manualshive.com logo in svg

HP HP 5120 series, Configuration Manual

Share
Download
HP HP 5120 series Configuration Manual Download Page 87

 

80 

Figure 24

 

Network diagram for configuring source IP-based login control over NMS users 

 

 

Configuration procedure 

# Create ACL 2000, and configure rule 1 to permit packets sourced from Host B, and rule 2 to permit 

packets sourced from Host A. 

<Sysname> system-view 

[Sysname] acl number 2000 match-order config 

[Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0 

[Sysname-acl-basic-2000] rule 2 permit source 10.110.100.46 0 

[Sysname-acl-basic-2000] quit 

# Associate the ACL with the SNMP community and the SNMP group.  

[Sysname] snmp-agent community read aaa acl 2000 

[Sysname] snmp-agent group v2c groupa acl 2000 

[Sysname] snmp-agent usm-user v2c usera groupa acl 2000 

Configuring source IP-based login control over web 
users 

You can log in to the web management page of the device through HTTP/HTTPS to remotely manage the 

devices. By using the ACL, you can control web user access to the device.  

Configuration preparation 

Before configuration, determine the permitted or denied source IP addresses.  

Configuring source IP-based login control over web users 

Because basic ACLs match the source IP addresses of packets, you can use basic ACLs to implement 

source IP-based login control over web users. Basic ACLs are numbered from 2000 to 2999. For more 

information about ACL, see the 

ACL and QoS Configuration Guide.

 

Follow these steps to configure source IP-based login control over web users: 

To do… 

Use the command… 

Remarks 

Enter system view 

system-view 

— 

Summary of Contents for HP 5120 series

Page 1: ...HP 5120 SI Switch Series Fundamentals Configuration Guide Part number 5998 1899 Software version Release 1513 Document version 6W100 20130830 ...

Page 2: ...MATERIAL INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE Hewlett Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing performance or use of this material The only warranties for HP products and services are set forth in the express warranty statements accompan...

Page 3: ...ering output information 11 Configuring user privilege and command levels 14 Configuring a user privilege level 15 Switching user privilege level 18 Modifying the level of a command 21 Saving the current configuration 22 Displaying and maintaining CLI 22 Login methods 23 FIPS compliance 23 Login methods 23 User interface overview 24 Users and user interfaces 24 Numbering user interfaces 25 CLI log...

Page 4: ...65 Displaying and maintaining web login 67 Web login example 67 HTTP login example 67 HTTPS login example 69 NMS login 72 NMS login overview 72 Configuring NMS login 72 NMS login example 74 User login control 75 User login control overview 75 FIPS compliance 75 Configuring login control over telnet users 75 Configuration preparation 75 Configuring source IP based login control over telnet users 76...

Page 5: ...lient 97 TFTP client configuration example 97 File management 99 Managing files 99 Filename formats 99 Directory operations 100 Displaying directory information 100 Displaying the current working directory 100 Changing the current working directory 100 Creating a directory 100 Removing a directory 101 File operations 101 Displaying file information 101 Displaying the contents of a file 101 Renamin...

Page 6: ...methods 120 Upgrading the Boot ROM program through a system reboot 120 Upgrading the boot file through a system reboot 122 Upgrading the boot file of an IRF member switch 122 Software upgrade by installing hotfixes 123 Basic concepts in hotfix 123 Patch status 124 Configuration prerequisites 126 One step patch installation 127 Step by step patch installation 128 Step by step patch uninstallation 1...

Page 7: ...entifying and diagnosing pluggable transceivers 147 Introduction to pluggable transceivers 147 Identifying pluggable transceivers 147 Diagnosing pluggable transceivers 148 Displaying and maintaining device management configuration 148 Support and other resources 150 Contacting HP 150 Subscription service 150 Related information 150 Documents 150 Websites 150 Conventions 151 Index 153 ...

Page 8: ...S 140 2 requirements Support for features commands and parameters might differ in FIPS mode and non FIPS mode For more information about FIPS mode see the Security Configuration Guide Unless otherwise noted devices in the configuration examples are operating in non FIPS mode What is CLI The command line interface CLI enables you to interact with your device by typing text commands At the CLI you c...

Page 9: ...brackets enclose syntax choices keywords or arguments that are optional x y Braces enclose a set of required syntax choices separated by vertical bars from which you select one x y Square brackets enclose a set of optional syntax choices separated by vertical bars from which you select one or none x y Asterisk marked braces enclose a set of required syntax choices separated by vertical bars from w...

Page 10: ...ferent classes by function To use a command you must enter the class view of the command CLI views adopt a hierarchical structure See Figure 3 After logging in to the switch you are in user view The prompt of user view is device name In user view you can perform display debugging and file management operations set the system time restart your device and perform FTP and telnet operations You can en...

Page 11: ...commands The commands available to you at any given time depend on the view you are in Follow the step below to exit the current view To do Use the command Remarks Return to the parent view from the current view quit Required Available in any view NOTE The quit command in user view stops the current connection between the terminal and the device In public key code view use the public key code end ...

Page 12: ...position of a keyword the CLI displays all possible keywords with a brief description for each keyword For example sysname terminal debugging Send debug information to terminal logging Send log information to terminal monitor Send information output to current terminal trapping Send trap information to terminal If is at the position of an argument the CLI displays a description about this argument...

Page 13: ...l the keywords starting with the character string that you typed If there is no match the system does not modify the incomplete keyword and displays it again in the next line Typing incomplete keywords You can input a command comprising incomplete keywords that uniquely identify the complete command In user view for example command system view to enter system view type sy You can also press Tab to...

Page 14: ...which means you cannot configure command aliases Configure a command alias command alias mapping cmdkey alias Required Not configured by default Configuring CLI hotkeys Follow these steps to configure CLI hotkeys To do Use the command Remarks Enter system view system view Configure CLI hotkeys hotkey CTRL_G CTRL_L CTRL_O CTRL_T CTRL_U command Optional The Ctrl G Ctrl L and Ctrl O hotkeys are speci...

Page 15: ...ding character of the continuous string to the left Esc D Deletes all the characters of the continuous string at the current cursor position and to the right of the cursor Esc F Moves the cursor to the front of the next continuous string to the right Esc N Moves the cursor down by one line available before you press Enter Esc P Moves the cursor up by one line available before you press Enter Esc S...

