HP 5500 Ei 5500 Si Switch Series Configuration Guide
Using the command history function

The system can automatically save successfully executed commands to the command history buffer for the current user interface. You can view them and execute them again, or set the maximum number of commands that can be saved in the command history buffer.

A command is saved to the command history buffer in the exact format in which it was entered. For example, if you enter an incomplete command, the command saved in the command history buffer is also incomplete; if you enter a command by using a command keyword alias, the command saved in the command history buffer also uses the alias.

If you enter a command in the same format repeatedly in succession, the system buffers the command only once. If you enter a command repeatedly in different formats, the system buffers each command format. For example, display cu and display current-configuration are buffered as two entries, but successive repetitions of display cu create only one entry in the buffer.

By default, the command history buffer can save up to 10 commands for each user. To set the capacity of the command history buffer for the current user interface, use the history-command max-size command.

Viewing history commands

You can use arrow keys to access history commands in Windows 200x and Windows XP Terminal or Telnet. In Windows 9x HyperTerminal, the arrow keys are invalid, and you must use Ctrl+P and Ctrl+N instead.

To view command history, use one of the following methods:
• Display all commands in the command history buffer: display history-command [ | { begin | exclude | include } regular-expression ]
• Display the previous history command: Up arrow key or Ctrl+P
• Display the next history command: Down arrow key or Ctrl+N

Setting the command history buffer size for user interfaces

1. Enter system view.
   Command: system-view
2. Enter user interface view.
   Command: user-interface { first-num1 [ last-num1 ] | { aux | vty } first-num2 [ last-num2 ] }
3. Set the maximum number of commands that can be saved in the command history buffer.
   Command: history-command max-size size-value
   Remarks: Optional. By default, the command history buffer can save up to 10 commands.
Controlling the CLI output

This section describes the CLI output control features that help you quickly identify the desired output.

Pausing between screens of output

If the output being displayed is more than will fit on one screen, the system automatically pauses after displaying a screen. By default, up to 24 lines can be displayed on a screen. To change the screen length, use the screen-length screen-length command. For more information about this command, see Fundamentals Command Reference.

To control output, use the keys in Table 5.

Table 5 Keys for controlling output

Space
  Displays the next screen.
Enter
  Displays the next line.
Ctrl+C
  Stops the display and cancels the command execution.
PageUp
  Displays the previous page.
PageDown
  Displays the next page.

To display all output at one time and refresh the screen continuously until the last screen is displayed, perform the following task:
• Disable pausing between screens of output for the current session: screen-length disable
  Remarks: The default for a session depends on the setting of the screen-length command in user interface view. The default of the screen-length command is pausing between screens of output and displaying up to 24 lines on a screen. This command is executed in user view and takes effect only for the current session. When you log in to the device again, the default is restored.

Filtering the output from a display command

You can use one of the following methods to filter the output from a display command:
• Specify the | { begin | exclude | include } regular-expression option at the end of the command.
• When the system pauses after displaying a screen of output, enter a forward slash (/), minus sign (-), or plus sign (+) plus a regular expression to filter subsequent output. The forward slash equals the keyword begin, the minus sign equals the keyword exclude, and the plus sign equals the keyword include.

The following definitions apply to the begin, exclude, and include keywords:
• begin: Displays the first line that matches the specified regular expression and all lines that follow.
• exclude: Displays all lines that do not match the specified regular expression.
• include: Displays all lines that match the specified regular expression.

A regular expression is a case-sensitive string of 1 to 256 characters that supports the special characters in Table 6.
Table 6 Special characters supported in a regular expression

^string
  Starting sign. Matches a line that starts with string. For example, regular expression ^user matches a line beginning with user, not Auser.
string$
  Ending sign. Matches a line that ends with string. For example, regular expression user$ matches only a line ending with user, not userA.
.
  Matches any single character, such as a single character, a special character, or a blank. For example, .s matches both as and bs.
*
  Matches the preceding character or character group zero or multiple times. For example, zo* matches z and zoo; (zo)* matches zo and zozo.
+
  Matches the preceding character or character group one or multiple times. For example, zo+ matches zo and zoo, but not z.
|
  Matches the preceding or succeeding character string. For example, def|int matches only a character string containing def or int.
_
  If it is at the beginning or the end of a regular expression, it equals ^ or $. In other cases, it equals a comma, space, round bracket, or curly bracket. For example, a_b matches a b or a(b; _ab matches only a line starting with ab; ab_ matches only a line ending with ab.
-
  Connects two values (the smaller one before it and the bigger one after it) to indicate a range together with [ ]. For example, 1-9 means 1 to 9 (inclusive); a-h means a to h (inclusive).
[ ]
  Matches a single character contained within the brackets. For example, [16A] matches a string containing any character among 1, 6, and A; [1-36A] matches a string containing any character among 1, 2, 3, 6, and A (- is a hyphen). ] can be matched as a common character only when it is put at the beginning of the characters within the brackets, for example []string]. There is no such limit on [.
( )
  A character group. It is usually used with + or *. For example, (123A) means a character group 123A; 408(12)+ matches 40812 or 408121212, but it does not match 408.
\index
  Repeats the character string specified by the index. A character string refers to the string within ( ) before \. index refers to the sequence number (starting from 1 from left to right) of the character group before \. If only one character group appears before \, index can only be 1; if n character groups appear before index, index can be any integer from 1 to n. For example, (string)\1 repeats string, and a matching string must contain stringstring. (string1)(string2)\2 repeats string2, and a matching string must contain string1string2string2. (string1)(string2)\1\2 repeats string1 and string2 respectively, and a matching string must contain string1string2string1string2.
[^]
  Matches a single character not contained within the brackets. For example, [^16A] means to match a string containing any character except 1, 6, or A; the matching string can also contain 1, 6, or A, but cannot contain only these three characters. For example, [^16A] matches abc and m16, but not 1, 16, or 16A.
\ matches word undo and string abcdo.
\bcharacter2
  Matches character1character2. character1 can be any character except a number, letter, or underline, and \b equals [^A-Za-z0-9_]. For example, \ba matches -a, with - being character1 and a being character2, but it does not match 2a or ba.
\Bcharacter
  Matches a string containing character, and no space is allowed before character. For example, \Bt matches t in install, but not t in big top.
character1\w
  Matches character1character2. character2 must be a number, letter, or underline, and \w equals [A-Za-z0-9_]. For example, v\w matches vlan (v is character1 and l is character2) and service (i is character2).
\W
  Equals \b. For example, \Wa matches -a, with - being character1 and a being character2, but does not match 2a or ba.
\
  Escape character. If a special character listed in this table follows \, the specific meaning of the character is removed. For example, \\ matches a string containing \, \^ matches a string containing ^, and \\b matches a string containing \b.

The following are several regular expression examples:

# Use | begin user-interface in the display current-configuration command to match the first line of output that contains user-interface to the last line of output.
display current-configuration | begin user-interface
user-interface aux 0
user-interface vty 0 15
 authentication-mode none
 user privilege level 3
#
return

# Use | exclude Direct in the display ip routing-table command to filter out direct routes and display only the non-direct routes.
display ip routing-table | exclude Direct
Routing Tables: Public
Destination/Mask    Proto   Pre  Cost  NextHop        Interface
1.1.1.0/24          Static  60   0     192.168.0.0    Vlan1
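The begin, exclude and include filters, together with the Table 6 atoms that differ from ordinary regex syntax (_, \b, \W and \B), modelled in Python as an added example; this is not the switch's own code, the routing-table and configuration lines it runs over are constructed to resemble the page's examples, and the translation of \B to a negative lookbehind for a space is my reading of the table's wording.

```python
import re

# Translate the switch-specific atoms from Table 6 into Python regex syntax.
# The atoms ., *, +, |, [ ], ( ) and \index already mean the same in Python,
# so only _, \b, \W and \B are rewritten.
def comware_to_python(pattern):
    out, i, n, in_class = [], 0, len(pattern), False
    while i < n:
        c = pattern[i]
        if in_class:                               # inside [ ]: copy verbatim
            out.append(c)
            in_class = c != "]"
        elif c == "[":
            out.append(c)
            in_class = True
            if pattern[i + 1:i + 2] == "]":        # a leading ] is a literal
                out.append("]")
                i += 1
        elif c == "\\" and i + 1 < n:
            nxt = pattern[i + 1]
            if nxt in "bW":                        # one non-word character, consumed
                out.append("[^A-Za-z0-9_]")
            elif nxt == "B":                       # character must not follow a space
                out.append("(?<! )")
            else:                                  # \w, \index, escaped specials
                out.append(c + nxt)
            i += 1
        elif c == "_":                             # ^ or $ at the ends, separator elsewhere
            out.append("^" if i == 0 else "$" if i == n - 1 else "[ ,(){}]")
        else:
            out.append(c)
        i += 1
    return "".join(out)

def parse_filter(text):
    """Accept both forms the page describes: '| include Vlan' appended to a command,
    or '+Vlan' typed at the pause (/ is begin, - is exclude, + is include)."""
    text = text.strip()
    m = re.fullmatch(r"\|\s*(begin|exclude|include)\s+(.+)", text)
    if m:
        return m.group(1), m.group(2)
    if text and text[0] in "/-+":
        return {"/": "begin", "-": "exclude", "+": "include"}[text[0]], text[1:]
    raise ValueError("not a filter: %r" % text)

def filter_output(lines, mode, pattern):
    rx = re.compile(comware_to_python(pattern))    # case-sensitive, as on the switch
    hits = [bool(rx.search(line)) for line in lines]
    if mode == "begin":                            # first matching line to the end
        return lines[hits.index(True):] if True in hits else []
    if mode == "exclude":
        return [line for line, hit in zip(lines, hits) if not hit]
    if mode == "include":
        return [line for line, hit in zip(lines, hits) if hit]
    raise ValueError("unknown mode: " + mode)

# Constructed sample output modelled on the page's display examples.
ROUTING_TABLE = [
    "Routing Tables: Public",
    "Destination/Mask    Proto   Pre  Cost  NextHop        Interface",
    "1.1.1.0/24          Static  60   0     192.168.0.0    Vlan1",
    "192.168.1.0/24      Direct  0    0     192.168.1.42   Vlan999",
    "127.0.0.0/8         Direct  0    0     127.0.0.1      InLoop0",
]
CONFIG = [" sysname Sysname", "#", "user-interface aux 0", "user-interface vty 0 15",
          " authentication-mode none", " user privilege level 3", "#", "return"]

if __name__ == "__main__":
    for spec, lines in (("| exclude Direct", ROUTING_TABLE), ("+Vlan", ROUTING_TABLE),
                        ("| begin user-interface", CONFIG)):
        print(spec, *filter_output(lines, *parse_filter(spec)), sep="\n")
```

Unlike the switch, which still prints the table heading in its include example above, this model filters every line of the captured text.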
# Use | include Vlan in the display ip routing-table command to filter in route entries that contain Vlan.
display ip routing-table | include Vlan
Routing Tables: Public
Destination/Mask    Proto   Pre  Cost  NextHop        Interface
192.168.1.0/24      Direct  0    0     192.168.1.42   Vlan999

Configuring user privilege and command levels

To avoid unauthorized access, the device defines the user privilege levels and command levels in Table 7. User privilege levels correspond to command levels. A user who has logged in with a specific privilege level can use only the commands at that level or lower levels.

All commands are categorized into four levels: visit, monitor, system, and manage, identified from low to high by 0 through 3, respectively.

Table 7 Command levels and user privilege levels

Level 0 (Visit)
  Includes commands for network diagnosis and commands for accessing an external device. Configuration of commands at this level cannot survive a device restart. Upon device restart, the commands at this level are restored to the default settings. Commands at this level include ping, tracert, telnet, and ssh2.
Level 1 (Monitor)
  Includes commands for system maintenance and service fault diagnosis. Commands at this level are not saved after being configured. After the device is restarted, the commands at this level are restored to the default settings. Commands at this level include debugging, terminal, refresh, and send.
Level 2 (System)
  Includes service configuration commands, including routing configuration commands and commands for configuring services at different network levels. By default, commands at this level include all configuration commands except for those at manage level.
Level 3 (Manage)
  Includes commands that influence the basic operation of the system and commands for configuring system support modules. By default, commands at this level involve the configuration commands of file system, FTP, TFTP, Xmodem download, user management, level setting, and parameter settings within a system (which are not defined by any protocols or RFCs).

Configuring a user privilege level

If the authentication mode on a user interface is scheme, configure a user privilege level for users who access the interface by using the AAA module or directly on the user interface. For SSH users who use public-key authentication, the user privilege level configured directly on the user interface always takes effect. For other users, the user privilege level configured in the AAA module has priority over the one configured directly on the user interface.

If the authentication mode on a user interface is none or password, configure the user privilege level directly on the user interface.
For more information about user login authentication, see Logging in to the CLI. For more information about AAA and SSH, see Security Configuration Guide.

Configuring a user privilege level for users by using the AAA module

1. Enter system view.
   Command: system-view
2. Enter user interface view.
   Command: user-interface { first-num1 [ last-num1 ] | { aux | vty } first-num2 [ last-num2 ] }
3. Specify the scheme authentication mode.
   Command: authentication-mode scheme
   Remarks: By default, the authentication mode for VTY users is password, and no authentication is needed for AUX users.
4. Return to system view.
   Command: quit
5. Configure the authentication mode for SSH users as password.
   Remarks: For more information, see Security Configuration Guide. This task is required only for SSH users who are required to provide their usernames and passwords for authentication.
6. Configure the user privilege level by using the AAA module.
   • To use local authentication:
     a. Use the local-user command to create a local user and enter local user view.
     b. Use the level keyword in the authorization-attribute command to configure the user privilege level.
   • To use remote authentication (RADIUS or HWTACACS): configure the user privilege level on the authentication server.
   Remarks: Use either approach. For local authentication, if you do not configure the user privilege level, the user privilege level is 0. For remote authentication, if you do not configure the user privilege level, the user privilege level depends on the default configuration of the authentication server. For more information about the local-user and authorization-attribute commands, see Security Command Reference.

For example:

# Configure the device to use local authentication for Telnet users on VTY 1 and set the user privilege level to 3.
system-view
[Sysname] user-interface vty 1
[Sysname-ui-vty1] authentication-mode scheme
[Sysname-ui-vty1] quit
[Sysname] local-user test
[Sysname-luser-test] password simple 123
[Sysname-luser-test] service-type telnet

When users Telnet to the device through VTY 1, they must enter username test and password 123. After passing the authentication, the users can use only level-0 commands.

# Assign commands of levels 0 through 3 to the users.
[Sysname-luser-test] authorization-attribute level 3

Configuring the user privilege level directly on a user interface

To configure the user privilege level directly on a user interface that uses the scheme authentication mode:

1. Configure the authentication type for SSH users as publickey.
   Remarks: For more information, see Security Configuration Guide. Required only for SSH users who use public-key authentication.
2. Enter system view.
   Command: system-view
3. Enter user interface view.
   Command: user-interface { first-num1 [ last-num1 ] | vty first-num2 [ last-num2 ] }
4. Enable the scheme authentication mode.
   Command: authentication-mode scheme
   Remarks: By default, the authentication mode for VTY users is password, and no authentication is needed for AUX users.
5. Configure the user privilege level.
   Command: user privilege level level
   Remarks: By default, the user privilege level for users logged in through the AUX user interface is 3, and that for users logged in through the other user interfaces is 0.

To configure the user privilege level directly on a user interface that uses the none or password authentication mode:

1. Enter system view.
   Command: system-view
2. Enter user interface view.
   Command: user-interface { first-num1 [ last-num1 ] | { aux | vty } first-num2 [ last-num2 ] }
3. Configure the authentication mode for any user who uses the current user interface to log in to the device.
   Command: authentication-mode { none | password }
   Remarks: Optional. By default, the authentication mode for VTY user interfaces is password, and no authentication is needed for AUX users.
4. Configure the privilege level of users logged in through the current user interface.
   Command: user privilege level level
   Remarks: Optional. By default, the user privilege level for users logged in through the AUX user interface is 3, and that for users logged in through the other user interfaces is 0.

For example:

# Display the commands a Telnet user can use by default after login.
?
User view commands:
  display      Display current system information
  ping         Ping function
  quit         Exit from current command view
  rsh          Establish one RSH connection
  ssh2         Establish a secure shell client connection
  super        Set the current user priority level
  telnet       Establish one TELNET connection
  tftp         Open TFTP connection
  tracert      Trace route function

# Configure the device to perform no authentication for Telnet users, and to authorize authenticated Telnet users to use level-0 and level-1 commands. (Use no authentication mode only in a secure network environment.)
system-view
[Sysname] user-interface vty 0 15
[Sysname-ui-vty0-15] authentication-mode none
[Sysname-ui-vty0-15] user privilege level 1

# Display the commands a Telnet user can use after login. Because the user privilege level is 1, a Telnet user can use more commands now.
?
User view commands:
  debugging      Enable system debugging functions
  dialer         Dialer disconnect
  display        Display current system information
  ping           Ping function
  quit           Exit from current command view
  refresh        Do soft reset
  reset          Reset operation
  rsh            Establish one RSH connection
  screen-length  Specify the lines displayed on one screen
  send           Send information to other user terminal interface
  ssh2           Establish a secure shell client connection
  super          Set the current user priority level
  telnet         Establish one TELNET connection
  terminal       Set the terminal line characteristics
  tftp           Open TFTP connection
  tracert        Trace route function
  undo           Cancel current setting

# Configure the device to perform password authentication for Telnet users, and to authorize authenticated Telnet users to use the commands of privilege levels 0, 1, and 2.
system-view
[Sysname] user-interface vty 0 15
[Sysname-ui-vty0-15] authentication-mode password
[Sysname-ui-vty0-15] set authentication password simple 123
[Sysname-ui-vty0-15] user privilege level 2

After the configuration is complete, when users Telnet to the device, they must enter the password 123. After passing authentication, they can use commands of levels 0, 1, and 2.
Switching the user privilege level

Users can switch to a different user privilege level without logging out and terminating the current connection. After the privilege level switch, users can continue to manage the device without logging in again, but the commands they can execute have changed. For example, with user privilege level 3, a user can configure system parameters. After switching to user privilege level 0, the user can execute only basic commands like ping and tracert and use a few display commands. The switching operation is effective for the current login. After the user logs in again, the user privilege is restored to the original level.

To avoid problems, HP recommends that administrators log in with a lower privilege level to view switch operating parameters, and switch to a higher level temporarily only when they must maintain the device. When an administrator must leave for a while or ask someone else to manage the device temporarily, they can switch to a lower privilege level before they leave to restrict the operations available to others.

Configuring the authentication parameters for user privilege level switching

A user can switch to a privilege level equal to or lower than the current one unconditionally and is not required to enter a password (if any). For security, a user is required to enter a password (if any) to switch to a higher privilege level. The authentication falls into one of the following categories:

local (local password authentication only, or local-only)
  The device authenticates a user by using the privilege level switching password entered by the user. To use this mode, you must set the password for privilege level switching by using the super password command.
scheme (remote AAA authentication through HWTACACS or RADIUS)
  The device sends the username and password for privilege level switching to the HWTACACS or RADIUS server for remote authentication. To use this mode, you must perform the following configuration tasks:
  • Configure the required HWTACACS or RADIUS schemes and configure the ISP domain to use the schemes for users. For more information, see Security Configuration Guide.
  • Add user accounts and specify the user passwords on the HWTACACS or RADIUS server.
local scheme (local password authentication first and then remote AAA authentication)
  The device authenticates a user by using the local password first. If no password for privilege level switching is set, a user logged in to the AUX user interface is switched directly to the privilege level; for VTY users, AAA authentication is performed.
scheme local (remote AAA authentication first and then local password authentication)
  AAA authentication is performed first, and if the remote HWTACACS or RADIUS server does not respond or the AAA configuration on the device is invalid, local password authentication is performed.

To configure the authentication parameters for a user privilege level:
1. Enter system view.
   Command: system-view
2. Set the authentication mode for user privilege level switching.
   Command: super authentication-mode { local | scheme } *
   Remarks: Optional. By default, local-only authentication is used.
3. Configure the password for a user privilege level.
   Command: super password [ level user-level ] { cipher | simple } password
   Remarks: Required for local authentication. By default, a privilege level has no password. If no user privilege level is specified when you configure the command, the user privilege level defaults to 3. If local-only authentication is used, an AUX user interface user (a user logged in through the console port) can switch to a higher privilege level even if the privilege level has not been assigned a password.

Switching to a higher user privilege level

Before you switch to a higher user privilege level, obtain the required authentication data as described in Table 8. The privilege level switching fails after three consecutive unsuccessful password attempts.

To switch the user privilege level, perform the following task in user view:
• Switch the user privilege level: super [ level ]
  Remarks: When logging in to the device, a user has a user privilege level, which depends on the user interface or the authentication user level.

Table 8 Information required for user privilege level switching

User interface authentication mode: none/password
  Switching authentication mode local
    First authentication mode: password configured on the device with the super password command for the privilege level.
    Second authentication mode: N/A.
  Switching authentication mode local scheme
    First authentication mode: password configured on the device with the super password command for the privilege level.
    Second authentication mode: username and password configured on the AAA server for the privilege level.
  Switching authentication mode scheme
    First authentication mode: username and password for the privilege level.
    Second authentication mode: N/A.
  Switching authentication mode scheme local
    First authentication mode: username and password for the privilege level.
    Second authentication mode: local user privilege level switching password.
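The user-interface login settings from "Configuring a user privilege level" and the super authentication settings from this section, checked by an added Python audit script; this is not HP's code, the configuration excerpt is constructed in the display current-configuration format the page shows, and the checks encode only the defaults and caveats stated above (VTY default is password authentication at level 0, AUX default is no authentication at level 3, super authentication defaults to local-only, and under local or local scheme a console user switches up without a password when none is set).

```python
import re

# Constructed excerpt in display current-configuration form, modelled on the
# page's examples (not a capture from a real device).
SAMPLE_CONFIG = """\
#
 super authentication-mode local
#
user-interface aux 0
user-interface vty 0 15
 authentication-mode none
 user privilege level 2
user-interface vty 16 20
 authentication-mode password
 set authentication password simple 123
 user privilege level 1
#
return
"""
# Defaults the page states: VTY lines use password authentication at level 0;
# the AUX (console) line needs no authentication and gets level 3.
DEFAULTS = {"vty": ("password", 0), "aux": ("none", 3)}
UI_RE = re.compile(r"^user-interface (aux|vty) (\d+)(?: (\d+))?$")
SUPER_PW_RE = re.compile(r"^ ?super password(?: level (\d))? (cipher|simple) \S+$")

def parse_config(text):
    """Return (user-interface blocks, super authentication mode, {level: keyword})."""
    blocks, cur, super_mode, super_pw = [], None, "local", {}  # local-only is the default
    for line in text.splitlines():
        m = UI_RE.match(line)
        if m:
            kind = m.group(1)
            cur = {"name": line, "kind": kind, "auth": DEFAULTS[kind][0],
                   "level": DEFAULTS[kind][1], "plain_pw": False}
            blocks.append(cur)
            continue
        words = line.split()
        if cur is not None and line.startswith(" ") and words:  # line inside a block
            if words[0] == "authentication-mode":
                cur["auth"] = words[1]
            elif words[:3] == ["user", "privilege", "level"]:
                cur["level"] = int(words[3])
            elif words[:3] == ["set", "authentication", "password"]:
                cur["plain_pw"] = words[3] == "simple"
            continue
        cur = None                                               # back in system view
        if words[:2] == ["super", "authentication-mode"]:
            super_mode = " ".join(words[2:])
        m = SUPER_PW_RE.match(line)
        if m:
            super_pw[int(m.group(1) or 3)] = m.group(2)          # level defaults to 3
    return blocks, super_mode, super_pw

def audit(text):
    """Findings a reviewer would raise against login and level-switching settings."""
    blocks, super_mode, super_pw = parse_config(text)
    out = []
    for b in blocks:
        name, lvl = b["name"], b["level"]
        if b["kind"] == "vty" and b["auth"] == "none":
            out.append(f"{name}: authentication-mode none gives every peer level {lvl} with no login")
        if b["kind"] == "vty" and b["auth"] != "scheme" and lvl >= 2:
            out.append(f"{name}: level {lvl} shared by all users of the line; use scheme and assign the level per user")
        if b["plain_pw"]:
            out.append(f"{name}: set authentication password simple keeps the password in clear text; use cipher")
    out += [f"super password level {l} uses simple (clear text); use cipher" for l, k in super_pw.items() if k == "simple"]
    if super_mode.startswith("local") and 3 not in super_pw:
        out.append("no super password for level 3: with local or local scheme, a console user switches to level 3 without a password")
    return out
```

Running audit(SAMPLE_CONFIG) reports four findings; the same excerpt with scheme authentication on vty 0 15, cipher passwords and a level-3 super password reports none.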