HP A3100 v2 Switch Series
Fundamentals
Configuration Guide
HP A3100-8 v2 SI Switch (JG221A)
HP A3100-16 v2 SI Switch (JG222A)
HP A3100-24 v2 SI Switch (JG223A)
HP A3100-8 v2 EI Switch (JD318B)
HP A3100-16 v2 EI Switch (JD319B)
HP A3100-24 v2 EI Switch (JD320B)
HP A3100-8-PoE v2 EI Switch (JD311B)
HP A3100-16-PoE v2 EI Switch (JD312B)
HP A3100-24-PoE v2 EI Switch (JD313B)
Part number: 5998-1963
Software version: Release 5103
Document version: 6W100-20110909
Download from Www.Somanuals.com. All Manuals Search And Download.
Contents
CLI configuration··························································································································································1
Command conventions·····················································································································································1
Entering system view················································································································································3
Typing commands·····························································································································································5
Configuring command aliases································································································································6
Redisplaying input but not submitted commands··································································································8
Checking command-line errors········································································································································8
Using command history····················································································································································8
Accessing history commands··································································································································9
Controlling the CLI display············································································································································ 10
Configuring user privilege and command levels········································································································ 13
Switching user privilege level·······························································································································16
Displaying and maintaining CLI··································································································································· 20
User interface overview················································································································································· 22
Numbering user interfaces··································································································································· 22
Configuration requirements·································································································································· 24
Console login authentication modes··················································································································· 27
Configuring scheme authentication for console login······················································································· 31
Telnet login authentication modes······················································································································· 37
Configuring scheme authentication for Telnet login·························································································· 41
Configuring the SSH server·································································································································· 48
Configuring the SSH client to log in to the SSH server····················································································· 51
Configuration requirements·································································································································· 52
Modem login authentication modes···················································································································· 55
Web login overview······················································································································································ 66
Configuring HTTPS login··············································································································································· 67
Web login example······················································································································································· 70
HTTPS login example············································································································································ 71
NMS login··································································································································································74
User login control·······················································································································································78
Configuring source IP-based login control over Telnet users············································································ 78
Configuring source MAC-based login control over Telnet users······································································ 79
Source MAC-based login control configuration example················································································· 80
Configuring source IP-based login control over NMS users············································································· 81
Logging off online web users·······························································································································83
Source IP-based login control over web users configuration example···························································· 84
Introduction to FTP················································································································································· 85
FTP operation························································································································································· 85
Establishing an FTP connection···························································································································· 86
Operating the directories on an FTP server········································································································ 87
Operating the files on an FTP server··················································································································· 88
Using another username to log in to an FTP server··························································································· 89
Terminating an FTP connection···························································································································· 89
FTP client configuration example························································································································· 90
Configuring the FTP server············································································································································ 91
Configuring authentication and authorization on the FTP server····································································· 92
TFTP overview································································································································································· 96
Introduction to TFTP··············································································································································· 96
TFTP operation······················································································································································· 96
File management····················································································································································· 100
Performing directory operations·································································································································100
Changing the current working directory···········································································································101
Removing a directory··········································································································································101
Performing file operations···········································································································································101
Copying a file······················································································································································102
Managing the space of a storage medium······································································································104
Example for file operations·········································································································································104
Coexistence of multiple configuration files·······································································································107
Saving the running configuration·······························································································································107
Modes in saving the configuration····················································································································107
Setting configuration rollback·····································································································································108
Configuration rollback········································································································································108
Configuring parameters for saving the running configuration·······································································109
Setting configuration rollback····························································································································111
Backing up the startup configuration file···················································································································112
Deleting a startup configuration file···························································································································112
Displaying and maintaining a configuration file······································································································113
Software upgrade configuration···························································································································· 115
Upgrading system software through a system reboot······························································································117
Software upgrade by installing hotfixes····················································································································117
Configuration prerequisites································································································································120
One-step patch installation·································································································································121
Step-by-step patch installation····························································································································121
Software upgrade configuration examples···············································································································123
Changing the system time···········································································································································126
Configuration procedure····································································································································129
Configuring banners····················································································································································130
Introduction to banners·······································································································································130
Configuration procedure····································································································································131
Banner configuration examples·························································································································131
Rebooting the device···················································································································································132
Scheduling jobs····························································································································································133
Configuring the detection timer··································································································································135
Verifying transceiver modules····························································································································136
Displaying and maintaining device management configuration············································································137
How automatic configuration works··························································································································141
Work flow of automatic configuration··············································································································141
Using DHCP to obtain an IP address and other configuration information··················································142
Obtaining the configuration file from the TFTP server·····················································································143
Related information······················································································································································146
Documents····························································································································································146
Conventions··································································································································································147
CLI configuration
What is CLI?
The command line interface (CLI) enables you to interact with your device by typing text commands. At
the CLI, you can instruct your device to perform a given task by typing a text command and then pressing
Enter. Compared with a graphical user interface (GUI) where you can use a mouse to perform
configuration, the CLI allows you to input more information in one command line.
Figure 1 CLI example
Entering the CLI
HP devices provide multiple methods for entering the CLI, such as through the console port, through Telnet,
or through SSH. For more information, see the chapter “Logging in to the switch configuration.”
Command conventions
Command conventions help you understand command meanings. Commands in HP product manuals
Table 1 Command conventions
Convention           Description
Boldface             Bold text represents commands and keywords that you enter literally as shown.
Italic               Italic text represents arguments that you replace with actual values.
[ ]                  Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }      Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
[ x | y | ... ]      Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
{ x | y | ... } *    Asterisk marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one.
[ x | y | ... ] *    Asterisk marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none.
&<1-n>               The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times.
#                    A line that starts with a pound (#) sign is comments.
NOTE:
The keywords of HP command lines are case insensitive.
Figure 2 Read command line parameters
Following this example, you can type the following command line at the CLI of your device and press
Enter to set the device system time to 10:30:20 on February 23, 2010.
<sysname> clock datetime 10:30:20 2/23/2010
Undo form of a command
The undo form of a command restores the default, disables a function, or removes a configuration.
Almost all configuration commands have an undo form. For example, the info-center enable command
enables the information center, and the undo info-center enable command disables the information
center.
CLI view description
Commands are grouped into different classes by function. To use a command, you must enter the class
view of the command.
• After logging in to the switch, you are in user view. The user view prompt is <device name>. In user view, you can perform display, debugging, and file management operations, set the system time, restart your device, and perform FTP and Telnet operations.
• You can enter system view from user view. In system view, you can configure parameters such as daylight saving time, banners, and short-cut keys.
• From system view, you can enter different function views. For example, enter interface view to configure interface parameters, create a VLAN and enter its view, enter user interface view to configure login user attributes, create a local user and enter local user view to configure the password and level of the local user.
NOTE:
Enter ? in any view to display all the commands that can be executed in this view.
Figure 3 Command line views
Entering system view
When you log in to the device, you automatically enter user view, where <Device name> is displayed.
You can perform limited operations in user view, for example, display operations, file operations, and
Telnet operations. To perform further configuration on the device, enter system view.
Follow the step below to enter system view:
To do…              Use the command…   Remarks
Enter system view   system-view        Required. Available in user view.
Exiting the current view
The CLI is divided into different command views. Each view has a set of specific commands and defines
the effective scope of the commands. The commands available to you at any given time depend on the
view you are in.
Follow the step below to exit the current view:
To do…                                            Use the command…   Remarks
Return to the parent view from the current view   quit               Required. Available in any view.
NOTE:
• The quit command in user view stops the current connection between the terminal and the device.
• In public key code view, use the public-key-code end command to return to the parent view (public key
view). In public key view, use the peer-public-key end command to return to system view.
Returning to user view
This feature allows you to return to user view from any other view, without using the quit command
repeatedly. You can also press Ctrl+Z to return to user view from the current view.
Follow the step below to exit to user view:
To do…                Use the command…   Remarks
Return to user view   return             Required. Available in any view except user view.
Using the CLI online help
Type a question mark (?) to obtain online help. See the following examples.
1.
Type ? in any view to display all commands available in this view as well as brief descriptions of
the commands. For example:
<sysname> ?
User view commands:
  archive      Specify archive settings
  backup       Backup next startup-configuration file to TFTP server
  boot-loader  Set boot loader
  bootrom      Update/read/backup/restore bootrom
  cd           Change current directory
…Omitted…
2.
Type part of a command and a ? separated by a space.
If ? is at the keyword position, the CLI displays all possible keywords with a brief description for each
keyword. For example:
<sysname> terminal ?
  debugging  Send debug information to terminal
  logging    Send log information to terminal
  monitor    Send information output to current terminal
  trapping   Send trap information to terminal
If ? is at the argument position, the CLI displays a description about this argument. For example:
<sysname> system-view
[sysname] interface vlan-interface ?
<1-4094> VLAN interface
[sysname] interface vlan-interface 1 ?
<cr>
[sysname] interface vlan-interface 1
The string <cr> indicates that the command is a complete command, and can be executed by pressing
Enter.
3.
Type an incomplete character string followed by ?. The CLI displays all commands starting with the
typed character(s).
<sysname> b?
backup
boot-loader
bootrom
<sysname> display cl?
clipboard
clock
cluster
Typing commands
Editing command lines
Table 2 Editing functions
Key                         Function
Common keys                 If the edit buffer is not full, pressing a common key inserts the character at the position of the cursor and moves the cursor to the right.
Backspace                   Deletes the character to the left of the cursor and moves the cursor back one character.
Left arrow key or Ctrl+B    The cursor moves one character space to the left.
Right arrow key or Ctrl+F   The cursor moves one character space to the right.
Tab                         If you press Tab after entering part of a keyword, the system automatically completes the keyword:
                            • If there is a unique match, the system substitutes the complete keyword for the incomplete one and displays it in the next line.
                            • If there is more than one match, you can press Tab repeatedly to cycle through all the keywords starting with the character string that you typed.
                            • If there is no match, the system does not modify the incomplete keyword and displays it again in the next line.
Typing incomplete keywords
You can input a command comprising incomplete keywords that uniquely identify the complete
command.
In user view, for example, commands starting with an s include startup saved-configuration and
system-view.
• To enter system view, type sy.
• To set the configuration file for next startup, type st s.
You can also press Tab to have an incomplete keyword automatically completed.
Configuring command aliases
The command alias function allows you to replace the first keyword of a command with your preferred
keyword. For example, if you configure show as the replacement for the display keyword, then to execute
the display xx command, you can input the command alias show xx.
Note the following guidelines when configuring a command alias:
• You can define and use a command alias but the command is not restored in its alias format.
• When you define a command alias, the cmdkey and alias arguments must be in their complete form.
• When you input an incomplete keyword that partially matches both a defined alias and the keyword of a command, the alias takes precedence. To execute the command whose keyword partially matches your input, input the complete keyword. When you input a character string that partially matches multiple aliases, the system gives you prompts.
• If you press Tab after you input an alias keyword, the original format of the keyword is displayed.
• You can replace only the first keyword of a non-undo command instead of the complete command. You can replace only the second keyword of undo commands.
Follow these steps to configure command aliases:
To do…                              Use the command…                      Remarks
Enter system view                   system-view                           —
Enable the command alias function   command-alias enable                  Required. Disabled by default, which means you cannot configure command aliases.
Configure a command alias           command-alias mapping cmdkey alias    Required. Not configured by default.
Configuring CLI hotkeys
Follow these steps to configure CLI hotkeys:
To do…                  Use the command…                                                 Remarks
Enter system view       system-view                                                      —
Configure CLI hotkeys   hotkey { CTRL_G | CTRL_L | CTRL_O | CTRL_T | CTRL_U } command   Optional. The Ctrl+G, Ctrl+L and Ctrl+O hotkeys are specified at the CLI by default.
Display hotkeys         display hotkey                                                   See Table 3 for hotkeys reserved by the system.
NOTE:
By default, the Ctrl+G, Ctrl+L and Ctrl+O hotkeys are associated with the pre-defined commands listed
below; the Ctrl+T and Ctrl+U hotkeys are not.
• Ctrl+G corresponds to the display current-configuration command.
• Ctrl+L corresponds to the display ip routing-table command.
• Ctrl+O corresponds to the undo debugging all command.
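The session below is an added example and is not text from the original guide. It walks through the command alias procedure from the preceding table and the hotkey procedure just described in one sitting. The device name Sysname and the alias show are placeholders chosen for this example; every command used appears in the tables above, and lines starting with # are comments, as defined in Table 1.

```console
# Added example (not from the guide). The device name "Sysname" is a placeholder.
<Sysname> system-view
# 1. The alias function is disabled by default; enable it before defining a mapping.
[Sysname] command-alias enable
# 2. Both arguments must be complete keywords: cmdkey is "display", alias is "show".
[Sysname] command-alias mapping display show
# 3. Only the first keyword is replaced, so "show" works in front of any display
#    subcommand. Pressing Tab after "show" echoes the original keyword "display".
[Sysname] show current-configuration
# 4. Bind one of the free hotkeys. Ctrl+G, Ctrl+L and Ctrl+O already carry their
#    default commands; Ctrl+T and Ctrl+U do nothing until you assign them.
[Sysname] hotkey CTRL_T display history-command
# 5. Check the assignment alongside the system-reserved keys listed in Table 3.
[Sysname] display hotkey
[Sysname] return
<Sysname>
```

Two points worth keeping in mind when reviewing a device configured this way: the guide states that a command run through an alias is not restored in alias form, so anything displayed or saved later shows the original keyword and the alias only changes what the operator types; and a hotkey is defined in system view rather than per user, so a binding such as Ctrl+G (display current-configuration by default) is available to every operator who reaches the CLI.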
Table 3 Hotkeys reserved by the system
Hotkey   Function
Ctrl+A   Moves the cursor to the beginning of the current line.
Ctrl+B   Moves the cursor one character to the left.
Ctrl+C   Stops performing a command.
Ctrl+D   Deletes the character at the current cursor position.
Ctrl+E   Moves the cursor to the end of the current line.
Ctrl+F   Moves the cursor one character to the right.
Ctrl+H   Deletes the character to the left of the cursor.
Ctrl+K   Terminates an outgoing connection.
Ctrl+N   Displays the next command in the history command buffer.
Ctrl+P   Displays the previous command in the history command buffer.
Ctrl+R   Redisplays the current line information.
Ctrl+V   Pastes the content in the clipboard.
Ctrl+W   Deletes all the characters in a continuous string to the left of the cursor.
Ctrl+X   Deletes all characters to the left of the cursor.
Ctrl+Y   Deletes all characters to the right of the cursor.
Ctrl+Z   Exits to user view.
Ctrl+]   Terminates an incoming connection or a redirect connection.
Esc+B    Moves the cursor to the leading character of the continuous string to the left.
Esc+D    Deletes all the characters of the continuous string at the current cursor position and to the right of the cursor.
Esc+F    Moves the cursor to the front of the next continuous string to the right.
Esc+N    Moves the cursor down by one line (available before you press Enter).
Esc+P    Moves the cursor up by one line (available before you press Enter).
Esc+<    Specifies the cursor as the beginning of the clipboard.
Esc+>    Specifies the cursor as the ending of the clipboard.
NOTE:
The hotkeys in Table 3 are defined by the switch. If the same hotkeys are defined by the terminal software
that you use to interact with the switch, the hotkeys defined by the terminal software take effect.
Redisplaying input but not submitted commands
If your command input is interrupted by output system information, you can use this feature to redisplay
the commands input previously but not submitted.
Follow these steps to enable redisplaying of commands previously input but not submitted:
To do…                                                    Use the command…          Remarks
Enter system view                                         system-view               —
Enable redisplaying of input but not submitted commands   info-center synchronous   Required. Disabled by default.
NOTE:
• If you have no input at the command line prompt and the system outputs system information such as
logs, the system will not display the command line prompt after the output.
• If the system outputs system information when you are typing interactive information (not YES/NO for
confirmation), the system does not redisplay the prompt information; it outputs a line break after the
output and then displays what you have typed.
• For more information about the info-center synchronous command, see the Network Management and
Monitoring Configuration Guide.
Checking command-line errors
If a command contains syntax errors, the CLI reports error information.
Table 4 Common command line errors
Error information                                 Cause
% Unrecognized command found at '^' position.     The command was not found.
% Incomplete command found at '^' position.       Incomplete command.
% Ambiguous command found at '^' position.        Ambiguous command.
Too many parameters                               Too many parameters.
% Wrong parameter found at '^' position.          Wrong parameters.
Using command history
The CLI automatically saves the commands recently used in the history command buffer. You can access
these commands and execute them again.
Accessing history commands
Perform one of the following operations to access history commands:
To do…                                 Use the key/command…        Result
Display history commands               display history-command     Displays valid history commands you used.
Display the previous history command   Up arrow key or Ctrl+P      Displays the previous history command, if any.
Display the next history command       Down arrow key or Ctrl+N    Displays the next history command, if any.
NOTE:
• You can use arrow keys to access history commands in Windows 200X and XP Terminal or Telnet. However, the up and down arrow keys are invalid in Windows 9X HyperTerminal, because they are defined differently. You can use Ctrl+P or Ctrl+N instead.
• The commands saved in the history command buffer are in the same format in which you typed the commands. If you type an incomplete command, the command saved in the history command buffer is also incomplete.
• If you execute the same command repeatedly, the switch saves only the earliest record. However, if you execute the same command in different formats, the system saves them as different commands. For example, if you execute the display cu command repeatedly, the system saves only one command in the history command buffer. If you execute the command in the format of display cu and display current-configuration respectively, the system saves them as two separate commands.
• By default, the CLI can save up to 10 commands for each user. To set the capacity of the history command buffer for the current user interface, use the history-command max-size command. (For more information about the history-command max-size command, see the chapter “Logging in to the switch commands.”)
Configuring the history buffer size
Follow these steps to configure the history buffer size:
To do…                                                                   Use the command…                                                                   Remarks
Enter system view                                                        system-view                                                                        —
Enter user interface view                                                user-interface { first-num1 [ last-num1 ] | { aux | vty } first-num2 [ last-num2 ] }   —
Set the maximum number of commands that can be saved in the history buffer   history-command max-size size-value                                            Optional. By default, the history buffer can save up to 10 commands.
NOTE:
For more information about the user-interface and history-command max-size commands, see the
chapter “Logging in to the switch commands.”
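The session below is an added example, not text from the guide. It applies the history buffer procedure from the table above to VTY user interfaces 0 through 4 and then reads the buffer back. The device name Sysname is a placeholder, and the user interface view prompt shown ([Sysname-ui-vty0-4]) is assumed for this example; the commands are those listed in the table.

```console
# Added example (not from the guide). "Sysname" and the user interface view
# prompt are assumed placeholders.
<Sysname> system-view
[Sysname] user-interface vty 0 4
# The default is 10 commands per user; raise it to 20 for the VTY (Telnet/SSH) lines.
[Sysname-ui-vty0-4] history-command max-size 20
[Sysname-ui-vty0-4] return
# Read the buffer back. Entries are kept exactly as typed: an abbreviated
# "display cu" and the full "display current-configuration" are two entries,
# while a command repeated in the same form is stored once (the earliest record).
<Sysname> display history-command
```

Two consequences of the rules in the note above are worth noting. Because entries are kept as typed, anything typed inline in a command during a session can be read back with display history-command, or recalled with Ctrl+P, for as long as the entry stays in the buffer, so keep the buffer no larger than operators actually need. And because the size is set in user interface view, a value set for vty 0 4 applies to those lines only; console (aux) users keep their own setting.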
Controlling the CLI display
Multi-screen display
Controlling multi-screen display
If the output information spans multiple screens, each screen pauses after it is displayed. Perform one of
the following operations to proceed.
Action             Function
Press Space        Displays the next screen.
Press Enter        Displays the next line.
Press Ctrl+C       Stops the display and the command execution.
Press <PageUp>     Displays the previous page.
Press <PageDown>   Displays the next page.
By default, each screen displays up to 24 lines. To change the maximum number of lines displayed on the
next screen, use the screen-length command. For more information about the screen-length command,
see the chapter “Logging in to the switch commands.”
Disabling multi-screen display
You can use the following command to disable the multi-screen display function. All of the output information will be displayed at one time and the screen will refresh continuously until the last screen is displayed.
1. Disable the multi-screen display function
   Use the command: screen-length disable
   Remarks: Required. By default, a login user uses the settings of the screen-length command. The default settings of the screen-length command are: multiple-screen display is enabled and up to 24 lines are displayed on the next screen. This command is executed in user view, and takes effect for the current user only. When the user re-logs into the switch, the default configuration is restored.
Filtering output information
Introduction
You can use regular expressions in display commands to filter output information.
The following methods are available for filtering output information:
• Input the begin, exclude, or include keyword plus a regular expression in the display command to filter the output information.
• When the system displays the output information in multiple screens, use /, - or + plus a regular expression to filter subsequent output information. / equals the keyword begin, - equals the keyword exclude, and + equals the keyword include.
The following definitions apply to the begin, exclude, and include keywords:
• begin: Displays the first line that matches the specified regular expression and all lines that follow.
• exclude: Displays all lines that do not match the specified regular expression.
• include: Displays all lines that match the specified regular expression.
A regular expression is a case-sensitive string of 1 to 256 characters. It supports the following special characters.
Character: ^string
Meaning: Starting sign. string appears only at the beginning of a line.
Remarks: For example, regular expression “^user” only matches a string beginning with “user”, not “Auser”.
Character: string$
Meaning: Ending sign. string appears only at the end of a line.
Remarks: For example, regular expression “user$” only matches a string ending with “user”, not “userA”.
Character: .
Meaning: Matches any single character, such as a single character, a special character, and a blank.
Remarks: For example, “.s” matches “as” and “bs”.
Character: *
Meaning: Matches the preceding character or character group zero or multiple times.
Remarks: For example, “zo*” matches “z” and “zoo”; “(zo)*” matches “zo” and “zozo”.
Character: +
Meaning: Matches the preceding character or character group one or multiple times.
Remarks: For example, “zo+” matches “zo” and “zoo”, but not “z”.
Character: |
Meaning: Matches the preceding or succeeding character string.
Remarks: For example, “def|int” only matches a character string containing “def” or “int”.
Character: _
Meaning: If it is at the beginning or the end of a regular expression, it equals ^ or $. In other cases, it equals comma, space, round bracket, or curly bracket.
Remarks: For example, “a_b” matches “a b” or “a(b”; “_ab” only matches a line starting with “ab”; “ab_” only matches a line ending with “ab”.
Character: -
Meaning: Connects two values (the smaller one before it and the bigger one after it) to indicate a range together with [ ].
Remarks: For example, “1-9” means 1 to 9 (inclusive); “a-h” means a to h (inclusive).
Character: [ ]
Meaning: Matches a single character contained within the brackets.
Remarks: For example, [16A] matches a string containing any character among 1, 6, and A; [1-36A] matches a string containing any character among 1, 2, 3, 6, and A (- is a hyphen). “]” can be matched as a common character only when it is put at the beginning of characters within the brackets, for example [ ]string]. There is no such limit on “[”.
Character: ( )
Meaning: A character group. It is usually used with “+” or “*”.
Remarks: For example, (123A) means a character group “123A”; “408(12)+” matches 40812 or 408121212. But it does not match 408.
Character: \index
Meaning: Repeats the character string specified by the index. A character string refers to the string within ( ) before \. index refers to the sequence number (starting from 1 from left to right) of the character group before \. If only one character group appears before \, index can only be 1; if n character groups appear before index, index can be any integer from 1 to n.
Remarks: For example, (string)\1 repeats string, and a matching string must contain stringstring. (string1)(string2)\2 repeats string2, and a matching string must contain string1string2string2. (string1)(string2)\1\2 repeats string1 and string2 respectively, and a matching string must contain string1string2string1string2.
Character: [^]
Meaning: Matches a single character not contained within the brackets.
Remarks: For example, [^16A] means to match a string containing any character except 1, 6 or A, and the matching string can also contain 1, 6 or A, but cannot contain these three characters only. For example, [^16A] matches “abc” and “m16”, but not 1, 16, or 16A.
Character: \<string
Meaning: Matches a character string starting with string.
Remarks: For example, “\<do” matches word “domain” and string “doa”.
Character: string\>
Meaning: Matches a character string ending with string.
Remarks: For example, “do\>” matches word “undo” and string “abcdo”.
Character: \bcharacter2
Meaning: Matches character1character2. character1 can be any character except number, letter or underline, and \b equals [^A-Za-z0-9_].
Remarks: For example, “\ba” matches “-a” with “-” being character1, and “a” being character2, but it does not match “2a” or “ba”.
Character: \Bcharacter
Meaning: Matches a string containing character, and no space is allowed before character.
Remarks: For example, “\Bt” matches “t” in “install”, but not “t” in “big top”.
Character: character1\w
Meaning: Matches character1character2. character2 must be a number, letter, or underline, and \w equals [A-Za-z0-9_].
Remarks: For example, “v\w” matches “vlan”, with “v” being character1, and “l” being character2. v\w also matches “service”, with “i” being character2.
Character: \W
Meaning: Equals \b.
Remarks: For example, “\Wa” matches “-a”, with “-” being character1, and “a” being character2, but does not match “2a” or “ba”.
Character: \
Meaning: Escape character. If a special character listed in this table follows \, the specific meaning of the character is removed.
Remarks: For example, “\\” matches a string containing “\”, “\^” matches a string containing “^”, and “\\b” matches a string containing “\b”.
Example of filtering output information
1. Example of using the begin keyword
# Display the configuration from the line containing “user-interface” to the last line in the current configuration (the output information depends on the current configuration).
<Sysname> display current-configuration | begin user-interface
user-interface aux 0
user-interface vty 0 15
 authentication-mode none
 user privilege level 3
#
return
2. Example of using the exclude keyword
# Display the non-direct routes in the routing table (the output depends on the current configuration).
<Sysname> display ip routing-table | exclude Direct
Routing Tables: Public
Destination/Mask    Proto   Pre  Cost   NextHop         Interface
1.1.1.0/24          Static  60   0      192.168.0.0     Vlan1
3. Example of using the include keyword
# Display the route entries that contain Vlan in the routing table (the output depends on the current configuration).
<Sysname> display ip routing-table | include Vlan
Routing Tables: Public
Destination/Mask    Proto   Pre  Cost   NextHop         Interface
192.168.1.0/24      Direct  0    0      192.168.1.42    Vlan999
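As an added example (not code from the HP guide or the switch), the following Python reproduces the begin, exclude and include semantics defined above, the /, - and + shortcuts typed at a multi-screen pause, and screen-length paging with the 24-line default and the disabled setting. It runs over a constructed routing-table listing, not real device output. Two assumptions: Python's re dialect is used, so the switch-specific characters _, \< and \> are not translated; and every line is filtered, whereas the real switch keeps the title and column-header lines in the examples above.

```python
"""begin/exclude/include output filtering, pager shortcuts and paging.
Added example with constructed sample output; function names are invented."""
import re

# Shortcuts accepted at a multi-screen pause, mapped to the display keywords
PAGER_SHORTCUTS = {"/": "begin", "-": "exclude", "+": "include"}


def filter_output(lines, keyword, pattern):
    """Apply a display-command filter to a list of output lines.

    begin   -> the first matching line and all lines that follow
    exclude -> all lines that do not match
    include -> all lines that match
    Matching is case-sensitive, as on the switch; pattern length 1 to 256.
    """
    if not 1 <= len(pattern) <= 256:
        raise ValueError("regular expression must be 1 to 256 characters")
    regex = re.compile(pattern)           # case-sensitive by default
    if keyword == "begin":
        for i, line in enumerate(lines):
            if regex.search(line):
                return list(lines[i:])
        return []
    if keyword == "exclude":
        return [ln for ln in lines if not regex.search(ln)]
    if keyword == "include":
        return [ln for ln in lines if regex.search(ln)]
    raise ValueError("unknown filter keyword: " + keyword)


def pager_filter(remaining_lines, typed):
    """Model of typing '/regex', '-regex' or '+regex' at a screen pause:
    the filter applies to the output that has not been displayed yet."""
    shortcut, pattern = typed[0], typed[1:]
    return filter_output(remaining_lines, PAGER_SHORTCUTS[shortcut], pattern)


def paginate(lines, screen_length=24):
    """Split output into screens of screen_length lines (24 by default).
    screen_length=None models 'screen-length disable' (one continuous screen)."""
    lines = list(lines)
    if screen_length is None:
        return [lines]
    return [lines[i:i + screen_length] for i in range(0, len(lines), screen_length)]


# Constructed sample, modelled on 'display ip routing-table' output (not real device output)
SAMPLE_ROUTING_TABLE = [
    "Routing Tables: Public",
    "Destination/Mask    Proto   Pre  Cost   NextHop         Interface",
    "1.1.1.0/24          Static  60   0      192.168.0.0     Vlan1",
    "192.168.1.0/24      Direct  0    0      192.168.1.42    Vlan999",
    "192.168.1.42/32     Direct  0    0      127.0.0.1       InLoop0",
    "127.0.0.0/8         Direct  0    0      127.0.0.1       InLoop0",
]


if __name__ == "__main__":
    for line in filter_output(SAMPLE_ROUTING_TABLE, "exclude", "Direct"):
        print(line)
```

The `[^16A]` test below checks the guide's own statement that this expression matches “abc” and “m16” but not “16A”: a line made only of the excluded characters has no character left that can match.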
Configuring user privilege and command levels
Introduction
To avoid unauthorized access, the switch defines user privilege levels and command levels. User privilege
levels correspond to command levels. When a user at a specific privilege level logs in, the user can only
use commands at that level or lower levels.
All the commands are categorized into four levels: visit, monitor, system, and manage, and are identified
Table 5 Default command levels
Level: 0
Privilege: Visit
Description: Involves commands for network diagnosis and accessing an external device. Command configuration at this level cannot survive a device restart. Upon device restart, the commands at this level will be restored to the default settings. Commands at this level include ping, tracert, telnet and ssh2.
Level: 1
Privilege: Monitor
Description: Involves commands for system maintenance and service fault diagnosis. Commands at this level are not allowed to be saved after being configured. After the switch is restarted, the commands at this level will be restored to the default settings. Commands at this level include debugging, terminal, refresh, reset, and send.
Level: 2
Privilege: System
Description: Involves service configuration commands, such as routing configuration commands and commands for configuring services at different network levels. By default, commands at this level include all configuration commands except for those at the manage level.
Level: 3
Privilege: Manage
Description: Involves commands that influence the basic operation of the system and commands for configuring system support modules. By default, commands at this level involve the configuration commands of file system, FTP, TFTP, Xmodem download, user management, level setting, and parameter settings within a system (which are not defined by any protocols or RFCs).
Configuring a user privilege level
A user privilege level can be configured by using AAA authentication parameters or under a user
interface.
Configure user privilege level by using AAA authentication parameters
If the user interface authentication mode is scheme, the user privilege level of users logging into the user
interface is specified in AAA authentication configuration.
Follow these steps to configure the user privilege level by using AAA authentication parameters:
1. Enter system view
   Use the command: system-view
   Remarks: —
2. Enter user interface view
   Use the command: user-interface { first-num1 [ last-num1 ] | { aux | vty } first-num2 [ last-num2 ] }
   Remarks: —
3. Specify the scheme authentication mode
   Use the command: authentication-mode scheme
   Remarks: Required. By default, the authentication mode for VTY users is password, and no authentication is needed for AUX login users.
4. Return to system view
   Use the command: quit
   Remarks: —
5. Configure the authentication mode for SSH users as password
   Remarks: Required if users use SSH to log in, and username and password are needed at authentication. For more information about SSH, see the Security Configuration Guide.
6. Configure the user privilege level by using AAA authentication parameters (use either approach)
   Using local authentication:
   Use the command: Use the local-user command to create a local user and enter local user view. Use the level keyword in the authorization-attribute command to configure the user privilege level.
   Remarks: For local authentication, if you do not configure the user privilege level, the user privilege level is 0.
   Using remote authentication:
   Use the command: Configure the user privilege level on the authentication server (RADIUS, HWTACACS authentications).
   Remarks: For remote authentication, if you do not configure the user privilege level, the user privilege level depends on the default configuration of the authentication server.
Example of configuring a user privilege level by using AAA authentication parameters
# You are required to authenticate the users that Telnet to the switch through VTY 1, verify their username and password, and specify the user privilege level as 3.
<Sysname> system-view
[Sysname] user-interface vty 1
[Sysname-ui-vty1] authentication-mode scheme
[Sysname-ui-vty1] quit
[Sysname] local-user test
[Sysname-luser-test] password cipher 12345678
[Sysname-luser-test] service-type telnet
When users telnet to the switch through VTY 1, they need to input username test and password 12345678. After passing authentication, the users can only use level 0 commands. If the users want to use level 0, 1, 2, and 3 commands, the following configuration is required:
[Sysname-luser-test] authorization-attribute level 3
Configure the user privilege level under a user interface
• If the user interface authentication mode is scheme, and SSH publickey authentication type (only a username is needed for this authentication type) is adopted, the user privilege level of users logging into the user interface is the user interface level.
• If the user interface authentication mode is none or password, the user privilege level of users logging into the user interface is the user interface level.
Follow these steps to configure the user privilege level under a user interface (SSH publickey authentication type):
1. Configure the authentication type for SSH users as publickey
   Remarks: Required if the SSH login mode is adopted, and only username is needed during authentication. After the configuration, the authentication mode of the corresponding user interface must be set to scheme. For more information about SSH, see the Security Configuration Guide.
2. Enter system view
   Use the command: system-view
   Remarks: —
3. Enter user interface view
   Use the command: user-interface { first-num1 [ last-num1 ] | vty first-num2 [ last-num2 ] }
   Remarks: —
4. Configure the authentication mode for any user that uses the current user interface to log in to the switch
   Use the command: authentication-mode scheme
   Remarks: Required. By default, the authentication mode for VTY users is password, and no authentication is needed for AUX users.
5. Configure the privilege level for users that log in through the current user interface
   Use the command: user privilege level level
   Remarks: Optional. By default, the user privilege level for users logged in through the AUX user interface is 3, and that for users logged in through the VTY interfaces is 0.
Follow these steps to configure the user privilege level under a user interface (none or password authentication mode):
1. Enter system view
   Use the command: system-view
   Remarks: —
2. Enter user interface view
   Use the command: user-interface { first-num1 [ last-num1 ] | { aux | vty } first-num2 [ last-num2 ] }
   Remarks: —
3. Configure the authentication mode for any user that uses the current user interface to log in to the switch
   Use the command: authentication-mode { none | password }
   Remarks: Optional. By default, the authentication mode for VTY user interfaces is password, and no authentication is needed for AUX login users.
4. Configure the privilege level of users logged in through the current user interface
   Use the command: user privilege level level
   Remarks: Optional. By default, the user privilege level for users logged in through the AUX user interface is 3, and that for users logged in through the VTY interfaces is 0.
Example of configuring a user privilege level under a user interface
# Authenticate users logged in to the switch through Telnet, verify their password, and specify their user
privilege level as 2.
<Sysname> system-view
[Sysname] user-interface vty 0 15
[Sysname-ui-vty0-15] authentication-mode password
[Sysname-ui-vty0-15] set authentication password cipher 123
[Sysname-ui-vty0-15] user privilege level 2
By default, Telnet users can use level 0 commands after passing authentication. After the configuration
above is completed, when users log in to the switch through Telnet, they need to input password 123, and
then they can use level 0, 1, and 2 commands.
NOTE:
• For more information about user interfaces, see the chapter “Logging in to the switch configuration.” For
more information about the user-interface, authentication-mode, and user privilege level commands,
see the chapter “Logging in to the switch commands.”
• For more information about AAA authentication, see the Security Configuration Guide. For more
information about the local-user and authorization-attribute commands, see the Security Command
Reference.
• For more information about SSH, see the Security Configuration Guide.
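The rules in this section (user interface level for none/password and for SSH publickey, AAA-assigned level for scheme, the defaults AUX 3 and VTY 0, and level 0 for a local user without authorization-attribute level) are brought together below in an added Python example. It is not code from the HP guide or the switch; UserInterface, LocalUser and effective_privilege_level are invented names, and the AAA server is a constructed dictionary standing in for a RADIUS or HWTACACS server.

```python
"""Model of how the switch selects a login session's user privilege level.
Added example; class and function names are invented for illustration."""
from dataclasses import dataclass
from typing import Optional

DEFAULT_UI_LEVEL = {"aux": 3, "vty": 0}            # default 'user privilege level'
DEFAULT_UI_AUTH = {"aux": "none", "vty": "password"}  # default 'authentication-mode'


@dataclass
class UserInterface:
    kind: str                                  # "aux" or "vty"
    authentication_mode: Optional[str] = None  # "none", "password" or "scheme"
    privilege_level: Optional[int] = None      # set with 'user privilege level level'

    def __post_init__(self):
        if self.authentication_mode is None:
            self.authentication_mode = DEFAULT_UI_AUTH[self.kind]

    @property
    def level(self) -> int:
        if self.privilege_level is None:
            return DEFAULT_UI_LEVEL[self.kind]
        return self.privilege_level


@dataclass
class LocalUser:
    name: str
    password: str
    level: Optional[int] = None   # 'authorization-attribute level N'; unset means 0


def effective_privilege_level(ui, login, local_users, aaa_server=None):
    """Return the privilege level the session receives after authentication.

    login:       {"method": "telnet"|"ssh"|"console", "username": str,
                  "auth_type": "password"|"publickey"}   (auth_type only for ssh)
    local_users: {name: LocalUser}
    aaa_server:  constructed stand-in {"levels": {name: int}, "default_level": int}
    """
    if ui.authentication_mode in ("none", "password"):
        return ui.level                       # user interface level applies
    if ui.authentication_mode != "scheme":
        raise ValueError("unknown authentication mode: %r" % ui.authentication_mode)
    if login.get("method") == "ssh" and login.get("auth_type") == "publickey":
        return ui.level                       # username only: user interface level
    name = login["username"]
    if name in local_users:                   # local AAA authentication
        lvl = local_users[name].level
        return 0 if lvl is None else lvl
    if aaa_server is not None:                # remote AAA authentication
        return aaa_server["levels"].get(name, aaa_server["default_level"])
    raise LookupError("user %s is unknown locally and no AAA server is configured" % name)


if __name__ == "__main__":
    vty1 = UserInterface("vty", "scheme")
    users = {"test": LocalUser("test", "12345678")}        # no level configured yet
    print(effective_privilege_level(vty1, {"method": "telnet", "username": "test"}, users))
```

The usage at the bottom reproduces the configuration example above: with authentication-mode scheme and a local user whose level is not configured, the session lands at level 0 until authorization-attribute level 3 is added.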
Switching user privilege level
Introduction
Users can switch to a different user privilege level temporarily without logging out and terminating the current connection. After the privilege level switch, users can continue to configure the switch without needing to log back in, but the commands that they can execute have changed. For example, if the current user privilege level is 3, the user can configure system parameters. After switching to user privilege level 0, the user can only execute simple commands, like ping and tracert, and only a few display commands. The switching operation is effective for the current login. After the user logs back in, the user privilege restores to the original level.
• To avoid problems, HP recommends that administrators log in to the switch by using a lower privilege level and view switch operating parameters. To maintain the switch, administrators can temporarily switch to a higher level.
• If the administrators need to leave or need to ask someone else to temporarily manage the switch, they can switch to a lower privilege level to restrict the operation by others.
Setting the authentication mode for user privilege level switch
• A user can switch to a privilege level equal to or lower than the current one unconditionally and is not required to input a password (if any).
• For security, a user is required to input the password (if any) to switch to a higher privilege level. The authentication falls into one of the following four categories:
Authentication mode: local
Meaning: Local password authentication
Description: The switch authenticates a user by using the privilege level switch password input by the user. When this mode is applied, you need to set the password for privilege level switch with the super password command.
Authentication mode: scheme
Meaning: Remote AAA authentication through HWTACACS or RADIUS
Description: The switch sends the username and password for privilege level switch to the HWTACACS or RADIUS server for remote authentication. When this mode is applied, you need to perform the following configurations:
• Configure HWTACACS or RADIUS scheme and reference the created scheme in the ISP domain. For more information, see the Security Configuration Guide.
• Create the corresponding user and configure password on the HWTACACS or RADIUS server.
Authentication mode: local scheme
Meaning: Performs the local password authentication first and then the remote AAA authentication
Description: The switch authenticates a user by using the local password first. If no local password is set, the privilege level is switched directly for the users logged in from the AUX port, and remote AAA authentication is performed on the users logged in from VTY user interfaces.
Authentication mode: scheme local
Meaning: Performs remote AAA authentication first and then the local password authentication
Description: AAA authentication is performed first, and if the remote HWTACACS or RADIUS server does not respond or AAA configuration on the switch is invalid, the local password authentication is performed.
Follow these steps to set the authentication mode for user privilege level switch:
1. Enter system view
   Use the command: system-view
   Remarks: —
2. Set the authentication mode for user privilege level switch
   Use the command: super authentication-mode { local | scheme } *
   Remarks: Optional. local by default.
3. Configure the password for user privilege level switch
   Use the command: super password [ level user-level ] { simple | cipher } password
   Remarks: Required if the authentication mode is set to local. By default, no privilege level switch password is configured.
CAUTION:
• If no user privilege level is specified when you configure the password for switching the user privilege
level with the super password command, the user privilege level defaults to 3.
• Specifying the simple keyword saves the password in plain text, which is less secure than specifying the
cipher keyword, which saves the password in cipher text.
• If the user logs in from the AUX user interface (the console port), the user can switch the privilege level
to a higher level even if the authentication mode is local and no password for user privilege level switch
is configured.
Switching the user privilege level
Follow the step to switch the user privilege level:
1. Switch the user privilege level
   Use the command: super [ level ]
   Remarks: Required. Available in user view. When logging in to the switch, a user has a user privilege level, which depends on user interface or authentication user level.
When you switch the user privilege level, the information you need to provide varies with combinations
of the user interface authentication mode and the super authentication mode.
Table 6 Information input for user privilege level switch
User interface authentication mode: none/password
  User privilege level switch authentication mode: local
    Information input for the first authentication mode: Local user privilege level switch password (configured on the switch)
    Information input after the authentication mode changes: —
  User privilege level switch authentication mode: local scheme
    Information input for the first authentication mode: Local user privilege level switch password
    Information input after the authentication mode changes: Username and password for privilege level switch (configured on the AAA server)
  User privilege level switch authentication mode: scheme
    Information input for the first authentication mode: Username and password for privilege level switch
    Information input after the authentication mode changes: —
  User privilege level switch authentication mode: scheme local
    Information input for the first authentication mode: Username and password for privilege level switch
    Information input after the authentication mode changes: Local user privilege level switch password
User interface authentication mode: scheme
  User privilege level switch authentication mode: local
    Information input for the first authentication mode: Local user privilege level switch password
    Information input after the authentication mode changes: —
  User privilege level switch authentication mode: local scheme
    Information input for the first authentication mode: Local user privilege level switch password
    Information input after the authentication mode changes: Password for privilege level switch (configured on the AAA server). The system uses the username used for logging in as the privilege level switch username.
  User privilege level switch authentication mode: scheme
    Information input for the first authentication mode: Password for privilege level switch (configured on the AAA server). The system uses the username used for logging in as the privilege level switch username.
    Information input after the authentication mode changes: —
  User privilege level switch authentication mode: scheme local
    Information input for the first authentication mode: Password for privilege level switch (configured on the AAA server). The system uses the username used for logging in as the privilege level switch username.
    Information input after the authentication mode changes: Local user privilege level switch password
CAUTION:
• When the authentication mode is set to local, configure the local password before switching to a higher
user privilege level.
• When the authentication mode is set to scheme, configure AAA related parameters before switching to
a higher user privilege level.
• The privilege level switch fails after three consecutive unsuccessful password attempts.
• For more information about user interface authentication, see the chapter “Logging in to the switch
configuration.”
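As an added example, not code from the HP guide or the switch, the Python below models the super [ level ] decision described in this section: an equal or lower level needs no password, local and scheme are tried in the order the super authentication-mode setting names, a console (AUX) user switches up without a password when no local password exists, a silent AAA server makes scheme local fall back to the local password, and the switch fails after three consecutive wrong passwords. PrivilegeSwitch and its methods are invented names, and the AAA server is a constructed dictionary (None models a server that does not respond).

```python
"""Model of 'super [ level ]' handling under the four super authentication modes.
Added example; names are invented and the AAA server is a constructed stand-in."""

MAX_ATTEMPTS = 3            # the switch fails after three consecutive wrong passwords
DEFAULT_SUPER_LEVEL = 3     # 'super password' without 'level' applies to level 3


class PrivilegeSwitch:
    def __init__(self, mode="local", local_passwords=None, aaa_server=None):
        self.mode = mode                                    # 'super authentication-mode'
        self.local_passwords = dict(local_passwords or {})  # level -> 'super password'
        self.aaa_server = aaa_server    # {"users": {name: password}} or None (no response)

    def set_super_password(self, password, level=DEFAULT_SUPER_LEVEL):
        """super password [ level user-level ] { simple | cipher } password"""
        self.local_passwords[level] = password

    def switch(self, session, target_level, password_attempts=(), username=None):
        """Return the new level, or None when the privilege level switch fails.

        session:           {"level": int, "interface": "aux"|"vty", "username": str}
        password_attempts: passwords typed at the prompt, in order
        username:          name sent to the AAA server when the user interface
                           authentication mode is none/password (Table 6); the
                           login username is used otherwise
        """
        if target_level <= session["level"]:
            return target_level                       # equal or lower: no password asked
        username = username or session.get("username")
        no_local = self.local_passwords.get(target_level) is None
        if self.mode in ("local", "local scheme") and no_local:
            if session["interface"] == "aux":
                return target_level                   # console user switches directly
            if self.mode == "local":
                return None                           # nothing to check the password against
        for password in list(password_attempts)[:MAX_ATTEMPTS]:
            if self._authenticate(session, target_level, username, password):
                return target_level
        return None                                   # three failures (or no attempt)

    def _check_local(self, target_level, password):
        expected = self.local_passwords.get(target_level)
        return None if expected is None else password == expected

    def _check_remote(self, username, password):
        if self.aaa_server is None:
            return None                               # server does not respond
        return self.aaa_server["users"].get(username) == password

    def _authenticate(self, session, target_level, username, password):
        if self.mode == "local":
            return bool(self._check_local(target_level, password))
        if self.mode == "scheme":
            return bool(self._check_remote(username, password))
        if self.mode == "local scheme":
            local = self._check_local(target_level, password)
            if local is not None:
                return local                          # a local password exists: it decides
            return bool(self._check_remote(username, password))   # VTY user, no local password
        if self.mode == "scheme local":
            remote = self._check_remote(username, password)
            if remote is not None:
                return remote                         # server answered: its verdict stands
            return bool(self._check_local(target_level, password))  # server silent: fall back
        raise ValueError("unknown super authentication mode: " + self.mode)


if __name__ == "__main__":
    ps = PrivilegeSwitch(mode="local")
    ps.set_super_password("s3cret")                    # constructed sample password
    vty_user = {"level": 0, "interface": "vty", "username": "test"}
    print(ps.switch(vty_user, 3, ["wrong", "s3cret"]))   # second attempt succeeds
```

Two behaviours worth noticing from a hardening point of view: in local mode a VTY user cannot switch up at all until super password is configured, while an AUX user can, which is why the CAUTION above ties console access to physical security; and in scheme local mode a wrong answer from a reachable server is final, only a non-responding server opens the local fallback.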
Modifying the level of a command
All the commands in a view default to different levels. The administrator can change the default level of
a command to a different level as needed.
Follow these steps to modify the command level:
1. Enter system view
   Use the command: system-view
   Remarks: —
2. Configure the command level in a specified view
   Use the command: command-privilege level level view view command
   Remarks: Required
CAUTION:
HP recommends that you use the default command level or modify the command level under the guidance
of professional staff. An improper change of the command level may bring inconvenience to your
maintenance and operation, or even potential security problems.
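The following added Python example (not code from the HP guide or the switch) models the Table 5 defaults for the commands the table names, the command-privilege level adjustment, the rule that a user may run only commands at or below their own level, and an audit listing every command whose level has been lowered below its default, which is the review the CAUTION above calls for. CommandLevelTable and its methods are invented names; only commands explicitly listed in Table 5 are given default levels here.

```python
"""Command levels, 'command-privilege level' changes and a lowered-level audit.
Added example; names are invented and only Table 5's named commands are listed."""

LEVEL_NAMES = {0: "visit", 1: "monitor", 2: "system", 3: "manage"}

# (view, command) -> default level, for the commands Table 5 names explicitly
DEFAULT_COMMAND_LEVELS = {
    ("user", "ping"): 0, ("user", "tracert"): 0, ("user", "telnet"): 0, ("user", "ssh2"): 0,
    ("user", "debugging"): 1, ("user", "terminal"): 1, ("user", "refresh"): 1,
    ("user", "reset"): 1, ("user", "send"): 1,
}


class CommandLevelTable:
    def __init__(self, defaults=DEFAULT_COMMAND_LEVELS):
        self._defaults = dict(defaults)   # kept for the audit below
        self._levels = dict(defaults)     # current, possibly modified, levels

    def level_of(self, view, command):
        try:
            return self._levels[(view, command)]
        except KeyError:
            raise KeyError("no level recorded for '%s' in %s view" % (command, view))

    def set_level(self, view, command, level):
        """command-privilege level <level> view <view> <command>"""
        if level not in LEVEL_NAMES:
            raise ValueError("level must be 0 to 3")
        self._levels[(view, command)] = level

    def can_execute(self, user_level, view, command):
        """A user at privilege level N may use commands at level N or lower."""
        return user_level >= self.level_of(view, command)

    def lowered_commands(self):
        """Commands now runnable at a lower level than their default, as
        (view, command, default_level, current_level) tuples."""
        return sorted(
            (view, cmd, self._defaults[(view, cmd)], lvl)
            for (view, cmd), lvl in self._levels.items()
            if (view, cmd) in self._defaults and lvl < self._defaults[(view, cmd)]
        )


if __name__ == "__main__":
    table = CommandLevelTable()
    table.set_level("user", "reset", 0)             # a change the CAUTION warns about
    for view, cmd, default, now in table.lowered_commands():
        print("%s (view %s): default level %d, now %d" % (cmd, view, default, now))
```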
Saving the current configuration
On the device, you can input the save command in any view to save all of the submitted and executed
commands into the configuration file. Commands saved in the configuration file can survive a reboot.
The save command does not take effect on one-time commands, such as display commands, which
display specified information, and the reset commands, which clear specified information. One-time
commands that are executed are never saved.
Displaying and maintaining CLI
• Display defined command aliases and the corresponding commands
  Use the command: display command-alias [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view
• Display the clipboard information
  Use the command: display clipboard [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view
Login methods
Login methods
You can log in to the switch by using the following methods.
Table 7 Login methods
Login method: Console port
Default state: By default, you can log in to a device through the console port, the authentication mode is None (no username or password required), and the user privilege level is 3.
Login method: Telnet
Default state: By default, you cannot log in to a device through Telnet. To do so, log in to the device through the console port, and complete the following configuration:
• Enable the Telnet function.
• Configure the IP address of the VLAN interface, and make sure that your device and the Telnet client can reach each other (by default, the device does not have an IP address).
• Configure the authentication mode of VTY login users (password by default).
• Configure the user privilege level of VTY login users (0 by default).
Login method: SSH
Default state: By default, you cannot log in to a device through SSH. To do so, log in to the device through the console port, and complete the following configuration:
• Enable the SSH function and configure SSH attributes.
• Configure the IP address of the VLAN interface, and make sure that your device and the SSH client can reach each other (by default, your device does not have an IP address).
• Configure the authentication mode of VTY login users as scheme (password by default).
• Configure the user privilege level of VTY login users (0 by default).
Login method: Modem
Default state: By default, you can log in to a device through modems. The default user privilege level of modem login users is 3.
Login method: Web login
Default state: By default, you cannot log in to a device through web. To do so, log in to the device through the console port, and complete the following configuration:
• Configure the IP address of the VLAN interface (by default, your device does not have an IP address).
• Configure a username and password for web login (not configured by default).
• Configure the user privilege level for web login (not configured by default).
• Configure the Telnet service type for web login (not configured by default).
Login method: NMS
Default state: By default, you cannot log in to a device through a network management system (NMS). To do so, log in to the device through the console port, and complete the following configuration:
• Configure the IP address of the VLAN interface, and make sure the device and the NMS can reach each other (by default, your device does not have an IP address).
• Configure SNMP basic parameters.
User interface overview
User interface, also called “line”, allows you to manage and monitor sessions between the terminal and
device when you log in to the device through the console port directly, or through Telnet or SSH.
One user interface corresponds to one user interface view where you can configure a set of parameters,
such as whether to authenticate users at login, whether to redirect the requests to another device, and the
user privilege level after login. When the user logs in through a user interface, the parameters set for the
user interface apply.
The system supports the following CLI configuration methods:
• Local configuration via the console port
• Local/Remote configuration through Telnet or SSH
The methods correspond to the following user interfaces.
• AUX user interface: Used to manage and monitor users that log in via the Console port. The type of the Console port is EIA/TIA-232 DCE.
• VTY (virtual type terminal) user interface: Used to manage and monitor users that log in via VTY. A VTY port is used for Telnet or SSH access.
Users and user interfaces
Only one user can use a user interface at a time. The configuration made in a user interface view applies
to any login user. For example, if user A uses the console port to log in, the configuration in the AUX user
interface view applies to user A; if user A logs in through VTY 1, the configuration in VTY 1 user interface
view applies to user A.
A device can be equipped with one AUX user interface and 16 VTY user interfaces. These user interfaces
are not associated with specific users. When a user initiates a connection request, the system
automatically assigns the idle user interface with the smallest number to the user based on the login
method. During the login, the configuration in the user interface view takes effect. The user interface
varies depending on the login method and the login time.
Numbering user interfaces
User interfaces can be numbered by using absolute numbering or relative numbering.
Absolute numbering
Absolute numbering identifies a user interface or a group of different types of user interfaces. The specified user interfaces are numbered from number 0 with a step of 1 and in the sequence of AUX and VTY user interfaces. You can use the display user-interface command without any parameters to view supported user interfaces and their absolute numbers.
Relative numbering
Relative numbering allows you to specify a user interface or a group of user interfaces of a specific type.
The number format is “user interface type + number”. The following rules of relative numbering apply:
• AUX user interfaces are numbered from 0 in the ascending order, with a step of 1.
• VTY user interfaces are numbered from 0 in the ascending order, with a step of 1.
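As an added example (not code from the HP guide or the switch), the Python below converts between the absolute and relative numbering just described, using the counts stated earlier in this chapter (one AUX and 16 VTY user interfaces, AUX first), and models the assignment rule from "Users and user interfaces": a new login takes the idle interface of the matching type with the smallest number, and only one user occupies an interface at a time. UserInterfacePool and the function names are invented for illustration.

```python
"""Absolute/relative user interface numbering and smallest-idle assignment.
Added example; counts follow the guide, the names are invented."""

COUNTS = {"aux": 1, "vty": 16}   # one AUX and 16 VTY user interfaces
ORDER = ("aux", "vty")           # absolute numbering runs AUX first, then VTY


def absolute_number(kind, relative):
    """Relative 'aux N' / 'vty N' -> absolute number."""
    if kind not in COUNTS or not 0 <= relative < COUNTS[kind]:
        raise ValueError("no such user interface: %s %s" % (kind, relative))
    offset = 0
    for k in ORDER:
        if k == kind:
            return offset + relative
        offset += COUNTS[k]
    raise ValueError("unknown user interface type: " + kind)


def relative_number(absolute):
    """Absolute number -> (kind, relative)."""
    offset = 0
    for k in ORDER:
        if offset <= absolute < offset + COUNTS[k]:
            return k, absolute - offset
        offset += COUNTS[k]
    raise ValueError("no such user interface: %d" % absolute)


class UserInterfacePool:
    """Tracks which user interfaces are occupied; one user per interface."""

    def __init__(self):
        self.in_use = {}   # absolute number -> username

    def login(self, method, username):
        """Assign the idle interface with the smallest number for the login method.
        Console logins use AUX; Telnet and SSH logins use VTY. Returns None if
        every interface of that type is busy."""
        kind = "aux" if method == "console" else "vty"
        for rel in range(COUNTS[kind]):
            num = absolute_number(kind, rel)
            if num not in self.in_use:
                self.in_use[num] = username
                return kind, rel
        return None

    def logout(self, kind, rel):
        self.in_use.pop(absolute_number(kind, rel), None)

    def occupied(self):
        """Absolute numbers in use, as 'display user-interface' would list them."""
        return sorted(self.in_use)


if __name__ == "__main__":
    pool = UserInterfacePool()
    print(pool.login("telnet", "alice"))   # ('vty', 0)
    print(pool.login("ssh", "bob"))        # ('vty', 1)
    print(pool.occupied())                 # [1, 2]
```

Because the interface a session lands on depends on what is idle at login time, per-interface settings such as authentication-mode and user privilege level should be configured identically across the whole VTY range (user-interface vty 0 15), as the configuration examples earlier in this chapter do.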
CLI login
Overview
The CLI enables you to interact with a device by typing text commands. At the CLI, you can instruct your
device to perform a given task by typing a text command and then pressing Enter to submit it to your
device. Compared with a GUI, where you can use a mouse to perform configuration, the CLI allows you
to input more information in one command line.
You can log in to the device at the CLI through the console port, Telnet, SSH, or modem.
• By default, you can log in to a device through the console port without any authentication, which introduces security problems.
• By default, you cannot log in to a device through Telnet or SSH, so you cannot remotely manage and maintain the device.
Therefore, you need to perform configurations to increase device security and manageability.
Logging in through the console port
Introduction
Logging in through the console port is the most common login method, and is also the first step to
configure other login methods.
After logging in to the device through the console port, you can configure other login methods. By default,
you can log in to a device only through its console port.
Configuration requirements
The following table shows the configuration requirements for console port login.
Object: Device
Requirements: No configuration requirement
Object: Terminal
Requirements: Run the hyper terminal program. Configure the hyper terminal attributes.
The port properties of the hyper terminal must be the same as the default settings of the console port shown in the following table.
Setting: Bits per second
Default: 9,600 bps
Setting: Flow control
Default: None
Setting: Parity
Default: None
Setting: Stop bits
Default: 1
Setting: Data bits
Default: 8
Login procedure
Step1 Use the console cable shipped with the device to connect the PC and the device. Plug the DB-9 connector
of the console cable into the serial port of the PC, and plug the RJ-45 connector into the console port of
your device.
Figure 4 Connect the device and PC through a console cable
WARNING!
Identify interfaces to avoid connection errors.
NOTE:
The serial port of a PC does not support hot-swap, so do not plug or unplug the console cable into or from
the PC when your device is powered on. To connect the PC to the device, first plug the DB-9 connector of
the console cable into the PC, and then plug the RJ-45 connector of the console cable into your device. To
disconnect the PC from the device, first unplug the RJ-45 connector and then the DB-9 connector.
Step 2 Launch a terminal emulation program (such as HyperTerminal in Windows XP/Windows 2000). The
following takes Windows XP’s HyperTerminal as an example. Select a serial port to be connected to the
device, and set terminal parameters as follows: set Bits per second to 9600, Data bits to 8, Parity to
NOTE:
On Windows 2003 Server operating system, you need to add the HyperTerminal program first, and then
log in to and manage the device as described in this document. On Windows 2008 Server, Windows 7,
Windows Vista, or some other operating system, you need to obtain a third party terminal control
program first, and follow the user guide or online help of that program to log in to the device.
Figure 7 Set the properties of the serial port
Step 3 Turn on the device. You are prompted to press Enter if the device successfully completes the power-on self
Figure 8 Configuration page
Step 4 Execute commands to configure the device or check the running status of the device. To get help, type ?.
Console login authentication modes
The following authentication modes are available for console port login: none, password, and scheme.
• none—Requires no username and password at the next login through the console port. This mode is insecure.
• password—Requires password authentication at the next login through the console port. Keep your password.
• scheme—Requires username and password authentication at the next login through the console port. Authentication falls into local authentication and remote authentication. To use local authentication, configure a local user and related parameters. To use remote authentication, configure the username and password on the remote authentication server. For more information about authentication modes and parameters, see the Security Configuration Guide.
The following table lists console port login configurations for different authentication modes:
Authentication mode | Configuration | Remarks
None | Configure not to authenticate users | For more information, see “Configuring none authentication for console login.”
Password | Configure to authenticate users by using the local password; set the local password | For more information, see “Configuring password authentication for console login.”
Scheme | Configure the authentication scheme, then select an authentication scheme. Local authentication: configure the AAA scheme used by the domain as local, and configure the authentication username and password. Remote AAA authentication: configure a RADIUS/HWTACACS scheme, configure the AAA scheme used by the domain, and configure the username and password on the AAA server | For more information, see “Configuring scheme authentication for console login.”
NOTE:
A newly configured authentication mode does not take effect unless you exit and enter the CLI again.
Configuring none authentication for console login
Configuration prerequisites
You have logged in to the device.
By default, you can log in to the device through the console port without authentication and have user
privilege level 3 after login. For information about logging in to the device with the default configuration,
Configuration procedure
Follow these steps to configure none authentication for console login:
1. Enter system view
   Command: system-view
   Remarks: —
2. Enter AUX user interface view
   Command: user-interface aux first-number [ last-number ]
   Remarks: —
3. Specify the none authentication mode
   Command: authentication-mode none
   Remarks: Required. By default, you can log in to the device through the console port without authentication, and have user privilege level 3 after login.
4. Configure common settings for AUX user interface view
   Command: —
   Remarks: Optional
After the configuration, the next time you log in to the device through the console port, you are prompted
Figure 9 Configuration page
Configuring password authentication for console login
Configuration prerequisites
You have logged in to the device.
By default, you can log in to the device through the console port without authentication and have user
privilege level 3 after login. For information about logging in to the device with the default configuration,
Configuration procedure
Follow these steps to configure password authentication for console login:
1. Enter system view
   Command: system-view
   Remarks: —
2. Enter AUX user interface view
   Command: user-interface aux first-number [ last-number ]
   Remarks: —
3. Configure the authentication mode as local password authentication
   Command: authentication-mode password
   Remarks: Required. By default, you can log in to the device through the console port without authentication and have user privilege level 3 after login.
4. Set the local password
   Command: set authentication password { cipher | simple } password
   Remarks: Required. By default, no local password is set.
5. Configure common settings for AUX user interface view
   Command: —
   Remarks: Optional
When you log in to the device through the console port after configuration, you are prompted to enter a
login password. A prompt such as <HP> appears after you input the password and press Enter, as shown
Figure 10 Configuration page
Configuring scheme authentication for console login
Configuration prerequisites
You have logged in to the device.
By default, you can log in to the device through the console port without authentication and have user
privilege level 3 after login. For information about logging in to the device with the default configuration,
Configuration procedure
Follow these steps to configure scheme authentication for console login:
1. Enter system view
   Command: system-view
   Remarks: —
2. Enter AUX user interface view
   Command: user-interface aux first-number [ last-number ]
   Remarks: —
3. Specify the scheme authentication mode
   Command: authentication-mode scheme
   Remarks: Required. Whether local, RADIUS, or HWTACACS authentication is adopted depends on the configured AAA scheme. By default, users that log in through the console port are not authenticated.
4. Enable command authorization
   Command: command authorization
   Remarks: Optional.
   • By default, command authorization is not enabled.
   • By default, the command level depends on the user privilege level. A user is authorized a command level not higher than the user privilege level. With command authorization enabled, the command level for a login user is determined by both the user privilege level and AAA authorization. If a user executes a command of the corresponding command level, the authorization server checks whether the command is authorized. If yes, the command can be executed.
   • Before enabling command authorization, configure the AAA authorization server. After you enable command authorization, only commands authorized by the AAA authorization server can be executed.
5. Enable command accounting
   Command: command accounting
   Remarks: Optional.
   • By default, command accounting is disabled. The accounting server does not record the commands executed by users.
   • Command accounting allows the HWTACACS server to record all the commands executed by users, regardless of command execution results. This helps control and monitor user operations on the device. If command accounting is enabled and command authorization is not enabled, every executed command is recorded on the HWTACACS server. If both command accounting and command authorization are enabled, only the authorized and executed commands are recorded on the HWTACACS server.
   • Configure the AAA accounting server before enabling command accounting.
6. Return to system view
   Command: quit
   Remarks: —
7. Configure the authentication mode (optional):
   a. Enter the ISP domain view
      Command: domain domain-name
   b. Apply the specified AAA scheme to the domain
      Command: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
      Remarks: By default, the AAA scheme is local. If you specify the local AAA scheme, you need to perform local user configuration. If you specify an existing scheme by providing the radius-scheme-name argument, perform the following configuration as well:
      • For RADIUS and HWTACACS configuration, see the Security Configuration Guide.
      • Configure the username and password on the AAA server. (For more information about AAA, see the Security Configuration Guide.)
   c. Exit to system view
      Command: quit
8. Create a local user and enter local user view
   Command: local-user user-name
   Remarks: Required. By default, no local user exists.
9. Set the authentication password for the local user
   Command: password { cipher | simple } password
   Remarks: Required
10. Specify the command level of the local user
   Command: authorization-attribute level level
   Remarks: Optional. By default, the command level is 0.
11. Specify the service type for the local user
   Command: service-type terminal
   Remarks: Required. By default, no service type is specified.
12. Configure common settings for AUX user interface view
   Command: —
   Remarks: Optional
After you enable command authorization, you need to perform the following configuration to make the function take effect:
• Create a HWTACACS scheme, and specify the IP address of the authorization server and other authorization parameters. For more information about AAA, see the Security Configuration Guide.
• Reference the created HWTACACS scheme in the ISP domain. For more information about AAA, see the Security Configuration Guide.
After you enable command accounting, you need to perform the following configuration to make the function take effect:
• Create a HWTACACS scheme, and specify the IP address of the accounting server and other accounting parameters. For more information about AAA, see the Security Configuration Guide.
• Reference the created HWTACACS scheme in the ISP domain. For more information about AAA, see the Security Configuration Guide.
When users adopt the scheme mode to log in to the device, the level of the commands that the users can access depends on the user privilege level defined in the AAA scheme.
• When the AAA scheme is local, the user privilege level is defined by the authorization-attribute level level command.
• When the AAA scheme is RADIUS or HWTACACS, the user privilege level is configured on the RADIUS or HWTACACS server.
• For more information about AAA, RADIUS, and HWTACACS, see the Security Configuration Guide.
When you log in to the device through the console port after the configuration, you are prompted to enter
a login username and password. A prompt such as <HP> appears after you input the password and
Figure 11 Configuration page
Configuring common settings for console login (optional)
Follow these steps to configure common settings for console port login:
1. Enter system view
   Command: system-view
   Remarks: —
2. Enable display of copyright information
   Command: copyright-info enable
   Remarks: Optional. Enabled by default.
3. Enter AUX user interface view
   Command: user-interface aux first-number [ last-number ]
   Remarks: —
4. Configure AUX user interface view properties (optional):
   a. Configure the baud rate
      Command: speed speed-value
      Remarks: By default, the transmission rate is 9600 bps. The transmission rate is the number of bits that the device transmits to the terminal per second.
   b. Configure the parity check mode
      Command: parity { even | none | odd }
      Remarks: none by default.
   c. Configure the stop bits
      Command: stopbits { 1 | 1.5 | 2 }
      Remarks: By default, the console port uses 1 stop bit. Stop bits are the last bits transmitted in data transmission to unequivocally indicate the end of a character. The more stop bits are used, the slower the transmission is.
   d. Configure the data bits
      Command: databits { 5 | 6 | 7 | 8 }
      Remarks: By default, the console port uses 8 data bits. Data bits are the number of bits representing one character. The setting depends on the contents to be transmitted. For example, you can set it to 7 if standard ASCII characters are to be sent, and set it to 8 if extended ASCII characters are to be sent.
5. Define a shortcut key for enabling a terminal session
   Command: activation-key character
   Remarks: Optional. By default, you can press Enter to enable a terminal session.
6. Define a shortcut key for terminating tasks
   Command: escape-key { default | character }
   Remarks: Optional. By default, you can press Ctrl+C to terminate a task.
7. Configure the flow control mode
   Command: flow-control { hardware | none | software }
   Remarks: Optional. By default, the value is none.
8. Configure the type of terminal display
   Command: terminal type { ansi | vt100 }
   Remarks: Optional. By default, the terminal display type is ANSI. The device supports two types of terminal display: ANSI and VT100. HP recommends that you set the display type of both the device and the client to VT100. If the device and the client use different display types (for example, hyper terminal or Telnet terminal) or both are set to ANSI, when the total number of characters of the edited command line exceeds 80, an anomaly such as cursor corruption or abnormal display of the terminal display may occur on the client.
9. Configure the user privilege level for login users
   Command: user privilege level level
   Remarks: Optional. By default, the default command level is 3 for the AUX user interface.
10. Set the maximum number of lines on the next screen
   Command: screen-length screen-length
   Remarks: Optional. By default, the next screen displays 24 lines. A value of 0 disables the function.
11. Set the size of the history command buffer
   Command: history-command max-size value
   Remarks: Optional. By default, the buffer saves 10 history commands at most.
12. Set the idle-timeout timer
   Command: idle-timeout minutes [ seconds ]
   Remarks: Optional. The default idle-timeout is 10 minutes. The system automatically terminates the user’s connection if no information interaction occurs between the device and the user within the idle-timeout time. Setting idle-timeout to 0 disables the timer.
CAUTION:
The common settings configured for console login take effect immediately. If you configure the common
settings after you log in through the console port, the current connection may be interrupted, so you must
use another login method. After you configure common settings for console login, you need to modify the
settings on the terminal to make them consistent with those on the device.
Logging in through Telnet
Introduction
The device supports Telnet. You can Telnet to the device to remotely manage and maintain it, as shown
Figure 12 Telnet login
The following table shows the configuration requirements of Telnet login.
Object | Requirements
Telnet server | Configure the IP address of the VLAN interface, and make sure the Telnet server and client can reach each other. Configure the authentication mode and other settings.
Telnet client | Run the Telnet client program. Obtain the IP address of the VLAN interface on the server.
By default, the device is enabled with the Telnet server and client functions.
• On a device that serves as the Telnet client, you can log in to a Telnet server to perform operations on the server.
• On a device that serves as the Telnet server, you can configure the authentication mode and user privilege level for Telnet users. By default, you cannot log in to the device through Telnet. Before you can Telnet to the device, you need to log in to the device through the console port, enable Telnet server, and configure the authentication mode, user privilege level, and common settings.
Telnet login authentication modes
Three authentication modes are available for Telnet login: none, password, and scheme.
• none—Requires no username and password at the next login through Telnet. This mode is insecure.
• password—Requires password authentication at the next login through Telnet. Keep your password. If you lose your password, log in to the device through the console port to view or modify the password.
• scheme—Requires username and password authentication at the next login through Telnet. Authentication falls into local authentication and remote authentication. To use local authentication, configure a local user and related parameters. To use remote authentication, configure the username and password on the remote authentication server. For more information about authentication modes and parameters, see the Security Configuration Guide. Keep your username and password. If you lose your local authentication password, log in to the device through the console port to view or modify the password. If you lose your remote authentication password, contact the administrator.
The following table lists Telnet login configurations for different authentication modes.
Authentication mode | Configuration | Remarks
None | Configure not to authenticate users | For more information, see “Configuring none authentication for Telnet login.”
Password | Configure to authenticate users by using the local password; set the local password | For more information, see “Configuring password authentication for Telnet login.”
Scheme | Configure the authentication scheme, then select an authentication scheme. Local authentication: configure the AAA scheme used by the domain as local, and configure the authentication username and password. Remote AAA authentication: configure a RADIUS/HWTACACS scheme, configure the AAA scheme used by the domain, and configure the username and password on the AAA server | For more information, see “Configuring scheme authentication for Telnet login.”
Configuring none authentication for Telnet login
Configuration prerequisites
You have logged in to the device.
By default, you can log in to the device through the console port without authentication and have user
privilege level 3 after login. For information about logging in to the device with the default configuration,
Configuration procedure
Follow these steps to configure none authentication for Telnet login:
1. Enter system view
   Command: system-view
   Remarks: —
2. Enable Telnet
   Command: telnet server enable
   Remarks: Required. By default, the Telnet service is disabled.
3. Enter one or multiple VTY user interface views
   Command: user-interface vty first-number [ last-number ]
   Remarks: —
4. Specify the none authentication mode
   Command: authentication-mode none
   Remarks: Required. By default, the authentication mode for VTY user interfaces is password.
5. Configure the command level for login users on the current user interfaces
   Command: user privilege level level
   Remarks: Required. By default, the default command level is 0 for VTY user interfaces.
6. Configure common settings for VTY user interfaces
   Command: —
   Remarks: Optional
When you log in to the device through Telnet again:
• If “All user interfaces are used, please try later!” is displayed, it means the number of current login users exceeds the maximum. Please try later.
Figure 13 Configuration page
Configuring password authentication for Telnet login
Configuration prerequisites
You have logged in to the device.
By default, you can log in to the device through the console port without authentication and have user
privilege level 3 after login. For information about logging in to the device with the default configuration,
Configuration procedure
Follow these steps to configure password authentication for Telnet login:
1. Enter system view
   Command: system-view
   Remarks: —
2. Enable Telnet
   Command: telnet server enable
   Remarks: Required. By default, the Telnet service is disabled.
3. Enter one or multiple VTY user interface views
   Command: user-interface vty first-number [ last-number ]
   Remarks: —
4. Specify the password authentication mode
   Command: authentication-mode password
   Remarks: Required. By default, the authentication mode for VTY user interfaces is password.
5. Set the local password
   Command: set authentication password { cipher | simple } password
   Remarks: Required. By default, no local password is set.
6. Configure the user privilege level for login users
   Command: user privilege level level
   Remarks: Required. 0 by default.
7. Configure common settings for VTY user interfaces
   Command: See “Configuring common settings for VTY user interfaces (optional).”
   Remarks: Optional
When you log in to the device through Telnet again:
• You are required to enter the login password. A prompt such as <HP> appears after you enter the
• If “All user interfaces are used, please try later!” is displayed, it means the number of concurrent login users exceeds the maximum. Please try later.
Figure 14 Configuration page
Configuring scheme authentication for Telnet login
Configuration prerequisites
You have logged in to the device.
By default, you can log in to the device through the console port without authentication and have user
privilege level 3 after login. For information about logging in to the device with the default configuration,
Configuration procedure
Follow these steps to configure scheme authentication for Telnet login:
1. Enter system view
   Command: system-view
   Remarks: —
2. Enable Telnet
   Command: telnet server enable
   Remarks: Required. By default, the Telnet service is disabled.
3. Enter one or multiple VTY user interface views
   Command: user-interface vty first-number [ last-number ]
   Remarks: —
4. Specify the scheme authentication mode
   Command: authentication-mode scheme
   Remarks: Required. Whether local, RADIUS, or HWTACACS authentication is adopted depends on the configured AAA scheme. By default, local authentication is adopted.
5. Enable command authorization
   Command: command authorization
   Remarks: Optional.
   • By default, command authorization is not enabled.
   • By default, the command level depends on the user privilege level. A user is authorized a command level not higher than the user privilege level. With command authorization enabled, the command level for a login user is determined by both the user privilege level and AAA authorization. If a user executes a command of the corresponding command level, the authorization server checks whether the command is authorized. If yes, the command can be executed.
   • Before enabling command authorization, configure the AAA authorization server. After you enable command authorization, only commands authorized by the AAA authorization server can be executed.
6. Enable command accounting
   Command: command accounting
   Remarks: Optional.
   • By default, command accounting is disabled. The accounting server does not record the commands executed by users.
   • Command accounting allows the HWTACACS server to record all executed commands that are supported by the device, regardless of the command execution result. This helps control and monitor user operations on the device. If command accounting is enabled and command authorization is not enabled, every executed command is recorded on the HWTACACS server. If both command accounting and command authorization are enabled, only the authorized and executed commands are recorded on the HWTACACS server.
   • Configure the AAA accounting server before enabling command accounting.
7. Exit to system view
   Command: quit
   Remarks: —
8. Configure the authentication mode (optional):
   a. Enter the default ISP domain view
      Command: domain domain-name
   b. Specify the AAA scheme to be applied to the domain
      Command: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
      Remarks: By default, the AAA scheme is local. If you specify the local AAA scheme, perform the configuration concerning the local user as well. If you specify an existing scheme by providing the radius-scheme-name argument, perform the following configuration as well:
      • For RADIUS and HWTACACS configuration, see the Security Configuration Guide.
      • Configure the username and password on the AAA server. (For more information, see the Security Configuration Guide.)
   c. Exit to system view
      Command: quit
9. Create a local user and enter local user view
   Command: local-user user-name
   Remarks: Required. By default, no local user exists.
10. Set the local password
   Command: password { cipher | simple } password
   Remarks: Required. By default, no local password is set.
11. Specify the command level of the local user
   Command: authorization-attribute level level
   Remarks: Optional. By default, the command level is 0.
12. Specify the service type for the local user
   Command: service-type telnet
   Remarks: Required. By default, no service type is specified.
13. Exit to system view
   Command: quit
   Remarks: —
14. Configure common settings for VTY user interfaces
   Command: —
   Remarks: Optional
After you enable command authorization, you need to perform the following configuration to make the function take effect:
• Create a HWTACACS scheme, and specify the IP address of the authorization server and other authorization parameters. For more information, see the Security Configuration Guide.
• Reference the created HWTACACS scheme in the ISP domain. For more information, see the Security Configuration Guide.
After you enable command accounting, you need to perform the following configuration to make the function take effect:
• Create a HWTACACS scheme, and specify the IP address of the accounting server and other accounting parameters. For more information, see the Security Configuration Guide.
• Reference the created HWTACACS scheme in the ISP domain. For more information, see the Security Configuration Guide.
When users adopt the scheme mode to log in to the device, the level of the commands that the users can access depends on the user privilege level defined in the AAA scheme.
• When the AAA scheme is local, the user privilege level is defined by the authorization-attribute level level command.
• When the AAA scheme is RADIUS or HWTACACS, the user privilege level is configured on the RADIUS or HWTACACS server.
For more information about AAA, RADIUS, and HWTACACS, see the Security Configuration Guide.
When you log in to the device through Telnet again:
• You are required to enter the login username and password. A prompt such as <HP> appears after you enter the correct username (for example, admin) and password and press Enter, as shown in
• After you enter the correct username and password, if the device prompts you to enter another password of the specified type, you will be authenticated for the second time. In other words, to pass authentication, you must enter a correct password as prompted.
• If “All user interfaces are used, please try later!” is displayed, it means the number of current login users exceeds the maximum. Please try later.
Figure 15 Configuration page
Configuring common settings for VTY user interfaces (optional)
Follow these steps to configure common settings for VTY user interfaces:
1. Enter system view
   Command: system-view
   Remarks: —
2. Enable display of copyright information
   Command: copyright-info enable
   Remarks: Optional. Enabled by default.
3. Enter one or multiple VTY user interface views
   Command: user-interface vty first-number [ last-number ]
   Remarks: —
4. User interface configuration (optional):
   a. Enable the terminal service
      Command: shell
      Remarks: Enabled by default.
   b. Enable the current user interface(s) to support either Telnet, SSH, or both of them
      Command: protocol inbound { all | ssh | telnet }
      Remarks: By default, both protocols are supported. The configuration takes effect next time you log in.
   c. Define a shortcut key for terminating tasks
      Command: escape-key { default | character }
      Remarks: By default, you can press Ctrl+C to terminate a task.
   d. Configure the type of terminal display
      Command: terminal type { ansi | vt100 }
      Remarks: By default, the terminal display type is ANSI.
   e. Set the maximum number of lines on the next screen
      Command: screen-length screen-length
      Remarks: By default, the next screen displays 24 lines. A value of 0 disables the function.
   f. Set the size of the history command buffer
      Command: history-command max-size value
      Remarks: By default, the buffer saves 10 history commands.
   g. Set the idle-timeout timer
      Command: idle-timeout minutes [ seconds ]
      Remarks: The default idle-timeout is 10 minutes for all user interfaces. The system automatically terminates the user’s connection if no information interaction occurs between the device and the user in the timeout time. Setting idle-timeout to 0 disables the timer.
   h. Specify a command to be automatically executed when a user logs in to the current user interface
      Command: auto-execute command command
      Remarks: By default, command auto-execution is disabled. The system automatically executes the specified command when a user logs in to the user interface, and tears down the user connection after the command is executed. If the command triggers another task, the system does not tear down the user connection until the task is completed. A Telnet command is usually specified to enable the user to automatically Telnet to the specified device.
CAUTION:
• The auto-execute command command may disable you from configuring the system through the user
interface to which the command is applied. Use it with caution.
• Before executing the auto-execute command command and saving the configuration (by using the save
command), make sure that you can access the device through VTY and AUX user interfaces so that you
can remove the configuration if a problem occurs.
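The console (AUX) and Telnet (VTY) login procedures above, together with the VTY common settings and the ssh server enable and protocol inbound ssh commands used later in this chapter, reduce to a handful of per-user-interface and local-user settings that can be checked in a saved configuration. The script below is an added example, not part of the HP guide: it parses a constructed Comware-style configuration fragment (the "#"-separated, indentation-based view layout is assumed) and flags the weak settings this chapter warns about, next to a hardened counterpart that passes clean.

```python
# Added example (not from the HP guide): audit this chapter's login settings in a Comware-style config.
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample showing the weak settings this chapter warns about.
SAMPLE_CONFIG = """\
 telnet server enable
#
local-user admin
 password simple hp123
 service-type telnet terminal
#
user-interface aux 0
 authentication-mode none
 idle-timeout 0 0
#
user-interface vty 0 4
 authentication-mode password
 user privilege level 3
 protocol inbound all
#
"""

# Constructed hardened counterpart (the ciphertext value is a placeholder).
HARDENED_CONFIG = """\
 ssh server enable
#
local-user admin
 password cipher <ciphertext-placeholder>
 service-type ssh terminal
#
user-interface aux 0
 authentication-mode scheme
#
user-interface vty 0 4
 authentication-mode scheme
 protocol inbound ssh
 idle-timeout 10 0
#
"""

@dataclass
class Block:
    header: str = ""  # "" for commands entered directly in system view
    commands: List[str] = field(default_factory=list)

    def value(self, prefix: str) -> str:
        """Text after the first command that starts with prefix, or "" if absent."""
        for c in self.commands:
            if c.startswith(prefix):
                return c[len(prefix):].strip()
        return ""


def parse_config(text: str) -> List[Block]:
    """Split the configuration into views: '#' separates views, indentation marks commands."""
    blocks, cur = [], Block()
    for raw in text.splitlines():
        if raw.startswith("#"):
            if cur.header or cur.commands:
                blocks.append(cur)
            cur = Block()
        elif raw.startswith(" "):
            cur.commands.append(raw.strip())
        elif raw.strip():
            cur.header = raw.strip()
    if cur.header or cur.commands:
        blocks.append(cur)
    return blocks


def audit_login_config(text: str) -> List[Tuple[str, str]]:
    """Return (code, detail) findings for console (AUX) and Telnet/SSH (VTY) login settings."""
    blocks = parse_config(text)
    system = [c for b in blocks if not b.header for c in b.commands]
    telnet_on = "telnet server enable" in system
    ssh_on = "ssh server enable" in system
    findings: List[Tuple[str, str]] = []
    for b in blocks:
        words = b.header.split()
        if words[:1] == ["user-interface"] and len(words) >= 3:
            kind = words[1]  # "aux" is the console port; "vty" serves Telnet and SSH
            # Chapter defaults: AUX is unauthenticated (level 3), VTY uses password mode (level 0).
            mode = b.value("authentication-mode") or ("none" if kind == "aux" else "password")
            if mode == "none":
                findings.append(("NO_AUTH", f"{b.header}: authentication-mode none"))
            if mode == "password" and not b.value("set authentication password"):
                findings.append(("NO_PASSWORD", f"{b.header}: password mode but no login password set"))
            if kind == "vty" and telnet_on and (b.value("protocol inbound") or "all") != "ssh":
                findings.append(("TELNET_ALLOWED", f"{b.header}: plaintext Telnet login accepted"))
            timeout = b.value("idle-timeout").split()
            if timeout and all(t == "0" for t in timeout):
                findings.append(("NO_IDLE_TIMEOUT", f"{b.header}: idle-timeout 0 disables the timer"))
        elif words[:1] == ["local-user"] and b.value("password simple"):
            findings.append(("PLAINTEXT_PASSWORD", f"{b.header}: password stored as simple, not cipher"))
    if telnet_on and not ssh_on:
        findings.append(("SSH_NOT_ENABLED", "Telnet server enabled but SSH server is not"))
    return findings
```

Run audit_login_config over the output of display current-configuration saved to a file; a clean result on HARDENED_CONFIG shows what the corrected settings look like.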
Configuring the device to log in to a Telnet server as a Telnet
client
Configuration prerequisites
You have logged in to the device.
By default, you can log in to the device through the console port without authentication and have user
privilege level 3 after login. For information about logging in to the device with the default configuration,
Figure 16 Log in to another device from the current device
NOTE:
If the Telnet client port and the Telnet server port that connect them are not in the same subnet, make sure
that the two devices can reach each other.
Configuration procedure
Follow the step below to configure the device to log in to a Telnet server as a Telnet client:
1. Configure the device to log in to a Telnet server as a Telnet client
   Command: telnet remote-host [ service-port ] [ source { interface interface-type interface-number | ip ip-address } ]
   or: telnet ipv6 remote-host [ -i interface-type interface-number ] [ port-number ]
   Remarks: Required. Use either command. Available in user view.
2. Specify the source IPv4 address or source interface for sending Telnet packets
   Command: telnet client source { interface interface-type interface-number | ip ip-address }
   Remarks: Optional. By default, no source IPv4 address or source interface is specified. The source IPv4 address is selected by routing.
Logging in through SSH
Introduction
Secure Shell (SSH) offers an approach to log into a remote device securely. By providing encryption and
strong authentication, it protects devices against attacks such as IP spoofing and plain text password
interception. The device supports SSH, and you can log in to the device through SSH to remotely manage
Figure 17 SSH login diagram
The following table shows the configuration requirements of SSH login.
Object | Requirements
SSH server | Configure the IP address of the VLAN interface, and make sure the SSH server and client can reach each other. Configure the authentication mode and other settings.
SSH client | Run the SSH client program. Obtain the IP address of the VLAN interface on the server.
By default, the device is enabled with the SSH server and client functions.
• On a device that serves as the SSH client, you can log in to an SSH server to perform operations on the server.
• On a device that serves as the SSH server, you can configure the authentication mode and user level for SSH users. By default, password authentication is adopted for SSH login, but no login password is configured, so you cannot log in to the device through SSH by default. Before you can log in to the device through SSH, you need to log in to the device through the console port and configure the authentication mode, user level, and common settings.
Configuring the SSH server
Configuration prerequisites
You have logged in to the device, and want to log in to the device through SSH in the future.
By default, you can log in to the device through the console port without authentication and have user
privilege level 3 after login. For information about logging in to the device with the default configuration,
Configuration procedure
Follow these steps to configure the device that serves as an SSH server:
1. Enter system view.
   Command: system-view
2. Create local key pair(s). (Required)
   Command: public-key local create { dsa | rsa }
   Remarks: By default, no local key pair(s) are created.
3. Enable SSH server. (Required)
   Command: ssh server enable
   Remarks: By default, SSH server is disabled.
4. Enter one or more VTY user interface views.
   Command: user-interface vty first-number [ last-number ]
5. Specify the scheme authentication mode. (Required)
   Command: authentication-mode scheme
   Remarks: By default, authentication mode for VTY user interfaces is password.
6. Enable the current user interface to support SSH. (Optional)
   Command: protocol inbound { all | ssh }
   Remarks: By default, Telnet and SSH are supported.
7. Enable command authorization. (Optional)
   Command: command authorization
   Remarks:
   • By default, command authorization is not enabled.
   • By default, command level for a login user depends on the user privilege level. The user is authorized the command with the default level not higher than the user privilege level. With the command authorization configured, the command level for a login user is determined by both the user privilege level and AAA authorization. If a user executes a command of the corresponding command level, the authorization server checks whether the command is authorized. If yes, the command can be executed.
8. Enable command accounting. (Optional)
   Command: command accounting
   Remarks:
   • By default, command accounting is disabled. The accounting server does not record the commands executed by users.
   • Command accounting allows the HWTACACS server to record all executed commands that are supported by the device, regardless of the command execution result. This helps control and monitor user operations on the device. If command accounting is enabled and command authorization is not enabled, every executed command is recorded on the HWTACACS server. If both command accounting and command authorization are enabled, only the authorized and executed commands are recorded on the HWTACACS server.
9. Exit to system view.
   Command: quit
10. Configure the authentication mode. (Optional)
   a. Enter the default ISP domain view. Command: domain domain-name
   b. Apply the specified AAA scheme to the domain. Command: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
   c. Exit to system view. Command: quit
   Remarks: By default, the AAA scheme is local. If you specify the local AAA scheme, perform the configuration concerning the local user as well. If you specify an existing scheme by providing the radius-scheme-name argument, perform the following configuration as well:
   • For RADIUS and HWTACACS configuration, see the Security Configuration Guide.
   • Configure the username and password on the AAA server. (For more information, see the Security Configuration Guide.)
11. Create a local user and enter local user view. (Required)
   Command: local-user user-name
   Remarks: By default, no local user exists.
12. Set the local password. (Required)
   Command: password { cipher | simple } password
   Remarks: By default, no local password is set.
13. Specify the command level of the local user. (Optional)
   Command: authorization-attribute level level
   Remarks: By default, the command level is 0.
14. Specify the service type for the local user. (Required)
   Command: service-type ssh
   Remarks: By default, no service type is specified.
15. Return to system view.
   Command: quit
16. Create an SSH user, and specify the authentication mode for the SSH user. (Required)
   Command: ssh user username service-type stelnet authentication-type { password | { any | password-publickey | publickey } assign publickey keyname }
   Remarks: By default, no SSH user exists, and no authentication mode is specified.
17. Configure common settings for VTY user interfaces. (Optional)
   Remarks: See “Configuring common settings for VTY user interfaces (optional).”
NOTE:
This chapter describes how to configure an SSH client by using password authentication. For more
information about SSH and how to configure an SSH client by using publickey, see the Security
Configuration Guide.
After you enable command authorization or command accounting, you need to perform the following configuration to make the function take effect:
• Create a HWTACACS scheme, and specify the IP address of the authorization server and other authorization parameters.
• Reference the created HWTACACS scheme in the ISP domain.
For more information, see the Security Configuration Guide.
When users adopt the scheme mode to log in to the device, the level of the commands that the users can access depends on the user privilege level defined in the AAA scheme.
• When the AAA scheme is local, the user privilege level is defined by the authorization-attribute level level command.
• When the AAA scheme is RADIUS or HWTACACS, the user privilege level is configured on the RADIUS or HWTACACS server.
• For more information about AAA, RADIUS, and HWTACACS, see the Security Configuration Guide.
Configuring the SSH client to log in to the SSH server
Configuration prerequisites
You have logged in to the device.
By default, you can log in to the device through the console port without authentication and have user
privilege level 3 after login. For information about logging in to the device with the default configuration,
see “Configuration requirements.”
Figure 18 Log in to another device from the current device
NOTE:
If the SSH client and the SSH server are not in the same subnet, make sure that the two devices can reach
each other.
Configuration procedure
Follow these steps to configure the SSH client to log in to the SSH server:
1. Log in to an IPv4 SSH server. (Required; available in user view)
   Command: ssh2 server
   Remarks: server is the IPv4 address or host name of the server.
2. Log in to an IPv6 SSH server. (Required; available in user view)
   Command: ssh2 ipv6 server
   Remarks: server is the IPv6 address or host name of the server.
NOTE:
You can configure other settings for the SSH client to work with the SSH server. For more information, see
the Security Configuration Guide.
Logging in through modems
Introduction
The administrator can use two modems to remotely maintain a switch through its Console port over the
Public Switched Telephone Network (PSTN) when the IP network connection is broken.
This section includes these topics:
• Configuration requirements
• Login procedure
• Modem login authentication modes
• Configuring none authentication for modem login
• Configuring password authentication for modem login
• Configuring scheme authentication for modem login
• Configuring common settings for modem login (optional)
Configuration requirements
By default, no authentication is needed when you log in through modems, and the default user privilege
level is 3.
To use this method, perform necessary configurations on both the device side and administrator side.
The following table shows the remote login configuration requirements through the console port by using
modem dial-in:
Object: Administrator side
Requirements:
• The PC is correctly connected to the modem.
• The modem is connected to a telephone cable that works properly.
• The telephone number of the remote modem connected to the console port of the remote switch is obtained.
Object: Device side
Requirements:
• The console port is correctly connected to the modem.
• The modem has been configured.
• The modem is connected to a telephone cable that works properly.
• Authentication configuration has been completed on the remote switch.
Login procedure
Step1 Set up a configuration environment as shown in Figure 19: connect the serial port of the PC and the
console port of the device to a modem respectively.
Figure 19 Set up a configuration terminal
Step2 Configuration on the administrator side
The PC and the modem are correctly connected, the modem is connected to a telephone cable, and the
telephone number of the remote modem connected to the console port of the remote switch is obtained.
NOTE:
Note the following device settings:
• The baud rate of the Console port is lower than the transmission rate of the modem. Otherwise, packets
may be lost.
• The parity check mode, stop bits, and data bits of the console port adopt the default settings.
Step3 Perform the following configurations on the modem that is directly connected to the device:
AT&F ----------------------- Restore the factory defaults
ATS0=1 ----------------------- Configure auto-answer on first ring
AT&D ----------------------- Ignore Data Terminal Ready signals
AT&K0 ----------------------- Disable local flow control
AT&R1 ----------------------- Ignore Data Flow Control signals
AT&S0 ----------------------- Force DSR to remain on
ATEQ1&W ----------------------- Disable the modem from responding to commands and save the configuration
To verify your configuration, enter AT&V to show the configuration results.
NOTE:
The configuration commands and the output for different modems may be different. For more information,
see your modem’s user guide.
Step4 Launch a terminal emulation utility (such as HyperTerminal in Windows XP/Windows 2000), and create
a new connection (the telephone number is the number of the modem connected to the device).
NOTE:
On Windows 2003 Server operating system, you need to add the HyperTerminal program first, and then
log in to and manage the device as described in this document. On Windows 2008 Server, Windows 7,
Windows Vista, or some other operating system, you need to obtain a third party terminal control
program first, and follow that program’s user guide or online help to log in to the device.
Step5 Dial the destination number on the PC to establish a connection with the device, as shown in Figure 20.
Step6 Character string CONNECT9600 is displayed on the terminal. Then a prompt appears when you press
Enter.
Figure 23 Configuration page
Step7 If the authentication mode is password, a prompt (for example, HP) appears when you type the
configured password on the remote terminal. Then you can configure or manage the router. To get help,
type ?.
Step8 Execute commands to configure the device or check the running status of the device. To get help, type ?.
NOTE:
• To terminate the connection between the PC and device, execute the ATH command on the terminal to terminate the connection between the PC and modem. If you cannot execute the command on the terminal, input AT+ + + and then press Enter. When you are prompted OK, execute the ATH command, and the connection is terminated if OK is displayed. You can also terminate the connection between the PC and device by clicking the disconnect button on the hyper terminal window.
• Do not close the hyper terminal directly. Otherwise, the remote modem may always be online, and you will fail to dial in the next time.
Modem login authentication modes
The following authentication modes are available for modem dial-in login: none, password, and scheme.
• none—Requires no username and password at the next login through modems. This mode is insecure.
• password—Requires password authentication at the next login through the console port. Keep your password.
• scheme—Requires username and password authentication at the next login through the console port. Authentication falls into local authentication and remote authentication. To use local authentication, configure a local user and related parameters. To use remote authentication, configure the username and password on the remote authentication server. For more information about authentication modes and parameters, see the Security Configuration Guide. Keep your username and password.
The following table lists modem login configurations for different authentication modes:
Authentication mode: None
Configuration: Configure not to authenticate users.
Remarks: For more information, see “Configuring none authentication for modem login.”
Authentication mode: Password
Configuration: Configure to authenticate users by using the local password; set the local password.
Remarks: For more information, see “Configuring password authentication for modem login.”
Authentication mode: Scheme
Configuration: Configure the authentication scheme, then select an authentication scheme:
• Local authentication: configure the authentication username and password; configure the AAA scheme used by the domain as local.
• Remote AAA authentication: configure a RADIUS/HWTACACS scheme; configure the AAA scheme used by the domain; configure the username and password on the AAA server.
Remarks: For more information, see “Configuring scheme authentication for modem login.”
NOTE:
Modem login authentication changes do not take effect until you exit the CLI and log in again.
Configuring none authentication for modem login
Configuration prerequisites
You have logged in to the device.
By default, you can log in to the device through the console port without authentication and have user
privilege level 3 after login. For information about logging in to the device with the default configuration,
Configuration procedure
Follow these steps to configure none authentication for modem login:
1. Enter system view.
   Command: system-view
2. Enter one or more AUX user interface views.
   Command: user-interface aux first-number [ last-number ]
3. Specify the none authentication mode. (Required)
   Command: authentication-mode none
   Remarks: By default, users that log in through the console port are not authenticated.
4. Configure common settings for VTY user interfaces. (Optional)
When you log in to the device through modems after the configuration, you are prompted to press Enter.
Figure 24 Configuration page
Configuring password authentication for modem login
Configuration prerequisites
You have logged in to the device.
By default, you can log in to the device through the console port without authentication and have user
privilege level 3 after login. For information about logging in to the device with the default configuration,
Configuration procedure
Follow these steps to configure password authentication for modem login:
1. Enter system view.
   Command: system-view
2. Enter one or more AUX user interface views.
   Command: user-interface aux first-number [ last-number ]
3. Specify the password authentication mode. (Required)
   Command: authentication-mode password
   Remarks: By default, the authentication mode is none for modem users.
4. Set the local password. (Required)
   Command: set authentication password { cipher | simple } password
   Remarks: By default, no local password is set.
5. Configure common settings for VTY user interfaces. (Optional)
   Remarks: For more information, see “Configuring common settings for modem login (optional).”
When you log in to the device through modems after the configuration, you are prompted to enter a login password. A prompt such as <HP> appears after you input the password and press Enter, as shown in Figure 25.
Figure 25 Configuration page
Configuring scheme authentication for modem login
Configuration prerequisites
You have logged in to the device.
By default, you can log in to the device through the console port without authentication and have user
privilege level 3 after login. For information about logging in to the device with the default configuration,
Configuration procedure
Follow these steps to configure scheme authentication for modem login:
1. Enter system view.
   Command: system-view
2. Enter AUX user interface view.
   Command: user-interface aux first-number [ last-number ]
3. Specify the scheme authentication mode. (Required)
   Command: authentication-mode scheme
   Remarks: By default, the authentication mode is none for modem users. Whether local, RADIUS, or HWTACACS authentication is adopted depends on the configured AAA scheme.
4. Enable command authorization. (Optional)
   Command: command authorization
   Remarks:
   • By default, command authorization is not enabled.
   • By default, command level for a login user depends on the user privilege level. The user is authorized the command with the default level not higher than the user privilege level. With the command authorization configured, the command level for a login user is determined by both the user privilege level and AAA authorization. If a user executes a command of the corresponding command level, the authorization server checks whether the command is authorized. If yes, the command can be executed.
   • Before enabling command authorization, configure the AAA authorization server. After you enable command authorization, only commands authorized by the AAA authorization server can be executed.
5. Enable command accounting. (Optional)
   Command: command accounting
   Remarks:
   • By default, command accounting is disabled. The accounting server does not record the commands executed by users.
   • Command accounting allows the HWTACACS server to record all executed commands that are supported by the device, regardless of the command execution result. This helps control and monitor user operations on the device. If command accounting is enabled and command authorization is not enabled, every executed command is recorded on the HWTACACS server. If both command accounting and command authorization are enabled, only the authorized and executed commands are recorded on the HWTACACS server.
   • Configure the AAA accounting server before enabling command accounting.
6. Exit to system view.
   Command: quit
7. Configure the authentication mode. (Optional)
   a. Enter the default ISP domain view. Command: domain domain-name
   b. Apply the specified AAA scheme to the domain. Command: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
   c. Return to system view. Command: quit
   Remarks: By default, the AAA scheme is local. If you specify the local AAA scheme, perform the configuration concerning the local user as well. If you specify an existing scheme by providing the radius-scheme-name argument, perform the following configuration as well:
   • For RADIUS and HWTACACS configuration, see the Security Configuration Guide.
   • Configure the username and password on the AAA server. (For more information, see the Security Configuration Guide.)
8. Create a local user and enter local user view. (Required)
   Command: local-user user-name
   Remarks: By default, no local user exists.
9. Set the authentication password for the local user. (Required)
   Command: password { cipher | simple } password
10. Specify the command level of the local user. (Optional)
   Command: authorization-attribute level level
   Remarks: By default, the command level is 0.
11. Specify the service type for the local user. (Required)
   Command: service-type terminal
   Remarks: By default, no service type is specified.
12. Configure common settings for VTY user interfaces. (Optional)
After you enable command authorization, you need to perform the following configuration to make the function take effect:
• Create a HWTACACS scheme, and specify the IP address of the authorization server and other authorization parameters. For more information, see the Security Configuration Guide.
• Reference the created HWTACACS scheme in the ISP domain. For more information, see the Security Configuration Guide.
After you enable command accounting, you need to perform the following configuration to make the function take effect:
• Create a HWTACACS scheme, and specify the IP address of the accounting server and other accounting parameters. For more information, see the Security Configuration Guide.
• Reference the created HWTACACS scheme in the ISP domain. For more information, see the Security Configuration Guide.
When users adopt the scheme mode to log in to the device, the level of the commands that the users can access depends on the user privilege level defined in the AAA scheme.
• When the AAA scheme is local, the user privilege level is defined by the authorization-attribute level level command.
• When the AAA scheme is RADIUS or HWTACACS, the user privilege level is configured on the RADIUS or HWTACACS server.
For more information about AAA, RADIUS, and HWTACACS, see the Security Configuration Guide.
When you log in to the device through modems after the configuration, you are prompted to enter a login username and password. A prompt such as <HP> appears after you input the password and username
Figure 26 Configuration page
Configuring common settings for modem login (optional)
Follow these steps to configure common settings for modem login:
1. Enter system view.
   Command: system-view
2. Enable display of copyright information. (Optional)
   Command: copyright-info enable
   Remarks: Enabled by default.
3. Enter one or more AUX user interface views.
   Command: user-interface aux first-number [ last-number ]
4. Configure AUX user interface properties. (Optional)
   a. Configure the baud rate. Command: speed speed-value
      Remarks: By default, the baud rate is 9600 bps. Transmission rate is the number of bits that the device transmits to the terminal per second.
   b. Configure the parity check mode. Command: parity { even | none | odd }
      Remarks: By default, the parity check mode is none, which means no check bit.
   c. Configure the stop bits. Command: stopbits { 1 | 1.5 | 2 }
      Remarks: By default, the stop bits of the console port is 1. Stop bits are the last bits transmitted in data transmission to unequivocally indicate the end of a character. The more the bits are, the slower the transmission is.
   d. Configure the data bits. Command: databits { 5 | 6 | 7 | 8 }
      Remarks: By default, the data bits is 8. Data bits is the number of bits representing one character. The setting depends on the contents to be transmitted. For example, you can set it to 7 if standard ASCII characters are to be sent, and set it to 8 if extended ASCII characters are to be sent.
5. Define a shortcut key for starting a session. (Optional)
   Command: activation-key character
   Remarks: By default, you can press Enter to start a session.
6. Define a shortcut key for terminating tasks. (Optional)
   Command: escape-key { default | character }
   Remarks: By default, you can press Ctrl+C to terminate a task.
7. Configure the flow control mode. (Optional)
   Command: flow-control { hardware | none | software }
   Remarks: By default, the value is none.
8. Configure the type of terminal display. (Optional)
   Command: terminal type { ansi | vt100 }
   Remarks: By default, the terminal display type is ANSI. The device supports two types of terminal display: ANSI and VT100. HP recommends that you set the display type of both the device and the client to VT100. If the device and the client use different display types (for example, hyper terminal or Telnet terminal) or both are set to ANSI, when the total number of characters of the edited command line exceeds 80, an anomaly such as cursor corruption or abnormal display of the terminal display may occur on the client.
9. Configure the user privilege level for login users. (Optional)
   Command: user privilege level level
   Remarks: 3 by default.
10. Set the maximum number of lines on the next screen. (Optional)
   Command: screen-length screen-length
   Remarks: By default, the next screen displays 24 lines at most. A value of 0 disables the function.
11. Set the size of the history command buffer. (Optional)
   Command: history-command max-size value
   Remarks: By default, the buffer saves 10 history commands at most.
12. Set the idle-timeout timer. (Optional)
   Command: idle-timeout minutes [ seconds ]
   Remarks: The default idle-timeout is 10 minutes. The system automatically terminates the user’s connection if no information interaction occurs between the device and the user within the idle-timeout time. Setting idle-timeout to 0 disables the timer.
CAUTION:
• The common settings configured for console login take effect immediately. If you configure the common
settings after you log in through the console port, the current connection may be interrupted. To avoid
this problem, use another login method. After you configure the common settings for console login, you
will need to modify the settings on the terminal to make them consistent with those on the device.
• The baud rate of the console port must be lower than the transmission rate of the modem. Otherwise,
packets may be lost.
Displaying and maintaining CLI login
1. Display the source IP address/interface specified for Telnet packets.
   Command: display telnet client configuration [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
2. Display information about the user interfaces that are being used.
   Command: display users [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
3. Display information about all user interfaces that the device supports.
   Command: display users all [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
4. Display user interface information.
   Command: display user-interface [ num1 | { aux | vty } num2 ] [ summary ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
5. Release a specified user interface.
   Command: free user-interface { num1 | { aux | vty } num2 }
   Remarks: Available in user view. Multiple users can log in to the system to simultaneously configure the device. In some circumstances, when the administrator wants to make configurations without interruption from the users that have logged in through other user interfaces, the administrator can execute the command to release the connections established on the specified user interfaces. You cannot use this command to release the connection that you are using.
6. Lock the current user interface.
   Command: lock
   Remarks: Available in user view. By default, the current user interface is not locked.
7. Send messages to the specified user interfaces.
   Command: send { all | num1 | { aux | vty } num2 }
   Remarks: Available in user view.
Web login
Web login overview
The device provides a built-in web server that enables you to log in to the web interface of the device from
a PC. Web login is disabled by default.
To enable web login, log in to the device via the console port, and perform the following configuration:
• Enable HTTP or HTTPS service
• Configure the IP address of the VLAN interface
• Configure a username and password
The device supports the following web login methods:
• HTTP login: The Hypertext Transfer Protocol (HTTP) is used for transferring web page information across the Internet. It is an application-layer protocol in the TCP/IP protocol suite. The connection-oriented Transmission Control Protocol (TCP) is adopted at the transport layer. The device supports HTTP 1.0.
• HTTPS login: The Secure HTTP (HTTPS) refers to the HTTP protocol that supports the Secure Sockets Layer (SSL) protocol. HTTPS uses SSL to encrypt the data exchanged between the HTTPS client and the server to ensure data security and integrity. You can define a certificate attribute-based access control policy to allow legal clients to access the device securely and to prohibit illegal clients.
The following table shows the configuration requirements of web login.
Object: Device
Requirements:
• Configure the IP address of the VLAN interface.
• Make sure the device and the PC can reach each other.
• Required to use one approach (HTTP or HTTPS).
Object: PC
Requirements:
• Install a web browser.
• Obtain the IP address of the VLAN interface of the device.
Configuring HTTP login
Follow these steps to configure HTTP login:
1. Enter system view.
   Command: system-view
2. Enable the HTTP service. (Required)
   Command: ip http enable
   Remarks: Enabled by default.
3. Configure the HTTP service port number. (Optional)
   Command: ip http port port-number
   Remarks: 80 by default. If you execute the command multiple times, the last one takes effect.
4. Associate the HTTP service with an ACL. (Optional)
   Command: ip http acl acl-number
   Remarks: By default, the HTTP service is not associated with any ACL. Associating the HTTP service with an ACL enables the device to allow only clients permitted by the ACL to access the device.
5. Create a local user and enter local user view. (Required)
   Command: local-user user-name
   Remarks: By default, no local user is configured.
6. Configure a password for the local user. (Required)
   Command: password { cipher | simple } password
   Remarks: By default, no password is configured for the local user.
7. Specify the command level of the local user. (Required)
   Command: authorization-attribute level level
   Remarks: No command level is configured for the local user.
8. Specify the Telnet service type for the local user. (Required)
   Command: service-type telnet
   Remarks: By default, no service type is configured for the local user.
9. Exit to system view.
   Command: quit
10. Create a VLAN interface and enter its view. (Required)
   Command: interface vlan-interface vlan-interface-id
   Remarks: If the VLAN interface already exists, the command enters its view.
11. Assign an IP address and subnet mask to the VLAN interface. (Required)
   Command: ip address ip-address { mask | mask-length }
   Remarks: By default, no IP address is assigned to the VLAN interface.
Configuring HTTPS login
Follow these steps to configure HTTPS login:
1. Enter system view.
   Command: system-view
2. Configure PKI and SSL related features. (Required)
   Remarks: By default, PKI and SSL are not configured.
   • For more information about PKI, see the Security Configuration Guide.
   • For more information about SSL, see the Security Configuration Guide.
3. Associate the HTTPS service with an SSL server policy. (Required)
   Command: ip https ssl-server-policy policy-name
   Remarks: By default, the HTTPS service is not associated with any SSL server policy.
   • If you disable the HTTPS service, the system automatically de-associates the HTTPS service from the SSL service policy. Before re-enabling the HTTPS service, associate the HTTPS service with an SSL server policy first.
   • Any changes to the SSL server policy associated with the HTTP service that is enabled do not take effect.
4. Enable the HTTPS service. (Required)
   Command: ip https enable
   Remarks: Disabled by default. Enabling the HTTPS service triggers an SSL handshake negotiation process. During the process, if the local certificate of the device exists, the SSL negotiation succeeds, and the HTTPS service can be started normally. If no local certificate exists, a certificate application process will be triggered by the SSL negotiation. Because the application process takes much time, the SSL negotiation often fails and the HTTPS service cannot be started normally. In that case, you need to execute the ip https enable command multiple times to start the HTTPS service.
5. Associate the HTTPS service with a certificate attribute-based access control policy. (Optional)
   Command: ip https certificate access-control-policy policy-name
   Remarks: By default, the HTTPS service is not associated with any certificate-based attribute access control policy.
   • Associating the HTTPS service with a certificate-based attribute access control policy enables the device to control the access rights of clients.
   • You must configure the client-verify enable command in the associated SSL server policy. If not, no clients can log in to the device.
   • The associated SSL server policy must contain at least one permit rule. Otherwise, no clients can log in to the device.
   • For more information about certificate attribute-based access control policies, see the Security Configuration Guide.
6. Configure the port number of the HTTPS service. (Optional)
   Command: ip https port port-number
   Remarks: 443 by default.
7. Associate the HTTPS service with an ACL. (Required)
   Command: ip https acl acl-number
   Remarks: By default, the HTTPS service is not associated with any ACL. Associating the HTTPS service with an ACL enables the device to allow only clients permitted by the ACL to access the device.
8. Create a local user and enter local user view. (Required)
   Command: local-user user-name
   Remarks: By default, no local user is configured.
9. Configure a password for the local user. (Required)
   Command: password { cipher | simple } password
   Remarks: By default, no password is configured for the local user.
10. Specify the command level of the local user. (Required)
   Command: authorization-attribute level level
   Remarks: By default, no command level is configured for the local user.
11. Specify the Telnet service type for the local user. (Required)
   Command: service-type telnet
   Remarks: By default, no service type is configured for the local user.
12. Exit to system view.
   Command: quit
13. Create a VLAN interface and enter its view. (Required)
   Command: interface vlan-interface vlan-interface-id
   Remarks: If the VLAN interface already exists, the command enters its view.
14. Assign an IP address and subnet mask to the VLAN interface. (Required)
   Command: ip address ip-address { mask | mask-length }
   Remarks: By default, no IP address is assigned to the VLAN interface.
Displaying and maintaining web login
• Display information about web users: display web users [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Display HTTP state information: display ip http [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Display HTTPS state information: display ip https [ | { begin | exclude | include } regular-expression ]. Available in any view.
Web login example
HTTP login example
Network requirements
As shown in Figure 27, the PC is connected to the device over an IP network. The IP address of the Device
is 192.168.20.66/24.
Figure 27 Network diagram for configuring HTTP login
Configuration procedure
1. Configuration on the device
# Log in to the device via the console port and configure the IP address of VLAN 1 of the device. VLAN 1 is the default VLAN.
<Sysname> system-view
[Sysname] interface vlan-interface 1
[Sysname-VLAN-interface1] ip address 192.168.20.66 255.255.255.0
[Sysname-VLAN-interface1] quit
# Create a local user named admin, and set the password to admin for the user. Specify the Telnet
service type for the local user, and set the command level to 3 for this user.
[Sysname] local-user admin
[Sysname-luser-admin] service-type telnet
[Sysname-luser-admin] authorization-attribute level 3
[Sysname-luser-admin] password simple admin
2. Configuration on the PC
# On the PC, run the web browser. Enter the IP address of the device, 192.168.20.66, in the address bar.
Figure 28 Web login page
# Type the user name, password, verify code, select English, and click Login. The homepage appears.
After login, you can configure device settings through the web interface.
HTTPS login example
Network requirements
As shown in Figure 29, to prevent unauthorized users from accessing the Device, configure HTTPS login as follows:
• Configure the Device as the HTTPS server, and request a certificate for it.
• The Host acts as the HTTPS client. Request a certificate for it.
In this example, Windows Server acts as the CA. Install the Simple Certificate Enrollment Protocol (SCEP) add-on on the CA. The name of the CA that issues certificates to the Device and Host is new-ca.
Before performing the following configuration, make sure that the Device, Host, and CA can reach each other.
Figure 29 Network diagram for configuring HTTPS login
Configuration procedure
1. Configure the device that acts as the HTTPS server
# Configure a PKI entity, configure the common name of the entity as http-server1, and the FQDN of the
entity as ssl.security.com.
<Device> system-view
[Device] pki entity en
[Device-pki-entity-en] common-name http-server1
[Device-pki-entity-en] fqdn ssl.security.com
[Device-pki-entity-en] quit
# Create a PKI domain, specify the trusted CA as new-ca, the URL of the server for certificate request as
http://10.1.2.2/certsrv/mscep/mscep.dll, authority for certificate request as RA, and the entity for
certificate request as en.
[Device] pki domain 1
[Device-pki-domain-1] ca identifier new-ca
[Device-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll
[Device-pki-domain-1] certificate request from ra
[Device-pki-domain-1] certificate request entity en
[Device-pki-domain-1] quit
# Create RSA local key pairs.
[Device] public-key local create rsa
# Retrieve the CA certificate from the certificate issuing server.
[Device] pki retrieval-certificate ca domain 1
# Request a local certificate from a CA through SCEP for the device.
[Device] pki request-certificate domain 1
# Create an SSL server policy myssl, specify PKI domain 1 for the SSL server policy, and enable
certificate-based SSL client authentication.
[Device] ssl server-policy myssl
[Device-ssl-server-policy-myssl] pki-domain 1
[Device-ssl-server-policy-myssl] client-verify enable
[Device-ssl-server-policy-myssl] quit
# Create a certificate attribute group mygroup1, and configure a certificate attribute rule, specifying that
the Distinguished Name (DN) in the issuer name includes the string new-ca.
[Device] pki certificate attribute-group mygroup1
[Device-pki-cert-attribute-group-mygroup1] attribute 1 issuer-name dn ctn new-ca
[Device-pki-cert-attribute-group-mygroup1] quit
# Create a certificate attribute-based access control policy myacp. Configure a certificate
attribute-based access control rule, specifying that a certificate is considered valid when it matches an
attribute rule in certificate attribute group mygroup1.
[Device] pki certificate access-control-policy myacp
[Device-pki-cert-acp-myacp] rule 1 permit mygroup1
[Device-pki-cert-acp-myacp] quit
# Associate the HTTPS service with SSL server policy myssl.
[Device] ip https ssl-server-policy myssl
# Associate the HTTPS service with certificate attribute-based access control policy myacp.
[Device] ip https certificate access-control-policy myacp
# Enable the HTTPS service.
[Device] ip https enable
# Create a local user named usera, set the password to 123 for the user, and specify the Telnet service
type for the local user.
[Device] local-user usera
[Device-luser-usera] password simple 123
[Device-luser-usera] service-type telnet
2. Configure the host that acts as the HTTPS client
On the host, run the IE browser. In the address bar, enter http://10.1.2.2/certsrv and request a certificate
for the host as prompted.
3. Verify the configuration
Enter https://10.1.1.1 in the address bar, and select the certificate issued by new-ca. Then the web login
page of the Device appears. On the login page, type the username usera, and password 123 to enter
the web management page.
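The attribute-group and access-control-policy logic used in this example, modelled in Python as an added illustration (not HP code): certificates are reduced to their subject and issuer DN strings, and the check also applies the two preconditions from the configuration table (client-verify enable must be set, and the policy needs a permit rule). The AND-within-group, first-match and implicit-deny behaviour are assumptions noted in the comments.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class AttributeRule:
    """One 'attribute <id> <subject-name|issuer-name> dn <ctn|nctn> <value>' line."""
    rule_id: int
    name: str       # "subject-name" or "issuer-name"
    operator: str   # "ctn" (DN contains value) or "nctn" (DN does not contain value)
    value: str

    def matches(self, cert: Dict[str, str]) -> bool:
        contains = self.value in cert[self.name]
        return contains if self.operator == "ctn" else not contains


@dataclass
class AttributeGroup:
    """'pki certificate attribute-group <name>' with its attribute rules."""
    name: str
    rules: List[AttributeRule] = field(default_factory=list)

    def matches(self, cert: Dict[str, str]) -> bool:
        # Assumption: a certificate matches a group only if it satisfies every
        # attribute rule in the group (logical AND); an empty group matches nothing.
        return bool(self.rules) and all(r.matches(cert) for r in self.rules)


@dataclass
class PolicyRule:
    """One 'rule <id> <permit|deny> <attribute-group>' line of an access control policy."""
    rule_id: int
    action: str     # "permit" or "deny"
    group: str


@dataclass
class AccessControlPolicy:
    """'pki certificate access-control-policy <name>' plus the groups it refers to."""
    name: str
    rules: List[PolicyRule]
    groups: Dict[str, AttributeGroup]

    def has_permit_rule(self) -> bool:
        return any(r.action == "permit" for r in self.rules)

    def evaluate(self, cert: Dict[str, str]) -> str:
        # Assumption: rules are checked in ascending rule-id order, the first rule
        # whose group matches decides, and a certificate matching no rule is denied.
        for rule in sorted(self.rules, key=lambda r: r.rule_id):
            group = self.groups.get(rule.group)
            if group is not None and group.matches(cert):
                return rule.action
        return "deny"


def https_login_allowed(policy: AccessControlPolicy, client_verify_enabled: bool,
                        cert: Dict[str, str]) -> bool:
    """Apply the two preconditions from the configuration table, then the policy."""
    if not client_verify_enabled:
        return False          # without client-verify enable, no client can log in
    if not policy.has_permit_rule():
        return False          # a policy without a permit rule admits nobody
    return policy.evaluate(cert) == "permit"


def build_example_policy() -> AccessControlPolicy:
    """The mygroup1 / myacp configuration from the HTTPS login example."""
    mygroup1 = AttributeGroup("mygroup1", [AttributeRule(1, "issuer-name", "ctn", "new-ca")])
    return AccessControlPolicy("myacp", [PolicyRule(1, "permit", "mygroup1")],
                               {"mygroup1": mygroup1})


# Constructed sample certificates, reduced to their subject and issuer DN strings.
CERT_FROM_NEW_CA = {"subject-name": "CN=host,O=security",
                    "issuer-name": "CN=new-ca,O=security"}
CERT_FROM_OTHER_CA = {"subject-name": "CN=host,O=security",
                      "issuer-name": "CN=other-ca,O=security"}

if __name__ == "__main__":
    policy = build_example_policy()
    for label, cert in (("new-ca", CERT_FROM_NEW_CA), ("other-ca", CERT_FROM_OTHER_CA)):
        print(label, https_login_allowed(policy, True, cert))
```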
NOTE:
• To log in to the web interface through HTTPS, enter the URL address starting with https://. To log in to
the web interface through HTTP, enter the URL address starting with http://.
• For more information about PKI configuration commands, see the Security Command Reference.
• For more information about the public-key local create rsa command, see the Security Command
Reference.
• For more information about SSL configuration commands, see the Security Command Reference.
NMS login
NMS login overview
An NMS runs the SNMP client software. It offers a user-friendly interface to facilitate network
management. An agent is a program that resides in the device. It receives and handles requests from the
NMS. An NMS is a manager in an SNMP enabled network, whereas agents are managed by the NMS.
The NMS and agents exchange information through the SNMP protocol. The device supports multiple
NMS programs, such as iMC and CAMS.
By default, you cannot log in to the device through NMS. To enable NMS login, log in to the device via
the console port and make the configuration changes described in the following table.
The configuration requirements of NMS login are as follows:
• Device: Configure the IP address of the VLAN interface, make sure the device and the NMS can reach each other, and configure SNMP settings.
• NMS: Configure the NMS. For more information, see your NMS manual.
Configuring NMS login
Connect the Ethernet port of the PC to an Ethernet port of VLAN 1 of the device, as shown in Figure 30.
Make sure the PC and VLAN 1 interface can reach each other.
Figure 30 Network diagram for configuring NMS login
Follow these steps to configure SNMPv3 settings:
1. Enter system view: system-view
2. Enable SNMP agent (optional): snmp-agent. Disabled by default. You can enable SNMP agent with this command or any command that begins with snmp-agent.
3. Configure an SNMP group and specify its access right (required): snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]. By default, no SNMP group is configured.
4. Add a user to the SNMP group (required): snmp-agent usm-user v3 user-name group-name [ [ cipher ] authentication-mode { md5 | sha } auth-password [ privacy-mode { 3des | aes128 | des56 } priv-password ] ] [ acl acl-number ]. If the cipher keyword is specified, both auth-password and priv-password are cipher text passwords.
Follow these steps to configure SNMPv1 and SNMPv2c settings:
1. Enter system view: system-view
2. Enable SNMP agent (optional): snmp-agent. Disabled by default. You can enable SNMP agent with this command or any command that begins with snmp-agent.
3. Create or update MIB view information (optional): snmp-agent mib-view { excluded | included } view-name oid-tree [ mask mask-value ]. By default, the MIB view name is ViewDefault and OID is 1.
4. Configure SNMP NMS access right (required). Use either approach:
• Directly, configure an SNMP community: snmp-agent community { read | write } community-name [ acl acl-number | mib-view view-name ]*. The direct configuration approach is for SNMPv1 or SNMPv2c. The community name configured on the NMS should be consistent with the username configured on the agent.
• Indirectly, configure an SNMP group: snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ], and then add a user to the SNMP group: snmp-agent usm-user { v1 | v2c } user-name group-name [ acl acl-number ]. The indirect configuration approach is for SNMPv3.
NOTE:
The device supports the following SNMP versions: SNMPv1, SNMPv2c and SNMPv3. For more
information about SNMP, see the Network Management and Monitoring Configuration Guide.
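An added Python model (not HP code) of the MIB view, community, group and user settings from the two tables above: it decides whether a community (direct approach) or a user via its group (indirect approach) may read or write a given OID, including the mask of snmp-agent mib-view. The view named test and its entries are constructed for the demonstration; the RFC 3415 family-mask rule, the default read view of a group and the longest-subtree tie-break are assumptions marked in the code.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

OID = Tuple[int, ...]


def parse_oid(text: str) -> OID:
    return tuple(int(part) for part in text.strip(".").split("."))


@dataclass
class ViewEntry:
    """One 'snmp-agent mib-view { included | excluded } <view> <oid-tree> [ mask <hex> ]' line."""
    included: bool
    subtree: OID
    mask_hex: str = ""   # "" means every sub-identifier of the subtree must match

    def covers(self, oid: OID) -> bool:
        if len(oid) < len(self.subtree):
            return False
        width = 4 * len(self.mask_hex)
        mask = int(self.mask_hex, 16) if self.mask_hex else 0
        for i, sub in enumerate(self.subtree):
            # Assumption (RFC 3415 family-mask semantics): a 1 bit means the sub-identifier
            # must match, a 0 bit is a wildcard, and bits beyond the mask count as 1.
            bit = (mask >> (width - 1 - i)) & 1 if i < width else 1
            if bit and oid[i] != sub:
                return False
        return True


def view_contains(entries: List[ViewEntry], oid: OID) -> bool:
    """The entry with the longest matching subtree decides; on equal length the later
    configured entry wins (assumption). An OID matching no entry is not in the view."""
    best: Optional[ViewEntry] = None
    for entry in entries:
        if entry.covers(oid) and (best is None or len(entry.subtree) >= len(best.subtree)):
            best = entry
    return best is not None and best.included


class SnmpAgent:
    """Community (direct) and group/user (indirect) access settings from the tables above."""

    def __init__(self) -> None:
        # By default, the MIB view name is ViewDefault and its OID tree is 1.
        self.views: Dict[str, List[ViewEntry]] = {"ViewDefault": [ViewEntry(True, (1,))]}
        self.communities: Dict[str, Tuple[str, str]] = {}   # name -> (read|write, view)
        self.groups: Dict[str, Tuple[Optional[str], Optional[str]]] = {}  # name -> (read, write)
        self.users: Dict[str, str] = {}                      # user-name -> group-name

    def mib_view(self, kind: str, view: str, oid_tree: str, mask: str = "") -> None:
        self.views.setdefault(view, []).append(ViewEntry(kind == "included", parse_oid(oid_tree), mask))

    def community(self, access: str, name: str, mib_view: str = "ViewDefault") -> None:
        self.communities[name] = (access, mib_view)

    def group(self, name: str, read_view: Optional[str] = "ViewDefault",
              write_view: Optional[str] = None) -> None:
        # Assumption: an unspecified read view is ViewDefault; there is no default write view.
        self.groups[name] = (read_view, write_view)

    def usm_user(self, user: str, group: str) -> None:
        self.users[user] = group

    def _view_allows(self, view: Optional[str], oid: str) -> bool:
        return view in self.views and view_contains(self.views[view], parse_oid(oid))

    def community_allows(self, name: str, op: str, oid: str) -> bool:
        """Direct approach: a write community may also read; a read community never writes."""
        if name not in self.communities:
            return False
        access, view = self.communities[name]
        if op == "write" and access != "write":
            return False
        return self._view_allows(view, oid)

    def user_allows(self, user: str, op: str, oid: str) -> bool:
        """Indirect approach: user -> group -> read-view or write-view."""
        if self.users.get(user) not in self.groups:
            return False
        read_view, write_view = self.groups[self.users[user]]
        return self._view_allows(read_view if op == "read" else write_view, oid)


def build_example_agent() -> SnmpAgent:
    """Constructed view 'test': mib-2 minus the ip group, and only the ifIndex 3 row of
    ifTable (mask FFA0 wildcards the column sub-identifier). Names follow the NMS examples."""
    agent = SnmpAgent()
    agent.mib_view("included", "test", "1.3.6.1.2.1")
    agent.mib_view("excluded", "test", "1.3.6.1.2.1.4")
    agent.mib_view("excluded", "test", "1.3.6.1.2.1.2.2.1")
    agent.mib_view("included", "test", "1.3.6.1.2.1.2.2.1.1.3", mask="FFA0")
    agent.community("read", "aaa", mib_view="test")
    agent.group("managev3group", read_view="test", write_view="test")
    agent.usm_user("managev3user", "managev3group")
    return agent
```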
NMS login example
In this example, iMC is used as the NMS.
1. Configuration on the device
# Assign an IP address to the device. Make sure the device and the NMS can reach each other. (Configuration steps are omitted.)
# Enter system view.
<Sysname> system-view
# Enable the SNMP agent.
[Sysname] snmp-agent
# Configure an SNMP group.
[Sysname] snmp-agent group v3 managev3group read-view test write-view test
# Add a user to the SNMP group.
[Sysname] snmp-agent usm-user v3 managev3user managev3group
2. Configuration on the NMS
On the PC, start the browser. In the address bar, enter http://192.168.20.107:8080/imc, where 192.168.20.107 is the IP address of the iMC.
Figure 31 iMC login page
Figure 32 iMC homepage
Log in to the iMC and configure SNMP settings for the iMC to find the device. After the device is found,
you can manage and maintain the device through the iMC. For example, you can query device
information or configure device parameters.
The SNMP settings on the iMC must be the same as those configured on the device. If not, the device
cannot be found or managed by the iMC. See the iMC manuals for more information.
Click Help in the upper right corner of each configuration page to get corresponding help information.
User login control
User login control methods
The device provides the following login control methods.
• Telnet: source IP-based login control (basic ACL), source and destination IP-based login control (advanced ACL), and source MAC-based login control (Ethernet frame header ACL).
• NMS: source IP-based login control (basic ACL).
• Web: source IP-based login control (basic ACL).
Configuring login control over Telnet users
Configuration preparation
Before configuration, determine the permitted or denied source IP addresses, source MAC addresses,
and destination IP addresses.
Configuring source IP-based login control over Telnet users
Because basic ACLs match the source IP addresses of packets, you can use basic ACLs to implement
source IP-based login control over Telnet users. Basic ACLs are numbered from 2000 to 2999. For more
information about ACL, see the ACL and QoS Configuration Guide.
Follow these steps to configure source IP-based login control over Telnet users:
1. Enter system view: system-view
2. Create a basic ACL and enter its view, or enter the view of an existing basic ACL (required): acl [ ipv6 ] number acl-number [ match-order { config | auto } ]. By default, no basic ACL exists.
3. Configure rules for this ACL (required): rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } | time-range time-name | fragment | logging ]*
4. Exit the basic ACL view: quit
5. Enter user interface view: user-interface [ type ] first-number [ last-number ]
6. Use the ACL to control user login by source IP address (required): acl [ ipv6 ] acl-number { inbound | outbound }. inbound: Filters incoming Telnet packets. outbound: Filters outgoing Telnet packets.
Configuring source and destination IP-based login control over Telnet users
Because advanced ACLs can match both source and destination IP addresses of packets, you can use
advanced ACLs to implement source and destination IP-based login control over Telnet users. Advanced
ACLs are numbered from 3000 to 3999. For more information about ACL, see the ACL and QoS
Configuration Guide.
Follow these steps to configure source and destination IP-based login control over Telnet users:
1. Enter system view: system-view
2. Create an advanced ACL and enter its view, or enter the view of an existing advanced ACL (required): acl [ ipv6 ] number acl-number [ match-order { config | auto } ]. By default, no advanced ACL exists.
3. Configure rules for the ACL (required): rule [ rule-id ] { permit | deny } rule-string
4. Exit advanced ACL view: quit
5. Enter user interface view: user-interface [ type ] first-number [ last-number ]
6. Use the ACL to control user login by source and destination IP addresses (required): acl [ ipv6 ] acl-number { inbound | outbound }. inbound: Filters incoming Telnet packets. outbound: Filters outgoing Telnet packets.
Configuring source MAC-based login control over Telnet users
Ethernet frame header ACLs can match the source MAC addresses of packets, so you can use Ethernet
frame header ACLs to implement source MAC-based login control over Telnet users. Ethernet frame
header ACLs are numbered from 4000 to 4999. For more information about ACL, see the ACL and QoS
Configuration Guide.
Follow these steps to configure source MAC-based login control over Telnet users:
1. Enter system view: system-view
2. Create an Ethernet frame header ACL and enter its view (required): acl number acl-number [ match-order { config | auto } ]. By default, no Ethernet frame header ACL exists.
3. Configure rules for the ACL (required): rule [ rule-id ] { permit | deny } rule-string
4. Exit the Ethernet frame header ACL view: quit
5. Enter user interface view: user-interface [ type ] first-number [ last-number ]
6. Use the ACL to control user login by source MAC address (required): acl acl-number inbound. inbound: Filters incoming Telnet packets.
NOTE:
The above configuration does not take effect if the Telnet client and server are not in the same subnet.
Source MAC-based login control configuration example
Network requirements
As shown in Figure 33, configure an ACL on the Device to permit only incoming Telnet packets sourced
from Host A and Host B.
Figure 33 Network diagram for configuring source MAC-based login control
Configuration procedure
# Configure basic ACL 2000, and configure rule 1 to permit packets sourced from Host B, and rule 2 to
permit packets sourced from Host A.
<Sysname> system-view
[Sysname] acl number 2000 match-order config
[Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[Sysname-acl-basic-2000] rule 2 permit source 10.110.100.46 0
[Sysname-acl-basic-2000] quit
# Reference ACL 2000 in user interface view to allow Telnet users from Host A and Host B to access the
Device.
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] acl 2000 inbound
Configuring source IP-based login control over NMS users
You can log in to the NMS to remotely manage the devices. SNMP is used for communication between
the NMS and the agent that resides in the device. By using the ACL, you can control SNMP user access
to the device.
Configuration preparation
Before configuration, determine the permitted or denied source IP addresses.
Configuring source IP-based login control over NMS users
Because basic ACLs match the source IP addresses of packets, you can use basic ACLs to implement
source IP-based login control over NMS users. Basic ACLs are numbered from 2000 to 2999. For more
information about ACL, see the ACL and QoS Configuration Guide.
Follow these steps to configure source IP-based login control over NMS users:
1. Enter system view: system-view
2. Create a basic ACL and enter its view, or enter the view of an existing basic ACL (required): acl [ ipv6 ] number acl-number [ match-order { config | auto } ]. By default, no basic ACL exists.
3. Create rules for this ACL (required): rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } | time-range time-name | fragment | logging ]*
4. Exit the basic ACL view: quit
5. Associate the ACL with the SNMP access settings (required). You can associate the ACL when creating the community, the SNMP group, and the user. For more information about SNMP, see the Network Management and Monitoring Configuration Guide.
• Associate this SNMP community with the ACL: snmp-agent community { read | write } community-name [ acl acl-number | mib-view view-name ]*
• Associate the SNMP group with the ACL: snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ], or snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]
• Associate the user with the ACL: snmp-agent usm-user { v1 | v2c } user-name group-name [ acl acl-number ], or snmp-agent usm-user v3 user-name group-name [ [ cipher ] authentication-mode { md5 | sha } auth-password [ privacy-mode { 3des | aes128 | des56 } priv-password ] ] [ acl acl-number ]
Source IP-based login control over NMS users configuration example
Network requirements
As shown in Figure 34, configure the device to allow only NMS users from Host A and Host B to access.
Figure 34 Network diagram for configuring source IP-based login control over NMS users
Configuration procedure
# Create ACL 2000, and configure rule 1 to permit packets sourced from Host B, and rule 2 to permit
packets sourced from Host A.
<Sysname> system-view
[Sysname] acl number 2000 match-order config
[Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[Sysname-acl-basic-2000] rule 2 permit source 10.110.100.46 0
[Sysname-acl-basic-2000] quit
# Associate the ACL with the SNMP community and the SNMP group.
[Sysname] snmp-agent community read aaa acl 2000
[Sysname] snmp-agent group v2c groupa acl 2000
[Sysname] snmp-agent usm-user v2c usera groupa acl 2000
Configuring source IP-based login control over web users
You can log in to the web management page of the device through HTTP/HTTPS to remotely manage the
devices. By using the ACL, you can control web user access to the device.
Configuration preparation
Before configuration, determine the permitted or denied source IP addresses.
Configuring source IP-based login control over web users
Because basic ACLs match the source IP addresses of packets, you can use basic ACLs to implement
source IP-based login control over web users. Basic ACLs are numbered from 2000 to 2999. For more
information about ACL, see the ACL and QoS Configuration Guide.
Follow these steps to configure source IP-based login control over web users:
1. Enter system view: system-view
2. Create a basic ACL and enter its view, or enter the view of an existing basic ACL (required): acl [ ipv6 ] number acl-number [ match-order { config | auto } ]. By default, no basic ACL exists.
3. Create rules for this ACL (required): rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } | time-range time-name | fragment | logging ]*
4. Exit the basic ACL view: quit
5. Associate the HTTP service with the ACL: ip http acl acl-number, or associate the HTTPS service with the ACL: ip https acl acl-number (required; use one of the two commands).
Logging off online web users
Follow the step to log off online web users:
• Log off online web users (required): free web-users { all | user-id user-id | user-name user-name }. Execute the command in user interface view.
Source IP-based login control over web users configuration example
Network requirements
Figure 35 Network diagram for configuring source IP-based login control
Configuration procedure
# Create ACL 2030, and configure rule 1 to permit packets sourced from Host B.
<Sysname> system-view
[Sysname] acl number 2030 match-order config
[Sysname-acl-basic-2030] rule 1 permit source 10.110.100.52 0
# Associate the ACL with the HTTP service so that only web users from Host B are allowed to access the
device.
[Sysname] ip http acl 2030
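Because the Telnet, NMS and web sections above all rely on the same kind of basic ACL, here is one added Python model (not HP code) of basic ACL matching: source/wildcard rules, the config versus auto match order, and the "permit only the listed hosts" outcome of the examples, applied the same way whether the ACL is referenced on a VTY, on an SNMP community or with ip http acl. The ascending-rule-ID meaning of config, the depth-first meaning of auto and the implicit deny for unmatched packets are assumptions, and ACL 2001 is constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _ipv4_int(text: str) -> int:
    # A wildcard may be written as a bare "0" for a single host, as in the examples.
    return int(text) if "." not in text else int(ipaddress.IPv4Address(text))


@dataclass
class Rule:
    """One 'rule <id> { permit | deny } [ source { addr wildcard | any } ]' line."""
    rule_id: int
    action: str
    source: Optional[Tuple[int, int]]   # (address, wildcard) as ints; None means 'any'

    def matches(self, src_ip: int) -> bool:
        if self.source is None:
            return True
        addr, wildcard = self.source
        care = ~wildcard & 0xFFFFFFFF     # a 1 bit in the wildcard means "don't care"
        return (src_ip & care) == (addr & care)

    def fixed_bits(self) -> int:
        """Specificity used by depth-first (auto) ordering: more fixed bits first."""
        return -1 if self.source is None else 32 - bin(self.source[1]).count("1")


class BasicAcl:
    """A basic ACL (2000-2999) as used for Telnet, NMS and web login control."""

    def __init__(self, number: int, match_order: str = "config") -> None:
        if not 2000 <= number <= 2999:
            raise ValueError("basic ACLs are numbered 2000 to 2999")
        self.number = number
        self.match_order = match_order
        self.rules: List[Rule] = []

    def rule(self, rule_id: int, action: str, source: str = "any") -> "BasicAcl":
        if source == "any":
            parsed = None
        else:
            addr, wildcard = source.split()
            parsed = (_ipv4_int(addr), _ipv4_int(wildcard))
        # Re-entering an existing rule ID replaces that rule.
        self.rules = [r for r in self.rules if r.rule_id != rule_id] + [Rule(rule_id, action, parsed)]
        return self

    def ordered_rules(self) -> List[Rule]:
        if self.match_order == "config":
            return sorted(self.rules, key=lambda r: r.rule_id)   # assumption: ascending rule ID
        # auto: depth-first, most specific source first, rule ID breaks ties (assumption)
        return sorted(self.rules, key=lambda r: (-r.fixed_bits(), r.rule_id))

    def evaluate(self, src_ip: str) -> str:
        ip = _ipv4_int(src_ip)
        for r in self.ordered_rules():
            if r.matches(ip):
                return r.action
        # The examples on this page permit only the hosts listed, so a packet that
        # matches no rule is treated as denied (assumption for this model).
        return "deny"


def login_permitted(acl: BasicAcl, src_ip: str) -> bool:
    """Same check whether the ACL is applied with 'acl ... inbound' on a VTY,
    'snmp-agent community ... acl' or 'ip http acl'."""
    return acl.evaluate(src_ip) == "permit"


def build_page_acl() -> BasicAcl:
    """ACL 2000 from the Telnet and NMS examples: permit Host B and Host A only."""
    return (BasicAcl(2000, "config")
            .rule(1, "permit", "10.110.100.52 0")
            .rule(2, "permit", "10.110.100.46 0"))


def build_order_demo(match_order: str) -> BasicAcl:
    """Constructed ACL whose result depends on match-order: rule 1 permits the whole
    10.110.100.0/24, rule 2 denies one host inside it."""
    return (BasicAcl(2001, match_order)
            .rule(1, "permit", "10.110.100.0 0.0.0.255")
            .rule(2, "deny", "10.110.100.52 0"))
```

With match-order config the broad permit in rule 1 is checked first and the host-specific deny never fires; with auto the more specific rule wins, which is the difference that matters when a deny is meant to carve a host out of a permitted range.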
FTP configuration
FTP overview
Introduction to FTP
The File Transfer Protocol (FTP) is an application layer protocol for sharing files between server and client
over a TCP/IP network.
FTP uses TCP ports 20 and 21 for file transfer. Port 20 is used to transmit data, and port 21 to transmit
control commands. For more information about FTP basic operations, see RFC 959.
FTP transfers files in the following modes:
• Binary mode: Transfers files as raw data, such as .app, .bin, and .btm files.
• ASCII mode: Transfers files as text, such as .txt, .bat, and .cfg files.
FTP operation
FTP adopts the client/server model. Your device can function either as the client or the server. See Figure 36.
• When the device serves as the FTP client, use Telnet or an emulation program to log in to the device from the PC, execute the ftp command to establish a connection from the device (FTP client) to the PC (FTP server), and then upload/download files to/from the server.
• When the device serves as the FTP server, run the FTP client program on the PC to establish a connection to the FTP server and upload/download files to/from the server.
Figure 36 Network diagram for FTP
When the device serves as the FTP client, you need to perform the following configuration:
Table 8 Configuration when the device serves as the FTP client
• Device (FTP client): Use the ftp command to establish the connection to the remote FTP server. If the remote FTP server supports anonymous FTP, the device can log in to it directly; if not, the device must obtain the FTP username and password first to log in to the remote FTP server.
• PC (FTP server): Enable FTP server on the PC, and configure the username, password, user privilege level, and so on.
When the device serves as the FTP server, you need to perform the following configuration:
Table 9 Configuration when the device serves as the FTP server
• Device (FTP server):
  • Enable the FTP server function. Disabled by default. You can use the display ftp-server command to view the FTP server configuration on the device.
  • Configure authentication and authorization: configure the username, password, and authorized directory for an FTP user. The device does not support anonymous FTP for security reasons. You must set a valid username and password. By default, authenticated users can access the root directory of the device.
  • Configure the FTP server operating parameters, such as the FTP connection timeout time.
• PC (FTP client): Use the FTP client program to log in to the FTP server. You can log in to the FTP server only after you input the correct FTP username and password.
CAUTION:
• Make sure that the FTP server and the FTP client can reach each other before establishing the FTP
connection.
• When you use IE to log in to the device serving as the FTP server, some FTP functions are not available.
This is because multiple connections are established during the login process but the device supports
only one connection at a time.
Configuring the FTP client
NOTE:
Only manage level users can use the ftp command to log in to an FTP server, enter FTP client view, and
execute directory and file related commands. However, whether the commands can be executed
successfully depends on the FTP server authorizations.
Establishing an FTP connection
Before you can access the FTP server, you must first establish a connection from the FTP client to the FTP
server. You can either use the ftp command to establish the connection directly or use the open command
in FTP client view to establish the connection.
When using the ftp command, you can specify the source interface (such as a loopback) or source IP
address. The primary IP address of the specified source interface or the specified source IP address is
used as the source IP address of sent FTP packets. The source address of the transmitted packets is
selected following these rules:
• If no source address is specified, the FTP client uses the interface’s IP address determined by the matched route as the source IP address to communicate with an FTP server.
• If the source address is specified with the ftp client source or ftp command, this source address is used to communicate with an FTP server.
• If you use the ftp client source command and the ftp command to specify a source address respectively, the source address specified with the ftp command is used to communicate with an FTP server.
• The source address specified with the ftp client source command is valid for all FTP connections and the source address specified with the ftp command is valid only for the current FTP connection.
Follow these steps to establish an IPv4 FTP connection:
1. Enter system view: system-view
2. Configure the source address of the FTP client (optional): ftp client source { interface interface-type interface-number | ip source-ip-address }. A switch uses the IP address of the interface determined by the matched route as the source IP address to communicate with the FTP server by default.
3. Exit to user view: quit
4. Log in to the remote FTP server. Use either approach; the ftp command is available in user view, and the open command is available in FTP client view.
• Directly in user view: ftp [ server-address [ service-port ] [ source { interface interface-type interface-number | ip source-ip-address } ] ]
• Indirectly in FTP client view: ftp, and then open server-address [ service-port ]
NOTE:
• If there is not a primary IP address configured on the specified source interface, you cannot establish an
FTP connection.
• If you use the ftp client source command to configure a source interface and then use it to configure a
source IP address, the source IP address overwrites the source interface, and vice versa.
Follow these steps to establish an IPv6 FTP connection. Use either approach; the ftp ipv6 command is available in user view, and the open ipv6 command is available in FTP client view.
• Log in to the remote FTP server directly in user view: ftp ipv6 [ server-address [ service-port ] [ source ipv6 source-ipv6-address ] [ -i interface-type interface-number ] ]
• Log in to the remote FTP server indirectly in FTP client view: ftp ipv6, and then open ipv6 server-address [ service-port ] [ -i interface-type interface-number ]
Operating the directories on an FTP server
After the switch serving as the FTP client has established a connection with an FTP server, you can create or delete folders under the authorized directory of the FTP server. For more information about establishing an FTP connection, see “Establishing an FTP connection.”
Follow these steps to operate the directories on an FTP server (each step is optional):
• Display detailed information about a directory or file on the remote FTP server: dir [ remotefile [ localfile ] ]
• Query a directory or file on the remote FTP server: ls [ remotefile [ localfile ] ]
• Change the working directory of the remote FTP server: cd { directory | .. | / }
• Exit the current working directory and return to an upper level directory of the remote FTP server: cdup
• Display the working directory that is being accessed: pwd
• Create a directory on the remote FTP server: mkdir directory
• Remove the specified working directory on the remote FTP server: rmdir directory
Operating the files on an FTP server
After the switch serving as the FTP client has established a connection with an FTP server, you can upload a file to or download a file from the FTP server under the authorized directory of the FTP server by following these steps. For information about establishing an FTP connection, see “Establishing an FTP connection.”
1. Use the dir or ls command to display the directory and the location of the file on the FTP server.
2. Delete useless files for effective use of the storage space.
3. Set the file transfer mode. FTP transmits files in two modes: ASCII and binary. ASCII mode transfers files as text. Binary mode transfers files as raw data.
4. Use the lcd command to display the local working directory of the FTP client. You can upload the file under this directory, or save the downloaded file under this directory.
5. Upload or download the file.
Follow these steps to operate the files on an FTP server:
To do…: Display detailed information about a directory or file on the remote FTP server
Use the command…: dir [ remotefile [ localfile ] ]
Remarks: Optional. The ls command displays the name of a directory or file only, while the dir command displays detailed information such as the file size and creation time.

To do…: Query a directory or file on the remote FTP server
Use the command…: ls [ remotefile [ localfile ] ]
Remarks: Optional. The ls command displays the name of a directory or file only, while the dir command displays detailed information such as the file size and creation time.

To do…: Delete the specified file on the remote FTP server permanently
Use the command…: delete remotefile
Remarks: Optional

To do…: Set the file transfer mode to ASCII
Use the command…: ascii
Remarks: Optional. ASCII by default.

To do…: Set the file transfer mode to binary
Use the command…: binary
Remarks: Optional. ASCII by default.

To do…: Set the data transmission mode to passive
Use the command…: passive
Remarks: Optional. Passive by default.

To do…: Display the local working directory of the FTP client
Use the command…: lcd
Remarks: Optional

To do…: Upload a file to the FTP server
Use the command…: put localfile [ remotefile ]
Remarks: Optional

To do…: Download a file from the FTP server
Use the command…: get remotefile [ localfile ]
Remarks: Optional
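The ASCII and binary transfer modes of step 3, and the reason the examples in this chapter set binary before moving a system software image, as an added Python example (not code from the HP guide). It models what FTP ASCII mode does to the bytes on the wire under RFC 959, for both a CRLF-style receiver (such as the WFTPD server in the client example) and an LF-style one, and compares SHA-256 hashes to decide whether a payload survived. The payloads CONFIG_CFG and NEWEST_BIN are constructed, and all function names are assumptions of this example.

```python
"""ASCII versus binary FTP transfer mode, modelled on the bytes.

Added example, not code from the HP guide.  The payloads below are
constructed; the conversion rules follow RFC 959 (TYPE A sends NVT
CRLF line endings, TYPE I sends every byte unchanged).
"""
import hashlib


def ftp_ascii_encode(data: bytes) -> bytes:
    """Sender side of ASCII mode for a sender whose local newline is LF:
    every bare LF becomes CR LF; an existing CR LF is passed through."""
    out = bytearray()
    for i, b in enumerate(data):
        if b == 0x0A and (i == 0 or data[i - 1] != 0x0D):
            out += b"\r\n"
        else:
            out.append(b)
    return bytes(out)


def transfer(data: bytes, mode: str, receiver_newline: bytes = b"\r\n") -> bytes:
    """Bytes the receiver stores after a transfer in `mode`.

    binary: stored byte for byte.
    ascii:  the sender emits NVT CRLF line endings and the receiver rewrites
            each CRLF into its local newline (CRLF for a Windows-style host
            such as the WFTPD server in the example, LF for a Unix host).
    """
    if mode == "binary":
        return data
    if mode != "ascii":
        raise ValueError(mode)
    return ftp_ascii_encode(data).replace(b"\r\n", receiver_newline)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def image_survives(data: bytes, mode: str, receiver_newline: bytes = b"\r\n") -> bool:
    """A software image is intact only if it is byte-identical: compare hashes."""
    return sha256_hex(transfer(data, mode, receiver_newline)) == sha256_hex(data)


def text_survives(data: bytes, mode: str, receiver_newline: bytes = b"\r\n") -> bool:
    """A text file is intact if its lines are the same, whatever the newline."""
    return transfer(data, mode, receiver_newline).splitlines() == data.splitlines()


# Constructed sample payloads (not real files from the guide).
CONFIG_CFG = b"#\n sysname Sysname\n#\n ftp server enable\n#\nreturn\n"
# Pseudo image: every byte value twice, with bare 0x0A bytes and one embedded CR LF.
NEWEST_BIN = bytes(range(256)) + b"\r\n" + bytes(range(256))

if __name__ == "__main__":
    for name, payload, check in (("config.cfg", CONFIG_CFG, text_survives),
                                 ("newest.bin", NEWEST_BIN, image_survives)):
        for mode in ("ascii", "binary"):
            for nl in (b"\r\n", b"\n"):
                stored = transfer(payload, mode, nl)
                print(f"{name:10s} {mode:6s} receiver_newline={nl!r:8} "
                      f"bytes={len(stored):4d} intact={check(payload, mode, nl)}")
```

An ASCII transfer keeps a configuration file's lines intact whichever newline convention the receiver uses, but the image comes back with bytes inserted or removed, which is why the examples set binary before get newest.bin and put newest.bin. Comparing a hash of the file after the transfer with the one published for the image catches the same damage on a real link.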
Using another username to log in to an FTP server
After the switch serving as the FTP client has established a connection with the FTP server, you can use another username to log in to the FTP server. For more information about establishing an FTP connection,
This feature allows you to switch to a different user level without affecting the current FTP connection. If you enter an incorrect username or password, the current connection is terminated, and you must log in again to access the FTP server.
Follow the step below to use another username to log in to the FTP server:
To do…: Use another username to re-log in after successfully logging in to the FTP server
Use the command…: user username [ password ]
Remarks: Optional
Maintaining and debugging an FTP connection
After a switch serving as the FTP client has established a connection with the FTP server, you can perform the following operations to locate and diagnose problems encountered in an FTP connection. For more
To do…: Display the help information of FTP-related commands supported by the remote FTP server
Use the command…: remotehelp [ protocol-command ]
Remarks: Optional

To do…: Enable information display in a detailed manner
Use the command…: verbose
Remarks: Optional. Enabled by default.

To do…: Enable FTP related debugging when the switch acts as the FTP client
Use the command…: debugging
Remarks: Optional. Disabled by default.
Terminating an FTP connection
After the switch serving as the FTP client has established a connection with the FTP server, you can use any of the following commands to terminate an FTP connection. For more information about establishing
To do…: Terminate the connection to the FTP server without exiting FTP client view
Use the command…: disconnect
Remarks: Optional. Equal to the close command.

To do…: Terminate the connection to the FTP server without exiting FTP client view
Use the command…: close
Remarks: Optional. Equal to the disconnect command.

To do…: Terminate the connection to the FTP server and return to user view
Use the command…: bye
Remarks: Optional. Equal to the quit command in FTP client view.

To do…: Terminate the connection to the FTP server and return to user view
Use the command…: quit
Remarks: Optional. Available in FTP client view, equal to the bye command.
FTP client configuration example
Network requirements
• addresses are 10.2.1.1/16 and 10.1.1.1/16 respectively. The device and PC can reach each other.
• The device downloads a system software image file from the PC for device upgrade, and uploads the configuration file to the PC for backup.
• On the PC, an FTP user account has been created for the FTP client, with the username abc and the password pwd.
Figure 37 Network diagram for FTPing a system software image file from an FTP server
Configuration procedure
CAUTION:
If the available memory space of the device is not enough, use the fixdisk command to clear the memory
or use the delete /unreserved file-url command to delete the files not in use and then perform the following
operations.
# Log in to the server through FTP.
<Sysname> ftp 10.1.1.1
Trying 10.1.1.1
Connected to 10.1.1.1
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
User(10.1.1.1:(none)):abc
331 Give me your password, please
Password:
230 Logged in successfully
# Set the file transfer mode to binary to transmit the system software image file.
[ftp] binary
200 Type set to I.
# Download the system software image file newest.bin from the PC to the device.
[ftp] get newest.bin
# Upload the configuration file config.cfg of the device to the server for backup.
[ftp] ascii
[ftp] put config.cfg back-config.cfg
227 Entering Passive Mode (10,1,1,1,4,2).
125 ASCII mode data connection already open, transfer starting for /config.cfg.
226 Transfer complete.
FTP: 3494 byte(s) sent in 5.646 second(s), 618.00 byte(s)/sec.
[ftp] bye
# Specify newest.bin as the main system software image file for next startup.
<Sysname> boot-loader file newest.bin main
# Reboot the device, and the system software image file is updated at the system reboot.
<Sysname> reboot
CAUTION:
The system software image file for next startup must be saved in the storage medium’s root directory. You
can copy or move a file to the storage medium’s root directory. For more information about the
boot-loader command, see the Fundamentals Command Reference.
Configuring the FTP server
Configuring FTP server operating parameters
The FTP server uses one of the following modes to update a file when you upload the file (use the put command) to the FTP server:
• In fast mode, the FTP server starts writing data to the storage medium only after the whole file has been received into memory. This prevents the existing file on the FTP server from being corrupted if an anomaly, such as a power failure, occurs during the file transfer.
• In normal mode, the FTP server writes data to the storage medium while receiving data. This means that an anomaly, such as a power failure, during the file transfer might result in file corruption on the FTP server. This mode, however, consumes less memory than fast mode.
Follow these steps to configure the FTP server:
To do…: Enter system view
Use the command…: system-view
Remarks: —

To do…: Enable the FTP server
Use the command…: ftp server enable
Remarks: Required. Disabled by default.

To do…: Use an ACL to control FTP clients’ access to the switch
Use the command…: ftp server acl acl-number
Remarks: Optional. By default, no ACL is used to control FTP clients’ access to the switch.

To do…: Configure the idle-timeout timer
Use the command…: ftp timeout minutes
Remarks: Optional. 30 minutes by default. Within the idle-timeout time, if there is no information interaction between the FTP server and client, the connection between them is terminated.

To do…: Set the file update mode for the FTP server
Use the command…: ftp update { fast | normal }
Remarks: Optional. Normal update is used by default.

To do…: Quit to user view
Use the command…: quit
Remarks: —

To do…: Manually release the FTP connection established with the specified username
Use the command…: free ftp user username
Remarks: Optional. Available in user view.
Configuring authentication and authorization on the FTP server
To allow an FTP user to access certain directories on the FTP server, you must create an account for the
user, authorizing access to the directories and associating the username and password with the account.
The following configuration is used when the FTP server authenticates and authorizes a local FTP user. If
the FTP server needs to authenticate a remote FTP user, you must configure authentication, authorization
and accounting (AAA) policy instead of the local user. For detailed configuration, see the Security
Command Reference.
In local authentication, the switch checks the input username and password against those configured on the switch. In remote authentication, the switch sends the input username and password to the remote authentication server, which then checks whether they are consistent with those configured on the server.
Follow these steps to configure authentication and authorization for the FTP server:
To do…: Enter system view
Use the command…: system-view
Remarks: —

To do…: Create a local user and enter its view
Use the command…: local-user user-name
Remarks: Required. No local user exists by default, and the system does not support FTP anonymous user access.

To do…: Assign a password to the user
Use the command…: password { simple | cipher } password
Remarks: Required.

To do…: Assign the FTP service to the user
Use the command…: service-type ftp
Remarks: Required. By default, the system does not support anonymous FTP access, and does not assign any service. If the FTP service is assigned, the root directory of the switch is used by default.

To do…: Configure user properties
Use the command…: authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | level level | user-profile profile-name | user-role security-audit | vlan vlan-id | work-directory directory-name } *
Remarks: Optional. By default, the FTP/SFTP users can access the root directory of the switch, and the user level is 0. You can change the default configuration by using this command.

NOTE:
• For more information about the local-user, password, service-type ftp, and authorization-attribute commands, see the Security Command Reference.
• When the switch serves as the FTP server, if the client is to perform write operations (such as upload, delete, and create) on the device’s file system, the FTP login users must be level 3 users; if the client is to perform other operations such as read operations, the switch has no restriction on the user level of the FTP login users.
FTP server configuration example
Network requirements
• addresses are 1.2.1.1/16 and 1.1.1.1/16 respectively. The device and PC can reach each other.
• The PC keeps the updated system software image file of the device. Use FTP to upgrade the device and back up the configuration file.
• Set the username to ftp and the password to pwd for the FTP client to log in to the FTP server.
Figure 38 Upgrading using the FTP server
Configuration procedure
1. Configure the device (FTP Server)
# Create an FTP user account ftp, set its password to pwd and the user privilege level to level 3 (the manage level). Allow user ftp to access the root directory of the flash, and specify ftp to use FTP. (The simple keyword stores the password in plain text in the configuration file; use the cipher keyword to store it in encrypted form.)
<Sysname> system-view
[Sysname] local-user ftp
[Sysname-luser-ftp] password simple pwd
[Sysname-luser-ftp] authorization-attribute level 3
[Sysname-luser-ftp] authorization-attribute work-directory flash:/
[Sysname-luser-ftp] service-type ftp
[Sysname-luser-ftp] quit
# Enable the FTP server.
[Sysname] ftp server enable
[Sysname] quit
# Check the files on your device. Remove those that are redundant to ensure adequate space for the system software image file to be uploaded.
<Sysname> dir
Directory of flash:/

   0  drw-         -  Dec 07 2005 10:00:57   filename
   1  drw-         -  Jan 02 2006 14:27:51   logfile
   2  -rw-      1216  Jan 02 2006 14:28:59   config.cfg
   3  -rw-      1216  Jan 02 2006 16:27:26   back.cfg

14986 KB total (2511 KB free)
<Sysname> delete /unreserved flash:/back.cfg
2. Configure the PC (FTP Client)
# Log in to the FTP server through FTP.
c:\> ftp 1.1.1.1
Connected to 1.1.1.1.
220 FTP service ready.
User(1.1.1.1:(none)): ftp
331 Password required for ftp.
Password:
230 User logged in.
# Download the configuration file config.cfg of the device to the PC for backup.
ftp> get config.cfg back-config.cfg
# Set the transfer mode to binary, and upload the system software image file newest.bin to the device.
ftp> binary
ftp> put newest.bin
ftp> bye
NOTE:
• You can take the same steps to upgrade the configuration file with FTP. When upgrading the configuration file with FTP, put the new file in the storage medium’s root directory.
• After you finish transferring the Boot ROM through FTP, you must execute the bootrom update command to upgrade the Boot ROM.
3. Upgrade the device
# Specify newest.bin as the main system software image file for next startup.
<Sysname> boot-loader file newest.bin main
# Reboot the device, and the system software image file is updated at the system reboot.
<Sysname> reboot
CAUTION:
The system software image file used for the next startup must be saved in the storage medium’s root
directory. You can copy or move a file to the storage medium’s root directory. For more information about
the boot-loader command, see the Fundamentals Command Reference.
Displaying and maintaining FTP
To do…: Display the configuration of the FTP client
Use the command…: display ftp client configuration [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view

To do…: Display the configuration of the FTP server
Use the command…: display ftp-server [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view

To do…: Display detailed information about logged-in FTP users
Use the command…: display ftp-user [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view
TFTP configuration
TFTP overview
Introduction to TFTP
The Trivial File Transfer Protocol (TFTP) provides functions similar to those provided by FTP, but it is less complex than FTP: it has a simpler access interface and no authentication. It is more suitable in environments where complex interaction is not needed between client and server.
TFTP servers listen on UDP port 69 for transfer requests; the data blocks and acknowledgements of each transfer are then exchanged on UDP ports chosen by the two ends for that transfer. For more information about TFTP basic operation, see RFC 1350.
In TFTP, file transfer is initiated by the client.
• In a normal file downloading process, the client sends a read request to the TFTP server, receives data from the server, and then sends the acknowledgement to the server.
• In a normal file uploading process, the client sends a write request to the TFTP server, sends data to the server, and receives the acknowledgement from the server.
TFTP transfers files in the following modes:
• Binary mode: Transfers files as raw data, such as .app, .bin, and .btm files.
• ASCII mode: Transfers files as text, such as .txt, .bat, and .cfg files.
TFTP operation
NOTE:
Only the TFTP client service is available with your device at present.
Figure 39 TFTP configuration diagram
Before using TFTP, the administrator needs to configure IP addresses for the TFTP client and server, and make sure that there is a reachable route between the TFTP client and server.
When the device serves as the TFTP client, you need to perform the following configuration:
Table 10 Configuration when the device serves as the TFTP client
Device: Device (TFTP client)
Configuration:
• Configure the IP address and routing function, and ensure that the route between the device and the TFTP server is available.
• Use the tftp command to establish a connection to the remote TFTP server to upload/download files to/from the TFTP server.
Remarks: —

Device: PC (TFTP server)
Configuration: Enable the TFTP server on the PC, and configure the TFTP working directory.
Remarks: —
Configuring the TFTP client
When a device acts as a TFTP client, you can upload a file on the device to a TFTP server or download a file from the TFTP server to the local device. You can use either of the following methods to download a file:
• Normal download: The device writes the obtained file to the storage medium directly. If you download a remote file using a filename destination-filename that exists in the directory, the device deletes the original file and then saves the new one. If the file download fails due to network disconnection or other reasons, the original file cannot be recovered because it has already been deleted.
• Secure download: The device saves the obtained file to its memory and does not write it to the storage medium until the whole file is obtained. If you download a remote file using a filename destination-filename that exists in the directory, the original file is not overwritten until the download completes. If the file download fails due to network disconnection or other reasons, the original file still exists. This mode is more secure but consumes more memory.
HP recommends that you use the secure mode (the sget keyword of the tftp command) or, if you use the normal mode, specify a filename not existing in the current directory as the target filename when downloading the system software image file or the startup configuration file.
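The read exchange described in the TFTP overview (read request, DATA blocks and acknowledgements over UDP) and the two download modes just described, as one added Python example; this is not code from the HP guide or the switch software. The server is simulated in memory so the example runs offline, and a dict stands in for the flash. SimServer, tftp_get, demo and fail_after are names chosen for this example; the stub that a failed normal-mode download leaves behind is what the guide's description of that mode implies, not an observed device behaviour.

```python
"""TFTP (RFC 1350) read exchange with the normal and secure download modes.

Added example, not code from the HP guide or the switch software.  The server
is simulated in memory (SimServer, fail_after) and a dict stands in for the
flash, so it runs offline.  Function names are mine.
"""
import struct

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK = 512                  # data bytes per DATA packet; a shorter block ends the file

def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """Read request: opcode, filename, NUL, mode, NUL.  No credentials: TFTP has none."""
    return struct.pack("!H", RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"

def build_data(block: int, payload: bytes) -> bytes:
    return struct.pack("!HH", DATA, block) + payload

def build_ack(block: int) -> bytes:
    return struct.pack("!HH", ACK, block)

def parse(pkt: bytes):
    """Return (opcode, block number or None, body)."""
    (op,) = struct.unpack("!H", pkt[:2])
    if op in (DATA, ACK):
        return op, struct.unpack("!H", pkt[2:4])[0], pkt[4:]
    if op in (RRQ, WRQ):
        name, mode, _ = pkt[2:].split(b"\0", 2)
        return op, None, (name.decode(), mode.decode())
    return op, None, pkt[2:]

class SimServer:
    """In-memory server.  After `fail_after` DATA packets the link is 'lost':
    the server stops answering (returns None), like a network disconnection."""
    def __init__(self, files: dict, fail_after: int = None):
        self.files, self.fail_after, self.current, self.sent = files, fail_after, b"", 0

    def _data(self, n: int):
        if self.fail_after is not None and n > self.fail_after:
            return None
        self.sent = n
        return build_data(n, self.current[(n - 1) * BLOCK:n * BLOCK])

    def handle(self, pkt: bytes):
        op, block, body = parse(pkt)
        if op == RRQ and body[0] in self.files:
            self.current = self.files[body[0]]
            return self._data(1)
        if op == ACK and block == self.sent:
            if len(self.current) - (block - 1) * BLOCK < BLOCK:
                return None                      # final block acknowledged: transfer done
            return self._data(block + 1)
        return struct.pack("!HH", ERROR, 0) + b"bad request\0"

def tftp_get(server, filename: str, storage: dict, dest: str, secure: bool) -> bool:
    """Download filename into storage[dest]; True only when the whole file arrived.
    normal (secure=False): storage[dest] is emptied before the first block and each
    block is appended as received, so a failed transfer leaves a stub behind.
    secure (secure=True): blocks are held in a buffer and storage[dest] is replaced
    only after the final short block, so a failed transfer leaves the old file."""
    if not secure:
        storage[dest] = bytearray()              # the old file is gone from here on
    buf, expected = bytearray(), 1
    pkt = server.handle(build_rrq(filename))
    while True:
        if pkt is None:
            return False                         # timeout / link lost
        op, block, payload = parse(pkt)
        if op != DATA or block != expected:
            return False                         # ERROR packet or unexpected block
        (buf if secure else storage[dest]).extend(payload)
        if len(payload) < BLOCK:
            break                                # short block: end of file
        expected += 1
        pkt = server.handle(build_ack(block))
    server.handle(build_ack(expected))           # acknowledge the final block
    if secure:
        storage[dest] = buf
    return True

# Constructed sample images (not real firmware).
OLD_IMAGE = b"OLD-IMAGE-" * 60                  # 600 bytes already on the device
NEW_IMAGE = bytes(range(256)) * 9 + b"tail"     # 2308 bytes: four full blocks + 260

def demo(secure: bool, fail_after: int = None):
    """One download over an existing newest.bin; returns (ok, bytes left on the flash)."""
    flash = {"newest.bin": OLD_IMAGE}
    server = SimServer({"newest.bin": NEW_IMAGE}, fail_after)
    ok = tftp_get(server, "newest.bin", flash, "newest.bin", secure)
    return ok, bytes(flash["newest.bin"])

if __name__ == "__main__":
    for secure, fail in ((False, None), (True, None), (False, 2), (True, 2)):
        ok, on_disk = demo(secure, fail)
        print(f"secure={secure} fail_after={fail} ok={ok} bytes_on_flash={len(on_disk)}")
```

With the link cut after two blocks, normal mode leaves 1024 bytes of a 2308-byte image under the name the device will try to boot from, while secure mode leaves the old image untouched; that is the difference the recommendation above is about. The read request also shows why the ACL on the TFTP client side matters: the exchange carries no credentials at all.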
Before using the tftp command to establish a TFTP connection, you can perform source address binding.
Source address binding means configuring an IP address on a stable interface such as a loopback
interface, and then using this IP address as the source IP address of a TFTP connection. The source
address binding function simplifies the configuration of ACL rules and security policies. You only need to
specify the source or destination address argument in an ACL rule as the address to filter inbound and
outbound packets on the device, ignoring the difference between interface IP addresses as well as the
effect of interface statuses. You can configure the source address by configuring the source interface or
source IP address. The primary IP address configured on the source interface is the source address of the
transmitted packets.
Follow these steps to configure the TFTP client:
To do…: Enter system view
Use the command…: system-view
Remarks: —

To do…: Use an ACL to control the device’s access to TFTP servers
Use the command…: tftp-server [ ipv6 ] acl acl-number
Remarks: Optional. By default, no ACL is used to control the device’s access to TFTP servers.

To do…: Configure the source address of the TFTP client
Use the command…: tftp client source { interface interface-type interface-number | ip source-ip-address }
Remarks: Optional. A device uses the source address determined by the matched route to communicate with the TFTP server by default.

To do…: Return to user view
Use the command…: quit
Remarks: —

To do…: Download or upload a file in an IPv4 network
Use the command…: tftp server-address { get | put | sget } source-filename [ destination-filename ] [ source { interface interface-type interface-number | ip source-ip-address } ]
Remarks: Optional. Available in user view

To do…: Download or upload a file in an IPv6 network
Use the command…: tftp ipv6 tftp-ipv6-server [ -i interface-type interface-number ] { get | put } source-file [ destination-file ]
Remarks: Optional. Available in user view

NOTE:
• If no primary IP address is configured on the source interface, no TFTP connection can be established.
• If you use the tftp client source command to first configure the source interface and then the source IP address of the packets of the TFTP client, the new source IP address will overwrite the current one, and vice versa.
Displaying and maintaining the TFTP client
To do…: Display the configuration of the TFTP client
Use the command…: display tftp client configuration [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view
TFTP client configuration example
Network requirements
• addresses are 1.2.1.1/16 and 1.1.1.1/16 respectively. The device and PC can reach each other.
• The device downloads a system software image file from the PC for upgrading and uploads a configuration file named config.cfg to the PC for backup.
Figure 40 Smooth upgrading using the TFTP client function
Configuration procedure
1. Configure the PC (TFTP Server); the configuration procedure is omitted.
• On the PC, enable the TFTP server.
• Configure a TFTP working directory.
2. Configure the device (TFTP Client)
CAUTION:
If the available memory space of the device is not enough, use the fixdisk command to clear the memory or use the delete /unreserved file-url command to delete the files not in use and then perform the following operations.
# Download the system software image file newest.bin from the PC. The tftp command is available in user view. Use the sget keyword instead of get to download in the secure mode recommended above, which keeps the existing file intact if the transfer fails.
<Sysname> tftp 1.2.1.1 get newest.bin
# Upload the configuration file config.cfg to the TFTP server.
<Sysname> tftp 1.2.1.1 put config.cfg configback.cfg
# Specify newest.bin as the main system software image file for the next startup.
<Sysname> boot-loader file newest.bin main
# Reboot the device, and the system software image file is upgraded.
<Sysname> reboot
CAUTION:
The system software image file used for the next startup must be saved in the root directory of the storage medium. You can copy or move a file to the root directory of the storage medium. For more information about the boot-loader command, see the Fundamentals Command Reference.
File management
Managing files
Files such as host software and configuration files that are necessary for the operation of the device are saved in the storage media of the device. You can manage files on your device through these operations: Performing directory operations, Performing file operations, Performing batch operations, Performing
Filename formats
When you specify a file, you must enter the filename in one of the following formats.
Filename formats:
Format: file-name
Description: Specifies a file in the current working directory.
Length: 1 to 91 characters
Example: a.cfg indicates a file named a.cfg in the current working directory.

Format: path/file-name
Description: Specifies a file in the specified folder in the current working directory. path indicates the name of the folder. You can specify multiple folders, indicating a file under a multi-level folder.
Length: 1 to 135 characters
Example: test/a.cfg indicates a file named a.cfg in the test folder in the current working directory.

Format: drive:/[path]/file-name
Description: Specifies a file in the specified storage medium on the device. drive represents the storage medium name, which is usually flash or cf. If there is only one storage medium on the device, you do not need to provide information about the storage medium. If multiple storage media exist on the device, you must provide the related information to identify the storage medium.
Length: 1 to 135 characters
Example: flash:/test/a.cfg indicates a file named a.cfg in the test folder in the root directory of the flash memory.
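A small parser for the three formats in the table above, as an added Python example (not code from the HP guide). The length limits and the three format names are the table's; the regular expression for the drive prefix, the result fields and the escapes_cwd flag for ".." segments are choices of this example.

```python
"""Classifier for the three filename formats in the table above.

Added example, not code from the HP guide.  The length limits and the
three formats come from the table; the regular expression, the field
names and the escapes_cwd check are mine.
"""
import re

MAX_LENGTH = {"file-name": 91, "path/file-name": 135, "drive:/[path]/file-name": 135}
_DRIVE_RE = re.compile(r"^(?P<drive>[A-Za-z0-9]+):/(?P<rest>.*)$")


def classify(name: str) -> dict:
    """Return the format a filename uses and whether it is well formed.

    Keys: format, drive, path, file, valid, reason, escapes_cwd.
    escapes_cwd is True when a '..' segment leads outside the working
    directory (or drive root) the format is relative to.
    """
    result = {"format": None, "drive": None, "path": "", "file": "",
              "valid": False, "reason": "", "escapes_cwd": False}
    m = _DRIVE_RE.match(name)
    if m:
        result["format"] = "drive:/[path]/file-name"
        result["drive"] = m.group("drive")
        rest = m.group("rest")
    elif "/" in name:
        result["format"] = "path/file-name"
        rest = name
    else:
        result["format"] = "file-name"
        rest = name
    segments = rest.split("/")
    result["path"], result["file"] = "/".join(segments[:-1]), segments[-1]
    result["escapes_cwd"] = ".." in segments
    if not result["file"]:
        result["reason"] = "no file name"
    elif any(s == "" for s in segments[:-1]):
        result["reason"] = "empty path segment"
    elif not 1 <= len(name) <= MAX_LENGTH[result["format"]]:
        result["reason"] = f"length {len(name)} outside 1..{MAX_LENGTH[result['format']]}"
    else:
        result["valid"] = True
    return result


if __name__ == "__main__":
    for sample in ("a.cfg", "test/a.cfg", "flash:/test/a.cfg", "flash:/", "../a.cfg", "x" * 92):
        r = classify(sample)
        print(f"{sample[:20]:20s} {r['format']!s:24s} valid={r['valid']!s:5} "
              f"drive={r['drive']} path={r['path']!r} file={r['file']!r} {r['reason']}")
```

The escapes_cwd flag is the check worth keeping when filenames come from another system, for example a file list received over FTP: a name such as ../a.cfg is well formed by the table's rules but names a file outside the directory the user was authorized for.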
Performing directory operations
You can create or remove a directory, and display the current working directory, the specified directory, and file information.
Displaying directory information
To do…: Display directory or file information
Use the command…: dir [ /all ] [ file-url ]
Remarks: Required. Available in user view
Displaying the current working directory
To do…: Display the current working directory
Use the command…: pwd
Remarks: Required. Available in user view
Changing the current working directory
To do…: Change the current working directory
Use the command…: cd { directory | .. | / }
Remarks: Required. Available in user view
Creating a directory
To do…: Create a directory
Use the command…: mkdir directory
Remarks: Required. Available in user view
Removing a directory
To do…: Remove a directory
Use the command…: rmdir directory
Remarks: Required. Available in user view
NOTE:
• The directory to be removed must be empty, meaning that before you remove a directory, you must delete all the files and subdirectories in this directory. For file deletion, see the delete command; for subdirectory deletion, see the rmdir command.
• The rmdir command automatically deletes the files in the recycle bin in the current directory.
Performing file operations
You can display the specified directory or file information; display file contents; and rename, copy, move, remove, restore, and delete files.
NOTE:
You can create a file by copying, downloading, or using the save command.
Displaying file information
To do…: Display file or directory information
Use the command…: dir [ /all ] [ file-url ]
Remarks: Required. Available in user view
Displaying the contents of a file
To do…: Display the contents of a file
Use the command…: more file-url
Remarks: Required. Only text files can be displayed. Available in user view
Renaming a file
To do…: Rename a file
Use the command…: rename fileurl-source fileurl-dest
Remarks: Required. Available in user view
Copying a file
To do…: Copy a file
Use the command…: copy fileurl-source fileurl-dest
Remarks: Required. Available in user view
Moving a file
To do…: Move a file
Use the command…: move fileurl-source fileurl-dest
Remarks: Required. Available in user view
Deleting a file
To do…: Move a file to the recycle bin or delete it permanently
Use the command…: delete [ /unreserved ] file-url
Remarks: Required. Available in user view
CAUTION:
• The files in the recycle bin still occupy storage space. To delete a file in the recycle bin, execute the reset recycle-bin command in the directory to which the file originally belongs. HP recommends that you empty the recycle bin periodically with the reset recycle-bin command to save storage space.
• The delete /unreserved file-url command deletes a file permanently and the action cannot be undone. Executing this command equals executing the delete file-url command and then the reset recycle-bin command in the same directory.
Restoring a file from the recycle bin
To do…: Restore a file from the recycle bin
Use the command…: undelete file-url
Remarks: Required. Available in user view
Emptying the recycle bin
To do…: Enter the original working directory of the file to be deleted
Use the command…: cd { directory | .. | / }
Remarks: Optional. If the original directory of the file to be deleted is not the current working directory, this command is required. Available in user view

To do…: Delete the files in the recycle bin of the current directory
Use the command…: reset recycle-bin [ /force ]
Remarks: Required. Available in user view
Performing batch operations
A batch file is a set of executable commands. Executing a batch file is the same as executing the commands in the batch file one by one.
Before executing a batch file, edit the batch file on your PC, and then download the batch file to the device. If the suffix of the file is not .bat, use the rename command to change the suffix to .bat.
Follow these steps to execute a batch file:
To do…: Enter system view
Use the command…: system-view
Remarks: —

To do…: Execute a batch file
Use the command…: execute filename
Remarks: Required
CAUTION:
Executing a batch file does not guarantee successful execution of every command in the batch file. If a command has error settings or the conditions for executing the command are not satisfied, this command fails to be executed, and the system skips to the next command.
Performing storage medium operations
Managing the space of a storage medium
When the space of a storage medium becomes inaccessible due to abnormal operations, you can use the fixdisk command to restore it. The format command formats the storage medium, and all the data on the storage medium is deleted.
Use the following commands to manage the space of a storage medium:
To do…: Restore the space of a storage medium
Use the command…: fixdisk device
Remarks: Optional. Available in user view

To do…: Format a storage medium
Use the command…: format device
Remarks: Optional. Available in user view
CAUTION:
When you format a storage medium, all the files stored on it are erased and cannot be restored. If a startup configuration file exists on the storage medium, formatting the storage medium results in loss of the startup configuration file.
Setting prompt modes
The system provides the following prompt modes:
• alert—In this mode, the system warns you about operations that may bring undesirable consequences such as file corruption or data loss.
• quiet—In this mode, the system does not prompt for confirmation for any operation.
To prevent undesirable consequences resulting from mis-operations, the alert mode is preferred.
Follow these steps to set the operation prompt mode:
To do…: Enter system view
Use the command…: system-view
Remarks: —

To do…: Set the operation prompt mode of the file system
Use the command…: file prompt { alert | quiet }
Remarks: Optional. The default is alert.
Example for file operations
# Display the files and the subdirectories in the current directory.
<Sysname> dir
Directory of flash:/

   0  drw-         -  Feb 16 2006 11:45:36   logfile
   1  -rw-      1218  Feb 16 2006 11:46:19   config.cfg
   2  drw-         -  Feb 16 2006 15:20:27   test
   3  -rw-    184108  Feb 16 2006 15:30:20   aaa.bin

14986 KB total (2521 KB free)
# Create a new folder mytest in the test directory.
<Sysname> cd test
<Sysname> mkdir mytest
%Created dir flash:/test/mytest.
# Display the current working directory.
<Sysname> pwd
flash:/test
# Display the files and the subdirectories in the test directory.
<Sysname> dir
Directory of flash:/test/

   0  drw-         -  Feb 16 2006 15:28:14   mytest

14986 KB total (2519 KB free)
# Return to the upper directory.
<Sysname> cd ..
# Display the current working directory.
<Sysname> pwd
flash:
Configuration file management
Configuration file overview
A configuration file contains a set of commands. You can save the current configuration to a
configuration file so that the configuration can take effect after a switch reboot. In addition, you can
conveniently view the configuration information, or upload and download the configuration file to/from
another switch to configure switches in batches.
Types of configuration
The switch maintains the following types of configurations: factory defaults, startup configuration, and
running configuration.
Factory defaults
Switches are shipped with some basic settings, which are called factory defaults. These default settings
ensure that a switch can start up and run normally when it has no configuration file or the configuration
file is damaged.
Startup configuration
Use startup configuration for initialization when the switch boots. If this file does not exist, the system
boots using null configuration. Null configuration is the factory default configuration, which may differ
from the default settings for commands. The factory default configuration may vary with switch models.
View the startup configuration using either of the following methods:
• Use the display startup command to view the configuration file currently in use, and use the more command to view the content of the configuration file.
• After the reboot of the switch and before configuring the switch, use the display current-configuration command to view the startup configuration.
Running configuration
The running configuration is stored in the temporary storage media of the switch, and will be removed if
not saved when the switch reboots.
Use the display current-configuration command to view the current validated configuration of the switch.
Format and content of a configuration file
A configuration file is saved as a text file; the following rules apply:
• Only non-default configuration settings are saved.
• Commands in a configuration file are listed in sections by views, usually in the order of system view, interface view, routing protocol view, and user interface view. Sections are separated with one or multiple blank lines or comment lines that start with a pound sign #.
• A configuration file ends with a return.
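A reader for the layout just described, as an added Python example (not code from the HP guide). SAMPLE_CFG is a constructed file in the style of the commands shown elsewhere in this guide; the rule that an indented first line marks a system-view section is an assumption of this example, and the plain-text password check relies on the simple keyword of the password command storing the password unencrypted, which is why a configuration file backed up over FTP or TFTP deserves this scan.

```python
"""Reader for the configuration-file layout described above.

Added example, not code from the HP guide.  SAMPLE_CFG is constructed
in the style of the commands this guide shows; the indentation rule in
view_of (a line starting with a space belongs to system view) is my
assumption, not a statement from the guide.
"""

SAMPLE_CFG = """\
#
 sysname Sysname
#
local-user ftp
 password simple pwd
 authorization-attribute level 3
 authorization-attribute work-directory flash:/
 service-type ftp
#
 ftp server enable
#
interface Vlan-interface1
 ip address 1.1.1.1 255.255.0.0
#
return
"""


def parse_sections(text: str) -> list:
    """Split a configuration file into sections.

    A blank line or a comment line starting with '#' ends the current
    section; every other line is a command line of that section."""
    sections, current = [], []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            if current:
                sections.append(current)
                current = []
        else:
            current.append(line.rstrip())
    if current:
        sections.append(current)
    return sections


def ends_with_return(text: str) -> bool:
    """The file must end with a 'return' line (a trailing newline is allowed)."""
    lines = [l for l in text.splitlines() if l.strip()]
    return bool(lines) and lines[-1].strip() == "return"


def view_of(section: list) -> str:
    """Name of the view a section belongs to.  A section whose first line is
    indented holds system-view commands (assumption); otherwise the first
    line opens the view, e.g. 'local-user ftp' or 'interface Vlan-interface1'."""
    first = section[0]
    return "system" if first.startswith(" ") else first.strip()


def find_plaintext_passwords(sections: list) -> list:
    """(view, line) for every 'password simple ...' line: the simple keyword
    stores the password in plain text, so a backed-up config leaks it."""
    hits = []
    for section in sections:
        for line in section:
            if line.strip().startswith("password simple "):
                hits.append((view_of(section), line.strip()))
    return hits


if __name__ == "__main__":
    secs = parse_sections(SAMPLE_CFG)
    print("sections:", [view_of(s) for s in secs])
    print("ends with return:", ends_with_return(SAMPLE_CFG))
    for view, line in find_plaintext_passwords(secs):
        print(f"plain-text password in {view}: {line}")
```

Run against the sample, the reader finds five sections, confirms the terminating return line, and reports the password simple pwd line under local-user ftp; the same scan over a file saved from a real switch tells you which accounts to recreate with the cipher keyword before the backup leaves the device.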
Coexistence of multiple configuration files
The switch can save multiple configuration files on its storage media. You can save the configurations
used in different networking environments as different configuration files. When the switch moves
between networking environments, specify the configuration file as the startup configuration file of the
switch and then restart the switch. Multiple configuration files allow the switch to adapt to a network
rapidly, saving the configuration workload.
A switch starts up using only one configuration file. However, you can specify two startup configuration files, a main startup configuration file and a backup startup configuration file, as needed when the switch has main and backup configuration files. The switch starts up using the main startup configuration file. If the main startup configuration file is corrupted or lost, the switch starts up using the backup startup configuration file. Switches supporting main and backup startup configuration files are more secure and reliable.
At any time, the switch has at most one main startup configuration file and one backup startup configuration file. You can also specify neither of the two files (displayed as NULL).
You can specify main and backup startup configuration files using one of the following methods:
• Specify them when saving the running configuration. For more information, see “Saving the running configuration.”
• Specify them when specifying the startup configuration file. For more information, see “Specifying a startup configuration file to be used at the next system startup.”
Startup with the configuration file
The switch takes the following steps when it starts up:
1. If the main startup configuration file you specified exists, the switch starts up with this configuration file.
2. If the main startup configuration file you specified does not exist but the backup startup configuration file exists, the switch starts up with the backup startup configuration file.
3. If neither the main nor the backup startup configuration file exists, the switch starts up with null configuration.
Saving the running configuration
Introduction
To make configuration changes take effect at the next startup of the switch, save the running configuration
to the startup configuration file to be used at the next startup before the switch reboots.
Modes in saving the configuration
• Fast saving mode. This is the mode when you use the save command without the safely keyword. The mode saves the file more quickly but is likely to lose the existing configuration file if the switch reboots or the power fails during the process.
• Safe mode. This is the mode when you use the save command with the safely keyword. The mode saves the file more slowly but can retain the configuration file in the switch even if the switch reboots or the power fails during the process.
The fast saving mode is suitable for environments where the power supply is stable. The safe mode is
preferred in environments where a stable power supply is unavailable or remote maintenance is
involved.
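The difference between the two modes comes down to whether the existing file is overwritten in place or is replaced only once the new copy is complete on disk. The following Python program is an added illustration of that general technique (write a temporary file, sync it, rename it over the old file) with a simulated power failure in the middle of each save; it is not the switch's own implementation of save safely. The PowerFailure exception, the file names, and the configuration contents are constructed for the demonstration.

```python
"""Why a safe-mode save survives a reboot or power failure mid-write while a
fast in-place save may not.  Added illustration of the general technique
(write a temporary file, sync it to disk, rename it over the old file);
it is not the switch's own implementation of save safely.  The power
failure is simulated with an exception, and the configuration contents
are constructed for the demonstration."""

import os
import tempfile


class PowerFailure(Exception):
    """Stand-in for a reboot or power loss in the middle of the save."""


def fast_save(path, data, crash_after_truncate=False):
    """In-place overwrite.  open(..., "wb") truncates the old file before a
    single byte of the new content is written, so a failure in that window
    leaves an empty file and the previous configuration is gone."""
    with open(path, "wb") as f:
        if crash_after_truncate:
            raise PowerFailure("power lost after truncating the old file")
        f.write(data)
        f.flush()
        os.fsync(f.fileno())


def safe_save(path, data, crash_before_rename=False):
    """Write the new content to a temporary file in the same directory, sync
    it, then rename it over the target.  Before the rename the old file is
    untouched; after it the new file is complete.  There is no moment at
    which neither a complete old nor a complete new file exists."""
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".save-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        if crash_before_rename:
            raise PowerFailure("power lost before the rename")
        os.replace(tmp, path)  # atomic on POSIX and Windows
    finally:
        if os.path.exists(tmp):
            os.unlink(tmp)  # remove the leftover temporary file


OLD_CFG = b"#\n sysname Switch-A\n#\nreturn\n"   # constructed startup.cfg
NEW_CFG = b"#\n sysname Switch-B\n#\nreturn\n"   # constructed new content


def saved_content(save_fn, crash_flag=None):
    """Save NEW_CFG over an existing OLD_CFG, optionally injecting the
    failure named by crash_flag, and return what the file holds afterwards."""
    kwargs = {crash_flag: True} if crash_flag else {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "startup.cfg")
        with open(path, "wb") as f:
            f.write(OLD_CFG)
        try:
            save_fn(path, NEW_CFG, **kwargs)
        except PowerFailure:
            pass
        with open(path, "rb") as f:
            return f.read()


if __name__ == "__main__":
    fast = saved_content(fast_save, "crash_after_truncate")
    safe = saved_content(safe_save, "crash_before_rename")
    print("fast save, power lost mid-write:", "lost" if fast not in (OLD_CFG, NEW_CFG) else "intact")
    print("safe save, power lost mid-write:", "lost" if safe not in (OLD_CFG, NEW_CFG) else "intact")
```

Run it to see the fast path leave an empty file while the safe path still holds the old configuration. The cost of the safe path is the extra write plus the sync, which is why the manual describes it as slower; the benefit is exactly the property the safely keyword promises.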
Follow these steps to save the current configuration:
• Save the current configuration to the specified file, but do not set the configuration file as the file for the next startup
  Command: save file-url
  Remarks: Required. Use either command. Available in any view.
• Save the current configuration to the root directory of the storage medium and specify the file as the startup configuration file to be used at the next system startup
  Command: save [ safely ] [ backup | main ] [ force ]
  Remarks: Required. Use either command. Available in any view.
NOTE:
• The configuration file must have the .cfg extension.
• The execution of the save [ safely ] and save [ safely ] main commands has the same effect: the system saves the current configuration and specifies the configuration file as the main startup configuration file to be used at the next system startup.
• During the execution of the save [ backup | main ] command (fast saving mode), the startup configuration file to be used at the next system startup may be lost if the switch reboots or the power supply fails. The switch will then boot with the null configuration, and after the switch reboots, you will need to re-specify a startup configuration file for the next system startup (see “Specifying a startup configuration file to be used at the next system startup”).
Setting configuration rollback
Configuration rollback
Configuration rollback allows you to revert to a previous configuration state based on a specified configuration file. The specified configuration file must be a valid .cfg file generated by using either the backup function (manually or automatically) or the save command, or, if a configuration file is generated by another switch, the configuration file must comply with the format of the configuration file on the current switch. HP recommends that you use the configuration file that is generated by using the backup function (manually or automatically). Configuration rollback can be applied in the following situations:
• The running configuration contains an error and must be rolled back to a correct configuration.
• The application environment has changed and the switch has to run in a configuration state based on a previous configuration file without being rebooted.
Before setting configuration rollback, perform the following steps:
1. Specify the filename prefix and path for saving the running configuration.
2. Save the running configuration with the specified filename (filename prefix + serial number) to the specified path. The running configuration can be saved automatically or manually.
When you enter the configuration replace file command, the system compares the running configuration and the specified replacement configuration file. The configuration replace file command performs the following actions:
• Preserves all commands present in both the replacement configuration file and the running configuration.
• Removes commands from the running configuration that are not present in the replacement configuration file.
• Applies the commands from the replacement configuration file that are not present in the running configuration.
• Applies the commands from the replacement configuration file that have different configurations in the running configuration.
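As an added illustration of these four actions (not the switch's own code), the following Python program parses two Comware-style configuration texts into view sections using the format rules given earlier in this chapter and classifies every command as preserved, removed, applied, or changed. The two sample configurations, the TWO_TOKEN_FAMILIES heuristic for recognizing the same command with different arguments, and the literal "undo <command>" form it emits are assumptions made for the demonstration; as the caution later in this section points out, the real undo form of a command is not always obtained by prefixing undo, and commands without a usable undo form are skipped by the switch.

```python
"""Simulate the four actions of `configuration replace file` on two
Comware-style configuration texts.  Added illustration, not the switch's
own implementation: sections are split on '#' comment lines as the format
rules in this chapter describe, and "the same command with different
arguments" is recognised by a leading-keyword heuristic that is an
assumption, not the switch's command tree.  Both texts are constructed."""

RUNNING_CFG = """\
#
 sysname Switch-A
 clock timezone UTC add 00:00:00
#
interface Vlan-interface1
 ip address 192.0.2.10 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type access
 port access vlan 10
 description old-uplink
#
user-interface vty 0 4
 authentication-mode none
#
return
"""

REPLACEMENT_CFG = """\
#
 sysname Switch-A
#
interface Vlan-interface1
 ip address 192.0.2.20 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type access
 port access vlan 10
 description uplink-to-core
 shutdown
#
user-interface vty 0 4
 authentication-mode scheme
#
return
"""

# Command families whose identity needs two leading tokens
# ("ip address" vs "ip route-static", "port access" vs "port link-type").
TWO_TOKEN_FAMILIES = {"ip", "port", "clock", "undo"}


def command_key(cmd):
    """Leading keyword(s) that identify a command within its view."""
    toks = cmd.split()
    width = 2 if toks[0] in TWO_TOKEN_FAMILIES and len(toks) > 1 else 1
    return " ".join(toks[:width])


def parse_views(text):
    """Map each view header (e.g. 'interface Vlan-interface1') to its
    indented command lines.  Commands before any view header belong to
    system view; '#' lines end a section; 'return' ends the file."""
    views = {"system-view": []}
    current = "system-view"
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("#"):
            current = "system-view"
            continue
        if line == "return":
            break
        if line.startswith(" "):
            views.setdefault(current, []).append(line.strip())
        else:
            current = line
            views.setdefault(current, [])
    return views


def replace_plan(running_text, replacement_text):
    """Classify every command as the rollback would: preserve, remove
    (undo a running-only command), apply (replacement-only command) or
    change (same command, new arguments; the replacement line is applied)."""
    running = parse_views(running_text)
    replacement = parse_views(replacement_text)
    order = list(running) + [v for v in replacement if v not in running]
    plan = {"preserve": [], "remove": [], "apply": [], "change": []}
    for view in order:
        run = {command_key(c): c for c in running.get(view, [])}
        rep = {command_key(c): c for c in replacement.get(view, [])}
        for key, cmd in run.items():
            if key not in rep:
                # Real undo forms are not always "undo <command>"; the switch
                # skips commands whose undo form it cannot recognise.
                plan["remove"].append((view, "undo " + cmd))
            elif rep[key] == cmd:
                plan["preserve"].append((view, cmd))
            else:
                plan["change"].append((view, rep[key]))
        for key, cmd in rep.items():
            if key not in run:
                plan["apply"].append((view, cmd))
    return plan


if __name__ == "__main__":
    for action, items in replace_plan(RUNNING_CFG, REPLACEMENT_CFG).items():
        for view, cmd in items:
            print(f"{action:8} [{view}] {cmd}")
```

Running the program on the constructed samples lists one removal (the clock timezone command), one new command (shutdown on the uplink), three changed commands (the VLAN-interface address, the port description, and the VTY authentication mode), and three preserved commands. The same comparison is a useful pre-check before a real rollback: anything that shows up under "change" or "remove" in a sensitive view, such as user-interface authentication, deserves a second look before the file is applied.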
Configuration task list
Complete these tasks to configure the configuration rollback:
• Configuring parameters for saving the running configuration (Required)
• Enabling automatic saving of the running configuration (Required; use either this approach or manual saving)
• Manually saving the running configuration (Required; use either this approach or automatic saving)
• Setting configuration rollback (Required)
Configuring parameters for saving the running configuration
Before the running configuration is saved manually or automatically, the file path and filename prefix
must be configured. After that, the system saves the running configuration with the specified filename
(filename prefix_serial number.cfg) to the specified path. The filename of a saved configuration file is like
20080620archive_1.cfg, or 20080620archive_2.cfg. The saved configuration files are numbered
automatically, from 1 to 1,000 (with an increment of 1). If the serial number reaches 1,000, it restarts from
1. If you change the path or filename prefix, or reboot the switch, the saved file serial number restarts from
1, and the system recounts the saved configuration files. If you change the path of the saved configuration
files, the files in the original path become common configuration files, and are not processed as saved
configuration files, and are not displayed when you view saved configuration files.
The number of saved configuration files has an upper limit. After the maximum number of files is saved,
the system deletes the oldest files when the next configuration file is saved.
Follow these steps to configure parameters for saving the running configuration:
• Enter system view
  Command: system-view
  Remarks: —
• Configure the path and filename prefix for saving configuration files
  Command: archive configuration location directory filename-prefix filename-prefix
  Remarks: Required. By default, the path and filename for saving configuration files are not configured, and the system does not save the configuration file at a specified interval.
• Set the maximum number of configuration files that can be saved
  Command: archive configuration max file-number
  Remarks: Optional. The default number is 5.
NOTE:
• If the undo archive configuration location command is executed, the running configuration cannot be saved either manually or automatically, the settings made with the archive configuration interval and archive configuration max commands are restored to their defaults, and the saved configuration files are cleared.
• The value of the file-number argument is determined by memory space. Set a comparatively small value for the file-number argument if the available memory space is small.
Enabling automatic saving of the running configuration
You can configure the system to save the running configuration at a specified interval, and use the display archive configuration command to view the filenames and save time of the saved configuration files. This enables you to easily roll back the current configuration to a previous configuration state.
Configure an automatic save interval based on the storage media’s performance and the frequency of configuration modification using the following guidelines:
• If the configuration of the switch does not change frequently, manually save the running configuration as needed.
• Save the running configuration manually, or configure automatic saving with an interval longer than 1,440 minutes (24 hours).
Follow these steps to enable automatic saving of the running configuration:
• Enter system view
  Command: system-view
  Remarks: —
• Enable the automatic saving of the running configuration, and set the interval
  Command: archive configuration interval minutes
  Remarks: Optional. Disabled by default.
NOTE:
The path and filename prefix for saving configuration files must be specified before you configure the
automatic saving period.
Manually saving the running configuration
Automatic saving of the running configuration occupies system resources, and frequent saving can
greatly affect system performance. If the system configuration does not change frequently, disable
automatic saving of the running configuration and save it manually.
In addition, automatic saving of the running configuration is performed periodically, while manual
saving can be used to immediately save the running configuration. Before performing a complicated
configuration, manually save the running configuration so that the switch can revert to the previous state
if the configuration fails.
Follow the step below to manually save the running configuration:
• Manually save the running configuration
  Command: archive configuration
  Remarks: Required. Available in user view.
NOTE:
Specify the path and filename prefix of the saved configuration file before you manually save the running configuration; otherwise, the operation fails.
Setting configuration rollback
Follow these steps to set configuration rollback:
• Enter system view
  Command: system-view
  Remarks: —
• Set configuration rollback
  Command: configuration replace file filename
  Remarks: Required.
CAUTION:
Configuration rollback may fail if one of the following situations is present (if a command cannot be rolled back, the system skips it and processes the next one):
• The complete undo form of a command is not supported. You cannot get the actual undo form of the command by simply putting the keyword undo in front of the command, so the complete undo form of the command cannot be recognized by the switch.
• The configuration cannot be removed (for example, hardware-related commands).
• Commands in different views are dependent on each other.
• If the replacement configuration file is not a complete file generated by using the save or archive configuration command, or the file is copied from a different type of switch, the configuration cannot be rolled back. Ensure that the replacement configuration file is correct and compatible with the current switch.
• The configuration file specified with the configuration replace file filename command can only be a configuration file in simple text. Otherwise, errors may occur in configuration rollback.
Specifying a startup configuration file to be used at
the next system startup
To specify a startup configuration file to be used at the next system startup, use the following guidelines:
• Use the save command. If you save the running configuration to the specified configuration file in the interactive mode, the system automatically sets the file as the main startup configuration file to be used at the next system startup.
• Use the command dedicated to specifying a startup configuration file to be used at the next startup, which is described below.
Follow the step below to specify a startup configuration file to be used at the next startup:
• Specify a startup configuration file to be used at the next startup
  Command: startup saved-configuration cfgfile [ backup | main ]
  Remarks: Required. Available in user view.
CAUTION:
A configuration file must use .cfg as its extension name and the startup configuration file must be saved in
the storage media’s root directory.
Backing up the startup configuration file
The backup function allows you to copy the startup configuration file to be used at the next startup from
the switch to the TFTP server.
The backup operation backs up the main startup configuration file to the TFTP server for switches
supporting main and backup startup configuration files.
Follow the step below to back up the startup configuration file to be used at the next startup:
• Back up the startup configuration file to be used at the next startup to the specified TFTP server
  Command: backup startup-configuration to dest-addr [ dest-filename ]
  Remarks: Required. Available in user view.
NOTE:
Before the backup operation:
• Make sure that the server is reachable and enabled with TFTP service, and that the client has read and write permission.
• Use the display startup command (in user view) to check whether you have specified a startup configuration file to be used at the next startup. If the file is set as NULL or does not exist, the backup operation fails.
• TFTP provides no authentication or encryption, so the configuration file, including any user accounts and passwords it contains, crosses the network in clear text. Back up only to a server on a management network you control.
Deleting a startup configuration file
You can delete a startup configuration file at the CLI. On a switch that has main and backup startup
configuration files, you can choose to delete the main, the backup, or both. If the switch has only one
startup configuration to be used at the next startup, the system only sets the startup configuration file to
NULL.
You may need to delete a startup configuration file to be used at the next startup for one of the following reasons:
• After you upgrade system software, the existing startup configuration files do not match the new system software.
• Startup configuration files are corrupted (often caused by loading a wrong configuration file).
With startup configuration files deleted, the switch uses null configuration at the next startup.
Follow the step below to delete a startup configuration file to be used at the next startup:
• Delete a startup configuration file to be used at the next startup from the storage media
  Command: reset saved-configuration [ backup | main ]
  Remarks: Required. Available in user view.
CAUTION:
This command permanently deletes startup configuration files to be used at the next startup from the
switch. Use the command with caution.
Restoring a startup configuration file
The restore function allows you to copy a configuration file from a TFTP server to the switch and specify
the file as the startup configuration file to be used at the next startup.
Follow the step below to restore a startup configuration file to be used at the next startup:
• Restore a startup configuration file to be used at the next startup
  Command: restore startup-configuration from src-addr src-filename
  Remarks: Required. Available in user view.
NOTE:
• The restore operation restores the main startup configuration file.
• Before restoring a configuration file, ensure that the server is reachable, the server is enabled with TFTP service, and the client has read and write permission.
• After execution of the command, use the display startup command (in user view) to verify that the filename of the configuration file to be used at the next system startup is the same as that specified by the src-filename argument.
Displaying and maintaining a configuration file
• Display the information about configuration rollback
  Command: display archive configuration [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
• Display the factory defaults of the switch
  Command: display default-configuration [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
• Display the current validated configuration of the switch
  Command: display current-configuration [ [ configuration [ configuration ] | interface [ interface-type ] [ interface-number ] | exclude modules ] [ by-linenum ] [ | { begin | exclude | include } regular-expression ] ]
  Remarks: Available in any view.
• Display the startup configuration file saved on the storage media of the switch
  Command: display saved-configuration [ by-linenum ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
• Display the configuration files used at this and the next system startup
  Command: display startup [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
• Display the valid configuration under the current view
  Command: display this [ by-linenum ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Software upgrade configuration
Switch software overview
Switch software includes the Boot ROM and the system software images. After being powered on, the device runs the Boot ROM image, initializes the hardware, and displays the hardware information. Then the device runs the system software image, which provides drivers and adaptation for hardware, and implements service features. The Boot ROM and system software images are required for the startup and running of a device.
Figure 41 Relationship between the Boot ROM program and the system software images
Software upgrade methods
You can upgrade both Boot ROM and system software at the Boot menu or at the command line interface
(CLI). The following sections cover how to upgrade them at the CLI. For instructions about how to upgrade
them at the Boot menu, see the installation manual of your switch.
Upgrading at the CLI falls into the following categories:
• Upgrading through a system reboot
  Upgrade object: Boot ROM image, system software
  Description: You need to reboot the whole system to upgrade the software of a switch. This causes running service interruption during the upgrade process, and is not recommended.
• Upgrading by installing hotfixes
  Upgrade object: System software
  Description: Hotfix is a fast, cost-effective method to repair software defects of a switch. Compared with a software version upgrade, hotfix can upgrade the software without interrupting the running services of the switch. It can repair the software defects of the current version without rebooting the switch. The patch files must match the switch model and software version. If they do not match, the hotfixing operation fails.
Upgrading the Boot ROM program through a
system reboot
Follow these steps to upgrade Boot ROM:
• Enter system view
  Command: system-view
  Remarks: —
• Enable the validity check function when upgrading Boot ROM
  Command: bootrom-update security-check enable
  Remarks: Optional. By default, the validity check function is enabled at the time of upgrading Boot ROM.
• Return to user view
  Command: quit
  Remarks: —
• Save the Boot ROM image to the root directory of the Flash of the switch by using FTP, TFTP, or other approaches
  Command: —
  Remarks: Required. For more information about FTP or TFTP, see the chapters “FTP configuration” and “TFTP configuration.”
• Upgrade Boot ROM on the switch
  Command: bootrom update file file-url slot slot-number-list
  Remarks: Required. Available in user view. The slot keyword specifies the ID of a switch. The ID can only be 1.
• Reboot the switch
  Command: reboot [ slot slot-number ]
  Remarks: Available in user view.
CAUTION:
To execute the bootrom update command successfully, save the Boot ROM image in the storage media’s root directory on the switch.
Upgrading system software through a system
reboot
Follow these steps to upgrade system software through a system reboot:
• Save the system software image to the root directory of the Flash of the switch by using FTP, TFTP, or other approaches
  Command: —
  Remarks: Required. For more information about FTP or TFTP, see the chapters “FTP configuration” and “TFTP configuration.”
• Specify the system software image to be used at the next boot of the switch
  Command: boot-loader file file-url slot slot-number { main | backup }
  Remarks: Required. Available in user view. The slot keyword specifies the ID of a switch. The switch ID can only be 1.
• Reboot the switch
  Command: reboot [ slot slot-number ]
  Remarks: Available in user view.
CAUTION:
• You must save the file to be used at the next switch boot in the root directory of the switch. You can copy or move a file to change its path to the root directory.
• To execute the boot-loader command successfully, save the file to be used at the next device boot in the storage media’s root directory on the switch.
Software upgrade by installing hotfixes
Hotfix can repair software defects of the current version without rebooting the device, protecting the
running services of the device from being interrupted.
Basic concepts in hotfix
Patch and patch file
A patch, also called “patch unit”, is a package used to fix software defects. Patches are usually released
as patch files. A patch file may contain one or more patches for different defects. After loaded from the
storage medium to the memory patch area, each patch is assigned a unique number, which starts from
1, for identification, management and operation. For example, if a patch file has three patch units, they
are numbered as 1, 2, and 3 respectively.
Incremental patch
An incremental patch means that the patch is dependent on the previous patch units. For example, if a
patch file has three patch units, patch 3 can be run only after patch 1 and 2 take effect. You cannot run
patch 3 separately.
Currently released patches are all incremental patches.
Common patch and temporary patch
• Common patches are those formally released through the version release flow.
• Temporary patches are those not formally released through the version release flow, but temporarily provided to solve emergent problems.
Common patches always include the functions of the previous temporary patches so as to replace them. The patch type only affects the patch loading process. The system deletes all of the temporary patches before it loads the common patch.
Patch status
Each patch has its status, which can be switched only by commands. The relationship between patch state changes and command actions is shown in Figure 42. The patch states are IDLE, DEACTIVE, ACTIVE, and RUNNING. Load, run temporarily, confirm running, stop running, delete, install, and uninstall represent operations, corresponding to the commands patch load, patch active, patch run, patch deactive, patch delete, patch install, and undo patch install. For example, if you execute the patch active command for patches in the DEACTIVE state, the patches turn to the ACTIVE state.
Figure 42 Relationship between patch state changes and command actions
NOTE:
Information about patch states is saved in the file patchstate on the flash. Do not operate on this file.
IDLE state
Patches in the IDLE state are not loaded. You cannot install or run the patches, as shown in Figure 43 (in this example, the memory patch area can load up to eight patches).
Figure 43 Patches are not loaded to the memory patch area (patches 1 through 8 are all in the IDLE state; the memory patch area is empty)
NOTE:
The memory patch area supports up to 200 patches.
DEACTIVE state
Patches in the DEACTIVE state have been loaded to the memory patch area but have not run in the system yet. Suppose that the patch file to be loaded has seven patches. After the seven patches successfully pass the version check and CRC check, they are loaded to the memory patch area and are in the DEACTIVE state, as shown in Figure 44.
Figure 44 A patch file is loaded to the memory patch area
ACTIVE state
Patches in the ACTIVE state are those that have run temporarily in the system; they become DEACTIVE after a system reboot. For the seven patches in Figure 44, if you activate the first five patches, their states change from DEACTIVE to ACTIVE, as shown in Figure 45.
Figure 45 Patches are activated (patches 1 through 5 are ACTIVE, patches 6 and 7 are DEACTIVE, and patch 8 is IDLE)
RUNNING state
After you confirm that the ACTIVE patches are running, the patch state becomes RUNNING, and they remain in the RUNNING state after a system reboot. For the five patches in Figure 45, if you confirm the first three patches are running, their states change from ACTIVE to RUNNING. At this time, the patch states are as shown in Figure 46.
Figure 46 Patches are running (patches 1 through 3 are RUNNING, patches 4 and 5 are ACTIVE, patches 6 and 7 are DEACTIVE, and patch 8 is IDLE)
Configuration prerequisites
Patches are released per switch model. Before patching the system, you need to save the appropriate patch files to the switch’s storage media using FTP or TFTP. When saving the patch files, note that the following rules apply:
• The patch files must match the switch model and software version. If they do not match, the hotfix operation fails.
• Name a patch file properly. Otherwise, the system cannot locate the patch file and the hotfixing operation fails. The name is in the format "patch_PATCH-FLAG suffix.bin". The PATCH-FLAG is pre-defined, and support for the PATCH-FLAG depends on the switch model. The first three characters of the version item (shown by the display patch information command) represent the PATCH-FLAG suffix. The system searches the root directory of the storage medium (Flash by default) for patch files based on the PATCH-FLAG. If there is a match, the system loads patches to or installs them on the memory patch area.
The following table describes the default patch name for the switch series.
PATCH-FLAG: PATCH-311
Default patch name: patch_311.bin
One-step patch installation
To install patches in one step, use the patch install command. After you execute the command, the system displays the message "Do you want to continue running patches after reboot? [Y/N]:"
• Entering y or Y: All of the specified patches are installed, and turn to the RUNNING state from IDLE. This equals execution of the commands patch location, patch load, patch active, and patch run. The patches remain RUNNING after system reboot.
• Entering n or N: All of the specified patches are installed and turn to the ACTIVE state from IDLE. This equals execution of the commands patch location, patch load, and patch active. The patches turn to the DEACTIVE state after system reboot.
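The state changes described in the patch status section above, the reboot behaviour of ACTIVE versus RUNNING patches, the incremental-patch dependency, and the two answers to the one-step prompt are small enough to model exactly. The following Python class is an added illustration, not switch firmware. It takes the 200-patch capacity from the NOTE above; everything else it enforces beyond the text is an assumption: the incremental rule is checked as "patch n needs patches 1 through n-1 in effect", a patch can be stopped only after the higher-numbered patches that depend on it, and undo patch install returns every loaded patch to IDLE.

```python
"""Model of the hotfix patch states (IDLE, DEACTIVE, ACTIVE, RUNNING) and the
commands that move patches between them, as described in this chapter.
Added illustration in Python; it is not switch firmware.  Assumptions
beyond the text: the incremental-patch rule is enforced as an ordering
check, a patch can be stopped only after the higher-numbered patches that
depend on it, and `undo patch install` returns every patch to IDLE."""

IDLE, DEACTIVE, ACTIVE, RUNNING = "IDLE", "DEACTIVE", "ACTIVE", "RUNNING"
MEMORY_PATCH_AREA_CAPACITY = 200      # per the NOTE: up to 200 patches


class PatchArea:
    """Memory patch area holding the patch units of one patch file."""

    def __init__(self, units_in_file):
        if units_in_file > MEMORY_PATCH_AREA_CAPACITY:
            raise ValueError("patch file exceeds the memory patch area")
        # Units are numbered from 1 in the order they appear in the file.
        self.state = {n: IDLE for n in range(1, units_in_file + 1)}

    def _check(self, n, allowed, op):
        if self.state[n] not in allowed:
            raise ValueError(f"{op}: patch {n} is {self.state[n]}")

    def load(self):
        """patch load: every IDLE unit becomes DEACTIVE (loaded, not run)."""
        for n in self.state:
            if self.state[n] == IDLE:
                self.state[n] = DEACTIVE
        return dict(self.state)

    def active(self, numbers):
        """patch active: DEACTIVE -> ACTIVE (test run, lost on reboot).
        Incremental rule: patch n needs patches 1..n-1 already in effect."""
        for n in sorted(numbers):
            self._check(n, {DEACTIVE}, "patch active")
            for m in range(1, n):
                if self.state[m] not in (ACTIVE, RUNNING):
                    raise ValueError(f"patch {n} depends on patch {m} ({self.state[m]})")
            self.state[n] = ACTIVE
        return dict(self.state)

    def run(self, numbers):
        """patch run: ACTIVE -> RUNNING (confirmed, survives reboot)."""
        for n in sorted(numbers):
            self._check(n, {ACTIVE}, "patch run")
            for m in range(1, n):
                if self.state[m] != RUNNING:
                    raise ValueError(f"patch {n} depends on patch {m} ({self.state[m]})")
            self.state[n] = RUNNING
        return dict(self.state)

    def deactive(self, numbers):
        """patch deactive: ACTIVE/RUNNING -> DEACTIVE.  Higher-numbered
        patches must be stopped first (assumption from the incremental rule)."""
        for n in sorted(numbers, reverse=True):
            self._check(n, {ACTIVE, RUNNING}, "patch deactive")
            for m in range(n + 1, len(self.state) + 1):
                if self.state[m] in (ACTIVE, RUNNING):
                    raise ValueError(f"patch {m} still depends on patch {n}")
            self.state[n] = DEACTIVE
        return dict(self.state)

    def delete(self, numbers):
        """patch delete: DEACTIVE -> IDLE.  Removes the unit from the memory
        patch area only; the patch file stays on the storage medium."""
        for n in numbers:
            self._check(n, {DEACTIVE}, "patch delete")
            self.state[n] = IDLE
        return dict(self.state)

    def reboot(self):
        """ACTIVE patches fall back to DEACTIVE; RUNNING patches stay RUNNING."""
        for n, s in self.state.items():
            if s == ACTIVE:
                self.state[n] = DEACTIVE
        return dict(self.state)

    def install(self, keep_after_reboot):
        """patch install: load + active, plus run when the operator answers Y."""
        self.load()
        self.active(self.state)
        if keep_after_reboot:
            self.run(self.state)
        return dict(self.state)

    def uninstall(self):
        """undo patch install: stop and delete every loaded patch (assumption)."""
        self.deactive([n for n, s in self.state.items() if s in (ACTIVE, RUNNING)])
        self.delete([n for n, s in self.state.items() if s == DEACTIVE])
        return dict(self.state)


if __name__ == "__main__":
    # Walk through Figures 44 to 46: load seven patches, activate five, confirm three.
    area = PatchArea(7)
    area.load()
    area.active([1, 2, 3, 4, 5])
    print("after patch run 1-3:", area.run([1, 2, 3]))
    print("after reboot:       ", area.reboot())
```

The walk-through in the main block reproduces the figures: after confirming patches 1 through 3, a reboot drops patches 4 and 5 back to DEACTIVE while 1 through 3 stay RUNNING, which is exactly why the manual recommends leaving a patch ACTIVE during its test run and confirming it with patch run only once it has proven itself.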
Follow these steps to install the patches in one step:
• Enter system view
  Command: system-view
  Remarks: —
• Install the patches in one step
  Command: patch install patch-location
  Remarks: Required.
NOTE:
• The patch matches the switch type and software version.
• To uninstall all patches in one operation, use the undo patch install command, which has the same
Step-by-step patch installation
Follow these steps to load a patch file, activate the patches, and confirm them:
• Enter system view
  Command: system-view
  Remarks: —
• Configure the patch file location
  Command: patch location patch-location
  Remarks: Optional. flash: by default.
• Load the patch file from the storage medium to the specified memory patch area
  Command: patch load slot slot-number
  Remarks: Required.
• Activate the specified patches
  Command: patch active patch-number slot slot-number
  Remarks: Required. After you activate a patch, the patch takes effect and is in the test-run stage. After the switch is reset or rebooted, the patch becomes invalid. If you find that an ACTIVE patch has a problem, reboot the switch to deactivate the patch, so as to avoid a series of running faults resulting from the patch error.
• Confirm the running of the specified patches
  Command: patch run patch-number [ slot slot-number ]
  Remarks: Required. After you confirm the running of a patch, the patch state becomes RUNNING, and the patch is in the normal running stage. After the switch is reset or rebooted, the patch is still valid.
NOTE:
• Set the file transfer mode to binary mode before using FTP or TFTP to upload/download patch files to/from the Flash of the switch. Otherwise, the patch file cannot be parsed properly.
• The patch run operation is applicable to patches in the ACTIVE state only.
Step-by-step patch uninstallation
Follow these steps to stop running patches and delete them:
• Enter system view
  Command: system-view
  Remarks: —
• Stop running the specified patches
  Command: patch deactive patch-number slot slot-number
  Remarks: Required. When you stop running a patch, the patch state becomes DEACTIVE, and the system runs the way it did before the patch was installed.
• Delete the specified patches from the memory patch area
  Command: patch delete patch-number slot slot-number
  Remarks: Required. Deleting patches only removes the patches from the memory patch area, and does not delete them from the storage medium. The patches turn to the IDLE state after this operation. After a patch is deleted, the system runs the way it did before the patch was installed.
Displaying and maintaining the software upgrade
• Display information about system software
  Command: display boot-loader [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
• Display the patch information
  Command: display patch information [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Software upgrade configuration examples
Scheduled upgrade configuration example
Network requirement
• Upgrade the software version of Device to soft-version2 and the configuration file to new-config at a time when few services are processed (for example, at 3 am) through remote operations.
• The latest application soft-version2.bin and the latest configuration file new-config.cfg are both saved in the aaa directory of the FTP server.
• The IP address of Device is 1.1.1.1/24, the IP address of the FTP server is 2.2.2.2/24, and Device and the FTP server can reach each other.
• A user can log in to Device via Telnet, and the user and Device can reach each other.
Figure 47 Network diagram for scheduled upgrade
Configuration procedure
1. Configure the FTP server (configurations may vary with different types of servers)
• Set the access parameters for the FTP client (including enabling the FTP server function, setting the FTP username to aaa and password to hello, and setting the user to have access to the flash:/aaa directory).
<FTP-Server> system-view
[FTP-Server] ftp server enable
[FTP-Server] local-user aaa
[FTP-Server-luser-aaa] password cipher hello
[FTP-Server-luser-aaa] service-type ftp
[FTP-Server-luser-aaa] authorization-attribute work-directory flash:/aaa
• Use a text editor on the FTP server to edit the batch file auto-update.txt. The following is the content of the batch file:
return
startup saved-configuration new-config.cfg
boot-loader file soft-version2.bin slot 1 main
reboot
2. Configure Device
FTP sends the username and password in clear text, so carry out this procedure only over a management network you trust.
# Log in to the FTP server (The prompt may vary with servers.)
<Device> ftp 2.2.2.2
Trying 2.2.2.2 ...
Press CTRL+K to abort
Connected to 2.2.2.2.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
User(2.2.2.2:(none)):aaa
331 Give me your password, please
Password:
230 Logged in successfully
[ftp]
# Download file auto-update.txt on the FTP server.
[ftp] ascii
[ftp] get auto-update.txt
# Download file new-config.cfg on the FTP server.
[ftp] get new-config.cfg
# Download file soft-version2.bin on the FTP server.
[ftp] binary
[ftp] get soft-version2.bin
[ftp] bye
<Device>
# Change the extension of file auto-update.txt to .bat.
<Device> rename auto-update.txt auto-update.bat
To ensure correctness of the file, use the more command to view the content of the file. Because the batch file will be executed unattended at the scheduled time, and FTP does not protect its content in transit, check every line before you schedule it.
# Configure a scheduled job so that Device is automatically upgraded at 3 am.
<Device> system-view
[Device] job autoupdate
[Device-job-autoupdate] view system-view
[Device-job-autoupdate] time 1 one-off at 03:00 command execute auto-update.bat
To check if the upgrade is successful after Device reboots, use the display version command.
Hotfix configuration example
Network requirements
• The patch file patch_311.bin is saved on the TFTP server.
• The IP address of Device is 1.1.1.1/24, and the IP address of the TFTP server is 2.2.2.2/24. Device and the TFTP server can reach each other.
Figure 48 Network diagram of hotfix configuration
Configuration procedure
1. Configure the TFTP server. The configuration varies depending on server type and the configuration procedure is omitted.
• Enable the TFTP server function.
• Save the patch file patch_311.bin to the directory of the TFTP server.
2. Configure Device.
CAUTION:
Make sure the free Flash space of Device is large enough to store the patch file.
# Before upgrading the software, use the save command to save the current system configuration. The
configuration procedure is omitted.
# Load the patch file patch_311.bin from the TFTP server to the root directory of Device storage media.
<Device> tftp 2.2.2.2 get patch_311.bin
# Install the patch.
<Device> system-view
[Device] patch install flash:
Patches will be installed. Continue? [Y/N]:y
Do you want to continue running patches after reboot? [Y/N]:y
Installing patches........
Installation completed, and patches will continue to run after reboot.
Device management
Device management includes monitoring the operating status of devices and configuring their running
parameters.
NOTE:
The configuration tasks in this document are order independent. You can perform these tasks in any order.
Configuring the device name
A device name identifies a device in a network and works as the user view prompt at the CLI. For
example, if the device name is Sysname, the user view prompt is <Sysname>.
Follow these steps to configure the device name:
• Enter system view
  Command: system-view
• Configure the device name
  Command: sysname sysname
  Remarks: Optional. The default device name is HP.
Changing the system time
You must synchronize your device with a trusted time source by using NTP or changing the system time
before you run it on the network. Network management depends on an accurate system time setting,
because the timestamps of system messages and logs use the system time.
In a small-sized network, you can manually set the system time of each device.
Configuration guidelines
You can change the system time by configuring the relative time, time zone, and daylight saving time. The
configuration result depends on their configuration order (see Table 11). In the first column of this table,
1 represents the clock datetime command, 2 represents the clock timezone command, and 3 represents
the clock summer-time command. To verify the system time setting, use the display clock command. This
table assumes that the original system time is 2005/1/1 1:00:00.
Table 11 System time configuration results
(1 = clock datetime, 2 = clock timezone, 3 = clock summer-time; the original system time is 01:00:00 UTC Sat 01/01/2005)

Command: 1
Effective system time: date-time
Configuration example: clock datetime 1:00 2007/1/1
System time: 01:00:00 UTC Mon 01/01/2007

Command: 2
Effective system time: Original system time ± zone-offset
Configuration example: clock timezone zone-time add 1
System time: 02:00:00 zone-time Sat 01/01/2005

Command: 1, 2
Effective system time: date-time ± zone-offset
Configuration example: clock datetime 2:00 2007/2/2; clock timezone zone-time add 1
System time: 03:00:00 zone-time Fri 02/02/2007

Command: 2, 1
Effective system time: date-time
Configuration example: clock timezone zone-time add 1; clock datetime 3:00 2007/3/3
System time: 03:00:00 zone-time Sat 03/03/2007

Command: 3
Effective system time: The original system time outside the daylight saving time range: the system time does not change until it falls into the daylight saving time range.
Configuration example: clock summer-time ss one-off 1:00 2006/1/1 1:00 2006/8/8 2
System time: 01:00:00 UTC Sat 01/01/2005

Command: 3
Effective system time: The original system time in the daylight saving time range: the system time increases by summer-offset.
NOTE: If the original system time plus summer-offset is beyond the daylight saving time range, the original system time does not change. After you disable the daylight saving setting, the system time automatically decreases by summer-offset.
Configuration example: clock summer-time ss one-off 00:30 2005/1/1 1:00 2005/8/8 2
System time: 03:00:00 ss Sat 01/01/2005

Command: 1, 3
Effective system time: date-time outside the daylight saving time range: date-time
Configuration example: clock datetime 1:00 2007/1/1; clock summer-time ss one-off 1:00 2006/1/1 1:00 2006/8/8 2
System time: 01:00:00 UTC Mon 01/01/2007

Command: 1, 3
Effective system time: date-time in the daylight saving time range: date-time + summer-offset
NOTE: If date-time plus summer-offset is outside the daylight saving time range, the system time equals date-time. After you disable the daylight saving setting, the system time automatically decreases by summer-offset.
Configuration example: clock datetime 8:00 2007/1/1; clock summer-time ss one-off 1:00 2007/1/1 1:00 2007/8/8 2
System time: 10:00:00 ss Mon 01/01/2007

Command: 3, 1
Effective system time: date-time outside the daylight saving time range: date-time
Configuration example: clock summer-time ss one-off 1:00 2007/1/1 1:00 2007/8/8 2; clock datetime 1:00 2008/1/1
System time: 01:00:00 UTC Tue 01/01/2008

Command: 3, 1
Effective system time: date-time in the daylight saving time range, but date-time – summer-offset outside it: date-time – summer-offset
Configuration example: clock summer-time ss one-off 1:00 2007/1/1 1:00 2007/8/8 2; clock datetime 1:30 2007/1/1
System time: 23:30:00 UTC Sun 12/31/2006

Command: 3, 1
Effective system time: date-time – summer-offset in the daylight saving time range: date-time
Configuration example: clock summer-time ss one-off 1:00 2007/1/1 1:00 2007/8/8 2; clock datetime 3:00 2007/1/1
System time: 03:00:00 ss Mon 01/01/2007

Command: 2, 3 or 3, 2
Effective system time: Original system clock ± zone-offset outside the daylight saving time range: Original system clock ± zone-offset
Configuration example: clock timezone zone-time add 1; clock summer-time ss one-off 1:00 2007/1/1 1:00 2007/8/8 2
System time: 02:00:00 zone-time Sat 01/01/2005

Command: 2, 3 or 3, 2
Effective system time: Original system clock ± zone-offset in the daylight saving time range: Original system clock ± zone-offset + summer-offset
Configuration example: clock timezone zone-time add 1; clock summer-time ss one-off 1:00 2005/1/1 1:00 2005/8/8 2
System time: 04:00:00 ss Sat 01/01/2005

Command: 1, 2, 3 or 1, 3, 2
Effective system time: date-time ± zone-offset outside the daylight saving time range: date-time ± zone-offset
Configuration example: clock datetime 1:00 2007/1/1; clock timezone zone-time add 1; clock summer-time ss one-off 1:00 2008/1/1 1:00 2008/8/8 2
System time: 02:00:00 zone-time Mon 01/01/2007

Command: 1, 2, 3 or 1, 3, 2
Effective system time: date-time ± zone-offset in the daylight saving time range: date-time ± zone-offset + summer-offset
Configuration example: clock datetime 1:00 2007/1/1; clock timezone zone-time add 1; clock summer-time ss one-off 1:00 2007/1/1 1:00 2007/8/8 2
System time: 04:00:00 ss Mon 01/01/2007

Command: 2, 3, 1 or 3, 2, 1
Effective system time: date-time outside the daylight saving time range: date-time
Configuration example: clock timezone zone-time add 1; clock summer-time ss one-off 1:00 2008/1/1 1:00 2008/8/8 2; clock datetime 1:00 2007/1/1
System time: 01:00:00 zone-time Mon 01/01/2007

Command: 2, 3, 1 or 3, 2, 1
Effective system time: date-time in the daylight saving time range, but date-time – summer-offset outside it: date-time – summer-offset
Configuration example: clock timezone zone-time add 1; clock summer-time ss one-off 1:00 2008/1/1 1:00 2008/8/8 2; clock datetime 1:30 2008/1/1
System time: 23:30:00 zone-time Mon 12/31/2007

Command: 2, 3, 1 or 3, 2, 1
Effective system time: Both date-time and date-time – summer-offset in the daylight saving time range: date-time
Configuration example: clock timezone zone-time add 1; clock summer-time ss one-off 1:00 2008/1/1 1:00 2008/8/8 2; clock datetime 3:00 2008/1/1
System time: 03:00:00 ss Tue 01/01/2008
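The rows above are easier to reason about with one rule: the switch keeps a single internal clock, and the clock datetime command is interpreted as wall-clock time, so inside a daylight saving range the device first removes summer-offset, then the zone offset, before storing it. That is why clock datetime 1:30 2007/1/1 under a 2-hour scheme is displayed as 23:30 on 12/31/2006, and why the timestamps in logs collected across such a change must be read with care. The model below is an added example written for this page, not HP code; the command strings mirror the table's CLI lines, while the inclusive treatment of the daylight saving range and the "beyond the range" test are assumptions the table does not spell out.

```python
from datetime import datetime, timedelta


def _parse_dt(time_s, date_s):
    """'1:30' + '2007/1/1' -> datetime(2007, 1, 1, 1, 30)"""
    hh, mm = (int(x) for x in time_s.split(":"))
    yy, mo, dd = (int(x) for x in date_s.split("/"))
    return datetime(yy, mo, dd, hh, mm)


def _parse_offset(s):
    """'2' or '1:30' (zone-offset / add-time) -> timedelta"""
    parts = [int(x) for x in s.split(":")]
    return timedelta(hours=parts[0], minutes=parts[1] if len(parts) > 1 else 0)


class SwitchClock:
    """Model of how clock datetime (1), clock timezone (2) and clock summer-time (3)
    combine, derived from Table 11. The internal clock is held in UTC; display clock
    output is computed from it plus the zone and daylight saving settings.
    Assumptions (not stated on the page): the range is inclusive at both ends, and
    'beyond the range' means local + summer-offset > end."""

    def __init__(self, original_utc):
        self.utc = original_utc
        self.zone_name, self.zone = "UTC", timedelta(0)
        self.dst = None                      # (zone-name, start, end, summer-offset)

    def clock_timezone(self, zone_name, direction, offset):
        self.zone_name = zone_name
        self.zone = offset if direction == "add" else -offset

    def clock_summer_time(self, zone_name, start, end, add):
        self.dst = (zone_name, start, end, add)

    def clock_datetime(self, wall):
        # The operator types wall-clock time. Inside the DST range the device first
        # removes summer-offset (rows 3,1 and 2,3,1), then the zone offset.
        t = wall
        if self.dst and self.dst[1] <= wall <= self.dst[2]:
            t -= self.dst[3]
        self.utc = t - self.zone

    def display(self):
        """(time, zone label) as 'display clock' shows them."""
        local = self.utc + self.zone
        if self.dst:
            name, start, end, add = self.dst
            if start <= local <= end and local + add <= end:
                return local + add, name
        return local, self.zone_name

    def display_str(self):
        t, name = self.display()
        return t.strftime("%H:%M:%S ") + name + t.strftime(" %a %m/%d/%Y")

    def execute(self, line):
        """Apply one clock command written exactly as in Table 11."""
        w = line.split()
        if w[:2] == ["clock", "datetime"]:
            self.clock_datetime(_parse_dt(w[2], w[3]))
        elif w[:2] == ["clock", "timezone"]:
            self.clock_timezone(w[2], w[3], _parse_offset(w[4]))
        elif w[:2] == ["clock", "summer-time"] and w[3] == "one-off":
            self.clock_summer_time(w[2], _parse_dt(w[4], w[5]),
                                   _parse_dt(w[6], w[7]), _parse_offset(w[8]))
        else:
            raise ValueError("unsupported command: " + line)


ORIGINAL = datetime(2005, 1, 1, 1, 0, 0)      # Table 11's starting system time


def run(commands, original=ORIGINAL):
    """Run the commands of one table row in order and return the display clock output."""
    c = SwitchClock(original)
    for line in commands:
        c.execute(line)
    return c.display_str()
```

run() reproduces every row of Table 11 from the same command strings, which makes it a quick way to predict what a clock change will do to log timestamps before typing it on a production switch. The practical advice stands: use NTP where you can, and remember that changing the clock after a schedule job command has been configured invalidates that job.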
Configuration procedure
Follow these steps to change the system time:
• Set the system time and date
  Command: clock datetime time date
  Remarks: Optional. Available in user view.
• Enter system view
  Command: system-view
• Set the time zone
  Command: clock timezone zone-name { add | minus } zone-offset
  Remarks: Optional. Universal time coordinated (UTC) time zone by default.
• Set a daylight saving time scheme
  Command (non-recurring scheme): clock summer-time zone-name one-off start-time start-date end-time end-date add-time
  Command (recurring scheme): clock summer-time zone-name repeating start-time start-date end-time end-date add-time
  Remarks: Optional. Use either command. By default, daylight saving time is disabled, and the UTC time zone applies.
Enabling displaying the copyright statement
The device by default displays the copyright statement when a Telnet or SSH user logs in, or when a
console user quits user view. You can disable or enable the function as needed. The following is a sample
copyright statement:
******************************************************************************
* Copyright (c) 2010-2011 Hewlett-Packard Development Company, L.P.          *
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************
Follow these steps to enable displaying the copyright statement:
• Enter system view
  Command: system-view
• Enable displaying the copyright statement
  Command: copyright-info enable
  Remarks: Optional. Enabled by default.
Configuring banners
Introduction to banners
Banners are messages that the system displays when a user connects to the device to perform login
authentication, and start interactive configuration.
Banner types
You can configure the following types of banners:
• Legal banner appears after the system displays the copyright or license statement for a user attempting to log in. To continue authentication or login, the user must enter Y or press Enter. To quit the process, the user must enter N. Y and N are case insensitive.
• Message of the Day (MOTD) banner displays the greeting message, and appears after the legal banner and before the login banner.
• Login banner appears only when password or scheme login authentication has been configured.
• Incoming banner appears for Modem dial-in users, and the shell banner appears for users that use any other access method to access the CLI.
Message input modes
The system supports single-line input mode and multiple-line input mode for configuring a banner.
1. Single-line input
In single-line input mode, all banner information comes after the command keywords in the same line. The start and end characters of the input text must be the same but are not part of the banner information. In this case, the input text, together with the command keywords, cannot exceed 510 characters.
2. Multiple-line input
In multiple-line input mode, all the banner information is input in multiple lines by pressing the Enter key. In this case, up to 2000 characters can be input.
Multi-line input mode can be achieved in the following methods:
• Method I—Press the Enter key directly after the command keywords, type the banner information, and end with the % character. The Enter and % characters are not part of the banner information.
• Method II—Type a character after the command keywords at the first line, and then press the Enter key. Type the banner information, and end with the character you typed at the first line. The character at the first line and the end character are not part of the banner information.
• Method III—Type multiple characters after the command keywords at the first line, with the first and last characters being different, and then press the Enter key. Type the banner information, and end with the first character you typed at the first line. The first input character at the first line and the end character are not part of the banner information.
Configuration procedure
Follow these steps to configure a banner:
• Enter system view
  Command: system-view
• Configure the incoming banner
  Command: header incoming text
  Remarks: Optional
• Configure the login banner
  Command: header login text
  Remarks: Optional
• Configure the legal banner
  Command: header legal text
  Remarks: Optional
• Configure the shell banner
  Command: header shell text
  Remarks: Optional
• Configure the MOTD banner
  Command: header motd text
  Remarks: Optional
Banner configuration examples
# Configure the shell banner as Welcome to HP!.
• Single-line input mode:
<System> system-view
[System] header shell %Welcome to HP!%
• Multiple-line input mode (method I):
<System> system-view
[System] header shell
Please input banner content, and quit with the character '%'.
Welcome to HP!
%
• Multiple-line input mode (method II):
<System> system-view
[System] header shell W
Please input banner content, and quit with the character 'W'.
Welcome to HP!
W
Configuring the exception handling method
You can configure the device to handle system exceptions in one of the following methods:
• reboot—The device automatically reboots to recover from the error condition.
• maintain—The device stays in the error condition so you can collect complete data, including error messages, for diagnosis. In this approach, you must manually reboot the device.
Follow these steps to configure the exception handling method:
• Enter system view
  Command: system-view
• Configure the exception handling method
  Command: system-failure { maintain | reboot }
  Remarks: Optional. By default, the system reboots when an exception occurs.
Rebooting the device
You can reboot the device in one of the following ways to recover from an error condition:
• Reboot the device immediately at the CLI.
• At the CLI, schedule a reboot to occur at a specific time and date or after a delay.
• Power off and then re-power on the device. This method might cause data loss and hardware damage, and is the least preferred method.
Reboot at the CLI enables easy remote device maintenance.
CAUTION:
• A reboot can interrupt network services.
• To avoid data loss, use the save command to save the current configuration before a reboot.
• Use the display startup and display boot-loader commands to check that you have correctly set the
startup configuration file and the main system software image file. If the main system software image file
has been corrupted or does not exist, the device cannot reboot. You must re-specify a main system
software image file, or power off the device and then power it on so the system can reboot with the
backup system software image file.
Rebooting the device immediately at the CLI
Perform the following command in user view to reboot the device:
• Reboot the device immediately
  Command: reboot [ slot slot-number ]
  Remarks: Required. The slot-number argument must be 1.
Scheduling a device reboot
Perform one of the following commands in user view to schedule a device reboot:
• Schedule a reboot to occur at a specific time and date
  Command: schedule reboot at hh:mm [ date ]
  Remarks: Required. Use either command. The scheduled reboot function is disabled by default. The two commands overwrite each other.
• Schedule a reboot to occur after a delay
  Command: schedule reboot delay { hh:mm | mm }
  Remarks: Required. Use either command.
NOTE:
• The system displays the alert “REBOOT IN ONE MINUTE” one minute before the reboot.
• For data security, if you are performing file operations at the reboot time, the system does not reboot.
Scheduling jobs
You can schedule a job to automatically run a command or a set of commands without administrative
interference. The commands in a job are polled every minute. When the scheduled time for a command
is reached, the job automatically executes the command. If a confirmation is required while the
command is running, the system automatically inputs Y or Yes. If characters are required, the system
automatically inputs a default character string, or inputs an empty character string when there is no
default character string.
Job configuration approaches
You can configure jobs in a non-modular or modular approach. Use the non-modular approach for a one-time command execution and the modular approach for complex maintenance work.
Table 12 A comparison of non-modular and modular approaches
Comparison item: Configuration method
  Non-modular approach: Configure all elements in one command
  Modular approach: Separate job, view, and time settings
Comparison item: Can multiple jobs be configured?
  Non-modular approach: No
  Modular approach: Yes
Comparison item: Can a job have multiple commands?
  Non-modular approach: No
  Modular approach: Yes
Comparison item: Supported views
  Non-modular approach: User view (represented by shell), system view
  Modular approach: All views (monitor represents user view)
Comparison item: Supported commands
  Non-modular approach: Commands in user view and system view
  Modular approach: Commands in any view
Comparison item: Can a job be repeatedly executed?
  Non-modular approach: No
  Modular approach: Yes
Comparison item: Can a job be saved to the configuration file?
  Non-modular approach: No
  Modular approach: Yes
Configuration guidelines
• To have a job successfully run a command, check that the specified view and command are valid. The system does not verify their validity.
• The configuration interface, view, and user status that you had before job execution are restored even if the job has run a command that changes the user interface (for example, telnet, ftp, and ssh2), the view (for example, system-view and quit), or the user status (for example, super).
• The jobs run in the background without displaying any messages except log, trap and debugging messages.
• In the modular approach:
  ◦ Every job can have only one view and up to 10 commands. If you specify multiple views, the one specified last takes effect.
  ◦ Input a view name in its complete form. Most commonly used view names include monitor for user view, system for system view, and Vlan-interfacex for VLAN interface view.
  ◦ The time ID (time-id) must be unique in a job. If two time and command bindings have the same time ID, the one configured last takes effect.
Scheduling a job in the non-modular approach
Perform one of the following commands in user view to schedule a job:
• Schedule a job to run a command at a specific time
  Command: schedule job at time [ date ] view view command
  Remarks: Required. Use either command.
• Schedule a job to run a command after a delay
  Command: schedule job delay time view view command
  Remarks: Required. Use either command.
NOTE:
If you change the system time by using the clock datetime, clock summer-time, or clock timezone command after you configure a scheduled job, the job configuration becomes invalid automatically.
Scheduling a job in the modular approach
Follow these steps to configure a scheduled job:
• Enter system view
  Command: system-view
• Create a job and enter job view
  Command: job job-name
  Remarks: Required
• Specify the view in which the commands in the job run
  Command: view view-name
  Remarks: Required. You can specify only one view for a job. The job executes all commands in the specified view.
• Add commands to the job
  Command (run at a specific time and date): time time-id at time date command command
  Command (run at a specific time): time time-id { one-off | repeating } at time [ month-date month-day | week-day week-daylist ] command command
  Command (run after a delay): time time-id { one-off | repeating } delay time command command
  Remarks: Required. Use any of the commands.
NOTE:
Changing the system time does not affect the execution time of the job set by the time at command or the time delay command.
Disabling Boot ROM access
By default, anyone with access to the console can press Ctrl+B during startup to enter the Boot menu and configure the Boot ROM. To protect the system, you can disable Boot ROM access so that users can access only the CLI.
You can also set a Boot ROM password the first time you access the Boot menu to protect the Boot ROM.
To view Boot ROM accessibility status, use the display startup command. For more information about the
display startup command, see the Fundamentals Command Reference.
Follow the step below to disable Boot ROM access:
• Disable Boot ROM access
  Command: undo startup bootrom-access enable
  Remarks: Required. Available in user view. By default, Boot ROM access is enabled.
Configuring the detection timer
Some protocols might shut down ports under specific circumstances. For example, MSTP shuts down a BPDU guard enabled port when the port receives a BPDU. Then, the device starts the detection timer. If the port is still down when the detection timer expires, the port quits the shutdown status and resumes its actual physical status.
Follow these steps to configure the detection timer:
• Enter system view
  Command: system-view
• Configure the detection timer
  Command: shutdown-interval time
  Remarks: Optional. The detection interval is 30 seconds by default.
Configuring temperature alarm thresholds
(available only on the A3100 v2 EI)
You can set the temperature alarm thresholds to monitor the temperature of a device.
The temperature alarm thresholds include lower temperature limit, warning temperature threshold, and
temperature alarming threshold.
When the device temperature drops below the lower limit or reaches the warning threshold, the device logs the event and outputs a log message and a trap.
When the device temperature reaches the alarming threshold, the device constantly outputs log and trap messages to the configuration terminal and lights the temperature alarm LED on the device panel.
Follow these steps to configure temperature alarm thresholds:
• Enter system view
  Command: system-view
• Configure temperature alarm thresholds
  Command: temperature-limit slot slot-number inflow sensor-number lowerlimit warninglimit [ alarmlimit ]
  Remarks: Optional. By default:
    ◦ The lower temperature limit is 5°C (41°F).
    ◦ The warning temperature threshold is 70°C (158°F).
    ◦ The alarming temperature threshold is 80°C (176°F).
  The warning and alarming thresholds must be higher than the lower temperature limit. The alarming threshold must be higher than the warning threshold.
NOTE:
This feature is available only on PoE-capable models of the A3100 v2 EI Switch Series.
Clearing idle 16-bit interface indexes
The device must maintain persistent 16-bit interface indexes and keep each interface index matched to one interface name for network management. After deleting a logical interface, the device retains its 16-bit interface index so the same index can be assigned to the interface at interface re-creation.
To avoid index depletion causing interface creation failures, you can clear all 16-bit indexes that have been assigned but are not in use. The operation does not affect the interface indexes of the interfaces that have been created, but the indexes assigned to re-created interfaces might change.
Follow the step below to clear idle 16-bit interface indexes:
• Clear idle 16-bit interface indexes
  Command: reset unused porttag
  Remarks: Required. Available in user view.
NOTE:
A confirmation is required when you execute this command. The command will not run if you fail to make a confirmation within 30 seconds or enter N to cancel the operation.
Verifying and diagnosing transceiver modules
Verifying transceiver modules
You can verify the genuineness of a transceiver module in the following ways:
• Display the key parameters of a transceiver module, including its transceiver type, connector type, central wavelength of the transmit laser, transfer distance and vendor name.
• Display its electronic label. The electronic label is a profile of the transceiver module and contains the permanent configuration including the serial number, manufacturing date, and vendor name. The data is written to the storage component during debugging or testing.
Perform the following commands in any view to verify transceiver modules:
• Display key parameters of transceiver modules
  Command: display transceiver interface [ interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]
• Display transceiver modules' electronic label information
  Command: display transceiver manuinfo interface [ interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]
NOTE:
The display transceiver manuinfo command cannot display information for some transceiver modules.
Diagnosing transceiver modules
The device provides the alarm function and digital diagnosis function for transceiver modules. When a transceiver module fails or works inappropriately, you can check for alarms present on the transceiver module to identify the fault source, or examine the key parameters monitored by the digital diagnosis function, including the temperature, voltage, laser bias current, TX power, and RX power.
Perform the following commands in any view to diagnose transceiver modules:
• Display alarms present on transceiver modules
  Command: display transceiver alarm interface [ interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]
• Display the present measured values of the digital diagnosis parameters for pluggable transceivers
  Command: display transceiver diagnosis interface [ interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]
NOTE:
The display transceiver diagnosis command cannot display information for some transceiver modules.
Displaying and maintaining device management
configuration
For diagnosis or troubleshooting, you can use separate display commands to collect running status data
module by module, or use the display diagnostic-information command to bulk collect running data for
multiple modules. The display diagnostic-information command equals this set of commands: display
clock, display version, display device, and display current-configuration.
• Display system version information
  Command: display version [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view
• Display the system time and date
  Command: display clock [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view
• Display or save operating statistics for multiple feature modules
  Command: display diagnostic-information [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view
• Display CPU usage statistics
  Command: display cpu-usage [ slot slot-number [ cpu cpu-number ] ] [ | { begin | exclude | include } regular-expression ]
  Command: display cpu-usage entry-number [ offset ] [ verbose ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view
• Display historical CPU usage statistics in charts
  Command: display cpu-usage history [ task task-id ] [ slot slot-number [ cpu cpu-number ] ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view
• Display hardware information
  Command: display device [ [ slot slot-number [ subslot subslot-number ] ] | verbose ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view
• Display the electronic label data for the device
  Command: display device manuinfo [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view
• Display device temperature statistics
  Command: display environment [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view. This command is available on only PoE-capable models of the A3100 v2 EI Switch Series.
• Display the operating state of fans
  Command: display fan [ fan-id ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view. This command is available on only PoE-capable models of the A3100 v2 EI Switch Series.
• Display memory usage statistics
  Command: display memory [ slot slot-number [ cpu cpu-number ] ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view
• Display the power state
  Command: display power [ power-id ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view
• Display RPS state information
  Command: display rps [ rps-id ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view. This feature is available on only the A3100-24-PoE v2 EI Switch (JD313B) and A3100-16-PoE v2 EI Switch (JD312B) models.
• Display the mode of the last reboot
  Command: display reboot-type [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view
• Display the configuration of the job configured by using the schedule job command
  Command: display schedule job [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view
• Display the device reboot setting
  Command: display schedule reboot [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view
• Display the configuration of jobs configured by using the job command
  Command: display job [ job-name ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view
• Display the exception handling method
  Command: display system-failure [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view
• Display the device software version update history
  Command: display version-update-record [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view
• Clear the device software version update history
  Command: reset version-update-record [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in system view
Automatic configuration
Automatic configuration overview
Automatic configuration enables a device without any configuration file to automatically obtain and
execute a configuration file during startup. Automatic configuration simplifies network configuration,
facilitates centralized management, and reduces maintenance workload.
To implement automatic configuration, the network administrator saves configuration files on a server
and a device automatically obtains and executes a specific configuration file.
Typical automatic configuration network
Figure 49 Network diagram for automatic configuration (Device, Gateway, IP network, DHCP server, TFTP server, DNS server)
As shown in Figure 49, a typical automatic configuration network comprises the following servers: a DHCP server, TFTP server, and DNS server:
• DHCP server—assigns an IP address and other configuration parameters such as the configuration file name, TFTP server IP address, and DNS server IP address to the device.
• TFTP server—saves files needed in automatic configuration such as the host name file and the configuration file.
• DNS server—resolves between IP addresses and host names. In some cases, the device resolves its IP address to the host name through the DNS server, and then uses the host name to request the configuration file with the same name (hostname.cfg) from the TFTP server. If the device gets the domain name of the TFTP server from the DHCP response, the device can also resolve the domain name of the TFTP server to the IP address of the TFTP server through the DNS server.
If the DHCP server, TFTP server, DNS server, and the device are not in the same network segment, you need to configure the DHCP relay agent on the gateway.
How automatic configuration works
Automatic configuration works in the following manner:
1. During startup, the device sets the first up interface (if up Layer 2 Ethernet interfaces are available, the VLAN interface of the default VLAN of the Ethernet interfaces is selected as the first up interface) as the DHCP client to request parameters from the DHCP server, such as an IP address, the name of a TFTP server, the IP address of a DNS server, and the configuration file name.
2. After getting the related parameters, the device sends a TFTP request to obtain the configuration file from the specified TFTP server and executes the configuration file. If the client cannot get such parameters, it uses the factory default configuration.
NOTE:
• To implement automatic configuration, you need to configure the DHCP server, DNS server and TFTP server, but you do not need to perform any configuration on the device that performs automatic configuration.
• Before starting the device, connect only the interface needed in automatic configuration to the network.
Work flow of automatic configuration
Figure 50 shows the work flow of automatic configuration.
Figure 50 Work flow of automatic configuration (flowchart; the decision sequence is summarized below)
1. Start the device with the default configuration. The interface tries to obtain parameters through DHCP. If it fails, the device removes the temporary configurations and starts with the default configuration.
2. If the parameters contain the TFTP server address, the device unicasts a TFTP request to obtain the configuration file.
3. Otherwise, if the parameters contain the TFTP server domain name, the device resolves it. If resolution succeeds, the device unicasts a TFTP request; if resolution fails, or if no domain name was given, the device broadcasts a TFTP request.
4. If the TFTP request succeeds, the device removes the temporary configurations and executes the obtained configuration file. If it fails, the device removes the temporary configurations and starts with the default configuration.
Using DHCP to obtain an IP address and other configuration
information
Address acquisition process
As mentioned before, a device sets the first up interface as the DHCP client during startup. The DHCP
client broadcasts a DHCP request, where the Option 55 field specifies the information that the client
wants to obtain from the DHCP server such as the configuration file name, domain name and IP address
of the TFTP server, and DNS server IP address.
After receiving the DHCP response from the DHCP server, the device obtains the IP address and resolves
the following fields in the DHCP response:
• Option 67 or the file field, which specifies the configuration file name. If Option 67 contains the configuration file name, the device does not resolve the file field; otherwise, it resolves the file field.
• Option 66, which specifies the TFTP server domain name.
• Option 150, which specifies the TFTP server IP address.
• Option 6, which specifies the DNS server IP address.
If no response is received from the DHCP server, the device removes the temporary configuration and
starts up with factory defaults.
NOTE:
• The configuration file name is saved in the Option 67 or file field of the DHCP response. The device first
resolves the Option 67 field. If this field contains the configuration file name, the device does not resolve
the file field. If not, it resolves the file field.
• The temporary configuration contains two parts: the configuration made on the interface through which
automatic configuration is performed, and the configuration made by executing the ip host commands
in the host name file (For more information about the ip host command, see the Layer 3—IP Services
Command Reference.). The temporary configuration is removed by executing the undo commands.
• For more information about DHCP, see the Layer 3—IP Services Configuration Guide.
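The option handling described above, as an added example that is not part of the HP documentation or the switch firmware: a small Python parser that builds a constructed DHCP reply, extracts the fields the device looks at (yiaddr, the file field, Options 6, 66, 67 and 150), and applies the precedence stated in this section (Option 67 wins over the file field). The packet builder, the treatment of Option 150 as a list of IPv4 addresses of which the first is used, and the rule that the first copy of a repeated option wins are assumptions made here, not behaviour the page documents.

```python
import struct
import ipaddress

# DHCP option codes named in this section (RFC 2132 numbers; 150 is the TFTP server address option)
OPT_DNS_SERVER = 6
OPT_PARAM_REQUEST_LIST = 55
OPT_TFTP_SERVER_NAME = 66
OPT_BOOTFILE_NAME = 67
OPT_TFTP_SERVER_IP = 150
OPT_PAD, OPT_END = 0, 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def build_reply(yiaddr, file_field=b"", options=()):
    """Build a constructed BOOTP/DHCP reply for testing (assumed layout per RFC 2131).

    Fixed header: op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr
    chaddr(16) sname(64) file(128), followed by the magic cookie and TLV options.
    """
    if len(file_field) > 128:
        raise ValueError("file field is limited to 128 bytes")
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x1234, 0, 0)  # BOOTREPLY over Ethernet
    hdr += b"\0" * 4 + ipaddress.IPv4Address(yiaddr).packed + b"\0" * 8
    hdr += b"\0" * 16 + b"\0" * 64 + file_field.ljust(128, b"\0")
    tlv = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + MAGIC_COOKIE + tlv + bytes([OPT_END])


def parse_reply(pkt):
    """Return (yiaddr, file field, {code: value}) from a raw reply, rejecting truncated options."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    yiaddr = str(ipaddress.IPv4Address(pkt[16:20]))
    file_field = pkt[108:236].split(b"\0", 1)[0].decode("ascii", "replace")
    opts = {}
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(pkt):
            raise ValueError("truncated option header")
        length = pkt[i + 1]
        val = pkt[i + 2:i + 2 + length]
        if len(val) != length:
            raise ValueError("option %d claims %d bytes but the packet ends early" % (code, length))
        opts.setdefault(code, val)  # assumption: the first copy of a repeated option wins
        i += 2 + length
    return yiaddr, file_field, opts


def autoconfig_parameters(pkt):
    """Derive the parameters the device uses; Option 67 takes precedence over the file field."""
    yiaddr, file_field, opts = parse_reply(pkt)

    def text(code):
        val = opts.get(code)
        return val.rstrip(b"\0").decode("ascii", "replace") if val else None

    def ip_list(code):
        val = opts.get(code, b"")
        if len(val) % 4:
            raise ValueError("option %d is not a list of IPv4 addresses" % code)
        return [str(ipaddress.IPv4Address(val[k:k + 4])) for k in range(0, len(val), 4)]

    tftp_ips = ip_list(OPT_TFTP_SERVER_IP)
    return {
        "ip": yiaddr,
        "config_file": text(OPT_BOOTFILE_NAME) or (file_field or None),
        "tftp_server_ip": tftp_ips[0] if tftp_ips else None,
        "tftp_server_name": text(OPT_TFTP_SERVER_NAME),
        "dns_servers": ip_list(OPT_DNS_SERVER),
    }


if __name__ == "__main__":
    # Constructed reply: Option 67 is present, so the file field "fallback.cfg" must be ignored
    reply = build_reply("10.1.1.20", b"fallback.cfg", [
        (OPT_BOOTFILE_NAME, b"aaa.cfg"),
        (OPT_TFTP_SERVER_IP, ipaddress.IPv4Address("10.1.1.5").packed),
        (OPT_DNS_SERVER, ipaddress.IPv4Address("10.1.1.53").packed),
    ])
    print(autoconfig_parameters(reply))
```

The parser refuses an option whose declared length runs past the end of the packet rather than silently using a short value, which is the check a practitioner wants when the reply comes from an untrusted segment.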
Principles for selecting an address pool on the DHCP server
The DHCP server selects IP addresses and other network configuration parameters from an address pool
for clients. DHCP supports the following types of address pools:
• Dynamic address pool: A dynamic address pool contains a range of IP addresses and other parameters that the DHCP server dynamically assigns to clients.
• Static address pool: A static address pool contains the binding of an IP address and a MAC address (or a client ID). The DHCP server assigns the IP address of the binding and specific configuration parameters to a requesting client whose MAC address or ID is contained in the binding. In this way, the client can get a fixed IP address.
Select address pools by using one of the following methods.
• If devices use the same configuration file, you can configure a dynamic address pool on the DHCP server to assign IP addresses and the same configuration parameters (for example, the configuration file name) to the devices. The configuration file can only contain configurations common to the devices, and the specific configurations of each device need to be performed in other ways. For example, the configuration file can enable Telnet and create a local user on the devices so that the administrator can Telnet to each device to perform specific configurations (for example, configure the IP address of each interface).
• If devices use different configuration files, you need to configure static address pools to ensure that each device gets a fixed IP address and a specific configuration file. With this method, the administrator does not need to perform any other configuration for the devices.
NOTE:
To configure static address pools, you must obtain client IDs. To obtain a device’s client ID, use the display
dhcp server ip-in-use command to display address binding information on the DHCP server after the
device obtains its IP address through DHCP.
Obtaining the configuration file from the TFTP server
File types
A device can obtain the following files from the TFTP server during automatic configuration:
• The configuration file specified by Option 67 or the file field in the DHCP response.
• The host name file, named network.cfg, which stores mappings between IP addresses and host names.
For example, the host name file can include the following:
 ip host host1 101.101.101.101
 ip host host2 101.101.101.102
 ip host client1 101.101.101.103
 ip host client2 101.101.101.104
CAUTION:
• There must be a space before the keyword ip host.
• The host name of a device saved in the host name file must be the same as the configuration file name of the device, and can be identical with or different from that saved in the DNS server.
• The configuration file of a device is named hostname.cfg, where hostname is the host name of the device. For example, if the host name of a device is aaa, the configuration file of the device is named aaa.cfg.
• The default configuration file is named device.cfg.
Obtaining the configuration file
Figure 51 Obtain the configuration file (flowchart; the decision sequence is summarized below)
1. Is the configuration file name contained in the DHCP response? If yes, obtain the specified configuration file from the TFTP server. If no, obtain the network intermediate file (the host name file).
2. Search the host name file for the domain name corresponding to the device's IP address. If it is not found, resolve the IP address to a domain name through DNS.
3. If a domain name is found, obtain the configuration file corresponding to that domain name; otherwise, obtain the default configuration file.
4. If a configuration file is obtained, remove the temporary configurations and execute it; otherwise, remove the temporary configurations and start without loading a configuration file.
A device obtains its configuration file by using the following workflow:
• If the DHCP response contains the configuration file name, the device requests the specified configuration file from the TFTP server.
• If not, the device tries to get its host name from the host name file obtained from the TFTP server. If that fails, the device resolves its IP address to the host name through the DNS server. Once the device gets its host name, it requests the configuration file with the same name from the TFTP server.
• If all of these operations fail, the device requests the default configuration file from the TFTP server.
TFTP request sending mode
The device selects whether to unicast or broadcast a TFTP request by using the following workflow:
• If a legitimate TFTP server IP address is contained in the DHCP response, the device unicasts a TFTP request to the TFTP server.
• If not, the device resolves the TFTP server domain name contained in the DHCP response to an IP address through the DNS server. If resolution succeeds, the device unicasts a TFTP request to the TFTP server; if not, the device broadcasts a TFTP request.
• If neither the IP address nor the domain name of the TFTP server is contained in the DHCP response, or they are illegitimate, the device broadcasts a TFTP request.
NOTE:
After broadcasting a TFTP request, the device obtains the configuration file from whichever TFTP server responds first, so any host on the segment that answers the broadcast can supply the file. If the requested configuration file does not exist on the TFTP server, the request fails, and the device removes the temporary configuration and starts up with factory defaults.
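The file selection workflow in "Obtaining the configuration file" and the unicast/broadcast decision in "TFTP request sending mode", carried through as one added Python example that is not part of the HP documentation or the switch firmware. It parses a constructed network.cfg, picks the file name in the order the page gives (DHCP-supplied name, host name file, reverse DNS, device.cfg), and chooses the TFTP target. The page does not define "legitimate" for a TFTP server address; the check below (not unspecified, loopback, multicast or the limited broadcast) is an assumption, as are the reverse_dns and resolve callbacks, which stand in for the DNS queries the device would make, and the rule that a network.cfg line without the leading space is ignored.

```python
import ipaddress

HOST_NAME_FILE = "network.cfg"      # name of the host name file, from the page
DEFAULT_CONFIG_FILE = "device.cfg"  # default configuration file name, from the page
BROADCAST = "255.255.255.255"


def parse_host_name_file(text):
    """Map IP address -> host name from lines of the form ' ip host NAME ADDRESS'.

    The page requires a space before 'ip host'; lines without it are skipped here
    (assumption: the device would not execute them). Lines with a malformed address are skipped too.
    """
    mapping = {}
    for line in text.splitlines():
        if not line.startswith(" "):
            continue
        parts = line.split()
        if len(parts) != 4 or parts[:2] != ["ip", "host"]:
            continue
        try:
            mapping[str(ipaddress.IPv4Address(parts[3]))] = parts[2]
        except ValueError:
            continue
    return mapping


def choose_config_file(dhcp_file_name, device_ip, host_name_text, reverse_dns):
    """Follow the page's order: DHCP-supplied name, host name file, reverse DNS, default file.

    host_name_text is the content of network.cfg, or None if it could not be fetched;
    reverse_dns(ip) returns a host name or None (hypothetical lookup callback).
    Returns (file name to request, which step supplied it).
    """
    if dhcp_file_name:
        return dhcp_file_name, "dhcp"
    if host_name_text is not None:
        name = parse_host_name_file(host_name_text).get(device_ip)
        if name:
            return name + ".cfg", "host-name-file"
    name = reverse_dns(device_ip)
    if name:
        return name + ".cfg", "dns"
    return DEFAULT_CONFIG_FILE, "default"


def is_legitimate_server_ip(addr):
    """Assumed meaning of 'legitimate': a unicast IPv4 address that is not unspecified,
    loopback, multicast or the limited broadcast address."""
    try:
        ip = ipaddress.IPv4Address(addr)
    except (ValueError, TypeError):
        return False
    return not (ip.is_unspecified or ip.is_loopback or ip.is_multicast or str(ip) == BROADCAST)


def choose_tftp_target(tftp_ip, tftp_name, resolve):
    """Unicast to a legitimate address; else resolve the domain name; else broadcast.

    resolve(name) returns an IPv4 string or None (hypothetical DNS callback).
    """
    if is_legitimate_server_ip(tftp_ip):
        return "unicast", str(ipaddress.IPv4Address(tftp_ip))
    if tftp_name:
        resolved = resolve(tftp_name)
        if is_legitimate_server_ip(resolved):
            return "unicast", resolved
    return "broadcast", BROADCAST


if __name__ == "__main__":
    sample = " ip host host1 101.101.101.101\n ip host host2 101.101.101.102\n"  # constructed network.cfg
    print(choose_config_file(None, "101.101.101.102", sample, lambda ip: None))
    print(choose_tftp_target(None, "tftp.example.net", lambda name: None))
```

Tracing a device through choose_tftp_target shows why the broadcast branch matters: a reply that carries no usable server address, or a name that does not resolve, ends with the device accepting a file from the first responder on the segment.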
Executing the configuration file
After obtaining the configuration file, the device removes the temporary configuration and executes the
configuration file. If no configuration file is obtained, the device removes the temporary configuration
and starts up with factory defaults.
NOTE:
The configuration file is deleted after it is executed. Save the configuration by using the save command; otherwise, the device performs automatic configuration again after a reboot. For more information about the save command, see the Fundamentals Command Reference.
Support and other resources
Contacting HP
For worldwide technical support information, see the HP support website:
Before contacting HP, collect the following information:
• Product model names and numbers
• Technical support registration number (if applicable)
• Product serial numbers
• Error messages
• Operating system type and revision level
• Detailed questions
Subscription service
HP recommends that you register your product at the Subscriber's Choice for Business website:
After registering, you will receive email notification of product enhancements, new driver versions,
firmware updates, and other product resources.
Related information
Documents
To find related documents, browse to the Manuals page of the HP Business Support Center website:
• For related documentation, navigate to the Networking section, and select a networking category.
• For a complete list of acronyms and their definitions, see HP A-Series Acronyms.
Websites
• HP Networking http://www.hp.com/go/networking
• HP manuals http://www.hp.com/support/manuals
• HP download drivers and software http://www.hp.com/support/downloads
• HP software depot http://www.software.hp.com
• HP Education http://www.hp.com/learn
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention          Description
Boldface            Bold text represents commands and keywords that you enter literally as shown.
Italic              Italic text represents arguments that you replace with actual values.
[ ]                 Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }     Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
[ x | y | ... ]     Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
{ x | y | ... } *   Asterisk-marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one.
[ x | y | ... ] *   Asterisk-marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none.
&<1-n>              The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times.
#                   A line that starts with a pound (#) sign is a comment.
GUI conventions
Convention          Description
Boldface            Window names, button names, field names, and menu items are in bold text. For example, the New User window appears; click OK.
>                   Multi-level menus are separated by angle brackets. For example, File > Create > Folder.
Symbols
Convention          Description
WARNING             An alert that calls attention to important information that if not understood or followed can result in personal injury.
CAUTION             An alert that calls attention to important information that if not understood or followed can result in data loss, data corruption, or damage to hardware or software.
IMPORTANT           An alert that calls attention to essential information.
NOTE                An alert that contains additional or supplementary information.
TIP                 An alert that provides helpful information.
Network topology icons
Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Port numbering in examples
The port numbers in this document are for illustration only and might be unavailable on your device.
Index
C
Checking command-line errors,8
CLI view description,2
Command conventions,1
Configuring HTTP login,66
Configuring HTTPS login,67
Configuring login control over Telnet users,78
Configuring source IP-based login control over NMS
Configuring source IP-based login control over web users,83
Configuring temperature alarm thresholds (available
Configuring the FTP client,86
Configuring the TFTP client,97
D
Displaying and maintaining CLI,20
Displaying and maintaining CLI login,64
Displaying and maintaining device management
Displaying and maintaining the TFTP client,98
Displaying and maintaining web login,70
E
Entering the CLI,1
F
FTP overview,85
L
Logging in through modems,52
Logging in through SSH,47
Logging in through Telnet,36
Logging in through the console port,24
N
NMS login example,75
O
Overview,24
S
Saving the current configuration,20
Specifying a startup configuration file to be used at the
T
TFTP client configuration example,98
TFTP overview,96
Typing commands,5
U
Undo form of a command,2
Upgrading system software through a system
Upgrading the Boot ROM program through a system
User interface overview,22
User login control methods,78
Using command history,8
Using the CLI online help,4
W
Web login example,70
Web login overview,66
What is CLI?,1