HP 5500 Ei 5500 Si Switch Series Configuration Guide
Have a look at the manual HP 5500 Ei 5500 Si Switch Series Configuration Guide online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 1114 HP manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.
![Page 2346
45
Step Command Remarks
5. Configure a system
formation output rule for
the SNMP module. info-center source
{ module -name |
default } channel { channel- number |
channel- name } [ debug { level severity
| state state } * | log { level severity |
state state } * | trap { level severity |
state state } * ] * Optional.
See
Default output rules of system
informati
on.
6. Configure the timestamp
format. info-center timestamp
{ debugging |
log | trap } { boot |...](http://img.usermanuals.tech/thumb/36/58909/w64_hp-5500-ei-5500-si-switch-series-configuration-guide-2345.png "Page 2346
45
Step Command Remarks
5. Configure a system
formation output rule for
the SNMP module. info-center source
{ module -name |
default } channel { channel- number |
channel- name } [ debug { level severity
| state state } * | log { level severity |
state state } * | trap { level severity |
state state } * ] * Optional.
See
Default output rules of system
informati
on.
6. Configure the timestamp
format. info-center timestamp
{ debugging |
log | trap } { boot |...")
![Page 2349
48
Task Command Remarks
Perform these operations on
the security log file.
• Display the contents of the specified file:
more file -url
• Display information about all files and
folders:
dir [ / all ] [ file -url ]
• Create a folder under a specified directory
on the storage medium:
mkdir directory
• Change the current working directory:
cd { directory | .. | / }
• Display the current path:
pwd
• Move a specified file from a storage
medium to the recycle bin:
delete [...](http://img.usermanuals.tech/thumb/36/58909/w64_hp-5500-ei-5500-si-switch-series-configuration-guide-2348.png "Page 2349
48
Task Command Remarks
Perform these operations on
the security log file.
• Display the contents of the specified file:
more file -url
• Display information about all files and
folders:
dir [ / all ] [ file -url ]
• Create a folder under a specified directory
on the storage medium:
mkdir directory
• Change the current working directory:
cd { directory | .. | / }
• Display the current path:
pwd
• Move a specified file from a storage
medium to the recycle bin:
delete [...")
![Page 2350
49
Configuring synchronous information output
The output of system logs interrupts ongoing configuration operations, and you have to find the
previously input commands before the logs. Synchronous information output can show the previous input
after log output and a command prompt in command editing mode, or a [Y/N] string in interaction
mode so you can continue your operation from where you were stopped.
To enable synchronous information output:
Step Command Remarks
1. Enter system view....](http://img.usermanuals.tech/thumb/36/58909/w64_hp-5500-ei-5500-si-switch-series-configuration-guide-2349.png "Page 2350
49
Configuring synchronous information output
The output of system logs interrupts ongoing configuration operations, and you have to find the
previously input commands before the logs. Synchronous information output can show the previous input
after log output and a command prompt in command editing mode, or a [Y/N] string in interaction
mode so you can continue your operation from where you were stopped.
To enable synchronous information output:
Step Command Remarks
1. Enter system view....")
![Page 2351
50
Displaying and maintaining information center
Task Command Remarks
Display the information about
information channels. display channel [ channel
-number |
channel- name ] [ | { begin | exclude | include }
regular-expression ] Available in any view
Display the information about each
output destination. display info-center [ |
{ begin | exclude |
include } regular-expression ] Available in any view
Display the state of the log buffer
and the log information recorded. display...](http://img.usermanuals.tech/thumb/36/58909/w64_hp-5500-ei-5500-si-switch-series-configuration-guide-2350.png "Page 2351
50
Displaying and maintaining information center
Task Command Remarks
Display the information about
information channels. display channel [ channel
-number |
channel- name ] [ | { begin | exclude | include }
regular-expression ] Available in any view
Display the information about each
output destination. display info-center [ |
{ begin | exclude |
include } regular-expression ] Available in any view
Display the state of the log buffer
and the log information recorded. display...")
