Whether the level of the local user of the S series switches affects data communication


On S series switches (except S1700), the local user level affects only the local user's login management of the device and has no effect on data communication.

Other related questions:
Why level-1 users can run configuration-level commands on S series switches
Level-1 users can use only the commands at level 1 and level 0, but cannot use the level-2 (configuration-level) commands. You can use the following three methods to set the user level for users logging in through AAA local authentication. The user level set in the first method has the highest priority, and the user level set in the last method has the lowest priority.
1. Run the local-user user-name privilege level level command in the AAA view to set the user level for the user named user-name.
2. Run the admin-user privilege level level command in the service scheme view to set a user level for all users in a domain.
3. Run the user privilege level level command in the user view to set a user level for all users logging in through the user view.
By default, the users on the console port are at level 15 and the users on the VTY user interface are at level 0. Therefore, user level 1 set in the user view does not take effect because a higher user level has been set in the AAA or service scheme view.

How do I configure the administrator level on an AR
If non-authentication is used, the administrator level is specified by using the user privilege level command in the VTY interface view.
If local authentication is used, the administrator level can be configured in the following ways, listed in descending order of priority:
1. Running the local-user privilege level command to configure the local user level
2. Running the admin-user privilege level command to configure the administrator level in a domain
3. Running the user privilege level command to configure the user level in the VTY interface view
If remote authentication is used, the administrator level can be configured in the following ways, listed in descending order of priority:
1. Using the user level sent by an authentication server to the AR after authentication has succeeded
2. Running the admin-user privilege level command to configure the administrator level in a domain
3. Running the user privilege level command to configure the user level in the VTY interface view
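The priority rules in the two answers above (S series AAA local authentication and AR administrator levels) can be checked against a saved configuration with a short script. This is an added example, not Huawei code: the sample configuration is constructed, the view-entry lines `service-scheme <name>` and `user-interface vty 0 4` are assumed syntax, and the mapping from a login to its service scheme is supplied by the caller rather than derived from domain bindings.

```python
import re

# Constructed sample configuration, not taken from a real device.
SAMPLE = """\
aaa
 local-user alice privilege level 3
 service-scheme ops
  admin-user privilege level 15
user-interface vty 0 4
 user privilege level 1
"""

VTY_DEFAULT = 0  # the page states that VTY users default to level 0


def parse(config):
    """Collect the three level settings named on the page."""
    cfg = {"local": {}, "scheme": {}, "vty": None}
    scheme = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"local-user (\S+) privilege level (\d+)", line):
            cfg["local"][m[1]] = int(m[2])
        elif m := re.fullmatch(r"service-scheme (\S+)", line):
            scheme = m[1]  # assumed view-entry line
        elif m := re.fullmatch(r"admin-user privilege level (\d+)", line):
            if scheme is not None:
                cfg["scheme"][scheme] = int(m[1])
        elif m := re.fullmatch(r"user privilege level (\d+)", line):
            cfg["vty"] = int(m[1])
    return cfg


def effective_level(cfg, user, scheme=None, auth="local", server_level=None):
    """Return (level, source) using the priority order described above."""
    vty = cfg["vty"] if cfg["vty"] is not None else VTY_DEFAULT
    if auth == "none":  # non-authentication: only the VTY setting applies
        return vty, "vty"
    # Highest priority: local-user level (local) or server-sent level (remote).
    first = ((cfg["local"].get(user), "local-user") if auth == "local"
             else (server_level, "server"))
    for level, source in (first, (cfg["scheme"].get(scheme), "admin-user"),
                          (vty, "vty")):
        if level is not None:
            return level, source


def overridden(cfg, logins):
    """List (user, level, source) for logins whose level is not the VTY one."""
    return [(u, *effective_level(cfg, u, s)) for u, s in logins
            if effective_level(cfg, u, s)[1] != "vty"]
```

Running `overridden(parse(SAMPLE), logins)` over the accounts allowed to log in lists every account whose level comes from the AAA or service scheme view, which is where a VTY setting of level 1 is silently superseded.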

Whether the S series low-level switches can be used as gateway devices
It is recommended that you choose a higher-end Layer 3 switch series as the gateway device.

Configure ACLs on S series switches to restrict communications between users
For details about the configuration on S series switches (except S1700 switches), click Typical Configuration Examples and choose Typical Security Configuration > Typical ACL Configuration > Example for Using ACLs to Restrict Mutual Access Between Network Segments.

Change local user passwords on S series switches
On an S series switch, except S1700, there are two methods to change the local user password:
- The administrator can change passwords for other local users.
  A local user can change the attributes (including password, level, max access number, and validity period) for the local users with lower levels.
  For example, to change the password of local user admin to huawei@123:
  [HUAWEI] aaa
  [HUAWEI-aaa] local-user admin password cipher huawei@123
- The local user changes its own password.
  To ensure password security, a low-level administrator can run the local-user change-password command after passing authentication to change its own password.  
  <HUAWEI> local-user change-password
  Please configure the login password (8-128)
  It is recommended that the password consist of at least 2 types of 
  characters, including lowercase letters, uppercase letters, numerals
  and special characters. 
  Please enter old password: //Enter the old password.
  Please enter new password: //Enter the new password.
  Please confirm new password:  //Confirm the new password.
Note:
- Only the users passing local authentication can change their own passwords.
- The local-user change-password command only changes local user passwords, but does not save configurations. The passwords are saved as local-user password.
- If you do not enter the old, new, or confirm password within the timeout interval (30 seconds), the password change operation is canceled. You can also press Ctrl+C to cancel the password change operation.