Page 16: ...tains syntax errors the CLI reports error information Table 4 Common command line errors Error information Cause Unrecognized command found at position The command was not found Incomplete command found at position Incomplete command Ambiguous command found at position Ambiguous command Too many parameters Too many parameters Wrong parameter found at position Wrong parameters Using command history...

Page 17: ...e CLI can save up to 10 commands for each user To set the capacity of the history command buffer for the current user interface use the history command max size command For more information about the history command max size command see the Fundamentals Command Reference Configuring the history buffer size Follow these steps to configure the history buffer size To do Use the command Remarks Enter ...

Page 18: ...ines are displayed on the next screen This command is executed in user view and takes effect for the current user only When the user re logs into the switch the default configuration is restored Filtering output information NOTE Only display commands that support begin exclude include regular expression support filtering output information When the display commands support these parameters depends...

Page 19: ...or example zo matches zo and zoo but not z Matches the preceding or succeeding character string For example def int only matches a character string containing def or int _ If it is at the beginning or the end of a regular expression it equals or In other cases it equals comma space round bracket or curly bracket For example a_b matches a b or a b _ab only matches a line starting with ab ab_ only m...

Page 20: ...hes word undo and string abcdo bcharacter2 Matches character1character2 character1 can be any character except number letter or underline and b equals A Za z0 9_ For example ba matches a with being character1 and a being character2 but it does not match 2a or ba Bcharacter Matches a string containing character and no space is allowed before character For example Bt matches t in install but not t i...

Page 21: ...er levels All the commands are categorized into four levels visit monitor system and manage and are identified from low to high respectively by 0 through 3 Table 5 describes the command levels Table 5 Default command levels Level Privilege Description 0 Visit Involves commands for network diagnosis and accessing an external device Configuration of commands at this level cannot survive a device res...

Page 22: ...y default the authentication mode for VTY users is password and no authentication is needed for AUX login users Return to system view quit Configure the authentication mode for SSH users as password For more information about SSH see the Security Configuration Guide Required if users use SSH to log in and username and password are needed at authentication Configure the user privilege level by usin...

Page 23: ...ollow these steps to configure the user privilege level under a user interface SSH publickey authentication type To do Use the command Remarks Configure the authentication type for SSH users as publickey For more information about SSH see the Security Configuration Guide Required if the SSH login mode is adopted and only username is needed during authentication After the configuration the authenti...

Page 24: ... allow Telnet users to log in without authentication Free access brings security risks For security do not allow free access Sysname system view Sysname user interface vty 0 15 Sysname ui vty0 15 authentication mode none Now Telnet users can log in to the switch without authentication but can use only the following commands Sysname User view commands display Display current system information ping...

Page 25: ...damentals Command Reference For more information about AAA authentication see the Security Configuration Guide For more information about the local user and authorization attribute commands see the Security Command Reference For more information about SSH see the Security Configuration Guide Switching user privilege level Users can switch to a different user privilege level temporarily without log...

Page 26: ...ser and configure password on the HWTACACS or RADIUS server local scheme Performs the local password authentication first and then the remote AAA authentication The switch authenticates a user by using the local password first If no local password is set the privilege level is switched directly for the users logged in from the AUX port and remote AAA authentication is performed on the users logged...

Page 27: ...ou switch the user privilege level the information you need to provide varies with combinations of the user interface authentication mode and the super authentication mode Table 6 Information input for user privilege level switch User interface authentication mode User privilege level switch authentication mode Information input for the first authentication mode Information input after the authent...

Page 28: ... local authentication consecutive unsuccessful password attempts In scheme authentication mode a user who fails to provide the correct password during five consecutive attempts must wait 15 minutes before trying again Trying again before the 15 minute period elapses restores the wait timer to 15 minutes and restarts the timer For more information about user interface authentication see Login metho...

Page 29: ...s such as display commands which display specified information and the reset commands which clear specified information The one time commands executed are never saved Displaying and maintaining CLI To do Use the command Remarks Display defined command aliases and the corresponding commands display command alias begin exclude include regular expression Available in any view Display the clipboard in...

Page 30: ...ice through the console port and complete the following configuration Enable the telnet function Configure the IP address of the VLAN interface and make sure that your device and the telnet client can reach each other by default the device does not have an IP address Configure the authentication mode of VTY login users password by default Configure the user privilege level of VTY login users 0 by ...

Page 31: ... User interface overview User interface also called line allows you to manage and monitor sessions between the terminal and device when you log in to the device through the console port directly or through Telnet or SSH One user interface corresponds to one user interface view where you can configure a set of parameters such as whether to authenticate users at login whether to redirect the request...

Page 32: ...aces can be numbered by using absolute numbering or relative numbering Absolute numbering Absolute numbering identifies a user interface or a group of different types of user interfaces The specified user interfaces are numbered from number 0 with a step of 1 and in the sequence of AUX and VTY user interfaces You can use the display user interface command without any parameters to view supported u...

Page 33: ...ms By default you cannot log in to a device through telnet SSH so you cannot remotely manage and maintain the device Therefore you need to perform configurations to increase device security and manageability FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140 2 requirements Support for features commands and parameters might differ in FIPS mode and non FIPS mode For m...

Page 34: ...C and plug the RJ 45 connector into the console port of your device Figure 4 Connect the device and PC through a console cable WARNING Identify interfaces to avoid connection errors NOTE The serial port of a PC does not support hot swap so do not plug or unplug the console cable into or from the PC when your device is powered on To connect the PC to the device first plug the DB 9 connector of the ...

Page 35: ...cribed in this document On Windows 2008 Server Windows 7 Windows Vista or some other operating system you need to obtain a third party terminal control program first and follow the user guide or online help of that program to log in to the device Figure 5 Connection description Figure 6 Specify the serial port used to establish the connection ...

Page 36: ...he console port Keep your password scheme requires username and password authentication at the next login through the console port Authentication falls into local authentication and remote authentication To use local authentication configure a local user and related parameters To use remote authentication configure the username and password on the remote authentication server For more information ...

Page 37: ...omain as local NOTE A newly configured authentication mode does not take effect unless you exit and enter the CLI again Configuring none authentication for console login NOTE This feature is not supported in FIPS mode Configuration prerequisites You have logged in to the device By default you can log in to the device through the console port without authentication and have user privilege level 3 a...

