
HP 5500 Ei 5500 Si Switch Series Configuration Guide

    [SwitchA-Vlan-interface1] ip address 10.165.87.137 255.255.255.0 
    [SwitchA-Vlan-interface1] quit 
    [SwitchA] quit 
    • If the client supports first-time authentication, you can directly establish a connection from the
    client to the server.
    # Establish an SSH connection to server 10.165.87.136.
    <SwitchA> ssh2 10.165.87.136
    Username: client001 
    Trying 10.165.87.136 ... 
    Press CTRL+K to abort 
    Connected to 10.165.87.136 ... 
     
    The Server is not authenticated. Continue? [Y/N]:y 
    Do you want to save the server public key? [Y/N]:n 
    Enter password: 
    After you enter the correct password, you can log in to Switch B successfully.
    • If the client does not support first-time authentication, perform the following configurations.
    # Disable first-time authentication.
    [SwitchA] undo ssh client first-time
    # Configure the host public key of the SSH server. You can get the server host public key by
    using the display public-key local dsa public command on the server.
    [SwitchA] public-key peer key1 
    [SwitchA-pkey-public-key] public-key-code begin 
    [SwitchA-pkey-key-code] public-key-code end  
    						
    [SwitchA-pkey-public-key] peer-public-key end 
    # Specify the host public key for the SSH server (10.165.87.136) as key1.
    [SwitchA] ssh client authentication server 10.165.87.136 assign publickey key1
    [SwitchA] quit
    # Establish an SSH connection to server 10.165.87.136.
    <SwitchA> ssh2 10.165.87.136
    Username: client001 
    Trying 10.165.87.136 
    Press CTRL+K to abort 
    Connected to 10.165.87.136... 
    Enter password:  
    After you enter the correct password, you can log in to Switch B successfully.
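The two cases above differ in how the client verifies the server host key: accepted at the Y/N prompt, or pinned with `ssh client authentication server ... assign publickey`. The following added example (not part of the HP guide) cross-checks a set of client configuration lines against the servers the client connects to. The 192.0.2.x addresses, `key2`, and the assumptions marked in the comments are constructed for illustration.

```python
import re

PROMPT = re.compile(r"^\[[^\]]*\]\s*")
PEER = re.compile(r"public-key peer (\S+)( import sshkey \S+)?")
ASSIGN = re.compile(r"ssh client authentication server (\S+) assign publickey (\S+)")

# Constructed input: the commands shown above plus one assignment to an
# undefined key; 192.0.2.x addresses are documentation placeholders.
SAMPLE = """\
[SwitchA] undo ssh client first-time
[SwitchA] public-key peer key1
[SwitchA] ssh client authentication server 10.165.87.136 assign publickey key1
[SwitchA] ssh client authentication server 192.0.2.10 assign publickey key2
"""


def audit_host_key_pinning(config, servers):
    """Classify how the SSH client would verify each server's host key."""
    first_time = True   # assumption: first-time authentication is on until undone
    peers, assigned = set(), {}
    for raw in config.splitlines():
        line = PROMPT.sub("", raw.strip())          # drop the "[SwitchA] " prompt
        if line in ("ssh client first-time", "undo ssh client first-time"):
            first_time = not line.startswith("undo")
        elif PEER.fullmatch(line):
            peers.add(PEER.fullmatch(line).group(1))
        elif ASSIGN.fullmatch(line):
            server, key = ASSIGN.fullmatch(line).groups()
            assigned[server] = key
    result = {}
    for server in servers:
        key = assigned.get(server)
        if key in peers:
            result[server] = "pinned to " + key
        elif key is not None:
            result[server] = "misconfigured: peer key %s is not defined" % key
        elif first_time:
            result[server] = "first-time: key accepted at the Y/N prompt, unverified"
        else:
            # assumption: with first-time authentication off, an unknown server is refused
            result[server] = "refused: no host key assigned"
    return result
```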
    When switch acts as client for publickey authentication 
    Network requirements 
    As shown in Figure 110, Switch A (the SSH client) must pass publickey authentication to log in to Switch 
    B (the SSH server) through the SSH protocol. Use the DSA public key algorithm. 
    Figure 110  Network diagram 
     
     
    Configuration procedure 
     
    IMPORTANT:
    During SSH server configuration, the client public key is required. Use the client software to generate a
    DSA key pair on the client before configuring the SSH server.

    1. Configure the SSH client:
    # Create VLAN-interface 1 and assign an IP address to it.
    <SwitchA> system-view
    [SwitchA] interface vlan-interface 1 
    [SwitchA-Vlan-interface1] ip address 10.165.87.137 255.255.255.0 
    [SwitchA-Vlan-interface1] quit 
    # Generate a DSA key pair. 
    [SwitchA] public-key local create dsa 
    The range of public key size is (512 ~ 2048). 
    NOTES: If the key modulus is greater than 512, 
    It will take a few minutes. 
    Press CTRL+C to abort. 
    Input the bits of the modulus[default = 1024]: 
    Generating Keys... 
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\
    ++++++++ 
    +++++++++++++++++++++++++++++++++++  
    						
    # Export the DSA public key to file key.pub. 
    [SwitchA] public-key local export dsa ssh2 key.pub 
    [SwitchA] quit 
    Then, transmit the public key file to the server through FTP or TFTP.
    2. Configure the SSH server:
    # Generate the RSA key pairs.
    <SwitchB> system-view
    [SwitchB] public-key local create rsa 
    The range of public key size is (512 ~ 2048). 
    NOTES: If the key modulus is greater than 512, 
    It will take a few minutes. 
    Press CTRL+C to abort. 
    Input the bits of the modulus[default = 1024]: 
    Generating Keys... 
    ++++++++ 
    ++++++++++++++ 
    +++++ 
    ++++++++ 
    # Generate a DSA key pair. 
    [SwitchB] public-key local create dsa 
    The range of public key size is (512 ~ 2048). 
    NOTES: If the key modulus is greater than 512, 
    It will take a few minutes. 
    Press CTRL+C to abort. 
    Input the bits of the modulus[default = 1024]: 
    Generating Keys... 
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\
    ++++++++ 
    +++++++++++++++++++++++++++++++++++ 
    # Enable the SSH server. 
    [SwitchB] ssh server enable 
    # Configure an IP address for VLAN-interface 1, which the SSH client will use as the destination for
    SSH connection.
    [SwitchB] interface vlan-interface 1 
    [SwitchB-Vlan-interface1] ip address 10.165.87.136 255.255.255.0 
    [SwitchB-Vlan-interface1] quit 
    # Set the authentication mode for the user interfaces to AAA. 
    [SwitchB] user-interface vty 0 15 
    [SwitchB-ui-vty0-15] authentication-mode scheme 
    # Enable the user interfaces to support SSH. 
    [SwitchB-ui-vty0-15] protocol inbound ssh 
    # Set the user command privilege level to 3. 
    [SwitchB-ui-vty0-15] user privilege level 3 
    [SwitchB-ui-vty0-15] quit 
    # Import the peer public key from the file key.pub.
    [SwitchB] public-key peer Switch001 import sshkey key.pub
    # Specify the authentication method for user client002 as publickey, and assign the public key
    Switch001 to the user.
    [SwitchB] ssh user client002 service-type stelnet authentication-type publickey assign publickey Switch001
    3. Establish a connection between the SSH client and the SSH server:
    # Establish an SSH connection to the server (10.165.87.136).
    <SwitchA> ssh2 10.165.87.136
    Username: client002 
    Trying 10.165.87.136 ... 
    Press CTRL+K to abort 
    Connected to 10.165.87.136 ... 
     
    The Server is not authenticated. Continue? [Y/N]:y 
    Do you want to save the server public key? [Y/N]:n 
    Later, you will find that you have logged in to Switch B successfully.
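The key.pub file exported in step 1 travels to the server over FTP or TFTP, so its contents should be checked on both ends before `public-key peer ... import sshkey` binds it to a user. The following added example (not part of the HP guide) parses such a file, assuming the `ssh2` export uses the RFC 4716 public key file format, and reports key type, size and a SHA-256 fingerprint to compare between the exported and the received copy. `MIN_RSA_BITS` is an assumed policy value and `build_sample` produces a constructed stand-in key.

```python
import base64
import hashlib

MIN_RSA_BITS = 2048  # assumption: local policy floor, not a value from the guide
BEGIN, END = "---- BEGIN SSH2 PUBLIC KEY ----", "---- END SSH2 PUBLIC KEY ----"


def parse_rfc4716(text):
    """Return the binary key blob carried in an RFC 4716 public key file."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an RFC 4716 public key file")
    body, in_header = [], False
    for ln in lines[1:-1]:
        if in_header or ":" in ln:        # header line, or its "\" continuation
            in_header = ln.endswith("\\")
        else:
            body.append(ln)
    return base64.b64decode("".join(body), validate=True)


def read_fields(blob):
    """Split an SSH wire-format blob into its length-prefixed fields."""
    fields, off = [], 0
    while off < len(blob):
        size = int.from_bytes(blob[off:off + 4], "big")
        if off + 4 + size > len(blob):
            raise ValueError("truncated key blob")
        fields.append(blob[off + 4:off + 4 + size])
        off += 4 + size
    return fields


def inspect_key(text):
    """Report algorithm, key size, SHA-256 fingerprint and policy findings."""
    blob = parse_rfc4716(text)
    fields = read_fields(blob)
    algo = fields[0].decode("ascii", "replace") if fields else ""
    index = {"ssh-rsa": 2, "ssh-dss": 1}.get(algo)   # RSA: e, n   DSA: p, q, g, y
    if index is None or len(fields) <= index:
        raise ValueError("unsupported or malformed key blob")
    bits = int.from_bytes(fields[index], "big").bit_length()
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    findings = ["DSA key: deprecated, use RSA instead"] if algo == "ssh-dss" else []
    if algo == "ssh-rsa" and bits < MIN_RSA_BITS:
        findings.append("RSA modulus of %d bits is below %d" % (bits, MIN_RSA_BITS))
    return dict(algo=algo, bits=bits, fingerprint="SHA256:" + digest, findings=findings)


def build_sample(bits):
    """Constructed stand-in for key.pub: right structure, not a usable key."""
    def field(raw):
        return len(raw).to_bytes(4, "big") + raw
    ints = [65537, (1 << (bits - 1)) | 1]          # e, n (n is not a real modulus)
    blob = field(b"ssh-rsa") + b"".join(
        field(v.to_bytes(v.bit_length() // 8 + 1, "big")) for v in ints)
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return '%s\nComment: "constructed sample"\n%s\n%s\n' % (BEGIN, body, END)
```

A key generated at the default modulus shown in the transcripts (1024 bits) is reported as a finding under the assumed 2048-bit floor.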
      
    						
    Configuring SFTP 
    Overview 
    The Secure File Transfer Protocol (SFTP) is a new feature in SSH2.0. 
    SFTP uses the SSH connection to provide secure data transfer. The switch can serve as the SFTP server, 
    allowing a remote user to log in to the SFTP server for secure file management and transfer. The switch 
    can also serve as an SFTP client, enabling a user to log in from the switch to a remote device for secure 
    file transfer. 
    With SSH connection across VPNs, you can configure the switch as an SFTP client to establish
    connections with SFTP servers in different MPLS VPNs. For more information about this function, see
    Configuring SSH2.0.
    Configuring the switch as an SFTP server 
    Before you configure this task, complete the following tasks: 
    • Configure the SSH server.
    • Use the ssh user service-type command to set the service type of SSH users to sftp or all.
    For more information about the configuration procedures, see Configuring SSH2.0.
      
    Enabling the SFTP server 
    This configuration task will enable the SFTP service so that a client can log in to the SFTP server through 
    SFTP. 
    When the switch functions as the SFTP server, only one client can access the SFTP server at a time. If the 
    SFTP client uses WinSCP, a file on the server cannot be modified directly. It can only be downloaded to
    a local place, modified, and then uploaded to the server. 
    To enable the SFTP server: 
     
    Step 1. Enter system view.
        Command: system-view
        Remarks: N/A
    Step 2. Enable the SFTP server.
        Command: sftp server enable
        Remarks: Disabled by default.
     
    Configuring the SFTP connection idle timeout period 
    Once the idle period of an SFTP connection exceeds the specified threshold, the system automatically
    tears the connection down. 
    To configure the SFTP connection idle timeout period: 
     
    Step 1. Enter system view.
        Command: system-view
        Remarks: N/A
    Step 2. Configure the SFTP connection idle timeout period.
        Command: sftp server idle-timeout time-out-value
        Remarks: Optional. 10 minutes by default.
     
    Configuring the switch as an SFTP client 
    Specifying a source IP address or interface for the SFTP client 
    You can configure a client to use only a specified source IP address or interface to access the SFTP server, 
    enhancing the service manageability.   
    To specify a source IP address or interface for the SFTP client: 
     
    Step 1. Enter system view.
        Command: system-view
        Remarks: N/A
    Step 2. Specify a source IP address or interface for the SFTP client.
        Command:
        • Specify a source IPv4 address or interface for the SFTP client:
          sftp client source { ip ip-address | interface interface-type interface-number }
        • Specify a source IPv6 address or interface for the SFTP client:
          sftp client ipv6 source { ipv6 ipv6-address | interface interface-type interface-number }
        Remarks: Use either command. By default, an SFTP client uses the IP address of the interface
        specified by the route of the switch to access the SFTP server.
     
    Establishing a connection to the SFTP server 
    This configuration task will enable the SFTP client to
     establish a connection to the remote SFTP server and 
    enter SFTP client view. 
    To enable the SFTP client: 
      
    						
    Task: Establish a connection to the remote SFTP server and enter SFTP client view.
        Command:
        • Establish a connection to the remote IPv4 SFTP server and enter SFTP client view:
          sftp server [ port-number ] [ vpn-instance vpn-instance-name ]
              [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } |
              prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } |
              prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } |
              prefer-stoc-cipher { 3des | aes128 | des } |
              prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *
        • Establish a connection to the remote IPv6 SFTP server and enter SFTP client view:
          sftp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ]
              [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } |
              prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } |
              prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } |
              prefer-stoc-cipher { 3des | aes128 | des } |
              prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *
        Remarks: Use either command in user view. Only the HP 5500 EI switches support the
        vpn-instance vpn-instance-name option.
     
     
    Working with SFTP directories 
    SFTP directory operations include: 
    • Changing or displaying the current working directory
    • Displaying files under a directory or the directory information
    • Changing the name of a directory on the server
    • Creating or deleting a directory
    To work with the SFTP directories: 
     
    Step 1. Enter SFTP client view.
        Command: For more information, see Establishing a connection to the SFTP server.
        Remarks: Execute the command in user view.
    Step 2. Change the working directory of the remote SFTP server.
        Command: cd [ remote-path ]
        Remarks: Optional.
    Step 3. Return to the upper-level directory.
        Command: cdup
        Remarks: Optional.
    Step 4. Display the current working directory of the remote SFTP server.
        Command: pwd
        Remarks: Optional.
    Step 5. Display files under a directory.
        Command:
        • dir [ -a | -l ] [ remote-path ]
        • ls [ -a | -l ] [ remote-path ]
        Remarks: Optional. The dir command functions as the ls command.
    Step 6. Change the name of a directory on the SFTP server.
        Command: rename oldname newname
        Remarks: Optional.
    Step 7. Create a new directory on the remote SFTP server.
        Command: mkdir remote-path
        Remarks: Optional.
    Step 8. Delete one or more directories from the SFTP server.
        Command: rmdir remote-path &
        Remarks: Optional.
     
    Working with SFTP files 
    SFTP file operations include: 
    • Changing the name of a file
    • Downloading a file
    • Uploading a file
    • Displaying a list of the files
    • Deleting a file
    To work with SFTP files: 
     
    Step 1. Enter SFTP client view.
        Command: For more information, see Establishing a connection to the SFTP server.
        Remarks: Execute the command in user view.
    Step 2. Change the name of a file on the SFTP server.
        Command: rename old-name new-name
        Remarks: Optional.
    Step 3. Download a file from the remote server and save it locally.
        Command: get remote-file [ local-file ]
        Remarks: Optional.
    Step 4. Upload a local file to the remote SFTP server.
        Command: put local-file [ remote-file ]
        Remarks: Optional.
    Step 5. Display the files under a directory.
        Command:
        • dir [ -a | -l ] [ remote-path ]
        • ls [ -a | -l ] [ remote-path ]
        Remarks: Optional. The dir command functions as the ls command.
    Step 6. Delete one or more directories from the SFTP server.
        Command:
        • delete remote-file &
        • remove remote-file &
        Remarks: Optional. The delete command functions as the remove command.
     
    Displaying help information 
    This configuration task will display a list of all commands or the help information of an SFTP client 
    command, such as the command format and parameters. 
    To display a list of all commands or the help information of an SFTP client command: 
     
    Step 1. Enter SFTP client view.
        Command: For more information, see Establishing a connection to the SFTP server.
        Remarks: Execute the command in user view.
    Step 2. Display a list of all commands or the help information of an SFTP client command.
        Command: help [ all | command-name ]
        Remarks: N/A
     
    Terminating the connection to the remote SFTP server  
    Step 1. Enter SFTP client view.
        Command: For more information, see Establishing a connection to the SFTP server.
        Remarks: Execute the command in user view.
    Step 2. Terminate the connection to the remote SFTP server and return to user view.
        Command:
        • bye
        • exit
        • quit
        Remarks: Use any of the commands. These three commands function in the same way.
     
    Setting the DSCP value for packets sent by the SFTP client  
    Step 1. Enter system view.
        Command: system-view
        Remarks: N/A
    Step 2. Set the DSCP value for packets sent by the SFTP client.
        Command:
        • Set the DSCP value for packets sent by the IPv4 SFTP client:
          sftp client dscp dscp-value
        • Set the DSCP value for packets sent by the IPv6 SFTP client:
          sftp client ipv6 dscp dscp-value
        Remarks: Optional. By default, the DSCP value is 16 in packets sent by the IPv4 SFTP client
        and is 8 in packets sent by the IPv6 SFTP client.
     
    SFTP client configuration example 
    Network requirements 
    As shown in Figure 111, an SSH connection is required between Switch A and Switch B. Switch A, an
    SFTP client, needs to log in to Switch B for file management and file transfer. Use publickey authentication
    and the RSA public key algorithm.
    Figure 111  Network diagram 
     
     
    Configuration procedure 
      
    						
    IMPORTANT:
    During SFTP server configuration, the client public key is required. Use the client software to generate RSA
    key pairs on the client before configuring the SFTP server.
    1. Configure the SFTP client:
    # Create VLAN-interface 1 and assign an IP address to it.
    <SwitchA> system-view
    [SwitchA] interface vlan-interface 1 
    [SwitchA-Vlan-interface1] ip address 192.168.0.2 255.255.255.0 
    [SwitchA-Vlan-interface1] quit 
    # Generate the RSA key pairs. 
    [SwitchA] public-key local create rsa 
    The range of public key size is (512 ~ 2048). 
    NOTES: If the key modulus is greater than 512, 
    It will take a few minutes. 
    Press CTRL+C to abort. 
    Input the bits of the modulus[default = 1024]: 
    Generating Keys... 
    ++++++++ 
    ++++++++++++++ 
    +++++ 
    ++++++++ 
    # Export the host public key to file pubkey.
    [SwitchA] public-key local export rsa ssh2 pubkey
    [SwitchA] quit
    Then, transmit the public key file to the server through FTP or TFTP.
    2. Configure the SFTP server:
    # Generate the RSA key pairs.
    <SwitchB> system-view
    [SwitchB] public-key local create rsa 
    The range of public key size is (512 ~ 2048). 
    NOTES: If the key modulus is greater than 512, 
    It will take a few minutes. 
    Press CTRL+C to abort. 
    Input the bits of the modulus[default = 1024]: 
    Generating Keys... 
    ++++++++ 
    ++++++++++++++ 
    +++++ 
    ++++++++ 
    # Generate a DSA key pair. 
    [SwitchB] public-key local create dsa 
    The range of public key size is (512 ~ 2048). 
    NOTES: If the key modulus is greater than 512, 
    It will take a few minutes. 
    Press CTRL+C to abort. 
    Input the bits of the modulus[default = 1024]:  
    						