01-Fundamentals

HomeSupportConfigure & DeployConfiguration GuidesH3C Access Controllers Configuration Guides(R5228P01)-6W10201-Fundamentals
Table of Contents
Related Documents
01-Text
Title Size Download
01-Text 2.63 MB

Contents

Using the CLI 1

CLI views· 1

Entering system view from user view·· 2

Returning to the upper-level view from any view·· 2

Returning to user view·· 2

Accessing the CLI online help· 2

Using the undo form of a command· 3

Entering a command· 3

Editing a command line· 3

Entering a text or string type value for an argument 4

Entering an interface type· 5

Abbreviating commands· 5

Configuring and using command aliases· 5

Configuring and using command hotkeys· 6

Enabling redisplaying entered-but-not-submitted commands· 8

Understanding command-line error messages· 8

Using the command history feature· 8

Command buffering rules· 9

Repeating commands in the command history buffer for a line· 9

Controlling the CLI output 10

Pausing between screens of output 10

Numbering each output line from a display command· 10

Filtering the output from a display command· 11

Saving the output from a display command to a file· 13

Viewing and managing the output from a display command effectively· 14

Saving the running configuration· 15

Configuring RBAC· 16

Overview·· 16

Permission assignment 16

User role assignment 18

Configuration task list 19

Creating a user role· 19

Configuring user role rules· 20

Configuration restrictions and guidelines· 20

Configuration procedure· 20

Configuring a feature group· 21

Configuring resource access policies· 21

Configuring the user role interface policy· 22

Configuring the user role VLAN policy· 22

Assigning user roles· 22

Enabling the default user role feature· 23

Assigning user roles to remote AAA authentication users· 23

Assigning user roles to local AAA authentication users· 23

Assigning user roles to non-AAA authentication users on user lines· 24

Configuring temporary user role authorization· 24

Configuration restrictions and guidelines· 24

Configuring user role authentication· 26

Obtaining temporary user role authorization· 26

Displaying and maintaining RBAC settings· 26

RBAC configuration examples· 27

RBAC configuration example for local AAA authentication users· 27

RBAC configuration example for RADIUS authentication users· 29

RBAC temporary user role authorization configuration example (HWTACACS authentication) 31

RBAC temporary user role authorization configuration example (RADIUS authentication) 35

Troubleshooting RBAC·· 38

Local users have more access permissions than intended· 38

Login attempts by RADIUS users always fail 38

Login overview· 39

Using the console port for the first device access· 41

Configuring CLI login· 42

CLI overview·· 42

User lines· 42

Login authentication modes· 43

User roles· 43

Configuring local console login· 43

Disabling authentication for console login· 44

Configuring password authentication for console login· 44

Configuring scheme authentication for console login· 45

Configuring common console line settings· 45

Configuring Telnet login· 47

Configuring the device as a Telnet server 47

Using the device to log in to a Telnet server 51

Configuring SSH login· 52

Configuring the device as an SSH server 52

Using the device to log in to an SSH server 53

Displaying and maintaining CLI login· 54

Configuring Web login· 55

Configuring HTTP login· 55

Configuring HTTPS login· 56

Displaying and maintaining Web login· 58

Web login configuration examples· 58

HTTP login configuration example· 58

HTTPS login configuration example· 59

Accessing the device through SNMP· 62

Configuring RESTful access· 63

Configuring RESTful access over HTTP· 63

Configuring RESTful access over HTTPS· 63

Controlling user access to the device· 65

Controlling Telnet/SSH logins· 65

Configuration procedures· 65

Configuration example· 65

Controlling Web logins· 66

Configuring source IP-based Web login control 66

Logging off online Web users· 67

Configuration example· 67

Controlling SNMP access· 67

Configuration procedure· 67

Configuration example· 69

Configuring command authorization· 69

Configuration procedure· 69

Configuration example· 70

Configuring command accounting· 72

Configuration procedure· 72

Configuration example· 73

Configuring FTP· 75

Using the device as an FTP server 75

Configuring basic parameters· 75

Configuring authentication and authorization· 76

Manually releasing FTP connections· 77

Displaying and maintaining the FTP server 77

FTP server configuration example· 77

FTP server configuration example (on an IRF fabric) 78

Using the device as an FTP client 80

Establishing an FTP connection· 80

Managing directories on the FTP server 81

Working with files on the FTP server 81

Changing to another user account 82

Maintaining and troubleshooting the FTP connection· 82

Terminating the FTP connection· 83

Displaying command help information· 83

Displaying and maintaining the FTP client 83

FTP client configuration example· 84

FTP client configuration example (on an IRF fabric) 85

Configuring TFTP· 87

Configuring the device as an IPv4 TFTP client 87

Configuring the device as an IPv6 TFTP client 87

Managing file systems· 89

Overview·· 89

File systems· 89

Directories· 90

Files· 90

Specifying a directory name or file name· 91

Command and hardware compatibility· 91

File system management restrictions and guidelines· 92

Formatting a file system·· 92

Managing directories· 92

Displaying directory information· 92

Displaying the working directory· 93

Changing the working directory· 93

Creating a directory· 93

Renaming a directory· 93

Archiving or extracting directories· 93

Deleting a directory· 94

Setting the operation mode for directories· 94

Managing files· 94

Displaying file information· 94

Displaying the contents of a text file· 94

Renaming a file· 95

Copying a file· 95

Moving a file· 95

Compressing or decompressing a file· 95

Archiving or extracting files· 95

Deleting or restoring a file· 96

Deleting files from the recycle bin· 96

Calculating the file digest 96

Setting the operation mode for files· 96

Managing configuration files· 98

Overview·· 98

Configuration types· 98

Next-startup configuration file redundancy· 98

Configuration file formats· 99

Startup configuration file selection· 99

Configuration file content organization and format 99

Compatibility information· 99

Enabling configuration encryption· 99

Comparing configurations for their differences· 100

Saving the running configuration· 100

Restrictions and guidelines· 100

Using different methods to save the running configuration· 101

Configuring configuration rollback· 102

Configuration task list 102

Setting configuration archive parameters· 102

Enabling automatic configuration archiving· 103

Manually archiving the running configuration· 104

Rolling back configuration· 104

Specifying a next-startup configuration file· 105

Backing up the main next-startup configuration file to a TFTP server 105

Restoring the main next-startup configuration file from a TFTP server 106

Deleting a next-startup configuration file· 106

Displaying and maintaining configuration files· 107

Upgrading software· 108

Overview·· 108

Software types· 108

Software file naming conventions· 108

Comware image redundancy and loading procedure· 108

System startup process· 109

Command and hardware compatibility· 110

Upgrade methods· 110

Preparing for the upgrade· 111

Upgrade task list 111

Preloading the Boot ROM image to Boot ROM·· 111

Specifying startup images and completing the upgrade· 112

IRF-incapable devices· 112

IRF-capable devices· 113

Restoring or downgrading the Boot ROM image· 114

Displaying and maintaining software image settings· 114

Software upgrade example (IRF-incapable devices) 114

Network requirements· 114

Configuration procedure· 114

Software upgrade example (IRF-capable devices) 115

Network requirements· 115

Configuration procedure· 115

Managing the device· 117

Device management task list 117

Configuring the device name· 117

Configuring the system time· 117

Enabling displaying the copyright statement 119

Configuring banners· 119

Banner types· 119

Banner input methods· 120

Configuration procedure· 120

Rebooting the device· 121

Rebooting devices immediately at the CLI 121

Scheduling a device reboot 121

Scheduling a task· 122

Configuration restrictions and guidelines· 122

Configuration procedure· 122

Schedule configuration example· 124

Disabling password recovery capability· 129

Setting the port status detection timer 129

Monitoring CPU usage· 130

Setting memory alarm thresholds· 130

Configuring the temperature alarm thresholds· 132

Verifying and diagnosing transceiver modules· 132

Verifying transceiver modules· 132

Diagnosing transceiver modules· 133

Restoring the factory-default configuration· 133

Displaying and maintaining device management configuration· 134

Using Tcl 135

Using Tcl to configure the device· 135

Executing Comware commands in Tcl configuration view·· 135

Using Python· 137

Overview·· 137

Entering the Python shell 137

Executing a Python script 137

Python usage example· 137

Comware V7 extended Python API 139

Importing and using the Comware V7 extended Python API 139

Comware V7 extended Python API functions· 139

CLI class· 139

Transfer class· 141

API get_self_slot 142

API get_standby_slot 142

API get_slot_range· 143

Managing licenses· 144

Overview·· 144

License types· 144

License pool 144

Compatibility information· 145

Feature and hardware compatibility· 145

Command and hardware compatibility· 145

Restrictions and guidelines· 146

General restrictions and guidelines· 146

Licenses for different device types· 146

License file safety· 146

Licensing procedure summary· 147

Registering licenses· 147

Registering licenses for the first time· 147

Registering upgrade licenses· 150

Installing an activation file· 153

Transferring a license· 153

Compressing the license storage· 154

Displaying and maintaining licenses· 154

Using automatic configuration· 155

Overview·· 155

Automatic configuration task list 155

Configuring the file server 156

Preparing the files for automatic configuration· 156

Host name file· 156

Configuration files· 156

Script files· 157

Configuring the DHCP server 157

Configuration guidelines· 157

Configuring the DHCP server when an HTTP file server is used· 158

Configuring the DHCP server when a TFTP file server is used· 158

Configuring the DNS server 159

Configuring the gateway· 159

Preparing the interface used for automatic configuration· 159

Starting and completing automatic configuration· 159

Automatic configuration examples· 160

Automatic configuration using TFTP server 160

Automatic configuration using HTTP server and Tcl script 161

Automatic configuration using HTTP server and Python script 163

Index· 165

 


Using the CLI

At the command-line interface (CLI), you can enter text commands to configure, manage, and monitor the device. The following text is displayed when you access the CLI:

******************************************************************************

* Copyright (c) 2004-2018 New H3C Technologies Co., Ltd. All rights reserved.*

* Without the owner's prior written consent,                                 *

* no decompiling or reverse-engineering shall be allowed.                    *

******************************************************************************

 

<Sysname>

You can use different methods to log in to the CLI, including through the console port, Telnet, and SSH. For more information about login methods, see "Login overview."

CLI views

Commands are grouped in different views by feature. To use a command, you must enter its view.

CLI views are hierarchically organized, as shown in Figure 1. Each view has a unique prompt, from which you can identify where you are and what you can do. For example, the prompt [Sysname-vlan100] shows that you are in VLAN 100 view and can configure attributes for that VLAN.

Figure 1 CLI views

 

You are placed in user view immediately after you log in to the CLI. The user view prompt is <Device-name>, where Device-name indicates the device name. The device name is Sysname by default. You can change it by using the sysname command.

In user view, you can perform the following tasks:

·     Perform basic operations including display, debug, file management, FTP, Telnet, clock setting, and reboot.

·     Enter system view. The system view prompt is [Device-name].

In system view, you can perform the following tasks:

·     Configure global settings (such as the daylight saving time, banners, and hotkeys) and some features.

·     Enter different feature views.

For example, you can perform the following tasks:

?     Enter interface view to configure interface parameters.

?     Enter VLAN view to add ports to the VLAN.

?     Enter user line view to configure login user attributes.

A feature view might have child views.

To display all commands available in a view, enter a question mark (?) at the view prompt.

Entering system view from user view

Task

Command

Enter system view.

system-view

 

Returning to the upper-level view from any view

Task

Command

Return to the upper-level view from any view.

quit

 

Executing the quit command in user view terminates your connection to the device.

In public key view, use the peer-public-key end command to return to system view.

Returning to user view

To return directly to user view from any other view, use the return command or press Ctrl+Z.

 

Task

Command

Return directly to user view.

return

Accessing the CLI online help

The CLI online help is context sensitive. Enter a question mark at any prompt or in any position of a command to display all available options.

To access the CLI online help, use one of the following methods:

·     Enter a question mark at a view prompt to display the first keyword of every command available in the view. For example:

<Sysname> ?

User view commands:

  archive           Archive configuration

  backup            Backup operation

  boot-loader       Software image file management

·     Enter a space and a question mark after a command keyword to display all available, subsequent keywords and arguments.

?     If the question mark is in the place of a keyword, the CLI displays all possible keywords, each with a brief description. For example:

<Sysname> terminal ?

  debugging  Enable to display debugging logs on the current terminal

  logging    Display logs on the current terminal

  monitor    Enable to display logs on the current terminal

?     If the question mark is in the place of an argument, the CLI displays the description for the argument. For example:

<Sysname> system-view

[Sysname] interface vlan-interface ?

  <1-4094>  Vlan-interface interface number

[Sysname] interface vlan-interface 1 ?

  <cr>

[Sysname] interface vlan-interface 1

<1-4094> is the value range for the argument. <cr> indicates that the command is complete and you can press Enter to execute the command.

·     Enter an incomplete keyword string followed by a question mark to display all keywords starting with that string. The CLI also displays the descriptions for the keywords. For example:

<Sysname> b?

  backup       Backup operation

  boot-loader  Software image file management

  bootrom      Update/read/backup/restore bootrom

<Sysname> display ftp?

  ftp         FTP module

  ftp-server  FTP server information

  ftp-user    FTP user information

Using the undo form of a command

Most configuration commands have an undo form for the following tasks:

·     Canceling a configuration.

·     Restoring the default.

·     Disabling a feature.

For example, the info-center enable command enables the information center. The undo info-center enable command disables the information center.

Entering a command

When you enter a command, you can perform the following tasks:

·     Use keys or hotkeys to edit the command line.

·     Use abbreviated keywords or keyword aliases.

Editing a command line

To edit a command line, use the keys listed in Table 1 or the hotkeys listed in Table 4. When you are finished, you can press Enter to execute the command.

Table 1 Command line editing keys

Keys

Function

Common keys

If the edit buffer is not full, pressing a common key inserts a character at the cursor and moves the cursor to the right. The edit buffer can store up to 511 characters. Unless the buffer is full, all common characters that you enter before pressing Enter are saved in the edit buffer.

Backspace

Deletes the character to the left of the cursor and moves the cursor back one character.

Left arrow key ()

Moves the cursor one character to the left.

Right arrow key ()

Moves the cursor one character to the right.

Up arrow key ()

Displays the previous command in the command history buffer.

Down arrow key ()

Displays the next command in the command history buffer.

Tab

If you press Tab after entering part of a keyword, the system automatically completes the keyword.

·     If a unique match is found, the system displays the complete keyword.

·     If there is more than one match, press Tab multiple times to pick the keyword you want to enter.

·     If there is no match, the system does not modify what you entered but displays it again in the next line.

 

The total length of a command line cannot exceed 512 characters, including spaces and special characters.

The device supports the following special commands:

·     #Used by the system in a configuration file as separators for adjacent sections.

·     versionUsed by the system in a configuration file to indicate the software version information. For example, version 7.1.064, ESS 5103.

These commands are special because of the following reasons:

·     These commands are not intended for you to use at the CLI.

·     You can enter these commands in any view, or enter any values for them. For example, you can enter # abc or version abc. However, the settings do not take effect.

·     The device does not provide any online help information for these commands.

Entering a text or string type value for an argument

A text type argument value can contain printable characters other than the question mark (?).

A string type argument value can contain any printable characters except for the following characters:

·     Question mark (?).

·     Quotation mark (").

·     Backward slash (\).

·     Space.

A specific argument might have more requirements. For more information, see the relevant command reference.

To enter a printable character, you can enter the character or its ASCII code (in the range of 32 to 126).

Entering an interface type

You can enter an interface type in one of the following formats:

·     Full spelling of the interface type.

·     An abbreviation that uniquely identifies the interface type.

·     Acronym of the interface type.

For a command line, all interface types are case insensitive. Table 2 shows the full spellings and acronyms of interface types.

For example, to use the interface command to enter the view of interface GigabitEthernet 1/0/1, you can enter the command line in the following formats:

·     interface gigabitethernet 1/0/1

·     interface g 1/0/1

·     interface ge 1/0/1

·     interface gigabitethernet1/0/1

·     interface g1/0/1

·     interface ge1/0/1

Table 2 Full spellings and acronyms of interface types

Full spelling

Acronym

Bridge-Aggregation

BAGG

CMTunnel

CMTunnel

Dialer

Dia

GigabitEthernet

GE

LoopBack

Loop

M-GigabitEthernet

MGE

NULL

NULL

Ten-GigabitEthernet

XGE

Tunnel

Tun

Virtual-Template

VT

Vlan-interface

Vlan-int

 

Abbreviating commands

You can enter a command line quickly by entering incomplete keywords that uniquely identify the complete command. In user view, for example, commands starting with an s include startup saved-configuration and system-view. To enter the command system-view, you need to type only sy. To enter the command startup saved-configuration, type st s.

You can also press Tab to complete an incomplete keyword.

Configuring and using command aliases

You can configure an alias for a command or the starting keywords of commands. Then, you can use the alias to execute the command or commands. If the command or commands have undo forms, you can also use the alias to execute the undo command or commands.

For example, if you configure the alias siprt for display ip routing-table, you can enter siprt to execute the display ip routing-table command. If you configure the alias ship for display ip, you can use ship to execute all commands starting with display ip:

·     Enter ship routing-table to execute the display ip routing-table command.

·     Enter ship interface to execute the display ip interface command.

Usage guidelines

After you successfully execute a command by using an alias, the system saves the command, instead of the alias, to the running configuration.

The command string represented by an alias can include up to nine parameters. Each parameter starts with the dollar sign ($) and a sequence number in the range of 1 to 9. For example, you can configure the alias shinc for the display $1 | include $2 command. Then, you can enter shinc hotkey CTRL_C to execute the display hotkey | include CTRL_C command.

To use an alias for a command that has parameters, you must specify a value for each parameter. If you fail to do so, the system informs you that the command is incomplete and displays the command string represented by the alias.

The device has a set of system-defined command aliases, as listed in Table 3.

Table 3 System-defined command aliases

Command alias

Command or command keyword

access-list

acl

end

return

erase

delete

exit

quit

hostname

sysname

logging

info-center

no

undo

show

display

write

save

 

Configuration procedure

To configure a command alias:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Configure a command alias.

alias alias command

By default, the device has a set of command aliases, as listed in Table 3.

3.     (Optional.) Display command aliases.

display alias [ alias ]

This command is available in any view.

 

Configuring and using command hotkeys

The system defines the hotkeys shown in Table 4 and provides five configurable command hotkeys. Pressing a command hotkey is the same as entering a command.

If a hotkey is also defined by the terminal software you are using to interact with the device, the terminal software definition takes effect.

To configure a command hotkey:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Assign a command to a hotkey.

hotkey { ctrl_g | ctrl_l | ctrl_o | ctrl_t | ctrl_u } command

The following are the defaults:

·     Ctrl+G is assigned the display current-configuration command.

·     Ctrl+L is assigned the display ip routing-table command.

·     Ctrl+O is assigned the undo debugging all command.

·     No command is assigned to Ctrl+T or Ctrl+U.

3.     (Optional.) Display hotkeys.

display hotkey

This command is available in any view.

 

Table 4 System-reserved hotkeys

Hotkey

Function

Ctrl+A

Moves the cursor to the beginning of a line.

Ctrl+B

Moves the cursor one character to the left.

Ctrl+C

Stops the current command.

Ctrl+D

Deletes the character at the cursor.

Ctrl+E

Moves the cursor to the end of a line.

Ctrl+F

Moves the cursor one character to the right.

Ctrl+H

Deletes the character to the left of the cursor.

Ctrl+K

Aborts the connection request.

Ctrl+N

Displays the next command in the history buffer.

Ctrl+P

Displays the previous command in the history buffer.

Ctrl+R

Redisplays the current line.

Ctrl+V

Pastes text from the clipboard.

Ctrl+W

Deletes the word to the left of the cursor.

Ctrl+X

Deletes all characters to the left of the cursor.

Ctrl+Y

Deletes all characters from the cursor to the end of the line.

Ctrl+Z

Returns to user view.

Ctrl+]

Terminates the current connection.

Esc+B

Moves the cursor back one word.

Esc+D

Deletes all characters from the cursor to the end of the word.

Esc+F

Moves the cursor forward one word.

Esc+N

Moves the cursor down one line. You can use this hotkey before pressing Enter.

Esc+P

Moves the cursor up one line. You can use this hotkey before pressing Enter.

Esc+<

Moves the cursor to the beginning of the clipboard.

Esc+>

Moves the cursor to the end of the clipboard.

 

Enabling redisplaying entered-but-not-submitted commands

Your input might be interrupted by system information output. If redisplaying entered-but-not-submitted commands is enabled, the system redisplays your input after finishing the output. You can then continue entering the command line.

To enable redisplaying entered-but-not-submitted commands:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable redisplaying entered-but-not-submitted commands.

info-center synchronous

By default, the system does not redisplay entered-but-not-submitted commands.

For more information about this command, see Network Management and Monitoring Command Reference.

 

Understanding command-line error messages

After you press Enter to submit a command, the command line interpreter examines the command syntax.

·     If the command passes syntax check, the CLI executes the command.

·     If the command fails syntax check, the CLI displays an error message.

Table 5 Common command-line error messages

Error message

Cause

% Unrecognized command found at '^' position.

The keyword in the marked position is invalid.

% Incomplete command found at '^' position.

One or more required keywords or arguments are missing.

% Ambiguous command found at '^' position.

The entered character sequence matches more than one command.

% Too many parameters.

The entered character sequence contains excessive keywords or arguments.

% Wrong parameter found at '^' position.

The argument in the marked position is invalid.

 

Using the command history feature

The system automatically saves commands successfully executed by a login user to the following two command history buffers:

·     Command history buffer for the user line.

·     Command history buffer for all user lines.

Table 6 Comparison between the two types of command history buffers

Item

Command history buffer for a user line

Command history buffer for all user lines

What kind of commands are saved in the buffer?

Commands successfully executed by the current user of the user line.

Commands successfully executed by all login users.

Cleared when the user logs out?

Yes.

No.

How to view buffered commands?

Use the display history-command command.

Use the display history-command all command.

How to recall a buffered command?

·     (Method 1.) Use the up or down arrow key (↑ or ↓) to navigate to the command in the buffer and press Enter.

·     (Method 2.) Use the repeat command. For more information, see "Repeating commands in the command history buffer for a line."

You cannot recall buffered commands.

How to set the buffer size?

Use the history-command max-size size-value command in user line view to set the buffer size.

By default, the buffer can store up to 10 commands.

You cannot set the buffer size.

By default, the buffer can store up to 1024 commands.

How to disable the buffer?

Setting the buffer size to 0 disables the buffer.

You cannot disable the buffer.

 

Command buffering rules

The system follows these rules when buffering commands:

·     If you use incomplete keywords when entering a command, the system buffers the command in the exact form that you use.

·     If you use an alias when entering a command, the system transforms the alias to the represented command or command keywords before buffering the command.

·     If you enter a command in the same format multiple times in succession, the system buffers the command only once. If you enter a command in different formats multiple times, the system buffers each command format. For example, display cu and display current-configuration are buffered as two entries but successive repetitions of display cu create only one entry.

·     To buffer a new command when a buffer is full, the system deletes the oldest command entry in the buffer.

Repeating commands in the command history buffer for a line

You can recall and execute commands in the command history buffer for the current CLI session multiple times.

To repeat commands in the command history buffer for the current CLI session:

 

Task

Command

Remarks

Repeat commands in the command history buffer for the current CLI session.

repeat [ number ] [ count times ] [ delay seconds ]

This command is available in any view.

This command executes commands in the order they were executed.

The system waits for your interaction when it repeats an interactive command.

 

Controlling the CLI output

This section describes the CLI output control features that help you identify the desired output.

Pausing between screens of output

By default, the system automatically pauses after displaying a maximum of 24 lines if the output is too long to fit on one screen. You can change the limit by using the screen-length screen-length command. For more information about this command, see Fundamentals Command Reference.

At a pause, the system displays ----more----. You can use the keys described in "Output controlling keys" to display more information or stop the display.

You can also disable pausing between screens of output for the current session. Then, all output is displayed at one time and the screen is refreshed continuously until the final screen is displayed.

Output controlling keys

Keys

Function

Space

Displays the next screen.

Enter

Displays the next line.

Ctrl+C

Stops the display and cancels the command execution.

<PageUp>

Displays the previous page.

<PageDown>

Displays the next page.

 

Disabling pausing between screens of output

To disable pausing between screens of output, execute the following command in user view:

 

Task

Command

Remarks

Disable pausing between screens of output for the current session.

screen-length disable

By default, a session uses the screen-length screen-length command settings in user line view.

This command is a one-time command and takes effect only for the current session.

 

Numbering each output line from a display command

You can use the | by-linenum option to prefix each display command output line with a number for easy identification.

Each line number is displayed as a 5-character string and might be followed by a colon (:) or hyphen (-). If you specify both | by-linenum and | begin regular-expression for a display command, a hyphen is displayed for all lines that do not match the regular expression.

To number each output line from a display command:

 

Task

Command

Number each output line from a display command.

display command | by-linenum

 

For example:

# Display information about VLAN 999, numbering each output line.

<Sysname> display vlan 999 | by-linenum

    1:  VLAN ID: 999

    2:  VLAN type: Static

    3:  Route interface: Configured

    4:  IPv4 address: 192.168.2.1

    5:  IPv4 subnet mask: 255.255.255.0

    6:  Description: For LAN Access

    7:  Name: VLAN 0999

    8:  Tagged ports:   None

    9:  Untagged ports:

   10:      GigabitEthernet1/0/1

Filtering the output from a display command

You can use the | { begin | exclude | include } regular-expression option to filter the display command output.

·     beginDisplays the first line matching the specified regular expression and all subsequent lines.

·     excludeDisplays all lines not matching the specified regular expression.

·     includeDisplays all lines matching the specified regular expression.

·     regular-expression—A case-sensitive string of 1 to 256 characters, which can contain the special characters described in Table 7.

The required filtering time increases with the complexity of the regular expression. To abort the filtering process, press Ctrl+C.

Table 7 Special characters supported in a regular expression

Characters

Meaning

Examples

^

Matches the beginning of a line.

"^u" matches all lines beginning with "u". A line beginning with "Au" is not matched.

$

Matches the end of a line.

"u$" matches all lines ending with "u". A line ending with "uA" is not matched.

. (period)

Matches any single character.

".s" matches "as" and "bs".

*

Matches the preceding character or string zero, one, or multiple times.

"zo*" matches "z" and "zoo", and "(zo)*" matches "zo" and "zozo".

+

Matches the preceding character or string one or multiple times.

"zo+" matches "zo" and "zoo", but not "z".

|

Matches the preceding or succeeding string.

"def|int" matches a line containing "def" or "int".

( )

Matches the string in the parentheses, usually used together with the plus sign (+) or asterisk sign (*).

"(123A)" matches "123A".

"408(12)+" matches "40812" and "408121212", but not "408".

\N

Matches the preceding strings in parentheses, with the Nth string repeated once.

"(string)\1" matches a string containing "stringstring".

"(string1)(string2)\2" matches a string containing "string1string2string2".

"(string1)(string2)\1\2" matches a string containing " string1string2string1string2".

[ ]

Matches a single character in the brackets.

"[16A]" matches a string containing 1, 6, or A; "[1-36A]" matches a string containing 1, 2, 3, 6, or A (- is a hyphen).

To match the character "]", put it immediately after "[", for example, []abc]. There is no such limit on "[".

[^]

Matches a single character that is not in the brackets.

"[^16A]" matches a string that contains one or more characters except for 1, 6, or A, such as "abc". A match can also contain 1, 6, or A (such as "m16"), but it cannot contain these three characters only (such as 1, 16, or 16A).

{n}

Matches the preceding character n times. The number n must be a nonnegative integer.

"o{2}" matches "food", but not "Bob".

{n,}

Matches the preceding character n times or more. The number n must be a nonnegative integer.

"o{2,}" matches "foooood", but not "Bob".

{n,m}

Matches the preceding character n to m times or more. The numbers n and m must be nonnegative integers and n cannot be greater than m.

" o{1,3}" matches "fod", "food", and "foooood", but not "fd".

\<

Matches a string that starts with the pattern following \<. A string that contains the pattern is also a match if the characters preceding the pattern are not digits, letters, or underscores.

"\<do" matches "domain" and "doa".

\>

Matches a string that ends with the pattern preceding \>. A string that contains the pattern is also a match if the characters following the pattern are not digits, letters, or underscores.

"do\>" matches "undo" and "cdo".

\b

Matches a word that starts with the pattern following \b or ends with the pattern preceding \b.

"er\b" matches "never", but not "verb" or "erase".

"\ber" matches "erase", but not "verb" or "never".

\B

Matches a word that contains the pattern but does not start or end with the pattern.

"er\B" matches "verb", but not "never" or "erase".

\w

Same as [A-Za-z0-9_], matches a digit, letter, or underscore.

"v\w" matches "vlan" and "service".

\W

Same as [^A-Za-z0-9_], matches a character that is not a digit, letter, or underscore.

"\Wa" matches "-a", but not "2a" or "ba".

\

Escape character. If a special character listed in this table follows \, the specific meaning of the character is removed.

"\\" matches a string containing "\", "\^" matches a string containing "^", and "\\b" matches a string containing "\b".

 

For example:

# Use | begin line for the display current-configuration command to match the first line of output that contains line to the last line of output.

<Sysname> display current-configuration | begin line

#

line con 0

 user-role network-admin

#

line vty 0 31

 authentication-mode scheme

 user-role network-operator

#

 ssh server enable

#

return

# Use | exclude Static for the display ip routing-table command to filter out static routes and display only the static routes.

<Sysname> display ip routing-table | exclude Static

 

Destinations : 13       Routes : 13

 

Destination/Mask   Proto   Pre Cost        NextHop         Interface

0.0.0.0/32         Direct  0   0           127.0.0.1       InLoop0

127.0.0.0/8        Direct  0   0           127.0.0.1       InLoop0

127.0.0.0/32       Direct  0   0           127.0.0.1       InLoop0

127.0.0.1/32       Direct  0   0           127.0.0.1       InLoop0

127.255.255.255/32 Direct  0   0           127.0.0.1       InLoop0

# Use | include wlan for the display current-configuration command to filter in entries that contain wlan.

<Sysname> display current-configuration | include wlan

wlan global-configuration

wlan ap-group default-group

...

Saving the output from a display command to a file

A display command shows certain configuration and operation information of the device. Its output might vary over time or with user configuration or operation. You can save the output to a file for future retrieval or troubleshooting.

Use one of the following methods to save the output from a display command:

·     Save the output to a separate file. Use this method if you want to use one file for a single display command.

·     Append the output to the end of a file. Use this method if you want to use one file for multiple display commands.

To save the output from a display command to a file, use one of the following commands in any view:

 

Task

Command

Save the output from a display command to a separate file.

display command > filename

Append the output from a display command to the end of a file.

display command >> filename

 

For example:

# Save the VLAN 1 settings to a separate file named vlan.txt.

<Sysname> display vlan 1 > vlan.txt

# Verify that the VLAN 1 settings are saved to file vlan.txt.

<Sysname> more vlan.txt

VLAN ID: 1

 VLAN type: Static

 Route interface: Not configured

 Description: VLAN 0001

 Name: VLAN 0001

 Tagged ports:   None

 Untagged ports:

    GigabitEthernet1/0/2

# Append the VLAN 999 settings to the end of file vlan.txt.

<Sysname> display vlan 999 >> vlan.txt

# Verify that the VLAN 999 settings are appended to the end of file vlan.txt.

<Sysname> more vlan.txt

VLAN ID: 1

 VLAN type: Static

 Route interface: Not configured

 Description: VLAN 0001

 Name: VLAN 0001

 Tagged ports:   None

 Untagged ports:

    GigabitEthernet1/0/2

 

 VLAN ID: 999

 VLAN type: Static

 Route interface: Configured

 IPv4 address: 192.168.2.1

 IPv4 subnet mask: 255.255.255.0

 Description: For LAN Access

 Name: VLAN 0999

 Tagged ports:   None

 Untagged ports:

    GigabitEthernet1/0/1

Viewing and managing the output from a display command effectively

You can use the following methods in combination to filter and manage the output from a display command:

·     Numbering each output line from a display command

·     Filtering the output from a display command

·     Saving the output from a display command to a file

To use multiple measures to view and manage the output from a display command effectively, execute the following command in any view:

 

Task

Command

View and manage the output from a display command effectively.

display command [ | [ by-linenum ] { begin | exclude | include } regular-expression ] [ > filename | >> filename ]

 

For example:

# Save the running configuration to a separate file named test.txt, with each line numbered.

<Sysname> display current-configuration | by-linenum > test.txt

# Append lines including snmp in the running configuration to the file test.txt.

<Sysname> display current-configuration | include snmp >> test.txt

# Display the first line that begins with user-group in the running configuration and all the following lines.

<Sysname> display current-configuration | by-linenum begin user-group

  114:  user-group system

  115-  #

  116-  return

// The colon (:) following a line number indicates that the line contains the string user-group. The hyphen (-) following a line number indicates that the line does not contain the string user-group.

Saving the running configuration

To make your configuration take effect after a reboot, save the running configuration to a configuration file by using the save command in any view. This command saves all commands that have been successfully executed, except for the one-time commands. Typical one-time commands include display commands used for displaying information and reset commands used for clearing information.

For more information about the save command, see Fundamentals Command Reference.


Configuring RBAC

Overview

Role-based access control (RBAC) controls user access to items and system resources based on user roles. In this chapter, items include commands, Web pages, XML elements, and MIB nodes, and system resources include interfaces and VLANs.

RBAC assigns access permissions to user roles that are created for different job functions. Users are given permission to access a set of items and resources based on the users' user roles. Because user roles are persistent, in contrast to users, separating permissions from users enables easy permission authorization management. You only need to change the user role permissions, remove user roles, or assign new user roles in case of user changes. For example, you can change the user role permissions or assign new user roles to change the job responsibilities of a user.

Permission assignment

Use the following methods to assign permissions to a user role:

·     Define a set of rules to determine accessible or inaccessible items for the user role. (See "User role rules.")

·     Configure resource access policies to specify which interfaces and VLANs are accessible to the user role. (See "Resource access policies.")

To use a command related to a system resource, a user role must have access to both the command and the resource.

For example, a user role has access to the qos apply policy command and access only to interface GigabitEthernet 1/0/1. When the user role is assigned, you can enter the interface view and use the qos apply policy command on the interface. However, you cannot enter the view of any other interfaces or use the command on any other interfaces. If the user role has access to all interfaces but does not have access to the qos apply policy command, you cannot use the command on any interfaces.

Any user role has access to the system-view, quit, and exit commands.

User role rules

User role rules permit or deny access to commands, Web pages, XML elements, or MIB nodes. You can define the following types of rules for different access control granularities:

·     Command rule—Controls access to a command or a set of commands that match a regular expression.

·     Feature rule—Controls access to the commands of a feature by command type.

·     Feature group rule—Controls access to the commands of features in a feature group by command type.

·     Web menu rule—Controls access to Web pages used for configuring the device. These Web pages are called Web menus.

·     XML element ruleControls access to XML elements used for configuring the device.

·     OID ruleControls SNMP access to a MIB node and its child nodes. An OID is a dotted numeric string that uniquely identifies the path from the root node to a leaf node.

The commands, Web menus, XML elements, and MIB nodes are controlled based on the following types:

·     ReadCommands, Web menus, XML elements, or MIB nodes that display configuration and maintenance information. For example, the display commands and the dir command.

·     WriteCommands, Web menus, XML elements, or MIB nodes that configure the features in the system. For example, the info-center enable command and the debugging command.

·     Execute—Commands, Web menus, XML elements, or MIB nodes that execute specific functions. For example, the ping command and the ftp command.

A user role can access the set of permitted commands, Web pages, XML elements, and MIB nodes specified in the user role rules. The user role rules include predefined (identified by sys-n) and user-defined user role rules. For more information about the user role rule priority, see "Configuring user role rules."

Resource access policies

Resource access policies control access of a user role to system resources and include the following types:

·     Interface policy—Controls access to interfaces.

·     VLAN policy—Controls access to VLANs.

Resource access policies do not control access to the interface or VLAN options in the display commands. You can specify these options in the display commands if the options are permitted by any user role rule.

Predefined user roles

The system provides predefined user roles. These user roles have access to all system resources (interfaces and VLANs). However, their access permissions differ, as shown in Table 8.

Among all of the predefined user roles, only network-admin and level-15 can perform the following tasks:

·     Access the RBAC feature.

·     Change the settings in user line view, including the user-role, authentication-mode, protocol inbound, and set authentication password commands.

·     Create SNMP communities, users, and groups by using the snmp-agent community, snmp-agent usm-user, and snmp-agent group commands, respectively.

