HP 5500 Ei 5500 Si Switch Series Configuration Guide

    Generating Keys... 
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    +++++++++++++++++++++++++++++++++++
    # Enable the SSH server. 
    [SwitchB] ssh server enable 
    # Enable the SFTP server. 
    [SwitchB] sftp server enable 
    # Configure an IP address for VLAN-interface 1, which the SSH client uses as the destination for 
    SSH connection. 
    [SwitchB] interface vlan-interface 1 
    [SwitchB-Vlan-interface1] ip address 192.168.0.1 255.255.255.0 
    [SwitchB-Vlan-interface1] quit 
    # Set the authentication mode on the user interfaces to AAA.  
    [SwitchB] user-interface vty 0 15 
    [SwitchB-ui-vty0-15] authentication-mode scheme 
    # Set the protocol that a remote user uses to log in as SSH. 
    [SwitchB-ui-vty0-15] protocol inbound ssh 
    [SwitchB-ui-vty0-15] quit 
    # Import the peer public key from the file pubkey.
    [SwitchB] public-key peer Switch001 import sshkey pubkey
    # For user client001, set the service type as SFTP, authentication method as publickey, public key
    as Switch001, and working folder as flash:/.
    [SwitchB] ssh user client001 service-type sftp authentication-type publickey assign publickey Switch001 work-directory flash:/
    3. Establish a connection between the SFTP client and the SFTP server: 
    # Establish a connection to the remote SFTP server and enter SFTP client view.
     sftp 192.168.0.1 identity-key rsa 
    Input Username: client001 
    Trying 192.168.0.1 ... 
    Press CTRL+K to abort 
    Connected to 192.168.0.1 ... 
     
    The Server is not authenticated. Continue? [Y/N]:y 
    Do you want to save the server public key? [Y/N]:n 
     
    sftp-client> 
    # Display files under the current directory of the server, delete the file named z, and check if the file
    has been deleted successfully.
    sftp-client> dir 
    -rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg 
    -rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2 
    -rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey 
    drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new 
    -rwxrwxrwx   1 noone    nogroup       225 Sep 01 06:55 pub 
    -rwxrwxrwx   1 noone    nogroup         0 Sep 01 08:00 z 
    sftp-client> delete z 
    The following File will be deleted:  
    						
    /z 
    Are you sure to delete it? [Y/N]:y 
    This operation might take a long time.Please wait... 
     
    File successfully Removed 
    sftp-client> dir 
    -rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg 
    -rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2 
    -rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey 
    drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new 
    -rwxrwxrwx   1 noone    nogroup       225 Sep 01 06:55 pub 
    # Add a directory named new1 and check if it has been created successfully. 
    sftp-client> mkdir new1 
    New directory created 
    sftp-client> dir 
    -rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg 
    -rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2 
    -rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey 
    drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new 
    -rwxrwxrwx   1 noone    nogroup       225 Sep 01 06:55 pub 
    drwxrwxrwx   1 noone    nogroup         0 Sep 02 06:30 new1 
    # Rename directory new1 to new2 and check if the directory has been renamed successfully.
    sftp-client> rename new1 new2 
    File successfully renamed 
    sftp-client> dir 
    -rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg 
    -rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2 
    -rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey 
    drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new 
    -rwxrwxrwx   1 noone    nogroup       225 Sep 01 06:55 pub 
    drwxrwxrwx   1 noone    nogroup         0 Sep 02 06:33 new2 
    # Download the pubkey2 file from the server and save it as local file public.
    sftp-client> get pubkey2 public 
    Remote  file:/pubkey2 --->  Local file: public 
    Downloading file successfully ended 
    # Upload the local file pu to the server, save it as puk, and check if the file has been uploaded
    successfully.
    sftp-client> put pu puk 
    Local file:pu --->  Remote file: /puk 
    Uploading file successfully ended 
    sftp-client> dir 
    -rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg 
    -rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2 
    -rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey 
    drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new 
    drwxrwxrwx   1 noone    nogroup         0 Sep 02 06:33 new2 
    -rwxrwxrwx   1 noone    nogroup       283 Sep 02 06:35 pub 
    -rwxrwxrwx   1 noone    nogroup       283 Sep 02 06:36 puk  
    						
    sftp-client> 
    # Terminate the connection to the remote SFTP server. 
    sftp-client> quit 
    Bye 
    Connection closed. 
     
    SFTP server configuration example 
    Network requirements 
    As shown in Figure 112, an SSH connection is required between the host and the switch. The host, an
    SFTP client, needs to log in to the switch for file management and file transfer. Use password
    authentication and configure the username client002 and the password aabbcc for the client on the
    switch.
    Figure 112  Network diagram 
     
     
    Configuration procedure 
    1. Configure the SFTP server: 
    # Generate the RSA key pairs. 
     system-view 
    [Switch] public-key local create rsa 
    The range of public key size is (512 ~ 2048). 
    NOTES: If the key modulus is greater than 512, 
    It will take a few minutes. 
    Press CTRL+C to abort. 
    Input the bits of the modulus[default = 1024]: 
    Generating Keys... 
    ++++++++ 
    ++++++++++++++ 
    +++++ 
    ++++++++ 
    # Generate a DSA key pair. 
    [Switch] public-key local create dsa 
    The range of public key size is (512 ~ 2048). 
    NOTES: If the key modulus is greater than 512, 
    It will take a few minutes. 
    Press CTRL+C to abort. 
    Input the bits of the modulus[default = 1024]: 
    Generating Keys... 
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    +++++++++++++++++++++++++++++++++++
    # Enable the SSH server.  
    						
    [Switch] ssh server enable 
    # Enable the SFTP server. 
    [Switch] sftp server enable 
    # Configure an IP address for VLAN-interface 1, which the client will use as the destination for SSH 
    connection. 
    [Switch] interface vlan-interface 1 
    [Switch-Vlan-interface1] ip address 192.168.1.45 255.255.255.0 
    [Switch-Vlan-interface1] quit 
    # Set the authentication mode of the user interfaces to AAA. 
    [Switch] user-interface vty 0 15 
    [Switch-ui-vty0-15] authentication-mode scheme 
    # Enable the user interfaces to support SSH. 
    [Switch-ui-vty0-15] protocol inbound ssh 
    [Switch-ui-vty0-15] quit 
    # Configure a local user named client002 with the password being aabbcc and the service type
    being SSH.
    [Switch] local-user client002 
    [Switch-luser-client002] password simple aabbcc 
    [Switch-luser-client002] service-type ssh 
    [Switch-luser-client002] quit 
    # Configure the user authentication method as  password and service type as SFTP. 
    [Switch] ssh user client002 service-type sftp authentication-type password
    2. Establish a connection between the SFTP client and the SFTP server: 
    The switch supports a variety of SFTP client software. The following example uses PSFTP of PuTTY
    Version 0.58.
     
      NOTE: 
    PSFTP supports only password authentication. 
     
    # Establish a connection to the remote SFTP server. 
    Run psftp.exe to launch the client interface as shown in Figure 113, and enter the following
    command:
    open 192.168.1.45 
    Enter username client002 and password aabbcc as prompted to log in to the SFTP server.
    						
    Figure 113 SFTP client interface 
     
      
    						
    Configuring SCP 
    Overview 
    Secure copy (SCP) is based on SSH2.0 and offers a secure approach to copying files. 
    SCP uses SSH connections for copying files. The switch can act as the SCP server, allowing a user to log 
    in to the switch for file upload and download. The switch can also act as an SCP client, enabling a user 
    to log in from the switch to a remote server for secure file transfer.  
     
     NOTE: 
    When the switch acts as an SCP server, only one FTP, SFTP, or SCP user can access the switch.
    Configuring the switch as an SCP server 
     
    Step / Command / Remarks
    1. Enter system view.
       Command: system-view
       Remarks: N/A
    2. Configure the SSH server.
       Command: For more information, see the security guide for your switch.
       Remarks: N/A
    3. Create an SSH user for an SCP client, set the service type to all or scp, and specify the
       authentication method.
       Command: ssh user username service-type { all | scp } authentication-type { password | { any |
       password-publickey | publickey } assign publickey keyname work-directory directory-name }
       Remarks: N/A
    4. Create a user account and assign a working directory for the SSH user on the switch or a remote
       server if password authentication is used.
       Command:
       • On the remote server (details not shown).
       • On the switch:
         a. local-user
         b. password
         c. service-type ssh
         d. authorization-attribute work-directory directory-name
       Remarks: Skip this step if publickey authentication, whether with password authentication or not,
       is used. Make sure that the local user account has the same name as the username specified in the
       ssh user command.
     
    When you set the working directory for the user, follow these guidelines:
    •  If only password authentication is used, the working directory specified in the ssh user command
    does not take effect. You must set the working directory on the remote server or in the local user
    account for the SSH user.
    •  If publickey authentication, whether with password authentication or not, is used, you must set the
    working directory in the ssh user command.
    Configuring the switch as the SCP client 
    To upload or download files to or from an SCP server:   
    						
    Step / Command / Remarks
    1. Upload a file to an SCP server.
       Command (use one of the commands; available in user view):
       • Upload a file to the IPv4 SCP server:
         scp server [ port-number ] put source-file-path [ destination-file-path ]
         [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } |
         prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } |
         prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } |
         prefer-stoc-cipher { 3des | aes128 | des } |
         prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *
       • Upload a file to the IPv6 SCP server:
         scp ipv6 server [ port-number ] put source-file-path [ destination-file-path ]
         [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } |
         prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } |
         prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } |
         prefer-stoc-cipher { 3des | aes128 | des } |
         prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *
       Remarks: Use one of the commands. Available in user view.
    2. Download a file from an SCP server.
       Command (use one of the commands; available in user view):
       • Download a file from the remote IPv4 SCP server:
         scp server [ port-number ] get source-file-path [ destination-file-path ]
         [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } |
         prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } |
         prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } |
         prefer-stoc-cipher { 3des | aes128 | des } |
         prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *
       • Download a file from the remote IPv6 SCP server:
         scp ipv6 server [ port-number ] get source-file-path [ destination-file-path ]
         [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } |
         prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } |
         prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } |
         prefer-stoc-cipher { 3des | aes128 | des } |
         prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *
       Remarks: Use one of the commands. Available in user view.
     
     IMPORTANT: 
    File transfer interruption during a downloading process can result in file fragments on the switch. You must
    manually delete them.
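The scp client syntax in the table above is easy to mistype, and several of the selectable algorithms (des, 3des, md5, dh-group1) are ones a reviewer would not want preferred in a saved script. The following is an added example, not HP code: a small parser for that syntax plus an audit helper; the weak-algorithm list is an assumed local policy, not something the guide states.

```python
"""Parser and audit helper for the Comware `scp` client command syntax shown
in the table above. Added example, not HP code."""

# Keyword -> permitted values, transcribed from the command syntax table.
OPTION_VALUES = {
    "identity-key": {"dsa", "rsa"},
    "prefer-ctos-cipher": {"3des", "aes128", "des"},
    "prefer-stoc-cipher": {"3des", "aes128", "des"},
    "prefer-ctos-hmac": {"md5", "md5-96", "sha1", "sha1-96"},
    "prefer-stoc-hmac": {"md5", "md5-96", "sha1", "sha1-96"},
    "prefer-kex": {"dh-group-exchange", "dh-group1", "dh-group14"},
}

# Assumed review policy (not from the guide): values flagged when preferred.
WEAK_VALUES = {"des", "3des", "md5", "md5-96", "dh-group1"}


def parse_scp_command(cmd):
    """Split `scp [ipv6] server [port] {put|get} src [dst] [options]*`."""
    tokens = cmd.split()
    if not tokens or tokens[0] != "scp":
        raise ValueError("not an scp command")
    i, ipv6 = 1, False
    if i < len(tokens) and tokens[i] == "ipv6":
        ipv6, i = True, i + 1
    if i >= len(tokens):
        raise ValueError("missing server")
    server, i = tokens[i], i + 1
    port = None
    if i < len(tokens) and tokens[i].isdigit():  # optional port-number
        port, i = int(tokens[i]), i + 1
    if i >= len(tokens) or tokens[i] not in ("put", "get"):
        raise ValueError("expected put or get")
    action, i = tokens[i], i + 1
    if i >= len(tokens) or tokens[i] in OPTION_VALUES:
        raise ValueError("missing source-file-path")
    source, i = tokens[i], i + 1
    dest = None
    if i < len(tokens) and tokens[i] not in OPTION_VALUES:  # optional dst
        dest, i = tokens[i], i + 1
    options = {}
    while i < len(tokens):  # trailing `[ keyword value | ... ] *` pairs
        key = tokens[i]
        if key not in OPTION_VALUES:
            raise ValueError(f"unknown keyword {key!r}")
        if i + 1 >= len(tokens) or tokens[i + 1] not in OPTION_VALUES[key]:
            raise ValueError(f"bad or missing value for {key}")
        options[key], i = tokens[i + 1], i + 2
    return {"ipv6": ipv6, "server": server, "port": port, "action": action,
            "source": source, "dest": dest, "options": options}


def audit_scp_command(cmd):
    """Return a list of findings (empty list means nothing flagged)."""
    parsed = parse_scp_command(cmd)
    findings = []
    for key, value in parsed["options"].items():
        if value in WEAK_VALUES:
            findings.append(f"{key} {value}: weak algorithm preferred")
    return findings
```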
    SCP client configuration example 
    Network requirements 
    As shown in Figure 114, Switch A acts as a client and downloads the file remote.bin from Switch B. The user
    has the username test and uses the password authentication method.
    Figure 114  Network diagram 
     
     
    Configuration procedure 
    # Create VLAN-interface 1 and assign an IP address to it.  
    						
     system-view 
    [SwitchA] interface vlan-interface 1 
    [SwitchA-Vlan-interface1] ip address 192.168.0.2 255.255.255.0 
    [SwitchA-Vlan-interface1] quit 
    # Download the file remote.bin from the SCP server, save it locally, and change the file name to local.bin.
     scp 192.168.0.1 get remote.bin local.bin 
    Username: test 
    Trying 192.168.0.1 ... 
    Press CTRL+K to abort 
    Connected to 192.168.0.1 ... 
     
    The Server is not authenticated. Continue? [Y/N]:y 
    Do you want to save the server public key? [Y/N]:n 
    Enter password: 
    18471 bytes transfered in 0.001 seconds. 
    SCP server configuration example 
    Network requirements 
    As shown in Figure 115, the switch acts as the SCP server, and the host acts as the SCP client. The host
    establishes an SSH connection to the switch. The user uses the username test and the password aabbcc.
    The username and password are saved on the switch for local authentication.
    Figure 115  Network diagram 
     
     
    Configuration procedure 
    # Generate the RSA key pairs. 
     system-view 
    [Switch] public-key local create rsa 
    The range of public key size is (512 ~ 2048). 
    NOTES: If the key modulus is greater than 512, 
    It will take a few minutes. 
    Press CTRL+C to abort. 
    Input the bits of the modulus[default = 1024]: 
    Generating Keys... 
    ++++++++ 
    ++++++++++++++ 
    +++++ 
    ++++++++ 
    # Generate the DSA key pair.  
    [Switch] public-key local create dsa 
    The range of public key size is (512 ~ 2048). 
    NOTES: If the key modulus is greater than 512,  
    						
    It will take a few minutes. 
    Press CTRL+C to abort. 
    Input the bits of the modulus[default = 1024]: 
    Generating Keys... 
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    +++++++++++++++++++++++++++++++++++
    # Enable the SSH server function. 
    [Switch] ssh server enable 
    # Configure an IP address for VLAN-interface 1, which the client will use as the destination for SSH 
    connection.  
    [Switch] interface vlan-interface 1 
    [Switch-Vlan-interface1] ip address 192.168.1.45 255.255.255.0 
    [Switch-Vlan-interface1] quit 
    # Set the authentication mode of the user interfaces to AAA. 
    [Switch] user-interface vty 0 15 
    [Switch-ui-vty0-15] authentication-mode scheme 
    # Enable the user interfaces to support all protocols including SSH. 
    [Switch-ui-vty0-15] protocol inbound all 
    [Switch-ui-vty0-15] quit 
    # Create a local user named test. 
    [Switch] local-user test 
    [Switch-luser-test] password simple aabbcc 
    [Switch-luser-test] service-type ssh 
    [Switch-luser-test] quit 
    # Configure the SSH user authentication method as password and service type as scp.
    [Switch] ssh user test service-type scp authentication-type password   
    						
    Configuring SSL 
    Overview 
    Secure Sockets Layer (SSL) is a security protocol that provides secure connection services for TCP-based 
    application layer protocols such as Hypertext Transfer Protocol (HTTP). It is widely used in e-business and
    online banking to ensure secure data transmission over the Internet.
    SSL security mechanism 
    Secure connections provided by SSL have these features: 
    •   Confidentiality—SSL uses a symmetric encryption algorithm to encrypt data and uses the
    asymmetric key algorithm of Rivest, Shamir, and Adleman (RSA) to encrypt the key to be used by the
    symmetric encryption algorithm.
    •   Authentication—SSL supports certificate-based identity authentication of the server and client by
    using digital signatures. The SSL server and client obtain certificates from a certificate authority
    (CA) through the Public Key Infrastructure (PKI).
    •   Reliability—SSL uses a key-based message authentication code (MAC) to verify message integrity.
    A MAC algorithm transforms a message of any length into a fixed-length value. With the key, the
    sender uses the MAC algorithm to compute the MAC value of a message. Then the sender suffixes
    the MAC value to the message and sends the result to the receiver. The receiver uses the same key
    and MAC algorithm to compute the MAC value of the received message, and compares the locally
    computed MAC value with the received one. If the two values match, the receiver considers the
    message intact; otherwise, the receiver considers that the message has been tampered with in
    transit and discards the message.
    Figure 116  Message integrity verification by a MAC algorithm 
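The sender/receiver MAC procedure described above, as an added example that is not from the guide: the sender suffixes a keyed MAC to the message, the receiver recomputes it over the message part and discards the packet on mismatch. It uses HMAC from the Python standard library; the optional truncation to 96 bits mirrors the sha1-96 and md5-96 variants listed in the scp command options, and the key and message are constructed sample values.

```python
"""Keyed-MAC message integrity check (sender suffixes tag, receiver verifies).
Added example, not HP code; HMAC stands in for the MAC algorithm in the figure."""
import hashlib
import hmac


def mac_append(key, message, hash_name="sha1", tag_bits=None):
    """Sender side: compute MAC(key, message) and append it to the message.
    tag_bits truncates the tag, e.g. 96 for the sha1-96 / md5-96 variants."""
    tag = hmac.new(key, message, hash_name).digest()
    if tag_bits is not None:
        tag = tag[: tag_bits // 8]
    return message + tag


def mac_verify(key, packet, hash_name="sha1", tag_bits=None):
    """Receiver side: split off the tag, recompute it over the message part and
    compare. Returns the message if intact, otherwise None (packet is
    treated as tampered with in transit and discarded)."""
    tag_len = hashlib.new(hash_name).digest_size
    if tag_bits is not None:
        tag_len = tag_bits // 8
    if len(packet) < tag_len:
        return None  # too short to even carry a complete tag
    message, tag = packet[:-tag_len], packet[-tag_len:]
    expected = hmac.new(key, message, hash_name).digest()[:tag_len]
    # compare_digest runs in constant time, so timing does not reveal
    # how many leading bytes of a forged tag happened to be right.
    if hmac.compare_digest(expected, tag):
        return message
    return None


def flip_bit(packet, byte_index, bit):
    """Simulate one bit of in-transit corruption (constructed, for the demo)."""
    out = bytearray(packet)
    out[byte_index] ^= 1 << bit
    return bytes(out)


if __name__ == "__main__":
    key = b"constructed-shared-key"  # constructed sample key, not a real secret
    packet = mac_append(key, b"config.cfg contents", "sha1", 96)
    print(mac_verify(key, packet, "sha1", 96))                    # intact
    print(mac_verify(key, flip_bit(packet, 0, 0), "sha1", 96))    # None
```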
     
     
    For more information about symmetric key algorithms, asymmetric key algorithm RSA and digital
    signature, see Managing public keys.
    For more information about PKI, certificate, and CA, see Configuring PKI.
    SSL protocol stack 
    The SSL protocol consists of two layers of protocols: the SSL record protocol at the lower layer and the SSL
    handshake protocol, change cipher spec protocol, and alert protocol at the upper layer.
    						