![Page 2352
51
[Sysname] info-center source default channel loghost debug state off log\
state off
trap state off
To avoid outputting unnecessary information, disable the output of log, trap, and debugging
information on the specified channel ( loghost in this example) before you configure an output rule.
# Configure an output rule to outp ut to the log host ARP and IP log information that has a severity
level of at least informational . (The source modules that are allowed to output information depend
on...](http://img.usermanuals.tech/thumb/36/58909/w64_hp-5500-ei-5500-si-switch-series-configuration-guide-2351.png "Page 2352
51
[Sysname] info-center source default channel loghost debug state off log\
state off
trap state off
To avoid outputting unnecessary information, disable the output of log, trap, and debugging
information on the specified channel ( loghost in this example) before you configure an output rule.
# Configure an output rule to outp ut to the log host ARP and IP log information that has a severity
level of at least informational . (The source modules that are allowed to output information depend
on...")
![Page 2353
52
Figure 19 Network diagram
Configuration procedure
Before the configuration, make sure that the device and the PC can reach each other.
1. Configure the device:
# Enable the information center.
system-view
[Sysname] info-center enable
# Specify the host 1.2.0.1/16 as the log host. Use the channel loghost to output log information
(optional, loghost by default), and use local5 as the logging facility.
[Sysname] info-center loghost 1.2.0.1 channel loghost facility local5
# Disable the...](http://img.usermanuals.tech/thumb/36/58909/w64_hp-5500-ei-5500-si-switch-series-configuration-guide-2352.png "Page 2353
52
Figure 19 Network diagram
Configuration procedure
Before the configuration, make sure that the device and the PC can reach each other.
1. Configure the device:
# Enable the information center.
system-view
[Sysname] info-center enable
# Specify the host 1.2.0.1/16 as the log host. Use the channel loghost to output log information
(optional, loghost by default), and use local5 as the logging facility.
[Sysname] info-center loghost 1.2.0.1 channel loghost facility local5
# Disable the...")
![Page 2356
55
[Sysname] info-center security-logfile enable
[Sysname] info-center security-logfile frequency 3600
# Create a local user seclog, and configure the password for the user as 123123123123.
[Sysname] local-user seclog
New local user added.
[Sysname-luser-seclog] password simple 123123123123
# Authorize the user to mana ge the security log file.
[Sysname-luser-seclog] authorization-attribute level 3 user-role securit\
y-audit
# Authorize the user to use SSH, Telnet, and terminal services....](http://img.usermanuals.tech/thumb/36/58909/w64_hp-5500-ei-5500-si-switch-series-configuration-guide-2355.png "Page 2356
55
[Sysname] info-center security-logfile enable
[Sysname] info-center security-logfile frequency 3600
# Create a local user seclog, and configure the password for the user as 123123123123.
[Sysname] local-user seclog
New local user added.
[Sysname-luser-seclog] password simple 123123123123
# Authorize the user to mana ge the security log file.
[Sysname-luser-seclog] authorization-attribute level 3 user-role securit\
y-audit
# Authorize the user to use SSH, Telnet, and terminal services....")
50
Displaying and maintaining information center
Task Command Remarks
Display the information about
information channels. display channel [ channel
-number |
channel- name ] [ | { begin | exclude | include }
regular-expression ] Available in any view
Display the information about each
output destination. display info-center [ |
{ begin | exclude |
include } regular-expression ] Available in any view
Display the state of the log buffer
and the log information recorded. display logbuffer
[ reverse ] [ level severity |
size buffersize | slot slot-number ] * [ | { begin |
exclude | include } regular-expression ] Available in any view
Display a summary of the log
buffer. display logbuffer summary
[ level severity | slot
slot-number ] * [ | { begin | exclude | include }
regular-expression ] Available in any view
Display the state of the trap buffer
and the trap information recorded. display trapbuffer [ reverse
] [ size buffersize ]
[ | { begin | exclude | include }
regular-expression ] Available in any view
Reset the log buffer.
reset logbuffer Available in user view
Reset the trap buffer. reset trapbuffer Available in user view
Information center configuration examples
Outputting log information to a UNIX log host
Network requirements
Configure the device to send ARP and IP log information that has a severity level of at least informational
to the UNIX log host at 1.2.0.1/16.
