CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 13

This document describes the configuration of the services supported by the CX11x&CX31x&CX91x series switch modules. The description covers function configurations and configuration examples.
Configuring the VTY User Interface

Before logging in to the device using Telnet or SSH to maintain the device locally or remotely, a user can configure a VTY user interface to ensure device security.

Pre-configuration Tasks

Before configuring a VTY user interface, complete the following tasks:

  • Log in to the device using a terminal.

All parameters have default values except the following: the ACL number that restricts call-in and call-out permissions on the VTY interface, the authentication mode on the user interface, and the user name and password. Set these parameters according to the site requirements.

Procedure

You can perform the configuration operations in any sequence.

Configuring the Maximum Number of Concurrent VTY User Interfaces

Context

Users can configure the maximum number of concurrent VTY user interfaces to control the number of users who log in to the device at the same time. The number of VTY user interfaces equals the total number of Telnet and SSH (STelnet) users.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    user-interface maximum-vty number

    The maximum number of VTY user interfaces is set.

    By default, the maximum number of VTY user interfaces is 5.

    When the maximum number of VTY user interfaces is set to 0, no user (including the NMS user) can log in to the device using the VTY interface.

    If the configured maximum number is smaller than the original, users who are already logged in are not affected and no additional configuration is needed.

    After increasing the number of VTY user interfaces, you must configure the authentication mode for new VTY users.

  3. Run:

    commit

    The configuration is committed.

(Optional) Configuring Restrictions on ACL-based Logins on the VTY User Interface

Context

You can use an ACL to restrict login permissions on the VTY user interface. Before configuring these restrictions, run the acl command in the system view to create an ACL and enter the ACL view, and then run the rule command to add rules to the ACL.

  • The user interface supports basic ACLs (2000-2999) and advanced ACLs (3000-3999).

  • ACL rule:
    • When permit is used in the ACL rule:

      If the ACL is applied in the inbound direction, other devices that match the ACL rule can access the local device.

      If the ACL is applied in the outbound direction, the local device can access other devices that match the ACL rule.

    • When deny is used in the ACL rule:

      If the ACL is applied in the inbound direction, other devices that match the ACL rule cannot access the local device.

      If the ACL is applied in the outbound direction, the local device cannot access other devices that match the ACL rule.

    • When the ACL rule is configured but packets from other devices do not match the rule:

      If the ACL is applied in the inbound direction, other devices cannot access the local device.

      If the ACL is applied in the outbound direction, the local device cannot access other devices.

    • When the ACL contains no rule:

      If the ACL is applied in the inbound direction, any other devices can access the local device.

      If the ACL is applied in the outbound direction, the local device can access any other devices.

  • For details on how to configure the ACL, see "ACL Configuration" in the CX11x&CX31x&CX91x Series Switch Modules Configuration Guide - Security.
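The four cases above are easy to misread, in particular the difference between an ACL with no rules (every address may log in) and an ACL whose rules match nobody (no address may log in). The following Python simulator is an added example, not code from the Huawei guide: it applies the inbound-direction semantics listed above to a constructed basic ACL written in the rule syntax the acl and rule commands use. The ACL number, rule text and peer addresses are assumptions made for the example, and rules are evaluated in ascending rule-number order, which is also an assumption.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample ACL (an assumption, not taken from the page): one permit
# rule for a /24 segment and one deny rule for a single host.
SAMPLE_ACL_2001 = """\
acl number 2001
 rule 5 permit source 10.1.1.0 0.0.0.255
 rule 10 deny source 10.1.2.7 0.0.0.0
"""

RULE_RE = re.compile(
    r"^\s*rule\s+(\d+)\s+(permit|deny)(?:\s+source\s+(\S+)(?:\s+(\S+))?)?\s*$"
)


@dataclass
class Rule:
    number: int
    action: str             # "permit" or "deny"
    source: Optional[int]   # base address as an int; None means "any"
    wildcard: int           # VRP wildcard mask: 1 bits are "don't care"

    def matches(self, addr: int) -> bool:
        if self.source is None:
            return True
        care = ~self.wildcard & 0xFFFFFFFF
        return (addr & care) == (self.source & care)


def acl_type(acl_number: int) -> str:
    """Classify an ACL number by the ranges the VTY user interface accepts."""
    if 2000 <= acl_number <= 2999:
        return "basic"
    if 3000 <= acl_number <= 3999:
        return "advanced"
    raise ValueError(
        f"ACL {acl_number} is neither basic (2000-2999) nor advanced (3000-3999)"
    )


def parse_rules(acl_text: str) -> List[Rule]:
    """Parse 'rule N permit|deny [source A.B.C.D WILDCARD|any]' lines."""
    rules: List[Rule] = []
    for line in acl_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue                      # e.g. the 'acl number ...' line
        num, action, src, wc = m.groups()
        if src is None or src == "any":
            rules.append(Rule(int(num), action, None, 0xFFFFFFFF))
        else:
            base = int(ipaddress.IPv4Address(src))
            wildcard = int(ipaddress.IPv4Address(wc)) if wc else 0
            rules.append(Rule(int(num), action, base, wildcard))
    return sorted(rules, key=lambda r: r.number)


def vty_login_permitted(rules: List[Rule], peer_ip: str) -> bool:
    """Inbound-direction semantics from the page:
    - ACL with no rules: any device may log in;
    - the first matching rule decides (permit or deny);
    - rules exist but none matches: the login is refused.
    """
    if not rules:
        return True
    addr = int(ipaddress.IPv4Address(peer_ip))
    for rule in rules:
        if rule.matches(addr):
            return rule.action == "permit"
    return False


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_ACL_2001)
    for peer in ("10.1.1.25", "10.1.2.7", "192.168.1.1"):
        print(peer, "permitted" if vty_login_permitted(rules, peer) else "refused")
```

Running the block shows that 10.1.1.25 is permitted by rule 5, 10.1.2.7 is refused by rule 10, and 192.168.1.1 is refused because it matches no rule; removing both rules would make all three permitted, which is why an empty ACL applied inbound offers no protection at all.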

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    user-interface vty first-ui-number [ last-ui-number ]

    The VTY user interface view is displayed.

  3. Run:

    acl [ ipv6 ] { acl-number | acl-name } { inbound | outbound }

    ACL restrictions on VTY login permissions are configured.

    • To restrict users at a specified address or address segment from logging in to the device, use the inbound parameter.
    • To restrict users who have logged in to the device from logging in to other devices, use the outbound parameter.

  4. Run:

    commit

    The configuration is committed.

Configuring Terminal Attributes on the VTY User Interface

Context

Users can configure terminal attributes on the VTY user interface. These attributes include the timeout disconnection function, number of lines on the terminal screen, and size of the history command buffer.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    user-interface vty first-ui-number [ last-ui-number ]

    The VTY user interface view is displayed.

  3. Run:

    shell

    The VTY terminal service is enabled.

    By default, all VTY terminal services are enabled.

  4. Run:

    idle-timeout minutes [ seconds ]

    The timeout disconnection function is set.

    If no operation is performed on the device before the end of the timeout period, the terminal disconnects from the device automatically.

    By default, the timeout duration is 10 minutes.

    If the idle timeout interval is set to 0 or to a large value, the terminal remains in the login state, which creates a security risk. You are advised to run the lock command to lock the current connection when you leave it unattended.

  5. Run:

    screen-length screen-length [ temporary ]

    The number of lines displayed on the terminal screen is set.

    The temporary parameter specifies the temporary number of lines displayed on the terminal screen.

    The default number of lines displayed on the terminal screen is 24.

  6. Run:

    screen-width screen-length

    The number of columns displayed on the terminal screen is set.

    The default number of columns displayed on the terminal screen is 80. Each character is a column.

  7. Run:

    history-command max-size size-value

    The history command buffer is set.

    By default, the history command buffer can store up to 10 commands.

  8. Run:

    commit

    The configuration is committed.

Configuring the User Level on the VTY User Interface

Context

  • Users can be configured with different user levels to control the device access permission, improving device security.
  • There are 16 user levels, numbered from 0 to 15; a higher number means a higher priority.
  • User levels map to command levels. A user can run only commands at the same or a lower level.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    user-interface vty first-ui-number [ last-ui-number ]

    The VTY user interface view is displayed.

  3. Run:

    user privilege level level

    The user level is set.

    Table 1-24 describes the mapping between user levels and command levels.

    Table 1-24 Mapping between user levels and command levels

    | User Level | Command Level  | Permission    | Description |
    |------------|----------------|---------------|-------------|
    | 0          | 0              | Visit         | Commands at this level are network diagnosis commands, such as ping and tracert, and commands used to access remote devices, such as Telnet clients. |
    | 1          | 0 and 1        | Monitoring    | Commands at this level are system maintenance commands, such as display commands. NOTE: Some display commands are not at this level. For example, the display current-configuration and display saved-configuration commands are at level 3. For details about command levels, see the CX11x&CX31x&CX91x Series Switch Modules Command Reference. |
    | 2          | 0, 1, and 2    | Configuration | Commands at this level are used for service configuration. These commands include routing commands and commands at each network layer that provide network services to users. |
    | 3-15       | 0, 1, 2, and 3 | Management    | Commands at these levels are basic system operation commands that support services, including file system, FTP, TFTP, user management, command level configuration, and debugging commands. |

    • By default, users that log in to the device using the VTY interface can run commands at level 0.

    • If the user level configured in the user interface view is inconsistent with the user's own priority, the user priority takes precedence.

  4. Run:

    commit

    The configuration is committed.

Configuring the Authentication Mode for VTY Users

Context

The system provides AAA and password authentication modes to ensure device security.

Procedure

  • Configuring AAA authentication
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      user-interface vty first-ui-number [ last-ui-number ]

      The VTY user interface view is displayed.

    3. Run:

      authentication-mode aaa

      The user authentication mode is set to AAA.

    4. Run:

      quit

      The user quits the VTY user interface view.

    5. Run:

      aaa

      The AAA view is displayed.

    6. Run:

      local-user user-name password irreversible-cipher irreversible-cipher-password

      The local user name and password are configured.

    7. Run:

      local-user user-name service-type { telnet | ssh }

      The service type of the local user is set to Telnet or SSH.

    8. Run:

      quit

      The user quits the AAA view.

    9. Run:

      commit

      The configuration is committed.

  • Configuring password authentication
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      user-interface vty first-ui-number [ last-ui-number ]

      The VTY user interface view is displayed.

    3. Run:

      authentication-mode password

      The user authentication mode is set to password.

    4. Run:

      set authentication password [ cipher password ]

      The authentication password is configured.

      You can also run the set authentication password [ cipher password ] command again to change an authentication password that was previously configured on a user interface whose authentication mode is password.

      The password can be entered in plain text or cipher text. If the cipher password parameter is not specified, you enter the plain text password in interactive mode. If the cipher password parameter is specified, you can enter either a plain text or a cipher text password. Whichever form you enter, the password is saved in the configuration file in cipher text.

      Entering the password in plain text on the command line has security risks. The interactive method is recommended.

    5. Run:

      commit

      The configuration is committed.

Checking the Configurations

Context

After the VTY user interface configuration is complete, run the following commands to check the configuration.

Procedure

  • Run the display users [ all ] command to view user information for the user interface.
  • Run the display user-interface maximum-vty command to view the maximum number of VTY user interfaces.
  • Run the display user-interface vty ui-number1 [ summary ] command to view the information about the user interface.
  • Run the display aaa local-user command to view the local user list.
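Reading the display output by eye does not scale across many switch modules, and the settings this section warns about (a maximum-vty of 0, a VTY range with no authentication mode or no inbound ACL, an idle-timeout of 0, a default user level in the management range) are easy to miss in a long configuration. The following Python audit is an added example, not code from the Huawei guide: it parses a constructed excerpt of running-configuration output written in the command syntax shown in the procedures above and reports one finding per weak setting. The configuration excerpt, the VTY ranges and values in it, the 10-minute threshold and the finding texts are all assumptions made for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of a running configuration (an assumption, not taken from
# the page). It uses the command syntax from the procedures above; the VTY
# ranges, ACL number, levels and timeouts are made up for the example.
SAMPLE_CONFIG = """\
#
user-interface maximum-vty 8
#
user-interface vty 0 4
 acl 2001 inbound
 authentication-mode aaa
 user privilege level 1
 idle-timeout 5 0
#
user-interface vty 5 7
 authentication-mode password
 user privilege level 3
 idle-timeout 0 0
#
"""

# Assumed policy threshold: the page gives 10 minutes as the default idle-timeout.
MAX_IDLE_MINUTES = 10

VTY_RE = re.compile(r"^user-interface vty (\d+)(?: (\d+))?$")
MAX_VTY_RE = re.compile(r"^user-interface maximum-vty (\d+)$")


def parse_vty_config(config: str) -> Tuple[Optional[int], Dict[str, List[str]]]:
    """Split the config into the maximum-vty value and one command list per
    'user-interface vty' view, keyed by its range, for example 'vty 0 4'."""
    max_vty: Optional[int] = None
    views: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "#":        # '#' separates views in the output
            current = None
            continue
        m = MAX_VTY_RE.match(line)
        if m:
            max_vty = int(m.group(1))
            continue
        m = VTY_RE.match(line)
        if m:
            current = "vty " + " ".join(g for g in m.groups() if g)
            views[current] = []
            continue
        if current is not None and line.startswith(" "):
            views[current].append(line.strip())
    return max_vty, views


def audit_vty(config: str) -> List[str]:
    """Return one finding string per setting this section warns about."""
    findings: List[str] = []
    max_vty, views = parse_vty_config(config)
    if max_vty == 0:
        findings.append("maximum-vty 0: no user, including the NMS user, can log in over VTY")
    for name, cmds in views.items():
        # The authentication mode has no default, so a missing line is a finding.
        if not any(c.startswith("authentication-mode") for c in cmds):
            findings.append(f"{name}: no authentication-mode configured")
        if not any(re.match(r"^acl(?: ipv6)? \S+ inbound$", c) for c in cmds):
            findings.append(f"{name}: no inbound ACL restricts who may log in")
        for c in cmds:
            m = re.match(r"^idle-timeout (\d+)(?: (\d+))?$", c)
            if m:
                minutes, seconds = int(m.group(1)), int(m.group(2) or 0)
                if minutes == 0 and seconds == 0:
                    findings.append(f"{name}: idle-timeout 0 keeps idle sessions logged in")
                elif minutes > MAX_IDLE_MINUTES:
                    findings.append(
                        f"{name}: idle-timeout {minutes} min exceeds the {MAX_IDLE_MINUTES} min default"
                    )
            m = re.match(r"^user privilege level (\d+)$", c)
            if m and int(m.group(1)) >= 3:
                findings.append(
                    f"{name}: default user level {m.group(1)} is in the management range (3-15)"
                )
    return findings


if __name__ == "__main__":
    for finding in audit_vty(SAMPLE_CONFIG):
        print(finding)
```

On the sample, the vty 0 4 range passes every check, while vty 5 7 produces three findings: no inbound ACL, an idle-timeout of 0, and a default user level of 3. A maximum-vty of 0 is reported separately because it blocks all VTY logins, including the NMS user, which is usually an outage rather than a hardening measure.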
Updated: 2019-12-13

Document ID: EDOC1000041694