Page 38: ...in For information about logging in to the device with the default configuration see Configuration requirements Configuration procedure Follow these steps to configure password authentication for console login To do Use the command Remarks Enter system view system view Enter AUX user interface view user interface aux first number last number Configure the authentication mode as local password auth...

Page 39: ...TACACS authentication is adopted depends on the configured AAA scheme By default users that log in through the console port are not authenticated Enable command authorization command authorization Optional By default command authorization is not enabled By default the command level depends on the user privilege level A user is authorized a command level not higher than the user privilege level Wit...

Page 40: ...ing server before enabling command accounting Return to system view quit Configure the authentica tion mode Enter the ISP domain view domain domain name Optional By default the AAA scheme is local If you specify the local AAA scheme you need to perform local user configuration If you specify an existing scheme by providing the radius scheme name argument perform the following configuration as well...

Page 41: ...ration to make the function take effect Create a HWTACACS scheme and specify the IP address of the accounting server and other accounting parameters For more information about AAA see the Security Configuration Guide Reference the created HWTACACS scheme in the ISP domain For more information about AAA see the Security Configuration Guide When users adopt the scheme mode to log in to the device th...

Page 42: ... in data transmission to unequivocally indicate the end of a character The more the bits are the slower the transmission is Configure the data bits databits 5 6 7 8 Optional By default the data bits of the console port is 8 Data bits is the number of bits representing one character The setting depends on the contexts to be transmitted For example you can set it to 7 if standard ASCII characters ar...

Page 43: ...maximum number of lines on the next screen screen length screen length Optional By default the next screen displays 24 lines A value of 0 disables the function Set the size of history command buffer history command max size value Optional By default the buffer saves 10 history commands at most Set the idle timeout timer idle timeout minutes seconds Optional The default idle timeout is 10 minutes T...

Page 44: ...og in to the device through the console port enable telnet server and configure the authentication mode user privilege level and common settings This section includes these topics Telnet login authentication modes Configuring none authentication for telnet login Configuring password authentication for telnet login Configuring scheme authentication for telnet login Configuring common settings for V...

Page 45: ...cheme authentication for telnet login Select an authenticati on scheme Remote AAA authentication Configure a RADIUS HWTACAC S scheme Configure the AAA scheme used by the domain Configure the username and password on the AAA server Local authentication Configure the authentication username and password Configure the AAA scheme used by the domain as local Configuring none authentication for telnet l...

Page 46: ...See Configuring common settings for VTY user interfaces optional When you log in to the device through telnet again You enter the VTY user interface as shown in Figure 9 If All user interfaces are used please try later is displayed it means the current login users exceed the maximum number Please try later Figure 9 Configuration page Configuring password authentication for telnet login Configurati...

Page 47: ...figure the user privilege level for login users user privilege level level Required 0 by default Configure common settings for VTY user interfaces Optional See Configuring common settings for VTY user interfaces optional When you log in to the device through telnet again You are required to enter the login password A prompt such as HP appears after you enter the correct password and press Enter as...

Page 48: ...ADIUS or HWTACACS authentication is adopted depends on the configured AAA scheme By default local authentication is adopted Enable command authorization command authorization Optional By default command authorization is not enabled By default the command level depends on the user privilege level A user is authorized a command level not higher than the user privilege level With command authorizatio...

Page 49: ...nting Exit to system view quit Configure the authentic ation mode Enter the default ISP domain view domain domain name Optional By default the AAA scheme is local If you specify the local AAA scheme perform the configuration concerning local user as well If you specify an existing scheme by providing the radius scheme name argument perform the following configuration as well For RADIUS and HWTACAC...

Page 50: ...see the Security Configuration Guide Reference the created HWTACACS scheme in the ISP domain For more information see the Security Configuration Guide When users adopt the scheme mode to log in to the device the level of the commands that the users can access depends on the user privilege level defined in the AAA scheme When the AAA scheme is local the user privilege level is defined by the author...

Page 51: ...hell Optional Enabled by default Enable the current user interface s to support either Telnet SSH or both of them protocol inbound all ssh telnet Optional By default both protocols are supported The configuration takes effect next time you log in Define a shortcut key for terminating tasks escape key default character Optional By default you can press Ctrl C to terminate a task Configure the type ...

Page 52: ... executed If the command triggers another task the system does not tear down the user connection until the task is completed A telnet command is usually specified to enable the user to automatically telnet to the specified device CAUTION The auto execute command command may disable you from configuring the system through the user interface to which the command is applied Use it with caution Before...

Page 53: ...on The device supports SSH and you can log in to the device through SSH to remotely manage and maintain the device as shown in Figure 13 Figure 13 SSH login diagram The following table shows the configuration requirements of SSH login Object Requirements SSH server Configure the IP address of the VLAN interface and make sure the SSH server and client can reach each other Configure the authenticati...

Page 54: ... the default configuration see Configuration requirements Configuration procedure Follow these steps to configure the device that serves as an SSH server To do Use the command Remarks Enter system view system view Create local key pair s public key local create dsa rsa Required By default no local key pair s are created Enable SSH server ssh server enable Required By default SSH server is disabled...

Page 55: ...checks whether the command is authorized If yes the command can be executed Enable command accounting command accounting Optional By default command accounting is disabled The accounting server does not record the commands executed by users Command accounting allows the HWTACACS server to record all executed commands that are supported by the device regardless of the command execution result This ...

Page 56: ...ord cipher simple password Required By default no local password is set Specifies the command level of the local user authorization attribute level level Optional By default the command level is 0 Specify the service type for the local user service type ssh Required By default no service type is specified Return to system view quit Create an SSH user and specify the authentication mode for the SSH...

Page 57: ...onfiguring the SSH client to log in to the SSH server Configuration prerequisites You have logged in to the device By default you can log in to the device through the console port without authentication and have user privilege level 3 after login For information about logging in to the device with the default configuration see Configuration requirements Figure 14 Log in to another device from the ...

Page 58: ...g in through modems and the default user privilege level is 3 To use this method perform necessary configurations at both the device side and administrator side The following table shows the configuration requirements of remote login through the console port by using modem dial in Object Requirement Administrator side The PC is correctly connected to the modem The modem is connected to a telephone...

Page 59: ...e DSR to remain on ATEQ1 W Disable the modem from response to commands and save the configuration To verify your configuration enter AT V to show the configuration results NOTE The configuration commands and the output for different modems may be different For more information see the user guide of your modem 4 Launch a terminal emulation utility such as HyperTerminal in Windows XP Windows 2000 cr...

Page 60: ...53 Figure 16 Connection Description Figure 17 Enter the phone number Figure 18 Dial the number ...

Page 61: ... password requires password authentication at the next login through the console port Keep your password scheme requires username and password authentication at the next login through the console port Authentication falls into local authentication and remote authentication To use local authentication configure a local user and related parameters To use remote authentication configure the username ...

Page 62: ... logging in to the device with the default configuration see Configuration requirements Configuration procedure Follow these steps to configure none authentication for modem login To do Use the command Remarks Enter system view system view Enter one or more AUX user interface views user interface aux first number last number Specify the none authentication mode authentication mode none Required By...

Page 63: ...ple password Required By default no local password is set Configuring common settings for modem login Optional For more information see Configuring common settings for modem login optional When you log in to the device through modems after the configuration you are prompted to enter a login password A prompt such as HP appears after you input the password and press Enter Configuring scheme authent...

Page 64: ... the user privilege level The user is authorized the command with the default level not higher than the user privilege level With the command authorization configured the command level for a login user is determined by both the user privilege level and AAA authorization If a user executes a command of the corresponding command level the authorization server checks whether the command is authorized...

Page 65: ...accounting server before enabling command accounting Exit to system view quit Configure the authentica tion mode Enter the default ISP domain view domain domain name Optional By default the AAA scheme is local If you specify the local AAA scheme perform the configuration concerning local user as well If you specify an existing scheme by providing the radius scheme name argument perform the followi...

Page 66: ...figuration to make the function take effect Create a HWTACACS scheme and specify the IP address of the accounting server and other accounting parameters For more information see the Security Configuration Guide Reference the created HWTACACS scheme in the ISP domain For more information see the Security Configuration Guide When users adopt the scheme mode to log in to the device the level of the c...

Page 67: ... is 1 Stop bits are the last bits transmitted in data transmission to unequivocally indicate the end of a character The more the bits are the slower the transmission is Configure the data bits databits 5 6 7 8 Optional By default the data bits is 8 Data bits is the number of bits representing one character The setting depends on the contexts to be transmitted For example you can set it to 7 if sta...

Page 68: ...ault the next screen displays 24 lines at most A value of 0 disables the function Set the size of the history command buffer history command max size value Optional By default the buffer saves 10 history commands at most Set the idle timeout timer idle timeout minutes seconds Optional The default idle timeout is 10 minutes The system automatically terminates the user s connection if no information...

Page 69: ...clude include regular expression Available in any view Release a specified user interface free user interface num1 aux vty num2 Available in user view Multiple users can log in to the system to simultaneously configure the device In some circumstances when the administrator wants to make configurations without interruption from the users that have logged in through other user interfaces the admini...

Page 70: ... an application layer protocol in the TCP IP protocol suite The connection oriented Transport Control Protocol TCP is adopted at the transport layer The device supports HTTP 1 0 HTTPS login The Secure HTTP HTTPS refers to the HTTP protocol that supports the Security Socket Layer SSL protocol HTTPS uses SSL to encrypt the data exchanged between the HTTPS client and the server to ensure data securit...

Page 71: ...rt number Optional 80 by default If you execute the command multiple times the last one takes effect Associate the HTTP service with an ACL ip http acl acl number Optional By default the HTTP service is not associated with any ACL Associating the HTTP service with an ACL enables the device to allow only clients permitted by the ACL to access the device Set the web user connection timeout time web ...

Page 72: ...login To do Use the command Remarks Enter system view system view Configure PKI and SSL related features Required By default PKI and SSL are not configured For more information about PKI see the Security Configuration Guide For more information about SSL see the Security Configuration Guide Associate the HTTPS service with an SSL server policy ip https ssl server policy policy name Required By def...

Page 73: ...ociating the HTTPS service with a certificate based attribute access control policy enables the device to control the access rights of clients You must configure the client verify enable command in the associated SSL server policy If not no clients can log in to the device The associated SSL server policy must contain at least one permit rule Otherwise no clients can log in to the device For more ...

Page 74: ... its view Assign an IP address and subnet mask to the VLAN interface ip address ip address mask mask length Required By default no IP address is assigned to the VLAN interface Displaying and maintaining web login To do Use the command Remarks Display information about web users display web users begin exclude include regular expression Available in any view Display HTTP state information display i...

Page 75: ...AN interface1 quit Create a local user named admin and set the password to admin for the user Specify the telnet service type for the local user and set the command level to 3 for this user Sysname local user admin Sysname luser admin service type telnet Sysname luser admin authorization attribute level 3 Sysname luser admin password simple admin 2 Configuration on the PC On the PC run the web bro...

Page 76: ...guring HTTPS login Configuration procedure 1 Configure the device that acts as the HTTPS server Configure a PKI entity configure the common name of the entity as http server1 and the FQDN of the entity as ssl security com Device system view Device pki entity en Device pki entity en common name http server1 Device pki entity en fqdn ssl security com Device pki entity en quit Create a PKI domain spe...

Page 77: ...ibute based access control rule specifying that a certificate is considered valid when it matches an attribute rule in certificate attribute group myacp Device pki certificate access control policy myacp Device pki cert acp myacp rule 1 permit mygroup1 Device pki cert acp myacp quit Associate the HTTPS service with SSL server policy myssl Device ip https ssl server policy myssl Associate the HTTPS...

Page 78: ...ough HTTP enter the URL address starting with http For more information about PKI configuration commands see the Security Command Reference For more information about the public key local create rsa command see the Security Command Reference For more information about SSL configuration commands see the Security Command Reference ...

Page 79: ... in to the device through NMS To enable NMS login log in to the device via the console port and make the configurations described in the following table The following table shows the configuration requirements of NMS login Object Requirements Device Configure the IP address of the VLAN interface Make sure the device and the NMS can reach each other Configure SNMP settings NMS Configure the NMS For...

Page 80: ...ks Enter system view system view Enable SNMP agent snmp agent Optional Disabled by default You can enable SNMP agent with this command or any command that begins with snmp agent Create or update MIB view information snmp agent mib view excluded included view name oid tree mask mask value Optional By default the MIB view name is ViewDefault and OID is 1 Configure SNMP NMS access right Directly Conf...

Page 81: ...ysname snmp agent usm user v3 managev3user managev3group 2 Configuration on the NMS On the PC start the browser In the address bar enter http 192 168 3 104 8080 imc where 192 168 3 104 is the IP address of the iMC Type the username and password and then click Login The iMC homepage appears Log in to the iMC and configure SNMP settings for the iMC to find the device After the device is found you ca...

Page 82: ...l over telnet users Ethernet frame header ACL NMS Configuring source IP based login control over NMS users Basic ACL Web Configuring source IP based login control over web users Basic ACL FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140 2 requirements Support for features commands and parameters might differ in FIPS mode and non FIPS mode For more information abou...

Page 83: ...r Use the ACL to control user login by source IP address acl ipv6 acl number inbound outbound Required inbound Filters incoming telnet packets outbound Filters outgoing telnet packets Configuring source and destination IP based login control over telnet users Because advanced ACLs can match both source and destination IP addresses of packets you can use advanced ACLs to implement source and destin...

Page 84: ...d login control over telnet users To do Use the command Remarks Enter system view system view Create an Ethernet frame header ACL and enter its view acl number acl number match order config auto Required By default no advanced ACL exists Configure rules for the ACL rule rule id permit deny rule string Required Exit the advanced ACL view quit Enter user interface view user interface type first numb...

Page 85: ...nd Configuring source IP based login control over NMS users You can log in to the NMS to remotely manage the devices SNMP is used for communication between the NMS and the agent that resides in the device By using the ACL you can control SNMP user access to the device Configuration preparation Before configuration determine the permitted or denied source IP addresses Configuring source IP based lo...

Page 86: ...ion about SNMP see the Network Management and Monitoring Configuration Guide Associate the SNMP group with the ACL snmp agent group v1 v2c group name read view read view write view write view notify view notify view acl acl number snmp agent group v3 group name authentication privacy read view read view write view write view notify view notify view acl acl number Associate the user with the ACL sn...

Page 87: ... agent usm user v2c usera groupa acl 2000 Configuring source IP based login control over web users You can log in to the web management page of the device through HTTP HTTPS to remotely manage the devices By using the ACL you can control web user access to the device Configuration preparation Before configuration determine the permitted or denied source IP addresses Configuring source IP based log...

Page 88: ...in FIPS mode Associate the HTTPS service with the ACL ip https acl acl number Logging off online web users Follow the step to log off online web users To do Use the command Remarks Log off online web users free web users all user id user id user name user name Required Execute the command in user interface view Source IP based login control over web users configuration example Network requirements...

Page 89: ...er 2030 match order config Sysname acl basic 2030 rule 1 permit source 10 110 100 52 0 Associate the ACL with the HTTPS service so that only web users from Host B are allowed to access the device Sysname ip https acl 2030 ...

Page 90: ... data like app bin and btm files ASCII mode Transfers files as text like txt bat and cfg files Operation of FTP FTP adopts the client server model Your device can function either as the client or the server as shown in Figure 26 When the device serves as the FTP client use Telnet or an emulation program to log in to the device from the PC execute the ftp command to establish a connection from the ...

Page 91: ...r The device does not support anonymous FTP for security reasons You must set a valid username and password By default authenticated users can access the root directory of the device Configure the FTP server operating parameters Parameters such as the FTP connection timeout time PC FTP client Use the FTP client program to log in to the FTP server You can log in to the FTP server only after you inp...

Page 92: ...ied with the ftp client source or ftp command this source address is used to communicate with an FTP server If you use the ftp client source command and the ftp command to specify a source address respectively the source address specified with the ftp command is used to communicate with an FTP server The source address specified with the ftp client source command is valid for all FTP connections a...

Page 93: ...re information about establishing an FTP connection see Establishing an FTP connection Follow these steps to operate the directories on an FTP server To do Use the command Remarks Display detailed information about a directory or file on the remote FTP server dir remotefile localfile Optional Query a directory or file on the remote FTP server ls remotefile localfile Optional Change the working dir...

Page 94: ...rmation such as the file size and creation time Delete the specified file on the remote FTP server permanently delete remotefile Optional Set the file transfer mode to ASCII ascii Optional ASCII by default Set the file transfer mode to binary binary Optional ASCII by default Set the data transmission mode to passive passive Optional Passive by default Display the local working directory of the FTP...

Page 95: ...ient has established a connection with the FTP server you can use any of the following commands to terminate an FTP connection For more information about establishing an FTP connection see Establishing an FTP connection To do Use the command Remarks Terminate the connection to the FTP server without exiting FTP client view disconnect Optional Equal to the close command Terminate the connection to ...

Page 96: ...abc 331 Give me your password please Password 230 Logged in successfully Set the file transfer mode to binary to transmit boot file ftp binary 200 Type set to I Download the boot file newest bin from PC to the device Download the boot file newest bin from PC to the root directory of the storage medium on the master ftp get newest bin Download the boot file newest bin from PC to the root directory ...

Page 97: ...tarts writing data to the storage medium after a file is transferred to the memory This prevents the existing file on the FTP server from being corrupted in the event that anomaly power failure for example occurs during a file transfer In normal mode the FTP server writes data to the storage medium while receiving data This means that any anomaly power failure for example during file transfer migh...

Page 98: ...and Remarks Enter system view system view Create a local user and enter its view local user user name Required No local user exists by default and the system does not support FTP anonymous user access Assign a password to the user password simple cipher password Required Assign the FTP service to the user service type ftp Required By default the system does not support anonymous FTP access and doe...

Page 99: ...icient use the fixdisk command to clear the memory or use the delete unreserved file url command to delete the files not in use and then perform the following operations 1 Configure the IRF virtual device FTP Server Create an FTP user account ftp set its password to pwd and the user privilege level to level 3 the manage level Allow user ftp to access the root directory of the flash on the master a...