Figure 18 Network diagram
Configuration procedure
Before the configuration, make sure that the device and the log host can reach each other.
1. Configure the device:
# Enable the information center.
system-view
[Sysname] info-center enable
# Specify the host 1.2.0.1/16 as the log host. Use channel loghost to output log information
(optional, loghost by default), and use local4 as the logging facility.
[Sysname] info-center loghost 1.2.0.1 channel loghost facility local4
# Disable the output of log, trap, and debu gging information of all modules on channel loghost.
51 [Sysname] info-center source default channel loghost debug state off log\ state off trap state off To avoid outputting unnecessary information, disable the output of log, trap, and debugging information on the specified channel ( loghost in this example) before you configure an output rule. # Configure an output rule to outp ut to the log host ARP and IP log information that has a severity level of at least informational . (The source modules that are allowed to output information depend on the switch model.) [Sysname] info-center source arp channel loghost log level informational\ state on [Sysname] info-center source ip channel loghost log level informational \ state on 2. Configure the log host: The following configurations were performed on SunOS 4.0 which has similar configurations to the UNIX operating systems implemented by other vendors. a. Log in to the log host as a root user. b. Create a subdirectory named Device in directory /var/log/, and then create file info.log in the Device directory to save logs from Device. # mkdir /var/log/Device # touch /var/log/Device/info.log c. Edit the file /etc/syslog.conf and add the following contents. # Device configuration messages local4.info /var/log/Device/info.log In this configuration, local4 is the name of the logging facility that the log host uses to receive logs. info is the information level. The UNIX system records the log information that has a severity of at least informational to the file /var/log/Device/info.log . NOTE: Be aware of the following issues while editing the file /etc/syslog.conf: • Comments must be on a separate line and must begin with a pound sign (#). • No redundant spaces are allowed after the file name. • The logging facility name and the information level specified in the /etc/syslog.conf file must be identical to those configured on the device using the info-center loghost and info-center source commands. Otherwise the log information might not be output properly to the log host. d. Display the process ID of syslogd, kill the syslogd process and then restart syslogd using the –r option to make the modified configuration take effect. # ps -ae | grep syslogd 147 # kill -HUP 147 # syslogd -r & Now, the system can record log information into the log file. Outputting log information to a Linux log host Network requirements Configure the device to send log information that has a severity level of at least informational to the Linux log host at 1.2.0.1/16.
52 Figure 19 Network diagram Configuration procedure Before the configuration, make sure that the device and the PC can reach each other. 1. Configure the device: # Enable the information center. system-view [Sysname] info-center enable # Specify the host 1.2.0.1/16 as the log host. Use the channel loghost to output log information (optional, loghost by default), and use local5 as the logging facility. [Sysname] info-center loghost 1.2.0.1 channel loghost facility local5 # Disable the output of log, trap, and debu gging information of all modules on channel loghost. [Sysname] info-center source default channel loghost debug state off log\ state off trap state off To avoid outputting unnecessary information, di sable the output of log, trap, and debugging information on the specified channel ( loghost in this example) before you configure an output rule. # Configure an output rule to output to the log host the log information that has a severity level of at least informational . [Sysname] info-center source default channel loghost log level informati\ onal state on 2. Configure the log host: a. Log in to the log host as a root user. b. Create a subdirectory named Device in directory /var/log/, and create file info.log in the Device directory to save logs of Device. # mkdir /var/log/Device # touch /var/log/Device/info.log c. Edit the file /etc/syslog.conf and add the following contents. # Device configuration messages local5.info /var/log/Device/info.log In this configuration, local5 is the name of the logging facility that the log host uses to receive lo\ gs. The information level is info. The Linux system records the log information that has a severity level of at least informational to the file /var/log/Device/info.log . NOTE: Be aware of the following issues while editing the file /etc/syslog.conf: • Comments must be on a separate line and must begin with a pound sign (#). • No redundant spaces are allowed after the file name. • The logging facility name and the information level specified in the /etc/syslog.conf file must be identical to those configured on the device using the info-center loghost and info-center source commands. Otherwise the log information may not be output properly to the log host.
