
HP 5500 Ei 5500 Si Switch Series Configuration Guide

    Establishing a connection between the SSH client and server

    Task: Establish a connection between the SSH client and the server, and specify the public key algorithm, preferred encryption algorithm, preferred HMAC algorithm and preferred key exchange algorithm.
    Command:
    • For an IPv4 server:
      ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *
    • For an IPv6 server:
      ssh2 ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *
    Remarks: Use either command in user view. Only the HP 5500 EI switches support the vpn-instance vpn-instance-name option.
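
    The ssh2 syntax above still accepts single DES, MD5-based HMACs and dh-group1. The following lint for ssh2 command lines is an added example, not part of the HP guide; the function name audit_ssh2, the sample commands and the choice of which values count as weak are this example's assumptions.

```python
# Keyword -> allowed values, copied from the ssh2 syntax in the table above.
CIPHERS = {"3des", "aes128", "des"}
HMACS = {"md5", "md5-96", "sha1", "sha1-96"}
OPTIONS = {
    "identity-key": {"dsa", "rsa"},
    "prefer-ctos-cipher": CIPHERS, "prefer-stoc-cipher": CIPHERS,
    "prefer-ctos-hmac": HMACS, "prefer-stoc-hmac": HMACS,
    "prefer-kex": {"dh-group-exchange", "dh-group1", "dh-group14"},
}
# Assessment made for this example, not by the manual: 56-bit DES,
# MD5-based HMACs and the 1024-bit dh-group1 exchange are flagged.
WEAK = {"des", "md5", "md5-96", "dh-group1"}

def audit_ssh2(command):
    """Return a list of findings for one ssh2 command line."""
    tokens = command.split()
    if not tokens or tokens[0] != "ssh2":
        raise ValueError("not an ssh2 command")
    findings, seen, i = [], set(), 1
    while i < len(tokens):
        key = tokens[i]
        if key == "vpn-instance":        # skip the instance name as well
            i += 2
        elif key in OPTIONS:
            value = tokens[i + 1] if i + 1 < len(tokens) else None
            seen.add(key)
            if value not in OPTIONS[key]:
                findings.append(f"{key}: {value!r} is not a documented value")
            elif value in WEAK:
                findings.append(f"{key}: {value} is weak or deprecated")
            i += 2
        else:                            # ipv6 keyword, server address, port
            i += 1
    # Algorithm preferences left out fall back to whatever the device picks.
    for key in sorted(OPTIONS.keys() - seen - {"identity-key"}):
        findings.append(f"{key}: not pinned, device default applies")
    return findings

# Constructed sample commands; the address is the one this guide's examples use.
WEAK_CMD = "ssh2 192.168.1.40 prefer-kex dh-group1 prefer-ctos-cipher des prefer-stoc-hmac md5"
PINNED_CMD = ("ssh2 192.168.1.40 prefer-kex dh-group14 "
              "prefer-ctos-cipher aes128 prefer-stoc-cipher aes128 "
              "prefer-ctos-hmac sha1 prefer-stoc-hmac sha1")

if __name__ == "__main__":
    for cmd in (WEAK_CMD, PINNED_CMD):
        print(cmd)
        for finding in audit_ssh2(cmd) or ["no findings"]:
            print("   ", finding)
```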
     
     
    Setting the DSCP value for packets sent by the SSH client

    Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

    Step 2. Set the DSCP value for packets sent by the SSH client.
    Command:
    • Set the DSCP value for packets sent by the IPv4 SSH client:
      ssh client dscp dscp-value
    • Set the DSCP value for packets sent by the IPv6 SSH client:
      ssh client ipv6 dscp dscp-value
    Remarks: Optional. By default, the DSCP value is 16 in packets sent by the IPv4 SSH client and is 0 in packets sent by the IPv6 SSH client.
     
    Displaying and maintaining SSH

    Task: Display the source IP address or interface set for the SFTP client.
    Command: display sftp client source [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view

    Task: Display the source IP address or interface information on an SSH client.
    Command: display ssh client source [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view

    Task: Display SSH server status information or session information on an SSH server.
    Command: display ssh server { status | session } [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view

    Task: Display the mappings between SSH servers and their host public keys on an SSH client.
    Command: display ssh server-info [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view

    Task: Display information about SSH users on an SSH server.
    Command: display ssh user-information [ username ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view

    Task: Display the public keys of the local key pairs.
    Command: display public-key local { dsa | rsa } public [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view

    Task: Display the public keys of the SSH peers.
    Command: display public-key peer [ brief | name publickey-name ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view

    For more information about the display public-key local and display public-key peer commands, see
    Security Command Reference.
    SSH server configuration examples 
    When the switch acts as a server for password authentication 
    Network requirements 
    As shown in Figure 101, a host (the SSH client) and a switch (the SSH server) are directly connected.
    Configure an SSH user on the switch so that the host can securely log in to the switch after passing 
    password authentication. Configure a username and password for the user on the switch. 
    Figure 101  Network diagram 
     
     
    Configuration procedure 
    1. Configure the SSH server: 
    # Generate the RSA key pairs. 
    <Switch> system-view
    [Switch] public-key local create rsa 
    The range of public key size is (512 ~ 2048). 
    NOTES: If the key modulus is greater than 512, 
    It will take a few minutes. 
    Press CTRL+C to abort. 
    Input the bits of the modulus[default = 1024]: 
    Generating Keys...
    ++++++++ 
    ++++++++++++++ 
    +++++ 
    ++++++++ 
    # Generate a DSA key pair. 
    [Switch] public-key local create dsa 
    The range of public key size is (512 ~ 2048). 
    NOTES: If the key modulus is greater than 512, 
    It will take a few minutes. 
    Press CTRL+C to abort. 
    Input the bits of the modulus[default = 1024]: 
    Generating Keys... 
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\
    ++++++++ 
    +++++++++++++++++++++++++++++++++++ 
    # Enable the SSH server. 
    [Switch] ssh server enable 
    # Configure an IP address for VLAN-interface 1. This address will serve as the destination of the 
    SSH connection. 
    [Switch] interface vlan-interface 1 
    [Switch-Vlan-interface1] ip address 192.168.1.40 255.255.255.0 
    [Switch-Vlan-interface1] quit 
    # Set the authentication mode for the user interfaces to AAA. 
    [Switch] user-interface vty 0 15 
    [Switch-ui-vty0-15] authentication-mode scheme 
    # Enable the user interfaces to support SSH. 
    [Switch-ui-vty0-15] protocol inbound ssh 
    [Switch-ui-vty0-15] quit 
    # Create local user client001, and set the user command privilege level to 3.
    [Switch] local-user client001 
    [Switch-luser-client001] password simple aabbcc 
    [Switch-luser-client001] service-type ssh 
    [Switch-luser-client001] authorization-attribute level 3 
    [Switch-luser-client001] quit 
    # Specify the service type for user client001 as stelnet, and the authentication method as password.
    This step is optional.
    [Switch] ssh user client001 service-type stelnet authentication-type password
    2. Establish a connection between the SSH client and the SSH server:
    The switch supports a variety of SSH client software, such as PuTTY and OpenSSH. The following
    example uses PuTTY Version 0.58.
    # Establish a connection to the SSH server.
    Launch PuTTY.exe to enter the following interface. In the Host Name (or IP address) text box, enter
    the IP address of the server (192.168.1.40).
    Figure 102 Specifying the host name (or IP address)

    Click Open to connect to the server. If the connection is normal, you will be prompted to enter the
    username and password. After entering the username (client001) and password (aabbcc), you can
    enter the configuration interface of the server.
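
    The server-side steps above can be checked mechanically from a saved CLI transcript. The following is an added example, not part of the HP guide: the function name audit_transcript and the constructed transcript are assumptions, and it reports a missing ssh server enable, VTY views lacking authentication-mode scheme or protocol inbound ssh, and local users whose password was entered with the simple keyword.

```python
import re

# Constructed transcript in the style of the procedure above.
SAMPLE = """\
[Switch] ssh server enable
[Switch] user-interface vty 0 15
[Switch-ui-vty0-15] authentication-mode scheme
[Switch-ui-vty0-15] protocol inbound ssh
[Switch-ui-vty0-15] quit
[Switch] local-user client001
[Switch-luser-client001] password simple aabbcc
[Switch-luser-client001] service-type ssh
[Switch-luser-client001] quit
"""

# "[view] command" lines; anything else (key-generation output, "#" remarks) is skipped.
PROMPT = re.compile(r"^\[(?P<view>[^\]]+)\]\s+(?P<cmd>.+)$")

def audit_transcript(text):
    """Return findings for an SSH-server setup transcript."""
    server_enabled = False
    vty = {}            # VTY view name -> commands entered in that view
    findings = []
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        view, cmd = m.group("view"), " ".join(m.group("cmd").split())
        if cmd == "ssh server enable":
            server_enabled = True
        elif "-ui-vty" in view:
            vty.setdefault(view, set()).add(cmd)
        elif "-luser-" in view and cmd.startswith("password simple "):
            user = view.split("-luser-", 1)[1]
            findings.append(f"{user}: password entered with the 'simple' keyword")
    if not server_enabled:
        findings.append("ssh server enable is missing")
    if not vty:
        findings.append("no VTY user interface was configured")
    for view, cmds in sorted(vty.items()):
        for required in ("authentication-mode scheme", "protocol inbound ssh"):
            if required not in cmds:
                findings.append(f"{view}: {required} is missing")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_transcript(SAMPLE)))
```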
    When the switch acts as a server for publickey authentication 
    Network requirements 
    As shown in Figure 103, a host (the SSH client) and a switch (the SSH server) are directly connected.
    Configure an SSH user on the switch so that the host can securely log in to the switch after passing 
    publickey authentication. Use the RSA public key algorithm. 
    Figure 103  Network diagram 
     
     
    Configuration procedure

    IMPORTANT:
    During SSH server configuration, the client public key is required. Use the client software to
    generate RSA key pairs on the client before configuring the SSH server.
    1. Configure the SSH client: 
    # Generate the RSA key pairs. 
    Run PuTTYGen.exe, select SSH-2 RSA and click Generate.
    Figure 104 Generating the key pair on the client

    When the generator is generating the key pair, you must move the mouse continuously and keep
    the mouse off the green progress bar shown in Figure 105. Otherwise, the progress bar stops
    moving and the key pair generating process will be stopped.
    Figure 105 Generating process

    After the key pair is generated, click Save public key and specify the file name as key.pub to save
    the public key.
    Figure 106 Saving the key pair on the client

    Likewise, to save the private key, click Save private key. A warning window pops up to prompt
    you whether to save the private key without any protection. Click Yes and enter the name of the file
    for saving the key (private.ppk in this case).
    Then, transmit the public key file to the server through FTP or TFTP.
    2. Configure the SSH server: 
    # Generate the RSA key pairs. 
    <Switch> system-view
    [Switch] public-key local create rsa 
    The range of public key size is (512 ~ 2048). 
    NOTES: If the key modulus is greater than 512, 
    It will take a few minutes. 
    Press CTRL+C to abort. 
    Input the bits of the modulus[default = 1024]: 
    Generating Keys... 
    ++++++++ 
    ++++++++++++++ 
    +++++ 
    ++++++++ 
    # Generate a DSA key pair. 
    [Switch] public-key local create dsa 
    The range of public key size is (512 ~ 2048). 
    NOTES: If the key modulus is greater than 512, 
    It will take a few minutes. 
    Press CTRL+C to abort. 
    Input the bits of the modulus[default = 1024]: 
    Generating Keys... 
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\
    ++++++++ 
    +++++++++++++++++++++++++++++++++++ 
    # Enable the SSH server. 
    [Switch] ssh server enable 
    # Configure an IP address for VLAN-interface 1. This address will serve as the destination of the 
    SSH connection. 
    [Switch] interface vlan-interface 1 
    [Switch-Vlan-interface1] ip address 192.168.1.40 255.255.255.0 
    [Switch-Vlan-interface1] quit 
    # Set the authentication mode for the user interfaces to AAA. 
    [Switch] user-interface vty 0 15 
    [Switch-ui-vty0-15] authentication-mode scheme 
    # Enable the user interfaces to support SSH. 
    [Switch-ui-vty0-15] protocol inbound ssh 
    # Set the user command privilege level to 3. 
    [Switch-ui-vty0-15] user privilege level 3 
    [Switch-ui-vty0-15] quit 
    # Import the client’s public key from file key.pub and name it Switch001.
    [Switch] public-key peer Switch001 import sshkey key.pub
    # Specify the authentication method for user client002 as publickey, and assign the public key
    Switch001 to the user.
    [Switch] ssh user client002 service-type stelnet authentication-type publickey assign publickey Switch001
    3. Establish a connection between the SSH client and the SSH server:
    # Specify the private key file and establish a connection to the SSH server.
    Launch PuTTY.exe to enter the following interface. In the Host Name (or IP address) text box, enter
    the IP address of the server (192.168.1.40).
    Figure 107 Specifying the host name (or IP address)

    Select Connection > SSH > Auth from the navigation tree. The following window appears. Click
    Browse… to bring up the file selection window, navigate to the private key file (private.ppk) and
    click OK.
    Figure 108 Specifying the private key file

    Click Open to connect to the server. If the connection is normal, you will be prompted to enter the
    username. After entering the username (client002), you can enter the configuration interface of the
    server.
    SSH client configuration examples 
    When switch acts as client for password authentication 
    Network requirements 
    As shown in Figure 109, Switch A (the SSH client) must pass password authentication to log in to Switch
    B (the SSH server) through the SSH protocol. Configure the username client001 and the password aabbcc
    for the SSH client on Switch B.
    Figure 109  Network diagram 
     
     
    Configuration procedure 
    1. Configure the SSH server: 
    # Generate the RSA key pairs. 
    <SwitchB> system-view
    [SwitchB] public-key local create rsa 
    The range of public key size is (512 ~ 2048). 
    NOTES: If the key modulus is greater than 512, 
    It will take a few minutes. 
    Press CTRL+C to abort. 
    Input the bits of the modulus[default = 1024]: 
    Generating Keys... 
    ++++++++ 
    ++++++++++++++ 
    +++++ 
    ++++++++ 
    # Generate a DSA key pair. 
    [SwitchB] public-key local create dsa 
    The range of public key size is (512 ~ 2048). 
    NOTES: If the key modulus is greater than 512, 
    It will take a few minutes. 
    Press CTRL+C to abort. 
    Input the bits of the modulus[default = 1024]: 
    Generating Keys... 
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\
    ++++++++ 
    +++++++++++++++++++++++++++++++++++ 
    # Enable the SSH server. 
    [SwitchB] ssh server enable 
    # Configure an IP address for VLAN-interface 1, which the SSH client will use as the destination for 
    SSH connection. 
    [SwitchB] interface vlan-interface 1 
    [SwitchB-Vlan-interface1] ip address 10.165.87.136 255.255.255.0 
    [SwitchB-Vlan-interface1] quit 
    # Set the authentication mode for the user interfaces to AAA. 
    [SwitchB] user-interface vty 0 15 
    [SwitchB-ui-vty0-15] authentication-mode scheme 
    # Enable the user interfaces to support SSH. 
    [SwitchB-ui-vty0-15] protocol inbound ssh 
    [SwitchB-ui-vty0-15] quit 
    # Create local user client001.
    [SwitchB] local-user client001 
    [SwitchB-luser-client001] password simple aabbcc 
    [SwitchB-luser-client001] service-type ssh 
    [SwitchB-luser-client001] authorization-attribute level 3 
    [SwitchB-luser-client001] quit 
    # Specify the service type for user client001 as stelnet, and the authentication method as password.
    This step is optional.
    [SwitchB] ssh user client001 service-type stelnet authentication-type password
    2. Establish a connection between the SSH client and the SSH server:
    # Configure an IP address for VLAN-interface 1.
    <SwitchA> system-view
    [SwitchA] interface vlan-interface 1
    						