Page 100: ...west bin slot2 flash Specify newest bin as the main boot file to be used at the next startup for all the member devices Sysname boot loader file newest bin slot all main This command will set the boot file of the specified board Continue Y N y The specified file will be used as the main boot file at the next reboot on slot 1 The specified file will be used as the main boot file at the next reboot ...

Page 101: ...94 To do Use the command Remarks Display detailed information about logged in FTP users display ftp user begin exclude include regular expression Available in any view ...

Page 102: ... sends a read request to the TFTP server receives data from the server and then sends the acknowledgement to the server In a normal file uploading process the client sends a write request to the TFTP server sends data to the server and receives the acknowledgement from the server TFTP transfers files in the following modes Binary mode Transfers files as raw data like app bin and btm files ASCII mo...

Page 103: ...deleted Secure download The device saves the obtained file to its memory and does not write it to the storage medium until the whole file is obtained If you download a remote file using a filename destination filename that exists in the directory the original file is not overwritten If file download fails due to network disconnection or other reasons the original file still exists This mode is mor...

Page 104: ...user view NOTE If no primary IP address is configured on the source interface no TFTP connection can be established If you use the ftp client source command to first configure the source interface and then the source IP address of the packets of the TFTP client the new source IP address will overwrite the current one and vice versa Displaying and maintaining the TFTP client To do Use the command R...

Page 105: ...o the root directory of the storage medium on a slave switch with the member ID 2 Sysname tftp 1 2 1 1 get newest bin slot2 flash newest bin Upload a configuration file config cfg to the TFTP server Sysname tftp 1 2 1 1 put config cfg configback cfg Specify newest bin as the main boot file to be used at the next startup for all the member devices Sysname boot loader file newest bin slot all main T...

Page 106: ...prompt modes Filename formats When you specify a file you must enter the filename in one of the following formats Filename formats Format Description Length Example file name Specifies a file in the current working directory 1 to 91 characters a cfg indicates a file named a cfg in the current working directory If the current working directory is on the master a cfg represents file a cfg on the mas...

Page 107: ...oot directory of the flash on a slave with the member ID 2 input slot2 flash a cfg for the filename Directory operations You can create or remove a directory display the current working directory the specified directory file information and so on Displaying directory information To do Use the command Remarks Display directory or file information dir all file url Required Available in user view Dis...

Page 108: ...ile operations You can display the specified directory or file information display file contents rename copy move remove restore and delete files NOTE You can create a file by copying downloading or using the save command Displaying file information To do Use the command Remarks Display file or directory information dir all file url Required Available in user view Displaying the contents of a file...

Page 109: ...ally belongs HP recommends you to empty the recycle bin periodically with the reset recycle bin command to save storage space The delete unreserved file url command deletes a file permanently and the action cannot be undone Execution of this command equals execution of the delete file url command and then the reset recycle bin command in the same directory Restoring a file from the recycle bin To ...

Page 110: ...ile on your PC and then download the batch file to the device If the suffix of the file is not bat use the rename command to change the suffix to bat Follow these steps to execute a batch file To do Use the command Remarks Enter system view system view Execute a batch file execute filename Required CAUTION Execution of a batch file does not guarantee successful execution of every command in the ba...

Page 111: ...s Displaying and repairing bad blocks Bad block ratio varies with products of different vendors The frequently used area of the memory goes bad easily Bad blocks cannot be used to store data and the system has to skip the bad blocks when it allocates storage spaces to files You can get the locations of bad blocks and repair them at the command line interface Follow these steps to display and repai...

Page 112: ...Use the command Remarks Enter system view system view Set the operation prompt mode of the file system file prompt alert quiet Optional The default is alert Example for file operations Display the files and the subdirectories in the current directory Sysname dir Directory of flash 0 drw Feb 16 2006 11 45 36 logfile 1 rw 1218 Feb 16 2006 11 46 19 config cfg 2 drw Feb 16 2006 15 20 27 test 3 rw 1841...

Page 113: ...106 0 drw Feb 16 2006 15 28 14 mytest 97920 KB total 2519 KB free Return to the upper directory Sysname cd Display the current working directory Sysname pwd flash ...

Page 114: ...guration that is running on the device is called running configuration Startup configuration The device uses startup configuration to configure software features during startup The following are sources of startup configuration Initial settings Initial values or states for parameters If the device starts up with empty configuration all parameters are set to their initial settings at startup Defaul...

Page 115: ...mand The displayed configuration does not include parameters that use initial settings Configuration file format and content IMPORTANT To run on the device a configuration file must meet the content and format requirements of the device To ensure a successful configuration loading at startup use a configuration file that was automatically created on the device or created by using the save command ...

Page 116: ...d main startup configuration file is not available the device starts up with the backup startup configuration file c If you have not specified a backup startup configuration file or the specified backup startup configuration file is not available the device starts up with the default configuration file factory defaults If a parameter is not included in the default configuration file its initial se...

Page 117: ...on enabled when you save the current configuration by executing the save safely backup main force command or executing the save filename all command and then pressing Enter the master and a slave automatically save the current configuration to the specified configuration file and use the file as the configuration file to be used at the next startup keeping the consistency of the configuration file...

Page 118: ...tem startup save safely backup main force NOTE The configuration file must be with extension cfg Whether the save safely backup main force command or the save filename all command Enter takes effect on all the member devices or on the master only depends on whether the configuration file auto save function is enabled For the configuration file auto save function see Enabling configuration file aut...

Page 119: ...To load the backup configuration file after a software downgrade specify the backup file as the next startup configuration file on each member device Setting configuration rollback Configuration rollback Configuration rollback allows you to revert to a previous configuration state based on a specified configuration file The specified configuration file must be a valid cfg file generated by using e...

Page 120: ...rameters for saving the running configuration Before the running configuration is saved manually or automatically the file path and filename prefix must be configured After that the system saves the running configuration with the specified filename filename prefix_serial number cfg to the specified path The filename of a saved configuration file is like 20080620archive_1 cfg or 20080620archive_2 c...

Page 121: ...l and archive configuration max commands meanwhile the saved configuration files are cleared The value of the file number argument is determined by memory space Set a comparatively small value for the file number argument if the available memory space is small Enabling automatic saving of the running configuration You can configure the system to save the running configuration at a specified interv...