53 d. Display the process ID of syslogd , kill the syslogd process, and restart syslogd using the -r option to make the modified configuration take effect. # ps -ae | grep syslogd 147 # kill -9 147 # syslogd -r & Make sure that the syslogd process is started with the -r option on the Linux log host. Now, the system can record log information into the log file. Outputting log information to the console Network requirements Configure the device to send ARP and IP log informatio n that has a severity level of at least Informational to the console. Figure 20 Network diagram Configuration procedure # Enable the information center. system-view [Sysname] info-center enable # Use channel console to output log information to the console. (This step is optional because it is the default setting). [Sysname] info-center console channel console # Disable the output of log, trap, and debugging information of all modules on channel console. [Sysname] info-center source default channel console debug state off log\ state off trap state off To avoid outputting unnecessary information, disable the output of log, trap, and debugging information of all modules on the specified channel ( console in this example), and then configure the output rule as needed. # Configure an output rule to output to the console ARP and IP log information that has a severity level of at least informational . (The source modules that are allowed to output information depend on the switch model.) [Sysname] info-center source arp channel console log level informational\ state on [Sysname] info-center source ip channel console log level informational \ state on [Sysname] quit # Enable the display of log information on a terminal . (Optional, this function is enabled by default.) terminal monitor Info: Current terminal monitor is on. terminal logging Info: Current terminal logging is on.
54
Now, if the ARP and IP modules generate log information, the information center automatically sends the
log information to the console.
Saving security logs into the security log file
Network requirements
• Save security logs into the security log file Flash:/securitylog/seclog.log every one hour.
• Only the security log administrator can view the contents of the security log file. No other users
cannot view, copy, or rename the security log file.
Figure 21 Network diagram
Configuration considerations
The configuration in this example includes two parts:
1. Log in to the device as the system administrator:
{ Enable saving the securit y logs into the securit y log file and set the saving inter val to one hour.
{ Create a local user seclog with the password 12 312 312 312 3 , and authorize this user as the
security log administrator. That is, use the authorization-attribute command to set the user
privilege level to 3 and specify the user role as security audit. In addition, specify the service
types that the user can use by using service-type.
{ Set the authentication mode to scheme for the user logging in to the device, and make sure that
only the local user that has passed the AAA local authentication can view and perform
operations on the security log file.
2. Log in to the device as the security log administrator:
{ Set the directory for saving the security log file to Flash:/securitylog/seclog.log.
{ View the contents of the security log file to learn the security status of the device.
Configuration procedure
1. Configuration performed by the system administrator:
# Enable saving security logs into the security lo g file and set the saving interval to one hour.
system-view
System
administrator
ConsoleDevice
IP network
Security log
administrator
FTP Server192.168.1.2/24
1.1.1.1/24 192.168.1.1/24
55
[Sysname] info-center security-logfile enable
[Sysname] info-center security-logfile frequency 3600
# Create a local user seclog, and configure the password for the user as 123123123123.
[Sysname] local-user seclog
New local user added.
[Sysname-luser-seclog] password simple 123123123123
# Authorize the user to mana ge the security log file.
[Sysname-luser-seclog] authorization-attribute level 3 user-role securit\
y-audit
# Authorize the user to use SSH, Telnet, and terminal services.
[Sysname-luser-seclog] service-type ssh telnet terminal
[Sysname-luser-seclog] quit
# According to the network plan, the user logs in to the device through SSH or Telnet, so configure
the authentication mode of the VTY user interface as scheme.
[Sysname] display user-interface vty ?
INTEGER Specify one user terminal interface
The output shows that the device supports sixteen VTY user interfaces, which are numbered 0
through 15.
[Sysname] user-interface vty 0 15
[Sysname-ui-vty0-15] authentication-mode scheme
[Sysname-ui-vty0-15] quit
2. Configuration performed by th e security log administrator:
# Log in to the device as user seclog.
C:/> telnet 1.1.1.1
************************************************************************\
******
* Copyright (c) 2010-2012 Hewlett-Packard Development Company, L.P. \
*
* Without the owners prior written consent, \
*
* no decompiling or reverse-engineering shall be allowed. \
*
************************************************************************\
******
Login authentication
Username:seclog
Password:
# Display the summary of the security log file.
display security-logfile summary
Security-log is enabled.
Security-log file size quota: 1MB
Security-log file directory: flash:/seclog
Alarm-threshold: 80%
Current usage: 0%
Writing frequency: 1 hour 0 min 0 sec
The output shows that the directory fo r saving the security log file is flash:/seclog.
# Change the directory where the security log file is saved to Flash:/securitylog.
56 mkdir securitylog . %Created dir flash:/securitylog. info-center security-logfile switch-directory flash:/securityl\ og/ # Display the contents of the security log file buffer. display security-logfile buffer %@175 Nov 2 17:02:53:766 2011 Sysname SHELL/4/LOGOUT: Trap 1.3.6.1.4.1.25506.2.2.1.1.3.0.2: logout from Console %@176 Nov 2 17:02:53:766 2011 Sysname SHELL/5/SHELL_LOGOUT:Console logg\ ed out from aux0. The content of other logs is not shown. The preceding information indicates that there is st ill new content in the buffer that has not been saved into the security log file. # Manually save the contents of the security log file buffer into the security log file. security-logfile save Info: Save all the contents in the security log buffer into file flash:/securitylog/seclog.log successfully. # Display the contents of the security log file. more securitylog/seclog.log %@157 Nov 2 16:12:01:750 2011 Sysname SHELL/4/LOGIN: Trap 1.3.6.1.4.1.25506.2.2.1.1.3.0.1: login from Console %@158 Nov 2 16:12:01:750 2011 Sysname SHELL/5/SHELL_LOGIN:Console logge\ d in from aux0. The content of other logs is not shown.
57
Configuring SNMP
T h i s c h a p t e r p r o vi d e s a n o v e r v i e w o f t h e S i m p l e N e t w o r k M a n a g e m e n t P r o t o c o l ( S N M P ) a n d g u i d e s yo u
through the configuration procedure.
Overview
SNMP is an Internet standard protocol widely used for a management station to access and operate the
devices on a network, regardless of their vendors, ph ysical characteristics and interconnect technologies.
SNMP enables network administrators to read and set the variables on managed devices for state
monitoring, troubleshooting, statistics co llection, and other management purposes.
SNMP framework
The SNMP framework comprises the following elements:
• SNMP manager —Works on an NMS to monitor and manage the SNMP-capable devices in the
network.
• SNMP agent —Works on a managed device to receive and handle requests from the NMS, and
send traps to the NMS when some events, su ch as an interface state change, occur.
• Management Information Base (MIB) —Specifies the variables (for example, interface status and
CPU usage) maintained by the SNMP agen t for the SNMP manager to read and set.
Figure 22 Relationship between an NMS, agent and MIB
MIB and view-based MIB access control
A MIB stores variables called nodes or objects in a tree hierarchy and identifies each node with a
u n iqu e O I D. An O I D i s a s t ri n g of nu m b e rs t h a t d e sc ribes the path from the root node to a leaf node. For
example, object B in Figure 23 is u
niquely identified by the OID {1.2.1.1}.
