S Series Switches Typical Configuration Examples
2 Typical Login Configuration
Configuration Notes
• Prepare a console cable. If you use a laptop or a PC without a serial port, prepare a USB-to-serial cable and install the driver stored on the CD-ROM (delivered with the cable) according to its instructions.
• Install terminal emulation software on the PC. You can use the HyperTerminal built into Windows 2000. If no built-in terminal emulation software is available, obtain terminal emulation software; for details on how to use it, see its usage guide or online help. The third-party software SecureCRT is used as an example here.
• This example applies to switches that support the console interface.
NOTE
The following uses the command lines and outputs of the S7700 running V200R006C00 as an example.
Networking Requirements
The IT maintenance department of a company purchases S series switches, which are
configured by network administrators. A network administrator usually logs in to a new
switch through a console port and then performs initial configurations.
As shown in Figure 2-1, the serial port of a PC is connected to the console port of the Switch
through a console cable. The user wants to log in to the Switch through the console port and
requires local authentication upon the next login. To facilitate remote maintenance on the
Switch, the user wants to configure the Telnet function.
Figure 2-1 Networking diagram for configuring switch login through a console port (diagram not reproduced: the serial port of the PC is connected by a console cable to the console port of the Switch, whose address is 10.1.1.1/24)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure terminal emulation software, set the connected port and communication
parameters, and log in to the Switch.
2. Configure basic information for the Switch, including the date, time, time zone, and
name, to facilitate management.
3. Configure an authentication mode for the console user interface so that the user is
authenticated upon the next login through the console port.
4. Configure the management IP address and Telnet to facilitate remote maintenance on the
Switch.
Procedure
Step 1 Connect the DB9 female connector of the console cable to the serial port (COM) on the PC,
and connect the RJ45 connector to the console port on the switch, as shown in Figure 2-2.
NOTE
• If you use a laptop or a PC without a serial port, prepare a USB-to-serial cable. Install the driver stored on the CD-ROM (delivered with the cable) according to its instructions, connect the USB-DB9 female connector of the cable to the USB port on the PC, and connect the RJ-45 connector to the console port on the switch.
• If the switch has two MPUs, you can log in to the switch through the console port on either MPU.
Communication parameters (figure not reproduced; recovered values): Data bits 8, Stop bits 1.
2. Set the connected port and communication parameters, as shown in Figure 2-4.
Select the connected port based on actual situations. For example, you can view port
information in Device Manager in the Windows operating system, and select the
connected port.
NOTE
By default, no flow control mode is configured on the switch. Because RTS/CTS is selected in the
software by default, you need to deselect RTS/CTS; otherwise, you cannot enter commands.
3. Click Connect. In V200R009 and earlier versions, the following information will be
displayed, prompting you to configure a login password. There is no default password
for first login. You need to configure a login password. (The following output is only for
reference.)
An initial password is required for the first login via the console.
Continue to set it? [Y/N]: y //Configure the login password.
Set a password and keep it safe. Otherwise you will not be able to login via
the console.
In V200R010 and later versions, the system prompts you to enter the user name and
password. The default user name for first login is admin and password is
admin@huawei.com. You must reconfigure the password during first login. If you have
already configured a password, use it for subsequent logins. (The following output is
only for reference.)
Login authentication
Username:admin
Password: //Enter the default password admin@huawei.com.
Warning: The default password poses security risks.
The password needs to be changed. Change now? [Y/N]: y //Change the login
password.
Please enter old password: //Enter the default password admin@huawei.com.
Please enter new password: //Enter the new password.
NOTE
The time zone varies depending on the location of a switch. Set the time zone based on the site requirements.
The following information is only for reference.
<HUAWEI> clock timezone BJ add 08:00:00 //BJ is the name of the time zone, and add 08:00:00 means the local time is UTC (the system default) plus 8 hours.
<HUAWEI> clock datetime 10:10:00 2014-07-26 //Set the current date and time.
Before setting the current time, check the time zone and set a correct time zone
offset to ensure the correct local time.
<HUAWEI> system-view
[HUAWEI] sysname Switch //Set the switch name to Switch.
Step 4 Configure an authentication mode for the console user interface. (In V200R010 and later
versions, the default authentication mode for the console user interface is AAA
authentication. The method of changing the authentication mode is similar and is not provided
here.)
# Set the authentication mode of the console interface to AAA, and create a local user.
[Switch] user-interface console 0
[Switch-ui-console0] authentication-mode aaa //Set the authentication mode of
the user to AAA.
[Switch-ui-console0] quit
[Switch] aaa
[Switch-aaa] local-user admin1234 password irreversible-cipher
Helloworld@6789 //Create a local user named admin1234 and set its password to
Helloworld@6789. Versions earlier than V200R003 support only the cipher keyword
but do not support irreversible-cipher.
[Switch-aaa] local-user admin1234 privilege level 15 //Set the user level to
15.
[Switch-aaa] local-user admin1234 service-type terminal //Set the access type
to terminal, that is, console user.
[Switch-aaa] quit
When logging in to the switch again through the console port after completing the
configuration, you need to enter the user name and authentication password configured in the
preceding steps to pass identity authentication and log in to the switch successfully. You can
also log in to the switch using Telnet.
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10
#
telnet server enable
#
clock timezone BJ add 08:00:00
#
aaa
local-user admin123 password irreversible-cipher %^%#}+ysUO*B&+p'NRQR0{ZW7[GA*Z*!X@o:Va15dxQAj+,$>NP>63de|G~ws,9G%^%#
local-user admin123 privilege level 15
local-user admin123 service-type telnet
local-user admin1234 password irreversible-cipher %^%#}+ysUO*B&+p'NRQR0{ZW7[GA*Z*!X@o:Va15dxQAj+,$>NP>63de|G~ws,9G%^%#
local-user admin1234 privilege level 15
local-user admin1234 service-type terminal
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/10
port link-type access
port default vlan 10
#
user-interface con 0
authentication-mode aaa
user-interface vty 0 4
authentication-mode aaa
user privilege level 15
#
return
An Access Control List (ACL) is a packet filter that filters packets based on rules. One or
more rules describe the packet matching conditions, such as the source address, destination
address, and port number of packets. For packets that match the ACL rules configured on a
device, the device forwards or discards these packets according to the policies used by the
service module to which the ACL is applied.
RADIUS uses the client/server model in distributed mode and protects a network against
unauthorized access. It is often used on networks that require high security and remote user
access control. After Telnet login based on RADIUS authentication is configured, a switch
sends the user name and password of a login user to the RADIUS server. The RADIUS server
then authenticates the user and records the user operations, ensuring network security.
If ACLs and RADIUS authentication are both configured, packets matching ACL rules reach
an upper-layer module and then are authenticated in RADIUS mode based on the user name
and password. The Telnet login mode based on ACL rules and RADIUS authentication
therefore ensures network security.
Configuration Notes
• Telnet is an insecure protocol. Using STelnet V2 is recommended.
• Ensure that the user terminal has reachable routes to the switch and the RADIUS server.
• Ensure that the IP address, port number, and shared key of the RADIUS server are configured correctly on the switch and are the same as those on the RADIUS server.
• Ensure that a user has been configured on the RADIUS server. In this example, the user admin@huawei.com (in the format user name@domain name) with password Huawei@1234 has been configured.
• This example applies to all versions of all S series switches.
NOTE
The following uses the command lines and outputs of the S7700 running V200R006C00 as an example.
Networking Requirements
The network administrator requires remote management and maintenance on a switch and
high network security for protecting the network against unauthorized access. To meet the
requirements, configure Telnet login based on ACL rules and RADIUS authentication.
As shown in Figure 2-5, the Switch has reachable routes to the administrator and the
RADIUS server. The IP address and port number of the RADIUS server are 10.2.1.1/24 and
1812 respectively.
Figure 2-5 Networking diagram for configuring Telnet login based on ACL rules and RADIUS authentication (diagram not reproduced: the Administrator at 10.137.217.177/24 and the RADIUS Server at 10.2.1.1/24 reach the Switch, 10.1.1.1/24, over the network)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the Telnet protocol so that users can log in to the Switch using Telnet.
2. Configure an ACL rule to ensure that only users matching the ACL rule can log in to the
Switch.
3. Configure the RADIUS protocol to implement RADIUS authentication. After the
configuration is complete, you can use the user name and password configured on the
RADIUS server to log in to the Switch using Telnet, ensuring user login security.
Procedure
Step 1 Configure Telnet login.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] telnet server enable
[Switch] user-interface vty 0 14 //Enter the user interface views of VTY 0 to
VTY 14.
[Switch-ui-vty0-14] protocol inbound telnet //Configure the VTY user interface
to support Telnet. By default, switches in V200R006 and earlier versions support
Telnet, and switches in V200R007 and later versions support SSH.
[Switch-ui-vty0-14] authentication-mode aaa //Set the authentication mode of
users in VTY 0 to VTY 14 to AAA.
[Switch-ui-vty0-14] user privilege level 15 //Set the level of users in VTY 0
to VTY 14 to 15.
[Switch-ui-vty0-14] quit
[Switch-ui-vty0-14] acl 2008 inbound //Allow only users matching ACL 2008 in
VTY 0 to VTY 14 to log in to the switch.
[Switch-ui-vty0-14] quit
# Configure a RADIUS server template on the Switch to implement communication with the
RADIUS server.
[Switch] radius-server template 1 //Enter the RADIUS server template view.
[Switch-radius-1] radius-server authentication 10.2.1.1 1812 //Configure the
RADIUS server.
[Switch-radius-1] radius-server shared-key cipher Huawei@6789 //Set the shared
key of the RADIUS server to Huawei@6789.
[Switch-radius-1] quit
NOTE
If the RADIUS server does not support a user name containing the domain name, run the undo radius-server user-name domain-included command to configure the Switch to send packets carrying a user name without the domain name to the RADIUS server.
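The following Python script is an added example, not code from the page or from Huawei, of the exchange that the RADIUS server template above sets up. It builds the Access-Request a switch (the NAS) sends to the server for a Telnet login, hides the password as RFC 2865 prescribes using the shared key and the Request Authenticator, lets a simulated server check the credentials against a user table containing the admin@huawei.com / Huawei@1234 user from the Configuration Notes, and then verifies the Response Authenticator on the switch side. Only the standard library is used; the packet identifier, the server's user table and all function names are the example's own. Running it shows why the shared key must be identical on both ends: with different keys the server cannot recover the password and, more importantly, its reply fails the authenticator check, so the switch treats it as unverified rather than as a genuine reject. It also shows the effect of the user-name domain note: the switch sends admin@huawei.com, so a bare admin is unknown to the server.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

# Constructed user table standing in for the RADIUS server's database.
RADIUS_USERS = {"admin@huawei.com": "Huawei@1234"}


def _attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the Request Authenticator seeds the chain."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password; the zero padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, key)), block
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, username: str, password: str,
                         secret: bytes, nas_ip: str) -> bytes:
    """What the switch sends to the RADIUS server (10.2.1.1:1812 on this page) for a login."""
    request_auth = os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the TLV attributes that follow the 20-byte header."""
    attrs, pos, length = {}, 20, struct.unpack("!H", packet[2:4])[0]
    while pos < length:
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


def server_respond(request: bytes, secret: bytes, users: dict) -> bytes:
    """RADIUS server: check the credentials and sign the reply with
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _code, identifier, _length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attributes(request)
    username = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    supplied = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    expected = users.get(username)
    accepted = expected is not None and hmac.compare_digest(expected.encode(), supplied)
    header = struct.pack("!BBH", ACCESS_ACCEPT if accepted else ACCESS_REJECT, identifier, 20)
    return header + hashlib.md5(header + request_auth + secret).digest()


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Switch side: a reply only counts if its authenticator checks out under the switch's key."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def telnet_login(username: str, password: str, nas_secret: bytes,
                 server_secret: bytes, users: dict) -> str:
    """Simulate one login; returns 'accept', 'reject', or 'unverified' (authenticator mismatch)."""
    request = build_access_request(7, username, password, nas_secret, "10.1.1.1")
    response = server_respond(request, server_secret, users)
    if not verify_response(response, request, nas_secret):
        return "unverified"
    return "accept" if response[0] == ACCESS_ACCEPT else "reject"


if __name__ == "__main__":
    key = b"Huawei@6789"
    print("matching keys, right password:", telnet_login("admin@huawei.com", "Huawei@1234", key, key, RADIUS_USERS))
    print("matching keys, wrong password:", telnet_login("admin@huawei.com", "nope", key, key, RADIUS_USERS))
    print("name without domain:         ", telnet_login("admin", "Huawei@1234", key, key, RADIUS_USERS))
    print("mismatched shared keys:      ", telnet_login("admin@huawei.com", "Huawei@1234", key, b"other", RADIUS_USERS))
```

The password hiding is MD5-based obfuscation, not encryption; the shared key is the only thing protecting it, which is why the Configuration Notes insist on a correctly configured key and the page recommends STelnet over Telnet for the client leg.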
# Configure an AAA authentication scheme, with the authentication mode being RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme sch1 //Create an authentication scheme
named sch1.
[Switch-aaa-authen-sch1] authentication-mode radius //Set the authentication
mode to RADIUS.
[Switch-aaa-authen-sch1] quit
# Create a domain, and apply the AAA authentication scheme and RADIUS server template
in the domain.
[Switch-aaa] domain huawei.com //Create a domain named huawei.com and enter
the domain view.
[Switch-aaa-domain-huawei.com] authentication-scheme sch1 //Configure the
authentication scheme sch1 for the domain.
[Switch-aaa-domain-huawei.com] radius-server 1 //Apply the RADIUS server
template 1 to the domain.
[Switch-aaa-domain-huawei.com] quit
[Switch-aaa] quit
# Configure the domain huawei.com as the default global management domain so that an
administrator does not need to enter the domain name for logging in to the Switch.
[Switch] domain huawei.com admin
Choose Start > Run as an administrator. Enter cmd to open the Windows Command Prompt
window. Type telnet 10.1.1.1, and press Enter.
C:\Documents and Settings\Administrator> telnet 10.1.1.1
In the login interface, type the user name admin and password Huawei@1234 as prompted
and press Enter. Authentication succeeds, and you successfully log in to the Switch using
Telnet. (The following information is only for reference.)
Login authentication
Username:admin
Password:
Info: The max number of VTY users is 8, and the number
of current VTY users on line is 2.
The current login time is 2014-07-30 09:54:02+08:00.
<Switch>
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
domain huawei.com admin
#
telnet server enable
#
radius-server template 1
radius-server shared-key cipher %^%#}+ysUO*B&+p'NRQR0{ZW7[GA*Z*!X@o:Va15dxQAj+,$>NP>63de|G~ws,9G%^%#
radius-server authentication 10.2.1.1 1812 weight 80
#
acl number 2008
rule 5 permit source 10.137.217.177 0
#
aaa
authentication-scheme sch1
authentication-mode radius
domain huawei.com
authentication-scheme sch1
radius-server 1
#
user-interface vty 0 14
acl 2008 inbound
authentication-mode aaa
user privilege level 15
protocol inbound telnet
#
return
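ACL 2008 in the configuration file above permits exactly one source host, because the wildcard 0 means every bit of the address must match. The Python below is an added example, not Huawei code, that parses basic ACL rule lines of that form and applies the wildcard-mask test the switch performs on a VTY connection before the RADIUS authentication step: a 1 bit in the wildcard means "do not care". It goes beyond the page's single rule by handling a /24 wildcard, a deny-before-permit ordering and source any. Rules are evaluated in ascending rule-ID order, which is assumed here to mirror the switch's default config match order; the page does not say how the switch treats a source that matches no rule, so that default is an explicit parameter (rejected unless told otherwise). The sample ACL text is constructed.

```python
import ipaddress
import re

RULE_RE = re.compile(r"^rule\s+(\d+)\s+(permit|deny)\s+source\s+(\S+)(?:\s+(\S+))?$")

# Constructed sample: rule 5 is the one from the configuration file above; rules 10
# and 20 are added to show a deny-before-permit pattern with a /24 wildcard.
SAMPLE_ACL = """\
acl number 2008
 rule 5 permit source 10.137.217.177 0
 rule 10 deny source 10.137.217.250 0
 rule 20 permit source 10.137.217.0 0.0.0.255
"""


def _ip_int(text: str) -> int:
    """Dotted quad to int; the CLI also accepts the shorthand 0 for the wildcard 0.0.0.0."""
    return 0 if text == "0" else int(ipaddress.IPv4Address(text))


def parse_acl(text: str):
    """Parse the rule lines of a basic (source-address) ACL into
    (rule_id, action, address, wildcard) tuples sorted by rule ID."""
    rules = []
    for raw in text.splitlines():
        m = RULE_RE.match(raw.strip())
        if not m:
            continue  # the 'acl number' header and unrelated lines are skipped
        rule_id, action, addr, wild = m.groups()
        if addr == "any":
            addr_int, wild_int = 0, 0xFFFFFFFF
        else:
            addr_int, wild_int = _ip_int(addr), _ip_int(wild or "0")
        rules.append((int(rule_id), action, addr_int, wild_int))
    return sorted(rules)


def rule_matches(addr_int: int, wild_int: int, source: str) -> bool:
    """Wildcard-mask match: both addresses must agree on every bit where the wildcard is 0."""
    care = ~wild_int & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(source)) & care) == (addr_int & care)


def acl_decision(rules, source: str):
    """First matching rule wins; returns 'permit', 'deny', or None when nothing matches."""
    for _rule_id, action, addr_int, wild_int in rules:
        if rule_matches(addr_int, wild_int, source):
            return action
    return None


def vty_login_permitted(rules, source: str, unmatched_permits: bool = False) -> bool:
    """Gate for the 'acl 2008 inbound' step. The treatment of an unmatched source is an
    assumption (reject by default) made explicit through the parameter."""
    decision = acl_decision(rules, source)
    if decision is None:
        return unmatched_permits
    return decision == "permit"


if __name__ == "__main__":
    rules = parse_acl(SAMPLE_ACL)
    for src in ("10.137.217.177", "10.137.217.250", "10.137.217.9", "10.137.218.9"):
        print(src, acl_decision(rules, src), vty_login_permitted(rules, src))
```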
RADIUS uses the client/server model in distributed mode and protects a network against
unauthorized access. It is often used on networks that require high security and remote user
access control. After STelnet login based on RADIUS authentication is configured, a switch
sends the user name and password of a login user to the RADIUS server. The RADIUS server
then authenticates the user and records the user operations, ensuring network security.
Configuration Notes
• STelnet V1 is an insecure protocol. Using STelnet V2 is recommended.
• Ensure that SSH client software for logging in to the SSH server is installed on the user terminal before configuring STelnet login. In this example, the third-party software PuTTY is used.
• Ensure that the user terminal has reachable routes to the switch and the RADIUS server.
• Ensure that the IP address, port number, and shared key of the RADIUS server are configured correctly on the switch and are the same as those on the RADIUS server.
• Ensure that a user has been configured on the RADIUS server. In this example, the user admin@huawei.com (in the format user name@domain name) with password Huawei@1234 has been configured.
• This example applies to all versions of all S series switches.
NOTE
The following uses the command lines and outputs of the S7700 running V200R006C00 as an example.
Networking Requirements
The network administrator requires remote login to a switch and high network security for
protecting the network against unauthorized access. To meet the requirements, configure
STelnet login based on RADIUS authentication.
As shown in Figure 2-6, the Switch functions as the SSH server and has a reachable route to
the RADIUS server. The IP address and port number of the RADIUS server are 10.2.1.1/24
and 1812 respectively.
Figure 2-6 Networking diagram for configuring STelnet login based on RADIUS authentication (diagram not reproduced: the Administrator at 10.137.217.177/24 and the RADIUS Server at 10.2.1.1/24 reach the Switch, 10.1.1.1/24, over the network)
Configuration Roadmap
The configuration roadmap is as follows:
1. Generate a local key pair on the SSH server to implement secure data exchange between
the server and client.
2. Configure the STelnet protocol so that users can log in to the Switch using STelnet.
3. Configure the RADIUS protocol to implement RADIUS authentication. After the
configuration is complete, you can use the user name and password configured on the
RADIUS server to log in to the Switch using STelnet, ensuring user login security.
Procedure
Step 1 Configure STelnet login.
# Generate a local key pair on the server.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] dsa local-key-pair create //Generate a local DSA key pair.
Info: The key name will be: HUAWEI_Host_DSA.
Info: The key modulus can be any one of the following : 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.
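When the administrator first connects with PuTTY (the client named in the Configuration Notes), the client shows a fingerprint of the host key generated above and asks whether to trust it. The Python below is an added example, not from the page or from Huawei, of how that fingerprint is derived from the public key, so it can be compared with a fingerprint obtained over the console before the connection is accepted; it encodes and parses the OpenSSH text form of a DSA key, produces the SHA256 fingerprint modern clients print and the older MD5 form, and does a constant-time comparison against a recorded value. The four integers used as the DSA parameters are constructed and are not a valid key; only the encoding and fingerprint logic matter. One practitioner caveat on the key type itself: OpenSSH has disabled ssh-dss host keys by default since version 7.0, so clients based on it may refuse a DSA-only server.

```python
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes (RFC 4251)."""
    return struct.pack("!I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """SSH wire 'mpint': big-endian magnitude with a leading 0x00 when the top bit is set."""
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def encode_openssh_public_key(key_type: str, mpints, comment: str = "") -> str:
    """Build the one-line 'ssh-dss AAAA... comment' form a client stores in known_hosts."""
    blob = _ssh_string(key_type.encode()) + b"".join(_ssh_mpint(m) for m in mpints)
    line = f"{key_type} {base64.b64encode(blob).decode()}"
    return f"{line} {comment}" if comment else line


def parse_openssh_public_key(line: str):
    """Decode the base64 blob back into (key_type, [integers]); for ssh-dss those are p, q, g, y."""
    fields = line.split()
    key_type, blob = fields[0], base64.b64decode(fields[1])
    parts, pos = [], 0
    while pos < len(blob):
        (n,) = struct.unpack("!I", blob[pos:pos + 4])
        parts.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    if parts[0].decode() != key_type:
        raise ValueError("key type in the text form does not match the encoded blob")
    return key_type, [int.from_bytes(p, "big") for p in parts[1:]]


def sha256_fingerprint(line: str) -> str:
    """Fingerprint as modern OpenSSH and PuTTY print it: SHA256 of the raw blob, base64 without padding."""
    blob = base64.b64decode(line.split()[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def md5_fingerprint(line: str) -> str:
    """Older colon-separated MD5 form, still shown by some clients."""
    blob = base64.b64decode(line.split()[1])
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def fingerprint_matches(line: str, expected: str) -> bool:
    """The first-connection check: compare against the fingerprint recorded out of band."""
    return hmac.compare_digest(sha256_fingerprint(line), expected)


# Constructed demo key: four arbitrary 256-bit integers stand in for the DSA p, q, g, y
# values. They are NOT a valid DSA key; only the encoding and fingerprint logic matter here.
DEMO_MPINTS = [int.from_bytes(hashlib.sha256(tag).digest(), "big") for tag in (b"p", b"q", b"g", b"y")]
DEMO_KEY_LINE = encode_openssh_public_key("ssh-dss", DEMO_MPINTS, "HUAWEI_Host_DSA")

if __name__ == "__main__":
    print(DEMO_KEY_LINE)
    print(sha256_fingerprint(DEMO_KEY_LINE))
    print(md5_fingerprint(DEMO_KEY_LINE))
```

Any change to the key material, such as a different host answering on 10.1.1.1, changes the fingerprint, which is what the comparison in fingerprint_matches is meant to catch.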
# Set the authentication mode of the SSH user admin to password authentication, and service
type to STelnet.
[Switch] ssh user admin authentication-type password //Set the authentication
of the SSH user admin to password authentication.
[Switch] ssh user admin service-type stelnet //Set the service type of the SSH
user admin to STelnet.
NOTE
To configure password authentication for multiple SSH users, run the ssh authentication-type default
password command to specify password authentication as the default authentication mode of SSH
users. After this configuration is complete, you do not need to configure the authentication mode and
service type for each SSH user, simplifying configuration and improving efficiency.
NOTE
If the RADIUS server does not support a user name containing the domain name, run the undo radius-server user-name domain-included command to configure the Switch to send packets carrying a user name without the domain name to the RADIUS server.
# Configure an AAA authentication scheme, with the authentication mode being RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme sch1 //Create an authentication scheme
named sch1.
[Switch-aaa-authen-sch1] authentication-mode radius //Set the authentication
mode to RADIUS.
[Switch-aaa-authen-sch1] quit
# Create a domain, and apply the AAA authentication scheme and RADIUS server template
in the domain.
[Switch-aaa] domain huawei.com //Create a domain named huawei.com and enter
the domain view.
[Switch-aaa-domain-huawei.com] authentication-scheme sch1 //Configure the
authentication scheme sch1 for the domain.
[Switch-aaa-domain-huawei.com] radius-server 1 //Apply the RADIUS server
template 1 to the domain.
[Switch-aaa-domain-huawei.com] quit
[Switch-aaa] quit
# Configure the domain huawei.com as the default global management domain so that an
administrator does not need to enter the domain name for logging in to the Switch.
[Switch] domain huawei.com admin
# Click Open. In the login interface, type the user name admin and password Huawei@1234
as prompted and press Enter. Authentication succeeds, and you successfully log in to the
Switch using STelnet. (The following information is only for reference.)
login as: admin
password:
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
domain huawei.com admin
#
radius-server template 1
radius-server shared-key cipher %^%#}+ysUO*B&+p'NRQR0{ZW7[GA*Z*!X@o:Va15dxQAj+,$>NP>63de|G~ws,9G%^%#
radius-server authentication 10.2.1.1 1812 weight 80
#
aaa
authentication-scheme sch1
authentication-mode radius
domain huawei.com
authentication-scheme sch1
radius-server 1
#
user-interface vty 0 14
authentication-mode aaa
user privilege level 15
#
stelnet server enable
ssh user admin
ssh user admin authentication-type password
ssh user admin service-type stelnet
#
return
Table 2-2 Factory settings of web page files for fixed switches
Product Model | V100R006C05 | V200R001 | V200R002 | V200R003 | V200R005
Table 2-3 Factory settings of web page files for modular switches
Product Model | V200R001 | V200R002 | V200R003 | V200R005
S7700 | The storage medium does not contain a web page file. | A web page file is saved in the storage medium, but is not loaded. | A web page file is saved in the storage medium, and is loaded. | The system software contains a web page file that is loaded.
S9700 | The storage medium does not contain a web page file. | A web page file is saved in the storage medium, but is not loaded. | A web page file is saved in the storage medium, and is loaded. | The system software contains a web page file that is loaded.
NOTE
A hyphen (-) indicates that the version is not available for the model.
Configuration Notes
This example applies to V200R001 of all S series switches.
NOTE
The following uses the command lines and outputs of the S5700EI running V200R001C00 as an
example.
Networking Requirements
As shown in Figure 2-8, a switch functions as the HTTPS server. The user wants to log in to
the web system using HTTPS to manage and maintain the switch. The user has obtained the
server digital certificate 1_servercert_pem_dsa.pem and private key file
1_serverkey_pem_dsa.pem from the CA.
Figure 2-8 Networking diagram for configuring switch login through the web system (diagram not reproduced: the PC reaches HTTPS_Server, 192.168.0.1/24, over the network)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a management IP address for remotely transferring files and logging in to the
switch through the web system.
2. Upload the required files to the HTTPS server through FTP, including the web page file,
server digital certificate, and private key file.
3. Load the web page file and digital certificate.
4. Bind an SSL policy and enable the HTTPS service.
5. Configure a web user and enter the web system login page.
NOTICE
FTP is an insecure protocol. Using SFTP V2, SCP, or FTPS is recommended.
Procedure
Step 1 Obtain the web page file.
The following methods are available:
• Obtain the web page file from a Huawei agent.
• Download the web page file from the Huawei enterprise technical support website (http://support.huawei.com/enterprise). In V200R001, the web page file is named in the format product name-software version.web page file version.web.zip.
NOTE
Check whether the size of the obtained web page file is the same as the file size displayed on the
website. If not, an exception may occur during file download. Download the file again.
Step 3 Upload the web page file and digital certificate to the HTTPS server through FTP.
# Configure VTY user interfaces on the HTTPS server.
# Configure the FTP function for the switch and information about an FTP user, including the
password, user level, service type, and authorized directory.
[HTTPS_Server] ftp server enable //Enable the FTP server function.
[HTTPS_Server] aaa
[HTTPS_Server-aaa] local-user client001 password cipher Helloworld@6789 //Set
the login password to Helloworld@6789.
[HTTPS_Server-aaa] local-user client001 privilege level 15 //Set the user level
to 15.
[HTTPS_Server-aaa] local-user client001 service-type ftp //Set the user service
type to FTP.
[HTTPS_Server-aaa] local-user client001 ftp-directory flash:/ //Set the FTP
authorized directory to flash:/.
[HTTPS_Server-aaa] quit
[HTTPS_Server] quit
# Log in to the HTTPS server from the PC through FTP and upload the web page file and
digital certificate to the HTTPS server.
Connect the PC to the switch using FTP. Enter the user name client001 and password
Helloworld@6789 and set the file transfer mode to binary.
The following example assumes that the PC runs the Windows XP operating system.
C:\Documents and Settings\Administrator> ftp 192.168.0.1
Connected to 192.168.0.1.
220 FTP service ready.
User (192.168.0.1:(none)): client001
331 Password required for client001.
Password:
230 User logged in.
ftp> binary //Set the file transfer mode to binary. By default, files are
transferred in ASCII mode.
200 Type set to I.
ftp>
Upload the web page file and digital certificate to the HTTPS server from the PC.
ftp> put web.zip //Upload the web page file. The web.zip file is used as an
example here.
200 Port command okay.
150 Opening BINARY mode data connection for web.zip
226 Transfer complete.
ftp: 1308478 bytes sent in 11 Seconds 4.6Kbytes/sec.
ftp> put 1_servercert_pem_dsa.pem
200 Port command okay.
150 Opening BINARY mode data connection for 1_servercert_pem_dsa.pem
226 Transfer complete.
ftp: 1302 bytes sent in 2 Seconds 4.6Kbytes/sec.
ftp> put 1_serverkey_pem_dsa.pem
200 Port command okay.
150 Opening BINARY mode data connection for 1_serverkey_pem_dsa.pem
226 Transfer complete.
ftp: 951 bytes sent in 1 Second 4.6Kbytes/sec.
# Run the dir command on the Switch to check whether the web page file and digital
certificate exist in the current storage directory.
NOTE
If the sizes of the web page file and digital certificate in the current storage directory on the switch are different from those on the PC, an exception may have occurred during file transfer. Upload the files again.
# Create the subdirectory security on the HTTPS server and copy the digital certificate and
private key file to the subdirectory.
<HTTPS_Server> mkdir security
<HTTPS_Server> copy 1_servercert_pem_dsa.pem security
Copy flash:/1_servercert_pem_dsa.pem to flash:/security/1_servercert_pem_dsa.pem?
[Y/N]:y
100% complete
Info: Copied file flash:/1_servercert_pem_dsa.pem to flash:/security/
1_servercert_pem_dsa.pem...Done.
<HTTPS_Server> copy 1_serverkey_pem_dsa.pem security
Copy flash:/1_serverkey_pem_dsa.pem to flash:/security/1_serverkey_pem_dsa.pem?
[Y/N]:y
100% complete
Info: Copied file flash:/1_serverkey_pem_dsa.pem to flash:/security/
1_serverkey_pem_dsa.pem...Done.
# Run the dir command in the security subdirectory to check the digital certificate.
<HTTPS_Server> cd security
<HTTPS_Server> dir
Directory of flash:/security/
# After the preceding configurations are complete, run the display ssl policy command on the
HTTPS server to check detailed information about the loaded digital certificate.
[HTTPS_Server] display ssl policy
Step 6 Configure a web user and enter the web system login page.
# Configure a web user.
[HTTPS_Server] aaa
[HTTPS_Server-aaa] local-user admin password cipher Helloworld@6789 //Create a
local user named admin and set its password to Helloworld@6789.
[HTTPS_Server-aaa] local-user admin privilege level 15 //Set the user level to
15.
[HTTPS_Server-aaa] local-user admin service-type http //Set the access type to
http, that is, web user.
[HTTPS_Server-aaa] quit
----End
Configuration Files
HTTPS_Server configuration file
#
sysname HTTPS_Server
#
FTP server enable
#
vlan batch 10
#
undo http server enable
http server load web.zip
http secure-server ssl-policy http_server
http secure-server enable
#
aaa
local-user admin password cipher %$%$_h,hW_!nJ!2gXkH9v$X)+,#w%$%$
local-user admin privilege level 15
local-user admin service-type http
local-user client001 password cipher %$%$jD,QKAhe{Yd9kD9Fqi#I+QH~%$%$
local-user client001 privilege level 15
local-user client001 ftp-directory flash:/
local-user client001 service-type ftp
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet0/0/10
port link-type access
port default vlan 10
#
user-interface vty 0 14
authentication-mode aaa
#
ssl policy http_server
certificate load pem-cert 1_servercert_pem_dsa.pem key-pair dsa key-file 1_serverkey_pem_dsa.pem auth-code 123456
#
return
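The configuration files on this page carry the settings that the NOTICE and Configuration Notes single out: telnet server enable, FTP server enable, http server enable as opposed to http secure-server, the reversible password cipher as opposed to irreversible-cipher, and VTY lines with or without an inbound ACL. The Python below is an added example, not a Huawei tool, that parses a VRP-style configuration file into its '#'-delimited sections and reports those findings. It runs over two constructed samples, one modelled on the HTTPS_Server file above and one on the Telnet-with-ACL file earlier on the page, with placeholder text in place of the real cipher values; the checks are limited to the points these examples discuss, and the patterns are anchored so that undo http server enable is not reported as plain HTTP.

```python
import re

# (finding text, anchored pattern). Anchoring keeps "undo http server enable"
# from matching the plain-HTTP check.
GLOBAL_CHECKS = [
    ("telnet server enable: Telnet is plaintext; the page recommends STelnet V2",
     re.compile(r"^telnet server enable$")),
    ("ftp server enable: FTP is plaintext; the page recommends SFTP V2, SCP or FTPS",
     re.compile(r"^ftp server enable$", re.IGNORECASE)),
    ("http server enable: web login over plain HTTP instead of HTTPS",
     re.compile(r"^http server enable$")),
]
REVERSIBLE_PW = re.compile(r"^local-user (\S+) password cipher ")
VTY_HEADER = re.compile(r"^user-interface vty \d+ \d+$")
ACL_INBOUND = re.compile(r"^acl \S+ inbound$")
PROTO_TELNET = re.compile(r"^protocol inbound telnet$")

# Constructed sample modelled on the HTTPS_Server configuration file above;
# the cipher text is a placeholder, not a real value.
SAMPLE_HTTPS_SERVER = """\
#
sysname HTTPS_Server
#
FTP server enable
#
undo http server enable
http secure-server enable
#
aaa
 local-user admin password cipher %$%$PLACEHOLDER%$%$
 local-user admin service-type http
 local-user client001 password cipher %$%$PLACEHOLDER%$%$
 local-user client001 service-type ftp
#
user-interface vty 0 14
 authentication-mode aaa
#
return
"""

# Constructed sample modelled on the Telnet-with-ACL configuration file earlier on the page.
SAMPLE_TELNET_ACL = """\
#
telnet server enable
#
acl number 2008
 rule 5 permit source 10.137.217.177 0
#
aaa
 local-user admin123 password irreversible-cipher %^%#PLACEHOLDER%^%#
#
user-interface vty 0 14
 acl 2008 inbound
 authentication-mode aaa
 protocol inbound telnet
#
return
"""


def split_sections(config):
    """Split a VRP configuration file into its '#'-delimited sections (lists of stripped lines)."""
    sections, current = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                sections.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        sections.append(current)
    return sections


def vty_blocks(section):
    """Group the lines under each 'user-interface vty' header; console lines are skipped."""
    blocks, current = [], None
    for line in section:
        if line.startswith("user-interface "):
            current = [] if VTY_HEADER.match(line) else None
            if current is not None:
                blocks.append((line, current))
        elif current is not None:
            current.append(line)
    return blocks


def audit_config(config):
    """Return human-readable findings for the weak settings these examples discuss."""
    findings = []
    for section in split_sections(config):
        for line in section:
            for text, pattern in GLOBAL_CHECKS:
                if pattern.match(line):
                    findings.append(text)
            m = REVERSIBLE_PW.match(line)
            if m:
                findings.append(f"local-user {m.group(1)}: reversible 'cipher' password; "
                                "prefer irreversible-cipher on versions that support it")
        for header, lines in vty_blocks(section):
            if not any(ACL_INBOUND.match(l) for l in lines):
                findings.append(f"{header}: no inbound ACL limits which source addresses may log in")
            if any(PROTO_TELNET.match(l) for l in lines):
                findings.append(f"{header}: protocol inbound telnet accepts plaintext logins")
    return findings


if __name__ == "__main__":
    for name, cfg in (("HTTPS_Server", SAMPLE_HTTPS_SERVER), ("Telnet+ACL", SAMPLE_TELNET_ACL)):
        print(name)
        for finding in audit_config(cfg):
            print("  -", finding)
```

Feed it the output of display current-configuration saved to a file and it reports the same categories; the FTP finding, for instance, is the one the NOTICE above addresses.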
Overview
The web system uses the built-in web server on a switch to provide a GUI through which
users can perform switch management and maintenance. Users can log in to the web system
from terminals using HTTPS.
Configuration Notes
This example applies to V100R006C05, V200R002, and V200R003 of all S series switches.
NOTE
The following uses the command lines and outputs of the S5700EI running V200R002C00 as an
example.
Networking Requirements
As shown in Figure 2-10, a switch functions as the HTTPS server. The user wants to log in to
the web system using HTTPS to manage and maintain the switch.
Figure 2-10 Networking diagram for configuring switch login through the web system (diagram not reproduced: the PC reaches HTTPS_Server, 192.168.0.1/24, over the network)
Configuration Roadmap
The configuration roadmap is as follows:
NOTE
The web page file is delivered with a switch. For all switches in V100R006C05 and V200R002, and for S5700-10P-LI switches in V200R003C00, you need to load the web page file. Fixed switches other than the S5700-10P-LI in V200R003 have the web page file loaded before delivery, so Step 2 can be skipped.
A switch provides a default SSL policy and has a randomly generated self-signed digital certificate in
the web page file. If the default SSL policy and self-signed digital certificate can meet security
requirements, you do not need to upload a digital certificate or manually configure an SSL policy,
simplifying configuration. The following configuration uses the default SSL policy provided by the
switch as an example.
1. Configure a management IP address for logging in to the switch through the web system.
2. Load the web page file.
3. Configure a web user and enter the web system login page.
Procedure
Step 1 Configure a management IP address.
<HUAWEI> system-view
[HUAWEI] sysname HTTPS_Server
[HTTPS_Server] vlan 10
[HTTPS_Server-vlan10] interface vlanif 10 //Configure VLANIF 10 as the
management interface.
[HTTPS_Server-Vlanif10] ip address 192.168.0.1 24 //Configure the IP address
and deploy the route based on the network plan to ensure reachability between the
PC and switch.
[HTTPS_Server-Vlanif10] quit
[HTTPS_Server] interface gigabitethernet 1/0/10 //In this example, GE1/0/10 is
the physical interface used for logging in to the switch through the web system
on a PC. Select an interface based on actual networking requirements.
[HTTPS_Server-GigabitEthernet1/0/10] port link-type access //Set the interface
type to access.
[HTTPS_Server-GigabitEthernet1/0/10] port default vlan 10 //Add the interface
to VLAN 10.
[HTTPS_Server-GigabitEthernet1/0/10] quit
• Run the dir command to view the name of the web page file carried by the switch.
• In V100R006C05, the web page file is named in the format product name-software version.web page file version.web.zip. In V200R002 and V200R003, it is named in the format product name-software version.web page file version.web.7z.
[HTTPS_Server] http server load web.7z //Load the web page file. The web.7z file is used as an example here.
Step 4 Configure a web user and enter the web system login page.
# Configure a web user.
[HTTPS_Server] aaa
[HTTPS_Server-aaa] local-user admin password cipher Helloworld@6789 //Create a
local user named admin and set its password to Helloworld@6789.
[HTTPS_Server-aaa] local-user admin privilege level 15 //Set the user level to
15.
[HTTPS_Server-aaa] local-user admin service-type http //Set the access type to
http, that is, web user.
[HTTPS_Server-aaa] quit
----End
Configuration Files
HTTPS_Server configuration file
#
sysname HTTPS_Server
#
vlan batch 10
#
http server load web.7z
#
aaa
local-user admin password cipher %$%$+8;_RIkI680;]{;b/Vo&T/l>%$%$
local-user admin privilege level 15
local-user admin service-type http
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/10
port link-type access
port default vlan 10
#
return
Overview
The web system uses the built-in web server on a switch to provide a GUI through which
users can perform switch management and maintenance. Users can log in to the web system
from terminals using HTTPS.
Configuration Notes
This example applies to V200R005 of all S series switches.
NOTE
The following uses the command lines and outputs of the S5700HI running V200R005 as an example.
Networking Requirements
As shown in Figure 2-12, a switch functions as the HTTPS server. The user wants to log in to
the web system using HTTPS to manage and maintain the switch.
Figure 2-12 Networking diagram for configuring switch login through the web system (diagram not reproduced: the PC reaches HTTPS_Server, 192.168.0.1/24, over the network)
Configuration Roadmap
NOTE
A switch provides a default SSL policy and has a randomly generated self-signed digital certificate in
the web page file. If the default SSL policy and self-signed digital certificate can meet security
requirements, you do not need to upload a digital certificate or manually configure an SSL policy,
simplifying configuration. The following configuration uses the default SSL policy provided by the
switch as an example.
The system software of the following switch models in V200R005 has integrated and loaded
the web page file (including the EasyOperation and Classics editions). You only need to
configure a web user and enter the web system login page.
NOTICE
FTP is an insecure protocol. Using SFTP V2, SCP, or FTPS is recommended.
Procedure
Step 1 Obtain the web page file.
The following methods are available:
l Obtain the web page file from a Huawei agent.
l Download the web page file from the Huawei enterprise technical support website
(http://support.huawei.com/enterprise).
– For a fixed switch, download the system software containing the web page file.
– For a modular switch, download the web page file.
– In V200R005, the web page file is named in the format of product name-software
version.web page file version.web.7z.
NOTE
Check whether the size of the obtained web page file is the same as the file size displayed on the
website. If not, an exception may occur during file download. Download the file again.
Step 3 Upload the web page file to the HTTPS server through FTP.
# Configure VTY user interfaces on the HTTPS server.
[HTTPS_Server] user-interface vty 0 14 //Enter VTY user interfaces 0 to 14.
[HTTPS_Server-ui-vty0-14] authentication-mode aaa //Set the authentication mode of users in VTY user interfaces 0 to 14 to AAA.
[HTTPS_Server-ui-vty0-14] quit
# Configure the FTP function for the switch and information about an FTP user, including the
password, user level, service type, and authorized directory.
[HTTPS_Server] ftp server enable //Enable the FTP server function.
[HTTPS_Server] aaa
[HTTPS_Server-aaa] local-user client001 password irreversible-cipher Helloworld@6789 //Set the login password to Helloworld@6789.
[HTTPS_Server-aaa] local-user client001 privilege level 15 //Set the user level to 15.
[HTTPS_Server-aaa] local-user client001 service-type ftp //Set the user service type to FTP.
[HTTPS_Server-aaa] local-user client001 ftp-directory flash:/ //Set the FTP authorized directory to flash:/.
[HTTPS_Server-aaa] quit
# Log in to the HTTPS server from the PC through FTP and upload the web page file to the
HTTPS server.
Connect the PC to the switch using FTP. Enter the user name client001 and password
Helloworld@6789 and set the file transfer mode to binary.
The following example assumes that the PC runs the Windows XP operating system.
C:\Documents and Settings\Administrator> ftp 192.168.0.1
Connected to 192.168.0.1.
220 FTP service ready.
User (192.168.0.1:(none)): client001
331 Password required for client001.
Password:
230 User logged in.
ftp> binary //Set the file transfer mode to binary. By default, files are transferred in ASCII mode.
200 Type set to I.
ftp>
Upload the web page file to the HTTPS server from the PC.
ftp> put web.7z //Upload the web page file. The web.7z file is used as an example here.
200 Port command okay.
150 Opening BINARY mode data connection for web.zip
226 Transfer complete.
ftp: 1308478 bytes sent in 11 Seconds 4.6Kbytes/sec.
NOTE
If the size of the web page file in the current directory on the switch is different from that on the PC, an
exception may occur during file transfer. Upload the web page file again.
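The binary-mode upload and the size comparison that the note above calls for, as an added example written for this page rather than taken from the Huawei documentation. It uses only Python's standard ftplib; connect_to_switch, upload_and_verify, FakeFtp and demo are names chosen here, and FakeFtp is a constructed stand-in (it models only a truncated transfer) so the block runs without a switch. Against a real switch you would pass the object returned by connect_to_switch instead.

```python
"""FTP upload in binary mode followed by a local/remote size check.

Added example; not part of the Huawei documentation. upload_and_verify()
accepts any object with the ftplib.FTP methods voidcmd/storbinary/size, so it
works against a real switch (connect_to_switch) or offline against the
constructed FakeFtp stand-in defined below (hypothetical helper).
"""
import os
import tempfile
from ftplib import FTP


class TransferSizeMismatch(Exception):
    """The file on the switch does not have the same byte count as the local copy."""


def connect_to_switch(host, user, password):
    """Open a real FTP session; only used when a switch is reachable."""
    ftp = FTP(host)            # equivalent to "ftp 192.168.0.1"
    ftp.login(user, password)  # e.g. client001 / the password set in the aaa view
    return ftp


def upload_and_verify(ftp, local_path, remote_name):
    """Upload local_path as remote_name; return (local_size, remote_size).

    Raises TransferSizeMismatch when the sizes differ, which is the condition
    the note describes: an ASCII-mode transfer rewrites bytes that look like
    line endings inside an archive, and a dropped connection leaves a
    truncated file on the switch.
    """
    ftp.voidcmd("TYPE I")  # same as "ftp> binary"; the default mode is ASCII
    with open(local_path, "rb") as fh:
        ftp.storbinary("STOR " + remote_name, fh)
    local_size = os.path.getsize(local_path)
    # SIZE (RFC 3659); if a server rejects it, ftplib raises error_perm and the
    # byte count from a "dir" listing is the fallback to compare against.
    remote_size = ftp.size(remote_name)
    if remote_size != local_size:
        raise TransferSizeMismatch(
            f"{remote_name}: local {local_size} bytes, remote {remote_size} bytes")
    return local_size, remote_size


class FakeFtp:
    """Constructed in-memory stand-in for ftplib.FTP (hypothetical).

    truncate=N drops the last N bytes of every upload, simulating a transfer
    that ended early.
    """

    def __init__(self, truncate=0):
        self.files = {}
        self.truncate = truncate

    def voidcmd(self, cmd):
        return "200 Type set to I." if cmd == "TYPE I" else "200 OK."

    def storbinary(self, cmd, fh):
        name = cmd.split(" ", 1)[1]
        data = fh.read()
        self.files[name] = data[:len(data) - self.truncate] if self.truncate else data
        return "226 Transfer complete."

    def size(self, name):
        return len(self.files[name])


def demo():
    """One clean and one truncated upload against the fake.

    Returns ((local_size, remote_size), truncation_detected).
    """
    # Constructed payload: 16384 bytes covering every byte value, like an archive.
    payload = bytes(range(256)) * 64
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "web.7z")
        with open(path, "wb") as fh:
            fh.write(payload)
        clean = upload_and_verify(FakeFtp(), path, "web.7z")
        try:
            upload_and_verify(FakeFtp(truncate=10), path, "web.7z")
            detected = False
        except TransferSizeMismatch:
            detected = True
    return clean, detected


if __name__ == "__main__":
    print(demo())
```

Running the block prints ((16384, 16384), True): the clean upload matches in size and the truncated one is rejected before the web page file would be loaded.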
Step 6 Configure a web user and enter the web system login page.
# Configure a web user.
[HTTPS_Server] aaa
[HTTPS_Server-aaa] local-user admin password irreversible-cipher Helloworld@6789 //Set the login password to Helloworld@6789.
[HTTPS_Server-aaa] local-user admin privilege level 15 //Set the user level to 15.
[HTTPS_Server-aaa] local-user admin service-type http //Set the user service type to HTTP.
[HTTPS_Server-aaa] quit
----End
Configuration Files
HTTPS_Server configuration file
#
sysname HTTPS_Server
#
ftp server enable
#
vlan batch 10
#
http server load web.7z
#
aaa
local-user admin password irreversible-cipher %@%@wU:(2j8~r8Htyu3.]',NwU`Td[-A9~9"%4Kvhm'0RV[/U`Ww%@%@
local-user admin privilege level 15
local-user admin service-type http
local-user client001 password irreversible-cipher %@%@5d~9:M^ipCfL\iB)EQd>,,ajwsi[\ad,saejin[qndi83Uwe%@%@
local-user client001 privilege level 15
local-user client001 ftp-directory flash:/
local-user client001 service-type ftp
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/10
port link-type access
port default vlan 10
#
user-interface vty 0 14
authentication-mode aaa
#
return
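A way to check a saved configuration file like the one above against the points this section makes (the NOTICE that FTP is insecure, the irreversible-cipher password form, and AAA authentication on the VTY interfaces), as an added example written for this page and not Huawei code. parse_blocks, parse_local_users and audit_config are names chosen here. SAMPLE_CONFIG is constructed from the HTTPS_Server file above: the cipher texts are replaced by placeholders, and client001 deliberately uses the older reversible cipher keyword (the form shown in the V200R002 configuration file earlier on the page) so that check has something to report.

```python
"""Audit a VRP-style configuration file for the settings discussed on this page.

Added example, not Huawei code. The file is split at the bare '#' lines that
separate blocks in the Configuration Files sections; findings cover an enabled
FTP server, users granted service-type ftp, passwords kept with the reversible
'cipher' keyword instead of 'irreversible-cipher', and VTY interfaces whose
authentication-mode is not aaa. SAMPLE_CONFIG is constructed from the page.
"""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
#
sysname HTTPS_Server
#
ftp server enable
#
vlan batch 10
#
http server load web.7z
#
aaa
 local-user admin password irreversible-cipher %@%@CIPHERTEXT-PLACEHOLDER%@%@
 local-user admin privilege level 15
 local-user admin service-type http
 local-user client001 password cipher %$%$CIPHERTEXT-PLACEHOLDER%$%$
 local-user client001 privilege level 15
 local-user client001 ftp-directory flash:/
 local-user client001 service-type ftp
#
interface Vlanif10
 ip address 192.168.0.1 255.255.255.0
#
user-interface vty 0 14
 authentication-mode aaa
#
return
"""

LOCAL_USER_RE = re.compile(r"^local-user\s+(\S+)\s+(.+)$")


def parse_blocks(text):
    """Split at bare '#' lines; each block is a list of stripped lines whose
    first entry is the block header (aaa, interface Vlanif10, ...)."""
    blocks, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                blocks.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        blocks.append(current)
    return blocks


def parse_local_users(blocks):
    """Return {name: attributes} gathered from local-user lines in aaa blocks."""
    users = defaultdict(lambda: {"password_mode": None, "privilege": None,
                                 "service_types": set(), "ftp_directory": None})
    for block in blocks:
        if block[0] != "aaa":
            continue
        for line in block[1:]:
            m = LOCAL_USER_RE.match(line)
            if not m:
                continue
            name, words = m.group(1), m.group(2).split()
            u = users[name]
            if words[0] == "password" and len(words) > 1:
                u["password_mode"] = words[1]        # cipher | irreversible-cipher
            elif words[:2] == ["privilege", "level"] and len(words) > 2:
                u["privilege"] = int(words[2])
            elif words[0] == "service-type":
                u["service_types"].update(words[1:])
            elif words[0] == "ftp-directory" and len(words) > 1:
                u["ftp_directory"] = words[1]
    return dict(users)


def audit_config(text):
    """Return a list of findings (strings); an empty list means nothing flagged."""
    blocks = parse_blocks(text)
    findings = []
    if any(b[0] == "ftp server enable" for b in blocks):
        findings.append("ftp server enable: FTP carries credentials and files in "
                        "cleartext; use SFTP v2, SCP or FTPS instead")
    for name, u in sorted(parse_local_users(blocks).items()):
        if "ftp" in u["service_types"]:
            findings.append(f"local-user {name}: service-type ftp granted "
                            f"(ftp-directory {u['ftp_directory']})")
        if u["password_mode"] == "cipher":
            findings.append(f"local-user {name}: password stored with reversible "
                            "'cipher'; use 'irreversible-cipher'")
    for block in blocks:
        if block[0].startswith("user-interface vty"):
            modes = [ln.split()[1] for ln in block[1:]
                     if ln.startswith("authentication-mode ")]
            if modes != ["aaa"]:
                findings.append(f"{block[0]}: authentication-mode {modes or 'unset'}, "
                                "expected aaa")
    return findings
```

Calling audit_config(SAMPLE_CONFIG) yields three findings: the enabled FTP server, client001's ftp service type, and client001's reversible password storage. Feed it the text of a `display current-configuration` saved from the switch to run the same checks on a live configuration.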
Related Content
Videos
Log In to a Switch Using the Web System.
Configure a Switch Using the Web System.
Configuration Notes
This example applies to V200R006 and later versions of all S series switches.
NOTE
The following uses the command lines and outputs of the S5700LI running V200R006C00 as an
example.
Networking Requirements
As shown in Figure 2-14, a switch functions as the HTTPS server. The user wants to log in to
the web system using HTTPS to manage and maintain the switch.
Figure 2-14 Networking diagram for configuring switch login through the web system
[Figure: PC connected over the network to HTTPS_Server, 192.168.0.1/24]
Configuration Roadmap
The configuration roadmap is as follows:
l The system software of the switch has integrated and loaded the web page file. No
manual configuration is required.
l A switch provides a default SSL policy and has a randomly generated self-signed digital
certificate in the web page file. If the default SSL policy and self-signed digital
certificate can meet security requirements, you do not need to upload a digital certificate
or manually configure an SSL policy, simplifying configuration. The following
configuration uses the default SSL policy provided by the switch as an example.
l Configure a management IP address for logging in to the switch through the web system.
l Configure a web user and enter the web system login page.
Procedure
Step 1 Configure a management IP address.
<HUAWEI> system-view
[HUAWEI] sysname HTTPS_Server
[HTTPS_Server] vlan 10
[HTTPS_Server-vlan10] interface vlanif 10 //Configure VLANIF 10 as the management interface.
[HTTPS_Server-Vlanif10] ip address 192.168.0.1 24 //Configure the IP address and deploy the route based on the network plan to ensure reachability between the PC and switch.
[HTTPS_Server-Vlanif10] quit
[HTTPS_Server] interface gigabitethernet 1/0/10 //In this example, GE1/0/10 is the physical interface used for logging in to the switch through the web system on a PC. Select an interface based on actual networking requirements.
[HTTPS_Server-GigabitEthernet1/0/10] port link-type access //Set the interface type to access.
[HTTPS_Server-GigabitEthernet1/0/10] port default vlan 10 //Add the interface to VLAN 10.
[HTTPS_Server-GigabitEthernet1/0/10] quit
Step 3 Configure a web user and enter the web system login page.
# Configure a web user.
[HTTPS_Server] aaa
[HTTPS_Server-aaa] local-user admin password irreversible-cipher Helloworld@6789 //Set the login password to Helloworld@6789.
[HTTPS_Server-aaa] local-user admin privilege level 15 //Set the user level to 15.
[HTTPS_Server-aaa] local-user admin service-type http //Set the user service type to HTTP.
[HTTPS_Server-aaa] quit
Table 2-4 Mapping between the product version and browser version
Product Version | Browser Version for EasyOperation Web System | Browser Version for Classic Web System
----End
Configuration Files
HTTPS_Server configuration file
#
sysname HTTPS_Server
#
vlan batch 10
#
aaa
local-user admin password irreversible-cipher %#%#wU:(2j8~r8Htyu3.]',NwU`Td[-A9~9"%4Kvhm'0RV[/U`Ww%#%#
local-user admin privilege level 15
local-user admin service-type http
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/10
port link-type access
port default vlan 10
#
return