HP 5500 Ei 5500 Si Switch Series Configuration Guide
1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter AUX user interface view.
   Command: user-interface aux first-number [ last-number ]
   Remarks: N/A

3. Enable scheme authentication.
   Command: authentication-mode scheme
   Remarks: Whether local, RADIUS, or HWTACACS authentication is adopted depends on the configured AAA scheme. By default, no authentication is performed for modem dial-in users.

4. Enable command authorization.
   Command: command authorization
   Remarks: Optional. By default, command authorization is disabled. The commands available for a user only depend on the user privilege level. If command authorization is enabled, a command is available only if the user has the commensurate user privilege level and is authorized to use the command by the AAA scheme.

5. Enable command accounting.
   Command: command accounting
   Remarks: Optional. By default, command accounting is disabled. The accounting server does not record the commands executed by users. Command accounting allows the HWTACACS server to record all executed commands that are supported by the device, regardless of the command execution result. This function helps control and monitor user behaviors on the device. If command accounting is enabled and command authorization is not enabled, every executed command is recorded on the HWTACACS server. If both command accounting and command authorization are enabled, only the authorized and executed commands are recorded on the HWTACACS server.

6. Exit to system view.
   Command: quit
   Remarks: N/A
7. Apply an AAA authentication scheme to the intended domain.
   Command:
     1. Enter the ISP domain view: domain domain-name
     2. Apply the specified AAA scheme to the domain: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
     3. Exit to system view: quit
   Remarks: Optional. By default, local authentication is used. For local authentication, configure local user accounts. For RADIUS or HWTACACS authentication, configure the RADIUS or HWTACACS scheme on the device and configure authentication settings (including the username and password) on the server. For more information about AAA configuration, see Security Configuration Guide.

8. Create a local user and enter local user view.
   Command: local-user user-name
   Remarks: By default, no local user exists.

9. Set a password for the local user.
   Command: password { cipher | simple } password
   Remarks: By default, no password is set.

10. Specify the command level of the local user.
    Command: authorization-attribute level level
    Remarks: Optional. By default, the command level is 0.

11. Specify terminal service for the local user.
    Command: service-type terminal
    Remarks: By default, no service type is specified.

12. Configure common settings for the AUX user interfaces.
    Command: See Configuring common settings for modem dial-in (optional).
    Remarks: Optional.

The next time you attempt to dial in to the device, you must provide the configured username and password, as shown in Figure 26.
Figure 26 Scheme authentication interface for modem dial-in users

Configuring common settings for modem dial-in (optional)

CAUTION: To avoid packet loss, make sure the speed of the console port is lower than the transmission rate of the modem.

Some common settings configured for an AUX user interface take effect immediately and can interrupt the login session. To save you the trouble of repeated re-logins, use a login method different from AUX login to log in to the device before you change AUX user interface settings.

After the configuration is complete, change the terminal settings on the configuration terminal and make sure they are the same as the settings on the device.

To configure common AUX user interface settings for modem dial-in accesses:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enable copyright information display.
   Command: copyright-info enable
   Remarks: By default, copyright information display is enabled.

3. Enter one or more AUX user interface views.
   Command: user-interface aux first-number [ last-number ]
   Remarks: N/A

4. Configure the baud rate.
   Command: speed speed-value
   Remarks: By default, the baud rate is 9600 bps.

5. Configure the parity check mode.
   Command: parity { even | none | odd }
   Remarks: The default setting is none, namely, no parity check.
6. Configure the number of stop bits.
   Command: stopbits { 1 | 1.5 | 2 }
   Remarks: The default is 1. Stop bits indicate the end of a character. The more the bits, the slower the transmission.

7. Configure the number of data bits in each character.
   Command: databits { 7 | 8 }
   Remarks: By default, the number of data bits in each character is 8. The setting depends on the character coding type. For example, you can set it to 7 if standard ASCII characters are to be sent, and set it to 8 if extended ASCII characters are to be sent.

8. Define a shortcut key for starting a session.
   Command: activation-key character
   Remarks: By default, press Enter to start a session.

9. Define a shortcut key for terminating tasks.
   Command: escape-key { default | character }
   Remarks: By default, press Ctrl+C to terminate a task.

10. Configure the flow control mode.
    Command: flow-control { hardware | none | software }
    Remarks: By default, the flow control mode is none. The device supports only the none mode.

11. Specify the terminal display type.
    Command: terminal type { ansi | vt100 }
    Remarks: By default, the terminal display type is ANSI. The device supports two terminal display types: ANSI and VT100. HP recommends setting the display type to VT100 for both the device and the client. If the device and the client use different display types or both use the ANSI display type, when the total number of characters of a command line exceeds 80, the screen display on the terminal might be abnormal. For example, the cursor might be displayed at a wrong place.

12. Configure the user privilege level for login users.
    Command: user privilege level level
    Remarks: 3 by default.

13. Set the maximum number of lines to be displayed on a screen.
    Command: screen-length screen-length
    Remarks: By default, a screen displays 24 lines at most. A value of 0 disables the function.

14. Set the size of the command history buffer.
    Command: history-command max-size value
    Remarks: By default, the buffer saves 10 history commands at most.
15. Set the idle-timeout timer.
    Command: idle-timeout minutes [ seconds ]
    Remarks: The default idle-timeout is 10 minutes. The system automatically terminates the user's connection if there is no information interaction between the device and the user within the idle-timeout time. Setting idle-timeout to 0 disables the timer.

Displaying and maintaining CLI login

Task: Display information about the user interfaces that are being used.
Command: display users [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display information about all user interfaces the device supports.
Command: display users all [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display user interface information.
Command: display user-interface [ num1 | { aux | vty } num2 ] [ summary ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display the configuration of the device when it serves as a Telnet client.
Command: display telnet client configuration [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Release a user interface.
Command: free user-interface { num1 | { aux | vty } num2 }
Remarks: Available in user view. Multiple users can log in to the system to simultaneously configure the device. You can execute the command to release the connections established on the specified user interfaces. You cannot use this command to release the connection you are using.

Task: Lock the current user interface.
Command: lock
Remarks: Available in user view. By default, the current user interface is not locked.

Task: Send messages to the specified user interfaces.
Command: send { all | num1 | { aux | vty } num2 }
Remarks: Available in user view.
Logging in to the Web interface

The device provides a built-in Web server for you to configure the device through a Web browser. Web login is by default disabled. To enable Web login, log in via the console port, and perform the following configuration tasks:
• Enable HTTP or HTTPS service.
• Configure the IP address of a Layer 3 interface, and make sure the interface and the configuration terminal can reach each other.
• Configure a local user account for Web login.

The device supports HTTP 1.0 and HTTPS for transferring webpage data across the Internet. HTTPS uses SSL to encrypt data between the client and the server for data integrity and security, and is more secure than HTTP. You can define a certificate attribute-based access control policy to allow only legal clients to access the device.

HTTP login and HTTPS login are separate login methods. To use HTTPS login, you do not need to configure HTTP login. Table 17 shows the basic Web login configuration requirements.

Table 17 Basic web login configuration requirements

Object: Device
Requirements: Configure an IP address for a Layer 3 interface. Configure routes to make sure the interface and the PC can reach each other. Perform either or both of the following tasks:
• Configuring HTTP login
• Configuring HTTPS login

Object: PC
Requirements: Install a Web browser. Obtain the IP address of the device's Layer 3 interface.

Configuring HTTP login

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enable the HTTP service.
   Command: ip http enable
   Remarks: By default, HTTP service is enabled.

3. Configure the HTTP service port number.
   Command: ip http port port-number
   Remarks: Optional. The default HTTP service port is 80. If you execute the command multiple times, the last one takes effect.
4. Associate the HTTP service with an ACL.
   Command: ip http acl acl-number
   Remarks: Optional. By default, the HTTP service is not associated with any ACL. Associating the HTTP service with an ACL enables the device to allow only clients permitted by the ACL to access the device.

5. Create a local user and enter local user view.
   Command: local-user user-name
   Remarks: By default, no local user is configured.

6. Configure a password for the local user.
   Command: password { cipher | simple } password
   Remarks: By default, no password is configured for the local user.

7. Specify the command level of the local user.
   Command: authorization-attribute level level
   Remarks: No command level is configured for the local user.

8. Specify the Telnet service type for the local user.
   Command: service-type web
   Remarks: By default, no service type is configured for the local user.

9. Exit to system view.
   Command: quit
   Remarks: N/A

10. Set the DSCP value for IP to use for HTTP packets.
    Command:
      • For IPv4: ip http dscp dscp-value
      • For IPv6: ipv6 http dscp dscp-value
    Remarks: Optional. The default is as follows:
      • 16 for IPv4.
      • 0 for IPv6.

11. Create a VLAN interface and enter its view.
    Command: interface vlan-interface vlan-interface-id
    Remarks: If the VLAN interface already exists, the command enters its view.

12. Assign an IP address and subnet mask to the interface.
    Command: ip address ip-address { mask | mask-length }
    Remarks: By default, no IP address is assigned to the interface.

Configuring HTTPS login

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Associate the HTTPS service with an SSL server policy.
   Command: ip https ssl-server-policy policy-name
   Remarks: By default, the HTTPS service is not associated with any SSL server policy, and the device uses a self-signed certificate for authentication. If you disable the HTTPS service, the system automatically de-associates the HTTPS service from the SSL service policy. Before re-enabling the HTTPS service, associate the HTTPS service with an SSL server policy first. If the HTTPS service has been enabled, any changes to the SSL server policy associated with the HTTP service that is enabled do not take effect.
3. Enable the HTTPS service.
   Command: ip https enable
   Remarks: By default, HTTPS is disabled. Enabling the HTTPS service triggers an SSL handshake negotiation process. During the process, if the local certificate of the device exists, the SSL negotiation succeeds, and the HTTPS service can be started properly. If no local certificate exists, a certificate application process will be triggered by the SSL negotiation. Because the application process takes much time, the SSL negotiation often fails and the HTTPS service cannot be started normally. In that case, execute the ip https enable command multiple times to start the HTTPS service.

4. Associate the HTTPS service with a certificate attribute-based access control policy.
   Command: ip https certificate access-control-policy policy-name
   Remarks: Optional. By default, the HTTPS service is not associated with any certificate-based attribute access control policy. Associating the HTTPS service with a certificate-based attribute access control policy enables the device to control the access rights of clients. You must configure the client-verify enable command in the associated SSL server policy. If not, no clients can log in to the device. The associated SSL server policy must contain at least one permit rule. Otherwise, no clients can log in to the device. For more information about certificate attribute-based access control policies, see Security Configuration Guide.

5. Specify the HTTPS service port number.
   Command: ip https port port-number
   Remarks: Optional. The default HTTPS service port is 443.

6. Associate the HTTPS service with an ACL.
   Command: ip https acl acl-number
   Remarks: By default, the HTTPS service is not associated with any ACL. Associating the HTTPS service with an ACL enables the device to allow only clients permitted by the ACL to access the device.

7. Create a local user and enter local user view.
   Command: local-user user-name
   Remarks: By default, no local user is configured.

8. Configure a password for the local user.
   Command: password { cipher | simple } password
   Remarks: By default, no password is configured for the local user.

9. Specify the command level of the local user.
   Command: authorization-attribute level level
   Remarks: By default, no command level is configured for the local user.
10. Specify the Web service type for the local user.
    Command: service-type web
    Remarks: By default, no service type is configured for the local user.

11. Exit to system view.
    Command: quit
    Remarks: N/A

12. Create a VLAN interface and enter its view.
    Command: interface vlan-interface vlan-interface-id
    Remarks: If the VLAN interface already exists, the command enters its view. You could replace this VLAN interface with any other Layer 3 interface as appropriate.

13. Assign an IP address and subnet mask to the interface.
    Command: ip address ip-address { mask | mask-length }
    Remarks: By default, no IP address is assigned to the interface.

For more information about SSL and PKI, see Security Configuration Guide.

Displaying and maintaining Web login

Task: Display information about Web users.
Command: display web users [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view

Task: Display HTTP state information.
Command: display ip http [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view

Task: Display HTTPS state information.
Command: display ip https [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view

HTTP login configuration example

Network requirements

As shown in Figure 27, configure the device to allow the PC to log in over the IP network by using HTTP.

Figure 27 Network diagram

Configuration procedure

1. Configure the device:

# Create VLAN 999, and add GigabitEthernet 1/0/1 (the interface connected to the PC) to VLAN 999.
<Sysname> system-view
[Sysname] vlan 999
[Sysname-vlan999] port GigabitEthernet 1/0/1
[Sysname-vlan999] quit

# Assign the IP address 192.168.0.58 and the subnet mask 255.255.255.0 to VLAN-interface 999.
[Sysname] interface vlan-interface 999
[Sysname-VLAN-interface999] ip address 192.168.0.58 255.255.255.0
[Sysname-VLAN-interface999] quit

# Create a local user named admin, and set the password to admin for the user. Specify the Web service type for the local user, and set the command level to 3 for this user.
[Sysname] local-user admin
[Sysname-luser-admin] service-type web
[Sysname-luser-admin] authorization-attribute level 3
[Sysname-luser-admin] password simple admin

2. Verify the configuration:

# On the PC, run the Web browser. Enter the IP address of the device in the address bar. The Web login page appears, as shown in Figure 28.

Figure 28 Web login page

# Enter the user name, password, and verify code, select English, and click Login. The homepage appears. After login, you can configure device settings through the Web interface.
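
The defaults stated in the AUX dial-in and Web login tables above (scheme authentication off unless configured, idle-timeout 0 disabling the timer, HTTP service enabled and HTTPS disabled by default) can be checked mechanically against a configuration listing, along with the admin/admin simple password from the HTTP login example. The Python audit below is an added example, not code from the HP guide. The listing layout, the sample text, and the function names are assumptions, and undo ip http enable is the undo form of the command shown in the HTTP table.

```python
# Constructed sample. Assumed layout: view header at column 0, commands indented, "#" between views.
SAMPLE = """\
 ip http acl 2000
#
local-user admin
 password simple admin
 service-type web
#
user-interface aux 0
 idle-timeout 0 0
#
user-interface aux 1
 authentication-mode scheme
"""

def parse_views(text):
    """Return {view header: [commands]}; key '' holds system-view commands."""
    views, cur = {"": []}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#"):
            cur = ""                       # separator: back to system view
        elif raw[0] != " ":
            cur = line                     # a column-0 line opens a view
            views.setdefault(cur, [])
        else:
            views[cur].append(line)
    return views

def audit(text):
    """Flag login settings that the defaults stated in the guide leave weak."""
    views, out = parse_views(text), []
    sysv = views.pop("")
    if "undo ip http enable" not in sysv:       # HTTP service is on by default
        acl = any(c.startswith("ip http acl ") for c in sysv)
        out.append("http: enabled, " + ("ACL applied" if acl else "no ACL"))
    if "ip https enable" not in sysv:           # HTTPS is off by default
        out.append("https: not enabled")
    for view, cmds in views.items():
        words = view.split()
        simple = [c.split()[2] for c in cmds if c.startswith("password simple ")]
        if words[0] == "local-user" and simple:
            same = ", equal to the user name" if words[1] in simple else ""
            out.append(f"{words[1]}: simple-form password{same}")
        if words[:2] == ["user-interface", "aux"]:
            if "authentication-mode scheme" not in cmds:
                out.append(f"{view}: scheme authentication not enabled")
            if {"idle-timeout 0", "idle-timeout 0 0"} & set(cmds):
                out.append(f"{view}: idle-timeout timer disabled")
    return out
```

Calling audit(SAMPLE) returns one finding per weak setting; a listing with HTTP disabled, HTTPS enabled, cipher passwords, and scheme authentication on every AUX interface returns an empty list.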