HP Hewlett Packard Switch A3100 16 v2 EI User Manual

HP A3100 v2 Switch Series  
Fundamentals  
Configuration Guide  
HP A3100-8 v2 SI Switch (JG221A)  
HP A3100-16 v2 SI Switch (JG222A)  
HP A3100-24 v2 SI Switch (JG223A)  
HP A3100-8 v2 EI Switch (JD318B)  
HP A3100-16 v2 EI Switch (JD319B)  
HP A3100-24 v2 EI Switch (JD320B)  
HP A3100-8-PoE v2 EI Switch (JD311B)  
HP A3100-16-PoE v2 EI Switch (JD312B)  
HP A3100-24-PoE v2 EI Switch (JD313B)  
Part number: 5998-1963  
Software version: Release 5103  
Document version: 6W100-20110909  
Download from Www.Somanuals.com. All Manuals Search And Download.  
CLI configuration  
What is CLI?  
The command line interface (CLI) enables you to interact with your device by typing text commands. At  
the CLI, you can instruct your device to perform a given task by typing a text command and then pressing  
Enter. Compared with a graphical user interface (GUI) where you can use a mouse to perform  
configuration, the CLI allows you to input more information in one command line.  
Figure 1 CLI example  
Entering the CLI  
HP devices provide multiple methods for entering the CLI, such as through the console port, through Telnet,  
or through SSH. For more information, see the chapter “Logging in to the switch configuration.”  
Command conventions  
Command conventions help you understand command meanings. Commands in HP product manuals  
comply with the conventions listed in Table 1.  
Table 1 Command conventions  
Convention           Description
Boldface             Bold text represents commands and keywords that you enter literally as shown.
Italic               Italic text represents arguments that you replace with actual values.
[ ]                  Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }      Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
[ x | y | ... ]      Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
{ x | y | ... } *    Asterisk marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one.
[ x | y | ... ] *    Asterisk marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none.
&<1-n>               The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times.
#                    A line that starts with a pound (#) sign is a comment.
NOTE:  
The keywords of HP command lines are case insensitive.  
Figure 2 shows how to read the clock datetime time date command by using Table 1 as a reference.  
Figure 2 Read command line parameters  
Following this example, you can type the following command line at the CLI of your device and press  
Enter to set the device system time to 10 o’clock 30 minutes 20 seconds, February 23, 2010.  
<sysname> clock datetime 10:30:20 2/23/2010  
More complicated commands can be understood using Table 1 as a reference.  
Undo form of a command  
The undo form of a command restores the default, disables a function, or removes a configuration.  
Almost all configuration commands have an undo form. For example, the info-center enable command  
enables the information center, and the undo info-center enable command disables the information  
center.  
CLI view description  
Commands are grouped into different classes by function. To use a command, you must enter the class  
view of the command.  
CLI views adopt a hierarchical structure. See Figure 3.  
After logging in to the switch, you are in user view. The user view prompt is <device name>. In user  
view, you can perform display, debugging, and file management operations, set the system time,  
restart your device, and perform FTP and Telnet operations.  
You can enter system view from user view. In system view, you can configure parameters such as  
daylight saving time, banners, and short-cut keys.  
From system view, you can enter different function views. For example, enter interface view to  
configure interface parameters, create a VLAN and enter its view, enter user interface view to  
configure login user attributes, create a local user and enter local user view to configure the  
password and level of the local user.  
NOTE:  
Enter ? in any view to display all the commands that can be executed in this view.  
Figure 3 Command line views  
Entering system view  
When you log in to the device, you automatically enter user view, where <Device name> is displayed.  
You can perform limited operations in user view, for example, display operations, file operations, and  
Telnet operations. To perform further configuration on the device, enter system view.  
Follow the step below to enter system view:  
To do…             Use the command…  Remarks
Enter system view  system-view       Required. Available in user view
Exiting the current view  
The CLI is divided into different command views. Each view has a set of specific commands and defines  
the effective scope of the commands. The commands available to you at any given time depend on the  
view you are in.  
Follow the step below to exit the current view:  
To do…                                           Use the command…  Remarks
Return to the parent view from the current view  quit              Required. Available in any view.
NOTE:  
The quit command in user view stops the current connection between the terminal and the device.  
In public key code view, use the public-key-code end command to return to the parent view (public key  
view). In public key view, use the peer-public-key end command to return to system view.  
Returning to user view  
This feature allows you to return to user view from any other view, without using the quit command  
repeatedly. You can also press Ctrl+Z to return to user view from the current view.  
Follow the step below to exit to user view:  
To do…               Use the command…  Remarks
Return to user view  return            Required. Available in any view except user view
Using the CLI online help  
Type a question mark (?) to obtain online help. See the following examples.  
1. Type ? in any view to display all commands available in this view as well as brief descriptions of the commands. For example:
<sysname> ?
User view commands:
  archive      Specify archive settings
  backup       Backup next startup-configuration file to TFTP server
  boot-loader  Set boot loader
  bootrom      Update/read/backup/restore bootrom
  cd           Change current directory
…Omitted…
2. Type part of a command and a ? separated by a space.
If ? is at the keyword position, the CLI displays all possible keywords with a brief description for each keyword. For example:
<sysname> terminal ?
  debugging  Send debug information to terminal
  logging    Send log information to terminal
  monitor    Send information output to current terminal
  trapping   Send trap information to terminal
If ? is at the argument position, the CLI displays a description about this argument. For example:  
<sysname> system-view  
[sysname] interface vlan-interface ?  
<1-4094> VLAN interface  
[sysname] interface vlan-interface 1 ?  
<cr>  
[sysname] interface vlan-interface 1  
The string <cr> indicates that the command is a complete command, and can be executed by pressing  
Enter.  
3. Type an incomplete character string followed by ?. The CLI displays all commands starting with the typed character(s).
<sysname> b?  
backup  
boot-loader  
bootrom  
<sysname> display cl?  
clipboard  
clock  
cluster  
Typing commands  
Editing command lines  
Table 2 Editing functions  
Key                        Function
Common keys                If the edit buffer is not full, pressing a common key inserts the character at the position of the cursor and moves the cursor to the right.
Backspace                  Deletes the character to the left of the cursor and moves the cursor back one character.
Left arrow key or Ctrl+B   The cursor moves one character space to the left.
Right arrow key or Ctrl+F  The cursor moves one character space to the right.
Tab                        If you press Tab after entering part of a keyword, the system automatically completes the keyword:
                             If there is a unique match, the system substitutes the complete keyword for the incomplete one and displays it in the next line.
                             If there is more than one match, you can press Tab repeatedly to cycle through all the keywords starting with the character string that you typed.
                             If there is no match, the system does not modify the incomplete keyword and displays it again in the next line.
Typing incomplete keywords  
You can input a command comprising incomplete keywords that uniquely identify the complete  
command.  
In user view, for example, commands starting with an s include startup saved-configuration and  
system-view.  
To enter system view, type sy.  
To set the configuration file for next startup, type st s.  
You can also press Tab to have an incomplete keyword automatically completed.  
Configuring command aliases  
The command alias function allows you to replace the first keyword of a command with your preferred  
keyword. For example, if you configure show as the replacement for the display keyword, then to execute  
the display xx command, you can input the command alias show xx.  
Note the following guidelines when configuring a command alias:  
You can define and use a command alias but the command is not restored in its alias format.  
When you define a command alias, the cmdkey and alias arguments must be in their complete  
form.  
When you input an incomplete keyword that partially matches both a defined alias and the  
keyword of a command, the alias takes precedence. To execute the command whose keyword  
partially matches your input, input the complete keyword. When you input a character string that  
partially matches multiple aliases, the system gives you prompts.  
If you press Tab after you input an alias keyword, the original format of the keyword is displayed.  
You can replace only the first keyword of a non-undo command instead of the complete command.  
You can replace only the second keyword of undo commands.  
Follow these steps to configure command aliases:  
To do…                             Use the command…                    Remarks
Enter system view                  system-view                         -
Enable the command alias function  command-alias enable                Required. Disabled by default, which means you cannot configure command aliases.
Configure a command alias          command-alias mapping cmdkey alias  Required. Not configured by default.
Configuring CLI hotkeys  
Follow these steps to configure CLI hotkeys:  
To do…                 Use the command…                                                Remarks
Enter system view      system-view                                                     -
Configure CLI hotkeys  hotkey { CTRL_G | CTRL_L | CTRL_O | CTRL_T | CTRL_U } command   Optional. The Ctrl+G, Ctrl+L and Ctrl+O hotkeys are specified at the CLI by default.
Display hotkeys        display hotkey                                                  Available in any view. See Table 3 for hotkeys reserved by the system.
NOTE:  
By default, the Ctrl+G, Ctrl+L and Ctrl+O hotkeys are associated with the pre-defined commands listed below; the Ctrl+T and Ctrl+U hotkeys are not.
Ctrl+G corresponds to the display current-configuration command.  
Ctrl+L corresponds to the display ip routing-table command.  
Ctrl+O corresponds to the undo debugging all command.  
Table 3 Hotkeys reserved by the system  
Hotkey  Function
Ctrl+A  Moves the cursor to the beginning of the current line.
Ctrl+B  Moves the cursor one character to the left.
Ctrl+C  Stops performing a command.
Ctrl+D  Deletes the character at the current cursor position.
Ctrl+E  Moves the cursor to the end of the current line.
Ctrl+F  Moves the cursor one character to the right.
Ctrl+H  Deletes the character to the left of the cursor.
Ctrl+K  Terminates an outgoing connection.
Ctrl+N  Displays the next command in the history command buffer.
Ctrl+P  Displays the previous command in the history command buffer.
Ctrl+R  Redisplays the current line information.
Ctrl+V  Pastes the content in the clipboard.
Ctrl+W  Deletes all the characters in a continuous string to the left of the cursor.
Ctrl+X  Deletes all characters to the left of the cursor.
Ctrl+Y  Deletes all characters to the right of the cursor.
Ctrl+Z  Exits to user view.
Ctrl+]  Terminates an incoming connection or a redirect connection.
Esc+B   Moves the cursor to the leading character of the continuous string to the left.
Esc+D   Deletes all the characters of the continuous string at the current cursor position and to the right of the cursor.
Esc+F   Moves the cursor to the front of the next continuous string to the right.
Esc+N   Moves the cursor down by one line (available before you press Enter)
Esc+P   Moves the cursor up by one line (available before you press Enter)
Esc+<   Specifies the cursor as the beginning of the clipboard.
Esc+>   Specifies the cursor as the ending of the clipboard.
NOTE:  
The hotkeys in Table 3 are defined by the switch. If the same hotkeys are defined by the terminal software  
that you use to interact with the switch, the hotkeys defined by the terminal software take effect.  
Redisplaying input but not submitted commands  
If your command input is interrupted by output system information, you can use this feature to redisplay  
the commands input previously but not submitted.  
Follow these steps to enable redisplaying of commands previously input but not submitted:  
To do…                                                   Use the command…         Remarks
Enter system view                                        system-view              -
Enable redisplaying of input but not submitted commands  info-center synchronous  Required. Disabled by default
NOTE:  
If you have no input at the command line prompt and the system outputs system information such as  
logs, the system will not display the command line prompt after the output.  
If the system outputs system information when you are typing interactive information (not YES/NO for confirmation), the system does not redisplay the prompt information; it outputs a line break after the output and then displays what you have typed.
For more information about the info-center synchronous command, see the Network Management and  
Monitoring Configuration Guide.  
Checking command-line errors  
If a command contains syntax errors, the CLI reports error information.  
Table 4 Common command line errors  
Error information                              Cause
% Unrecognized command found at '^' position.  The command was not found.
% Incomplete command found at '^' position.    Incomplete command
% Ambiguous command found at '^' position.     Ambiguous command
Too many parameters                            Too many parameters
% Wrong parameter found at '^' position.       Wrong parameters
Using command history  
The CLI automatically saves the commands recently used in the history command buffer. You can access  
these commands and execute them again.  
Accessing history commands  
Follow a step below to access history commands:  
To do…                                Use the key/command…      Result
Display history commands              display history-command   Displays valid history commands you used
Display the previous history command  Up arrow key or Ctrl+P    Displays the previous history command, if any
Display the next history command      Down arrow key or Ctrl+N  Displays the next history command, if any
NOTE:  
You can use arrow keys to access history commands in Windows 200X and XP Terminal or Telnet.  
However, the up and down arrow keys are invalid in Windows 9X HyperTerminal, because they are  
defined differently. You can use Ctrl+P or Ctrl+N instead.  
The commands saved in the history command buffer are in the same format in which you typed the  
commands. If you type an incomplete command, the command saved in the history command  
buffer is also incomplete.  
If you execute the same command repeatedly, the switch saves only the earliest record. However, if  
you execute the same command in different formats, the system saves them as different commands.  
For example, if you execute the display cu command repeatedly, the system saves only one  
command in the history command buffer. If you execute the command in the format of display cu  
and display current-configuration respectively, the system saves them as two separate commands.  
By default, the CLI can save up to 10 commands for each user. To set the capacity of the history command buffer for the current user interface, use the history-command max-size command. (For more information about the history-command max-size command, see the chapter “Logging in to the switch commands.”)
Configuring the history buffer size  
Follow these steps to configure the history buffer size:  
To do: Enter system view
Use the command: system-view

To do: Enter user interface view
Use the command: user-interface { first-num1 [ last-num1 ] | { aux | vty } first-num2 [ last-num2 ] }

To do: Set the maximum number of commands that can be saved in the history buffer
Use the command: history-command max-size size-value
Remarks: Optional. By default, the history buffer can save up to 10 commands.
NOTE:  
For more information about the user-interface and history-command max-size commands, see the  
chapter “Logging in to the switch commands.”  
Controlling the CLI display  
Multi-screen display  
Controlling multi-screen display  
If the output information spans multiple screens, each screen pauses after it is displayed. Perform one of  
the following operations to proceed.  
Action            Function
Press Space       Displays the next screen.
Press Enter       Displays the next line.
Press Ctrl+C      Stops the display and the command execution.
Press <PageUp>    Displays the previous page.
Press <PageDown>  Displays the next page.
By default, each screen displays up to 24 lines. To change the maximum number of lines displayed on the  
next screen, use the screen-length command. For more information about the screen-length command,  
see the chapter “Logging in to the switch commands.”  
Disabling multi-screen display  
You can use the following command to disable the multi-screen display function. All of the output  
information will be displayed at one time and the screen will refresh continuously until the last screen is  
displayed.  
To do…                                     Use the command…       Remarks
Disable the multi-screen display function  screen-length disable  Required. By default, a login user uses the settings of the screen-length command. The default settings of the screen-length command are: multiple-screen display is enabled and up to 24 lines are displayed on the next screen. This command is executed in user view, and takes effect for the current user only. When the user re-logs into the switch, the default configuration is restored.
Filtering output information  
Introduction  
You can use regular expressions in display commands to filter output information.  
The following methods are available for filtering output information:  
Input the begin, exclude, or include keyword plus a regular expression in the display command to  
filter the output information.  
When the system displays the output information in multiple screens, use /, - or + plus a regular  
expression to filter subsequent output information. / equals the keyword begin, - equals the  
keyword exclude, and + equals the keyword include.  
The following definitions apply to the begin, exclude, and include keywords:  
begin: Displays the first line that matches the specified regular expression and all lines that follow.  
exclude: Displays all lines that do not match the specified regular expression.  
include: Displays all lines that match the specified regular expression.  
A regular expression is a case-sensitive string of 1 to 256 characters. It supports the following special  
characters.  
Character: ^string
Meaning: Starting sign. string appears only at the beginning of a line.
Remarks: For example, regular expression “^user” only matches a string beginning with “user”, not “Auser”.

Character: string$
Meaning: Ending sign. string appears only at the end of a line.
Remarks: For example, regular expression “user$” only matches a string ending with “user”, not “userA”.

Character: .
Meaning: Matches any single character, such as a single character, a special character, and a blank.
Remarks: For example, “.s” matches “as” and “bs”.

Character: *
Meaning: Matches the preceding character or character group zero or multiple times.
Remarks: For example, “zo*” matches “z” and “zoo”; “(zo)*” matches “zo” and “zozo”.

Character: +
Meaning: Matches the preceding character or character group one or multiple times
Remarks: For example, “zo+” matches “zo” and “zoo”, but not “z”.

Character: |
Meaning: Matches the preceding or succeeding character string
Remarks: For example, “def|int” only matches a character string containing “def” or “int”.

Character: _
Meaning: If it is at the beginning or the end of a regular expression, it equals ^ or $. In other cases, it equals comma, space, round bracket, or curly bracket.
Remarks: For example, “a_b” matches “a b” or “a(b”; “_ab” only matches a line starting with “ab”; “ab_” only matches a line ending with “ab”.

Character: -
Meaning: Connects two values (the smaller one before it and the bigger one after it) to indicate a range together with [ ].
Remarks: For example, “1-9” means 1 to 9 (inclusive); “a-h” means a to h (inclusive).

Character: [ ]
Meaning: Matches a single character contained within the brackets.
Remarks: For example, [16A] matches a string containing any character among 1, 6, and A; [1-36A] matches a string containing any character among 1, 2, 3, 6, and A (- is a hyphen). “]” can be matched as a common character only when it is put at the beginning of characters within the brackets, for example [ ]string]. There is no such limit on “[”.

Character: ( )
Meaning: A character group. It is usually used with “+” or “*”.
Remarks: For example, (123A) means a character group “123A”; “408(12)+” matches 40812 or 408121212. But it does not match 408.

Character: \index
Meaning: Repeats the character string specified by the index. A character string refers to the string within () before \. index refers to the sequence number (starting from 1 from left to right) of the character group before \. If only one character group appears before \, index can only be 1; if n character groups appear before index, index can be any integer from 1 to n.
Remarks: For example, (string)\1 repeats string, and a matching string must contain stringstring. (string1)(string2)\2 repeats string2, and a matching string must contain string1string2string2. (string1)(string2)\1\2 repeats string1 and string2 respectively, and a matching string must contain string1string2string1string2.

Character: [^]
Meaning: Matches a single character not contained within the brackets.
Remarks: For example, [^16A] means to match a string containing any character except 1, 6 or A, and the matching string can also contain 1, 6 or A, but cannot contain these three characters only. For example, [^16A] matches “abc” and “m16”, but not 1, 16, or 16A.

Character: \<string
Meaning: Matches a character string starting with string.
Remarks: For example, “\<do” matches word “domain” and string “doa”.

Character: string\>
Meaning: Matches a character string ending with string.
Remarks: For example, “do\>” matches word “undo” and string “abcdo”.

Character: \bcharacter2
Meaning: Matches character1character2. character1 can be any character except number, letter or underline, and \b equals [^A-Za-z0-9_].
Remarks: For example, “\ba” matches “-a” with “-” being character1, and “a” being character2, but it does not match “2a” or “ba”.

Character: \Bcharacter
Meaning: Matches a string containing character, and no space is allowed before character.
Remarks: For example, “\Bt” matches “t” in “install”, but not “t” in “big top”.

Character: character1\w
Meaning: Matches character1character2. character2 must be a number, letter, or underline, and \w equals [^A-Za-z0-9_].
Remarks: For example, “v\w” matches “vlan”, with “v” being character1, and “l” being character2. v\w also matches “service”, with “i” being character2.

Character: \W
Meaning: Equals \b.
Remarks: For example, “\Wa” matches “-a”, with “-” being character1, and “a” being character2, but does not match “2a” or “ba”.

Character: \
Meaning: Escape character. If a special character listed in this table follows \, the specific meaning of the character is removed.
Remarks: For example, “\\” matches a string containing “\”, “\^” matches a string containing “^”, and “\\b” matches a string containing “\b”.
Example of filtering output information  
1. Example of using the begin keyword
# Display the configuration from the line containing “user-interface” to the last line in the current configuration (the output information depends on the current configuration).
<Sysname> display current-configuration | begin user-interface
user-interface aux 0
user-interface vty 0 15
 authentication-mode none
 user privilege level 3
#
return
2. Example of using the exclude keyword
# Display the non-direct routes in the routing table (the output depends on the current configuration).
<Sysname> display ip routing-table | exclude Direct
Routing Tables: Public
Destination/Mask    Proto   Pre  Cost  NextHop       Interface
1.1.1.0/24          Static  60   0     192.168.0.0   Vlan1
3. Example of using the include keyword
# Display the route entries that contain Vlan in the routing table (the output depends on the current configuration).
<Sysname> display ip routing-table | include Vlan
Routing Tables: Public
Destination/Mask    Proto   Pre  Cost  NextHop       Interface
192.168.1.0/24      Direct  0    0     192.168.1.42  Vlan999
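The begin, exclude, and include keywords and the _ metacharacter described above can be reproduced offline when reviewing saved display output. The following Python code is an added example, not part of the HP manual: the sample lines and function names are constructed, Python's re module stands in for the switch's regular-expression engine, and only _ is translated (the \<, \>, \b, \B, \w and \W forms in the table are not handled).

```python
import re

# Constructed sample output, modelled on the examples in this section.
SAMPLE_CONFIG = """\
#
 sysname Sysname
#
local-user test
 service-type telnet
#
user-interface aux 0
user-interface vty 0 15
 authentication-mode none
 user privilege level 3
#
return""".splitlines()

# Paging shortcuts and the keywords they equal, as stated in this section.
SHORTCUTS = {"/": "begin", "-": "exclude", "+": "include"}


def translate(pattern):
    """Rewrite the '_' metacharacter of this section's table into Python re syntax."""
    if not 1 <= len(pattern) <= 256:
        raise ValueError("regular expression must be 1 to 256 characters")
    out, in_class, first = [], False, 0
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(pattern[i:i + 2])        # escaped character: copy verbatim
            i += 2
            continue
        if ch == "[" and not in_class:
            in_class = True
            # "]" is an ordinary character when it comes first inside the brackets
            first = i + 2 if pattern[i + 1:i + 2] == "^" else i + 1
        elif ch == "]" and in_class and i > first:
            in_class = False
        if ch == "_" and not in_class:
            if i == 0:
                out.append("^")                 # leading _ equals ^
            elif i == len(pattern) - 1:
                out.append("$")                 # trailing _ equals $
            else:
                out.append("[,(){} ]")          # comma, space, round or curly bracket
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def display_filter(lines, keyword, pattern):
    """Apply begin / exclude / include (or the /, -, + shortcut) to output lines."""
    keyword = SHORTCUTS.get(keyword, keyword)
    rx = re.compile(translate(pattern))         # matching is case-sensitive
    if keyword == "include":
        return [line for line in lines if rx.search(line)]
    if keyword == "exclude":
        return [line for line in lines if not rx.search(line)]
    if keyword == "begin":
        for n, line in enumerate(lines):
            if rx.search(line):
                return lines[n:]                # first match and everything after it
        return []
    raise ValueError("keyword must be begin, exclude or include")


if __name__ == "__main__":
    for line in display_filter(SAMPLE_CONFIG, "begin", "user-interface"):
        print(line)
```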
Configuring user privilege and command levels  
Introduction  
To avoid unauthorized access, the switch defines user privilege levels and command levels. User privilege  
levels correspond to command levels. When a user at a specific privilege level logs in, the user can only  
use commands at that level or lower levels.  
All the commands are categorized into four levels: visit, monitor, system, and manage, and are identified  
from low to high, respectively by 0 through 3. Table 5 describes the command levels.  
Table 5 Default command levels  
Level  Privilege  Description
0      Visit      Involves commands for network diagnosis and accessing an external device. Command configuration at this level cannot survive a device restart. Upon device restart, the commands at this level will be restored to the default settings. Commands at this level include ping, tracert, telnet and ssh2.
1      Monitor    Involves commands for system maintenance and service fault diagnosis. Commands at this level are not allowed to be saved after being configured. After the switch is restarted, the commands at this level will be restored to the default settings. Commands at this level include debugging, terminal, refresh, reset, and send.
2      System     Involves service configuration commands, such as routing configuration commands and commands for configuring services at different network levels. By default, commands at this level include all configuration commands except for those at the manage level.
3      Manage     Involves commands that influence the basic operation of the system and commands for configuring system support modules. By default, commands at this level involve the configuration commands of file system, FTP, TFTP, Xmodem download, user management, level setting, and parameter settings within a system (which are not defined by any protocols or RFCs).
Configuring a user privilege level  
A user privilege level can be configured by using AAA authentication parameters or under a user  
interface.  
Configure user privilege level by using AAA authentication parameters  
If the user interface authentication mode is scheme, the user privilege level of users logging into the user  
interface is specified in AAA authentication configuration.  
Follow these steps to configure the user privilege level by using AAA authentication parameters:  
To do: Enter system view
Use the command: system-view

To do: Enter user interface view
Use the command: user-interface { first-num1 [ last-num1 ] | { aux | vty } first-num2 [ last-num2 ] }

To do: Specify the scheme authentication mode
Use the command: authentication-mode scheme
Remarks: Required. By default, the authentication mode for VTY users is password, and no authentication is needed for AUX login users.

To do: Return to system view
Use the command: quit

To do: Configure the authentication mode for SSH users as password
Use the command: For more information about SSH, see the Security Configuration Guide.
Remarks: Required if users use SSH to log in, and username and password are needed at authentication

To do: Configure the user privilege level by using AAA authentication parameters
Remarks: Use either approach

  Using local authentication
  Use the command: Use the local-user command to create a local user and enter local user view. Use the level keyword in the authorization-attribute command to configure the user privilege level.
  Remarks: For local authentication, if you do not configure the user privilege level, the user privilege level is 0.

  Using remote authentication (RADIUS, HWTACACS authentications)
  Use the command: Configure the user privilege level on the authentication server
  Remarks: For remote authentication, if you do not configure the user privilege level, the user privilege level depends on the default configuration of the authentication server.
Example of configuring a user privilege level by using AAA authentication parameters  
# You are required to authenticate the users that Telnet to the switch through VTY 1, verify their username  
and password, and specify the user privilege level as 3.  
<Sysname> system-view  
[Sysname] user-interface vty 1  
[Sysname-ui-vty1] authentication-mode scheme  
[Sysname-ui-vty1] quit  
[Sysname] local-user test  
[Sysname-luser-test] password cipher 12345678  
[Sysname-luser-test] service-type telnet  
When users telnet to the switch through VTY 1, they need to input username test and password 12345678. After passing authentication, the users can only use level 0 commands. If the users want to use level 0, 1, 2 and 3 commands, the following configuration is required:
[Sysname-luser-test] authorization-attribute level 3  
Configure the user privilege level under a user interface  
If the user interface authentication mode is scheme, and SSH publickey authentication type (only a  
username is needed for this authentication type) is adopted, the user privilege level of users logging  
into the user interface is the user interface level.  
If the user interface authentication mode is none or password, the user privilege level of users  
logging into the user interface is the user interface level.  
Follow these steps to configure the user privilege level under a user interface (SSH publickey  
authentication type):  
To do: Configure the authentication type for SSH users as publickey
Use the command: For more information about SSH, see the Security Configuration Guide.
Remarks: Required if the SSH login mode is adopted, and only username is needed during authentication. After the configuration, the authentication mode of the corresponding user interface must be set to scheme.

To do: Enter system view
Use the command: system-view

To do: Enter user interface view
Use the command: user-interface { first-num1 [ last-num1 ] | vty first-num2 [ last-num2 ] }

To do: Configure the authentication mode for any user that uses the current user interface to log in to the switch
Use the command: authentication-mode scheme
Remarks: Required. By default, the authentication mode for VTY users is password, and no authentication is needed for AUX users.

To do: Configure the privilege level for users that log in through the current user interface
Use the command: user privilege level level
Remarks: Optional. By default, the user privilege level for users logged in through the AUX user interface is 3, and that for users logged in through the VTY interfaces is 0.

Follow these steps to configure the user privilege level under a user interface (none or password  
authentication mode):  
To do: Enter system view
Use the command: system-view

To do: Enter user interface view
Use the command: user-interface { first-num1 [ last-num1 ] | { aux | vty } first-num2 [ last-num2 ] }

To do: Configure the authentication mode for any user that uses the current user interface to log in to the switch
Use the command: authentication-mode { none | password }
Remarks: Optional. By default, the authentication mode for VTY user interfaces is password, and no authentication is needed for AUX login users.

To do: Configure the privilege level of users logged in through the current user interface
Use the command: user privilege level level
Remarks: Optional. By default, the user privilege level for users logged in through the AUX user interface is 3, and that for users logged in through the VTY interfaces is 0.

Example of configuring a user privilege level under a user interface  
# Authenticate users logged in to the switch through Telnet, verify their password, and specify their user  
privilege level as 2.  
<Sysname> system-view  
[Sysname] user-interface vty 0 15  
[Sysname-ui-vty0-15] authentication-mode password  
[Sysname-ui-vty0-15] set authentication password cipher 123  
[Sysname-ui-vty0-15] user privilege level 2  
By default, Telnet users can use level 0 commands after passing authentication. After the configuration  
above is completed, when users log in to the switch through Telnet, they need to input password 123, and  
then they can use level 0, 1, and 2 commands.  
NOTE:  
For more information about user interfaces, see the chapter “Logging in to the switch configuration.” For  
more information about the user-interface, authentication-mode, and user privilege level commands,  
see the chapter “Logging in to the switch commands.”  
For more information about AAA authentication, see the Security Configuration Guide. For more  
information about the local-user and authorization-attribute commands, see the Security Command  
Reference.  
For more information about SSH, see the Security Configuration Guide.  
Switching user privilege level  
Introduction  
Users can switch to a different user privilege level temporarily without logging out and terminating the  
current connection. After the privilege level switch, users can continue to configure the switch without the  
need to log back in, but the commands that they can execute have changed. For example, if the
current user privilege level is 3, the user can configure system parameters. After switching to user  
privilege level 0, the user can only execute simple commands, like ping and tracert, and only a few  
display commands. The switching operation is effective for the current login. After the user logs back in,  
the user privilege restores to the original level.  
To avoid problems, HP recommends that administrators log in to the switch by using a lower  
privilege level and view switch operating parameters. To maintain the switch, administrators can  
temporarily switch to a higher level.  
If the administrators need to leave or need to ask someone else to temporarily manage the switch,  
they can switch to a lower privilege level to restrict the operation by others.  
Setting the authentication mode for user privilege level switch  
A user can switch to a privilege level equal to or lower than the current one unconditionally and is  
not required to input a password (if any).  
For security, a user is required to input the password (if any) to switch to a higher privilege level. The  
authentication falls into one of the following four categories:  
Authentication mode: local
Meaning: Local password authentication
Description: The switch authenticates a user by using the privilege level switch password input by the user. When this mode is applied, you need to set the password for privilege level switch with the super password command.

Authentication mode: scheme
Meaning: Remote AAA authentication through HWTACACS or RADIUS
Description: The switch sends the username and password for privilege level switch to the HWTACACS or RADIUS server for remote authentication. When this mode is applied, you need to perform the following configurations:
Configure HWTACACS or RADIUS scheme and reference the created scheme in the ISP domain. For more information, see the Security Configuration Guide.
Create the corresponding user and configure password on the HWTACACS or RADIUS server.

Authentication mode: local scheme
Meaning: Performs the local password authentication first and then the remote AAA authentication
Description: The switch authenticates a user by using the local password first. If no local password is set, the privilege level is switched directly for the users logged in from the AUX port, and remote AAA authentication is performed on the users logged in from VTY user interfaces.

Authentication mode: scheme local
Meaning: Performs remote AAA authentication first and then the local password authentication
Description: AAA authentication is performed first, and if the remote HWTACACS or RADIUS server does not respond or AAA configuration on the switch is invalid, the local password authentication is performed.

Follow these steps to set the authentication mode for user privilege level switch:  
To do: Enter system view
Use the command: system-view

To do: Set the authentication mode for user privilege level switch
Use the command: super authentication-mode { local | scheme } *
Remarks: Optional. local by default.

To do: Configure the password for user privilege level switch
Use the command: super password [ level user-level ] { simple | cipher } password
Remarks: Required if the authentication mode is set to local. By default, no privilege level switch password is configured.

CAUTION:  
If no user privilege level is specified when you configure the password for switching the user privilege  
level with the super password command, the user privilege level defaults to 3.  
Specifying the simple keyword saves the password in plain text, which is less secure than specifying the  
cipher keyword, which saves the password in cipher text.  
If the user logs in from the AUX user interface (the console port), the user can switch the privilege level  
to a higher level even if the authentication mode is local and no password for user privilege level switch  
is configured.  
Switching the user privilege level  
Follow the step to switch the user privilege level:  
To do: Switch the user privilege level
Use the command: super [ level ]
Remarks: Required. When logging in to the switch, a user has a user privilege level, which depends on user interface or authentication user level. Available in user view.

When you switch the user privilege level, the information you need to provide varies with combinations  
of the user interface authentication mode and the super authentication mode.  
Table 6 Information input for user privilege level switch  
User interface authentication mode: none/password

User privilege level switch authentication mode: local
Information input for the first authentication mode: Local user privilege level switch password (configured on the switch)

User privilege level switch authentication mode: local scheme
Information input for the first authentication mode: Local user privilege level switch password
Information input after the authentication mode changes: Username and password for privilege level switch (configured on the AAA server)

User privilege level switch authentication mode: scheme
Information input for the first authentication mode: Username and password for privilege level switch

User privilege level switch authentication mode: scheme local
Information input for the first authentication mode: Username and password for privilege level switch
Information input after the authentication mode changes: Local user privilege level switch password

User interface authentication mode: scheme

User privilege level switch authentication mode: local
Information input for the first authentication mode: Local user privilege level switch password

User privilege level switch authentication mode: local scheme
Information input for the first authentication mode: Local user privilege level switch password
Information input after the authentication mode changes: Password for privilege level switch (configured on the AAA server). The system uses the username used for logging in as the privilege level switch username.

User privilege level switch authentication mode: scheme
Information input for the first authentication mode: Password for privilege level switch (configured on the AAA server). The system uses the username used for logging in as the privilege level switch username.

User privilege level switch authentication mode: scheme local
Information input for the first authentication mode: Password for privilege level switch (configured on the AAA server). The system uses the username used for logging in as the privilege level switch username.
Information input after the authentication mode changes: Local user privilege level switch password

CAUTION:  
When the authentication mode is set to local, configure the local password before switching to a higher  
user privilege level.  
When the authentication mode is set to scheme, configure AAA related parameters before switching to  
a higher user privilege level.  
The privilege level switch fails after three consecutive unsuccessful password attempts.  
For more information about user interface authentication, see the chapter “Logging in to the switch  
configuration.”  
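The decision rules of this section, modelled as an added Python example (not HP code): it returns which check a super request meets under each super authentication-mode and lists the combinations where a move to level 3 asks for no credential. Function and parameter names are hypothetical, and the outcomes marked as assumptions in the comments are inferred from the CAUTION notes rather than stated outright.

```python
# Model of the privilege level switch rules described in this section.
# Added illustration; names are hypothetical, not switch or HP code.
MODES = ("local", "scheme", "local scheme", "scheme local")


def switch_steps(current, target, super_mode, line, ui_mode,
                 local_password_set, aaa_responds=True):
    """Return the check applied to `super <target>`.

    [(authenticator, input requested)] -> that check must be passed
    []                                 -> level changes with no credential
    None                               -> the switch cannot succeed
    line is "aux" or "vty"; ui_mode is the user interface authentication mode.
    """
    if super_mode not in MODES:
        raise ValueError(f"unknown super authentication-mode: {super_mode!r}")
    if target <= current:
        return []  # equal or lower level: unconditional, no password asked

    local = [("local", "password")]
    # Table 6: after a scheme login the login username is reused, so only
    # the password is requested; otherwise username and password.
    aaa = [("aaa", "password" if ui_mode == "scheme" else "username and password")]

    def local_only():
        if local_password_set:
            return local
        # CAUTION in this section: a console (AUX) user can switch up even
        # though no super password exists. For VTY the page only says to set
        # the password first; treating that as failure is an assumption.
        return [] if line == "aux" else None

    if super_mode == "local":
        return local_only()
    if super_mode == "scheme":
        # Assumption: with no usable AAA server the switch fails.
        return aaa if aaa_responds else None
    if super_mode == "local scheme":
        if local_password_set:
            return local
        if line == "aux":
            return []
        return aaa if aaa_responds else None
    # "scheme local": AAA first, local password if the server does not respond.
    # Assumption: the fallback then behaves like plain local mode.
    return aaa if aaa_responds else local_only()


def free_escalations(aaa_responds=True):
    """(super_mode, line) pairs where level 0 -> 3 needs no credential
    when no super password has been configured."""
    return [(mode, line)
            for mode in MODES
            for line in ("aux", "vty")
            if switch_steps(0, 3, mode, line, "password", False, aaa_responds) == []]


if __name__ == "__main__":
    for mode, line in free_escalations():
        print(f"{line} line, super authentication-mode {mode}: no credential required")
```

Setting a super password with the cipher keyword removes every entry that free_escalations reports.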
Modifying the level of a command  
All the commands in a view default to different levels. The administrator can change the default level of  
a command to a different level as needed.  
Follow these steps to modify the command level:  
To do: Enter system view
Use the command: system-view

To do: Configure the command level in a specified view
Use the command: command-privilege level level view view command
Remarks: Required. See Table 5 for the default settings.

CAUTION:  
HP recommends that you use the default command level or modify the command level under the guidance  
of professional staff. An improper change of the command level may bring inconvenience to your  
maintenance and operation, or even potential security problems.  
Saving the current configuration  
On the device, you can input the save command in any view to save all of the submitted and executed  
commands into the configuration file. Commands saved in the configuration file can survive a reboot.  
The save command does not take effect on one-time commands, such as display commands, which  
display specified information, and the reset commands, which clear specified information. One-time  
commands that are executed are never saved.  
Displaying and maintaining CLI  
To do: Display defined command aliases and the corresponding commands
Use the command: display command-alias [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view

To do: Display the clipboard information
Use the command: display clipboard [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view

Login methods  
Login methods  
You can log in to the switch by using the following methods.  
Table 7 Login methods  
Login method  
Default state  
By default, you can log in to a device through the console port, the  
authentication mode is None (no username or password required),  
and the user privilege level is 3.  
By default, you cannot log in to a device through Telnet. To do so, log  
in to the device through the console port, and complete the following  
configuration:  
Enable the Telnet function.  
Configure the IP address of the VLAN interface, and make sure that  
your device and the Telnet client can reach each other (by default,  
the device does not have an IP address.).  
Configure the authentication mode of VTY login users (password  
by default).  
Configure the user privilege level of VTY login users (0 by default).  
By default, you cannot log in to a device through SSH. To do so, log  
in to the device through the console port, and complete the following  
configuration:  
Enable the SSH function and configure SSH attributes.  
Configure the IP address of the VLAN interface, and make sure that  
your device and the SSH client can reach each other (by default,  
your device does not have an IP address.).  
Configure the authentication mode of VTY login users as scheme  
(password by default).  
Configure the user privilege level of VTY login users (0 by default).  
By default, you can log in to a device through modems. The default  
user privilege level of modem login users is 3.  
Web login
By default, you cannot log in to a device through web. To do so, log
in to the device through the console port, and complete the following
configuration:
Configure the IP address of the VLAN interface (by default, your
device does not have an IP address.).
Configure a username and password for web login (not configured
by default).
Configure the user privilege level for web login (not configured by
default).
Configure the Telnet service type for web login (not configured by
default).
By default, you cannot log in to a device through a network  
management system (NMS). To do so, log in to the device through the  
console port, and complete the following configuration:  
Configure the IP address of the VLAN interface, and make sure the  
device and the NMS can reach each other (by default, your device  
does not have an IP address.).  
Configure SNMP basic parameters.  
User interface overview  
User interface, also called “line,” allows you to manage and monitor sessions between the terminal and
device when you log in to the device through the console port directly, or through Telnet or SSH.
One user interface corresponds to one user interface view where you can configure a set of parameters,  
such as whether to authenticate users at login, whether to redirect the requests to another device, and the  
user privilege level after login. When the user logs in through a user interface, the parameters set for the  
user interface apply.  
The system supports the following CLI configuration methods:  
Local configuration via the console port  
Local/Remote configuration through Telnet or SSH  
The methods correspond to the following user interfaces.  
AUX user interface: Used to manage and monitor users that log in via the Console port. The type of
the Console port is EIA/TIA-232 DCE.
VTY (virtual type terminal) user interface: Used to manage and monitor users that log in via VTY. A
VTY port is used for Telnet or SSH access.
Users and user interfaces  
Only one user can use a user interface at a time. The configuration made in a user interface view applies  
to any login user. For example, if user A uses the console port to log in, the configuration in the AUX user  
interface view applies to user A; if user A logs in through VTY 1, the configuration in VTY 1 user interface  
view applies to user A.  
A device can be equipped with one AUX user interface and 16 VTY user interfaces. These user interfaces  
are not associated with specific users. When a user initiates a connection request, the system  
automatically assigns the idle user interface with the smallest number to the user based on the login  
method. During the login, the configuration in the user interface view takes effect. The user interface  
varies depending on the login method and the login time.  
Numbering user interfaces  
User interfaces can be numbered by using absolute numbering or relative numbering.  
Absolute numbering  
Absolute numbering identifies a user interface or a group of different types of user interfaces. The  
specified user interfaces are numbered from number 0 with a step of 1 and in the sequence of AUX, and  
VTY user interfaces. You can use the display user-interface command without any parameters to view  
supported user interfaces and their absolute numbers.  
Relative numbering  
Relative numbering allows you to specify a user interface or a group of user interfaces of a specific type.  
The number format is “user interface type + number.” The following rules of relative numbering apply:
AUX user interfaces are numbered from 0 in the ascending order, with a step of 1.  
VTY user interfaces are numbered from 0 in the ascending order, with a step of 1.  
CLI login  
Overview  
The CLI enables you to interact with a device by typing text commands. At the CLI, you can instruct your  
device to perform a given task by typing a text command and then pressing Enter to submit it to your  
device. Compared with a GUI, where you can use a mouse to perform configuration, the CLI allows you  
to input more information in one command line.  
You can log in to the device at the CLI through the console port, Telnet, SSH, or modem.  
By default, you can log in to a device through the console port without any authentication, which  
introduces security problems.  
By default, you cannot log in to a device through Telnet or SSH, so you cannot remotely manage and
maintain the device.
Therefore, you need to perform configurations to increase device security and manageability.  
Logging in through the console port  
Introduction  
Logging in through the console port is the most common login method, and is also the first step to  
configure other login methods.  
After logging in to the device through the console port, you can configure other login methods. By default,  
you can log in to a device only through its console port.  
This section includes:  
Configuration requirements  
The following table shows the configuration requirements for console port login.  
Object: Device
Requirements: No configuration requirement

Object: Terminal
Requirements: Run the hyper terminal program. Configure the hyper terminal attributes.

The port properties of the hyper terminal must be the same as the default settings of the console port  
shown in the following table.  
Setting: Default
Bits per second: 9,600 bps
Flow control: None
Parity: None
Stop bits: 1
Data bits: 8
Login procedure  
Step1 Use the console cable shipped with the device to connect the PC and the device. Plug the DB-9 connector  
of the console cable into the serial port of the PC, and plug the RJ-45 connector into the console port of  
your device.  
Figure 4 Connect the device and PC through a console cable  
WARNING!  
Identify interfaces to avoid connection errors.  
NOTE:  
The serial port of a PC does not support hot-swap, so do not plug or unplug the console cable into or from  
the PC when your device is powered on. To connect the PC to the device, first plug the DB-9 connector of  
the console cable into the PC, and then plug the RJ-45 connector of the console cable into your device. To  
disconnect the PC from the device, first unplug the RJ-45 connector and then the DB-9 connector.  
Step2 Launch a terminal emulation program (such as HyperTerminal in Windows XP/Windows 2000). The  
following takes Windows XP’s HyperTerminal as an example. Select a serial port to be connected to the  
device, and set terminal parameters as follows: set Bits per second to 9600, Data bits to 8, Parity to  
None, Stop bits to 1, and Flow control to None, as shown in Figure 5 through Figure 7.  
NOTE:  
On Windows 2003 Server operating system, you need to add the HyperTerminal program first, and then  
log in to and manage the device as described in this document. On Windows 2008 Server, Windows 7,  
Windows Vista, or some other operating system, you need to obtain a third party terminal control  
program first, and follow the user guide or online help of that program to log in to the device.  
Figure 5 Connection description  
Figure 6 Specify the serial port used to establish the connection  
Figure 7 Set the properties of the serial port  
Step3 Turn on the device. You are prompted to press Enter if the device successfully completes the power-on self  
test (POST). A prompt such as <HP> appears after you press Enter, as shown in Figure 8.  
Figure 8 Configuration page  
Step4 Execute commands to configure the device or check the running status of the device. To get help, type ?.  
Console login authentication modes  
The following authentication modes are available for console port login: none, password, and scheme.  
none—Requires no username and password at the next login through the console port. This mode  
is insecure.  
password—Requires password authentication at the next login through the console port. Keep your  
password.  
scheme—Requires username and password authentication at the next login through the console  
port. Authentication falls into local authentication and remote authentication. To use local  
authentication, configure a local user and related parameters. To use remote authentication,  
configure the username and password on the remote authentication server. For more information  
about authentication modes and parameters, see the Security Configuration Guide.  
The following table lists console port login configurations for different authentication modes:  
Authentication mode: None
Configuration: Configure not to authenticate users
Remarks: For more information, see “Configuring none authentication for console login.”

Authentication mode: Password
Configuration: Configure to authenticate users by using the local password. Set the local password.
Remarks: For more information, see “Configuring password authentication for console login.”

Authentication mode: Scheme
Configuration: Configure the authentication scheme. Select an authentication scheme:
Remote AAA authentication: Configure a RADIUS/HWTACACS scheme. Configure the AAA scheme used by the domain. Configure the username and password on the AAA server.
Local authentication: Configure the authentication username and password. Configure the AAA scheme used by the domain as local.
Remarks: For more information, see “Configuring scheme authentication for console login.”

NOTE:  
A newly configured authentication mode does not take effect unless you exit and enter the CLI again.  
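A configuration check built on the rules above (which privilege level a login ends up with, the none mode being insecure, and the simple keyword storing passwords in plain text), added here as a Python example and not part of HP's guide. It reads a command sequence in the form the page's examples use, with relative user-interface numbering only; the function names, the constructed sample input, and the rule that flags a password-only line at level 3 are this example's own assumptions.

```python
import re

# Defaults stated in this guide: console (AUX) logins are unauthenticated and
# get level 3; VTY logins use password mode and get level 0; a local user with
# no authorization-attribute gets level 0.
DEFAULT_MODE = {"aux": "none", "vty": "password"}
DEFAULT_LEVEL = {"aux": 3, "vty": 0}
PROMPT = re.compile(r"^\s*(?:<[^>]*>|\[[^\]]*\])\s*")

# Constructed sample modelled on the page's two examples, with weak settings added.
SAMPLE = """\
<Sysname> system-view
[Sysname] user-interface vty 1
[Sysname-ui-vty1] authentication-mode scheme
[Sysname-ui-vty1] quit
[Sysname] local-user test
[Sysname-luser-test] password cipher 12345678
[Sysname-luser-test] service-type telnet
[Sysname-luser-test] authorization-attribute level 3
[Sysname-luser-test] quit
[Sysname] user-interface vty 2 15
[Sysname-ui-vty2-15] authentication-mode password
[Sysname-ui-vty2-15] set authentication password simple 123
[Sysname-ui-vty2-15] user privilege level 3
[Sysname-ui-vty2-15] quit
[Sysname] super password level 3 simple 123
"""


def parse(text):
    """Collect user-interface, local-user and super password settings."""
    cfg = {"uis": {}, "users": {}, "super_simple": False}
    view = None  # settings of the view the following commands apply to
    for raw in text.splitlines():
        cmd = " ".join(PROMPT.sub("", raw).split())
        if not cmd or cmd.startswith("#"):
            continue
        if m := re.fullmatch(r"user-interface (aux|vty) \d+(?: \d+)?", cmd):
            kind = m.group(1)
            view = cfg["uis"].setdefault(cmd.split(" ", 1)[1], {
                "kind": kind, "mode": DEFAULT_MODE[kind],
                "level": DEFAULT_LEVEL[kind], "simple": False})
        elif m := re.fullmatch(r"local-user (\S+)", cmd):
            view = cfg["users"].setdefault(m.group(1), {"level": 0, "simple": False})
        elif cmd == "quit":
            view = None
        elif re.fullmatch(r"super password (?:level \d+ )?simple \S+", cmd):
            cfg["super_simple"] = True
        elif view is None:
            continue
        elif m := re.fullmatch(r"authentication-mode (none|password|scheme)", cmd):
            view["mode"] = m.group(1)
        elif m := re.fullmatch(r"(?:user privilege|authorization-attribute) level (\d+)", cmd):
            view["level"] = int(m.group(1))
        elif re.fullmatch(r"(?:set authentication )?password simple \S+", cmd):
            view["simple"] = True
    return cfg


def effective_level(ui, user=None, ssh_publickey=False):
    """Privilege level after login, following the rules in this guide.

    none/password mode, or scheme mode with SSH publickey: the interface level.
    scheme mode with a local user: that user's level. Returns None when the
    level is decided by a remote AAA server.
    """
    if ui["mode"] in ("none", "password") or ssh_publickey:
        return ui["level"]
    return user["level"] if user else None


def audit(cfg):
    """Return (subject, finding) pairs for the weak settings named on the page."""
    uis = dict(cfg["uis"])
    if not any(ui["kind"] == "aux" for ui in uis.values()):
        # An untouched console line keeps the default: no authentication, level 3.
        uis["aux 0 (not configured)"] = {"kind": "aux", "mode": "none",
                                         "level": 3, "simple": False}
    findings = []
    for name, ui in uis.items():
        if ui["mode"] == "none":
            findings.append((name, f"no authentication, every login gets level {ui['level']}"))
        elif ui["mode"] == "password" and ui["level"] >= 3:
            # Policy choice of this example, not a rule from the guide.
            findings.append((name, "a shared password alone grants level 3"))
        if ui["simple"]:
            findings.append((name, "login password stored in plain text (simple)"))
    for name, user in cfg["users"].items():
        if user["simple"]:
            findings.append((f"local-user {name}", "password stored in plain text (simple)"))
    if cfg["super_simple"]:
        findings.append(("super password", "stored in plain text (simple)"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit(parse(SAMPLE)):
        print(f"{subject}: {finding}")
```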
Configuring none authentication for console login  
Configuration prerequisites  
You have logged in to the device.  
By default, you can log in to the device through the console port without authentication and have user  
privilege level 3 after login. For information about logging in to the device with the default configuration,  
Configuration procedure  
Follow these steps to configure none authentication for console login:  
To do: Enter system view
Use the command: system-view

To do: Enter AUX user interface view
Use the command: user-interface aux first-number [ last-number ]

To do: Specify the none authentication mode
Use the command: authentication-mode none
Remarks: Required. By default, you can log in to the device through the console port without authentication, and have user privilege level 3 after login.

To do: Configure common settings for AUX user interface view
Remarks: Optional

After the configuration, the next time you log in to the device through the console port, you are prompted  
to press Enter. A prompt such as <HP> appears after you press Enter, as shown in Figure 9.  
Figure 9 Configuration page  
Configuring password authentication for console login  
Configuration prerequisites  
You have logged in to the device.  
By default, you can log in to the device through the console port without authentication and have user  
privilege level 3 after login. For information about logging in to the device with the default configuration,  
Configuration procedure  
Follow these steps to configure password authentication for console login:  
To do: Enter system view
Use the command: system-view

To do: Enter AUX user interface view
Use the command: user-interface aux first-number [ last-number ]

To do: Configure the authentication mode as local password authentication
Use the command: authentication-mode password
Remarks: Required. By default, you can log in to the device through the console port without authentication and have user privilege level 3 after login.

To do: Set the local password
Use the command: set authentication password { cipher | simple } password
Remarks: Required. By default, no local password is set.

To do: Configure common settings for AUX user interface view
Remarks: Optional

When you log in to the device through the console port after configuration, you are prompted to enter a  
login password. A prompt such as <HP> appears after you input the password and press Enter, as shown  
in Figure 10.  
Figure 10 Configuration page  
Configuring scheme authentication for console login  
Configuration prerequisites  
You have logged in to the device.  
By default, you can log in to the device through the console port without authentication and have user  
privilege level 3 after login. For information about logging in to the device with the default configuration,  
Configuration procedure  
Follow these steps to configure scheme authentication for console login:  
To do: Enter system view
Use the command: system-view

To do: Enter AUX user interface view
Use the command: user-interface aux first-number [ last-number ]

To do: Specify the scheme authentication mode
Use the command: authentication-mode scheme
Remarks: Required. Whether local, RADIUS, or HWTACACS authentication is adopted depends on the configured AAA scheme. By default, users that log in through the console port are not authenticated.

To do: Enable command authorization
Use the command: command authorization
Remarks: Optional. By default, command authorization is not enabled. By default, the command level depends on the user privilege level. A user is authorized a command level not higher than the user privilege level. With command authorization enabled, the command level for a login user is determined by both the user privilege level and AAA authorization. If a user executes a command of the corresponding command level, the authorization server checks whether the command is authorized. If yes, the command can be executed. Before enabling command authorization, configure the AAA authorization server. After you enable command authorization, only commands authorized by the AAA authorization server can be executed.

To do: Enable command accounting
Use the command: command accounting
Remarks: Optional. By default, command accounting is disabled. The accounting server does not record the commands executed by users. Command accounting allows the HWTACACS server to record all the commands executed by users, regardless of command execution results. This helps control and monitor user operations on the device. If command accounting is enabled and command authorization is not enabled, every executed command is recorded on the HWTACACS server. If both command accounting and command authorization are enabled, only the authorized and executed commands are recorded on the HWTACACS server. Configure the AAA accounting server before enabling command accounting.

To do: Return to system view
Use the command: quit

To do: Configure the authentication mode (the next three steps)
Remarks: Optional. By default, the AAA scheme is local. If you specify the local AAA scheme, you need to perform local user configuration. If you specify an existing scheme by providing the radius-scheme-name argument, perform the following configuration as well:
For RADIUS and HWTACACS configuration, see the Security Configuration Guide.
Configure the username and password on the AAA server. (For more information about AAA, see the Security Configuration Guide.)

To do: Enter the ISP domain view
Use the command: domain domain-name

To do: Apply the specified AAA scheme to the domain
Use the command: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }

To do: Exit to system view
Use the command: quit

To do: Create a local user and enter local user view
Use the command: local-user user-name
Remarks: Required. By default, no local user exists.

To do: Set the authentication password for the local user
Use the command: password { cipher | simple } password
Remarks: Required

To do: Specify the command level of the local user
Use the command: authorization-attribute level level
Remarks: Optional. By default, the command level is 0.

To do: Specify the service type for the local user
Use the command: service-type terminal
Remarks: Required. By default, no service type is specified.

To do: Configure common settings for AUX user interface view
Remarks: Optional

After you enable command authorization, you need to perform the following configuration to make the function take effect:

- Create a HWTACACS scheme, and specify the IP address of the authorization server and other authorization parameters. For more information about AAA, see the Security Configuration Guide.
- Reference the created HWTACACS scheme in the ISP domain. For more information about AAA, see the Security Configuration Guide.

After you enable command accounting, you need to perform the following configuration to make the function take effect:

- Create a HWTACACS scheme, and specify the IP address of the accounting server and other accounting parameters. For more information about AAA, see the Security Configuration Guide.
- Reference the created HWTACACS scheme in the ISP domain. For more information about AAA, see the Security Configuration Guide.

When users adopt the scheme mode to log in to the device, the level of the commands that the users can access depends on the user privilege level defined in the AAA scheme.

- When the AAA scheme is local, the user privilege level is defined by the authorization-attribute level level command.
- When the AAA scheme is RADIUS or HWTACACS, the user privilege level is configured on the RADIUS or HWTACACS server.

For more information about AAA, RADIUS, and HWTACACS, see the Security Configuration Guide.

When you log in to the device through the console port after the configuration, you are prompted to enter  
a login username and password. A prompt such as <HP> appears after you input the password and  
username and press Enter, as shown in Figure 11.  
Figure 11 Configuration page  
Configuring common settings for console login (optional)  
Follow these steps to configure common settings for console port login:

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | |
| Enable display of copyright information | copyright-info enable | Optional. Enabled by default. |
| Enter AUX user interface view | user-interface aux first-number [ last-number ] | |
| Configure AUX user interface view properties: | | |
| Configure the baud rate | speed speed-value | Optional. By default, the transmission rate is 9600 bps. Transmission rate is the number of bits that the device transmits to the terminal per second. |
| Configure the parity check mode | parity { even \| none \| odd } | Optional. none by default. |
| Configure the stop bits | stopbits { 1 \| 1.5 \| 2 } | Optional. By default, the stop bits of the console port is 1. Stop bits are the last bits transmitted in data transmission to unequivocally indicate the end of a character. The more the bits are, the slower the transmission is. |
| Configure the data bits | databits { 5 \| 6 \| 7 \| 8 } | Optional. By default, the data bits of the console port is 8. Data bits is the number of bits representing one character. The setting depends on the contexts to be transmitted. For example, you can set it to 7 if standard ASCII characters are to be sent, and set it to 8 if extended ASCII characters are to be sent. |
| Define a shortcut key for enabling a terminal session | activation-key character | Optional. By default, you can press Enter to enable a terminal session. |
| Define a shortcut key for terminating tasks | escape-key { default \| character } | Optional. By default, you can press Ctrl+C to terminate a task. |
| Configure the flow control mode | flow-control { hardware \| none \| software } | Optional. By default, the value is none. |
| Configure the type of terminal display | terminal type { ansi \| vt100 } | Optional. By default, the terminal display type is ANSI. The device supports two types of terminal display: ANSI and VT100. HP recommends that you set the display type of both the device and the client to VT100. If the device and the client use different display types (for example, hyper terminal or Telnet terminal) or both are set to ANSI, when the total number of characters of the edited command line exceeds 80, an anomaly such as cursor corruption or abnormal display of the terminal display may occur on the client. |
| Configure the user privilege level for login users | user privilege level level | Optional. By default, the default command level is 3 for the AUX user interface. |
| Set the maximum number of lines on the next screen | screen-length screen-length | Optional. By default, the next screen displays 24 lines. A value of 0 disables the function. |
| Set the size of history command buffer | history-command max-size value | Optional. By default, the buffer saves 10 history commands at most. |
| Set the idle-timeout timer | idle-timeout minutes [ seconds ] | Optional. The default idle-timeout is 10 minutes. The system automatically terminates the user’s connection if no information interaction occurs between the device and the user within the idle-timeout time. Setting idle-timeout to 0 disables the timer. |

CAUTION:  
The common settings configured for console login take effect immediately. If you configure the common  
settings after you log in through the console port, the current connection may be interrupted, so you must  
use another login method. After you configure common settings for console login, you need to modify the  
settings on the terminal to make them consistent with those on the device.  
Logging in through Telnet  
Introduction  
The device supports Telnet. You can Telnet to the device to remotely manage and maintain it, as shown  
in Figure 12.  
Figure 12 Telnet login  
The following table shows the configuration requirements of Telnet login.  

| Object | Requirements |
| --- | --- |
| Telnet server | Configure the IP address of the VLAN interface, and make sure the Telnet server and client can reach each other. Configure the authentication mode and other settings. |
| Telnet client | Run the Telnet client program. Obtain the IP address of the VLAN interface on the server. |

By default, the device is enabled with the Telnet server and client functions.  
On a device that serves as the Telnet client, you can log in to a Telnet server to perform operations  
on the server.  
On a device that serves as the Telnet server, you can configure the authentication mode and user  
privilege level for Telnet users. By default, you cannot log in to the device through Telnet. Before you  
can Telnet to the device, you need to log in to the device through the console port, enable Telnet  
server, and configure the authentication mode, user privilege level, and common settings.  
Telnet login authentication modes  
Three authentication modes are available for Telnet login: none, password, and scheme.

- none—Requires no username and password at the next login through Telnet. This mode is insecure.
- password—Requires password authentication at the next login through Telnet. Keep your password. If you lose your password, log in to the device through the console port to view or modify the password.
- scheme—Requires username and password authentication at the next login through Telnet. Authentication falls into local authentication and remote authentication. To use local authentication, configure a local user and related parameters. To use remote authentication, configure the username and password on the remote authentication server. For more information about authentication modes and parameters, see the Security Configuration Guide. Keep your username and password. If you lose your local authentication password, log in to the device through the console port to view or modify the password. If you lose your remote authentication password, contact the administrator.

The following table lists Telnet login configurations for different authentication modes.  

| Authentication mode | Configuration | Remarks |
| --- | --- | --- |
| None | Configure not to authenticate users | For more information, see login.” |
| Password | Configure to authenticate users by using the local password. Set the local password. | For more information, see login.” |
| Scheme | Configure the authentication scheme. Select an authentication scheme: remote AAA authentication (configure a RADIUS/HWTACACS scheme, configure the AAA scheme used by the domain, configure the username and password on the AAA server) or local authentication (configure the authentication username and password, configure the AAA scheme used by the domain as local). | For more information, see login.” |

Configuring none authentication for Telnet login  
Configuration prerequisites  
You have logged in to the device.  
By default, you can log in to the device through the console port without authentication and have user  
privilege level 3 after login. For information about logging in to the device with the default configuration,  
Configuration procedure  
Follow these steps to configure none authentication for Telnet login:  

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | |
| Enable Telnet | telnet server enable | Required. By default, the Telnet service is disabled. |
| Enter one or multiple VTY user interface views | user-interface vty first-number [ last-number ] | |
| Specify the none authentication mode | authentication-mode none | Required. By default, authentication mode for VTY user interfaces is password. |
| Configure the command level for login users on the current user interfaces | user privilege level level | Required. By default, the default command level is 0 for VTY user interfaces. |
| Configure common settings for VTY user interfaces | | Optional |

When you log in to the device through Telnet again:  
You enter the VTY user interface, as shown in Figure 13.  
If “All user interfaces are used, please try later!” is displayed, it means the current login users exceed the maximum number. Please try later.  
Figure 13 Configuration page  
Configuring password authentication for Telnet login  
Configuration prerequisites  
You have logged in to the device.  
By default, you can log in to the device through the console port without authentication and have user  
privilege level 3 after login. For information about logging in to the device with the default configuration,  
Configuration procedure  
Follow these steps to configure password authentication for Telnet login:  

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | |
| Enable Telnet | telnet server enable | Required. By default, the Telnet service is disabled. |
| Enter one or multiple VTY user interface views | user-interface vty first-number [ last-number ] | |
| Specify the password authentication mode | authentication-mode password | Required. By default, authentication mode for VTY user interfaces is password. |
| Set the local password | set authentication password { cipher \| simple } password | Required. By default, no local password is set. |
| Configure the user privilege level for login users | user privilege level level | Required. 0 by default. |
| Configure common settings for VTY user interfaces | | Optional. See “Configuring common settings for VTY user interfaces (optional).” |

When you log in to the device through Telnet again:  
You are required to enter the login password. A prompt such as <HP> appears after you enter the  
correct password and press Enter, as shown in Figure 14.  
If “All user interfaces are used, please try later!” is displayed, it means the number of current concurrent login users exceeds the maximum. Please try later.  
Figure 14 Configuration page  
Configuring scheme authentication for Telnet login  
Configuration prerequisites  
You have logged in to the device.  
By default, you can log in to the device through the console port without authentication and have user  
privilege level 3 after login. For information about logging in to the device with the default configuration,  
Configuration procedure  
Follow these steps to configure scheme authentication for Telnet login:

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | |
| Enable Telnet | telnet server enable | Required. By default, the Telnet service is disabled. |
| Enter one or multiple VTY user interface views | user-interface vty first-number [ last-number ] | |
| Specify the scheme authentication mode | authentication-mode scheme | Required. Whether local, RADIUS, or HWTACACS authentication is adopted depends on the configured AAA scheme. By default, local authentication is adopted. |
| Enable command authorization | command authorization | Optional. By default, command authorization is not enabled. By default, the command level depends on the user privilege level. A user is authorized a command level not higher than the user privilege level. With command authorization enabled, the command level for a login user is determined by both the user privilege level and AAA authorization. If a user executes a command of the corresponding command level, the authorization server checks whether the command is authorized. If yes, the command can be executed. Before enabling command authorization, configure the AAA authorization server. After you enable command authorization, only commands authorized by the AAA authorization server can be executed. |
| Enable command accounting | command accounting | Optional. By default, command accounting is disabled. The accounting server does not record the commands executed by users. Command accounting allows the HWTACACS server to record all executed commands that are supported by the device, regardless of the command execution result. This helps control and monitor user operations on the device. If command accounting is enabled and command authorization is not enabled, every executed command is recorded on the HWTACACS server. If both command accounting and command authorization are enabled, only the authorized and executed commands are recorded on the HWTACACS server. Configure the AAA accounting server before enabling command accounting. |
| Exit to system view | quit | |
| Configure the authentication mode: | | Optional. By default, the AAA scheme is local. If you specify the local AAA scheme, perform the configuration concerning local user as well. If you specify an existing scheme by providing the radius-scheme-name argument, perform the following configuration as well: for RADIUS and HWTACACS configuration, see the Security Configuration Guide; configure the username and password on the AAA server. (For more information, see the Security Configuration Guide.) |
| Enter the default ISP domain view | domain domain-name | |
| Specify the AAA scheme to be applied to the domain | authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] \| local \| none \| radius-scheme radius-scheme-name [ local ] } | |
| Exit to system view | quit | |
| Create a local user and enter local user view | local-user user-name | By default, no local user exists. |
| Set the local password | password { cipher \| simple } password | Required. By default, no local password is set. |
| Specify the command level of the local user | authorization-attribute level level | Optional. By default, the command level is 0. |
| Specify the service type for the local user | service-type telnet | Required. By default, no service type is specified. |
| Exit to system view | quit | |
| Configure common settings for VTY user interfaces | | Optional |

After you enable command authorization, you need to perform the following configuration to make the function take effect:

- Create a HWTACACS scheme, and specify the IP address of the authorization server and other authorization parameters. For more information, see the Security Configuration Guide.
- Reference the created HWTACACS scheme in the ISP domain. For more information, see the Security Configuration Guide.

After you enable command accounting, you need to perform the following configuration to make the function take effect:

- Create a HWTACACS scheme, and specify the IP address of the accounting server and other accounting parameters. For more information, see the Security Configuration Guide.
- Reference the created HWTACACS scheme in the ISP domain. For more information, see the Security Configuration Guide.

When users adopt the scheme mode to log in to the device, the level of the commands that the users can access depends on the user privilege level defined in the AAA scheme.

- When the AAA scheme is local, the user privilege level is defined by the authorization-attribute level level command.
- When the AAA scheme is RADIUS or HWTACACS, the user privilege level is configured on the RADIUS or HWTACACS server.

For more information about AAA, RADIUS, and HWTACACS, see the Security Configuration Guide.

When you log in to the device through Telnet again:  
You are required to enter the login username and password. A prompt such as <HP> appears after  
you enter the correct username (for example, admin) and password and press Enter, as shown in  
After you enter the correct username and password, if the device prompts you to enter another  
password of the specified type, you will be authenticated for the second time. In other words, to  
pass authentication, you must enter a correct password as prompted.  
If “All user interfaces are used, please try later!” is displayed, it means the current login users exceed the maximum number. Please try later.  
Figure 15 Configuration page  
Configuring common settings for VTY user interfaces (optional)  
Follow these steps to configure common settings for VTY user interfaces:  

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | |
| Enable display of copyright information | copyright-info enable | Optional. Enabled by default. |
| Enter one or multiple VTY user interface views | user-interface vty first-number [ last-number ] | |
| User interface configuration: | | |
| Enable the terminal service | shell | Optional. Enabled by default. |
| Enable the current user interface(s) to support either Telnet, SSH, or both of them | protocol inbound { all \| ssh \| telnet } | Optional. By default, both protocols are supported. The configuration takes effect next time you log in. |
| Define a shortcut key for terminating tasks | escape-key { default \| character } | Optional. By default, you can press Ctrl+C to terminate a task. |
| Configure the type of terminal display | terminal type { ansi \| vt100 } | Optional. By default, the terminal display type is ANSI. |
| Set the maximum number of lines on the next screen | screen-length screen-length | Optional. By default, the next screen displays 24 lines. A value of 0 disables the function. |
| Set the size of history command buffer | history-command max-size value | Optional. By default, the buffer saves 10 history commands. |
| Set the idle-timeout timer | idle-timeout minutes [ seconds ] | Optional. The default idle-timeout is 10 minutes for all user interfaces. The system automatically terminates the user’s connection if no information interaction occurs between the device and the user in timeout time. Setting idle-timeout to 0 disables the timer. |
| Specify a command to be automatically executed when a user logs in to the current user interface | auto-execute command command | Optional. By default, command auto-execution is disabled. The system automatically executes the specified command when a user logs in to the user interface, and tears down the user connection after the command is executed. If the command triggers another task, the system does not tear down the user connection until the task is completed. A Telnet command is usually specified to enable the user to automatically Telnet to the specified device. |

CAUTION:  
The auto-execute command command may disable you from configuring the system through the user  
interface to which the command is applied. Use it with caution.  
Before executing the auto-execute command command and saving the configuration (by using the save  
command), make sure that you can access the device through VTY and AUX user interfaces so that you  
can remove the configuration if a problem occurs.  
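
Added example, not part of the HP guide: a Python check that reads saved configuration text and reports the login settings from this chapter that deserve review (authentication-mode none, a VTY reachable over Telnet, a password entered with simple, idle-timeout 0), applying the defaults stated in the tables above when a line is absent. The sample configuration is constructed, the `#`-separated, one-space-indented layout is an assumption about how the configuration text is saved, and the finding names are hypothetical labels.

```python
import re

# Constructed sample. Assumed layout: "#" separators and one-space indentation
# under each user-interface line. Every command in it appears in this guide.
SAMPLE_CONFIG = """\
#
 telnet server enable
#
user-interface aux 0
 idle-timeout 0 0
user-interface vty 0 2
 authentication-mode none
 user privilege level 3
user-interface vty 3 4
 authentication-mode password
 set authentication password simple Example123
#
"""

# Defaults this guide states for each user interface type.
DEFAULTS = {
    "aux": {"auth": "none", "level": 3, "protocol": None, "idle": (10, 0)},
    "vty": {"auth": "password", "level": 0, "protocol": "all", "idle": (10, 0)},
}

SETTING_PATTERNS = [
    ("auth", re.compile(r"authentication-mode (none|password|scheme)$")),
    ("level", re.compile(r"user privilege level (\d+)$")),
    ("protocol", re.compile(r"protocol inbound (all|ssh|telnet)$")),
    ("idle", re.compile(r"idle-timeout (\d+)(?: (\d+))?$")),
    ("simple", re.compile(r"set authentication password simple ")),
]


def parse(config):
    """Split configuration text into global commands and user-interface blocks."""
    global_cmds, blocks, current = set(), [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None
        elif line.startswith("user-interface "):
            kind = line.split()[1]
            current = dict(DEFAULTS.get(kind, {}), kind=kind, simple=False,
                           name=line[len("user-interface "):])
            if kind in DEFAULTS:  # only AUX and VTY are covered here
                blocks.append(current)
        elif current is not None and raw[:1].isspace():
            for key, pattern in SETTING_PATTERNS:
                m = pattern.match(line)
                if not m:
                    continue
                if key == "level":
                    current[key] = int(m.group(1))
                elif key == "idle":
                    current[key] = (int(m.group(1)), int(m.group(2) or 0))
                elif key == "simple":
                    current[key] = True
                else:
                    current[key] = m.group(1)
        else:
            current = None
            global_cmds.add(line)
    return global_cmds, blocks


def audit(config):
    """Return a sorted list of (user interface, finding) pairs."""
    global_cmds, blocks = parse(config)
    # The guide's tables give the Telnet service as disabled by default.
    telnet_on = "telnet server enable" in global_cmds
    findings = []
    for b in blocks:
        if b["auth"] == "none":
            findings.append((b["name"], "no-authentication"))
            if b["level"] == 3:
                findings.append((b["name"], "level-3-without-login"))
        # Telnet sends the login exchange in clear text; SSH is the protected path.
        if b["kind"] == "vty" and telnet_on and b["protocol"] in ("all", "telnet"):
            findings.append((b["name"], "telnet-cleartext-login"))
        # "simple" keeps the password readable in the configuration
        # (Comware behaviour, not stated in this chapter).
        if b["simple"]:
            findings.append((b["name"], "password-stored-as-simple"))
        if b["idle"] == (0, 0):  # 0 disables the idle-timeout timer
            findings.append((b["name"], "idle-timeout-disabled"))
    return sorted(findings)


if __name__ == "__main__":
    for interface, finding in audit(SAMPLE_CONFIG):
        print(f"user-interface {interface}: {finding}")
```
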
Configuring the device to log in to a Telnet server as a Telnet client  
Configuration prerequisites  
You have logged in to the device.  
By default, you can log in to the device through the console port without authentication and have user  
privilege level 3 after login. For information about logging in to the device with the default configuration,  
Figure 16 Log in to another device from the current device  
NOTE:  
If the Telnet client port and the Telnet server port that connect them are not in the same subnet, make sure  
that the two devices can reach each other.  
Configuration procedure  
Follow the step below to configure the device to log in to a Telnet server as a Telnet client:  

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Configure the device to log in to a Telnet server as a Telnet client | telnet remote-host [ service-port ] [ \| [ source { interface interface-type interface-number \| ip ip-address } ] ] | Required. Use either command. Available in user view |
| | telnet ipv6 remote-host [ -i interface-type interface-number ] [ port-number ] | |
| Specify the source IPv4 address or source interface for sending Telnet packets | telnet client source { interface interface-type interface-number \| ip ip-address } | Optional. By default, no source IPv4 address or source interface is specified. The source IPv4 address is selected by routing. |

Logging in through SSH  
Introduction  
Secure Shell (SSH) offers an approach to log into a remote device securely. By providing encryption and  
strong authentication, it protects devices against attacks such as IP spoofing and plain text password  
interception. The device supports SSH, and you can log in to the device through SSH to remotely manage  
and maintain the device, as shown in Figure 17.  
Figure 17 SSH login diagram  
The following table shows the configuration requirements of SSH login.  

| Object | Requirements |
| --- | --- |
| SSH server | Configure the IP address of the VLAN interface, and make sure the SSH server and client can reach each other. Configure the authentication mode and other settings. |
| SSH client | Run the SSH client program. Obtain the IP address of the VLAN interface on the server. |

By default, the device is enabled with the SSH server and client functions.  
On a device that serves as the SSH client, you can log in to an SSH server to perform operations on  
the server.  
On a device that serves as the SSH server, you can configure the authentication mode and user level  
for SSH users. By default, password authentication is adopted for SSH login, but no login password  
is configured, so you cannot log in to the device through SSH by default. Before you can log in to  
the device through SSH, you need to log in to the device through the console port and configure the  
authentication mode, user level, and common settings.  
Configuring the SSH server  
Configuration prerequisites  
You have logged in to the device, and want to log in to the device through SSH in the future.  
By default, you can log in to the device through the console port without authentication and have user  
privilege level 3 after login. For information about logging in to the device with the default configuration,  
Configuration procedure  
Follow these steps to configure the device that serves as an SSH server:  

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | |
| Create local key pair(s) | public-key local create { dsa \| rsa } | Required. By default, no local key pair(s) are created. |
| Enable SSH server | ssh server enable | Required. By default, SSH server is disabled. |
| Enter one or more VTY user interface views | user-interface vty first-number [ last-number ] | |
| Specify the scheme authentication mode | authentication-mode scheme | Required. By default, authentication mode for VTY user interfaces is password. |
| Enable the current user interface to support SSH | protocol inbound { all \| ssh } | Optional. By default, Telnet and SSH are supported. |
| Enable command authorization | command authorization | Optional. By default, command authorization is not enabled. By default, command level for a login user depends on the user privilege level. The user is authorized the command with the default level not higher than the user privilege level. With the command authorization configured, the command level for a login user is determined by both the user privilege level and AAA authorization. If a user executes a command of the corresponding command level, the authorization server checks whether the command is authorized. If yes, the command can be executed. |
| Enable command accounting | command accounting | Optional. By default, command accounting is disabled. The accounting server does not record the commands executed by users. Command accounting allows the HWTACACS server to record all executed commands that are supported by the device, regardless of the command execution result. This helps control and monitor user operations on the device. If command accounting is enabled and command authorization is not enabled, every executed command is recorded on the HWTACACS server. If both command accounting and command authorization are enabled, only the authorized and executed commands are recorded on the HWTACACS server. |
| Exit to system view | quit | |
| Configure the authentication mode: | | Optional. By default, the AAA scheme is local. If you specify the local AAA scheme, perform the configuration concerning local user as well. If you specify an existing scheme by providing the radius-scheme-name argument, perform the following configuration as well: for RADIUS and HWTACACS configuration, see the Security Configuration Guide; configure the username and password on the AAA server. (For more information, see the Security Configuration Guide.) |
| Enter the default ISP domain view | domain domain-name | |
| Apply the specified AAA scheme to the domain | authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] \| local \| none \| radius-scheme radius-scheme-name [ local ] } | |
| Exit to system view | quit | |
| Create a local user and enter local user view | local-user user-name | Required. By default, no local user exists. |
| Set the local password | password { cipher \| simple } password | Required. By default, no local password is set. |
| Specify the command level of the local user | authorization-attribute level level | Optional. By default, the command level is 0. |
| Specify the service type for the local user | service-type ssh | Required. By default, no service type is specified. |
| Return to system view | quit | |
| Create an SSH user, and specify the authentication mode for the SSH user | ssh user username service-type stelnet authentication-type { password \| { any \| password-publickey \| publickey } assign publickey keyname } | Required. By default, no SSH user exists, and no authentication mode is specified. |
| Configure common settings for VTY user interfaces | | Optional. See “Configuring common settings for VTY user interfaces (optional).” |

NOTE:  
This chapter describes how to configure an SSH client by using password authentication. For more  
information about SSH and how to configure an SSH client by using publickey, see the Security  
Configuration Guide.  
After you enable command authorization or command accounting, you need to perform the following configuration to make the function take effect:

- Create a HWTACACS scheme, and specify the IP address of the authorization server and other authorization parameters.
- Reference the created HWTACACS scheme in the ISP domain.

For more information, see the Security Configuration Guide.

When users adopt the scheme mode to log in to the device, the level of the commands that the users can access depends on the user privilege level defined in the AAA scheme.

- When the AAA scheme is local, the user privilege level is defined by the authorization-attribute level level command.
- When the AAA scheme is RADIUS or HWTACACS, the user privilege level is configured on the RADIUS or HWTACACS server.

For more information about AAA, RADIUS, and HWTACACS, see the Security Configuration Guide.

Configuring the SSH client to log in to the SSH server  
Configuration prerequisites  
You have logged in to the device.  
By default, you can log in to the device through the console port without authentication and have user  
privilege level 3 after login. For information about logging in to the device with the default configuration,  
see “Configuration requirements.”  
Figure 18 Log in to another device from the current device  
NOTE:  
If the SSH client and the SSH server are not in the same subnet, make sure that the two devices can reach  
each other.  
Configuration procedure  
Follow these steps to configure the SSH client to log in to the SSH server:  

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Log in to an IPv4 SSH server | ssh2 server | Required. server is the IPv4 address or host name of the server. Available in user view |
| Log in to an IPv6 SSH server | ssh2 ipv6 server | Required. server is the IPv6 address or host name of the server. Available in user view |

NOTE:  
You can configure other settings for the SSH client to work with the SSH server. For more information, see  
the Security Configuration Guide.  
Logging in through modems  
Introduction  
The administrator can use two modems to remotely maintain a switch through its Console port over the  
Public Switched Telephone Network (PSTN) when the IP network connection is broken.  
Configuration requirements  
By default, no authentication is needed when you log in through modems, and the default user privilege  
level is 3.  
To use this method, perform necessary configurations on both the device side and administrator side.  
The following table shows the remote login configuration requirements through the console port by using  
modem dial-in:  

| Object | Requirement |
| --- | --- |
| Administrator side | The PC is correctly connected to the modem. The modem is connected to a telephone cable that works properly. The telephone number of the remote modem connected to the console port of the remote switch is obtained. |
| Device side | The console port is correctly connected to the modem. Configurations have been configured on the modem. The modem is connected to a telephone cable that works properly. Authentication configuration has been completed on the remote switch. |

Login procedure  
Step1 Set up a configuration environment as shown in Figure 19: connect the serial port of the PC and the  
console port of the device to a modem respectively.  
Figure 19 Set up a configuration terminal  
Step2 Configuration on the administrator side  
The PC and the modem are correctly connected, the modem is connected to a telephone cable, and the  
telephone number of the remote modem connected to the console port of the remote switch is obtained.  
NOTE:  
Note the following device settings:  
The baud rate of the Console port is lower than the transmission rate of the modem. Otherwise, packets  
may be lost.  
The parity check mode, stop bits, and data bits of the console port adopt the default settings.  
Step3 Perform the following configurations on the modem that is directly connected to the device:  
AT&F ----------------------- Restore the factory defaults  
ATS0=1 ----------------------- Configure auto-answer on first ring  
AT&D ----------------------- Ignore data Terminal Ready signals  
AT&K0 ----------------------- Disable local flow control  
AT&R1 ----------------------- Ignore Data Flow Control signals  
AT&S0 ----------------------- Force DSR to remain on  
ATEQ1&W ----------------------- Disable the modem from response to commands and save the configuration  
To verify your configuration, enter AT&V to show the configuration results.  
NOTE:  
The configuration commands and the output for different modems may be different. For more information,  
see your modem’s user guide.  
Step4 Launch a terminal emulation utility (such as HyperTerminal in Windows XP/Windows 2000), and create  
a new connection (the telephone number is the number of the modem connected to the device).  
NOTE:  
On Windows 2003 Server operating system, you need to add the HyperTerminal program first, and then  
log in to and manage the device as described in this document. On Windows 2008 Server, Windows 7,  
Windows Vista, or some other operating system, you need to obtain a third party terminal control  
program first, and follow that program’s user guide or online help to log in to the device.  
Step5 Dial the destination number on the PC to establish a connection with the device, as shown in Figure 20  
through Figure 22.  
Figure 20 Connection description  
Figure 21 Enter the phone number  
Figure 22 Dial the number  
Step6 Character string CONNECT9600 is displayed on the terminal. Then a prompt appears when you press  
Enter.  
Figure 23 Configuration page  
Step7 If the authentication mode is password, a prompt (for example, HP) appears when you type the  
configured password on the remote terminal. Then you can configure or manage the router. To get help,  
type ?.  
Step8 Execute commands to configure the device or check the running status of the device. To get help, type ?.  
NOTE:  
To terminate the connection between the PC and device, execute the ATH command on the terminal to  
terminate the connection between the PC and modem. If you cannot execute the command on the  
terminal, input AT+ + + and then press Enter. When you are prompted OK, execute the ATH command,  
and the connection is terminated if OK is displayed. You can also terminate the connection between the  
PC and device by clicking  
on the hyper terminal window.  
Do not close the hyper terminal directly. Otherwise, the remote modem may always be online, and you  
will fail to dial in the next time.  
Modem login authentication modes  
The following authentication modes are available for modem dial-in login: none, password, and  
scheme.  
none—Requires no username and password at the next login through modems. This mode is insecure.  
password—Requires password authentication at the next login through the console port. Keep your  
password.  
scheme—Requires username and password authentication at the next login through the console port.  
Authentication falls into local authentication and remote authentication. To use local authentication,  
configure a local user and related parameters. To use remote authentication, configure the username  
and password on the remote authentication server. For more information about authentication modes  
and parameters, see the Security Configuration Guide. Keep your username and password.  
The following table lists modem login configurations for different authentication modes:  
Authentication mode: None  
Configuration: Configure not to authenticate users  
Remarks: For more information, see login.”  

Authentication mode: Password  
Configuration: Configure to authenticate users by using the local password. Set the local password.  
Remarks: For more information, see login.”  

Authentication mode: Scheme  
Configuration: Configure the authentication scheme. Select an authentication scheme:  
Remote AAA authentication: Configure a RADIUS/HWTACACS scheme. Configure the AAA scheme used by the domain. Configure the username and password on the AAA server.  
Local authentication: Configure the authentication username and password. Configure the AAA scheme used by the domain as local.  
Remarks: For more information, see login.”  
NOTE:  
Modem login authentication changes do not take effect until you exit the CLI and log in again.  
Configuring none authentication for modem login  
Configuration prerequisites  
You have logged in to the device.  
By default, you can log in to the device through the console port without authentication and have user  
privilege level 3 after login. For information about logging in to the device with the default configuration,  
Configuration procedure  
Follow these steps to configure none authentication for modem login:  
To do: Enter system view  
Use the command: system-view  

To do: Enter one or more AUX user interface views  
Use the command: user-interface aux first-number [ last-number ]  

To do: Specify the none authentication mode  
Use the command: authentication-mode none  
Remarks: Required. By default, users that log in through the console port are not authenticated.  

To do: Configure common settings for VTY user interfaces  
Remarks: Optional  
When you log in to the device through modems after the configuration, you are prompted to press Enter.  
A prompt such as <HP> appears after you press Enter, as shown in Figure 24.  
Figure 24 Configuration page  
Configuring password authentication for modem login  
Configuration prerequisites  
You have logged in to the device.  
By default, you can log in to the device through the console port without authentication and have user  
privilege level 3 after login. For information about logging in to the device with the default configuration,  
Configuration procedure  
Follow these steps to configure password authentication for modem login:  
To do: Enter system view  
Use the command: system-view  

To do: Enter one or more AUX user interface views  
Use the command: user-interface aux first-number [ last-number ]  

To do: Specify the password authentication mode  
Use the command: authentication-mode password  
Remarks: Required. By default, the authentication mode is none for modem users  

To do: Set the local password  
Use the command: set authentication password { cipher | simple } password  
Remarks: Required. By default, no local password is set.  

To do: Configure common settings for VTY user interfaces  
Remarks: Optional. For more information, see  
When you log in to the device through modems after the configuration, you are prompted to enter a login  
password. A prompt such as <HP> appears after you input the password and press Enter, as shown in  
Figure 25 Configuration page  
Configuring scheme authentication for modem login  
Configuration prerequisites  
You have logged in to the device.  
By default, you can log in to the device through the console port without authentication and have user  
privilege level 3 after login. For information about logging in to the device with the default configuration,  
Configuration procedure  
Follow these steps to configure scheme authentication for modem login:  
To do: Enter system view  
Use the command: system-view  

To do: Enter AUX user interface view  
Use the command: user-interface aux first-number [ last-number ]  

To do: Specify the scheme authentication mode  
Use the command: authentication-mode scheme  
Remarks: Required. Whether local, RADIUS, or HWTACACS authentication is adopted depends on the configured AAA scheme. By default, the authentication mode is none for modem users  

To do: Enable command authorization  
Use the command: command authorization  
Remarks: Optional. By default, command authorization is not enabled. By default, command level for a login user depends on the user privilege level. The user is authorized the command with the default level not higher than the user privilege level. With the command authorization configured, the command level for a login user is determined by both the user privilege level and AAA authorization. If a user executes a command of the corresponding command level, the authorization server checks whether the command is authorized. If yes, the command can be executed. Before enabling command authorization, configure the AAA authorization server. After you enable command authorization, only commands authorized by the AAA authorization server can be executed.  

To do: Enable command accounting  
Use the command: command accounting  
Remarks: Optional. By default, command accounting is disabled. The accounting server does not record the commands executed by users. Command accounting allows the HWTACACS server to record all executed commands that are supported by the device, regardless of the command execution result. This helps control and monitor user operations on the device. If command accounting is enabled and command authorization is not enabled, every executed command is recorded on the HWTACACS server. If both command accounting and command authorization are enabled, only the authorized and executed commands are recorded on the HWTACACS server. Configure the AAA accounting server before enabling command accounting.  

To do: Exit to system view  
Use the command: quit  

To do: Configure the authentication mode (the next three rows)  
Remarks: Optional. By default, the AAA scheme is local. If you specify the local AAA scheme, perform the configuration concerning local user as well. If you specify an existing scheme by providing the radius-scheme-name argument, perform the following configuration as well: For RADIUS and HWTACACS configuration, see the Security Configuration Guide. Configure the username and password on the AAA server. (For more information, see the Security Configuration Guide.)  

To do: Enter the default ISP domain view  
Use the command: domain domain-name  

To do: Apply the specified AAA scheme to the domain  
Use the command: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }  

To do: Return to system view  
Use the command: quit  

To do: Create a local user and enter local user view  
Use the command: local-user user-name  
Remarks: Required. By default, no local user exists.  

To do: Set the authentication password for the local user  
Use the command: password { cipher | simple } password  
Remarks: Required  

To do: Specify the command level of the local user  
Use the command: authorization-attribute level level  
Remarks: Optional. By default, the command level is 0.  

To do: Specify the service type for the local user  
Use the command: service-type terminal  
Remarks: Required. By default, no service type is specified.  

To do: Configure common settings for VTY user interfaces  
Remarks: Optional  
After you enable command authorization, you need to perform the following configuration to make the  
function take effect:  
Create a HWTACACS scheme, and specify the IP address of the authorization server and other  
authorization parameters. For more information, see the Security Configuration Guide.  
Reference the created HWTACACS scheme in the ISP domain. For more information, see the  
Security Configuration Guide.  
After you enable command accounting, you need to perform the following configuration to make the  
function take effect:  
Create a HWTACACS scheme, and specify the IP address of the accounting server and other  
accounting parameters. For more information, see the Security Configuration Guide.  
Reference the created HWTACACS scheme in the ISP domain. For more information, see the  
Security Configuration Guide.  
When users adopt the scheme mode to log in to the device, the level of the commands that the users can  
access depends on the user privilege level defined in the AAA scheme.  
When the AAA scheme is local, the user privilege level is defined by the authorization-attribute  
level level command.  
When the AAA scheme is RADIUS or HWTACACS, the user privilege level is configured on the  
RADIUS or HWTACACS server.  
For more information about AAA, RADIUS, and HWTACACS, see the Security Configuration Guide.  
When you log in to the device through modems after the configuration, you are prompted to enter a login  
username and password. A prompt such as <HP> appears after you input the password and username  
and press Enter, as shown in Figure 26.  
Figure 26 Configuration page  
Configuring common settings for modem login (optional)  
Follow these steps to configure common settings for modem login:  
To do: Enter system view  
Use the command: system-view  

To do: Enable display of copyright information  
Use the command: copyright-info enable  
Remarks: Optional. Enabled by default.  

To do: Enter one or more AUX user interface views  
Use the command: user-interface aux first-number [ last-number ]  

Configure AUX user interface properties:  

To do: Configure the baud rate  
Use the command: speed speed-value  
Remarks: Optional. By default, the baud rate is 9600 bps. Transmission rate is the number of bits that the device transmits to the terminal per second.  

To do: Configure the parity check mode  
Use the command: parity { even | none | odd }  
Remarks: Optional. By default, the parity check mode is none, which means no check bit.  

To do: Configure the stop bits  
Use the command: stopbits { 1 | 1.5 | 2 }  
Remarks: Optional. By default, the stop bits of the console port is 1. Stop bits are the last bits transmitted in data transmission to unequivocally indicate the end of a character. The more the bits are, the slower the transmission is.  

To do: Configure the data bits  
Use the command: databits { 5 | 6 | 7 | 8 }  
Remarks: Optional. By default, the data bits is 8. Data bits is the number of bits representing one character. The setting depends on the contexts to be transmitted. For example, you can set it to 7 if standard ASCII characters are to be sent, and set it to 8 if extended ASCII characters are to be sent.  

To do: Define a shortcut key for starting a session  
Use the command: activation-key character  
Remarks: Optional. By default, you can press Enter to start a session.  

To do: Define a shortcut key for terminating tasks  
Use the command: escape-key { default | character }  
Remarks: Optional. By default, you can press Ctrl+C to terminate a task.  

To do: Configure the flow control mode  
Use the command: flow-control { hardware | none | software }  
Remarks: Optional. By default, the value is none  

To do: Configure the type of terminal display  
Use the command: terminal type { ansi | vt100 }  
Remarks: Optional. By default, the terminal display type is ANSI. The device supports two types of terminal display: ANSI and VT100. HP recommends that you set the display type of both the device and the client to VT100. If the device and the client use different display types (for example, hyper terminal or Telnet terminal) or both are set to ANSI, when the total number of characters of the edited command line exceeds 80, an anomaly such as cursor corruption or abnormal display of the terminal display may occur on the client.  

To do: Configure the user privilege level for login users  
Use the command: user privilege level level  
Remarks: Optional. 3 by default.  

To do: Set the maximum number of lines on the next screen  
Use the command: screen-length screen-length  
Remarks: Optional. By default, the next screen displays 24 lines at most. A value of 0 disables the function.  

To do: Set the size of the history command buffer  
Use the command: history-command max-size value  
Remarks: Optional. By default, the buffer saves 10 history commands at most.  

To do: Set the idle-timeout timer  
Use the command: idle-timeout minutes [ seconds ]  
Remarks: Optional. The default idle-timeout is 10 minutes. The system automatically terminates the user’s connection if no information interaction occurs between the device and the user within the idle-timeout time. Setting idle-timeout to 0 disables the timer.  
CAUTION:  
The common settings configured for console login take effect immediately. If you configure the common  
settings after you log in through the console port, the current connection may be interrupted. To avoid  
this problem, use another login method. After you configure the common settings for console login, you  
will need to modify the settings on the terminal to make them consistent with those on the device.  
The baud rate of the console port must be lower than the transmission rate of the modem. Otherwise,  
packets may be lost.  
Displaying and maintaining CLI login  
To do: Display the source IP address/interface specified for Telnet packets  
Use the command: display telnet client configuration [ | { begin | exclude | include } regular-expression ]  
Remarks: Available in any view  

To do: Display information about the user interfaces that are being used  
Use the command: display users [ | { begin | exclude | include } regular-expression ]  
Remarks: Available in any view  

To do: Displays information about all user interfaces that the device supports  
Use the command: display users all [ | { begin | exclude | include } regular-expression ]  
Remarks: Available in any view  

To do: Display user interface information  
Use the command: display user-interface [ num1 | { aux | vty } num2 ] [ summary ] [ | { begin | exclude | include } regular-expression ]  
Remarks: Available in any view  

To do: Release a specified user interface  
Use the command: free user-interface { num1 | { aux | vty } num2 }  
Remarks: Available in user view. Multiple users can log in to the system to simultaneously configure the device. In some circumstances, when the administrator wants to make configurations without interruption from the users that have logged in through other user interfaces, the administrator can execute the command to release the connections established on the specified user interfaces. You cannot use this command to release the connection that you are using.  

To do: Lock the current user interface  
Use the command: lock  
Remarks: Available in user view. By default, the current user interface is not locked.  

To do: Send messages to the specified user interfaces  
Use the command: send { all | num1 | { aux | vty } num2 }  
Remarks: Available in user view  
Web login  
Web login overview  
The device provides a built-in web server that enables you to log in to the web interface of the device from  
a PC. Web login is disabled by default.  
To enable web login, log in to the device via the console port, and perform the following configuration:  
Enable HTTP or HTTPS service  
Configure the IP address of the VLAN interface  
Configure a username and password  
The device supports the following web login methods:  
HTTP login: The Hypertext Transfer Protocol (HTTP) is used for transferring web page information  
across the Internet. It is an application-layer protocol in the TCP/IP protocol suite. The  
connection-oriented Transport Control Protocol (TCP) is adopted at the transport layer. The device  
supports HTTP 1.0.  
HTTPS login: The Secure HTTP (HTTPS) refers to the HTTP protocol that supports the Security Socket  
Layer (SSL) protocol. HTTPS uses SSL to encrypt the data exchanged between the HTTPS client and  
the server to ensure data security and integrity. You can define a certificate attribute-based access  
control policy to allow legal clients to access the device securely and to prohibit illegal clients.  
The following table shows the configuration requirements of web login.  
Object: Device  
Requirements: Configure the IP address of the VLAN interface. Make sure the device and the PC can reach each other. Required to use one approach.  

Object: PC  
Requirements: Install a web browser. Obtain the IP address of the VLAN interface of the device.  
Configuring HTTP login  
Follow these steps to configure HTTP login:  
To do: Enter system view  
Use the command: system-view  

To do: Enable the HTTP service  
Use the command: ip http enable  
Remarks: Required. Enabled by default.  

To do: Configure the HTTP service port number  
Use the command: ip http port port-number  
Remarks: Optional. 80 by default. If you execute the command multiple times, the last one takes effect.  

To do: Associate the HTTP service with an ACL  
Use the command: ip http acl acl-number  
Remarks: Optional. By default, the HTTP service is not associated with any ACL. Associating the HTTP service with an ACL enables the device to allow only clients permitted by the ACL to access the device.  

To do: Create a local user and enter local user view  
Use the command: local-user user-name  
Remarks: Required. By default, no local user is configured.  

To do: Configure a password for the local user  
Use the command: password { cipher | simple } password  
Remarks: Required. By default, no password is configured for the local user.  

To do: Specify the command level of the local user  
Use the command: authorization-attribute level level  
Remarks: Required. No command level is configured for the local user.  

To do: Specify the Telnet service type for the local user  
Use the command: service-type telnet  
Remarks: Required. By default, no service type is configured for the local user.  

To do: Exit to system view  
Use the command: quit  

To do: Create a VLAN interface and enter its view  
Use the command: interface vlan-interface vlan-interface-id  
Remarks: Required. If the VLAN interface already exists, the command enters its view.  

To do: Assign an IP address and subnet mask to the VLAN interface  
Use the command: ip address ip-address { mask | mask-length }  
Remarks: Required. By default, no IP address is assigned to the VLAN interface.  
Configuring HTTPS login  
Follow these steps to configure HTTPS login:  
To do: Enter system view  
Use the command: system-view  

To do: Configure PKI and SSL related features  
Remarks: Required. By default, PKI and SSL are not configured. For more information about PKI, see the Security Configuration Guide. For more information about SSL, see the Security Configuration Guide.  

To do: Associate the HTTPS service with an SSL server policy  
Use the command: ip https ssl-server-policy policy-name  
Remarks: Required. By default, the HTTPS service is not associated with any SSL server policy. If you disable the HTTPS service, the system automatically de-associates the HTTPS service from the SSL service policy. Before re-enabling the HTTPS service, associate the HTTPS service with an SSL server policy first. Any changes to the SSL server policy associated with the HTTP service that is enabled do not take effect.  

To do: Enable the HTTPS service  
Use the command: ip https enable  
Remarks: Required. Disabled by default. Enabling the HTTPS service triggers an SSL handshake negotiation process. During the process, if the local certificate of the device exists, the SSL negotiation succeeds, and the HTTPS service can be started normally. If no local certificate exists, a certificate application process will be triggered by the SSL negotiation. Because the application process takes much time, the SSL negotiation often fails and the HTTPS service cannot be started normally. In that case, you need to execute the ip https enable command multiple times to start the HTTPS service.  

To do: Associate the HTTPS service with a certificate attribute-based access control policy  
Use the command: ip https certificate access-control-policy policy-name  
Remarks: Optional. By default, the HTTPS service is not associated with any certificate-based attribute access control policy. Associating the HTTPS service with a certificate-based attribute access control policy enables the device to control the access rights of clients. You must configure the client-verify enable command in the associated SSL server policy. If not, no clients can log in to the device. The associated SSL server policy must contain at least one permit rule. Otherwise, no clients can log in to the device. For more information about certificate attribute-based access control policies, see the Security Configuration Guide.  

To do: Configure the port number of the HTTPS service  
Use the command: ip https port port-number  
Remarks: Optional. 443 by default.  

To do: Associate the HTTPS service with an ACL  
Use the command: ip https acl acl-number  
Remarks: Required. By default, the HTTPS service is not associated with any ACL. Associating the HTTPS service with an ACL enables the device to allow only clients permitted by the ACL to access the device.  

To do: Create a local user and enter local user view  
Use the command: local-user user-name  
Remarks: Required. By default, no local user is configured.  

To do: Configure a password for the local user  
Use the command: password { cipher | simple } password  
Remarks: Required. By default, no password is configured for the local user.  

To do: Specify the command level of the local user  
Use the command: authorization-attribute level level  
Remarks: Required. By default, no command level is configured for the local user.  

To do: Specify the Telnet service type for the local user  
Use the command: service-type telnet  
Remarks: Required. By default, no service type is configured for the local user.  

To do: Exit to system view  
Use the command: quit  

To do: Create a VLAN interface and enter its view  
Use the command: interface vlan-interface vlan-interface-id  
Remarks: Required. If the VLAN interface already exists, the command enters its view.  

To do: Assign an IP address and subnet mask to the VLAN interface  
Use the command: ip address ip-address { mask | mask-length }  
Remarks: Required. By default, no IP address is assigned to the VLAN interface.  
Displaying and maintaining web login  
To do: Display information about web users  
Use the command: display web users [ | { begin | exclude | include } regular-expression ]  
Remarks: Available in any view  

To do: Display HTTP state information  
Use the command: display ip http [ | { begin | exclude | include } regular-expression ]  
Remarks: Available in any view  

To do: Display HTTPS state information  
Use the command: display ip https [ | { begin | exclude | include } regular-expression ]  
Remarks: Available in any view  
Web login example  
HTTP login example  
Network requirements  
As shown in Figure 27, the PC is connected to the device over an IP network. The IP address of the Device  
is 192.168.20.66/24.  
Figure 27 Network diagram for configuring HTTP login  
Configuration procedure  
1. Configuration on the device  
# Log in to the device via the console port and configure the IP address of VLAN 1 of the device. VLAN  
1 is the default VLAN.  
<Sysname> system-view  
[Sysname] interface vlan-interface 1  
[Sysname-VLAN-interface1] ip address 192.168.20.66 255.255.255.0  
[Sysname-VLAN-interface1] quit  
# Create a local user named admin, and set the password to admin for the user. Specify the Telnet  
service type for the local user, and set the command level to 3 for this user.  
[Sysname] local-user admin  
[Sysname-luser-admin] service-type telnet  
[Sysname-luser-admin] authorization-attribute level 3  
[Sysname-luser-admin] password simple admin  
2. Configuration on the PC  
# On the PC, run the web browser. Enter the IP address of the device in the address bar, 192.168.20.66  
in this example. The web login page appears, as shown in Figure 28.  
Figure 28 Web login page  
# Type the user name, password, verify code, select English, and click Login. The homepage appears.  
After login, you can configure device settings through the web interface.  
HTTPS login example  
Network requirements  
As shown in Figure 29, to prevent unauthorized users from accessing the Device, configure HTTPS login  
as follows:  
Configure the Device as the HTTPS server, and request a certificate for it.  
The Host acts as the HTTPS client. Request a certificate for it.  
In this example, Windows Server acts as the CA. Install Simple Certificate Enrollment Protocol (SCEP)  
add-on on the CA. The name of the CA that issues certificates to the Device and Host is new-ca.  
Before performing the following configuration, make sure that the Device, Host, and CA can reach each  
other.  
Figure 29 Network diagram for configuring HTTPS login  
Configuration procedure  
1. Configure the device that acts as the HTTPS server  
# Configure a PKI entity, configure the common name of the entity as http-server1, and the FQDN of the  
entity as ssl.security.com.  
<Device> system-view  
[Device] pki entity en  
[Device-pki-entity-en] common-name http-server1  
[Device-pki-entity-en] fqdn ssl.security.com  
[Device-pki-entity-en] quit  
# Create a PKI domain, specify the trusted CA as new-ca, the URL of the server for certificate request as  
http://10.1.2.2/certsrv/mscep/mscep.dll, authority for certificate request as RA, and the entity for  
certificate request as en.  
[Device] pki domain 1  
[Device-pki-domain-1] ca identifier new-ca  
[Device-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll  
[Device-pki-domain-1] certificate request from ra  
[Device-pki-domain-1] certificate request entity en  
[Device-pki-domain-1] quit  
# Create RSA local key pairs.  
[Device] public-key local create rsa  
# Retrieve the CA certificate from the certificate issuing server.  
[Device] pki retrieval-certificate ca domain 1  
# Request a local certificate from a CA through SCEP for the device.  
[Device] pki request-certificate domain 1  
# Create an SSL server policy myssl, specify PKI domain 1 for the SSL server policy, and enable  
certificate-based SSL client authentication.  
[Device] ssl server-policy myssl  
[Device-ssl-server-policy-myssl] pki-domain 1  
[Device-ssl-server-policy-myssl] client-verify enable  
[Device-ssl-server-policy-myssl] quit  
# Create a certificate attribute group mygroup1, and configure a certificate attribute rule, specifying that  
the Distinguished Name (DN) in the subject name includes the string of new-ca.  
[Device] pki certificate attribute-group mygroup1  
[Device-pki-cert-attribute-group-mygroup1] attribute 1 issuer-name dn ctn new-ca  
[Device-pki-cert-attribute-group-mygroup1] quit  
# Create a certificate attribute-based access control policy myacp. Configure a certificate  
attribute-based access control rule, specifying that a certificate is considered valid when it matches an  
attribute rule in certificate attribute group myacp.  
[Device] pki certificate access-control-policy myacp  
[Device-pki-cert-acp-myacp] rule 1 permit mygroup1  
[Device-pki-cert-acp-myacp] quit  
# Associate the HTTPS service with SSL server policy myssl.  
[Device] ip https ssl-server-policy myssl  
# Associate the HTTPS service with certificate attribute-based access control policy myacp.  
[Device] ip https certificate access-control-policy myacp  
# Enable the HTTPS service.  
[Device] ip https enable  
# Create a local user named usera, set the password to 123 for the user, and specify the Telnet service  
type for the local user.  
[Device] local-user usera  
[Device-luser-usera] password simple 123  
[Device-luser-usera] service-type telnet  
2. Configure the host that acts as the HTTPS client
On the host, run the IE browser. In the address bar, enter http://10.1.2.2/certsrv and request a certificate  
for the host as prompted.  
3. Verify the configuration
Enter https://10.1.1.1 in the address bar, and select the certificate issued by new-ca. Then the web login  
page of the Device appears. On the login page, type the username usera, and password 123 to enter  
the web management page.  
NOTE:
- To log in to the web interface through HTTPS, enter the URL address starting with https://. To log in to the web interface through HTTP, enter the URL address starting with http://.
- For more information about PKI configuration commands, see the Security Command Reference.
- For more information about the public-key local create rsa command, see the Security Command Reference.
- For more information about SSL configuration commands, see the Security Command Reference.
NMS login  
NMS login overview  
An NMS runs the SNMP client software. It offers a user-friendly interface to facilitate network  
management. An agent is a program that resides in the device. It receives and handles requests from the  
NMS. An NMS is a manager in an SNMP enabled network, whereas agents are managed by the NMS.  
The NMS and agents exchange information through the SNMP protocol. The device supports multiple  
NMS programs, such as iMC and CAMS.  
By default, you cannot log in to the device through NMS. To enable NMS login, log in to the device via  
the console port and make the configuration changes described in the following table.  
The following table shows the configuration requirements of NMS login.  
| Object | Requirements |
|---|---|
| Device | Configure the IP address of the VLAN interface. Make sure the device and the NMS can reach each other. Configure SNMP settings. |
| NMS | Configure the NMS. For more information, see your NMS manual. |
Configuring NMS login  
Connect the Ethernet port of the PC to an Ethernet port of VLAN 1 of the device, as shown in Figure 30.  
Make sure the PC and VLAN 1 interface can reach each other.  
Figure 30 Network diagram for configuring NMS login  
Follow these steps to configure SNMPv3 settings:  
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enable SNMP agent | snmp-agent | Optional. Disabled by default. You can enable SNMP agent with this command or any command that begins with snmp-agent. |
| Configure an SNMP group and specify its access right | snmp-agent group v3 group-name [ authentication \| privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ] | Required. By default, no SNMP group is configured. |
| Add a user to the SNMP group | snmp-agent usm-user v3 user-name group-name [ [ cipher ] authentication-mode { md5 \| sha } auth-password [ privacy-mode { 3des \| aes128 \| des56 } priv-password ] ] [ acl acl-number ] | Required. If the cipher keyword is specified, both auth-password and priv-password are cipher text passwords. |
Follow these steps to configure SNMPv1 and SNMPv2c settings:  
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enable SNMP agent | snmp-agent | Optional. Disabled by default. You can enable SNMP agent with this command or any command that begins with snmp-agent. |
| Create or update MIB view information | snmp-agent mib-view { excluded \| included } view-name oid-tree [ mask mask-value ] | Optional. By default, the MIB view name is ViewDefault and OID is 1. |
| Configure SNMP NMS access right, directly: configure an SNMP community | snmp-agent community { read \| write } community-name [ acl acl-number \| mib-view view-name ]* | Required. Use either approach. The direct configuration approach is for SNMPv1 or SNMPv2c. The community name configured on the NMS should be consistent with the username configured on the agent. |
| Configure SNMP NMS access right, indirectly: configure an SNMP group | snmp-agent group { v1 \| v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ] | The indirect configuration approach is for SNMPv3. |
| Configure SNMP NMS access right, indirectly: add a user to the SNMP group | snmp-agent usm-user { v1 \| v2c } user-name group-name [ acl acl-number ] | |
NOTE:  
The device supports the following SNMP versions: SNMPv1, SNMPv2c and SNMPv3. For more  
information about SNMP, see the Network Management and Monitoring Configuration Guide.  
NMS login example  
In this example, iMC is used as the NMS.  
1. Configuration on the device
# Assign an IP address to the device. Make sure the device and the NMS can reach each other. (Configuration steps are omitted.)
# Enter system view.  
<Sysname> system-view  
# Enable the SNMP agent.  
[Sysname] snmp-agent  
# Configure an SNMP group.  
[Sysname] snmp-agent group v3 managev3group read-view test write-view test  
# Add a user to the SNMP group.  
[Sysname] snmp-agent usm-user v3 managev3user managev3group  
2. Configuration on the NMS
On the PC, start the browser. In the address bar, enter http://192.168.20.107:8080/imc, where  
192.168.20.107 is the IP address of the iMC.  
Figure 31 iMC login page  
Type the username and password, and then click Login. The iMC homepage appears, as shown in Figure  
32.  
Figure 32 iMC homepage  
Log in to the iMC and configure SNMP settings for the iMC to find the device. After the device is found,  
you can manage and maintain the device through the iMC. For example, you can query device  
information or configure device parameters.  
The SNMP settings on the iMC must be the same as those configured on the device. If not, the device  
cannot be found or managed by the iMC. See the iMC manuals for more information.  
Click Help in the upper right corner of each configuration page to get corresponding help information.  
User login control  
User login control methods  
The device provides the following login control methods.  
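| Login through | Login control methods | ACL used |
|---|---|---|
| Telnet | Configuring source IP-based login control over Telnet users | Basic ACL |
| Telnet | Configuring source and destination IP-based login control over Telnet users | Advanced ACL |
| Telnet | Configuring source MAC-based login control over Telnet users | Ethernet frame header ACL |
| NMS | Configuring source IP-based login control over NMS users | Basic ACL |
| Web | Configuring source IP-based login control over web users | Basic ACL |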
Configuring login control over Telnet users  
Configuration preparation  
Before configuration, determine the permitted or denied source IP addresses, source MAC addresses,  
and destination IP addresses.  
Configuring source IP-based login control over Telnet users  
Because basic ACLs match the source IP addresses of packets, you can use basic ACLs to implement  
source IP-based login control over Telnet users. Basic ACLs are numbered from 2000 to 2999. For more  
information about ACL, see the ACL and QoS Configuration Guide.  
Follow these steps to configure source IP-based login control over Telnet users:  
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Create a basic ACL and enter its view, or enter the view of an existing basic ACL | acl [ ipv6 ] number acl-number [ match-order { config \| auto } ] | Required. By default, no basic ACL exists. |
| Configure rules for this ACL | rule [ rule-id ] { permit \| deny } [ source { sour-addr sour-wildcard \| any } \| time-range time-name \| fragment \| logging ]* | Required |
| Exit the basic ACL view | quit | |
| Enter user interface view | user-interface [ type ] first-number [ last-number ] | |
| Use the ACL to control user login by source IP address | acl [ ipv6 ] acl-number { inbound \| outbound } | Required. inbound: Filters incoming Telnet packets. outbound: Filters outgoing Telnet packets. |
Configuring source and destination IP-based login control over Telnet users
Because advanced ACLs can match both source and destination IP addresses of packets, you can use  
advanced ACLs to implement source and destination IP-based login control over Telnet users. Advanced  
ACLs are numbered from 3000 to 3999. For more information about ACL, see the ACL and QoS  
Configuration Guide.  
Follow these steps to configure source and destination IP-based login control over Telnet users:  
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Create an advanced ACL and enter its view, or enter the view of an existing advanced ACL | acl [ ipv6 ] number acl-number [ match-order { config \| auto } ] | Required. By default, no advanced ACL exists. |
| Configure rules for the ACL | rule [ rule-id ] { permit \| deny } rule-string | Required |
| Exit advanced ACL view | quit | |
| Enter user interface | user-interface [ type ] first-number [ last-number ] | |
| Use the ACL to control user login by source and destination IP addresses | acl [ ipv6 ] acl-number { inbound \| outbound } | Required. inbound: Filters incoming Telnet packets. outbound: Filters outgoing Telnet packets. |
Configuring source MAC-based login control over Telnet users  
Ethernet frame header ACLs can match the source MAC addresses of packets, so you can use Ethernet  
frame header ACLs to implement source MAC-based login control over Telnet users. Ethernet frame  
header ACLs are numbered from 4000 to 4999. For more information about ACL, see the ACL and QoS  
Configuration Guide.  
Follow these steps to configure source MAC-based login control over Telnet users:  
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Create an Ethernet frame header ACL and enter its view | acl number acl-number [ match-order { config \| auto } ] | Required. By default, no advanced ACL exists. |
| Configure rules for the ACL | rule [ rule-id ] { permit \| deny } rule-string | Required |
| Exit the advanced ACL view | quit | |
| Enter user interface view | user-interface [ type ] first-number [ last-number ] | |
| Use the ACL to control user login by source MAC address | acl acl-number inbound | Required. inbound: Filters incoming Telnet packets. |
NOTE:  
The above configuration does not take effect if the Telnet client and server are not in the same subnet.  
Source MAC-based login control configuration example  
Network requirements  
As shown in Figure 33, configure an ACL on the Device to permit only incoming Telnet packets sourced  
from Host A and Host B.  
Figure 33 Network diagram for configuring source MAC-based login control  
Configuration procedure  
# Configure basic ACL 2000, and configure rule 1 to permit packets sourced from Host B, and rule 2 to  
permit packets sourced from Host A.  
<Sysname> system-view  
[Sysname] acl number 2000 match-order config  
[Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0  
[Sysname-acl-basic-2000] rule 2 permit source 10.110.100.46 0  
[Sysname-acl-basic-2000] quit  
# Reference ACL 2000 in user interface view to allow Telnet users from Host A and Host B to access the  
Device.  
[Sysname] user-interface vty 0 4  
[Sysname-ui-vty0-4] acl 2000 inbound  
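Added example (not part of the HP manual): a small Python model of how the basic ACL above selects Telnet sources, useful for checking a rule set before applying it to the VTY lines. It assumes that match-order config means first match in ascending rule ID, that a wildcard bit of 1 means "ignore this bit", and that a source matching no rule is refused, as the permit-only rule set above implies; parse_acl and evaluate are hypothetical helper names, and the two extra ACLs are constructed.

```python
import ipaddress

# Rule lines copied from the ACL 2000 example above.
ACL_2000 = """\
rule 1 permit source 10.110.100.52 0
rule 2 permit source 10.110.100.46 0
"""

# Constructed variants (not from the manual) that show ordering and wildcards.
ACL_SUBNET = """\
rule 5 deny source 10.110.100.46 0
rule 10 permit source 10.110.100.0 0.0.0.255
"""
# Constructed mistake: a subnet mask typed where a wildcard is expected.
ACL_NETMASK_MISTAKE = "rule 1 permit source 10.110.100.52 255.255.255.0\n"

ALL_BITS = 0xFFFFFFFF


def parse_wildcard(token):
    """Return the wildcard as an int; a bare 0 is read as 0.0.0.0 (exact host)."""
    if token == "0":
        return 0
    return int(ipaddress.IPv4Address(token))


def parse_rule(line):
    """Parse 'rule <id> {permit|deny} [source {<addr> <wildcard> | any}]'."""
    tok = line.split()
    if len(tok) < 3 or tok[0] != "rule" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported rule line: {line!r}")
    rule_id, action = int(tok[1]), tok[2]
    addr, wildcard = 0, ALL_BITS  # no source clause: every source matches
    if len(tok) > 3:
        if tok[3] != "source" or len(tok) < 5:
            raise ValueError(f"only the source clause is modelled: {line!r}")
        if tok[4] != "any":
            if len(tok) < 6:
                raise ValueError(f"missing wildcard: {line!r}")
            addr = int(ipaddress.IPv4Address(tok[4]))
            wildcard = parse_wildcard(tok[5])
    return rule_id, action, addr, wildcard


def parse_acl(text):
    """Parse every non-empty line of an ACL body into a rule tuple."""
    return [parse_rule(line) for line in text.splitlines() if line.strip()]


def evaluate(rules, src_ip, default="deny"):
    """Return (action, rule_id) for src_ip; rule_id is None if nothing matched."""
    src = int(ipaddress.IPv4Address(src_ip))
    for rule_id, action, addr, wildcard in sorted(rules):  # ascending rule ID
        care = ~wildcard & ALL_BITS  # bits that must be identical
        if (src ^ addr) & care == 0:
            return action, rule_id
    return default, None  # assumption: unmatched sources are refused


if __name__ == "__main__":
    checks = [
        ("ACL 2000", ACL_2000, ["10.110.100.52", "10.110.100.46", "10.110.100.47"]),
        ("subnet", ACL_SUBNET, ["10.110.100.46", "10.110.100.99", "10.110.101.1"]),
        ("netmask mistake", ACL_NETMASK_MISTAKE, ["10.110.100.52", "192.0.2.52"]),
    ]
    for name, acl, hosts in checks:
        rules = parse_acl(acl)
        for host in hosts:
            print(name, host, evaluate(rules, host))
```

The last case shows why a wildcard must not be written as a subnet mask: 255.255.255.0 ignores the first three octets, so any address ending in .52 is permitted.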
Configuring source IP-based login control over NMS users
You can log in to the NMS to remotely manage the devices. SNMP is used for communication between  
the NMS and the agent that resides in the device. By using the ACL, you can control SNMP user access  
to the device.  
Configuration preparation  
Before configuration, determine the permitted or denied source IP addresses.  
Configuring source IP-based login control over NMS users  
Because basic ACLs match the source IP addresses of packets, you can use basic ACLs to implement  
source IP-based login control over NMS users. Basic ACLs are numbered from 2000 to 2999. For more  
information about ACL, see the ACL and QoS Configuration Guide.  
Follow these steps to configure source IP-based login control over NMS users:  
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Create a basic ACL and enter its view, or enter the view of an existing basic ACL | acl [ ipv6 ] number acl-number [ match-order { config \| auto } ] | Required. By default, no basic ACL exists. |
| Create rules for this ACL | rule [ rule-id ] { permit \| deny } [ source { sour-addr sour-wildcard \| any } \| time-range time-name \| fragment \| logging ]* | Required |
| Exit the basic ACL view | quit | |
| Associate this SNMP community with the ACL | snmp-agent community { read \| write } community-name [ acl acl-number \| mib-view view-name ]* | Required. You can associate the ACL when creating the community, the SNMP group, and the user. For more information about SNMP, see the Network Management and Monitoring Configuration Guide. |
| Associate the SNMP group with the ACL | snmp-agent group { v1 \| v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ] | |
| | snmp-agent group v3 group-name [ authentication \| privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ] | |
| Associate the user with the ACL | snmp-agent usm-user { v1 \| v2c } user-name group-name [ acl acl-number ] | |
| | snmp-agent usm-user v3 user-name group-name [ [ cipher ] authentication-mode { md5 \| sha } auth-password [ privacy-mode { 3des \| aes128 \| des56 } priv-password ] ] [ acl acl-number ] | |
Source IP-based login control over NMS users configuration example
Network requirements  
As shown in Figure 34, configure the device to allow only NMS users from Host A and Host B to access.  
Figure 34 Network diagram for configuring source IP-based login control over NMS users  
Configuration procedure  
# Create ACL 2000, and configure rule 1 to permit packets sourced from Host B, and rule 2 to permit  
packets sourced from Host A.  
<Sysname> system-view  
[Sysname] acl number 2000 match-order config  
[Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0  
[Sysname-acl-basic-2000] rule 2 permit source 10.110.100.46 0  
[Sysname-acl-basic-2000] quit  
# Associate the ACL with the SNMP community and the SNMP group.  
[Sysname] snmp-agent community read aaa acl 2000  
[Sysname] snmp-agent group v2c groupa acl 2000  
[Sysname] snmp-agent usm-user v2c usera groupa acl 2000  
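Added example (not part of the HP manual): a Python check that reads snmp-agent lines in the syntax given in this chapter and reports which SNMP objects lack a source ACL or run without authentication or privacy. The finding codes, the audit_snmp helper, the hardened variant and its placeholder passwords are constructed for illustration; it relies on a v3 group with neither the authentication nor the privacy keyword having no security level, and on SNMPv1/v2c community strings travelling in cleartext.

```python
import re

# Lines taken from the NMS login and NMS login control examples in this chapter.
PAGE_CONFIG = """\
[Sysname] snmp-agent group v3 managev3group read-view test write-view test
[Sysname] snmp-agent usm-user v3 managev3user managev3group
[Sysname] snmp-agent community read aaa acl 2000
[Sysname] snmp-agent group v2c groupa acl 2000
[Sysname] snmp-agent usm-user v2c usera groupa acl 2000
"""

# Constructed variant: same names, privacy level, source ACL, placeholder passwords.
HARDENED_CONFIG = """\
snmp-agent group v3 managev3group privacy read-view test write-view test acl 2000
snmp-agent usm-user v3 managev3user managev3group authentication-mode sha AUTH-PLACEHOLDER privacy-mode aes128 PRIV-PLACEHOLDER acl 2000
"""

REASONS = {
    "NO_ACL": "not bound to a source ACL, so any reachable host may try it",
    "CLEARTEXT_COMMUNITY": "v1/v2c community string is sent in cleartext",
    "NOAUTH_NOPRIV": "v3 group has neither authentication nor privacy",
    "NO_AUTH": "v3 user has no authentication-mode",
    "NO_PRIV": "no privacy (encryption) configured",
    "WEAK_AUTH_MD5": "authentication-mode md5; sha is also offered",
    "WEAK_PRIV_DES56": "privacy-mode des56; aes128 is also offered",
}

PROMPT = re.compile(r"^[\[<][^\]>]*[\]>]\s*")  # strips "[Sysname] " or "<Sysname> "


def value_after(opts, keyword):
    """Return the token following keyword in opts, or None if absent."""
    if keyword in opts:
        i = opts.index(keyword)
        if i + 1 < len(opts):
            return opts[i + 1]
    return None


def audit_snmp(config_text):
    """Return a list of (object_name, finding_code) for snmp-agent lines."""
    findings = []
    for raw in config_text.splitlines():
        tok = PROMPT.sub("", raw.strip()).split()
        if len(tok) < 4 or tok[0] != "snmp-agent":
            continue
        kind, version_or_access = tok[1], tok[2]
        if kind == "community":
            name, opts = tok[3], tok[4:]
            findings.append((name, "CLEARTEXT_COMMUNITY"))
        elif kind == "group":
            name, opts = tok[3], tok[4:]
            if version_or_access == "v3":
                # The security keyword, when present, directly follows the name.
                level = opts[0] if opts[:1] and opts[0] in ("authentication", "privacy") else None
                if level is None:
                    findings.append((name, "NOAUTH_NOPRIV"))
                elif level == "authentication":
                    findings.append((name, "NO_PRIV"))
        elif kind == "usm-user" and len(tok) >= 5:
            name, opts = tok[3], tok[5:]
            if version_or_access == "v3":
                auth = value_after(opts, "authentication-mode")
                priv = value_after(opts, "privacy-mode")
                if auth is None:
                    findings.append((name, "NO_AUTH"))
                elif auth == "md5":
                    findings.append((name, "WEAK_AUTH_MD5"))
                if priv is None:
                    findings.append((name, "NO_PRIV"))
                elif priv == "des56":
                    findings.append((name, "WEAK_PRIV_DES56"))
        else:
            continue
        if "acl" not in opts:
            findings.append((name, "NO_ACL"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("page examples", PAGE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label)
        for name, code in audit_snmp(cfg):
            print(f"  {name}: {code} ({REASONS[code]})")
```

Run against the chapter's own lines, it shows that the ACL example restricts who may query the device but leaves the community string in cleartext, and that the SNMPv3 login example creates a user with no authentication or privacy.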
Configuring source IP-based login control over web users
You can log in to the web management page of the device through HTTP/HTTPS to remotely manage the  
devices. By using the ACL, you can control web user access to the device.  
Configuration preparation  
Before configuration, determine the permitted or denied source IP addresses.  
Configuring source IP-based login control over web users  
Because basic ACLs match the source IP addresses of packets, you can use basic ACLs to implement  
source IP-based login control over web users. Basic ACLs are numbered from 2000 to 2999. For more  
information about ACL, see the ACL and QoS Configuration Guide.  
Follow these steps to configure source IP-based login control over web users:  
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Create a basic ACL and enter its view, or enter the view of an existing basic ACL | acl [ ipv6 ] number acl-number [ match-order { config \| auto } ] | Required. By default, no basic ACL exists. |
| Create rules for this ACL | rule [ rule-id ] { permit \| deny } [ source { sour-addr sour-wildcard \| any } \| time-range time-name \| fragment \| logging ]* | Required |
| Exit the basic ACL view | quit | |
| Associate the HTTP service with the ACL | ip http acl acl-number | Required. Use either command. |
| Associate the HTTPS service with the ACL | ip https acl acl-number | Required. Use either command. |
Logging off online web users  
Follow this step to log off online web users:
| To do… | Use the command… | Remarks |
|---|---|---|
| Log off online web users | free web-users { all \| user-id user-id \| user-name user-name } | Required. Execute the command in user interface view. |
Source IP-based login control over web users configuration example
Network requirements  
As shown in Figure 35, configure the device to allow only web users from Host B to access.  
Figure 35 Network diagram for configuring source IP-based login control  
Configuration procedure  
# Create ACL 2000, and configure rule 1 to permit packets sourced from Host B.  
<Sysname> system-view  
[Sysname] acl number 2030 match-order config  
[Sysname-acl-basic-2030] rule 1 permit source 10.110.100.52 0  
# Associate the ACL with the HTTP service so that only web users from Host B are allowed to access the  
device.  
[Sysname] ip http acl 2030  
FTP configuration  
FTP overview  
Introduction to FTP  
The File Transfer Protocol (FTP) is an application layer protocol for sharing files between server and client  
over a TCP/IP network.  
FTP uses TCP ports 20 and 21 for file transfer. Port 20 is used to transmit data, and port 21 to transmit  
control commands. For more information about FTP basic operations, see RFC 959.  
FTP transfers files in the following modes:  
- Binary mode: Transfers files as raw data, such as .app, .bin, and .btm files.
- ASCII mode: Transfers files as text, such as .txt, .bat, and .cfg files.
FTP operation  
FTP adopts the client/server model. Your device can function either as the client or the server. See Figure  
36.  
- When the device serves as the FTP client, use Telnet or an emulation program to log in to the device from the PC, execute the ftp command to establish a connection from the device (FTP client) to the PC (FTP server), and then upload/download files to/from the server.
- When the device serves as the FTP server, run the FTP client program on the PC to establish a connection to the FTP server and upload/download files to/from the server.
Figure 36 Network diagram for FTP  
When the device serves as the FTP client, you need to perform the following configuration:  
Table 8 Configuration when the device serves as the FTP client  
| Device | Configuration | Remarks |
|---|---|---|
| Device (FTP client) | Use the ftp command to establish the connection to the remote FTP server | If the remote FTP server supports anonymous FTP, the device can log in to it directly; if not, the device must obtain the FTP username and password first to log in to the remote FTP server. |
| PC (FTP server) | Enable FTP server on the PC, and configure the username, password, user privilege level, and so on. | |
When the device serves as the FTP server, you need to perform the following configuration:  
Table 9 Configuration when the device serves as the FTP server  
| Device | Configuration | Remarks |
|---|---|---|
| Device (FTP server) | Enable the FTP server function | Disabled by default. You can use the display ftp-server command to view the FTP server configuration on the device. |
| Device (FTP server) | Configure authentication and authorization | Configure the username, password, and authorized directory for an FTP user. The device does not support anonymous FTP for security reasons. You must set a valid username and password. By default, authenticated users can access the root directory of the device. |
| Device (FTP server) | Configure the FTP server operating parameters | Parameters such as the FTP connection timeout time |
| PC (FTP client) | Use the FTP client program to log in to the FTP server. | You can log in to the FTP server only after you input the correct FTP username and password. |
CAUTION:
- Make sure that the FTP server and the FTP client can reach each other before establishing the FTP connection.
- When you use IE to log in to the device serving as the FTP server, some FTP functions are not available. This is because multiple connections are established during the login process but the device supports only one connection at a time.
Configuring the FTP client  
NOTE:  
Only manage level users can use the ftp command to log in to an FTP server, enter FTP client view, and  
execute directory and file related commands. However, whether the commands can be executed  
successfully depends on the FTP server authorizations.  
Establishing an FTP connection  
Before you can access the FTP server, you must first establish a connection from the FTP client to the FTP  
server. You can either use the ftp command to establish the connection directly or use the open command  
in FTP client view to establish the connection.  
When using the ftp command, you can specify the source interface (such as a loopback) or source IP  
address. The primary IP address of the specified source interface or the specified source IP address is  
used as the source IP address of sent FTP packets. The source address of the transmitted packets is  
selected following these rules:  
- If no source address is specified, the FTP client uses the interface’s IP address determined by the matched route as the source IP address to communicate with an FTP server.
- If the source address is specified with the ftp client source or ftp command, this source address is used to communicate with an FTP server.
- If you use the ftp client source command and the ftp command to specify a source address respectively, the source address specified with the ftp command is used to communicate with an FTP server.
- The source address specified with the ftp client source command is valid for all FTP connections and the source address specified with the ftp command is valid only for the current FTP connection.
Follow these steps to establish an IPv4 FTP connection:  
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Configure the source address of the FTP client | ftp client source { interface interface-type interface-number \| ip source-ip-address } | Optional. A switch uses the IP address of the interface determined by the matched route as the source IP address to communicate with the FTP server by default. |
| Exit to system view | quit | |
| Log in to the remote FTP server directly in user view | ftp [ server-address [ service-port ] [ source { interface interface-type interface-number \| ip source-ip-address } ] ] | Use either approach. The ftp command is available in user view, and the open command is available in FTP client view. |
| Log in to the remote FTP server indirectly in FTP client view | ftp | |
| | open server-address [ service-port ] | |
NOTE:
- If there is not a primary IP address configured on the specified source interface, you cannot establish an FTP connection.
- If you use the ftp client source command to configure a source interface and then use it to configure a source IP address, the source IP address overwrites the source interface, and vice versa.
Follow these steps to establish an IPv6 FTP connection:  
| To do… | Use the command… | Remarks |
|---|---|---|
| Log in to the remote FTP server directly in user view | ftp ipv6 [ server-address [ service-port ] [ source ipv6 source-ipv6-address ] [ -i interface-type interface-number ] ] | Use either approach. The ftp ipv6 command is available in user view; and the open ipv6 command is available in FTP client view. |
| Log in to the remote FTP server indirectly in FTP client view | ftp ipv6 | |
| | open ipv6 server-address [ service-port ] [ -i interface-type interface-number ] | |
Operating the directories on an FTP server  
After the switch serving as the FTP client has established a connection with an FTP server, you can create  
or delete folders under the authorized directory of the FTP server. For more information about establishing  
an FTP connection, see “Establishing an FTP connection.”  
Follow these steps to operate the directories on an FTP server:  
| To do… | Use the command… | Remarks |
|---|---|---|
| Display detailed information about a directory or file on the remote FTP server | dir [ remotefile [ localfile ] ] | Optional |
| Query a directory or file on the remote FTP server | ls [ remotefile [ localfile ] ] | Optional |
| Change the working directory of the remote FTP server | cd { directory \| .. \| / } | Optional |
| Exit the current working directory and return to an upper level directory of the remote FTP server | cdup | Optional |
| Display the working directory that is being accessed | pwd | Optional |
| Create a directory on the remote FTP server | mkdir directory | Optional |
| Remove the specified working directory on the remote FTP server | rmdir directory | Optional |
Operating the files on an FTP server  
After the switch serving as the FTP client has established a connection with an FTP server, you can upload  
a file to or download a file from the FTP server under the authorized directory of the FTP server by  
following these steps. For information about establishing an FTP connection, see “Establishing an FTP  
connection.”  
1. Use the dir or ls command to display the directory and the location of the file on the FTP server.
2. Delete useless files for effective use of the storage space.
3. Set the file transfer mode. FTP transmits files in two modes: ASCII and binary. ASCII mode transfers files as text. Binary mode transfers files as raw data.
4. Use the lcd command to display the local working directory of the FTP client. You can upload the file under this directory, or save the downloaded file under this directory.
5. Upload or download the file.
Follow these steps to operate the files on an FTP server:  
| To do… | Use the command… | Remarks |
|---|---|---|
| Display detailed information about a directory or file on the remote FTP server | dir [ remotefile [ localfile ] ] | Optional. The ls command displays the name of a directory or file only, while the dir command displays detailed information such as the file size and creation time. |
| Query a directory or file on the remote FTP server | ls [ remotefile [ localfile ] ] | Optional. The ls command displays the name of a directory or file only, while the dir command displays detailed information such as the file size and creation time. |
| Delete the specified file on the remote FTP server permanently | delete remotefile | Optional |
| Set the file transfer mode to ASCII | ascii | Optional. ASCII by default. |
| Set the file transfer mode to binary | binary | Optional. ASCII by default. |
| Set the data transmission mode to passive | passive | Optional. Passive by default. |
| Display the local working directory of the FTP client | lcd | Optional |
| Upload a file to the FTP server | put localfile [ remotefile ] | Optional |
| Download a file from the FTP server | get remotefile [ localfile ] | Optional |
Using another username to log in to an FTP server  
After the switch serving as the FTP client has established a connection with the FTP server, you can use  
another username to log in to the FTP server. For more information about establishing an FTP connection,  
This feature allows you to switch to different user levels without affecting the current FTP connection; if you  
input an incorrect username or password, the current connection will be terminated, and you must log in  
again to access the FTP server.  
Follow the step below to use another username to log in to the FTP server:  
| To do… | Use the command… | Remarks |
|---|---|---|
| Use another username to re-log in after successfully logging in to the FTP server | user username [ password ] | Optional |
Maintaining and debugging an FTP connection  
After a switch serving as the FTP client has established a connection with the FTP server, you can perform  
the following operations to locate and diagnose problems encountered in an FTP connection. For more  
information about establishing an FTP connection, see “Establishing an FTP connection.”  
| To do… | Use the command… | Remarks |
|---|---|---|
| Display the help information of FTP-related commands supported by the remote FTP server | remotehelp [ protocol-command ] | Optional |
| Enable information display in a detailed manner | verbose | Optional. Enabled by default |
| Enable FTP related debugging when the switch acts as the FTP client | debugging | Optional. Disabled by default |
Terminating an FTP connection  
After the switch serving as the FTP client has established a connection with the FTP server, you can use  
any of the following commands to terminate an FTP connection. For more information about establishing  
an FTP connection, see “Establishing an FTP connection.”  
| To do… | Use the command… | Remarks |
|---|---|---|
| Terminate the connection to the FTP server without exiting FTP client view | disconnect | Optional. Equal to the close command. |
| Terminate the connection to the FTP server without exiting FTP client view | close | Optional. Equal to the disconnect command. |
| Terminate the connection to the FTP server and return to user view | bye | Optional. Equal to the quit command in FTP client view. |
| Terminate the connection to the FTP server and return to user view | quit | Optional. Available in FTP client view, equal to the bye command. |
FTP client configuration example  
Network requirements  
- As shown in Figure 37, use the device as an FTP client and the PC as the FTP server. Their IP addresses are 10.2.1.1/16 and 10.1.1.1/16 respectively. The device and PC can reach each other.
- The device downloads a system software image file from the PC for device upgrade, and uploads the configuration file to the PC for backup.
- On the PC, an FTP user account has been created for the FTP client, with the username abc and the password pwd.
Figure 37 Network diagram for FTPing a system software image file from an FTP server  
Configuration procedure  
CAUTION:  
If the available memory space of the device is not enough, use the fixdisk command to clear the memory  
or use the delete /unreserved file-url command to delete the files not in use and then perform the following  
operations.  
# Log in to the server through FTP.  
<Sysname> ftp 10.1.1.1  
Trying 10.1.1.1  
Connected to 10.1.1.1  
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user  
User(10.1.1.1:(none)):abc  
331 Give me your password, please  
Password:  
230 Logged in successfully  
# Set the file transfer mode to binary to transmit system software image file.  
[ftp] binary  
200 Type set to I.  
# Download the system software image file newest.bin from the PC to the device.  
[ftp] get newest.bin  
# Upload the configuration file config.cfg of the device to the server for backup.  
[ftp] ascii  
[ftp] put config.cfg back-config.cfg  
227 Entering Passive Mode (10,1,1,1,4,2).  
125 ASCII mode data connection already open, transfer starting for /config.cfg.  
226 Transfer complete.  
FTP: 3494 byte(s) sent in 5.646 second(s), 618.00 byte(s)/sec.  
[ftp] bye  
# Specify newest.bin as the main system software image file for next startup.  
<Sysname> boot-loader file newest.bin main  
# Reboot the device, and the system software image file is updated at the system reboot.  
<Sysname> reboot  
CAUTION:  
The system software image file for next startup must be saved in the storage medium’s root directory. You  
can copy or move a file to the storage medium’s root directory. For more information about the  
boot-loader command, see the Fundamentals Command Reference.  
Configuring the FTP server  
Configuring FTP server operating parameters  
The FTP server uses one of the following modes to update a file when you upload the file (use the put  
command) to the FTP server:  
In fast mode, the FTP server starts writing data to the storage medium after a file is transferred to the
memory. This prevents the existing file on the FTP server from being corrupted if an anomaly, such as a
power failure, occurs during a file transfer.
In normal mode, the FTP server writes data to the storage medium while receiving data. This means
that any anomaly, such as a power failure, during a file transfer might result in file corruption on the
FTP server. This mode, however, consumes less memory space than the fast mode.
Follow these steps to configure the FTP server:  
To do: Enter system view
Use the command: system-view

To do: Enable the FTP server
Use the command: ftp server enable
Remarks: Required. Disabled by default.

To do: Use an ACL to control FTP clients’ access to the switch
Use the command: ftp server acl acl-number
Remarks: Optional. By default, no ACL is used to control FTP clients’ access to the switch.

To do: Configure the idle-timeout timer
Use the command: ftp timeout minutes
Remarks: Optional. 30 minutes by default. Within the idle-timeout time, if there is no information interaction between the FTP server and client, the connection between them is terminated.

To do: Set the file update mode for the FTP server
Use the command: ftp update { fast | normal }
Remarks: Optional. Normal update is used by default.

To do: Quit to user view
Use the command: quit

To do: Manually release the FTP connection established with the specified username
Use the command: free ftp user username
Remarks: Optional. Available in user view
Configuring authentication and authorization on the FTP server  
To allow an FTP user to access certain directories on the FTP server, you must create an account for the  
user, authorizing access to the directories and associating the username and password with the account.  
The following configuration is used when the FTP server authenticates and authorizes a local FTP user. If  
the FTP server needs to authenticate a remote FTP user, you must configure authentication, authorization  
and accounting (AAA) policy instead of the local user. For detailed configuration, see the Security  
Command Reference.  
In local authentication, the switch checks the input username and password against those configured on  
the switch. In remote authentication, the switch sends the input username and password to the remote  
authentication server, which then checks whether they are consistent with those configured on the switch.  
Follow these steps to configure authentication and authorization for FTP server:  
To do: Enter system view
Use the command: system-view

To do: Create a local user and enter its view
Use the command: local-user user-name
Remarks: Required. No local user exists by default, and the system does not support FTP anonymous user access.

To do: Assign a password to the user
Use the command: password { simple | cipher } password
Remarks: Required

To do: Assign the FTP service to the user
Use the command: service-type ftp
Remarks: Required. By default, the system does not support anonymous FTP access, and does not assign any service. If the FTP service is assigned, the root directory of the switch is used by default.

To do: Configure user properties
Use the command: authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | level level | user-profile profile-name | user-role security-audit | vlan vlan-id | work-directory directory-name } *
Remarks: Optional. By default, the FTP/SFTP users can access the root directory of the switch, and the user level is 0. You can change the default configuration by using this command.
NOTE:  
For more information about the local-user, password, service-type ftp, and authorization-attribute  
commands, see the Security Command Reference.  
When the switch serves as the FTP server, if the client is to perform the write operations (such as upload,  
delete, and create) on the device’s file system, the FTP login users must be level 3 users; if the client is to  
perform other operations such as the read operation, the switch has no restriction on the user level of the  
FTP login users.  
FTP server configuration example  
Network requirements  
As shown in Figure 38, use the device as an FTP server, and the PC as the FTP client. Their IP  
addresses are 1.2.1.1/16 and 1.1.1.1/16 respectively. The device and PC can reach each other.  
PC keeps the updated system software image file of the device. Use FTP to upgrade the device and  
back up the configuration file.  
Set the username to ftp and the password to pwd for the FTP client to log in to the FTP server.  
Figure 38 Upgrading using the FTP server  
Configuration procedure  
1. Configure the device (FTP Server)
# Create an FTP user account ftp, set its password to pwd and the user privilege level to level 3 (the  
manage level). Allow user ftp to access the root directory of the flash, and specify ftp to use FTP.  
<Sysname> system-view  
[Sysname] local-user ftp  
[Sysname-luser-ftp] password simple pwd  
[Sysname-luser-ftp] authorization-attribute level 3  
[Sysname-luser-ftp] authorization-attribute work-directory flash:/  
[Sysname-luser-ftp] service-type ftp  
[Sysname-luser-ftp] quit  
# Enable FTP server.  
[Sysname] ftp server enable  
[Sysname] quit  
# Check files on your device. Remove those redundant to ensure adequate space for the system software  
image file to be uploaded.  
<Sysname> dir
Directory of flash:/
   0   drw-        -  Dec 07 2005 10:00:57   filename
   1   drw-        -  Jan 02 2006 14:27:51   logfile
   2   -rw-     1216  Jan 02 2006 14:28:59   config.cfg
   3   -rw-     1216  Jan 02 2006 16:27:26   back.cfg

14986 KB total (2511 KB free)
<Sysname> delete /unreserved flash:/back.cfg  
2. Configure the PC (FTP Client)
# Log in to the FTP server through FTP.  
c:\> ftp 1.1.1.1  
Connected to 1.1.1.1.  
220 FTP service ready.  
User(1.1.1.1:(none)): ftp  
331 Password required for ftp.  
Password:  
230 User logged in.  
# Download the configuration file config.cfg of the device to the PC for backup.  
ftp> get config.cfg back-config.cfg  
# Upload the system software image file newest.bin to the device.
ftp> put newest.bin  
ftp> bye  
NOTE:  
You can take the same steps to upgrade configuration file with FTP. When upgrading the configuration  
file with FTP, put the new file in the storage medium’s root directory.  
After you finish transferring Boot ROM through FTP, you must execute the bootrom update command to  
upgrade Boot ROM.  
3. Upgrade the device
# Specify newest.bin as the main system software image file for next startup.  
<Sysname> boot-loader file newest.bin main  
# Reboot the device and the system software image file is updated at the system reboot.  
<Sysname> reboot  
CAUTION:  
The system software image file used for the next startup must be saved in the storage medium’s root  
directory. You can copy or move a file to the storage medium’s root directory. For more information about  
the boot-loader command, see the Fundamentals Command Reference.  
Displaying and maintaining FTP  
To do: Display the configuration of the FTP client
Use the command: display ftp client configuration [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view

To do: Display the configuration of the FTP server
Use the command: display ftp-server [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view

To do: Display detailed information about logged-in FTP users
Use the command: display ftp-user [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view
TFTP configuration  
TFTP overview  
Introduction to TFTP  
The Trivial File Transfer Protocol (TFTP) provides functions similar to those provided by FTP, but it is less  
complex than FTP in interactive access interface and authentication. It is more suitable in environments  
where complex interaction is not needed between client and server.  
TFTP uses the UDP port 69 for data transmission. For more information about TFTP basic operation, see  
RFC 1350.  
In TFTP, file transfer is initiated by the client.  
In a normal file downloading process, the client sends a read request to the TFTP server, receives  
data from the server, and then sends the acknowledgement to the server.  
In a normal file uploading process, the client sends a write request to the TFTP server, sends data to  
the server, and receives the acknowledgement from the server.  
TFTP transfers files in the following modes:  
Binary mode: Transfers files as raw data, such as .app, .bin, and .btm files.  
ASCII mode: Transfers files as text, such as .txt, .bat, and .cfg files.  
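The read-request exchange described above, as an added example in Python that is not part of the HP guide: it encodes the RFC 1350 packets and replays a download in memory, including the case where the file length is an exact multiple of 512 bytes. The function names and sample files are constructed for illustration; octet and netascii are the RFC 1350 names for the binary and ASCII modes.

```python
import struct

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5   # opcodes defined in RFC 1350
BLOCK_SIZE = 512                             # a shorter DATA block ends the transfer

# Constructed sample files held by the in-memory "server".
SAMPLE_FILES = {
    "newest.bin": bytes(range(256)) * 4 + b"tail",   # 1028 bytes: 512 + 512 + 4
    "exact.bin": b"\xaa" * 1024,                     # exact multiple of 512
}


def build_request(opcode, filename, mode="octet"):
    """RRQ/WRQ layout: opcode, filename, NUL, mode, NUL. No credential field exists."""
    if opcode not in (RRQ, WRQ):
        raise ValueError("opcode must be RRQ or WRQ")
    return (struct.pack("!H", opcode) + filename.encode("ascii") + b"\0"
            + mode.encode("ascii") + b"\0")


def build_data(block, payload):
    if len(payload) > BLOCK_SIZE:
        raise ValueError("DATA payload is limited to 512 bytes")
    return struct.pack("!HH", DATA, block) + payload


def build_ack(block):
    return struct.pack("!HH", ACK, block)


def build_error(code, message):
    return struct.pack("!HH", ERROR, code) + message.encode("ascii") + b"\0"


def parse_packet(packet):
    """Decode one TFTP packet into a dict; raise ValueError if it is malformed."""
    if len(packet) < 4:
        raise ValueError("packet shorter than 4 bytes")
    opcode, second = struct.unpack("!HH", packet[:4])
    if opcode in (RRQ, WRQ):
        fields = packet[2:].split(b"\0")
        if len(fields) < 3 or not fields[0] or not fields[1]:
            raise ValueError("request needs a NUL-terminated filename and mode")
        return {"op": opcode, "filename": fields[0].decode("ascii"),
                "mode": fields[1].decode("ascii").lower()}
    if opcode == DATA:
        if len(packet) > 4 + BLOCK_SIZE:
            raise ValueError("DATA packet too long")
        return {"op": DATA, "block": second, "data": packet[4:]}
    if opcode == ACK:
        if len(packet) != 4:
            raise ValueError("ACK must be exactly 4 bytes")
        return {"op": ACK, "block": second}
    if opcode == ERROR:
        text = packet[4:].split(b"\0")[0].decode("ascii")
        return {"op": ERROR, "code": second, "message": text}
    raise ValueError(f"unknown opcode {opcode}")


def simulate_download(server_files, filename, mode="octet"):
    """Replay a lock-step download in memory; return (file bytes or None, transcript)."""
    log = []
    request = parse_packet(build_request(RRQ, filename, mode))
    log.append(f"client -> server  RRQ {request['filename']} {request['mode']}")
    content = server_files.get(request["filename"])
    if content is None:
        error = parse_packet(build_error(1, "File not found"))  # error code 1 in RFC 1350
        log.append(f"server -> client  ERROR {error['code']} {error['message']}")
        return None, log
    received, block, offset = bytearray(), 1, 0
    while True:
        data = parse_packet(build_data(block, content[offset:offset + BLOCK_SIZE]))
        log.append(f"server -> client  DATA block={data['block']} len={len(data['data'])}")
        received += data["data"]
        ack = parse_packet(build_ack(data["block"]))
        log.append(f"client -> server  ACK block={ack['block']}")
        offset += len(data["data"])
        if len(data["data"]) < BLOCK_SIZE:   # short (possibly empty) block: transfer done
            return bytes(received), log
        block += 1


if __name__ == "__main__":
    for name in ("newest.bin", "exact.bin", "missing.bin"):
        _, transcript = simulate_download(SAMPLE_FILES, name)
        print("\n".join(transcript), end="\n\n")
```

The request carries only a filename and a mode, so which peers may exchange files is decided by network reachability and by ACLs, not by the protocol itself.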
TFTP operation  
NOTE:  
Only the TFTP client service is available with your device at present.  
Figure 39 TFTP configuration diagram  
Before using TFTP, the administrator needs to configure IP addresses for the TFTP client and server, and  
make sure that there is a reachable route between the TFTP client and server.  
When the device serves as the TFTP client, you need to perform the following configuration:  
Table 10 Configuration when the device serves as the TFTP client
Device: Device (TFTP client)
Configuration: Configure the IP address and routing function, and ensure that the route between the device and the TFTP server is available. Use the tftp command to establish a connection to the remote TFTP server to upload/download files to/from the TFTP server.

Device: PC (TFTP server)
Configuration: Enable TFTP server on the PC, and configure the TFTP working directory.
Configuring the TFTP client  
When a device acts as a TFTP client, you can upload a file on the device to a TFTP server or download  
a file from the TFTP server to the local device. You can use either of the following methods to download  
a file:  
Normal download: The device writes the obtained file to the storage medium directly. If you download
a remote file using a destination filename (destination-filename) that already exists in the directory,
the device deletes the original file and then saves the new one. If the download fails because of a
network disconnection or for other reasons, the original file cannot be recovered because it has
already been deleted.
Secure download: The device saves the obtained file to its memory and does not write it to the  
storage medium until the whole file is obtained. If you download a remote file using a filename  
destination-filename that exists in the directory, the original file is not overwritten. If file download  
fails due to network disconnection or other reasons, the original file still exists. This mode is more  
secure but consumes more memory.  
HP recommends that you use the secure mode or, if you use the normal mode, specify a filename not  
existing in the current directory as the target filename when downloading the system software image file  
or the startup configuration file.  
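A model of the two download methods described above, as an added Python example (not the switch's implementation) that shows what is left on storage when the link drops partway through a transfer. The file contents, function names and the temporary-file-and-rename step in secure_download are assumptions made for the illustration.

```python
import os
import tempfile


class TransferInterrupted(Exception):
    """Raised by the constructed source to model a network disconnection."""


def blocks_from(data, fail_after=None, size=512):
    """Yield data in blocks; raise after `fail_after` blocks have been delivered."""
    for index, offset in enumerate(range(0, len(data), size)):
        if fail_after is not None and index >= fail_after:
            raise TransferInterrupted(f"link lost after {index} block(s)")
        yield data[offset:offset + size]


def normal_download(path, source):
    """Normal method: the existing file is deleted first, then blocks are
    written to storage as they arrive."""
    if os.path.exists(path):
        os.remove(path)
    with open(path, "wb") as out:
        for block in source:
            out.write(block)


def secure_download(path, source):
    """Secure method: hold the whole file in memory and touch storage only
    after the last block has arrived."""
    buffered = b"".join(source)      # an interruption raises here, before any write
    tmp = path + ".part"             # assumption: write beside the target, then rename
    with open(tmp, "wb") as out:
        out.write(buffered)
        out.flush()
        os.fsync(out.fileno())
    os.replace(tmp, path)            # the old file is replaced in a single step


def outcome(method, fail_after=None):
    """Run one download over an existing file and describe what is on storage."""
    old = b"OLD-IMAGE" * 200         # constructed contents, 1800 bytes
    new = b"NEW-IMAGE" * 300         # constructed contents, 2700 bytes
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "newest.bin")
        with open(path, "wb") as fh:
            fh.write(old)
        try:
            method(path, blocks_from(new, fail_after))
        except TransferInterrupted:
            pass
        with open(path, "rb") as fh:
            on_storage = fh.read()
    if on_storage == old:
        return "original intact"
    if on_storage == new:
        return "new file complete"
    return f"corrupt: {len(on_storage)} of {len(new)} bytes"


if __name__ == "__main__":
    for method in (normal_download, secure_download):
        print(method.__name__, "| link drops:", outcome(method, fail_after=2),
              "| no fault:", outcome(method))
```

The same trade-off applies to the FTP server's ftp update { fast | normal } setting described earlier: buffering costs memory, and writing as data arrives risks a damaged file.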
Before using the tftp command to establish a TFTP connection, you can perform source address binding.  
Source address binding means configuring an IP address on a stable interface such as a loopback  
interface, and then using this IP address as the source IP address of a TFTP connection. The source  
address binding function simplifies the configuration of ACL rules and security policies. You only need to  
specify the source or destination address argument in an ACL rule as the address to filter inbound and  
outbound packets on the device, ignoring the difference between interface IP addresses as well as the  
effect of interface statuses. You can configure the source address by configuring the source interface or  
source IP address. The primary IP address configured on the source interface is the source address of the  
transmitted packets.  
Follow these steps to configure the TFTP client:  
To do: Enter system view
Use the command: system-view

To do: Use an ACL to control the device’s access to TFTP servers
Use the command: tftp-server [ ipv6 ] acl acl-number
Remarks: Optional. By default, no ACL is used to control the device’s access to TFTP servers.

To do: Configure the source address of the TFTP client
Use the command: tftp client source { interface interface-type interface-number | ip source-ip-address }
Remarks: Optional. A device uses the source address determined by the matched route to communicate with the TFTP server by default.

To do: Return to user view
Use the command: quit

To do: Download or upload a file in an IPv4 network
Use the command: tftp server-address { get | put | sget } source-filename [ destination-filename ] [ source { interface interface-type interface-number | ip source-ip-address } ]
Remarks: Optional. Available in user view

To do: Download or upload a file in an IPv6 network
Use the command: tftp ipv6 tftp-ipv6-server [ -i interface-type interface-number ] { get | put } source-file [ destination-file ]
Remarks: Optional. Available in user view
NOTE:  
If no primary IP address is configured on the source interface, no TFTP connection can be established.  
If you use the tftp client source command to first configure the source interface and then the source IP
address of the packets of the TFTP client, the new source IP address will overwrite the current one, and
vice versa.
Displaying and maintaining the TFTP client  
To do: Display the configuration of the TFTP client
Use the command: display tftp client configuration [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view
TFTP client configuration example  
Network requirements  
As shown in Figure 40, use a PC as the TFTP server and the device as the TFTP client. Their IP  
addresses are 1.2.1.1/16 and 1.1.1.1/16 respectively. The device and PC can reach each other.  
The device downloads a system software image file from PC for upgrading and uploads a  
configuration file named config.cfg to PC for backup.  
Figure 40 Smooth upgrading using the TFTP client function  
Configuration procedure
1. Configure the PC (TFTP Server). The configuration procedure is omitted.
On the PC, enable the TFTP server.
Configure a TFTP working directory.
2. Configure the device (TFTP Client)
CAUTION:  
If the available memory space of the device is not enough, use the fixdisk command to clear the memory  
or use the delete /unreserved file-url command to delete the files not in use and then perform the following  
operations.  
# Enter system view.  
<Sysname> system-view  
# Download system software image file newest.bin from the PC.  
<Sysname> tftp 1.2.1.1 get newest.bin  
# Upload a configuration file config.cfg to the TFTP server.  
<Sysname> tftp 1.2.1.1 put config.cfg configback.cfg  
# Specify newest.bin as the main system software image file for the next startup.  
<Sysname> boot-loader file newest.bin main
# Reboot the device and the system software image file is upgraded.  
<Sysname> reboot  
CAUTION:  
The system software image file used for the next startup must be saved in the root directory of the
storage medium. You can copy or move a file to the root directory of the storage medium. For more
information about the boot-loader command, see the Fundamentals Command Reference.
File management  
Managing files  
Files such as host software and configuration files that are necessary for the operation of the device are  
saved in the storage media of the device. You can manage files on your device through these operations:  
Filename formats  
When you specify a file, you must enter the filename in one of the following formats.  
Filename formats:  
Format: file-name
Description: Specifies a file in the current working directory.
Length: 1 to 91 characters
Example: a.cfg indicates a file named a.cfg in the current working directory.

Format: path/file-name
Description: Specifies a file in the specified folder in the current working directory. path indicates the name of the folder. You can specify multiple folders, indicating a file under a multi-level folder.
Length: 1 to 135 characters
Example: test/a.cfg indicates a file named a.cfg in the test folder in the current working directory.

Format: drive:/[path]/file-name
Description: Specifies a file in the specified storage medium on the device. drive represents the storage medium name, which is usually flash or cf. If there is only one storage medium on the device, you do not need to provide information about the storage medium. If multiple storage media exist on the device, you must provide the related information to identify the storage medium.
Length: 1 to 135 characters
Example: flash:/test/a.cfg indicates a file named a.cfg in the test folder in the root directory of the flash memory.
Performing directory operations  
You can create or remove a directory, display the current working directory, the specified directory, and  
file information.  
Displaying directory information  
To do: Display directory or file information
Use the command: dir [ /all ] [ file-url ]
Remarks: Required. Available in user view

Displaying the current working directory
To do: Display the current working directory
Use the command: pwd
Remarks: Required. Available in user view

Changing the current working directory
To do: Change the current working directory
Use the command: cd { directory | .. | / }
Remarks: Required. Available in user view

Creating a directory
To do: Create a directory
Use the command: mkdir directory
Remarks: Required. Available in user view

Removing a directory
To do: Remove a directory
Use the command: rmdir directory
Remarks: Required. Available in user view
NOTE:  
The directory to be removed must be empty, meaning that before you remove a directory, you must  
delete all the files and the subdirectory in this directory. For file deletion, see the delete command; for  
subdirectory deletion, see the rmdir command.  
The rmdir command automatically deletes the files in the recycle bin in the current directory.  
Performing file operations  
You can display the specified directory or file information; display file contents; rename, copy, move,  
remove, restore, and delete files.  
NOTE:  
You can create a file by copying, downloading or using the save command.  
Displaying file information  
To do: Display file or directory information
Use the command: dir [ /all ] [ file-url ]
Remarks: Required. Available in user view

Displaying the contents of a file
To do: Display the contents of a file
Use the command: more file-url
Remarks: Required. Only text files can be displayed. Available in user view

Renaming a file
To do: Rename a file
Use the command: rename fileurl-source fileurl-dest
Remarks: Required. Available in user view

Copying a file
To do: Copy a file
Use the command: copy fileurl-source fileurl-dest
Remarks: Required. Available in user view

Moving a file
To do: Move a file
Use the command: move fileurl-source fileurl-dest
Remarks: Required. Available in user view

Deleting a file
To do: Move a file to the recycle bin or delete it permanently
Use the command: delete [ /unreserved ] file-url
Remarks: Required. Available in user view
CAUTION:  
The files in the recycle bin still occupy storage space. To delete a file in the recycle bin, execute the reset
recycle-bin command in the directory to which the file originally belongs. HP recommends that you empty
the recycle bin periodically with the reset recycle-bin command to save storage space.
The delete /unreserved file-url command deletes a file permanently and the action cannot be undone.  
Executing this command equals executing the delete file-url command and then the reset recycle-bin  
command in the same directory.  
Restoring a file from the recycle bin  
To do: Restore a file from the recycle bin
Use the command: undelete file-url
Remarks: Required. Available in user view

Emptying the recycle bin
To do: Enter the original working directory of the file to be deleted
Use the command: cd { directory | .. | / }
Remarks: Optional. If the original directory of the file to be deleted is not the current working directory, this command is required. Available in user view

To do: Delete the file in the current directory and in the recycle bin
Use the command: reset recycle-bin [ /force ]
Remarks: Required. Available in user view
Performing batch operations  
A batch file is a set of executable commands. Executing a batch file is the same as executing the  
commands in the batch file one by one.  
Before executing a batch file, edit the batch file on your PC, and then download the batch file to the  
device. If the suffix of the file is not .bat, use the rename command to change the suffix to .bat.  
Follow these steps to execute a batch file:  
To do: Enter system view
Use the command: system-view

To do: Execute a batch file
Use the command: execute filename
Remarks: Required
CAUTION:  
Executing a batch file does not guarantee successful execution of every command in the batch file. If a  
command has error settings or the conditions for executing the command are not satisfied, this command  
fails to be executed, and the system skips to the next command.  
Performing storage medium operations  
Managing the space of a storage medium  
When the space of a storage medium becomes inaccessible due to abnormal operations, you can use  
the fixdisk command to restore it. The execution of the format command formats the storage medium,  
and all the data on the storage medium is deleted.  
Use the following commands to manage the space of a storage medium:  
To do: Restore the space of a storage medium
Use the command: fixdisk device
Remarks: Optional. Available in user view

To do: Format a storage medium
Use the command: format device
Remarks: Optional. Available in user view
CAUTION:  
When you format a storage medium, all the files stored on it are erased and cannot be restored. If a  
startup configuration file exists on the storage medium, formatting the storage medium results in loss of the  
startup configuration file.  
Setting prompt modes  
The system provides the following prompt modes:  
alert—In this mode, the system warns you about operations that may bring undesirable  
consequences such as file corruption or data loss.  
quiet—In this mode, the system does not prompt confirmation for any operation.  
To prevent undesirable consequences resulting from mis-operations, the alert mode is preferred.  
Follow these steps to set the operation prompt mode:  
To do: Enter system view
Use the command: system-view

To do: Set the operation prompt mode of the file system
Use the command: file prompt { alert | quiet }
Remarks: Optional. The default is alert.
Example for file operations  
# Display the files and the subdirectories in the current directory.  
<Sysname> dir
Directory of flash:/
   0   drw-        -  Feb 16 2006 11:45:36   logfile
   1   -rw-     1218  Feb 16 2006 11:46:19   config.cfg
   2   drw-        -  Feb 16 2006 15:20:27   test
   3   -rw-   184108  Feb 16 2006 15:30:20   aaa.bin

14986 KB total (2521 KB free)
# Create a new folder mytest in the test directory.  
<Sysname> cd test  
<Sysname> mkdir mytest  
%Created dir flash:/test/mytest.  
# Display the current working directory.  
<Sysname> pwd  
flash:/test  
# Display the files and the subdirectories in the test directory.  
<Sysname> dir
Directory of flash:/test/
   0   drw-        -  Feb 16 2006 15:28:14   mytest

14986 KB total (2519 KB free)
# Return to the upper directory.  
<Sysname> cd ..  
# Display the current working directory.  
<Sysname> pwd  
flash:  
Configuration file management  
Configuration file overview  
A configuration file contains a set of commands. You can save the current configuration to a  
configuration file so that the configuration can take effect after a switch reboot. In addition, you can  
conveniently view the configuration information, or upload and download the configuration file to/from  
another switch to configure switches in batches.  
Types of configuration  
The switch maintains the following types of configurations: factory defaults, startup configuration, and  
running configuration.  
Factory defaults  
Switches are shipped with some basic settings, which are called factory defaults. These default settings  
ensure that a switch can start up and run normally when it has no configuration file or the configuration  
file is damaged.  
Startup configuration  
The switch uses the startup configuration for initialization when it boots. If this file does not exist, the
system boots using null configuration. Null configuration is the factory default configuration, which may
differ from the default settings for commands. The factory default configuration may vary with switch models.
View the startup configuration using either of the following methods:
Use the display startup command to view the configuration file currently in use, and use the more
command to view the content of the configuration file.
After the reboot of the switch and before configuring the switch, use the display  
current-configuration command to view the startup configuration.  
Running configuration  
The running configuration is stored in the temporary storage media of the switch, and will be removed if  
not saved when the switch reboots.  
Use the display current-configuration command to view the current validated configuration of the switch.  
Format and content of a configuration file  
A configuration file is saved as a text file; the following rules apply:  
Only non-default configuration settings are saved.  
Commands in a configuration file are listed in sections by views, usually in the order of system view,  
interface view, routing protocol view, and user interface view. Sections are separated with one or  
multiple blank lines or comment lines that start with a pound sign #.  
A configuration file ends with a return.  
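The format rules above are enough to parse a saved configuration file offline. The following added example (Python, not part of the HP guide) splits a file into sections and reports the FTP server settings this guide describes; both sample configurations are constructed, the ACL number 2001 and the cipher string are placeholders, and the finding names are hypothetical.

```python
# Constructed sample, modelled on the commands in this guide's FTP server example.
WEAK_CONFIG = """#
 sysname Sysname
#
local-user ftp
 password simple pwd
 authorization-attribute level 3
 authorization-attribute work-directory flash:/
 service-type ftp
#
 ftp server enable
#
return
"""

# Constructed sample: cipher password (placeholder value), client ACL (placeholder number).
HARDENED_CONFIG = """#
 sysname Sysname
#
local-user ftp
 password cipher CIPHERTEXT-PLACEHOLDER
 authorization-attribute work-directory flash:/backup
 service-type ftp
#
 ftp server enable
 ftp server acl 2001
#
return
"""


def split_sections(text):
    """Split a configuration file into sections (lists of stripped command lines).

    Sections are separated by blank lines or by comment lines that start with '#'.
    """
    sections, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            if current:
                sections.append(current)
                current = []
            continue
        current.append(line)
    if current:
        sections.append(current)
    return sections


def attribute(body, key):
    """Return the value that follows `key` on an authorization-attribute line, else None."""
    value = None
    for words in body:
        if words[0] == "authorization-attribute" and key in words[1:-1]:
            value = words[words.index(key, 1) + 1]
    return value


def audit_ftp_settings(text):
    """Return a list of (finding_id, detail) tuples for the FTP-related settings."""
    findings = []
    sections = split_sections(text)
    if not sections or sections[-1] != ["return"]:
        findings.append(("NO-RETURN", "file does not end with 'return'; it may be truncated"))

    commands = [line for section in sections for line in section]
    if "ftp server enable" in commands and not any(
            c.startswith("ftp server acl ") for c in commands):
        findings.append(("FTP-NO-ACL", "FTP server enabled, no 'ftp server acl' limits clients"))

    for section in sections:
        head = section[0].split()
        if len(head) < 2 or head[0] != "local-user":
            continue
        user, body = head[1], [line.split() for line in section[1:]]
        if not any(w[0] == "service-type" and "ftp" in w[1:] for w in body):
            continue                               # account is not allowed to use FTP
        if any(w[:2] == ["password", "simple"] for w in body):
            findings.append(("PLAINTEXT-PASSWORD", f"{user}: password set with 'simple'"))
        if attribute(body, "level") == "3":        # level 3 is needed for write operations
            findings.append(("FTP-WRITE-LEVEL", f"{user}: can upload, delete and create files"))
        workdir = attribute(body, "work-directory")
        if workdir is None or workdir.rstrip("/").endswith(":"):
            findings.append(("FTP-ROOT-DIR", f"{user}: FTP access starts at the root directory"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_ftp_settings(text))
```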
Coexistence of multiple configuration files  
The switch can save multiple configuration files on its storage media. You can save the configurations  
used in different networking environments as different configuration files. When the switch moves  
between networking environments, specify the configuration file as the startup configuration file of the  
switch and then restart the switch. Multiple configuration files allow the switch to adapt to a network  
rapidly, saving the configuration workload.  
A switch starts up using only one configuration file. However, when the switch has main and backup
configuration files, you can specify two startup configuration files as needed: a main startup configuration
file and a backup startup configuration file. The switch starts up using the main startup configuration file.
If the main startup configuration file is corrupted or lost, the switch starts up using the backup startup
configuration file. Switches supporting main and backup startup configuration files are more secure and
reliable.
At any given time, the switch has at most one main startup configuration file and one backup startup
configuration file. You can also specify neither of the two files (displayed as NULL).
You can specify main and backup startup configuration files using one of the following methods:  
Specify them when saving the running configuration. For more information, see “Saving the running  
Specify them when specifying the startup configuration file. For more information, see “Specifying  
Startup with the configuration file  
The switch takes the following steps when it starts up:  
1. If the main startup configuration file you specified exists, the switch starts up with this configuration
file.
2. If the main startup configuration file you specified does not exist but the backup startup
configuration file exists, the switch starts up with the backup startup configuration file.
3. If neither the main nor the backup startup configuration file exists, the switch starts up with null
configuration.
Saving the running configuration  
Introduction  
To make configuration changes take effect at the next startup of the switch, save the running configuration  
to the startup configuration file to be used at the next startup before the switch reboots.  
Modes in saving the configuration  
Fast saving mode. This is the mode when you use the save command without the safely keyword.  
The mode saves the file more quickly but is likely to lose the existing configuration file if the switch  
reboots or the power fails during the process.  
Safe mode. This is the mode when you use the save command with the safely keyword. The mode  
saves the file more slowly but can retain the configuration file in the switch even if the switch reboots  
or the power fails during the process.  
The fast saving mode is suitable for environments where the power supply is stable. The safe mode is  
preferred in environments where a stable power supply is unavailable or remote maintenance is  
involved.  
Follow these steps to save the current configuration:  
To do: Save the current configuration to the specified file, but the configuration file will not be set as the file for the next startup
Use the command: save file-url

To do: Save the current configuration to the root directory of the storage medium and specify the file as the startup configuration file to be used at the next system startup
Use the command: save [ safely ] [ backup | main ] [ force ]

Remarks (both commands): Required. Use either command. Available in any view.
NOTE:  
The configuration file must have the .cfg extension.  
The execution of the save [ safely ] and save [ safely ] main commands has the same effect: The system  
will save the current configuration and specify the configuration file as the main startup configuration file  
to be used at the next system startup.  
During the execution of the save [ backup | main ] command, the startup configuration file to be used  
at the next system startup may be lost if the switch reboots or the power supply fails. The switch will boot  
with the null configuration, and after the switch reboots, you will need to re-specify a startup  
configuration file for the next system startup (see “Specifying a startup configuration file to be used at  
Setting configuration rollback  
Configuration rollback  
Configuration rollback allows you to revert to a previous configuration state based on a specified  
configuration file. The specified configuration file must be a valid .cfg file generated by using either the  
backup function (manually or automatically) or the save command, or, if a configuration file is generated  
by another switch, the configuration file must comply with the format of the configuration file on the  
current switch. HP recommends that you use the configuration file that is generated by using the backup  
function (manually or automatically). Configuration rollback can be applied in the following situations:  
Running configuration error. Rolling back the running configuration to a correct one is needed.  
The application environment has changed and the switch has to run in a configuration state based  
on a previous configuration file without being rebooted.  
Before setting configuration rollback, perform the following steps:  
1. Specify the filename prefix and path for saving the running configuration.  
2. Save the running configuration with the specified filename (filename prefix + serial number) to the specified path. The running configuration can be saved automatically or manually.  
When you enter the configuration replace file command, the system compares the running configuration  
and the specified replacement configuration file. The configuration replace file command performs the  
following actions:  
Preserves all commands present in both the replacement configuration file and the running  
configuration.  
Removes commands from the running configuration that are not present in the replacement  
configuration file.  
Applies the commands from the replacement configuration file that are not present in the running  
configuration.  
Applies the commands from the replacement configuration file that have different configurations in  
the running configuration.  
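The comparison described above can be previewed offline before the command is run, so that a reviewer sees which commands a rollback would remove or re-apply. The following Python code is an added example, not HP's implementation: the .cfg layout it parses, the last-token heuristic for "different configurations", and both sample configurations are assumptions constructed for illustration.

```python
"""Preview of a `configuration replace file` rollback (added example)."""


def parse_cfg(text):
    """Return ordered, de-duplicated (view, command) pairs.

    Assumed file layout: '#' separates sections, a line in column 0 opens a
    view, indented lines belong to the open view (or to system view right
    after '#'), and 'return' ends the file.
    """
    entries, view = [], "system"
    for raw in text.splitlines():
        line = raw.rstrip()
        word = line.strip()
        if word == "#":
            view = "system"
        elif word and word != "return":
            if line[0].isspace():
                entries.append((view, word))
            else:
                entries.append(("(view)", word))  # view-opening line
                view = word
    return list(dict.fromkeys(entries))


def same_command_new_value(old, new):
    """Heuristic (assumption): same view, same tokens except the last one."""
    (old_view, old_cmd), (new_view, new_cmd) = old, new
    a, b = old_cmd.split(), new_cmd.split()
    return (old_view == new_view != "(view)" and len(a) == len(b) >= 2
            and a[:-1] == b[:-1] and a[-1] != b[-1])


def rollback_plan(running_text, replacement_text):
    """Classify commands into the four outcomes the manual lists."""
    running, target = parse_cfg(running_text), parse_cfg(replacement_text)
    in_running, in_target = set(running), set(target)
    plan = {
        "preserve": [e for e in running if e in in_target],
        "remove": [e for e in running if e not in in_target],
        "apply_new": [e for e in target if e not in in_running],
        "apply_changed": [],
    }
    # Pair a removed command with its replacement when only the value differs.
    for old in list(plan["remove"]):
        for new in plan["apply_new"]:
            if same_command_new_value(old, new):
                plan["apply_changed"].append((old, new))
                plan["remove"].remove(old)
                plan["apply_new"].remove(new)
                break
    return plan


def validate_replacement(filename, data):
    """Check the two file rules the manual states: .cfg extension, simple text."""
    problems = []
    if not filename.lower().endswith(".cfg"):
        problems.append("file does not use the .cfg extension")
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        text = None
    if text is None or "\x00" in text:
        problems.append("file is not simple text")
    return problems


# Constructed sample configurations (not taken from a real switch).
RUNNING = """#
 sysname Edge-1
#
 telnet server enable
#
vlan 10
 description users
#
vlan 20
 description guests
#
interface Ethernet1/0/1
 port access vlan 20
#
return
"""
REPLACEMENT = """#
 sysname Edge-1
#
vlan 10
 description staff
#
interface Ethernet1/0/1
 port access vlan 10
#
interface Ethernet1/0/2
 shutdown
#
return
"""

if __name__ == "__main__":
    for outcome, items in rollback_plan(RUNNING, REPLACEMENT).items():
        print(outcome)
        for item in items:
            print("   ", item)
```

The "remove" list is the part to review most carefully, because the CAUTION later in this section notes that commands the switch cannot undo are skipped.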
Configuration task list  
Complete these tasks to configure the configuration rollback:  
Task  
Remarks  
Required  
Required  
Use either approach  
Required  
Configuring parameters for saving the running configuration  
Before the running configuration is saved manually or automatically, the file path and filename prefix  
must be configured. After that, the system saves the running configuration with the specified filename  
(filename prefix_serial number.cfg) to the specified path. The filename of a saved configuration file is like  
20080620archive_1.cfg, or 20080620archive_2.cfg. The saved configuration files are numbered  
automatically, from 1 to 1,000 (with an increment of 1). If the serial number reaches 1,000, it restarts from  
1. If you change the path or filename prefix, or reboot the switch, the saved file serial number restarts from  
1, and the system recounts the saved configuration files. If you change the path of the saved configuration  
files, the files in the original path become common configuration files, and are not processed as saved  
configuration files, and are not displayed when you view saved configuration files.  
The number of saved configuration files has an upper limit. After the maximum number of files is saved,  
the system deletes the oldest files when the next configuration file is saved.  
Follow these steps to configure parameters for saving the running configuration:  
To do: Enter system view  
Use the command: system-view  

To do: Configure the path and filename prefix for saving configuration files  
Use the command: archive configuration location directory filename-prefix filename-prefix  
Remarks: Required. By default, the path and filename for saving configuration files are not configured, and the system does not save the configuration file at a specified interval.  

To do: Set the maximum number of configuration files that can be saved  
Use the command: archive configuration max file-number  
Remarks: Optional. The default number is 5.  
NOTE:  
If the undo archive configuration location command is executed, the running configuration cannot be  
saved either manually or automatically, and the configuration is restored to the default by executing the  
archive configuration interval and archive configuration max commands. The saved configuration  
files are cleared.  
The value of the file-number argument is determined by memory space. Set a comparatively small value  
for the file-number argument if the available memory space is small.  
Enabling automatic saving of the running configuration  
You can configure the system to save the running configuration at a specified interval, and use the  
display archive configuration command to view the filenames and save time of the saved configuration  
files. This enables you to easily roll back the current configuration to a previous configuration state.  
Configure an automatic save interval based on the storage media’s performance and the frequency of  
configuration modification using the following guidelines:  
If the configuration of the switch does not change frequently, manually save the running  
configuration as needed  
Save the running configuration manually, or configure automatic saving with an interval longer  
than 1,440 minutes (24 hours).  
Follow these steps to enable automatic saving of the running configuration:  
To do: Enter system view  
Use the command: system-view  

To do: Enable the automatic saving of the running configuration, and set the interval  
Use the command: archive configuration interval minutes  
Remarks: Optional. Disabled by default.  
NOTE:  
The path and filename prefix for saving configuration files must be specified before you configure the  
automatic saving period.  
Manually saving the running configuration  
Automatic saving of the running configuration occupies system resources, and frequent saving can  
greatly affect system performance. If the system configuration does not change frequently, disable  
automatic saving of the running configuration and save it manually.  
In addition, automatic saving of the running configuration is performed periodically, while manual  
saving can be used to immediately save the running configuration. Before performing a complicated  
configuration, manually save the running configuration so that the switch can revert to the previous state  
if the configuration fails.  
Follow the step below to manually save the running configuration:  
To do: Manually save the running configuration  
Use the command: archive configuration  
Remarks: Required. Available in user view.  
NOTE:  
Specify the path and filename prefix of a saved configuration file before you manually save the running  
configuration; otherwise, the operation fails.  
Setting configuration rollback  
Follow these steps to set configuration rollback:  
To do: Enter system view  
Use the command: system-view  

To do: Set configuration rollback  
Use the command: configuration replace file filename  
Remarks: Required  
CAUTION:  
Configuration rollback may fail if one of the following situations is present (if a command cannot be rolled  
back, the system skips it and processes the next one):  
The complete undo form of a command is not supported. You cannot get the actual undo form of the  
command by simply putting the keyword undo in front of the command, so the complete undo form of  
the command cannot be recognized by the switch.  
The configuration cannot be removed, such as hardware-related commands  
Commands in different views are dependent on each other  
If the replacement configuration file is not a complete file generated by using the save or archive  
configuration command, or the file is copied from a different type of switch, the configuration cannot be  
rolled back. Ensure that the replacement configuration file is correct and compatible with the current  
switch.  
The configuration file specified with the configuration replace file filename command can only be a  
configuration file in simple text. Otherwise, errors may occur in configuration rollback.  
Specifying a startup configuration file to be used at  
the next system startup  
To specify a startup configuration file to be used at the next system startup, use the following guidelines:  
Use the save command. If you save the running configuration to the specified configuration file in  
the interactive mode, the system automatically sets the file as the main startup configuration file to  
be used at the next system startup.  
Use the command dedicated to specify a startup configuration file to be used at the next startup,  
which is described in the following table:  
Follow the step below to specify a startup configuration file to be used at the next startup:  
To do: Specify a startup configuration file to be used at the next startup  
Use the command: startup saved-configuration cfgfile [ backup | main ]  
Remarks: Required. Available in user view.  
CAUTION:  
A configuration file must use .cfg as its extension name and the startup configuration file must be saved in  
the storage media’s root directory.  
Backing up the startup configuration file  
The backup function allows you to copy the startup configuration file to be used at the next startup from  
the switch to the TFTP server.  
The backup operation backs up the main startup configuration file to the TFTP server for switches  
supporting main and backup startup configuration files.  
Follow the step below to back up the startup configuration file to be used at the next startup:  
To do: Back up the startup configuration file to be used at the next startup to the specified TFTP server  
Use the command: backup startup-configuration to dest-addr [ dest-filename ]  
Remarks: Required. Available in user view.  
NOTE:  
Before the backup operation:  
Make sure that the server is reachable and enabled with TFTP service, and the client has the read and  
write permission.  
Use the display startup command (in user view) to check whether you have specified a startup  
configuration file to be used at the next startup. If the file is set as NULL or does not exist, the backup  
operation fails.  
Deleting a startup configuration file  
You can delete a startup configuration file at the CLI. On a switch that has main and backup startup  
configuration files, you can choose to delete the main, the backup, or both. If the switch has only one  
startup configuration to be used at the next startup, the system only sets the startup configuration file to  
NULL.  
You may need to delete a startup configuration file to be used at the next startup for one of the following  
reasons:  
After you upgrade system software, the existing startup configuration files do not match the new  
system software.  
Startup configuration files are corrupted (often caused by loading a wrong configuration file).  
With startup configuration files deleted, the switch uses null configuration at the next startup.  
Follow the step below to delete a startup configuration file to be used at the next startup:  
To do: Delete a startup configuration file to be used at the next startup from the storage media  
Use the command: reset saved-configuration [ backup | main ]  
Remarks: Required. Available in user view.  
CAUTION:  
This command permanently deletes startup configuration files to be used at the next startup from the  
switch. Use the command with caution.  
Restoring a startup configuration file  
The restore function allows you to copy a configuration file from a TFTP server to the switch and specify  
the file as the startup configuration file to be used at the next startup.  
Follow the step below to restore a startup configuration file to be used at the next startup:  
To do: Restore a startup configuration file to be used at the next startup  
Use the command: restore startup-configuration from src-addr src-filename  
Remarks: Required. Available in user view.  
NOTE:  
The restore operation restores the main startup configuration file.  
Before restoring a configuration file, ensure that the server is reachable, the server is enabled with TFTP  
service, and the client has read and write permission.  
After execution of the command, use the display startup command (in user view) to verify that the  
filename of the configuration file to be used at the next system startup is the same as that specified by  
the filename argument.  
Displaying and maintaining a configuration file  
To do: Display the information about configuration rollback  
Use the command: display archive configuration [ | { begin | exclude | include } regular-expression ]  
Remarks: Available in any view  

To do: Display the factory defaults of the switch  
Use the command: display default-configuration [ | { begin | exclude | include } regular-expression ]  
Remarks: Available in any view  

To do: Display the current validated configurations of the switch  
Use the command: display current-configuration [ [ configuration [ configuration ] | interface [ interface-type ] [ interface-number ] | exclude modules ] [ by-linenum ] [ | { begin | exclude | include } regular-expression ] ]  
Remarks: Available in any view  

To do: Display the running configuration file saved on the storage media of the switch  
Use the command: display saved-configuration [ by-linenum ] [ | { begin | exclude | include } regular-expression ]  
Remarks: Available in any view  

To do: Display the configuration files used at this and the next system startup  
Use the command: display startup [ | { begin | exclude | include } regular-expression ]  
Remarks: Available in any view  

To do: Display the valid configuration under the current view  
Use the command: display this [ by-linenum ] [ | { begin | exclude | include } regular-expression ]  
Remarks: Available in any view  
Software upgrade configuration  
Switch software overview  
Switch software includes the Boot ROM and the system software images. After powered on, the device  
runs the Boot ROM image, initializes the hardware, and displays the hardware information. Then the  
device runs the system software image, which provides drivers and adaption for hardware, and  
implements service features. The Boot ROM and system software images are required for the startup and  
running of a device.  
Figure 41 Relationship between the Boot ROM program and the system software images  
Software upgrade methods  
You can upgrade both Boot ROM and system software at the Boot menu or at the command line interface  
(CLI). The following sections cover how to upgrade them at the CLI. For instructions about how to upgrade  
them at the Boot menu, see the installation manual of your switch.  
Upgrading at the CLI falls into the following categories:  
Upgrade object: Boot ROM image; system software  
Description: You need to reboot the whole system to upgrade the software of a switch. This causes running service interruption during the upgrade process, and is not recommended.  

Upgrade object: System software  
Description: Hotfix is a fast, cost-effective method to repair software defects of a switch. Compared with software version upgrade, hotfix can upgrade the software without interrupting the running services of the switch. It can repair the software defects of the current version without rebooting the switch. The patch files match the switch model and software version. If they are not matched, the hotfixing operation fails.  
Upgrading the Boot ROM program through a  
system reboot  
Follow these steps to upgrade Boot ROM:  
To do: Enter system view  
Use the command: system-view  

To do: Enable the validity check function when upgrading Boot ROM  
Use the command: bootrom-update security-check enable  
Remarks: Optional. By default, the validity check function is enabled at the time of upgrading Boot ROM.  

To do: Return to user view  
Use the command: quit  

To do: Save the Boot ROM image to the root directory of the Flash of the switch by using FTP, TFTP, or other approaches.  
Remarks: Required. For more information about FTP or TFTP, see the chapters “FTP configuration” and “TFTP configuration.”  

To do: Upgrade Boot ROM on the switch  
Use the command: bootrom update file file-url slot slot-number-list  
Remarks: Required. Available in user view. The slot keyword specifies the ID of a switch. The ID can only be 1.  

To do: Reboot the switch  
Use the command: reboot [ slot slot-number ]  
Remarks: Available in user view.  
CAUTION:  
To execute the bootrom command successfully, save the Boot ROM image in the storage media’s root  
directory on the switch.  
Upgrading system software through a system  
reboot  
Follow these steps to upgrade system software through a system reboot:  
To do: Save the system software image to the root directory of the Flash of the switch by using FTP, TFTP, or other approaches.  
Remarks: Required. For more information about FTP or TFTP, see the chapters “FTP configuration” and “TFTP configuration.”  

To do: Specify system software image to be used at the next boot of the switch  
Use the command: boot-loader file file-url slot slot-number { main | backup }  
Remarks: Required. Available in user view. The slot keyword specifies the ID of a switch. The switch ID can only be 1.  

To do: Reboot the switch  
Use the command: reboot [ slot slot-number ]  
Remarks: Available in user view.  
CAUTION:  
You must save the file to be used at the next switch boot in the root directory of the switch. You can copy  
or move a file to change the path of it to the root directory.  
To execute the boot-loader command successfully, save the file to be used at the next device boot in the  
storage media’s root directory on the switch.  
Software upgrade by installing hotfixes  
Hotfix can repair software defects of the current version without rebooting the device, protecting the  
running services of the device from being interrupted.  
Basic concepts in hotfix  
Patch and patch file  
A patch, also called “patch unit,” is a package used to fix software defects. Patches are usually released  
as patch files. A patch file may contain one or more patches for different defects. After loaded from the  
storage medium to the memory patch area, each patch is assigned a unique number, which starts from  
1, for identification, management and operation. For example, if a patch file has three patch units, they  
are numbered as 1, 2, and 3 respectively.  
Incremental patch  
An incremental patch means that the patch is dependent on the previous patch units. For example, if a  
patch file has three patch units, patch 3 can be run only after patch 1 and 2 take effect. You cannot run  
patch 3 separately.  
Currently released patches are all incremental patches.  
Common patch and temporary patch  
Common patches are those formally released through the version release flow.  
Temporary patches are those not formally released through the version release flow, but temporarily  
provided to solve the emergent problems.  
Common patches always include the functions of the previous temporary patches so as to replace them.  
The patch type only affects the patch loading process. The system deletes all of the temporary patches  
before it loads the common patch.  
Patch status  
Each patch has its status, which can be switched only by commands. The relationship between patch  
state changes and command actions is shown in Figure 42. The patch can be in the state of IDLE,  
DEACTIVE, ACTIVE, and RUNNING. Load, run temporarily, confirm running, stop running, delete, install,  
and uninstall represent operations, corresponding to commands of patch load, patch active, patch run,  
patch deactive, patch delete, patch install, and undo patch install. For example, if you execute the patch  
active command for the patches in the DEACTIVE state, the patches turn to the ACTIVE state.  
Figure 42 Relationship between patch state changes and command actions  
NOTE:  
Information about patch states is saved in the file patchstate on the flash. Do not operate on this file.  
IDLE state  
Patches in the IDLE state are not loaded. You cannot install or run the patches, as shown in Figure 43 (in  
this example, the memory patch area can load up to eight patches).  
Figure 43 Patches are not loaded to the memory patch area  
(Memory patch area: Patch 1 through Patch 8 are all IDLE.)  
NOTE:  
The memory patch area supports up to 200 patches.  
DEACTIVE state  
Patches in the DEACTIVE state have been loaded to the memory patch area but have not run in the system  
yet. Suppose that the patch file to be loaded has seven patches. After the seven patches successfully pass  
the version check and CRC check, they are loaded to the memory patch area and are in the DEACTIVE  
state. At this time, the patch states in the system are as shown in Figure 44.  
Figure 44 A patch file is loaded to the memory patch area  
ACTIVE state  
Patches in the ACTIVE state are those that have run temporarily in the system and become DEACTIVE after  
system reboot. For the seven patches in Figure 44, if you activate the first five patches, their states change  
from DEACTIVE to ACTIVE. At this time, the patch states in the system are as shown in Figure 45.  
The patches that are in the ACTIVE state are in the DEACTIVE state after system reboot.  
Figure 45 Patches are activated  
(Memory patch area: Patches 1 to 5 are ACTIVE, Patches 6 and 7 are DEACTIVE, and Patch 8 is IDLE.)  
RUNNING state  
After you confirm the ACTIVE patches are running, the patch state becomes RUNNING and they are  
placed in the RUNNING state after system reboot. For the five patches in Figure 45, if you confirm the  
first three patches are running, their states change from ACTIVE to RUNNING. At this time, the patch  
states of the system are as shown in Figure 46.  
The patches that are in the RUNNING state are still in the RUNNING state after system reboot.  
Figure 46 Patches are running  
(Memory patch area: Patches 1 to 3 are RUNNING, Patches 4 and 5 are ACTIVE, Patches 6 and 7 are DEACTIVE, and Patch 8 is IDLE.)  
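The four patch states and the effect of a reboot can be checked against a small model. The following Python code is an added example, not code from the switch software: it replays the situations of Figures 44 to 46 and the one-step installation. The rules it enforces for patch run, patch deactive and patch delete beyond what the text states (earlier patches must already be RUNNING, no later patch may still be in effect, DEACTIVE patches are unchanged by a reboot) are assumptions.

```python
"""Model of the hotfix patch states described above (added example)."""

IDLE, DEACTIVE, ACTIVE, RUNNING = "IDLE", "DEACTIVE", "ACTIVE", "RUNNING"
IN_EFFECT = (ACTIVE, RUNNING)


class PatchError(Exception):
    """Raised when a command is not valid for the patch's current state."""


class PatchArea:
    """Memory patch area: numbered slots that are IDLE until a file is loaded."""

    def __init__(self, slots=8):
        self.state = {n: IDLE for n in range(1, slots + 1)}

    def summary(self):
        return [self.state[n] for n in sorted(self.state)]

    def _require(self, n, allowed, command):
        if self.state.get(n) not in allowed:
            raise PatchError(f"{command} {n}: not allowed in state {self.state.get(n)}")

    def _no_later_in_effect(self, n, command):
        # Assumption: incremental patches must be taken out of effect last-first.
        later = [i for i in self.state if i > n and self.state[i] in IN_EFFECT]
        if later:
            raise PatchError(f"{command} {n}: patches {later} depend on it")

    def load(self, units):
        """patch load: the units of the patch file go from IDLE to DEACTIVE."""
        for n in range(1, units + 1):
            self._require(n, {IDLE}, "patch load")
        for n in range(1, units + 1):
            self.state[n] = DEACTIVE

    def active(self, n):
        """patch active: DEACTIVE -> ACTIVE, only if patches 1..n-1 are in effect."""
        self._require(n, {DEACTIVE}, "patch active")
        missing = [i for i in range(1, n) if self.state[i] not in IN_EFFECT]
        if missing:
            raise PatchError(f"patch active {n}: incremental patch needs {missing} first")
        self.state[n] = ACTIVE

    def run(self, n):
        """patch run: ACTIVE -> RUNNING (applicable to ACTIVE patches only)."""
        self._require(n, {ACTIVE}, "patch run")
        if any(self.state[i] != RUNNING for i in range(1, n)):  # assumption
            raise PatchError(f"patch run {n}: earlier patches are not RUNNING")
        self.state[n] = RUNNING

    def deactive(self, n):
        """patch deactive: a patch in effect goes back to DEACTIVE."""
        self._require(n, set(IN_EFFECT), "patch deactive")
        self._no_later_in_effect(n, "patch deactive")
        self.state[n] = DEACTIVE

    def delete(self, n):
        """patch delete: remove from the memory patch area, back to IDLE."""
        self._require(n, {DEACTIVE, ACTIVE, RUNNING}, "patch delete")
        self._no_later_in_effect(n, "patch delete")
        self.state[n] = IDLE

    def reboot(self):
        """ACTIVE patches fall back to DEACTIVE; RUNNING patches stay RUNNING."""
        for n, current in self.state.items():
            if current == ACTIVE:
                self.state[n] = DEACTIVE

    def install(self, units, keep_after_reboot):
        """patch install: answer Y (True) ends in RUNNING, answer N (False) in ACTIVE."""
        self.load(units)
        for n in range(1, units + 1):
            self.active(n)
            if keep_after_reboot:
                self.run(n)


def replay_figures():
    """Load seven patches, activate five, confirm three, then reboot."""
    area = PatchArea(slots=8)
    area.load(7)                      # Figure 44
    for n in range(1, 6):
        area.active(n)                # Figure 45
    for n in range(1, 4):
        area.run(n)                   # Figure 46
    before = area.summary()
    area.reboot()
    return before, area.summary()


if __name__ == "__main__":
    for label, states in zip(("Figure 46", "after reboot"), replay_figures()):
        print(label, states)
```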
Configuration prerequisites  
Patches are released per switch model. Before patching the system, you need to save the appropriate  
patch files to the switch’s storage media using FTP or TFTP. When saving the patch files, note that the  
following rules apply:  
The patch files match the switch model and software version. If they are not matched, the hotfix  
operation fails.  
Name a patch file properly. Otherwise, the system cannot locate the patch file and the hotfixing  
operation fails. The name is in the format of "patch_PATCH-FLAG suffix.bin". The PATCH-FLAG is  
pre-defined and support for the PATCH-FLAG depends on switch model. The first three characters of  
the version item (using the display patch information command) represent the PATCH-FLAG suffix.  
The system searches the root directory of the storage medium (Flash by default) for patch files based  
on the PATCH-FLAG. If there is a match, the system loads patches to or installs them on the memory  
patch area.  
The following table describes the default patch name for the switch series.  
PATCH-FLAG: PATCH-311  
Default patch name: patch_311.bin  
One-step patch installation  
To install patches in one step, use the patch install command. After you execute the command, the system  
displays the message "Do you want to continue running patches after reboot? [Y/N]:"  
Entering y or Y: All of the specified patches are installed, and turn to the RUNNING state from IDLE.  
This equals execution of the commands patch location, patch load, patch active, and patch run.  
The patches remain RUNNING after system reboot.  
Entering n or N: All of the specified patches are installed and turn to the ACTIVE state from IDLE. This  
equals execution of the commands patch location, patch load and patch active. The patches turn to  
the DEACTIVE state after system reboot.  
Follow these steps to install the patches in one step:  
To do: Enter system view  
Use the command: system-view  

To do: Install the patches in one step  
Use the command: patch install patch-location  
Remarks: Required  
NOTE:  
The patch matches the switch type and software version.  
To uninstall all patches in one operation, use the undo patch install command, which has the same  
Step-by-step patch installation  
Follow these steps to load a patch file:  
To do: Enter system view  
Use the command: system-view  

To do: Configure the patch file location  
Use the command: patch location patch-location  
Remarks: Optional. flash: by default  

To do: Load the patch file from the storage medium to the specified memory patch area  
Use the command: patch load slot slot-number  
Remarks: Required  

To do: Activate the specified patches  
Use the command: patch active patch-number slot slot-number  
Remarks: Required. After you activate a patch, the patch takes effect and is in the test-run stage. After the switch is reset or rebooted, the patch becomes invalid. If you find that an ACTIVE patch has a problem, reboot the switch to deactivate the patch, so as to avoid a series of running faults resulting from patch error.  

To do: Confirm the running of the specified patches  
Use the command: patch run patch-number [ slot slot-number ]  
Remarks: Required. After you confirm the running of a patch, the patch state becomes RUNNING, and the patch is in the normal running stage. After the switch is reset or rebooted, the patch is still valid.  
NOTE:  
Set the file transfer mode to binary mode before using FTP or TFTP to upload/download patch files  
to/from the Flash of the switch. Otherwise, patch file cannot be parsed properly.  
This operation is applicable to patches in the ACTIVE state only.  
Step-by-step patch uninstallation  
Follow these steps to stop running patches:  
To do: Enter system view  
Use the command: system-view  

To do: Stop running the specified patches  
Use the command: patch deactive patch-number slot slot-number  
Remarks: Required. When you stop running a patch, the patch state becomes DEACTIVE, and the system runs in the way before it is installed with the patch.  

To do: Delete the specified patches from the memory patch area  
Use the command: patch delete patch-number slot slot-number  
Remarks: Required. Deleting patches only removes the patches from the memory patch area, and does not delete them from the storage medium. The patches turn to the IDLE state after this operation. After a patch is deleted, the system runs in the way it did before the patch was installed.  
Displaying and maintaining the software upgrade  
To do: Display information about system software  
Use the command: display boot-loader [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]  
Remarks: Available in any view  

To do: Display the patch information  
Use the command: display patch information [ | { begin | exclude | include } regular-expression ]  
Remarks: Available in any view  
Software upgrade configuration examples  
Scheduled upgrade configuration example  
Network requirement  
As shown in Figure 47, the current software version is soft-version1 for Device. Upgrade the  
software version of Device to soft-version2 and configuration file to new-config at a time when few  
services are processed (for example, at 3 am) through remote operations.  
The latest application soft-version2.bin and the latest configuration file new-config.cfg are both  
saved in the aaa directory of the FTP server.  
The IP address of Device is 1.1.1.1/24, the IP address of the FTP server is 2.2.2.2/24, and Device  
and FTP server can reach each other.  
A user can log in to Device via Telnet, and the user and Device can reach each other.  
Figure 47 Network diagram for scheduled upgrade  
Configuration procedure  
1. Configure the FTP server (configurations may vary with different types of servers)  
# Set the access parameters for the FTP client (including enabling the FTP server function, setting the  
FTP username to aaa and password to hello, and setting the user to have access to the flash:/aaa  
directory).  
<FTP-Server> system-view  
[FTP-Server] ftp server enable  
[FTP-Server] local-user aaa  
[FTP-Server-luser-aaa] password cipher hello  
[FTP-Server-luser-aaa] service-type ftp  
[FTP-Server-luser-aaa] authorization-attribute work-directory flash:/aaa  
# Use a text editor on the FTP server to edit the batch file auto-update.txt. The following is the content of the  
batch file:  
return  
startup saved-configuration new-config.cfg  
boot-loader file soft-version2.bin slot 1 main  
reboot  
2. Configure Device  
# Log in to the FTP server (The prompt may vary with servers.)  
<Device> ftp 2.2.2.2  
Trying 2.2.2.2 ...  
Press CTRL+K to abort  
Connected to 2.2.2.2.  
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user  
User(2.2.2.2:(none)):aaa  
331 Give me your password, please  
Password:  
230 Logged in successfully  
[ftp]  
# Download file auto-update.txt on the FTP server.  
[ftp] ascii  
[ftp] get auto-update.txt  
# Download file new-config.cfg on the FTP server.  
[ftp] get new-config.cfg  
# Download file soft-version2.bin on the FTP server.  
[ftp] binary  
[ftp] get soft-version2.bin  
[ftp] bye  
<Device>  
# Change the extension of file auto-update.txt to .bat.  
<Device> rename auto-update.txt auto-update.bat  
To ensure correctness of the file, use the more command to view the content of the file.  
# Execute the scheduled automatic execution function to enable Device to be automatically upgraded at  
3 am.  
<Device> system-view  
[Device] job autoupdate  
[Device-job-autoupdate] view system-view  
[Device-job-autoupdate] time 1 one-off at 03:00 command execute auto-update.bat  
To check if the upgrade is successful after Device reboots, use the display version command.  
Hotfix configuration example  
Network requirements  
As shown in Figure 48, the software running on Device is having problems, and a hotfix is needed.  
The patch file patch_311.bin is saved on the TFTP server.  
The IP address of Device is 1.1.1.1/24, and the IP address of TFTP Server is 2.2.2.2/24. Device and TFTP Server can reach each other.  
Figure 48 Network diagram of hotfix configuration  
Configuration procedure  
1. Configure TFTP Server. The configuration varies depending on server type and the configuration procedure is omitted.  
• Enable the TFTP server function.  
• Save the patch file patch_311.bin to the directory of the TFTP server.  
2. Configure Device.  
CAUTION:  
Make sure the free Flash space of Device is large enough to store the patch file.  
# Before upgrading the software, use the save command to save the current system configuration. The  
configuration procedure is omitted.  
# Load the patch file patch_311.bin from the TFTP server to the root directory of Device storage media.  
<Device> tftp 2.2.2.2 get patch_311.bin  
# Install the patch.  
<Device> system-view  
[Device] patch install flash:  
Patches will be installed. Continue? [Y/N]:y  
Do you want to continue running patches after reboot? [Y/N]:y  
Installing patches........  
Installation completed, and patches will continue to run after reboot.  
Device management  
Device management includes monitoring the operating status of devices and configuring their running  
parameters.  
NOTE:  
The configuration tasks in this document are order independent. You can perform these tasks in any order.  
Configuring the device name  
A device name identifies a device in a network and works as the user view prompt at the CLI. For  
example, if the device name is Sysname, the user view prompt is <Sysname>.  
Follow these steps to configure the device name:  

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Configure the device name | sysname sysname | Optional. The default device name is HP. |

Changing the system time  
You must synchronize your device with a trusted time source by using NTP or changing the system time  
before you run it on the network. Network management depends on an accurate system time setting,  
because the timestamps of system messages and logs use the system time.  
In a small-sized network, you can manually set the system time of each device.  
Configuration guidelines  
You can change the system time by configuring the relative time, time zone, and daylight saving time. The  
configuration result depends on their configuration order (see Table 11). In the first column of this table,  
1 represents the clock datetime command, 2 represents the clock timezone command, and 3 represents  
the clock summer-time command. To verify the system time setting, use the display clock command. This  
table assumes that the original system time is 2005/1/1 1:00:00.  
Table 11 System time configuration results  

| Command | Effective system time | Configuration example | System time |
|---|---|---|---|
| 1 | date-time | clock datetime 1:00 2007/1/1 | 01:00:00 UTC Mon 01/01/2007 |
| 2 | Original system time ± zone-offset | clock timezone zone-time add 1 | 02:00:00 zone-time Sat 01/01/2005 |
| 1, 2 | date-time ± zone-offset | clock datetime 2:00 2007/2/2<br>clock timezone zone-time add 1 | 03:00:00 zone-time Fri 02/02/2007 |
| 2, 1 | date-time | clock timezone zone-time add 1<br>clock datetime 3:00 2007/3/3 | 03:00:00 zone-time Sat 03/03/2007 |
| 3 | The original system time outside the daylight saving time range: The system time does not change until it falls into the daylight saving time range. | clock summer-time ss one-off 1:00 2006/1/1 1:00 2006/8/8 2 | 01:00:00 UTC Sat 01/01/2005 |
| 3 | The original system time in the daylight saving time range: The system time increases by summer-offset. | clock summer-time ss one-off 00:30 2005/1/1 1:00 2005/8/8 2 | 03:00:00 ss Sat 01/01/2005<br>NOTE: If the original system time plus summer-offset is beyond the daylight saving time range, the original system time does not change. After you disable the daylight saving setting, the system time automatically decreases by summer-offset. |
| 1, 3 | date-time outside the daylight saving time range: date-time | clock datetime 1:00 2007/1/1<br>clock summer-time ss one-off 1:00 2006/1/1 1:00 2006/8/8 2 | 01:00:00 UTC Mon 01/01/2007 |
| 1, 3 | date-time in the daylight saving time range: date-time + summer-offset | clock datetime 8:00 2007/1/1<br>clock summer-time ss one-off 1:00 2007/1/1 1:00 2007/8/8 2 | 10:00:00 ss Mon 01/01/2007<br>NOTE: If the date-time plus summer-offset is outside the daylight saving time range, the system time equals date-time. After you disable the daylight saving setting, the system time automatically decreases by summer-offset. |
| 3, 1 (date-time outside the daylight saving time range) | date-time | clock summer-time ss one-off 1:00 2007/1/1 1:00 2007/8/8 2<br>clock datetime 1:00 2008/1/1 | 01:00:00 UTC Tue 01/01/2008 |
| 3, 1 (date-time in the daylight saving time range) | date-time – summer-offset outside the daylight saving time range: date-time – summer-offset | clock summer-time ss one-off 1:00 2007/1/1 1:00 2007/8/8 2<br>clock datetime 1:30 2007/1/1 | 23:30:00 UTC Sun 12/31/2006 |
| 3, 1 (date-time in the daylight saving time range) | date-time – summer-offset in the daylight saving time range: date-time | clock summer-time ss one-off 1:00 2007/1/1 1:00 2007/8/8 2<br>clock datetime 3:00 2007/1/1 | 03:00:00 ss Mon 01/01/2007 |
| 2, 3 or 3, 2 | Original system clock ± zone-offset outside the daylight saving time range: Original system clock ± zone-offset | clock timezone zone-time add 1<br>clock summer-time ss one-off 1:00 2007/1/1 1:00 2007/8/8 2 | 02:00:00 zone-time Sat 01/01/2005 |
| 2, 3 or 3, 2 | Original system clock ± zone-offset outside the daylight saving time range: Original system clock ± zone-offset + summer-offset | clock timezone zone-time add 1<br>clock summer-time ss one-off 1:00 2005/1/1 1:00 2005/8/8 2 | System clock configured: 04:00:00 ss Sat 01/01/2005 |
| 1, 2, 3 or 1, 3, 2 | date-time ± zone-offset outside the daylight saving time range: date-time ± zone-offset | clock datetime 1:00 2007/1/1<br>clock timezone zone-time add 1<br>clock summer-time ss one-off 1:00 2008/1/1 1:00 2008/8/8 2 | 02:00:00 zone-time Mon 01/01/2007 |
| 1, 2, 3 or 1, 3, 2 | date-time ± zone-offset outside the daylight saving time range: date-time ± zone-offset + summer-offset | clock datetime 1:00 2007/1/1<br>clock timezone zone-time add 1<br>clock summer-time ss one-off 1:00 2007/1/1 1:00 2007/8/8 2 | 04:00:00 ss Mon 01/01/2007 |
| 2, 3, 1 or 3, 2, 1 | date-time outside the daylight saving time range: date-time | clock timezone zone-time add 1<br>clock summer-time ss one-off 1:00 2008/1/1 1:00 2008/8/8 2<br>clock datetime 1:00 2007/1/1 | 01:00:00 zone-time Mon 01/01/2007 |
| 2, 3, 1 or 3, 2, 1 | date-time in the daylight saving time range, but date-time – summer-offset outside the summer-time range: date-time – summer-offset | clock timezone zone-time add 1<br>clock summer-time ss one-off 1:00 2008/1/1 1:00 2008/8/8 2<br>clock datetime 1:30 2008/1/1 | 23:30:00 zone-time Mon 12/31/2007 |
| 2, 3, 1 or 3, 2, 1 | Both date-time and date-time – summer-offset in the daylight saving time range: date-time | clock timezone zone-time add 1<br>clock summer-time ss one-off 1:00 2008/1/1 1:00 2008/8/8 2<br>clock datetime 3:00 2008/1/1 | 03:00:00 ss Tue 01/01/2008 |

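
Because log and system-message timestamps follow these rules, it helps to predict what display clock will report before applying the commands in a given order. The following is an added example, not HP's code: a small Python model inferred from the configuration examples in Table 11. The names Clock and effective_time are hypothetical, only the one-off daylight saving scheme is handled, and the end of the daylight saving range is assumed to be exclusive.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")


def _when(time_text: str, date_text: str) -> datetime:
    """Parse CLI-style arguments such as '1:00' and '2007/1/1'."""
    return datetime.strptime(f"{time_text} {date_text}", "%H:%M %Y/%m/%d")


def _offset(text: str) -> timedelta:
    """Parse an offset written as H, H:MM or H:MM:SS."""
    h, m, s = ([int(p) for p in text.split(":")] + [0, 0])[:3]
    return timedelta(hours=h, minutes=m, seconds=s)


@dataclass
class Clock:
    """Model of the Table 11 rules (an assumption, not the device's code)."""
    std: datetime                         # local time with zone offset, without DST
    zone_name: str = "UTC"
    zone_offset: timedelta = timedelta(0)
    dst_name: Optional[str] = None
    dst_start: Optional[datetime] = None
    dst_end: Optional[datetime] = None
    dst_add: timedelta = timedelta(0)

    def _dst_active(self) -> bool:
        # Summer time applies only if the time and the time plus
        # summer-offset both fall inside the configured range.
        if self.dst_name is None:
            return False
        return (self.dst_start <= self.std
                and self.std + self.dst_add < self.dst_end)

    def apply(self, line: str) -> None:
        w = line.split()
        if w[:2] == ["clock", "datetime"] and len(w) == 4:
            typed = _when(w[2], w[3])
            # A value typed inside the DST range is read as summer time.
            if self.dst_name and self.dst_start <= typed < self.dst_end:
                typed -= self.dst_add
            self.std = typed
        elif w[:2] == ["clock", "timezone"] and len(w) == 5:
            new = _offset(w[4]) * (1 if w[3] == "add" else -1)
            self.std += new - self.zone_offset
            self.zone_name, self.zone_offset = w[2], new
        elif w[:2] == ["clock", "summer-time"] and len(w) == 9 and w[3] == "one-off":
            self.dst_name = w[2]
            self.dst_start, self.dst_end = _when(w[4], w[5]), _when(w[6], w[7])
            self.dst_add = _offset(w[8])
        else:
            raise ValueError(f"unsupported command: {line}")

    def display(self) -> str:
        """Format the time the way the 'System time' column shows it."""
        if self._dst_active():
            shown, label = self.std + self.dst_add, self.dst_name
        else:
            shown, label = self.std, self.zone_name
        return f"{shown:%H:%M:%S} {label} {DAYS[shown.weekday()]} {shown:%m/%d/%Y}"


def effective_time(commands: List[str], original: str = "1:00 2005/1/1") -> str:
    """Apply the commands in order, starting from Table 11's original time."""
    clock = Clock(std=_when(*original.split()))
    for line in commands:
        clock.apply(line)
    return clock.display()


if __name__ == "__main__":
    summer = "clock summer-time ss one-off 1:00 2007/1/1 1:00 2007/8/8 2"
    # Same two commands, opposite order: the results differ by two hours.
    print(effective_time(["clock datetime 8:00 2007/1/1", summer]))
    print(effective_time([summer, "clock datetime 8:00 2007/1/1"]))
```
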
Configuration procedure  
Follow these steps to change the system time:  

| To do… | Use the command… | Remarks |
|---|---|---|
| Set the system time and date | clock datetime time date | Optional. Available in user view. |
| Enter system view | system-view | - |
| Set the time zone | clock timezone zone-name { add \| minus } zone-offset | Optional. Universal time coordinated (UTC) time zone by default. |
| Set a daylight saving time scheme | Set a non-recurring scheme:<br>clock summer-time zone-name one-off start-time start-date end-time end-date add-time<br>Set a recurring scheme:<br>clock summer-time zone-name repeating start-time start-date end-time end-date add-time | Optional. Use either command. By default, daylight saving time is disabled, and the UTC time zone applies. |

Enabling displaying the copyright statement  
The device by default displays the copyright statement when a Telnet or SSH user logs in, or when a  
console user quits user view. You can disable or enable the function as needed. The following is a sample  
copyright statement:  
******************************************************************************  
* Copyright (c) 2010-2011 Hewlett-Packard Development Company, L.P.  
* Without the owner's prior written consent,  
*
*
*
* no decompiling or reverse-engineering shall be allowed.  
******************************************************************************  
Follow these steps to enable displaying the copyright statement:  

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enable displaying the copyright statement | copyright-info enable | Optional. Enabled by default. |

Configuring banners  
Introduction to banners  
Banners are messages that the system displays when a user connects to the device to perform login authentication and start interactive configuration.  
Banner types  
You can configure the following types of banners:  
• Legal banner appears after the system displays the copyright or license statement for a user attempting to log in. To continue authentication or login, the user must enter Y or press Enter. To quit the process, the user must enter N. Y and N are case insensitive.  
• Message of the Day (MOTD) banner displays the greeting message, and appears after the legal banner and before the login banner.  
• Login banner appears only when password or scheme login authentication has been configured.  
• Incoming banner appears for Modem dial-in users and the shell banner appears for users that use any other access method to access the CLI.  
Message input modes  
The system supports single-line input mode and multiple-line input mode for configuring a banner.  
1. Single-line input  
In single-line input mode, all banner information comes after the command keywords in the same line. The start and end characters of the input text must be the same but are not part of the banner information. In this case, the input text, together with the command keywords, cannot exceed 510 characters.  
2. Multiple-line input  
In multiple-line input mode, all the banner information is input in multiple lines by pressing the Enter key. In this case, up to 2000 characters can be input.  
You can use multiple-line input mode in any of the following ways:  
• Method I—Press the Enter key directly after the command keywords, type the banner information, and end with the % character. The Enter and % characters are not part of the banner information.  
• Method II—Type a character after the command keywords at the first line, and then press the Enter key. Type the banner information, and end with the character you type at the first line. The character at the first line and the end character are not part of the banner information.  
• Method III—Type multiple characters after the command keywords at the first line—with the first and last characters being different, and then press the Enter key. Type the banner information, and end with the first character you type at the first line. The first input character at the first line and the end character are not part of the banner information.  
Configuration procedure  
Follow these steps to configure a banner:  

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Configure the incoming banner | header incoming text | Optional |
| Configure the login banner | header login text | Optional |
| Configure the legal banner | header legal text | Optional |
| Configure the shell banner | header shell text | Optional |
| Configure the MOTD banner | header motd text | Optional |

Banner configuration examples  
# Configure the shell banner as Welcome to HP!.  
Single-line input mode:  
<System> system-view  
[System] header shell %Welcome to HP!%  
Multiple-line input mode (method I):  
<System> system-view  
[System] header shell  
Please input banner content, and quit with the character '%'.  
Welcome to HP!  
%
Multiple-line input mode (method II):  
<System> system-view  
[System] header shell W  
Please input banner content, and quit with the character 'W'.  
Welcome to HP!  
W
Configuring the exception handling method  
You can configure the device to handle system exceptions in one of the following methods:  
• reboot—The device automatically reboots to recover from the error condition.  
• maintain—The device stays in the error condition so you can collect complete data, including error messages, for diagnosis. In this approach, you must manually reboot the device.  
Follow these steps to configure the exception handling method:  

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Configure the exception handling method | system-failure { maintain \| reboot } | Optional. By default, the system reboots when an exception occurs. |

Rebooting the device  
You can reboot the device in one of the following ways to recover from an error condition:  
• Reboot the device immediately at the CLI.  
• At the CLI, schedule a reboot to occur at a specific time and date or after a delay.  
• Power off and then re-power on the device. This method might cause data loss and hardware damage, and is the least preferred method.  
Reboot at the CLI enables easy remote device maintenance.  
CAUTION:  
• A reboot can interrupt network services.  
• To avoid data loss, use the save command to save the current configuration before a reboot.  
• Use the display startup and display boot-loader commands to check that you have correctly set the startup configuration file and the main system software image file. If the main system software image file has been corrupted or does not exist, the device cannot reboot. You must re-specify a main system software image file, or power off the device and then power it on so the system can reboot with the backup system software image file.  
Rebooting the device immediately at the CLI  
Perform the following command in user view to reboot the device:  

| To do… | Use the command… | Remarks |
|---|---|---|
| Reboot the device immediately | reboot [ slot slot-number ] | Required. The slot-number argument must be 1. |

Scheduling a device reboot  
Perform one of the following commands in user view to schedule a device reboot:  

| To do… | Use the command… | Remarks |
|---|---|---|
| Schedule a reboot to occur at a specific time and date | schedule reboot at hh:mm [ date ] | Required. Use either command. The scheduled reboot function is disabled by default. The two commands overwrite each other. |
| Schedule a reboot to occur after a delay | schedule reboot delay { hh:mm \| mm } | |

NOTE:  
• The system displays the alert “REBOOT IN ONE MINUTE” one minute before the reboot.  
• For data security, if you are performing file operations at the reboot time, the system does not reboot.  
Scheduling jobs  
You can schedule a job to automatically run a command or a set of commands without administrative  
interference. The commands in a job are polled every minute. When the scheduled time for a command  
is reached, the job automatically executes the command. If a confirmation is required while the  
command is running, the system automatically inputs Y or Yes. If characters are required, the system  
automatically inputs a default character string, or inputs an empty character string when there is no  
default character string.  
Job configuration approaches  
You can configure jobs in a non-modular or modular approach. Use the non-modular approach for a one-time command execution and use the modular approach for complex maintenance work.  
Table 12 A comparison of non-modular and modular approaches  

| Comparison item | Non-modular approach | Modular approach |
|---|---|---|
| Configuration method | Configure all elements in one command | Separate job, view, and time settings |
| Can multiple jobs be configured? | No | Yes |
| Can a job have multiple commands? | No | Yes |
| Supported views | User view (represented by shell), system view | All views (monitor represents user view) |
| Supported commands | Commands in user view and system view | Commands in any view |
| Can a job be repeatedly executed? | No | Yes |
| Can a job be saved to the configuration file? | No | Yes |

Configuration guidelines  
• To have a job successfully run a command, check that the specified view and command are valid. The system does not verify their validity.  
• The configuration interface, view, and user status that you have before job execution are restored even if the job has run a command that changes the user interface (for example, telnet, ftp, and ssh2), the view (for example, system-view and quit), or the user status (for example, super).  
• The jobs run in the background without displaying any messages except log, trap and debugging messages.  
• In the modular approach:  
  ○ Every job can have only one view and up to 10 commands. If you specify multiple views, the one specified last takes effect.  
  ○ Input a view name in its complete form. Most commonly used view names include monitor for user view, system for system view, and Vlan-interfacex for VLAN interface view.  
  ○ The time ID (time-id) must be unique in a job. If two time and command bindings have the same time ID, the one configured last takes effect.  
Scheduling a job in the non-modular approach  
Perform one of the following commands in user view to schedule a job:  

| To do… | Use the command… | Remarks |
|---|---|---|
| Schedule a job to run a command at a specific time | schedule job at time [ date ] view view command | Required. Use either command.<br>NOTE: If you change the system time by using the clock datetime, clock summer-time, or clock timezone command after you configure a scheduled job, the job configuration becomes invalid automatically. |
| Schedule a job to run a command after a delay | schedule job delay time view view command | |

Scheduling a job in the modular approach  
Follow these steps to configure a scheduled job:  

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Create a job and enter job view | job job-name | Required |
| Specify the view in which the commands in the job run | view view-name | Required. You can specify only one view for a job. The job executes all commands in the specified view. |
| Add commands to the job | Configure a command to run at a specific time and date:<br>time time-id at time date command command<br>Configure a command to run at a specific time:<br>time time-id { one-off \| repeating } at time [ month-date month-day \| week-day week-daylist ] command command<br>Configure a command to run after a delay:<br>time time-id { one-off \| repeating } delay time command command | Required. Use any of the commands.<br>NOTE: Changing the system time does not affect the execution time of the job set by the time at command or the time delay command. |

Disabling Boot ROM access  
By default, anyone can press Ctrl+B during startup to enter the Boot menu and configure the Boot ROM.  
To protect the system, you can disable Boot ROM access so the users can access only the CLI.  
You can also set a Boot ROM password the first time you access the Boot menu to protect the Boot ROM.  
To view Boot ROM accessibility status, use the display startup command. For more information about the  
display startup command, see the Fundamentals Command Reference.  
Follow the step below to disable Boot ROM access:  

| To do… | Use the command… | Remarks |
|---|---|---|
| Disable Boot ROM access | undo startup bootrom-access enable | Required. By default, Boot ROM access is enabled. Available in user view. |

Configuring the detection timer  
Some protocols might shut down ports under specific circumstances. For example, MSTP shuts down a BPDU guard enabled port when the port receives a BPDU. Then, the device starts the detection timer. If the port is still down when the detection timer expires, the port quits the shutdown status and resumes its actual physical status.  
Follow these steps to configure the detection timer:  

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Configure the detection timer | shutdown-interval time | Optional. The detection interval is 30 seconds by default. |

Configuring temperature alarm thresholds (available only on the A3100 v2 EI)  
You can set the temperature alarm thresholds to monitor the temperature of a device.  
The temperature alarm thresholds include lower temperature limit, warning temperature threshold, and  
temperature alarming threshold.  
When the device temperature drops below the lower limit or reaches the warning threshold, the device  
logs the event and outputs a log message and a trap.  
When the device temperature reaches the alarming threshold, the device constantly outputs log and trap messages to the configuration terminal and lights the temperature alarm LED on the device panel.  
Follow these steps to configure temperature alarm thresholds:  

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Configure temperature alarm thresholds | temperature-limit slot slot-number inflow sensor-number lowerlimit warninglimit [ alarmlimit ] | Optional. By default:<br>• The lower temperature limit is 5°C (41°F).<br>• The warning temperature threshold is 70°C (158°F).<br>• The alarming temperature threshold is 80°C (176°F).<br>The warning and alarming thresholds must be higher than the lower temperature limit. The alarming threshold must be higher than the warning threshold. |

NOTE:  
This feature is available only on PoE-capable models of the A3100 v2 EI Switch Series.  
Clearing idle 16-bit interface indexes  
The device must maintain persistent 16-bit interface indexes and keep each interface index matched to one interface name for network management. After deleting a logical interface, the device retains its 16-bit interface index so the same index can be assigned to the interface at interface re-creation.  
To avoid index depletion causing interface creation failures, you can clear all 16-bit indexes that have been assigned but are not in use. The operation does not affect the interface indexes of the interfaces that have been created, but the indexes assigned to re-created interfaces might change.  
Follow the step below to clear idle 16-bit interface indexes:  

| To do… | Use the command… | Remarks |
|---|---|---|
| Clear idle 16-bit interface indexes | reset unused porttag | Required. Available in user view. |

NOTE:  
A confirmation is required when you execute this command. The command will not run if you fail to make  
a confirmation within 30 seconds or enter N to cancel the operation.  
Verifying and diagnosing transceiver modules  
Verifying transceiver modules  
You can verify the genuineness of a transceiver module in the following ways:  
• Display the key parameters of a transceiver module, including its transceiver type, connector type, central wavelength of the transmit laser, transfer distance and vendor name.  
• Display its electronic label. The electronic label is a profile of the transceiver module and contains the permanent configuration including the serial number, manufacturing date, and vendor name. The data is written to the storage component during debugging or testing.  
Perform the following commands in any view to verify transceiver modules:  

| To do… | Use the command… |
|---|---|
| Display key parameters of transceiver modules | display transceiver interface [ interface-type interface-number ] [ \| { begin \| exclude \| include } regular-expression ] |
| Display transceiver modules’ electronic label information | display transceiver manuinfo interface [ interface-type interface-number ] [ \| { begin \| exclude \| include } regular-expression ] |

NOTE:  
The display transceiver manuinfo command cannot display information for some transceiver modules.  
Diagnosing transceiver modules  
The device provides the alarm function and digital diagnosis function for transceiver modules. When a transceiver module fails or works inappropriately, you can check for alarms present on the transceiver module to identify the fault source or examine the key parameters monitored by the digital diagnosis function, including the temperature, voltage, laser bias current, TX power, and RX power.  
Perform the following commands in any view to diagnose transceiver modules:  

| To do… | Use the command… |
|---|---|
| Display alarms present on transceiver modules | display transceiver alarm interface [ interface-type interface-number ] [ \| { begin \| exclude \| include } regular-expression ] |
| Display the present measured values of the digital diagnosis parameters for pluggable transceivers | display transceiver diagnosis interface [ interface-type interface-number ] [ \| { begin \| exclude \| include } regular-expression ] |

NOTE:  
The display transceiver diagnosis command cannot display information for some transceiver modules.  
Displaying and maintaining device management configuration  
For diagnosis or troubleshooting, you can use separate display commands to collect running status data  
module by module, or use the display diagnostic-information command to bulk collect running data for  
multiple modules. The display diagnostic-information command equals this set of commands: display  
clock, display version, display device, and display current-configuration.  

| To do… | Use the command… | Remarks |
|---|---|---|
| Display system version information | display version [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
| Display the system time and date | display clock [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
| Display or save operating statistics for multiple feature modules | display diagnostic-information [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
| Display CPU usage statistics | display cpu-usage [ slot slot-number [ cpu cpu-number ] ] [ \| { begin \| exclude \| include } regular-expression ]<br>display cpu-usage entry-number [ offset ] [ verbose ] [ slot slot-number ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
| Display historical CPU usage statistics in charts | display cpu-usage history [ task task-id ] [ slot slot-number [ cpu cpu-number ] ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
| Display hardware information | display device [ [ slot slot-number [ subslot subslot-number ] ] \| verbose ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
| Display the electronic label data for the device | display device manuinfo [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
| Display device temperature statistics | display environment [ slot slot-number ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view. This command is available on only PoE-capable models of the A3100 v2 EI Switch Series. |
| Display the operating state of fans | display fan [ fan-id ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view. This command is available on only PoE-capable models of the A3100 v2 EI Switch Series. |
| Display memory usage statistics | display memory [ slot slot-number [ cpu cpu-number ] ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
| Display the power state | display power [ power-id ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
| Display RPS state information | display rps [ rps-id ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view. This feature is available on only A3100-24-PoE v2 EI Switch(JD313B) and A3100-16-PoE v2 EI Switch(JD312B) models. |
| Display the mode of the last reboot | display reboot-type [ slot slot-number ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
| Display the configuration of the job configured by using the schedule job command | display schedule job [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
| Display the device reboot setting | display schedule reboot [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
| Display the configuration of jobs configured by using the job command | display job [ job-name ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
| Display the exception handling method | display system-failure [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
| Display the device software version update history | display version-update-record [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
| Clear the device software version update history | reset version-update-record [ \| { begin \| exclude \| include } regular-expression ] | Available in system view |

Automatic configuration  
Automatic configuration overview  
Automatic configuration enables a device without any configuration file to automatically obtain and  
execute a configuration file during startup. Automatic configuration simplifies network configuration,  
facilitates centralized management, and reduces maintenance workload.  
To implement automatic configuration, the network administrator saves configuration files on a server  
and a device automatically obtains and executes a specific configuration file.  
Typical automatic configuration network  
Figure 49 Network diagram for automatic configuration (diagram labels: DHCP server, TFTP server, DNS server, Gateway, IP network, Device)  
As shown in Figure 49, the device implements automatic configuration with the cooperation of the  
following servers: a DHCP server, TFTP server, and DNS server:  
• DHCP server: Assigns an IP address and other configuration parameters such as the configuration file name, TFTP server IP address, and DNS server IP address to the device.  
• TFTP server: Saves files needed in automatic configuration such as the host name file and the configuration file.  
• DNS server: Resolves between IP addresses and host names. In some cases, the device resolves its IP address to the host name through the DNS server, and then uses the host name to request the configuration file with the same name (hostname.cfg) from the TFTP server. If the device gets the domain name of the TFTP server from the DHCP response, the device can also resolve the domain name of the TFTP server to the IP address of the TFTP server through the DNS server.  
If the DHCP server, TFTP server, DNS server, and the device are not in the same network segment, you  
need to configure the DHCP relay agent on the gateway.  
How automatic configuration works  
Automatic configuration works in the following manner:  
1. During startup, the device sets the first up interface as the DHCP client to request parameters  
from the DHCP server, such as an IP address and name of a TFTP server, IP address of a DNS server,  
and the configuration file name. If up Layer 2 Ethernet interfaces are available, the VLAN interface  
of the default VLAN of the Ethernet interfaces is selected as the first up interface.  
2. After getting related parameters, the device sends a TFTP request to obtain the configuration file  
from the specified TFTP server and executes the configuration file. If the client cannot get such  
parameters, it uses factory default configuration.  
NOTE:  
To implement automatic configuration, you need to configure the DHCP server, DNS server and TFTP  
server, but you do not need to perform any configuration on the device that performs automatic  
configuration.  
Before starting the device, connect only the interface needed in automatic configuration to the network.  
Work flow of automatic configuration  
Figure 50 shows the work flow of automatic configuration.  
Figure 50 Work flow of automatic configuration (flowchart not reproduced; its steps are: start the device with default configuration; the interface obtains parameters through DHCP; check whether the TFTP server address or the TFTP server domain name is contained in the parameters; resolve the domain name of the TFTP server; unicast or broadcast a TFTP request to obtain the configuration file; remove the temporary configurations and either execute the obtained configuration file or start with default configuration)  
Using DHCP to obtain an IP address and other configuration information  
Address acquisition process  
As mentioned before, a device sets the first up interface as the DHCP client during startup. The DHCP  
client broadcasts a DHCP request, where the Option 55 field specifies the information that the client  
wants to obtain from the DHCP server such as the configuration file name, domain name and IP address  
of the TFTP server, and DNS server IP address.  
After receiving the DHCP response from the DHCP server, the device obtains the IP address and resolves  
the following fields in the DHCP response:  
• Option 67 or the file field that specifies the configuration file name. If Option 67 contains the  
configuration file name, the device does not resolve the file field. If not, the device resolves the file  
field.  
• Option 66 that specifies the TFTP server domain name.  
• Option 150 that specifies the TFTP server IP address.  
• Option 6 that specifies the DNS server IP address.  
If no response is received from the DHCP server, the device removes the temporary configuration and  
starts up with factory defaults.  
NOTE:  
• The configuration file name is saved in the Option 67 or file field of the DHCP response. The device first  
resolves the Option 67 field. If this field contains the configuration file name, the device does not resolve  
the file field. If not, it resolves the file field.  
• The temporary configuration contains two parts: the configuration made on the interface through which  
automatic configuration is performed, and the configuration made by executing the ip host commands  
in the host name file. The temporary configuration is removed by executing the undo commands. For more  
information about the ip host command, see the Layer 3—IP Services Command Reference.  
• For more information about DHCP, see the Layer 3—IP Services Configuration Guide.  
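An added example (not part of the HP manual): a Python parser that extracts the fields listed above from a raw DHCP reply and applies the Option 67-before-file-field rule, for checking what a captured reply would tell a booting switch to fetch. The function names and the sample packet are constructed for illustration, and the option-overload case (Option 52) is not handled.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"      # precedes the options area
FILE_OFFSET, FILE_LEN, OPTIONS_OFFSET = 108, 128, 240

def parse_options(raw):
    """Walk the type-length-value options and return {code: value bytes}."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == 255:                  # End option
            break
        if code == 0:                    # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} runs past the end of the packet")
        opts[code] = opts.get(code, b"") + value   # repeated options are joined
        i += 2 + length
    return opts

def _ips(value):
    """Split a run of 4-byte IPv4 addresses into dotted strings."""
    return [socket.inet_ntoa(value[j:j + 4]) for j in range(0, len(value) - 3, 4)]

def _text(value):
    """Decode a name, stopping at the first NUL used as padding."""
    return value.split(b"\x00", 1)[0].decode("ascii", "replace")

def autoconfig_parameters(packet):
    """Return the fields a device in automatic configuration reads."""
    if len(packet) < OPTIONS_OFFSET or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts = parse_options(packet[OPTIONS_OFFSET:])
    file_field = _text(packet[FILE_OFFSET:FILE_OFFSET + FILE_LEN])
    return {
        "ip_address": socket.inet_ntoa(packet[16:20]),            # yiaddr
        "config_file": _text(opts.get(67, b"")) or file_field or None,
        "tftp_domain": _text(opts.get(66, b"")) or None,          # Option 66
        "tftp_ips": _ips(opts.get(150, b"")),                     # Option 150
        "dns_ips": _ips(opts.get(6, b"")),                        # Option 6
    }

def build_sample_reply(file_field=b"", options=b""):
    """Constructed reply offering 10.0.0.50; unused header fields are zero."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                         b"", socket.inet_aton("10.0.0.50"), b"", b"",
                         b"", b"", file_field)
    return header + MAGIC_COOKIE + options + b"\xff"
```
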
Principles for selecting an address pool on the DHCP server  
The DHCP server selects IP addresses and other network configuration parameters from an address pool  
for clients. DHCP supports the following types of address pools:  
• Dynamic address pool: A dynamic address pool contains a range of IP addresses and other  
parameters that the DHCP server dynamically assigns to clients.  
• Static address pool: A static address pool contains the binding of an IP address and a MAC  
address (or a client ID). The DHCP server assigns the IP address of the binding and specific  
configuration parameters to a requesting client whose MAC address or ID is contained in the  
binding. In this way, the client can get a fixed IP address.  
Select address pools by using one of the following methods.  
• If devices use the same configuration file, you can configure a dynamic address pool on the DHCP  
server to assign IP addresses and the same configuration parameters (for example, configuration  
file name) to the devices. The configuration file can only contain common configurations of the  
devices, and the specific configurations of each device need to be performed in other ways. For  
example, the configuration file can enable Telnet and create a local user on devices so that the  
administrator can Telnet to each device to perform specific configurations (for example, configure  
the IP address of each interface).  
• If devices use different configuration files, you need to configure static address pools to ensure that  
each device can get a fixed IP address and a specific configuration file. With this method, the  
administrator does not need to perform any other configuration for the devices.  
NOTE:  
To configure static address pools, you must obtain client IDs. To obtain a device’s client ID, use the display  
dhcp server ip-in-use command to display address binding information on the DHCP server after the  
device obtains its IP address through DHCP.  
Obtaining the configuration file from the TFTP server  
File types  
A device can obtain the following files from the TFTP server during automatic configuration:  
• The configuration file specified by the Option 67 or file field in the DHCP response.  
• The host name file named network.cfg, which stores mappings between IP addresses and host  
names.  
For example, the host name file can include the following:  
 ip host host1 101.101.101.101  
 ip host host2 101.101.101.102  
 ip host client1 101.101.101.103  
 ip host client2 101.101.101.104  
CAUTION:  
• There must be a space before the keyword ip host.  
• The host name of a device saved in the host name file must be the same as the configuration file name  
of the device, and can be identical to or different from that saved in the DNS server.  
• The configuration file of a device is named hostname.cfg, where hostname is the host name of the  
device. For example, if the host name of a device is aaa, the configuration file of the device is  
named aaa.cfg.  
• The default configuration file is named device.cfg.  
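An added example (not part of the HP manual): a Python check to run over the TFTP directory before devices boot, enforcing the rules above: the space before ip host, one host name per address, and a hostname.cfg for every host name. The function name, the sample file, and treating a missing device.cfg as a finding are assumptions made for illustration.

```python
import ipaddress

def check_host_file(text, tftp_files):
    """Validate a network.cfg host name file against the TFTP directory.

    Returns (mappings, problems): IP address -> host name, and the findings.
    """
    mappings, problems = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 4 or parts[:2] != ["ip", "host"]:
            problems.append(f"line {n}: not an 'ip host <name> <address>' entry")
            continue
        name, addr = parts[2], parts[3]
        if not line.startswith(" "):
            problems.append(f"line {n}: no space before 'ip host'")
        try:
            ipaddress.IPv4Address(addr)
        except ValueError:
            problems.append(f"line {n}: {addr} is not an IPv4 address")
            continue
        if addr in mappings:
            problems.append(f"line {n}: {addr} is already mapped to {mappings[addr]}")
            continue
        mappings[addr] = name
        # The device requests the configuration file named after its host name.
        if f"{name}.cfg" not in tftp_files:
            problems.append(f"line {n}: {name}.cfg is not in the TFTP directory")
    # Assumption: a missing default file is worth reporting, since devices
    # without a host name match request device.cfg.
    if "device.cfg" not in tftp_files:
        problems.append("no default configuration file device.cfg")
    return mappings, problems

# Constructed sample: the second entry lacks the leading space, the third
# reuses an address, and host2.cfg and device.cfg have not been uploaded.
SAMPLE_HOST_FILE = (
    " ip host host1 101.101.101.101\n"
    "ip host host2 101.101.101.102\n"
    " ip host client1 101.101.101.101\n"
)
SAMPLE_TFTP_FILES = {"network.cfg", "host1.cfg", "client1.cfg"}

if __name__ == "__main__":
    for finding in check_host_file(SAMPLE_HOST_FILE, SAMPLE_TFTP_FILES)[1]:
        print(finding)
```
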
Obtaining the configuration file  
Figure 51 Obtain the configuration file (flowchart not reproduced; its steps are: check whether the configuration file is contained in the DHCP response; obtain the specified configuration file in the response; obtain the network intermediate file; search the domain name corresponding to the IP address in the network intermediate file; resolve an IP address to a domain name through DNS; obtain the configuration file corresponding to the domain name; obtain the default configuration file; remove the temporary configurations and either execute the obtained configuration file or start without loading the configuration file)  
A device obtains its configuration file by using the following workflow:  
• If the DHCP response contains the configuration file name, the device requests the specified  
configuration file from the TFTP server.  
• If not, the device tries to get its host name from the host name file obtained from the TFTP server. If  
it fails, the device resolves its IP address to the host name through DNS server. Once the device gets  
its host name, it requests the configuration file with the same name from the TFTP server.  
• If all the operations fail, the device requests the default configuration file from the TFTP server.  
TFTP request sending mode  
The device decides whether to unicast or broadcast a TFTP request by using the following workflow:  
• If a legitimate TFTP server IP address is contained in the DHCP response, the device unicasts a TFTP  
request to the TFTP server.  
• If not, the device resolves the TFTP server domain name contained in the DHCP response to the IP  
address through the DNS server. If successful, the device unicasts a TFTP request to the TFTP server;  
if not, the device broadcasts a TFTP request.  
• If the IP address and the domain name of the TFTP server are not contained in the DHCP response  
or they are illegitimate, the device broadcasts a TFTP request.  
NOTE:  
After broadcasting a TFTP request, the device selects the TFTP server that responds first to obtain the  
configuration file. If the requested configuration file does not exist on the TFTP server, the request  
operation fails, and the device removes the temporary configuration and starts up with factory defaults.  
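An added example (not part of the HP manual): a Python model of the two workflows above, configuration file selection and TFTP request sending mode, used to audit planned DHCP responses for devices that would end up broadcasting their TFTP request or loading device.cfg. The parameter dictionary, the sample devices, and the reading of "legitimate" as an ordinary unicast IPv4 address are assumptions.

```python
import ipaddress

def usable_unicast(addr):
    """Assumption: a 'legitimate' server address is an ordinary unicast IPv4."""
    if not addr:
        return False
    try:
        ip = ipaddress.IPv4Address(addr)
    except ValueError:
        return False
    return not (ip.is_unspecified or ip.is_multicast or ip.is_loopback
                or int(ip) == 0xFFFFFFFF)

def tftp_request_mode(params, dns_a):
    """Return ('unicast', ip) or ('broadcast', None) for one DHCP response."""
    for ip in params.get("tftp_ips", []):            # Option 150
        if usable_unicast(ip):
            return ("unicast", ip)
    resolved = dns_a.get(params.get("tftp_domain"))  # Option 66 through DNS
    if usable_unicast(resolved):
        return ("unicast", resolved)
    return ("broadcast", None)

def config_file_to_request(params, host_table, dns_ptr):
    """Return (file name, source of the name) for one DHCP response."""
    if params.get("config_file"):                    # Option 67 or file field
        return (params["config_file"], "dhcp")
    ip = params["ip_address"]
    if ip in host_table:                             # entry in network.cfg
        return (host_table[ip] + ".cfg", "network.cfg")
    if ip in dns_ptr:                                # IP-to-name lookup in DNS
        return (dns_ptr[ip] + ".cfg", "dns")
    return ("device.cfg", "default")

def audit(responses, host_table, dns_a, dns_ptr):
    """List responses that end in a broadcast request or in device.cfg."""
    findings = []
    for device, params in responses.items():
        mode, _ = tftp_request_mode(params, dns_a)
        name, source = config_file_to_request(params, host_table, dns_ptr)
        if mode == "broadcast":
            findings.append(f"{device}: {name} is requested by broadcast, "
                            "so the first TFTP server to respond supplies it")
        if source == "default":
            findings.append(f"{device}: no file or host name found, gets device.cfg")
    return findings

# Constructed sample data (hypothetical devices and addresses)
RESPONSES = {
    "sw1": {"ip_address": "10.0.0.11", "config_file": "sw1.cfg",
            "tftp_ips": ["10.0.0.5"]},
    "sw2": {"ip_address": "10.0.0.12", "tftp_domain": "tftp.example.com"},
    "sw3": {"ip_address": "10.0.0.13", "tftp_ips": ["0.0.0.0"]},
}
HOST_TABLE = {"10.0.0.12": "sw2"}   # as read from network.cfg
DNS_A = {}                          # tftp.example.com does not resolve here
DNS_PTR = {}
```
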
Executing the configuration file  
After obtaining the configuration file, the device removes the temporary configuration and executes the  
configuration file. If no configuration file is obtained, the device removes the temporary configuration  
and starts up with factory defaults.  
NOTE:  
The configuration file is deleted after it is executed. Save the configuration by using the save command.  
Otherwise, the device has to perform automatic configuration again after reboot. For more information  
about the save command, see the Fundamentals Command Reference.  
Support and other resources  
Contacting HP  
For worldwide technical support information, see the HP support website:  
Before contacting HP, collect the following information:  
Product model names and numbers  
Technical support registration number (if applicable)  
Product serial numbers  
Error messages  
Operating system type and revision level  
Detailed questions  
Subscription service  
HP recommends that you register your product at the Subscriber's Choice for Business website:  
After registering, you will receive email notification of product enhancements, new driver versions,  
firmware updates, and other product resources.  
Related information  
Documents  
To find related documents, browse to the Manuals page of the HP Business Support Center website:  
For related documentation, navigate to the Networking section, and select a networking category.  
For a complete list of acronyms and their definitions, see HP A-Series Acronyms.  
Websites  
HP download drivers and software http://www.hp.com/support/downloads  
Conventions  
This section describes the conventions used in this documentation set.  
Command conventions  
Convention: Description  
Boldface: Bold text represents commands and keywords that you enter literally as shown.  
Italic: Italic text represents arguments that you replace with actual values.  
[ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.  
{ x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.  
[ x | y | ... ]: Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.  
{ x | y | ... } *: Asterisk-marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one.  
[ x | y | ... ] *: Asterisk-marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none.  
&<1-n>: The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times.  
#: A line that starts with a pound (#) sign is comments.  
GUI conventions  
Convention: Description  
Boldface: Window names, button names, field names, and menu items are in bold text. For example, the New User window appears; click OK.  
>: Multi-level menus are separated by angle brackets. For example, File > Create > Folder.  
Symbols  
Convention: Description  
WARNING: An alert that calls attention to important information that if not understood or followed can result in personal injury.  
CAUTION: An alert that calls attention to important information that if not understood or followed can result in data loss, data corruption, or damage to hardware or software.  
IMPORTANT: An alert that calls attention to essential information.  
NOTE: An alert that contains additional or supplementary information.  
TIP: An alert that provides helpful information.  
Network topology icons  
Represents a generic network device, such as a router, switch, or firewall.  
Represents a routing-capable device, such as a router or Layer 3 switch.  
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports  
Layer 2 forwarding and other Layer 2 features.  
Port numbering in examples  
The port numbers in this document are for illustration only and might be unavailable on your device.  
Index  
A  
Automatic configuration overview  
B  
Backing up the startup configuration file  
C  
Changing the system time  
Checking command-line errors  
Clearing idle 16-bit interface indexes  
CLI view description  
Command conventions  
Configuration file overview  
Configuring banners  
Configuring HTTP login  
Configuring HTTPS login  
Configuring login control over Telnet users  
Configuring NMS login  
Configuring source IP-based login control over NMS users  
Configuring source IP-based login control over web users  
Configuring temperature alarm thresholds (available only on the A3100 v2 EI)  
Configuring the detection timer  
Configuring the device name  
Configuring the exception handling method  
Configuring the FTP client  
Configuring the FTP server  
Configuring the TFTP client  
Configuring user privilege and command levels  
Contacting HP  
Controlling the CLI display  
Conventions  
D  
Deleting a startup configuration file  
Disabling Boot ROM access  
Displaying and maintaining a configuration file  
Displaying and maintaining CLI  
Displaying and maintaining CLI login  
Displaying and maintaining device management configuration  
Displaying and maintaining FTP  
Displaying and maintaining the software upgrade  
Displaying and maintaining the TFTP client  
Displaying and maintaining web login  
E  
Enabling displaying the copyright statement  
Entering the CLI  
Example for file operations  
F  
FTP overview  
H  
How automatic configuration works  
L  
Logging in through modems  
Logging in through SSH  
Logging in through Telnet  
Logging in through the console port  
Login methods  
M  
Managing files  
N  
NMS login example  
NMS login overview  
O  
Overview  
P  
Performing batch operations  
Performing directory operations  
Performing file operations  
Performing storage medium operations  
R  
Rebooting the device  
Related information  
Restoring a startup configuration file  
S  
Saving the current configuration  
Saving the running configuration  
Scheduling jobs  
Setting configuration rollback  
Setting prompt modes  
Software upgrade by installing hotfixes  
Software upgrade configuration examples  
Software upgrade methods  
Specifying a startup configuration file to be used at the next system startup  
Switch software overview  
T  
TFTP client configuration example  
TFTP overview  
Typical automatic configuration network  
Typing commands  
U  
Undo form of a command  
Upgrading system software through a system reboot  
Upgrading the Boot ROM program through a system reboot  
User interface overview  
User login control methods  
Using command history  
Using the CLI online help  
V  
Verifying and diagnosing transceiver modules  
W  
Web login example  
Web login overview  
What is CLI?  
 