Page 122: ...ion rollback To do Use the command Remarks Enter system view system view Set configuration rollback configuration replace file filename Required CAUTION Do not reboot an IRF member switch during configuration rollback Configuration rollback may fail if one of the following situations is present if a command cannot be rolled back the system skips it and processes the next one The complete undo form...

Page 123: ...on file must use cfg as its extension name and the startup configuration file must be saved in the root directory of the storage media Backing up the startup configuration file The backup function allows you to copy the startup configuration file to be used at the next startup from the device to the TFTP server The backup operation backs up the main startup configuration file to the TFTP server fo...

Page 124: ...in user view CAUTION This command permanently deletes startup configuration files to be used at the next startup from all member devices Use it with caution Restoring a startup configuration file The restore function allows you to copy a configuration file from a TFTP server to the root directory of the storage media of all the member devices and specify the file as the startup configuration file ...

Page 125: ...ent configuration configuration configuration interface interface type interface number by linenum begin exclude include regular expression Available in any view Display the running configuration file saved on the storage media of the device display saved configuration by linenum begin exclude include regular expression Available in any view Display the configuration files used at this and the nex...

Page 126: ...ftware upgrade Software upgrade configuration examples Switch software overview Switch software includes the Boot ROM program and the system boot file After powered on the device runs the Boot ROM program initializes the hardware and displays the hardware information Then the device runs the boot file The boot file provides drivers and adaption for hardware and implements service features The Boot...

Page 127: ... a system reboot Boot ROM program You need to reboot the whole system to upgrade the software of a device This causes running service interruption during the upgrade process and is not recommended Upgrading the boot file through a system reboot System boot file Upgrading the boot file of an IRF member switch Software upgrade by installing hotfixes System boot file Hotfix is a fast cost effective m...

Page 128: ... the master device by using FTP TFTP or other available methods Required For more information about FTP or TFTP see the chapters FTP configuration and TFTP configuration In FIPS mode you must use SFTP to transfer the Boot ROM program Upgrade the Boot ROM program on member devices bootrom update file file url slot slot number list Required Available in user view In FIPS mode the program must pass a...

Page 129: ...yword specifies a switch by its member ID of the IRF virtual device If the keyword is not provided the IRF virtual device will reboot Available in user view CAUTION You must save the file to be used at the next device boot in the root directory of the device You can copy or move a file to change the path of it to the root directory To execute the boot loader command successfully save the file to b...

Page 130: ...em automatically compares the sum of the space occupied by the current boot file and the remaining space with the size of the new boot file If the sum is greater than the size of the new boot file the member switch automatically deletes the current boot file to release the space If the sum is smaller than the size of the new boot file the member switch prompts you that the upgrade fails Before upg...

Page 131: ...atch loading process only the system deletes all the temporary patches before it loads the common patch Patch status Each patch has its status which can be switched only by commands The relationship between patch state changes and command actions is shown in Figure 33 The patch can be in the state of IDLE DEACTIVE ACTIVE and RUNNING Load run temporarily confirm running stop running delete install ...

Page 132: ...even patches successfully pass the version check and CRC check they are loaded to the memory patch area and are in the DEACTIVE state At this time the patch states in the system are as shown in Figure 35 Figure 35 A patch file is loaded to the memory patch area ACTIVE state Patches in the ACTIVE state are those that have run temporarily in the system and become DEACTIVE after system reboot For the...

Page 133: ... Before patching the system you need to save the appropriate patch files to the storage media of the device using FTP or TFTP When saving the patch files note that the following rules apply The patch files match the device model and software version If they are not matched the hotfixing operation fails Name a patch file properly Otherwise the system cannot locate the patch file and the hotfixing o...

Page 134: ...om IDLE This equals execution of the commands patch location patch load patch active and patch run The patches remain RUNNING after system reboot Entering n or N All the specified patches are installed and turn to the ACTIVE state from IDLE This equals execution of the commands patch location patch load and patch active The patches turn to the DEACTIVE state after system reboot Follow these steps ...

Page 135: ...tch the patch takes effect and is in the test run stage After the device is reset or rebooted the patch becomes invalid If you find that an ACTIVE patch is of some problem reboot the device to deactivate the patch so as to avoid a series of running faults resulting from patch error Confirm the running of the specified patches patch run patch number slot slot number Required After you confirm the r...

Page 136: ...ude include regular expression Available in any view Display the patch information display patch information begin exclude include regular expression Available in any view Software upgrade configuration examples Unless otherwise noted devices in the configuration examples are operating in non FIPS mode Immediate upgrade configuration example Network requirement As shown in Figure 38 the IRF virtua...

Page 137: ...wnloading file from remote TFTP server please wait TFTP 917 bytes received in 1 second s File downloaded successfully Download the new config cfg file to the slave switch with the member ID of 2 IRF tftp 2 2 2 2 get new config cfg slot2 flash new config cfg Download the soft version2 bin file on the TFTP server to the master and slave switch IRF tftp 2 2 2 2 get soft version2 bin File will be tran...

Page 138: ...l after the device reboots use the display version command Hotfix configuration example Network requirements The IRF virtual device in this example comprises two member devices the master and slave switches The software running on the member devices are of some problem and hotfixing is needed The patch file patch_51s bin is saved on the TFTP server The IP address of the IRF virtual device is 1 1 1...

Page 139: ...aster s storage medium Device tftp 2 2 2 2 get patch_51s bin Load the patch file patch_51s bin from the TFTP server to the root directory of the slave switch s storage medium Device tftp 2 2 2 2 get patch_51s bin slot2 flash patch_51s bin Install the patch Device system view Device patch install flash Patches will be installed Continue Y N y Do you want to continue running patches after reboot Y N...

Page 140: ...nly repeatedly outputs the log information and trap information in the terminal display but also alerts users through the LED on the device panel While you are cooling down the device in response to a high temperature alarm the temperature of the device might fluctuate in a narrow range near a high temperature threshold The device can suppress frequent alarms caused by some fluctuations After issu...

Page 141: ...ion allows you to view the current working state of a device configure running parameters and perform daily device maintenance and management Configuring the device name The device name is used to identify a device in a network In the system the device name is the same as the prompt of the CLI For example if the device name is Sysname the prompt of user view is Sysname Follow these steps to config...