Figure 23 MIB tree
58 A MIB view represents a set of MIB objects (or MIB object hierarchies) with certain access privilege and is identified by a view name. The MIB objects included in the MIB view are accessible while those excluded from the MIB view are inaccessible. A MIB view can have multiple view records each identified by a view-name oid-tree pair. You control access to the MIB by assigning MIB views to SNMP groups or communities. SNMP operations SNMP provides the following basic operations: • Get—The NMS retrieves SNMP object nodes in an agent MIB. • Set—The NMS modifies the value of an object node in an agent MIB. • Notifications —Includes traps and informs. SNMP agent sends traps or informs to report events to the NMS. The difference between these two types of notification is that informs require acknowledgement but traps do not. The device supports only traps. SNMP protocol versions HP supports SNMPv1, SNMPv2c, and SNMPv3. An NMS and an SNMP agent must use the same SNMP version to communicate with each other. • SNMPv1 —Uses community names for authentication. To access an SNMP agent, an NMS must use the same community name as set on the SNMP agen t. If the community name used by the NMS is different from that set on the agent, the NMS cann ot establish an SNMP session to access the agent or receive traps from the agent. • SNMPv2c —Uses community names for authentication. SNMPv2c is compatible with SNMPv1, but supports more operation modes, data types, and error codes. • SNMPv3 —Uses a user-based security model (USM) to secure SNMP communication. You can configure authentication and privacy mechanisms to authenticate and encrypt SNMP packets for integrity, authenticity, and confidentiality. SNMP configuration task list Task Remarks Configuring SNMP basic parameters Required Switching the NM-specific interface index Optional Configuring SNMP logging Optional Configuring SNMP traps Optional Configuring SNMP basic parameters SNMPv3 differs from SNMPv1 and SNMPv2c in many ways. Their configuration procedures are described in separate sections. Configuring SNMPv3 basic parameters
59
Step Command Remarks
1. Enter system view.
system-view N/A
2. Enable the SNMP agent.
snmp-agent Optional.
By default, the SNMP agent is
disabled.
You can also enable the SNMP
agent by using any command that
begins with snmp-agent except the
snmp-agent calculate-password
and snmp-agent ifmib long-ifindex
enable commands.
3. Configure system information
for the SNMP agent. snmp-agent sys-info
{ contact
sys-contact | location sys-location
| version { all | { v1 | v2c |
v3 }* } } Optional.
By default, the contact information
is
Hewlett-Packard Development
Company, L.P , the location
information is null, and the
protocol version is SNMPv3.
4. Configure the local engine ID. snmp-agent local-engineid
engineid Optional.
The default local engine ID is the
company ID plus the device ID.
After you change the local engine
ID, the existing SNMPv3 users
become invalid, and you must
re-create the SNMPv3 users.
5.
Create or update a MIB view. snmp-agent mib-view
{ excluded |
included } view -name oid -tree
[ mask mask-value ] Optional.
By default, the MIB view
ViewDefault is predefined and its
OID is 1.
Each
view-name oid-tree pair
represents a view record. If you
specify the same record with
different MIB subtree masks
multiple times, the last
configuration takes effect. Except
the four subtrees in the default MIB
view, you can create up to 16
unique MIB view records.
6. Configure an SNMPv3 group. snmp-agent group
v3 group-name
[ authentication | privacy ]
[ read-view read-view ]
[ write-view write-view ]
[ notify-view notify-view ] [ acl
acl-number | acl ipv6
ipv6-acl-number ] * By default, no SNMP group exists.
7.
Convert a plaintext key to a
ciphertext (encrypted) key. snmp-agent calculate-password
plain-password mode { 3desmd5 |
3dessha | md5 | sha }
{ local-engineid |
specified-engineid engineid } Optional.