H3C Comware 7 Switches Safety & Configuration Cautions and Guidelines-6W100

02-CLI-Based Configuration Cautions and Guidelines

CLI-based configuration cautions and guidelines

Introduction

This guide contains important information that, if not understood or followed, can result in undesirable situations, including:

·     Unexpected shutdown or reboot of devices or cards.

·     Service anomalies or interruption.

·     Loss of data, configuration, or important files.

·     User login failure or unexpected logoff.

Only trained and qualified personnel are allowed to do the configuration tasks described in this guide.

Before you configure your device, read the information in this document carefully.

Configuration cautions and guidelines

Feature

Command

Description

Usage guidelines

Login management

authentication-mode

Sets the authentication mode for a user line.

When the authentication mode is none, a user can log in without authentication. To improve device security, use the password or scheme authentication mode.

An authentication mode change does not take effect on the current session. It takes effect on subsequent login sessions.

Login management

auto-execute command

Specifies the command to be automatically executed for a login user.

After configuring this command for a user line, you might be unable to access the CLI through the user line. Please use it with caution.

RBAC

interface policy deny

Enters interface policy view of a user role.

This command denies the access of the user role to any interfaces if the permit interface command is not configured. To restrict the interface access of a user role to a set of interfaces, configure the permit interface command.

RBAC

vlan policy deny

Enters VLAN policy view of a user role.

This command denies the access of the user role to any VLANs if no VLANs are specified by using the permit vlan command. To restrict the VLAN access of a user role to a set of VLANs, configure the permit vlan command.

RBAC

vpn-instance policy deny

Enters VPN instance policy view of a user role.

This command denies the access of the user role to any VPN instances if no VPN instances are specified by using the permit vpn-instance command. To restrict the VPN instance access of a user role to a set of VPN instances, configure the permit vpn-instance command.

FTP and TFTP

delete

Permanently deletes a file from the FTP server.

Make sure the file to delete is not in use before executing this command.

FTP and TFTP

rmdir

Permanently deletes a directory from the FTP server.

Make sure the directory to delete is not in use before executing this command.

File system management

delete [ /unreserved ] file

Deletes a file.

The delete /unreserved file command deletes a file permanently. The file cannot be restored.

The delete file command (without /unreserved) moves a file to the recycle bin unless it is executed on the default MDC to delete a file from a non-default MDC.

File system management

format

Formats a file system.

Formatting a file system permanently deletes all files in the file system. If a startup configuration file exists in the file system, back up the file if necessary.

File system management

reset recycle-bin

Deletes files from the recycle bin.

A file moved to the recycle bin can be restored, but a permanently deleted file cannot. Make sure the files in the recycle bin will not be used any more before you execute this command.

File system management

rmdir

Deletes a directory.

To delete a directory, you must delete all files and subdirectories in the directory permanently or move them to the recycle bin. If you move them to the recycle bin, executing the rmdir command permanently deletes them. Make sure the files and subdirectories in the directory will not be used any more before you execute this command.

Configuration file management

configuration replace file

Rolls the running configuration back by using a local replacement configuration file.

Configuration rollback allows you to replace the running configuration with the configuration in a replacement configuration file without rebooting the device. A configuration rollback might cause service disruption.

Configuration file management

reset saved-configuration

Deletes a next-startup configuration file.

This command permanently deletes the specified next-startup configuration file from the device.

Configuration file management

save

Saves the running configuration to a configuration file.

If the file specified for this command already exists, the system prompts you to confirm whether to overwrite the file.

Software upgrade

undo version auto-update enable

Disables software synchronization from active MPU to standby MPU at startup.

When the standby MPU starts up, this command prevents the system from examining the standby MPU's startup software images for version inconsistency with the active MPU's current software images. The standby MPU can start up with a different software version than the active MPU. This might cause device anomalies.

Software upgrade

version check ignore

Disables startup software version check for the standby MPU at startup.

When the standby MPU starts up, this command prevents the system from examining the standby MPU's startup software images for version inconsistency with the active MPU's current software images. The standby MPU can start up with a different software version than the active MPU. This might cause device anomalies.

ISSU

issu commit

Completes an ISSU upgrade to a compatible version.

This command ends the ISSU process. When this command is completed, the ISSU status changes to Init and the ISSU process cannot be rolled back.

ISSU

reset install rollback oldest

Clears ISSU rollback points.

This command clears the specified rollback point and all rollback points older than the specified rollback point.

Preprovisioning

undo provision [ subslot subslot-number ] model

Disables preprovisioning.

When you disable preprovisioning on a slot, the device removes all preconfigured settings for the slot, including the preconfigured settings for the subslots.

When you disable preprovisioning on a subslot, the device removes preconfigured settings for the subslot.

Device management

clock datetime

Sets the system time.

Use this command with caution. Changing the system time affects operations and features that are time sensitive or require time synchronization, such as task scheduling, log output, and statistics collection.

Device management

power-supply off

Powers off a card.

Use this command with caution. A card cannot send or receive packets after this command is executed.

Device management

reboot

Reboots the device.

A reboot might interrupt network services.

Use the force keyword only when the device fails or a reboot command without the force keyword cannot perform a reboot correctly. A reboot command with the force keyword might result in file system corruption, because it does not perform data protection.

Device management

restore factory-default

Restores the factory-default configuration for the device.

Use this command with caution. This command is disruptive. It clears the running configuration and data and deletes all files except .bin files and license files. The operation cannot be reverted. Use this command only when you cannot troubleshoot the device by using other methods, or when you want to use the device in a different scenario.

Device management

scheduler reboot

Specifies the reboot date and time.

Device reboot interrupts network services. Please use it with caution.

Device management

scheduler reboot delay

Specifies the reboot delay time.

Device reboot interrupts network services. Please use it with caution.

Device management

switch-fabric isolate

Isolates a switching fabric module or channel from the data plane.

Use this command only if required. If the device has multiple switching fabric modules, isolating a switching fabric module or channel decreases the forwarding bandwidth and reduces the forwarding performance.

Do not isolate the only switching fabric module on a device.

Device management

switch-fabric removal-signal-suppression

Suppresses removal interrupt signals from switching fabric modules.

Use this command with caution. This command might result in packet loss and service outage.

IRF

undo chassis convert mode

Restores the standalone mode of a member device in an IRF fabric.

Read the virtual technologies or IRF configuration guide for restrictions and guidelines before restoring the standalone mode of a member device.

This operation removes the member device from the IRF fabric. An IP or bridge MAC conflict might occur after a member device is removed from an IRF fabric and operates as a standalone device on the network. You must change the IP address or bridge MAC settings to remove the conflict.

IRF

irf domain

Assigns a domain ID to the IRF fabric.

Changing the IRF domain ID for a device removes the device from the IRF fabric and disables the device from exchanging IRF packets with the member devices in the IRF fabric.

IRF

irf isolate member

Isolates the unused IRF member IDs in the valid member ID range to avoid heavy CRC errors or traffic storms.

CRC errors or traffic storms occur if an IRF member device tags inter-chassis packets with a valid unused member ID. This issue is typically caused by poor-quality fiber modules, fibers, or cables on IRF links.

To avoid CRC errors or traffic storms, isolate the unused member IDs in the valid member ID range. When an unused member ID is isolated, the member devices will drop all packets that are tagged with the member ID.

Before you assign an isolated ID to a new member device, remove the isolation setting for the member ID.

IRF

irf mac-address

Specifies a MAC address as the IRF bridge MAC address.

IRF bridge MAC address change causes transient traffic disruption. Use this command with caution.

IRF

irf mac-address persistent

Configures IRF bridge MAC persistence.

IRF bridge MAC address change causes transient traffic disruption. Use this command with caution.

IRF

irf member renumber

Changes the member ID of an IRF member device.

IRF member ID change can invalidate member ID-related settings, including interface and file path settings, and cause data loss. Make sure you fully understand its impact on your live network.

IRF

undo port group interface

Removes the binding of a physical interface and an IRF port.

Use this command with caution. If the physical interface is the only up member interface of the IRF port, the IRF fabric will split after you remove the binding.

IRF3.1

pex system-working-mode

Sets the device operating mode in an IRF 3.1 system.

An IRF 3.1-capable device can operate in the following modes:

·     Auto—When the device detects LLDP packets from the parent fabric, it automatically reboots, starts up with factory defaults, and operates as a PEX. Before changing to a PEX, the device operates as an independent node.

·     PEX—The device operates as a PEX and acts as an interface module on the parent fabric.

·     Switch—The device operates as an independent node or a parent device in an IRF 3.1 system. The device does not change to a PEX even if it receives protocol packets from a parent device.

If a device operates in auto mode, its operating mode might change from auto to PEX because of connection errors or attacks. As a best practice to avoid this issue, change the operating mode of that device to switch if you will use it as a parent fabric device or a standalone device.

IRF3.1

pex-capability enable

Enables PEX connection capability on an aggregate interface and assigns the interface to a PEX group.

After you disable PEX connection capability on an aggregate interface, the aggregate interface is automatically removed from the PEX group, and its attached PEX goes offline.

MDC

allocate interface

Removes physical interfaces from an MDC.

After you remove a physical interface from an MDC, the MDC will be unable to use that interface to forward traffic. Make sure you fully understand the impact of this operation on services.

MDC

undo location

Cancels the authorization of an LPU.

Use this command with caution. An MDC cannot use the LPU to send or receive packets after this command is executed.

MDC

undo mdc start

Stops an MDC.

Stopping an MDC interrupts all services on the MDC and logs out all login users on the MDC. Use this command with caution.

Common interface settings

default

Restores the default settings for an interface.

The default command might interrupt ongoing network services. Make sure you are fully aware of the impacts of this command when you use it in a live network.

Common interface settings

shutdown

Shuts down an interface.

Use this command with caution. This command disables the interface from forwarding or receiving traffic.

Ethernet interface

port link-mode

Changes the link mode of an Ethernet interface.

Changing the link mode of an Ethernet interface also restores all commands (except shutdown and combo enable) on the Ethernet interface to their defaults in the new link mode.

Ethernet interface, FC and FCoE

port-type fc
port-type ethernet

Switches the interface type between Layer 2 Ethernet and FC.

This command removes the original interface, and then creates the target interface with the same number as the original interface. All commands on the original interface will be restored to their defaults on the new interface.

Service loopback group

port service-loopback group
undo port service-loopback group

Assigns a port to or removes a port from a service loopback group.

When you assign a port to a service loopback group, the system removes the configuration on the port. Make sure you are fully aware of the impact of this command before using it on a live network.

To avoid IRF split, do not assign a physical interface to a service loopback group if that interface is the only member interface of an IRF port.

Removing the only member interface from a service loopback group interrupts the services that use the group. The following services become unavailable: multicast tunnel, unicast tunnel, multiport ARP, Telemetry streaming, and VSI gateway.

ARP

reset arp

Clears ARP entries from the ARP table.

This command might increase the latency to send external traffic to users on LANs attached to the device.

DHCP

dhcp snooping deny

Configures a port to block incoming DHCP requests.

This command prevents the DHCP clients connected to the port from obtaining an IP address. Use this command on an interface only if no DHCP clients are attached to the interface.

DHCPv6

ipv6 dhcp snooping deny

Configures a port to block incoming DHCPv6 requests.

This command prevents the DHCPv6 clients connected to the port from obtaining an IPv6 address or prefix. Use this command on an interface only if no DHCPv6 clients are attached to the interface.

Static routing

delete static-routes all

Deletes all static routes.

Use this command with caution. This command might cause forwarding failure.

IPv6 static routing

delete ipv6 static-routes all

Deletes all IPv6 static routes.

Use this command with caution. This command might cause packet forwarding failure.

IS-IS

network-entity

Configures the Network Entity Title (NET) for an IS-IS process.

To avoid data loss, execute the network-entity command after the cost-style and is-level commands if you want to execute these three commands for the same IS-IS process.

BGP

ignore all-peers

Disables BGP session establishment with all peers and peer groups.

If sessions have been established to all peers and peer groups, executing this command disables the sessions to all peers and peer groups and clears all related routing information.

BGP

label-allocation-mode

Specifies a label allocation mode.

Use this command with caution. A change to the label allocation mode causes BGP to re-advertise all routes, which will cause service interruption.

BGP

peer ignore

Disables BGP session establishment with a peer or peer group.

If a session has been established to a peer, executing this command for the peer tears down the session and clears all related routing information. If sessions have been established to a peer group, executing this command for the peer group disables the sessions to all peers in the group and clears all related routing information.

BGP

reset bgp

Resets BGP sessions for the specified address family.

This operation breaks down BGP sessions for a short period of time.

BGP

reset bgp all

Resets all BGP sessions for all address families.

This operation breaks down BGP sessions for a short period of time.

BGP

reset bgp rpki server

Resets BGP RPKI sessions.

This command will cause temporary session interruption.

IGMP

igmp version

Specifies an IGMP version on an interface.

For IGMP to operate correctly, specify the same IGMP version for all devices on the same subnet.

IGMP

reset igmp group

Clears dynamic IGMP multicast group entries.

This command might interrupt multicast information transmission.

MLD

mld version

Specifies an MLD version on an interface.

For MLD to operate correctly, specify the same MLD version for all devices on the same subnet.

MLD

reset mld group

Clears dynamic MLD multicast group entries.

This command might interrupt IPv6 multicast information transmission.

MPLS L3VPN

apply-label

Specifies a label allocation mode.

After you change the label allocation mode, BGP re-advertises all routes in the VPN instance, which will cause service interruption. Use this command with caution.

MPLS L3VPN, MCE

ip binding vpn-instance

Associates an interface with a VPN instance.

This command or its undo form clears the IP address and routing protocol configuration on the interface.

802.1X

dot1x eapol untag

Enables the device to remove the VLAN tags of all 802.1X protocol packets sent out of a port to 802.1X clients.

Use this command only if an 802.1X-enabled hybrid port is a tagged member of its PVID and the attached 802.1X clients cannot recognize VLAN-tagged 802.1X protocol packets.

This command removes the VLAN tags of all 802.1X protocol packets sent out of the port to 802.1X clients. Do not use this command if VLAN-aware 802.1X clients are attached to the port.

ARP attack protection

arp scan

Triggers ARP scanning in an address range.

ARP scanning will take some time. To stop an ongoing scan, press Ctrl + C. Dynamic ARP entries are created based on ARP replies received before the scan is terminated.

FIPS

fips mode enable

Enables FIPS mode.

After you configure the username and password at the prompt, the system automatically uses the specified startup configuration file to reboot the device. A reboot might interrupt network services.

After executing this command, the system prompts you to choose a reboot method. If you do not make a choice within 30 seconds, the system uses the manual reboot method by default. In this mode, you must manually complete the configuration tasks for entering non-FIPS mode, and then reboot the device. To log in to the device after the reboot, you must enter user information as required by the authentication mode settings.

FIPS

fips self-test

Triggers a self-test on the cryptographic algorithms.

A successful self-test requires that all cryptographic algorithms pass the self-test. If the self-test fails, the card where the self-test process exists reboots.

Portal

portal authorization strict-checking

Enables strict checking on portal authorization information.

You can enable strict checking on authorized ACLs, authorized user profiles, or both. If you enable both strict ACL checking and user profile checking, the user will be logged out if either checking fails.

ACL or user profile checking fails when the authorized ACL or user profile does not exist on the device or fails to be deployed.

Portal

portal user-dhcp-only

Allows only users with DHCP-assigned IP addresses to pass portal authentication.

With this feature enabled, users with static IP addresses cannot pass portal authentication to come online.

In an AC+fit network, this command takes effect only when the AC acts as a DHCP server.

To ensure that IPv6 users can pass portal authentication when this feature is enabled, disable the temporary IPv6 address feature on terminal devices.

SSH

ssh server port

Specifies the SSH service port.

If you modify the SSH port number when the SSH server is enabled, the SSH service is restarted and all SSH connections are terminated after the modification. SSH users must reconnect to the SSH server to access the server.

If you set the SSH port to a well-known port number, the service that uses the well-known port number might fail to start. Well-known port numbers are in the range of 1 to 1024.

AP management (applicable only to devices with access controller functionality)

undo wlan detect-anomaly enable

Disables service anomaly detection.

With this feature disabled, the AC cannot restart automatically if a service exception occurs. As a best practice, do not disable this feature.

AP management (applicable only to devices with access controller functionality)

undo wlan enable

Disables the WLAN function.

Disabling the WLAN function logs off all online APs. Please use this feature with caution.

VRRP

vrrp vrid shutdown

Disables an IPv4 VRRP group.

This command will cause the device to drop packets sent to the IPv4 VRRP group. Use this command only when necessary, for example, for purposes such as testing or troubleshooting. Bring the group up as soon as possible to restore services.

VRRP

vrrp ipv6 vrid shutdown

Disables an IPv6 VRRP group.

With this command configured, packets sent to the IPv6 VRRP group might be discarded.

Process placement

placement reoptimize

Applies configured process placement policies for optimizing process placement.

After you execute this command, the system bases its placement decisions on the new process placement policies, hardware resources, and locations and states of active processes. If the new location for an active process is different from its current location, a process switchover is triggered. To prevent undesirable situations such as neighbor flapping in routing protocols, make sure backup features such as NSR and GR have been configured for the processes and they are in stable state.

Network management and monitoring

poe force-power

Enables forced power supply.

This command enables the device to supply power to a PD directly without performing a detection of the PD. To avoid damaging the PD, make sure the power provided by the device meets the PD specifications before executing this command.

Process monitoring and maintenance

monitor kernel deadloop action

Specifies the action to be taken in response to a kernel thread deadloop.

In most situations, use the default settings. Use this command only under the guidance of H3C Support. Inappropriate configuration can cause system breakdown. As a best practice, leave the default unchanged.

SmartMC

smartmc upgrade boot-loader

Upgrades the startup software on a list of members or SmartMC groups.

This command might cause service interruption. Make sure this command will not affect ongoing services before executing this command.

SmartMC

smartmc upgrade startup-configuration

Upgrades the startup software on a list of members or SmartMC groups.

The device uses the configuration in the specified configuration file as its running configuration after this command is executed. For the device to operate correctly after upgrade, make sure the contents in the configuration file are correct before you execute this command.

Mirroring

mirroring-group reflector-port

Configures the reflector port for a remote source group.

Do not assign the reflector port of a mirroring group to a source VLAN of the mirroring group.

The port to be configured as a reflector port must be a port not in use. Do not connect a network cable to a reflector port.

When a port is configured as a reflector port, the port is restored to its factory default settings. You cannot configure other features on a reflector port.

To avoid IRF split, do not configure the physical interface as a reflector port if an IRF port is bound to only one physical interface.

OAP manager

oap client close

Shuts down an OAP client.

When you execute this command for a client in registered state, the OAP manager sends a shutdown notification to the specified OAP client. The client stops after receiving the notification. When you execute this command for a non-existent client, an error message appears.

OAP manager

oap client reboot

Restarts an OAP client.

When you execute this command for a client in registered state, the OAP manager sends a restart notification to the specified OAP client. The client restarts after receiving the notification. When you execute this command for a non-existent client, an error message appears.

OAP module

oap reboot

Reboots an OAP module.

Resetting an OAP module might cause a service outage. To avoid service data loss, close the operating system of an OAP module before resetting the module.

FC and FCoE

domain restart

Enables manual initiation of a fabric reconfiguration in a VSAN.

During the reconfiguration procedure, each device clears all data and performs renegotiation, and data transmission in the fabric is disrupted. Use this command with caution.
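
An offline audit for several settings the table above cautions against: authentication-mode none and auto-execute command on user lines, an RBAC policy deny with no matching permit, disabled standby MPU version checks, and an SSH port in the well-known range. This is an added example, not H3C code; the sample configuration is constructed, and the `line ...` and `role name ...` view headers, `#` separators and indentation are assumptions about the saved-configuration layout.

```python
import re

# Constructed sample of a saved configuration (not taken from the page).
SAMPLE_CONFIG = """\
#
 version check ignore
#
 ssh server enable
 ssh server port 443
#
role name ops-readonly
 interface policy deny
 vlan policy deny
  permit vlan 10 to 20
#
line aux 0
 authentication-mode none
 user-role network-admin
#
line vty 0 63
 authentication-mode scheme
 auto-execute command telnet 192.0.2.10
#
"""

POLICY_DENY = re.compile(r"^(interface|vlan|vpn-instance) policy deny$")
PERMIT = re.compile(r"^permit (interface|vlan|vpn-instance)\b")
SSH_PORT = re.compile(r"^ssh server port (\d+)$")
VERSION_CHECK_OFF = {"undo version auto-update enable", "version check ignore"}


def audit(config_text):
    """Return a sorted list of (line_number, rule, detail) findings."""
    findings = []
    view = None      # current view header; None means system view
    denies = {}      # (role view, kind) -> line number of "policy deny"
    permits = set()  # (role view, kind) pairs that have at least one permit

    for lineno, raw in enumerate(config_text.splitlines(), 1):
        cmd = raw.strip()
        if not cmd:
            continue
        if cmd == "#":                 # separator: back to system view
            view = None
            continue
        if not raw[0].isspace():       # unindented line opens a new view
            view = cmd

        in_line = view is not None and view.startswith("line ")
        in_role = view is not None and view.startswith("role name ")

        # User lines: login without authentication, or a forced command.
        if in_line and cmd == "authentication-mode none":
            findings.append((lineno, "auth-none", view))
        if in_line and cmd.startswith("auto-execute command"):
            findings.append((lineno, "auto-execute", view))

        # RBAC: remember each policy deny and whether a permit follows it.
        if in_role:
            m = POLICY_DENY.match(cmd)
            if m:
                denies[(view, m.group(1))] = lineno
            m = PERMIT.match(cmd)
            if m:
                permits.add((view, m.group(1)))

        # Standby MPU may start with a different software version.
        if cmd in VERSION_CHECK_OFF:
            findings.append((lineno, "standby-version-check-off", cmd))

        # The page gives the well-known port range as 1 to 1024.
        m = SSH_PORT.match(cmd)
        if m and 1 <= int(m.group(1)) <= 1024:
            findings.append((lineno, "ssh-well-known-port", m.group(1)))

    # A deny with no permit blocks the role from every resource of that kind.
    for (role, kind), lineno in denies.items():
        if (role, kind) not in permits:
            findings.append((lineno, "role-denies-all-" + kind, role))

    return sorted(findings)


if __name__ == "__main__":
    for lineno, rule, detail in audit(SAMPLE_CONFIG):
        print(f"line {lineno}: {rule} ({detail})")
```
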

 
