HP 5500 Ei 5500 Si Switch Series Configuration Guide

HTTPS login configuration example

Network requirements

As shown in Figure 29, to prevent unauthorized users from accessing the device, configure the device as the HTTPS server and the host as the HTTPS client, and request a certificate for each of them.

Figure 29 Network diagram

Configuration procedure

This example assumes that the CA is named new-ca, runs Windows Server, and is installed with the Simple Certificate Enrollment Protocol (SCEP) add-on. It also assumes that the device, the host, and the CA can reach one another.

1. Configure the device (HTTPS server):

# Configure a PKI entity, setting its common name to http-server1 and its FQDN to ssl.security.com.
<Device> system-view
[Device] pki entity en
[Device-pki-entity-en] common-name http-server1
[Device-pki-entity-en] fqdn ssl.security.com
[Device-pki-entity-en] quit
# Create a PKI domain. Specify the trusted CA as new-ca, the URL of the certificate request server as http://10.1.2.2/certsrv/mscep/mscep.dll, the authority for certificate requests as RA, and the entity for certificate requests as en.
[Device] pki domain 1
[Device-pki-domain-1] ca identifier new-ca
[Device-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll
[Device-pki-domain-1] certificate request from ra
[Device-pki-domain-1] certificate request entity en
[Device-pki-domain-1] quit
# Create RSA local key pairs.
[Device] public-key local create rsa
# Retrieve the CA certificate from the certificate issuing server.
[Device] pki retrieval-certificate ca domain 1
# Request a local certificate for the device from the CA through SCEP.
[Device] pki request-certificate domain 1
# Create SSL server policy myssl, bind PKI domain 1 to the policy, and enable certificate-based SSL client authentication.
[Device] ssl server-policy myssl
[Device-ssl-server-policy-myssl] pki-domain 1
[Device-ssl-server-policy-myssl] client-verify enable
[Device-ssl-server-policy-myssl] quit
# Create certificate attribute group mygroup1 and configure a certificate attribute rule specifying that the distinguished name (DN) in the subject name includes the string new-ca.
[Device] pki certificate attribute-group mygroup1
[Device-pki-cert-attribute-group-mygroup1] attribute 1 issuer-name dn ctn new-ca
[Device-pki-cert-attribute-group-mygroup1] quit
# Create certificate attribute-based access control policy myacp and configure an access control rule specifying that a certificate is considered valid when it matches an attribute rule in certificate attribute group mygroup1.
[Device] pki certificate access-control-policy myacp
[Device-pki-cert-acp-myacp] rule 1 permit mygroup1
[Device-pki-cert-acp-myacp] quit
# Associate the HTTPS service with SSL server policy myssl.
[Device] ip https ssl-server-policy myssl
# Associate the HTTPS service with certificate attribute-based access control policy myacp.
[Device] ip https certificate access-control-policy myacp
# Enable the HTTPS service.
[Device] ip https enable
# Create local user usera with password 123, specify the Web service type, and set the user privilege level to 3. A level-3 user can perform all operations supported by the device.
[Device] local-user usera
[Device-luser-usera] password simple 123
[Device-luser-usera] service-type web
[Device-luser-usera] authorization-attribute level 3

2. Configure the host (HTTPS client):

On the host, run the IE browser, enter http://10.1.2.2/certsrv in the address bar, and request a certificate for the host as prompted.

3. Verify the configuration:

Enter https://10.1.1.1 in the address bar and select the certificate issued by new-ca. When the Web login page of the device appears, enter username usera and password 123 to log in to the Web management page.

For more information about the PKI configuration commands, the SSL configuration commands, and the public-key local create rsa command, see Security Command Reference.
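The following Python script is an added example, not code from the HP guide or from the switch software. It models how the certificate attribute group (mygroup1, attribute 1 issuer-name dn ctn new-ca) and the access control policy (myacp, rule 1 permit mygroup1) configured above decide whether a client certificate is accepted, so that you can see what the ctn (contains) operator does and does not reject. Everything beyond those two commands is an assumption of the model: a certificate matches a group only when it matches every attribute rule in the group, policy rules are tried in order with the first match deciding, a certificate matching no rule is denied, and the nctn operator and all DN strings are constructed for illustration.

```python
"""Model of certificate attribute-group and access-control-policy matching.

Added example; not code from the HP guide or the switch. It models:

    pki certificate attribute-group mygroup1
      attribute 1 issuer-name dn ctn new-ca
    pki certificate access-control-policy myacp
      rule 1 permit mygroup1

Assumptions (not stated in the guide): all attribute rules in a group must
match (AND), policy rules are evaluated in order with first match deciding,
and a certificate that matches no rule is denied. DN strings are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Cert:
    subject_dn: str
    issuer_dn: str


@dataclass(frozen=True)
class AttributeRule:
    field: str  # "issuer-name" or "subject-name": which DN is tested
    op: str     # "ctn": the DN contains the value as a substring
    value: str


def attribute_matches(rule: AttributeRule, cert: Cert) -> bool:
    dn = cert.issuer_dn if rule.field == "issuer-name" else cert.subject_dn
    if rule.op == "ctn":
        return rule.value in dn
    if rule.op == "nctn":  # assumed negated form, illustration only
        return rule.value not in dn
    raise ValueError(f"unsupported operator {rule.op!r}")


def group_matches(group: List[AttributeRule], cert: Cert) -> bool:
    # Assumption: every attribute rule in the group must match.
    return all(attribute_matches(r, cert) for r in group)


def evaluate_policy(policy: List[Tuple[str, str]],
                    groups: Dict[str, List[AttributeRule]],
                    cert: Cert) -> bool:
    """True if the policy accepts the certificate.

    policy is an ordered list of (action, group-name) pairs, one per
    'rule <id> { permit | deny } <group>' line. First match wins; a
    certificate matching no rule is denied (assumption).
    """
    for action, group_name in policy:
        if group_matches(groups[group_name], cert):
            return action == "permit"
    return False


# The guide's configuration, expressed as data.
GROUPS = {"mygroup1": [AttributeRule("issuer-name", "ctn", "new-ca")]}
MYACP = [("permit", "mygroup1")]


def demo() -> Dict[str, bool]:
    """Run the guide's policy against constructed certificates."""
    issued_by_new_ca = Cert("CN=host1,O=security", "CN=new-ca,DC=security,DC=com")
    issued_elsewhere = Cert("CN=host2,O=security", "CN=other-ca,DC=example,DC=com")
    # ctn is a substring test: an issuer whose name merely contains "new-ca"
    # also passes. A longer value (more of the issuer DN) narrows the rule.
    lookalike = Cert("CN=host3,O=security", "CN=renew-ca,DC=example,DC=com")
    tighter = {"mygroup1": [AttributeRule("issuer-name", "ctn", "CN=new-ca,DC=security")]}
    return {
        "issued_by_new_ca": evaluate_policy(MYACP, GROUPS, issued_by_new_ca),
        "issued_elsewhere": evaluate_policy(MYACP, GROUPS, issued_elsewhere),
        "lookalike_issuer": evaluate_policy(MYACP, GROUPS, lookalike),
        "new_ca_with_tighter_rule": evaluate_policy(MYACP, tighter, issued_by_new_ca),
        "lookalike_with_tighter_rule": evaluate_policy(MYACP, tighter, lookalike),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'permit' if accepted else 'deny'}")
```

In this model the rule value new-ca accepts any issuer DN that contains that string, which is what the substring operator is for; when the CA's full DN is known, supplying more of it in the attribute value leaves fewer issuer names that can satisfy the rule.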
Logging in through NMS

You can use an NMS to access the device MIB and perform GET and SET operations to manage and monitor the device. The device supports SNMPv1, SNMPv2c, and SNMPv3, and can work with various network management software products, including IMC. For more information about SNMP, see Network Management and Monitoring Configuration Guide.

By default, SNMP access is disabled. To enable SNMP access, log in to the device through any other method.

Configuring SNMP login

Connect the PC (the NMS) and the device to the network, making sure they can reach each other, as shown in Figure 30.

Figure 30 Network diagram

IMPORTANT:
This document describes only the basic SNMP configuration procedures on the device. To make SNMP work correctly, make sure the SNMP settings (including the SNMP version) on the NMS are consistent with those on the device.

Prerequisites

• Assign an IP address to a Layer 3 interface on the device.
• Configure routes to make sure the NMS and the Layer 3 interface can reach each other.
Configuring SNMPv3 settings

Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Enable the SNMP agent.
Command: snmp-agent
Remarks: Optional. By default, the SNMP agent is disabled. You can enable the SNMP agent with this command or with any command that begins with snmp-agent.

Step 3. Configure an SNMP group and specify its access right.
Command: snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number | acl ipv6 ipv6-acl-number ] *
Remarks: By default, no SNMP group is configured.

Step 4. Add a user to the SNMP group.
Command: snmp-agent usm-user v3 user-name group-name [ [ cipher ] authentication-mode { md5 | sha } auth-password [ privacy-mode { 3des | aes128 | des56 } priv-password ] ] [ acl acl-number | acl ipv6 ipv6-acl-number ] *
Remarks: N/A
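The following Python script is an added example, not code from the HP guide or from the switch software. It shows what the authentication-mode { md5 | sha } auth-password options of the snmp-agent usm-user v3 command ask the agent to do with the password: RFC 3414 (Appendix A.2) turns the password into a key and then localizes that key to the authoritative SNMP engine ID, and the resulting key is what the HMAC-96 authentication parameter of each message is computed with. The password "maplesyrup" and the engine ID 000000000000000000000002 are the RFC 3414 Appendix A.3 test vectors; the second engine ID and the message bytes are constructed, and sha is taken here to mean the SHA-1 based HMAC-SHA-96 that RFC 3414 defines.

```python
"""SNMPv3 USM key derivation behind 'authentication-mode { md5 | sha } auth-password'.

Added example; not code from the HP guide or the switch. Implements the
password-to-key and key-localization steps of RFC 3414 Appendix A.2 and the
12-octet HMAC-96 authentication parameter of RFC 3414 sections 6.3 and 7.3
with the Python standard library only.
"""
import hashlib
import hmac
from typing import Dict

ALGOS = {"md5": "md5", "sha": "sha1"}  # CLI keyword -> hashlib name (sha = SHA-1 in RFC 3414)

# RFC 3414 A.3 test-vector engine ID, and a constructed second engine ID.
ENGINE_A = bytes.fromhex("000000000000000000000002")
ENGINE_B = bytes.fromhex("800000000300aabbccddee")


def password_to_key(password: bytes, algo: str) -> bytes:
    """Step 1 (RFC 3414 A.2): hash the password repeated to 1,048,576 bytes."""
    if not password:
        raise ValueError("empty password")
    stream = (password * (1048576 // len(password) + 1))[:1048576]
    return hashlib.new(ALGOS[algo], stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Step 2 (RFC 3414 A.2): bind the key to the authoritative engine ID."""
    return hashlib.new(ALGOS[algo], ku + engine_id + ku).digest()


def localized_auth_key(password: bytes, engine_id: bytes, algo: str) -> bytes:
    """The key the agent and the NMS must both derive for this user and engine."""
    return localize_key(password_to_key(password, algo), engine_id, algo)


def auth_parameter(key: bytes, whole_msg: bytes, algo: str) -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96: the first 12 octets of the HMAC over the message."""
    return hmac.new(key, whole_msg, ALGOS[algo]).digest()[:12]


def verify_auth_parameter(key: bytes, whole_msg: bytes, algo: str, received: bytes) -> bool:
    """Receiver-side check; constant-time compare avoids a timing side channel."""
    return hmac.compare_digest(auth_parameter(key, whole_msg, algo), received)


def demo() -> Dict[str, object]:
    pw = b"maplesyrup"
    key_a_md5 = localized_auth_key(pw, ENGINE_A, "md5")
    key_a_sha = localized_auth_key(pw, ENGINE_A, "sha")
    # Same user and password, different engine: the localized key differs.
    key_b_md5 = localized_auth_key(pw, ENGINE_B, "md5")
    msg = b"constructed SNMPv3 message bytes"  # constructed stand-in for a wire message
    tag = auth_parameter(key_a_md5, msg, "md5")
    return {
        "md5_key": key_a_md5.hex(),
        "sha_key": key_a_sha.hex(),
        "other_engine_md5_key": key_b_md5.hex(),
        "auth_param_len": len(tag),
        "verified": verify_auth_parameter(key_a_md5, msg, "md5", tag),
        "verified_with_wrong_engine_key": verify_auth_parameter(key_b_md5, msg, "md5", tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the key is localized, the NMS and the agent only compute the same authentication parameter when the username, password, algorithm and the agent's engine ID all agree, which is the reason behind the guide's requirement that the SNMP settings on the NMS be consistent with those on the device. Note that the NMS login example later in this chapter adds the user without authentication-mode, so no such key is derived there; authentication and privacy come only from the options shown in Step 4.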
     
Configuring SNMPv1 or SNMPv2c settings

Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Enable the SNMP agent.
Command: snmp-agent
Remarks: Optional. By default, the SNMP agent is disabled. You can enable the SNMP agent with this command or with any command that begins with snmp-agent.

Step 3. Create or update MIB view information.
Command: snmp-agent mib-view { excluded | included } view-name oid-tree [ mask mask-value ]
Remarks: Optional. By default, the MIB view name is ViewDefault and the OID is 1.

Step 4. Configure the SNMP NMS access right.
Command (approach 1): Specify the SNMP NMS access right directly by configuring an SNMP community:
snmp-agent community { read | write } community-name [ mib-view view-name ] [ acl acl-number | acl ipv6 ipv6-acl-number ] *
Command (approach 2): Configure an SNMP group and add a user to the SNMP group:
a. snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number | acl ipv6 ipv6-acl-number ] *
b. snmp-agent usm-user { v1 | v2c } user-name group-name [ acl acl-number | acl ipv6 ipv6-acl-number ] *
Remarks: Use either approach. The direct configuration approach is for SNMPv1 or SNMPv2c. The community name configured on the NMS should be consistent with the username configured on the agent. The indirect configuration approach is for SNMPv3.
NMS login example

Network requirements

Configure the device and the network management station so that you can remotely manage the device through SNMPv3.

Figure 31 Network diagram

Configuration procedure

1. Configure the device:

# Assign an IP address to the device. Make sure the device and the NMS can reach each other. (Details not shown.)
# Enter system view.
<Sysname> system-view
# Enable the SNMP agent.
[Sysname] snmp-agent
# Configure an SNMP group.
[Sysname] snmp-agent group v3 managev3group
# Add a user to the SNMP group.
[Sysname] snmp-agent usm-user v3 managev3user managev3group

2. Configure the NMS:

Make sure the NMS has the same SNMP settings as the device, including the username. If not, the device cannot be discovered or managed by the NMS.

a. On the PC, launch the browser and enter http://192.168.3.104:8080/imc in the address bar (suppose that the IP address of IMC is 192.168.3.104).
Figure 32 IMC login page
b. Enter the username and password, and then click Login. The IMC homepage appears.
Figure 33 IMC homepage
c. Log in to IMC and configure SNMP settings for IMC to find the switch.
d. After the switch is found, you can manage and maintain the switch through IMC, for example, to query switch information or configure switch parameters.
Controlling user logins

To harden device security, use ACLs to prevent unauthorized logins. For more information about ACLs, see ACL and QoS Configuration Guide.

Controlling Telnet logins

Use a basic ACL (2000 to 2999) to filter Telnet traffic by source IP address. Use an advanced ACL (3000 to 3999) to filter Telnet traffic by source and/or destination IP address. Use an Ethernet frame header ACL (4000 to 4999) to filter Telnet traffic by source MAC address.

To access the device, a Telnet user must match a permit statement in the ACL applied to the user interface.
Configuring source IP-based Telnet login control

Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Create a basic ACL and enter its view, or enter the view of an existing basic ACL.
Command: acl [ ipv6 ] number acl-number [ match-order { config | auto } ]
Remarks: By default, no basic ACL exists.

Step 3. Configure an ACL rule.
Command: rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } | time-range time-name | fragment | logging ] *
Remarks: By default, a basic ACL does not contain any rule.

Step 4. Exit the basic ACL view.
Command: quit
Remarks: N/A

Step 5. Enter user interface view.
Command: user-interface [ type ] first-number [ last-number ]
Remarks: N/A

Step 6. Use the ACL to control user logins by source IP address.
Command: acl [ ipv6 ] acl-number { inbound | outbound }
Remarks:
• inbound: Filters incoming packets.
• outbound: Filters outgoing packets.
Configuring source/destination IP-based Telnet login control

Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Create an advanced ACL and enter its view, or enter the view of an existing advanced ACL.
Command: acl [ ipv6 ] number acl-number [ match-order { config | auto } ]
Remarks: By default, no advanced ACL exists.

Step 3. Configure an ACL rule.
Command: rule [ rule-id ] { permit | deny } rule-string
Remarks: N/A

Step 4. Exit advanced ACL view.
Command: quit
Remarks: N/A

Step 5. Enter user interface view.
Command: user-interface [ type ] first-number [ last-number ]
Remarks: N/A

Step 6. Use the ACL to control user logins by source and destination IP addresses.
Command: acl [ ipv6 ] acl-number { inbound | outbound }
Remarks:
• inbound: Filters incoming packets.
• outbound: Filters outgoing packets.
Configuring source MAC-based Telnet login control

Ethernet frame header ACLs apply to Telnet traffic only if the Telnet client and server are located in the same subnet.

To configure source MAC-based Telnet login control:

Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Create an Ethernet frame header ACL and enter its view.
Command: acl number acl-number [ match-order { config | auto } ]
Remarks: By default, no Ethernet frame header ACL exists.

Step 3. Configure an ACL rule.
Command: rule [ rule-id ] { permit | deny } rule-string
Remarks: N/A

Step 4. Exit Ethernet frame header ACL view.
Command: quit
Remarks: N/A

Step 5. Enter user interface view.
Command: user-interface [ type ] first-number [ last-number ]
Remarks: N/A

Step 6. Use the ACL to control user logins by source MAC address.
Command: acl acl-number inbound
Remarks: inbound: Filters incoming packets.
Telnet login control configuration example

Network requirements

As shown in Figure 34, configure an ACL on the device to permit only incoming Telnet packets sourced from Host A and Host B.

Figure 34 Network diagram

Configuration procedure

# Configure basic ACL 2000. Configure rule 1 to permit packets sourced from Host B and rule 2 to permit packets sourced from Host A.
<Sysname> system-view
[Sysname] acl number 2000 match-order config
[Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[Sysname-acl-basic-2000] rule 2 permit source 10.110.100.46 0
[Sysname-acl-basic-2000] quit
# Reference ACL 2000 in user interface view to allow Telnet users from Host A and Host B to access the device.
[Sysname] user-interface vty 0 15
[Sysname-ui-vty0-15] acl 2000 inbound
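The following Python script is an added example, not code from the HP guide or from the switch software. It models how the basic ACL configured above, applied inbound to the VTY user interfaces, decides whether a Telnet connection from a given source address is allowed, and the same decision applies to a basic ACL referenced from an SNMP community, group or user as in the next section. The two host addresses and the rules are the guide's; everything else is a modelling assumption: a wildcard mask marks "don't care" bits with 1 and the 0 written in the rules is shorthand for 0.0.0.0 (exact host), any matches every address, auto match order tries the rule with the fewest wildcard bits first, and a source that matches no permit rule is refused (the guide states that a Telnet user must match a permit statement). ACL 2001 and the remaining addresses are constructed.

```python
"""Basic ACL matching as used for Telnet and SNMP login control.

Added example; not code from the HP guide or the switch. Models:

    acl number 2000 match-order config
    rule 1 permit source 10.110.100.52 0
    rule 2 permit source 10.110.100.46 0
    user-interface vty 0 15 / acl 2000 inbound

Assumptions: wildcard bit 1 = don't care, "0" = 0.0.0.0, "any" matches all,
'auto' order = fewest wildcard bits first, and no matching permit = refused.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str            # "permit" or "deny"
    source: str = "any"    # dotted source address, or "any"
    wildcard: str = "0"    # wildcard mask; "0" is shorthand for 0.0.0.0


def _wildcard_int(wildcard: str) -> int:
    return 0 if wildcard == "0" else int(ipaddress.IPv4Address(wildcard))


def _specificity(rule: Rule) -> int:
    """Number of don't-care bits; smaller is more specific, 'any' is least."""
    return 32 if rule.source == "any" else bin(_wildcard_int(rule.wildcard)).count("1")


def rule_matches(rule: Rule, src_ip: str) -> bool:
    if rule.source == "any":
        return True
    care = 0xFFFFFFFF ^ _wildcard_int(rule.wildcard)  # bits that must be equal
    src = int(ipaddress.IPv4Address(src_ip))
    base = int(ipaddress.IPv4Address(rule.source))
    return (src & care) == (base & care)


def ordered_rules(rules: List[Rule], match_order: str) -> List[Rule]:
    if match_order == "config":   # configured (rule-id) order
        return sorted(rules, key=lambda r: r.rule_id)
    if match_order == "auto":     # depth-first: most specific rule first
        return sorted(rules, key=lambda r: (_specificity(r), r.rule_id))
    raise ValueError(f"unknown match-order {match_order!r}")


def evaluate(rules: List[Rule], src_ip: str,
             match_order: str = "config") -> Tuple[str, Optional[int]]:
    """Return (action, rule-id) of the first matching rule, or ("deny", None)."""
    for rule in ordered_rules(rules, match_order):
        if rule_matches(rule, src_ip):
            return rule.action, rule.rule_id
    return "deny", None   # nothing permitted the source: login refused


# The guide's ACL 2000: Host B (rule 1) and Host A (rule 2), exact hosts.
ACL_2000 = [Rule(1, "permit", "10.110.100.52"), Rule(2, "permit", "10.110.100.46")]

# Constructed ACL 2001: a subnet permit and a host deny, to show match-order.
ACL_2001 = [Rule(5, "permit", "10.110.100.0", "0.0.0.255"),
            Rule(10, "deny", "10.110.100.99")]


def telnet_allowed(src_ip: str, rules: List[Rule] = ACL_2000,
                   match_order: str = "config") -> bool:
    """Would 'acl <n> inbound' on the VTY lines let this source log in?"""
    return evaluate(rules, src_ip, match_order)[0] == "permit"


if __name__ == "__main__":
    for ip in ("10.110.100.52", "10.110.100.46", "10.110.100.47"):
        print(f"ACL 2000, source {ip}: {evaluate(ACL_2000, ip)}")
    for order in ("config", "auto"):
        print(f"ACL 2001 ({order}), source 10.110.100.99: {evaluate(ACL_2001, '10.110.100.99', order)}")
```

The constructed ACL 2001 shows why the guide's example specifies match-order config explicitly: with config order the subnet permit in rule 5 is tried first and the host deny in rule 10 is never reached, while with auto order the more specific host rule is tried first and wins. Whichever order is used, a source that matches no rule, such as 10.110.100.47 against ACL 2000, is refused.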
Configuring source IP-based SNMP login control

Use a basic ACL (2000 to 2999) to control SNMP logins by source IP address. To access the requested MIB view, an NMS must use a source IP address permitted by the ACL.

Configuration procedure

To configure source IP-based SNMP login control:

Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Create a basic ACL and enter its view, or enter the view of an existing basic ACL.
Command: acl [ ipv6 ] number acl-number [ match-order { config | auto } ]
Remarks: By default, no basic ACL exists.

Step 3. Create an ACL rule.
Command: rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } | time-range time-name | fragment | logging ] *
Remarks: N/A

Step 4. Exit the basic ACL view.
Command: quit
Remarks: N/A

Step 5. Apply the ACL to an SNMP community, group, or user.
Command (one of the following):
• SNMPv1/v2c community: snmp-agent community { read | write } community-name [ mib-view view-name ] [ acl acl-number | acl ipv6 ipv6-acl-number ] *
• SNMPv1/v2c group: snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number | acl ipv6 ipv6-acl-number ] *
• SNMPv3 group: snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number | acl ipv6 ipv6-acl-number ] *
• SNMPv1/v2c user: snmp-agent usm-user { v1 | v2c } user-name group-name [ acl acl-number | acl ipv6 ipv6-acl-number ] *
• SNMPv3 user: snmp-agent usm-user v3 user-name group-name [ [ cipher ] authentication-mode { md5 | sha } auth-password [ privacy-mode { 3des | aes128 | des56 } priv-password ] ] [ acl acl-number | acl ipv6 ipv6-acl-number ] *
Remarks: For more information about SNMP, see Network Management and Monitoring Configuration Guide.
SNMP login control configuration example

Network requirements

As shown in Figure 35, configure the device to allow only NMS users from Host A and Host B to access it.

Figure 35 Network diagram