·     Create, modify, and delete local users and local user groups. The other user roles can only modify their own passwords if they have permissions to configure local users and local user groups.

The access permissions of the level-0 to level-14 user roles can be modified through user role rules and resource access policies. However, you cannot make changes on the predefined access permissions of these user roles. For example, you cannot change the access permission of these user roles to the display history-command all command.

Table 8 Predefined roles and permissions matrix

User role name

Permissions

network-admin

Accesses all features and resources in the system, except for the display security-logfile summary, info-center security-logfile directory, and security-logfile save commands.

network-operator

·     Accesses the display commands for features and resources in the system. To display all accessible commands of the user role, use the display role command.

·     Enables local authentication login users to change their own passwords.

·     Accesses the command used for entering XML view.

·     Accesses all read-type Web menu items.

·     Accesses all read-type XML elements.

·     Accesses all read-type MIB nodes.

level-n (n = 0 to 15)

·     level-0Has access to diagnostic commands, including ping, tracert, ssh2, telnet, and super. Level-0 access rights are configurable.

·     level-1—Has access to the display commands of all features and resources in the system except for display history-command all. The level-1 user role also has all access rights of the level-0 user role. Level-1 access rights are configurable.

·     level-2 to level-8, and level-10 to level-14—Have no access rights by default. Access rights are configurable.

·     level-9Has access to most of the features and resources in the system. If you are logged in with a local user account that has a level-9 user role, you can change the password in the local user account. The following are the major features and commands that the level-9 user role cannot access:

?     RBAC non-debugging commands.

?     Local users.

?     File management.

?     Device management.

?     The display history-command all command.

·     level-15—Has the same rights as network-admin.

security-audit

Security log manager. The user role has the following access rights to security log files:

·     Accesses the commands for displaying and maintaining security log files (for example, the dir, display security-logfile summary, and more commands).

·     Accesses the commands for managing security log files and security log file system (for example, the info-center security-logfile directory, mkdir, and security-logfile save commands).

For more information about security log management, see Network Management and Monitoring Configuration Guide. For more information about file system management, see "Managing file systems."

IMPORTANT IMPORTANT:

Only the security-audit user role has access to security log files. You cannot assign the security-audit user role to non-AAA authentication users.

guest-manager

Accesses only guest-related web pages, and has no access to commands.

 

User role assignment

You assign access rights to a user by assigning a minimum of one user role. The user can use the collection of items and resources accessible to all user roles assigned to the user. For example, you can access all interfaces to use the qos apply policy command if you are assigned the following user roles:

·     User role A denies access to the qos apply policy command and permits access only to interface GigabitEthernet 1/0/1.

·     User role B permits access to the qos apply policy command and all interfaces.

Depending on the authentication method, user role assignment has the following methods:

·     AAA authorization—If scheme authentication is used, the AAA module handles user role assignment.

?     If the user passes local authorization, the device assigns the user roles specified in the local user account.

?     If the user passes remote authorization, the remote AAA server assigns the user roles specified on the server. The AAA server can be a RADIUS or HWTACACS server.

·     Non-AAA authorizationWhen the user accesses the device without authentication or by passing password authentication on a user line, the device assigns user roles specified on the user line. This method also applies to SSH clients that use publickey or password-publickey authentication. User roles assigned to these SSH clients are specified in their respective device management user accounts.

For more information about AAA and SSH, see Security Configuration Guide. For more information about user lines, see "Login overview" and "Configuring CLI login."

Configuration task list

Tasks at a glance

(Required.) Creating a user role

(Required.) Configuring user role rules

(Optional.) Configuring a feature group

(Required.) Configuring resource access policies:

·     Configuring the user role interface policy

·     Configuring the user role VLAN policy

(Optional.) Assigning user roles

(Optional.) Configuring temporary user role authorization

 

Creating a user role

In addition to the predefined user roles, you can create a maximum of 64 custom user roles for granular access control.

To create a user role:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create a user role and enter user role view.

role name role-name

By default, the system has the following predefined user roles:

·     network-admin.

·     network-operator.

·     level-n (where n equals an integer in the range of 0 to 15).

·     security-audit.

·     guest-manager.

Among these user roles, only the permissions and descriptions of the level-0 to level-14 user roles are configurable.

3.     (Optional.) Configure a description for the user role.

description text

By default, a user role does not have a description.

 

Configuring user role rules

You can configure user role rules to permit or deny the access of a user role to specific commands, Web pages, XML elements, and MIB nodes.

Configuration restrictions and guidelines

When you configure RBAC user role rules, follow these restrictions and guidelines:

·     You can configure a maximum of 256 user-defined rules for a user role. The total number of user-defined user role rules cannot exceed 1024.

·     Any rule modification, addition, or removal for a user role takes effect only on users who are logged in with the user role after the change.

The following guidelines apply to non-OID rules:

·     If two user-defined rules of the same type conflict, the rule with the higher ID takes effect. For example, a user role can use the tracert command but not the ping command if the user role contains rules configured by using the following commands:

?     rule 1 permit command ping

?     rule 2 permit command tracert

?     rule 3 deny command ping

·     If a predefined user role rule and a user-defined user role rule conflict, the user-defined user role rule takes effect.

The following guidelines apply to OID rules:

·     The system compares an OID with the OIDs specified in user role rules, and it uses the longest match principle to select a rule for the OID. For example, a user role cannot access the MIB node with OID 1.3.6.1.4.1.25506.141.3.0.1 if the user role contains rules configured by using the following commands:

?     rule 1 permit read write oid 1.3.6

?     rule 2 deny read write oid 1.3.6.1.4.1

?     rule 3 permit read write oid 1.3.6.1.4

·     If the same OID is specified in multiple rules, the rule with the higher ID takes effect. For example, a user role can access the MIB node with OID 1.3.6.1.4.1.25506.141.3.0.1 if the user role contains rules configured by using the following commands:

?     rule 1 permit read write oid 1.3.6

?     rule 2 deny read write oid 1.3.6.1.4.1

?     rule 3 permit read write oid 1.3.6.1.4.1

Configuration procedure

To configure rules for a user role:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter user role view.

role name role-name

N/A

3.     Configure rules for the user role.

·     Configure a command rule:
rule number { deny | permit } command command-string

·     Configure a feature rule:
rule number { deny | permit } { execute | read | write } * feature [ feature-name ]

·     Configure a feature group rule:
rule number { deny | permit } { execute | read | write } * feature-group feature-group-name

·     Configure a Web menu rule:
rule number { deny | permit } { execute | read | write } * web-menu [ web-string ]

·     Configure an XML element rule:
rule number { deny | permit } { execute | read | write } * xml-element [ xml-string ]

·     Configure an OID rule:
rule number { deny | permit } { execute | read | write } * oid oid-string

By default, a user-defined user role does not have any rules or access to any commands, Web pages, XML elements, or MIB nodes.

Repeat this step to add a maximum of 256 rules to the user role.

IMPORTANT IMPORTANT:

When you configure feature rules, you can specify only features available in the system. Enter feature names the same as the feature names are displayed, including the case.

 

Configuring a feature group

Use feature groups to bulk assign command access permissions to sets of features. In addition to the predefined feature groups, you can create a maximum of 64 custom feature groups and assign a feature to multiple feature groups.

To configure a feature group:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create a feature group and enter feature group view.

role feature-group name feature-group-name

By default, the system has the following predefined feature groups:

·     L2—Includes all Layer 2 commands.

·     L3—Includes all Layer 3 commands.

These two groups are not user configurable.

3.     Add a feature to the feature group.

feature feature-name

By default, a feature group does not have any features.

Repeat this step to add multiple features to the feature group.

IMPORTANT IMPORTANT:

You can specify only features available in the system. Enter feature names the same as the feature names are displayed, including the case.

 

Configuring resource access policies

Every user role has one interface policy and VLAN policy. By default, these policies permit a user role to access all interfaces and VLANs. You can configure the policies of a user-defined user role or a predefined level-n user role to limit its access to interfaces and VLANs. The policy configuration takes effect only on users who are logged in with the user role after the configuration.

Configuring the user role interface policy

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter user role view.

role name role-name

N/A

3.     Enter user role interface policy view.

interface policy deny

By default, the interface policy of the user role permits access to all interfaces.

This command denies the access of the user role to any interfaces if the permit interface command is not configured.

4.     (Optional.) Specify a list of interfaces accessible to the user role.

permit interface interface-list

By default, no accessible interfaces are configured in user role interface policy view.

Repeat this step to add multiple accessible interfaces.

 

Configuring the user role VLAN policy

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter user role view.

role name role-name

N/A

3.     Enter user role VLAN policy view.

vlan policy deny

By default, the VLAN policy of the user role permits access to all VLANs.

This command denies the access of the user role to any VLANs if the permit vlan command is not configured.

4.     (Optional.) Specify a list of VLANs accessible to the user role.

permit vlan vlan-id-list

By default, no accessible VLANs are configured in user role VLAN policy view.

Repeat this step to add multiple accessible VLANs.

 

Assigning user roles

To control user access to the system, you must assign a minimum of one user role. Make sure a minimum of one user role among the user roles assigned by the server exists on the device. User role assignment procedure varies for remote AAA authentication users, local AAA authentication users, and non-AAA authentication users (see "User role assignment"). For more information about AAA authentication, see Security Configuration Guide.

Enabling the default user role feature

The default user role feature assigns the default user role to AAA-authenticated users if the authentication server does not assign any user roles to the users. These users are allowed to access the system with the default user role.

You can specify any user role existing in the system as the default user role.

To enable the default user role feature for AAA authentication users:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable the default user role feature.

role default-role enable [ role-name ]

By default, the default user role feature is disabled.

If you do not specify a user role, the default user role is network-operator.

If the no authorization method is used for local users, you must enable the default user role feature.

 

Assigning user roles to remote AAA authentication users

For remote AAA authentication users, user roles are configured on the remote authentication server. For information about configuring user roles for RADIUS users, see the RADIUS server documentation. For HWTACACS users, the role configuration must use the roles="role-1 role-2 … role-n" format, where user roles are space separated. For example, configure roles="level-0 level-1 level-2" to assign level-0, level-1, and level-2 to an HWTACACS user.

If the AAA server assigns the security-audit user role and other user roles to the same user, only the security-audit user role takes effect.

Assigning user roles to local AAA authentication users

Configure user roles for local AAA authentication users in their local user accounts. Every local user has a default user role. If this default user role is not suitable, remove it.

If a local user is the only user with the security-audit user role, the user cannot be deleted.

The security-audit user role is mutually exclusive with other user roles.

·     When you assign the security-audit user role to a local user, the system requests confirmation to remove all the other user roles from the user.

·     When you assign the other user roles to a local user who has the security-audit user role, the system requests confirmation to remove the security-audit role from the user.

To assign a user role to a local user:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create a local user and enter local user view.

local-user user-name class { manage | network }

N/A

3.     Authorize the user to have a user role.

authorization-attribute user-role role-name

Repeat this step to assign a maximum of 64 user roles to the user.

By default, the network-operator user role is assigned to local users created by a network-admin or level-15 user.

 

Assigning user roles to non-AAA authentication users on user lines

Specify user roles for the following two types of login users on the user lines:

·     Users who use password authentication or no authentication.

·     SSH clients that use publickey or password-publickey authentication. User roles assigned to these SSH clients are specified in their respective device management user accounts.

For more information about user lines, see "Login overview" and "Configuring CLI login." For more information about SSH, see Security Configuration Guide.

To assign a user role to non-AAA authentication users on a user line:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter user line view or user line class view.

·     Enter user line view:
line { first-num1 [ last-num1 ] | { console | vty } first-num2 [ last-num2 ] }

·     Enter user line class view:
line class { console | vty }

For information about the priority order and application scope of the settings in user line view and user line class view, see "Configuring CLI login."

3.     Specify a user role on the user line.

user-role role-name

Repeat this step to specify a maximum of 64 user roles on a user line.

By default, the network-admin user role is specified on the console user line, and the network-operator user role is specified on any other user line.

The device cannot assign the security-audit user role to non-AAA authentication users.

 

Configuring temporary user role authorization

Temporary user role authorization allows you to obtain another user role without reconnecting to the device. This feature is useful when you want to use a user role temporarily to configure a feature.

Temporary user role authorization is effective only on the current login. This feature does not change the user role settings in the user account that you have been logged in with. The next time you are logged in with the user account, the original user role settings take effect.

Configuration restrictions and guidelines

When you configure temporary user role authorization, follow these guidelines:

·     To enable a user to obtain another user role without reconnecting to the device, you must configure user role authentication. Table 9 describes the available authentication modes and configuration requirements.

·     If HWTACACS authentication is used, the following rules apply:

?     The device uses the entered username and password to request role authentication, and it sends the username to the server in the username or username@domain-name format. Whether the domain name is included in the username depends on the user-name-format command in the HWTACACS scheme.

?     To obtain a level-n user role, the user account on the server must have the target user role level or a level higher than the target user role. A user account that obtains the level-n user role can obtain any user role among level-0 through level-n.

?     To obtain a non-level-n user role, make sure the user account on the server meets the following requirements:

-     The account has a user privilege level.

-     The HWTACACS custom attribute is configured for the account in the form of allowed-roles="role". The variable role represents the target user role.

·     If RADIUS authentication is used, the following rules apply:

?     The device does not use the username you enter to request user role authentication. It uses a username in the $enabn$ format. The variable n represents a user role level, and a domain name is not included in the username. You can always pass user role authentication when the password is correct.

?     To obtain a level-n user role, you must create a user account for the level-n user role in the $enabn$ format on the RADIUS server. The variable n represents the target user role level. For example, to obtain the authorization of the level-3 user role, you can enter any username. The device uses the username $enab3$ to request user role authentication from the server.

?     To obtain a non-level-n user role, you must perform the following tasks:

-     Create the user account $enab0$ on the server.

-     Configure the cisco-av-pair attribute for the account in the form of allowed-roles="role". The variable role represents the target user role.

·     The device selects an authentication domain for user role authentication in the following order:

a.     The ISP domain included in the entered username.

b.     The default ISP domain.

·     If you execute the quit command after obtaining user role authorization, you are logged out of the device.

Table 9 User role authentication modes

Keywords

Authentication mode

Description

local

Local password authentication only (local-only)

The device uses the locally configured password for authentication.

If no local password is configured for a user role in this mode, a console user can obtain the user role by either entering a string or not entering anything.

scheme

Remote AAA authentication through HWTACACS or RADIUS (remote-only)

The device sends the username and password to the HWTACACS or RADIUS server for remote authentication.

To use this mode, you must perform the following configuration tasks:

·     Configure the required HWTACACS or RADIUS scheme, and configure the ISP domain to use the scheme for the user. For more information, see Security Configuration Guide.

·     Add the user account and password on the HWTACACS or RADIUS server.

local scheme

Local password authentication first, and then remote AAA authentication (local-then-remote)

Local password authentication is performed first.

If no local password is configured for the user role in this mode, the device performs remote AAA authentication for console and VTY users.

scheme local

Remote AAA authentication first, and then local password authentication (remote-then-local)

Remote AAA authentication is performed first.

Local password authentication is performed in either of the following situations:

·     The HWTACACS or RADIUS server does not respond.

·     The remote AAA configuration on the device is invalid.

 

Configuring user role authentication

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Set an authentication mode.

super authentication-mode { local | scheme } *

By default, local-only authentication applies.

3.     (Optional.) Specify the default target user role for temporary user role authorization.

super default role role-name

By default, the default target user role is network-admin.

4.     Set a local authentication password for a user role.

super password [ role role-name ] [ { hash | simple } string ]

Use this step for local password authentication.

By default, no password is configured.

If you do not specify the role role-name option, the command sets a password for the default target user role.

 

Obtaining temporary user role authorization

Perform the following task in user view:

 

Task

Command

Remarks

Obtain the temporary authorization to use a user role.

super [ role-name ]

If you do not specify the role-name argument, you obtain the default target user role for temporary user role authorization.

The operation fails after three consecutive unsuccessful password attempts.

The user role must have the permission to execute the super command to obtain temporary user role authorization.

 

Displaying and maintaining RBAC settings

Execute display commands in any view.

 

Task

Command

Display user role information.

display role [ name role-name ]

Display user role feature information.

display role feature [ name feature-name | verbose ]

Display user role feature group information.

display role feature-group [ name feature-group-name ] [ verbose ]

 

RBAC configuration examples

RBAC configuration example for local AAA authentication users

Network requirements

As shown in Figure 2, the AC performs local AAA authentication for the Telnet user. The Telnet user has the username user1@bbb and is assigned the user role role1.

Configure role1 to have the following permissions:

·     Can execute the read commands of all features.

·     Cannot configure any VLANs except VLANs 10 to 20.

Figure 2 Network diagram

 

Configuration procedure

# Assign an IP address to VLAN-interface 2 (the interface connected to the Telnet user).

<AC> system-view

[AC] interface vlan-interface 2

[AC-Vlan-interface2] ip address 192.168.1.70 255.255.255.0

[AC-Vlan-interface2] quit

# Enable Telnet server.

[AC] telnet server enable

# Enable scheme authentication on the user lines for Telnet users.

[AC] line vty 0 4

[AC-line-vty0-4] authentication-mode scheme

[AC-line-vty0-4] quit

# Enable local authentication and authorization for the ISP domain bbb.

[AC] domain bbb

[AC-isp-bbb] authentication login local

[AC-isp-bbb] authorization login local

[AC-isp-bbb] quit

# Create the user role role1.

[AC] role name role1

# Configure rule 1 to permit the user role to access the read commands of all features.

[AC-role-role1] rule 1 permit read feature

# Configure rule 2 to permit the user role to create VLANs and access commands in VLAN view.

[AC-role-role1] rule 2 permit command system-view ; vlan *

# Change the VLAN policy to permit the user role to configure only VLANs 10 to 20.

[AC-role-role1] vlan policy deny

[AC-role-role1-vlanpolicy] permit vlan 10 to 20

[AC-role-role1-vlanpolicy] quit

[AC-role-role1] quit

# Create a device management user named user1 and enter local user view.

[AC] local-user user1 class manage

# Set a plaintext password aabbcc for the user.

[AC-luser-manage-user1] password simple aabbcc

# Set the service type to Telnet.

[AC-luser-manage-user1] service-type telnet

# Assign role1 to the user.

[AC-luser-manage-user1] authorization-attribute user-role role1

# Remove the default user role network-operator from the user. This operation ensures that the user has only the permissions of role1.

[AC-luser-manage-user1] undo authorization-attribute user-role network-operator

[AC-luser-manage-user1] quit

Verifying the configuration

# Telnet to the AC, and enter the username and password to access the AC. (Details not shown.)

# Verify that you can create VLANs 10 to 20. This example uses VLAN 10.

<AC> system-view

[AC] vlan 10

[AC-vlan10] quit

# Verify that you cannot create any VLANs other than VLANs 10 to 20. This example uses VLAN 30.

[AC] vlan 30

Permission denied.

# Verify that you can use all read commands of all features. This example uses display clock.

[AC] display clock

09:31:56 UTC Sun 01/01/2017

[AC] quit

# Verify that you cannot use the write or execute commands of any feature.

<AC> debugging role all

Permission denied.

<AC> ping 192.168.1.58

Permission denied.

RBAC configuration example for RADIUS authentication users

Network requirements

As shown in Figure 3, the AC uses the FreeRADIUS server to provide AAA service for login users, including the Telnet user. The Telnet user uses the username hello@bbb and is assigned the user role role2.

The user role role2 has the following permissions:

·     Can use all commands in ISP domain view.

·     Can use the read and write commands of the arp and radius features.

·     Cannot access the read commands of the acl feature.

·     Can configure only VLANs 1 to 20.

The AC and the FreeRADIUS server use the shared key expert and authentication port 1812. The AC delivers usernames with their domain names to the server.

Figure 3 Network diagram

 

Configuration procedure

Make sure the settings on the AC and the RADIUS server match.

1.     Configure the AC:

# Assign VLAN-interface 2 an IP address from the same subnet as the Telnet user.

<AC> system-view

[AC] interface vlan-interface 2

[AC-Vlan-interface2] ip address 192.168.1.70 255.255.255.0

[AC-Vlan-interface2] quit

# Assign VLAN-interface 3 an IP address from the same subnet as the RADIUS server.

[AC] interface vlan-interface 3

[AC-Vlan-interface3] ip address 10.1.1.2 255.255.255.0

[AC-Vlan-interface3] quit

# Enable Telnet server.

[AC] telnet server enable

# Enable scheme authentication on the user lines for Telnet users.

[AC] line vty 0 4

[AC-line-vty0-4] authentication-mode scheme

[AC-line-vty0-4] quit

# Create the RADIUS scheme rad and enter RADIUS scheme view.

[AC] radius scheme rad

# Specify the primary server address 10.1.1.1 and the service port 1812 in the scheme.

[AC-radius-rad] primary authentication 10.1.1.1 1812

# Set the shared key to expert in the scheme for the AC to authenticate to the server.

[AC-radius-rad] key authentication simple expert

[AC-radius-rad] quit

# Specify the scheme rad as the authentication and authorization schemes for the ISP domain bbb.

 

IMPORTANT:

Because RADIUS user authorization information is piggybacked in authentication responses, the authentication and authorization methods must use the same RADIUS scheme.

 

[AC] domain bbb

[AC-isp-bbb] authentication login radius-scheme rad

[AC-isp-bbb] authorization login radius-scheme rad

[AC-isp-bbb] quit

# Create feature group fgroup1.

[AC] role feature-group name fgroup1

# Add the arp and radius features to the feature group.

[AC-featuregrp-fgroup1] feature arp

[AC-featuregrp-fgroup1] feature radius

[AC-featuregrp-fgroup1] quit

# Create the user role role2.

[AC] role name role2

# Configure rule 1 to permit the user role to use all commands available in ISP domain view.

[AC-role-role2] rule 1 permit command system-view ; domain *

# Configure rule 2 to permit the user role to use the read and write commands of all features in fgroup1.

[AC-role-role2] rule 2 permit read write feature-group fgroup1

# Configure rule 3 to disable access to the read commands of the acl feature.

[AC-role-role2] rule 3 deny read feature acl

# Configure rule 4 to permit the user role to create VLANs and use all commands available in VLAN view.

[AC-role-role2] rule 4 permit command system-view ; vlan *

# Configure rule 5 to permit the user role to enter interface view and use all commands available in interface view.

[AC-role-role2] rule 5 permit command system-view ; interface *

# Configure the user role VLAN policy to disable configuration of any VLANs except VLANs 1 to 20.

[AC-role-role2] vlan policy deny

[AC-role-role2-vlanpolicy] permit vlan 1 to 20

[AC-role-role2-vlanpolicy] quit

2.     Configure the RADIUS server:

# Add either of the user role attributes to the dictionary file of the FreeRADIUS server.

Cisco-AVPair = "shell:roles=\"role2\""

Cisco-AVPair = "shell:roles*\"role2\""

# Configure the settings required for the FreeRADIUS server to communicate with the AC. (Details not shown.)

Verifying the configuration

# Telnet to the AC, and enter the username and password to access the AC. (Details not shown.)

# Verify that you can use all commands available in ISP domain view.

<AC> system-view

[AC] domain abc

[AC-isp-abc] authentication login radius-scheme abc

[AC-isp-abc] quit

# Verify that you can use all read and write commands of the radius and arp features. This example uses radius.

[AC] radius scheme rad

[AC-radius-rad] primary authentication 2.2.2.2

[AC-radius-rad] display radius scheme rad

Output of the RADIUS scheme is omitted.

# Verify that you cannot configure any VLANs except VLANs 1 to 20. This example uses VLAN 10 and VLAN 30.

[AC] vlan 10

[AC-vlan10] quit

[AC] vlan 30

Permission denied.

RBAC temporary user role authorization configuration example (HWTACACS authentication)

Network requirements

As shown in Figure 4, the AC uses local authentication for login users, including the Telnet user. The Telnet user uses the username test@bbb and is assigned the user role level-0.

Configure the remote-then-local authentication mode for temporary user role authorization. The AC uses the HWTACACS server to provide authentication for changing the user role among level-0 through level-3 or changing the user role to network-admin. If the AAA configuration is invalid or the HWTACACS server does not respond, the AC performs local authentication.

Figure 4 Network diagram

 

Configuration procedure

1.     Configure the AC:

# Assign an IP address to VLAN-interface 2 (the interface connected to the Telnet user).

<AC> system-view

[AC] interface vlan-interface 2

[AC-Vlan-interface2] ip address 192.168.1.70 255.255.255.0

[AC-Vlan-interface2] quit

# Assign an IP address to VLAN-interface 3 (the interface connected to the HWTACACS server).

[AC] interface vlan-interface 3

[AC-Vlan-interface3] ip address 10.1.1.2 255.255.255.0

[AC-Vlan-interface3] quit

# Enable Telnet server.

[AC] telnet server enable

# Enable scheme authentication on the user lines for Telnet users.

[AC] line vty 0 4

[AC-line-vty0-4] authentication-mode scheme

[AC-line-vty0-4] quit

# Enable remote-then-local authentication for temporary user role authorization.

[AC] super authentication-mode scheme local

# Create the HWTACACS scheme hwtac and enter HWTACACS scheme view.

[AC] hwtacacs scheme hwtac

# Specify the primary authentication server address 10.1.1.1 and the service port 49 in the scheme.

[AC-hwtacacs-hwtac] primary authentication 10.1.1.1 49

# Set the shared key to expert in the scheme for the AC to authenticate to the server.

[AC-hwtacacs-hwtac] key authentication simple expert

# Exclude ISP domain names from the usernames sent to the HWTACACS server.

[AC-hwtacacs-hwtac] user-name-format without-domain

[AC-hwtacacs-hwtac] quit

# Create ISP domain bbb and enter ISP domain view.

[AC] domain bbb

# Configure ISP domain bbb to use local authentication for login users.

[AC-isp-bbb] authentication login local

# Configure ISP domain bbb to use local authorization for login users.

[AC-isp-bbb] authorization login local

# Apply the HWTACACS scheme hwtac to the ISP domain for user role authentication.

[AC-isp-bbb] authentication super hwtacacs-scheme hwtac

[AC-isp-bbb] quit

# Create a device management user named test and enter local user view.

[AC] local-user test class manage

# Set the user service type to Telnet.

[AC-luser-manage-test] service-type telnet

# Set the user password to aabbcc.

[AC-luser-manage-test] password simple aabbcc

# Assign level-0 to the user.

[AC-luser-manage-test] authorization-attribute user-role level-0

# Remove the default user role network-operator.

[AC-luser-manage-test] undo authorization-attribute user-role network-operator

[AC-luser-manage-test] quit

# Set the local authentication password to 654321 for the user role level-3.

[AC] super password role level-3 simple 654321

[AC] quit

# Set the local authentication password to 654321 for the user role network-admin.

[AC] super password role network-admin simple 654321

[AC] quit

2.     Configure the HWTACACS server:

This example uses ACSv4.0.

a.     Access the User Setup page.

b.     Add a user account test. (Details not shown.)

c.     In the Advanced TACACS+ Settings area, configure the following parameters:

-     Select Level 3 for the Max Privilege for any AAA Client option.

If the target user role is only network-admin for temporary user role authorization, you can select any level for the option.

-     Select the Use separate password option, and specify enabpass as the password.

Figure 5 Configuring advanced TACACS+ settings

 

d.     Select Shell (exec) and Custom attributes, and enter allowed-roles="network-admin" in the Custom attributes field.

Use a blank space to separate the allowed roles.

Figure 6 Configuring custom attributes for the Telnet user

 

Verifying the configuration

1.     Telnet to the AC, and enter the username test@bbb and password aabbcc to access the AC. Verify that you have access to diagnostic commands.

C:\> telnet 192.168.1.70

Trying 192.168.1.70 ...

Press CTRL+K to abort

Connected to 192.168.1.59 ...

********************************************************************************

* Copyright (c) 2004-2018 New H3C Technologies Co., Ltd. All rights reserved.  *

* Without the owner's prior written consent,                                   *

* no decompiling or reverse-engineering shall be allowed.                      *

********************************************************************************

 

login: test@bbb

Password:

<AC> ?

User view commands:

  ping         Ping function

  quit         Exit from current command view

  ssh2         Establish a secure shell client connection

  super        Switch to a user role

  system-view  Enter the System View

  telnet       Establish a telnet connection

  tracert      Tracert function

 

<AC>

2.     Verify that you can obtain the level-3 user role:

# Use the super password to obtain the level-3 user role. When the system prompts for a username and password, enter the username test@bbb and password enabpass.

<AC> super level-3

Username: test@bbb

Password:

The following output shows that you have obtained the level-3 user role.

User privilege role is level-3, and only those commands that authorized to the role can be used.

# If the ACS server does not respond, enter the local authentication password 654321 at the prompt.

Invalid configuration or no response from the authentication server.

Change authentication mode to local.

Password:

User privilege role is level-3, and only those commands that authorized to the role can be used.

The output shows that you have obtained the level-3 user role.

3.     Use the method in step 2 to verify that you can obtain the level-0, level-1, level-2, and network-admin user roles. (Details not shown.)

RBAC temporary user role authorization configuration example (RADIUS authentication)

Network requirements

As shown in Figure 7, the AC uses local authentication for login users, including the Telnet user. The Telnet user uses the username test@bbb and is assigned the user role level-0.

Configure the remote-then-local authentication mode for temporary user role authorization. The AC uses the RADIUS server to provide authentication for the network-admin user role. If the AAA configuration is invalid or the RADIUS server does not respond, the AC performs local authentication.

Figure 7 Network diagram

 

Configuration procedure

1.     Configure the AC:

# Assign an IP address to VLAN-interface 2 (the interface connected to the Telnet user).

<AC> system-view

[AC] interface vlan-interface 2

[AC-Vlan-interface2] ip address 192.168.1.70 255.255.255.0

[AC-Vlan-interface2] quit

# Assign an IP address to VLAN-interface 3 (the interface connected to the RADIUS server).

[AC] interface vlan-interface 3

[AC-Vlan-interface3] ip address 10.1.1.2 255.255.255.0

[AC-Vlan-interface3] quit

# Enable Telnet server.

[AC] telnet server enable

# Enable scheme authentication on the user lines for Telnet users.

[AC] line vty 0 4

[AC-line-vty0-4] authentication-mode scheme

[AC-line-vty0-4] quit

# Enable remote-then-local authentication for temporary user role authorization.

[AC] super authentication-mode scheme local

# Create RADIUS scheme radius and enter RADIUS scheme view.

[AC] radius scheme radius

# Specify the primary authentication server address 10.1.1.1, and set the shared key to expert in the scheme for secure communication between the AC and the server.

[AC-radius-radius] primary authentication 10.1.1.1 key simple expert

# Exclude ISP domain names from the usernames sent to the RADIUS server.

[AC-radius-radius] user-name-format without-domain

[AC-radius-radius] quit

# Create ISP domain bbb and enter ISP domain view.

[AC] domain bbb

# Configure ISP domain bbb to use local authentication for login users.

[AC-isp-bbb] authentication login local

# Configure ISP domain bbb to use local authorization for login users.

[AC-isp-bbb] authorization login local

# Apply RADIUS scheme radius to the ISP domain for user role authentication.

[AC-isp-bbb] authentication super radius-scheme radius

[AC-isp-bbb] quit

# Create a device management user named test and enter local user view.

[AC] local-user test class manage

# Set the user service type to Telnet.

[AC-luser-manage-test] service-type telnet

# Set the user password to aabbcc.

[AC-luser-manage-test] password simple aabbcc

# Assign level-0 to the user.

[AC-luser-manage-test] authorization-attribute user-role level-0

# Remove the default user role network-operator.

[AC-luser-manage-test] undo authorization-attribute user-role network-operator

[AC-luser-manage-test] quit

# Set the local authentication password to abcdef654321 for the user role network-admin.

[AC] super password role network-admin simple abcdef654321

[AC] quit

2.     Configure the RADIUS server:

This example uses ACSv4.2.

a.     Add a user account named $enab0$ and set the password to 123456. (Details not shown.)

b.     Access the Cisco IOS/PIX 6.x RADIUS Attributes page.

c.     Configure the cisco-av-pair attribute, as shown in Figure 8.

Figure 8 Configuring the cisco-av-pair attribute

 

Verifying the configuration

1.     Telnet to the AC, and enter the username test@bbb and password aabbcc to access the AC. Verify that you have access to diagnostic commands.

C:\> telnet 192.168.1.70

Trying 192.168.1.70 ...

Press CTRL+K to abort

Connected to 192.168.1.59 ...

********************************************************************************

* Copyright (c) 2004-2018 New H3C Technologies Co., Ltd. All rights reserved.  *

* Without the owner's prior written consent,                                   *

* no decompiling or reverse-engineering shall be allowed.                      *

********************************************************************************

 

login: test@bbb

Password:

<AC> ?

User view commands:

  ping         Ping function

  quit         Exit from current command view

  ssh2         Establish a secure shell client connection

  super        Switch to a user role

  system-view  Enter the System View

  telnet       Establish a telnet connection

  tracert      Tracert function

 

<AC>

2.     Verify that you can obtain the network-admin user role:

# Use the super password to obtain the network-admin user role. When the system prompts for a username and password, enter the username test@bbb and password 123456.

<AC> super network-admin

Username: test@bbb

Password:

The following output shows that you have obtained the network-admin user role.

User privilege role is network-admin, and only those commands that authorized to the role can be used.

# If the ACS server does not respond, enter the local authentication password abcdef654321 at the prompt.

Invalid configuration or no response from the authentication server.

Change authentication mode to local.

Password:

User privilege role is network-admin, and only those commands that authorized to the role can be used.

The output shows that you have obtained the network-admin user role.

Troubleshooting RBAC

This section describes several typical RBAC issues and their solutions.

Local users have more access permissions than intended

Symptom

A local user can use more commands than should be permitted by the assigned user roles.

Analysis

The local user might have been assigned to user roles without your knowledge. For example, the local user is automatically assigned the default user role when you create the user.

Solution

To resolve the issue:

1.     Use the display local-user command to examine the local user accounts for undesirable user roles, and remove them.

2.     If the issue persists, contact H3C Support.

Login attempts by RADIUS users always fail

Symptom

Attempts by a RADIUS user to log in to the network access device always fail, even though the following conditions exist:

·     The network access device and the RADIUS server can communicate with one another.

·     All AAA settings are correct.

Analysis

RBAC requires that a login user have a minimum of one user role. If the RADIUS server does not authorize the login user to use any user roles, the user cannot log in to the device.

Solution

To resolve the issue:

1.     Use one of the following methods:

?     Configure the role default-role enable command. A RADIUS user can log in with the default user role when no user role is assigned by the RADIUS server.

?     Add the user role authorization attributes on the RADIUS server.

2.     If the issue persists, contact H3C Support.


Login overview

The first time you access the WX1800H series wireless controller after the controller starts up with the factory-default configuration, you can use the following methods:

·     Log in to the CLI through the console port without providing username or password.

·     Log in to the Web interface by using the username admin and password admin.

The first time you access the other types of devices after the devices start up with the factory-default configuration, you can use the following methods:

·     Log in to the CLI through the console port without providing username or password.

·     Log in to the CLI by using Telnet and entering the username admin and password admin.

·     Log in to the Web interface by using the username admin and password admin.

After login, you are assigned the network-admin user role. To improve device security, change the factory-default authentication settings immediately after you log in to the device for the first time.

Table 10 describes the login methods supported by the device, the default settings of login methods, and the minimum configuration requirements.

Table 10 Login methods at a glance

Login method

Default settings and minimum configuration requirements

Login configuration

CLI login:

 

Configuring CLI login

·     Local console login

By default, console login is enabled and does not require authentication. The user role is network-admin. To improve device security, configure password or scheme authentication for the console line immediately after you log in to the device for the first time.

Configuring local console login

·     Telnet login

By default, Telnet login is disabled.

To enable Telnet login, perform the following tasks:

·     Enable the Telnet server feature.

·     Assign an IP address to a Layer 3 interface and make sure the interface and the Telnet client can reach each other.

·     Configure an authentication mode for VTY login users.

·     Assign a user role to VTY login users.

Configuring Telnet login

·     SSH login

By default, SSH login is disabled.

To enable SSH login, perform the following tasks:

·     Enable the SSH server feature and configure SSH attributes.

·     Assign an IP address to a Layer 3 interface. Make sure the interface and the SSH client can reach each other.

·     Configure scheme authentication for VTY login users.

·     Assign a user role to VTY login users.

Configuring SSH login

Web login

By default, Web login is disabled.

To enable Web login, perform the following tasks:

·     Assign an IP address to a Layer 3 interface. Make sure the interface and the Web user's host can reach each other.

·     Configure a local user account for Web login and assign a user role to the account.

·     Assign HTTP or HTTPS service to the user.

Configuring Web login

SNMP access

By default, SNMP access is disabled.

To enable SNMP access, perform the following tasks:

·     Assign an IP address to a Layer 3 interface. Make sure the interface and the NMS can reach each other.

·     Configure SNMP basic parameters.

Accessing the device through SNMP

RESTful access

By default, RESTful access is disabled.

To enable RESTful access, perform the following tasks:

·     Assign an IP address to a Layer 3 interface. Make sure the interface and the RESTful access user's host can reach each other.

·     Enable RESTful access over HTTP or RESTful access over HTTPS.

·     Configure a local user account for RESTful access and assign a user role to the account.

·     Assign HTTP or HTTPS service to the user.

Configuring RESTful access over HTTP

 


Using the console port for the first device access

The first time you access the device, you can log in to the CLI through the console port.

To log in through the console port, prepare a console terminal, for example, a PC. Make sure the console terminal has a terminal emulation program, such as HyperTerminal or PuTTY. For information about how to use terminal emulation programs, see the programs' user guides.

To log in through the console port:

1.     Connect the DB-9 female connector of the console cable to the serial port of the PC.

2.     Identify the console port of the device carefully and connect the RJ-45 connector of the console cable to the console port.

 

IMPORTANT

IMPORTANT:

The serial ports on PCs do not support hot swapping. To connect a PC to an operating device, first connect the PC end. To disconnect a PC from an operating device, first disconnect the device end.

 

Figure 9 Connecting a terminal to the console port

 

3.     If the PC is off, turn on the PC.

4.     On the PC, launch the terminal emulation program, and create a connection that uses the serial port connected to the device. Set the port properties so the port properties match the following console port default settings:

?     Bits per second9600 bps.

?     Flow controlNone.

?     ParityNone.

?     Stop bits—1.

?     Data bits—8.

5.     Power on the device and press Enter as prompted.

The default user view prompt appears. You can enter commands to configure or manage the device. To get help, enter ?.


Configuring CLI login

The device supports the following CLI login methods: using the console port, Telnet, or SSH.

To prevent illegal access to the CLI and control user behavior, you can perform the following tasks as required:

·     Configure login authentication.

·     Assign user roles.

·     Configure command authorization and command accounting.

·     Use ACLs to filter unauthorized logins.

This chapter describes how to configure and use CLI login methods, including login authentication, user roles, and common user line settings. For more information about command authorization, command accounting, and unauthorized access filtering, see "Controlling user access to the device."

CLI overview

User lines

The device uses user lines (also called user interfaces) to manage CLI sessions and monitor user behavior. For a user line, you can configure access control settings, including the login authentication method and user roles.

The device supports the user lines listed in Table 11. Different user lines require different login methods.

Table 11 CLI login method and user line matrix

User line

Login method

Console line

Console port.

Virtual type terminal (VTY) line

Telnet or SSH.

 

User line numbering

Every user line has an absolute number and a relative number.

An absolute number uniquely identifies a user line among all user lines. The user lines are numbered starting from 0 and incrementing by 1, in the sequence of console and VTY lines. You can use the display line command without any parameters to view supported user lines and their absolute numbers.

A relative number uniquely identifies a user line among all user lines of the same type. The number format is user line type + number. User lines are numbered starting from 0 and incrementing by 1. For example, the first VTY line is VTY 0.

User line assignment

The device assigns user lines to CLI login users depending on their login methods, as shown in Table 11. When a user logs in, the device checks the idle user lines for the login method, and assigns the lowest numbered user line to the user. For example, four VTY lines (0 to 3) are configured, of which VTY 0 and VTY 3 are idle. When a user Telnets to the device, the device assigns VTY 0 to the user.

Each user line can be assigned only to one user at a time. If no user line is available, a CLI login attempt will be rejected.

Login authentication modes

You can configure login authentication to prevent illegal access to the device CLI.

The device supports the following login authentication modes:

·     None—Disables authentication. This mode allows access without authentication and is insecure.

·     Password—Requires password authentication. A user must provide the correct password at login.

·     Scheme—Uses the AAA module to provide local or remote login authentication. A user must provide the correct username and password at login.

Different login authentication modes require different user line configurations, as shown in Table 12.

Table 12 Configuration required for different login authentication modes

Authentication mode

Configuration tasks

 

None

Set the authentication mode to none.

 

Password

1.     Set the authentication mode to password.

2.     Set a password.

Scheme

1.     Set the authentication mode to scheme.

2.     Configure login authentication methods in ISP domain view. For more information, see Security Configuration Guide.

 

User roles

A user is assigned user roles at login. The user roles control the commands available for the user. For more information about user roles, see "Configuring RBAC."

The device assigns user roles based on the login authentication mode and user type.

·     In none or password authentication mode, the device assigns the user roles specified for the user line.

·     In scheme authentication mode, the device uses the following rules to assign user roles:

?     For an SSH login user who uses publickey or password-publickey authentication, the device assigns the user roles specified for the local device management user with the same name.

?     For other users, the device assigns user roles according to the user role configuration of the AAA module. If the AAA server does not assign any user roles and the default user role feature is disabled, a remote AAA authentication user cannot log in.

Configuring local console login

You can connect a terminal to the console port of the device to log in and manage the device, as shown in Figure 10. For the login procedure, see "Using the console port for the first device access."

Figure 10 Logging in through the console port

 

By default, console login is enabled and does not require authentication. The user role is network-admin. To improve device security, configure password or scheme authentication for the console line immediately after you log in to the device for the first time.

To configure console login, perform the following tasks:

 

Tasks at a glance

(Required.) Perform one of the following tasks:

·     Disabling authentication for console login

·     Configuring password authentication for console login

·     Configuring scheme authentication for console login

(Optional.) Configuring common console line settings

 

Console login configuration changes do not take effect for current online users. They take effect only for new login users.

Disabling authentication for console login

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter console line view or class view.

·     Enter console line view:
line console first-number [ last-number ]

·     Enter console line class view:
line class console

A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class.

A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view.

A setting in user line class view does not take effect for current online users. It takes effect only for new login users.

3.     Disable authentication.

authentication-mode none

Authentication is disabled for the console line by default.

4.     Assign a user role.

user-role role-name

By default, a console line user is assigned the network-admin user role.

 

After you finish this configuration task, a user can log in through the console port without authentication.

Configuring password authentication for console login

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter console line view or class view.

·     Enter console line view:
line console first-number [ last-number ]

·     Enter console line class view:
line class console

A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class.

A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view.

A setting in user line class view does not take effect for current online users. It takes effect only for new login users.

3.     Enable password authentication.

authentication-mode password

Authentication is disabled for the console line by default.

4.     Set a password.

set authentication password { hash | simple } password

By default, no password is set.

5.     Assign a user role.

user-role role-name

By default, a console line user is assigned the network-admin user role.

 

After you finish this configuration task, a user must provide the configured password when logging in through the console port.

Configuring scheme authentication for console login

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter console line view or class view.

·     Enter console line view:
line console first-number [ last-number ]

·     Enter console line class view:
line class console

A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class.

A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view.

A setting in user line class view does not take effect for current online users. It takes effect only for new login users.

3.     Enable scheme authentication.

authentication-mode scheme

Authentication is disabled for the console line by default.

 

To use scheme authentication, you must also perform the following tasks:

·     Configure login authentication methods in ISP domain view.

·     For remote authentication, configure a RADIUS, HWTACACS, or LDAP scheme.

·     For local authentication, create a local user account and configure the relevant attributes.

For more information, see Security Configuration Guide.

After you finish this configuration task, a user must provide the configured username and password when logging in through the console port.

Configuring common console line settings

Some common settings for a console line take effect immediately and can interrupt the current session. Use a login method different from console login to log in to the device before you change console line settings.

After you change console line settings, adjust the settings on the configuration terminal accordingly for successful login.

To configure common settings for a console line:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter console line view or class view.

·     Enter console line view:
line console first-number [ last-number ]

·     Enter console line class view:
line class console

A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class.

A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view.

A setting in user line class view does not take effect for current online users. It takes effect only for new login users.

3.     Set the transmission rate.

speed speed-value

By default, the transmission rate is 9600 bps.

This command is not available in console line class view.

4.     Specify the parity.

parity { even | mark | none | odd | space }

By default, a user line does not use parity.

This command is not available in console line class view.

5.     Specify the number of stop bits for a character.

stopbits { 1 | 1.5 | 2 }

The default is 1.

Stop bits indicate the end of a character. The more the stop bits, the slower the transmission.

This command is not available in console line class view.

6.     Specify the number of data bits for a character.

databits { 5 | 6 | 7 | 8 }

The default is 8.

Configure this command depending on the character coding type. For example, set the number of data bits to 7 for standard ASCII characters. Set the number of data bits to 8 for extended ASCII characters.

Keywords 5 and 6 are not available in the current software version.

This command is not available in console line class view.

7.     Specify the terminal session activation key.

activation-key character

By default, pressing Enter starts the terminal session.

8.     Specify the escape key.

escape-key { character | default }

By default, pressing Ctrl+C terminates a command.

9.     Set the user line locking key.

lock-key key-string

By default, no user line locking key is set.

10.     Configure the flow control mode.

flow-control { hardware | none | software }

This command is not available in console line class view.

11.     Specify the terminal display type.

terminal type { ansi | vt100 }

By default, the terminal display type is ANSI.

The device supports two terminal display types: ANSI and VT100. H3C recommends that you specify VT100 type on both the device and the configuration terminal. If either side uses the ANSI type, a display problem might occur when a command line has more than 80 characters. For example, a cursor positioning error might occur.

12.     Set the maximum number of lines of command output to send to the terminal at a time.

screen-length screen-length

By default, the device sends up to 24 lines to the terminal at a time when pausing between screens of output is enabled.

To disable pausing between screens of output, set the value to 0.

13.     Set the size for the command history buffer.

history-command max-size value

By default, the buffer saves up to 10 history commands.

14.     Set the session idle timeout.

idle-timeout minutes [ seconds ]

The default is 10 minutes.

If there is no interaction between the device and the user within the idle timeout, the system automatically terminates the user connection on the user line.

If you set the idle timeout to 0, the session will not be aged out.

15.     Specify the command to be automatically executed for login users on the lines.

auto-execute command command

By default, no command is specified for a user line to be automatically executed.

The device will automatically execute the specified command when a user logs in through the user line, and close the user connection after the command is executed.

16.     Enable the terminal service.

shell

Be default, the terminal service is enabled on all user lines.

 

Configuring Telnet login

The device can act as a Telnet server to allow Telnet login, or as a Telnet client to Telnet to other devices.

By default, Telnet login is disabled on the device. To configure Telnet login, you must first log in to the device through any other method.

Configuring the device as a Telnet server

Tasks at a glance

(Required.) Enabling Telnet server

(Required.) Perform one of the following tasks:

·     Disabling authentication for Telnet login

·     Configuring password authentication for Telnet login

·     Configuring scheme authentication for Telnet login

(Optional.) Configuring common Telnet server settings

(Optional.) Configuring common VTY line settings

 

Telnet login configuration changes do not take effect for current online users. They take effect only for new login users.

Enabling Telnet server

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable the Telnet server.

telnet server enable

By default, the Telnet server is disabled.

 

Disabling authentication for Telnet login

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter VTY line view or class view.

·     Enter VTY line view:
line vty first-number [ last-number ]

·     Enter VTY line class view:
line class
vty

A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class.

A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view.

A setting in user line class view does not take effect for current online users. It takes effect only for new login users.

3.     Disable authentication.

authentication-mode none

Password authentication is enabled for VTY lines by default.

In VTY line view, this command is associated with the protocol inbound command. If you specify a non-default value for one of the two commands, the other command uses the default setting, regardless of the setting in VTY line class view.

4.     (Optional.) Assign a user role.

user-role role-name

By default, a VTY line user is assigned the network-operator user role.

 

Configuring password authentication for Telnet login

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter VTY line view or class view.

·     Enter VTY line view:
line vty first-number [ last-number ]

·     Enter VTY line class view:
line class
vty

A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class.

A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view.

A setting in user line class view does not take effect for current online users. It takes effect only for new login users.

3.     Enable password authentication.

authentication-mode password

Password authentication is enabled for VTY lines by default.

In VTY line view, this command is associated with the protocol inbound command. If you specify a non-default value for one of the two commands, the other command uses the default setting, regardless of the setting in VTY line class view.

4.     Set a password.

set authentication password { hash | simple } password

By default, no password is set.

5.     (Optional.) Assign a user role.

user-role role-name

By default, a VTY line user is assigned the network-operator user role .

 

Configuring scheme authentication for Telnet login

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter VTY line view or class view.

·     Enter VTY line view:
line vty first-number [ last-number ]

·     Enter VTY line class view:
line class
vty

A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class.

A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view.

A setting in user line class view does not take effect for current online users. It takes effect only for new login users.

3.     Enable scheme authentication.

authentication-mode scheme

Password authentication is enabled for VTY lines by default.

In VTY line view, this command is associated with the protocol inbound command. If you specify a non-default value for one of the two commands, the other command uses the default setting, regardless of the setting in VTY line class view.

 

To use scheme authentication, you must also perform the following tasks:

·     Configure login authentication methods in ISP domain view.

·     For remote authentication, configure a RADIUS, HWTACACS, or LDAP scheme.

·     For local authentication, create a local user account and configure the relevant attributes.

For more information, see Security Configuration Guide.

Configuring common Telnet server settings

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Specify the Telnet service port number.

·     In an IPv4 network:
telnet server port port-number

·     In an IPv6 network:
telnet server
ipv6 port port-number

By default, the Telnet service port number is 23.

3.     Set the DSCP value for outgoing Telnet packets.

·     For a Telnet server running IPv4:
telnet server dscp dscp-value

·     For a Telnet server running IPv6:
telnet server ipv6 dscp dscp-value

By default, the DSCP value is 48.

The DSCP value is carried in the ToS or Traffic class field of an IP or IPv6 packet to indicate the transmission priority of the packet.

4.     Set the maximum number of concurrent Telnet users.

aaa session-limit telnet max-sessions

The default maximum number is 32.

Changing this setting does not affect users who are currently online. If the new limit is less than the number of online Telnet users, no additional users can Telnet in until the number drops below the new limit.

For more information about this command, see Security Command Reference.

 

Configuring common VTY line settings

For a VTY line, you can specify a command that is to be automatically executed when a user logs in. After executing the specified command and performing the incurred task, the system automatically disconnects the Telnet session. Typically, you configure the auto-execute command telnet X.X.X.X command on the device so the device redirects a Telnet user to the host at X.X.X.X. The connection to the current device is closed when the user terminates the Telnet connection to X.X.X.X.

To configure common settings for VTY lines:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter VTY line view or class view.

·     Enter VTY line view:
line vty first-number [ last-number ]

·     Enter VTY line class view:
line class
vty

A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class.

A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view.

A setting in user line class view does not take effect for current online users. It takes effect only for new login users.

3.     Enable the terminal service.

shell

By default, terminal service is enabled.

4.     Specify the supported protocols.

protocol inbound { all | ssh | telnet }

By default, Telnet and SSH are supported.

A protocol change does not take effect for current online users. It takes effect only for new login users.

In VTY line view, this command is associated with the authentication-mode command. If you specify a non-default value for one of the two commands, the other command uses the default setting, regardless of the setting in VTY line class view.

5.     Specify the shortcut key for terminating a task.

escape-key { character | default }

The default setting is Ctrl+C.

6.     Set the user line locking key.

lock-key key-string

By default, no user line locking key is set.

7.     Specify the terminal display type.

terminal type { ansi | vt100 }

The default terminal display type is ANSI.

8.     Set the maximum number of lines of command output to send to the terminal at a time.

screen-length screen-length

By default, the device sends up to 24 lines to the terminal at a time when pausing between screens of output is enabled.

To disable pausing between screens of output, set the value to 0.

9.     Set the size for the command history buffer.

history-command max-size value

The default size is 10 history commands.

10.     Set the session idle timeout.

idle-timeout minutes [ seconds ]

The default idle timeout is 10 minutes for all user lines.

If there is no interaction between the device and the user within the idle timeout, the system automatically terminates the session on the user line.

If you do not want sessions to be aged out, set the idle timeout to 0.

11.     Specify the command to be automatically executed for login users on the user lines.

auto-execute command command

By default, no command is specified for auto execution.

IMPORTANT IMPORTANT:

Before you configure this command and save the configuration, make sure you can access the CLI through a different user line.

 

Using the device to log in to a Telnet server

You can use the device as a Telnet client to log in to a Telnet server. If the server is located in a different subnet than the client, make sure the two devices can reach each other.

Figure 11 Telnetting from the device to a Telnet server

 

To use the device to log in to a Telnet server:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     (Optional.) Specify the source IPv4 address or source interface for outgoing Telnet packets.

telnet client source { interface interface-type interface-number | ip ip-address }

By default, no source IPv4 address or source interface is specified. The device uses the primary IPv4 address of the output interface as the source address for outgoing Telnet packets.

3.     Exit to user view.

quit

N/A

4.     Use the device to log in to a Telnet server.

·     Log in to an IPv4 Telnet server:
telnet remote-host [ service-port ] [ vpn-instance vpn-instance-name ] [ source { interface interface-type interface-number | ip ip-address } ] [ dscp dscp-value ]

·     Log in to an IPv6 Telnet server:
telnet ipv6 remote-host [ -i interface-type interface-number ] [ port-number ] [ vpn-instance vpn-instance-name ] [ source { interface interface-type interface-number | ipv6 ipv6-address } ] [ dscp dscp-value ]

N/A

 

Configuring SSH login

SSH offers a secure method to remote login. By providing encryption and strong authentication, it protects devices against attacks such as IP spoofing and plaintext password interception. For more information, see Security Configuration Guide.

The device can act as an SSH server to allow Telnet login, or as an SSH client to log in to an SSH server.

By default, SSH login is disabled on the device. To configure SSH login, you must first log in to the device through any other method.

Configuring the device as an SSH server

This section provides the SSH server configuration procedure used when the SSH client authentication method is password. For more information about SSH and publickey authentication configuration, see Security Configuration Guide.

To configure the device as an SSH server:

 

Step

Command

Remarks

 

1.     Enter system view.

system-view

N/A

 

2.     Create local key pairs.

public-key local create { dsa | ecdsa secp256r1 | rsa }

By default, no local key pairs are created.

 

3.     Enable the Stelnet server.

ssh server enable

By default, the Stelnet server is disabled.

 

4.     (Optional.) Create an SSH user and specify the authentication mode.

ssh user username service-type stelnet authentication-type { password | { any | password-publickey | publickey } assign publickey keyname }

By default, no SSH user is configured on the device.

 

5.     Enter VTY line view or class view.

·     Enter VTY line view:
line vty first-number [ last-number ]

·     Enter VTY line class view:
line class
vty

A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class.

A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view.

A setting in user line class view does not take effect for current online users. It takes effect only for new login users.

 

6.     Enable scheme authentication.

authentication-mode scheme

Password authentication is enabled for VTY lines by default.

In VTY line view, this command is associated with the protocol inbound command. If you specify a non-default value for one of the two commands, the other command uses the default setting, regardless of the setting in VTY line class view.

 

7.     (Optional.) Specify the protocols for the user lines to support.

protocol inbound { all | ssh | telnet }

By default, both Telnet and SSH are supported.

A protocol change does not take effect for current online users. It takes effect only for new login users.

In VTY line view, this command is associated with the authentication-mode command. If you specify a non-default value for one of the two commands, the other command uses the default setting, regardless of the setting in VTY line class view.

 

8.     (Optional.) Set the maximum number of concurrent SSH users.

aaa session-limit ssh max-sessions

The default maximum number is 32.

Changing this setting does not affect users who are currently online. If the new limit is less than the number of online SSH users, no additional SSH users can log in until the number drops below the new limit.

For more information about this command, see Security Command Reference.

 

9.     Exit to system view.

quit

N/A

10.     (Optional.) Configure common settings for VTY lines.

See "Configuring common VTY line settings."

N/A

 

 

Using the device to log in to an SSH server

You can use the device as an SSH client to log in to an SSH server. If the server is located in a different subnet than the client, make sure the two devices can reach each other.

Figure 12 Logging in to an SSH server from the device

 

Perform the following tasks in user view:

 

Task

Command

Log in to an IPv4 SSH server.

ssh2 server

Log in to an IPv6 SSH server.

ssh2 ipv6 server

 

To work with the SSH server, you might need to specify a set of parameters. For more information, see Security Configuration Guide.

Displaying and maintaining CLI login

Execute display commands in any view.

 

Task

Command

Remarks

Display online CLI users.

display users [ all ]

N/A

Display user line information.

display line [ num1 | { console | vty } num2 ] [ summary ]

N/A

Display the packet source setting for the Telnet client.

display telnet client

N/A

Release a user line.

free line { num1 | { console | vty } num2 }

Multiple users can log in to the device to simultaneously configure the device. When necessary, you can execute this command to release some connections.

You cannot use this command to release the connection you are using.

This command is available in user view.

Lock the current user line and set the password for unlocking the line.

lock

By default, the system does not lock any user lines.

Lock the current user line and enable unlocking authentication.

lock reauthentication

By default, the system does not lock any user lines or initiate reauthentication.

To unlock the locked user line, you must press Enter and provide the login password to pass reauthentication.

This command is available in any view.

Send messages to user lines.

send { all | num1 | { console | vty } num2 }

This command is available in user view.

 


Configuring Web login

The device provides a built-in Web server that supports HTTP 1.0, HTTP 1.1, and HTTPS. You can use a Web browser to log in to and configure the device.

HTTPS uses SSL to ensure the integrity and security of data exchanged between the client and the server, and is more secure than HTTP. You can define a certificate-based access control policy to allow only legal clients to access the Web interface.

Web login is disabled by default. To configure Web login, you must first log in through the console port.

Configuring HTTP login

Step

Command

Remarks

1.     (Optional.) Specify a fixed verification code for Web login.

web captcha verification-code

By default, no fixed verification code is configured. A Web user must enter the verification code displayed on the login page at login.

2.     Enter system view.

system-view

N/A

3.     Enable the HTTP service.

ip http enable

By default, the HTTP service is disabled.

4.     (Optional.) Specify the HTTP service port number.

ip http port port-number

The default HTTP service port number is 80.

5.     (Optional.) Set the idle timeout for Web connections.

web idle-timeout minutes

By default, the Web connection idle timeout timer is 10 minutes.

6.     (Optional.) Specify the maximum number of online HTTP users.

aaa session-limit http max-sessions

The default maximum number is 32.

Changing this setting does not affect users who are currently online. If the new setting is less than the number of online HTTP users, no additional HTTP users can log in until the number drops below the new limit.

For more information about this command, see Security Command Reference.

7.     (Optional.) Enable Web operation logging.

webui log enable

By default, Web operation logging is disabled.

8.     Create a local user and enter local user view.

local-user user-name [ class manage ]

By default, no local user is configured.

9.     Configure a password for the local user.

password [ { hash | simple } password ]

A password is saved in hashed form.

By default, no password is configured for a local user. The local user can pass authentication after entering the correct username and passing attribute checks.

For security purposes, configure a password for the local user.

10.     Assign a user role to the local user.

authorization-attribute user-role user-role

The default user role is network-operator for a Web user.

11.     Specify the HTTP service for the local user.

service-type http

By default, no service type is specified for a local user.

 

Configuring HTTPS login

The device supports the following HTTPS login modes:

·     Simplified modeThe device uses a self-signed certificate (a certificate that is generated and signed by the device itself) and the default SSL settings. The device operates in simplified mode after you enable HTTPS service on the device.

·     Secure modeThe device uses a certificate signed by a CA and a set of user-defined security protection settings to ensure security. For the device to operate in secure mode, you must perform the following tasks:

?     Enable HTTPS service on the device.

?     Specify an SSL server policy for the service.

?     Configure PKI domain-related parameters.

Simplified mode is simple to configure but has potential security risks. Secure mode is more complicated to configure but provides higher security.

For more information about SSL and PKI, see Security Configuration Guide.

To configure HTTPS login:

 

Step

Command

Remarks

1.     (Optional.) Specify a fixed verification code for Web login.

web captcha verification-code

By default, no fixed verification code is configured. A Web user must enter the verification code displayed on the login page at login.

2.     Enter system view.

system-view

N/A

3.     (Optional.) Apply an SSL server policy to control HTTPS access.

ip https ssl-server-policy policy-name

By default, no SSL server policy is applied. The HTTP service uses a self-signed certificate.

Disabling the HTTPS service removes the SSL service policy application. To enable the HTTPS service again, you must reconfigure this command again.

If the HTTPS service has been enabled, any changes to the associated SSL server policy do not take effect. For the changes to take effect, you must disable HTTP and HTTPS, and then apply the policy and enable HTTP and HTTPS again.

4.     Enable the HTTPS service.

ip https enable

By default, HTTPS is disabled.

Enabling the HTTPS service triggers the SSL handshake negotiation process.

·     If the device has a local certificate, the SSL handshake negotiation succeeds and the HTTPS service starts up.

·     If the device does not have a local certificate, the certificate application process starts. Because the certificate application process takes a long time, the SSL handshake negotiation might fail and the HTTPS service might not be started. To solve the problem, execute this command again until the HTTPS service is enabled.

5.     (Optional.) Apply a certificate-based access control policy to control HTTPS access.

ip https certificate access-control-policy policy-name

By default, no certificate-based access control policy is applied for HTTPS access control.

For clients to log in through HTTPS, you must configure the client-verify enable command and a minimum of one permit rule in the associated SSL server policy.

For more information about certificate-based access control policies, see the chapter on PKI in Security Configuration Guide.

6.     (Optional.) Specify the HTTPS service port number.

ip https port port-number

The default HTTPS service port number is 443.

7.     (Optional.) Set the HTTPS login authentication mode.

web https-authorization mode { auto | manual }

By default, manual authentication mode is used for HTTPS login.

8.     (Optional.) Set the idle timeout for Web connections.

web idle-timeout minutes

By default, the Web connection idle timeout timer is 10 minutes.

9.     (Optional.) Specify the maximum number of online HTTPS users.

aaa session-limit https max-sessions

The default maximum number is 32.

Changing this setting does not affect users who are currently online. If the new setting is less than the number of online HTTPS users, no additional HTTPS users can log in until the number drops below the new limit.

For more information about this command, see Security Command Reference.

10.     (Optional.) Enable Web operation logging.

webui log enable

By default, Web operation logging is disabled.

11.     Create a local user and enter local user view.

local-user user-name [ class manage ]

By default, no local user is configured.

12.     Configure a password for the local user.

password [ { hash | simple } password ]

The password is saved in hashed form.

By default, no password is configured for a local user. The local user can pass authentication after entering the correct username and passing attribute checks.

For security purposes, configure a password for the local user.

13.     Assign a user role to the local user.

authorization-attribute user-role user-role

The default user role is network-operator for a Web user.

14.     Specify the HTTPS service for the local user.

service-type https

By default, no service type is specified for a local user.

 

Displaying and maintaining Web login

Execute display commands in any view and the free web users command in user view.

 

Task

Command

Display online Web users.

display web users

Display Web interface navigation tree information.

display web menu [ chinese ]

Display HTTP service configuration and status information.

display ip http

Display HTTPS service configuration and status information.

display ip https

Log off online Web users.

free web users { all | user-id user-id | user-name user-name }

 

Web login configuration examples

HTTP login configuration example

Network requirements

As shown in Figure 13, the PC and the AC can communicate over the IP network.

Configure the AC to allow the PC to log in by using HTTP.

Figure 13 Network diagram

 

Configuration procedure

# Create VLAN 100.

<Sysname> system-view

[Sysname] vlan 100

[Sysname-vlan100] quit

# Create VLAN-interface 100 and assign IP address 192.168.100.99/24 to the interface.

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] ip address 192.168.100.99 24

[Sysname-Vlan-interface100] quit

# Create a local user named admin. Set the password to admin, the service type to HTTP, and the user role to network-admin.

[Sysname] local-user admin

[Sysname-luser-manage-admin] service-type http

[Sysname-luser-manage-admin] authorization-attribute user-role network-admin

[Sysname-luser-manage-admin] password simple admin

[Sysname-luser-manage-admin] quit

# Enable HTTP.

[Sysname] ip http enable

Verifying the configuration

1.     On the PC, run the IE browser and enter the IP address of the device in the address bar.

The Web login page appears, as shown in Figure 14.

Figure 14 Web login page

 

 

2.     Enter the username and password. Select English and click Login.

After you pass authentication, the homepage appears and you can configure the AC.

HTTPS login configuration example

Network requirements

As shown in Figure 15, the host, AC, and CA can communicate over the IP network.

Perform the following tasks to allow only authorized users to access the AC's Web interface:

·     Configure the AC as the HTTPS server and request a certificate for the AC.

·     Configure the host as the HTTPS client and request a certificate for the host.

Figure 15 Network diagram

 

Configuration procedure

In this example, the CA runs Windows Server and has the SCEP add-on installed.

1.     Configure the AC (HTTPS server):

# Create PKI entity en and set entity parameters.

<Sysname> system-view

[Sysname] pki entity en

[Sysname-pki-entity-en] common-name http-server1

[Sysname-pki-entity-en] fqdn ssl.security.com

[Sysname-pki-entity-en] quit

# Create PKI domain 1 and set domain parameters.

[Sysname] pki domain 1

[Sysname-pki-domain-1] ca identifier new-ca

[Sysname-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll

[Sysname-pki-domain-1] certificate request from ra

[Sysname-pki-domain-1] certificate request entity en

# Configure the PKI domain to use the 1024-bit long RSA key pair hostkey for both signing and encryption.

[Sysname-pki-domain-1] public-key rsa general name hostkey length 1024

[Sysname-pki-domain-1] quit

# Create RSA local key pairs.

[Sysname] public-key local create rsa

# Retrieve the CA certificate.

[Sysname] pki retrieve-certificate domain 1 ca

# Configure the AC to request a local certificate through SCEP.

[Sysname] pki request-certificate domain 1

# Create SSL server policy myssl. Specify PKI domain 1 for the SSL server policy, and enable certificate-based SSL client authentication.

[Sysname] ssl server-policy myssl

[Sysname-ssl-server-policy-myssl] pki-domain 1

[Sysname-ssl-server-policy-myssl] client-verify enable

[Sysname-ssl-server-policy-myssl] quit

# Create certificate attribute group mygroup1. Configure a certificate attribute rule that matches statements with the string of new-ca in the distinguished name of the subject name.

[Sysname] pki certificate attribute-group mygroup1

[Sysname-pki-cert-attribute-group-mygroup1] attribute 1 issuer-name dn ctn new-ca

[Sysname-pki-cert-attribute-group-mygroup1] quit

# Create certificate-based access control policy myacp. Configure a certificate access control rule that uses the matching criteria in certificate attribute group mygroup1.

[Sysname] pki certificate access-control-policy myacp

[Sysname-pki-cert-acp-myacp] rule 1 permit mygroup1

[Sysname-pki-cert-acp-myacp] quit

# Associate SSL server policy myssl with the HTTPS service.

[Sysname] ip https ssl-server-policy myssl

# Use certificate-based access control policy myacp to control HTTPS access.

[Sysname] ip https certificate access-control-policy myacp

# Enable the HTTPS service.

[Sysname] ip https enable

# Create local user usera. Set the password to 123, the service type to HTTPS, and the user role to network-admin.

[Sysname] local-user usera

[Sysname-luser-usera] password simple 123

[Sysname-luser-usera] service-type https

[Sysname-luser-usera] authorization-attribute user-role network-admin

2.     Configure the host (HTTPS client):

# On the host, run the IE browser and enter http://10.1.2.2/certsrv in the address bar.

# Request a certificate for the host as prompted.

Verifying the configuration

1.     On the host, enter https://10.1.1.1 in the browser's address bar, and select the certificate issued by new-ca.

2.     When the Web login page appears, enter the username usera and password 123 to log in to the Web interface.

For more information about PKI and SSL configuration commands and the public-key local create rsa command, see Security Command Reference.


Accessing the device through SNMP

You can run SNMP on an NMS to access the device MIB and perform Get and Set operations to manage and monitor the device.

Figure 16 SNMP access diagram

 

The device supports SNMPv1, SNMPv2c, and SNMPv3, and can cooperate with various network management software products. However, the device and the NMS must use the same SNMP version.

By default, SNMP access is disabled. To configure SNMP access, you must first log in to the device through any other method.

For more information about SNMP, see Network Management and Monitoring Configuration Guide.


Configuring RESTful access

The device provides the Representational State Transfer application programming interface (RESTful API). Based on this API, you can use programming languages such as Python, Ruby, or Java to write programs to perform the following tasks:

·     Send RESTful requests to the device to pass authentication.

·     Use RESTful API operations to configure and manage the device. RESTful API operations include Get, Put, Post, and Delete.

The device supports using HTTP or HTTPS to transfer RESTful packets.

RESTful access is disabled by default. To configure RESTful access, you must first log in through the console port.

Configuring RESTful access over HTTP

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable RESTful access over HTTP.

restful http enable

By default, RESTful access over HTTP is disabled.

3.     Create a local user and enter local user view.

local-user user-name [ class manage ]

By default, no local user is configured.

4.     Configure a password for the local user.

password [ { hash | simple } password ]

The password is saved in hashed form.

By default, no password is configured for a local user.

5.     (Optional.) Assign a user role to the local user.

authorization-attribute user-role user-role

The default user role is network-operator for a RESTful access user.

6.     Specify the HTTP service for the local user.

service-type http

By default, no service type is specified for a local user.

 

Configuring RESTful access over HTTPS

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable RESTful access over HTTPS.

restful https enable

By default, RESTful access over HTTPS is disabled.

3.     Create a local user and enter local user view.

local-user user-name [ class manage ]

By default, no local user is configured.

4.     Configure a password for the local user.

password [ { hash | simple } password ]

The password is saved in hashed form.

By default, no password is configured for a local user.

5.     (Optional.) Assign a user role to the local user.

authorization-attribute user-role user-role

The default user role is network-operator for a RESTful access user.

6.     Specify the HTTPS service for the local user.

service-type https

By default, no service type is specified for a local user.

 


Controlling user access to the device

Use ACLs to prevent unauthorized access, and configure command authorization and accounting to monitor and control user behavior. For more information about ACLs, see ACL and QoS Configuration Guide.

Controlling Telnet/SSH logins

Use different types of ACLs to filter Telnet and SSH logins by different match criteria:

·     Basic ACL (2000 to 2999)—Source IP address.

·     Advanced ACL (3000 to 3999)—Source IP address and destination IP address.

·     Ethernet frame header ACL (4000 to 4999)—Source MAC address.

If an applied ACL does not exist or does not have any rules, no user login restriction is applied. If the ACL exists and has rules, only users permitted by the ACL can access the device through Telnet or SSH.

Configuration procedures

To control Telnet logins:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Apply an ACL to filter Telnet logins.

·     telnet server acl acl-number

·     telnet server ipv6 acl [ ipv6 ] acl-number

By default, no ACL is used to filter Telnet logins.

 

To control SSH logins:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Apply an ACL to filter SSH logins.

·     ssh server acl acl-number

·     ssh server ipv6 acl [ ipv6 ] acl-number

By default, no ACL is used to filter SSH logins.

For more information about these two commands, see Security Command Reference.

 

Configuration example

Network requirements

As shown in Figure 17, the AC is a Telnet server.

Configure the AC to permit only Telnet packets sourced from Host A and Host B.

Figure 17 Network diagram

 

Configuration procedure

# Configure an ACL to permit packets sourced from Host A and Host B.

<Sysname> system-view

[Sysname] acl basic 2000 match-order config

[Sysname-acl-ipv4-basic-2000] rule 1 permit source 10.110.100.52 0

[Sysname-acl-ipv4-basic-2000] rule 2 permit source 10.110.100.46 0

[Sysname-acl-ipv4-basic-2000] quit

# Apply the ACL to filter Telnet logins.

[Sysname] telnet server acl 2000

Controlling Web logins

Use a basic ACL (2000 to 2999) to filter HTTP/HTTPS traffic by source IP address. Only Web users whose IP addresses are permitted by the ACL can access the device. If the ACL does not exist or does not have any rules, no user login restriction is applied.

You can also log off suspicious Web users.

Configuring source IP-based Web login control

Web login requests contain usernames and passwords. For security purposes, the device always uses HTTPS to transfer Web login requests. Only users that are permitted by the following ACLs can access the device through HTTP:

·     ACL applied to the HTTPS service.

·     ACL applied to the HTTP service.

To configure source IP-based Web login control:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Apply a basic ACL for Web access control.

·     ip http acl { acl-number | name acl-name }

·     ip https acl { acl-number | name acl-name }

By default, no ACL is applied to the HTTP or HTTPS service.

 

Logging off online Web users

To log off online Web users, execute the following command in user view:

 

Task

Command

Log off online Web users.

free web-users { all | user-id user-id | user-name user-name }

 

Configuration example

Network requirements

As shown in Figure 18, the AC is an HTTP server.

Configure the AC to provide HTTP service only to Host B.

Figure 18 Network diagram

 

Configuration procedure

# Create an ACL and configure rule 1 to permit packets sourced from Host B.

<Sysname> system-view

[Sysname] acl basic 2030 match-order config

[Sysname-acl-ipv4-basic-2030] rule 1 permit source 10.110.100.52 0

[Sysname-acl-ipv4-basic-2030] quit

# Apply the ACL to the HTTP service so only a Web user on Host B can access the AC.

[Sysname] ip http acl 2030

Controlling SNMP access

Use a basic ACL (2000 to 2999) to control SNMP access by source IP address. To access the requested MIB view, an NMS must use a source IP address permitted by the ACL. If the ACL does not exist or does not have any rules, no user login restriction is applied.

Configuration procedure

To control SNMPv1 or SNMPv2c access:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Configure the SNMP access right.

·     (Method 1.) Create an SNMP community and specify ACLs for the community:

?     In VACM mode:
snmp-agent community { read | write } [ simple | cipher ] community-name [ mib-view view-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } | acl ipv6 { ipv6-acl-number | name ipv6-acl-name } ] *

?     In RBAC mode:
snmp-agent community [ simple | cipher ] community-name user-role role-name [ acl { ipv4-acl-number | name ipv4-acl-name } | acl ipv6 { ipv6-acl-number | name ipv6-acl-name } ] *

·     (Method 2.) Create an SNMPv1/v2c group and add a user to the group, specifying ACLs for the group and user:

a.     snmp-agent group { v1 | v2c } group-name [ read-view view-name ] [ write-view view-name ] [ notify-view view-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } | acl ipv6 { ipv6-acl-number | name ipv6-acl-name } ] *

b.     snmp-agent usm-user { v1 | v2c } user-name group-name [ acl { ipv4-acl-number | name ipv4-acl-name } | acl ipv6 { ipv6-acl-number | name ipv6-acl-name } ] *

For more information about SNMP, see Network Management and Monitoring Configuration Guide.

 

To control SNMPv3 access:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an SNMPv3 group, specifying ACLs for the group.

snmp-agent group v3 group-name [ authentication | privacy ] [ read-view view-name ] [ write-view view-name ] [ notify-view view-name ] [ acl { ipv4-acl-number | name ipv4-acl-name } | acl ipv6 { ipv6-acl-number | name ipv6-acl-name } ] *

N/A

3.     Create an SNMPv3 user, specifying ACLs for the user.

·     In VACM mode:
snmp-agent usm-user v3 user-name group-name [ remote { ipv4-address | ipv6 ipv6-address } ] [ { cipher | simple } authentication-mode { md5 | sha } auth-password [ privacy-mode { aes128 | 3des | des56 } priv-password ] ] [ acl { ipv4-acl-number | name ipv4-acl-name } | acl ipv6 { ipv6-acl-number | name ipv6-acl-name } ] *

·     In RBAC mode:
snmp-agent usm-user v3 user-name user-role role-name [ remote { ipv4-address | ipv6 ipv6-address } ] [ { cipher | simple } authentication-mode { md5 | sha } auth-password [ privacy-mode { aes128 | 3des | des56 } priv-password ] ] [ acl { ipv4-acl-number | name ipv4-acl-name } | acl ipv6 { ipv6-acl-number | name ipv6-acl-name } ] *

For more information about SNMP, see Network Management and Monitoring Configuration Guide.

 

Configuration example

Network requirements

As shown in Figure 19, the AC is running SNMP.

Configure the AC to allow Host A and Host B to access the AC through SNMP.

Figure 19 Network diagram

 

Configuration procedure

# Create an ACL to permit packets sourced from Host A and Host B.

<Sysname> system-view

[Sysname] acl basic 2000 match-order config

[Sysname-acl-ipv4-basic-2000] rule 1 permit source 10.110.100.52 0

[Sysname-acl-ipv4-basic-2000] rule 2 permit source 10.110.100.46 0

[Sysname-acl-ipv4-basic-2000] quit

# Associate the ACL with the SNMP community and the SNMP group.

[Sysname] snmp-agent community read aaa acl 2000

[Sysname] snmp-agent group v2c groupa acl 2000

[Sysname] snmp-agent usm-user v2c usera groupa acl 2000

Configuring command authorization

By default, commands available for a user depend only on the user's user roles. When the authentication mode is scheme, you can configure the command authorization feature to further control access to commands.

After you enable command authorization, a user can use only commands that are permitted by both the AAA scheme and user roles.

The command authorization method can be different from the user login authorization method.

This section provides the procedure for configuring command authorization. To make the command authorization feature take effect, you must configure a command authorization method in ISP domain view. For more information, see Security Configuration Guide.

Configuration procedure

To configure command authorization:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter user line view or user line class view.

·     Enter user line view:
line { first-number1 [ last-number1 ] | { console | vty } first-number2 [ last-number2 ] }

·     Enter user line class view:
line class { console
| vty }

A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class.

A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view.

A setting in user line class view does not take effect for current online users. It takes effect only for new login users.

3.     Enable scheme authentication.

authentication-mode scheme

Authentication is disabled for console lines, and password authentication is enabled for VTY lines by default.

By default, scheme authentication is enabled.

In VTY line view, this command is associated with the protocol inbound command. If you specify a non-default value for one of the two commands, the other command uses the default setting, regardless of the setting in VTY line class view.

4.     Enable command authorization.

command authorization

By default, command authorization is disabled, and the commands available for a user only depend on the user role.

If the command authorization command is configured in user line class view, command authorization is enabled on all user lines in the class. You cannot configure the undo command authorization command in the view of a user line in the class.

 

Configuration example

Network requirements

As shown in Figure 20, a user needs to log in to the AC to manage the AC from Host A.

Configure the AC to perform the following operations:

·     Allow Host A to Telnet in after authentication.

·     Use the HWTACACS server to control the commands that the user can execute.

·     Use local authorization if the HWTACACS server is not available.

Figure 20 Network diagram

 

Configuration procedure

# Assign IP addresses to relevant interfaces. Make sure the AC and the HWTACACS server can reach each other. Make sure the AC and Host A can reach each other. (Details not shown.)

# Enable the Telnet server.

<Sysname> system-view

[Sysname] telnet server enable

# Enable scheme authentication for user lines VTY 0 through VTY 4.

[Sysname] line vty 0 4

[Sysname-line-vty0-4] authentication-mode scheme

# Enable command authorization for the user lines.

[Sysname-line-vty0-4] command authorization

[Sysname-line-vty0-4] quit

# Create HWTACACS scheme tac.

[Sysname] hwtacacs scheme tac

# Configure the scheme to use the HWTACACS server at 192.168.2.20:49 for authentication and authorization.

[Sysname-hwtacacs-tac] primary authentication 192.168.2.20 49

[Sysname-hwtacacs-tac] primary authorization 192.168.2.20 49

# Set the shared keys to expert.

[Sysname-hwtacacs-tac] key authentication simple expert

[Sysname-hwtacacs-tac] key authorization simple expert

# Remove domain names from usernames sent to the HWTACACS server.

[Sysname-hwtacacs-tac] user-name-format without-domain

[Sysname-hwtacacs-tac] quit

# Configure the system-defined domain system.

[Sysname] domain system

# Use HWTACACS scheme tac for login user authentication and command authorization. Use local authentication and local authorization as the backup method.

[Sysname-isp-system] authentication login hwtacacs-scheme tac local

[Sysname-isp-system] authorization command hwtacacs-scheme tac local

[Sysname-isp-system] quit

# Create the local user monitor. Set the simple password to 123, the service type to Telnet, and the default user role to level-1.

[Sysname] local-user monitor

[Sysname-luser-manage-monitor] password simple 123

[Sysname-luser-manage-monitor] service-type telnet

[Sysname-luser-manage-monitor] authorization-attribute user-role level-1

Configuring command accounting

Command accounting uses the HWTACACS server to record all executed commands to monitor user behavior on the device.

If command accounting is enabled but command authorization is not, every executed command is recorded. If both command accounting and command authorization are enabled, only authorized commands that are executed are recorded.

The command accounting method can be the same as or different from the command authorization method and user login authorization method.

This section provides only the procedure for configuring command accounting. To make the command accounting feature take effect, you must configure a command accounting method in ISP domain view. For more information, see Security Configuration Guide.

Configuration procedure

To configure command accounting:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter user line view or user line class view.

·     Enter user line view:
line { first-number1 [ last-number1 ] | { console | vty } first-number2 [ last-number2 ] }

·     Enter user line class view:
line class { console
| vty }

A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class.

A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view.

A setting in user line class view does not take effect for current online users. It takes effect only for new login users.

3.     Enable scheme authentication.

authentication-mode scheme

Authentication is disabled for console lines, and password authentication is enabled for VTY lines by default.

In VTY line view, this command is associated with the protocol inbound command. If you specify a non-default value for one of the two commands, the other command uses the default setting, regardless of the setting in VTY line class view.

4.     Enable command accounting.

command accounting

By default, command accounting is disabled. The accounting server does not record the commands executed by users.

If the command accounting command is configured in user line class view, command accounting is enabled on all user lines in the class. You cannot configure the undo command accounting command in the view of a user line in the class.

 

Configuration example

Network requirements

As shown in Figure 21, users need to log in to the AC to manage the AC.

Configure the AC to send commands executed by users to the HWTACACS server to monitor and control user operations on the AC.

Figure 21 Network diagram

 

Configuration procedure

# Enable the Telnet server.

<Sysname> system-view

[Sysname] telnet server enable

# Enable command accounting for user line Console 0.

[Sysname] line console 0

[Sysname-line-console0] command accounting

[Sysname-line-console0] quit

# Enable command accounting for user lines VTY 0 through VTY 4.

[Sysname] line vty 0 4

[Sysname-line-vty0-4] command accounting

[Sysname-line-vty0-4] quit

# Create HWTACACS scheme tac.

[Sysname] hwtacacs scheme tac

# Configure the scheme to use the HWTACACS server at 192.168.2.20:49 for accounting.

[Sysname-hwtacacs-tac] primary accounting 192.168.2.20 49

# Set the shared key to expert.

[Sysname-hwtacacs-tac] key accounting simple expert

# Remove domain names from usernames sent to the HWTACACS server.

[Sysname-hwtacacs-tac] user-name-format without-domain

[Sysname-hwtacacs-tac] quit

# Configure the system-defined domain system to use the HWTACACS scheme for command accounting.

[Sysname] domain system

[Sysname-isp-system] accounting command hwtacacs-scheme tac

[Sysname-isp-system] quit


Configuring FTP

File Transfer Protocol (FTP) is an application layer protocol for transferring files from one host to another over an IP network. It uses TCP port 20 to transfer data and TCP port 21 to transfer control commands. For more information about FTP, see RFC 959.

FTP is based on the client/server model. The AC can act as the FTP server or FTP client. Make sure the FTP server and the FTP client can reach each other before establishing the FTP connection.

Figure 22 FTP application scenario

 

FTP supports the following transfer modes:

·     Binary modeUsed to non-text files, such as .app, .bin, and .btm files.

·     ASCII mode—Used to transfer text files, such as .txt, .bat, and .cfg files.

When the device acts as the FTP client, you can set the transfer mode (binary by default). When the device acts as the FTP server, the transfer mode is determined by the FTP client.

FTP can operate in either of the following modes:

·     Active mode (PORT)—The FTP server initiates the TCP connection. This mode is not suitable when the FTP client is behind a firewall, for example, when the FTP client resides in a private network.

·     Passive mode (PASV)—The FTP client initiates the TCP connection. This mode is not suitable when the server does not allow the client to use a random unprivileged port greater than 1024.

FTP operation mode varies depending on the FTP client program.

Using the device as an FTP server

To use the device as an FTP server, you must enable the FTP server and configure authentication and authorization on the device. Other commands are optional.

Configuring basic parameters

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable the FTP server.

ftp server enable

By default, the FTP server is disabled.

3.     (Optional.) Use an ACL to control access to the FTP server.

ftp server acl { acl-number | ipv6 acl-number6 }

By default, no ACL is used for access control.

4.     (Optional.) Associate an SSL server policy with the FTP server to ensure data security.

ftp server ssl-server-policy policy-name

By default, no SSL server policy is associated with the FTP server.

5.     (Optional.) Configure the idle-timeout interval.

ftp timeout minutes

The default idle-timeout interval is 30 minutes.

If no data is transferred between the FTP server and FTP client within the idle-timeout interval, the connection is terminated.

6.     (Optional.) Set the DSCP value for outgoing FTP packets.

·     For an IPv4 FTP server:
ftp server dscp dscp-value

·     For an IPv6 FTP server:
ftp server ipv6 dscp dscp-value

By default, the DSCP value is 0.

7.     (Optional.) Set the maximum number of concurrent FTP users.

aaa session-limit ftp max-sessions

The default maximum number is 32.

Changing this setting does not affect users who are currently online. If the new list is less than the number of online FTP users, no additional FTP users can log in until the number drops below the new limit.

For more information about this command, see Security Command Reference.

 

Configuring authentication and authorization

Perform this task on the FTP server to authenticate FTP clients and set the authorized directories that authenticated clients can access.

The following authentication modes are available:

·     Local authentication—The device looks up the client's username and password in the local user account database. If a match is found, authentication succeeds.

·     Remote authentication—The device sends the client's username and password to a remote authentication server for authentication. The user account is configured on the remote authentication server rather than the device.

The following authorization modes are available:

·     Local authorization—The device assigns authorized directories to FTP clients based on the locally configured authorization attributes.

·     Remote authorization—A remote authorization server assigns authorized directories on the device to FTP clients.

For information about configuring authentication and authorization, see Security Configuration Guide.

Manually releasing FTP connections

Task

Command

Manually release FTP connections.

·     Release the FTP connection established by using a specific user account:
free ftp user username

·     Release the FTP connection to a specific IP address:
free ftp user-ip [ ipv6 ] client-address [ port port-num ]

 

Displaying and maintaining the FTP server

Execute display commands in any view.

 

Task

Command

Display FTP server configuration and status information.

display ftp-server

Display detailed information about online FTP users.

display ftp-user

 

FTP server configuration example

Network requirements

·     Configure the AC as an FTP server.

·     Create a local user account with the username abc and password 123456 on the FTP server.

·     Use the user account to log in to the FTP server from the FTP client.

·     Upload the file temp.bin from the FTP client to the FTP server.

·     Download the configuration file startup.cfg from the FTP server to the FTP client for backup.

Figure 23 Network diagram

 

Configuration procedure

1.     Configure IP addresses as shown in Figure 23. Make sure the AC and PC can reach each other. (Details not shown.)

2.     Configure the AC (FTP server):

# Create a local user with the username abc and password 123456.

<Sysname> system-view

[Sysname] local-user abc class manage

[Sysname-luser-abc] password simple 123456

# Assign the user role network-admin to the user. Set the working directory to the root directory of the flash memory.

[Sysname-luser-abc] authorization-attribute user-role network-admin work-directory flash:/

# Assign the service type FTP to the user.

[Sysname-luser-abc] service-type ftp

[Sysname-luser-abc] quit

# Enable the FTP server.

[Sysname] ftp server enable

[Sysname] quit

# Examine the storage space for space insufficiency and delete unused files for more free space.

<Sysname> dir

Directory of flash:

     0      drw-           -  Jun 29 2016 18:30:38     logfile

     1      drw-           -  Jun 21 2016 14:51:38     diagfile

     2      drw-           -  Jun 21 2016 14:51:38     seclog

     3      -rw-        2943  Jul 02 2016 08:03:08     startup.cfg

     4      -rw-       63901  Jul 02 2016 08:03:08     startup.mdb

     5      -rw-         716  Jun 21 2016 14:58:02     hostkey

     6      -rw-         572  Jun 21 2016 14:58:02     serverkey

     7      -rw-     6541264  Aug 04 2016 20:40:49     backup.bin

 

473664 KB total (467080 KB free)

<Sysname> delete /unreserved flash:/backup.bin

3.     Perform FTP operations from the PC (FTP client):

# Log in to the FTP server at 1.2.1.1 using the username abc and password 123456.

c:\> ftp 1.2.1.1

Connected to 1.2.1.1.

220 FTP service ready.

User (1.2.1.1:(none)): abc

331 Password required for abc.

Password:

230 User logged in.

# Use the ASCII mode to download the configuration file startup.cfg from the AC to the PC for backup.

ftp> ascii

200 TYPE is now ASCII

ftp> get startup.cfg back-startup.cfg

# Use the binary mode to upload the file temp.bin to the AC.

ftp> binary

200 TYPE is now 8-bit binary

ftp> put temp.bin

# Exit FTP.

ftp> bye

FTP server configuration example (on an IRF fabric)

Network requirements

·     Configure the IRF fabric as an FTP server.

·     Create a local user account with the username abc and password 123456 on the FTP server.

·     Use the user account to log in to the FTP server from the FTP client.

·     Upload the file temp.bin from the FTP client to the FTP server.

·     Download the configuration file config.cfg from the FTP server to the FTP client for backup.

Figure 24 Network diagram

 

 

Configuration procedure

1.     Configure IP addresses as shown in Figure 24. Make sure the IRF fabric and the PC can reach each other. (Details not shown.)

2.     Configure the FTP server:

# Examine the storage space on the member devices. If the free space is insufficient, use the delete/unreserved file-url command to delete unused files. (Details not shown.)

# Create a local user with the username abc and password 123456.

<Sysname> system-view

[Sysname] local-user abc class manage

[Sysname-luser-abc] password simple 123456

# Assign the user role network-admin to the user. Set the working directory to the root directory of the CF card on the master. (To set the working directory to the root directory of the CF card on the subordinate member, replace cfa0:/ with slot2#cfa0:/.)

[Sysname-luser-abc] authorization-attribute user-role network-admin work-directory cfa0:/

# Assign the service type FTP to the user.

[Sysname-luser-abc] service-type ftp

[Sysname-luser-abc] quit

# Enable the FTP server.

[Sysname] ftp server enable

[Sysname] quit

3.     Perform FTP operations from the FTP client:

# Log in to the FTP server at 1.1.1.1 using the username abc and password 123456.

c:\> ftp 1.1.1.1

Connected to 1.1.1.1.

220 FTP service ready.

User(1.1.1.1:(none)):abc

331 Password required for abc.

Password:

230 User logged in.

# Use the ASCII mode to download the configuration file config.cfg from the FTP server to the PC for backup.

ftp> ascii

200 TYPE is now ASCII

ftp> get config.cfg back-config.cfg

# Use the binary mode to upload the file temp.bin from the PC to the root directory of the CF card on the master.

ftp> binary

200 TYPE is now 8-bit binary

ftp> put temp.bin

# Exit FTP.

ftp> bye

Using the device as an FTP client

Establishing an FTP connection

To access the FTP server, you must establish a connection from the FTP client to the FTP server.

To establish an IPv4 FTP connection:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     (Optional.) Specify a source IP address for outgoing FTP packets.

ftp client source { interface interface-type interface-number | ip source-ip-address }

By default, no source IP address is specified. The device uses the primary IP address of the output interface as the source IP address.

3.     Return to user view.

quit

N/A

4.     Log in to the FTP server.

·     (Method 1.) Log in to the FTP server from user view:
ftp ftp-server [ service-port ] [ dscp dscp-value | source { interface { interface-name | interface-type interface-number } | ip source-ip-address } ] *

·     (Method 2.) Log in to the FTP server from FTP client view:

a.     Enter FTP client view:
ftp

b.     Log in to the FTP server:
open server-address [ service-port ]

The source IP address specified in the ftp command takes precedence over the one set by the ftp client source command.

 

To establish an IPv6 FTP connection:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     (Optional.) Specify the source IPv6 address for FTP packets sent by the FTP client.

ftp client ipv6 source { interface interface-type interface-number | ipv6 source-ipv6-address }

By default, no source IPv6 address is specified. The source address is automatically selected as defined in RFC 3484.

3.     Return to user view.

quit

N/A

4.     Log in to the FTP server.

·     (Method 1.) Log in to the FTP server from user view:
ftp ipv6 ftp-server [ service-port ] [ dscp dscp-value | source { interface interface-type interface-number | ipv6 source-ipv6-address } ] * [ -i interface-type interface-number ]

·     (Method 2.) Log in to the FTP server from FTP client view:

a.     Enter FTP client view:
ftp ipv6

b.     Log in to the FTP server:
open server-address [ service-port ]

The source IP address specified in the ftp ipv6 command takes precedence over the one set by the ftp client ipv6 source command.

 

Managing directories on the FTP server

Perform the following tasks in FTP client view:

 

Task

Command

Display directory and file information on the FTP server.

·     Display the detailed information of a directory or file on the FTP server:
dir [ remotefile [ localfile ] ]

·     Display the name of a directory or file on the FTP server:
ls [ remotefile [ localfile ] ]

Change the working directory on the FTP server.

cd { directory | .. | / }

Return to the upper level directory on the FTP server.

cdup

Display the working directory that is being accessed.

pwd

Create a directory on the FTP server.

mkdir directory

Delete a directory from the remote FTP server.

rmdir directory

 

Working with files on the FTP server

After you log in to the server, you can upload a file to or download a file from the authorized directory by following these steps:

1.     Use the dir or ls command to display the directory and location of the file on the FTP server.

2.     Delete unused files to get more free storage space.

3.     Set the file transfer mode to ASCII for text files or to binary for non-text files.

4.     Use the lcd command to change the local working directory of the FTP client. You can upload the file or save the downloaded file in this directory.

5.     Upload or download the file.

To work with files on an FTP server, execute the following commands in FTP client view:

 

Task

Command

Remarks

Display directory or file information on the FTP server.

·     Display the detailed information of a directory or file on the FTP server:
dir [ remotefile [ localfile ] ]

·     Display the name of a directory or file on the FTP server:
ls [ remotefile [ localfile ] ]

N/A

Delete the specified file on the FTP server permanently.

delete remotefile

N/A

Set the file transfer mode.

·     Set the file transfer mode to ASCII:
ascii

·     Set the file transfer mode to binary:
binary

The default file transfer mode is binary.

Set the FTP operation mode to passive.

passive

The default mode is passive.

Display or change the local working directory of the FTP client.

lcd [ directory | / ]

N/A

Upload a file to the FTP server.

put localfile [ remotefile ]

N/A

Download a file from the FTP server.

get remotefile [ localfile ]

N/A

Add the content of a file on the FTP client to a file on the FTP server.

append localfile [ remotefile ]

N/A

Specify the retransmit marker.

restart marker

Use this command together with the put, get, or append command.

Update the local file.

newer remotefile

N/A

Get the missing part of a file.

reget remotefile [ localfile ]

N/A

Rename the file.

rename [ oldfilename [ newfilename ] ]

N/A

 

Changing to another user account

After you log in to the FTP server, you can initiate an FTP authentication to change to a new account. By changing to a new account, you can get a different privilege without re-establishing the FTP connection.

For successful account change, you must enter the new username and password correctly. A wrong username or password can cause the FTP connection to be disconnected.

To change to another user account, execute the following command in user view:

 

Task

Command

Initiate an FTP authentication on the current FTP connection.

user username [ password ]

 

Maintaining and troubleshooting the FTP connection

Perform the following tasks in FTP client view:

 

Task

Command

Remarks

Display FTP commands on the FTP server.

rhelp

N/A

Display FTP commands help information on the FTP server.

rhelp protocol-command

N/A

Display FTP server status.

rstatus

N/A

Display detailed information about a directory or file on the FTP server.

rstatus remotefile

N/A

Display FTP connection status.

status

N/A

Display the system information of the FTP server.

system

N/A

Enable or disable FTP operation information display.

verbose

By default, this function is enabled.

Enable or disable FTP client debugging.

debug

By default, FTP client debugging is disabled.

Clear the reply information in the buffer.

reset

N/A

 

Terminating the FTP connection

Execute one of the following commands in FTP client view:

 

Task

Command

Terminate the connection to the FTP server without exiting FTP client view.

·     disconnect

·     close

Terminate the connection to the FTP server and return to user view.

·     bye

·     quit

 

Displaying command help information

Execute one of the following commands in FTP client view:

 

Task

Command

Display command help information.

·     help [ command-name ]

·     ? [ command-name ]

 

Displaying and maintaining the FTP client

Execute the display command in any view.

 

Task

Command

Display source IP address information on the FTP client.

display ftp client source

 

FTP client configuration example

Network requirements

As shown in Figure 25, the PC is acting as an FTP server. A user account with the username abc and password 123456 has been created on the PC.

·     Use the AC as an FTP client to log in to the FTP server.

·     Download the file temp.bin from the PC to the AC.

·     Upload the configuration file startup.cfg from the AC to the PC for backup.

Figure 25 Network diagram

 

Configuration procedure

# Configure IP addresses as shown in Figure 25. Make sure the AC and PC can reach each other. (Details not shown.)

# Examine the storage space on the AC. If the free space is insufficient, use the delete/unreserved file-url command to delete unused files. (Details not shown.)

# Log in to the FTP server at 10.1.1.1 using the username abc and password 123456.

<Sysname> ftp 10.1.1.1

Press CTRL+C to abort.

Connected to 10.1.1.1 (10.1.1.1).

220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user

User (10.1.1.1:(none)): abc

331 Give me your password, please

Password:

230 Logged in successfully

Remote system type is MSDOS.

ftp>

# Set the file transfer mode to binary.

ftp> binary

200 TYPE is now 8-bit binary

# Download the file temp.bin from the PC to the AC.

ftp> get temp.bin

local: temp.bin remote: temp.bin

150 Connecting to port 47457

226 File successfully transferred

23951480 bytes received in 95.399 seconds (251.0 kbyte/s)

# Use the ASCII mode to upload the configuration file startup.cfg from the AC to the PC for backup.

ftp> ascii

200 TYPE is now ASCII

ftp> put startup.cfg back-startup.cfg

local: startup.cfg remote: back-startup.cfg

150 Connecting to port 47461

226 File successfully transferred

3494 bytes sent in 5.646 seconds (618.00 kbyte/s)

ftp> bye

221-Goodbye. You uploaded 2 and downloaded 2 kbytes.

221 Logout.

<Sysname>

FTP client configuration example (on an IRF fabric)

Network requirements

As shown in Figure 26, the PC is acting as an FTP server. A user account with the username abc and password 123456 has been created on the PC.

·     Use the IRF fabric as an FTP client to log in to the FTP server.

·     Download the file temp.bin from the FTP server to the FTP client.

·     Upload the configuration file config.cfg from the FTP client to the FTP server for backup.

Figure 26 Network diagram

 

 

Configuration procedure

# Configure IP addresses as shown in Figure 26. Make sure the IRF fabric and PC can reach each other. (Details not shown.)

# Examine the storage space on the member devices. If the free space is insufficient, use the delete/unreserved file-url command to delete unused files. (Details not shown.)

# Log in to the FTP server at 10.1.1.1 using the username abc and password 123456.

<Sysname> ftp 10.1.1.1

Press CTRL+C to abort.

Connected to 10.1.1.1 (10.1.1.1).

220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user

User (10.1.1.1:(none)): abc

331 Give me your password, please

Password:

230 Logged in successfully

Remote system type is MSDOS.

ftp>

# Set the file transfer mode to binary.

ftp> binary

200 TYPE is now 8-bit binary

# Download the file temp.bin from the PC to the root directory of the CF card on the master device.

ftp> get temp.bin

local: temp.bin remote: temp.bin

150 Connecting to port 47457

226 File successfully transferred

23951480 bytes received in 95.399 seconds (251.0 kbyte/s)

# Download the file temp.bin from the PC to the root directory of the CF card on the subordinate member (with member ID of 2).

ftp> get temp.bin slot2#cfa0:/temp.bin

# Use the ASCII mode to upload the configuration file config.cfg from the IRF fabric to the PC for backup.

ftp> ascii

200 TYPE is now ASCII

ftp> put config.cfg back-config.cfg

local: config.cfg remote: back-config.cfg

150 Connecting to port 47461

226 File successfully transferred

3494 bytes sent in 5.646 seconds (618.00 kbyte/s)

ftp> bye

221-Goodbye. You uploaded 2 and downloaded 2 kbytes.

221 Logout.

<Sysname>


Configuring TFTP

Trivial File Transfer Protocol (TFTP) is a simplified version of FTP for file transfer over secure reliable networks. TFTP uses UDP port 69 for data transmission. In contrast to TCP-based FTP, TFTP does not require authentication or complex message exchanges, and is easier to deploy. TFTP is suited for reliable network environments.

The device can only operate as a TFTP client. You can upload a file from the device to the TFTP server or download a file from the TFTP server to the device. If you download a file with a file name that exists in the target directory, the device deletes the existing file and saves the new one. If file download fails due to network disconnection or other reasons, the original file cannot be restored. Therefore, use a nonexistent file name instead.

Figure 27 TFTP application scenario

 

Configuring the device as an IPv4 TFTP client

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     (Optional.) Use an ACL to control the client's access to TFTP servers.

tftp-server acl acl-number

By default, no ACL is used for access control.

3.     Specify the source IP address for TFTP packets sent by the TFTP client.

tftp client source { interface interface-type interface-number | ip source-ip-address }

By default, no source IP address is specified. The device uses the primary IP address of the output interface as the source IP address.

4.     Return to user view.

quit

N/A

5.     Download or upload a file in an IPv4 network.

tftp tftp-server { get | put | sget } source-filename [ destination-filename ] [ dscp dscp-value | source { interface interface-type interface-number | ip source-ip-address } ] *

The source IP address specified in this command takes precedence over the one set by the tftp client source command.

Use this command in user view.

 

Configuring the device as an IPv6 TFTP client

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     (Optional.) Use an ACL to control the client's access to TFTP servers.

tftp-server ipv6 acl acl-number

By default, no ACL is used for access control.

3.     Specify the source IPv6 address for TFTP packets sent by the TFTP client.

tftp client ipv6 source { interface interface-type interface-number | ipv6 source-ip-address }

By default, no source IPv6 address is specified. The source address is automatically selected as defined in RFC 3484.

4.     Return to user view.

quit

N/A

5.     Download or upload a file in an IPv6 network.

tftp ipv6 tftp-server [ -i interface-type interface-number ] { get | put | sget } source-filename [ destination-filename ] [ dscp dscp-value | source { interface interface-type interface-number | ipv6 source-ipv6-address } ] *

The source IP address specified in this command takes precedence over the one set by the tftp client ipv6 source command.

Use this command in user view.

 

 


Managing file systems

Overview

File systems

Each storage medium on the device has a file system.

The following matrix shows the supported storage medium types:

 

Hardware series

Model

Fixed storage medium types

Hot swappable storage medium types

WX1800H series

WX1804H

WX1810H

Flash memory

USB disk

WX1820H

WX1840H

Flash memory

SD card

USB disk

WX3800H series

WX3820H

WX3840H

CF card

Not supported

WX5800H series

WX5860H

CF card

Not supported

 

File system location

To identify a file system that is located on a subordinate member of an IRF fabric, you must specify the file system location in the slotn# format. The n argument represents the IRF member ID of a member device. For example, the location is slot2# for a file system that resides on member device 2.

File system naming conventions

The file system on the flash memory has the following parts:

·     (Optional.) File system location. For more information, see "File system location".

·     Storage medium type flash.

·     Colon (:).

The name of a file system on the CF card, SD card, or USB disk has the following parts:

·     (Optional.) File system location. For more information, see "File system location".

·     Storage medium type, cf, sd, or usb.

·     Sequence number, a lower-case English letter such as a, b, or c.

·     Number 0.

·     Colon (:).

For example, the file system on the USB disk is named  usba0:.

 

IMPORTANT

IMPORTANT:

File system names are case sensitive and must be entered in lower case.

 

Default file system

You are working with the default file system by default after you log in. To specify a file or directory on the default file system, you do not need to specify the file system name. For example, you do not need to specify any location information if you want to save the running configuration to the root directory of the default file system.

Directories

Directories in a file system are structured in a tree form.

Root directory

The root directory is represented by a forwarding slash (/). For example, flash:/ represents the root directory of the flash memory.

Working directory

The working directory is also called the current directory.

On standalone devices that support the flash memory, the default working directory is the root directory of the flash memory.

On standalone devices that support the CF card, the default working directory is the root directory of the CF card.

On an IRF fabric that supports the flash memory, the default working directory is the root directory of the flash memory on the master device.

On an IRF fabric that supports the CF card, the default working directory is the root directory of the CF card on the master device.

Directory naming conventions

When you specify a name for a directory, follow these conventions:

·     A directory name can contain letters, digits, and special characters except for asterisks (*), vertical bars (|), forward slashes (/), backward slashes (\), question marks (?), left angle brackets (<), right angle brackets (>), quotation marks ("), and colons (:).

·     A directory whose name starts with a dot character (.) is a hidden directory. To prevent the system from hiding a directory, make sure the directory name does not start with a dot character.

Commonly used directories

The device has some factory-default directories. The system automatically creates directories during operation. These directories include:

·     diagfile—Stores diagnostic information files.

·     license—Stores license files.

·     logfile—Stores log files.

·     seclog—Stores security log files.

·     versionInfo—Stores software version information files.

Files

File naming conventions

When you specify a name for a file, follow these conventions:

·     A file name can contain letters, digits, and special characters except for asterisks (*), vertical bars (|), forward slashes (/), backward slashes (\), question marks (?), left angle brackets (<), right angle brackets (>), quotation marks ("), and colons (:).

·     A file whose name starts with a dot character (.) is a hidden file. To prevent the system from hiding a file, make sure the file name does not start with a dot character.

Common file types

The device is shipped with some files. The system automatically creates files during operation. The types of these files include:

·     .ipe file—Compressed software image package file.

·     .bin file—Software image file.

·     .cfg file—Configuration file.

·     .mdb file—Binary configuration file.

·     .log file—Log file.

Hidden files and directories

Some system files and directories are hidden. For correct system operation and full functionality, do not modify or delete hidden files or directories.

Specifying a directory name or file name

Specifying a directory name

To specify a directory, you can use the absolute path or a relative path. For example, the working directory is flash:/. To specify the test2 directory in Figure 28, you can use the following methods:

·     flash:/test/test1/test2 (absolute path)

·     flash:/test/test1/test2/ (absolute path)

·     test/test1/test2 (relative path)

·     test/test1/test2/ (relative path)

Figure 28 Sample directory hierarchy

 

Specifying a file name

To specify a file, use the following methods:

·     Enter the absolute path of the file and the file name in the format of filesystem/directory1/directory2//directoryn/filename, where directoryn is the directory in which the file resides.

·     Enter the relative path of the file and the file name.

For example, the working directory is flash:/. The samplefile.cfg file is in the test2 directory shown in Figure 28. To specify the file, you can use the following methods:

·     flash:/test/test1/test2/samplefile.cfg

·     test/test1/test2/samplefile.cfg

Command and hardware compatibility

The WX1800H series access controllers do not support the slot keyword or the slot-number argument.

File system management restrictions and guidelines

To avoid file system corruption, do not perform the following tasks during file system management:

·     Installing or removing storage media.

·     Performing master/subordinate switchover on the IRF fabric.

If you remove a storage medium while a directory or file on the medium is being accessed, the device might not recognize the medium when you reinstall it. To reinstall this kind of storage medium, perform one of the following tasks:

·     If you were accessing a directory on the storage medium, change the working directory.

·     If you were accessing a file on the storage medium, close the file.

Make sure a USB disk is not write protected before an operation that requires the write right on the disk.

You cannot access a file system that is being formatted or repaired. To access a file system after it is formatted or repaired, use one of the following methods:

·     Use the absolute path to specify a file or directory. For example, use the dir flash:/ command to display the files and directories in the file system on the flash memory.

·     Use the cd command to change the working directory to the root directory of the file system before accessing a file or directory in the file system. For example, to display the files and directories in the root directory of the file system on the flash memory, perform the following tasks:

a.     Use the cd flash:/ command to change the working directory to the root directory of the file system.

b.     Execute the dir command.

Before managing file systems, directories, and files, make sure you know the possible impacts.

Formatting a file system

CAUTION

CAUTION:

Formatting a file system permanently deletes all files and directories in the file system. You cannot restore the deleted files or directories.

 

You can format a file system only when no other users are accessing the file system.

Perform this task in user view.

 

Task

Command

Format a file system.

format filesystem

 

Managing directories

Displaying directory information

Perform this task in user view.

 

Task

Command

Display directory or file information.

dir [ /all ] [ file | directory | /all-filesystems ]

 

Displaying the working directory

Perform this task in user view.

 

Task

Command

Display the working directory.

pwd

 

Changing the working directory

Perform this task in user view.

 

Task

Command

Change the working directory.

cd { directory | .. }

 

Creating a directory

Perform this task in user view.

 

Task

Command

Create a directory.

mkdir directory

 

Renaming a directory

Perform this task in user view.

 

Task

Command

Rename a directory.

rename source-directory dest-directory

 

Archiving or extracting directories

When you archive or extract directories or display archived directories, files in the directories are also archived, extracted, or displayed.

Perform the following tasks in user view:

 

Task

Command

Archive directories.

tar create [ gz ] archive-file dest-file [ verbose ] source source-directory &<1-5>

Extract directories.

tar extract archive-file file [ verbose ] [ screen | to directory ]

Display archived directories.

tar list archive-file file

 

Deleting a directory

To delete a directory, you must delete all files and subdirectories in the directory. To delete a file, use the delete command. To delete a subdirectory, use the rmdir command.

Deleting a directory permanently deletes all its files in the recycle bin, if any.

Perform this task in user view.

 

Task

Command

Delete a directory.

rmdir directory

 

Setting the operation mode for directories

The device supports the following directory operation modes:

·     alert—The system prompts for confirmation when your operation might cause problems such as data loss. This mode provides an opportunity to cancel a disruptive operation.

·     quiet—The system does not prompt for confirmation.

To set the operation mode for directories:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Set the operation mode for directories.

file prompt { alert | quiet }

The default mode is alert.

This command also sets the operation mode for files.

 

Managing files

You can create a file by copying a file, downloading a file, or using the save command. For more information about downloading a file, see "Configuring FTP" and "Configuring TFTP." For more information about the save command, see Fundamentals Command Reference.

Displaying file information

Perform this task in user view.

 

Task

Command

Display directory or file information.

dir [ /all ] [ file | directory | /all-filesystems ]

 

Displaying the contents of a text file

Perform this task in user view.

 

Task

Command

Display the contents of a text file.

more file

 

Renaming a file

Perform this task in user view.

 

Task

Command

Rename a file.

rename source-file dest-file

 

Copying a file

Perform this task in user view.

 

Task

Command

Copy a file.

copy source-file { dest-file | dest-directory } [ source interface interface-type interface-number ]

 

Moving a file

Perform this task in user view.

 

Task

Command

Move a file.

move source-file { dest-file | dest-directory }

 

Compressing or decompressing a file

Perform the following tasks in user view:

 

Task

Command

Compress a file.

gzip file

Decompress a file.

gunzip file

 

Archiving or extracting files

Perform the following tasks in user view:

 

Task

Command

Archive files.

tar create [ gz ] archive-file dest-file [ verbose ] source source-file &<1-5>

Extract files.

tar extract archive-file file [ verbose ] [ screen | to directory ]

Display the names of archived files.

tar list archive-file file

 

Deleting or restoring a file

You can delete a file permanently or move it to the recycle bin. A file moved to the recycle bin can be restored, but a permanently deleted file cannot.

Files in the recycle bin occupy storage space. To save storage space, periodically empty the recycle bin by using the reset recycle-bin command.

Perform the following tasks in user view:

 

Task

Command

Delete a file by moving it to the recycle bin.

delete file

Restore a file from the recycle bin.

undelete file

Delete a file permanently.

delete /unreserved file

 

IMPORTANT:

Do not use the delete command to delete files from the recycle bin. To delete files from the recycle bin, use the reset recycle-bin command.

 

Deleting files from the recycle bin

Each file system has a recycle bin of its own.

A recycle bin is a folder named .trash in the root directory of a file system.

To view which files or directories are in a recycle bin, use either of the following methods:

·     Access the file system and execute the dir/all .trash command.

·     Execute the cd .trash command to enter the recycle bin folder, and then execute the dir command.

To delete files from a recycle bin, perform the following task in user view:

 

Task

Command

Delete files from the recycle bin.

reset recycle-bin [ /force ]

 

Calculating the file digest

File digests are used to verify file integrity.

Use the following commands in user view:

 

Task

Command

Calculate the digest of a file by using the SHA-256 algorithm.

sha256sum file

Calculate the digest of a file by using the MD5 algorithm.

md5sum file

Setting the operation mode for files

The device supports the following file operation modes:

·     alert—The system prompts for confirmation when your operation might cause problems such as file corruption or data loss. This mode provides an opportunity to cancel a disruptive operation.

·     quiet—The system does not prompt for confirmation.

To set the operation mode for files:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Set the operation mode for files.

file prompt { alert | quiet }

The default mode is alert.

This command also sets the operation mode for directories.

 


Managing configuration files

Overview

You can manage configuration files from the CLI or the Boot ROM menu. The following information explains how to manage configuration files from the CLI.

A configuration file saves a set of commands for configuring software features on the device. You can save any configuration to a configuration file so the configuration can survive a reboot. You can also back up configuration files to a host for future use.

Configuration types

Factory defaults

The device is shipped with some basic settings called factory defaults. These default settings ensure that the device can start up and run correctly when it does not have a startup configuration file or when the configuration file is corrupt.

Factory defaults vary by device models and might differ from the initial default settings for the commands.

To display the factory defaults, use the display default-configuration command.

Startup configuration

The device uses startup configuration to configure software features during startup. After the device starts up, you can specify the configuration file to be loaded at the next startup. This configuration file is called the next-startup configuration file. The configuration file that has been loaded is called the current startup configuration file.

If no next-startup configuration files exist, the device starts up with the factory defaults.

You can display the startup configuration by using one of the following methods:

·     Execute the display startup command. To display detailed file contents, use the more command.

·     Execute the display current-configuration command before changing the configuration after the device reboots.

Running configuration

The running configuration includes unchanged startup settings and new settings. The running configuration is stored in memory and is cleared at a device reboot or power off. To use the running configuration after a power cycling or reboot, save it to a configuration file.

To display the running configuration, use the display current-configuration command.

Next-startup configuration file redundancy

You can specify one main next-startup configuration file and one backup next-startup configuration file for redundancy.

At startup, the device tries to load the startup configuration in the following order:

1.     The main next-startup configuration file.

2.     The backup next-startup configuration file if the main next-startup configuration file does not exist or is corrupt.

3.     The factory defaults if the backup configuration file is unavailable.

Configuration file formats

Configuration files you specify for saving configuration must use the .cfg extension. A .cfg configuration file is a human-readable text file. When you save configuration to a .cfg file, the device automatically saves the configuration to an .mdb user-inaccessible binary file that has the same name as the .cfg file. The device loads an .mdb file faster than loading a .cfg file.

Startup configuration file selection

At startup, the device uses the following procedure to identify the configuration file to load:

1.     The device searches for a valid .cfg next-startup configuration file.

2.     If one is found, the device searches for an .mdb file that has the same name and content as the .cfg file.

3.     If a matching .mdb file is found, the device starts up with the .mdb file. If none is found, the device starts up with the .cfg file.

Unless otherwise stated, the term "configuration file" in this document refers to a .cfg configuration file.

Configuration file content organization and format

IMPORTANT:

To run on the device, a configuration file must meet the content and format requirements. To ensure a successful configuration load at startup, use a configuration file created on the device. If you edit the configuration file, make sure all edits are compliant with the requirements.

 

A configuration file must meet the following requirements:

·     All commands are saved in their complete form.

·     Commands are sorted in sections by different command views, including system view, interface view, protocol view, and user line view.

·     Two adjacent sections are separated by a pound sign (#).

·     The configuration file ends with the word return.

Compatibility information

The WX1800H series access controllers do not support the slot keyword or the slot-number argument.

Enabling configuration encryption

Configuration encryption enables the device to encrypt a startup configuration file automatically when it saves the running configuration. All H3C devices running Comware 7 software use the same private key or public key to encrypt configuration files.

 

 

NOTE:

Only H3C devices running Comware 7 software can decrypt the encrypted configuration files.

 

To enable configuration encryption:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable configuration encryption.

configuration encrypt { private-key | public-key }

By default, configuration encryption is disabled. Configuration is saved unencrypted.

 

Comparing configurations for their differences

You can compare configuration files or compare a configuration file with the running configuration for their differences.

If you specify the next-startup configuration for a comparison, the system selects the next-startup configuration file to be compared with in the following order:

1.     The main next-startup configuration file.

2.     The backup next-startup configuration file if the main next-startup configuration file is unavailable. For example, the configuration file does not exist or is corrupt.

If both the main and backup next-startup configuration files are unavailable, the system displays a message indicating that no next-startup configuration files exist.

To compare configurations for their differences in any view:

 

Task

Command

Display the differences that a configuration file, the running configuration, or the next-startup configuration has as compared with the specified source configuration file.

display diff configfile file-name-s { configfile file-name-d | current-configuration | startup-configuration }

Display the differences that a configuration file or the next-startup configuration has as compared with the running configuration.

display diff current-configuration { configfile file-name-d | startup-configuration }

Display the differences that a configuration file has as compared with the next-startup configuration.

display diff startup-configuration configfile file-name-d

Display the differences that the running configuration has as compared with the next-startup configuration.

·     Method 1:
display diff startup-configuration current-configuration

·     Method 2:
display current-configuration diff

 

Saving the running configuration

Restrictions and guidelines

When an IRF member device splits from the IRF fabric, its settings are retained in memory but removed from the running configuration on the IRF fabric. Saving the running configuration before the IRF fabric recovers will remove the member device's settings from the next-startup configuration file.

If you have saved the running configuration before the member device rejoins the IRF fabric, perform the following steps to restore the member device settings to the next-startup configuration file:

1.     Resolve the split issue.

2.     Reboot the member device to rejoin the IRF fabric.

3.     After the member device rejoins the IRF fabric, execute the display current-configuration command to verify that the member device's settings have been restored from memory to the running configuration.

4.     Save the running configuration to the next-startup configuration file on the IRF fabric.

 

IMPORTANT

IMPORTANT:

To ensure a successful configuration restoration, make sure the IRF fabric has not rebooted after the member device left.

 

Using different methods to save the running configuration

When you save the running configuration to a configuration file, you can specify the file as a next-startup configuration file.

If you are specifying the file as a next-startup configuration file, use one of the following methods to save the configuration:

·     Fast mode—Use the save command without the safely keyword. In this mode, the device directly overwrites the target next-startup configuration file. If a reboot or power failure occurs during this process, the next-startup configuration file is lost. You must specify a new startup configuration file after the device reboots (see "Specifying a next-startup configuration file").

·     Safe mode—Use the save command with the safely keyword. Safe mode is slower than fast mode, but more secure. In safe mode, the system saves the configuration in a temporary file and starts overwriting the target next-startup configuration file after the save operation is complete. If a reboot or power failure occurs during the save operation, the next-startup configuration file is still retained.

Use the safe mode if the power source is not reliable or you are remotely configuring the device.

To save the running configuration, perform one of the following tasks in any view:

 

Task

Command

Remarks

Save the running configuration to a configuration file without specifying the file as a next-startup configuration file.

save file-url [ all | slot slot-number ]

Support for the all keyword depends on the device model. For more information, see Fundamentals Command Reference.

Save the running configuration to a configuration file and specify the file as a next-startup configuration file.

save [ safely ] [ backup | main ] [ force ] [ changed ]

Make sure you save the configuration to a file in the root directory of a storage medium.

In an IRF fabric, this command saves the configuration to all IRF member devices.

As a best practice, specify the safely keyword for reliable configuration saving.

If you specify only the safely keyword, the command saves the configuration to the main startup configuration file.

If the force keyword is specified, the command saves the configuration to the existing next-startup configuration file.

If the force keyword is not specified, the command allows you to specify a new next-startup configuration file.

 

Configuring configuration rollback

To replace the running configuration with the configuration in a configuration file without rebooting the device, use the configuration rollback feature. This feature helps you revert to a previous configuration state or adapt the running configuration to different network environments.

The configuration rollback feature compares the running configuration against the specified replacement configuration file and handles configuration differences as follows:

·     If a command in the running configuration is not in the replacement file, the rollback feature executes the undo form of the command.

·     If a command in the replacement file is not in the running configuration, the rollback feature adds the command to the running configuration.

·     If a command has different settings in the running configuration and the configuration file, the rollback feature replaces the running command setting with the setting in the configuration file.

To facilitate configuration rollback, the configuration archive feature was developed. This feature enables the system to save the running configuration automatically at regular intervals.

Configuration task list

Tasks at a glance

(Required.) Setting configuration archive parameters

(Required.) Perform one of the following tasks:

·     Enabling automatic configuration archiving

·     Manually archiving the running configuration

(Required.) Rolling back configuration

 

Setting configuration archive parameters

Before archiving the running configuration, either manually or automatically, you must set a file directory and file name prefix for configuration archives.

Configuration archives are named in the format of prefix_serial number.cfg, for example, 20080620archive_1.cfg and 20080620archive_2.cfg. The serial number is automatically assigned from 1 to 1000, increasing by 1. After the serial number reaches 1000, it restarts from 1.

If you change the file directory or file name prefix, or reboot the device, the following events occur:

·     The old configuration archives change to common configuration files.

·     The configuration archive counter is reset.

·     The display archive configuration command no longer displays the old configuration archives.

·     The serial number for new configuration archives starts at 1.

After the maximum number of configuration archives is reached, the system deletes the oldest archive to make room for the new archive.

Configuration guidelines

In an IRF fabric, the configuration archive feature saves the running configuration only on the master device. To make sure the system can archive the running configuration after a master/subordinate switchover, create the directory on all IRF members.

Configuration procedure

To set configuration archive parameters:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Set the directory and file name prefix for archiving the running configuration.

archive configuration location directory filename-prefix filename-prefix

For IRF-capable devices, do not include member ID information in the directory name.

By default, no path or file name prefix is set for configuration archives, and the system does not regularly save configuration.

IMPORTANT IMPORTANT:

The undo form of this command performs the following operations:

·     Disables both manual and automatic configuration archiving.

·     Restores the default settings for the archive configuration interval and archive configuration max commands.

·     Clears the configuration archive information displayed by using the display archive configuration command.

3.     (Optional.) Set the maximum number of configuration archives.

archive configuration max file-number

The default number is 5.

Change the setting depending on the amount of storage available on the device.

 

Enabling automatic configuration archiving

Make sure you have set an archive path and file name prefix before performing this task.

To enable automatic configuration archiving:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable automatic configuration archiving and set the archiving interval.

archive configuration interval minutes

By default, automatic configuration archiving is disabled.

To display configuration archive names and their archiving time, use the display archive configuration command.

 

Manually archiving the running configuration

To save system resources, disable automatic configuration archiving and manually archive the configuration if the configuration will not be changed very often. You can also manually archive configuration before performing complicated configuration tasks. Then, you can use the archive for configuration recovery if the configuration attempt fails.

Make sure you have set an archive path and file name prefix before performing this task.

Perform the following task in user view:

 

Task

Command

Manually archive the running configuration.

archive configuration

 

Rolling back configuration

To avoid a rollback failure, follow these guidelines:

·     Make sure the replacement configuration file is created by using the configuration archive feature or the save command on the local device.

·     If the configuration file is not created on the local device, make sure the command lines in the configuration file are fully compatible with the local device.

·     The replacement configuration file is not encrypted.

To perform a configuration rollback:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Roll the running configuration back to the configuration defined by a configuration file.

configuration replace file filename

The specified configuration file must not be encrypted.

 

The configuration rollback feature might fail to reconfigure some commands in the running configuration for one of the following reasons:

·     A command cannot be undone because prefixing the undo keyword to the command does not result in a valid undo command. For example, if the undo form designed for the A [B] C command is undo A C, the configuration rollback feature cannot undo the A B C command. This is because the system does not recognize the undo A B C command.

·     A command (for example, a hardware-dependent command) cannot be deleted, overwritten, or undone due to system restrictions.

·     The commands in different views are dependent on each other.

·     Commands or command settings that the device does not support cannot be added to the running configuration.

If configuration rollback fails for some command lines, the system outputs a rollback failure message. To identify those command lines, use the display diff current-configuration configfile file-name-d command, with the replacement file specified for the file-name-d argument. The command lines that have failed to roll back are displayed as configuration differences between the running configuration and the replacement configuration file.

Specifying a next-startup configuration file

CAUTION:

In an IRF fabric, the undo startup saved-configuration command can cause an IRF split after the IRF fabric or an IRF member reboots.

 

You can specify a .cfg file as a next-startup configuration file when you execute the save [ safely ] [ backup | main ] [ force ] command.

Alternatively, you can execute the startup saved-configuration cfgfile [ backup | main ] command to specify a .cfg configuration file as the main or backup next-startup configuration file.

When you perform this task, follow these restrictions and guidelines:

·     On an IRF-incapable device, make sure the specified configuration file is valid and has been saved to the root directory of a storage medium.

·     On an IRF fabric, make sure the specified configuration file is valid and has been saved to the root directory of the storage medium on each member device.

·     As a best practice, specify different files as the main and backup next-startup configuration files.

·     The undo startup saved-configuration command changes the attribute of the main or backup next-startup configuration file to NULL instead of deleting the file.

To specify a next-startup configuration file, perform the following task in user view:

 

Task

Command

Remarks

Specify a next-startup configuration file.

startup saved-configuration cfgfile [ backup | main ]

By default, no next-startup configuration files are specified.

If you do not specify the backup or main keyword, this command specifies the configuration file as the main next-startup configuration file.

Use the display startup command and the display saved-configuration command in any view to verify the configuration.

 

Backing up the main next-startup configuration file to a TFTP server

Before performing this task, make sure the following requirements are met:

·     The server is reachable.

·     The server is enabled with TFTP service.

·     You have read and write permissions to the server.

To back up the main next-startup configuration file to a TFTP server:

 

Step

Command

Remarks

1.     (Optional.) Verify that a next-startup configuration file has been specified in user view.

display startup

If no next-startup configuration file has been specified, the backup operation will fail.

2.     Back up the next-startup configuration file to a TFTP server in user view.

backup startup-configuration to { ipv4-server | ipv6 ipv6-server } [ dest-filename ]

N/A

 

Restoring the main next-startup configuration file from a TFTP server

Perform this task to download a configuration file to the device from a TFTP server and specify the file as the main next-startup configuration file.

Before restoring the next-startup configuration file, make sure the following requirements are met:

·     The server is reachable.

·     The server is enabled with TFTP service.

·     You have read and write permissions to the server.

To restore the main next-startup configuration file from a TFTP server:

 

Step

Command

1.     Restore the main next-startup configuration file from a TFTP server in user view.

restore startup-configuration from { ipv4-server | ipv6 ipv6-server } src-filename

2.     (Optional.) Verify that the specified configuration file has been set as the main next-startup configuration file.

display startup

display saved-configuration

 

Deleting a next-startup configuration file

CAUTION:

This task permanently deletes a next-startup configuration file from all member devices. Before performing this task, back up the file as needed. (IRF-capable devices.)

This task permanently deletes a next-startup configuration file from the device. Before performing this task, back up the file as needed. (IRF-incapable devices.)

 

Delete a next-startup configuration file if one of the following events occurs:

·     After you upgrade system software, the file no longer matches the new system software.

·     The file is corrupt or not fully compatible with the device.

If both the main and backup next-startup configuration files are deleted, the device uses the factory defaults at the next startup.

To delete a file that is set as both main and backup next-startup configuration files, you must execute both the reset saved-configuration backup command and the reset saved-configuration main command. Using only one of the commands removes the specified file attribute instead of deleting the file.

For example, if the reset saved-configuration backup command is executed, the backup next-startup configuration file setting is set to NULL. However, the file is still used as the main file. To delete the file, you must also execute the reset saved-configuration main command.

Perform the following task in user view:

 

Task

Command

Remarks

Delete a next-startup configuration file.

reset saved-configuration [ backup | main ]

If you do not specify the backup or main keyword, this command deletes the main next-startup configuration file.

 

Displaying and maintaining configuration files

Execute display commands in any view.

 

Task

Command

Display information about configuration rollback.

display archive configuration

Display the running configuration.

display current-configuration [ configuration [ module-name ] | exclude-provision | interface [ interface-type [ interface-number ] ] ]

Display the differences that the running configuration has as compared with the next-startup configuration.

display current-configuration diff

Display the factory defaults.

display default-configuration

Display the differences between configurations.

·     display diff configfile file-name-s { configfile file-name-d | current-configuration | startup-configuration }

·     display diff current-configuration { configfile file-name-d | startup-configuration }

·     display diff startup-configuration { configfile file-name-d | current-configuration }

Display the contents of the configuration file for the next system startup.

display saved-configuration

Display the names of the configuration files for this startup and the next startup.

display startup

Display the valid configuration in the current view.

display this

Delete a next-startup configuration file.

reset saved-configuration [ backup | main ]

 


Upgrading software

Overview

Software upgrade enables you to add new features and fix bugs. This chapter describes types of software and methods to upgrade software from the CLI. For a comparison of all software upgrade methods, see "Upgrade methods."

Software types

The following software types are available:

·     Boot ROM imageContains a basic segment and an extended segment. The basic segment is the minimum code that bootstraps the system. The extended segment enables hardware initialization and provides system management menus. You can use these menus to load software and the startup configuration file or manage files when the device cannot start up correctly. For easy software compatibility management, the Boot ROM image is packaged in the .bin Boot image file. The Boot ROM image is upgraded automatically when the Boot image is upgraded.

·     Comware image—Includes the following image subcategories:

?     Boot image—A .bin file that contains the Linux operating system kernel. It provides process management, memory management, and file system management.

?     System image—A .bin file that contains the minimum feature modules required for device operation and some basic features, including device management, interface management, configuration management, and routing. To have advanced features, you must purchase feature images.

?     Feature image—A .bin file that contains advanced software features. Users purchase feature images as needed.

?     Patch image—A .bin file irregularly released for fixing bugs without rebooting the device. A patch image does not add new features or functions.

Comware images that have been loaded are called current Comware images. Comware images specified to load at the next startup are called startup Comware images.

Boot ROM image, boot image, and system image are required for the system to operate. These images might be released separately or as a whole in one .ipe package file. If an .ipe file is used, the system decompresses the file automatically, loads the .bin images and sets them as startup software images. Typically, the Boot ROM and startup Comware images for the device are released in an .ipe file.

Software file naming conventions

Software image file names use the chassis-comware version-image type-release format, for example, wx5510-cmw710-system-d5104.bin and wx5510-cmw710-boot-d5104.bin.

Comware image redundancy and loading procedure

You can specify one main list and one backup list of Comware images.

The system always attempts to start up with the main images. If any main image does not exist or is invalid, the system tries the backup images. Figure 29 shows the entire Comware image loading procedure.

In this procedure, both the main and backup image lists have feature and patch images. If an image list does not have feature or patch images, the system starts up with the boot and system images after they pass verification.

If both the main and backup boot images are nonexistent or invalid, access the Boot ROM menu during the system startup to upgrade software.

Figure 29 Comware image loading procedure

 

System startup process

Upon power-on, the Boot ROM image runs to initialize hardware, and then the startup software images run to start up the entire system, as shown in Figure 30.

Figure 30 System startup process

 

Command and hardware compatibility

The WX1800H series access controllers do not support the slot keyword or the slot-number argument.

Upgrade methods

Upgrading method

Software types

Remarks

Upgrading from the CLI

·     Boot ROM image

·     Comware images (excluding patches)

This method is disruptive. You must reboot the entire device to complete the upgrade.

Upgrading from the Boot ROM menu

·     Boot ROM image

·     Comware images

Use this method when the device cannot start up correctly.

To use this method, first connect to the console port and power cycle the device. Then, press Ctrl+B at prompt to access the Boot ROM menu.

For more information about upgrading software from the Boot ROM menu, see the release notes for the software version.

IMPORTANT IMPORTANT:

Upgrade an IRF fabric from the CLI instead of the Boot ROM menu, if possible. The Boot ROM menu method increases the service downtime, because it requires that you upgrade the member devices one by one.

 

Preparing for the upgrade

1.     Use the display version command to verify the current Boot ROM image version and startup software version.

2.     Use the release notes for the upgrade software version to evaluate the upgrade impact on your network and verify the following items:

?     Software and hardware compatibility.

?     Version and size of the upgrade software.

?     Compatibility of the upgrade software with the current Boot ROM image and startup software image.

3.     Use the release notes to verify whether the software images require a license. If licenses are required, register and activate licenses for each license-based software image. For more information about licensing, see "Managing licenses."

4.     On an IRF-incapable or standalone device, use the dir command to verify that the device has sufficient storage space for the upgrade images. On an IRF fabric, use the dir command to verify that all IRF member devices have sufficient storage space for the upgrade images. If the storage space is not sufficient, delete unused files by using the delete command. For more information, see "Managing file systems."

5.     On an IRF-incapable or standalone device, use FTP or TFTP to transfer the upgrade image file to the root directory of the file system. On an IRF fabric, use FTP or TFTP to transfer the upgrade image file to the root directory of the file system on the master device.

For more information about FTP and TFTP, see "Configuring FTP" or "Configuring TFTP."

Upgrade task list

Tasks at a glance

Remarks

(Optional.) Preloading the Boot ROM image to

If a Boot ROM upgrade is required, you can perform this task to shorten the subsequent upgrade time. This task helps avoid upgrade problems caused by unexpected electricity failure.

If you skip this task, the device upgrades the Boot ROM automatically when it upgrades the startup Comware images.

The Boot ROM image preloaded into the Boot ROM takes effect only after you reboot the device.

(Required.) Specifying startup images and completing the upgrade

Perform this task to upgrade a standalone device or an IRF fabric.

(Optional.) Restoring or downgrading the Boot ROM image

N/A

 

Preloading the Boot ROM image to Boot ROM

Perform this task in user view.

To preload the Boot ROM image to Boot ROM:

 

Step

Command

Remarks

1.     (Optional.) Back up the current Boot ROM image in the Normal area of Boot ROM.

·     Back up the image to the Backup area of Boot ROM:
bootrom backup slot slot-number-list
[ all | part ]

·     Back up the image to the file system:
bootrom read slot slot-number-list
[ all | part ]

Use either command to back up the Boot ROM image for a future version rollback or image restoration.

2.     Load the upgrade Boot ROM image to the Normal area of Boot ROM.

bootrom update file file-url slot slot-number-list [ all | part ]

Specify the downloaded software image file for the file-url argument.

The new Boot ROM image takes effect at a reboot.

 

Specifying startup images and completing the upgrade

IRF-incapable devices

Perform this task in user view.

To specify startup images and complete the upgrade:

 

Step

Command

Remarks

1.     Specify main or backup startup images.

·     Use an .ipe file for upgrade:
boot-loader file
ipe-filename { backup | main }

·     Use .bin files for upgrade:
boot-loader file boot
boot-package system system-package [ feature feature-package&<1-30> ] { backup | main }

Upgrade files must be saved in the root directory of the file system.

To avoid configuration failure, make sure no other users are configuring or managing the device.

2.     Save the running configuration.

save

This step ensures that any configuration you have made can survive a reboot.

This step also ensures that the device loads the binary configuration file at reboot. Loading a binary configuration file is faster than loading a text configuration file. For more information about configuration file formats, see "Managing configuration files."

3.     Reboot the device.

reboot

At startup, the device reads the preloaded Boot ROM image to RAM, and loads the startup images.

4.     (Optional.) Verify the software image settings.

display boot-loader

Verify that the current software images are the same as the startup software images.

 

IRF-capable devices

Perform this task in user view.

To specify startup image files and complete the upgrade:

 

Step

Command

Remarks

1.     Specify main or backup startup images for the master device.

·     Use an .ipe file for upgrade:
boot-loader file
ipe-filename { all | slot slot-number } { backup | main }

·     Use .bin files for upgrade:
boot-loader file boot
boot-package system system-package [ feature feature-package&<1-30> ] { all | slot slot-number } { backup | main }

Upgrade files must be saved in the root directory of the file system on an IRF member device.

To avoid configuration failure, make sure no other users are configuring or managing the device.

2.     Specify main startup images for each subordinate device.

·     Method 1 Use an .ipe file for upgrade:
boot-loader file ipe-filename { all | slot slot-number } { backup | main }

·     Method 2 Use .bin files for upgrade:
boot-loader file boot boot-package system system-package [ feature feature-package&<1-30> ] { all | slot slot-number } { backup | main }

·     Method 3:
boot-loader update { all | slot slot-number }

Skip this step if you have only one device.

When you use the boot-loader update command, make sure you understand the following requirements and upgrade results:

·     The boot-loader update command uses the main or backup startup image list for synchronization, instead of the current software images list.

?     The main images list is used if the master device started up with the main startup images.

?     The backup image list is used if the master device started up with the backup startup images.

·     Startup image synchronization will fail if any software image being synchronized is corrupted or is not available.

To avoid configuration failure, make sure no other users are configuring or managing the device.

3.     Save the running configuration.

save

This step ensures that any configuration you have made can survive a reboot.

This step also ensures that the device loads the binary configuration file at reboot. Loading a binary configuration file is faster than loading a text configuration file. For more information about configuration file formats, see "Managing configuration files."

4.     Reboot the IRF fabric.

reboot

At startup, each device reads the preloaded Boot ROM image to RAM, and loads the startup images.

5.     (Optional.) Verify the software image settings.

display boot-loader [ slot slot-number ]

Verify that the current software images are the same as the startup software images.

 

Restoring or downgrading the Boot ROM image

To restore or downgrade the Boot ROM image, make sure you have used the bootrom backup command or the bootrom read command to back up the image to the Backup area of Boot ROM or the file system. The bootrom read command creates two Boot ROM image files on the file system: basicbtm.bin for the basic segment and extendbtm.bin for the extended section.

Before performing a downgrade, also verify software compatibility.

Perform the following task in user view to restore or downgrade the Boot ROM image:

 

Step

Command

Remarks

1.     Replace the Boot ROM image in the Normal area of Boot ROM.

bootrom restore slot slot-number-list [ all | part ]

N/A

2.     Reboot the device.

reboot

At startup, the system runs the new Boot ROM image to complete the restoration or downgrade.

 

Displaying and maintaining software image settings

Execute display commands in any view.

 

Task

Command

Display current software images and startup software images.

display boot-loader [ slot slot-number ]

 

Software upgrade example (IRF-incapable devices)

Network requirements

As shown in Figure 31, use file startup-a2105.ipe to upgrade software images for the AC.

Figure 31 Network diagram

 

Configuration procedure

# Configure IP addresses and routes. Make sure the AC and the TFTP server can reach each other. (Details not shown.)

# Configure TFTP settings on both the AC and the TFTP server. (Details not shown.)

# Display information about the current software images.

<Sysname> display version

# Back up the current software images.

<Sysname> copy boot.bin boot_backup.bin

<Sysname> copy system.bin system_backup.bin

# Specify boot_backup.bin and system_backup.bin as the backup startup image files.

<Sysname> boot-loader file boot flash:/boot_backup.bin system flash:/system_backup.bin backup

# Use TFTP to download the image file startup-a2105.ipe from the TFTP server to the root directory of a file system. The flash memory is used in this example.

<Sysname> tftp 2.2.2.2 get startup-a2105.ipe

# Specify startup-a2105.ipe as the main startup image file.

<Sysname> boot-loader file flash:/startup-a2105.ipe main

# Verify the startup image settings.

<Sysname> display boot-loader

# Reboot the device to complete the upgrade.

<Sysname> reboot

# Verify that the device is running the correct software.

<Sysname> display version

Software upgrade example (IRF-capable devices)

Network requirements

As shown in Figure 32, use file startup-a2105.ipe to upgrade software images for the IRF fabric.

Figure 32 Network diagram

 

Configuration procedure

# Configure IP addresses and routes. Make sure the IRF fabric and the TFTP server can reach each other. (Details not shown.)

# Configure TFTP settings on both the IRF fabric and the TFTP server. (Details not shown.)

# Display information about the current software images.

<Sysname> display version

# Back up the current software images.

<Sysname> copy boot.bin boot_backup.bin

<Sysname> copy system.bin system_backup.bin

# Specify boot_backup.bin and system_backup.bin as the backup startup image files for both member devices.

<Sysname> boot-loader file boot cfa0:/boot_backup.bin system cfa0:/system_backup.bin slot 1 backup

<Sysname> boot-loader file boot cfa0:/boot_backup.bin system cfa0:/system_backup.bin slot 2 backup

# Download image file startup-a2105.ipe from the TFTP server to the root directory of a file system on the master device. The CF card is used in this example.

<Sysname> tftp 2.2.2.2 get startup-a2105.ipe

# Specify startup-a2105.ipe as the main startup image file for both member devices.

<Sysname> boot-loader file cfa0:/startup-a2105.ipe slot 1 main

<Sysname> boot-loader file cfa0:/startup-a2105.ipe slot 2 main

# Verify the startup image settings.

<Sysname> display boot-loader

# Reboot the IRF fabric to complete the upgrade.

<Sysname> reboot

# Verify that the IRF fabric is running the correct software.

<Sysname> display version

 


Managing the device

This chapter describes how to configure basic device parameters and manage the device.

You can perform the configuration tasks in this chapter in any order.

The WX1800H series access controllers do not support the slot keyword or the slot-number argument.

Device management task list

Tasks at a glance

(Required.) Configuring the device name

(Required.) Configuring the system time

(Optional.) Enabling displaying the copyright statement

(Optional.) Configuring banners

(Optional.) Rebooting the device

(Optional.) Scheduling a task

(Optional.) Disabling password recovery capability

(Optional.) Setting the port status detection timer

(Optional.) Monitoring CPU usage

(Required.) Setting memory alarm thresholds

(Required.) Configuring the temperature alarm thresholds

(Required.) Verifying and diagnosing transceiver modules

(Optional.) Restoring the factory-default configuration

 

Configuring the device name

A device name (also called hostname) identifies a device in a network and is used in CLI view prompts. For example, if the device name is Sysname, the user view prompt is <Sysname>.

To configure the device name:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Configure the device name.

sysname sysname

The default device name is H3C.

 

Configuring the system time

Correct system time is essential to network management and communication. Configure the system time correctly before you run the device on the network.

The device can use the locally set system time, or obtain the UTC time from an NTP source and calculate the system time.

·     When using the locally set system time, the device uses the clock signals generated by its built-in crystal oscillator to maintain the system time.

·     After obtaining the UTC time from an NTP source, the device uses the UTC time, time zone, and daylight saving time to calculate the system time. Then, the device periodically synchronizes its UTC time and recalculates the system time. For more information about NTP, see Network Management and Monitoring Configuration Guide.

The system time calculated by using the UTC time from an NTP time source is more precise.

To configure the device to use the local system time:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Specify the system time source.

clock protocol none

By default, the device uses the NTP time source.

If you execute the clock protocol command multiple times, the most recent configuration takes effect.

3.     Return to user view.

quit

N/A

4.     Set the local system time.

clock datetime time date

N/A

5.     Enter system view.

system-view

N/A

6.     Set the time zone.

clock timezone zone-name { add | minus } zone-offset

By default, the system uses the UTC time zone.

This setting must be consistent with the time zone of the place where the device resides.

After a time zone change, the device recalculates the system time. To view the system time, use the display clock command.

7.     (Optional.) Set the daylight saving time.

clock summer-time name start-time start-date end-time end-date add-time

By default, the daylight saving time is not set.

The settings must be consistent with the daylight saving time parameters of the place where the device resides.

After you set the daylight saving time, the device recalculates the system time. To view the system time, use the display clock command.

 

To configure the device to obtain the UTC time from a time source and calculate the system time:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Specify the system time source.

clock protocol ntp

By default, the device uses the NTP time source.

If you execute the clock protocol command multiple times, the most recent configuration takes effect.

3.     Set the time zone.

clock timezone zone-name { add | minus } zone-offset

By default, the system uses the UTC time zone.

This setting must be consistent with the time zone of the place where the device resides.

After you set the time zone, the device recalculates the system time. To view the system time, use the display clock command.

4.     (Optional.) Set the daylight saving time.

clock summer-time name start-time start-date end-time end-date add-time

By default, the daylight saving time is not set.

The settings must be consistent with the daylight saving time parameters of the place where the device resides.

After you set the daylight saving time, the device recalculates the system time. To view the system time, use the display clock command.

 

Enabling displaying the copyright statement

This feature enables the device to display the copyright statement in the following situations:

·     When a Telnet or SSH user logs in.

·     When a console user quits user view. This is because the device automatically tries to restart the user session.

The following is a sample copyright statement:

****************************************************************************** 

* Copyright (c) 2004-2018 New H3C Technologies Co., Ltd. All rights reserved.* 

* Without the owner's prior written consent,                                 * 

* no decompiling or reverse-engineering shall be allowed.                    * 

******************************************************************************

To enable displaying the copyright statement:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable displaying the copyright statement.

copyright-info enable

By default, this function is enabled.

 

Configuring banners

Banners are messages that the system displays when a user logs in.

Banner types

The system supports the following banners:

·     Legal banner—Appears after the copyright or license statement. To continue login, the user must enter Y or press Enter. To quit the process, the user must enter N. Y and N are case insensitive.

·     Message of the Day (MOTD) banner—Appears after the legal banner and before the login banner.

·     Login banner—Appears only when password or scheme authentication is configured.

·     Shell banner—Appears for a user when the user accesses user view.

Banner input methods

You can configure a banner by using one of the following methods:

·     Input the entire command line in a single line.

The entire command line, including the command keywords, the banner, and the delimiters, can have up to 511 characters. The delimiters for the banner can be any printable character but must be the same. You cannot press Enter before you input the end delimiter.

For example, you can configure the shell banner "Have a nice day." as follows:

<System> system-view

[System] header shell %Have a nice day.%

·     Input the command line in multiple lines.

The banner and the delimiters can have up to 2002 characters. The banner can contain carriage returns. A carriage return is counted as two characters.

To input a banner configuration command line in multiple lines, use one of the following methods:

?     Press Enter after the final command keyword, type the banner, and end the final line with the delimiter character %.

For example, you can configure the banner "Have a nice day." as follows:

<System> system-view

[System] header shell

Please input banner content, and quit with the character '%'.

Have a nice day.%

?     After you type the final command keyword, type any printable character as the start delimiter for the banner and press Enter. Then, type the banner and end the final line with the same delimiter.

For example, you can configure the banner "Have a nice day." as follows:

<System> system-view

[System] header shell A

Please input banner content, and quit with the character 'A'.

Have a nice day.A

?     After you type the final command keyword, type the start delimiter and part of the banner. Make sure the final character of the final string is different from the start delimiter. Then, press Enter, type the rest of the banner, and end the final line with the same delimiter.

For example, you can configure the banner "Have a nice day." as follows:

<System> system-view

[System] header shell AHave a nice day.

Please input banner content, and quit with the character 'A'.

A

Configuration procedure

To configure banners:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Configure the legal banner.

header legal text

By default, no legal banner is configured.

3.     Configure the MOTD banner.

header motd text

By default, no MOTD banner is configured.

4.     Configure the login banner.

header login text

By default, no login banner is configured.

5.     Configure the shell banner.

header shell text

By default, no shell banner is configured.

 

Rebooting the device

CAUTION:

·     A device reboot might interrupt network services.

·     To avoid configuration loss, use the save command to save the running configuration before a reboot. For more information about the save command, see Fundamentals Command Reference.

·     Before a reboot, use the display startup and display boot-loader commands to verify that the startup configuration file and startup software images are correctly specified. If a startup configuration file or software image problem exists, the device cannot start up correctly. For more information about the two display commands, see Fundamentals Command Reference.

 

The following device reboot methods are available:

·     Schedule a reboot at the CLI, so the device automatically reboots at the specified time or after the specified period of time.

·     Immediately reboot the device at the CLI.

During the reboot process, the device performs the following operations:

a.     Resets all of its chips.

b.     Uses the Boot ROM to verify the startup software package, decompress the package, and load the images.

c.     Initializes the system.

·     Power off and then power on the device. This method might cause data loss, and is the least-preferred method.

Using the CLI, you can reboot the device from a remote host.

For data security, the device does not reboot while it is performing file operations.

Rebooting devices immediately at the CLI

Execute the following command in user view:

 

Task

Command

Reboot an IRF member device or all IRF member devices.

reboot [ slot slot-number ] [ force ]

 

Scheduling a device reboot

When you schedule a reboot, follow these guidelines:

·     The device supports only one device reboot schedule. If you configure the scheduler reboot at or scheduler reboot delay command multiple times or configure both commands, the most recent configuration takes effect.

·     The automatic reboot configuration takes effect on all member devices. It will be canceled if a master/subordinate switchover occurs.

To schedule a reboot, execute one of the following commands in user view:

 

Task

Command

Remarks

Specify the reboot date and time.

scheduler reboot at time [ date ]

By default, no reboot date or time is specified.

Specify the reboot delay time.

scheduler reboot delay time

By default, no reboot delay time is specified.

 

Scheduling a task

You can schedule the device to automatically execute a command or a set of commands without administrative interference.

You can configure a periodic schedule or a non-periodic schedule. A non-periodic schedule is not saved to the configuration file and is lost when the device reboots. A periodic schedule is saved to the startup configuration file and is automatically executed periodically.

Configuration restrictions and guidelines

When you schedule a task, follow these restrictions and guidelines:

·     To assign a command (command A) to a job, you must first assign the job the command or commands for entering the view of command A.

·     Make sure all commands in a schedule are compliant to the command syntax. The system does not check the syntax when you assign a command to a job.

·     A schedule cannot contain any one of these commands: telnet, ftp, ssh2, and monitor process.

·     A schedule does not support user interaction. If a command requires a yes or no answer, the system always assumes that a Y or Yes is entered. If a command requires a character string input, the system assumes that either the default character string (if any) or a null string is entered.

·     A schedule is executed in the background, and no output (except for logs, traps, and debug information) is displayed for the schedule.

Configuration procedure

To configure a non-periodic schedule for the device:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create a job.

scheduler job job-name

By default, no job exists.

3.     Assign a command to the job.

command id command

By default, no command is assigned to a job.

A command with a smaller ID is executed first.

4.     Exit to system view.

quit

N/A

5.     Create a schedule.

scheduler schedule schedule-name

By default, no schedule exists.

6.     Assign a job to a schedule.

job job-name

By default, no job is assigned to a schedule.

You can assign multiple jobs to a schedule. The jobs will be executed concurrently.

7.     Assign user roles to the schedule.

user-role role-name

By default, a schedule has the user role of the schedule creator.

You can assign up to 64 user roles to a schedule. A command in a schedule can be executed if it is permitted by one or more user roles of the schedule.

The security-audit role is mutually exclusive with any other user roles. Assigning the security-audit role removes existing user role assignments. Assigning any other user roles removes the security-audit role assignment.

8.     Specify an execution time table for the non-periodic schedule.

·     Specify the execution date and time:
time at time date

·     Specify the execution days and time:
time once at time [ month-date month-day | week-day week-day&<1-7> ]

·     Specify the execution delay time:
time once delay time

By default, no execution time is specified for a schedule.

Executing commands clock datetime, clock summer-time, and clock timezone does not change the execution time table that is already configured for a schedule.

 

To configure a periodic schedule for the device:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create a job.

scheduler job job-name

By default, no job exists.

3.     Assign a command to the job.

command id command

By default, no command is assigned to a job.

A job with a smaller ID is executed first.

4.     Exit to system view.

quit

N/A

5.     Create a schedule.

scheduler schedule schedule-name

By default, no schedule exists.

6.     Assign a job to a schedule.

job job-name

By default, no job is assigned to a schedule.

You can assign multiple jobs to a schedule. The jobs will be executed concurrently.

7.     Assign user roles to the schedule.

user-role role-name

By default, a schedule has the user role of the schedule creator.

You can assign up to 64 user roles to a schedule. A command in a schedule can be executed if it is permitted by one or more user roles of the schedule.

8.     Specify an execution time table for the periodic schedule.

·     Execute the schedule at an interval from the specified time on:
time repeating at time [ month-date [ month-day | last ] | week-day week-day&<1-7> ]

·     Execute the schedule at the specified time on every specified day in a month or week:
time repeating [ at time [date ] ] interval interval-time

By default, no execution time is specified for a schedule.

Executing commands clock datetime, clock summer-time, and clock timezone does not change the execution time table that is already configured for a schedule.

 

Schedule configuration example

Network requirements

As shown in Figure 33, the PC accesses the AC through the AP. The AC acts as the DHCP server to assign IP addresses to the AP and PC. The AP is connected to the AC through Radio 1.

To save energy, configure the AC to perform the following operations:

·     Enable Radio 1 at 8:00 a.m. every day.

·     Disable Radio 1 at 20:00 every day.

Figure 33 Network diagram

 

Scheduling procedure

This section describes only the scheduling procedure. For information about wireless access configuration, see WLAN Configuration Guide.

# Enter system view.

<AC> system-view

# Configure a job for disabling Radio 1.

[AC] scheduler job radio_disable

[AC-job-radio_disable] command 1 system-view

[AC-job-radio_disable] command 2 wlan ap ap1 model WA536-WW

[AC-job-radio_disable] command 3 radio 1

[AC-job-radio_disable] command 4 radio disable

[AC-job-radio_disable] quit

# Configure a periodic schedule for disabling Radio 1 at 20:00 every day.

[AC] scheduler schedule stop_radio

[AC-schedule-stop_radio] job radio_disable

[AC-schedule-stop_radio] time repeating at 20:00

[AC-schedule-stop_radio] quit

# Configure a job for enabling Radio 1.

[AC] scheduler job radio_enable

[AC-job-radio_enable] command 1 system-view

[AC-job-radio_enable] command 2 wlan ap ap1 model WA536-WW

[AC-job-radio_enable] command 3 radio 1

[AC-job-radio_enable] command 4 radio enable

[AC-job-radio_enable] quit

# Configure a periodic schedule for enabling Radio 1 at 8:00 a.m. every day.

[AC] scheduler schedule start_radio

[AC-schedule-start_radio] job radio_enable

[AC-schedule-start_radio] time repeating at 8:00

[AC-schedule-start_radio] quit

 Verifying the scheduling

# Display information about the AP. Verify that the value of the Admin State field is up from 8:00 to 20:00 and down outside of the time range.

[AC] display wlan ap name ap1 verbose

AP name                       : ap1

AP ID                         : 1

AP group name                 : default-group

State                         : Run

Backup Type                   : NULL

Online time                   : 0 days 2 hours 18 minutes 10 seconds

System up time                : 0 days 2 hours 19 minutes 11 seconds

Model                         : WA536-WW

Region code                   : HK

Region code lock              : Disable

Serial ID                     : 219801A1NQB117012935

MAC address                   : 586a-b1fb-e2c0

IP address                    : 100.1.0.1

H/W version                   : Ver.C

S/W version                   : V700R001B64D003

Boot version                  : 7.01

USB state                     : N/A

Power Level                   : Middle

PowerInfo                     : N/A

Description                   : Not configured

Priority                      : 4

Echo interval                 : 10 seconds

Echo count                    : 3 counts

Keepalive interval            : 10 seconds

Statistics report interval    : 50 seconds

Fragment size (data)          : 1500

Fragment size (control)       : 1450

MAC type                      : Local MAC & Split MAC

Tunnel mode                   : Local Bridging & 802.3 Frame & Native Frame

Discovery type                : Unknown

Retransmission count          : 3

Retransmission interval       : 5 seconds

Firmware upgrade              : Enabled

Sent control packets          : 3159

Received control packets      : 3159

Echo requests                 : 0

Lost echo responses           : 0

Average echo delay            : 0

Last reboot reason            : N/A

Latest IP address             : N/A

Tunnel down reason            : N/A

Connection count              : 1

Backup Ipv4                   : Not configured

Backup Ipv6                   : Not configured

Tunnel encryption             : Disabled

LED mode                      : Normal

Remote configuration          : Disabled

Radio 1:

    Basic BSSID               : 586a-b1fb-e2c0

    Admin state               : Up

    Radio type                : 802.11ac

    Antenna type              : internal

    Client dot11ac-only       : Disabled

    Client dot11n-only        : Disabled

    Channel band-width        : 20/40/80MHz

    Secondary channel offset  : SCA

    Short GI for 20MHz        : Supported

    Short GI for 40MHz        : Supported

    Short GI for 80MHz        : Supported

    Short GI for 160MHz       : Not supported

    A-MSDU                    : Enabled

    A-MPDU                    : Enabled

    LDPC                      : Not Supported

    STBC                      : Supported

    Operational VHT-MCS Set:

        Mandatory             : Not configured

        Supported             : NSS1 0,1,2,3,4,5,6,7,8,9

                                NSS2 0,1,2,3,4,5,6,7,8,9

        Multicast             : Not configured

    Operational HT MCS Set:

        Mandatory             : Not configured

        Supported             : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,

                                10, 11, 12, 13, 14, 15

        Multicast             : Not configured

    Channel                   : 149

    Channel usage(%)          : 0

    Max power                 : 20 dBm

    Operational rate:

        Mandatory             : 6, 12, 24 Mbps

        Multicast             : Auto

        Supported             : 9, 18, 36, 48, 54 Mbps

        Disabled              : Not configured

    Distance                  : 1 km

    ANI                       : Enabled

    Fragmentation threshold   : 2346 bytes

    Beacon interval           : 100 TU

    Protection threshold      : 2346 bytes

    Long retry threshold      : 4

    Short retry threshold     : 7

    Maximum rx duration       : 2000 ms

    Noise floor               : -102 dBm

Protection mode           : cts-to-self                                     

    MU-TxBF                   : Enabled                                        

    SU-TxBF                   : Enabled                                        

    Continuous mode           : N/A                                             

    HT protection mode        : No protection                                  

Radio 2:                                                                       

    Basic BSSID               : N/A                                            

    Admin state               : Down                                           

    Radio type                : 802.11ac                                       

    Antenna type              : internal                                       

    Client dot11ac-only       : Disabled                                       

    Client dot11n-only        : Disabled                                       

    Channel band-width        : 20/40/80MHz                                    

    Active band-width         : 20/40/80MHz                                    

    Secondary channel offset  : SCA                                            

    Short GI for 20MHz        : Supported                                      

    Short GI for 40MHz        : Supported                                       

    Short GI for 80MHz        : Supported                                      

    Short GI for 160MHz       : Not supported                                  

    A-MSDU                    : Enabled                                        

    A-MPDU                    : Enabled                                        

    LDPC                      : Not Supported                                  

    STBC                      : Supported                                      

    Operational VHT-MCS Set:                                                   

        Mandatory             : Not configured                                 

        Supported             : NSS1 0,1,2,3,4,5,6,7,8,9                       

                                NSS2 0,1,2,3,4,5,6,7,8,9                       

        Multicast             : Not configured                                 

    Operational HT MCS Set:                                                     

        Mandatory             : Not configured                                 

        Supported             : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,                  

                                10, 11, 12, 13, 14, 15                         

        Multicast             : Not configured                                 

    Channel                   : 100(auto)                                      

    Channel usage(%)          : 0                                               

    Max power                 : 25 dBm                                         

    Operational rate:                                                          

        Mandatory             : 6, 12, 24 Mbps                                  

        Multicast             : Auto                                           

        Supported             : 9, 18, 36, 48, 54 Mbps                         

        Disabled              : Not configured                                 

    Distance                  : 1 km                                           

    ANI                       : Enabled                                        

    Fragmentation threshold   : 2346 bytes                                     

    Beacon interval           : 100 TU                                         

    Protection threshold      : 2346 bytes                                     

    Long retry threshold      : 4                                              

    Short retry threshold     : 7                                              

    Maximum rx duration       : 2000 ms                                        

    Noise floor               : 0 dBm                                          

    Protection mode           : cts-to-self                                    

    MU-TxBF                   : Enabled                                        

    SU-TxBF                   : Enabled                                        

    Continuous mode           : N/A                                            

    HT protection mode        : No protection                                  

Radio 3:                                                                       

    Basic BSSID               : N/A                                             

    Admin state               : Down                                           

    Radio type                : 802.11n(2.4GHz)                                

    Antenna type              : internal                                        

    Client dot11n-only        : Disabled                                       

    Channel band-width        : 20MHz                                          

    Active band-width         : 20MHz                                           

    Secondary channel offset  : SCN                                            

    Short GI for 20MHz        : Supported                                      

    Short GI for 40MHz        : Supported                                       

    A-MSDU                    : Enabled                                        

    A-MPDU                    : Enabled                                        

    LDPC                      : Not Supported                                  

    STBC                      : Supported                                      

    Operational HT MCS Set:                                                    

        Mandatory             : Not configured                                 

        Supported             : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,                  

                                10, 11, 12, 13, 14, 15                         

        Multicast             : Not configured                                 

    Channel                   : 1(auto)                                        

    Channel usage(%)          : 0                                              

    Max power                 : 13 dBm                                         

    Preamble type             : Short                                          

    Operational rate:                                                          

        Mandatory             : 1, 2, 5.5, 11 Mbps                             

        Multicast             : Auto                                           

        Supported             : 6, 9, 12, 18, 24, 36, 48, 54 Mbps              

        Disabled              : Not configured                                 

    Distance                  : 1 km                                            

    ANI                       : Enabled                                        

    Fragmentation threshold   : 2346 bytes                                     

    Beacon interval           : 100 TU                                          

    Protection threshold      : 2346 bytes                                     

    Long retry threshold      : 4                                              

    Short retry threshold     : 7                                               

    Maximum rx duration       : 2000 ms                                        

    Noise floor               : 0 dBm                                          

    Protection mode           : cts-to-self                                     

    Continuous mode           : N/A                                            

    HT protection mode        : No protection

Disabling password recovery capability

Password recovery capability controls console user access to the device configuration and SDRAM from Boot ROM menus. For more information about Boot ROM menus, see the release notes.

If password recovery capability is enabled, a console user can access the device configuration without authentication to configure a new password.

If password recovery capability is disabled, console users must restore the factory-default configuration before they can configure new passwords. Restoring the factory-default configuration deletes the next-startup configuration files.

To enhance system security, disable password recovery capability.

To disable password recovery capability:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Disable password recovery capability.

undo password-recovery enable

By default, password recovery capability is enabled.

 

Setting the port status detection timer

The device starts a port status detection timer when a port is shut down by a protocol. Once the timer expires, the device brings up the port so the port status reflects the port's physical status.

To set the port status detection timer:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Set the port status detection timer.

shutdown-interval time

The default setting is 30 seconds.

 

Monitoring CPU usage

When monitoring the CPU usage, the device performs the following operations:

·     Samples CPU usage at an interval of 1 minute, and compares the sample with the CPU usage threshold. If the sample is greater, the device sends a trap.

·     Samples and saves CPU usage at a configurable interval if CPU usage tracking is enabled.

To monitor CPU usage:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable CPU usage tracking.

monitor cpu-usage enable [ slot slot-number ]

By default, CPU usage tracking is enabled.

3.     Set the sampling interval for CPU usage tracking.

monitor cpu-usage interval interval-value [ slot slot-number ]

By default, the sampling interval for CPU usage tracking is 1 minute.

4.     Set the CPU usage threshold.

monitor cpu-usage threshold cpu-threshold [ slot slot-number ]

By default, the CPU usage threshold is 99%.

5.     Exit to user view.

quit

N/A

6.     Display CPU usage statistics.

display cpu-usage [ summary ] [ slot slot-number ]

This command is available in any view.

7.     Display CPU usage monitoring settings.

display cpu-usage configuration [ slot slot-number ]

This command is available in any view.

8.     Display the historical CPU usage statistics in a coordinate system.

display cpu-usage history [ job job-id ] [ slot slot-number ]

This command is available in any view.

 

Setting memory alarm thresholds

To monitor memory usage, the device performs the following operations:

·     Samples memory usage at an interval of 1 minute, and compares the sample with the memory usage threshold. If the sample is greater, the device sends a trap.

·     Monitors the amount of free memory space in real time. If the amount of free memory space exceeds a free-memory threshold, the system generates an alarm notification and sends it to affected service modules or processes. If the amount of free memory space drops below a free-memory threshold, the system generates an alarm-removed notification and sends it to affected service modules or processes.

As shown in Table 13 and Figure 34, the system supports the following free-memory thresholds:

·     Normal state threshold.

·     Minor alarm threshold.

·     Severe alarm threshold.

·     Critical alarm threshold.

Table 13 Memory alarm notifications and memory alarm-removed notifications

Notification

Triggering condition

Remarks

Minor alarm notification

The amount of free memory space decreases to or below the minor alarm threshold for the first time.

After generating and sending a minor alarm notification, the system does not generate and send any additional minor alarm notifications until the first minor alarm is removed.

Severe alarm notification

The amount of free memory space decreases to or below the severe alarm threshold for the first time.

After generating and sending a severe alarm notification, the system does not generate and send any additional severe alarm notifications until the first severe alarm is removed.

Critical alarm notification

The amount of free memory space decreases to or below the critical alarm threshold for the first time.

After generating and sending a critical alarm notification, the system does not generate and send any additional critical alarm notifications until the first critical alarm is removed.

Critical alarm-removed notification

The amount of free memory space increases to or above the severe alarm threshold.

N/A

Severe alarm-removed notification

The amount of free memory space increases to or above the minor alarm threshold.

N/A

Minor alarm-removed notification

The amount of free memory space increases to or above the normal state threshold.

N/A

 

Figure 34 Memory alarm notifications and alarm-removed notifications

 

 

To set memory alarm thresholds:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Set the memory usage threshold.

memory-threshold [ slot slot-number ] usage memory-threshold

By default, the memory usage threshold is 100%.

3.     Set the free-memory thresholds.

memory-threshold [ slot slot-number ] minor minor-value severe severe-value critical critical-value normal normal-value

For information about the default settings, see Fundamentals Command Reference.

 

Configuring the temperature alarm thresholds

The device monitors its temperature based on the following thresholds:

·     Low-temperature threshold.

·     High-temperature warning threshold.

·     High-temperature alarming threshold.

When the temperature drops below the low-temperature threshold or reaches the high-temperature warning or alarming threshold, the device performs the following operations:

·     Sends log messages and traps.

·     Sets LEDs on the device panel.

To configure the temperature alarm thresholds:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Configure the temperature alarm thresholds.

temperature-limit slot slot-number { hotspot | inflow } sensor-number lowlimit warninglimit [ alarmlimit ]

The defaults vary by temperature sensor model. To view the defaults, use the undo temperature-limit command to restore the defaults and then execute the display environment command.

The high-temperature alarming threshold must be higher than the high-temperature warning threshold. The high-temperature warning threshold must be higher than the low-temperature threshold.

 

Verifying and diagnosing transceiver modules

The following matrix shows the feature and hardware compatibility:

 

Hardware series

Model

Feature compatibility

WX1800H series

WX1804H

WX1810H

WX1820H

No

WX1840H

Yes

WX3800H series

WX3820H

WX3840H

Yes

WX5800H series

WX5860H

Yes

 

Verifying transceiver modules

You can use one of the following methods to verify the genuineness of a transceiver module:

·     Display the key parameters of a transceiver module, including its transceiver type, connector type, central wavelength of the transmit laser, transfer distance, and vendor name.

·     Display its electronic label. The electronic label is a profile of the transceiver module and contains the permanent configuration, including the serial number, manufacturing date, and vendor name. The data is written to the storage component during debugging or testing.

Install only transceiver modules that are from H3C. If you install a transceiver module that is not from H3C, the device will generate a log message to prompt you to replace the module. For more information about log messages, see information center configuration in Network Management and Monitoring Configuration Guide.

To verify transceiver modules, execute the following commands in any view:

 

Task

Command

Remarks

Display the key parameters of transceiver modules.

display transceiver interface [ interface-type interface-number ]

N/A

Display the electrical label information of transceiver modules.

display transceiver manuinfo interface [ interface-type interface-number ]

This command cannot display information for some transceiver modules.

 

Diagnosing transceiver modules

The device provides the alarming and digital diagnosis functions for transceiver modules. When a transceiver module fails or is not operating correctly, you can perform the following tasks:

·     Check the alarms that exist on the transceiver module to identify the fault source.

·     Examine the key parameters monitored by the digital diagnosis function, including the temperature, voltage, laser bias current, TX power, and RX power.

To diagnose transceiver modules, execute the following commands in any view:

 

Task

Command

Remarks

Display transceiver alarms.

display transceiver alarm interface [ interface-type interface-number ]

N/A

Display the current values of the digital diagnosis parameters on transceiver modules.

display transceiver diagnosis interface [ interface-type interface-number ]

This command cannot display information about some transceiver modules.

 

Restoring the factory-default configuration

CAUTION

CAUTION:

This task is disruptive. Use this task only when you cannot troubleshoot the device by using other methods, or you want to use the device in a different scenario.

 

To restore the factory-default configuration for the device, execute the following command in user view:

 

Task

Command

Remarks

Restore the factory-default configuration for the device.

restore factory-default

This command takes effect after a device reboot.

 

Displaying and maintaining device management configuration

Execute display commands in any view. Execute the reset command in user view.

 

Task

Command

Display the system time, date, local time zone, and daylight saving time.

display clock

Display the copyright statement.

display copyright

Display CPU usage statistics.

display cpu-usage [ summary ] [ slot slot-number ]

Display historical CPU usage statistics in a chart.

display cpu-usage history [ job job-id ] [ slot slot-number ]

Display hardware information.

display device [ cf-card ] [ slot slot-number | verbose ]

Display electronic label information for the device.

display device manuinfo [ slot slot-number ]

Display or save device diagnostic information.

display diagnostic-information [ hardware | infrastructure | l2 | l3 | service ] [ key-info ] [ filename ]

Display device temperature information.

display environment [ slot slot-number ]

Display the operating states of fans.

display fan [ slot slot-number [ fan-id ] ]

Display memory usage statistics.

display memory [ summary ] [ slot slot-number ]

Display memory alarm thresholds and statistics.

display memory-threshold [ slot slot-number ]

Display power supply information.

display power [ power-id ]

Display job configuration information.

display scheduler job [ job-name ]

Display job execution log information.

display scheduler logfile

Display the automatic reboot schedule.

display scheduler reboot

Display schedule information.

display scheduler schedule [ schedule-name ]

Display system stability and status information.

display system stable state

Display system version information.

display version

Clear job execution log information.

reset scheduler logfile

 


Using Tcl

Comware V7 provides a built-in tool command language (Tcl) interpreter. From user view, you can use the tclsh command to enter Tcl configuration view to execute the following commands:

·     All Tcl 8.5 commands.

·     Comware commands.

The Tcl configuration view is equivalent to the user view. You can use Comware commands in Tcl configuration view in the same way they are used in user view. For example, you can perform the following tasks:

?     Use the system-view command to enter system view to configure features.

?     Use the quit command to return to the upper-level view.

Using Tcl to configure the device

When you use Tcl to configure the device, follow these guidelines and restrictions:

·     You can apply Tcl environment variables to Comware commands.

·     No online help information is provided for Tcl commands.

·     You cannot press Tab to complete an abbreviated Tcl command.

·     Make sure the Tcl commands can be executed correctly. If a problem occurs when the Tcl commands are being executed, you can disable the process if you log in through Telnet or SSH. If you log in from the console port, you must restart the device. H3C recommends that you log in through Telnet or SSH.

To use Tcl to configure the device:

 

Task

Command

Enter Tcl configuration view from user view.

tclsh

Execute a Tcl command.

Tcl command

Return from Tcl configuration view to user view.

tclquit

 

 

NOTE:

·     The tclquit command has the same effect as the quit command in Tcl configuration view.

·     If you have used a Comware command to enter a subview under Tcl configuration view, you can only use the quit command, instead of the tclquit command, to return to the upper-level view.

 

Executing Comware commands in Tcl configuration view

Follow these restrictions and guidelines when you execute Comware commands in Tcl configuration view:

·     For Comware commands, you can enter ? to obtain online help or press Tab to complete an abbreviated command. For more information, see "Using the CLI."

·     The cli command is a Tcl command, so you cannot enter ? to obtain online help or press Tab to complete an abbreviated command.

·     Successfully executed Comware commands are saved to command history buffers. You can use the upper arrow or lower arrow key to obtain executed commands.

·     To execute multiple Comware commands in one operation:

?     Enter multiple Comware commands separated by semi-colons to execute the commands in the order they are entered. For example, wlan ap ap1 model WA536-WW ; radio 1.

?     Specify multiple Comware commands for the cli command, quote them, and separate them by a space and a semicolon. For example, cli " wlan ap ap1 model WA536-WW ; radio 1".

?     Specify one Comware command for each cli command and separate them by a space and a semicolon. For example, cli wlan ap ap1 model WA536-WW ; cli radio 1.

To execute Comware commands in Tcl configuration view:

 

Step

Command

Remarks

1.     Enter Tcl configuration view

tclsh

N/A

2.     Execute Comware commands directly.

Command

Use either method.

If you execute a Comware command directly, a Tcl command is executed when the Tcl command conflicts with the Comware command.

If you execute a Comware command by using the cli command, the Comware command is executed when it conflicts with a Tcl command.

3.     Execute Comware commands by using the cli command.

cli command

 


Using Python

Overview

Comware V7 provides a built-in Python interpreter that supports the following items:

·     Python 2.7 commands.

·     Python 2.7 standard API.

·     Comware V7 extended API. For more information about the Comware V7 extended API, see "Comware V7 extended Python API."

·     Python scripts. You can use a Python script to configure the system.

Entering the Python shell

To use Python commands and APIs, you must enter the Python shell.

 

Task

Command

Enter the Python shell from user view.

python

 

Executing a Python script

Execute a Python script in user view.

 

Task

Command

Execute a Python script.

python filename

 

Python usage example

Network requirements

Use a Python script to perform the following tasks:

·     Download configuration files main.cfg and backup.cfg to the device.

·     Configure the files as the main and backup configuration files for the next startup.

Figure 35 Network diagram

 

Usage procedure

# Use a text editor on the PC to edit Python script test.py as follows:

#!usr/bin/python

import comware

 

comware.Transfer('tftp', '192.168.1.26', 'main.cfg', 'flash:/main.cfg')

comware.Transfer('tftp', '192.168.1.26', 'backup.cfg', 'flash:/backup.cfg')

comware.CLI('startup saved-configuration flash:/main.cfg main ;startup saved-configuration flash:/backup.cfg backup')

# Use TFTP to download the script to the device.

<Sysname> tftp 192.168.1.26 get test.py

# Execute the script.

<Sysname> python flash:/test.py

<Sysname> startup saved-configuration flash:/main.cfg main

Please wait...... Done.

<Sysname> startup saved-configuration flash:/backup.cfg backup

Please wait...... Done.

Verifying the configuration

# Display startup configuration files.

<Sysname> display startup

 Current startup saved-configuration file: flash:/startup.cfg

 Next main startup saved-configuration file: flash:/main.cfg

 Next backup startup saved-configuration file: flash:/backup.cfg


Comware V7 extended Python API

The Comware V7 extended Python API is compatible with the Python syntax.

The WX1800H series access controllers do not support the slot-number arguments.

Importing and using the Comware V7 extended Python API

To use the Comware V7 extended Python API, you must import the API to Python.

Use either of the following methods to import and use the Comware V7 extended Python API:

·     Use import comware to import the entire API and use comware.API to execute an API.

For example, to use the extended API Transfer to download file test.cfg from TFTP server 192.168.1.26:

<Sysname> python

Python 2.7.3 (default)

[GCC 4.4.1] on linux2

Type "help", "copyright", "credits" or "license" for more information.

>>> import comware

>>> comware.Transfer('tftp', '192.168.1.26', 'test.cfg', 'flash:/test.cfg', user='', password='')

<comware.Transfer object at 0xb7eab0e0>

·     Use from comware import API to import an API and use API to execute the API.

For example, to use the extended API Transfer to download file test.cfg from TFTP server 192.168.1.26:

<Sysname> python

Python 2.7.3 (default)

[GCC 4.4.1] on linux2

Type "help", "copyright", "credits" or "license" for more information.

>>> from comware import Transfer

>>> Transfer('tftp', '192.168.1.26', 'test.cfg', 'flash:/test.cfg', user='', password='')

<comware.Transfer object at 0xb7e5e0e0>

Comware V7 extended Python API functions

CLI class

CLI

Use CLI to execute Comware V7 CLI commands and create CLI objects.

Syntax

CLI(command=‘’, do_print=True)

Parameters

command: Specifies the commands to be executed. To enter multiple commands, use a space and a semicolon (;) as the delimiter. To enter a command in a view other than user view, you must first enter the commands used to enter the view. For example, you must enter ’system-view ;local-user test class manage’ to execute the local-user test class manage command.

do_print: Specifies whether to output the execution result:

·     True—Outputs the execution result. This value is the default.

·     False—Does not output the execution result.

Usage guidelines

This API supports only Comware commands. It does not support Linux, Python, or Tcl commands.

Returns

CLI objects

Examples

# Add a local user with the username test.

<Sysname> python

Python 2.7.3 (default)

[GCC 4.4.1] on linux2

Type "help", "copyright", "credits" or "license" for more information.

>>> import comware

>>> comware.CLI('system-view ;local-user test class manage')

Sample output

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] local-user test class manage

New local user added.

<comware.CLI object at 0xb7f680a0>

get_output

Use get_output to get the output from executed commands.

Syntax

CLI.get_output()

Returns

Output from executed commands

Examples

# Add a local user and get the output from the command.

<Sysname> python

Python 2.7.3 (default)

[GCC 4.4.1] on linux2

Type "help", "copyright", "credits" or "license" for more information.

>>> import comware

>>> c = comware.CLI('system-view ;local-user test class manage', False)

>>> c.get_output()

Sample output

['<Sysname>system-view', 'System View: return to User View with Ctrl+Z.', '[Sysname]local-user test class manage', 'New local user added.']

Transfer class

Transfer

Use Transfer to download a file from a server.

Syntax

Transfer(protocol=‘’, host=‘’, source=‘’, dest=‘’, vrf=‘’,login_timeout=10, user=‘’, password=‘’)

Parameters

protocol: Specifies the protocol used to download a file:

·     ftp—Uses FTP.

·     tftp—Uses TFTP.

·     http—Uses HTTP.

host: Specifies the IP address of the remote server.

source: Specifies the name of the file to be downloaded from the remote server.

dest: Specifies a name for the downloaded file.

vrf: Specifies the VPN instance to which the remote server belongs. This argument is a case-sensitive string of 1 to 31 characters. If the server belongs to the public network, do not specify this argument. Support for this argument depends on the device model.

login_timeout: Specifies the timeout for the operation, in seconds. The default is 10.

user: Specifies the username for logging in to the server.

password: Specifies the login password.

Returns

Transfer object

Examples

# Download file test.cfg from TFTP server 192.168.1.26.

<Sysname> python

Python 2.7.3 (default)

[GCC 4.4.1] on linux2

Type "help", "copyright", "credits" or "license" for more information.

>>> import comware

>>> comware.Transfer('tftp', '192.168.1.26', 'test.cfg', 'flash:/test.cfg', user='', password='')

Sample output

<comware.Transfer object at 0xb7f700e0>

get_error

Use get_error to get the error information from the download operation.

Syntax

Transfer.get_error()

Returns

Error information (if there is no error information, None is returned)

Examples

# Download file test.cfg from TFTP server 1.1.1.1 and get the error information from the operation.

<Sysname> python

Python 2.7.3 (default)

[GCC 4.4.1] on linux2

Type "help", "copyright", "credits" or "license" for more information.

>>> import comware

>>> c = comware.Transfer('tftp', '1.1.1.1', 'test.cfg', 'flash:/test.cfg', user='', password='')

>>> c.get_error()

Sample output

“Couldn’t connect to server”

API get_self_slot

get_self_slot

Use get_self_slot to get the member ID of the master device.

Syntax

get_self_slot()

Returns

A list object in the format of [-1,slot-number]. The slot-number indicates the member ID of the master device.

Examples

# Get the member ID of the master device.

<Sysname> python

Python 2.7.3 (default)

[GCC 4.4.1] on linux2

Type "help", "copyright", "credits" or "license" for more information.

>>> import comware

>>> comware.get_self_slot()

Sample output

[-1,1]

API get_standby_slot

get_standby_slot

Use get_standby_slot to get the member IDs of the subordinate devices.

Syntax

get_standby_slot()

Returns

A list object in one of the following formats:

·     [ ]—The IRF fabric does not have a subordinate device.

·     [[-1,slot-number]]—The IRF fabric has only one subordinate device.

·     [[-1,slot-number1],[-1,slot-number2],...]—The IRF fabric has multiple subordinate devices.

The slot-number arguments indicate the member IDs of the subordinate devices.

Examples

# Get the member IDs of the subordinate devices.

<Sysname> python

Python 2.7.3 (default)

[GCC 4.4.1] on linux2

Type "help", "copyright", "credits" or "license" for more information.

>>> import comware

>>> comware.get_standby_slot()

Sample output

[]

API get_slot_range

get_slot_range

Use get_slot_range to get the supported IRF member ID range.

Syntax

get_slot_range()

Returns

A dictionary object in the format of {'MaxSlot': max-slot-number, 'MinSlot': min-slot-number }. The max-slot-number argument indicates the maximum member ID. The min-slot-number argument indicates the minimum member ID.

Examples

# Get the supported IRF member ID range.

<Sysname> python

Python 2.7.3 (default)

[GCC 4.4.1] on linux2

Type "help", "copyright", "credits" or "license" for more information.

>>> import comware

>>> comware. get_slot_range()

Sample output

{'MaxSlot': 4, 'MinSlot': 1}


Managing licenses

Overview

License-based features require a license to run on your device. To use a license-based feature, you must purchase a license or obtain a free trial license.

License types

The following types of licenses are available depending on validity period:

·     Permanent—A permanent license is always valid and never expires.

·     Days restricted—A license valid for a limited period in days, for example, 30 days.

Trial licenses are typically days restricted.

The following types of licenses are available depending on locking method:

·     Device lockedA license can be installed only on the DID-specific device. The license takes effect on any MPU in the device even after an MPU replacement. The device supports this locking method.

·     MPU lockedA license can be installed only on the DID-specific MPU. The license takes effect on the MPU even after the MPU is moved to a different device.

License pool

The following matrix shows hardware compatibility with license pool:

 

Hardware series

Model

License pool compatibility

WX1800H series

WX1804H

WX1810H

WX1820H

WX1840H

No

WX3800H series

WX3810H

WX3840H

Yes

WX5800H series

WX5860H

Yes

 

Understanding the license pool

An IRF fabric provides the license pool feature when the fabric meets the following requirements:

·     Member ACs are of the same model.

·     The ACs form the N + 1 or N + M backup mode.

·     Licenses are installed on the master ACs.

The license pool enables backup ACs to use the licenses of a master AC that goes down for a maximum of 30 days. In the N + 1 or N + M backup mode, you need to purchase licenses only for the mater ACs, which saves customer investment. For example, in a 3 + 1 backup structure, you need to purchase and install licenses only for the three mater ACs. When a master AC goes down, the backup AC takes over and uses the licenses of the master AC to provide services.

Calculating the total number of licensed APs in a license pool

The license pool capacity determines the number of APs that can be connected to the ACs. The number of APs allowed in the license pool are affected by the following factors:

·     Number of member devices supported in an IRF fabric. For information about hardware compatibility for IRF, see Table 14.

·     Number of licensed APs supported by each IRF member device in the IRF fabric.

Table 14 Hardware compatibility for IRF

Hardware series

Model

IRF compatibility

Maximum number of IRF member devices

WX1800H series

WX1804H

WX1810H

WX1820H

WX1840H

No

N/A

WX3800H series

WX3810H

WX3840H

Yes

2

WX5800H series

WX5860H

Yes

4

 

The total number of licensed APs in a license pool is the sum of licensed APs supported by each IRF member device. For example, ACs A, B, C, D form an IRF fabric. The number of licensed APs on the ACs A, B, C, and D are a, b, c, and d, respectively.

The total number of licensed APs in the license pool = sum(a,b,c,d) = a + b + c + d.

Compatibility information

Feature and hardware compatibility

The following matrix shows hardware compatibility with license management:

 

Hardware series

Model

License management compatibility

WX1800H series

WX1804H

WX1810H

WX1820H

WX1840H

No:

·     WX1804H

·     WX1810H

·     WX1820H

Yes: WX1840H

WX3800H series

WX3820H

WX3840H

Yes

WX5800H series

WX5860H

Yes

 

Command and hardware compatibility

WX1800H series access controllers do not support the slot keyword or the slot-number argument.

Restrictions and guidelines

General restrictions and guidelines

When you manage licenses, follow the general restrictions and guidelines:

·     Make sure you have purchased an upgrade license for add-on nodes, add-on features, or time extension.

·     Use the display license feature command to identify license-based features and their licensing information.

·     After you execute the display license command, it will take certain time for the device to output detailed license information depending on the device load.

·     Make sure no one else is performing license management tasks on the device you are working with.

·     When installing a license, the system also searches the storage media for a matching feature package. When it finds a matching package, it stops searching and installs the package.

·     When uninstalling a license, the system checks whether the feature package for the license is running. If it is running, the system uninstalls the package automatically.

·     If you cannot obtain or re-register the activation file due to problems such as operating system and browser errors, contact H3C Support.

Licenses for different device types

When you register and install licenses, follow the restrictions and guidelines:

·     License registration requires a license key, hardware SN, and DID. This information is device specific. A registered license takes effect on the entire device.

·     For a license-based feature to run correctly on an IRF fabric:

?     Install one license for the feature on each member in the fabric. The license takes effect on each member device, and it is effective even after the member device joins another IRF fabric.

?     Make sure the licenses installed on the members are the same.

License file safety

When you manage licenses, follow these restrictions and guidelines for license file safety:

·     Save and back up the obtained activation file in case of loss.

·     If you use FTP to transfer the .id file and the activation file, use the Binary mode.

·     Do not open and edit the .id file or activation file to avoid file corruption.

·     Do not modify the name of the .id file or activation file to avoid licensing error.

·     Do not delete or move files in the flash:/license directory on a device. The license management feature uses this directory for license management. An incorrect file operation can cause problems. For example, if you delete an activation file that is usable or in use, the related feature will not function correctly. If a file is missing or corrupted, copy the activation file to the directory to recover the license. If the state of the recovered license is In use, but not all licensed features can function, reboot the device. To verify the license state, use the display license command.

Licensing procedure summary

Tasks at a glance

Remarks

Registering licenses:

·     Registering licenses for the first time—Registers a license for a device that has never been activated.

·     Registering upgrade licenses—Registers a license for add-on nodes, add-on features, or time extension.

H3C website provides the license registration function.

Installing an activation file

N/A

Transferring a license

N/A

Compressing the license storage

N/A

 

Figure 36 describes the license registration and activation procedure.

Figure 36 Licensing procedure summary

 

Registering licenses

Registering licenses for the first time

1.     Visit the H3C website at http://www.h3c.com/en/Support/Online_Help/License_Service/. Select First-Time Registration.

Figure 37 Registering a license for the first time

 

2.     Select WLAN_H3C WLAN AC V7 from the Product category dropdown list, and click Submit.

Figure 38 Selecting a product category for activation file licensing

 

If you do not know the product category, enter the license key in the text box, and click Submit. The product category is automatically displayed.

3.     Enter the license, device, and contact information, select I accept all terms of H3C Legal Statement, and click Get activation key or file.

Figure 39 Entering the information for activation file licensing

 

Table 15 Field description

Item

Description

Remarks

License key

Enter the license key provided on the paper license.

Required.

H3C device S/N

Enter the device serial number, a string of 20 characters.

You can use the display license device-id command on the device to display the device serial number.

Required.

Device information file

Upload the device DID file.

You can use the display license device-id command on the device to display the file path and use FTP or TFTP to download the DID file to the device.

Required.

Customer company/organization

Enter the name of the company or organization that uses the device.

Required.

Company/organization

Enter your company or organization name.

Required.

First name

Enter your first name.

Required.

Last name

Enter your last name.

Optional.

Phone number

Enter your phone number.

Required.

Email address

Enter your email address.

H3C will send a copy of the activation file or key to your email box in addition to providing a link to the activation file on the registration result page.

Required.

Zip code

Enter the zip code of your region.

Optional.

Address

Enter your address.

Optional.

Project name

Enter the name of the project that uses the device.

Optional.

Verify code

Enter the code literally as is displayed on the image to the right of the text box.

Required.

 

4.     Click the .ak link to save the activation file when the registration success message appears. Unzip the file and follow the procedures described in "Installing an activation file" to activate the license on your device.

Figure 40 Registration success for activation file licensing

 

Registering upgrade licenses

1.     Visit the H3C website at http://www.h3c.com/en/Support/Online_Help/License_Service/. Select Register Upgraded Licenses.

Figure 41 Registering an upgrade license

 

2.     Select WLAN_H3C WLAN AC V7 from the Product category dropdown list.

Figure 42 Selecting a product category for activation file licensing

 

If you do not know the product category, enter the license key in the text box, and click Submit. The product category is automatically displayed.

3.     Enter the device information and click Submit.

Figure 43 Entering the device information for activation file licensing

 

Table 16 Field description

Item

Description

Remarks

H3C device S/N

Enter the device serial number, a string of 20 characters.

You can use the display license device-id command to display the device serial number.

Required.

Device information file

Upload the device DID file.

You can use the display license device-id command to display the file path and use FTP or TFTP to download the DID file to the device.

Required.

 

4.     On the page that appears, enter the license, and contact information, select I accept all terms of H3C Legal Statement, and click Get activation key or file.

Figure 44 Entering the information for license upgrade

 

Table 17 Configuration items

Item

Description

Remarks

License key

Enter the license key provided on the paper license.

Required.

Customer company/organization

Enter the name of the company or organization that uses the device.

Required.

Company/organization

Enter your company or organization name.

Required.

First name

Enter your first name.

Required.

Last name

Enter your last name.

Optional.

Phone number

Enter your phone number.

Required.

Email address

Enter your email address.

H3C will send a copy of the activation file or key to your email box in addition to providing a link to the activation file on the registration result page.

Required.

Zip code

Enter the zip code of your region.

Optional.

Address

Enter your address.

Optional.

Project name

Enter the name of the project that uses the device.

Optional.

Verify code

Enter the code literally as is displayed on the image to the right of the text box.

Required.

 

5.     Click the .ak link to save the activation file when the registration success message appears. Unzip the file and follow the procedures described in "Installing an activation file" to activate the license on your device.

Figure 45 Registration success activation file licensing

 

Installing an activation file

Step

Command

1.     Upload the activation file to the storage media of the device through FTP or TFTP.

N/A

2.     Enter system view.

system-view

3.     Install the activation file.

license activation-file install file-name slot slot-number

 

Transferring a license

You can transfer a license from one device to another if its activation file has not expired. If the activation file has expired, the license is not transferrable.

To transfer a license:

 

Step

Command

Remarks

1.     Enter system view on the source device.

system-view

N/A

2.     Uninstall an activation file.

license activation-file uninstall file-name slot slot-number

When an activation file is uninstalled, the system creates an Uninstall file. This file is required when you register the license for the target device.

The uninstallation action does not delete license data from the license storage area. To free storage space, you must compress the license storage (see "Compressing the license storage").

3.     Obtain the Uninstall key of the source device.

display license

N/A

4.     Use the Uninstall key to uninstall the license from the source device on the H3C website.

N/A

N/A

5.     Access the target device and display the SN string and the DID's .id file path.

display license device-id

N/A

6.     Use FTP or TFTP to transfer the .id file to the PC.

N/A

N/A

7.     Access http://www.h3c.com.hk/Technical_Support___Documents/Product_Licensing/, and use the target device's SN and DID information and the source device's Uninstall key to generate a new activation file.

N/A

See "Registering licenses."

8.     Download the new activation file to the target device.

N/A

N/A

9.     Install the new activation file on the target device.

N/A

See "Installing an activation file."

 

Compressing the license storage

CAUTION:

The DID changes each time the license storage is compressed. Before performing a compression, make sure all activation files generated based on the old DID have been installed. They cannot be installed after the compression.

 

If the license storage area is not sufficient for installing new licenses, compress the license storage. This action deletes expired licenses and uninstalled licenses.

To compress the license storage:

 

Step

Command

1.     Enter system view.

system-view

2.     Compress the license storage.

license compress slot slot-number

 

Displaying and maintaining licenses

Execute display commands in any view.

 

Task

Command

Display the SN and DID of the device.

display license device-id slot slot-number

Display detailed license information.

display license [ activation-file ] slot slot-number

Display brief feature license information.

display license feature

 


Using automatic configuration

Overview

With the automatic configuration feature, the device can automatically obtain a set of configuration settings when it starts up without a configuration file. This feature simplifies network configuration and maintenance.

As shown in Figure 46, automatic configuration requires the following servers:

·     DHCP server.

·     File server (TFTP or HTTP server).

·     (Optional.) DNS server.

Figure 46 Automatic configuration network diagram

 

Automatic configuration task list

Tasks at a glance

(Required.) Configuring the file server

(Required.) Preparing the files for automatic configuration

(Required.) Configuring the DHCP server

(Optional.) Configuring the DNS server

(Optional.) Configuring the gateway

(Required.) Preparing the interface used for automatic configuration

(Required.) Starting and completing automatic configuration

 

Configuring the file server

For devices to obtain configuration information from a TFTP server, start TFTP service on the file server.

For devices to obtain configuration information from an HTTP server, start HTTP service on the file server.

Preparing the files for automatic configuration

The device can use a script file or configuration file for automatic configuration.

·     For devices to use configuration files for automatic configuration, you must create and save the configuration files to the file server as described in "Configuration files." If you do not configure the DHCP server to assign configuration file names, you must also create a host name file on the TFTP server.

·     For devices to use script files for automatic configuration, you must create and save the script files to the file server as described in "Script files."

Host name file

The host name file contains host name-IP address mappings and must be named network.cfg.

All mapping entries in the host name file must use the ip host host-name ip-address format. Each mapping entry must reside on a separate line. For example:

ip host host1 101.101.101.101

ip host host2 101.101.101.102

ip host client1 101.101.101.103

ip host client2 101.101.101.104

Configuration files

To prepare configuration files:

·     For devices that require different configurations, perform the following tasks:

?     Determine the name for each device's configuration file.

The configuration file names must use the extension .cfg. For simple file name identification, use configuration file names that do not contain spaces.

?     Use the file names to save the configuration files for the devices to the file server.

·     For devices that share all or some configurations, save the common configurations to a .cfg file on the file server.

·     If a TFTP file server is used, you can save a default configuration file named device.cfg on the server. This file contains only common configurations that devices use to start up. This file is assigned to a device only when the device does not have other configuration files to use.

During the automatic configuration process, a device first tries to obtain a configuration file dedicated for it. If no dedicated configuration file is found, the device tries to obtain the common configuration file. If no common configuration file is found when a TFTP file server is used, the device obtains and uses the default configuration file.

Script files

Script files can be used for automatic software upgrade and automatic configuration. The device supports Python scripts (.py files) and Tcl scripts (.tcl files). For more information about Python and Tcl scripts, see "Using Python" and "Using Tcl."

To prepare script files:

·     For devices that share all or some configurations, create a script file that contains the common configurations.

·     For the other devices, create a separate script file for each of them.

Configuring the DHCP server

The DHCP server assigns the following items to devices that need to be automatically configured:

·     IP addresses.

·     Paths of the configuration files or scripts.

Configuration guidelines

When you configure the DHCP server, follow these guidelines:

·     For devices for which you have prepared different configuration files, perform the following tasks for each of the devices on the DHCP server:

?     Create a DHCP address pool.

?     Configure a static address binding.

?     Specify a configuration file or script file.

Because an address pool can use only one configuration file, you can specify only one static address binding for an address pool.

·     For devices for which you have prepared the same configuration file, use either of the following methods:

?     Method 1:

-     Create a DHCP address pool for the devices.

-     Configure a static address binding for each of the devices in the address pool.

-     Specify the configuration file for the devices.

?     Method 2:

-     Create a DHCP address pool for the devices.

-     Specify the subnet for dynamic allocation.

-     Specify the TFTP server.

-     Specify the configuration file for the devices.

·     If all devices on a subnet share the same configuration file or script file, perform the following tasks on the DHCP server:

?     Configure dynamic address allocation.

?     Specify the configuration file or script file for the devices.

The configuration file can contain only the common settings for the devices. You can provide a method for the device administrators to change the configurations after their devices start up.

Configuring the DHCP server when an HTTP file server is used

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable DHCP.

dhcp enable

By default, DHCP is disabled.

3.     Create a DHCP address pool and enter its view.

dhcp server ip-pool pool-name

By default, no DHCP address pool is created.

4.     Configure the address pool.

·     (Method 1.) Specify the primary subnet for the address pool:
network
network-address [ mask-length | mask mask ]

·     (Method 2.) Configure a static binding:
static-bind ip-address
ip-address [ mask-length | mask mask ] { client-identifier client-identifier | hardware-address hardware-address [ ethernet | token-ring ] }

Use either or both methods.

By default, no primary subnet or static binding is configured.

You can add multiple static bindings.

One IP address can be bound to only one client. To change the binding for a DHCP client, you must remove the binding and reconfigure a binding.

5.     Specify the URL of the configuration file or script file.

bootfile-name url

By default, no configuration or script file URL is specified.

 

Configuring the DHCP server when a TFTP file server is used

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable DHCP.

dhcp enable

By default, DHCP is disabled.

3.     Create a DHCP address pool and enter its view.

dhcp server ip-pool pool-name

By default, no DHCP address pool is created.

4.     Configure the address pool.

·     (Method 1.) Specify the primary subnet for the address pool:
network
network-address [ mask-length | mask mask ]

·     (Method 2.) Configure a static binding:
static-bind ip-address
ip-address [ mask-length | mask mask ] { client-identifier client-identifier | hardware-address hardware-address [ ethernet | token-ring ] }

Use either or both methods.

By default, no primary subnet or static binding is configured.

You can add multiple static bindings.

One IP address can be bound to only one client. To change the binding for a DHCP client, you must remove the binding and reconfigure a binding.

5.     Specify a TFTP server.

·     (Method 1.) Specify the IP address of the TFTP server:
tftp-server ip-address
ip-address

·     (Method 2.) Specify the name of the TFTP server:
tftp-server domain-name
domain-name

Use either or both methods.

By default, no TFTP server is specified.

If you specify a TFTP server by its name, a DNS server is required on the network.

6.     Specify the configuration file name.

bootfile-name bootfile-name

By default, no configuration file name is specified.

 

Configuring the DNS server

A DNS server is required in the following situations:

·     The TFTP server does not have a host name file. However, devices need to perform the following operations:

?     Use their IP addresses to obtain their host names.

?     Obtain configuration files named in the host name.cfg format from the TFTP server.

·     The DHCP server assigns the TFTP server domain name through the DHCP reply message. Devices must use the domain name to obtain the IP address of the TFTP server.

Configuring the gateway

If the devices to be automatically configured and the servers for automatic configuration reside in different network segments, you must perform the following tasks:

·     Deploy a gateway and make sure the devices can communicate with the servers.

·     Configure the DHCP relay agent feature on the gateway.

Preparing the interface used for automatic configuration

The device uses the following steps to select the interface for automatic configuration:

1.     Identifies the status of the management Ethernet interface at Layer 2. If the status is up, the device uses the management Ethernet interface.

2.     Identifies the status of Layer 2 Ethernet interfaces. If one or more Layer 2 Ethernet interfaces are in up state, the device uses the VLAN interface of the default VLAN.

3.     Sorts all Layer 3 Ethernet interfaces in up state first in lexicographical order of interface types and then in ascending order of interface numbers. Uses the interface with the smallest interface number among the interfaces of the first interface type.

4.     If no Layer 3 Ethernet interfaces are in up state, the device waits 30 seconds and goes to step 1 to try again.

For fast automatic device configuration, connect only the management Ethernet interface on each device to the network.

Starting and completing automatic configuration

1.     Power on the devices to be automatically configured.

If a device does not find a next-start configuration file locally, it starts the automatic configuration process to obtain a configuration file.

?     If the device obtains a configuration file and executes the file successfully, the automatic configuration process ends.

?     If one attempt fails, the device tries again until the maximum number of attempts is reached. To stop the process, press Ctrl+C or Ctrl+D.

If the device fails to obtain a configuration file, the device starts up without loading any configuration.

2.     Use the save command to save the running configuration.

The device does not save the obtained configuration file locally. If you do not save the running configuration, the device must use the automatic configuration feature again after a reboot.

For more information about the save command, see Fundamentals Command Reference.

Automatic configuration examples

Automatic configuration using TFTP server

Network requirements

As shown in Figure 47, the AC does not have a configuration file.

Configure the servers so the AC can obtain a configuration file to complete the following configuration tasks:

·     Enable the administrator of the AC to Telnet to and manage the AC.

·     Require the administrator to enter the correct username and password at login.

Figure 47 Network diagram

 

Configuration procedure

1.     Configure the DHCP server:

# Enable DHCP.

<RouterA> system-view

[RouterA] dhcp enable

# Configure address pool 1 to assign IP addresses on the 192.168.1.0/24 subnet to clients. Specify the TFTP server and configuration file name for the clients.

[RouterA] dhcp server ip-pool 1

[RouterA-dhcp-pool-1] network 192.168.1.0 24

[RouterA-dhcp-pool-1] tftp-server ip-address 192.168.1.40

[RouterA-dhcp-pool-1] bootfile-name device.cfg

2.     Configure the TFTP server:

# On the TFTP server, create the device.cfg configuration file.

#

telnet server enable

#

local-user user

password simple abcabc

service-type telnet

quit

#

user-interface vty 0 4

authentication-mode scheme

user-role network-admin

quit

#

interface gigabitethernet 1/0/1

port link-mode route

ip address dhcp-alloc

return

# Start TFTP service software. (Details not shown.)

Verifying the configuration

1.     Power on the AC.

2.     After the AC starts up, display assigned IP addresses on Router A.

<RouterA> display dhcp server ip-in-use

IP address       Client identifier/    Lease expiration      Type

                 Hardware address

192.168.1.2      0030-3030-632e-3239-  Dec 12 17:41:15 2013  Auto(C)

                 3035-2e36-3736-622d-

                 4574-6830-2f30-2f32

3.     Telnet to 192.168.1.2 from Router A.

<RouterA> telnet 192.168.1.2

4.     Enter the user username and abcabc password as prompted. (Details not shown.)

You are logged in to the AC.

Automatic configuration using HTTP server and Tcl script

Network requirements

As shown in Figure 48, the AC does not have a configuration file.

Configure the servers so the AC can obtain a Tcl script to complete the following configuration tasks:

·     Enable the administrator to Telnet to the AC to manage the AC.

·     Require the administrator to enter the correct username and password at login.

Figure 48 Network diagram

 

Configuration procedure

1.     Configure the DHCP server:

# Enable DHCP.

<RouterA> system-view

[RouterA] dhcp enable

# Configure address pool 1 to assign IP addresses on the 192.168.1.0/24 subnet to clients.

[RouterA] dhcp server ip-pool 1

[RouterA-dhcp-pool-1] network 192.168.1.0 24

# Specify the URL of the script file for the AC.

[RouterA-dhcp-pool-1] bootfile-name http://192.168.1.40/device.tcl

2.     Configure the HTTP server:

# Create the device.tcl configuration file on the HTTP server.

return

system-view

telnet server enable

local-user user

password simple abcabc

service-type telnet

quit

user-interface vty 0 4

authentication-mode scheme

user-role network-admin

quit

 

interface gigabitethernet 1/0/1

port link-mode route

ip address dhcp-alloc

return

# Start HTTP service software and enable HTTP service. (Details not shown.)

Verifying the configuration

1.     Power on the AC.

2.     After the AC starts up, display assigned IP addresses on Router A.

<RouterA> display dhcp server ip-in-use

IP address       Client identifier/    Lease expiration      Type

                 Hardware address

192.168.1.2      0030-3030-632e-3239-  Dec 12 17:41:15 2013  Auto(C)

                 3035-2e36-3736-622d-

                 4574-6830-2f30-2f32

3.     Telnet to 192.168.1.2 from Router A.

<RouterA> telnet 192.168.1.2

4.     Enter the user username and abcabc password as prompted. (Details not shown.)

You are logged in to the AC.

Automatic configuration using HTTP server and Python script

Network requirements

As shown in Figure 49, the AC does not have a configuration file.

Configure the servers so the AC can obtain a Python script to complete the following configuration tasks:

·     Enable the administrator to Telnet to the AC to manage the AC.

·     Require the administrator to enter the correct username and password at login.

Figure 49 Network diagram

 

Configuration procedure

1.     Configure the DHCP server:

# Enable DHCP.

<RouterA> system-view

[RouterA] dhcp enable

# Configure address pool 1 to assign IP addresses on the subnet 192.168.1.0/24 to clients.

[RouterA] dhcp server ip-pool 1

[RouterA-dhcp-pool-1] network 192.168.1.0 24

# Specify the URL of the script file for the AC.

[RouterA-dhcp-pool-1] bootfile-name http://192.168.1.40/device.py

2.     Configure the HTTP server:

# Create the device.py configuration file on the HTTP server.

#!usr/bin/python

 

import comware

comware.CLI(‘system-view ;telnet server enable ;local-user user ;password simple abcabc ;service-type telnet ;quit ;user-interface vty 0 4 ;authentication-mode scheme ;user-role network-admin ;quit ;interface gigabitethernet 1/0/1 ;port link-mode route ;ip address dhcp-alloc ;return’)

# Start HTTP service software and enable HTTP service. (Details not shown.)

Verifying the configuration

1.     Power on the AC.

2.     After the AC starts up, display assigned IP addresses on Router A.

<RouterA> display dhcp server ip-in-use

IP address       Client identifier/    Lease expiration      Type

                 Hardware address

192.168.1.2      0030-3030-632e-3239-  Dec 12 17:41:15 2013  Auto(C)

                 3035-2e36-3736-622d-

                 4574-6830-2f30-2f32

3.     Telnet to 192.168.1.2 from Router A.

<RouterA> telnet 192.168.1.2

4.     Enter the user username and abcabc password as prompted. (Details not shown.)

You are logged in to the AC.