Page 142: ...e commands clock datetime clock timezone and clock summer time If these three commands are not configured the display clock command displays the original system clock If you combine these three commands in different ways the system clock is displayed in the ways as shown in 0 The following describes the meanings of the parameters in the configuration column 1 indicates date time has been configure...

Page 143: ...gured 03 00 00 ss Sat 01 01 2005 If the original system clock summer offset is not in the daylight saving time range the system clock configured is the original system clock After this configuration if you disable the daylight saving the system clock becomes the system clock minus summer offset 1 and 3 If date time is not in the daylight saving time range the system clock configured is date time C...

Page 144: ... 1 00 2007 8 8 2 System clock configured 02 00 00 zone time Sat 01 01 2005 If the value of the original system clock zone offset is in the summer time range the system clock configured is the original system clock zone offset summer offset Configure clock timezone zone time add 1 and clock summer time ss one off 1 00 2005 1 1 1 00 2005 8 8 2 System clock configured 04 00 00 ss Sat 01 01 2005 1 2 a...

Page 145: ...ogs in or when a console user quits user view You can disable or enable the function as needed The following is a sample copyright statement Copyright c 2010 2011 Hewlett Packard Development Company L P Without the owner s prior written consent no decompiling or reverse engineering shall be allowed Follow these steps to enable the display of copyright information To do Use the command Remarks Ente...

Page 146: ...ulti line input mode can be achieved in the following methods Method I Press the Enter key directly after the command keywords type the banner information and finish your setting with the character The Enter and characters are not part of the banner information Method II Type a character after the command keywords at the first line and then press the Enter key Type the banner information and finis...

Page 147: ...eboot The system recovers itself through automatic reboot maintain The system stays in the current state Therefore you need to manually recover the system such as reboot the system Sometimes it is difficult for the system to recover or some prompts that are printed during the failure are lost after the reboot In this case use this method to keep the abnormal state and troubleshoot the problem Foll...

Page 148: ...called hot start which is mainly used to reboot a device in remote maintenance without performing hardware reboot of the device Follow the step below to reboot a device To do Use the command Remarks Reboot a member device or all the member devices immediately reboot slot slot number Required The slot keyword specifies a member device If it is not provided the whole device IRF is specified Availabl...

Page 149: ...art the device If you are performing file operations when the device will be rebooted the system does not execute the command for the sake of security Configuring scheduled tasks What is a scheduled task A scheduled task defines a command or a group of commands and when such commands are to be executed It allows a device to execute specified commands at a time when no person is available to mainta...

Page 150: ...r interface such as telnet ftp or ssh2 the view such as system view or quit or the user status such as super in a scheduled task does not change the configuration interface view and status of the current user When the specified time is reached the system executes the specified command in the background without displaying any prompt information except system information such as log trap and debuggi...

Page 151: ...dly only the last configuration takes effect The view must be supported by the system and the view name must be complete instead of an abbreviation Most commonly used view names include monitor for user view system for system view GigabitEthernetx x x for Ethernet interface view and Vlan interfacex for VLAN interface view A scheduled task can contain up to 10 commands If you want more than 10 comm...

Page 152: ...ure of the device might fluctuate in a narrow range near a high temperature threshold The device can suppress frequent alarms caused by some fluctuations After issuing a high temperature alarm the device does not issue another alarm if the temperature is in the range of threshold offset C to threshold C The offset might be 3 C or 5 C depending on the device model Follow these steps to configure te...

Page 153: ...nd Remarks Clear the 16 bit interface indexes saved but not in use in the current systems of all member devices reset unused porttag Required Available in user view CAUTION A confirmation is required when you execute this command If you fail to make a confirmation within 30 seconds or enter N to cancel the operation the command will not be executed Disabling password recovery capability Password r...

Page 154: ...vers Follow these steps to identify pluggable transceivers To do Use the command Remarks Display key parameters of the pluggable transceivers display transceiver interface interface type interface number begin exclude include regular expression Available for all pluggable transceivers Display part of the electrical label information of the anti spoofing transceivers customized by HP display transc...

Page 155: ... customized by HP only Displaying and maintaining device management configuration To do Use the command Remarks Display the system version information display version begin exclude include regular expression Available in any view Display the system clock information display clock begin exclude include regular expression Available in any view Display or save the operation statistics of multiple fun...

Page 156: ...play reboot type slot slot number begin exclude include regular expression Available in any view Display state of the RPS This command is available on only HP 5120 24G PoE SI Switch JG091A model display rps slot slot number rps id begin exclude include regular expression Available in any view Display the configuration of the scheduled task configured by the schedule job command display schedule jo...

Page 157: ...ing you will receive email notification of product enhancements new driver versions firmware updates and other product resources Related information Documents To find related documents browse to the Manuals page of the HP Business Support Center website http www hp com support manuals For related documentation navigate to the Networking section and select a networking category For a complete list ...

Page 158: ...eparated by vertical bars from which you select one choice multiple choices or none 1 n The argument or keyword and argument combination before the ampersand sign can be entered 1 to n times A line that starts with a pound sign is comments GUI conventions Convention Description Boldface Window names button names field names and menu items are in bold text For example the New User window appears cl...

Page 159: ... 2 features Represents an access controller a unified wired WLAN module or the switching engine on a unified wired WLAN switch Represents an access point Represents a security product such as a firewall a UTM or a load balancing or security card that is installed in a device Represents a security card such as a firewall card a load balancing card or a NetStream card Port numbering in examples The ...

Page 160: ...ng the TFTP client 96 Configuring user privilege and command levels 14 Controlling the CLI display 10 D Deleting a startup configuration file to be used at the next startup 1 17 Device management overview 134 Directory operations 100 Disabling password recovery capability 146 Displaying and maintaining a configuration file 1 18 Displaying and maintaining CLI 22 Displaying and maintaining CLI login...

Page 161: ...ile to be used at the next system startup 1 16 Storage medium operations 103 Switch software overview 1 19 T TFTP client configuration example 97 TFTP overview 95 Typing commands 6 U Undo form of a command 3 Upgrading the boot file of an IRF member switch 122 Upgrading the boot file through a system reboot 122 Upgrading the Boot ROM program through a system reboot 120 User interface overview 24 Us...

Reviews:

No comments

Brands by name

Popular brands

Load more brands