HP 5500 Ei 5500 Si Switch Series Configuration Guide
Step 11. Specify a command to be automatically executed when a user logs in to the user interfaces.
  Command: auto-execute command command
  Remarks: Optional. By default, no automatically executed command is specified. The command auto-execute function is typically used for redirecting a Telnet user to a specific host. After executing the specified command and performing the incurred task, the system automatically disconnects the Telnet session.

Using the device to log in to a Telnet server

You can use the device as a Telnet client to log in to a Telnet server. If the server is located in a different subnet than the device, make sure the two devices have routes to reach each other.

Figure 16 Telnetting from the device to a Telnet server

To use the device to log in to a Telnet server:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Specify a source IPv4 address or source interface for outgoing Telnet packets.
  Command: telnet client source { interface interface-type interface-number | ip ip-address }
  Remarks: Optional. By default, no source IPv4 address or source interface is specified; the IP address of the outbound interface is used as the source IPv4 address.
Step 3. Exit to user view.
  Command: quit
  Remarks: N/A
Step 4. Use the device to log in to a Telnet server.
  Command (IPv4 Telnet server): telnet remote-host [ service-port ] [ [ vpn-instance vpn-instance-name ] | [ source { interface interface-type interface-number | ip ip-address } ] ]
  Command (IPv6 Telnet server): telnet ipv6 remote-host [ -i interface-type interface-number ] [ port-number ] [ vpn-instance vpn-instance-name ]
  Remarks: Use either command. The vpn-instance vpn-instance-name option is only available on the HP 5500-EI switches.
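The following Comware CLI session is an added example and is not taken from the HP guide. It applies the Telnet client source setting from step 2 together with the auto-execute redirect from step 11 above, and restricts the redirect to a single VTY line. The device name Sysname, the source address 192.0.2.1, the target host 192.0.2.10 and the choice of VTY 4 are assumptions. Lines beginning with # are annotations, not commands. Authentication for the redirected line is configured separately and is not shown here.

```text
# Added example: redirect users of one VTY line to a Telnet host.
# Lines starting with # are annotations, not Comware commands.
# Assumed values: 192.0.2.1 (a local interface address), 192.0.2.10
# (the Telnet server the user is sent to), VTY 4.
<Sysname> system-view
# Source outgoing Telnet packets from a fixed address so that the far-end
# server can filter on it (step 2 above).
[Sysname] telnet client source ip 192.0.2.1
# Keep VTY 0 through 3 for administrators. Apply the redirect to VTY 4 only:
# an auto-execute command on every VTY line would leave no interactive line
# from which the setting could be removed.
[Sysname] user-interface vty 4
[Sysname-ui-vty4] auto-execute command telnet 192.0.2.10
[Sysname-ui-vty4] quit
[Sysname] quit
# Verify the line settings from user view before saving the configuration.
<Sysname> display user-interface vty 4
```

Two points a practitioner should keep in mind: the session to the Telnet host is cleartext, so the redirect is only appropriate on a network path where that traffic cannot be observed; and the switch drops the user's session as soon as the redirected Telnet session ends, so a user on VTY 4 never reaches the switch CLI itself.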
Setting the DSCP value for IP to use for outgoing Telnet packets

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Set the DSCP value for IP to use for outgoing Telnet packets.
  Command (Telnet client running IPv4): telnet client dscp dscp-value
  Command (Telnet client running IPv6): telnet client ipv6 dscp dscp-value
  Command (Telnet server running IPv4): telnet server dscp dscp-value
  Command (Telnet server running IPv6): telnet server ipv6 dscp dscp-value
  Remarks: The defaults are 16 for a Telnet client running IPv4, 0 for a Telnet client running IPv6, 48 for a Telnet server running IPv4, and 0 for a Telnet server running IPv6.

Logging in through SSH

SSH offers a secure approach to remote login. By providing encryption and strong authentication, it protects devices against attacks such as IP spoofing and plaintext password interception. You can log in to the device working as an SSH server for remote management, as shown in Figure 17. You can also use the device as an SSH client to log in to an SSH server.

Figure 17 SSH login diagram

Table 15 shows the SSH server and client configuration required for a successful SSH login.

Table 15 SSH server and client requirements
  SSH server: Assign an IP address to a Layer 3 interface, and make sure the interface and the client can reach each other. Configure the authentication mode and other settings.
  SSH client: If the host operates as an SSH client, run the SSH client program on the host. Obtain the IP address of the Layer 3 interface on the server.

To control SSH access to the device working as an SSH server, configure authentication and user privilege level for SSH users. By default, password authentication is adopted for SSH login, but no login password is configured. To allow SSH access to the device after you enable the SSH server, you must configure a password.
Configuring the SSH server on the device Follow these guidelines when you configure the SSH server:
• To make the command authorization or command accounting function take effect, apply an HWTACACS scheme to the intended ISP domain. This scheme must specify the IP address of the authorization server and other authorization parameters.
• If the local authentication scheme is used, use the authorization-attribute level level command in local user view to set the user privilege level on the device.
• If a RADIUS or HWTACACS authentication scheme is used, set the user privilege level on the RADIUS or HWTACACS server.

The SSH client authentication method is password in this configuration procedure. For more information about SSH and publickey authentication, see Security Configuration Guide.

To configure the SSH server on the device:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Create local key pairs.
  Command: public-key local create { dsa | rsa }
  Remarks: By default, no local key pairs are created.
Step 3. Enable SSH server.
  Command: ssh server enable
  Remarks: By default, SSH server is disabled.
Step 4. Enter one or more VTY user interface views.
  Command: user-interface vty first-number [ last-number ]
  Remarks: N/A
Step 5. Enable scheme authentication.
  Command: authentication-mode scheme
  Remarks: By default, password authentication is enabled on VTY user interfaces.
Step 6. Enable the user interfaces to support Telnet, SSH, or both.
  Command: protocol inbound { all | ssh | telnet }
  Remarks: Optional. By default, both Telnet and SSH are supported.
Step 7. Enable command authorization.
  Command: command authorization
  Remarks: Optional. By default, command authorization is disabled, and the commands available to a user depend only on the user privilege level. If command authorization is enabled, a command is available only if the user has the commensurate user privilege level and is authorized to use the command by the AAA scheme.
Step 8. Enable command accounting.
  Command: command accounting
  Remarks: Optional. By default, command accounting is disabled, and the accounting server does not record the commands executed by users. Command accounting allows the HWTACACS server to record all executed commands that are supported by the device, regardless of the command execution result. This function helps control and monitor user behaviors on the device. If command accounting is enabled and command authorization is not enabled, every executed command is recorded on the HWTACACS server. If both command accounting and command authorization are enabled, only the authorized and executed commands are recorded on the HWTACACS server.
Step 9. Exit to system view.
  Command: quit
  Remarks: N/A
Step 10. Apply an AAA authentication scheme to the intended domain.
  Commands:
    1. Enter the ISP domain view: domain domain-name
    2. Apply the specified AAA scheme to the domain: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
    3. Exit to system view: quit
  Remarks: Optional. For local authentication, configure local user accounts. For RADIUS or HWTACACS authentication, configure the RADIUS or HWTACACS scheme on the device and configure authentication settings (including the username and password) on the server. For more information about AAA configuration, see Security Configuration Guide.
Step 11. Create a local user and enter local user view.
  Command: local-user user-name
  Remarks: By default, no local user exists.
Step 12. Set a password for the local user.
  Command: password { cipher | simple } password
  Remarks: By default, no password is set.
Step 13. Specify the command level of the user.
  Command: authorization-attribute level level
  Remarks: Optional. By default, the command level is 0.
Step 14. Specify SSH service for the user.
  Command: service-type ssh
  Remarks: By default, no service type is specified.
Step 15. Exit to system view.
  Command: quit
  Remarks: N/A
Step 16. Create an SSH user, and specify the authentication mode for the SSH user.
  Command: ssh user username service-type stelnet authentication-type { password | { any | password-publickey | publickey } assign publickey keyname }
  Remarks: By default, no SSH user is created.
Step 17. Configure common settings for VTY user interfaces.
  See Configuring common settings for VTY user interfaces (optional).
  Remarks: Optional.

Using the device as an SSH client to log in to the SSH server

You can use the device as an SSH client to log in to an SSH server. If the server is located in a different subnet than the device, make sure the two devices have routes to reach each other.

Figure 18 Logging in to an SSH server from the device

To use the device as an SSH client to log in to an SSH server, perform the following tasks in user view:

Task: Log in to an IPv4 SSH server.
  Command: ssh2 server
  Remarks: The server argument represents the IPv4 address or host name of the server.
Task: Log in to an IPv6 SSH server.
  Command: ssh2 ipv6 server
  Remarks: The server argument represents the IPv6 address or host name of the server.

To work with the SSH server, you might need to configure the SSH client. For information about configuring the SSH client, see Security Configuration Guide.

Modem dial-in through the console port

You can use a pair of modems to remotely connect to a device through its console port over the PSTN when the IP network connection is broken. To do so, make sure the dial-in connection, the device, and the modems are correctly set up.

By default, you can log in to the device through modems without authentication, and have user privilege level 3. To improve device security, configure AUX login authentication. The following authentication modes are available for modem dial-in through the console port:
• None—Requires no authentication and is insecure.
• Password—Requires a password for accessing the CLI. If the password is lost, log in to the device through the console port to modify the password.
• Scheme—Uses the AAA module to provide local or remote authentication. If the username or password is lost, log in to the device through the console port to modify the setting. If the username or password configured on a remote server is lost, contact the server administrator for help.
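The following Comware CLI session is an added example and is not configuration from the HP guide. It carries the SSH server procedure above (steps 1 through 16, with local authentication) through end to end, closes the default Telnet path on the VTY lines, and then reuses the same ISP domain and local account to put scheme authentication on the AUX line for modem dial-in, replacing the default of unauthenticated level-3 access described in this section. Assumed values: the device name Sysname, management interface Vlan-interface 1 with address 192.0.2.1/24, the default ISP domain system, a local user netadmin with the password shown, and an SSH client target 192.0.2.10. The command service-type terminal, which lets the local user log in on the AUX line, is not among the steps listed on this page. Lines beginning with # are annotations, not commands. Public-key authentication, which the page defers to the Security Configuration Guide, is not shown.

```text
# Added example: SSH-only remote management with local scheme authentication,
# and the same local account reused for modem dial-in on the AUX line.
# Lines starting with # are annotations, not Comware commands.
# Assumed values: Vlan-interface 1 / 192.0.2.1, domain "system",
# user "netadmin", SSH client target 192.0.2.10.
<Sysname> system-view
# Management address the SSH client connects to (Table 15, "SSH server").
[Sysname] interface Vlan-interface 1
[Sysname-Vlan-interface1] ip address 192.0.2.1 255.255.255.0
[Sysname-Vlan-interface1] quit
# Steps 2 and 3: host key pair and SSH service. The key command prompts for
# the modulus length; choose the largest value the prompt allows.
[Sysname] public-key local create rsa
[Sysname] ssh server enable
# Steps 4 to 6: VTY lines authenticate through AAA ("scheme") and accept SSH
# only. "protocol inbound ssh" closes the cleartext Telnet path that the
# default ("all") leaves open.
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] authentication-mode scheme
[Sysname-ui-vty0-4] protocol inbound ssh
[Sysname-ui-vty0-4] quit
# Step 10: the ISP domain authenticates against the local user database.
[Sysname] domain system
[Sysname-isp-system] authentication default local
[Sysname-isp-system] quit
# Steps 11 to 15: local account. "cipher" stores the password as ciphertext
# in the configuration; level 3 is the highest (manage) privilege level.
# "service-type terminal" (assumed, not on this page) is what allows this
# user to log in on the AUX line below.
[Sysname] local-user netadmin
[Sysname-luser-netadmin] password cipher Ex4mplePa55w0rd
[Sysname-luser-netadmin] authorization-attribute level 3
[Sysname-luser-netadmin] service-type ssh
[Sysname-luser-netadmin] service-type terminal
[Sysname-luser-netadmin] quit
# Step 16: SSH user bound to password authentication.
[Sysname] ssh user netadmin service-type stelnet authentication-type password
# Modem dial-in: replace the default on the AUX line (no authentication,
# privilege level 3) with the same AAA scheme, so a dial-in caller faces the
# same account and privilege level as an SSH user.
[Sysname] user-interface aux 0
[Sysname-ui-aux0] authentication-mode scheme
[Sysname-ui-aux0] quit
[Sysname] quit
# Using the switch itself as an SSH client (user view).
<Sysname> ssh2 192.0.2.10
```

Check the result with display ssh server status and display user-interface before saving, and keep a console session open while changing VTY or AUX authentication so that a mistake in the domain or local-user settings cannot lock you out.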
Table 16 Configuration required for different modem login authentication modes
  None: Set the authentication mode to none for the AUX user interface. See Configuring none authentication for modem dial-in.
  Password: Enable password authentication on the AUX user interface. Set a password. See Configuring password authentication for modem dial-in.
  Scheme: Enable scheme authentication on the AUX user interface. Configure local or remote authentication settings. To configure local authentication: 1. Configure a local user and specify the password. 2. Configure the device to use local authentication. To configure remote authentication: 1. Configure the RADIUS or HWTACACS scheme on the device. 2. Configure the username and password on the AAA server. 3. Configure the device to use the scheme for user authentication. See Configuring scheme authentication for modem dial-in.

Setting up the configuration environment

Set up a configuration environment as shown in Figure 19:
1. Connect the serial port of the PC to a modem and the console port of the device to a modem.
2. Connect each modem to the PSTN through a telephone cable.
3. Obtain the telephone number of the modem connected to the device.

Figure 19 Connecting the PC to the device through modems

4. Perform the following configurations on the modem directly connected to the device:
   • AT&F—Restores the factory default.
   • ATS0=1—Configures auto-answer on first ring.
   • AT&D—Ignores Data Terminal Ready signals.
   • AT&K0—Disables local flow control.
   • AT&R1—Ignores Data Flow Control signals.
   • AT&S0—Forces DSR to remain on.
   • ATEQ1&W—Disables the modem from returning command responses and execution results.
   To verify your configuration, enter AT&V to display the configuration results.
NOTE: The configuration commands and output vary by modem. For more information, see the modem user guide.

5. To avoid data loss, verify that the speed of the console port is lower than the transmission rate of the modem, and that the default parity check, stop bits, and data bits settings are used.
6. Launch the terminal emulation program and create a connection by using the telephone number of the modem connected to the device. Figure 20 to Figure 23 show the configuration procedure in Windows XP HyperTerminal.

Figure 20 Creating a connection

Figure 21 Configuring the dialing parameters
NOTE: On Windows Server 2003, you must add the HyperTerminal program first, and then log in to and manage the device as described in this document. On Windows Server 2008, Windows 7, Windows Vista, or some other operating system, obtain a third-party terminal control program first, and follow the user guide or online help of that program to log in to the device.

7. Dial the telephone number to establish a connection to the device.

Figure 22 Dialing the number

The character string CONNECT9600 is displayed on the terminal.

8. Press Enter as prompted.

Figure 23 Configuration page

9. At the default user view prompt, enter commands to configure the device or view the running status of the device. To get help, enter ?.
To disconnect the PC from the device, execute the ATH command in the HyperTerminal. If the command cannot be entered, type the modem escape sequence +++ and then press Enter. When the word OK appears, execute the ATH command. The connection is terminated if OK is displayed. You can also terminate the connection by clicking the Disconnect button in the HyperTerminal window.

IMPORTANT: Do not directly close the HyperTerminal. Doing so can cause some modems to stay in use, and your subsequent dial-in attempts will always fail.

Configuring none authentication for modem dial-in

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter one or more AUX user interface views.
  Command: user-interface aux first-number [ last-number ]
  Remarks: N/A
Step 3. Enable the none authentication mode.
  Command: authentication-mode none
  Remarks: By default, modem users can dial in to the device without authentication.
Step 4. Configure common settings for the AUX user interfaces.
  See Configuring common settings for modem dial-in (optional).
  Remarks: Optional.

The next time you attempt to dial in to the device, you do not need to provide any username or password, as shown in Figure 24.

Figure 24 Dialing in to the device without any authentication

Configuring password authentication for modem dial-in
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter one or more AUX user interface views.
  Command: user-interface aux first-number [ last-number ]
  Remarks: N/A
Step 3. Enable password authentication.
  Command: authentication-mode password
  Remarks: By default, no authentication is performed for modem dial-in users.
Step 4. Set a password.
  Command: set authentication password { cipher | simple } password
  Remarks: By default, no password is set.
Step 5. Configure common settings for the AUX user interfaces.
  For more information, see Configuring common settings for modem dial-in (optional).
  Remarks: Optional.

The next time you attempt to dial in to the device, you must provide the configured login password, as shown in Figure 25.

Figure 25 Password authentication interface for modem dial-in users

Configuring scheme authentication for modem dial-in

Follow these guidelines when you configure scheme authentication for AUX login:
• To make the command authorization or command accounting function take effect, apply an HWTACACS scheme to the intended ISP domain. This scheme must specify the IP address of the authorization server and other authorization parameters.
• If the local authentication scheme is used, use the authorization-attribute level level command in local user view to set the user privilege level on the device.
• If a RADIUS or HWTACACS authentication scheme is used, set the user privilege level on the RADIUS or HWTACACS server.

To configure scheme authentication for modem dial-in users: