HP 5500 Ei 5500 Si Switch Series Configuration Guide
Configuration procedure

# Create ACL 2000, and configure rule 1 to permit packets sourced from Host B, and rule 2 to permit packets sourced from Host A.
system-view
[Sysname] acl number 2000 match-order config
[Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[Sysname-acl-basic-2000] rule 2 permit source 10.110.100.46 0
[Sysname-acl-basic-2000] quit

# Associate the ACL with the SNMP community and the SNMP group.
[Sysname] snmp-agent community read aaa acl 2000
[Sysname] snmp-agent group v2c groupa acl 2000
[Sysname] snmp-agent usm-user v2c usera groupa acl 2000

Configuring Web login control

Use a basic ACL (2000 to 2999) to filter HTTP traffic by source IP address for Web login control. To access the device, a Web user must use an IP address permitted by the ACL. You can also log off suspicious Web users who are already logged in.

Configuring source IP-based Web login control

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Create a basic ACL and enter its view, or enter the view of an existing basic ACL.
  Command: acl [ ipv6 ] number acl-number [ match-order { config | auto } ]
  Remarks: By default, no basic ACL exists.
Step 3. Create rules for this ACL.
  Command: rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } | time-range time-name | fragment | logging ]*
  Remarks: N/A
Step 4. Exit the basic ACL view.
  Command: quit
  Remarks: N/A
Step 5. Associate the HTTP service with the ACL.
  Command: ip http acl acl-number
  Remarks: N/A

Logging off online Web users

Task: Log off online Web users.
  Command: free web-users { all | user-id user-id | user-name user-name }
  Remarks: Available in user interface view

Web login control configuration example

Network requirements

As shown in Figure 36, configure the device to allow only Web users from Host B to access it.
Figure 36 Network diagram

Configuration procedure

# Create ACL 2000, and configure rule 1 to permit packets sourced from Host B.
system-view
[Sysname] acl number 2030 match-order config
[Sysname-acl-basic-2030] rule 1 permit source 10.110.100.52 0

# Associate the ACL with the HTTP service so that only Web users from Host B are allowed to access the device.
[Sysname] ip http acl 2030
Configuring FTP

File Transfer Protocol (FTP) is an application layer protocol based on the client/server model. It is used to transfer files from one host to another over a TCP/IP network. The FTP server uses TCP port 20 to transfer data and TCP port 21 to transfer control commands. For more information about FTP, see RFC 959.

FTP supports the following transfer modes:
• Binary mode—Used to transfer image files, such as .app and .bin files.
• ASCII mode—Used to transfer text files, such as .txt, .bat, and .cfg files.

FTP can operate in either of the following modes:
• Active mode (PORT)—The FTP server initiates the TCP data connection. This mode is not suitable when the FTP client is behind a firewall (for example, when the FTP client resides in a private network).
• Passive mode (PASV)—The FTP client initiates the TCP data connection. This mode is not suitable when the server does not allow the client to use a random unprivileged port greater than 1024.

The FTP operation mode varies depending on the FTP client program.

The device can act as the FTP client or FTP server:

Figure 37 FTP application scenario

Using the device as an FTP client

To connect to an FTP server or enter FTP client view, make sure the following requirements are met:
• You have level-3 (Manage) user privileges on the device. In FTP client view, whether a directory or file management command can be successfully executed depends on the authorization set on the FTP server.
• The device and the FTP server can reach each other.
• You have a user account (including the username, password, and authorization) on the FTP server. If the FTP server supports anonymous FTP, you can directly access the FTP server without a username and password.

Establishing an FTP connection

To access an FTP server, use the ftp command in user view or use the open command in FTP client view to establish a connection to the FTP server.
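The active/passive distinction above comes down to which side opens the data connection and which port it uses; in passive mode the server announces the data endpoint in a 227 reply. The Python script below is an added example, not part of the HP guide, that parses the server replies of an FTP control session as defined in RFC 959, decodes a 227 Entering Passive Mode reply into the host and data port the client will connect to, and checks that the advertised endpoint is the server the client is already talking to and that the port is an unprivileged port above 1024, which is the constraint the passive-mode caveat refers to. The transcript is constructed for this example, modelled on the server replies shown in the FTP client configuration example later in this chapter.

```python
import re
from typing import Dict, List, Tuple

# Added illustration, not HP code. Constructed control-connection transcript,
# modelled on the server replies in the FTP client example of this chapter.
SESSION = """\
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
331 Give me your password, please
230 Logged in successfully
200 Type set to I.
227 Entering Passive Mode (10,1,1,1,4,2).
125 ASCII mode data connection already open, transfer starting for /config.cfg.
226 Transfer complete.
221 Server closing.
"""

# RFC 959 reply: three-digit code, then a space (or '-' on a multi-line reply).
REPLY_RE = re.compile(r"^(\d{3})[ -](.*)$")
# PASV endpoint: (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

REPLY_CLASSES = {1: "positive preliminary", 2: "positive completion",
                 3: "positive intermediate", 4: "transient negative",
                 5: "permanent negative"}


def reply_class(code: int) -> str:
    """First digit of the reply code gives its class (RFC 959 section 4.2)."""
    return REPLY_CLASSES.get(code // 100, "unknown")


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Decode a 227 reply: host is h1.h2.h3.h4, port is p1 * 256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"no PASV address tuple in reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(not 0 <= f <= 255 for f in fields):
        raise ValueError(f"PASV field out of byte range: {reply!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_session(text: str) -> List[Dict]:
    """Turn the server side of a transcript into a list of reply events."""
    events = []
    for line in text.splitlines():
        m = REPLY_RE.match(line)
        if not m:
            continue  # client input and progress lines are not replies
        code, message = int(m.group(1)), m.group(2)
        event = {"code": code, "class": reply_class(code), "message": message}
        if code == 227:
            event["data_host"], event["data_port"] = parse_pasv(message)
        events.append(event)
    return events


def pasv_endpoints_sane(events: List[Dict], control_host: str) -> bool:
    """Every passive data endpoint must point back at the server the client is
    talking to (a different host usually means a broken NAT or a server that
    should not be trusted) and must use an unprivileged port above 1024."""
    pasv = [e for e in events if e["code"] == 227]
    return all(e["data_host"] == control_host and e["data_port"] > 1024 for e in pasv)


def login_outcome(events: List[Dict]) -> str:
    """'ok' when the server answered with 230, 'failed' on a 530 (not logged in),
    'unknown' if neither reply appears."""
    codes = [e["code"] for e in events]
    if 230 in codes:
        return "ok"
    if 530 in codes:
        return "failed"
    return "unknown"


if __name__ == "__main__":
    evs = parse_session(SESSION)
    for e in evs:
        print(e["code"], e["class"], e.get("data_host", ""), e.get("data_port", ""))
    print("login:", login_outcome(evs), "| PASV endpoints sane:",
          pasv_endpoints_sane(evs, "10.1.1.1"))
```

The 227 reply in the transcript decodes to 10.1.1.1 port 1026 (4 * 256 + 2), which is exactly the kind of dynamic port a firewall between client and server must permit for passive mode to work. Note also that the 331/230 exchange carries the username and password unencrypted on the control connection; that is a property of FTP itself, which is why the login-control ACLs earlier in this guide matter.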
You can use the ftp client source command to specify a source IP address or source interface for the FTP packets sent by the device. If a source interface (typically a loopback interface) is specified, its primary IP address is used as the source IP address for the FTP packets sent by the device. The source interface setting and the source IP address setting overwrite each other.
The ftp client source command setting applies to all FTP sessions. When you set up an FTP session by using the ftp or ftp ipv6 command, you can also specify a different source IP address for that session.

IMPORTANT: To avoid FTP connection failures, when you specify a source interface for FTP packets, make sure that the interface has been assigned a primary IP address.

To establish an IPv4 FTP connection:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Specify a source IP address for outgoing FTP packets.
  Command: ftp client source { interface interface-type interface-number | ip source-ip-address }
  Remarks: Optional. By default, the primary IP address of the output interface is used as the source IP address.
Step 3. Return to user view.
  Command: quit
  Remarks: N/A
Step 4. Log in to the FTP server.
  Command:
  • (Approach 1) Log in to the FTP server in user view:
    ftp [ server-address [ service-port ] [ vpn-instance vpn-instance-name ] [ source { interface interface-type interface-number | ip source-ip-address } ] ]
  • (Approach 2) Log in to the FTP server in FTP client view:
    a. ftp
    b. open server-address [ service-port ]
  Remarks: Use either approach. Only HP 5500-EI switches support the vpn-instance vpn-instance-name option.

To establish an IPv6 FTP connection, perform one of the following tasks:

Task: Log in to the FTP server from user view.
  Command: ftp ipv6 [ server-address [ service-port ] [ vpn-instance vpn-instance-name ] [ source ipv6 source-ipv6-address ] [ -i interface-type interface-number ] ]
  Remarks: Only HP 5500-EI switches support the vpn-instance vpn-instance-name option.
Task: Log in to the FTP server from FTP client view.
  Command:
    1. ftp ipv6
    2. open ipv6 server-address [ service-port ] [ -i interface-type interface-number ]

Setting the DSCP value for IP to use for outgoing FTP packets

You can set the DSCP value for IPv4 or IPv6 to use for outgoing FTP packets on an FTP client, so that transit devices forward the outgoing FTP packets according to that priority.
To set the DSCP value for IP to use for outgoing FTP packets:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Set the DSCP value for IP to use for outgoing FTP packets.
  Command:
  • For IPv4: ftp client dscp dscp-value
  • For IPv6: ftp client ipv6 dscp dscp-value
  Remarks: The default is 0, whether the FTP client is running IPv4 or IPv6.

Managing directories on the FTP server

After the device establishes a connection to an FTP server, you can create or delete folders in the authorized directory on the FTP server.

To manage the directories on the FTP server:

Task: Display detailed information about files and directories under the current directory on the FTP server.
  Command: dir [ remotefile [ localfile ] ]
Task: Query a directory or file on the FTP server.
  Command: ls [ remotefile [ localfile ] ]
Task: Change the working directory on the FTP server.
  Command: cd { directory | .. | / }
Task: Return to the upper level directory on the FTP server.
  Command: cdup
Task: Display the current directory on the FTP server.
  Command: pwd
Task: Create a directory on the FTP server.
  Command: mkdir directory
Task: Remove the specified working directory on the FTP server.
  Command: rmdir directory

Working with the files on the FTP server

After you log in to the server, you can upload a file to or download a file from the authorized directory by following these steps:
1. Use the dir or ls command to display the directory and the location of the file on the FTP server.
2. Delete unused files to get more free storage space.
3. Set the file transfer mode. FTP transmits files in two modes: ASCII and binary. Use ASCII mode to transfer text files. Use binary mode to transfer image files.
4. Use the lcd command to display the local working directory of the FTP client. You can upload the file from, or save the downloaded file in, this directory.
5. Upload or download the file.

To work with the files on the FTP server:

Task: Display detailed information about a directory or file on the FTP server.
  Command: dir [ remotefile [ localfile ] ]
  Remarks: The ls command displays the name of a directory or file only, while the dir command displays detailed information such as the file size and creation time.
Task: Query a directory or file on the FTP server.
  Command: ls [ remotefile [ localfile ] ]
  Remarks: The ls command displays the name of a directory or file only, while the dir command displays detailed information such as the file size and creation time.
Task: Delete the specified file on the FTP server permanently.
  Command: delete remotefile
  Remarks: N/A
Task: Set the file transfer mode to ASCII.
  Command: ascii
  Remarks: By default, ASCII mode is used.
Task: Set the file transfer mode to binary.
  Command: binary
  Remarks: By default, ASCII mode is used.
Task: Set the FTP operation mode to passive.
  Command: passive
  Remarks: By default, passive mode is used.
Task: Display the local working directory of the FTP client.
  Command: lcd
  Remarks: N/A
Task: Upload a file to the FTP server.
  Command: put localfile [ remotefile ]
  Remarks: N/A
Task: Download a file from the FTP server.
  Command: get remotefile [ localfile ]
  Remarks: N/A

Switching to another user account

After you log in to the FTP server with one user account, you can switch to another user account to get a different privilege without reestablishing the FTP connection. You must correctly enter the new username and password. A wrong username or password can cause the FTP connection to disconnect.

To switch to another user account:

Task: Change the username after FTP login.
  Command: user username [ password ]

Maintaining and troubleshooting the FTP connection

Task: Display the help information of FTP-related commands on the FTP server.
  Command: remotehelp [ protocol-command ]
  Remarks: N/A
Task: Enable displaying detailed prompt information received from the server.
  Command: verbose
  Remarks: Enabled by default.
Task: Enable FTP-related debugging when the device acts as the FTP client.
  Command: debugging
  Remarks: Disabled by default.

Terminating the FTP connection

To terminate an FTP connection, perform one of the following tasks:
Task: Terminate the FTP connection without exiting FTP client view.
  Command: disconnect, or close
  Remarks: Use either command in FTP client view.
Task: Terminate the FTP connection and return to user view.
  Command: bye, or quit
  Remarks: Use either command in FTP client view.

FTP client configuration example

Network requirements

As shown in Figure 38, the IRF fabric that comprises two member devices acts as the FTP client and the PC acts as the FTP server. The IRF fabric and the PC can reach each other. An account with the username abc and password abc is already configured on the FTP server.

Log in to the FTP server from the FTP client, download the file newest.bin from the FTP server to the FTP client, and upload the configuration file config.cfg from the FTP client to the FTP server for backup.

Figure 38 Network diagram

Configuration procedure

# Examine the storage medium of the device for insufficiency or impairment. If no sufficient free space is available, use the delete/unreserved file-url command to delete unused files. (Details not shown.)

# Log in to the server at 10.1.1.1 through FTP.
ftp 10.1.1.1
Trying 10.1.1.1 ...
Connected to 10.1.1.1.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
User(10.1.1.1:(none)):abc
331 Give me your password, please
Password:
230 Logged in successfully

# Set the file transfer mode to binary.
[ftp] binary
200 Type set to I.

# Download the system software image file newest.bin from the PC to the IRF fabric.
• Download the file newest.bin from the PC to the Flash root directory of the master device.
[ftp] get newest.bin
• Download the file newest.bin from the PC to the Flash root directory of the subordinate device (with member ID of 2).
[ftp] get newest.bin slot2#flash:/newest.bin

# Set the transfer mode to ASCII and upload the configuration file config.cfg from the IRF fabric to the PC for backup.
[ftp] ascii
[ftp] put config.cfg back-config.cfg
227 Entering Passive Mode (10,1,1,1,4,2).
125 ASCII mode data connection already open, transfer starting for /config.cfg.
226 Transfer complete.
FTP: 3494 byte(s) sent in 5.646 second(s), 618.00 byte(s)/sec.
[ftp] bye
221 Server closing.

# Specify newest.bin as the main system software image file for the next startup of all member devices.
boot-loader file newest.bin slot all main
This command will set the boot file of the specified board. Continue? [Y/N]:y
The specified file will be used as the main boot file at the next reboot on slot 1!
The specified file will be used as the main boot file at the next reboot on slot 2!

IMPORTANT: The system software image file used for the next startup must be saved in the Flash root directory. You can copy or move a file to the Flash root directory.

# Reboot the device. The system software image file is updated at the system reboot.
reboot

Using the device as an FTP server

If the device is operating as an FTP server, make sure the following requirements are met to ensure successful FTP operations:
• The device and the FTP server can reach each other.
• Configure a user account (including the username, password, and authorization) on the device or on a remote authentication server for each FTP user. This task is required because the device does not support anonymous FTP for security reasons. By default, authenticated users can access the root directory of the device.
• The FTP user provides the correct username and password.

NOTE: When you use the Internet Explorer browser to log in to the device operating as an FTP server, some FTP functions are not available. This is because multiple connections are required during the login process but the device supports only one connection at a time.

Configuring basic parameters

The FTP server uses one of the following modes to update a file when you upload the file (use the put command) to the FTP server:
• Fast mode—The FTP server starts writing data to the Flash only after the whole file has been transferred to memory. This prevents the existing file on the FTP server from being corrupted if an anomaly, such as a power failure, occurs during the file transfer.
• Normal mode—The FTP server writes data to the Flash while receiving data. This means that any anomaly, such as a power failure, during the file transfer might result in file corruption on the FTP server. This mode, however, consumes less memory space than fast mode.

To configure basic parameters for the FTP server:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enable the FTP server.
  Command: ftp server enable
  Remarks: By default, the FTP server is disabled.
Step 3. Set the DSCP value for IPv4 to use for outgoing FTP packets.
  Command: ftp server dscp dscp-value
  Remarks: Optional. The default is 0.
Step 4. Use an ACL to control FTP access.
  Command: ftp server acl acl-number
  Remarks: Optional. By default, no ACL is used for access control.
Step 5. Configure the idle-timeout timer.
  Command: ftp timeout minutes
  Remarks: Optional. The default idle-timeout timer is 30 minutes. If no data is transferred within the idle-timeout time, the connection is terminated.
Step 6. Set the file update mode for the FTP server.
  Command: ftp update { fast | normal }
  Remarks: Optional. By default, normal update is used.
Step 7. Return to user view.
  Command: quit
  Remarks: N/A
Step 8. Release the FTP connection established by a specific user.
  Command: free ftp user username
  Remarks: Optional.

Configuring authentication and authorization

Perform this task on the FTP server to authenticate FTP clients and specify the directories that authenticated clients can access.

The following authentication modes are available:
• Local authentication—The device looks up the client's username and password in the local user account database. If a match is found, authentication succeeds.
• Remote authentication—The device sends the client's username and password to a remote authentication server for authentication. If this approach is used, the user account is configured on the remote authentication server rather than on the device.

To assign an FTP user write access (including upload, delete, and create) to the device, assign level-3 (Manage) user privileges to the user. For read-only access to the file system, any user privilege level is OK. For more information, see Security Configuration Guide.

To configure authentication and authorization for the FTP server:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Create a local user account and enter its view.
  Command: local-user user-name
  Remarks: By default, no local user account exists, and the system does not support FTP anonymous user access.
Step 3. Set a password for the user account.
  Command: password { simple | cipher } password
  Remarks: N/A
Step 4. Assign the FTP service to the user account.
  Command: service-type ftp
  Remarks: By default, no service type is specified. If the FTP service is specified, the root directory of the device is used by default.
Step 5. Configure authorization attributes.
  Command: authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | level level | user-profile profile-name | user-role { guest | guest-manager | security-audit } | vlan vlan-id | work-directory directory-name } *
  Remarks: Optional. By default, FTP/SFTP users can access the root directory of the device, and the user level is 0. You can change the default configuration by using this command.

For more information about the local-user, password, service-type ftp, and authorization-attribute commands, see Security Command Reference.

FTP server configuration example

Network requirements

Create a local user account with username abc and password abc and enable the FTP server on the IRF fabric in Figure 39. Use the user account to log in to the FTP server from the FTP client, upload the file newest.bin from the FTP client to the FTP server, and download the configuration file config.cfg from the FTP server to the FTP client for backup.

Figure 39 Network diagram (IRF fabric as FTP server, IP 1.1.1.1/16, with Master (Member_ID=1) and Subordinate (Member_ID=2); PC as FTP client, 1.2.1.1/16; the orange line represents an IRF link)

Configuration procedure

1. Configure the FTP server:
# Examine the storage medium of the device for insufficiency or impairment. If no sufficient free space is available, use the delete/unreserved file-url command to delete unused files. (Details not shown.)
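The basic-parameter and authentication steps above together decide who can reach the device's FTP server and what they can do once logged in: the access ACL, the idle timeout, how each local user's password is stored, and whether the user holds level 3 (write access to the file system). The Python script below is an added example, not taken from HP's documentation or software. It parses two constructed configuration fragments written with only the commands listed in those tables (ftp server enable, ftp server acl, ftp timeout, ftp update, local-user, password, service-type ftp, authorization-attribute level) and reports the settings a reviewer would question. The block layout with '#' separators, the user names, the placeholder ciphertext and the finding texts are constructed for this example; the defaults it assumes when a command is absent (FTP server disabled, no ACL, 30-minute idle timeout, normal update mode, user level 0) are the ones stated in the tables.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Added illustration, not HP code. Two constructed configuration fragments in the
# style of a running configuration: '#' separates blocks, and the commands are the
# ones listed in the FTP server tables on this page. CIPHERTEXT-PLACEHOLDER stands
# in for whatever the device stores for a 'password cipher' entry.
CONFIG_WEAK = """\
#
 ftp server enable
 ftp timeout 30
#
local-user abc
 password cipher CIPHERTEXT-PLACEHOLDER
 service-type ftp
 authorization-attribute level 3
#
local-user monitor
 password simple monitor123
 service-type ftp
#
"""

CONFIG_HARDENED = """\
#
 ftp server enable
 ftp server acl 2001
 ftp timeout 10
 ftp update fast
#
local-user abc
 password cipher CIPHERTEXT-PLACEHOLDER
 service-type ftp
 authorization-attribute level 3
#
local-user monitor
 password cipher CIPHERTEXT-PLACEHOLDER
 service-type ftp
#
"""


@dataclass
class LocalUser:
    name: str
    password_mode: Optional[str] = None   # "simple" or "cipher"
    services: List[str] = field(default_factory=list)
    level: int = 0                        # default user level stated on the page


@dataclass
class FtpServerConfig:
    enabled: bool = False                 # ftp server enable: disabled by default
    acl: Optional[int] = None             # ftp server acl: none by default
    timeout_minutes: int = 30             # ftp timeout: 30 minutes by default
    update_mode: str = "normal"           # ftp update: normal by default
    users: Dict[str, LocalUser] = field(default_factory=dict)


def parse_config(text: str) -> FtpServerConfig:
    """Collect the FTP-relevant settings from a configuration fragment."""
    cfg = FtpServerConfig()
    current: Optional[LocalUser] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None            # end of a configuration block
            continue
        tok = line.split()
        if tok[:3] == ["ftp", "server", "enable"]:
            cfg.enabled = True
        elif tok[:3] == ["ftp", "server", "acl"] and len(tok) > 3:
            cfg.acl = int(tok[3])
        elif tok[:2] == ["ftp", "timeout"] and len(tok) > 2:
            cfg.timeout_minutes = int(tok[2])
        elif tok[:2] == ["ftp", "update"] and len(tok) > 2:
            cfg.update_mode = tok[2]
        elif tok[0] == "local-user" and len(tok) > 1:
            current = LocalUser(tok[1])
            cfg.users[tok[1]] = current
        elif current is not None:     # lines inside a local-user block
            if tok[0] == "password" and len(tok) > 1:
                current.password_mode = tok[1]
            elif tok[0] == "service-type":
                current.services.extend(tok[1:])
            elif tok[0] == "authorization-attribute" and "level" in tok:
                current.level = int(tok[tok.index("level") + 1])
    return cfg


def audit(cfg: FtpServerConfig) -> List[str]:
    """Findings a reviewer would raise; an empty list means nothing to question."""
    findings: List[str] = []
    if not cfg.enabled:
        return findings               # FTP server off: nothing is exposed
    if cfg.acl is None:
        findings.append("ftp server: no 'ftp server acl' configured, any reachable host can attempt to log in")
    if cfg.timeout_minutes >= 30:
        findings.append(f"ftp server: idle timeout is {cfg.timeout_minutes} min (the 30 min default); set a shorter 'ftp timeout'")
    for user in cfg.users.values():
        if "ftp" not in user.services:
            continue
        if user.password_mode is None:
            findings.append(f"local-user {user.name}: FTP service granted but no password set")
        elif user.password_mode == "simple":
            findings.append(f"local-user {user.name}: 'password simple' keeps the password in plain text in the configuration; use 'password cipher'")
        if user.level >= 3:
            findings.append(f"local-user {user.name}: level {user.level} grants FTP write access (upload, delete, create); confirm it is needed")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", CONFIG_WEAK), ("hardened", CONFIG_HARDENED)):
        print(f"== {label} ==")
        for finding in audit(parse_config(text)):
            print(" -", finding)
```

Against the weak fragment the audit reports four findings (no ACL, default timeout, the plain-text password for monitor, and abc's level 3); against the hardened fragment only the level-3 note for abc remains, which is expected when that account is the one meant to upload newest.bin, as in the configuration example above.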