A

AAA

RBAC AAA authorization, 18

RBAC default user role, 23

RBAC local AAA authentication user configuration, 27

RBAC non-AAA authorization, 18

RBAC user role local AAA authentication, 23

RBAC user role non-AAA authentication, 24

RBAC user role remote AAA authentication, 23

abbreviating CLI command, 5

accessing

CLI online help, 2

login management SNMP device access, 62

accounting

login management command accounting, 72, 73

login management user device access control, 65

ACL

login management command authorization, 69, 70

login management login control (Telnet), 65

login management login control (Telnet, SSH), 65

login management SNMP access control, 67, 69

login management user device access control, 65

activation file

license management installation, 153

active

FTP active (PORT) operating mode, 75

alias (CLI command), 5

API

extended Python API, 139

extended Python API functions, 139

archiving

configuration archive, 102

configuration archive parameters, 102

configuration archiving (automatic), 103

file, 93, 95

running configuration (manual), 104

argument (CLI string/text type), 4

ASCII transfer mode, 75

assigning

login management CLI user line assignment, 42

RBAC local AAA authentication user role, 23

RBAC non-AAA authentication user role, 24

RBAC permission assignment, 16

RBAC remote AAA authentication user role, 23

RBAC user role, 22

RBAC user role assignment, 18

authenticating

FTP basic server authentication, 76

login management CLI console authentication, 44

login management CLI console password authentication, 44

login management CLI console scheme authentication, 45

login management CLI none authentication mode, 43

login management CLI password authentication mode, 43

login management CLI scheme authentication mode, 43

login management Telnet login authentication disable, 48

login management Telnet login password authentication, 48

login management Telnet login scheme authentication, 49

RBAC local AAA authentication user configuration, 27

RBAC RADIUS authentication user configuration, 29

RBAC temporary user role authorization (HWTACACS authentication), 31

RBAC temporary user role authorization (RADIUS authentication), 35

RBAC user role authentication, 26

RBAC user role local AAA authentication, 23

RBAC user role remote AAA authentication, 23

authorizing

FTP basic server authorization, 76

login management command authorization, 69, 70

login management user device access control, 65

RBAC temporary user role authorization, 24

auto

automatic configuration archiving, 103

configuration. See automatic configuration

automatic configuration

DHCP server, 157

DHCP server configuration restrictions (server-based), 157

DNS server, 159

file preparation, 156

file server configuration, 156

gateway configuration, 159

HTTP server+Python script, 163

HTTP server+Tcl script, 161

start, 159

B

backing up

main next-startup configuration file, 105

software upgrade backup image set, 108

banner

configuration, 119, 120

legal type, 119

login type, 119

MOTD type, 119

multiple-line input method, 120

shell type, 119

single-line input method, 120

binary transfer mode, 75

boot loader

software upgrade startup image file specification (IRF-capable devices), 113

software upgrade startup image file specification (IRF-incapable devices), 112

startup image specification, 112

Boot ROM

Boot ROM image preload, 111

software upgrade image downgrade, 114

software upgrade image preload to Boot ROM (IRF-incapable devices), 111

software upgrade image restore, 114

software upgrade image type, 108, 108

software upgrade methods, 110

software upgrade preparation, 111

software upgrade startup image file specification (IRF-capable devices), 113

software upgrade startup image file specification (IRF-incapable devices), 112

software upgrade system startup, 109

startup image specification, 112

buffering

CLI command history buffering rules, 9

CLI history buffered commands, 9

C

calculating

AP number, 145

file digest, 96

changing

file system current working directory, 93

FTP user account, 82

CLI

command abbreviation, 5

command alias configuration, 5

command alias use, 5

command entry, 3

command history buffered commands, 9

command history buffering rules, 9

command history function use, 8

command hotkey configuration, 6

command hotkey use, 6

command line editing, 3

command redisplay, 8

command-line error message, 8

console authentication, 44

console common line settings, 45

console password authentication, 44

console port login, 41

console scheme authentication, 45

device reboot (CLI), 121

device reboot (scheduled), 121

display command output filtering, 11

display command output line numbering, 10

display command output management, 14

display command output save to file, 13

display command output viewing, 14

interface type value, 5

local console port login, 43

login authentication modes, 43

login configuration, 42

login display, 54

login maintain, 54

login management overview, 39

online help access, 2

output control, 10

output control keys, 10

running configuration save, 15

software upgrade, 108

string/text type argument value, 4

system view entry from user view, 2

undo command form, 3

upper-level view return, 2

use, 1

user lines, 42

user roles, 43

user view return, 2

view hierarchy, 1

client

FTP client configuration, 84, 85

IPv4 TFTP client configuration, 87

IPv6 TFTP client configuration, 87

command

CLI command abbreviation, 5

CLI command alias configuration, 5

CLI command alias use, 5

CLI command entry, 3

CLI command history buffered commands, 9

CLI command history buffering rules, 9

CLI command history function use, 8

CLI command hotkey configuration, 6

CLI command hotkey use, 6

CLI command line editing, 3

CLI command redisplay, 8

CLI interface type value, 5

CLI string/text type argument value, 4

CLI undo command form, 3

line interface. Use CLI

login management command accounting, 72, 73

login management command authorization, 69, 70

Tcl, 135

comparing

configuration difference, 100

completing

software upgrade, 112

software upgrade (IRF-capable devices), 113

software upgrade (IRF-incapable devices), 112

compressing

file, 95

license management storage, 154

Comware

software upgrade Boot image type, 108

software upgrade feature image, 108

software upgrade image loading, 108

software upgrade image redundancy, 108

software upgrade image type, 108

software upgrade patch image, 108

software upgrade system image type, 108

configuration file

compatibility information, 99

configuration archive, 102

configuration archive parameters, 102

configuration archiving (automatic), 103

configuration comparison, 100

configuration difference displaying, 100

configuration rollback, 102

content organization, 99

device configuration types, 98

displaying, 107

encryption enable, 99

file formats, 99

format, 99

main next-startup configuration file backup, 105

main next-startup configuration file restoration, 106

management, 98

next-startup configuration file, 105

next-startup file delete, 106

next-startup file redundancy, 98

rollback, 104

running configuration archiving (manual), 104

running configuration save, 100, 101

startup file selection, 99

configuring

automatic configuration, 155, 160, 160, 161

automatic configuration (HTTP server+Python script), 163

automatic configuration DHCP server, 157

automatic configuration DNS server, 159

CLI command alias, 5

CLI command hotkey, 6

configuration rollback, 102

device as IPv4 TFTP client, 87

device as IPv6 TFTP client, 87

device banner, 119, 120

device management, 117, 117

device name, 117

device system time, 117

device temperature alarm threshold, 132

FTP, 75

FTP basic server parameters, 75

FTP client, 84, 85

FTP server, 77, 78

FTP server authentication, 76

FTP server authorization, 76

login management CLI console common line settings, 45

login management CLI console password authentication, 44

login management CLI console scheme authentication, 45

login management CLI local console port login, 43

login management command accounting, 72, 73

login management command authorization, 69, 70

login management RESTful access (HTTP), 63

login management RESTful access (HTTPS), 63

login management SNMP access control, 69

login management SSH device as server login, 52

login management SSH login, 52

login management Telnet common VTY line settings, 50

login management Telnet device as server, 47

login management Telnet login password authentication, 48

login management Telnet login scheme authentication, 49

login management Web login, 55, 58, 63

login management Web login (HTTP), 55, 58

login management Web login (HTTPS), 56, 59

login management Web login control (source IP-based), 66

RBAC, 16, 19, 27

RBAC feature group, 21

RBAC for RADIUS authentication user, 29

RBAC local AAA authentication user, 27

RBAC resource access policies, 21

RBAC temporary user role authorization, 24

RBAC temporary user role authorization (HWTACACS authentication), 31

RBAC temporary user role authorization (RADIUS authentication), 35

RBAC user role authentication, 26

RBAC user role interface policy, 22

RBAC user role rules, 20

RBAC user role VLAN policy, 22

TFTP, 87

console

login management CLI console authentication, 44

login management CLI console common line settings, 45

login management CLI console password authentication, 44

login management CLI console scheme authentication, 45

login management CLI local console port login, 43

login management console port login, 41

login management overview, 39

content

configuration comparison, 100

configuration file organization, 99

controlling

CLI output, 10

CLI output control keys, 10

login management login (Telnet), 65

login management logins (Telnet, SSH), 65

login management SNMP access, 67

login management user device access, 65

login management Web login, 67

login management Web logins, 66

RBAC configuration, 16, 19

copying

file, 95

copyright statement display, 119

creating

file system directory, 93, 93

RBAC user role, 19

current working directory

change, 93

display, 93

D

days-restricted license, 144

decompressing

file, 95

default

device factory-default configuration restore, 133

RBAC default user role, 23

deleting

file, 96

next-startup configuration file, 106

recycle bin file, 96

detecting

device port status detection timer, 129

device

automatic configuration, 155, 155, 160, 160

automatic configuration (HTTP server+Python script), 163

automatic configuration (HTTP server+Tcl script), 161

automatic configuration DHCP server, 157

automatic configuration DNS server, 159

automatic configuration file preparation, 156

automatic configuration start, 159

CLI command history buffered commands, 9

CLI command history function use, 8

CLI command redisplay, 8

CLI display command output filtering, 11

CLI display command output line numbering, 10

CLI display command output management, 14

CLI display command output save to file, 13

CLI display command output viewing, 14

CLI output control, 10, 10

CLI running configuration save, 15

CLI system view entry from user view, 2

CLI upper-level view return, 2

CLI use, 1

CLI user view return, 2

configuration types, 98

factory default configuration, 98

file system management, 89

file system storage media format, 92

FTP basic server parameters configuration, 75

FTP client, 80

FTP client configuration, 84, 85

FTP client connection establishment, 80

FTP command help information display, 83

FTP configuration, 75

FTP connection termination, 83

FTP connection troubleshooting, 82

FTP server, 75

FTP server authentication, 76

FTP server authorization, 76

FTP server configuration, 77, 78

FTP server connection release (manual), 77

FTP server directory management, 81

FTP server files, 81

FTP user account change, 82

IPv4 TFTP client configuration, 87

IPv6 TFTP client configuration, 87

license management, 144

license management (device locked), 144

license management installation (activation file), 153

license management registration, 147

license management storage compression, 154

license management transfer, 153

license registration for first time, 147

login management SNMP device access, 62

login management SSH device as server login configuration, 52

login management SSH server device login, 53

login management Telnet device as server, 47

login management Telnet server device login, 51

RBAC configuration, 16, 19, 27

RBAC feature group configuration, 21

RBAC local AAA authentication user configuration, 27

RBAC permission assignment, 16

RBAC RADIUS authentication user configuration, 29

RBAC resource access policies, 21

RBAC temporary user role authorization, 24, 26

RBAC temporary user role authorization (HWTACACS authentication), 31

RBAC temporary user role authorization (RADIUS authentication), 35

RBAC user role assignment, 18, 22

RBAC user role authentication, 26

RBAC user role creation, 19

RBAC user role interface policy, 22

RBAC user role local AAA authentication, 23

RBAC user role non-AAA authentication, 24

RBAC user role remote AAA authentication, 23

RBAC user role rule configuration, 20

RBAC user role VLAN policy, 22

running configuration, 98

software upgrade, 108

software upgrade parent device tasks, 111

software upgrade system startup, 109

startup configuration, 98

TFTP configuration, 87

upgrade license registration, 150

device management

banner configuration, 119, 120

banner input methods, 120

banner types, 119

configuration, 117, 117

configuration display, 134

configuration maintain, 134

copyright statement display, 119

CPU usage monitoring, 130

device name configuration, 117

device reboot, 121

device reboot (CLI), 121

device reboot (scheduled), 121

factory-default configuration restore, 133

license pool management, 144

memory alarm thresholds, 130

password recovery capability disable, 129

port status detection timer, 129

system time configuration, 117

task scheduling, 122, 124

task scheduling restrictions, 122

temperature alarm threshold, 132

transceiver module diagnosis, 132, 133

transceiver module verification, 132, 132

DHCP

automatic configuration, 155, 160, 160

automatic configuration (HTTP server+Python script), 163

automatic configuration (HTTP server+Tcl script), 161

automatic configuration DHCP server, 157

automatic configuration start, 159

diagnosing

device transceiver modules, 132, 133

digest

file system file digest calculation, 96

directory

file system current working directory change, 93

file system current working directory display, 93

file system directory creation, 93, 93

file system directory information display, 92

file system directory management, 92

file system directory removal, 94

file system management, 89

FTP server directory management, 81

disabling

CLI output screen pausing, 10

device password recovery capability, 129

login management CLI console authentication, 44

login management Telnet login authentication, 48

displaying

configuration difference, 100

configuration files, 107

device copyright statement, 119

device management configuration, 134

file system current working directory display, 93

file system directory information, 92

file system file information, 94

file system text file content, 94

FTP client, 83

FTP command help information, 83

FTP server, 77

license, 154

login management CLI login, 54

login management Web login, 58

RBAC settings, 26

software upgrade image settings, 114

DNS

automatic configuration, 155

automatic configuration DNS server, 159

automatic configuration start, 159

downgrading

software upgrade Boot ROM image, 114

DSCP

login management Telnet packet DSCP value, 49

E

editing CLI command line, 3

enabling

CLI command redisplay, 8

configuration archiving (automatic), 103

configuration encryption, 99

device copyright statement display, 119

login management Telnet server, 48

RBAC default user role, 23

entering

CLI command, 3

CLI entered-but-not-submitted command redisplay, 8

CLI interface type, 5

CLI string/text type argument value, 4

CLI system view from user view, 2

error

CLI command line error message, 8

establishing

FTP client connection, 80

extracting

file, 93, 95

F

factory default device configuration, 98

fast saving running configuration, 100, 101

feature

license management, 144

file

archiving, 93, 95

automatic configuration file server configuration, 156

compression, 95

configuration difference, 100

configuration file content, 99

configuration file format, 99

configuration file formats, 99

configuration file management, 98

copying, 95

decompression, 95

deletion, 96

device configuration startup file selection, 99

digest calculation, 96

extracting, 93, 95

file system management, 94

FTP server files, 81

information display, 94

license management license registration for first time, 147

license management registration, 147

license management transfer, 153

main next-startup configuration file backup, 105

main next-startup configuration file restoration, 106

moving, 95

next-startup configuration file, 105

next-startup configuration file redundancy, 98

recycle bin file deletion, 96

renaming, 95

restoration, 96

software upgrade file naming, 108

system. See file system

text content display, 94

upgrade license registration, 150

file system

current working directory change, 93

current working directory display, 93

directory creation, 93, 93

directory information display, 92

directory management, 92

directory removal, 94

file archiving, 93, 95

file compression, 95

file copy, 95

file decompression, 95

file deletion, 96

file digest calculation, 96

file extracting, 93, 95

file information display, 94

file management, 94

file move, 95

file rename, 95

file restoration, 96

file/folder operation mode, 94, 96

management, 89

recycle bin file deletion, 96

storage media format, 92

text file content display, 94

File Transfer Protocol. Use FTP

filtering

CLI display command output, 11

format

configuration file, 99, 99

formatting

file system storage media, 92

FTP

automatic configuration file server configuration, 156

basic server parameters configuration, 75

client configuration, 84, 85

client connection establishment, 80

client display, 83

command help information display, 83

configuration, 75

connection maintenance, 82

connection termination, 83

device as client, 80

device as server, 75

IPv4 TFTP client configuration, 87

IPv6 TFTP client configuration, 87

local server authentication, 76

local server authorization, 76

remote server authentication, 76

remote server authorization, 76

server configuration, 77, 78

server connection release (manual), 77

server directory management, 81

server display, 77

server files, 81

TFTP configuration, 87

troubleshooting connection, 82

user account change, 82

G

gateway

automatic configuration, 159

group

RBAC feature group configuration, 21

H

history

CLI history buffered commands, 9

CLI history function, 8

hotkey (CLI command), 6

HTTP

automatic configuration (HTTP server+Python script), 163

automatic configuration (HTTP server+Tcl script), 161

login management RESTful access, 63

login management Web login, 55, 58

login management Web login (HTTPS), 59

login management Web login configuration, 55, 58, 63

HTTPS

login management RESTful access, 63, 63

login management Web login, 56, 59

login management Web login (HTTP), 55, 58

login management Web login configuration, 55, 58, 63

HWTACACS

login management command accounting, 72, 73

RBAC temporary user role authorization, 31

I

identifying

login management CLI user line, 42

image

software upgrade Boot ROM image downgrade, 114

software upgrade Boot ROM image restore, 114

software upgrade Boot ROM image type, 108

software upgrade Comware Boot image type, 108

software upgrade Comware image loading, 108

software upgrade Comware image redundancy, 108

software upgrade Comware image type, 108

software upgrade Comware system image type, 108

software upgrade startup image file specification (IRF-capable devices), 113

software upgrade startup image file specification (IRF-incapable devices), 112

startup image specification, 112

Import

extended Pythond API, 139

installing

activation file, 153

interface, 39, See also line

RBAC interface access policy, 17

IP

FTP configuration, 75

TFTP configuration, 87

IPv4

FTP client connection establishment, 80

TFTP client configuration, 87

IPv6

FTP client connection establishment, 80

TFTP client configuration, 87

IRF

Boot ROM image preload, 111, 111

FTP client configuration, 85

FTP server configuration, 78

license pool management, 144

software upgrade completion (IRF-capable devices), 113

software upgrade startup image file specification (IRF-capable devices), 113

K

key

CLI command hotkey, 6

license management transfer, 153

L

legal banner type, 119

license

AP number calculation, 145

license pool management, 144

license management

days-restricted license, 144

device locked license, 144

feature use, 144

installation (activation file), 153

license display, 154

license pool management, 144

MPU locked license, 144

permanent license, 144

procedure, 147

registering license for first time, 147

registering upgrade license, 150

registration, 147

restrictions, 146

storage compression, 154

transfer, 153

license pool

AP number calculation, 145

line

login management CLI console common line settings, 45

login management CLI user line, 42

login management CLI user line assignment, 42

login management CLI user line identification, 42

login management Telnet VTY common line settings, 50

local

RBAC local AAA authentication user configuration, 27

RBAC user role local AAA authentication, 23

logging in

login management CLI console authentication, 44

login management CLI console common line settings, 45

login management CLI console password authentication, 44

login management CLI console scheme authentication, 45

login management CLI local console port login, 43

login management CLI login authentication modes, 43

login management CLI login configuration, 42

login management CLI user lines, 42

login management CLI user roles, 43

login management console port login, 41

login management RESTful access (HTTP), 63

login management RESTful access (HTTPS), 63

login management SSH device as server login configuration, 52

login management SSH login, 52

login management SSH server device login, 53

login management Telnet device as server, 47

login management Telnet login password authentication, 48

login management Telnet login scheme authentication, 49

login management Telnet server device login, 51

login management Telnet VTY common line settings, 50

login management Web login (HTTP), 55, 58

login management Web login (HTTPS), 56, 59

login management Web login configuration, 55, 58, 63

logging off

login management online Web user, 67

login

device banner login type, 119

login management

CLI configuration, 42

CLI console authentication, 44

CLI console common line settings, 45

CLI console password authentication, 44

CLI console scheme authentication, 45

CLI local console port login, 43

CLI login authentication modes, 43

CLI login display, 54

CLI login maintain, 54

CLI user line assignment, 42

CLI user line identification, 42

CLI user lines, 42

CLI user roles, 43

command accounting, 72, 73

command authorization, 69, 70

console port access, 41

login control (Telnet), 65

login control (Telnet, SSH), 65

overview, 39

RESTful access configuration (HTTP), 63

RESTful access configuration (HTTPS), 63

SNMP access control, 69

SNMP device access, 62

SSH device as server login, 52

SSH login, 52

SSH server device login, 53

Telnet device as server, 47

Telnet login authentication disable, 48

Telnet login password authentication, 48

Telnet login scheme authentication, 49

Telnet packet DSCP value, 49

Telnet server device login, 51

Telnet server enable, 48

Telnet VTY common line settings, 50

user device access control, 65

Web login configuration, 55, 58, 63

Web login configuration (HTTP), 55, 58

Web login configuration (HTTPS), 56, 59

Web login control, 66, 67

Web login control (source IP-based), 66

Web login display, 58

Web login maintain, 58

Web user logoff, 67

M

main

software upgrade image set, 108

maintaining

device management configuration, 134

FTP connection, 82

login management CLI login, 54

login management Web login, 58

RBAC settings, 26

managing

CLI display command output, 14

configuration files, 98

device. See device management

file system, 89

file system directories, 92

file system files, 94

FTP server directories, 81

license management, 144

license pool management, 144

manual

FTP server connection release, 77

memory

device CPU usage monitoring, 130

device memory alarm thresholds, 130

message

CLI command line error message, 8

message-of-the-day (MOTD) banner type, 119

method

device banner multiple-line input, 120

device banner single-line input, 120

MIB

login management SNMP device access, 62

mode

file system file/folder alert operation mode, 94, 96

file system file/folder quiet operation mode, 94, 96

FTP active (PORT) operating mode, 75

FTP ASCII transfer mode, 75

FTP binary transfer mode, 75

FTP passive (PASV) operating mode, 75

login management none CLI authentication, 43

login management password CLI authentication, 43

login management scheme CLI authentication, 43

module

device transceiver module diagnosis, 132, 133

device transceiver module verification, 132, 132

monitoring

device CPU usage, 130

moving

file, 95

MPU

license management (MPU locked), 144

multiple-line banner input method, 120

N

naming

device name configuration, 117

file rename, 95

software upgrade files, 108

network

automatic configuration, 155, 160

automatic configuration (HTTP server+Python script), 163

automatic configuration (HTTP server+Tcl script), 161

automatic configuration DHCP server, 157

automatic configuration DNS server, 159

automatic configuration file preparation, 156

automatic configuration gateway, 159

automatic configuration start, 159

device as FTP client, 80

device as FTP server, 75

device banner configuration, 119

device banner input methods, 120

device banner types, 119

device copyright statement display, 119

device CPU usage monitoring, 130

device factory-default configuration restore, 133

device management task scheduling, 122, 124

device memory alarm thresholds, 130

device name configuration, 117

device password recovery capability disable, 129

device port status detection timer, 129

device reboot, 121

device reboot (CLI), 121

device reboot (scheduled), 121

device system time configuration, 117

device temperature alarm threshold, 132

device transceiver module diagnosis, 132, 133

device transceiver module verification, 132, 132

file system directory management, 92

file system file management, 94

FTP basic server parameters configuration, 75

FTP client configuration, 84, 85

FTP client connection establishment, 80

FTP command help information display, 83

FTP connection termination, 83

FTP connection troubleshooting, 82

FTP server authentication, 76

FTP server authorization, 76

FTP server configuration, 77, 78

FTP server connection release (manual), 77

FTP server directory management, 81

FTP server files, 81

FTP user account change, 82

IPv4 TFTP client configuration, 87

IPv6 TFTP client configuration, 87

login management command accounting, 72, 73

login management command authorization, 69, 70

login management login control (Telnet), 65

login management login control (Telnet, SSH), 65

login management SNMP access control, 67, 69

login management SSH device as server login configuration, 52

login management Telnet device as server, 47

login management Telnet login authentication disable, 48

login management Telnet server enable, 48

login management Web login control, 66, 67

login management Web login control (source IP-based), 66

login management Web user logoff, 67

RBAC default user role, 23

RBAC feature group configuration, 21

RBAC local AAA authentication user configuration, 27

RBAC permission assignment, 16

RBAC RADIUS authentication user configuration, 29

RBAC resource access policies, 21

RBAC temporary user role authorization, 24, 26

RBAC temporary user role authorization (HWTACACS authentication), 31

RBAC temporary user role authorization (RADIUS authentication), 35

RBAC user role assignment, 18, 22

RBAC user role authentication, 26

RBAC user role creation, 19

RBAC user role interface policy, 22

RBAC user role local AAA authentication, 23

RBAC user role non-AAA authentication, 24

RBAC user role remote AAA authentication, 23

RBAC user role rule configuration, 20

RBAC user role VLAN policy, 22

network management

automatic configuration, 155, 160

CLI use, 1

configuration file management, 98

device management, 117, 117

extended Python API, 139

extended Python API functions, 139

extended Python API import, 139

extended Python API use, 139

file system management, 89

FTP configuration, 75

license management, 144

login management overview, 39

login management SNMP device access, 62

login management user device access control, 65

login management Web login, 55, 58, 63

Python, 137

RBAC configuration, 16, 19, 27

software upgrade, 108

software upgrade (IRF-capable devices), 115

software upgrade (IRF-incapable devices), 114

Tcl usage, 135

TFTP configuration, 87

using Python, 137

next-startup configuration file, 98, 106

NMS

login management SNMP device access, 62

non-AAA authentication (RBAC), 24

non-AAA authorization (RBAC), 18

none

login management CLI authentication mode, 43

numbering

CLI display command output lines, 10

O

obtaining

RBAC temporary user role authorization, 26

online

CLI online help access, 2

outputting

CLI display command output filtering, 11

CLI display command output line numbering, 10

CLI display command output management, 14

CLI display command output view, 14

CLI display comment output to file, 13

CLI output control, 10

CLI output control keys, 10

P

parameter

configuration archive parameters, 102

device management, 117

FTP basic server parameters configuration, 75

passive

FTP passive (PASV) operating mode, 75

password

device password recovery capability disable, 129

login management CLI authentication mode, 43

login management CLI console password authentication, 44

login management Telnet login password authentication, 48

login management Telnet login scheme authentication, 49

patch

software upgrade Comware patch image, 108

pausing between CLI output screens, 10

permanent license, 144, 144

permitting

RBAC permission assignment, 16

RBAC user role assignment, 18

policy

RBAC interface access policy, 17

RBAC resource access policies, 21

RBAC user role assignment, 22

RBAC user role interface policy, 22

RBAC user role local AAA authentication, 23

RBAC user role non-AAA authentication, 24

RBAC user role remote AAA authentication, 23

RBAC user role VLAN policy, 22

RBAC VLAN access policy, 17

pool

AP number calculation, 145

port

device status detection timer, 129

preloading

Boot ROM image, 111

software upgrade image to Boot ROM (IRF-incapable devices), 111

preparing

software upgrade, 111

procedure

abbreviating CLI command, 5

accessing CLI online help, 2

archiving file, 93, 95

archiving running configuration (manual), 104

assigning RBAC local AAA authentication user role, 23

assigning RBAC non-AAA authentication user role, 24

assigning RBAC remote AAA authentication user role, 23

assigning RBAC user role, 22

backing up main next-startup configuration file, 105

calculating AP number, 145

calculating file digest, 96

changing current working directory, 93

changing FTP user accounts, 82

completing software upgrade, 112

completing software upgrade (IRF-capable devices), 113

completing software upgrade (IRF-incapable devices), 112

compressing file, 95

compressing license storage, 154

configuring automatic configuration, 155, 160, 161

configuring automatic configuration (HTTP server+Python script), 163

configuring automatic configuration DHCP server, 157

configuring automatic configuration DNS server, 159

configuring automatic configuration gateway, 159

configuring CLI command alias, 5

configuring CLI command hotkey, 6

configuring configuration rollback, 102

configuring device as IPv4 TFTP client, 87

configuring device as IPv6 TFTP client, 87

configuring device banner, 119, 120

configuring device management, 117

configuring device name, 117

configuring device system time, 117

configuring device temperature alarm threshold, 132

configuring FTP basic server parameters, 75

configuring FTP client, 84, 85

configuring FTP server, 77, 78

configuring FTP server local authentication, 76

configuring FTP server local authorization, 76

configuring FTP server remote authentication, 76

configuring FTP server remote authorization, 76

configuring login management CLI console common line settings, 45

configuring login management CLI console password authentication, 44

configuring login management CLI console scheme authentication, 45

configuring login management CLI local console port login, 43

configuring login management command accounting, 72, 73

configuring login management command authorization, 69, 70

configuring login management RESTful access (HTTP), 63

configuring login management RESTful access (HTTPS), 63

configuring login management SNMP access control, 69

configuring login management SSH device as server login, 52

configuring login management SSH login, 52

configuring login management Telnet device as server, 47

configuring login management Telnet login password authentication, 48

configuring login management Telnet login scheme authentication, 49

configuring login management Telnet VTY common line settings, 50

configuring login management Web login (HTTP), 55, 58

configuring login management Web login (HTTPS), 56, 59

configuring RBAC, 19, 27

configuring RBAC feature group, 21

configuring RBAC for RADIUS authentication user, 29

configuring RBAC local AAA authentication user, 27

configuring RBAC resource access policies, 21

configuring RBAC temporary user role authorization, 24

configuring RBAC temporary user role authorization (HWTACACS authentication), 31

configuring RBAC temporary user role authorization (RADIUS authentication), 35

configuring RBAC user role authentication, 26

configuring RBAC user role interface policy, 22

configuring RBAC user role rules, 20

configuring RBAC user role VLAN policy, 22

controlling CLI output, 10, 10

controlling login management login (Telnet), 65

controlling login management logins (Telnet, SSH), 65

controlling login management SNMP access, 67

controlling login management Web login, 67

controlling login management Web login (source IP-based), 66

controlling login management Web logins, 66

copying file, 95

creating directory, 93, 93

creating RBAC user role, 19

decompressing file, 95

deleting file, 96

deleting file from recycle bin, 96

deleting next-startup configuration file, 106

diagnosing device transceiver module, 132, 133

disabling CLI console authentication, 44

disabling CLI output screen pausing, 10

disabling device password recovery capability, 129

disabling login management Telnet login authentication, 48

displaying configuration files, 107

displaying current working directory, 93

displaying device management configuration, 134

displaying directory information, 92

displaying file information, 94

displaying FTP client, 83

displaying FTP command help information, 83

displaying FTP server, 77

displaying license, 154

displaying login management CLI login, 54

displaying login management Web login, 58

displaying RBAC settings, 26

displaying software upgrade image settings, 114

displaying text file content, 94

downgrading software upgrade Boot ROM image, 114

editing CLI command line, 3

enabling CLI redisplay of entered-but-not-submitted command, 8

enabling configuration archiving (automatic), 103

enabling configuration encryption, 99

enabling device copyright statement display, 119

enabling login management Telnet server, 48

enabling RBAC default user role, 23

entering CLI command, 3

entering CLI interface type value, 5

entering CLI string/text type argument value, 4

entering CLI system view from user view, 2

entering Python shell, 137

establishing FTP client connection, 80

executing Comware commands in Tcl configuration view, 135

executing Python script, 137

extracting file, 93, 95

filtering CLI display command output, 11

first time license registration, 147

formatting file system storage media, 92

installing activation file, 153

logging in to login management SSH server (device), 53

logging in to login management Telnet server (device), 51

logging off online Web user, 67

maintaining device management configuration, 134

maintaining FTP connection, 82

maintaining login management CLI login, 54

maintaining login management Web login, 58

maintaining RBAC settings, 26

managing CLI display command output, 14

managing file system directories, 92

managing file system files, 94

managing FTP server directories, 81

monitoring device CPU usage, 130

moving file, 95

numbering CLI display command output lines, 10

obtaining RBAC temporary user role authorization, 26

pausing between CLI output screens, 10

preloading Boot ROM image, 111

preloading software upgrade image to Boot ROM (IRF-incapable devices), 111

preparing automatic configuration files, 156

preparing for software upgrade, 111

rebooting device, 121

rebooting device (CLI), 121

rebooting device (scheduled), 121

registering license, 147

registering license for first time, 147

registering upgrade license, 150, 150

releasing FTP server connection manually, 77

removing directory, 94

renaming file, 95

restoring device factory-default configuration, 133

restoring file, 96

restoring main next-startup configuration file, 106

restoring software upgrade Boot ROM image, 114

returning CLI user view, 2

returning to CLI upper-level view, 2

rolling back configuration, 104

saving CLI display command output to file, 13

saving CLI running configuration, 15

saving running configuration, 100, 101

scheduling device management task, 122, 124

setting configuration archive parameters, 102

setting device memory alarm thresholds, 130

setting device port status detection timer, 129

setting file/folder operation mode, 94, 96

setting login management Telnet packet DSCP value, 49

specifying next-startup configuration file, 105

specifying software upgrade startup image file (IRF-capable devices), 113

specifying software upgrade startup image file (IRF-incapable devices), 112

specifying startup image, 112

terminating FTP connection, 83

transferring license, 153

troubleshooting FTP connection, 82

troubleshooting RBAC local user access permissions, 38

troubleshooting RBAC login attempts by RADIUS users fail, 38

understanding CLI command-line error message, 8

upgrading software (IRF-capable devices), 115

upgrading software (IRF-incapable devices), 114

using CLI command alias, 5

using CLI command history buffered commands, 9

using CLI command history function, 8

using CLI command hotkey, 6

using CLI undo command form, 3

using Python, 137

using Tcl to configure the device, 135

verifying device transceiver module, 132, 132

viewing CLI display command output, 14

working with FTP server files, 81

Python

automatic configuration (HTTP server+Python script), 163

Comware V7, 137

extended API, 139

extended API functions, 139

script, 137

shell, 137

using, 137

R

RADIUS

RBAC RADIUS authentication user configuration, 29

RBAC temporary user role authorization, 35

RBAC

AAA authorization, 18

configuration, 16, 19, 27

default user role, 23

feature group configuration, 21

local AAA authentication user configuration, 27

non-AAA authorization, 18

permission assignment, 16

predefined user roles, 17

RADIUS authentication user configuration, 29

resource access policies, 17, 21

rule configuration restrictions, 20

settings display, 26

settings maintain, 26

temporary user role authorization, 26

temporary user role authorization (HWTACACS authentication), 31

temporary user role authorization (RADIUS authentication), 35

temporary user role authorization configuration, 24

temporary user role authorization configuration restrictions, 24

troubleshoot, 38

troubleshoot local user access permissions, 38

troubleshoot login attempts by RADIUS users fail, 38

user role assignment, 18, 22

user role authentication, 26

user role creation, 19

user role interface policy, 22

user role local AAA authentication, 23

user role non-AAA authentication, 24

user role remote AAA authentication, 23

user role rule configuration, 20

user role rules, 16

user role VLAN policy, 22

rebooting

device, 121

device (CLI), 121

device (scheduled), 121

recycle bin

file deletion, 96

redundancy

next-startup configuration file redundancy, 98

registering

first time registration, 147

license, 147

upgrade license, 150

remote

RBAC user role AAA authentication, 23

removing

file system directory, 94

renaming

file, 95

repeating

CLI command history buffered commands, 9

resource

RBAC resource access policies, 21

RESTful

login configuration (HTTP), 63

login configuration (HTTPS), 63

restoring

device factory-default configuration, 133

file, 96

main next-startup configuration file, 106

software upgrade Boot ROM image, 114

restrictions

automatic configuration DHCP server configuration (server-based), 157

days-restricted license, 144

device locked license, 144

device management task scheduling, 122

license management, 146

MPU locked license, 144

permanent license, 144

RBAC rule configuration, 20

RBAC temporary user role authorization configuration, 24

returning

CLI upper-level view, 2

CLI user view, 2

role

RBAC default user role, 23

RBAC predefined user roles, 17

RBAC temporary user role authorization, 24, 26

RBAC user role assignment, 18, 22

RBAC user role authentication, 26

RBAC user role creation, 19

RBAC user role interface policy, 22

RBAC user role local AAA authentication, 23

RBAC user role non-AAA authentication, 24

RBAC user role remote AAA authentication, 23

RBAC user role rule configuration, 20

RBAC user role VLAN policy, 22

role-based access control. Use RBAC

rolling back

configuration, 102, 104

routing

FTP configuration, 75

TFTP configuration, 87, 87

rule

CLI command history buffering rules, 9

RBAC command rule, 16

RBAC feature execute rule, 16

RBAC feature group rule, 16

RBAC feature read rule, 16

RBAC feature write rule, 16

RBAC OID rule, 16

RBAC user role rule configuration, 20

RBAC Web menu rule, 16

RBAC XML element rule, 16

running configuration

archiving, 102

archiving (manual), 104

CLI save, 15

device, 98

rollback, 102

saving (fast mode), 100, 101

saving (safe mode), 100, 101

S

safe saving running configuration, 100, 101

saving

CLI display command output to file, 13

CLI running configuration, 15

running configuration, 100, 101

scheduling

device management task, 122, 124

device reboot (scheduled), 121

scheme

login management CLI authentication mode, 43

login management CLI console common line settings, 45

login management CLI console scheme authentication, 45

script

extended Python API, 139

extended Python API functions, 139

Python, 137

scripting

automatic configuration (HTTP server+Python script), 163

automatic configuration (HTTP server+Tcl script), 161

security

configuration encryption, 99

login management command accounting, 72, 73

login management command authorization, 69, 70

login management login control (Telnet), 65

login management login control (Telnet, SSH), 65

login management SNMP access control, 67, 69

login management user device access control, 65

login management Web login control, 66, 67

login management Web login control (source IP-based), 66

login management Web user logoff, 67

RBAC configuration, 16, 19, 27

RBAC default user role, 23

RBAC feature group configuration, 21

RBAC local AAA authentication user configuration, 27

RBAC permission assignment, 16

RBAC RADIUS authentication user configuration, 29

RBAC resource access policies, 21

RBAC temporary user role authorization, 24, 26

RBAC temporary user role authorization (HWTACACS authentication), 31

RBAC temporary user role authorization (RADIUS authentication), 35

RBAC user role assignment, 18, 22

RBAC user role authentication, 26

RBAC user role creation, 19

RBAC user role interface policy, 22

RBAC user role local AAA authentication, 23

RBAC user role non-AAA authentication, 24

RBAC user role remote AAA authentication, 23

RBAC user role rule configuration, 20

RBAC user role VLAN policy, 22

server

automatic configuration, 155, 160, 160

automatic configuration (HTTP server+Python script), 163

automatic configuration (HTTP server+Tcl script), 161

automatic configuration DHCP server, 157

automatic configuration DNS server, 159

automatic configuration file preparation, 156

automatic configuration file server configuration, 156

automatic configuration gateway, 159

automatic configuration start, 159

FTP server directory management, 81

setting

configuration archive parameters, 102

device memory alarm thresholds, 130

device port status detection timer, 129

file/folder operation mode, 94, 96

login management Telnet packet DSCP value, 49

shell

device banner type, 119

Python, 137

single-line banner input method, 120

SNMP

access control, 67, 69

login management device access, 62

login management overview, 39

SNMPv1

login management SNMP device access, 62

SNMPv2

login management SNMP device access, 62

SNMPv3

login management SNMP device access, 62

software

upgrade. See software upgrade

software upgrade

Boot ROM image downgrade, 114

Boot ROM image preload, 111

Boot ROM image restore, 114

Boot ROM image type, 108

CLI method, 108

completion, 112

completion (IRF-capable devices), 113

completion (IRF-incapable devices), 112

Comware Boot image type, 108

Comware feature image, 108

Comware image loading, 108

Comware image redundancy, 108

Comware image type, 108

Comware patch image, 108

Comware system image type, 108

configuration (IRF-capable devices), 115

configuration (IRF-incapable devices), 114

file naming, 108

image preload to Boot ROM (IRF-incapable devices), 111

image settings display, 114

methods, 110

overview, 108

parent device tasks, 111

startup image file specification (IRF-capable devices), 113

startup image file specification (IRF-incapable devices), 112

startup image specification, 112

system startup, 109

upgrade preparation, 111

specifying

next-startup configuration file, 105

SSH

device as server login configuration, 52

login configuration, 52

login control, 65

login management overview, 39

server device login, 53

starting

automatic configuration, 159

starting up

Boot ROM image preload, 111

device configuration startup file selection, 99

next-startup configuration file, 105, 106

next-startup configuration file redundancy, 98

software upgrade configuration (IRF-capable devices), 115

software upgrade configuration (IRF-incapable devices), 114

software upgrade image preload to Boot ROM (IRF-incapable devices), 111

software upgrade startup image file specification (IRF-capable devices), 113

software upgrade startup image file specification (IRF-incapable devices), 112

software upgrade system startup, 109

startup image specification, 112

startup

device configuration), 98

storage

license management storage compression, 154

storage media

file system management, 89

format, 92

string type argument value (CLI), 4

system

software upgrade Boot ROM image downgrade, 114

software upgrade Boot ROM image restore, 114

software upgrade Comware feature image, 108

software upgrade Comware image loading, 108

software upgrade Comware image redundancy, 108

software upgrade Comware patch image, 108

software upgrade Comware system image type, 108

software upgrade startup process, 109

system administration

automatic configuration, 155, 155, 160, 160

automatic configuration (HTTP server+Python script), 163

automatic configuration (HTTP server+Tcl script), 161

automatic configuration DHCP server, 157

automatic configuration DNS server, 159

automatic configuration file preparation, 156

automatic configuration gateway, 159

automatic configuration start, 159

CLI command abbreviation, 5

CLI command alias configuration, 5

CLI command alias use, 5

CLI command entry, 3

CLI command history buffered commands, 9

CLI command history function use, 8

CLI command hotkey configuration, 6

CLI command hotkey use, 6

CLI command line editing, 3

CLI command redisplay, 8

CLI command-line error message, 8

CLI display command output filtering, 11

CLI display command output line numbering, 10

CLI display command output management, 14

CLI display command output save to file, 13

CLI display command output viewing, 14

CLI interface type value, 5

CLI online help access, 2

CLI output control, 10, 10

CLI running configuration save, 15

CLI string/text type argument value, 4

CLI system view entry from user view, 2

CLI undo command form, 3

CLI upper-level view return, 2

CLI use, 1

CLI user view return, 2

CLI view hierarchy, 1

configuration archive parameters, 102

configuration archiving (automatic), 103

configuration file encryption, 99

configuration file formats, 99

configuration file management, 98

configuration file next-startup file delete, 106

configuration rollback, 102, 104

device banner configuration, 119, 120

device banner input methods, 120

device banner types, 119

device configuration startup file selection, 99

device copyright statement display, 119

device CPU usage monitoring, 130

device factory-default configuration restore, 133

device management, 117, 117

device management task scheduling, 122, 124

device memory alarm thresholds, 130

device name configuration, 117

device password recovery capability disable, 129

device port status detection timer, 129

device reboot, 121

device reboot (CLI), 121

device reboot (scheduled), 121

device system time configuration, 117

device temperature alarm threshold, 132

device transceiver module diagnosis, 132, 133

device transceiver module verification, 132, 132

executing Comware commands, 135

extended Python API, 139

extended Python API functions, 139

extended Python API import, 139

extended Python API use, 139

file system directory management, 92

file system file management, 94

file system management, 89

FTP configuration, 75

login management CLI console authentication, 44

login management CLI console common line settings, 45

login management CLI console password authentication, 44

login management CLI console scheme authentication, 45

login management CLI local console port login, 43

login management CLI login authentication modes, 43

login management CLI login configuration, 42

login management CLI user lines, 42

login management CLI user roles, 43

login management command accounting, 72, 73

login management command authorization, 69, 70

login management console port login, 41

login management login control (Telnet), 65

login management login control (Telnet, SSH), 65

login management overview, 39

login management RESTful access (HTTP), 63

login management RESTful access (HTTPS), 63

login management SNMP access control, 67, 69

login management SSH device as server login configuration, 52

login management SSH login, 52

login management SSH server device login, 53

login management Telnet device as server, 47

login management Telnet login authentication disable, 48

login management Telnet login password authentication, 48

login management Telnet login scheme authentication, 49

login management Telnet packet DSCP value, 49

login management Telnet server device login, 51

login management Telnet server enable, 48

login management Telnet VTY common line settings, 50

login management user device access control, 65

login management Web login (HTTP), 55, 58

login management Web login (HTTPS), 56, 59

login management Web login configuration, 55, 58, 63

login management Web login control, 66, 67

login management Web login control (source IP-based), 66

login management Web user logoff, 67

main next-startup configuration file backup, 105

main next-startup configuration file restoration, 106

next-startup configuration file redundancy, 98

next-startup configuration file specification, 105

Python, 137

Python script execute, 137

Python shell, 137

running configuration archiving (manual), 104

running configuration save, 100

software upgrade, 108

software upgrade completion, 112

software upgrade completion (IRF-capable devices), 113

software upgrade completion (IRF-incapable devices), 112

Tcl usage, 135

TFTP configuration, 87

using Python, 137

Using Tcl, 135

T

task

device management task scheduling, 122, 124

Tcl

automatic configuration (HTTP server+Tcl script), 161

configuring the device, 135

executing Comware commands, 135

use, 135

TCP

device as FTP client, 80

device as FTP server, 75

FTP client connection establishment, 80

FTP configuration, 75

IPv4 TFTP client configuration, 87

IPv6 TFTP client configuration, 87

TFTP configuration, 87

Telnet

device as server configuration, 47

login authentication disable, 48

login control, 65, 65

login management overview, 39

login password authentication, 48

login scheme authentication, 49

packet DSCP value, 49

server device login, 51

server enable, 48

VTY common line settings, 50

temperature

device temperature alarm threshold, 132

terminating

FTP connection, 83

text file content display, 94

text type argument value (CLI), 4

TFTP, 87, See also FTP

automatic configuration, 155, 160, 160

automatic configuration file server configuration, 156

automatic configuration start, 159

configuration, 87

IPv4 client configuration, 87

IPv6 client configuration, 87

threshold

device CPU usage monitoring, 130

device memory alarm thresholds, 130

device temperature threshold alarm, 132

time

device system time configuration, 117

timer

device port status detection, 129

tool command language. Use Tcl

transceiver

device module diagnosis, 132, 133

device module verification, 132, 132

transferring

license, 153

Trivial File Transfer Protocol. Use TFTP

troubleshooting

FTP connection, 82

RBAC, 38

RBAC local user access permissions, 38

RBAC login attempts by RADIUS users fail, 38

U

undo command form (CLI), 3

upgrading

software. See software upgrade

user

interface, 39, See also user line

interface login management Telnet VTY common line settings, 50

login management login control (Telnet), 65

login management login control (Telnet, SSH), 65

login management SNMP access control, 67, 69

login management user device access control, 65

login management Web login control, 66, 67

login management Web login control (source IP-based), 66

login management Web user logoff, 67

user access

RBAC configuration, 16, 19, 27

RBAC feature group configuration, 21

RBAC local AAA authentication user configuration, 27

RBAC permission assignment, 16

RBAC predefined user roles, 17

RBAC RADIUS authentication user configuration, 29

RBAC resource access policies, 21

RBAC temporary user role authorization, 24, 26

RBAC temporary user role authorization (HWTACACS authentication), 31

RBAC temporary user role authorization (RADIUS authentication), 35

RBAC user role assignment, 18, 22

RBAC user role authentication, 26

RBAC user role creation, 19

RBAC user role interface policy, 22

RBAC user role local AAA authentication, 23

RBAC user role non-AAA authentication, 24

RBAC user role remote AAA authentication, 23

RBAC user role rule configuration, 20

RBAC user role rules, 16

RBAC user role VLAN policy, 22

using

automatic configuration, 155

CLI, 1

CLI command alias, 5

CLI command history function, 8

CLI command hotkey, 6

CLI undo command form, 3

device as FTP client, 80

device as FTP server, 75

Extended Python API, 139, 139

Python, 137

Tcl, 135

V

verifying

device transceiver modules, 132, 132

viewing

CLI display command output, 14

CLI upper-level view return, 2

VLAN

RBAC user role VLAN policy, 22

RBAC VLAN access policy, 17

VTY line settings, 50

W

Web

login configuration, 55, 58, 63

login configuration (HTTP), 55, 58

login configuration (HTTPS), 56, 59

login control configuration (source IP-based), 66

login display, 58

login maintain, 58

login management user logoff, 67

user access control, 66, 67

working with

FTP server files, 81

 

  • Cloud & AI
  • InterConnect
  • Intelligent Computing
  • Security
  • SMB Products
  • Intelligent Terminal Products
  • Product Support Services
  • Technical Service Solutions
All Services
  • Resource Center
  • Policy
  • Online Help
All Support
  • Become a Partner
  • Partner Resources
  • Partner Business Management
All Partners
  • Profile
  • News & Events
  • Online Exhibition Center
  • Contact Us
All About Us
新华三官网