1. Switch View Overview
Switch devices offer a wide range of functions and therefore many configuration commands. To make these commands easier to use, Huawei switches group them into command views by function. When configuring a specific function, you must first enter the corresponding command-line view and then execute the relevant commands there.
| View Type | Function Description |
|---|---|
| <Huawei> | User view. In this view, users can view operational status and statistics. |
| [Huawei] | System view, entered from the user view with system-view. From here users can enter the other functional configuration views. |
| [Huawei-GigabitEthernet0/0/0] | Interface view, entered from the system view with interface. In this view, users can view and configure information about the interface. |
There are two ways to access a device: command-line mode and web mode. Command-line mode includes console port login, Telnet login, and SSH login.
2. Using the Console Port to Access the Device
2.1 Connect to a device in eNSP with a local terminal tool
First, check the port number of the device in eNSP, then connect to that port with a tool such as CRT or Xshell.
After connecting, run the display users command to confirm that the session is a console login.
2.2 Connect to a physical device using the console port
First, install the driver for the console port on the computer, then plug the console cable into the console interface of the physical device. Once the driver is installed, a COM port appears on the computer, and a terminal tool can open it to reach the device.
3. Using the Telnet Protocol to Access the Device
Telnet is based on a client-server model and uses TCP to provide a remote login service. In detail, Telnet works as follows:
- Establish connection: The Telnet client program establishes a TCP connection with the remote Telnet server program and creates a virtual terminal on this connection. This virtual terminal gives the user, on the local computer, a terminal window that behaves like one on the remote host. Users can input commands and data in this window.
- Command and data forwarding: When the user inputs commands or data in this virtual terminal, the Telnet client program packages these commands and data according to the Telnet communication protocol and forwards them through the TCP protocol to the remote Telnet server.
- Server processing: After receiving the commands and data sent by the client, the remote Telnet server processes them according to the relevant rules. This may include executing commands, accessing files, obtaining data, etc. After processing, the server generates response data, which may include the execution result of the command, requested data, or other information.
- Response return: The server packages the processed response data according to the Telnet communication protocol and sends it back to the Telnet client through the TCP protocol.
- Display results: The Telnet client program decapsulates the received response data and displays it in the local virtual terminal window. Thus, the user can see the results of the command execution or data processing on the remote host on their local computer.
3.1 Login using only a password
Client configuration
<Huawei>system-view # Enter system view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname client # Rename the device
[client]interface GigabitEthernet 0/0/0 # Enter interface view
[client-GigabitEthernet0/0/0]ip address 192.168.1.1 24 # Configure IP address
Server configuration
<Huawei>system-view
[Huawei]sysname server
[server]interface GigabitEthernet 0/0/0
[server-GigabitEthernet0/0/0]ip address 192.168.1.2 24
[server-GigabitEthernet0/0/0]quit
[server]telnet server enable # Enable the Telnet service
[server]user-interface vty 0 4 # Enter the VTY user-interface view (VTY 0-4 are the virtual terminal lines used by Telnet/SSH logins)
[server-ui-vty0-4]authentication-mode password # Authenticate logins with a password only (no username)
[server-ui-vty0-4]user privilege level 15 # Privilege level granted to users who log in on these lines
[server-ui-vty0-4]set authentication password cipher 12345678 # Set the login password
Client test
<client>telnet 192.168.1.2 # Client test login
3.2 Login using AAA mode
Server configuration
[server]aaa # Enter AAA view
[server-aaa]local-user admin password cipher 12345678 # Create local user admin
[server-aaa]local-user admin privilege level 15 # Privilege level of the user
[server-aaa]local-user admin service-type telnet # Allow this user to log in via Telnet
[server-aaa]quit
[server]user-interface vty 0 4
[server-ui-vty0-4]authentication-mode aaa # Authenticate VTY logins with AAA (username and password)
[server-ui-vty0-4]quit
[server]telnet server enable # Enable the Telnet service
Client login
<client>telnet 192.168.1.2
Start a packet capture tool, capture the Telnet traffic, and follow the initial TCP stream. The username and password are readable in plain text: Telnet can log in to the device, but it is not secure, because it exposes the device's account and password to anyone who can observe the traffic. Telnet is therefore not recommended.
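What the capture shows, as an added example that is not part of the original lab: the Python below strips the Telnet option negotiation (the IAC commands of the RFC 854 framing described in section 3) from a reassembled tcp/23 stream, then reports the prompts and keystrokes an observer reads in the clear. The session bytes are constructed here to match the AAA-mode server above; they are not a real capture, and the function and variable names are this example's own.

```python
import re

# Telnet command bytes (RFC 854). IAC introduces every command; IAC IAC is a literal 0xFF.
IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254
NEGOTIATION = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}

# Constructed sample: both directions of one reassembled tcp/23 session against the
# AAA-mode server above, with Huawei-style prompts. Constructed for this example,
# not a real capture.
SERVER_TO_CLIENT = (
    bytes([IAC, WILL, 1, IAC, WILL, 3])   # WILL ECHO, WILL SUPPRESS-GO-AHEAD
    + b"\r\nLogin authentication\r\n\r\n\r\nUsername:admin\r\nPassword:\r\n<server>"
)
CLIENT_TO_SERVER = (
    bytes([IAC, DO, 1, IAC, DO, 3])       # DO ECHO, DO SUPPRESS-GO-AHEAD
    + b"admin\r\n12345678\r\ndisplay users\r\n"
)


def strip_telnet_negotiation(stream: bytes) -> tuple[bytes, list[tuple[str, int]]]:
    """Split a reassembled Telnet stream into application bytes and the
    option-negotiation commands it carried."""
    app = bytearray()
    commands = []
    i, n = 0, len(stream)
    while i < n:
        b = stream[i]
        if b != IAC:
            app.append(b)
            i += 1
            continue
        if i + 1 >= n:
            break                         # truncated IAC at the end of the capture
        cmd = stream[i + 1]
        if cmd == IAC:                    # escaped literal 0xFF
            app.append(IAC)
            i += 2
        elif cmd in NEGOTIATION:          # IAC <WILL|WONT|DO|DONT> <option>
            if i + 2 < n:
                commands.append((NEGOTIATION[cmd], stream[i + 2]))
            i += 3
        elif cmd == SB:                   # IAC SB <option> ... IAC SE
            end = stream.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                break
            commands.append(("SB", stream[i + 2]))
            i = end + 2
        else:                             # other two-byte commands (NOP, AYT, ...)
            i += 2
    return bytes(app), commands


def audit_telnet_login(client_stream: bytes, server_stream: bytes) -> dict:
    """Report what can be read off the wire: the login prompts the server sent and
    the lines the client typed in reply. None of it is protected."""
    client_app, _ = strip_telnet_negotiation(client_stream)
    server_app, _ = strip_telnet_negotiation(server_stream)
    prompts = [p.decode() for p in re.findall(rb"(Username|Password):", server_app)]
    keystrokes = [line for line in client_app.decode("ascii", "replace").split("\r\n") if line]
    return {
        "plaintext_auth": "Password" in prompts,   # a cleartext password prompt was seen
        "prompts": prompts,
        "keystrokes": keystrokes,                  # username, password and commands, verbatim
    }


if __name__ == "__main__":
    print(audit_telnet_login(CLIENT_TO_SERVER, SERVER_TO_CLIENT))
```

Wireshark's Follow TCP Stream performs the same reassembly. For detection, a signature on tcp/23 payloads that contain Password: flags every cleartext device login on the network; the mitigation is the protocol inbound ssh setting used in section 4, which refuses Telnet on the VTY lines.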
4. Using the SSH Protocol to Access the Device
SSH (Secure Shell) relies mainly on asymmetric encryption algorithms, especially RSA, to communicate securely over an insecure network. Its core principles involve two aspects: identity authentication and data encryption.
- Identity authentication uses public-key algorithms. The user generates a public/private key pair on the SSH client: the private key stays in the client's key store, and the public key is copied to the server (as shown in 4.2). After the connection is established, the server sends a random number to the client. The client encrypts this random number with its private key and sends the result back to the server. The server decrypts it with the client's public key it holds; if the decrypted value matches the random number it sent, the identity authentication succeeds and the user may access the server.
- Data encryption uses symmetric algorithms such as AES or 3DES. Once authentication succeeds, the client and server negotiate a symmetric algorithm and use the shared key to encrypt and decrypt the data. All commands and data transmitted over the SSH connection thus travel through a secure channel, which ensures the confidentiality and integrity of the data.
- In summary, SSH uses asymmetric encryption for identity authentication and symmetric encryption to protect the confidentiality of the data, providing secure and reliable remote access and file transfer over an insecure network. This makes SSH the preferred protocol for remote server management, software development, and testing, especially in high-security scenarios.
4.1 Login using SSH password
Topology configuration
Server configuration
<Huawei>system-view # Enter system view
[Huawei]sysname server # Rename the device
[server]vlan 10 # Create VLAN 10
[server-vlan10]quit
[server]interface Vlanif 10 # Enter the Layer 3 VLANIF interface view
[server-Vlanif10]ip address 192.168.1.2 24 # Configure the management IP address
[server-Vlanif10]quit
[server]interface GigabitEthernet 0/0/1 # Enter interface view
[server-GigabitEthernet0/0/1]port link-type access # Set the link type to access
[server-GigabitEthernet0/0/1]port default vlan 10 # Put the interface in VLAN 10
[server-GigabitEthernet0/0/1]quit
[server]user-interface vty 0 4 # Enter the VTY user-interface view
[server-ui-vty0-4]authentication-mode aaa # Authenticate logins with AAA
[server-ui-vty0-4]protocol inbound ssh # Allow only SSH on these lines; Telnet is refused
[server-ui-vty0-4]quit
[server]aaa # Enter AAA view
[server-aaa]local-user admin password cipher 12345678 privilege level 15 # Create the user with its password and privilege level
[server-aaa]local-user admin service-type ssh # Allow this user to log in via SSH
[server-aaa]quit
[server]stelnet server enable # Enable the STelnet (SSH) server
[server]ssh user admin authentication-type password # Create SSH user admin with password authentication
[server]ssh user admin service-type stelnet # Allow SSH user admin to use the STelnet service
Client configuration
<Huawei>system-view
[Huawei]sysname client
[client]vlan 10
[client-vlan10]quit
[client]interface Vlanif 10
[client-Vlanif10]ip address 192.168.1.1 24
[client-Vlanif10]quit
[client]interface GigabitEthernet 0/0/1
[client-GigabitEthernet0/0/1]port link-type access
[client-GigabitEthernet0/0/1]port default vlan 10
[client-GigabitEthernet0/0/1]quit
[client]ssh client first-time enable # Enable first-time authentication so the client accepts the server's host key on the first login
[client]stelnet 192.168.1.2 # Test the SSH login
4.2 Login using key
Server configuration
<Huawei>system-view
[Huawei]sysname server
[server]rsa peer-public-key 12345 # Create a peer public key named 12345 and enter its view
[server-rsa-public-key]public-key-code begin # Start entering the key code
3047
0240
AC7CE774 36E7D28C 86DA7BE8 D3054BDA 7FDD19DC 609F7D11 618D641A EC796865
EE04E9DF FE53FBF6 086F3BC1 26E6478D E86A5894 69460BAA A459ACCB 5084E649
0203
010001 # Public key (hex) generated on the client and copied to the server
[server-rsa-key-code]public-key-code end # Finish entering the key code
[server-rsa-public-key]peer-public-key end # Return to system view
[server]ssh user admin1 authentication-type rsa # Create SSH user admin1 with RSA authentication
[server]ssh user admin1 assign rsa-key 12345 # Bind the STelnet client's RSA public key to SSH user admin1 on the SSH server
[server]ssh user admin1 service-type stelnet # Allow SSH user admin1 to use the STelnet service
[server]stelnet server enable # Enable the STelnet (SSH) server
[server]display ssh server status # View SSH status information on the SSH server
Client configuration
<Huawei>system-view
[Huawei]sysname client
[client]rsa local-key-pair create # Generate the local RSA key pair; choose the modulus size when prompted. Copy the public key (shown by display rsa local-key-pair public) to the server.
[client]ssh client first-time enable # Enable first-time authentication so the client accepts the server's host key on the first login
[client]stelnet 192.168.1.2 identity-key rsa # Connect to the SSH server using RSA (public key) authentication
Start a packet capture tool, capture the SSH traffic, and follow one stream. All of the data is encrypted, which makes this method far more secure than Telnet.
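The hex pasted between public-key-code begin and public-key-code end is the client's RSA public key in DER encoding: a SEQUENCE holding the modulus and the public exponent. As an added example, not the lab's or Huawei's own code, the Python below decodes that exact block and reports the key size, which is the check an operator should make before binding a key to an SSH user; the 2048-bit minimum and the function names are this example's assumptions. Decoding the lab's key gives a 64-byte (512-bit) modulus with exponent 65537, far too short for production use: pick a larger modulus when rsa local-key-pair create prompts for it.

```python
# The exact key code from the "Login using key" section above, as pasted between
# "public-key-code begin" and "public-key-code end" (whitespace is ignored).
PUBLIC_KEY_CODE = """
3047
0240
AC7CE774 36E7D28C 86DA7BE8 D3054BDA 7FDD19DC 609F7D11 618D641A EC796865
EE04E9DF FE53FBF6 086F3BC1 26E6478D E86A5894 69460BAA A459ACCB 5084E649
0203
010001
"""

# Smallest RSA modulus accepted for device management keys: an assumption
# reflecting current practice, not a value taken from the lab.
MIN_MODULUS_BITS = 2048

SEQUENCE, INTEGER = 0x30, 0x02


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("DER length runs past the end of the data")
    return tag, buf[pos:pos + length], pos + length


def parse_public_key_code(code: str) -> dict:
    """Parse the pasted hex as RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
    and judge whether the modulus is long enough."""
    der = bytes.fromhex("".join(code.split()))
    tag, body, end = _read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("expected a single top-level SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(body, 0)
    tag_e, e_bytes, pos = _read_tlv(body, pos)
    if (tag_n, tag_e) != (INTEGER, INTEGER) or pos != len(body):
        raise ValueError("expected SEQUENCE { INTEGER, INTEGER }")
    # Strict DER prefixes 0x00 to a positive INTEGER whose first byte has the high bit
    # set (0xAC here); the dump on the page omits it, so both values are read as unsigned.
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return {
        "modulus": n,
        "exponent": e,
        "modulus_bits": n.bit_length(),
        "acceptable": n.bit_length() >= MIN_MODULUS_BITS and e >= 3,
    }


if __name__ == "__main__":
    info = parse_public_key_code(PUBLIC_KEY_CODE)
    print(f"RSA-{info['modulus_bits']}, e={info['exponent']}, acceptable={info['acceptable']}")
```

The same check applies to any key an operator is asked to paste into rsa peer-public-key: the two length bytes after 0240 already reveal the modulus size (0x40 = 64 bytes), so a key that is too short can be rejected before it is ever bound with ssh user ... assign rsa-key.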
5. Using Web Mode to Access the Device
The eNSP switch does not support the http command, so this experiment uses an AC (AC6605) and accesses it through a browser.
Topology diagram:
AC configuration
<AC6605>system-view
[AC6605]sysname server
[server]user-interface vty 0 4
[server-ui-vty0-4]authentication-mode aaa
[server-ui-vty0-4]protocol inbound all
[server-ui-vty0-4]quit
[server]aaa
[server-aaa]local-user admin password irreversible-cipher admin@huawei.com
[server-aaa]local-user admin privilege level 15
[server-aaa]local-user admin service-type http
[server-aaa]quit
[server]http secure-server enable # Enable the HTTPS server
Verification
Open a browser, enter the address https://192.168.115.2, and log in.
Start a packet capture tool and capture the HTTPS traffic while logging in.
6. Summary
Common protocols for accessing devices and their default port numbers.
| Protocol | Port |
|---|---|
| telnet | 23 |
| SSH | 22 |
| http | 80 |
| https | 443 |
| Login Method | Advantages | Disadvantages | Application Scenario | Notes |
|---|---|---|---|---|
| console | Requires a dedicated communication cable (serial port) connection | Cannot remotely log in and maintain the device | When configuring the device for the first time, you can log in to the device via the Console port for configuration. When users cannot remotely log in to the device, they can log in locally via the Console port. | Logging in via the Console port is the most basic way to log in to the device and is also the foundation for other login methods. By default, users can directly log in to the device via the Console port, with a user level of 15. |
| telnet | Convenient for remote management and maintenance of the device. No need to connect a terminal to each device, which is convenient for users. | Transmits data using the TCP protocol in plain text, posing security risks. | Terminals connected to the network can log in to the device using Telnet for remote configuration. Used in networks with low security requirements. | By default, users cannot log in to the device directly via Telnet. If you want to log in to the device via Telnet, you can first log in locally via the Console port. |
| ssh | SSH (Secure Shell) protocol realizes secure remote login over an insecure network, ensuring data integrity and reliability, and ensuring safe data transmission | Configuration is more complex. | If the network has high security requirements, you can log in to the device using STelnet. STelnet is based on the SSH protocol, providing secure information protection and powerful authentication features to protect the device against IP spoofing attacks. | By default, users cannot log in to the device directly via STelnet. If you want to log in to the device via STelnet, you can first log in locally via the Console port or remotely via Telnet. |
| web | Using a browser to log in to the device allows for a more intuitive viewing of device parameters and configurations. | It may expose some sensitive configuration information. | Can be used in small, medium, and large-scale networks. | By default, users cannot log in to the device directly via web. If you want to log in to the device via web, you can first log in locally via the Console port or remotely via web. |