
HP 5500 Ei 5500 Si Switch Series Configuration Guide

    							 50 
    Displaying and maintaining information center 
     
    •   Display information about information channels: 
        display channel [ channel-number | channel-name ] [ | { begin | exclude | include } regular-expression ] 
        (available in any view) 
    •   Display information about each output destination: 
        display info-center [ | { begin | exclude | include } regular-expression ] 
        (available in any view) 
    •   Display the state of the log buffer and the log information recorded: 
        display logbuffer [ reverse ] [ level severity | size buffersize | slot slot-number ] * [ | { begin | exclude | include } regular-expression ] 
        (available in any view) 
    •   Display a summary of the log buffer: 
        display logbuffer summary [ level severity | slot slot-number ] * [ | { begin | exclude | include } regular-expression ] 
        (available in any view) 
    •   Display the state of the trap buffer and the trap information recorded: 
        display trapbuffer [ reverse ] [ size buffersize ] [ | { begin | exclude | include } regular-expression ] 
        (available in any view) 
    •   Reset the log buffer: 
        reset logbuffer 
        (available in user view) 
    •   Reset the trap buffer: 
        reset trapbuffer 
        (available in user view) 
     
    Information center configuration examples 
    Outputting log information to a UNIX log host 
    Network requirements 
    Configure the device to send ARP and IP log information that has a severity level of at least informational 
    to the UNIX log host at 1.2.0.1/16. 
    Figure 18 Network diagram 
     
     
    Configuration procedure 
    Before the configuration, make sure that the device and the log host can reach each other.  
    1. Configure the device: 
    # Enable the information center. 
     system-view 
    [Sysname] info-center enable 
    # Specify the host 1.2.0.1/16 as the log host. Use channel  loghost to output log information 
    (optional,  loghost by default), and use  local4 as the logging facility. 
    [Sysname] info-center loghost 1.2.0.1 channel loghost facility local4 
    # Disable the output of log, trap, and debugging information of all modules on channel loghost. 
    [Sysname] info-center source default channel loghost debug state off log state off trap state off 
    To avoid outputting unnecessary information, disable the output of log, trap, and debugging 
    information on the specified channel (loghost in this example) before you configure an output rule. 
    # Configure an output rule to output to the log host ARP and IP log information that has a severity 
    level of at least informational. (The source modules that are allowed to output information depend 
    on the switch model.) 
    [Sysname] info-center source arp channel loghost log level informational state on 
    [Sysname] info-center source ip channel loghost log level informational state on 
    2.  Configure the log host: 
    The following configurations were performed on  SunOS 4.0 which has similar configurations to 
    the UNIX operating systems implemented by other vendors. 
    a.  Log in to the log host as a root user. 
    b. Create a subdirectory named  Device in directory  /var/log/, and then create file  info.log in the 
    Device  directory to save logs from  Device. 
    # mkdir /var/log/Device 
    # touch /var/log/Device/info.log 
    c. Edit the file  /etc/syslog.conf  and add the following contents. 
    # Device configuration messages 
    local4.info    /var/log/Device/info.log 
    In this configuration,  local4 is the name of the logging facility  that the log host uses to receive 
    logs. info  is the information level. The UNIX system records the log information that has a 
    severity of at least  informational to the file  /var/log/Device/info.log . 
     
     NOTE: 
    Be aware of the following issues while editing the file  /etc/syslog.conf: 
    •   Comments must be on a separate line and must begin with a pound sign (#). 
    •   No redundant spaces are allowed after the file name. 
    •   The logging facility name and the information level specified in the  /etc/syslog.conf file must be 
    identical to those configured on the device using the  info-center loghost  and info-center source  
    commands. Otherwise the log information might not be output properly to the log host. 
     
    d.  Make the modified configuration take effect. If syslogd is already running with the -r option 
    (which it needs in order to accept log messages from the network), sending it SIGHUP makes it 
    reread /etc/syslog.conf without stopping it: 
    # ps -ae | grep syslogd 
    147 
    # kill -HUP 147 
    If syslogd was started without -r, a reload is not enough: stop the process and restart it with -r. 
    # kill 147 
    # syslogd -r & 
    Now, the system can record log information into the log file. 
    Outputting log information to a Linux log host 
    Network requirements 
    Configure the device to send log information that has a severity level of at least informational to the Linux 
    log host at 1.2.0.1/16.  
    Figure 19 Network diagram 
     
     
    Configuration procedure 
    Before the configuration, make sure that the device and the PC can reach each other. 
    1. Configure the device: 
    # Enable the information center. 
     system-view 
    [Sysname] info-center enable 
    # Specify the host 1.2.0.1/16 as the log host. Use the channel  loghost to output log information 
    (optional,  loghost by default), and use  local5 as the logging facility. 
    [Sysname] info-center loghost 1.2.0.1 channel loghost facility local5 
    # Disable the output of log, trap, and debugging information of all modules on channel loghost. 
    [Sysname] info-center source default channel loghost debug state off log state off trap state off 
    To avoid outputting unnecessary information, disable the output of log, trap, and debugging 
    information on the specified channel (loghost in this example) before you configure an output rule. 
    # Configure an output rule to output to the log host the log information that has a severity level of 
    at least informational. 
    [Sysname] info-center source default channel loghost log level informational state on 
    2. Configure the log host: 
    a. Log in to the log host as a root user. 
    b. Create a subdirectory named  Device in directory  /var/log/, and create file  info.log in the 
    Device  directory to save logs of  Device. 
    # mkdir /var/log/Device 
    # touch /var/log/Device/info.log 
    c. Edit the file  /etc/syslog.conf  and add the following contents. 
    # Device configuration messages 
    local5.info    /var/log/Device/info.log 
    In this configuration, local5 is the name of the logging facility that the log host uses to receive logs. 
    The information level is info. The Linux system records the log information that has a severity level 
    of at least informational to the file /var/log/Device/info.log. 
     
     NOTE: 
    Be aware of the following issues while editing the file  /etc/syslog.conf: 
    •   Comments must be on a separate line and must begin with a pound sign (#). 
    •   No redundant spaces are allowed after the file name. 
    •   The logging facility name and the information level specified in the  /etc/syslog.conf file must be 
    identical to those configured on the device using the  info-center loghost  and info-center source  
    commands. Otherwise the log information may not be output properly to the log host. 
     
    d.  Display the process ID of syslogd, stop the syslogd process, and restart syslogd with the -r 
    option so that the modified configuration takes effect and syslogd accepts messages from the network. 
    # ps -ae | grep syslogd 
    147 
    # kill -9 147 
    # syslogd -r & 
    Make sure that the syslogd process is started with the -r option on the Linux log host. Be aware 
    that -r makes syslogd accept datagrams on UDP port 514 from any source, and that this classic 
    syslog transport carries no sender authentication or encryption, so anyone who can reach the port 
    can inject log lines; limit the port to the device's address with a host firewall. A plain kill 147 
    (SIGTERM) is preferable to kill -9, since it lets syslogd close its log files cleanly. On current 
    Linux distributions that ship rsyslog or syslog-ng instead of sysklogd, network reception is enabled 
    in their configuration files rather than with -r. 
    Now, the system can record log information into the log file. 
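    Both the UNIX and the Linux example depend on the facility chosen with info-center loghost and the 
    severity threshold chosen with info-center source matching the selector line in /etc/syslog.conf. 
    The following Python is an added example, not code from the HP guide or from any syslog 
    implementation: it encodes the PRI value a device sends, parses it back on the receiving side, and 
    applies syslog.conf-style selectors such as local4.info, so the mismatch that the NOTE warns about 
    can be seen dropping messages. The datagram bodies, the rule list, and the path are constructed for 
    the example. 

```python
"""Added example (not from the HP guide): how the facility chosen with
'info-center loghost ... facility localN' and the threshold chosen with
'info-center source ... log level informational' are encoded in the syslog
PRI field, and how a syslog.conf selector such as 'local4.info' matches them.
All datagrams below are constructed for the example."""
import re

# RFC 3164 facility and severity codes, keyed by the names syslog.conf uses.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
# Comware level names used by 'info-center source ... log level <name>';
# they sit on the same 0..7 scale (informational == info == 6).
COMWARE_LEVELS = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notification": 5, "informational": 6, "debugging": 7,
}
_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def encode_pri(facility: str, severity: int) -> int:
    """PRI = facility * 8 + severity, the number inside <...> at the start of a message."""
    if not 0 <= severity <= 7:
        raise ValueError("severity must be 0..7")
    return FACILITIES[facility] * 8 + severity


def build_datagram(facility: str, comware_level: str, body: str) -> bytes:
    """Datagram a device using the given facility would send for a log of the
    given Comware severity (header simplified to PRI + body for the example)."""
    pri = encode_pri(facility, COMWARE_LEVELS[comware_level])
    return f"<{pri}>{body}".encode()


def parse_datagram(data: bytes):
    """Return (facility_code, severity_code, body), or None if the PRI is malformed.
    The sender is unauthenticated, so the receiver validates rather than trusting."""
    match = _PRI_RE.match(data.decode("utf-8", errors="replace"))
    if match is None:
        return None
    pri = int(match.group(1))
    if pri > 23 * 8 + 7:          # highest defined facility is local7 (23)
        return None
    return pri // 8, pri % 8, match.group(2)


def selector_matches(selector: str, facility_code: int, severity_code: int) -> bool:
    """Evaluate a syslog.conf selector: '<facility>.<level>' matches that facility
    at <level> or more severe (a lower code); '*' is any facility; 'none' matches nothing."""
    facility, level = selector.split(".", 1)
    if level == "none":
        return False
    if facility != "*" and FACILITIES[facility] != facility_code:
        return False
    return severity_code <= SEVERITIES[level]


def route(datagrams, rules):
    """Apply syslog.conf rules [(selector, path), ...] to received datagrams.
    Returns ({path: [bodies written there]}, [items no rule matched])."""
    written = {path: [] for _, path in rules}
    unmatched = []
    for datagram in datagrams:
        parsed = parse_datagram(datagram)
        if parsed is None:
            unmatched.append(datagram)
            continue
        facility_code, severity_code, body = parsed
        hit = False
        for selector, path in rules:
            if selector_matches(selector, facility_code, severity_code):
                written[path].append(body)
                hit = True
        if not hit:
            unmatched.append(body)
    return written, unmatched


# The rule from the UNIX example's /etc/syslog.conf.
RULES = [("local4.info", "/var/log/Device/info.log")]

# Constructed traffic: a correctly configured switch (local4, informational),
# a switch left on facility local5 (the mismatch the NOTE warns about), a
# debugging-level message that the 'info' threshold must exclude, and junk.
SAMPLE = [
    build_datagram("local4", "informational", "Sysname ARP/6/EXAMPLE: constructed ARP log"),
    build_datagram("local5", "informational", "Sysname IP/6/EXAMPLE: wrong facility"),
    build_datagram("local4", "debugging", "Sysname IP/7/EXAMPLE: below threshold"),
    b"<999>not a valid PRI",
]

if __name__ == "__main__":
    written, unmatched = route(SAMPLE, RULES)
    for path, bodies in written.items():
        print(path, bodies)
    print("unmatched:", unmatched)
```

    Only the first sample line reaches /var/log/Device/info.log; the local5 message is what a host 
    configured for local4 silently discards when the facilities disagree, which is exactly the 
    symptom the NOTE describes. 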
    Outputting log information to the console  
    Network requirements 
    Configure the device to send ARP and IP log information that has a severity level of at least informational 
    to the console. 
    Figure 20  Network diagram 
     
     
    Configuration procedure 
    # Enable the information center. 
     system-view 
    [Sysname] info-center enable 
    # Use channel console to output log information to the console. (This step is optional because it is the 
    default setting). 
    [Sysname] info-center console channel console 
    # Disable the output of log, trap, and debugging information of all modules on channel console. 
    [Sysname] info-center source default channel console debug state off log state off trap state off 
    To avoid outputting unnecessary information, disable the output of log, trap, and debugging information 
    of all modules on the specified channel (console in this example), and then configure the output rule as 
    needed. 
    # Configure an output rule to output to the console ARP and IP log information that has a severity level 
    of at least informational. (The source modules that are allowed to output information depend on the 
    switch model.) 
    [Sysname] info-center source arp channel console log level informational state on 
    [Sysname] info-center source ip channel console log level informational state on 
    [Sysname] quit 
    # Enable the display of log information on a terminal . (Optional, this function is enabled by default.) 
     terminal monitor 
    Info: Current terminal monitor is on. 
     terminal logging 
    Info: Current terminal logging is on.  
    Now, if the ARP and IP modules generate log information, the information center automatically sends the 
    log information to the console. 
    Saving security logs into the security log file 
    Network requirements 
    •   Save security logs into the security log file  Flash:/securitylog/seclog.log every one hour. 
    •   Only the security log administrator can view the contents of the security log file. No other user 
    can view, copy, or rename the security log file. 
    Figure 21  Network diagram 
     
     
     
    Configuration considerations 
    The configuration in this example includes two parts: 
    1.  Log in to the device as the system administrator: 
    •   Enable saving the security logs into the security log file and set the saving interval to one hour. 
    •   Create a local user seclog with the password 123123123123, and authorize this user as the 
    security log administrator. That is, use the authorization-attribute command to set the user 
    privilege level to 3 and specify the user role as security audit. In addition, specify the service 
    types that the user can use by using service-type. 
    •   Set the authentication mode to scheme for users logging in to the device, so that only a local 
    user that has passed AAA local authentication can view and perform operations on the security 
    log file. 
    2.  Log in to the device as the security log administrator: 
    •   Set the directory for saving the security log file to Flash:/securitylog, so that the file is 
    Flash:/securitylog/seclog.log. 
    •   View the contents of the security log file to learn the security status of the device. 
    Configuration procedure 
    1. Configuration performed by the system administrator: 
    # Enable saving security logs into the security log file and set the saving interval to one hour. 
     system-view 
    (Figure 21 elements: System administrator on the console; Device with addresses 1.1.1.1/24 and 
    192.168.1.1/24; IP network; Security log administrator; FTP server 192.168.1.2/24.) 
    [Sysname] info-center security-logfile enable 
    [Sysname] info-center security-logfile frequency 3600 
    # Create a local user seclog, and configure the password for the user as 123123123123. (The value 
    is an example only; use a strong password in practice. The simple keyword stores the password in 
    plain text in the configuration file, so anyone who can read the configuration can read it.) 
    [Sysname] local-user seclog 
    New local user added. 
    [Sysname-luser-seclog] password simple 123123123123 
    # Authorize the user to manage the security log file. 
    [Sysname-luser-seclog] authorization-attribute level 3 user-role security-audit 
    # Authorize the user to use SSH, Telnet, and terminal services. 
    [Sysname-luser-seclog] service-type ssh telnet terminal 
    [Sysname-luser-seclog] quit 
    # According to the network plan, the user logs in to the device through SSH or Telnet, so configure 
    the authentication mode of the VTY user interface as scheme. 
    [Sysname] display user-interface vty ? 
      INTEGER Specify one user terminal interface 
    The output shows that the device supports sixteen VTY user interfaces, which are numbered 0 
    through 15. 
    [Sysname] user-interface vty 0 15 
    [Sysname-ui-vty0-15] authentication-mode scheme 
    [Sysname-ui-vty0-15] quit 
    2. Configuration performed by the security log administrator: 
    # Log in to the device as user seclog. (The example uses Telnet, which sends the username and 
    password in clear text; SSH, which this user is also authorized for, is the safer choice.) 
    C:/> telnet 1.1.1.1 
    ****************************************************************************** 
    * Copyright (c) 2010-2012 Hewlett-Packard Development Company, L.P.          * 
    * Without the owners prior written consent,                                  * 
    * no decompiling or reverse-engineering shall be allowed.                    * 
    ****************************************************************************** 
     
     
    Login authentication 
     
     
    Username:seclog 
    Password: 
     
    # Display the summary of the security log file. 
     display security-logfile summary 
      Security-log is enabled. 
      Security-log file size quota: 1MB 
      Security-log file directory: flash:/seclog 
      Alarm-threshold: 80% 
      Current usage: 0% 
      Writing frequency: 1 hour 0 min 0 sec 
    The output shows that the directory for saving the security log file is flash:/seclog. 
    # Change the directory where the security log file is saved to Flash:/securitylog. 
     mkdir securitylog 
    %Created dir flash:/securitylog. 
     info-center security-logfile switch-directory flash:/securitylog/ 
    # Display the contents of the security log file buffer. 
     display security-logfile buffer 
    %@175 Nov  2 17:02:53:766 2011 Sysname SHELL/4/LOGOUT: 
     Trap 1.3.6.1.4.1.25506.2.2.1.1.3.0.2: logout from Console 
    %@176 Nov  2 17:02:53:766 2011 Sysname SHELL/5/SHELL_LOGOUT:Console logged out from aux0. 
    The content of other logs is not shown. 
    The preceding information indicates that there is still new content in the buffer that has not been 
    saved into the security log file. 
    # Manually save the contents of the security  log file buffer into the security log file. 
     security-logfile save 
    Info: Save all the contents in the security log buffer into file 
    flash:/securitylog/seclog.log successfully. 
    # Display the contents of the security log file. 
     more securitylog/seclog.log 
    %@157 Nov  2 16:12:01:750 2011 Sysname SHELL/4/LOGIN: 
     Trap 1.3.6.1.4.1.25506.2.2.1.1.3.0.1: login from Console 
    %@158 Nov  2 16:12:01:750 2011 Sysname SHELL/5/SHELL_LOGIN:Console logged in from aux0. 
    The content of other logs is not shown.   
    Configuring SNMP 
    This chapter provides an overview of the Simple Network Management Protocol (SNMP) and guides you 
    through the configuration procedure. 
    Overview 
    SNMP is an Internet standard protocol widely used for a management station to access and operate the 
    devices on a network, regardless of their vendors, physical characteristics and interconnect technologies. 
    SNMP enables network administrators to read and set the variables on managed devices for state 
    monitoring, troubleshooting, statistics collection, and other management purposes. 
    SNMP framework 
    The SNMP framework comprises the following elements: 
    •   SNMP manager—Works on an NMS to monitor and manage the SNMP-capable devices in the 
    network. 
    •   SNMP agent—Works on a managed device to receive and handle requests from the NMS, and 
    send traps to the NMS when some events, such as an interface state change, occur. 
    •   Management Information Base (MIB)—Specifies the variables (for example, interface status and 
    CPU usage) maintained by the SNMP agent for the SNMP manager to read and set. 
    Figure 22  Relationship between an NMS, agent and MIB 
     
     
    MIB and view-based MIB access control 
    A MIB stores variables called nodes or objects in a tree hierarchy and identifies each node with a 
    unique OID. An OID is a string of numbers that describes the path from the root node to a leaf node. For 
    example, object B in Figure 23 is uniquely identified by the OID {1.2.1.1}. 
    Figure 23  MIB tree 
     
    A MIB view represents a set of MIB objects (or MIB object hierarchies) with certain access privilege and 
    is identified by a view name. The MIB objects included in the MIB view are accessible while those 
    excluded from the MIB view are inaccessible.  
    A MIB view can have multiple view records each identified by a  view-name oid-tree pair. 
    You control access to the MIB by assigning MIB views to SNMP groups or communities. 
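    The following Python is an added illustration, not code from the HP guide or from the switch 
    software: it models the access decision a MIB view makes. Each view record is an included or 
    excluded subtree with an optional mask, and an OID is accessible only if the best-matching record 
    is an included one. The matching and precedence rules used here are those of the view-based access 
    control model in RFC 3415 (mask bits select exact-match or wildcard sub-identifiers; the most 
    specific matching subtree wins); that a given switch release follows every detail of that model is 
    an assumption to check against its command reference. The view names, records and OIDs are 
    constructed for the example. 

```python
"""Added example (not from the HP guide): the access decision behind
'snmp-agent mib-view { included | excluded } view-name oid-tree [ mask mask-value ]',
modelled on the view-family rules of RFC 3415 (VACM). Whether a particular
switch release follows every detail of that model is an assumption to verify;
the view records and OIDs below are constructed for the example."""


def parse_oid(text: str) -> tuple:
    """'1.3.6.1.2.1' -> (1, 3, 6, 1, 2, 1)."""
    return tuple(int(part) for part in text.strip(".").split("."))


def mask_bits(mask_hex: str, length: int) -> list:
    """Expand a hex mask ('ffa0' or 'ff:a0') into one bit per sub-identifier.
    Bit 1 means the sub-identifier must match exactly, 0 means wildcard; bits
    beyond the end of a short mask count as 1 (RFC 3415 semantics)."""
    raw = bytes.fromhex(mask_hex.replace(":", "").replace(" ", ""))
    bits = [(byte >> shift) & 1 for byte in raw for shift in range(7, -1, -1)]
    bits = bits[:length]
    return bits + [1] * (length - len(bits))


class MibView:
    """A named view: a list of (subtree, mask bits, included?) records."""

    def __init__(self, name: str):
        self.name = name
        self.records = []

    def add(self, included: bool, oid_tree: str, mask: str = None) -> None:
        subtree = parse_oid(oid_tree)
        bits = mask_bits(mask, len(subtree)) if mask else [1] * len(subtree)
        # Re-specifying the same subtree replaces the earlier record
        # (the guide: "the last configuration takes effect").
        self.records = [r for r in self.records if r[0] != subtree]
        self.records.append((subtree, bits, included))

    def _matches(self, subtree, bits, oid) -> bool:
        if len(subtree) > len(oid):
            return False
        return all(bit == 0 or sub == node
                   for sub, bit, node in zip(subtree, bits, oid))

    def allows(self, oid_text: str) -> bool:
        """True if the OID is accessible. Among the records whose subtree
        matches, the one with the most sub-identifiers wins; on a tie the
        lexicographically greatest subtree wins. No match means no access."""
        oid = parse_oid(oid_text)
        best = None
        for subtree, bits, included in self.records:
            if self._matches(subtree, bits, oid):
                key = (len(subtree), subtree)
                if best is None or key > best[0]:
                    best = (key, included)
        return best is not None and best[1]


def demo_views():
    """Two constructed views: 'mgmt' opens the whole tree (like ViewDefault,
    OID 1) but hides the USM MIB subtree 1.3.6.1.6.3.15, and 'if3' uses a
    mask to expose only row 3 of the ifTable (every ifEntry column, index 3)."""
    mgmt = MibView("mgmt")
    mgmt.add(True, "1")
    mgmt.add(False, "1.3.6.1.6.3.15")

    # Subtree 1.3.6.1.2.1.2.2.1.0.3 with mask ffa0: bits 1..9 fixed, bit 10
    # (the column) wildcard, bit 11 (the row index) fixed at 3.
    if3 = MibView("if3")
    if3.add(True, "1.3.6.1.2.1.2.2.1.0.3", "ffa0")
    return mgmt, if3


if __name__ == "__main__":
    mgmt, if3 = demo_views()
    for view, oid in [(mgmt, "1.3.6.1.2.1.1.5.0"), (mgmt, "1.3.6.1.6.3.15.1.2.2.1.3"),
                      (if3, "1.3.6.1.2.1.2.2.1.2.3"), (if3, "1.3.6.1.2.1.2.2.1.2.4")]:
        print(view.name, oid, "accessible" if view.allows(oid) else "denied")
```

    The if3 view shows why the mask matters: without it, a record for 1.3.6.1.2.1.2.2.1 would expose 
    every interface row, whereas the wildcard on the column sub-identifier and the fixed row index 
    restrict a community or group to one interface's counters. 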
    SNMP operations 
    SNMP provides the following basic operations: 
    •   Get—The NMS retrieves SNMP object nodes in an agent MIB. 
    •   Set—The NMS modifies the value of an object node in an agent MIB. 
    •   Notifications —Includes traps and informs. SNMP agent sends traps or informs to report events to 
    the NMS. The difference between these two types of notification is that informs require 
    acknowledgement but traps do not. The device supports only traps. 
    SNMP protocol versions 
    HP supports SNMPv1, SNMPv2c, and SNMPv3. An NMS and an SNMP agent must use the same 
    SNMP version to communicate with each other. 
    •   SNMPv1—Uses community names for authentication. To access an SNMP agent, an NMS must use 
    the same community name as set on the SNMP agent. If the community name used by the NMS is 
    different from that set on the agent, the NMS cannot establish an SNMP session to access the agent 
    or receive traps from the agent. 
    •   SNMPv2c—Uses community names for authentication. SNMPv2c is compatible with SNMPv1, but 
    supports more operation modes, data types, and error codes. 
    •   SNMPv3—Uses a user-based security model (USM) to secure SNMP communication. You can 
    configure authentication and privacy mechanisms to authenticate and encrypt SNMP packets for 
    integrity, authenticity, and confidentiality. 
    In SNMPv1 and SNMPv2c the community name is carried in clear text in every packet and is the only 
    access control, so anyone who can capture or guess it gains that community's access. Prefer SNMPv3 
    with both authentication and privacy, and restrict the agent to known managers with an ACL where 
    the command accepts one. 
    SNMP configuration task list 
     
    Task Remarks 
    Configuring SNMP basic parameters  Required 
    Switching the NM-specific interface index Optional 
    Configuring SNMP logging  Optional 
    Configuring SNMP traps Optional 
     
    Configuring SNMP basic parameters 
    SNMPv3 differs from SNMPv1 and SNMPv2c in many ways. Their configuration procedures are 
    described in separate sections. 
    Configuring SNMPv3 basic parameters   
    1.  Enter system view. 
        Command: system-view 
        Remarks: N/A 
    2.  Enable the SNMP agent. 
        Command: snmp-agent 
        Remarks: Optional. By default, the SNMP agent is disabled. You can also enable the SNMP agent by 
        using any command that begins with snmp-agent except the snmp-agent calculate-password and 
        snmp-agent ifmib long-ifindex enable commands. 
    3.  Configure system information for the SNMP agent. 
        Command: snmp-agent sys-info { contact sys-contact | location sys-location | version { all | { v1 | v2c | v3 }* } } 
        Remarks: Optional. By default, the contact information is Hewlett-Packard Development Company, L.P., 
        the location information is null, and the protocol version is SNMPv3. 
    4.  Configure the local engine ID. 
        Command: snmp-agent local-engineid engineid 
        Remarks: Optional. The default local engine ID is the company ID plus the device ID. After you change 
        the local engine ID, the existing SNMPv3 users become invalid, and you must re-create the SNMPv3 users. 
    5.  Create or update a MIB view. 
        Command: snmp-agent mib-view { excluded | included } view-name oid-tree [ mask mask-value ] 
        Remarks: Optional. By default, the MIB view ViewDefault is predefined and its OID is 1. Each 
        view-name oid-tree pair represents a view record. If you specify the same record with different MIB 
        subtree masks multiple times, the last configuration takes effect. Except the four subtrees in the 
        default MIB view, you can create up to 16 unique MIB view records. 
    6.  Configure an SNMPv3 group. 
        Command: snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number | acl ipv6 ipv6-acl-number ] * 
        Remarks: By default, no SNMP group exists. If you specify neither authentication nor privacy, the 
        group accepts requests that are neither authenticated nor encrypted (noAuthNoPriv); privacy 
        implies authentication as well. 
    7.  Convert a plaintext key to a ciphertext (encrypted) key. 
        Command: snmp-agent calculate-password plain-password mode { 3desmd5 | 3dessha | md5 | sha } { local-engineid | specified-engineid engineid } 
        Remarks: Optional.  