execute the ip https enable command multiple times to start the HTTPS service.
5. Associate the HTTPS service with a certificate attribute-based access control policy.
   Command: ip https certificate access-control-policy policy-name
   Remarks: Optional. By default, the HTTPS service is not associated with any certificate attribute-based access control policy. Associating the HTTPS service with a certificate attribute-based access control policy enables the LB module to control the access rights of clients. You must configure the client-verify enable command in the associated SSL server policy. If not, no clients can log in through HTTPS. The associated SSL server policy must contain at least one permit rule. Otherwise, no clients can log in through HTTPS. For more information about certificate attribute-based access control policies, see Security Configuration Guide.
6. Specify the HTTPS service port number.
   Command: ip https port port-number
   Remarks: Optional. The default HTTPS service port is

7. Associate the HTTPS service with an ACL.
   Command: ip https acl acl-number
   Remarks: By default, the HTTPS service is not associated with any ACL. Associating the HTTPS service with an ACL enables the LB module to allow only clients permitted by the ACL to log in.
8. Specify the authentication mode for users trying to log in to the LB module through HTTPS.
   Command: web https-authorization mode { auto | manual }
   Remarks: Optional. By default, a user must enter the correct username and password to log in through HTTPS. When the auto mode is enabled: If the user's PKI certificate is correct and not expired, the CN field in the certificate is used as the username to perform AAA authentication. If the authentication succeeds, the user automatically enters the Web interface of the LB module. If the user's PKI certificate is correct and not expired, but the AAA authentication fails, the LB module shows the Web login page. The user can log in to the LB module after entering the correct username and password.
9. Set the Web user connection timeout time.
   Command: web idle-timeout minutes
   Remarks: Optional. By default, the Web connection timeout time is 10 minutes.
10. Set the size of the buffer for Web login logging.
    Command: web logbuffer size pieces
    Remarks: Optional. By default, the buffer can save up to 512 Web login logs.
11. Create a local user and enter local user view.
    Command: local-user user-name
    Remarks: By default, there is a local user named admin.
12. Configure a password for the local user.
    Command: password [ [ hash ] { cipher | simple } password ]
    Remarks: By default, no password is configured for a newly created local user, and the password for local user admin is admin.
13. Specify the command level of the local user.
    Command: authorization-attribute level level
    Remarks: By default, no command level is configured for the local user.
14. Specify the Web service type for the local user.
    Command: service-type web
    Remarks: By default, no service type is configured for the local user.
15. Exit to system view.
    Command: quit
    Remarks: N/A
16. Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
17. Assign an IP address and subnet mask to the interface.
    Command: ip address ip-address { mask | mask-length }
    Remarks: By default, the interface GigabitEthernet 0/1 on the LB module has the IP address /24 configured.
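An added example, not from the HP guide, that combines the HTTP and HTTPS procedures above into a Web management path limited to one subnet: HTTPS in simplified mode filtered by an ACL, plain HTTP switched off, a shorter Web timeout and a dedicated account. The basic ACL commands (acl number, rule) and the undo form of ip http enable are assumed from the Comware CLI and are not listed on this page; LB, webadmin, 192.168.10.0/24 and <password> are constructed values.

```text
<LB> system-view
# Basic ACL 2000: permit the management subnet only, deny everything else.
# (acl number / rule are assumed commands; 192.168.10.0/24 is a sample subnet.)
[LB] acl number 2000
[LB-acl-basic-2000] rule permit source 192.168.10.0 0.0.0.255
[LB-acl-basic-2000] rule deny
[LB-acl-basic-2000] quit
# HTTPS in simplified mode (self-signed certificate), reachable only from
# clients permitted by ACL 2000. If ip https enable fails because the local
# certificate is still being applied for, repeat it as the table notes.
[LB] ip https acl 2000
[LB] ip https enable
# Leave plain HTTP off (undo form assumed) so credentials never cross the
# network in clear text; HTTPS is the only Web login offered.
[LB] undo ip http enable
# Close idle Web sessions after 5 minutes instead of the 10-minute default.
[LB] web idle-timeout 5
# A dedicated Web account instead of the default admin/admin pair; cipher
# keeps the password out of the saved configuration in clear text.
[LB] local-user webadmin
[LB-luser-webadmin] password cipher <password>
[LB-luser-webadmin] service-type web
[LB-luser-webadmin] authorization-attribute level 3
[LB-luser-webadmin] quit
# Verify the HTTPS state (enabled, port, ACL binding) and current Web users.
[LB] display ip https
[LB] display web users
```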

Displaying and maintaining Web login

- Display information about Web users.
  Command: display web users [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
- Display HTTP state information.
  Command: display ip http [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
- Display HTTPS state information.
  Command: display ip https [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.

HTTP login configuration example

Network requirements

As shown in Figure 22, configure the LB module to allow the PC to log in over the IP network by using HTTP.

Figure 22 Network diagram

Configuration procedure

1. Configure LB:

# Assign the IP address and the subnet mask to interface GigabitEthernet 0/1.
<LB> system-view
[LB] interface gigabitethernet 0/1
[LB-GigabitEthernet0/1] ip address
[LB-GigabitEthernet0/1] quit
# Set the password to admin for local user admin. Specify the Web service type for the local user, and set the command level to 3 for this user.
[LB] local-user admin
[LB-luser-admin] service-type web
[LB-luser-admin] authorization-attribute level 3
[LB-luser-admin] password simple admin

2. Verify the configuration:

# On the PC, run the Web browser. Enter the IP address of the LB module in the address bar. The Web login page appears, as shown in Figure 23.

Figure 23 Web login page

# Enter the user name, password, and verification code, and click Login. The homepage appears. After login, you can configure device settings through the Web interface.

HTTPS login configuration example

Network requirements

As shown in Figure 24, to prevent unauthorized users from accessing the LB module, configure the LB module as the HTTPS server and the host as the HTTPS client, and request a certificate for each of them.

Figure 24 Network diagram

Configuration procedure

This example assumes that the CA is named new-ca, runs Windows Server, and is installed with the SCEP add-on. This example also assumes that LB, host, and CA can reach one another.

1. Configure LB (HTTPS server):

# Configure a PKI entity, configure the common name of the entity as http-server1, and the FQDN of the entity as ssl.security.com.
<LB> system-view
[LB] pki entity en
[LB-pki-entity-en] common-name http-server1
[LB-pki-entity-en] fqdn ssl.security.com
[LB-pki-entity-en] quit
# Create a PKI domain, specify the trusted CA as new-ca, the URL of the server for certificate request as authority for certificate request as RA, and the entity for certificate request as en.
[LB] pki domain 1
[LB-pki-domain-1] ca identifier new-ca
[LB-pki-domain-1] certificate request url
[LB-pki-domain-1] certificate request from ra
[LB-pki-domain-1] certificate request entity en
[LB-pki-domain-1] quit
# Create RSA local key pairs.
[LB] public-key local create rsa
# Retrieve the CA certificate from the certificate issuing server.
[LB] pki retrieval-certificate ca domain 1
# Request a local certificate from a CA through SCEP for LB.
[LB] pki request-certificate domain 1
# Create an SSL server policy myssl, specify PKI domain 1 for the SSL server policy, and enable certificate-based SSL client authentication.
[LB] ssl server-policy myssl
[LB-ssl-server-policy-myssl] pki-domain 1
[LB-ssl-server-policy-myssl] client-verify enable
[LB-ssl-server-policy-myssl] quit
# Create a certificate attribute group mygroup1, and configure a certificate attribute rule, specifying that the distinguished name in the subject name includes the string of new-ca.
[LB] pki certificate attribute-group mygroup1
[LB-pki-cert-attribute-group-mygroup1] attribute 1 issuer-name dn ctn new-ca
[LB-pki-cert-attribute-group-mygroup1] quit
# Create a certificate attribute-based access control policy myacp. Configure a certificate attribute-based access control rule, specifying that a certificate is considered valid when it matches an attribute rule in certificate attribute group myacp.
[LB] pki certificate access-control-policy myacp
[LB-pki-cert-acp-myacp] rule 1 permit mygroup1
[LB-pki-cert-acp-myacp] quit
# Associate the HTTPS service with SSL server policy myssl.
[LB] ip https ssl-server-policy myssl

# Associate the HTTPS service with certificate attribute-based access control policy myacp.
[LB] ip https certificate access-control-policy myacp
# Enable the HTTPS service.
[LB] ip https enable
# Create a local user named usera, set the password to 123, specify the Web service type, and specify the user privilege level 3. A level-3 user can perform all operations supported by the LB.
[LB] local-user usera
[LB-luser-usera] password simple 123
[LB-luser-usera] service-type web
[LB-luser-usera] authorization-attribute level 3

2. Configure the host (HTTPS client):
On the host, run the IE browser, and then enter in the address bar and request a certificate for the host as prompted.

3. Verify the configuration:
Enter in the address bar, and select the certificate issued by new-ca. When the Web login page of LB appears, enter the username usera and password 123 to log in to the Web management page.

For more information about PKI configuration commands, SSL configuration commands, and the public-key local create rsa command, see Security Command Reference.

Troubleshooting Web browser

Cannot access the device through the Web interface

Symptom
You can ping the device and log in to the device through Telnet. HTTP is enabled, and the operating system and browser version meet the Web interface requirements. However, you cannot access the Web interface of the device.

Analysis
If you use Microsoft Internet Explorer, you can access the Web interface only when the following functions are enabled: Run ActiveX controls and plug-ins, Script ActiveX controls marked safe for scripting, and Active scripting. If you use Mozilla Firefox, you can access the Web interface only when JavaScript is enabled.

Configuring the Internet Explorer settings
1. Open Internet Explorer, and select Tools > Internet Options.
2. Click the Security tab, and then select a Web content zone to specify its security settings.

Figure 25 Internet Explorer setting (I)

3. Click Custom Level. The Security Settings dialog box appears.
4. Enable these functions: Run ActiveX controls and plug-ins, Script ActiveX controls marked safe for scripting, and Active scripting.

Figure 26 Internet Explorer setting (II)

5. Click OK in the Security Settings dialog box.

Configuring Firefox Web browser settings
1. Open the Firefox Web browser, and select Tools > Options.
2. Click the Content tab, select the Enable JavaScript box, and click OK.

Figure 27 Firefox Web browser setting
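The following is an added model (not the LB module's own code) of the certificate attribute-based access control configured in the HTTPS login example above: it parses the attribute-group and access-control-policy lines from that example, decides permit or deny for constructed client certificates, and shows that issuer-name dn ctn new-ca is a substring match, so a stricter equ rule (the constructed STRICT_CONFIG) is the safer form. It assumes that a certificate matches a group only when every attribute in the group matches and that a certificate matching no rule is denied; the certificate DNs are constructed values.

```python
"""Model of the certificate attribute-based access control policy from the HTTPS
login example (added here; not the LB module's code). Assumptions not stated on the
page: a certificate matches an attribute group only when every attribute in the group
matches, and a certificate matching no rule of the policy is denied."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

Certificate = Dict[str, str]  # keys: "issuer-name", "subject-name"
OPERATORS = ("ctn", "nctn", "equ", "nequ")  # contains / not contains / equals / not equals

@dataclass
class Attribute:
    field_name: str  # "issuer-name" or "subject-name"
    operator: str
    value: str

    def matches(self, cert: Certificate) -> bool:
        dn = cert[self.field_name]
        hit = self.value in dn if self.operator in ("ctn", "nctn") else dn == self.value
        return not hit if self.operator in ("nctn", "nequ") else hit

@dataclass
class AttributeGroup:
    name: str
    attributes: List[Attribute] = field(default_factory=list)

    def matches(self, cert: Certificate) -> bool:
        return all(a.matches(cert) for a in self.attributes)  # assumption: all must match

@dataclass
class AccessControlPolicy:
    name: str
    rules: List[tuple]  # (action, group_name) in configuration order
    groups: Dict[str, AttributeGroup]

    def decide(self, cert: Certificate) -> str:
        """Return 'permit' or 'deny' for the certificate."""
        for action, group_name in self.rules:
            if self.groups[group_name].matches(cert):
                return action
        return "deny"  # assumption: implicit deny when no rule matches

def parse_policy(lines: List[str]) -> AccessControlPolicy:
    """Parse attribute-group and access-control-policy CLI lines; a prompt such as
    "[LB] " is stripped, and only dn attributes are modelled."""
    groups: Dict[str, AttributeGroup] = {}
    rules: List[tuple] = []
    policy_name = ""
    current: Optional[AttributeGroup] = None
    for raw in lines:
        t = (raw.split("] ", 1)[1] if raw.startswith("[") else raw).split()
        if not t:
            continue
        if t[:3] == ["pki", "certificate", "attribute-group"]:
            current = groups[t[3]] = AttributeGroup(t[3])
        elif t[0] == "attribute" and current is not None:
            # attribute <id> <issuer-name|subject-name> dn <operator> <value>
            if t[3] != "dn" or t[4] not in OPERATORS:
                raise ValueError(f"unsupported attribute: {raw}")
            current.attributes.append(Attribute(t[2], t[4], " ".join(t[5:])))
        elif t[:3] == ["pki", "certificate", "access-control-policy"]:
            policy_name, current = t[3], None
        elif t[0] == "rule":
            rules.append((t[2], t[3]))  # rule <id> <permit|deny> <group-name>
        elif t[0] == "quit":
            current = None
    return AccessControlPolicy(policy_name, rules, groups)

# The attribute group and policy exactly as configured on the page.
PAGE_CONFIG = [
    "[LB] pki certificate attribute-group mygroup1",
    "[LB-pki-cert-attribute-group-mygroup1] attribute 1 issuer-name dn ctn new-ca",
    "[LB-pki-cert-attribute-group-mygroup1] quit",
    "[LB] pki certificate access-control-policy myacp",
    "[LB-pki-cert-acp-myacp] rule 1 permit mygroup1",
    "[LB-pki-cert-acp-myacp] quit",
]
# Constructed stricter variant: equ on the full issuer DN instead of ctn on a substring.
STRICT_CONFIG = [
    "pki certificate attribute-group mygroup1",
    "attribute 1 issuer-name dn equ CN=new-ca,O=ExampleLab,C=US",
    "quit",
    "pki certificate access-control-policy myacp",
    "rule 1 permit mygroup1",
    "quit",
]
CERTS = {  # constructed client certificates, reduced to the fields the policy inspects
    "new-ca": {"issuer-name": "CN=new-ca,O=ExampleLab,C=US", "subject-name": "CN=host"},
    "lookalike": {"issuer-name": "CN=not-new-ca,O=Other,C=US", "subject-name": "CN=host"},
    "other-ca": {"issuer-name": "CN=other-ca,O=Other,C=US", "subject-name": "CN=host"},
}

if __name__ == "__main__":
    for label, cfg in (("ctn policy", PAGE_CONFIG), ("equ policy", STRICT_CONFIG)):
        policy = parse_policy(cfg)
        for name, cert in CERTS.items():
            print(f"{label}: certificate issued by {name} -> {policy.decide(cert)}")
```

Under the page's ctn rule the lookalike issuer is permitted because its DN contains new-ca; the equ rule permits only the exact issuer DN.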

Logging in through SNMP

You can run SNMP on an NMS to access the MIB and perform GET and SET operations to manage and monitor the LB module. The LB module supports SNMPv1, SNMPv2c, and SNMPv3, and can work with various network management software modules, including IMC. For more information about SNMP, see System Maintenance Configuration Guide.

By default, SNMP access is disabled. To enable SNMP access, log in to the LB module through any other method and configure SNMP login.

Configuring SNMP login

Connect the PC (the NMS) and the LB module to the network, making sure they can reach each other, as shown in Figure 28. This section describes only the basic SNMP configuration procedures on the LB module.

Figure 28 Network diagram

IMPORTANT: To make SNMP operate correctly, make sure the SNMP settings (including the SNMP version) on the NMS are consistent with those on the LB module.

Prerequisites
• Assign an IP address to a Layer 3 interface on the LB module. By default, the LB module has the IP address /24 configured for the interface GigabitEthernet 0/1.
• Configure routes to make sure the NMS and the Layer 3 interface can reach each other.

Configuring SNMPv3 settings
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enable the SNMP agent.
  Command: snmp-agent
  Remarks: Optional. By default, the SNMP agent is disabled. You can enable the SNMP agent with this command or any command that begins with snmp-agent (except for snmp-agent calculate-password).

Step 3: Configure an SNMP group and specify its access right.
  Command: snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number | acl ipv6 ipv6-acl-number ] *
  Remarks: By default, no SNMP group is configured.
Step 4: Add a user to the SNMP group.
  Command: snmp-agent usm-user v3 user-name group-name [ [ cipher ] authentication-mode { md5 | sha } auth-password [ privacy-mode { 3des | aes128 | des56 } priv-password ] ] [ acl acl-number | acl ipv6 ipv6-acl-number ] *
  Remarks: N/A

Configuring SNMPv1 or SNMPv2c settings
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enable the SNMP agent.
  Command: snmp-agent
  Remarks: Optional. By default, the SNMP agent is disabled. You can enable the SNMP agent with this command or any command that begins with snmp-agent (except for snmp-agent calculate-password).
Step 3: Create or update MIB view information.
  Command: snmp-agent mib-view { excluded | included } view-name oid-tree [ mask mask-value ]
  Remarks: Optional. By default, the MIB view name is ViewDefault and the OID is 1.
Step 4: Configure the SNMP access right.
  Command (approach 1, specify the SNMP NMS access right directly by configuring an SNMP community): snmp-agent community { read | write } community-name [ mib-view view-name ] [ acl acl-number | acl ipv6 ipv6-acl-number ] *
  Command (approach 2, configure an SNMP group and add a user to the SNMP group):
    a. snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number | acl ipv6 ipv6-acl-number ] *
    b. snmp-agent usm-user { v1 | v2c } user-name group-name [ acl acl-number | acl ipv6 ipv6-acl-number ] *
  Remarks: Use either approach. The username in approach 2 is equivalent to the community name used in approach 1, and must be the same as the community name configured on the NMS.

NMS login example

Network requirements
Configure the LB module and network management station so you can remotely manage the LB module through SNMPv3.

Figure 29 Network diagram

Configuration procedure
1. Configure LB:
# Assign an IP address to the LB module. Make sure the LB module and the NMS can reach each other. (Details not shown.)
# Enter system view.
<LB> system-view
# Enable the SNMP agent.
[LB] snmp-agent
# Configure an SNMP group.
[LB] snmp-agent group v3 managev3group
# Add a user to the SNMP group.
[LB] snmp-agent usm-user v3 managev3user managev3group
2. Configure the NMS:
Make sure the NMS has the same SNMP settings, including the username, as the LB module. If not, the LB module cannot be discovered or managed by the NMS.
3. Use the network management station to discover, query, and configure the LB module. For more information, see the NMS manual.
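The following is an added example (not HP code) that audits snmp-agent lines written in the syntax of the SNMPv3 and SNMPv1/SNMPv2c tables above. It runs over the NMS login example from this page, where the v3 group is created without the authentication or privacy keyword, and over a constructed hardened variant; the ACL number and the two password placeholders in the hardened lines are made-up values.

```python
"""Audit of snmp-agent configuration lines in the Comware syntax shown in the SNMPv3
and SNMPv1/SNMPv2c tables above (added example, not HP code). Findings are
(severity, message) pairs; a prompt such as "[LB] " is stripped from each line."""
from typing import List, Tuple

Finding = Tuple[str, str]

def audit_snmp_config(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for raw in lines:
        t = raw.strip().split("] ", 1)[-1].split()
        if len(t) < 2 or t[0] != "snmp-agent":
            continue
        if t[1] == "community" and len(t) >= 4:
            # snmp-agent community { read | write } community-name [...] [ acl acl-number ]
            access, name = t[2], t[3]
            findings.append(("high" if access == "write" else "medium",
                             f"SNMPv1/v2c community '{name}' grants {access} access; "
                             "community names cross the network in cleartext"))
            if name.lower() in ("public", "private"):
                findings.append(("high", f"community '{name}' is a well-known default name"))
            if "acl" not in t:
                findings.append(("medium", f"community '{name}' has no ACL limiting NMS source addresses"))
        elif t[1] == "group" and len(t) >= 4:
            # snmp-agent group { v1 | v2c | v3 } group-name [ authentication | privacy ] [...]
            version, name = t[2], t[3]
            if version in ("v1", "v2c"):
                findings.append(("medium", f"SNMP{version} group '{name}' offers no authentication or encryption"))
            elif version == "v3":
                level = "privacy" if "privacy" in t else "authentication" if "authentication" in t else "none"
                if level != "privacy":
                    findings.append(("high" if level == "none" else "medium",
                                     f"SNMPv3 group '{name}' security level is {level}; privacy recommended"))
            if "acl" not in t:
                findings.append(("medium", f"group '{name}' has no ACL limiting NMS source addresses"))
        elif t[1] == "usm-user" and len(t) >= 5 and t[2] == "v3":
            # snmp-agent usm-user v3 user-name group-name [ authentication-mode ... [ privacy-mode ... ] ]
            user = t[3]
            if "authentication-mode" not in t:
                findings.append(("high", f"SNMPv3 user '{user}' has no authentication password"))
            elif t[t.index("authentication-mode") + 1] == "md5":
                findings.append(("low", f"SNMPv3 user '{user}' uses md5 authentication; prefer sha"))
            if "privacy-mode" not in t:
                findings.append(("medium", f"SNMPv3 user '{user}' has no privacy password; queries are unencrypted"))
            else:
                priv = t[t.index("privacy-mode") + 1]
                if priv in ("des56", "3des"):
                    findings.append(("low", f"SNMPv3 user '{user}' uses {priv} privacy; prefer aes128"))
    return findings

# The configuration from the NMS login example on this page.
PAGE_EXAMPLE = [
    "[LB] snmp-agent",
    "[LB] snmp-agent group v3 managev3group",
    "[LB] snmp-agent usm-user v3 managev3user managev3group",
]
# Constructed hardened variant; the ACL number and password placeholders are made up.
HARDENED_EXAMPLE = [
    "snmp-agent",
    "snmp-agent group v3 managev3group privacy acl 2000",
    "snmp-agent usm-user v3 managev3user managev3group authentication-mode sha "
    "AUTH-PASSWORD-PLACEHOLDER privacy-mode aes128 PRIV-PASSWORD-PLACEHOLDER acl 2000",
]
# Constructed SNMPv2c community line (approach 1 in the SNMPv1/SNMPv2c table).
COMMUNITY_EXAMPLE = ["snmp-agent community read public"]

if __name__ == "__main__":
    for label, cfg in (("page", PAGE_EXAMPLE), ("hardened", HARDENED_EXAMPLE), ("community", COMMUNITY_EXAMPLE)):
        result = audit_snmp_config(cfg)
        print(f"{label}: {len(result)} finding(s)")
        for severity, message in result:
            print(f"  [{severity}] {message}")
```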

Logging in to the LB module from the network device

Logging in to the LB module from the network device

Use the following command to log in to the LB module. After login, the terminal screen displays the CLI of the LB module. To return to the CLI on the device, press Ctrl+K.

To log in to the LB module from the network device, execute one of the following commands in user view as appropriate:
Task: Log in to the OAP system from the device.
  Command (standalone mode): oap connect slot slot-number
  Command (IRF mode): oap connect chassis chassis-number slot slot-number

Monitoring and managing the LB module on the network device

Resetting the system of the LB module

CAUTION: Resetting the LB module might cause data loss and service interruption. Before resetting the LB module, save the configurations of the LB module operating system and shut down the LB module operating system to avoid service interruption and data loss.

If the operating system of the LB module works abnormally (for example, the system does not respond), you can reset the system with the following command. The LB module has an independent CPU; therefore, the network device can still recognize and control the LB module after you reset the system of the LB module.

To reset the system of the LB module, execute one of the following commands in user view as appropriate:
Task: Reset the LB module.
  Command (standalone mode): oap reboot slot slot-number
  Command (IRF mode): oap reboot chassis chassis-number slot slot-number

Configuring a management IP address for the LB module

NOTE: Support for this feature varies by the device model and software release of the network device that holds the LB module.

In the OAA system, the network device and the LB module integrate together and function as one device. For the SNMP UDP domain-based NMS, however, the device and the LB module are independent SNMP agents. Physically, the two agents are on the same managed object. Logically, they belong to two different systems and manage their own MIB objects on the device and the module separately. When you use the NMS to manage the device and the LB module on the same interface, you must first obtain the management IP addresses of the two SNMP agents and obtain the link relationship between them. Then, you can access the two agents.

The management IP address configured on the device for the LB module must be the same as that configured on the LB module. Otherwise, the NMS cannot access the LB module by using the configured management IP address.

To configure a management IP address for the LB module:
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Configure a management IP address for an LB module.
  Command (standalone mode): oap management-ip ip-address slot slot-number
  Command (IRF mode): oap management-ip ip-address chassis chassis-number slot slot-number
  Remarks: Not configured by default.

Configuring the ACSEI protocol

ACSEI functions

ACFP Client and Server Exchange Information (ACSEI) is an HP proprietary protocol. ACSEI uses the server/client model:
• The ACSEI server is integrated in the Comware software system of the device as a function.
• The ACSEI client is integrated in the Comware software system of the device as a function or in the Comware software system of the LB module as a function.

ACSEI provides the following functions:
• Enables ACSEI clients to register and deregister with the ACSEI server.
• Enables the ACSEI server to assign IDs to ACSEI clients to distinguish among them.
• Allows the ACSEI server and an ACSEI client to mutually monitor and detect each other.
• Supports information interaction between the ACSEI server and ACSEI clients, including clock synchronization.
• Allows the ACSEI server to manage the ACSEI clients. For example, you can close or restart an ACSEI client on the ACSEI server.

ACSEI timers

An ACSEI server supports multiple ACSEI clients. An ACSEI server uses two timers, which can be set at the CLI:
• Clock synchronization timer: Used to periodically trigger the ACSEI server to send clock synchronization advertisements to the ACSEI clients.
• Client monitoring timer: Used to periodically trigger the ACSEI server to send monitoring requests to the ACSEI clients.

An ACSEI client also uses two timers, neither of which is configurable:
• Registration timer: Used to periodically trigger the ACSEI client to multicast registration requests (with the multicast MAC address 010F-E ).
• Monitoring timer: Used to periodically trigger the ACSEI client to send monitoring requests to the ACSEI server.

ACSEI startup and operation

After you enable the ACSEI server function on the device and enable the ACSEI client on the ACSEI client:
1. The ACSEI client multicasts registration requests.
2. After the ACSEI server receives a valid registration request, it negotiates parameters with the ACSEI client. If the negotiation succeeds, the server establishes a connection to the client.
3. The ACSEI server and the ACSEI client mutually monitor the connection.
4. If the ACSEI server detects the disconnection of the ACSEI client, the server removes the configuration and policies that are associated with the client.

Configuring ACSEI server on the network device
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enable the ACSEI server function.
  Command: acsei server enable
  Remarks: Disabled by default.
Step 3: Enter ACSEI server view.
  Command: acsei server
  Remarks: N/A
Step 4: Set the clock synchronization timer.
  Command: acsei timer clock-sync minutes
  Remarks: Optional. Five minutes by default.
Step 5: Set the client monitoring timer.
  Command: acsei timer monitor seconds
  Remarks: Optional. Five seconds by default.
Step 6: Close an ACSEI client.
  Command: acsei client close client-id
  Remarks: Optional. This command is available only for an ACSEI client that is running on a Linux operating system.
Step 7: Restart an ACSEI client.
  Command: acsei client reboot client-id
  Remarks: Optional.

Configuring ACSEI client on the LB module

The ACSEI client is integrated in the Comware software system of the LB module as a function. It can be started only on one interface of the LB module at a time. However, the ACSEI client on the LB module and that on the device can run simultaneously.

To configure the ACSEI client on the LB module:
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 3: Enable the ACSEI client.
  Command: acsei-client enable
  Remarks: Disabled by default.

Displaying and maintaining ACSEI server and client
Task: Display ACSEI client summary on the ACSEI server.
  Command: display acsei client summary [ client-id ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display ACSEI client information on the ACSEI server.
  Command: display acsei client info [ client-id ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display information about the ACSEI client on the ACSEI client.
  Command: display acsei-client information [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display the current state of the ACSEI client on the ACSEI client.
  Command: display acsei-client status [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.

Example of monitoring and managing the LB module from the network device

Network requirements

An LB module is installed in slot 3 of the network device to detect the traffic passing the network device. The internal interface Ten-GigabitEthernet3/0/1 on the network device is connected to the internal interface Ten-GigabitEthernet0/0 on the LB module. When the traffic arrives at the network device, the network device redirects it to the LB module. The LB module processes the traffic based on the configured policy, and then redirects the traffic that passes the detection to the network device for forwarding.

Configure the network device and LB module so that you can log in to and restart the LB module from the network device. Configure the clock synchronization timer from the network device to the LB module as 10 minutes, and configure the monitoring timer as 10 seconds.

Figure 30 Network diagram

Configuration procedure

The following configuration uses a switch as an example. The configuration on a router is the same.

1. Log in to the LB module from the network device.
<Switch> oap connect slot 3
Connected to OAP!
<LB>

2. Configure the clock synchronization timer and the monitoring timer on the network device:
# Enable the ACSEI server.
<Switch> system-view
[Switch] acsei server enable
# Enter ACSEI server view.
[Switch] acsei server
# Set the clock synchronization timer from the network device to the LB module to 10 minutes.
[Switch-acsei server] acsei timer clock-sync 10
# Set the monitoring timer from the network device to the LB module to 10 seconds.
[Switch-acsei server] acsei timer monitor 10

3. Configure the LB module:
# Enable the ACSEI client on the Ten-GigabitEthernet 0/0 interface.
<LB> system-view
[LB] interface Ten-GigabitEthernet0/0
[LB-Ten-GigabitEthernet0/0] acsei-client enable

Verifying the configuration

1. Restart the LB module on the network device.
<Switch> oap reboot slot 3
This command will recover the OAP from shutdown or other failed state.
Warning: This command may lose the data on the hard disk if the OAP is not being shut down! Continue? [Y/N]:y
Reboot OAP by command.
The output shows that you can restart the LB module on the network device.

2. Display the ACSEI server configuration information on the network device.
<Switch> display current-configuration configuration acsei-server
#
acsei server
 acsei timer clock-sync 10
 acsei timer monitor 10
#
return
The output shows that the clock synchronization timer and monitoring timer from the network device to the LB module are 10 minutes and 10 seconds, respectively.

Displaying device information

When you log in to the Web interface, you are placed on the Summary > Device Info page.

Figure 31 Device overview

Select the refresh mode from the Refresh Period list. If you select a specific period, the system periodically refreshes the Device Info page. If you select Manual, click Refresh to refresh the page.

Displaying device information
Table 9 Field description
  Device Location: Location of the device.
  Contact Information: Contact information for device maintenance.
  SerialNum: Serial number of the device.
  Software Version: Software version of the device.
  Hardware Version: Hardware version of the device.
  Bootrom Version: BootWare version of the device.
  Running Time: Running time after the latest boot of the device.

Displaying system resource state
Table 10 Field description
  CPU Usage: Real-time CPU usage.
  Flow Engine Usage: Real-time flow engine usage.
  Memory Usage: Real-time memory usage.
  Temperature: Temperature of the device.
  Active Sessions on Current Virtual Device: Active sessions on the current virtual device.
  All Active Sessions: All the active sessions on the device.

Displaying interface information
Table 11 Field description
  Interface: Interface name and interface number.
  IP Address/Mask: IP address and mask of an interface.
  Zone: Security zone to which an interface belongs.

  Status: Interface status, one of: the interface is up and is connected; the interface is up, but not connected; the interface is down.

To know more about device interfaces, click the More hyperlink under the Device Interface Information area to enter the System > Interface page to view and operate the interfaces. For more information, see Network Management Configuration Guide.

The Device Info page does not display the security zone to which a Layer 2 Ethernet interface belongs.

Displaying recent system logs
Table 12 Field description
  Time: Time when the system logs are generated.
  Level: Level of the system logs.
  Description: Contents of the system logs.

To know more about system operation logs, click the More hyperlink under the Recent System Logs area to enter the Log Report > Report > System Log page to view the logs. For more information, see System Maintenance Configuration Guide.

Managing the device

Device management includes monitoring the operating status of devices and configuring their running parameters. The configuration tasks in this document are order independent. You can perform these tasks in any order.

Configuring the device name

A device name identifies a device in a network and works as the user view prompt at the CLI. For example, if the device name is Sysname, the user view prompt is <Sysname>.

Configuring the device name in the Web interface
1. Select System > Device Management > Device Basic Info from the navigation tree to enter the page shown in Figure 32.
2. Enter the system name.
3. Click Apply.

Figure 32 Device basic information

The current system name is displayed at the very top of the navigation tree, as shown in Figure 33.

Figure 33 Current system name

Configuring the device name at the CLI
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Configure the device name.
  Command: sysname sysname
  Remarks: The default device name is HP.

Changing the system time

You must synchronize your device with a trusted time source by using NTP or by changing the system time before you run it on the network. Network management depends on an accurate system time setting, because the timestamps of system messages and logs use the system time. For NTP configuration, see "Configuring NTP." In a small-sized network, you can manually set the system time of each device.

IMPORTANT: If you reboot the device, the system time and date are restored to the factory default. To ensure an accurate system time setting, you must change the system time and date or configure NTP for the device.

Configuring the system time in the Web interface

The System Time page allows you to display and set the device system time, time zone, and daylight saving time in the Web interface. The device supports setting the system time through manual configuration and through automatic synchronization with an NTP server.

Displaying the current system time
Select System > System Time from the navigation tree to enter the System Time tab page, as shown in Figure 34. The current system time of the device appears on the page.

Figure 34 System time page

Configuring the system time
1. Select System > System Time from the navigation tree. The System Time page appears as shown in Figure 34.
2. Click the System Time Configuration text box. The calendar page appears.

Figure 35 Calendar page

3. Modify the system time either in the System Time Configuration text box, or through the calendar page. You can perform the following operations on the calendar page:
• Click Today to set the current date on the calendar to the current system date of the local host; the time stays unchanged.
• Set the year, month, date, and time, and then click OK.
4. Click Apply in the system time configuration page to save your configuration.

Configuring the time zone and daylight saving time
1. Select Device > System Time from the navigation tree.
2. Click Time Zone. The page for setting the time zone appears.

Figure 36 Setting the time zone

3. Configure the time zone and daylight saving time as described in Table 13.
4. Click Apply.

Table 13 Configuration items
  Time Zone: Set the time zone for the system.

  Adjust clock for daylight saving time changes: Adjust the system clock for daylight saving time changes, which means adding one hour to the current system time. Click Adjust clock for daylight saving time changes to expand the option, as shown in Figure 37. You can configure the daylight saving time changes in the following ways:
  • Specify that the daylight saving time starts on a specific date and ends on a specific date. The time range must be greater than one day and smaller than one year. For example, configure the daylight saving time to start on August 1st, 2012 at 06:00:00 a.m., and end on September 1st, 2012 at 06:00:00 a.m.
  • Specify that the daylight saving time starts and ends on the corresponding specified days every year. The time range must be greater than one day and smaller than one year. For example, configure the daylight saving time to start on the first Monday in August at 06:00:00 a.m., and end on the last Sunday in September at 06:00:00 a.m.

Figure 37 Setting the daylight saving time

Configuring the system time at the CLI

Configuration guidelines

You can change the system time by configuring the relative time, time zone, and daylight saving time. The configuration result depends on their configuration order (see Table 14). In the first column of this table, 1 represents the clock datetime command, 2 represents the clock timezone command, and 3 represents the clock summer-time command. To verify the system time setting, use the display clock command. This table assumes that the original system time is 2012/1/1 1:00:00.

Table 14 System time configuration results

Command: 1
  Effective system time: date-time
  Configuration example: clock datetime 1: /1/1
  System time: 01:00:00 UTC Mon 01/01/

Command: 2
  Effective system time: Original system time ± zone-offset
  Configuration example: clock timezone zone-time add 1
  System time: 02:00:00 zone-time Sat 01/01/

Command: 1, 2
  Effective system time: date-time ± zone-offset
  Configuration example: clock datetime 2: /2/2; clock timezone zone-time add 1
  System time: 03:00:00 zone-time Fri 02/02/

Command: 2, 1
  Effective system time: date-time
  Configuration example: clock timezone zone-time add 1; clock datetime 3: /3/3
  System time: :00:00 zone-time Sat 03/03/

Command: 3
  Effective system time: The original system time outside the daylight saving time range: the system time does not change until it falls into the daylight saving time range.
  Configuration example: clock summer-time ss one-off 1: /1/1 1: /8/8 2
  System time: 01:00:00 UTC Sat 01/01/

Command: 3
  Effective system time: The original system time in the daylight saving time range: the system time increases by summer-offset. If the original system time plus summer-offset is beyond the daylight saving time range, the original system time does not change. After you disable the daylight saving setting, the system time automatically decreases by summer-offset.
  Configuration example: clock summer-time ss one-off 00: /1/1 1: /8/8 2
  System time: 03:00:00 ss Sat 01/01/2012

Command: 1, 3
  Effective system time: date-time outside the daylight saving time range: date-time
  Configuration example: clock datetime 1: /1/1; clock summer-time ss one-off 1: /1/1 1: /8/8 2
  System time: 01:00:00 UTC Mon 01/01/

Command: 1, 3
  Effective system time: date-time in the daylight saving time range: date-time + summer-offset. If date-time plus summer-offset is outside the daylight saving time range, the system time equals date-time. After you disable the daylight saving setting, the system time automatically decreases by summer-offset.
  Configuration example: clock datetime 8: /1/1; clock summer-time ss one-off 1: /1/1 1: /8/8 2
  System time: :00:00 ss Mon 01/01/

Command: 3, 1 (date-time outside the daylight saving time range)
  Effective system time: date-time
  Configuration example: clock summer-time ss one-off 1: /1/1 1: /8/8 2; clock datetime 1: /1/1
  System time: 01:00:00 UTC Tue 01/01/

Command: 3, 1 (date-time in the daylight saving time range)
  Effective system time: date-time - summer-offset outside the daylight saving time range: date-time - summer-offset
  Configuration example: clock summer-time ss one-off 1: /1/1 1: /8/8 2; clock datetime 1: /1/1
  System time: 23:30:00 UTC Sun 12/31/

Command: 3, 1 (date-time in the daylight saving time range)
  Effective system time: date-time - summer-offset in the daylight saving time range: date-time
  Configuration example: clock summer-time ss one-off 1: /1/1 1: /8/8 2; clock datetime 3: /1/1
  System time: :00:00 ss Mon 01/01/

Command: 2, 3 or 3, 2
  Effective system time: Original system clock ± zone-offset outside the daylight saving time range: Original system clock ± zone-offset
  Configuration example: clock timezone zone-time add 1; clock summer-time ss one-off 1: /1/1 1: /8/8 2
  System time: 02:00:00 zone-time Sat 01/01/

Command: 2, 3 or 3, 2
  Effective system time: Original system clock ± zone-offset in the daylight saving time range: Original system clock ± zone-offset + summer-offset
  Configuration example: clock timezone zone-time add 1; clock summer-time ss one-off 1: /1/1 1: /8/8 2
  System time: System clock configured: 04:00:00 ss Sat 01/01/

Command: 1, 2, 3 or 1, 3, 2
  Effective system time: date-time ± zone-offset outside the daylight saving time range: date-time ± zone-offset
  Configuration example: clock datetime 1: /1/1; clock timezone zone-time add 1; clock summer-time ss one-off 1: /1/1 1: /8/8 2
  System time: 02:00:00 zone-time Mon 01/01/

Command: 1, 2, 3 or 1, 3, 2
  Effective system time: date-time ± zone-offset in the daylight saving time range: date-time ± zone-offset + summer-offset
  Configuration example: clock datetime 1: /1/1; clock timezone zone-time add 1; clock summer-time ss one-off 1: /1/1 1: /8/8 2
  System time: :00:00 ss Mon 01/01/2012

Command: 2, 3, 1 or 3, 2, 1
  Effective system time: date-time outside the daylight saving time range: date-time
  Configuration example: clock timezone zone-time add 1; clock summer-time ss one-off 1: /1/1 1: /8/8 2; clock datetime 1: /1/1
  System time: 01:00:00 zone-time Mon 01/01/

Command: 2, 3, 1 or 3, 2, 1
  Effective system time: date-time in the daylight saving time range, but date-time - summer-offset outside the summer-time range: date-time - summer-offset
  Configuration example: clock timezone zone-time add 1; clock summer-time ss one-off 1: /1/1 1: /8/8 2; clock datetime 1: /1/1
  System time: 23:30:00 zone-time Mon 12/31/2012

Command: 2, 3, 1 or 3, 2, 1
  Effective system time: Both date-time and date-time - summer-offset in the daylight saving time range: date-time
  Configuration example: clock timezone zone-time add 1; clock summer-time ss one-off 1: /1/1 1: /8/8 2; clock datetime 3: /1/1
  System time: 03:00:00 ss Tue 01/01/

Configuration procedure

To change the system time:
Step 1: Set the system time and date.
  Command: clock datetime time date
  Remarks: Optional. Available in user view.
Step 2: Enter system view.
  Command: system-view
  Remarks: N/A
Step 3: Set the time zone.
  Command: clock timezone zone-name { add | minus } zone-offset
  Remarks: Optional. Coordinated UTC time zone by default.
Step 4: Set a daylight saving time scheme.
  Command (non-recurring scheme): clock summer-time zone-name one-off start-time start-date end-time end-date add-time
  Command (recurring scheme): clock summer-time zone-name repeating start-time start-date end-time end-date add-time
  Remarks: Optional. Use either command. By default, daylight saving time is disabled, and the UTC time zone applies.

Setting the Web idle timeout timer

Setting the Web idle timeout timer in the Web interface

Perform this task to set the idle timeout period for logged-in users. The system logs out a user that stays idle for the specified period.

To set the Web idle timeout:
1. Select System > Device Management > Web Management from the navigation tree to enter the page shown in Figure 38.
2. Enter the idle timeout.
3. Click Apply.

Figure 38 Web management

Setting the Web idle timeout timer at the CLI

You can set the Web idle timeout timer for a logged-in user. After a user logs in to the LB, if the user does not perform any operation before the timer expires, the LB automatically tears down the connection to the user. If you set this timer to 0, the connection is not automatically torn down.

To set the idle timeout timer:
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enter user interface view.
  Command: user-interface { first-num1 [ last-num1 ] | { aux | console | vty } first-num2 [ last-num2 ] }
  Remarks: N/A
Step 3: Set the Web idle timeout timer.
  Command: idle-timeout minutes [ seconds ]
  Remarks: 10 minutes by default.

Enabling displaying the copyright statement

The device by default displays the copyright statement when a Telnet or SSH user logs in, or when a console user quits user view. You can disable or enable the function as needed. The following is a sample copyright statement:

**************************************************************************
* Copyright (c) Hewlett-Packard Development Company, L.P.                *
* Without the owner's prior written consent,                             *
* no decompiling or reverse-engineering shall be allowed.                *
**************************************************************************

To enable displaying the copyright statement:
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enable displaying the copyright statement.
  Command: copyright-info enable
  Remarks: Enabled by default.

Configuring banners

Banners are messages that the system displays during user login. The system supports the following banners:
• Legal banner: Appears after the copyright or license statement. To continue login, the user must enter Y or press Enter. To quit the process, the user must enter N. Y and N are case-insensitive.
• Message of the Day (MOTD) banner: Appears after the legal banner and before the login banner.
• Login banner: Appears only when password or scheme authentication has been configured.
• Incoming banner: Appears for modem users.
• Shell banner: Appears for non-modem users.

Banner message input modes

You can configure a banner in one of the following ways:
• Single-line input: Input the entire banner in the same line as the command. The start and end delimiters for the banner must be the same but can be any visible character. The input text, including the command

66 keywords and the delimiters cannot exceed 510 characters. In this mode, do not press Enter before you input the end delimiter. For example, you can configure the shell banner "Have a nice day." as follows: <System> system-view [System] header shell %Have a nice day.% Multiple-line input Input message text in multiple lines. In this approach, the message text can be up to 2000 characters. Use one of the following methods to implement multi-line input mode: Method 1 Press Enter after the last command keyword. At the system prompt, enter the banner message and end with the delimiter character %. For example, you can configure the banner "Have a nice day. Please input the password." as follows: <System> system-view [System] header shell Please input banner content, and quit with the character '%'. Have a nice day. Please input the password.% Method 2 After you type the last command keyword, type any single character as the start delimiter for the banner and press Enter. At the system prompt, type the banner and end the last line with a delimiter that is the same as the start delimiter. For example, you can configure the banner "Have a nice day. Please input the password." as follows: <System> system-view [System] header shell A Please input banner content, and quit with the character 'A'. Have a nice day. Please input the password.a Method 3 After you type the last keyword, type the start delimiter and part of the banner and press Enter. At the system prompt, enter the rest of the banner and end the last line with a delimiter that is the same as the start delimiter. For example, you can configure the banner "Have a nice day. Please input the password." as follows: <System> system-view [System] header shell AHave a nice day. Please input banner content, and quit with the character 'A'. Please input the password.a Configuration procedure To configure banners: Step Command 1. Enter system view. system-view 2. Configure the incoming banner. header incoming text 3. 
Configure the login banner. header login text 4. Configure the legal banner. header legal text 5. Configure the shell banner. header shell text 6. Configure the MOTD banner. header motd text 59
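The input modes above, as an added example that is not code from the HP guide: a Python parser that recognizes single-line input and the three multi-line methods from the lines an operator would type, and enforces the 510- and 2000-character limits, so a legal or login banner can be checked before it is pasted into a device session. The prompt text the device prints is taken from the guide's examples; function names are the example's own.

```python
"""Parser and validator for the 'header' banner input modes described above.

Added example (not code from the HP guide): it models single-line input and
the three multi-line input methods so that a banner can be checked before it
is pasted into a device session. The limits come from the guide: 510
characters for single-line input (command keywords and delimiters included)
and 2000 characters of message text for multi-line input.
"""

SINGLE_LINE_LIMIT = 510   # whole command line: keywords + delimiters + text
MULTI_LINE_LIMIT = 2000   # message text only
BANNER_TYPES = ("incoming", "login", "legal", "shell", "motd")


def parse_header_input(lines):
    """Parse the lines an operator types for one header command.

    lines[0] is the 'header <type> ...' command line; any further items are
    the lines typed at the "Please input banner content" prompt.
    Returns (banner_type, text, mode), mode being 'single' or 'multi'.
    Raises ValueError for input the device would not accept.
    """
    if not lines:
        raise ValueError("no input")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or parts[0] != "header" or parts[1] not in BANNER_TYPES:
        raise ValueError("expected 'header <type> [text]'")
    banner_type = parts[1]
    rest = parts[2] if len(parts) == 3 else ""

    if rest == "":
        # Method 1: Enter right after the last keyword; '%' ends the text.
        delimiter = "%"
        text_lines = list(lines[1:])
    else:
        # The first character after the keywords is the start delimiter.
        delimiter = rest[0]
        if delimiter.isspace() or not delimiter.isprintable():
            raise ValueError("delimiter must be a visible character")
        body = rest[1:]
        if body.endswith(delimiter):
            # Single-line input: the whole banner sits on the command line.
            if len(lines) != 1:
                raise ValueError("single-line banner takes no further lines")
            if len(lines[0]) > SINGLE_LINE_LIMIT:
                raise ValueError("single-line input exceeds 510 characters")
            return banner_type, body[:-1], "single"
        # Method 2 (nothing after the delimiter) or method 3 (first part of
        # the banner after the delimiter): the rest is typed at the prompt.
        text_lines = ([body] if body else []) + list(lines[1:])

    if not text_lines or not text_lines[-1].endswith(delimiter):
        raise ValueError("last line must end with the delimiter %r" % delimiter)
    text_lines[-1] = text_lines[-1][:-1]
    text = "\n".join(text_lines)
    if len(text) > MULTI_LINE_LIMIT:
        raise ValueError("multi-line banner exceeds 2000 characters")
    return banner_type, text, "multi"


def check_banner(lines):
    """Convenience wrapper: return (ok, detail) instead of raising."""
    try:
        banner_type, text, mode = parse_header_input(lines)
    except ValueError as exc:
        return False, str(exc)
    return True, "%s banner (%s input, %d characters)" % (banner_type, mode, len(text))
```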

Configuring the maximum number of concurrent users

You can configure this command to limit the number of users that can enter system view simultaneously. When the number of concurrent users reaches the upper limit, other users cannot enter system view. When multiple users configure a setting in system view, only the last configuration applies.

To configure the maximum number of concurrent users:

1. Enter system view.
   Command: system-view
2. Configure the maximum number of concurrent users.
   Command: configure-user count number
   Remarks: By default, up to two users can perform operations in system view at the same time.

Configuring the exception handling method

You can configure the device to handle system exceptions in one of the following methods:

reboot: The device automatically reboots to recover from the error condition.
maintain: The device stays in the error condition so you can collect complete data, including error messages, for diagnosis. In this approach, you must manually reboot the device.

To configure the exception handling method:

1. Enter system view.
   Command: system-view
2. Configure the exception handling method for the system.
   Command: system-failure { maintain | reboot }
   Remarks: By default, the system uses the reboot method when an exception occurs.

Rebooting the device

CAUTION: Device reboot can interrupt network services. To avoid data loss, save the current configuration before a reboot.

To restore the device from an error condition or to put newly loaded software into effect, you might need to reboot the device. To reboot the device, use one of the following methods:

Reboot the device immediately in the Web interface or at the CLI.
At the CLI, schedule a reboot to occur at a specific time and date or after a delay.
Power off and then power on the device. This method might cause data loss, and is the least-preferred method.

Rebooting in the Web interface or at the CLI enables easy remote device maintenance.

Rebooting the device in the Web interface

1. Select System > Reboot from the navigation tree.
   Figure 39 Rebooting the device
2. If necessary, select Check whether the configuration is saved to the configuration file for next reboot. If you select this option, the device checks whether the configuration file for the next startup reflects the running configuration. If yes, the device reboots. If not, a prompt is displayed and the device does not reboot. You can save the configuration and try to reboot the device again. If you do not select this option, the device reboots directly.
3. Click Apply. A confirmation dialog box appears.
4. Confirm the reboot operation.

Rebooting the device immediately at the CLI

To reboot a device, execute the following command in user view:

Task: Reboot the device immediately.
   Command: reboot

Scheduling a device reboot

The device supports only one device reboot schedule. If you configure the schedule reboot delay command multiple times, the last configuration takes effect. The schedule reboot at command and the schedule reboot delay command overwrite each other, and whichever is configured last takes effect. For data security, if you are performing file operations at the reboot time, the system does not reboot.

To schedule a device reboot, execute one of the following commands in user view:

Task: Schedule a reboot.
   Command (at a specific time and date): schedule reboot at hh:mm [ date ]
   Command (after a delay): schedule reboot delay { hh:mm | mm }
   Remarks: Use either command. The scheduled reboot function is disabled by default. Changing any clock setting can cancel the reboot schedule.

Scheduling jobs

You can schedule a job to automatically run a command or a set of commands without administrative interference. The commands in a job are polled every minute. When the scheduled time for a command is reached, the job automatically executes the command. If a confirmation is required while the command is running, the system automatically enters Y or Yes. If characters are required, the system automatically enters a default character string, or an empty character string when no default character string is available.

Job configuration approaches

You can configure jobs in a non-modular or modular approach. Use the non-modular approach for a one-time command execution and the modular approach for complex maintenance work.

Table 15 A comparison of non-modular and modular approaches

Configuration method
   Non-modular approach: Configure all elements in one command.
   Modular approach: Separate job, view, and time settings.
Can multiple jobs be configured?
   Non-modular approach: No.
   Modular approach: Yes.
Can a job have multiple commands?
   Non-modular approach: No. If you use the schedule job command multiple times, the most recent configuration takes effect.
   Modular approach: Yes. You can use the time command in job view to configure commands to be executed at different time points.
Supported views
   Non-modular approach: User view and system view. In the schedule job command, shell represents user view, and system represents system view.
   Modular approach: All views. In the time command, monitor represents user view.
Supported commands
   Non-modular approach: Commands in user view and system view.
   Modular approach: Commands in all views.
Can a job be repeatedly executed?
   Non-modular approach: No.
   Modular approach: Yes.
Can a job be saved?
   Non-modular approach: No.
   Modular approach: Yes.

Configuration guidelines

To have a job successfully run a command, make sure the specified view and command are valid. The system does not verify their validity.
After job execution, the configuration interface, view, and user status that you had before job execution are restored, even if the job ran a command to change the user interface (for example, telnet, ftp, and ssh2), the view (for example, system-view and quit), or the user status (for example, super).
The jobs run in the background without displaying any messages except log, trap, and debugging messages.
If you reboot the device, the system time and date are restored to the factory default. To make sure scheduled jobs can be executed at the expected time, you must change the system time and date or configure NTP for the device. For NTP configuration, see "Configuring NTP."
In the modular approach:
   Every job can have only one view and up to 10 commands. If you specify multiple views, the one specified last takes effect.
   Enter a view name in its complete form. Most commonly used view names include monitor for user view, system for system view, GigabitEthernetx/x for Ethernet interface view, and Vlan-interfacex for VLAN interface view.
   The time ID (time-id) must be unique in a job. If two time and command bindings have the same time ID, the one configured last takes effect.

Scheduling a job in the non-modular approach

To schedule a job, execute one of the following commands in user view:

Task: Schedule a job.
   Command (run a command at a specific time): schedule job at time [ date ] view view command
   Command (run a command after a delay): schedule job delay time view view command
   Remarks: Use either command. If you execute the schedule job command multiple times, the most recent configuration takes effect. Changing any clock setting can cancel the job set by using the schedule job command.

Scheduling a job in the modular approach

To configure a scheduled job:

1. Enter system view.
   Command: system-view
2. Create a job and enter job view.
   Command: job job-name
3. Specify the view in which the commands in the job run.
   Command: view view-name
   Remarks: You can specify only one view for a job. The job executes all commands in the specified view.
4. Add commands to the job.
   Command (run at a specific time and date): time time-id at time date command command
   Command (run at a specific time): time time-id { one-off | repeating } at time [ month-date month-day | week-day week-daylist ] command command
   Command (run after a delay): time time-id { one-off | repeating } delay time command command
   Remarks: Use any of the commands. Changing a clock setting does not affect the schedule set by using the time at or time delay command.

Scheduled job configuration example

Network requirements

Configure scheduled jobs on the LB module to enable interfaces GigabitEthernet 0/1, GigabitEthernet 0/2, and GigabitEthernet 0/3 at 8:00 and disable them at 18:00 on working days every week, to control the access of the PCs connected to these interfaces.

Figure 40 Network diagram

Configuration procedure

# Enter system view.
<LB> system-view
# Create a job named pc1, and enter its view.
[LB] job pc1
# Configure the job to be executed in the view of GigabitEthernet 0/1.
[LB-job-pc1] view gigabitethernet 0/1
# Configure the LB module to enable GigabitEthernet 0/1 at 8:00 on working days every week.
[LB-job-pc1] time 1 repeating at 8:00 week-day mon tue wed thu fri command undo shutdown
# Configure the LB module to shut down GigabitEthernet 0/1 at 18:00 on working days every week.
[LB-job-pc1] time 2 repeating at 18:00 week-day mon tue wed thu fri command shutdown

[LB-job-pc1] quit
# Create a job named pc2, and enter its view.
[LB] job pc2
# Configure the job to be executed in the view of GigabitEthernet 0/2.
[LB-job-pc2] view gigabitethernet 0/2
# Configure the LB module to enable GigabitEthernet 0/2 at 8:00 on working days every week.
[LB-job-pc2] time 1 repeating at 8:00 week-day mon tue wed thu fri command undo shutdown
# Configure the LB module to shut down GigabitEthernet 0/2 at 18:00 on working days every week.
[LB-job-pc2] time 2 repeating at 18:00 week-day mon tue wed thu fri command shutdown
[LB-job-pc2] quit
# Create a job named pc3, and enter its view.
[LB] job pc3
# Configure the job to be executed in the view of GigabitEthernet 0/3.
[LB-job-pc3] view gigabitethernet 0/3
# Configure the LB module to enable GigabitEthernet 0/3 at 8:00 on working days every week.
[LB-job-pc3] time 1 repeating at 8:00 week-day mon tue wed thu fri command undo shutdown
# Configure the LB module to shut down GigabitEthernet 0/3 at 18:00 on working days every week.
[LB-job-pc3] time 2 repeating at 18:00 week-day mon tue wed thu fri command shutdown
[LB-job-pc3] quit
# Display information about scheduled jobs.
[LB] display job
Job name: pc1
 Specified view: gigabitethernet 0/1
 Time 1: Execute command undo shutdown at 08:00 Mondays Tuesdays Wednesdays Thursdays Fridays
 Time 2: Execute command shutdown at 18:00 Mondays Tuesdays Wednesdays Thursdays Fridays
Job name: pc2
 Specified view: gigabitethernet 0/2
 Time 1: Execute command undo shutdown at 08:00 Mondays Tuesdays Wednesdays Thursdays Fridays
 Time 2: Execute command shutdown at 18:00 Mondays Tuesdays Wednesdays Thursdays Fridays
Job name: pc3
 Specified view: Gigabitethernet 0/3
 Time 1: Execute command undo shutdown at 08:00 Mondays Tuesdays Wednesdays Thursdays Fridays
 Time 2: Execute command shutdown at 18:00 Mondays Tuesdays Wednesdays Thursdays Fridays

Configuring temperature thresholds for a device

You can set the temperature threshold to monitor the temperature of a device. When the temperature reaches the threshold, the device generates alarms.

To configure the temperature threshold:

1. Enter system view.
   Command: system-view
2. Configure the temperature threshold for a device.
   Command: temperature-limit slot slot-number hotspot sensor-number lowerlimit warninglimit
   Remarks: Optional.

Clearing unused 16-bit interface indexes

The device must maintain persistent 16-bit interface indexes and keep each interface index matched to one interface name for network management. After deleting a logical interface, the device retains its 16-bit interface index so the same index can be assigned to the interface when it is re-created. To avoid index depletion causing interface creation failures, you can clear all 16-bit indexes that have been assigned but are not in use. The operation does not affect the interface indexes of the interfaces that have been created, but the indexes assigned to re-created interfaces might change.

A confirmation is required when you execute this command. The command will not run if you fail to confirm within 30 seconds or enter N to cancel the operation.

To clear unused 16-bit interface indexes, execute the following command in user view:

Task: Clear unused 16-bit interface indexes.
   Command: reset unused porttag

Verifying and diagnosing transceiver modules

This section describes how to verify and diagnose transceiver modules.

Verifying transceiver modules

You can verify the genuineness of a transceiver module in the following ways:

Display the key parameters of a transceiver module, including its transceiver type, connector type, central wavelength of the transmit laser, transfer distance, and vendor name.
Display its electronic label. The electronic label is a profile of the transceiver module and contains the permanent configuration, including the serial number, manufacturing date, and vendor name. The data is written to the storage component during debugging or testing.

To verify transceiver modules:

Task: Display key parameters of the transceiver modules.
   Command: display transceiver interface [ interface-type interface-number ] [ { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Task: Display the electronic label information of transceiver modules.
   Command: display transceiver manuinfo interface [ interface-type interface-number ] [ { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.

Diagnosing transceiver modules

The device provides the alarm function and the digital diagnosis function for transceiver modules. When a transceiver module fails or works inappropriately, you can examine the alarms present on the transceiver module to identify the fault source, or examine the key parameters monitored by the digital diagnosis function, including the temperature, voltage, laser bias current, TX power, and RX power.

To diagnose transceiver modules:

1. Display alarms present on transceiver modules.
   Command: display transceiver alarm interface [ interface-type interface-number ] [ { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
2. Display the measured values of the digital diagnosis parameters for transceiver modules.
   Command: display transceiver diagnosis interface [ interface-type interface-number ] [ { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
3. Enter system view.
   Command: system-view
4. Disable alarm traps for transceiver modules.
   Command: transceiver phony-alarm-disable
   Remarks: Optional. By default, alarm traps are enabled for transceiver modules.

Displaying and maintaining device management

For diagnosis or troubleshooting, you can use separate display commands to collect running status data module by module, or use the display diagnostic-information command to bulk collect running data for multiple modules. All of the following commands are available in any view.

Task: Display system version information.
   Command: display version [ { begin | exclude | include } regular-expression ]
Task: Display the system time and date.
   Command: display clock [ { begin | exclude | include } regular-expression ]
Task: Display information about the users that have logged in to the device but are not under user view.
   Command: display configure-user [ { begin | exclude | include } regular-expression ]
Task: Display the software and hardware copyright statements.
   Command: display copyright [ { begin | exclude | include } regular-expression ]
Task: Display the flow engine usage statistics.
   Command: display flowengine-usage [ { begin | exclude | include } regular-expression ]
Task: Display the historical usage statistics for the flow engine in charts.
   Command: display flowengine-usage history [ { begin | exclude | include } regular-expression ]
Task: Display or save running status data for multiple feature modules.
   Command: display diagnostic-information [ { begin | exclude | include } regular-expression ]

The following commands are also available in any view.

Task: Display CPU usage statistics.
   Command: display cpu-usage [ entry-number [ offset ] [ verbose ] [ from-device ] ] [ { begin | exclude | include } regular-expression ]
Task: Display historical CPU usage statistics in charts.
   Command: display cpu-usage history [ task task-id ] [ { begin | exclude | include } regular-expression ]
Task: Display device information.
   Command: display device [ cf-card | usb ] [ verbose ] [ { begin | exclude | include } regular-expression ]
Task: Display the electronic label data for the device.
   Command: display device manuinfo [ { begin | exclude | include } regular-expression ]
Task: Display device temperature information.
   Command: display environment [ slot slot-number ] [ { begin | exclude | include } regular-expression ]
Task: Display the operating states of fans.
   Command: display fan [ fan-id ] [ { begin | exclude | include } regular-expression ]
Task: Display memory usage statistics.
   Command: display memory [ { begin | exclude | include } regular-expression ]
Task: Display the power state.
   Command: display power [ power-id ] [ { begin | exclude | include } regular-expression ]
Task: Display the mode of the last reboot.
   Command: display reboot-type [ { begin | exclude | include } regular-expression ]
Task: Display the configuration of the job configured by using the schedule job command.
   Command: display schedule job [ { begin | exclude | include } regular-expression ]
Task: Display the reboot schedule.
   Command: display schedule reboot [ { begin | exclude | include } regular-expression ]
Task: Display the configuration of jobs configured by using the job command.
   Command: display job [ job-name ] [ { begin | exclude | include } regular-expression ]
Task: Display the exception handling method.
   Command: display system-failure [ { begin | exclude | include } regular-expression ]

Configuring local users

Local users are a set of user attributes configured on the local device. A local user is uniquely identified by username. To enable users using a certain network service to pass local authentication, you must configure accounts for the users in the local user database on the device.

A local user has the following attributes:

Username
User password
User privilege level
Service type that the user can use
Virtual device to which the user belongs

User levels

User levels, ranging from low to high, are visitor, monitor, configure, and management. A user with a higher level has all the operating rights of a lower level.

Visitor: Users of this level can perform ping and traceroute operations, but can neither access the device data nor configure the device.
Monitor: Users of this level can only access the device data but cannot configure the device.
Configure: Users of this level can access data from the device and configure the device, but they cannot upgrade the host software, add/delete/modify users, or back up/restore the application file.
Management: Users of this level can perform any operations for the device.

The user levels described above apply only to users of the root virtual device. The levels for users of other types of virtual devices depend on the device model.

Configuring a user privilege level

If the authentication mode on a user interface is scheme, configure a user privilege level for the user interface's users through the AAA module or directly on the user interface. For SSH users who use public-key authentication, the user privilege level configured directly on the user interface always takes effect. For other users, the user privilege level configured in the AAA module has priority over the one configured directly on the user interface.

If the authentication mode on a user interface is none or password, configure the user privilege level directly on the user interface.

For more information about user login authentication, see "Logging in to the CLI." For more information about AAA and SSH, see Security Configuration Guide.

Configuring a user privilege level for users through the AAA module

1. Enter system view.
   Command: system-view
2. Enter user interface view.
   Command: user-interface { first-num1 [ last-num1 ] | { aux | console | vty } first-num2 [ last-num2 ] }
   Remarks: Only LB cards support AUX user interfaces.
3. Specify the scheme authentication mode.
   Command: authentication-mode scheme
   Remarks: By default, the authentication mode is scheme for VTY users and none for console and AUX users.
4. Return to system view.
   Command: quit
5. Configure the authentication mode for SSH users as password.
   Command: For more information, see Security Configuration Guide.
   Remarks: This task is required only for SSH users who are required to provide their usernames and passwords for authentication.
6. Configure the user privilege level through the AAA module.
   To use local authentication:
      a. Use the local-user command to create a local user and enter local user view.
      b. Use the level keyword in the authorization-attribute command to configure the user privilege level.
   To use remote authentication (RADIUS or HWTACACS): Configure the user privilege level on the authentication server.
   Remarks: Use either approach. For local authentication, if you do not configure the user privilege level, the user privilege level is 0. For remote authentication, if you do not configure the user privilege level, the user privilege level depends on the default configuration of the authentication server. For more information about the local-user and authorization-attribute commands, see Security Command Reference.

For example:

# Configure the device to use local authentication for Telnet users on VTY 1.
<Sysname> system-view
[Sysname] user-interface vty 1
[Sysname-ui-vty1] authentication-mode scheme
[Sysname-ui-vty1] quit
[Sysname] local-user test
[Sysname-luser-test] password simple 123
[Sysname-luser-test] service-type telnet

When users Telnet to the device through VTY 1, they must enter username test and password 123. After passing the authentication, the users can only use level-0 commands.

# Assign commands of levels 0 through 3 to the users.
[Sysname-luser-test] authorization-attribute level 3

Configuring the user privilege level directly on a user interface

To configure the user privilege level directly on a user interface that uses the scheme authentication mode:

1. Configure the authentication type for SSH users as publickey.
   Command: For more information, see Security Configuration Guide.
   Remarks: Required only for SSH users who use public-key authentication.
2. Enter system view.
   Command: system-view
3. Enter user interface view.
   Command: user-interface { first-num1 [ last-num1 ] | vty first-num2 [ last-num2 ] }
4. Enable the scheme authentication mode.
   Command: authentication-mode scheme
   Remarks: By default, the authentication mode is scheme for VTY users and none for console and AUX users.
5. Configure the user privilege level.
   Command: user privilege level level
   Remarks: By default, the user privilege level for console and AUX users is 3, and that for VTY users is 0.

To configure the user privilege level directly on a user interface that uses the none or password authentication mode:

1. Enter system view.
   Command: system-view
2. Enter user interface view.
   Command: user-interface { first-num1 [ last-num1 ] | { aux | console | vty } first-num2 [ last-num2 ] }
   Remarks: Only LB cards support AUX user interfaces.
3. Configure the authentication mode for any user who uses the current user interface to log in to the device.
   Command: authentication-mode { none | password }
   Remarks: Optional. By default, the authentication mode is scheme for VTY users and none for console and AUX users.
4. Configure the privilege level of users logged in through the current user interface.
   Command: user privilege level level
   Remarks: Optional. By default, the user privilege level for console and AUX users is 3, and that for VTY users is 0.

For example:

# Display the commands a Telnet user can use by default after login.
<Sysname> ?
User view commands:
  ping     Ping function
  quit     Exit from current command view
  rsh      Establish one RSH connection
  ssh2     Establish a secure shell client connection
  super    Set the current user priority level
  telnet   Establish one TELNET connection
  tracert  Trace route function

# Configure the device to perform no authentication for Telnet users, and to authorize authenticated Telnet users to use level-0 and level-1 commands. (Use the none authentication mode only in a secure network environment.)
<Sysname> system-view
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] authentication-mode none
[Sysname-ui-vty0-4] user privilege level 1

# Display the commands a Telnet user can use after login. Because the user privilege level is 1, a Telnet user can use more commands now.
<Sysname> ?
User view commands:
  debugging      Enable system debugging functions
  display        Display current system information
  ipc            Interprocess communication
  ping           Ping function
  quit           Exit from current command view
  refresh        Do soft reset
  reset          Reset operation
  rsh            Establish one RSH connection
  screen-length  Specify the lines displayed on one screen
  send           Send information to other user terminal interface
  ssh2           Establish a secure shell client connection
  super          Set the current user priority level
  telnet         Establish one TELNET connection
  terminal       Set the terminal line characteristics
  tracert        Trace route function
  undo           Cancel current setting

# Configure the device to perform password authentication for Telnet users, and to authorize authenticated Telnet users to use the commands of privilege levels 0, 1, and 2.
<Sysname> system-view
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] authentication-mode password
[Sysname-ui-vty0-4] set authentication password simple 123
[Sysname-ui-vty0-4] user privilege level 2

After the configuration is complete, when users Telnet to the device, they must enter the password 123. After passing authentication, they can use commands of levels 0, 1, and 2.

Switching the user privilege level

Users can switch to a different user privilege level without logging out and terminating the current connection. After the privilege level switch, users can continue to manage the device without logging in again, but the commands they can execute have changed. For example, with user privilege level 3, a user can configure system parameters. After switching to user privilege level 0, the user can execute only basic commands like ping and tracert and use a few display commands. The switching operation is effective for the current login only. After the user logs in again, the user privilege restores to the original level.

To avoid problems, HP recommends that administrators log in with a lower privilege level to view device operating parameters, and switch to a higher level temporarily only when they must maintain the device.
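The user interface and local user settings covered in the examples above lend themselves to an automated review. The following Python audit is an added example, not code from the HP guide or the device: it reads user-interface and local-user blocks from a constructed configuration excerpt laid out like device configuration output (an assumption about the format, including the con abbreviation for console) and reports the conditions this chapter calls out, such as authentication-mode none on a remote interface, a raised VTY privilege level, a password entered with the simple keyword, and a local user without a service type.

```python
"""Audit of the login settings discussed above in a Comware configuration.

Added example, not code from the HP guide or the device. It reads the
user-interface and local-user blocks of a constructed configuration excerpt
(laid out like 'display current-configuration' output, which is an
assumption about the format) and reports the conditions the chapter warns
about: authentication-mode none on remote interfaces (allowed only in a
secure network), privilege levels handed to unauthenticated sessions,
passwords entered with the simple keyword (plaintext), and local users
without a service type (their local authentication fails).
"""
import re

# Defaults stated in the chapter: VTY users get scheme authentication and
# privilege level 0; console and AUX users get no authentication and level 3.
DEFAULTS = {"vty": ("scheme", 0), "con": ("none", 3), "aux": ("none", 3)}

# Constructed sample; the cipher value is a placeholder, not real ciphertext.
SAMPLE_CONFIG = """\
user-interface con 0
user-interface vty 0 4
 authentication-mode none
 user privilege level 2
user-interface vty 5 15
 authentication-mode password
 set authentication password simple 123
local-user test
 password simple 123
 service-type telnet
 authorization-attribute level 3
local-user emily
 password cipher $c$3$PLACEHOLDER-CIPHERTEXT
 service-type web
"""


def parse_config(text):
    """Return (user_interfaces, local_users) as lists of dicts."""
    interfaces, users, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"user-interface (con|console|aux|vty) \d+( \d+)?$", line)
        if m:
            # Configuration output abbreviates console as con (assumption).
            kind = "con" if m.group(1) == "console" else m.group(1)
            auth, level = DEFAULTS[kind]
            current = {"name": line[len("user-interface "):], "kind": kind,
                       "auth": auth, "level": level, "plaintext_pw": False}
            interfaces.append(current)
            continue
        m = re.match(r"local-user (\S+)$", line)
        if m:
            current = {"name": m.group(1), "level": 0, "services": [],
                       "plaintext_pw": False}
            users.append(current)
            continue
        if current is None:
            continue
        if line.startswith("authentication-mode "):
            current["auth"] = line.split()[1]
        elif line.startswith(("user privilege level ",
                              "authorization-attribute level ")):
            current["level"] = int(line.split()[-1])
        elif line.startswith("service-type "):
            current.setdefault("services", []).append(line.split()[1])
        elif line.startswith(("set authentication password simple ",
                              "password simple ")):
            current["plaintext_pw"] = True
    return interfaces, users


def audit(text):
    """Return findings as (severity, subject, message) tuples."""
    findings = []
    interfaces, users = parse_config(text)
    for ui in interfaces:
        subject = "user-interface " + ui["name"]
        if ui["auth"] == "none":
            if ui["kind"] == "con":
                findings.append(("info", subject, "console without authentication "
                                 "(device default); relies on physical access control"))
            else:
                findings.append(("high", subject, "authentication-mode none grants "
                                 "level %d commands without authentication; the guide "
                                 "allows none only in a secure network" % ui["level"]))
        if ui["plaintext_pw"]:
            findings.append(("medium", subject,
                             "set authentication password uses the simple keyword (plaintext)"))
        if ui["kind"] == "vty" and ui["level"] > DEFAULTS["vty"][1]:
            findings.append(("info", subject,
                             "VTY privilege level raised from the default 0 to %d" % ui["level"]))
    for user in users:
        subject = "local-user " + user["name"]
        if user["plaintext_pw"]:
            findings.append(("medium", subject, "password uses the simple keyword (plaintext)"))
        if not user["services"]:
            findings.append(("medium", subject, "no service-type; local authentication fails"))
        if user["level"] == 3:
            findings.append(("info", subject, "level 3 (management) account"))
    return findings
```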

When administrators must leave for a while or ask someone else to manage the device temporarily, they can switch to a lower privilege level before they leave to restrict the operations available to others.

Configuring the authentication parameters for user privilege level switching

A user can switch to a lower privilege level without authentication. To switch to a higher privilege level, however, a user must provide the privilege level switching authentication information (if any). Table 16 shows the privilege level switching authentication modes supported by the device.

Table 16 Privilege level switching authentication modes

Local password authentication only (local-only)
   Keywords: local
   Description: The device uses the locally configured passwords for privilege level switching authentication. To use this mode, you must set the passwords for privilege level switching using the super password command.
Remote AAA authentication through HWTACACS or RADIUS
   Keywords: scheme
   Description: The device sends the username and password for privilege level switching to the HWTACACS or RADIUS server for remote authentication. To use this mode, you must perform the following configuration tasks:
      Configure the required HWTACACS or RADIUS schemes and configure the ISP domain to use the schemes for users. For more information, see Security Configuration Guide.
      Add user accounts and specify the user passwords on the HWTACACS or RADIUS server.
Local password authentication first and then remote AAA authentication
   Keywords: local scheme
   Description: The device first uses the locally configured passwords for privilege level switching authentication. If no local password is set, the device allows console users to switch their privilege levels without authentication, but performs AAA authentication for AUX and VTY users.
Remote AAA authentication first and then local password authentication
   Keywords: scheme local
   Description: AAA authentication is performed first, and if the remote HWTACACS or RADIUS server does not respond or the AAA configuration on the device is invalid, local password authentication is performed.

To configure the authentication parameters for a user privilege level:

1. Enter system view.
   Command: system-view
2. Set the authentication mode for user privilege level switching.
   Command: super authentication-mode { local | scheme } *
   Remarks: Optional. By default, local-only authentication is used.
3. Configure the password for the user privilege level.
   Command: super password [ level user-level ] { cipher | simple } password
   Remarks: If local authentication is involved, this step is required. By default, a privilege level has no password. If no user privilege level is specified when you configure the command, the user privilege level defaults to 3. If local-only authentication is used, a console user interface user can switch to a higher privilege level even if the privilege level has not been assigned a password.

Switching to a higher user privilege level

Before you switch to a higher user privilege level, obtain the required authentication data as described in Table 17. The privilege level switch fails after three consecutive unsuccessful password attempts.

To switch the user privilege level, perform the following task in user view:

Task: Switch the user privilege level.
   Command: super [ level ]
   Remarks: When logging in to the device, a user has a user privilege level, which depends on the user interface or the authenticated user level.

Table 17 Information required for user privilege level switching (First: information required for the first authentication mode; Second: information required for the second authentication mode)

User interface authentication mode: none or password
   Switching authentication mode local
      First: Password configured for the privilege level on the device with the super password command.
      Second: N/A
   Switching authentication mode local scheme
      First: Password configured for the privilege level on the device with the super password command.
      Second: Username and password configured on the AAA server for the privilege level.
   Switching authentication mode scheme
      First: Username and password for the privilege level.
      Second: N/A
   Switching authentication mode scheme local
      First: Username and password for the privilege level.
      Second: Local user privilege level switching password.
User interface authentication mode: scheme
   Switching authentication mode local
      First: Password configured for the privilege level on the device with the super password command.
      Second: N/A
   Switching authentication mode local scheme
      First: Password configured for the privilege level on the device with the super password command.
      Second: Password for privilege level switching configured on the AAA server. The system uses the login username as the privilege level switching username.
   Switching authentication mode scheme
      First: Password for privilege level switching configured on the AAA server. The system uses the login username as the privilege level switching username.
      Second: N/A
   Switching authentication mode scheme local
      First: Password for privilege level switching configured on the AAA server. The system uses the login username as the privilege level switching username.
      Second: Password configured on the device with the super password command for the privilege level.

Configuring local users

Configuring local users in the Web interface

To configure a local user:

1. Select System > User from the navigation tree.
   Figure 41 Local user
2. Click Add.

Figure 42 Adding a local user
3. Configure a local user, as described in Table 18.
4. Click Apply.

Table 18 Configuration items

User Name: Enter the username of the local user. The username can contain spaces in the middle. However, the device ignores any leading spaces in the username.

User Privilege Level: Set the user privilege level of the user. User privilege levels are visitor, monitor, configure, and management in ascending order. A user with a higher level has all the operating rights of a user with a lower level. For more information about user privilege levels, see "User levels."
IMPORTANT: The user privilege levels apply only to Web, FTP, Telnet, and SSH users.

Service Type: Set the service type that the user can use, including Web, FTP, SSH, Telnet, and terminal. You must configure a service type for each user for local authentication. Otherwise, user authentication fails.

Password and Confirm Password: Set and confirm the password. The confirm password must be the same as the previously set password. Any leading spaces in the password are ignored.

Password Encryption: Select the method for encrypting passwords to be saved:
- Reversible: Uses a reversible encryption algorithm.
- Irreversible: Uses an irreversible encryption algorithm.
A reversibly encrypted password can be recovered by anyone who obtains the saved configuration, so prefer Irreversible unless a service that authenticates this user needs the reversible form.

Virtual Device: Set the virtual device to which the user belongs. Every time the user logs in through the Web interface, the user logs in to the virtual device to which the user belongs. When a root virtual device user with privilege level Configure or Management logs in to the device, the user can log in to another virtual device by selecting System > Device > Virtual Device > Virtual Device. The access right of the user is the same as that of other virtual device users that have the same privilege level.

Local user configuration example for the Web interface

Network requirements
As shown in Figure 43, configure LB to allow user Emily to log in to the LB (root virtual device) through the Web interface and view the data on the LB, but prevent the user from performing any configuration.
Figure 43 Network diagram

Configuration procedure
1. Configure the IP address of the interface. (Details not shown.)
2. Configure local user Emily:
   a. Select System > User from the navigation tree. The Local User tab appears.
   b. Click Add.
Figure 44 Creating a local user
   c. Enter Emily as the username.
   d. Select the user privilege level Monitor.
   e. Select the service type Web.
   f. Enter aabbcc as the password and confirm the password.
   g. Select the password encryption method Reversible.
   h. Select the virtual device Root.
   i. Click Apply.

Configuring local users at the CLI
See the chapter on AAA in Security Configuration Guide.

Controlling user logins

User login control can be configured only at the CLI. Use ACLs to prevent unauthorized logins. For more information about ACLs, see Security Configuration Guide.

Controlling Telnet logins
- Use a basic ACL (2000 to 2999) to filter Telnet traffic by source IP address.
- Use an advanced ACL (3000 to 3999) to filter Telnet traffic by source and/or destination IP address.
- Use an Ethernet frame header ACL (4000 to 4999) to filter Telnet traffic by source MAC address.
To access the LB module, a Telnet user must match a permit statement in the ACL applied to the user interface.

Configuring source IP-based Telnet login control
Step 1. Enter system view.
  Command: system-view
Step 2. Create a basic ACL and enter its view, or enter the view of an existing basic ACL.
  Command: acl [ ipv6 ] number acl-number [ name name ] [ match-order { config | auto } ]
  Remarks: By default, no basic ACL exists.
Step 3. Configure an ACL rule.
  Command (IPv4 networks): rule [ rule-id ] { deny | permit } [ counting | fragment | logging | source { sour-addr sour-wildcard | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *
  Command (IPv6 networks): rule [ rule-id ] { deny | permit } [ counting | fragment | logging | routing [ type routing-type ] | source { ipv6-address prefix-length | ipv6-address/prefix-length | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *
  Remarks: By default, a basic ACL does not contain any rule.
Step 4. Exit the basic ACL view.
  Command: quit
Step 5. Enter user interface view.
  Command: user-interface [ type ] first-number [ last-number ]
Step 6. Use the ACL to control user logins by source IP address.
  Command: acl [ ipv6 ] acl-number { inbound | outbound }
  Remarks: inbound filters incoming packets; outbound filters outgoing packets.

Configuring source/destination IP-based Telnet login control
Step 1. Enter system view.
  Command: system-view
Step 2. Create an advanced ACL and enter its view, or enter the view of an existing advanced ACL.
  Command: acl [ ipv6 ] number acl-number [ name name ] [ match-order { config | auto } ]
  Remarks: By default, no advanced ACL exists.
Step 3. Configure an ACL rule.
  Command: rule [ rule-id ] { permit | deny } rule-string
Step 4. Exit advanced ACL view.
  Command: quit
Step 5. Enter user interface view.
  Command: user-interface [ type ] first-number [ last-number ]
Step 6. Apply the ACL to the user interfaces.
  Command: acl [ ipv6 ] acl-number { inbound | outbound }
  Remarks: inbound filters incoming Telnet packets; outbound filters outgoing Telnet packets.

Configuring source MAC-based Telnet login control
Ethernet frame header ACLs apply to Telnet traffic only if the Telnet client and server are located in the same subnet.
To configure source MAC-based Telnet login control:
Step 1. Enter system view.
  Command: system-view
Step 2. Create an Ethernet frame header ACL and enter its view.
  Command: acl number acl-number [ name name ] [ match-order { config | auto } ]
  Remarks: By default, no Ethernet frame header ACL exists.
Step 3. Configure an ACL rule.
  Command: rule [ rule-id ] { permit | deny } rule-string
Step 4. Exit Ethernet frame header ACL view.
  Command: quit
Step 5. Enter user interface view.
  Command: user-interface [ type ] first-number [ last-number ]
Step 6. Use the ACL to control user logins by source MAC address.
  Command: acl acl-number inbound
  Remarks: inbound filters incoming packets.

Telnet login control configuration example
Network requirements
Configure the LB module in Figure 45 to permit only incoming Telnet packets sourced from Host A and Host B.

Figure 45 Network diagram (Host A and Host B reach LB across the IP network)

Configuration procedure
# Configure basic ACL 2000, and configure rule 1 to permit packets sourced from Host B, and rule 2 to permit packets sourced from Host A.
<LB> system-view
[LB] acl number 2000 match-order config
[LB-acl-basic-2000] rule 1 permit source
[LB-acl-basic-2000] rule 2 permit source
[LB-acl-basic-2000] quit
# Reference ACL 2000 on user interfaces VTY 0 through VTY 4 so that only Host A and Host B can Telnet to LB.
[LB] user-interface vty 0 4
[LB-ui-vty0-4] acl 2000 inbound

Configuring source IP-based SNMP login control
Use a basic ACL (2000 to 2999) to control SNMP logins by source IP address. To access the requested MIB view, an NMS must use a source IP address permitted by the ACL.

Configuration procedure
To configure source IP-based SNMP login control:
Step 1. Enter system view.
  Command: system-view
Step 2. Create a basic ACL and enter its view, or enter the view of an existing basic ACL.
  Command: acl [ ipv6 ] number acl-number [ name name ] [ match-order { config | auto } ]
  Remarks: By default, no basic ACL exists.
Step 3. Configure an ACL rule.
  Command: rule [ rule-id ] { deny | permit } [ counting | fragment | logging | source { sour-addr sour-wildcard | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *
Step 4. Exit the basic ACL view.
  Command: quit

Step 5. Apply the ACL to an SNMP community, group, or user.
  SNMPv1/v2c community: snmp-agent community { read | write } community-name [ mib-view view-name ] [ acl acl-number | acl ipv6 ipv6-acl-number ] *
  SNMPv1/v2c group: snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number | acl ipv6 ipv6-acl-number ] *
  SNMPv3 group: snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number | acl ipv6 ipv6-acl-number ] *
  SNMPv1/v2c user: snmp-agent usm-user { v1 | v2c } user-name group-name [ acl acl-number | acl ipv6 ipv6-acl-number ] *
  SNMPv3 user: snmp-agent usm-user v3 user-name group-name [ [ cipher ] authentication-mode { md5 | sha } auth-password [ privacy-mode { 3des | aes128 | des56 } priv-password ] ] [ acl acl-number | acl ipv6 ipv6-acl-number ] *
  Remarks: For more information about SNMP, see System Maintenance Configuration Guide. The ACL only restricts the source addresses that may use the community, group, or user; it does not replace authentication. Of the SNMPv3 algorithms listed, sha and aes128 are the stronger choices.

SNMP login control configuration example
Network requirements
Configure the LB module in Figure 46 to allow Host A and Host B to access LB through SNMP.
Figure 46 Network diagram (Host A and Host B reach LB across the IP network)

Configuration procedure
# Create ACL 2000, and configure rule 1 to permit packets sourced from Host B, and rule 2 to permit packets sourced from Host A.
<LB> system-view

[LB] acl number 2000 match-order config
[LB-acl-basic-2000] rule 1 permit source
[LB-acl-basic-2000] rule 2 permit source
[LB-acl-basic-2000] quit
# Associate the ACL with the SNMP community and the SNMP group.
[LB] snmp-agent community read aaa acl 2000
[LB] snmp-agent group v2c groupa acl 2000
[LB] snmp-agent usm-user v2c usera groupa acl 2000

Configuring Web login control
Use a basic ACL (2000 to 2999) to filter HTTP/HTTPS traffic by source IP address for Web login control. To access the LB module, a Web user must use an IP address permitted by the ACL. You can also log off suspicious Web users that are already logged in.

Configuring source IP-based Web login control
Step 1. Enter system view.
  Command: system-view
Step 2. Create a basic ACL and enter its view, or enter the view of an existing basic ACL.
  Command: acl [ ipv6 ] number acl-number [ name name ] [ match-order { config | auto } ]
  Remarks: By default, no basic ACL exists.
Step 3. Create rules for this ACL.
  Command: rule [ rule-id ] { deny | permit } [ counting | fragment | logging | source { sour-addr sour-wildcard | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *
Step 4. Exit the basic ACL view.
  Command: quit
Step 5. Associate the HTTP service with the ACL.
  Command: ip http acl acl-number
Step 6. Associate the HTTPS service with the ACL.
  Command: ip https acl acl-number
  Remarks (steps 5 and 6): Configure either or both of the commands. HTTP login and HTTPS login are separate login methods; an ACL applied to one does not filter the other. To use HTTPS login, you do not need to configure HTTP login.

Logging off online Web users
Step 1. Display online Web users.
  Command: display web users
  Remarks: Optional. Available in any view.
Step 2. Log off online Web users.
  Command: free web-users { all | user-id user-id | user-name user-name }
  Remarks: Available in user view.

Web login control configuration example
Network requirements
Configure the LB module in Figure 47 to provide Web access service only to Host B.
Figure 47 Network diagram (Host A and Host B reach LB across the IP network)

Configuration procedure
# Create ACL 2030, and configure rule 1 to permit packets sourced from Host B.
<LB> system-view
[LB] acl number 2030 match-order config
[LB-acl-basic-2030] rule 1 permit source
# Associate the ACL with the HTTP service so that only the Web users on Host B can access the LB module.
[LB] ip http acl 2030
If HTTPS login is also enabled on the module, apply the same ACL with ip https acl 2030; otherwise Host A can still reach the Web interface over HTTPS.

Displaying online users
Online users are users who have passed authentication and are online. You can view information about online users on the Web page of the device.
To display online users, select System > User from the navigation tree and click the Online User tab.
Figure 48 Online users

Table 19 Online user fields
User ID: Identity of the online user in the system.
User Name: Username used for authentication.
IP Address: IP address of the user's host.
User Type: Access type of the online user, such as Admin (Telnet or Web). The Web page does not display FTP users.
Login Time: User login time.
Online Duration: Elapsed time since user login.
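The Telnet, SNMP, and Web login controls above all rely on the same basic-ACL matching: a source address is tested against the rules in the ACL's match order, and a login is accepted only if the first rule it hits is a permit. The following Python model is an added example, not HP code and not the module's implementation; it reproduces those semantics (inverse wildcard masks, match-order config versus auto, refusal of any source that matches no rule) so that you can check an ACL against sample addresses before applying it. Rule IDs, addresses, and the ACL number are constructed for the demonstration; the model ignores the fragment, time-range, and vpn-instance keywords and IPv6.

```python
"""Model of Comware basic-ACL matching as used for login control.

Added example (not HP code): inverse wildcard masks, match-order config
vs. auto, and the rule that a login source must hit a permit rule.
All addresses and rule IDs below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                 # "permit" or "deny"
    source: str = "any"         # IPv4 address, or "any"
    wildcard: str = "0.0.0.0"   # Comware wildcard (inverse mask): 0 bits must match

    def _ints(self):
        return (int(ipaddress.IPv4Address(self.source)),
                int(ipaddress.IPv4Address(self.wildcard)))

    def matches(self, src: str) -> bool:
        if self.source == "any":
            return True
        s, w = self._ints()
        care = ~w & 0xFFFFFFFF
        return (int(ipaddress.IPv4Address(src)) & care) == (s & care)

    def fixed_bits(self) -> int:
        """Address bits the rule pins down; drives depth-first (auto) ordering."""
        if self.source == "any":
            return 0
        _, w = self._ints()
        return 32 - bin(w).count("1")


class BasicAcl:
    """A basic ACL (2000 to 2999) with the two match orders the guide lists."""

    def __init__(self, number: int, match_order: str = "config"):
        if not 2000 <= number <= 2999:
            raise ValueError("basic ACL numbers are 2000 to 2999")
        if match_order not in ("config", "auto"):
            raise ValueError("match-order must be config or auto")
        self.number = number
        self.match_order = match_order
        self.rules: List[Rule] = []

    def rule(self, rule_id: int, action: str, source: str = "any",
             wildcard: str = "0.0.0.0") -> "BasicAcl":
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        self.rules.append(Rule(rule_id, action, source, wildcard))
        return self

    def ordered_rules(self) -> List[Rule]:
        # config: ascending rule ID (the order you entered them).
        # auto: depth-first, most specific source first; rule ID breaks ties.
        if self.match_order == "auto":
            return sorted(self.rules, key=lambda r: (-r.fixed_bits(), r.rule_id))
        return sorted(self.rules, key=lambda r: r.rule_id)

    def first_match(self, src: str) -> Optional[Rule]:
        for r in self.ordered_rules():
            if r.matches(src):
                return r
        return None


def login_permitted(acl: BasicAcl, src: str) -> bool:
    """Login control: the source must match a permit rule.

    A source that matches no rule is refused, which is what the guide states
    for Telnet (user-interface acl inbound), SNMP (snmp-agent ... acl) and
    Web (ip http acl / ip https acl).
    """
    hit = acl.first_match(src)
    return hit is not None and hit.action == "permit"


def demo():
    """Same two rules under both match orders; constructed addresses."""
    rules = [(1, "permit", "10.1.1.0", "0.0.0.255"),   # whole management subnet
             (2, "deny", "10.1.1.7", "0.0.0.0")]       # one host inside that subnet
    results = {}
    for order in ("config", "auto"):
        acl = BasicAcl(2000, match_order=order)
        for r in rules:
            acl.rule(*r)
        results[order] = {
            "10.1.1.7": login_permitted(acl, "10.1.1.7"),    # differs by match order
            "10.1.1.20": login_permitted(acl, "10.1.1.20"),  # permitted either way
            "192.0.2.5": login_permitted(acl, "192.0.2.5"),  # matches nothing: refused
        }
    return results


if __name__ == "__main__":
    for order, outcome in demo().items():
        print(order, outcome)
```

The point of the demo is the ordering trap: with match-order config the broad permit (rule 1) is evaluated first and the host-specific deny never fires, while match-order auto evaluates the more specific rule 2 first and refuses 10.1.1.7. Check which order your ACL uses before trusting a deny that was added after a permit.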

Configuring VDs

Overview
Virtualization technology can virtualize a physical device into multiple logical devices called "virtual devices (VDs)." All VDs share the hardware and software resources of the physical device, but each VD has its own Layer 3 interfaces, maintains its own routing and forwarding entries, serves its own users, and has its own administrators. Creating, running, or deleting a VD does not affect the configuration or service of any other VD. From the perspective of users, a VD is a standalone device.

The name of the VD to which you are logged in is displayed in brackets at the top level of the navigation tree.
Figure 49 Name of the current VD

VD benefits
- Higher utilization of existing network resources. Instead of purchasing new devices, you can configure more VDs on existing network devices to expand the network, reducing hardware upgrade cost. For example, when there are more user groups, you can configure more VDs and assign the VDs to the user groups; when there are more users in a group, you can assign more interfaces and other resources to the group.
- Lower management and maintenance cost. Management and maintenance of multiple VDs occur on a single physical device.
- Independence of each VD and high security. Each VD is isolated from every other VD and cannot communicate with any other VD directly. Each VD maintains its own local user information, and a login user of a VD can log in to and manage only that VD. Each VD maintains its own address, service, and session resources, its own security zones and zone-based security policies, and its own connection limits, blacklist, and port scanning and flood attack detection policies and information.

VD applications
The VD technology can be widely used for, for example, device renting, service hosting, and student labs. As shown in Figure 50, LAN 1, LAN 2, and LAN 3 are three companies' LANs. To provide access service for the three companies, you can deploy a single physical device and configure a VD for each company. The administrators of each company can then log in to only their own VD to maintain their own network, without affecting any other VD or network. The effect equals deploying a separate gateway for each company.

Figure 50 Network diagram

Default VD and non-default VDs
A device supporting VDs is a VD itself, and it is called the "default VD" (for example, Device in Figure 50). The default VD always uses the name Root and the ID 1. You cannot delete it or change its name or ID. From the default VD, you can manage the whole physical device, create and delete non-default VDs, and assign interface and VLAN resources to non-default VDs. No VDs can be created on a non-default VD.

A non-default VD can only use the resources assigned to it. It cannot use the resources assigned to other VDs or the remaining resources on the physical device. The default VD can use the resources not assigned to any other VD.

Unless otherwise stated, the term "VD" in the following sections refers to a non-default VD, and all operations in the following sections are performed on the default VD. For more information about the configurations and services on a non-default VD, see the related manuals.

Configuring a VD in the Web interface

Recommended configuration procedure
Step 1. Creating a VD. Required. You can create a VD and assign session resources and load balancing resources to the VD. The root VD exists by default. You do not need to create it, and it cannot be removed.
Step 2. Assigning interfaces to VDs. Required. By default, all Layer 3 interfaces belong to the root VD, and the other VDs have no Layer 3 interface to use. All VDs can use the Layer 2 interfaces in the system. An interface can belong to only one VD at a time.

Step 3. Assigning VLANs to a VD. Optional. By default, all VLANs belong to the root VD, and the other VDs have no VLAN to use. A VLAN can belong to only one VD at a time.
Step 4. Logging in to a VD. Optional. A user who has the configuration or management privilege level on the root VD can log in to another VD and perform the same operations as that VD's users of the same privilege level.

Creating a VD
1. Select System > Device Management > Virtual Device > Configuration from the navigation tree. The Configuration page appears.
Figure 51 VD configuration page
2. Click Add. The page for adding a VD appears.
Figure 52 Adding a VD
3. Configure the parameters as described in Table 20.
4. Click Apply.

Table 20 Configuration items

Virtual Device ID: Enter a VD ID that is globally unique.
Virtual Device Name: Enter a VD name that is globally unique.
Max. Sessions: Set the maximum number of concurrent sessions that can be established on the VD. Limiting the maximum number of concurrent sessions helps protect the device against potential attacks, such as SYN flood attacks.
Max. LB Real Service Groups: Set the maximum number of real service groups for load balancing, including IPv4 and IPv6 real service groups for server load balancing.
Max. LB Real Services: Set the maximum number of real services for load balancing, including IPv4 real services and IPv6 real services for load balancing.
Max. LB Virtual Services: Set the maximum number of virtual services for load balancing, including IPv4 virtual services and IPv6 virtual services for load balancing.

On the VD list page, you can click the Max. Sessions link, the Max. LB Real Service Groups link, the Max. LB Real Services link, or the Max. LB Virtual Services link of a VD (except the root VD) to modify its value.

The sum of the Max. Sessions of all VDs is the maximum number of sessions supported by the physical device. The maximum number of sessions of the root VD is the remaining number of sessions of the physical device. This rule also applies to the Max. LB Real Service Groups, the Max. LB Real Services, and the Max. LB Virtual Services.

When you change the value of the Max. LB Real Service Groups, the Max. LB Real Services, or the Max. LB Virtual Services, the target value must be larger than the number of existing real service groups, real services, or virtual services for load balancing, respectively.

For more information about the load balancing feature, see Load Balancing Configuration Guide.

Assigning interfaces to VDs
1. Select System > Device Management > Virtual Device > Interface from the navigation tree. A list appears, showing the interfaces and the VDs that the interfaces belong to.
Figure 53 Assigning interfaces to VDs
2. Select the target VDs for the interfaces.
3. Click Apply.

Assigning VLANs to a VD
1. Select System > Device Management > Virtual Device > VLAN from the navigation tree. A list appears, showing the VDs and the VLANs.
Figure 54 Assigning VLANs to a VD
2. Click the icon in the Operation column of a VD.
3. Enter the VLAN range for the VD in the VLAN Range column.
4. Click Apply.

Logging in to a VD
To log in to a VD, log in to the device, and then complete the following steps:
1. Select System > Device Management > Virtual Device > Device Selection from the navigation tree. The device selection page appears.
2. Select a VD.
3. Click the Login link. The Web interface of the target VD appears, where you can perform operations.
Figure 55 Selecting a VD

VD configuration example
Network requirements
Divide LB into two VDs, and rent them to Customer A and Customer B.
- For Layer 3 networking, Customer A and Customer B have their own Layer 3 Ethernet interfaces.
- For Layer 2 networking, Customer A can use VLAN 100 through VLAN 205 and VLAN 300 through VLAN 310. Customer B can use VLAN 50 through VLAN 80, VLAN 400, and VLAN 500 through VLAN 530.
- Assign session resources to Customer A and Customer B.
- Assign 100 real service groups, 200 real services, and 100 virtual services to Customer A, which uses server load balancing. Customer B does not use server load balancing.

Figure 56 Network diagram

Configuration procedure
1. Create VD VD_A:
   a. Select System > Device Management > Virtual Device > Configuration from the navigation tree.
   b. Click Add. The page for adding a VD appears.
Figure 57 Creating VD_A
   c. Enter the VD ID 2.
   d. Enter the VD name VD_A.
   e. Set the maximum number of sessions for VD_A.
   f. Set the maximum number of real service groups for load balancing to 100.
   g. Set the maximum number of real services for load balancing to 200.
   h. Set the maximum number of virtual services for load balancing to 100.
   i. Click Apply.
2. Create VD VD_B:
   a. Click Add. The page for adding a VD appears.

Figure 58 Creating VD_B
   b. Enter the VD ID 3.
   c. Enter the VD name VD_B.
   d. Set the maximum number of sessions for VD_B.
   e. Set the maximum number of real service groups for load balancing to 0.
   f. Set the maximum number of real services for load balancing to 0.
   g. Set the maximum number of virtual services for load balancing to 0.
   h. Click Apply.
3. Assign interfaces to the VDs:
   a. Select System > Device Management > Virtual Device > Interface from the navigation tree.
   b. Select VD_A for GigabitEthernet 0/1, and select VD_B for GigabitEthernet 0/2.
   c. Click Apply.
Figure 59 Assigning interfaces to VD_A and VD_B
4. Assign VLANs to VD_A:
   a. Select System > Device Management > Virtual Device > VLAN from the navigation tree.
   b. Click the icon for VD_A, and enter the VLAN ranges 100-205, 300-310.
   c. Click Apply.

Figure 60 Assigning VLANs to VD_A
5. Assign VLANs to VD_B:
   a. Select System > Device Management > Virtual Device > VLAN from the navigation tree.
   b. Click the icon for VD_B, and enter the VLAN ranges 50-80, 400, 500-530.
   c. Click Apply.
Figure 61 Assigning VLANs to VD_B

Creating a VD at the CLI

VD configuration task list
- Creating a VD: Required.
- Assigning resources to a VD:
  - Assigning a Layer 3 interface to a VD: Required.
  - Assigning a VLAN to a VD: Optional.
  - Setting the maximum number of sessions for a VD: Optional.
- Logging in to a VD: Optional.
- Setting the maximum number of concurrent sessions for a VD: Optional.

Creating a VD
All non-default VDs are created manually. A non-default VD cannot use the name Root or the ID 1. When creating a VD on a device, you must specify a VD name and a VD ID that are each unique on the device.

To enter the view of an existing VD, you can specify the VD name, or specify both the VD name and the VD ID. If you specify both, make sure the two arguments identify the same VD.

To create a VD:
Step 1. Enter system view.
  Command: system-view
Step 2. Create a VD and enter VD view.
  Command: vd vd-name id vd-id
  Remarks: By default, there is a default VD with the name Root and the ID 1.

Assigning resources to a VD
When you create a VD, the system automatically assigns some resources to the VD to ensure its operation. You can allocate system resources, including interfaces and VLANs, to VDs. The resources that are not assigned to any non-default VD belong to the default VD.

Assigning a Layer 3 interface to a VD
By default, all Layer 3 interfaces belong to the default VD. After being created, a non-default VD can use any Layer 2 interface in the system but no Layer 3 interface. To enable the VD to forward packets, you must assign it a Layer 3 interface.
To assign a Layer 3 interface to a VD:
Step 1. Enter system view.
  Command: system-view
Step 2. Enter VD view.
  Command: vd vd-name [ id vd-id ]
Step 3. Assign a Layer 3 interface to the VD.
  Command: allocate interface interface-type interface-number
  Remarks: By default, all Layer 3 interfaces belong to the default VD, and a non-default VD has no Layer 3 interface to use. The Layer 3 interface to be assigned to a VD must already exist. A Layer 3 interface can belong to only one VD. Assigning a Layer 3 interface to a second VD is the same as reclaiming the interface and assigning it to the second VD.

Assigning a VLAN to a VD
By default, all VLANs belong to the default VD. After creating a non-default VD, you can assign VLANs to it.
To assign a VLAN to a VD:
Step 1. Enter system view.
  Command: system-view
Step 2. Enter VD view.
  Command: vd vd-name [ id vd-id ]
Step 3. Assign a VLAN to the VD.
  Command: allocate vlan vlan-list
  Remarks: By default, all VLANs belong to the default VD, and a non-default VD has no VLAN to use.

A VLAN can be assigned to only one VD. Assigning a VLAN to a second VD is the same as reclaiming the VLAN and assigning it to the second VD.

Setting the maximum number of sessions for a VD
You can limit the maximum number of sessions that can be set up on a VD. The actual number of sessions available to a VD, however, is also restricted by the number of sessions available on the physical device.
To set the maximum number of sessions for a VD:
Step 1. Enter system view.
  Command: system-view
Step 2. Enter VD view.
  Command: vd vd-name [ id vd-id ]
Step 3. Set the maximum number of sessions for the VD.
  Command: limit-resource session max-entries max-entries
  Remarks: By default, the maximum number of sessions that can be set up on a non-default VD equals the maximum number of sessions supported by the physical device.

Logging in to a VD
From the system view of the default VD, you can log in to a non-default VD. After logging in to a non-default VD, you are placed in VD system view. To return from VD system view to the system view of the default VD, use the quit command.
To log in to a VD:
Step 1. Enter system view.
  Command: system-view
Step 2. Log in to a VD and enter VD system view.
  Command: switchto vd vd-name

Setting the maximum number of concurrent sessions for a VD
To prevent potential attacks (such as SYN flood attacks) from depleting system resources, you can control the maximum number of concurrent sessions that can be set up on the device or on a VD of the device.
To set the maximum number of concurrent sessions for the default VD:
Step 1. Enter system view.
  Command: system-view
Step 2. Set the maximum number of concurrent sessions for the default VD.
  Command: session max-entries max-entries
  Remarks: By default, the maximum number of concurrent sessions for the default VD equals the maximum number of sessions supported by the physical device.
To set the maximum number of concurrent sessions for a non-default VD:
Step 1. Enter system view.
  Command: system-view

Step 2. Log in to the VD.
  Command: switchto vd vd-name
  Remarks: Optional.
Step 3. Set the maximum number of concurrent sessions for the VD.
  Command: session max-entries max-entries
  Remarks: By default, the maximum number of concurrent sessions for a non-default VD equals the maximum number of sessions specified for the VD by using the limit-resource session max-entries command.

VD configuration example
Network requirements
Virtualize LB into two VDs and use the two VDs as the gateways for enterprise A and enterprise B so that:
- Each enterprise has its own Layer 3 Ethernet interface.
- Enterprise A can use VLAN 100 to VLAN 205, and has its own maximum number of sessions.
- Enterprise B can use VLAN 50 to VLAN 80, VLAN 400, and VLAN 500 to VLAN 530, and has its own maximum number of sessions.
Figure 62 Network diagram

Configuration procedure
# Create a VD with the name vda and ID 2.
<LB> system-view
[LB] vd vda id 2
# Assign interface GigabitEthernet 0/1 to VD vda.
[LB-vd-vda] allocate interface gigabitethernet 0/1
# Assign VLAN 100 to VLAN 205 to VD vda.
[LB-vd-vda] allocate vlan 100 to 205
# Set the maximum number of sessions for VD vda.
[LB-vd-vda] limit-resource session max-entries
[LB-vd-vda] quit
# Create a VD with the name vdb and ID 3.

[LB] vd vdb id 3
# Assign interface GigabitEthernet 0/2 to VD vdb.
[LB-vd-vdb] allocate interface gigabitethernet 0/2
# Assign VLAN 50 to VLAN 80, VLAN 400, and VLAN 500 to VLAN 530 to VD vdb.
[LB-vd-vdb] allocate vlan 50 to 80 400 500 to 530
# Set the maximum number of sessions for VD vdb.
[LB-vd-vdb] limit-resource session max-entries

Verifying the configuration
Administrators of enterprise A can log in to VD vda, and administrators of enterprise B can log in to VD vdb. Each enterprise network can use its own Layer 3 interface, VLAN resources, and session resources to communicate with the Internet.

Configuring unified multisystem management

Overview
You can install an LB module in a device to offload the load balancing service from the device. The module has an independent operating system. Unified multisystem management enables you to configure LB modules from the device's Web interface.

To implement unified multisystem management, configure the device as the ACSEI server and the LB module as the ACSEI client. After the module registers with the device, the module data appears on the Device Management tab in the Web interface of the device, as shown in Figure 63. You can click the manage link for the module to configure it. For more information about ACSEI, see "Logging in to the LB module from the network device."
Figure 63 Unified multisystem management interface

Configuration guidelines
- Configure the unified management VLAN before enabling the ACSEI function.
- Configure the same unified management VLAN for the LB module and the 7500 switch.
- Create a local Web user with a privilege user level of 1 on the device and the LB card. For more information about configuring local users, see Security Configuration Guide.

Configuration procedure
To configure the device:
Step 1. Enter system view.
  Command: system-view
Step 2. Configure the unified management VLAN.
  Command: unified-management vlan vlan-id
  Remarks: By default, no unified management VLAN is configured. The unified management VLAN is used to forward management packets among multiple systems.
Step 3. Enable the ACSEI server.
  Command: acsei server enable
  Remarks: By default, the ACSEI server is disabled.

To configure the LB module:
Step 1. Enter system view.
  Command: system-view
Step 2. Configure the unified management VLAN.
  Command: unified-management vlan vlan-id
  Remarks: By default, no unified management VLAN is configured. The unified management VLAN is used to forward management packets among multiple systems.
Step 3. Enter the view of the interface connected to the device.
  Command: interface interface-type interface-number
Step 4. Enable the ACSEI client.
  Command: acsei-client enable
  Remarks: By default, the ACSEI client is disabled.

Configuration example
Network requirements
As shown in Figure 64, an LB module is inserted in the 7500 switch. Configure unified multisystem management so that you can manage the module in the Web interface of the switch.
Figure 64 Network diagram (Host connected to the 7500 device; LB module attached through XGE0/0)

Configuration procedure
1. Configure the 7500:
# Configure the unified management VLAN.
<7500> system-view
[7500] unified-management vlan 3000
# Enable the ACSEI server.
[7500] acsei server enable
# Configure the local user to log in to the Web interface.
[7500] local-user admin
[7500-luser-admin] password simple admin
[7500-luser-admin] authorization-attribute level 3
[7500-luser-admin] service-type web
2. Configure the LB module:
# Configure the unified management VLAN.
<LB> system-view
[LB] unified-management vlan 3000
# Enable the ACSEI client.
[LB] interface ten-gigabitethernet 0/0
[LB-Ten-GigabitEthernet0/0] acsei-client enable
[LB-Ten-GigabitEthernet0/0] quit
# Configure the local user to log in to the Web interface.
[LB] local-user admin
[LB-luser-admin] password simple admin
[LB-luser-admin] authorization-attribute level 3
[LB-luser-admin] service-type web

The username admin with the password admin and the simple keyword are used here only to keep the example short. On a production device, choose a strong password and use the cipher keyword so that the password is not stored in plain text in the configuration file.

Verifying the configuration
1. Log in to the switch's Web interface by using the username and password admin.
Figure 65 Login page
2. Select Device Info from the navigation tree.
3. Click the Device Management tab.
4. Click the manage link for the LB module. The Web interface of the LB module appears.
Figure 66 Unified multisystem management page

Configuring NTP
You must synchronize your device with a trusted time source, either by using the Network Time Protocol (NTP) or by setting the system time manually, before you run it on a live network. Network management, accounting, auditing, and distributed computing all depend on an accurate system time, because the timestamps of system messages and logs use the system time.
Overview
NTP is typically used in large networks to dynamically synchronize time among network devices. It provides higher clock accuracy than setting the system clock manually. In a small network that does not require high clock accuracy, you can keep time synchronized by setting the system clock on each device. NTP runs over UDP and uses UDP port 123.
NTP application
An administrator cannot keep time synchronized across a network by setting the system clock on each device, because doing so is a large amount of work and does not guarantee clock precision. NTP synchronizes clocks across the entire network quickly and with high precision. NTP is used when all devices within the network must keep consistent time, for example:
- When log and debugging information collected from different devices is analyzed in network management, time is the reference for correlating events.
- All devices in an accounting (charging) system must use the same reference clock.
- Functions such as scheduled restart of all devices in the network require all devices to keep consistent time.
- When multiple systems cooperate to process a complex event, they must use the same reference clock to ensure the correct execution order.
- For incremental backup between a backup server and its clients, time must be synchronized between the server and all the clients.
NTP advantages
- NTP uses stratum levels to describe clock precision and can synchronize time among all devices within the network.
- NTP supports access control and MD5 authentication.
- NTP can unicast, multicast, or broadcast protocol messages.
How NTP works
Figure 67 shows how NTP synchronizes the system time between two devices, Device A and Device B. Assume that:

- Prior to the synchronization, the time of Device A is 10:00:00 am and the time of Device B is 11:00:00 am.
- Device B is the NTP server, and Device A is to be synchronized to Device B.
- An NTP message takes 1 second to travel from Device A to Device B, and 1 second from Device B to Device A.
Figure 67 Basic work flow of NTP
The synchronization process is as follows:
1. Device A sends Device B an NTP message, which is timestamped when it leaves Device A. The timestamp is 10:00:00 am (T1).
2. When the message arrives at Device B, Device B timestamps it. The timestamp is 11:00:01 am (T2).
3. When the message leaves Device B, Device B timestamps it again. The timestamp is 11:00:02 am (T3).
4. When Device A receives the message, the local time of Device A is 10:00:03 am (T4).
Device A can now calculate the following from the four timestamps:
- Roundtrip delay of an NTP message: Delay = (T4 - T1) - (T3 - T2) = 3 s - 1 s = 2 seconds.
- Time difference between Device A and Device B: Offset = ((T2 - T1) + (T3 - T4)) / 2 = ((1 h + 1 s) + (1 h - 1 s)) / 2 = 1 hour.
Based on these parameters, Device A can synchronize its clock to the clock of Device B. The calculation assumes that the delay is the same in both directions; the offset error is half of any difference between the forward and reverse delays. This is a simplified description of how NTP works. For more information, see the NTP RFC.
NTP message format
All NTP messages mentioned in this document are NTP clock synchronization messages.
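The delay and offset calculation under "How NTP works" above, as an added example in Python. This is not code from the HP guide and does not model the LB module's implementation; it only applies the two formulas to the document's Device A and Device B times. The helpers simulate_exchange and asymmetry_error are this example's own constructed additions that go beyond the text: they show what happens when the two directions of the path do not have the same delay, which is the assumption the offset formula relies on.

```python
def hms(clock: str) -> float:
    """'HH:MM:SS' -> seconds since midnight, so the document's example times can be used directly."""
    h, m, s = (int(part) for part in clock.split(":"))
    return h * 3600 + m * 60 + s


def ntp_delay_offset(t1: float, t2: float, t3: float, t4: float) -> tuple:
    """Roundtrip delay and clock offset (server clock minus client clock) from the four
    NTP timestamps: T1 client transmit, T2 server receive, T3 server transmit, T4 client receive."""
    delay = (t4 - t1) - (t3 - t2)
    offset = ((t2 - t1) + (t3 - t4)) / 2
    return delay, offset


def simulate_exchange(true_offset: float, fwd_delay: float, rev_delay: float,
                      server_hold: float = 1.0, t1: float = 0.0) -> tuple:
    """Constructed exchange (not from the guide): the client's clock is behind the server's
    by true_offset seconds, the request takes fwd_delay seconds, the reply rev_delay seconds,
    and the server holds the message for server_hold seconds. Returns (T1, T2, T3, T4) as
    each device would stamp them on its own clock."""
    t2 = t1 + fwd_delay + true_offset      # stamped by the server on the server's clock
    t3 = t2 + server_hold                  # stamped by the server on the server's clock
    t4 = t3 + rev_delay - true_offset      # stamped by the client on the client's clock
    return t1, t2, t3, t4


def document_example() -> tuple:
    """The Device A / Device B figures from the text: delay 2 s, offset 3600 s (1 hour)."""
    return ntp_delay_offset(hms("10:00:00"), hms("11:00:01"),
                            hms("11:00:02"), hms("10:00:03"))


def asymmetry_error(true_offset: float, fwd_delay: float, rev_delay: float) -> float:
    """Error of the estimated offset when the two directions have different delays.
    NTP assumes a symmetric path, so the error is (fwd_delay - rev_delay) / 2: an on-path
    attacker who holds packets in one direction only shifts the client's clock by half of
    the added delay without modifying a single byte."""
    _, estimated = ntp_delay_offset(*simulate_exchange(true_offset, fwd_delay, rev_delay))
    return estimated - true_offset
```

document_example() returns a delay of 2 seconds and an offset of 3600 seconds, as in the text. asymmetry_error(3600, 0.5, 1.5) returns -0.5: with 0.5 s forward and 1.5 s reverse delay the estimate is 3599.5 s, half a second low. This is the practical security limit of the protocol: message authentication (covered later in this chapter) protects the integrity of the packet, not the time it spends on the wire, so a one-directional delay attack is invisible to it. Bounding the effect needs several independent servers and the client's clock filtering and selection, not keys.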

NTP uses two types of messages: clock synchronization messages and NTP control messages. NTP control messages are used in environments where network management is needed. Because they are not essential for clock synchronization, they are not described in this document.
A clock synchronization message is encapsulated in a UDP message, as shown in Figure 68.
Figure 68 Clock synchronization message format
The main fields are as follows:
- LI (Leap Indicator): A 2-bit leap indicator. 00 means no warning, 01 and 10 announce that a leap second will be inserted or deleted, respectively, at the end of the current day, and 11 warns of an alarm condition (clock unsynchronized).
- VN (Version Number): A 3-bit version number that indicates the NTP version. The latest version is version 4.
- Mode: A 3-bit code that indicates the work mode of NTP. It can take these values:
  0: Reserved
  1: Symmetric active
  2: Symmetric passive
  3: Client
  4: Server
  5: Broadcast or multicast
  6: NTP control message
  7: Reserved for private use
- Stratum: An 8-bit integer that indicates the stratum level of the local clock, in the range 1 to 16. Clock precision decreases from stratum 1 through stratum 16. A stratum 1 clock has the highest precision, and a stratum 16 clock is not synchronized.
- Poll: An 8-bit signed integer that indicates the maximum interval between successive messages (the poll interval), in log2 seconds.

- Precision: An 8-bit signed integer that indicates the precision of the local clock, in log2 seconds.
- Root Delay: Roundtrip delay to the primary reference source.
- Root Dispersion: The maximum error of the local clock relative to the primary reference source.
- Reference Identifier: Identifier of the particular reference source.
- Reference Timestamp: The local time at which the local clock was last set or corrected.
- Originate Timestamp: The local time at which the request departed from the client for the server.
- Receive Timestamp: The local time at which the request arrived at the server.
- Transmit Timestamp: The local time at which the reply departed from the server for the client.
- Authenticator: Authentication information (a key ID and a message digest), present only when NTP authentication is used.
NTP operation modes
Devices that run NTP can implement clock synchronization in one of the following modes:
- Client/server mode
- Symmetric peers mode
- Broadcast mode
- Multicast mode
Select the operation mode as needed. If the IP address of the NTP server or peer is unknown and many devices in the network need to be synchronized, use broadcast or multicast mode. In client/server or symmetric peers mode, a device is synchronized from a specified server or peer, so clock reliability is higher.
Client/server mode
Figure 69 Client/server mode (the client sends a Mode 3 clock synchronization message; the server automatically works in client/server mode and sends a Mode 4 reply; the client performs clock filtering and selection and synchronizes its local clock to the optimal reference source)
In client/server mode, a client sends a clock synchronization message to the servers with the Mode field set to 3 (client mode). Upon receiving the message, the servers automatically operate in server mode and send a reply with the Mode field set to 4 (server mode). Upon receiving the replies, the client performs clock filtering and selection and synchronizes its local clock to that of the optimal reference source. In client/server mode, a client can be synchronized to a server, but not vice versa.

Symmetric peers mode
Figure 70 Symmetric peers mode
In symmetric peers mode, the devices that operate in symmetric active mode and symmetric passive mode first exchange NTP messages with the Mode field set to 3 (client mode) and 4 (server mode). Then the device that operates in symmetric active mode periodically sends clock synchronization messages with the Mode field set to 1 (symmetric active). The device that receives the messages automatically enters symmetric passive mode and sends a reply with the Mode field set to 2 (symmetric passive). This exchange establishes symmetric peers mode between the two devices, so each device can synchronize to, or be synchronized by, the other. If the clocks of both devices have been synchronized, the device whose local clock has the lower stratum level synchronizes the clock of the other device.
Broadcast mode
Figure 71 Broadcast mode
In broadcast mode, a server periodically sends clock synchronization messages to the broadcast address 255.255.255.255 with the Mode field set to 5 (broadcast mode). Clients listen for the broadcast messages from servers. When a client receives the first broadcast message, the client and the server exchange messages with the Mode field set to 3 (client mode) and 4 (server mode) to calculate the network delay between the client and the server. The client then enters broadcast client mode, continues listening for broadcast messages, and synchronizes its local clock based on the received broadcast messages.

Multicast mode
Figure 72 Multicast mode
In multicast mode, a server periodically sends clock synchronization messages to the user-configured multicast address or, if no multicast address is configured, to the default NTP multicast address 224.0.1.1, with the Mode field set to 5 (multicast mode). Clients listen for the multicast messages from servers. When a client receives the first multicast message, the client and the server exchange messages with the Mode field set to 3 (client mode) and 4 (server mode) to calculate the network delay between the client and the server. The client then enters multicast client mode, continues listening for multicast messages, and synchronizes its local clock based on the received multicast messages.
In symmetric peers mode, broadcast mode, and multicast mode, the client (or the symmetric active peer) and the server (or the symmetric passive peer) can operate in the specified NTP working mode only after they exchange NTP messages with the Mode field set to 3 (client mode) and 4 (server mode). NTP clock synchronization can already take place during this message exchange.
Configuring NTP in the Web interface
Configuring NTP
1. Select System > System Time from the navigation tree.
2. Click Network Time Protocol. The page for configuring the network time appears.

Figure 73 Configuring the network time
3. Configure the network time as described in Table 21.
4. Click Apply.
Table 21 Configuration items
Clock status
    Displays the synchronization status of the system clock.
Local Reference Source
    Sets the IP address of the local clock source to 127.127.1.u, where u is in the range 0 to 3 and represents the NTP process ID. If the IP address of the local clock source is specified, the local clock is used as the reference clock and can provide time for other devices. If it is not specified, the local clock is not used as the reference clock.
Stratum
    Sets the stratum level of the local clock. The stratum level decides the precision of the local clock: a higher value indicates a lower precision. A stratum 1 clock has the highest precision, and a stratum 16 clock is not synchronized and cannot be used as a reference clock.
Source Interface
    Sets the source interface for NTP messages. If you do not want the IP address of a certain interface on the local device to become the destination address of response messages, specify the source interface for NTP messages, so that the source IP address of the NTP messages is the primary IP address of that interface. If the specified source interface is down, the source IP address of the NTP messages is the primary IP address of the outbound interface.

Key 1, Key 2
    Set the NTP authentication keys. Enable NTP authentication for a system running NTP in a network with high security demands. The feature uses client-server key authentication, which prevents a client from synchronizing to a device that fails authentication. You can set two authentication keys, each composed of a key ID and a key string. ID is the ID of the key, and Key string is the character string of the MD5 authentication key.
External Reference Source: NTP Server 1/Reference Key ID, NTP Server 2/Reference Key ID
    Specify the IP address of an NTP server and the ID of the authentication key used for the association with that server. The device synchronizes its time to the NTP server only if the key provided by the server matches the specified key. You can configure two NTP servers; the client chooses the optimal reference source.
    IMPORTANT: The IP address of an NTP server is a unicast address. It cannot be a broadcast address, a multicast address, or the IP address of the local clock source.
NTP configuration example
In this example, Device A is the LB module.
Network requirements
- The local clock of Device A is set as the reference clock, with stratum level 2.
- Device B operates in client mode and uses Device A as its NTP server.
Figure 74 Network diagram
1. Set the IP address for each interface as shown in Figure 74. (Details not shown.)
2. Configure Device A (configure the local clock as the reference clock, with stratum level 2):
   a. Select System > System Time from the navigation tree.
   b. Click Network Time Protocol. The page for setting up NTP appears.
   c. Select the local clock address from the Local Reference Source list, and select 2 from the Stratum list.
   d. Click Apply.

Figure 75 Configuring the local clock as the reference clock
3. Configure Device B (configure Device A as the NTP server of Device B):
   a. Select System > System Time from the navigation tree.
   b. Click Network Time Protocol. The page for setting up NTP appears.
   c. Enter the IP address of Device A in the NTP Server 1 box.
   d. Click Apply.
Figure 76 Configuring Device A as the NTP server of Device B
4. Verify the configuration:

After the configuration, the current system time displayed on the System Time page is the same for Device A and Device B.
Configuring NTP at the CLI
NTP configuration task list
- Configuring NTP operation modes: Required.
- Configuring the local clock as a reference source: Optional.
- Configuring optional parameters for NTP: Optional.
- Configuring access-control rights: Optional.
- Configuring NTP authentication: Optional.
Configuring NTP operation modes
Devices can implement clock synchronization in one of the following modes:
- Client/server mode: Configure only clients.
- Symmetric mode: Configure only symmetric-active peers.
- Broadcast mode: Configure both clients and servers.
- Multicast mode: Configure both clients and servers.
Configuring the NTP client/server mode
Follow these guidelines when you configure the NTP client/server mode:
- If you specify the source interface for NTP messages with the source-interface option, NTP uses the primary IP address of the specified interface as the source IP address of the NTP messages.
- A device can act as a server to synchronize other devices only after it is synchronized itself.
- If a server has a stratum level higher than or equal to that of a client, the client does not synchronize to that server.
- In the ntp-service unicast-server command, ip-address must be a unicast address, not a broadcast address, a multicast address, or the IP address of the local clock.
To specify an NTP server on the client:
1. Enter system view.
   system-view
2. Specify an NTP server for the device.
   ntp-service unicast-server { ip-address | server-name } [ authentication-keyid keyid | priority | source-interface interface-type interface-number | version number ] *
   By default, no NTP server is specified. You can configure multiple servers by repeating the command; the client selects the optimal reference source.
Configuring the NTP symmetric peers mode
Follow these guidelines when you configure the NTP symmetric peers mode:

- For devices operating in symmetric mode, specify a symmetric-passive peer on the symmetric-active peer.
- Use the ntp-service refclock-master command or any NTP configuration command in "Configuring NTP operation modes" to enable NTP on the symmetric-passive peer. Otherwise, the symmetric-passive peer does not process NTP messages from the symmetric-active peer.
- Either the symmetric-active peer or the symmetric-passive peer must be in synchronized state. Otherwise, clock synchronization does not proceed.
- If you specify the source interface for NTP messages with the source-interface option, the source IP address of the NTP messages is the primary IP address of the specified interface.
To specify a symmetric-passive peer on the active peer:
1. Enter system view.
   system-view
2. Specify a symmetric-passive peer for the device.
   ntp-service unicast-peer { ip-address | peer-name } [ authentication-keyid keyid | priority | source-interface interface-type interface-number | version number ] *
   By default, no symmetric-passive peer is specified. The ip-address argument must be a unicast address, not a broadcast address, a multicast address, or the IP address of the local clock.
Configuring the NTP broadcast mode
The broadcast server periodically sends NTP broadcast messages to the broadcast address 255.255.255.255. After receiving the messages, a device operating in NTP broadcast client mode sends a reply and synchronizes its local clock.
Configure the NTP broadcast mode on both the server and the clients. The NTP broadcast mode can only be configured in interface view, because an interface must be specified on the broadcast server for sending NTP broadcast messages and on each broadcast client for receiving them.
To configure a broadcast client:
1. Enter system view.
   system-view
2. Enter interface view.
   interface interface-type interface-number
   This command enters the view of the interface that receives NTP broadcast messages.
3. Configure the device to operate in NTP broadcast client mode.
   ntp-service broadcast-client
To configure the broadcast server:
1. Enter system view.
   system-view

2. Enter interface view.
   interface interface-type interface-number
   This command enters the view of the interface that sends NTP broadcast messages.
3. Configure the device to operate in NTP broadcast server mode.
   ntp-service broadcast-server [ authentication-keyid keyid | version number ] *
   A broadcast server can synchronize broadcast clients only after its own clock has been synchronized.
Configuring the NTP multicast mode
The multicast server periodically sends NTP multicast messages to multicast clients, which send replies after receiving the messages and synchronize their local clocks.
Configure the NTP multicast mode on both the server and the clients. The NTP multicast mode must be configured in interface view.
To configure a multicast client:
1. Enter system view.
   system-view
2. Enter interface view.
   interface interface-type interface-number
   This command enters the view of the interface that receives NTP multicast messages.
3. Configure the device to operate in NTP multicast client mode.
   ntp-service multicast-client [ ip-address ]
   You can configure up to 1024 multicast clients, of which 128 can take effect at the same time.
To configure the multicast server:
1. Enter system view.
   system-view
2. Enter interface view.
   interface interface-type interface-number
   This command enters the view of the interface that sends NTP multicast messages.
3. Configure the device to operate in NTP multicast server mode.
   ntp-service multicast-server [ ip-address ] [ authentication-keyid keyid | ttl ttl-number | version number ] *
   A multicast server can synchronize multicast clients only after its own clock has been synchronized.
Configuring the local clock as a reference source
A network device can get its clock synchronized in either of the following ways:
- Synchronized to the local clock, which operates as the reference source.
- Synchronized to another device on the network in any of the four NTP operation modes described above.
If you configure both, the device selects the optimal clock as the reference source.

Typically, the stratum level of an NTP server that is synchronized from an authoritative clock (such as an atomic clock) is set to 1. This NTP server operates as the primary reference source on the network, and other devices synchronize to it. The number of NTP hops between a device and the primary reference source determines the stratum level of the device.
If you configure the local clock as a reference clock, the local device can act as a reference clock to synchronize other devices in the network. Perform this configuration with caution: a free-running local clock advertised at a low stratum is trusted by every client that selects it, and any error in it propagates to those devices.
To configure the local clock as a reference source:
1. Enter system view.
   system-view
2. Configure the local clock as a reference source.
   ntp-service refclock-master [ ip-address ] [ stratum ]
   The value of the ip-address argument must be 127.127.1.u, where u is in the range 0 to 3 and represents the NTP process ID.
Configuring optional parameters for NTP
This section explains how to configure the optional parameters of NTP.
Specifying the source interface for NTP messages
If you specify the source interface for NTP messages, the device sets the source IP address of the NTP messages to the primary IP address of the specified interface when it sends them. NTP packets might not be received after the state of an interface on the device changes; to avoid that problem, specify a loopback interface as the source interface. When the device responds to a received NTP request, the source IP address of the response is always the destination IP address of the request.
Follow these guidelines when you configure the source interface for NTP messages:
- For NTP unicast messages, the source interface specified with the source-interface option in the ntp-service unicast-server or ntp-service unicast-peer command takes effect.
- For NTP broadcast or multicast messages, the source interface is the interface where you configure the ntp-service broadcast-server or ntp-service multicast-server command.
To specify the source interface for NTP messages:
1. Enter system view.
   system-view
2. Specify the source interface for NTP messages.
   ntp-service source-interface interface-type interface-number
   By default, no source interface is specified for NTP messages, and the system uses the IP address of the interface determined by the matching route as the source IP address of NTP messages.
Disabling an interface from receiving NTP messages
If NTP is enabled, NTP messages can be received on all interfaces by default.

To disable an interface from receiving NTP messages:
1. Enter system view.
   system-view
2. Enter interface view.
   interface interface-type interface-number
3. Disable the interface from receiving NTP messages.
   ntp-service in-interface disable
   By default, an interface is enabled to receive NTP messages. Disabling reception on interfaces that do not face your time sources reduces the device's exposure on UDP port 123.
Configuring the allowed maximum number of dynamic sessions
NTP has the following types of associations:
- Static association: A manually created association.
- Dynamic association: A temporary association created by the system during NTP operation. A dynamic association is removed if no messages are exchanged over it for a specific period of time.
An association is established as follows in the different operation modes:
- Client/server mode: After you specify an NTP server, the system creates a static association on the client. The server simply responds passively upon receiving a message, rather than creating an association (static or dynamic).
- Symmetric active/passive mode: After you specify a symmetric-passive peer on a symmetric-active peer, static associations are created on the symmetric-active peer, and dynamic associations are created on the symmetric-passive peer.
- Broadcast or multicast mode: Static associations are created on the server, and dynamic associations are created on the client.
A single device can have a maximum of 128 concurrent associations, including static and dynamic associations.
To configure the allowed maximum number of dynamic sessions:
1. Enter system view.
   system-view
2. Configure the maximum number of dynamic sessions allowed to be established locally.
   ntp-service max-dynamic-sessions number
   The default is 100.
Configuring access-control rights
From the highest to the lowest, the NTP service access-control rights are peer, server, synchronization, and query. If a device receives an NTP request, it performs an access-control right match and uses the first matched right. If no matched right is found, the device drops the NTP request.
- Query: Control query permitted. This right permits peer devices to perform control queries to the NTP service on the local device, but does not permit a peer device to synchronize its clock to that of the local device. A control query is a query of the state of the NTP service, including alarm information, authentication status, clock source information, and so on.

- Synchronization: Server access only. This right permits a peer device to synchronize its clock to that of the local device, but does not permit peer devices to perform control queries.
- Server: Server access and query permitted. This right permits peer devices to perform synchronization and control queries to the local device, but does not permit the local device to synchronize its clock to that of a peer device.
- Peer: Full access. This right permits peer devices to perform synchronization and control queries to the local device, and also permits the local device to synchronize its clock to that of a peer device.
The access-control right mechanism provides only a minimum level of protection for a system running NTP, because it matches on the source IP address of unauthenticated UDP packets, which can be spoofed. A more secure method is identity authentication.
Configuration prerequisites
Before you configure the NTP service access-control right for the local device, create and configure an ACL associated with the access-control right. For more information about ACLs, see Security Configuration Guide.
Configuration procedure
To configure the NTP service access-control right for the local device:
1. Enter system view.
   system-view
2. Configure the NTP service access-control right for peer devices to access the local device.
   ntp-service access { peer | query | server | synchronization } acl-number
   The default is peer.
Configuring NTP authentication
Enable NTP authentication for a system running NTP in a network with high security demands. NTP authentication uses client-server key authentication, which prevents a client from synchronizing to a device that fails authentication. To configure NTP authentication, do the following:
- Enable NTP authentication.
- Configure an authentication key.
- Configure the key as a trusted key.
- Associate the specified key with an NTP server or a symmetric peer.
All of these tasks are required. If any task is omitted, NTP authentication cannot function.
Configuring NTP authentication in client/server mode
Follow these instructions to configure NTP authentication in client/server mode:
- A client can synchronize to the server only when you configure all the required tasks on both the client and the server.
- On the client, if NTP authentication is not enabled or no key is specified to associate with the NTP server, the client is not authenticated, and clock synchronization between the server and the client proceeds regardless of whether NTP authentication is enabled on the server. Authentication is therefore enforced by the client's configuration: enabling it only on the server does not stop unauthenticated clients from synchronizing to that server.

- On the client, if NTP authentication is enabled and a key is specified to associate with the NTP server, but the key is not a trusted key, the client does not synchronize to the server, regardless of whether NTP authentication is enabled on the server.
To configure NTP authentication for a client:
1. Enter system view.
   system-view
2. Enable NTP authentication.
   ntp-service authentication enable
   By default, NTP authentication is disabled.
3. Configure an NTP authentication key.
   ntp-service authentication-keyid keyid authentication-mode md5 [ cipher | simple ] value
   By default, no NTP authentication key is configured. Configure the same authentication key on the client and the server.
4. Configure the key as a trusted key.
   ntp-service reliable authentication-keyid keyid
   By default, no authentication key is configured as trusted.
5. Associate the specified key with an NTP server.
   ntp-service unicast-server { ip-address | server-name } authentication-keyid keyid
   You can associate a non-existing key with an NTP server. To enable NTP authentication, you must then configure the key and specify it as a trusted key after associating it with the NTP server.
To configure NTP authentication for a server:
1. Enter system view.
   system-view
2. Enable NTP authentication.
   ntp-service authentication enable
   By default, NTP authentication is disabled.
3. Configure an NTP authentication key.
   ntp-service authentication-keyid keyid authentication-mode md5 [ cipher | simple ] value
   By default, no NTP authentication key is configured. Configure the same authentication key on the client and the server.
4. Configure the key as a trusted key.
   ntp-service reliable authentication-keyid keyid
   By default, no authentication key is configured as trusted.
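The clock synchronization message layout from "NTP message format" and the client-side trusted-key check that the authentication tables above describe, as one added example in Python. This is not code from the HP guide and does not reproduce the LB module's implementation. It assumes the standard NTP authenticator layout (a 4-byte key ID followed by the MD5 digest of the key string concatenated with the 48-byte header, as in RFC 1305 and RFC 5905 Appendix A); the key strings, key IDs and timestamps are constructed for the example, and the dictionary of trusted keys models the effect of ntp-service reliable authentication-keyid on the client.

```python
import hashlib
import hmac
import struct

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
# 48-byte clock synchronization header, network byte order: LI/VN/Mode, stratum, poll,
# precision, root delay, root dispersion, reference ID, then the reference, originate,
# receive and transmit timestamps as 64-bit NTP timestamps.
HEADER = struct.Struct("!BBbbII4sQQQQ")
MAC_LEN = 4 + 16                # key ID + MD5 digest (the Authenticator field)


def to_ntp_ts(unix_seconds: float) -> int:
    """Unix time -> 64-bit NTP timestamp (32-bit seconds since 1900 | 32-bit fraction)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return (((whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF) << 32) | (frac & 0xFFFFFFFF)


def from_ntp_ts(ts: int) -> float:
    """64-bit NTP timestamp -> Unix time in float seconds."""
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / (1 << 32)


def build_header(li, vn, mode, stratum, poll, precision, ref_id,
                 ref_ts=0, orig_ts=0, recv_ts=0, xmit_ts=0,
                 root_delay=0.0, root_dispersion=0.0) -> bytes:
    """Pack the header fields. Root delay and dispersion are 16.16 fixed-point seconds."""
    first = ((li & 0x3) << 6) | ((vn & 0x7) << 3) | (mode & 0x7)
    return HEADER.pack(first, stratum, poll, precision,
                       int(root_delay * 65536), int(root_dispersion * 65536),
                       ref_id, ref_ts, orig_ts, recv_ts, xmit_ts)


def parse_header(pkt: bytes) -> dict:
    """Unpack the first 48 bytes of an NTP message into named fields."""
    (first, stratum, poll, precision, root_delay, root_disp,
     ref_id, ref_ts, orig_ts, recv_ts, xmit_ts) = HEADER.unpack(pkt[:HEADER.size])
    return {"li": first >> 6, "vn": (first >> 3) & 0x7, "mode": first & 0x7,
            "stratum": stratum, "poll": poll, "precision": precision,
            "root_delay": root_delay / 65536, "root_dispersion": root_disp / 65536,
            "ref_id": ref_id, "ref_ts": ref_ts, "orig_ts": orig_ts,
            "recv_ts": recv_ts, "xmit_ts": xmit_ts}


def append_md5_mac(header: bytes, key_id: int, key: bytes) -> bytes:
    """Server side: Authenticator = key ID + MD5(key || 48-byte header)."""
    digest = hashlib.md5(key + header[:HEADER.size]).digest()
    return header[:HEADER.size] + struct.pack("!I", key_id) + digest


def verify_md5_mac(pkt: bytes, trusted_keys: dict) -> tuple:
    """Client side with authentication enabled: accept a reply only if its authenticator
    names a trusted key ID and the digest verifies. Returns (accepted, reason)."""
    if len(pkt) == HEADER.size:
        return False, "no authenticator"
    if len(pkt) != HEADER.size + MAC_LEN:
        return False, "unexpected length"
    key_id = struct.unpack("!I", pkt[HEADER.size:HEADER.size + 4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False, f"key {key_id} is not a trusted key"
    expected = hashlib.md5(key + pkt[:HEADER.size]).digest()
    if not hmac.compare_digest(expected, pkt[HEADER.size + 4:]):
        return False, "digest mismatch"
    return True, f"authenticated with key {key_id}"


def run_scenarios() -> dict:
    """Constructed server replies checked by a client whose only trusted key is ID 1."""
    now = 1_700_000_000.0                                 # constructed wall-clock time
    reply = build_header(li=0, vn=3, mode=4, stratum=2, poll=6, precision=-20,
                         ref_id=b"LOCL", ref_ts=to_ntp_ts(now - 30),
                         orig_ts=to_ntp_ts(now - 0.01), recv_ts=to_ntp_ts(now),
                         xmit_ts=to_ntp_ts(now + 0.001))
    server_keys = {1: b"hp-ntp-key-1", 2: b"hp-ntp-key-2"}  # keys configured on the server
    trusted = {1: server_keys[1]}     # client has key 1 configured and declared reliable
    signed_ok = append_md5_mac(reply, 1, server_keys[1])
    signed_untrusted = append_md5_mac(reply, 2, server_keys[2])
    tampered = bytearray(signed_ok)
    tampered[1] = 1                   # an on-path attacker rewrites stratum 2 to stratum 1
    return {"parsed_mode": parse_header(reply)["mode"],
            "trusted_key": verify_md5_mac(signed_ok, trusted)[0],
            "untrusted_key": verify_md5_mac(signed_untrusted, trusted)[0],
            "unauthenticated": verify_md5_mac(reply, trusted)[0],
            "tampered": verify_md5_mac(bytes(tampered), trusted)[0]}
```

run_scenarios() accepts only the reply signed with key 1: the reply signed with key 2 is rejected because key 2 is configured but not trusted (the "key is not a trusted key" case in the guidelines above), the unsigned reply is rejected because the client requires an authenticator, and the reply whose stratum was rewritten in transit fails the digest check. The digest is compared with hmac.compare_digest to avoid leaking timing information; note that this scheme authenticates the source and protects integrity only, and that MD5 is what the device's authentication-mode md5 offers, not a choice this example recommends for new designs.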
Configuring NTP authentication in symmetric peers mode
Follow these instructions to configure NTP authentication in symmetric peers mode:
- An active symmetric peer can synchronize to the passive symmetric peer only when you configure all the required tasks on both the active and the passive symmetric peer.
- When the active peer has a greater stratum level than the passive peer:
  On the active peer, if NTP authentication is not enabled or no key is specified to associate with the passive peer, the active peer synchronizes to the passive peer as long as NTP authentication is disabled on the passive peer.
  On the active peer, if NTP authentication is enabled and a key is associated with the passive peer, but the key is not a trusted key, the active peer does not synchronize to the passive peer, regardless of whether NTP authentication is enabled on the passive peer.

- When the active peer has a smaller stratum level than the passive peer:
  On the active peer, if NTP authentication is not enabled, no key is specified to associate with the passive peer, or the key is not a trusted key, the active peer can synchronize to the passive peer as long as NTP authentication is disabled on the passive peer.
To configure NTP authentication for an active peer:
1. Enter system view.
   system-view
2. Enable NTP authentication.
   ntp-service authentication enable
   By default, NTP authentication is disabled.
3. Configure an NTP authentication key.
   ntp-service authentication-keyid keyid authentication-mode md5 [ cipher | simple ] value
   By default, no NTP authentication key is configured. Configure the same authentication key on the active and the passive symmetric peer.
4. Configure the key as a trusted key.
   ntp-service reliable authentication-keyid keyid
   By default, no authentication key is configured as trusted.
5. Associate the specified key with the passive peer.
   ntp-service unicast-peer { ip-address | peer-name } authentication-keyid keyid
   You can associate a non-existing key with a passive peer. To enable NTP authentication, you must then configure the key and specify it as a trusted key after associating it with the passive peer.
To configure NTP authentication for a passive peer:
1. Enter system view.
   system-view
2. Enable NTP authentication.
   ntp-service authentication enable
   By default, NTP authentication is disabled.
3. Configure an NTP authentication key.
   ntp-service authentication-keyid keyid authentication-mode md5 [ cipher | simple ] value
   By default, no NTP authentication key is configured. Configure the same authentication key on the active and the passive symmetric peer.
4. Configure the key as a trusted key.
   ntp-service reliable authentication-keyid keyid
   By default, no authentication key is configured as trusted.
Configuring NTP authentication in broadcast mode
Follow these instructions to configure NTP authentication in broadcast mode:
- A broadcast client can synchronize to the broadcast server only when you configure all the required tasks on both the broadcast client and the server.
- If NTP authentication is not enabled on the client, the broadcast client can synchronize to the broadcast server regardless of whether NTP authentication is enabled on the server.
To configure NTP authentication for a broadcast client:

1. Enter system view.
   system-view
2. Enable NTP authentication.
   ntp-service authentication enable
   By default, NTP authentication is disabled.
3. Configure an NTP authentication key.
   ntp-service authentication-keyid keyid authentication-mode md5 [ cipher | simple ] value
   By default, no NTP authentication key is configured. Configure the same authentication key on the client and the server.
4. Configure the key as a trusted key.
   ntp-service reliable authentication-keyid keyid
   By default, no authentication key is configured as trusted.
To configure NTP authentication for a broadcast server:
1. Enter system view.
   system-view
2. Enable NTP authentication.
   ntp-service authentication enable
   By default, NTP authentication is disabled.
3. Configure an NTP authentication key.
   ntp-service authentication-keyid keyid authentication-mode md5 [ cipher | simple ] value
   By default, no NTP authentication key is configured. Configure the same authentication key on the client and the server.
4. Configure the key as a trusted key.
   ntp-service reliable authentication-keyid keyid
   By default, no authentication key is configured as trusted.
5. Enter interface view.
   interface interface-type interface-number
6. Associate the specified key with the broadcast server.
   ntp-service broadcast-server authentication-keyid keyid
   You can associate a non-existing key with the broadcast server. To enable NTP authentication, you must then configure the key and specify it as a trusted key after associating it with the broadcast server.
Configuring NTP authentication in multicast mode
Follow these instructions to configure NTP authentication in multicast mode:
- A multicast client can synchronize to the multicast server only when you configure all the required tasks on both the multicast client and the server.
- If NTP authentication is not enabled on the client, the multicast client can synchronize to the multicast server regardless of whether NTP authentication is enabled on the server.
To configure NTP authentication for a multicast client:
1. Enter system view.
   system-view
2. Enable NTP authentication.
   ntp-service authentication enable
   By default, NTP authentication is disabled.

126 Step Command Remarks 3. Configure an NTP authentication key. 4. Configure the key as a trusted key. ntp-service authentication-keyid keyid authentication-mode md5 [ cipher simple ] value ntp-service reliable authentication-keyid keyid By default, no NTP authentication key is configured. Configure the same authentication key on the client and server. By default, no authentication key is configured to be trusted. To configure NTP authentication for a multicast server: Step Command Remarks 1. Enter system view. system-view N/A 2. Enable NTP authentication. ntp-service authentication enable By default, NTP authentication is disabled. 3. Configure an NTP authentication key. 4. Configure the key as a trusted key. 5. Enter interface view. 6. Associate the specified key with the multicast server. ntp-service authentication-keyid keyid authentication-mode md5 [ cipher simple ] value ntp-service reliable authentication-keyid keyid interface interface-type interface-number ntp-service multicast-server authentication-keyid keyid By default, no NTP authentication key is configured. Configure the same authentication key on the client and server. By default, no authentication key is configured to be trusted. N/A You can associate a non-existing key with the multicast server. To enable NTP authentication, you must configure the key and specify it as a trusted key after associating the key with the multicast server. Displaying and maintaining NTP Task Command Remarks Display information about NTP service status. Display information about NTP sessions. Display brief information about the NTP servers from the local device back to the primary reference source. display ntp-service status [ { begin exclude include } regular-expression ] display ntp-service sessions [ verbose ] [ { begin exclude include } regular-expression ] display ntp-service trace [ { begin exclude include } regular-expression ] Available in any view. Available in any view. Available in any view. 
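The MD5 authentication that the tables above configure (ntp-service authentication enable, an authentication key, and the key marked as trusted) protects each NTP packet with a trailer made of the key ID followed by MD5(key || NTP header). The following Python script is an added example, not code from this guide or from HP: it constructs a broadcast-mode NTP header, appends that trailer on the server side, and applies the client-side acceptance rules stated above (a client with authentication disabled accepts the packet either way; a client with authentication enabled requires a configured, trusted key whose digest verifies). The key ID 42 and key value anicekey are reused from the client/server authentication example later in this chapter; the header field values and the function names are this example's own.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48   # fixed NTP header without extension fields
KEY_ID_LEN = 4        # key ID field of the authentication trailer
DIGEST_LEN = 16       # MD5 digest length


def _md5(data):
    # usedforsecurity=False lets the call run on FIPS-restricted builds (Python 3.9+);
    # older interpreters do not accept the keyword.
    try:
        return hashlib.md5(data, usedforsecurity=False)
    except TypeError:
        return hashlib.md5(data)


def build_header(stratum, ref_id, transmit_ts):
    """Constructed NTPv4 header in broadcast mode (mode 5); only stratum, reference ID
    and transmit timestamp are filled in, the other fields are zero."""
    li_vn_mode = (0 << 6) | (4 << 3) | 5          # LI=0, VN=4, mode=5
    poll, precision, root_delay, root_disp = 6, -7, 0, 0
    return struct.pack("!BBBbII4sQQQQ", li_vn_mode, stratum, poll, precision,
                       root_delay, root_disp, ref_id, 0, 0, 0, transmit_ts)


def sign(header, key_id, keys):
    """Server side: append the key ID and MD5(key || header), as the md5 authentication mode does."""
    digest = _md5(keys[key_id] + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet, auth_enabled, keys, trusted):
    """Client side. keys maps key ID -> secret (ntp-service authentication-keyid);
    trusted holds the IDs marked reliable (ntp-service reliable authentication-keyid).
    Returns (accepted, reason)."""
    if not auth_enabled:
        # Authentication disabled on the client: the packet is accepted whether or
        # not the server authenticated it.
        return True, "authentication disabled on client"
    if len(packet) == NTP_HEADER_LEN:
        return False, "unauthenticated packet rejected"
    if len(packet) != NTP_HEADER_LEN + KEY_ID_LEN + DIGEST_LEN:
        return False, "unexpected packet length %d" % len(packet)
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + KEY_ID_LEN])[0]
    digest = packet[NTP_HEADER_LEN + KEY_ID_LEN:]
    if key_id not in keys:
        return False, "key %d is not configured" % key_id
    if key_id not in trusted:
        return False, "key %d is not a trusted key" % key_id
    expected = _md5(keys[key_id] + header).digest()
    if not hmac.compare_digest(expected, digest):
        return False, "digest mismatch for key %d" % key_id
    return True, "authenticated with key %d" % key_id


def demo():
    """Walk through the acceptance cases with constructed data; returns {case: (accepted, reason)}."""
    keys = {42: b"anicekey"}     # key ID and value as in the client/server authentication example
    trusted = {42}
    header = build_header(stratum=2, ref_id=b"LOCL", transmit_ts=0xC6D94F675EF9DB22)
    signed = sign(header, 42, keys)
    altered = signed[:1] + b"\x01" + signed[2:]    # stratum byte changed in transit
    return {
        "signed": verify(signed, True, keys, trusted),
        "altered": verify(altered, True, keys, trusted),
        "plain_auth_on": verify(header, True, keys, trusted),
        "plain_auth_off": verify(header, False, keys, trusted),
        "key_not_trusted": verify(signed, True, keys, set()),
        "wrong_key_on_server": verify(sign(header, 42, {42: b"otherkey"}), True, keys, trusted),
    }


if __name__ == "__main__":
    for case, (accepted, reason) in demo().items():
        print("%-20s %-8s %s" % (case, "accept" if accepted else "reject", reason))
```

The key_not_trusted case is why step 4 (ntp-service reliable authentication-keyid) is required on the client: a key that is configured but not trusted is rejected, and associating a non-existing key with a broadcast or multicast server likewise enables nothing until that key exists and is trusted.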
NTP client/server mode configuration example

In this example, Device B is the LB module.

Network requirements
Perform the following configurations to synchronize the time between Device B and Device A:
- As shown in Figure 77, the local clock of Device A is to be used as a reference source, with the stratum level 2.
- Device B operates in client/server mode and Device A is to be used as the NTP server of Device B.

Figure 77 Network diagram

Configuration procedure
Set the IP address for each interface as shown in Figure 77. (Details not shown.)

Configure Device A:
# Specify the local clock as the reference source, with the stratum level 2.
<DeviceA> system-view
[DeviceA] ntp-service refclock-master 2

Configure Device B:
# Display the NTP status of Device B before clock synchronization.
<DeviceB> display ntp-service status
Clock status: unsynchronized
Clock stratum: 16
Reference clock ID: none
Nominal frequency: Hz
Actual frequency: Hz
Clock precision: 2^7
Clock offset: ms
Root delay: 0.00 ms
Root dispersion: 0.00 ms
Peer dispersion: 0.00 ms
Reference time: 00:00: UTC Jan ( )
# Specify Device A as the NTP server of Device B so that Device B synchronizes to Device A.
<DeviceB> system-view
[DeviceB] ntp-service unicast-server
# Display the NTP status of Device B after clock synchronization.
[DeviceB] display ntp-service status
Clock status: synchronized
Clock stratum: 3
Reference clock ID:
Nominal frequency: Hz
Actual frequency: Hz
Clock precision: 2^7
Clock offset: ms
Root delay: ms
Root dispersion: 1.05 ms
Peer dispersion: 7.81 ms
Reference time: 14:53: UTC Sep (C6D94F67.5EF9DB22)
The output shows that Device B has synchronized to Device A. The stratum level of Device B is 3, and that of Device A is 2.
# Display NTP session information for Device B, which shows that an association has been set up between Device B and Device A.
[DeviceB] display ntp-service sessions
source reference stra reach poll now offset delay disper
**************************************************************************
[12345]
note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured
Total associations : 1

NTP symmetric peers mode configuration example

Network requirements
Perform the following configurations to synchronize time among devices:
- As shown in Figure 78, the local clock of LB A is to be configured as a reference source, with the stratum level 2.
- The local clock of LB C is to be configured as a reference source, with the stratum level 1.
- LB B operates in client mode and LB A is to be used as the NTP server of LB B.
- LB C operates in symmetric-active mode and LB B acts as the peer of LB C.

Figure 78 Network diagram (LB A: NTP server; LB B: NTP client / symmetric passive peer; LB C: symmetric active peer)

Configuration procedure
Set the IP address for each interface as shown in Figure 78. (Details not shown.)

Configure LB A:
# Specify the local clock as the reference source, with the stratum level 2.
<LBA> system-view
[LBA] ntp-service refclock-master 2

Configure LB B:
# Specify LB A as the NTP server of LB B.

<LBB> system-view
[LBB] ntp-service unicast-server

Configure LB C (after LB B is synchronized to LB A):
# Specify the local clock as the reference source, with the stratum level 1.
<LBC> system-view
[LBC] ntp-service refclock-master 1
# Configure LB B as a symmetric peer after local synchronization.
[LBC] ntp-service unicast-peer
In the step above, LB B and LB C are configured as symmetric peers, with LB C in the symmetric-active mode and LB B in the symmetric-passive mode. Because the stratum level of LB C is 1 while that of LB B is 3, LB B synchronizes to LB C.
# Display the NTP status of LB B after clock synchronization.
[LBB] display ntp-service status
Clock status: synchronized
Clock stratum: 2
Reference clock ID:
Nominal frequency: Hz
Actual frequency: Hz
Clock precision: 2^7
Clock offset: ms
Root delay: ms
Root dispersion: ms
Peer dispersion: ms
Reference time: 15:22: UTC Sep (C6D F7CED)
The output shows that LB B has synchronized to LB C. The stratum level of LB B is 2, and that of LB C is 1.
# Display NTP session information for LB B, which shows that an association has been set up between LB B and LB C.
[LBB] display ntp-service sessions
source reference stra reach poll now offset delay disper
**************************************************************************
[245]
[1234] LOCL
note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured
Total associations : 2

NTP broadcast mode configuration example

Network requirements
As shown in Figure 79, LB C functions as the NTP server for multiple devices on a network segment and synchronizes the time among multiple devices.
- LB C's local clock is to be used as a reference source, with the stratum level 2.
- LB C operates in broadcast server mode and sends broadcast messages from GigabitEthernet 0/1.
- LB B and LB A operate in broadcast client mode and receive broadcast messages through their respective GigabitEthernet 0/1.

Figure 79 Network diagram (LB C: NTP broadcast server, GE0/1; LB A: NTP broadcast client, GE0/1; LB B: NTP broadcast client, GE0/1)

Configuration procedure
Set the IP address for each interface as shown in Figure 79. (Details not shown.)

Configure LB C:
# Specify the local clock as the reference source, with the stratum level 2.
<LBC> system-view
[LBC] ntp-service refclock-master 2
# Configure LB C to operate in broadcast server mode and send broadcast messages through GigabitEthernet 0/1.
[LBC] interface gigabitethernet 0/1
[LBC-GigabitEthernet0/1] ntp-service broadcast-server

Configure LB A:
# Configure LB A to operate in broadcast client mode and receive broadcast messages on GigabitEthernet 0/1.
<LBA> system-view
[LBA] interface gigabitethernet 0/1
[LBA-GigabitEthernet0/1] ntp-service broadcast-client

Configure LB B:
# Configure LB B to operate in broadcast client mode and receive broadcast messages on GigabitEthernet 0/1.
<LBB> system-view
[LBB] interface gigabitethernet 0/1
[LBB-GigabitEthernet0/1] ntp-service broadcast-client
LB A and LB B get synchronized upon receiving a broadcast message from LB C.
# Take LB A as an example. Display the NTP status of LB A after clock synchronization.
[LBA-GigabitEthernet0/1] display ntp-service status
Clock status: synchronized
Clock stratum: 3
Reference clock ID:
Nominal frequency: Hz
Actual frequency: Hz

Clock precision: 2^7
Clock offset: ms
Root delay: ms
Root dispersion: 8.31 ms
Peer dispersion: ms
Reference time: 16:01: UTC Sep (C6D95F6F.B6872B02)
The output shows that LB A has synchronized to LB C. The stratum level of LB A is 3, and that of LB C is 2.
# Display NTP session information for LB A, which shows that an association has been set up between LB A and LB C.
[LBA-GigabitEthernet0/1] display ntp-service sessions
source reference stra reach poll now offset delay disper
**************************************************************************
[1234]
note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured
Total associations : 1

NTP multicast mode configuration example

Network requirements
As shown in Figure 80, LB B functions as the NTP server for multiple devices on different network segments and synchronizes the time among multiple devices.
- LB B's local clock is to be used as a reference source, with the stratum level 2.
- LB B operates in multicast server mode and sends multicast messages from GigabitEthernet 0/1.
- LB A and LB C operate in multicast client mode and receive multicast messages through their respective GigabitEthernet 0/1.

Figure 80 Network diagram

Configuration procedure
Set the IP address for each interface as shown in Figure 80. (Details not shown.)

Configure LB B:
# Specify the local clock as the reference source, with the stratum level 2.

<LBB> system-view
[LBB] ntp-service refclock-master 2
# Configure LB B to operate in multicast server mode and send multicast messages through GigabitEthernet 0/1.
[LBB] interface gigabitethernet 0/1
[LBB-GigabitEthernet0/1] ntp-service multicast-server

Configure LB C:
# Configure LB C to operate in multicast client mode and receive multicast messages on GigabitEthernet 0/1.
<LBC> system-view
[LBC] interface gigabitethernet 0/1
[LBC-GigabitEthernet0/1] ntp-service multicast-client
Because LB C and LB B are on the same subnet, LB C can receive the multicast messages from LB B without the multicast functions being enabled, and can be synchronized to LB B.
# Display the NTP status of LB C after clock synchronization.
[LBC-GigabitEthernet0/1] display ntp-service status
Clock status: synchronized
Clock stratum: 3
Reference clock ID:
Nominal frequency: Hz
Actual frequency: Hz
Clock precision: 2^7
Clock offset: ms
Root delay: ms
Root dispersion: 8.31 ms
Peer dispersion: ms
Reference time: 16:01: UTC Sep (C6D95F6F.B6872B02)
The output shows that LB C has synchronized to LB B. The stratum level of LB C is 3, and that of LB B is 2.
# Display NTP session information for LB C, which shows that an association has been set up between LB C and LB B.
[LBC-GigabitEthernet0/1] display ntp-service sessions
source reference stra reach poll now offset delay disper
**************************************************************************
[1234]
note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured
Total associations : 1

Configure Device:
Because LB A and LB B are on different subnets, you must enable the multicast functions on Device before LB A can receive multicast messages from LB B.
# Enable the IP multicast function.
<Device> system-view
[Device] multicast routing-enable
[Device] interface gigabitethernet 0/1
[Device-GigabitEthernet0/1] igmp enable
[Device-GigabitEthernet0/1] igmp static-group
[Device-GigabitEthernet0/1] quit

[Device] interface gigabitethernet 0/2
[Device-GigabitEthernet0/2] pim dm

Configure LB A:
<LBA> system-view
[LBA] interface gigabitethernet 0/1
# Configure LB A to operate in multicast client mode and receive multicast messages on GigabitEthernet 0/1.
[LBA-GigabitEthernet0/1] ntp-service multicast-client
# Display the NTP status of LB A after clock synchronization.
[LBA-GigabitEthernet0/1] display ntp-service status
Clock status: synchronized
Clock stratum: 3
Reference clock ID:
Nominal frequency: Hz
Actual frequency: Hz
Clock precision: 2^7
Clock offset: ms
Root delay: ms
Root dispersion: ms
Peer dispersion: ms
Reference time: 16:02: UTC Sep (C6D95F6F.B6872B02)
The output shows that LB A has synchronized to LB B. The stratum level of LB A is 3, and that of LB B is 2.
# Display NTP session information for LB A, which shows that an association has been set up between LB A and LB B.
[LBA-GigabitEthernet0/1] display ntp-service sessions
source reference stra reach poll now offset delay disper
**************************************************************************
[1234]
note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured
Total associations : 1

Configuration example for NTP client/server mode with authentication

In this example, Device B is the LB module.

Network requirements
As shown in Figure 81, perform the following configurations to synchronize the time between Device B and Device A and ensure network security.
- The local clock of Device A is to be configured as a reference source, with the stratum level 2.
- Device B operates in client mode, with Device A as its NTP server.
- NTP authentication is to be enabled on both Device A and Device B.

Figure 81 Network diagram

Configuration procedure
Set the IP address for each interface as shown in Figure 81. (Details not shown.)

Configure Device A:
# Specify the local clock as the reference source, with the stratum level 2.
<DeviceA> system-view
[DeviceA] ntp-service refclock-master 2

Configure Device B:
<DeviceB> system-view
# Enable NTP authentication on Device B.
[DeviceB] ntp-service authentication enable
# Set an authentication key.
[DeviceB] ntp-service authentication-keyid 42 authentication-mode md5 anicekey
# Specify the key as a trusted key.
[DeviceB] ntp-service reliable authentication-keyid 42
# Specify Device A as the NTP server of Device B.
[DeviceB] ntp-service unicast-server authentication-keyid 42
Before Device B can synchronize to Device A, enable NTP authentication for Device A. Perform the following configuration on Device A:
# Enable NTP authentication.
[DeviceA] ntp-service authentication enable
# Set an authentication key.
[DeviceA] ntp-service authentication-keyid 42 authentication-mode md5 anicekey
# Specify the key as a trusted key.
[DeviceA] ntp-service reliable authentication-keyid 42
# Display the NTP status of Device B after clock synchronization.
[DeviceB] display ntp-service status
Clock status: synchronized
Clock stratum: 3
Reference clock ID:
Nominal frequency: Hz
Actual frequency: Hz
Clock precision: 2^7
Clock offset: ms
Root delay: ms
Root dispersion: 1.05 ms
Peer dispersion: 7.81 ms
Reference time: 14:53: UTC Sep (C6D94F67.5EF9DB22)
The output shows that Device B has synchronized to Device A. The stratum level of Device B is 3, and that of Device A is 2.

# Display NTP session information for Device B, which shows that an association has been set up between Device B and Device A.
[DeviceB] display ntp-service sessions
source reference stra reach poll now offset delay disper
**************************************************************************
[12345]
note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured
Total associations : 1

Configuration example for NTP broadcast mode with authentication

Network requirements
As shown in Figure 82, LB C functions as the NTP server for multiple devices on different network segments and synchronizes the time among multiple devices. LB B authenticates the reference source.
- LB C's local clock is to be used as a reference source, with the stratum level 3.
- LB C operates in broadcast server mode and sends broadcast messages from GigabitEthernet 0/1.
- LB A and LB B operate in broadcast client mode and receive broadcast messages through GigabitEthernet 0/1.
- Configure NTP authentication on both LB B and LB C.

Figure 82 Network diagram

Configuration procedure
Set the IP address for each interface as shown in Figure 82. (Details not shown.)

Configure LB A:
# Configure LB A to operate in NTP broadcast client mode and receive NTP broadcast messages on GigabitEthernet 0/1.
<LBA> system-view
[LBA] interface gigabitethernet 0/1
[LBA-GigabitEthernet0/1] ntp-service broadcast-client

Configure LB B:

# Enable NTP authentication on LB B. Configure an NTP authentication key, with the key ID of 88 and key value of ... Specify the key as a trusted key.
<LBB> system-view
[LBB] ntp-service authentication enable
[LBB] ntp-service authentication-keyid 88 authentication-mode md5
[LBB] ntp-service reliable authentication-keyid 88
# Configure LB B to operate in broadcast client mode and receive NTP broadcast messages on GigabitEthernet 0/1.
[LBB] interface gigabitethernet 0/1
[LBB-GigabitEthernet0/1] ntp-service broadcast-client

Configure LB C:
# Specify the local clock as the reference source, with the stratum level 3.
<LBC> system-view
[LBC] ntp-service refclock-master 3
# Configure LB C to operate in NTP broadcast server mode and use GigabitEthernet 0/1 to send NTP broadcast packets.
[LBC] interface gigabitethernet 0/1
[LBC-GigabitEthernet0/1] ntp-service broadcast-server
[LBC-GigabitEthernet0/1] quit
# LB A synchronizes its local clock based on the received broadcast messages sent from LB C.
# Display NTP service status information on LB A.
[LBA-GigabitEthernet0/1] display ntp-service status
Clock status: synchronized
Clock stratum: 4
Reference clock ID:
Nominal frequency: Hz
Actual frequency: Hz
Clock precision: 2^7
Clock offset: ms
Root delay: ms
Root dispersion: 8.31 ms
Peer dispersion: ms
Reference time: 16:01: UTC Sep (C6D95F6F.B6872B02)
The output shows that LB A has synchronized to LB C. The stratum level of LB A is 4, and that of LB C is 3.
# Display NTP session information for LB A, which shows that an association has been set up between LB A and LB C.
[LBA-GigabitEthernet0/1] display ntp-service sessions
source reference stra reach poll now offset delay disper
**************************************************************************
[1234]
note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured
Total associations : 1
# NTP authentication is enabled on LB B, but not enabled on LB C, so LB B cannot synchronize to LB C.
[LBB-GigabitEthernet0/1] display ntp-service status
Clock status: unsynchronized

Clock stratum: 16
Reference clock ID: none
Nominal frequency: Hz
Actual frequency: Hz
Clock precision: 2^18
Clock offset: ms
Root delay: 0.00 ms
Root dispersion: 0.00 ms
Peer dispersion: 0.00 ms
Reference time: 00:00: UTC Jan ( )
# Enable NTP authentication on LB C. Configure an NTP authentication key, with the key ID of 88 and key value of ... Specify the key as a trusted key.
[LBC] ntp-service authentication enable
[LBC] ntp-service authentication-keyid 88 authentication-mode md5
[LBC] ntp-service reliable authentication-keyid 88
# Specify LB C as an NTP broadcast server, and associate the key 88 with LB C.
[LBC] interface gigabitethernet 0/1
[LBC-GigabitEthernet0/1] ntp-service broadcast-server authentication-keyid 88
# After NTP authentication is enabled on LB C, LB B can synchronize to LB C. Display NTP service status information on LB B.
[LBB-GigabitEthernet0/1] display ntp-service status
Clock status: synchronized
Clock stratum: 4
Reference clock ID:
Nominal frequency: Hz
Actual frequency: Hz
Clock precision: 2^7
Clock offset: ms
Root delay: ms
Root dispersion: 8.31 ms
Peer dispersion: ms
Reference time: 16:01: UTC Sep (C6D95F6F.B6872B02)
The output shows that LB B has synchronized to LB C. The stratum level of LB B is 4, and that of LB C is 3.
# Display NTP session information for LB B, which shows that an association has been set up between LB B and LB C.
[LBB-GigabitEthernet0/1] display ntp-service sessions
source reference stra reach poll now offset delay disper
**************************************************************************
[1234]
note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured
Total associations : 1
# Configuration of NTP authentication on LB C does not affect LB A. LB A still synchronizes to LB C.
[LBA-GigabitEthernet0/1] display ntp-service status
Clock status: synchronized
Clock stratum: 4
Reference clock ID:

Nominal frequency: Hz
Actual frequency: Hz
Clock precision: 2^7
Clock offset: ms
Root delay: ms
Root dispersion: 8.31 ms
Peer dispersion: ms
Reference time: 16:01: UTC Sep (C6D95F6F.B6872B02)

Configuration guidelines

- A device can act as a server to synchronize the clock of other devices only after its clock has been synchronized.
- If the clock of a server has a stratum level higher than or equal to that of a client's clock, the client does not synchronize to the server.
- The synchronization process takes a period of time. Therefore, the clock status might be unsynchronized after your configuration in the Web interface. In this case, you can refresh the page to view the clock status later on.
- If the system time of the NTP server is ahead of the system time of the device, and the difference between them exceeds the Web idle time specified on the device, all online Web users are logged out because of timeout.

Upgrading software

You can use the CLI, Boot menu, or Web interface to upgrade software. This chapter describes how to upgrade software from the CLI and Web.

Overview

Upgrading software includes upgrading the BootWare (called "bootrom" in CLI) and system software. Each time the device is powered on, it runs the BootWare image to initialize hardware and display hardware information, and then runs the system software image (called the "boot file" in software code) so you can access the software features, as shown in Figure 83.

Figure 83 System startup process (after the BootWare runs, pressing Ctrl+B enters the Boot menu to upgrade BootWare or system software; otherwise the system software image runs and the CLI is entered; the Reboot option restarts the process)

Software upgrade methods

You can use one of the following methods to upgrade system software:
- Upgrading from the CLI: Upgrading entire software
  Software types: BootWare image; System software image (excluding patches)
  Remarks: This method is disruptive. You must reboot the device to complete the upgrade.

- Upgrading from the CLI: Installing hotfixes
  Software types: System software images
  Remarks: Hotfixes repair software defects without requiring a reboot or service interruption. Hotfixes do not add new features to system software images.
- Upgrading from the Web interface
  Software types: System software images
  Remarks: It is a user-friendly method for upgrading the system software image.
- Upgrading from the Boot menu
  Software types: BootWare image; System software images
  Remarks: Use this method when the device cannot start up correctly. For information about this upgrading method, see the release notes for your device.

Upgrading BootWare

You can upgrade the BootWare image only from the CLI.

To upgrade the BootWare image:
1. Use FTP or TFTP to transfer the BootWare image to the root directory of the device's storage medium.
   Command: See System Maintenance Configuration Guide.
   Remarks: Make sure the image file is saved in the root directory of the storage medium. If the storage medium has been partitioned, save the image file to the root directory of the first partition.
2. Enter system view.
   Command: system-view
   Remarks: N/A
3. Enable BootWare image validity check.
   Command: bootrom-update security-check enable
   Remarks: Optional. By default, the validity check function is enabled. This feature examines the upgrade BootWare image for version and hardware incompatibility to ensure a successful upgrade.
4. Return to user view.
   Command: quit
   Remarks: N/A
5. Read, restore, back up, or upgrade the BootWare program on the device in user view.
   Command: bootrom { backup | read | restore | update file file-url } [ all | part ]
   Remarks: If neither the all keyword nor the part keyword is specified, the specified action applies to the entire BootWare image.
6. Reboot the device.
   Command: reboot
   Remarks: N/A

Upgrading the system software

You can upgrade the system software image in the Web interface or at the CLI.

Upgrading system software in the Web interface

IMPORTANT: Upgrading software takes some time. During software upgrade, do not perform any operation on the Web interface. Otherwise, the upgrade might be disrupted.

To upgrade software:
1. Select System > Software Upgrade from the navigation tree.
   Figure 84 Software upgrade configuration page
2. Configure upgrade parameters as described in Table 22.
3. Click Apply.

Table 22 Configuration items
- File: Specify the filename of the local system software image file, which must have the extension .app or .bin.
- File Type: Specify the type of the next-startup system software image:
  Main: Main system software image to be used at the next startup. The main system software image has higher priority than the backup system software image at startup.
  Backup: Backup system software image to be used at the next startup. It is used to start up the device when the main system software image is not available.
- If a file with the same name already exists, overwrite it without any prompt: Specify whether to overwrite the file with the same name. If you do not select the option, when a file with the same name exists, the system does not upgrade the software but displays an error message: "The file has existed."
- Reboot after the upgrade is finished: Specify whether to reboot the device to make the upgraded software take effect after the system software image is uploaded.

Upgrading system software at the CLI

1. Use FTP or TFTP to transfer the system software image to the root directory of the device's storage medium.
   Command: See System Maintenance Configuration Guide.
   Remarks: The image file must be saved in the root directory for a successful upgrade. If the storage medium has been partitioned, save the image file to the root directory of the first partition.
2. Specify the file as the startup system software image in user view.
   Command: boot-loader file file-url { main | backup }
   Remarks: N/A
3. Reboot the device.
   Command: reboot
   Remarks: N/A

Installing hotfixes

Hotfixes (called "patches" in this document) repair software defects without requiring a system reboot.

Basic concepts

This section describes the basic patch concepts.

Patch, patch file, and patch package file
A patch fixes certain software defects. A patch file contains one or more patches. After being loaded from the storage medium to the patch memory area, each patch is assigned a unique number, which starts from 1. For example, if a patch file has three patches, they are numbered 1, 2, and 3. A patch package file contains patch files for multiple modules. It enables you to use one command to bulk-fix bugs for multiple modules.

Incremental patch
Incremental patches are dependent on previous patches and cannot run separately. For example, if a patch file has three patches, patch 3 can be running only after patches 1 and 2 take effect. You cannot run patch 3 separately. Patches that have been released are all incremental patches.

Common patch and temporary patch
Common patches are formally released to users. Temporary patches are interim solutions that are provided to fix critical bugs. They are not formally released. A common patch always includes the functions of its previous temporary patches. The system deletes all the temporary patches before loading the common patch.

Patch states

A patch is in IDLE, DEACTIVE, ACTIVE, or RUNNING state, depending on the patch manipulation command. Patch manipulation commands include patch load (load), patch active (run temporarily), patch run (confirm running), patch deactive (stop running), patch delete (delete), patch install (install), and undo patch install (uninstall). For example, if you execute the patch active command, patches in DEACTIVE state change to the ACTIVE state. Figure 85 shows the patch manipulation commands and how they affect the patch state.

IMPORTANT: Patch state information is saved in the patchstate file on the storage medium. To make sure the device can correctly find the patches, do not edit, delete, or move the file, or change the file name.

Figure 85 Impact of patch manipulation commands on patch state

IDLE state
Patches that have not been loaded are in IDLE state. You cannot install or run these patches. As shown in Figure 86, the patch memory area can load up to eight patches. The patch memory area supports up to 200 patches.

Figure 86 Patches that are not loaded to the patch memory area

DEACTIVE state
Patches in DEACTIVE state have been loaded to the patch memory area but have not yet run in the system. Suppose that the patch file you are loading has seven patches. After the seven patches successfully pass the version check and CRC check, they are loaded to the patch memory area and are in DEACTIVE state. In the patch memory area, patch states are as shown in Figure 87.

Figure 87 Patch states in the patch memory area after a patch file is loaded

ACTIVE state
Patches in ACTIVE state run temporarily in the system and become DEACTIVE after a system reboot. For the seven patches in Figure 87, if you activate the first five patches, their states change from DEACTIVE to ACTIVE. The patch states in the system are as shown in Figure 88. The patches that are in ACTIVE state change to the DEACTIVE state after a system reboot.
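The following Python model is an added example, not code from this guide or from the product software, of the patch lifecycle this section describes: patches enter the patch memory area in DEACTIVE state on patch load, patch active makes a leading run of them ACTIVE (patches are incremental, so a later patch never runs without the earlier ones), patch run confirms ACTIVE patches as RUNNING, and a reboot returns ACTIVE patches to DEACTIVE while RUNNING patches persist. The walkthrough() function replays the seven-patch scenario of this section (load seven, activate the first five, confirm the first three, reboot). The class and method names are this example's own; the exact effect of patch delete, whether patch deactive also stops RUNNING patches, whether undo patch install empties the area, and the requirement that the area be empty before a load are assumptions, marked as such in the code.

```python
IDLE, DEACTIVE, ACTIVE, RUNNING = "IDLE", "DEACTIVE", "ACTIVE", "RUNNING"


class PatchError(Exception):
    """Raised when a patch command is not valid in the current state."""


class PatchMemoryArea:
    """Patches of one loaded patch file, numbered from 1 as the guide describes.
    Patches that are not in the area are in IDLE state."""

    def __init__(self):
        self.states = []        # states[i] is the state of patch number i + 1

    def summary(self):
        return tuple(self.states)

    def _check_loaded(self, number):
        if not 1 <= number <= len(self.states):
            raise PatchError("patch %d is not loaded" % number)

    def load(self, patch_count):
        """patch load: every patch in the file enters DEACTIVE.
        Assumption (not stated in the guide): the area must be empty first."""
        if self.states:
            raise PatchError("patch memory area already holds a patch file")
        self.states = [DEACTIVE] * patch_count

    def activate(self, upto):
        """patch active: run patches temporarily (ACTIVE). Patches are incremental,
        so activation always covers the prefix 1..upto; nothing is skipped."""
        self._check_loaded(upto)
        for i in range(upto):
            if self.states[i] == DEACTIVE:
                self.states[i] = ACTIVE

    def confirm(self, upto):
        """patch run: confirm patches 1..upto so they keep running after a reboot."""
        self._check_loaded(upto)
        if any(s == DEACTIVE for s in self.states[:upto]):
            raise PatchError("cannot confirm a patch that is not ACTIVE")
        self.states[:upto] = [RUNNING] * upto

    def deactivate(self, start):
        """patch deactive: stop patch `start` and, since later patches depend on it,
        every later patch. Assumption: RUNNING patches are stopped the same way."""
        self._check_loaded(start)
        for i in range(start - 1, len(self.states)):
            if self.states[i] in (ACTIVE, RUNNING):
                self.states[i] = DEACTIVE

    def delete(self):
        """patch delete: remove the patches from the area (back to IDLE).
        Assumption: refused while any patch is still ACTIVE or RUNNING."""
        if any(s in (ACTIVE, RUNNING) for s in self.states):
            raise PatchError("deactivate patches before deleting them")
        self.states = []

    def reboot(self):
        """ACTIVE patches fall back to DEACTIVE; RUNNING patches persist."""
        self.states = [DEACTIVE if s == ACTIVE else s for s in self.states]

    def install(self, patch_count, keep_after_reboot):
        """patch install: load and activate in one step, optionally confirming as RUNNING."""
        self.load(patch_count)
        self.activate(patch_count)
        if keep_after_reboot:
            self.confirm(patch_count)

    def uninstall(self):
        """undo patch install: all ACTIVE and RUNNING patches return to IDLE.
        Assumption: the area is emptied, DEACTIVE patches included."""
        self.states = []


def attempt(action, *args):
    """Run a patch command and return its error message, or None on success."""
    try:
        action(*args)
        return None
    except PatchError as exc:
        return str(exc)


def walkthrough():
    """The seven-patch scenario of this section: load 7, activate 5, confirm 3, reboot."""
    area = PatchMemoryArea()
    steps = {}
    area.load(7)
    steps["loaded"] = area.summary()
    area.activate(5)
    steps["activated"] = area.summary()
    area.confirm(3)
    steps["confirmed"] = area.summary()
    area.reboot()
    steps["after_reboot"] = area.summary()
    return steps


if __name__ == "__main__":
    for step, states in walkthrough().items():
        print("%-13s %s" % (step, " ".join(states)))
```

The model makes the incremental rule visible: confirm(3) after activate(2) is refused because patch 3 is still DEACTIVE, and activation and deactivation always act on a contiguous range, which is why the guide's figures show the first five and then the first three patches changing state together.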

Figure 88 Patches are activated

RUNNING state
After you confirm ACTIVE patches, their states change to RUNNING and persist after a reboot. In contrast to ACTIVE patches, RUNNING patches continue to take effect after a reboot. For example, if you confirm the first three patches in Figure 88, their state changes from ACTIVE to RUNNING, and the RUNNING state persists after a reboot. The patch states of the system are shown in Figure 89.

Figure 89 Patches in RUNNING state

Patch installation task list

- Installing patches (use either method; step-by-step patch installation allows you to control the patch status):
  Installing and running a patch in one step
  Installing a patch step by step
- Uninstalling a patch step by step
  Remarks: Optional.

Installation prerequisites

To ensure a successful patch installation and normal device operation after patch installation:
- Make sure each patch file you are installing matches the product hardware and the software version.

- Save patch files or patch package files to the root directory of the device's storage medium. If the storage medium has been partitioned, save the files to the root directory of the first partition.
- Correctly name a patch file in the patch_PATCH-FLAG suffix.bin format. The PATCH-FLAG suffix is predefined and must be the same as the first three characters of the value for the Version field in the output from the display patch information command. If a patch file is not correctly named, the system cannot identify the file. The default system patch file name of the device is patch_hfw.bin.

Installing and running a patch in one step

To install and run patches in one step, use the patch install command. This command changes the state of installed patches from IDLE to ACTIVE or RUNNING, depending on your choice. When executing the patch install command, you must choose whether installed patches continue to run after a reboot. If you choose to have installed patches continue to run after a reboot, the installed patches are set in RUNNING state and remain in this state after a reboot. If not, the installed patches are set in ACTIVE state and change to the DEACTIVE state at a reboot.

To install and run patches in one step:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Install and run patches in one step.
   Command: patch install { patch-location | file patch-package }
   Remarks: patch-location: Specifies the directory where the patch file is located. file patch-package: Specifies a patch package file name. If you execute the patch install patch-location command, the directory specified for the patch-location argument replaces the directory specified with the patch location command after the upgrade is complete. If you execute the patch install file patch-package command, the directory specified with the patch location command does not change.

To uninstall all ACTIVE and RUNNING patches in one step, use the undo patch install command. For information about the step-by-step patch uninstall approach, see "Uninstalling a patch step by step."

Installing a patch step by step

In contrast to the one-step patch installation approach, step-by-step patch installation enables you to control patch status during the patch installation process.

Step-by-step patch installation task list

- Configuring the patch file location
  Remarks: Optional. To install a patch package, skip this step.
- Loading a patch file
  Remarks: Required.
- Activating patches
  Remarks: Required.

Task: Confirming ACTIVE patches
Remarks: Optional.

Configuring the patch file location

For reliable patch loading, HP recommends saving patch files to the root directory of the storage medium. If the patch file is saved in the root directory, you do not need to specify the patch location. If not, use the patch location patch-location command to specify the patch file location.

To configure the patch file location:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure the patch file location.
   Command: patch location patch-location
   Remarks: By default, the system loads a patch file from the root directory of the storage medium.

NOTE: If you execute the patch install patch-location command, the directory specified for the patch-location argument replaces the directory specified with the patch location command after the upgrade is complete.

Loading a patch file

Loading the correct patch files is the basis of other patch installation operations. The system loads patches from the specified patch location. If no patch location has been specified, the system loads a patch file from the root directory of the storage medium.

IMPORTANT: Set the file transfer mode to binary mode before using FTP or TFTP to upload or download patch files. Otherwise, patch files cannot be parsed properly.

To load a patch file:
1. Enter system view.
   Command: system-view
2. Load the patch file from the storage medium (CF card) to the patch memory area.
   Command: patch load [ file patch-package ]

Activating patches

Activating a patch changes its state to ACTIVE. An ACTIVE patch runs in memory until a reboot occurs. To have a patch continue to run after a reboot, you must change its state to RUNNING.

To activate patches:
1. Enter system view.
   Command: system-view

2. Activate patches.
   Command: patch active [ patch-number ]

Confirming ACTIVE patches

To have an ACTIVE patch continue to run after a reboot, perform the task in this section. After you confirm an ACTIVE patch, its state changes to RUNNING and persists after a reboot.

To confirm ACTIVE patches:
1. Enter system view.
   Command: system-view
2. Confirm ACTIVE patches.
   Command: patch run [ patch-number ]

Uninstalling a patch step by step

To uninstall a patch in the step-by-step approach, first stop running the patch and then remove it from the patch memory area.

Stopping running patches

When you stop running a patch, the patch state becomes DEACTIVE, and the system runs the way it did before the patch was installed.

To stop running patches:
1. Enter system view.
   Command: system-view
2. Stop running patches.
   Command: patch deactive [ patch-number ]

Removing patches from the patch memory area

After being removed from the patch memory area, a patch is still retained in IDLE state in the storage medium. The system runs the way it did before the patch was installed.

To remove patches from the patch memory area:
1. Enter system view.
   Command: system-view
2. Remove patches from the patch memory area.
   Command: patch delete [ patch-number ]

Displaying and maintaining software upgrade

Task: Display information about the system software image.
Command: display boot-loader [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display information about the patch package.
Command: display patch [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display patch information.
Command: display patch information [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Software upgrade examples

Upgrading the entire system software from the CLI

Network requirement

The current system software version is soft-version1 for the LB module in Figure 90. The latest system software image soft-version2.bin and the latest configuration file new-config.cfg are both saved in cfa0:/aaa on the FTP server. The LB module and the FTP server can reach each other, and the PC and the LB module can reach each other. Upgrade the software version of the LB module to soft-version2 and the configuration file to new-config.

Figure 90 Network diagram (FTP Server, Internet, User running a Telnet and FTP client, LB)

Configuration procedure

1. Configure the FTP server (the configuration varies with server vendors):
# Set the access parameters for the FTP client (including enabling the FTP server function, setting the FTP username to aaa and the password to hello, and assigning the FTP user the right to access the cfa0:/aaa directory).
<FTP-Server> system-view
[FTP-Server] ftp server enable
[FTP-Server] local-user aaa
[FTP-Server-luser-aaa] password cipher hello
[FTP-Server-luser-aaa] service-type ftp
[FTP-Server-luser-aaa] authorization-attribute work-directory cfa0:/aaa
2. Configure the LB module:
# Log in to the FTP server.

<LB> ftp
Trying
Press CTRL+K to abort
Connected to
WFTPD 2.0 service (by Texas Imperial Software) ready for new user
User( :(none)):aaa
331 Give me your password, please
Password:
230 Logged in successfully
# Download new-config.cfg from the FTP server.
[ftp] ascii
[ftp] get new-config.cfg
# Download soft-version2.bin from the FTP server.
[ftp] binary
[ftp] get soft-version2.bin
[ftp] bye
<LB>
# Specify new-config.cfg as the next-startup configuration file.
<LB> startup saved-configuration new-config.cfg
Please wait Done!
# Specify soft-version2.bin as the main startup system software image.
<LB> boot-loader file soft-version2.bin main
# Reboot the LB module to complete the upgrade.
<LB> reboot
3. Use the display version command to verify that the upgrade has succeeded. (Details not shown.)

Installing patches from the CLI

Network requirements

Download a patch file from a TFTP server to fix bugs on the LB module in Figure 91. The LB module and the TFTP server can reach each other.

Figure 91 Network diagram

Configuration procedure

1. Configure the TFTP server:
# Enable the TFTP server function. (Details not shown.)
# Save the patch file patch_hfw.bin to the working directory on the TFTP server. (Details not shown.)
2. Configure the LB module:

# Use the save command to save the running configuration. (Details not shown.)
# Examine the storage medium on the LB module for insufficient space. If the free space is not sufficient for the patches, delete unused files. (Details not shown.)
# Download patch_hfw.bin from the TFTP server to the root directory of the LB module's storage medium.
<LB> tftp get patch_hfw.bin
# Install the patches.
<LB> system-view
[LB] patch install cfa0:
Patches will be installed. Continue? [Y/N]:y
Do you want to continue running patches after reboot? [Y/N]:y
Installing patches...
Installation completed, and patches will continue to run after reboot.
3. Use the display patch information command to verify that the patches have been installed and are running. (Details not shown.)
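The patch state transitions this chapter describes (IDLE on the storage medium, DEACTIVE once loaded, ACTIVE until a reboot, RUNNING across reboots) and the patch_PATCH-FLAG.bin naming rule from the installation prerequisites, as an added Python model. This is illustration code, not HP's code and not part of the guide. Treating the optional patch-number argument as a range (patches 1 through n for patch active and patch run, n through the last patch for patch deactive and patch delete) is an assumption the guide does not state, as is lower-casing the PATCH-FLAG; the version string passed in is constructed input.

```python
"""Patch state model for the patch commands described in this chapter.

Added illustration, not HP code. The guide's stated semantics are modelled
directly: patch load takes patches from IDLE to DEACTIVE, patch active makes
them ACTIVE, patch run makes them RUNNING, ACTIVE patches fall back to
DEACTIVE at a reboot and RUNNING patches survive it. Treating the optional
patch-number argument as a range (1..n for active/run, n..last for
deactive/delete) is an assumption, not something the guide states.
"""
from enum import Enum
from typing import List, Optional


class PatchState(Enum):
    IDLE = "IDLE"          # file on the storage medium, not in patch memory
    DEACTIVE = "DEACTIVE"  # loaded into the patch memory area, not running
    ACTIVE = "ACTIVE"      # running in memory; becomes DEACTIVE at reboot
    RUNNING = "RUNNING"    # confirmed; keeps running after a reboot


def expected_patch_filename(version: str) -> str:
    """Return the patch_PATCH-FLAG.bin name for a Version field value.

    PATCH-FLAG is the first three characters of the Version field shown by
    display patch information. Lower-casing the flag, as in the default
    name patch_hfw.bin, is an assumption.
    """
    if len(version) < 3:
        raise ValueError("Version field too short to derive PATCH-FLAG")
    return f"patch_{version[:3].lower()}.bin"


class PatchMemory:
    """State of each patch in a patch file; patch numbers are 1-based."""

    def __init__(self, patch_count: int) -> None:
        self.states: List[PatchState] = [PatchState.IDLE] * patch_count

    def _targets(self, n: Optional[int], from_start: bool) -> range:
        # Assumption: patch-number selects 1..n (from_start) or n..last.
        last = len(self.states)
        if n is None:
            return range(last)
        if not 1 <= n <= last:
            raise ValueError(f"patch number {n} out of range 1..{last}")
        return range(n) if from_start else range(n - 1, last)

    def _move(self, targets: range, allowed, new: PatchState) -> None:
        # Only patches currently in one of the allowed states change state.
        for i in targets:
            if self.states[i] in allowed:
                self.states[i] = new

    # patch load [ file patch-package ]: IDLE -> DEACTIVE for the whole file
    def load(self) -> None:
        self._move(range(len(self.states)), {PatchState.IDLE}, PatchState.DEACTIVE)

    # patch active [ patch-number ]: DEACTIVE -> ACTIVE
    def active(self, n: Optional[int] = None) -> None:
        self._move(self._targets(n, True), {PatchState.DEACTIVE}, PatchState.ACTIVE)

    # patch run [ patch-number ]: ACTIVE -> RUNNING (survives a reboot)
    def run(self, n: Optional[int] = None) -> None:
        self._move(self._targets(n, True), {PatchState.ACTIVE}, PatchState.RUNNING)

    # patch deactive [ patch-number ]: ACTIVE or RUNNING -> DEACTIVE
    def deactive(self, n: Optional[int] = None) -> None:
        self._move(self._targets(n, False),
                   {PatchState.ACTIVE, PatchState.RUNNING}, PatchState.DEACTIVE)

    # patch delete [ patch-number ]: DEACTIVE -> IDLE (file stays on the medium)
    def delete(self, n: Optional[int] = None) -> None:
        self._move(self._targets(n, False), {PatchState.DEACTIVE}, PatchState.IDLE)

    # patch install: load + active, plus run if the operator answers Y to
    # "Do you want to continue running patches after reboot?"
    def install(self, run_after_reboot: bool) -> None:
        self.load()
        self.active()
        if run_after_reboot:
            self.run()

    # undo patch install: every ACTIVE and RUNNING patch back to IDLE
    def undo_install(self) -> None:
        self._move(range(len(self.states)),
                   {PatchState.ACTIVE, PatchState.RUNNING}, PatchState.IDLE)

    # Reboot: only RUNNING persists; ACTIVE falls back to DEACTIVE
    def reboot(self) -> None:
        self._move(range(len(self.states)), {PatchState.ACTIVE}, PatchState.DEACTIVE)

    def summary(self) -> List[str]:
        return [s.value for s in self.states]


if __name__ == "__main__":
    mem = PatchMemory(3)
    mem.install(run_after_reboot=False)   # answered N at the prompt
    print("after one-step install:", mem.summary())
    mem.reboot()
    print("after reboot:", mem.summary())
    print("expected name:", expected_patch_filename("HFW 1.0"))  # constructed version
```

Running the model shows why the RUNNING state matters for a fix that has to stay in place: a one-step install answered with N, or a step-by-step install that stops at patch active, leaves every patch DEACTIVE after the first reboot, so the vulnerability or bug the patch addressed is back without any change to the configuration. Checking display patch information after a maintenance reboot, as step 3 of the example does, is the way to catch that.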

Managing configuration files

You can use the CLI, Boot menu, or Web interface to manage configuration files. This chapter describes the CLI and Web interface approaches to configuration file management.

Overview

A configuration file saves configurations as a set of text commands. You can save the running configuration to a configuration file so the configuration takes effect after you reboot the device. You can also back up the configuration file onto a host and download the file to the device as needed.

Configuration types

The device has the following types of configurations: factory defaults, startup configuration, and running configuration.

Factory defaults

The device is shipped with some basic settings called "factory defaults." These default settings make sure the device can start up and run normally when it has no configuration file or the configuration file is corrupted. To view the factory defaults of the device, use the display default-configuration command.

Startup configuration

The device uses the startup configuration to configure software features during startup. After the device starts up, you can specify a different configuration file to be loaded at the next startup. This configuration file is called the "next-startup configuration file." The configuration file that has been loaded is called the "current startup configuration file."

You can view the current startup configuration in either of the following ways:
- Execute the display startup command. To view detailed file contents, use the more command.
- After the device reboots, execute the display current-configuration command before making any configuration.

Running configuration

The running configuration is stored in a volatile storage medium and takes effect while the device is operating. It includes startup settings that have not been changed and new settings you have made. A new setting takes effect immediately after it is made but must be saved to a configuration file to survive a reboot.

To view the running configuration, use the display current-configuration command.

Configuration file content organization and format

IMPORTANT: To run on the device, a configuration file must meet the content and format requirements of the device. To avoid any configuration loading problem at startup, use a configuration file created on the device. If you edit the configuration file, make sure all edits are compliant with the requirements of the device.

A configuration file must meet the following requirements:
- All commands are saved in their complete form.
- Commands are sorted in sections by view, typically in this order: system view, interface view, protocol views, and user interface view.
- Sections are separated with one or more blank lines or comment lines that start with a pound sign (#).
- The configuration file ends with the word return.

You can execute the save command to save the running configuration to a configuration file. To make sure that the configuration file can run normally, HP recommends that you not edit the content and format of the configuration file.

Startup with a configuration file

The device selects the configuration file to load at startup, as follows:
1. If you have specified a startup configuration file that already exists on the storage medium, the device starts up with this startup configuration file.
2. If the specified startup configuration file does not exist, the device starts up with the factory defaults.

Managing configuration files in the Web interface

Administrators can save, back up, restore, reset, or import the device configuration.

Saving the running configuration

Guidelines

The save configuration module allows administrators to save the running configuration to the next-startup configuration file (.cfg file or .xml file). Saving the configuration takes some time. Only one administrator can save the configuration at a time. If one administrator saves the configuration while the system is saving the configuration as required by another administrator, the system prompts the second administrator to try later.

This module supports saving the configuration in either of the following two modes: fast or common.

Procedures

To save the configuration in fast mode, click the Save button at the upper right of the auxiliary area.

Figure 92 Saving the configuration

To save the configuration in common mode:
1. Select System > Maintenance from the navigation tree. The Save page appears, as shown in Figure 92.
2. To encrypt the configuration file, select Encrypt the configuration file.
3. Click Apply.

Backing up the next-startup configuration file

Configuration file backup allows administrators to:
- View the next-startup configuration file (including .cfg and .xml files).
- Back up the next-startup configuration file (including .cfg and .xml files) to the PC of the current user.

IMPORTANT: HP recommends backing up both the .cfg and .xml configuration files. If you back up only the .cfg configuration file, some configuration information might not be restored when, for example, the configuration is mistakenly removed.

To back up the next-startup configuration file:
1. Select System > Maintenance from the navigation tree.
2. Click the Backup tab.

Figure 93 Backing up the configuration

3. Click the upper Backup button. A file download dialog box appears.
4. Select to view the .cfg file or to save the file to the local host.
5. Click the lower Backup button.

   A file download dialog box appears.
6. Select to view the .xml file or to save the file to the local host.

Restoring the next-startup configuration file

Configuration restoration allows you to:
- Upload the .cfg file on the host of the administrator to the device for the next startup.
- Upload the .xml file on the host of the administrator to the device for the next startup, and delete the previous .xml configuration file that was used for the next startup.

The restored configuration takes effect at the next startup of the device.

To restore a configuration file:
1. Select System > Maintenance from the navigation tree.
2. Click the Restore tab.

Figure 94 Restoring the configuration file

3. Click one of the Browse buttons to select the configuration file to be used:
   - Click the upper Browse button to select the .cfg file to be used.
   - Click the lower Browse button to select the .xml file to be used.
4. Click Apply.

Resetting the configuration

This operation disables the next-startup configuration file from serving for the next startup, restores the device's factory defaults, and reboots the device.

To reset the next-startup configuration:
1. Select System > Maintenance from the navigation tree.
2. Click the Initialize tab.

Figure 95 Resetting the configuration

3. Click Restore Factory-Default Settings.

Importing a configuration file

IMPORTANT: Do not perform any other operations during the configuration import process.

This operation allows an administrator to import the .cfg file on the local host to the device and execute the configuration in the file. The imported configuration takes effect immediately, but is not automatically saved to the configuration file to be used at the next startup. To use the configuration for the next startup, you must manually save the configuration.

To import a .cfg file:
1. Select System > Maintenance from the navigation tree.
2. Click the Import tab.

Figure 96 Importing the configuration

3. Click Browse.
4. Select the .cfg file to be imported as prompted.
5. Click Apply.

Managing configuration files at the CLI

Saving the running configuration

To make configuration changes take effect at the next startup, save the running configuration to the startup configuration file to be used at the next startup before the device reboots.
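The format rules from "Configuration file content organization and format" (sections separated by blank or # lines, commands in complete form, the file ending with return) and the difference between the running configuration and the next-startup file, as an added Python example. This is illustration code, not HP's code and not from the guide. The two configuration texts are constructed for the example; the check that an unindented view command must follow a separator is inferred from the stated section rule rather than quoted from the guide.

```python
"""Section parser and running-versus-startup drift check for configuration
files in the format this chapter describes (added example, not HP code).

Rules used: sections are separated by blank lines or lines starting with
'#', and the file ends with the word 'return'. Both configurations below
are constructed for the example; the running configuration differs from
the next-startup file in one VTY user-interface setting.
"""
from typing import Dict, List, Tuple

CONSTRUCTED_STARTUP = """\
#
 sysname LB
#
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
#
user-interface vty 0 4
 authentication-mode scheme
#
return
"""

# Same device after an unsaved change that only exists in running memory
CONSTRUCTED_RUNNING = CONSTRUCTED_STARTUP.replace(
    " authentication-mode scheme", " authentication-mode none")


def is_separator(line: str) -> bool:
    """Blank lines and '#' comment lines separate sections."""
    return not line.strip() or line.lstrip().startswith("#")


def check_format(text: str) -> List[str]:
    """Return the format rules the text violates (empty list = acceptable)."""
    problems: List[str] = []
    lines = [l.rstrip() for l in text.splitlines()]
    content = [l for l in lines if not is_separator(l)]
    if not content or content[-1].strip() != "return":
        problems.append("file does not end with the word return")
    # Inferred from the section rule: a view-entering command (unindented)
    # starts a new section, so it must be preceded by a separator line.
    prev_sep = True
    for line in lines:
        if is_separator(line):
            prev_sep = True
            continue
        if not line.startswith(" ") and line.strip() != "return" and not prev_sep:
            problems.append(f"view command '{line}' not separated from the previous section")
        prev_sep = False
    return problems


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Split a configuration into sections keyed by each section's first command."""
    sections: Dict[str, List[str]] = {}
    current: List[str] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.strip() == "return":      # end of file marker
            break
        if is_separator(line):
            if current:
                sections[current[0].strip()] = current
            current = []
            continue
        current.append(line)
    if current:
        sections[current[0].strip()] = current
    return sections


def diff_sections(startup: str, running: str) -> Dict[str, Tuple[List[str], List[str]]]:
    """Sections whose lines differ: key -> (startup lines, running lines).

    A section present in only one file is reported with an empty list on
    the other side.
    """
    a, b = parse_sections(startup), parse_sections(running)
    return {k: (a.get(k, []), b.get(k, []))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


if __name__ == "__main__":
    for name, cfg in (("startup", CONSTRUCTED_STARTUP), ("running", CONSTRUCTED_RUNNING)):
        print(name, "format problems:", check_format(cfg) or "none")
    for key, (old, new) in diff_sections(CONSTRUCTED_STARTUP, CONSTRUCTED_RUNNING).items():
        print(f"unsaved change in section '{key}':")
        print("  next-startup:", old[1:])
        print("  running:     ", new[1:])
```

Feed the outputs of display saved-configuration and display current-configuration (or the backed-up .cfg file and a current export) to diff_sections to get a section-level view of what is in memory but not on the storage medium. A difference means one of two things, both worth a review before the next reboot: a legitimate change that will be lost unless the save command is run, or a change made on the device that nobody intended to keep, as with the VTY authentication-mode line in the constructed sample. check_format is the pre-upload test for a file that was edited off the device, which the chapter advises against.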


More information

Initial Configuration for the Switch

Initial Configuration for the Switch Options for Initial Configuration, page 1 Configuring the Switch Using the Web User Interface, page 1 Configuring the Switch Using the CLI, page 4 Configuring the Switch in the ROMMON Mode, page 12 Options

More information

HP 3600 v2 Switch Series

HP 3600 v2 Switch Series HP 3600 v2 Switch Series Layer 3 - IP Services Configuration Guide Part number: 5998-2351 Software version: Release 2108P01 Document version: 6W100-20131130 Legal and notice information Copyright 2013

More information

Lab - Troubleshooting Standard IPv4 ACL Configuration and Placement Topology

Lab - Troubleshooting Standard IPv4 ACL Configuration and Placement Topology Lab - Troubleshooting Standard IPv4 ACL Configuration and Placement Topology 2016 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 8 Addressing Table Objectives

More information

HP MSR Router Series. Layer 2 LAN Switching Command Reference(V7)

HP MSR Router Series. Layer 2 LAN Switching Command Reference(V7) HP MSR Router Series Layer 2 LAN Switching Command Reference(V7) Part number: 5998-7738b Software version: CMW710-R0304 Document version: 6PW104-20150914 Legal and notice information Copyright 2015 Hewlett-Packard

More information

Using the Cisco NCS Command-Line Interface

Using the Cisco NCS Command-Line Interface CHAPTER 2 This chapter provides helpful tips for understanding and configuring the Cisco Prime Network Control System (NCS) from the command-line interface (CLI). The Cisco NCS can be deployed for small,

More information

Command-Line Interfaces

Command-Line Interfaces CHAPTER 2 This chapter describes the CLIs you use to configure the Catalyst 4500 series switch. This chapter includes the following major sections: Accessing the Switch CLI, page 2-1 Performing Command-Line

More information

HP 6125 Blade Switch Series

HP 6125 Blade Switch Series HP 6125 Blade Switch Series Installation Guide Part number: 5998-3151 Document version: 6W100-20120907 Legal and notice information Copyright 2012 Hewlett-Packard Development Company, L.P. No part of this

More information

HP 3100 v2 Switch Series

HP 3100 v2 Switch Series HP 3100 v2 Switch Series ACL and QoS Configuration Guide HP 3100-8 v2 SI Switch (JG221A) HP 3100-16 v2 SI Switch (JG222A) HP 3100-24 v2 SI Switch (JG223A) HP 3100-8 v2 EI Switch (JD318B) HP 3100-16 v2

More information

HP A5120 EI Switch Series IRF. Command Reference. Abstract

HP A5120 EI Switch Series IRF. Command Reference. Abstract HP A5120 EI Switch Series IRF Command Reference Abstract This document describes the commands and command syntax options available for the HP A Series products. This document is intended for network planners,

More information

Using Cisco IOS Software

Using Cisco IOS Software APPENDIX A This appendix describes the basics about using the Cisco IOS software that is installed on every Cisco ubr905 and Cisco ubr925 cable access routers: Accessing the Command-Line Interface, page

More information

HP 5120 EI Switch Series

HP 5120 EI Switch Series HP 5120 EI Switch Series Layer 3 - IP Routing Configuration Guide Part number: 5998-1793 Software version: Release 2220 Document version: 6W100-20130810 Legal and notice information Copyright 2013 Hewlett-Packard

More information

HP A6600 Routers Network Management and Monitoring. Command Reference. Abstract

HP A6600 Routers Network Management and Monitoring. Command Reference. Abstract HP A6600 Routers Network Management and Monitoring Command Reference Abstract This document describes the commands and command syntax options available for the HP A Series products. This document is intended

More information

HP FlexFabric 5700 Switch Series

HP FlexFabric 5700 Switch Series HP FlexFabric 5700 Switch Series High Availability Configuration Guide Part number: 5998-6680 Software version: Release 2416 Document version: 6W100-20150130 Legal and notice information Copyright 2015

More information

HP 10500/ G Unified Wired-WLAN Module

HP 10500/ G Unified Wired-WLAN Module HP 10500/7500 20G Unified Wired-WLAN Module Fundamentals Configuration Guide Part number: 5998-3914 Software version: 2308P29 (HP 10500/7500 20G Unified Wired-WLAN Module) Document version: 6W102-20131112

More information

HP 5820X & 5800 Switch Series IRF. Command Reference. Abstract

HP 5820X & 5800 Switch Series IRF. Command Reference. Abstract HP 5820X & 5800 Switch Series IRF Command Reference Abstract This document describes the commands and command syntax options available for the HP 5820X & 5800 Series products. This document is intended

More information

CHAPTER 2 ACTIVITY

CHAPTER 2 ACTIVITY CHAPTER 2 ACTIVITY 2.1.1.1 1. CLI stands for 2. GUI stands for 3. Write the step you used to go to CLI interface on Windows 4. The OS, normally loads from a disk drive, into RAM. 5. The portion of the

More information

Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM

Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM Topology Note: ISR G1 devices use FastEthernet interfaces instead of GigabitEthernet interfaces. 2015 Cisco and/or its affiliates. All rights

More information

H3C S5120-EI Switch Series

H3C S5120-EI Switch Series H3C S5120-EI Switch Series Fundamentals Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 2220 Document version: 6W100-20130810 Copyright 2013, Hangzhou

More information

Achieving regulatory compliance with reports from ProCurve PCM, IDM, and NIM

Achieving regulatory compliance with reports from ProCurve PCM, IDM, and NIM An HP ProCurve Networking Application Note Achieving regulatory compliance with reports from ProCurve PCM, IDM, and NIM Contents 1. Introduction... 2 2. Prerequisites... 2 3. Network diagram... 2 4. Instructions

More information

HP High-End Firewalls

HP High-End Firewalls HP High-End Firewalls NAT and ALG Command Reference Part number: 5998-2639 Software version: F1000-E/Firewall module: R3166 F5000-A5: R3206 Document version: 6PW101-20120706 Legal and notice information

More information

WLAN high availability

WLAN high availability Technical white paper WLAN high availability Table of contents Overview... 2 WLAN high availability implementation... 3 Fundamental high availability technologies... 3 AP connection priority... 3 AC selection...

More information

Privilege Level Switching Authentication Technology White Paper

Privilege Level Switching Authentication Technology White Paper Privilege Level Switching Authentication Technology White Paper Keywords: Privilege level switching authentication, RADIUS, HWTACACS Abstract: This document briefly describes the background and implementation

More information

Management Software AT-S79. User s Guide. For use with the AT-GS950/16 and AT-GS950/24 Smart Switches. Version Rev.

Management Software AT-S79. User s Guide. For use with the AT-GS950/16 and AT-GS950/24 Smart Switches. Version Rev. Management Software AT-S79 User s Guide For use with the AT-GS950/16 and AT-GS950/24 Smart Switches Version 1.0.0 613-000207 Rev. A Copyright 2005 Allied Telesyn, Inc. All rights reserved. No part of this

More information

Lab Configuring and Verifying Extended ACLs Topology

Lab Configuring and Verifying Extended ACLs Topology Topology 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 8 Addressing Table Objectives Device Interface IP Address Subnet Mask Default Gateway R1 G0/1 192.168.10.1

More information

ZyWALL 70. Internet Security Appliance. Quick Start Guide Version 3.62 December 2003

ZyWALL 70. Internet Security Appliance. Quick Start Guide Version 3.62 December 2003 ZyWALL 70 Internet Security Appliance Quick Start Guide Version 3.62 December 2003 Introducing the ZyWALL The ZyWALL 70 is the ideal secure gateway for all data passing between the Internet and the LAN.

More information

Configuring Security with Passwords, Privileges, and Logins

Configuring Security with Passwords, Privileges, and Logins Configuring Security with Passwords, Privileges, and Logins Cisco IOS based networking devices provide several features that can be used to implement basic security for CLI sessions using only the operating

More information

Lab Using the CLI to Gather Network Device Information Topology

Lab Using the CLI to Gather Network Device Information Topology Topology Addressing Table Objectives Device Interface IP Address Subnet Mask Default Gateway R1 G0/1 192.168.1.1 255.255.255.0 N/A Lo0 209.165.200.225 255.255.255.224 N/A S1 VLAN 1 192.168.1.11 255.255.255.0

More information

Command-Line Interfaces

Command-Line Interfaces CHAPTER 2 This chapter describes the CLIs you use to configure the Catalyst 4500 series switch. This chapter includes the following major sections: Accessing the Switch CLI, page 2-2 Performing Command-Line

More information

HP MSR Router Series. EVI Configuration Guide(V7) Part number: b Software version: CMW710-R0304 Document version: 6PW

HP MSR Router Series. EVI Configuration Guide(V7) Part number: b Software version: CMW710-R0304 Document version: 6PW HP MSR Router Series EVI Configuration Guide(V7) Part number: 5998-7360b Software version: CMW710-R0304 Document version: 6PW104-20150914 Legal and notice information Copyright 2015 Hewlett-Packard Development

More information

HP 6125G & 6125G/XG Blade Switches

HP 6125G & 6125G/XG Blade Switches HP 6125G & 6125G/XG Blade Switches Layer 2 - LAN Switching Configuration Guide Part number:5998-3155a Software version: Release 2103 and later Document version: 6W102-20141218 Legal and notice information

More information

HP AutoPass License Server

HP AutoPass License Server HP AutoPass License Server Software Version: 9.0 Windows, Linux and CentOS operating systems Support Matrix Document Release Date: October 2015 Software Release Date: October 2015 Page 2 of 10 Legal Notices

More information

24-Port Gigabit with 4 Optional 10G Slots. Layer 3 Managed Stackable Switch XGS Quick Installation Guide

24-Port Gigabit with 4 Optional 10G Slots. Layer 3 Managed Stackable Switch XGS Quick Installation Guide 24-Port Gigabit with 4 Optional 10G Slots Layer 3 Managed Stackable Switch XGS3-24040 Quick Installation Guide Table of Contents 1. Package Content... 3 2. Switch Management... 4 3. Requirements... 5 4.

More information

HP A5820X & A5800 Switch Series Security. Configuration Guide. Abstract

HP A5820X & A5800 Switch Series Security. Configuration Guide. Abstract HP A5820X & A5800 Switch Series Security Configuration Guide Abstract This document describes the software features for the HP A Series products and guides you through the software configuration procedures.

More information

Operation Manual AAA RADIUS HWTACACS H3C S5500-EI Series Ethernet Switches. Table of Contents

Operation Manual AAA RADIUS HWTACACS H3C S5500-EI Series Ethernet Switches. Table of Contents Table of Contents Table of Contents... 1-1 1.1 AAA/RADIUS/HWTACACS Over... 1-1 1.1.1 Introduction to AAA... 1-1 1.1.2 Introduction to RADIUS... 1-3 1.1.3 Introduction to HWTACACS... 1-9 1.1.4 Protocols

More information

Configuring Terminal Settings and Sessions

Configuring Terminal Settings and Sessions This chapter contains the following sections: Information About Terminal Settings and Sessions, page 1 Configuring the Console Port, page 3 Configuring the COM1 Port, page 5 Configuring Virtual Terminals,

More information

HP 3600 v2 Switch Series

HP 3600 v2 Switch Series HP 3600 v2 Switch Series IRF Configuration Guide Part number: 5998-2349a Software version: Release 2108P01 Document version: 6W100-20131130 Legal and notice information Copyright 2013 Hewlett-Packard Development

More information

HP 5120 SI Switch Series

HP 5120 SI Switch Series HP 5120 SI Switch Series Security Configuration Guide Part number: 5998-1815 Software version: Release 1505 Document version: 6W102-20121111 Legal and notice information Copyright 2012 Hewlett-Packard

More information

HP Intelligent Management Center Remote Site Management User Guide

HP Intelligent Management Center Remote Site Management User Guide HP Intelligent Management Center Remote Site Management User Guide Abstract This book provides overview and procedural information for Remote Site Management, an add-on service module to the Intelligent

More information