1 Logging In to an Ethernet Switch

1.1 How to Log In to an Ethernet Switch

You can log in to an Ethernet switch in the following ways:

  • Local login through the Console port
  • Remote login through Telnet or SSH
  • Login through the Web-based NMS
  • Login through the NMS

1.2 User Interface Overview

1.2.1 User Interfaces Supported by the Switch

On S5120-SI Ethernet switches, the AUX port and the Console port are the same physical port; this manual refers to it as the Console port. The corresponding user interface type is the AUX user interface.

S5120-SI Ethernet switches support two types of user interfaces: the AUX user interface and the VTY user interface.

  • AUX user interface: the view used to manage and monitor users who log in through the Console port. The device provides one Console port (EIA/TIA-232 DCE). When the device is used for the first time, it must be configured through this port.
  • VTY (Virtual Type Terminal) user interface: the view used to manage and monitor users who log in through Telnet or SSH.

Table 1-1 describes the user interfaces.

Each user interface has a corresponding user interface view. In the user interface view, the network administrator can set a series of parameters, such as the authentication mode and the user level after login. When a user logs in, the session is restricted by these parameters, which allows the various user session connections to be managed in a unified way.

1.2.2 Relationship Between Users and User Interfaces

You can configure different user interfaces to monitor and manage users in different login modes. An S5120-SI Ethernet switch provides one AUX user interface and 16 VTY user interfaces. These user interfaces have no fixed mapping to users. When a user logs in, the system automatically assigns the idle user interface with the smallest number for that login mode to the user, and the entire login process is subject to the configuration in that user interface view. The user interface assigned to the same user therefore varies with the login mode and may also vary with the login time. A single user interface can be used by only one user at a time, but it is not bound to a particular user. For example, user A can log in to the switch through the VTY 0 user interface; after user A logs out, user B can log in to the switch through VTY 0. Because the system assigns whichever VTY user interface is idle, settings applied to VTY 0 alone do not govern a second concurrent session, which is assigned VTY 1; the same authentication mode and level must be applied to every VTY user interface that can be reached.

1.2.3 Switch User Interface Numbering

User interfaces can be numbered in an absolute or a relative way.

(1) Absolute numbering: the AUX user interface is numbered before the VTY user interfaces and has absolute number 0. The VTY user interfaces are numbered after the AUX user interface: the first VTY user interface has absolute number 1, the second has absolute number 2, and so on.

(2) Relative numbering takes the form user interface type + number: the AUX user interface is AUX0; the VTY user interfaces are VTY0 for the first, VTY1 for the second, and so on.
1.2.4 Common User Interface Configurations

Table 1-2 Common user interface configurations

2 Local Login Through the Console Port

2.1 Introduction to Local Login Through the Console Port

Local login through the Console port is the basic method for logging in to the switch, and it is the basis for configuring the other login methods. By default, you can log in to an S5120-SI Ethernet switch only through the Console port. Table 2-1 lists the default configuration of the Console port.

Table 2-1 Default configuration of the Console port on the switch

To log in to the Ethernet switch through the Console port, ensure that the communication parameters of the user terminal are consistent with those of the Console port. After logging in to the switch, you can configure the AUX user interface. For details, see 2.3 Configuring the Common Properties of the Console Port.

2.2 Logging In to the Switch Through the Console Port

Step 1: Set up the local configuration environment by connecting the serial port of the PC or terminal to the Console port of the Ethernet switch with a configuration cable, as shown in Figure 2-1.

Figure 2-1 Setting up the local configuration environment through the Console port

Step 2: Run a terminal emulation program (for example, HyperTerminal on Windows XP or Windows 2000) on the PC, select the serial port connected to the switch, and set the terminal communication parameters: 9600 bit/s, 8 data bits, 1 stop bit, no parity, and no flow control, as shown in Figures 2-2 to 2-4.

If your PC runs Windows Server 2003, add the HyperTerminal program through Windows Components and then log in to and manage the switch as described in this section. If your PC runs Windows Server 2008, Windows 7, Windows Vista, or another operating system without HyperTerminal, prepare third-party terminal emulation software; for how to use it, see the software's user guide or online help.

Figure 2-2 Creating a connection

Figure 2-3 Port connection Settings

Figure 2-4 Setting port communication parameters

Step 3: Power on the Ethernet switch. The self-test information of the device is displayed on the terminal. When the self-test is complete, you are prompted to press Enter, and the command line prompt is displayed, as shown in Figure 2-5.

Figure 2-5 Ethernet switch configuration page

Step 4: Type commands to configure the Ethernet switch or view its running status. You can type "?" at any time for help. For details about the configuration commands, see the related chapters of this manual.

2.3 Configuring the Common Properties of the Console Port

Table 2-2 lists the common properties of the Console port login mode.

Table 2-2 Configuring the common properties of the Console port login mode

2.4 Introduction to Console Port Login Configuration

Different Console port login configurations are required for different authentication modes. For details, see Table 2-3.

2.5 Configuring the Console Port Login Mode When the Authentication Mode Is None

2.5.1 Configuration Procedure

Table 2-4 Configuring the Console port login mode when the authentication mode is None

2.5.2 Configuration Examples

  1. Network requirements

The switch has been configured to allow users to log in through Telnet, and the current user has management level (level 3). The current user wants to configure the Console port login (the AUX user interface) as follows:

  • Users who log in to the switch through the Console port do not need to be authenticated
  • Set the command level that can be accessed from the AUX UI to level 2
  • Set the transmission rate of the Console port to 19200bit/s
  • Set a terminal screen to display 30 lines of commands
  • The history command buffer can hold 20 commands
  • Set the timeout period of AUX user interface to 6 minutes
  2. Network diagram

Figure 2-6 Networking diagram of configuring AUX UI attributes when the authentication mode is None

  3. Configuration steps

Enter system view.

<Sysname> system-view

Enter AUX user interface view.

[Sysname] user-interface aux 0

Users who log in to the switch through the Console port do not need to be authenticated.

[Sysname-ui-aux0] authentication-mode none

Set the command level that can be accessed from the AUX UI to level 2.

[Sysname-ui-aux0] user privilege level 2

Set the transmission rate of the Console port to 19200bit/s.

[Sysname-ui-aux0] speed 19200

Set a terminal screen to display 30 lines of commands.

[Sysname-ui-aux0] screen-length 30

The history command buffer can hold 20 commands.

[Sysname-ui-aux0] history-command max-size 20

Set the timeout period of AUX user interface to 6 minutes.

[Sysname-ui-aux0] idle-timeout 6

After the configuration, change the settings of the terminal emulation program on the PC, as shown in Figure 2-4, so that they are consistent with those on the switch; otherwise you can no longer log in through the Console port.

2.6 Configuring the Console Port Login Mode When the Authentication Mode Is Password

2.6.1 Configuration Procedure

Table 2-5 Configuring the Console port login mode when the authentication mode is Password

2.6.2 Configuration Examples

  1. Network requirements

The switch has been configured to allow users to log in through Telnet, and the current user has management level (level 3). The current user wants to configure the Console port login (the AUX user interface) as follows:

  • Configure Password authentication for users who log in to the switch through the Console port
  • Set the user authentication password to plain text 123456
  • Set the command level that can be accessed from the AUX UI to level 2
  • Set the transmission rate of the Console port to 19200bit/s
  • Set a terminal screen to display 30 lines of commands
  • The history command buffer can hold 20 commands
  • Set the timeout period of AUX user interface to 6 minutes
  2. Network diagram

Figure 2-7 Networking diagram of configuring AUX UI attributes when the authentication mode is Password

  3. Configuration steps

Enter system view.

<Sysname> system-view

Enter AUX user interface view.

[Sysname] user-interface aux 0

Configure Password authentication for users who log in to the switch through the Console port.

[Sysname-ui-aux0] authentication-mode password

Set the user authentication password to 123456 in plain text. (The simple keyword stores the password in clear text in the configuration file, where anyone who can read or back up the configuration can see it; prefer the cipher form and a password stronger than the one used in this example.)

[Sysname-ui-aux0] set authentication password simple 123456

Set the command level that can be accessed from the AUX UI to level 2.

[Sysname-ui-aux0] user privilege level 2

Set the transmission rate of the Console port to 19200bit/s.

[Sysname-ui-aux0] speed 19200

Set a terminal screen to display 30 lines of commands.

[Sysname-ui-aux0] screen-length 30

The history command buffer can hold 20 commands.

[Sysname-ui-aux0] history-command max-size 20

Set the timeout period of AUX user interface to 6 minutes.

[Sysname-ui-aux0] idle-timeout 6

After the configuration, change the settings of the terminal emulation program on the PC, as shown in Figure 2-4, so that they are consistent with those on the switch; otherwise you can no longer log in through the Console port.

2.7 Configuring the Console Port Login Mode When the Authentication Mode Is Scheme

2.7.1 Configuration Procedure

Table 2-6 Configuring the Console port login mode when the authentication mode is Scheme

Note that when users log in to the Ethernet switch in Scheme authentication mode, the command level they can access depends on the user level defined in the AAA scheme. When the AAA scheme uses local authentication, set the user level with the authorization-attribute level command in local user view. When the AAA scheme uses RADIUS authentication, set the user level on the RADIUS server.

For details about AAA and RADIUS, see AAA Configuration.

2.7.2 Configuration Examples

  1. Network requirements

The switch has been configured to allow users to log in through Telnet, and the current user has management level (level 3). The current user wants to configure the Console port login (the AUX user interface) as follows:

  • Set the user name of the local user to guest
  • Set the authentication password of the local user to plain text (123456)
  • Set the service type of the local user to terminal and the command level to 2
  • Scheme authentication is enabled for users who log in to the switch through the Console port
  • Set the transmission rate of the Console port to 19200bit/s
  • Set a terminal screen to display 30 lines of commands
  • The history command buffer can hold 20 commands
  • Set the timeout period of AUX user interface to 6 minutes
  2. Network diagram

Figure 2-8 Networking diagram for configuring AUX UI attributes in Scheme authentication mode

  3. Configuration steps

(1) Configuration on the switch

Enter system view.

<Sysname> system-view

Create local user guest and enter local user view.

[Sysname] local-user guest

Set the authentication password of the local user to plain text (123456).

[Sysname-luser-guest] password simple 123456

Set the service type of the local user to terminal.

[Sysname-luser-guest] service-type terminal

Set the command level that the local user can access to level 2, and return to system view.

[Sysname-luser-guest] authorization-attribute level 2
[Sysname-luser-guest] quit

Enter AUX user interface view.

[Sysname] user-interface aux 0

Scheme authentication is enabled for users who log in to the switch through the Console port.

[Sysname-ui-aux0] authentication-mode scheme

Set the transmission rate of the Console port to 19200bit/s.

[Sysname-ui-aux0] speed 19200

Set a terminal screen to display 30 lines of commands.

[Sysname-ui-aux0] screen-length 30

The history command buffer can hold 20 commands.

[Sysname-ui-aux0] history-command max-size 20

Set the timeout period of AUX user interface to 6 minutes.

[Sysname-ui-aux0] idle-timeout 6

(2) Authentication scheme configuration

Configure the authentication server by referring to AAA Configuration.

After the configuration is complete, change the settings of the terminal emulation program on the PC, as shown in Figure 2-4, so that they are consistent with those on the switch.

3 Remote Login Through Telnet/SSH

3.1 Remote Login Through Telnet

3.1.1 Introduction to Remote Login Through Telnet

S5120-SI Ethernet switches support Telnet, so users can manage and maintain the switches remotely. To log in to the switch through Telnet, you need to configure both the switch and the Telnet client. Table 3-1 lists the prerequisites.

Table 3-1 Prerequisites for logging in to the switch through Telnet

3.1.2 Setting Up the Telnet Configuration Environment

When you log in to the switch through Telnet, you can either use a PC as the Telnet client and Telnet to the switch, or Telnet from one switch to another: the local switch acts as the Telnet client and the peer switch is configured as the Telnet server.

  1. Telnetting from a terminal to the Ethernet switch

Step 1: Configure the IP address of VLAN-interface 1 of the Ethernet switch through the Console port (VLAN 1 is the default VLAN of the switch). To set up the local configuration environment, connect the serial port of the PC or terminal to the Console port of the Ethernet switch with a configuration cable, as shown in Figure 3-1.

Figure 3-1 Setting up the local configuration environment through the Console port

Run a terminal emulator on the PC (for example, the Windows 3.1 Terminal program or the HyperTerminal of Windows 95/98/NT/2000/XP) and set the terminal communication parameters: 9600 bit/s, 8 data bits, 1 stop bit, no parity, and no flow control. When the Ethernet switch is powered on, the self-test information of the switch is displayed on the PC. After the self-test is complete, you are prompted to press Enter, and a command line interface (CLI) prompt is displayed, as shown in Figure 3-2.

Figure 3-2 Ethernet switch configuration page

Run the following commands on the HyperTerminal through the Console port to set the IP address of VLAN-interface 1 to 202.38.160.92/24.

<Sysname> system-view
[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] ip address 202.38.160.92 255.255.255.0

Step 2: Before logging in to the Ethernet switch through Telnet, configure the authentication mode on the switch. For details, see 3.1.5 Telnet Login Mode When the Authentication Mode Is None, 3.1.6 Telnet Login Mode When the Authentication Mode Is Password, and 3.1.7 Telnet Login Mode When the Authentication Mode Is Scheme.

Step 3: Set up the configuration environment: connect the Ethernet port of the PC to the network that reaches VLAN 1 of the switch, as shown in Figure 3-3, and ensure that the PC is routable to the IP address of VLAN-interface 1.

Figure 3-3 Setting up the configuration environment over the LAN

Step 4: Run the Telnet program on the PC and enter the IP address of VLAN-interface 1, as shown in Figure 3-4.

Figure 3-4 Running the Telnet program

Step 5: If the authentication mode is Password, the terminal displays "Login authentication" and prompts you for the preset login password. If the password is correct, a command line prompt (for example, <Sysname>) is displayed. If "All user interfaces are used, please try later!" is displayed, too many Telnet users are connected to the Ethernet switch; connect again later. (An S5120-SI Ethernet switch allows a maximum of 16 Telnet users to log in at the same time.)

Step 6: Type commands to configure the Ethernet switch or view its running status. You can type "?" at any time for help. For details about the configuration commands, see the related chapters of this manual.

When configuring the switch through Telnet, do not delete or change the IP address of the VLAN interface through which the Telnet session is established; otherwise the Telnet connection is dropped. Telnet users who log in with password authentication can access commands at level 0 by default. For a description of the command levels, see Configuring User Levels and Command Levels in System Configuration and Maintenance. Note that Telnet carries the password and the whole session in clear text; for management over an untrusted network, use SSH instead (see 3.2 Login Over SSH).

  2. Telnetting from one Ethernet switch to another

You can Telnet from one switch to another to configure it. The local switch acts as the Telnet client and the peer switch acts as the Telnet server. If the ports connecting the two switches are on the same LAN, their IP addresses must be on the same network segment; otherwise, the two switches must be routable to each other. Figure 3-5 shows the configuration environment. After you Telnet to one Ethernet switch, you can run the telnet command on it to log in to other Ethernet switches and configure and manage them.

Figure 3-5 Logging in to another switch through the switch

Step 1: Configure the authentication mode on the switch that functions as the Telnet server. For details, see 3.1.5 Telnet Login Mode When the Authentication Mode Is None, 3.1.6 Telnet Login Mode When the Authentication Mode Is Password, and 3.1.7 Telnet Login Mode When the Authentication Mode Is Scheme.

Step 2: Log in to the Ethernet switch that functions as the Telnet client.

Step 3: On the Telnet client switch, run the following command, where XXXX is the host name or IP address of the Ethernet switch that functions as the Telnet server. If XXXX is a host name, it must be one configured with the ip host command.

<Sysname> telnet XXXX

Step 4: After login, a command line prompt is displayed. If "All user interfaces are used, please try later!" is displayed, too many users are connected to the Ethernet switch through Telnet.

Step 5: Type commands to configure the Ethernet switch or view its running status. You can type "?" at any time for help. For details about the configuration commands, see the related chapters of this manual.

3.1.3 Configuring the Common Properties of Telnet Login

Table 3-2 lists the common properties of the Telnet login mode.

Table 3-2 Common properties of the Telnet login mode

3.1.4 Introduction to Telnet Login Configuration

Different Telnet login configurations are required for different authentication modes. For details, see Table 3-3.

Table 3-3 Configuring the Telnet login authentication mode

3.1.5 Telnet Login Mode When the Authentication Mode is None

  1. The configuration process

Table 3-4 Telnet login mode when the authentication mode is None

Note that when a user logs in to the Ethernet switch with None authentication, the command level the user can access is determined by the level argument of the user privilege level command.

  2. Configuration Example

(1) Networking requirements

The current user has logged in to the switch through the AUX user interface (Console port) and has management level (level 3). The current user wants to configure Telnet login through VTY0 as follows:

  • Telnet users who log in to the switch through VTY0 do not need to be authenticated
  • Set the command level that can be accessed from the VTY0 user interface to 2
  • Set the VTY0 user interface to support Telnet
  • Set VTY0 user’s terminal screen to display 30 lines of commands on one screen
  • The VTY0 user history command buffer can hold 20 commands
  • Set the timeout period of the VTY0 user interface to 6 minutes

(2) Networking Figure 3-6 Networking diagram of configuring Telnet users whose authentication mode is None

(3) Configuration procedure

Enter system view.

<Sysname> system-view

Enter VTY0 user interface view.

[Sysname] user-interface vty 0

Telnet users who log in to the switch through VTY0 do not need authentication.

[Sysname-ui-vty0] authentication-mode none

Set the command level that can be accessed through the VTY0 user interface to 2.

[Sysname-ui-vty0] user privilege level 2

Set the VTY0 user interface to support Telnet.

[Sysname-ui-vty0] protocol inbound telnet

Set VTY0 user’s terminal screen to display 30 lines of commands on one screen.

[Sysname-ui-vty0] screen-length 30

The VTY0 user history command buffer can hold 20 commands.

[Sysname-ui-vty0] history-command max-size 20

Set the timeout period of the VTY0 user interface to 6 minutes.

[Sysname-ui-vty0] idle-timeout 6

3.1.6 Telnet Login Mode When the Authentication Mode Is Password

  1. The configuration process

Table 3-5 Telnet login mode configuration when the authentication mode is Password

Note that when a user logs in to the Ethernet switch with Password authentication, the command level the user can access is determined by the level argument of the user privilege level command.

  2. Configuration Example

(1) Networking requirements

The current user has logged in to the switch through the AUX user interface (Console port) and has management level (level 3). The current user wants to configure Telnet login through VTY0 as follows:

  • Set the Password authentication for Telnet users who log in to the switch through port VTY0
  • Set the user authentication password to plain text 123456
  • Set the command level that can be accessed from the VTY0 user interface to 2
  • Set the VTY0 user interface to support Telnet
  • Set VTY0 user’s terminal screen to display 30 lines of commands on one screen
  • The VTY0 user history command buffer can hold 20 commands
  • Set the timeout period of the VTY0 user interface to 6 minutes

(2) Networking Figure 3-7 Networking diagram of configuring the Telnet user whose authentication mode is Password

(3) Configuration procedure

Enter system view.

<Sysname> system-view

Enter VTY0 user interface view.

[Sysname] user-interface vty 0

Configure Password authentication for users who log in to the switch through VTY0.

[Sysname-ui-vty0] authentication-mode password

Set the user authentication password to 123456 in plain text. (As with the Console port example, the simple keyword stores the password in clear text in the configuration file; prefer the cipher form and a stronger password.)

[Sysname-ui-vty0] set authentication password simple 123456

Set the command level that can be accessed from the VTY0 user interface to 2.

[Sysname-ui-vty0] user privilege level 2

Set the VTY0 user interface to support Telnet.

[Sysname-ui-vty0] protocol inbound telnet

Set VTY0 user’s terminal screen to display 30 lines of commands on one screen.

[Sysname-ui-vty0] screen-length 30

The VTY0 user history command buffer can hold 20 commands.

[Sysname-ui-vty0] history-command max-size 20

Set the timeout period of the VTY0 user interface to 6 minutes.

[Sysname-ui-vty0] idle-timeout 6

3.1.7 Telnet Login Mode When the Authentication Mode Is Scheme

  1. The configuration process

Table 3-6 Telnet login mode configuration in Scheme authentication Mode

Note that when users log in to the Ethernet switch in Scheme authentication mode, the command level they can access depends on the user level defined in the AAA scheme. When the AAA scheme uses local authentication, set the user level with the authorization-attribute level command in local user view. When the AAA scheme uses RADIUS authentication, set the user level on the RADIUS server.

For details about AAA and RADIUS, see AAA Configuration.

  2. Configuration Example

(1) Networking requirements

The current user has logged in to the switch through the Console port (AUX user interface) and has management level (level 3). The current user wants to configure Telnet login through VTY0 as follows:

  • Set the user name of the local user to guest
  • Set the authentication password of the local user to plain text (123456)
  • Set the service type of the local user to Telnet and the command level to 2
  • Set Scheme authentication for Telnet users who log in to the switch through port VTY0
  • Set the VTY0 user interface to support only Telnet
  • Set VTY0 user’s terminal screen to display 30 lines of commands on one screen
  • The VTY0 user history command buffer can hold 20 commands
  • Set the timeout period of the VTY0 user interface to 6 minutes

(2) Networking Figure 3-8 Networking diagram of configuring Telnet users in Scheme authentication mode

(3) Configuration procedure

Configuration on the switch

Enter system view.

<Sysname> system-view

Create local user guest and enter local user view.

[Sysname] local-user guest

Set the authentication password of the local user to plain text (123456).

[Sysname-luser-guest] password simple 123456

Set the service type of the local user to Telnet.

[Sysname-luser-guest] service-type telnet

Set the command level that the local user can access to level 2, and return to system view.

[Sysname-luser-guest] authorization-attribute level 2
[Sysname-luser-guest] quit

Enter VTY0 user interface view.

[Sysname] user-interface vty 0

Set Scheme authentication for Telnet users who log in to the switch through port VTY0.

[Sysname-ui-vty0] authentication-mode scheme

Set the VTY0 user interface to support Telnet.

[Sysname-ui-vty0] protocol inbound telnet

Set VTY0 user’s terminal screen to display 30 lines of commands on one screen.

[Sysname-ui-vty0] screen-length 30

The VTY0 user history command buffer can hold 20 commands.

[Sysname-ui-vty0] history-command max-size 20

Set the timeout period of the VTY0 user interface to 6 minutes.

[Sysname-ui-vty0] idle-timeout 6

Authentication scheme configuration: configure the authentication server by referring to AAA Configuration.

3.2 Login Over SSH

3.2.1 Introduction to Login Over SSH

SSH is short for Secure Shell. When users log in to a device remotely over an insecure network, SSH uses encryption and strong authentication to protect the device against attacks such as IP address spoofing and interception of plaintext passwords, to which Telnet is exposed.

3.2.2 Configuring Login Over SSH

SSH login adds a secure shell on top of the VTY login used by Telnet, so the VTY user interface configuration described above still applies. For details about configuring the security functions provided by SSH, see SSH Configuration.
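The Console port examples in 2.5 to 2.7 and the Telnet examples in 3.1.5 to 3.1.7 show the three authentication modes, and 3.2 explains why SSH is preferred over Telnet. The script below is an added example; it is not part of this manual and not H3C software. It parses a Comware-style running configuration into user-interface and local-user blocks and flags the settings that weaken login security as described in those sections: no authentication on a VTY line, passwords stored with the simple keyword, Telnet still permitted where SSH could be used, a disabled idle timeout, and level-3 access granted without per-user (scheme) authentication. The sample configuration is constructed from the commands shown on this page; the user-interface vty 1 15 range form, protocol inbound ssh, idle-timeout 0 meaning "never time out", and the assumption that a missing protocol inbound line means the default all are Comware V5 details not stated on this page.

```python
"""Audit a Comware-style running configuration for weak login settings."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample built from the commands shown in this chapter.  The
# "vty 1 15" range and "protocol inbound ssh" are assumed Comware V5 syntax;
# the page itself only configures "vty 0" and "protocol inbound telnet".
SAMPLE_CONFIG = """\
#
local-user guest
 password simple 123456
 service-type telnet
 authorization-attribute level 2
#
user-interface aux 0
 authentication-mode none
 user privilege level 2
 idle-timeout 6
#
user-interface vty 0
 authentication-mode password
 set authentication password simple 123456
 user privilege level 2
 protocol inbound telnet
 idle-timeout 6
#
user-interface vty 1 15
 authentication-mode scheme
 protocol inbound ssh
 idle-timeout 0
"""

AUTH_RE = re.compile(r"^authentication-mode (none|password|scheme)$")
LEVEL_RE = re.compile(r"^user privilege level (\d)$")
PROTO_RE = re.compile(r"^protocol inbound (all|telnet|ssh)$")
IDLE_RE = re.compile(r"^idle-timeout (\d+)(?: (\d+))?$")

@dataclass(frozen=True)
class Finding:
    block: str    # config block the finding belongs to, e.g. "user-interface vty 0"
    check: str    # short name of the failed check
    detail: str

def parse_blocks(config: str) -> list[tuple[str, list[str]]]:
    """Unindented lines start a block, indented lines belong to it; '#' lines are ignored."""
    blocks: list[tuple[str, list[str]]] = []
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == "#":
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(text)
        else:
            blocks.append((text, []))
    return blocks

def audit_user_interface(header: str, lines: list[str]) -> list[Finding]:
    findings: list[Finding] = []
    def flag(check: str, detail: str) -> None:
        findings.append(Finding(header, check, detail))
    kind = header.split()[1]      # "aux" or "vty"
    auth = proto = None           # None = not explicitly configured in this block
    level = 0                     # the page: password-authenticated Telnet users get level 0 by default
    for line in lines:
        if m := AUTH_RE.match(line):
            auth = m.group(1)
        elif m := PROTO_RE.match(line):
            proto = m.group(1)
        elif m := LEVEL_RE.match(line):
            level = int(m.group(1))
        elif line.startswith("set authentication password simple "):
            flag("plaintext-line-password", "login password stored in clear text (simple)")
        elif (m := IDLE_RE.match(line)) and int(m.group(1)) == 0 and int(m.group(2) or 0) == 0:
            flag("idle-timeout-disabled", "idle sessions never expire")
    if kind == "vty":
        if auth == "none":
            flag("unauthenticated-remote-login", "authentication-mode none on a Telnet/SSH line")
        elif auth is None:
            flag("auth-mode-not-explicit", "no authentication-mode line; verify the platform default")
        if proto != "ssh":   # assumption: a missing line means the Comware default, all
            flag("telnet-permitted", f"protocol inbound {proto or 'all'} allows clear-text Telnet")
    elif auth == "none":
        flag("console-unauthenticated", "no Console authentication; needs controlled physical access")
    if level >= 3 and auth != "scheme":
        flag("shared-admin-level", "level 3 granted without per-user (scheme) authentication")
    return findings

def audit_local_user(header: str, lines: list[str]) -> list[Finding]:
    return [Finding(header, "plaintext-user-password", "password simple stores it in clear text")
            for line in lines if line.startswith("password simple ")]

def audit(config: str) -> list[Finding]:
    findings: list[Finding] = []
    for header, lines in parse_blocks(config):
        if header.startswith("user-interface "):
            findings += audit_user_interface(header, lines)
        elif header.startswith("local-user "):
            findings += audit_local_user(header, lines)
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.block:24} {f.check:30} {f.detail}")
```

Run it as a script to print the findings for the sample, or call audit() on the saved output of display current-configuration. Because the switch assigns whichever VTY user interface is idle (section 1.2.2), the checks are applied to every user-interface block, not only to vty 0; a line that is left at its defaults while vty 0 is hardened is exactly what this catches.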

4 Logging In to the Switch Through the Web-based NMS

4.1 Introduction to Logging In to the Switch Through the Web-based NMS

An S5120-SI Ethernet switch provides a built-in Web server. Users can log in to the switch from a Web-based NMS terminal (PC) and use the built-in Web server to manage and maintain the switch through an intuitive Web interface. Both the switch and the Web NMS terminal (PC) must be configured before you can log in to the switch this way. Table 4-1 lists the prerequisites.

Table 4-1 Prerequisites for logging in to a switch through the Web-based NMS

4.2 Login and Configuration Through the Web-based NMS

Table 4-2 Login and configuration through the Web-based NMS

4.3 Displaying Web Users

After the configuration is complete, you can run the display command in any view to display information about Web users and verify the configuration.

Table 4-3 Displaying Web user information

4.4 Example for Logging In Through the Web-based NMS

(1) Configure the IP address of VLAN-interface 1 on the Ethernet switch through the Console port (VLAN 1 is the default VLAN of the switch). Set up the configuration environment through the Console port; for details, see 2 Local Login Through the Console Port. Run the following commands on the HyperTerminal through the Console port to configure the IP address of VLAN-interface 1:

Set the IP address of VLAN 1 on the Ethernet switch to 10.153.17.82 and the subnet mask to 255.255.255.0.

<Sysname> system-view
[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] ip address 10.153.17.82 255.255.255.0

(2) Through the Console port, configure the Web-based NMS user name and authentication password on the Ethernet switch.

Set the Web NMS user name to admin, the authentication password to admin, and the user level to 3. (The credentials admin/admin are used for illustration only; a production switch needs a unique, strong password, and the simple keyword stores it in clear text in the configuration file.)

[Sysname] local-user admin
[Sysname-luser-admin] service-type telnet
[Sysname-luser-admin] authorization-attribute level 3
[Sysname-luser-admin] password simple admin

(3) Set up the remote configuration environment for the Web-based NMS, as shown in Figure 4-1.

Figure 4-1 Setting up the remote operating environment for the Web-based NMS

(4) Connect the PC to the switch and, in the address bar of the browser on the Web NMS terminal (PC), enter http://10.153.17.82, the address configured on VLAN-interface 1 in step (1). (The Web NMS terminal must be routable to the Ethernet switch.) The Web NMS login page is displayed, as shown in Figure 4-2.

Figure 4-2 Web NMS login page

(5) Enter the user name, password and verification code added on the switch, and click Login to log in. The initial Web NMS page is displayed.

5 Logging In Through the NMS

5.1 Overview of Logging In Through the NMS

Users can log in to the switch through a Network Management Station (NMS) and manage and configure the switch through the Agent module on the switch. The Simple Network Management Protocol (SNMP) runs between the NMS and the Agent; for details, see SNMP-RMON. To log in to the switch through the NMS, you must perform the corresponding configuration on both the NMS and the switch. Table 5-1 lists the requirements.

Table 5-1 Requirements for logging in to the switch through the NMS

5.2 Network Structure of Logging In Through the NMS

Figure 5-1 Network structure of logging in through the NMS

6 Specifying a Source IP Address for Telnet Service Packets

6.1 Introduction to Specifying a Source IP Address for Telnet Service Packets

You can specify a source IP address or source interface for the Telnet client, which improves manageability and security. Typically the specified source is a Loopback interface. With the IP address of the Loopback virtual interface as the source address of Telnet service packets, the Telnet client and Telnet server exchange packets with that address regardless of which physical interface of the switch the packets actually pass through. This hides the IP address of the actual communication interface, which helps protect against external attacks, and it gives the server a stable address to filter on: when a server restricts access to particular IP addresses, specifying the source address on the client avoids access failures caused by packets leaving with an unexpected address.

6.2 Configuring a Source IP Address for Telnet Service Packets

The source IP address can be specified in user view or in system view. The configuration in user view takes effect only for the current telnet operation, whereas the configuration in system view takes effect for all subsequent operations. The user view configuration takes precedence over the system view configuration.

  1. Configuration in the user view

Table 6-1 Specifying a source IP address for Telnet service packets in the user view

  2. Configuration in the system view

Table 6-2 Specifying a source IP address for Telnet service packets in the system view

The specified ip-address must be an address of the local device, and the specified interface must exist; if it does not, the configuration fails. If a source IP address or interface is specified, ensure that it is routable between the Telnet server and the Telnet client.

6.3 Displaying the Specified Source IP Address for Telnet Service Packets

After the configuration is complete, you can run the display command in any view to show the source IP address or source interface currently specified for Telnet service packets and so verify the configuration. Table 6-3 Displaying the specified source IP address for Telnet service packets
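The point of 6.1, that a pinned source address lets a server with address-based access control accept the client, as an added example in Python (this is not the switch's own code; the switch commands are the ones in Tables 6-1 and 6-2). It assumes a Linux host, where any 127.0.0.0/8 address can be used on the loopback interface: 127.0.0.2 plays the switch's Loopback interface address, 127.0.0.1 the address of the physical interface the stack would otherwise pick, and the server's allowlist plays the Telnet server's source-address control.

```python
"""Why a fixed source address matters for Telnet client packets.

Added example (not from the switch manual): a tiny TCP server that, like the
Telnet server's address-based control, permits only one source address; the
client then connects once with whatever address the stack picks and once
bound to the address we chose, which is what specifying a source IP address
for Telnet service packets does on the switch. Assumes Linux, where every
127.0.0.0/8 address is usable on the loopback interface (127.0.0.2 stands in
for the Loopback interface address, 127.0.0.1 for the physical interface).
"""
import socket
import threading

SERVER_ADDR = "127.0.0.1"
PERMITTED_SOURCE = "127.0.0.2"   # the only client address the server accepts


def start_server():
    """Listen on an OS-chosen port; answer PERMIT or DENY by peer address."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((SERVER_ADDR, 0))        # port 0: let the OS pick a free port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, (peer_ip, _) = srv.accept()
            except OSError:            # listening socket closed: stop
                return
            with conn:
                verdict = b"PERMIT" if peer_ip == PERMITTED_SOURCE else b"DENY"
                conn.sendall(verdict)

    threading.Thread(target=serve, daemon=True).start()
    return srv


def connect_as(server_port, source_ip=None):
    """Connect to the server. If source_ip is given, bind the client socket
    to it first: the client-side equivalent of specifying a source address
    or interface for Telnet service packets. Returns the server's verdict."""
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    with cli:
        if source_ip is not None:
            cli.bind((source_ip, 0))
        cli.settimeout(5)
        cli.connect((SERVER_ADDR, server_port))
        return cli.recv(16).decode()


def demo():
    """Same client, same server: only the pinned source address gets in."""
    srv = start_server()
    port = srv.getsockname()[1]
    try:
        unpinned = connect_as(port)                    # stack picks 127.0.0.1
        pinned = connect_as(port, PERMITTED_SOURCE)    # we pin 127.0.0.2
    finally:
        srv.close()
    return unpinned, pinned


if __name__ == "__main__":
    print(demo())   # ('DENY', 'PERMIT')
```

The bind() before connect() is the whole mechanism: the stack would otherwise pick the address of whichever interface the route to the server uses, which can change with topology, while the bound address stays the same and is the one the server's rule can be written against.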

7 Control over Login Users

7.1 Introduction to Control over Login Users

Table 7-1 lists the login modes that an S5120-SI Ethernet switch can control and the means of control for each. Table 7-1 Control over login users

7.2 Configuring Telnet Control

7.2.1 Preparing for the Configuration

Before configuring, decide the control policy for Telnet: the source IP addresses, destination IP addresses or source MAC addresses to be controlled, and whether each is to be permitted or denied. An ACL filters on packet headers only; it restricts where Telnet logins may come from and does not replace the authentication configured in the user interface view.

7.2.2 Controlling Telnet through the Source IP Address

This control is implemented with a basic ACL. Basic ACLs are numbered 2000 to 2999. For the definition of ACLs, see the ACL Configuration module in the manual. Table 7-2 Controlling Telnet by source IP address

7.2.3 Controlling Telnet by Source IP Address and Destination IP Address

This control is implemented with an advanced ACL. Advanced ACLs are numbered 3000 to 3999. For the definition of ACLs, see the ACL Configuration module in the manual. Table 7-3 Configuring advanced ACL rules

7.2.4 Controlling Telnet by Source MAC Address

This control is implemented with a Layer 2 ACL. Layer 2 ACLs are numbered 4000 to 4999. For the definition of ACLs, see the ACL Configuration module in the manual. Table 7-4 Configuring Layer 2 ACL rules

A Layer 2 ACL does not take effect when the source IP address of the Telnet client and the interface IP address of the Telnet server are on different network segments: the frame then reaches the switch through a router, so the source MAC address the switch sees is the router's, not the client's.

7.2.5 Configuration Examples

  1. Network requirements

Telnet is controlled by source IP address: only Telnet users from 10.110.100.52 and 10.110.100.46 are allowed to access the switch.

  2. Networking diagram

Figure 7-1 ACL control for Telnet users on the switch

  3. Configuration steps

Define a basic access control list.

<Sysname> system-view
[Sysname] acl number 2000 match-order config
[Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[Sysname-acl-basic-2000] rule 2 permit source 10.110.100.46 0
[Sysname-acl-basic-2000] quit

Reference the ACL to allow Telnet users whose source IP addresses are 10.110.100.52 and 10.110.100.46 to access the switch.

[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] acl 2000 inbound

7.3 Controlling Network Management Users by Source IP Address

S5120-SI Ethernet switches support remote management by network management software; NMS users access the switch through SNMP. By referencing an ACL in the SNMP configuration, you can control which source addresses may access the switch through SNMP.

7.3.1 Preparing for the Configuration

Before configuring, decide the control policy for network management users: the source IP addresses to be controlled and whether each is to be permitted or denied.

7.3.2 Controlling Network Management Users by Source IP Address

This control is implemented with a basic ACL. Basic ACLs are numbered 2000 to 2999. For the definition of ACLs, see the ACL Configuration module in the manual. Table 7-5 Controlling network management users by source IP address

7.3.3 Configuration Examples

  1. Network requirements

Only SNMP users from 10.110.100.52 and 10.110.100.46 are allowed to access the switch.

  2. Networking diagram

Figure 7-2 ACL control for SNMP users

  3. Configuration procedure

Define a basic access control list.

<Sysname> system-view
[Sysname] acl number 2000 match-order config
[Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[Sysname-acl-basic-2000] rule 2 permit source 10.110.100.46 0
[Sysname-acl-basic-2000] quit

Reference the ACL so that only SNMP users from 10.110.100.52 and 10.110.100.46 are allowed to access the switch. The ACL is bound to the community, the group and the user, so that each of these SNMP access paths is covered.

[Sysname] snmp-agent community read aaa acl 2000
[Sysname] snmp-agent group v2c groupa acl 2000
[Sysname] snmp-agent usm-user v2c usera groupa acl 2000

7.4 Controlling Web Users by Source IP Address

S5120-SI Ethernet switches support remote management through the Web; Web users access the switch through HTTP. By referencing an ACL, you can control which source addresses may access the switch through the Web.

7.4.1 Preparing for the Configuration

Before configuring, decide the control policy for Web users: the source IP addresses to be controlled and whether each is to be permitted or denied.

7.4.2 Controlling Web Users by Source IP Address

This control is implemented with a basic ACL. Basic ACLs are numbered 2000 to 2999. For the definition of ACLs, see the ACL Configuration module in the manual. Table 7-6 Controlling Web users by source IP address

7.4.3 Forcing an Online Web User Offline

A network administrator can force an online Web user offline from the CLI. Table 7-7 Forcing online Web users offline

7.4.4 Configuration Examples

  1. Network requirements

Only Web users from 10.110.100.52 are allowed to access the switch.

  2. Networking diagram

Figure 7-3 ACL control for HTTP users on the switch

  3. Configuration procedure

Define a basic access control list.

<Sysname> system-view
[Sysname] acl number 2030 match-order config
[Sysname-acl-basic-2030] rule 1 permit source 10.110.100.52 0
[Sysname-acl-basic-2030] quit

Reference the ACL so that only Web users from 10.110.100.52 are allowed to access the switch.

[Sysname] ip http acl 2030
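The three examples in 7.2.5, 7.3.3 and 7.4.4 all bind a basic ACL to a management service, and the caveat in 7.2.4 explains when a Layer 2 ACL cannot identify the client. Below is an added Python model of that matching (not the switch's code) so the effect of an ACL on a given client can be checked before it is applied. Its assumptions are taken from the examples: a basic ACL rule matches the source IPv4 address under a wildcard mask whose 0 bits must match (so "source 10.110.100.52 0" is that single host); rules are tried in configuration order and the first hit decides (match-order config); and a login that matches no rule is refused, which is what makes an ACL holding only permit rules an allowlist. The MAC addresses and the 192.168.1.52 client are constructed for the example.

```python
"""Source-address login control modelled on the switch's ACL examples.

Added example, not code from the manual. Assumptions (inferred from the
worked examples): wildcard bit 1 = ignore, bit 0 = must match; first
matching rule wins; no match = deny. All MACs and the off-segment client
address are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    source: str            # dotted IPv4 address
    wildcard: str = "0"    # Comware shorthand: "0" means 0.0.0.0 (exact host)


def wildcard_match(addr, rule_addr, wildcard):
    """Wildcard semantics: a 1 bit in the wildcard is ignored, a 0 bit must match."""
    if wildcard == "0":
        wildcard = "0.0.0.0"
    a, r, w = (int(IPv4Address(x)) for x in (addr, rule_addr, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == r & care


def login_decision(acl, src_ip):
    """First matching rule decides; a login matching no rule is refused."""
    for rule in acl:
        if wildcard_match(src_ip, rule.source, rule.wildcard):
            return rule.action
    return "deny"


# ACLs exactly as the manual's examples define them.
ACL_2000 = (Rule("permit", "10.110.100.52"), Rule("permit", "10.110.100.46"))
ACL_2030 = (Rule("permit", "10.110.100.52"),)

# Bindings from the examples: vty 0-4, the SNMP community/group/user and the
# HTTP server each reference one ACL.
BINDINGS = {"telnet": ACL_2000, "snmp": ACL_2000, "http": ACL_2030}


def service_decisions(src_ip):
    """Which management services a client with this source address may use."""
    return {svc: login_decision(acl, src_ip) for svc, acl in BINDINGS.items()}


# --- Layer 2 ACL (4000-4999): source-MAC control only works on-segment ---

def source_mac_seen_by_switch(client_ip, client_mac, switch_ip, prefix_len,
                              gateway_mac):
    """Source MAC in the frame the switch receives: the client's own MAC if
    the client is on the switch's segment, otherwise the last-hop router's."""
    segment = IPv4Network(f"{switch_ip}/{prefix_len}", strict=False)
    if IPv4Address(client_ip) in segment:
        return client_mac.lower()
    return gateway_mac.lower()


def l2_login_decision(permitted_macs, src_mac):
    """Layer 2 ACL holding only permit rules for the listed source MACs."""
    allowed = {m.lower() for m in permitted_macs}
    return "permit" if src_mac.lower() in allowed else "deny"


if __name__ == "__main__":
    print(service_decisions("10.110.100.52"))   # all three permitted
    print(service_decisions("10.110.100.46"))   # telnet and snmp only
    print(service_decisions("10.110.100.53"))   # everything denied
    # A /24 wildcard typed by mistake turns a host rule into a subnet rule.
    print(login_decision((Rule("permit", "10.110.100.0", "0.0.0.255"),),
                         "10.110.100.99"))      # permit
    # Layer 2 control: the same client on the switch's segment and behind a router.
    client_mac, gw_mac = "00-e0-fc-00-00-01", "00-e0-fc-aa-aa-aa"
    seen = source_mac_seen_by_switch("10.110.100.52", client_mac,
                                     "10.110.100.1", 24, gw_mac)
    print(l2_login_decision([client_mac], seen))   # permit
    seen = source_mac_seen_by_switch("192.168.1.52", client_mac,
                                     "10.110.100.1", 24, gw_mac)
    print(l2_login_decision([client_mac], seen))   # deny: switch saw the router's MAC
```

Two things worth checking with it before applying an ACL on the switch: that a host rule really carries a wildcard of 0 (a wildcard of 0.0.0.255 silently widens the permit to the whole /24), and that a deny rule placed before a narrower permit does not shadow it, since with match-order config the first hit wins.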