
HP 5500 Ei 5500 Si Switch Series Configuration Guide

Step Command Remarks
11. Specify a command to be automatically executed when a user logs in to the user interfaces.
   Command: auto-execute command command
   Remarks: Optional. By default, no automatically executed command is specified. The command auto-execute function is typically used for redirecting a Telnet user to a specific host. After executing the specified command and performing the incurred task, the system automatically disconnects the Telnet session.
     
Using the device to log in to a Telnet server
You can use the device as a Telnet client to log in to a Telnet server. If the server is located in a different subnet than the device, make sure the two devices have routes to reach each other.
Figure 16 Telnetting from the device to a Telnet server
To use the device to log in to a Telnet server:
Step Command Remarks
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Specify a source IPv4 address or source interface for outgoing Telnet packets.
   Command: telnet client source { interface interface-type interface-number | ip ip-address }
   Remarks: Optional. By default, no source IPv4 address or source interface is specified, and the IP address of the outbound interface is used as the source IPv4 address.
3. Exit to user view.
   Command: quit
   Remarks: N/A
4. Use the device to log in to a Telnet server.
   Command (use either):
   • Log in to an IPv4 Telnet server: telnet remote-host [ service-port ] [ [ vpn-instance vpn-instance-name ] | [ source { interface interface-type interface-number | ip ip-address } ] ]
   • Log in to an IPv6 Telnet server: telnet ipv6 remote-host [ -i interface-type interface-number ] [ port-number ] [ vpn-instance vpn-instance-name ]
   Remarks: The vpn-instance vpn-instance-name option is only available on the HP 5500-EI switches.

Setting the DSCP value for IP to use for outgoing Telnet packets
Step Command Remarks
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Set the DSCP value for IP to use for outgoing Telnet packets.
   Command:
   • On a Telnet client running IPv4: telnet client dscp dscp-value
   • On a Telnet client running IPv6: telnet client ipv6 dscp dscp-value
   • On a Telnet server running IPv4: telnet server dscp dscp-value
   • On a Telnet server running IPv6: telnet server ipv6 dscp dscp-value
   Remarks: The default is as follows:
   • 16 for a Telnet client running IPv4.
   • 0 for a Telnet client running IPv6.
   • 48 for a Telnet server running IPv4.
   • 0 for a Telnet server running IPv6.
     
Logging in through SSH
SSH offers a secure approach to remote login. By providing encryption and strong authentication, it protects devices against attacks such as IP spoofing and plaintext password interception. You can log in to the device working as an SSH server for remote management, as shown in Figure 17. You can also use the device as an SSH client to log in to an SSH server.
Figure 17 SSH login diagram

Table 15 shows the SSH server and client configuration required for a successful SSH login.
Table 15 SSH server and client requirements
Device role: SSH server
   Requirements: Assign an IP address to a Layer 3 interface, and make sure the interface and the client can reach each other. Configure the authentication mode and other settings.
Device role: SSH client
   Requirements: If the host operates as an SSH client, run the SSH client program on the host. Obtain the IP address of the Layer 3 interface on the server.
     
To control SSH access to the device working as an SSH server, configure authentication and user privilege level for SSH users.
By default, password authentication is adopted for SSH login, but no login password is configured. To allow SSH access to the device after you enable the SSH server, you must configure a password.
Configuring the SSH server on the device
Follow these guidelines when you configure the SSH server:
• To make the command authorization or command accounting function take effect, apply an HWTACACS scheme to the intended ISP domain. This scheme must specify the IP address of the authorization server and other authorization parameters.
• If the local authentication scheme is used, use the authorization-attribute level level command in local user view to set the user privilege level on the device.
• If a RADIUS or HWTACACS authentication scheme is used, set the user privilege level on the RADIUS or HWTACACS server.
The SSH client authentication method is password in this configuration procedure. For more information about SSH and publickey authentication, see Security Configuration Guide.
To configure the SSH server on the device:
Step Command Remarks
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create local key pairs.
   Command: public-key local create { dsa | rsa }
   Remarks: By default, no local key pairs are created.
3. Enable SSH server.
   Command: ssh server enable
   Remarks: By default, SSH server is disabled.
4. Enter one or more VTY user interface views.
   Command: user-interface vty first-number [ last-number ]
   Remarks: N/A
5. Enable scheme authentication.
   Command: authentication-mode scheme
   Remarks: By default, password authentication is enabled on VTY user interfaces.
6. Enable the user interfaces to support Telnet, SSH, or both of them.
   Command: protocol inbound { all | ssh | telnet }
   Remarks: Optional. By default, both Telnet and SSH are supported.
7. Enable command authorization.
   Command: command authorization
   Remarks: Optional. By default, command authorization is disabled. The commands available for a user only depend on the user privilege level. If command authorization is enabled, a command is available only if the user has the commensurate user privilege level and is authorized to use the command by the AAA scheme.
8. Enable command accounting.
   Command: command accounting
   Remarks: Optional. By default, command accounting is disabled. The accounting server does not record the commands executed by users. Command accounting allows the HWTACACS server to record all executed commands that are supported by the device, regardless of the command execution result. This function helps control and monitor user behaviors on the device. If command accounting is enabled and command authorization is not enabled, every executed command is recorded on the HWTACACS server. If both command accounting and command authorization are enabled, only the authorized and executed commands are recorded on the HWTACACS server.
9. Exit to system view.
   Command: quit
   Remarks: N/A
10. Apply an AAA authentication scheme to the intended domain.
   Command:
   1. Enter the ISP domain view: domain domain-name
   2. Apply the specified AAA scheme to the domain: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
   3. Exit to system view: quit
   Remarks: Optional. For local authentication, configure local user accounts. For RADIUS or HWTACACS authentication, configure the RADIUS or HWTACACS scheme on the device and configure authentication settings (including the username and password) on the server. For more information about AAA configuration, see Security Configuration Guide.
11. Create a local user and enter local user view.
   Command: local-user user-name
   Remarks: By default, no local user exists.
12. Set a password for the local user.
   Command: password { cipher | simple } password
   Remarks: By default, no password is set.
13. Specify the command level of the user.
   Command: authorization-attribute level level
   Remarks: Optional. By default, the command level is 0.
14. Specify SSH service for the user.
   Command: service-type ssh
   Remarks: By default, no service type is specified.
15. Exit to system view.
   Command: quit
   Remarks: N/A
16. Create an SSH user, and specify the authentication mode for the SSH user.
   Command: ssh user username service-type stelnet authentication-type { password | { any | password-publickey | publickey } assign publickey keyname }
   Remarks: By default, no SSH user is created.
17. Configure common settings for VTY user interfaces.
   Command: See Configuring common settings for VTY user interfaces (optional).
   Remarks: Optional.

Using the device as an SSH client to log in to the SSH server
You can use the device as an SSH client to log in to an SSH server. If the server is located in a different subnet than the device, make sure the two devices have routes to reach each other.
Figure 18 Logging in to an SSH server from the device

To use the device as an SSH client to log in to an SSH server, perform the following tasks in user view:
Task Command Remarks
Log in to an IPv4 SSH server.
   Command: ssh2 server
   Remarks: The server argument represents the IPv4 address or host name of the server.
Log in to an IPv6 SSH server.
   Command: ssh2 ipv6 server
   Remarks: The server argument represents the IPv6 address or host name of the server.

To work with the SSH server, you might need to configure the SSH client. For information about configuring the SSH client, see Security Configuration Guide.
Modem dial-in through the console port
You can use a pair of modems to remotely connect to a device through its console port over the PSTN when the IP network connection is broken. To do so, make sure the dial-in connection, the device, and the modems are correctly set up.
By default, you can log in to the device through modems without authentication, and have user privilege level 3. To improve device security, configure AUX login authentication.
The following are the authentication modes available for modem dial-in through the console port:
• None — Requires no authentication and is insecure.
• Password — Requires a password for accessing the CLI. If your password was lost, log in to the device through the console port to modify the password.
• Scheme — Uses the AAA module to provide local or remote authentication. If your username or password was lost, log in to the device through the console port to modify the setting. If the username or password configured on a remote server was lost, contact the server administrator for help.

Table 16 Configuration required for different modem login authentication modes
Authentication mode: None
   Configuration task: Set the authentication mode to none for the AUX user interface.
   Reference: Configuring none authentication for modem dial-in
Authentication mode: Password
   Configuration task: Enable password authentication on the AUX user interface. Set a password.
   Reference: Configuring password authentication for modem dial-in
Authentication mode: Scheme
   Configuration task: Enable scheme authentication on the AUX user interface. Configure local or remote authentication settings.
   To configure local authentication:
   1. Configure a local user and specify the password.
   2. Configure the device to use local authentication.
   To configure remote authentication:
   3. Configure the RADIUS or HWTACACS scheme on the device.
   4. Configure the username and password on the AAA server.
   5. Configure the device to use the scheme for user authentication.
   Reference: Configuring scheme authentication for modem dial-in

Setting up the configuration environment
Set up a configuration environment as shown in Figure 19:
1. Connect the serial port of the PC to a modem and the console port of the device to a modem.
2. Connect each modem to the PSTN through a telephone cable.
3. Obtain the telephone number of the modem connected to the device.
Figure 19 Connecting the PC to the device through modems

4. Perform the following configurations on the modem directly connected to the device:
   - AT&F — Restores the factory default.
   - ATS0=1 — Configures auto-answer on first ring.
   - AT&D — Ignores Data Terminal Ready signals.
   - AT&K0 — Disables local flow control.
   - AT&R1 — Ignores Data Flow Control signals.
   - AT&S0 — Forces DSR to remain on.
   - ATEQ1&W — Disables the modem from returning command responses and execution results.
   To verify your configuration, enter AT&V to display the configuration results.

NOTE:
The configuration commands and output vary by modem. For more information, see the modem user guide.

5. To avoid data loss, verify that the speed of the console port is lower than the transmission rate of the modem, and the default parity check, stop bits, and data bits settings are used.
6. Launch the terminal emulation program and create a connection by using the telephone number of the modem connected to the device.
Figure 20 to Figure 23 show the configuration procedure in Windows XP HyperTerminal.
Figure 20 Creating a connection

Figure 21 Configuring the dialing parameters

NOTE:
On Windows Server 2003, you must add the HyperTerminal program first, and then log in to and manage the device as described in this document. On Windows Server 2008, Windows 7, Windows Vista, or some other operating system, obtain a third-party terminal control program first, and follow the user guide or online help of that program to log in to the device.

7. Dial the telephone number to establish a connection to the device.
Figure 22 Dialing the number

The character string CONNECT9600 is displayed on the terminal.
8. Press Enter as prompted.
Figure 23 Configuration page

9. At the default user view prompt, enter commands to configure the device or view the running status of the device. To get help, enter ?.

To disconnect the PC from the device, execute the ATH command in the HyperTerminal. If the command cannot be entered, type AT+++ and then press Enter. When the word OK appears, execute the ATH command. The connection is terminated if OK is displayed. You can also terminate the connection by clicking the disconnect icon in the HyperTerminal window.

IMPORTANT:
Do not directly close the HyperTerminal. Doing so can cause some modems to stay in use, and your subsequent dial-in attempts will always fail.

Configuring none authentication for modem dial-in
Step Command Remarks
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter one or more AUX user interface views.
   Command: user-interface aux first-number [ last-number ]
   Remarks: N/A
3. Enable the none authentication mode.
   Command: authentication-mode none
   Remarks: By default, modem users can dial in to the device without authentication.
4. Configure common settings for the AUX user interfaces.
   Command: See Configuring common settings for modem dial-in (optional).
   Remarks: Optional.

The next time you attempt to dial in to the device, you do not need to provide any username or password, as shown in Figure 24.
Figure 24 Dialing in to the device without any authentication

Configuring password authentication for modem dial-in
Step Command Remarks
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter one or more AUX user interface views.
   Command: user-interface aux first-number [ last-number ]
   Remarks: N/A
3. Enable password authentication.
   Command: authentication-mode password
   Remarks: By default, no authentication is performed for modem dial-in users.
4. Set a password.
   Command: set authentication password { cipher | simple } password
   Remarks: By default, no password is set.
5. Configure common settings for the AUX user interfaces.
   Command: For more information, see Configuring common settings for modem dial-in (optional).
   Remarks: Optional.

The next time you attempt to dial in to the device, you must provide the configured login password, as shown in Figure 25.
Figure 25 Password authentication interface for modem dial-in users
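As an added example, not part of the HP guide, the script below reads a Comware-style configuration and flags the weak states this guide describes: the SSH server left disabled, VTY user interfaces still accepting Telnet or not using scheme authentication, a local-user password stored with simple, and AUX (modem dial-in) user interfaces left at the default none authentication. The sample configuration is constructed from the commands in the SSH server and modem dial-in procedures above, with a placeholder in place of a real ciphertext.

```python
import re
from typing import Dict, List

# Constructed sample of a running configuration, assembled from the commands in
# this guide's SSH server and modem dial-in procedures (not captured from a switch).
SAMPLE_CONFIG = """\
 ssh server enable
local-user admin
 password cipher PLACEHOLDER_CIPHERTEXT
 authorization-attribute level 3
 service-type ssh
ssh user admin service-type stelnet authentication-type password
user-interface aux 0
 authentication-mode none
user-interface vty 0 4
 authentication-mode scheme
 protocol inbound all
"""

def user_interface_views(config: str) -> Dict[str, List[str]]:
    """Map each 'user-interface ...' line to the indented commands under it."""
    views: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("user-interface "):
            current = line.strip()
            views[current] = []
        elif line.startswith(" ") and current is not None:
            views[current].append(line.strip())
        else:
            current = None  # a separator or another top-level view ends the block
    return views

def audit(config: str) -> List[str]:
    """Flag settings this guide describes as insecure or as risky defaults."""
    findings: List[str] = []
    if not re.search(r"^\s*ssh server enable\s*$", config, re.M):
        findings.append("SSH server is not enabled (disabled by default)")
    if re.search(r"^\s*password simple ", config, re.M):
        findings.append("a local-user password is stored in plaintext (simple)")
    for view, cmds in user_interface_views(config).items():
        modes = [c.split()[1] for c in cmds if c.startswith("authentication-mode ")]
        mode = modes[-1] if modes else None  # None means the view's default applies
        if view.startswith("user-interface aux") and mode in (None, "none"):
            findings.append(f"{view}: modem dial-in users are not authenticated")
        if view.startswith("user-interface vty"):
            if mode != "scheme":
                findings.append(f"{view}: authentication-mode is not scheme")
            inbound = [c.split()[2] for c in cmds if c.startswith("protocol inbound ")]
            if not inbound or inbound[-1] != "ssh":
                findings.append(f"{view}: Telnet is still accepted (protocol inbound)")
    return findings
```

Running audit(SAMPLE_CONFIG) reports the AUX interface with none authentication and the VTY interfaces that still accept Telnet; changing those two lines to authentication-mode scheme and protocol inbound ssh clears both findings.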
     
     
Configuring scheme authentication for modem dial-in
Follow these guidelines when you configure scheme authentication for AUX login:
• To make the command authorization or command accounting function take effect, apply an HWTACACS scheme to the intended ISP domain. This scheme must specify the IP address of the authorization server and other authorization parameters.
• If the local authentication scheme is used, use the authorization-attribute level level command in local user view to set the user privilege level on the device.
• If a RADIUS or HWTACACS authentication scheme is used, set the user privilege level on the RADIUS or HWTACACS server.
To configure scheme authentication for modem dial-in users: