CLI-based configuration cautions and guidelines
Introduction
This guide contains important information that, if not understood or followed, can result in undesirable situations, including:
· Unexpected shutdown or reboot of devices or cards.
· Service anomalies or interruption.
· Loss of data, configuration, or important files.
· User login failure or unexpected logoff.
Only trained and qualified personnel are allowed to do the configuration tasks described in this guide.
Before you configure your device, read the information in this document carefully.
Configuration cautions and guidelines
Feature | Command | Description | Usage guidelines |
---|---|---|---|
Login management | authentication-mode | Sets the authentication mode for a user line. | When the authentication mode is none, a user can log in without authentication. To improve device security, use the password or scheme authentication mode. When you enable password authentication, you must also configure an authentication password for the line or line class. If no authentication password is configured, you cannot log in to the device through the line or line class at the next login. When you enable scheme authentication, make sure an authentication user account is available. If no authentication user account is available, you cannot log in to the device through the line or line class at the next login. An authentication mode change does not take effect on the current session. It takes effect on subsequent login sessions. |
Login management | auto-execute command | Specifies the command to be automatically executed for a login user. | After using this command for a user line, you might be unable to access the CLI through the user line. Use this command with caution. |
Login management | redirect disconnect | Manually terminates redirected Telnet connections. | Manually terminating a redirected Telnet connection logs out the user of the redirected Telnet connection. |
RBAC | interface policy deny | Enters interface policy view of a user role. | This command denies a user role access to any interfaces if you do not specify accessible interfaces by using the permit interface command. To configure an interface, make sure the interface is permitted by the user role interface policy in use. |
RBAC | security-zone policy deny | Enters security zone policy view of a user role. | This command denies a user role access to any security zones if you do not specify accessible security zones by using the permit security-zone command. To configure a security zone, make sure the security zone is permitted by the user role security zone policy in use. |
RBAC | vlan policy deny | Enters VLAN policy view of a user role. | This command denies a user role access to any VLANs if you do not specify accessible VLANs by using the permit vlan command. To configure a VLAN, make sure the VLAN is permitted by the user role VLAN policy in use. |
RBAC | vpn-instance policy deny | Enters VPN instance policy view of a user role. | This command denies a user role access to any VPN instances if you do not specify accessible VPN instances by using the permit vpn-instance command. To configure a VPN instance, make sure the VPN instance is permitted by the user role VPN instance policy in use. |
FTP and TFTP | delete | Permanently deletes a file from the FTP server. | Make sure the file to delete is not in use before executing this command. |
FTP and TFTP | rmdir | Permanently deletes a directory from the FTP server. | Make sure the directory to delete is not in use before executing this command. |
File system management | delete [ /unreserved ] file | Deletes a file. | The delete /unreserved file command deletes a file permanently. The file cannot be restored. The delete file command (without /unreserved) moves a file to the recycle bin unless it is executed on the default MDC to delete a file from a non-default MDC. |
File system management | format | Formats a file system. | Formatting a file system permanently deletes all files in the file system. If a startup configuration file exists in the file system, back up the file if necessary. |
File system management | reset recycle-bin | Deletes files from the recycle bin. | A file moved to the recycle bin can be restored, but a permanently deleted file cannot. Make sure the files in the recycle bin will no longer be used before you execute this command. |
File system management | rmdir | Deletes a directory. | To delete a directory, you must delete all files and subdirectories in the directory permanently or move them to the recycle bin. If you move them to the recycle bin, executing the rmdir command permanently deletes them. Make sure the files and subdirectories in the directory will no longer be used before you execute this command. |
Configuration file management | configuration replace file | Rolls the running configuration back by using a local replacement configuration file. | Configuration rollback allows you to replace the running configuration with the configuration in a replacement configuration file without rebooting the device. A configuration rollback might cause service disruption. |
Configuration file management | configuration replace server file | Enables remote configuration rollback. | The remote configuration rollback feature replaces the running configuration with the configuration in a remote configuration file without rebooting the device. This operation will cause settings not in the replacement configuration file to be lost, which might cause service interruption. When you perform configuration rollback, make sure you fully understand its impact on your network. |
Configuration file management | reset saved-configuration | Deletes a next-startup configuration file. | This command permanently deletes the specified next-startup configuration file from the device. |
Configuration file management | save | Saves the running configuration to a configuration file. | If the file specified for this command already exists, the system prompts you to confirm whether to overwrite the file. |
Software upgrade | undo version auto-update enable | Disables software synchronization from active MPU to standby MPU at startup. | When the standby MPU starts up, this command prevents the system from examining the standby MPU's startup software images for version inconsistency with the active MPU's current software images. The standby MPU can start up with a different software version than the active MPU. This might cause device anomalies. |
Software upgrade | version check ignore | Disables startup software version check for the standby MPU at startup. | When the standby MPU starts up, this command prevents the system from examining the standby MPU's startup software images for version inconsistency with the active MPU's current software images. The standby MPU can start up with a different software version than the active MPU. This might cause device anomalies. |
ISSU | issu commit | Completes an ISSU upgrade to a compatible version. | This command ends the ISSU process. When this command is completed, the ISSU status changes to Init and the ISSU process cannot be rolled back. |
Device management | reboot | Reboots the device. | A reboot might interrupt network services. Use the force keyword only when the device fails or a reboot command without the force keyword cannot perform a reboot correctly. A reboot command with the force keyword might result in file system corruption, because it does not perform data protection. |
Device management | restore factory-default | Restores the factory-default configuration for the device. | Use this command with caution. This command is disruptive. It clears the running configuration and data and deletes all files except .bin files and license files. The operation cannot be reverted. Use this command only when you cannot troubleshoot the device by using other methods, or when you want to use the device in a different scenario. |
IRF | undo chassis convert mode | Restores the standalone mode of a member device in an IRF fabric. | Read the virtual technologies or IRF configuration guide for restrictions and guidelines before you restore the standalone mode of a member device. This operation removes the member device from the IRF fabric. An IP or bridge MAC conflict might occur after a member device is removed from an IRF fabric and operates as a standalone device on the network. You must change the IP address or bridge MAC settings to remove the conflict. |
IRF | irf mac-address persistent | Configures IRF bridge MAC persistence. | An IRF bridge MAC address change causes transient traffic disruption. Use this command with caution. |
IRF | irf member renumber | Changes the member ID of an IRF member device. | An IRF member ID change can invalidate member ID-related settings, including interface and file path settings, and cause data loss. Make sure you fully understand its impact on your live network. |
MDC | allocate interface | Removes physical interfaces from an MDC. | After you remove a physical interface from an MDC, the MDC will be unable to use that interface to forward traffic. Make sure you fully understand the impact of this operation on services. |
MDC | undo location | Cancels the authorization of an LPU. | Use this command with caution. An MDC cannot use the LPU to send or receive packets after this command is executed. |
MDC | undo mdc start | Stops an MDC. | Stopping an MDC interrupts all services on the MDC and logs out all login users on the MDC. Use this command with caution. |
Common interface settings | default | Restores the default settings for an interface. | The default command might interrupt ongoing network services. Make sure you are fully aware of the impacts of this command when you use it in a live network. |
Common interface settings | shutdown | Shuts down an interface. | Use this command with caution. This command disables the interface from forwarding or receiving traffic. |
Ethernet interface | port link-mode | Changes the link mode of an Ethernet interface. | Changing the link mode of an Ethernet interface also restores all commands (except shutdown and combo enable) on the Ethernet interface to their defaults in the new link mode. |
Ethernet interface | port-type switch gigabitethernet; port-type switch pos | Switches the interface type between POS and Layer 3 GigabitEthernet. | This command removes the original interface, and then creates the target interface with the same number as the original interface. All commands on the original interface will be restored to their defaults on the new interface. |
FlexE interface | port link-mode | Changes the link mode of a FlexE logical interface. | Changing the link mode of a FlexE logical interface also restores all commands (except shutdown) on the FlexE logical interface to their defaults in the new link mode. |
FlexE interface | port-type flexe; port-type ethernet | Switches the interface type between standard Ethernet and FlexE. | After the type of an interface is changed, the system deletes the original interface and creates a new interface that is numbered the same as the original interface. All the other commands are restored to the default on the new interface. |
ISDN | undo power-source | Disables a BRI interface from supplying line power to the terminal equipment. | After you execute this command on an ISDN BRI interface, the device (for example, an ISDN digital telephone) whose power is remotely provided by the BRI interface is powered off. |
Modem management | undo modem enable | Disables the modem from answering incoming calls and initiating outgoing calls. | Execute this command with caution. This command can cause disconnection of the modem connection that has been established. |
3G/4G modem management | modem reboot | Reboots a 3G/4G modem. | Execute this command with caution. It can cause disconnection of the established 3G/4G modem connections. |
ARP | reset arp | Clears ARP entries from the ARP table. | This command might increase the latency to send external traffic to users on LANs attached to the device. |
ARP | arp pnp | Enables the ARP plug and play (PnP) feature. | Features that use ARP entries, for example, static routes and proxy ARP, cannot operate correctly when the ARP PnP feature is enabled. |
DHCP | dhcp snooping deny | Configures a port to block incoming DHCP requests. | This command prevents the DHCP clients connected to the port from obtaining an IP address. Use this command on an interface only if no DHCP clients are attached to the interface. |
DHCPv6 | ipv6 dhcp snooping deny | Configures a port to block incoming DHCPv6 requests. | This command prevents the DHCPv6 clients connected to the port from obtaining an IPv6 address or prefix. Use this command on an interface only if no DHCPv6 clients are attached to the interface. |
ADVPN | reset vam server address-map | Clears IPv4 private-public address mapping information for VAM clients registered with the VAM server. | When this command is executed, the system sends an error notification to VAM clients that have registered the private IPv4 addresses and logs off the clients. |
ADVPN | reset vam server ipv6 address-map | Clears IPv6 private-public address mapping information for VAM clients registered with the VAM server. | When this command is executed, the system sends an error notification to VAM clients that have registered the private IPv6 addresses and logs off the clients. |
ADVPN | reset vam client fsm | Resets FSMs for VAM clients. | After you use this command to reset the FSM for a VAM client, the client will immediately try to come online. |
ADVPN | reset vam client ipv6 fsm | Resets FSMs for IPv6 VAM clients. | After you use this command to reset the FSM for an IPv6 VAM client, the client will immediately try to come online. |
Static routing | delete static-routes all | Deletes all static routes. | Use this command with caution. This command might cause forwarding failure. |
IPv6 static routing | delete ipv6 static-routes all | Deletes all IPv6 static routes. | Use this command with caution. This command might cause packet forwarding failure. |
IS-IS | network-entity | Configures the Network Entity Title (NET) for an IS-IS process. | To avoid data loss, execute the network-entity command after the cost-style and is-level commands if you want to execute these three commands for the same IS-IS process. |
BGP | label-allocation-mode | Specifies a label allocation mode. | Use this command with caution. A change to the label allocation mode enables BGP to re-advertise all routes, which will cause service interruption. |
BGP | peer ignore | Disables BGP session establishment with a peer or peer group. | If a session has been established to a peer, executing this command for the peer tears down the session and clears all related routing information. If sessions have been established to a peer group, executing this command for the peer group disables the sessions to all peers in the group and clears all related routing information. |
BGP | reset bgp | Resets BGP sessions for the specified address family. | This operation breaks down BGP sessions for a short period of time. |
BGP | reset bgp all | Resets all BGP sessions for all address families. | This operation breaks down BGP sessions for a short period of time. |
IGMP | igmp version | Specifies an IGMP version on an interface. | For IGMP to operate correctly, specify the same IGMP version for all devices on the same subnet. |
IGMP | reset igmp group | Clears dynamic IGMP multicast group entries. | This command might interrupt multicast information transmission. |
MLD | mld version | Specifies an MLD version on an interface. | For MLD to operate correctly, specify the same MLD version for all devices on the same subnet. |
MLD | reset mld group | Clears dynamic MLD multicast group entries. | This command might interrupt IPv6 multicast information transmission. |
MPLS L3VPN, MCE | ip binding vpn-instance | Associates an interface with a VPN instance. | This command or its undo form clears the IP address and routing protocol configuration on the interface. |
ARP attack protection | arp scan | Triggers ARP scanning in an address range. | ARP scanning will take some time. To stop an ongoing scan, press Ctrl + C. Dynamic ARP entries are created based on ARP replies received before the scan is terminated. |
FIPS | fips mode enable | Enables FIPS mode. | After you configure the username and password at the prompt, the system automatically uses the specified startup configuration file to reboot the device. A reboot might interrupt network services. After executing this command, the system prompts you to choose a reboot method. If you do not make a choice within 30 seconds, the system uses the manual reboot method by default. In this mode, you must manually complete the configuration tasks for entering non-FIPS mode, and then reboot the device. To log in to the device after the reboot, you must enter user information as required by the authentication mode settings. |
FIPS | fips self-test | Triggers a self-test on the cryptographic algorithms. | A successful self-test requires that all cryptographic algorithms pass the self-test. If the self-test fails, the card where the self-test process exists reboots. |
Portal | portal authorization strict-checking | Enables strict checking on portal authorization information. | You can enable strict checking on authorized ACLs, authorized user profiles, or both. If you enable both strict ACL checking and user profile checking, the user will be logged out if either check fails. ACL or user profile checking fails when the authorized ACL or user profile does not exist on the device or fails to be deployed. |
Portal | portal user-dhcp-only | Allows only users with DHCP-assigned IP addresses to pass portal authentication. | With this feature enabled, users with static IP addresses cannot pass portal authentication to come online. In an AC+fit network, this command takes effect only when the AC acts as a DHCP server. To ensure that IPv6 users can pass portal authentication when this feature is enabled, disable the temporary IPv6 address feature on terminal devices. |
SSH | ssh server port | Specifies the SSH service port. | If you modify the SSH port number when the SSH server is enabled, the SSH service is restarted and all SSH connections are terminated after the modification. SSH users must reconnect to the SSH server to access the server. If you set the SSH port to a well-known port number, the service that uses the well-known port number might fail to start. Well-known port numbers are in the range of 1 to 1024. |
IPsec | ipsec no-nat-process enable | Enables the IPsec no NAT feature on an interface. | This feature affects NAT processing. Use it with caution. |
AP management | undo wlan detect-anomaly enable | Disables service anomaly detection. | With this feature disabled, the AC cannot restart automatically if a service exception occurs. As a best practice, do not disable this feature. |
VRRP | vrrp vrid shutdown | Disables an IPv4 VRRP group. | This command will cause the device to drop packets sent to the IPv4 VRRP group. Use this command only when necessary, for example, for purposes such as testing or troubleshooting. Bring the group up as soon as possible to restore services. |
VRRP | vrrp ipv6 vrid shutdown | Disables an IPv6 VRRP group. | With this command configured, packets sent to the IPv6 VRRP group might be discarded. |
BFD | bfd init-fail-timer | Sets the delay timer for BFD to notify upper-layer protocols of session establishment failures. | For session establishment failures caused by configuration mismatches at the two ends, this command can cause the upper-layer protocol to act incorrectly. Therefore, use this command with caution. BFD status mismatch and BFD authentication configuration mismatch are examples of configuration mismatches. |
Process placement | placement reoptimize | Applies configured process placement policies for optimizing process placement. | After you execute this command, the system bases its placement decisions on the new process placement policies, hardware resources, and locations and states of active processes. If the new location for an active process is different from its current location, a process switchover is triggered. To prevent undesirable situations such as neighbor flapping in routing protocols, make sure backup features such as NSR and GR have been configured for the processes and they are in a stable state. |
Process placement | monitor kernel deadloop action | Specifies the action to be taken in response to a kernel thread deadloop. | In most situations, use the default settings. Use this command only under the guidance of H3C Support. Inappropriate configuration can cause system breakdown. As a best practice, leave the default unchanged. |
OAP module | oap reboot | Reboots an OAP module. | Resetting an OAP module might cause a service outage. To avoid service data loss, close the operating system of an OAP module before resetting the module. |
DPI engine | inspect bypass | Disables the DPI engine. | This command causes packets of all protocols to bypass DPI processing. DPI-based services might also be interrupted. For example, security policies cannot control access to applications and Layer 7 load balancing services cannot load share traffic based on applications. |
DPI engine | inspect activate | Activates the policy and rule settings for DPI service modules. | This command causes transient DPI service interruption. DPI-based services might also be interrupted. For example, security policies cannot control access to applications and Layer 7 load balancing services cannot load share traffic based on applications. |
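The authentication-mode guidance above can be checked offline against a saved configuration. The following is an added example, not H3C code: it flags user lines set to none, password mode with no password on the line or its line class, and scheme mode with no local account. The sample configuration is constructed; the `set authentication password` and `local-user` section names are assumed to appear as in a Comware-style configuration file, and lines that rely on the default mode are not evaluated.

```python
import re

# Constructed Comware-style excerpt for illustration; not from a real device.
SAMPLE_CONFIG = """\
line class vty
 set authentication password hash $h$6$CONSTRUCTED
#
line aux 0
 authentication-mode none
#
line con 0
 authentication-mode password
#
line vty 0 4
 authentication-mode password
#
line vty 5 63
 authentication-mode scheme
#
"""

def parse_sections(config):
    """Map each top-level section header to its indented command lines."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("#"):
            current = None                      # '#' separates sections
        elif not raw[0].isspace():
            current = raw.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(raw.strip())
    return sections

def has_password(cmds):
    """True if the section configures a line authentication password."""
    return any(c.startswith("set authentication password") for c in cmds)

def audit_login_lines(config):
    """Return (section, severity, message) for each risky user-line setting."""
    sections = parse_sections(config)
    # Assumption: only local accounts are visible here; remote AAA is not modelled.
    local_user = any(h.startswith("local-user ") for h in sections)
    findings = []
    for header, cmds in sections.items():
        m = re.match(r"line (class )?(\w+)", header)
        if not m:
            continue
        mode = next((c.split()[1] for c in cmds
                     if c.startswith("authentication-mode ")), None)
        # A password set on the line class also satisfies password mode.
        class_cmds = sections.get(f"line class {m.group(2)}", [])
        if mode == "none":
            findings.append((header, "HIGH", "login without authentication"))
        elif mode == "password" and not (has_password(cmds) or has_password(class_cmds)):
            findings.append((header, "LOCKOUT", "no password on line or line class"))
        elif mode == "scheme" and not local_user:
            findings.append((header, "CHECK", "no local-user; confirm remote AAA accounts"))
    return findings

if __name__ == "__main__":
    for finding in audit_login_lines(SAMPLE_CONFIG):
        print(*finding, sep=" | ")
```

Because an authentication mode change applies only to subsequent login sessions, run a check like this before closing the session that made the change.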