Table of Contents
Entering system view from user view
Returning to the upper-level view from any view
Using the undo form of a command
Entering a text or string type value for an argument
Configuring and using command aliases
Configuring and using command hotkeys
Enabling redisplaying entered-but-not-submitted commands
Understanding command-line error messages
Using the command history feature
Repeating commands in the command history buffer for a line
Pausing between screens of output
Numbering each output line from a display command
Filtering the output from a display command
Saving the output from a display command to a file
Viewing and managing the output from a display command effectively
Saving the running configuration
Configuration restrictions and guidelines
Configuring resource access policies
Configuring the user role interface policy
Configuring the user role VLAN policy
Configuring the user role VPN instance policy
Enabling the default user role feature
Assigning user roles to remote AAA authentication users
Assigning user roles to local AAA authentication users
Assigning user roles to non-AAA authentication users on user lines
Configuring temporary user role authorization
Configuring user role authentication
Obtaining temporary user role authorization
Displaying and maintaining RBAC settings
RBAC configuration example for local AAA authentication users
RBAC configuration example for RADIUS authentication users
RBAC temporary user role authorization configuration example (HWTACACS authentication)
RBAC temporary user role authorization configuration example (RADIUS authentication)
Local users have more access permissions than intended
Login attempts by RADIUS users always fail
Using the console port for the first device access
Configuring local console login
Disabling authentication for console login
Configuring password authentication for console login
Configuring scheme authentication for console login
Configuring common AUX line settings
Configuring the device as a Telnet server
Using the device to log in to a Telnet server
Configuring the device as an SSH server
Using the device to log in to an SSH server
Displaying and maintaining CLI login
Accessing the device through SNMP
Configuring RESTful access over HTTP
Configuring RESTful access over HTTPS
Controlling user access to the device
Controlling Telnet and SSH logins
Configuring command authorization
Configuring command accounting
Using the device as an FTP server
Configuring authentication and authorization
Manually releasing FTP connections
Displaying and maintaining the FTP server
FTP server configuration example (in standalone mode)
FTP server configuration example (in IRF mode)
Using the device as an FTP client
Establishing an FTP connection
Managing directories on the FTP server
Working with files on the FTP server
Changing to another user account
Maintaining and troubleshooting the FTP connection
Terminating the FTP connection
Displaying command help information
Displaying and maintaining the FTP client
FTP client configuration example (in standalone mode)
FTP client configuration example (in IRF mode)
Configuring the device as an IPv4 TFTP client
Configuring the device as an IPv6 TFTP client
Specifying a directory name or file name
File system management restrictions and guidelines
Managing storage media and file systems
Mounting or unmounting a file system
Displaying directory information
Displaying the working directory
Changing the working directory
Archiving/extracting directories
Setting the operation mode for directories
Displaying the contents of a text file
Compressing/decompressing a file
Deleting files from the recycle bin
Setting the operation mode for files
Next-startup configuration file redundancy
Startup configuration file selection
Configuration file content organization and format
Enabling configuration encryption
Comparing configurations for their differences
Saving the running configuration
Using different methods to save the running configuration
Configuring configuration commit delay
Specifying a next-startup configuration file
Backing up the main next-startup configuration file to a TFTP server
Restoring the main next-startup configuration file from a TFTP server
Deleting a next-startup configuration file
Displaying and maintaining configuration files
Software file naming conventions
Comware image redundancy and loading procedure
Upgrade restrictions and guidelines
Preloading the BootWare image to BootWare (in standalone mode)
Preloading the BootWare image to BootWare (in IRF mode)
Specifying startup images and completing the upgrade (in standalone mode)
Specifying startup images and completing the upgrade (in IRF mode)
Restoring or downgrading the BootWare image
Enabling software synchronization from the active MPU to the standby MPU at startup
Displaying and maintaining software image settings
Software upgrade example (in standalone mode)
Software upgrade example (in IRF mode)
Identifying availability of ISSU and licensing requirements
Verifying the device operating status
Determining the upgrade procedure
Adjusting and saving the running configuration
Logging in to the device through the console port
Performing an ISSU by using issu commands
Performing a compatible upgrade
Performing an incompatible upgrade
Performing an ISSU by using install commands
Installing or upgrading software images
Rolling back the running software images
Aborting a software activate/deactivate operation
Deleting inactive software images
Displaying and maintaining ISSU
Example of using issu commands for ISSU
Example of using install commands for software patching
Enabling displaying the copyright statement
Setting the system operating mode
Rebooting devices immediately from the CLI
Schedule configuration example
Disabling password recovery capability
Disabling BootWare menu access
Setting the port status detection timer
Setting memory alarm thresholds
Configuring the temperature alarm thresholds
Configuring hardware failure detection and protection
Verifying and diagnosing transceiver modules
Diagnosing transceiver modules
Restoring the factory-default configuration
Displaying and maintaining device management configuration
Using Tcl to configure the device
Executing Comware commands in Tcl configuration view
Importing and using the Comware 7 extended Python API
Comware 7 extended Python API functions
General restrictions and guidelines
Licenses for different device types
Compressing the license storage
Registering and activating a license
Displaying and maintaining licenses
Displaying and maintaining preprovisioned settings
Using server-based automatic configuration
Server-based automatic configuration task list
Preparing the files for automatic configuration
Preparing the interface used for automatic configuration
Starting and completing automatic configuration
Server-based automatic configuration examples
Automatic configuration using TFTP server
Automatic configuration using HTTP server and Tcl script
Automatic configuration using HTTP server and Python script
Using the CLI
At the command-line interface (CLI), you can enter text commands to configure, manage, and monitor the device. The following text is displayed when you access the CLI:
******************************************************************************
* Copyright (c) 2004-2016 Hangzhou H3C Tech. Co., Ltd. All rights reserved. *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
<Sysname>
You can use different methods to log in to the CLI, including through the console port, Telnet, and SSH. For more information about login methods, see "Login overview."
CLI views
Commands are grouped in different views by feature. To use a command, you must enter its view.
CLI views are hierarchically organized, as shown in Figure 1. Each view has a unique prompt, from which you can identify where you are and what you can do. For example, the prompt [Sysname-vlan100] shows that you are in VLAN 100 view and can configure attributes for that VLAN.
You are placed in user view immediately after you log in to the CLI. The user view prompt is <Device-name>, where Device-name indicates the device name. The device name is Sysname by default. You can change it by using the sysname command.
In user view, you can perform the following tasks:
· Perform basic operations including display, debug, file management, FTP, Telnet, clock setting, and reboot.
· Enter system view. The system view prompt is [Device-name].
In system view, you can perform the following tasks:
· Configure settings that affect the device as a whole, such as the daylight saving time, banners, and hotkeys.
· Enter different feature views.
For example, you can perform the following tasks:
  - Enter interface view to configure interface parameters.
  - Enter VLAN view to add ports to the VLAN.
  - Enter user line view to configure login user attributes.
A feature view might have child views. For example, NQA operation view has the child view HTTP operation view.
To display all commands available in a view, enter a question mark (?) at the view prompt.
Entering system view from user view
Task | Command
Enter system view. | system-view
Returning to the upper-level view from any view
Task | Command
Return to the upper-level view from any view. | quit
Executing the quit command in user view terminates your connection to the device.
In public key view, use the peer-public-key end command to return to system view.
Returning to user view
To return directly to user view from any other view, use the return command or press Ctrl+Z.
Task | Command
Return directly to user view. | return
Accessing the CLI online help
The CLI online help is context sensitive. Enter a question mark at any prompt or in any position of a command to display all available options.
To access the CLI online help, use one of the following methods:
· Enter a question mark at a view prompt to display the first keyword of every command available in the view. For example:
User view commands:
archive Archive configuration
arp Address Resolution Protocol (ARP) module
backup Backup operation
...
· Enter a space and a question mark after a command keyword to display all available keywords and arguments.
  - If the question mark is in the place of a keyword, the CLI displays all possible keywords, each with a brief description. For example:
<Sysname> terminal ?
debugging Enable to display debugging logs on the current terminal
logging Display logs on the current terminal
monitor Enable to display logs on the current terminal
  - If the question mark is in the place of an argument, the CLI displays the description for the argument. For example:
<Sysname> system-view
[Sysname] interface vlan-interface ?
<1-4094> Vlan-interface interface number
[Sysname] interface vlan-interface 1 ?
<cr>
[Sysname] interface vlan-interface 1
<1-4094> is the value range for the argument. <cr> indicates that the command is complete and you can press Enter to execute the command.
· Enter an incomplete keyword string followed by a question mark to display all keywords starting with that string. The CLI also displays the descriptions for the keywords. For example:
<Sysname> f?
fdisk Partition a storage medium
fixdisk Check and repair a storage medium
format Format a storage medium
free Release a line
ftp Open an FTP connection
<Sysname> display ftp?
ftp FTP module
ftp-server FTP server information
ftp-user FTP user information
Using the undo form of a command
Most configuration commands have an undo form for the following tasks:
· Canceling a configuration.
· Restoring the default.
· Disabling a feature.
For example, the info-center enable command enables the information center. The undo info-center enable command disables the information center.
Entering a command
When you enter a command, you can perform the following tasks:
· Use keys or hotkeys to edit the command line.
· Use abbreviated keywords or keyword aliases.
Editing a command line
To edit a command line, use the keys listed in Table 1 or the hotkeys listed in Table 4. When you are finished, you can press Enter to execute the command.
Table 1 Command line editing keys
Keys | Function
Common keys | If the edit buffer is not full, pressing a common key inserts a character at the cursor and moves the cursor to the right. The edit buffer can store up to 511 characters. Unless the buffer is full, all common characters that you enter before pressing Enter are saved in the edit buffer.
Backspace | Deletes the character to the left of the cursor and moves the cursor back one character.
Left arrow key (←) | Moves the cursor one character to the left.
Right arrow key (→) | Moves the cursor one character to the right.
Up arrow key (↑) | Displays the previous command in the command history buffer.
Down arrow key (↓) | Displays the next command in the command history buffer.
Tab | If you press Tab after typing part of a keyword, the system automatically completes the keyword. · If a unique match is found, the system displays the complete keyword. · If there is more than one match, press Tab multiple times to pick the keyword you want to enter. · If there is no match, the system does not modify what you entered but displays it again in the next line.
The total length of a command line cannot exceed 512 characters, including spaces and special characters.
The device supports the following special commands:
· #–Used by the system in a configuration file as separators for adjacent sections.
· version–Used by the system in a configuration file to indicate the software version information. For example, version 7.1.xxx, Release xxx.
These commands are special because of the following reasons:
· These commands are not intended for you to use at the CLI.
· You can enter these commands in any view, or enter any values for them. For example, you can enter # abc or version abc. However, the settings do not take effect.
· The device does not provide any online help information for these commands.
Entering a text or string type value for an argument
A text type argument value can contain printable characters except a question mark (?).
A string type argument value can contain any printable characters except for the following characters:
· Question mark (?).
· Quotation mark (").
· Backward slash (\).
· Space.
A specific argument might have more requirements. For more information, see the relevant command reference.
To enter a printable character, you can enter the character or its ASCII code in the range of 32 to 126.
Entering an interface type
You can enter an interface type in one of the following formats:
· Full spelling of the interface type.
· An abbreviation that uniquely identifies the interface type.
· Acronym of the interface type.
For a command line, all interface types are case insensitive. Table 2 shows the full spellings and acronyms of interface types.
For example, to use the interface command to enter the view of interface HundredGigE 1/0/1, you can enter the command line in the following formats:
· interface hundredgige 1/0/1
· interface h 1/0/1
· interface hge 1/0/1
A space between the interface type and the interface number is not required, so interface hge1/0/1 is also accepted.
Table 2 Full spellings and acronyms of interface types
Full spelling | Acronym
Bridge-Aggregation | BAGG
FortyGigE | FGE
GigabitEthernet | GE
HundredGigE | HGE
InLoopBack | InLoop
LoopBack | Loop
M-GigabitEthernet | MGE
Multicast Tunnel | MTunnel
NULL | NULL
Register-Tunnel | REG
Route-Aggregation | RAGG
Ten-GigabitEthernet | XGE
Tunnel | Tun
Vfc | Vfc
Vsi-interface | Vsi
Vlan-interface | Vlan-int
Abbreviating commands
You can enter a command line quickly by entering incomplete keywords that uniquely identify the complete command. In user view, for example, commands starting with an s include startup saved-configuration and system-view. To enter the command system-view, you only need to type sy. To enter the command startup saved-configuration, type st s.
You can also press Tab to complete an incomplete keyword.
Configuring and using command aliases
You can configure one or more aliases for a command or the starting keywords of commands. Then, you can use the aliases to execute the command or commands. If the command or commands have undo forms, you can also use the aliases to execute the undo command or commands.
For example, if you configure the alias shiprt for display ip routing-table, you can enter shiprt to execute the display ip routing-table command. If you configure the alias ship for display ip, you can use ship to execute all commands starting with display ip:
· Enter ship routing-table to execute the display ip routing-table command.
· Enter ship interface to execute the display ip interface command.
Usage guidelines
After you successfully execute a command by using an alias, the system saves the command, instead of the alias, to the running configuration.
The command string represented by an alias can include a maximum of nine parameters. Each parameter starts with the dollar sign ($) and a sequence number in the range of 1 to 9. For example, you can configure the alias shinc for the display $1 | include $2 command. Then, you can enter shinc hotkey CTRL_C to execute the display hotkey | include CTRL_C command.
To use an alias for a command that has parameters, you must specify a value for each parameter. If you fail to do so, the system informs you that the command is incomplete and displays the command string represented by the alias.
The device has a set of system-defined command aliases, as listed in Table 3. System-defined command aliases cannot be deleted.
Table 3 System-defined command aliases
Command alias | Command or command keyword
access-list | acl
end | return
erase | delete
exit | quit
hostname | sysname
logging | info-center
no | undo
show | display
write | save
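To make the alias rules above concrete, here is an added Python model of alias expansion. It is example code written for this page, not Comware's implementation: it seeds the table with the system-defined aliases from Table 3, supports aliases for whole commands and for leading keywords, substitutes the $1 to $9 parameters, reports an incomplete command when a parameter value is missing, and expands the undo form. The class name, the exception name and the sample aliases are assumptions.

```python
import re

# System-defined aliases from Table 3; they cannot be deleted.
SYSTEM_ALIASES = {
    "access-list": "acl", "end": "return", "erase": "delete",
    "exit": "quit", "hostname": "sysname", "logging": "info-center",
    "no": "undo", "show": "display", "write": "save",
}


class IncompleteCommand(Exception):
    """Raised when an alias with $N parameters is used without all of them."""

    def __init__(self, template):
        super().__init__(f"% Incomplete command. Alias represents: {template}")
        self.template = template


class AliasTable:
    """Hypothetical model of the device alias table (added example, not Comware code)."""

    def __init__(self):
        self.aliases = dict(SYSTEM_ALIASES)

    def alias(self, name, command):
        """Equivalent of the 'alias alias command' command in system view."""
        self.aliases[name] = command

    def undo_alias(self, name):
        if name in SYSTEM_ALIASES:
            raise ValueError(f"{name} is system-defined and cannot be deleted")
        self.aliases.pop(name, None)

    def expand(self, line):
        """Return the command line the device actually executes (and saves to
        the running configuration in place of the alias) for an entered line."""
        words = line.split()
        if not words:
            return line
        # 'undo <alias> ...' executes the undo form of the aliased command.
        if words[0] == "undo" and len(words) > 1:
            return "undo " + self.expand(" ".join(words[1:]))
        if words[0] not in self.aliases:
            return " ".join(words)
        template, args = self.aliases[words[0]], words[1:]
        params = sorted({int(n) for n in re.findall(r"\$([1-9])", template)})
        if not params:
            # Alias for a whole command or for its leading keywords: the rest of
            # the line is appended unchanged. 'no' maps to 'undo', so the result
            # is expanded once more to resolve an alias that follows it.
            rest = " ".join([template] + args)
            return self.expand(rest) if template == "undo" else rest
        if len(args) < max(params):
            raise IncompleteCommand(template)
        expanded = template
        for n in params:
            expanded = expanded.replace(f"${n}", args[n - 1])
        # Any words beyond the last parameter are passed through.
        return " ".join([expanded] + args[max(params):])
```

With the aliases from the text configured (shiprt, ship and shinc), expand("shinc hotkey CTRL_C") yields display hotkey | include CTRL_C, and expand("shinc hotkey") raises IncompleteCommand carrying the template display $1 | include $2, which is what the device shows when a parameter is missing.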
Configuration procedure
To configure a command alias:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Configure a command alias. | alias alias command | By default, the device has a set of command aliases, as listed in Table 3.
3. (Optional.) Display command aliases. | display alias [ alias ] | This command is available in any view.
Configuring and using command hotkeys
The system defines the hotkeys shown in Table 4 and provides a set of configurable command hotkeys. Pressing a command hotkey is the same as entering a command.
If a hotkey is also defined by the terminal software you are using to interact with the device, the terminal software definition takes effect.
To configure a command hotkey:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Assign a command to a configurable command hotkey. | hotkey { ctrl_g | ctrl_l | ctrl_o | ctrl_t | ctrl_u } command | The following are the defaults: · Ctrl+G is assigned the display current-configuration command. · Ctrl+L is assigned the display ip routing-table command. · Ctrl+O is assigned the undo debugging all command. · No command is assigned to Ctrl+T or Ctrl+U.
3. (Optional.) Display hotkeys. | display hotkey | This command is available in any view.
Table 4 System-reserved hotkeys
Hotkey | Function
Ctrl+A | Moves the cursor to the beginning of a line.
Ctrl+B | Moves the cursor one character to the left.
Ctrl+C | Stops the current command.
Ctrl+D | Deletes the character at the cursor.
Ctrl+E | Moves the cursor to the end of a line.
Ctrl+F | Moves the cursor one character to the right.
Ctrl+H | Deletes the character to the left of the cursor.
Ctrl+K | Aborts the connection request.
Ctrl+N | Displays the next command in the history buffer.
Ctrl+P | Displays the previous command in the history buffer.
Ctrl+R | Redisplays the current line.
Ctrl+V | Pastes text from the clipboard.
Ctrl+W | Deletes the word to the left of the cursor.
Ctrl+X | Deletes all characters to the left of the cursor.
Ctrl+Y | Deletes all characters from the cursor to the end of the line.
Ctrl+Z | Returns to user view.
Ctrl+] | Terminates the current connection.
Esc+B | Moves the cursor back one word.
Esc+D | Deletes all characters from the cursor to the end of the word.
Esc+F | Moves the cursor forward one word.
Esc+N | Moves the cursor down one line. You can use this hotkey before pressing Enter.
Esc+P | Moves the cursor up one line. You can use this hotkey before pressing Enter.
Esc+< | Moves the cursor to the beginning of the clipboard.
Esc+> | Moves the cursor to the end of the clipboard.
Enabling redisplaying entered-but-not-submitted commands
Your input might be interrupted by system information output. If redisplaying entered-but-not-submitted commands is enabled, the system redisplays your input after finishing the output. You can then continue entering the command line.
To enable redisplaying entered-but-not-submitted commands:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enable redisplaying entered-but-not-submitted commands. | info-center synchronous | By default, the system does not redisplay entered-but-not-submitted commands. For more information about this command, see Network Management and Monitoring Command Reference.
Understanding command-line error messages
After you press Enter to submit a command, the command line interpreter examines the command syntax.
· If the command passes syntax check, the CLI executes the command.
· If the command fails syntax check, the CLI displays an error message.
Table 5 Common command-line error messages
Error message | Cause
% Unrecognized command found at '^' position. | The keyword in the marked position is invalid.
% Incomplete command found at '^' position. | One or more required keywords or arguments are missing.
% Ambiguous command found at '^' position. | The entered character sequence matches more than one command.
% Too many parameters. | The entered character sequence contains excessive keywords or arguments.
% Wrong parameter found at '^' position. | The argument in the marked position is invalid.
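The following added Python example models how the CLI resolves abbreviated keywords (see "Abbreviating commands") and produces the keyword-related messages in Table 5. It is example code written for this page, not the device's parser: the command tree is a small hypothetical subset of the user view commands shown earlier in this chapter, it contains keywords only, so the "% Wrong parameter" message for bad argument values is not modelled, and the function and class names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical subset of the user view command tree; "<cr>" marks a point
# at which the command is complete and Enter can be pressed.
COMMANDS = {
    "display": {
        "alias": {"<cr>": True},
        "ftp": {"<cr>": True},
        "ftp-server": {"<cr>": True},
        "ftp-user": {"<cr>": True},
        "hotkey": {"<cr>": True},
    },
    "save": {"<cr>": True},
    "startup": {"saved-configuration": {"<cr>": True}},
    "system-view": {"<cr>": True},
    "terminal": {"debugging": {"<cr>": True}, "logging": {"<cr>": True},
                 "monitor": {"<cr>": True}},
}


@dataclass
class Result:
    ok: bool
    text: str                      # the full command, or the error message
    column: Optional[int] = None   # where the '^' marker goes, for errors


def candidates(node, word):
    """Keywords in 'node' that 'word' abbreviates. An exact match wins, so
    'ftp' is not ambiguous even though 'ftp-server' also starts with it."""
    keywords = [k for k in node if k != "<cr>"]
    if word in keywords:
        return [word]
    return [k for k in keywords if k.startswith(word)]


def resolve(line, tree=COMMANDS):
    """Expand an abbreviated command line, or return the Table 5 error."""
    node, full, pos = tree, [], 0
    for word in line.split():
        pos = line.index(word, pos)          # column of this word, for '^'
        if not [k for k in node if k != "<cr>"]:
            return Result(False, "% Too many parameters.")
        match = candidates(node, word)
        if not match:
            return Result(False, "% Unrecognized command found at '^' position.", pos)
        if len(match) > 1:
            return Result(False, "% Ambiguous command found at '^' position.", pos)
        full.append(match[0])
        node = node[match[0]]
        pos += len(word)
    if not node.get("<cr>"):
        return Result(False, "% Incomplete command found at '^' position.", len(line))
    return Result(True, " ".join(full))


def complete(line, tree=COMMANDS):
    """Keywords offered for the last (partial) word, as Tab or '?' would list."""
    words = line.split()
    if not words or line.endswith(" "):
        words.append("")
    node = tree
    for word in words[:-1]:
        match = candidates(node, word)
        if len(match) != 1:
            return []
        node = node[match[0]]
    return candidates(node, words[-1])


def render(line, result):
    """Echo the line, the caret line and the message the way the CLI does."""
    if result.ok or result.column is None:
        return result.text
    return f"{line}\n{' ' * result.column}^\n{result.text}"
```

resolve("sy") and resolve("st s") expand to system-view and startup saved-configuration, the two cases in "Abbreviating commands"; resolve("s") is ambiguous because save, startup and system-view all match, and resolve("display f") is ambiguous among the three ftp keywords, with the caret placed under the offending word.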
Using the command history feature
The system automatically saves commands successfully executed by a login user to the following two command history buffers:
· Command history buffer for the user line.
· Command history buffer for all user lines.
Table 6 Comparison between the two types of command history buffers
Item | Command history buffer for a user line | Command history buffer for all user lines
What kind of commands are saved in the buffer? | Commands successfully executed by the current user of the user line. | Commands successfully executed by all login users.
Cleared when the user logs out? | Yes. | No.
How to view buffered commands? | Use the display history-command command. | Use the display history-command all command.
How to recall a buffered command? | · (Method 1.) Navigate to the command in the buffer and press Enter. · (Method 2.) Use the repeat command. For more information, see "Repeating commands in the command history buffer for a line." | You cannot recall buffered commands.
How to set the buffer size? | Use the history-command max-size size-value command in user line view to set the buffer size. By default, the buffer can store up to 10 commands. | You cannot set the buffer size. The buffer can store up to 1024 commands.
How to disable the buffer? | Setting the buffer size to 0 disables the buffer. | You cannot disable the buffer.
Command buffering rules
The system follows these rules when buffering commands:
· If you use incomplete keywords when entering a command, the system buffers the command in the exact form that you used.
· If you use an alias when entering a command, the system transforms the alias to the represented command or command keywords before buffering the command.
· If you enter a command in the same format multiple times in succession, the system buffers the command only once. If you enter a command in different formats multiple times, the system buffers each command format. For example, display cu and display current-configuration are buffered as two entries but successive repetitions of display cu create only one entry.
· To buffer a new command when a buffer is full, the system deletes the oldest command entry in the buffer.
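The buffering rules above, as an added Python model written for this page (not the device's implementation). It keeps the per-line buffer and the shared all-lines buffer side by side with the defaults from Table 6, records only commands that executed successfully, stores a command entered repeatedly in the same form once, evicts the oldest entry when a buffer is full, treats size 0 as disabled, and resolves an alias before buffering. The class names and the three-entry alias map used for that last rule are assumptions.

```python
from collections import deque

# Minimal alias map so that the alias rule can be shown; the device applies
# its full alias table (see "Configuring and using command aliases").
ALIASES = {"show": "display", "no": "undo", "write": "save"}


def expand_alias(line):
    words = line.split()
    if words and words[0] in ALIASES:
        words[0] = ALIASES[words[0]]
    return " ".join(words)


class HistoryBuffer:
    """One command history buffer (added example, not Comware code)."""

    def __init__(self, max_size):
        self.max_size = max_size
        self.entries = deque()

    def record(self, command):
        if self.max_size == 0:                  # size 0 disables the buffer
            return
        if self.entries and self.entries[-1] == command:
            return                              # same form in succession: one entry
        while len(self.entries) >= self.max_size:
            self.entries.popleft()              # drop the oldest entry when full
        self.entries.append(command)

    def resize(self, max_size):
        """history-command max-size: shrinking discards the oldest entries."""
        self.max_size = max_size
        while len(self.entries) > max_size:
            self.entries.popleft()

    def clear(self):
        self.entries.clear()

    def recall(self, index):
        """Entry for repeat: 1 is the most recently executed command."""
        return self.entries[-index]


class CliSession:
    """A user line with its own buffer plus the buffer shared by all lines."""

    shared = HistoryBuffer(1024)   # all user lines: fixed size, never cleared

    def __init__(self, line_max_size=10):
        self.line = HistoryBuffer(line_max_size)

    def execute(self, line, ok=True):
        """'ok' stands for whether the command passed the syntax check and ran."""
        command = expand_alias(line)            # alias resolved before buffering
        if ok:                                  # only successful commands are kept
            self.line.record(command)
            CliSession.shared.record(command)
        return command

    def history(self):
        return list(self.line.entries)          # display history-command

    def logout(self):
        self.line.clear()                       # per-line buffer is cleared on logout
```

Running display cu twice and then display current-configuration leaves two entries, display cu and display current-configuration, exactly as the text describes; show version is buffered as display version; a command that fails the syntax check is not buffered at all.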
Repeating commands in the command history buffer for a line
You can recall and execute commands in the command history buffer for the current user line multiple times.
To repeat commands in the command history buffer for the current user line:
Task | Command | Remarks
Repeat commands in the command history buffer for the current CLI session. | repeat [ number ] [ count times ] [ delay seconds ] | This command is available in any view. However, to repeat a command, you must first enter the view for the command. To repeat multiple commands, you must first enter the view for the first command. This command executes commands in the order they were executed. The system waits for your interaction when it repeats an interactive command.
Controlling the CLI output
This section describes the CLI output control features that help you identify the desired output.
Pausing between screens of output
By default, the system automatically pauses after displaying a maximum of 24 lines if the output is too long to fit on one screen. You can change the limit by using the screen-length screen-length command. For more information about this command, see Fundamentals Command Reference.
At a pause, the system displays ----more----. You can use the keys described in "Output controlling keys" to display more information or stop the display.
You can also disable pausing between screens of output for the current session. Then, all output is displayed at one time and the screen is refreshed continuously until the final screen is displayed.
Output controlling keys
Keys | Function
Space | Displays the next screen.
Enter | Displays the next line.
Ctrl+C | Stops the display and cancels the command execution.
<PageUp> | Displays the previous page.
<PageDown> | Displays the next page.
Disabling pausing between screens of output
To disable pausing between screens of output, execute the following command in user view:
Task | Command | Remarks
Disable pausing between screens of output for the current CLI session. | screen-length disable | By default, a CLI session uses the screen-length screen-length command settings in user line view. This command is a one-time command and takes effect only for the current CLI session.
Numbering each output line from a display command
You can use the | by-linenum option to prefix each display command output line with a number for easy identification.
Each line number is displayed as a 5-character string and might be followed by a colon (:) or hyphen (-). If you specify both | by-linenum and | begin regular-expression for a display command, a hyphen is displayed for all lines that do not match the regular expression.
To number each output line from a display command:
Task | Command
Number each output line from a display command. | display command | by-linenum
For example:
# Display information about VLAN 999, numbering each output line.
<Sysname> display vlan 999 | by-linenum
1: VLAN ID: 999
2: VLAN type: Static
3: Route interface: Not configured
4: Description: VLAN 0999
5: Name: VLAN 0999
6: Tagged ports: None
7: Untagged ports: None
8:
Filtering the output from a display command
You can use the | { begin | exclude | include } regular-expression option to filter the display command output.
· begin—Displays the first line matching the specified regular expression and all subsequent lines.
· exclude—Displays all lines not matching the specified regular expression.
· include—Displays all lines matching the specified regular expression.
· regular-expression—A case-sensitive string of 1 to 256 characters, which can contain the special characters described in Table 7.
The required filtering time increases with the complexity of the regular expression. To abort the filtering process, press Ctrl+C.
Table 7 Special characters supported in a regular expression
Characters | Meaning | Examples
^ | Matches the beginning of a line. | "^u" matches all lines beginning with "u". A line beginning with "Au" is not matched.
$ | Matches the end of a line. | "u$" matches all lines ending with "u". A line ending with "uA" is not matched.
. (period) | Matches any single character. | ".s" matches "as" and "bs".
* | Matches the preceding character or string zero, one, or multiple times. | "zo*" matches "z" and "zoo", and "(zo)*" matches "zo" and "zozo".
+ | Matches the preceding character or string one or multiple times. | "zo+" matches "zo" and "zoo", but not "z".
| (vertical bar) | Matches the preceding or succeeding string. | "def|int" matches a line containing "def" or "int".
( ) | Matches the string in the parentheses, usually used together with the plus sign (+) or asterisk sign (*). | "(123A)" matches "123A". "408(12)+" matches "40812" and "408121212", but not "408".
\N | Matches the preceding strings in parentheses, with the Nth string repeated once. | "(string)\1" matches a string containing "stringstring". "(string1)(string2)\2" matches a string containing "string1string2string2". "(string1)(string2)\1\2" matches a string containing "string1string2string1string2".
[ ] | Matches a single character in the brackets. | "[16A]" matches a string containing 1, 6, or A; "[1-36A]" matches a string containing 1, 2, 3, 6, or A (- is a hyphen). To match the character "]", put it immediately after "[", for example, []abc]. There is no such limit on "[".
[^] | Matches a single character that is not in the brackets. | "[^16A]" matches a string that contains one or more characters except for 1, 6, or A, such as "abc". A match can also contain 1, 6, or A (such as "m16"), but it cannot contain these three characters only (such as 1, 16, or 16A).
{n} | Matches the preceding character n times. The number n must be a nonnegative integer. | "o{2}" matches "food", but not "Bob".
{n,} | Matches the preceding character n times or more. The number n must be a nonnegative integer. | "o{2,}" matches "foooood", but not "Bob".
{n,m} | Matches the preceding character n to m times. The numbers n and m must be nonnegative integers and n cannot be greater than m. | "o{1,3}" matches "fod", "food", and "foooood", but not "fd".
\< | Matches a string that starts with the pattern following \<. A string that contains the pattern is also a match if the characters preceding the pattern are not digits, letters, or underscores. | "\<do" matches "domain" and "doa".
\> | Matches a string that ends with the pattern preceding \>. A string that contains the pattern is also a match if the characters following the pattern are not digits, letters, or underscores. | "do\>" matches "undo" and "cdo".
\b | Matches a word that starts with the pattern following \b or ends with the pattern preceding \b. | "er\b" matches "never", but not "verb" or "erase". "\ber" matches "erase", but not "verb" or "never".
\B | Matches a word that contains the pattern but does not start or end with the pattern. | "er\B" matches "verb", but not "never" or "erase".
\w | Same as [A-Za-z0-9_], matches a digit, letter, or underscore. | "v\w" matches "vlan" and "service".
\W | Same as [^A-Za-z0-9_], matches a character that is not a digit, letter, or underscore. | "\Wa" matches "-a", but not "2a" or "ba".
\ | Escape character. If a special character listed in this table follows \, the specific meaning of the character is removed. | "\\" matches a string containing "\", "\^" matches a string containing "^", and "\\b" matches a string containing "\b".
For example:
# Display the running configuration, starting from the first configuration line that contains line.
<Sysname> display current-configuration | begin line
line class aux
 user-role network-admin
#
line class vty
 user-role network-operator
#
line aux 0
 user-role network-admin
#
line vty 0 63
 authentication-mode none
 user-role network-admin
 user-role network-operator
#
...
Note what this sample output reveals: VTY lines 0 through 63 have authentication-mode none together with the network-admin user role, so anyone who can reach the device over Telnet or SSH obtains administrator-level access without logging in. Filtering the running configuration this way is a quick check for such settings; see the CLI login and RBAC chapters of this guide for the authentication mode and user role settings to apply.
# Display brief information about interfaces in up state.
<Sysname> display interface brief | exclude DOWN
Brief information on interfaces in route mode:
Link: ADM - administratively down; Stby - standby
Protocol: (s) - spoofing
Interface Link Protocol Primary IP Description
InLoop0 UP UP(s) --
NULL0 UP UP(s) --
Vlan1 UP UP 192.168.1.83
Brief information on interfaces in bridge mode:
Link: ADM - administratively down; Stby - standby
Speed: (a) - auto
Duplex: (a)/A - auto; H - half; F - full
Type: A - access; T - trunk; H - hybrid
Interface Link Speed Duplex Type PVID Description
HGE1/0/1 UP 100G(a) F(a) A 1
# Display SNMP-related running configuration lines.
<Sysname> display current-configuration | include snmp
snmp-agent
snmp-agent community write private
snmp-agent community read public
snmp-agent sys-info version all
snmp-agent target-host trap address udp-domain 192.168.1.26 params securityname public
Saving the output from a display command to a file
A display command shows certain configuration and operation information of the device. Its output might vary over time or with user configuration or operation. You can save the output to a file for future retrieval or troubleshooting.
Use one of the following methods to save the output from a display command:
· Save the output to a separate file. Use this method if you want to use one file for a single display command.
· Append the output to the end of a file. Use this method if you want to use one file for multiple display commands.
To save the output from a display command to a file, use one of the following commands in any view:
Task |
Command |
Save the output from a display command to a separate file. |
display command > filename |
Append the output from a display command to the end of a file. |
display command >> filename |
For example:
# Save the VLAN 1 settings to a separate file named vlan.txt.
<Sysname> display vlan 1 > vlan.txt
# Verify that the VLAN 1 settings are saved to the file vlan.txt.
<Sysname> more vlan.txt
VLAN ID: 1
VLAN type: Static
Route interface: Not configured
Description: VLAN 0001
Name: VLAN 0001
Tagged ports: None
Untagged ports: None
# Append the VLAN 999 settings to the end of the file vlan.txt.
<Sysname> display vlan 999 >> vlan.txt
# Verify that the VLAN 999 settings are appended to the end of the file vlan.txt.
<Sysname> more vlan.txt
VLAN ID: 1
VLAN type: Static
Route interface: Not configured
Description: VLAN 0001
Name: VLAN 0001
Tagged ports: None
Untagged ports: None
VLAN ID: 999
VLAN type: Static
Route interface: Configured
IP address: 192.168.2.1
Subnet mask: 255.255.255.0
Description: For LAN Access
Name: VLAN 0999
Tagged ports: None
Untagged ports: None
Viewing and managing the output from a display command effectively
You can use the following methods in combination to filter and manage the output from a display command:
· Numbering each output line from a display command
· Filtering the output from a display command
· Saving the output from a display command to a file
To use multiple measures to view and manage the output from a display command effectively, execute the following command in any view:
Task |
Command |
View and manage the output from a display command effectively. |
display command [ | [ by-linenum ] { begin | exclude | include } regular-expression ] [ > filename | >> filename ] |
For example:
# Save the running configuration to a separate file named test.txt, with each line numbered.
<Sysname> display current-configuration | by-linenum > test.txt
# Append lines including snmp in the running configuration to the file test.txt.
<Sysname> display current-configuration | include snmp >> test.txt
# Display the first line that begins with user-group in the running configuration and all the following lines.
<Sysname> display current-configuration | by-linenum begin user-group
114: user-group system
115- #
116- return
// The colon (:) following a line number indicates that the line contains the string user-group. The hyphen (-) following a line number indicates that the line does not contain the string user-group.
Saving the running configuration
To make your configuration take effect after a reboot, save the running configuration to a configuration file by using the save command in any view. This command saves all commands that have been successfully executed, except for the one-time commands. Typical one-time commands include display commands used for displaying information and reset commands used for clearing information.
For more information about the save command, see Fundamentals Command Reference.
Configuring RBAC
Overview
Role-based access control (RBAC) controls user access to items and system resources based on user roles. In this chapter, items include commands, XML elements, and MIB nodes, and system resources include interfaces, VLANs, and VPN instances.
RBAC assigns access permissions to user roles that are created for different job functions. Users are given permission to access a set of items and resources based on the users' user roles. Because user roles are static in contrast to users, separating permissions from users enables simple permission authorization management. You only need to change the user role permissions, remove user roles, or assign new user roles in case of user changes. For example, you can change the user role permissions or assign new user roles to change the job responsibilities of a user.
Permission assignment
Use the following methods to assign permissions to a user role:
· Define a set of rules to determine accessible or inaccessible items for the user role. (See "User role rules.")
· Configure resource access policies to specify which resources are accessible to the user role. (See "Resource access policies.")
To use a command related to a system resource, a user role must have access to both the command and the resource.
For example, a user role has access to the vlan command and access only to VLAN 10. When the user role is assigned, you can use the vlan command to create VLAN 10 and enter its view. However, you cannot create any other VLANs. If the user role has access to VLAN 10 but does not have access to the vlan command, you cannot use the command to enter the view of VLAN 10.
When a user logs in to the device with any user role and enters <?> in a view, help information is displayed for the system-defined command aliases in the view. However, the user might not have the permission to access the command aliases. Whether the user can access the command aliases depends on the user role's permission to the commands corresponding to the aliases. For information about command aliases, see "Using the CLI."
A user that logs in to the device with any user role has access to the system-view, quit, and exit commands.
User role rules
User role rules permit or deny access to commands, XML elements, or MIB nodes. You can define the following types of rules for different access control granularities:
· Command rule—Controls access to a command or a set of commands that match a regular expression.
· Feature rule—Controls access to the commands of a feature by command type.
· Feature group rule—Controls access to the commands of features in a feature group by command type.
· XML element rule—Controls access to XML elements used for configuring the device.
· OID rule—Controls SNMP access to a MIB node and its child nodes. An OID is a dotted numeric string that uniquely identifies the path from the root node to a leaf node.
The commands, XML elements, and MIB nodes are controlled based on the following types:
· Read—Commands, XML elements, or MIB nodes that display configuration and maintenance information. For example, the display commands and the dir command.
· Write—Commands, XML elements, or MIB nodes that configure the features in the system. For example, the info-center enable command and the debugging command.
· Execute—Commands, XML elements, or MIB nodes that execute specific functions. For example, the ping command and the ftp command.
A user role can access the set of permitted commands, XML elements, and MIB nodes specified in the user role rules. The user role rules include predefined (identified by sys-n) and user-defined user role rules. For more information about the user role rule priority, see "Configuring user role rules."
Resource access policies
Resource access policies control access of a user role to system resources and include the following types:
· Interface policy—Controls access to interfaces.
· VLAN policy—Controls access to VLANs.
· VPN instance policy—Controls access to VPN instances.
Resource access policies do not control access to the interface, VLAN, or VPN instance options in the display commands. You can specify these options in the display commands if the options are permitted by any user role rule.
Predefined user roles
The system provides predefined user roles. These user roles have access to all system resources (interfaces, VLANs, and VPN instances). However, their access permissions differ, as shown in Table 8.
Among all of the predefined user roles, only network-admin and level-15 can perform the following tasks:
· Access the RBAC feature.
· Change the settings in user line view, including user-role, authentication-mode, protocol inbound, and set authentication password.
· Create, modify, and delete local users and local user groups. The other user roles can only modify their own passwords if they have permissions to configure local users and local user groups.
Table 8 Predefined roles and permissions matrix
User role name |
Permissions |
network-admin |
Accesses all features and resources in the system, except for the display security-logfile summary, info-center security-logfile directory, and security-logfile save commands. |
network-operator |
· Accesses the display commands for features and resources in the system. To display all accessible commands of the user role, use the display role command.
· Enables local authentication login users to change their own passwords.
· Accesses the command used for entering XML view.
· Accesses all read-type XML elements.
· Accesses all read-type MIB nodes. |
level-n (n = 0 to 15) |
· level-0—Has access to diagnostic commands, including ping, tracert, ssh2, telnet, and super. Level-0 access rights are configurable.
· level-1—Has access to the display commands of all features and resources in the system except for display history-command all. The level-1 user role also has all access rights of the level-0 user role. Level-1 access rights are configurable.
· level-2 to level-8, and level-10 to level-14—Have no access rights by default. Access rights are configurable.
· level-9—Has access to most of the features and resources in the system. If you are logged in with a local user account that has a level-9 user role, you can change the password in the local user account. The following are the major features and commands that the level-9 user role cannot access:
◦ RBAC non-debugging commands.
◦ Local users.
◦ File management.
◦ Device management.
◦ The display history-command all command.
· level-15—Has the same rights as network-admin. |
security-audit |
Security log manager. The user role has the following access rights to security log files:
· Accesses the commands for displaying and maintaining security log files (for example, the dir, display security-logfile summary, and more commands).
· Accesses the commands for managing security log files and the security log file system (for example, the info-center security-logfile directory, mkdir, and security-logfile save commands).
For more information about security log management, see Network Management and Monitoring Configuration Guide. For more information about file system management, see "Managing file systems."
Only the security-audit user role has access to security log files. You cannot assign the security-audit user role to non-AAA authentication users. |
User role assignment
You assign access rights to a user by assigning a minimum of one user role. The user can use the collection of items and resources accessible to all user roles assigned to the user. For example, you can access any interface to use the qos apply policy command if you are assigned the following user roles:
· User role A denies access to the qos apply policy command and permits access only to interface HundredGigE 1/0/1.
· User role B permits access to the qos apply policy command and all interfaces.
Depending on the authentication method, user role assignment has the following methods:
· AAA authorization—If scheme authentication is used, the AAA module handles user role assignment.
◦ If the user passes local authorization, the device assigns the user roles specified in the local user account.
◦ If the user passes remote authorization, the remote AAA server assigns the user roles specified on the server. The AAA server can be a RADIUS or HWTACACS server.
· Non-AAA authorization—When the user accesses the device without authentication or by passing password authentication on a user line, the device assigns user roles specified on the user line. This method also applies to SSH clients that use publickey or password-publickey authentication. User roles assigned to these SSH clients are specified in their respective device management user accounts.
For more information about AAA and SSH, see Security Configuration Guide. For more information about user lines, see "Login overview" and "Configuring CLI login."
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
Configuration task list
Tasks at a glance |
(Required.) Creating a user role |
(Required.) Configuring user role rules |
(Optional.) Configuring a feature group |
(Required.) Configuring resource access policies:
· Configuring the user role interface policy
· Configuring the user role VLAN policy
· Configuring the user role VPN instance policy |
(Optional.) Assigning user roles |
(Optional.) Configuring temporary user role authorization |
Creating a user role
In addition to the predefined user roles, you can create a maximum of 64 custom user roles for granular access control.
To create a user role:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Create a user role and enter its view. |
role name role-name |
By default, the system has the following predefined user roles:
· network-admin.
· network-operator.
· level-n (where n equals an integer in the range of 0 to 15).
· security-audit.
Among these user roles, only the permissions and descriptions of the level-0 to level-14 user roles are configurable. |
3. (Optional.) Configure a description for the user role. |
description text |
By default, a user role does not have a description. |
Configuring user role rules
You can configure user role rules to permit or deny the access of a user role to specific commands, XML elements, and MIB nodes.
Configuration restrictions and guidelines
When you configure RBAC user role rules, follow these restrictions and guidelines:
· You can configure a maximum of 256 user-defined rules for a user role. The total number of user-defined user role rules cannot exceed 1024.
· Any rule modification, addition, or removal for a user role takes effect only on users who are logged in with the user role after the change.
The following guidelines apply to non-OID rules:
· If two user-defined rules of the same type conflict, the rule with the higher ID takes effect. For example, a user role can use the tracert command but not the ping command if the user role contains rules configured by using the following commands:
◦ rule 1 permit command ping
◦ rule 2 permit command tracert
◦ rule 3 deny command ping
· If a predefined user role rule and a user-defined user role rule conflict, the user-defined user role rule takes effect.
The following guidelines apply to OID rules:
· The system compares an OID with the OIDs specified in user role rules, and it uses the longest match principle to select a rule for the OID. For example, a user role cannot access the MIB node with OID 1.3.6.1.4.1.25506.141.3.0.1 if the user role contains rules configured by using the following commands:
◦ rule 1 permit read write oid 1.3.6
◦ rule 2 deny read write oid 1.3.6.1.4.1
◦ rule 3 permit read write oid 1.3.6.1.4
· If the same OID is specified in multiple rules, the rule with the higher ID takes effect. For example, a user role can access the MIB node with OID 1.3.6.1.4.1.25506.141.3.0.1 if the user role contains rules configured by using the following commands:
◦ rule 1 permit read write oid 1.3.6
◦ rule 2 deny read write oid 1.3.6.1.4.1
◦ rule 3 permit read write oid 1.3.6.1.4.1
Configuration procedure
To configure rules for a user role:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter user role view. |
role name role-name |
N/A |
3. Configure rules for the user role. |
· Configure a command rule:
· Configure a feature rule:
· Configure a feature group rule:
· Configure an XML element rule:
· Configure an OID rule: |
By default, a user-defined user role does not have any rule or access to any command, XML element, or MIB node. Repeat this step to add a maximum of 256 rules to the user role.
When you configure feature rules, you can specify only features available in the system. Enter feature names the same as the feature names are displayed, including the case. |
Configuring a feature group
Use feature groups to bulk assign command access permissions to sets of features. In addition to the predefined feature groups, you can create a maximum of 64 custom feature groups and assign a feature to multiple feature groups.
To configure a feature group:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Create a feature group and enter its view. |
role feature-group name feature-group-name |
By default, the system has the following predefined feature groups:
· L2—Includes all Layer 2 commands.
· L3—Includes all Layer 3 commands.
These two groups are not user configurable. |
3. Add a feature to the feature group. |
feature feature-name |
By default, a feature group does not have any feature. Repeat this step to add multiple features to the feature group.
You can specify only features available in the system. Enter feature names the same as the feature names are displayed, including the case. |
Configuring resource access policies
Every user role has one interface policy, VLAN policy, and VPN instance policy. By default, these policies permit a user role to access any interface, VLAN, and VPN instance. You can configure the policies of a user-defined user role or a predefined level-n user role to limit its access to interfaces, VLANs, and VPN instances. The policy configuration takes effect only on users who are logged in with the user role after the configuration.
Configuring the user role interface policy
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter user role view. |
role name role-name |
N/A |
3. Enter user role interface policy view. |
interface policy deny |
By default, the interface policy of the user role permits access to all interfaces. This command denies the access of the user role to all interfaces if the permit interface command is not configured. |
4. (Optional.) Specify a list of interfaces accessible to the user role. |
permit interface interface-list |
By default, no accessible interfaces are configured in user role interface policy view. Repeat this step to add multiple accessible interfaces. |
Configuring the user role VLAN policy
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter user role view. |
role name role-name |
N/A |
3. Enter user role VLAN policy view. |
vlan policy deny |
By default, the VLAN policy of the user role permits access to all VLANs. This command denies the access of the user role to all VLANs if the permit vlan command is not configured. |
4. (Optional.) Specify a list of VLANs accessible to the user role. |
permit vlan vlan-id-list |
By default, no accessible VLANs are configured in user role VLAN policy view. Repeat this step to add multiple accessible VLANs. |
Configuring the user role VPN instance policy
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter user role view. |
role name role-name |
N/A |
3. Enter user role VPN instance policy view. |
vpn-instance policy deny |
By default, the VPN instance policy of the user role permits access to all VPN instances. This command denies the access of the user role to all VPN instances if the permit vpn-instance command is not configured. |
4. (Optional.) Specify a list of VPN instances accessible to the user role. |
permit vpn-instance vpn-instance-name&<1-10> |
By default, no accessible VPN instances are configured in user role VPN instance policy view. Repeat this step to add multiple accessible VPN instances. |
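The interface, VLAN and VPN instance policies above, together with the union rule from "User role assignment" (a user can use whatever any one of the assigned roles permits, and a resource-bound command needs both the command and the resource), are easy to get wrong when several roles are stacked on one account. The Python block below is an added example, not device code: it models a policy as "permit everything" by default or, after policy deny, "only the listed items", and checks the two examples the guide gives (user roles A and B with the qos apply policy command, and role1 limited to VLANs 10 to 20). The commands attribute stands for the set of commands a role's rules end up permitting; that simplification is the example's own.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ResourcePolicy:
    """One role's interface, VLAN or VPN instance policy.

    mode "permit" is the default: every resource is accessible.
    mode "deny" models '<type> policy deny': only items added with the
    corresponding permit command are accessible.
    """
    mode: str = "permit"
    permitted: frozenset = frozenset()

    def allows(self, item):
        return True if self.mode == "permit" else item in self.permitted


@dataclass(frozen=True)
class Role:
    name: str
    commands: frozenset = frozenset()   # commands the role's rules permit (simplified)
    interface_policy: ResourcePolicy = field(default_factory=ResourcePolicy)
    vlan_policy: ResourcePolicy = field(default_factory=ResourcePolicy)


def accessible_commands(roles):
    """A user may use any command permitted by at least one assigned role."""
    return frozenset().union(*(r.commands for r in roles))


def interface_allowed(roles, iface):
    """A resource is accessible if any assigned role's policy allows it."""
    return any(r.interface_policy.allows(iface) for r in roles)


def vlan_allowed(roles, vlan_id):
    return any(r.vlan_policy.allows(vlan_id) for r in roles)


def can_configure_interface(roles, command, iface):
    """A command bound to an interface needs the command AND the interface."""
    return command in accessible_commands(roles) and interface_allowed(roles, iface)


def can_configure_vlan(roles, command, vlan_id):
    return command in accessible_commands(roles) and vlan_allowed(roles, vlan_id)


# Roles A and B from "User role assignment" (constructed to match that text).
ROLE_A = Role(
    "A",
    commands=frozenset(),                       # qos apply policy is denied
    interface_policy=ResourcePolicy("deny", frozenset({"HundredGigE1/0/1"})),
)
ROLE_B = Role("B", commands=frozenset({"qos apply policy"}))   # all interfaces

# role1 from the local-AAA configuration example: VLANs 10 to 20 only.
ROLE1 = Role(
    "role1",
    commands=frozenset({"vlan"}),
    vlan_policy=ResourcePolicy("deny", frozenset(range(10, 21))),
)

if __name__ == "__main__":
    print(can_configure_interface([ROLE_A, ROLE_B], "qos apply policy", "HundredGigE1/0/2"))
    print(can_configure_vlan([ROLE1], "vlan", 30))
```

The union is taken separately over commands and over resources, which is what lets role B's command permission combine with role A's interface permission; a policy restriction in one role therefore never narrows what another assigned role grants.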
Assigning user roles
To control user access to the system, you must assign a minimum of one user role. Make sure a minimum of one user role among the user roles assigned by the server exists on the device. User role assignment procedure varies for remote AAA authentication users, local AAA authentication users, and non-AAA authentication users (see "User role assignment"). For more information about AAA authentication, see Security Configuration Guide.
Enabling the default user role feature
The default user role feature assigns the default user role to AAA-authenticated users if the authentication server (local or remote) does not assign any user roles to the users. These users are allowed to access the system with the default user role.
You can specify any user role existing in the system as the default user role.
To enable the default user role feature for AAA authentication users:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enable the default user role feature. |
role default-role enable [ role-name ] |
By default, the default user role feature is disabled. If you do not specify a user role, the default user role is network-operator. If the none authorization method is used for local users, you must enable the default user role feature. |
Assigning user roles to remote AAA authentication users
For remote AAA authentication users, user roles are configured on the remote authentication server. For information about configuring user roles for RADIUS users, see the RADIUS server documentation. For HWTACACS users, the role configuration must use the roles="role-1 role-2 … role-n" format, where user roles are space separated. For example, configure roles="level-0 level-1 level-2" to assign level-0, level-1, and level-2 to an HWTACACS user.
If the AAA server assigns the security-audit user role and other user roles to the same user, only the security-audit user role takes effect.
Assigning user roles to local AAA authentication users
Configure user roles for local AAA authentication users in their local user accounts. Every local user has a default user role. If this default user role is not suitable, remove it.
If a local user is the only user with the security-audit user role, the user cannot be deleted.
The security-audit user role is mutually exclusive with other user roles.
· When you assign the security-audit user role to a local user, the system requests confirmation to remove all the other user roles from the user.
· When you assign the other user roles to a local user who has the security-audit user role, the system requests confirmation to remove the security-audit role from the user.
To assign a user role to a local user:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Create a local user and enter its view. |
local-user user-name class { manage | network } |
N/A |
3. Authorize the user to have a user role. |
authorization-attribute user-role role-name |
Repeat this step to assign a maximum of 64 user roles to the user. By default, the network-operator user role is assigned to local users created by a network-admin or level-15 user. |
Assigning user roles to non-AAA authentication users on user lines
Specify user roles for the following two types of login users on the user lines:
· Users who use password authentication or no authentication.
· SSH clients that use publickey or password-publickey authentication. User roles assigned to these SSH clients are specified in their respective device management user accounts.
For more information about user lines, see "Login overview" and "Configuring CLI login." For more information about SSH, see Security Configuration Guide.
To assign a user role to non-AAA authentication users on a user line:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter user line view or user line class view. |
· Enter user line view:
· Enter user line class view: |
For information about the priority order and application scope of the settings in user line view and user line class view, see "Configuring CLI login." |
3. Specify a user role on the user line. |
user-role role-name |
Repeat this step to specify a maximum of 64 user roles on a user line. By default, the network-admin user role is specified on the AUX user line, and the network-operator user role is specified on any other user line. The device cannot assign the security-audit user role to non-AAA authentication users. |
Configuring temporary user role authorization
Temporary user role authorization allows you to obtain another user role without reconnecting to the device. This feature is useful when you want to use a user role temporarily to configure a feature.
Temporary user role authorization is effective only on the current login. This feature does not change the user role settings in the user account that you have been logged in with. The next time you are logged in with the user account, the original user role settings take effect.
Configuration guidelines
When you configure temporary user role authorization, follow these guidelines:
· To enable a user to obtain another user role without reconnecting to the device, you must configure user role authentication. Table 9 describes the available authentication modes and configuration requirements.
· If HWTACACS authentication is used, the following rules apply:
◦ The device uses the entered username and password to request role authentication, and it sends the username to the server in the username or username@domain-name format. Whether the domain name is included in the username depends on the user-name-format command in the HWTACACS scheme.
◦ To obtain a level-n user role, the user account on the server must have the target user role level or a level higher than the target user role. A user account that obtains the level-n user role can obtain any user role among level-0 through level-n.
◦ To obtain a non-level-n user role, make sure the user account on the server meets the following requirements:
- The account has a user privilege level.
- The HWTACACS custom attribute is configured for the account in the form of allowed-roles="role". The variable role represents the target user role.
· If RADIUS authentication is used, the following rules apply:
◦ The device does not use the username you enter to request user role authentication. It uses a username in the $enabn$ format. The variable n represents a user role level, and a domain name is not included in the username. You can always pass user role authentication when the password is correct.
◦ To obtain a level-n user role, you must create a user account for the level-n user role in the $enabn$ format on the RADIUS server. The variable n represents the target user role level. For example, to obtain the authorization of the level-3 user role, you can enter any username. The device uses the username $enab3$ to request user role authentication from the server.
◦ To obtain a non-level-n user role, you must perform the following tasks:
- Create the user account $enab0$ on the server.
- Configure the cisco-av-pair attribute for the account in the form of allowed-roles="role". The variable role represents the target user role.
· The device selects an authentication domain for user role authentication in the following order:
1. The ISP domain included in the entered username.
2. The default ISP domain.
· If you execute the quit command after obtaining user role authorization, you are logged out of the device.
Table 9 User role authentication modes
Keywords |
Authentication mode |
Description |
local |
Local password authentication only (local-only) |
The device uses the locally configured password for authentication. If no local password is configured for a user role in this mode, an AUX user can obtain the user role by either entering a string or not entering anything. |
scheme |
Remote AAA authentication through HWTACACS or RADIUS (remote-only) |
The device sends the username and password to the HWTACACS or RADIUS server for remote authentication. To use this mode, you must perform the following configuration tasks:
· Configure the required HWTACACS or RADIUS scheme, and configure the ISP domain to use the scheme for the user. For more information, see Security Configuration Guide.
· Add the user account and password on the HWTACACS or RADIUS server. |
local scheme |
Local password authentication first, and then remote AAA authentication (local-then-remote) |
Local password authentication is performed first. If no local password is configured for the user role in this mode:
· The device performs remote AAA authentication for VTY users.
· An AUX user can obtain another user role by either entering a string or not entering anything. |
scheme local |
Remote AAA authentication first, and then local password authentication (remote-then-local) |
Remote AAA authentication is performed first. Local password authentication is performed in either of the following situations:
· The HWTACACS or RADIUS server does not respond.
· The remote AAA configuration on the device is invalid. |
Configuring user role authentication
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Set an authentication mode. |
super authentication-mode { local | scheme } * |
By default, local-only authentication applies. |
3. (Optional.) Specify the default target user role for temporary user role authorization. |
super default role role-name |
By default, the default target user role is network-admin. |
4. Set a local authentication password for a user role. |
· In non-FIPS mode:
· In FIPS mode: |
Use this step for local password authentication. By default, no password is set. If you do not specify the role role-name option, the command sets a password for the default target user role. |
Obtaining temporary user role authorization
Perform the following task in user view:
Task |
Command |
Remarks |
Obtain the temporary authorization to use a user role. |
super [ role-name ] |
If you do not specify the role-name argument, you obtain the default target user role for temporary user role authorization. The operation fails after three consecutive unsuccessful password attempts. The user role must have the permission to execute the super command to obtain temporary user role authorization. |
Displaying and maintaining RBAC settings
Execute display commands in any view.
Task |
Command |
Display user role information. |
display role [ name role-name ] |
Display user role feature information. |
display role feature [ name feature-name | verbose ] |
Display user role feature group information. |
display role feature-group [ name feature-group-name ] [ verbose ] |
RBAC configuration examples
RBAC configuration example for local AAA authentication users
Network requirements
As shown in Figure 2, the switch performs local AAA authentication for the Telnet user. The user account for the Telnet user is user1@bbb, which is assigned user role role1.
Configure role1 to have the following permissions:
· Execute the read commands of any feature.
· Configure VLANs 10 to 20. Access to any other VLANs is denied.
Configuration procedure
# Assign an IP address to VLAN-interface 2 (the interface connected to the Telnet user).
<Switch> system-view
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0
[Switch-Vlan-interface2] quit
# Enable the Telnet server.
[Switch] telnet server enable
# Enable scheme authentication on the user lines for Telnet users.
[Switch] line vty 0 63
[Switch-line-vty0-63] authentication-mode scheme
[Switch-line-vty0-63] quit
# Enable local authentication and authorization for ISP domain bbb.
[Switch] domain bbb
[Switch-isp-bbb] authentication login local
[Switch-isp-bbb] authorization login local
[Switch-isp-bbb] quit
# Create user role role1.
[Switch] role name role1
# Configure rule 1 to permit the user role to access the read commands of all features.
[Switch-role-role1] rule 1 permit read feature
# Configure rule 2 to permit the user role to create VLANs and access commands in VLAN view.
[Switch-role-role1] rule 2 permit command system-view ; vlan *
# Change the VLAN policy to permit the user role to configure only VLANs 10 to 20.
[Switch-role-role1] vlan policy deny
[Switch-role-role1-vlanpolicy] permit vlan 10 to 20
[Switch-role-role1-vlanpolicy] quit
[Switch-role-role1] quit
# Create a device management user named user1 and enter local user view.
[Switch] local-user user1 class manage
# Set a plaintext password of aabbcc for the user.
[Switch-luser-manage-user1] password simple aabbcc
# Set the service type to Telnet.
[Switch-luser-manage-user1] service-type telnet
# Assign role1 to the user.
[Switch-luser-manage-user1] authorization-attribute user-role role1
# Remove the default user role (network-operator) from the user. This operation ensures that the user has only the permissions of role1.
[Switch-luser-manage-user1] undo authorization-attribute user-role network-operator
[Switch-luser-manage-user1] quit
Verifying the configuration
# Telnet to the switch, and enter the username and password to access the switch. (Details not shown.)
# Verify that you can create VLANs 10 to 20. This example uses VLAN 10.
<Switch> system-view
[Switch] vlan 10
[Switch-vlan10] quit
# Verify that you cannot create any VLAN other than VLANs 10 to 20. This example uses VLAN 30.
[Switch] vlan 30
Permission denied.
# Verify that you can use all read commands of any feature. This example uses display clock.
[Switch] display clock
09:31:56 UTC Sat 01/01/2011
[Switch] quit
# Verify that you cannot use the write or execute commands of any feature.
<Switch> debugging role all
Permission denied.
<Switch> ping 192.168.1.58
Permission denied.
RBAC configuration example for RADIUS authentication users
Network requirements
As shown in Figure 3, the switch uses the FreeRADIUS server to provide AAA service for login users, including the Telnet user. The user account for the Telnet user is hello@bbb, which is assigned user role role2.
User role role2 has the following permissions:
· Use all commands in ISP domain view.
· Use the read and write commands of the arp and radius features.
· Cannot access the read commands of the acl feature.
· Configure VLANs 1 to 20 and interfaces HundredGigE 1/0/1 to HundredGigE 1/0/4. Access to any other VLANs and interfaces is denied.
The switch and the FreeRADIUS server use a shared key of expert and authentication port 1812. The switch delivers usernames with their domain names to the server.
Configuration procedure
Make sure the settings on the switch and the RADIUS server match.
1. Configure the switch:
# Assign VLAN-interface 2 an IP address from the same subnet as the Telnet user.
<Switch> system-view
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0
[Switch-Vlan-interface2] quit
# Assign VLAN-interface 3 an IP address from the same subnet as the RADIUS server.
[Switch] interface vlan-interface 3
[Switch-Vlan-interface3] ip address 10.1.1.2 255.255.255.0
[Switch-Vlan-interface3] quit
# Enable the Telnet server.
[Switch] telnet server enable
# Enable scheme authentication on the user lines for Telnet users.
[Switch] line vty 0 63
[Switch-line-vty0-63] authentication-mode scheme
[Switch-line-vty0-63] quit
# Create RADIUS scheme rad and enter RADIUS scheme view.
[Switch] radius scheme rad
# Specify the primary server address and the service port in the scheme.
[Switch-radius-rad] primary authentication 10.1.1.1 1812
# Set the shared key to expert in the scheme for the switch to authenticate to the server.
[Switch-radius-rad] key authentication simple expert
[Switch-radius-rad] quit
# Specify scheme rad as the authentication and authorization schemes for ISP domain bbb.
IMPORTANT: Because RADIUS user authorization information is piggybacked in authentication responses, the authentication and authorization methods must use the same RADIUS scheme. |
[Switch] domain bbb
[Switch-isp-bbb] authentication login radius-scheme rad
[Switch-isp-bbb] authorization login radius-scheme rad
[Switch-isp-bbb] quit
# Create feature group fgroup1.
[Switch] role feature-group name fgroup1
# Add the arp and radius features to the feature group.
[Switch-featuregrp-fgroup1] feature arp
[Switch-featuregrp-fgroup1] feature radius
[Switch-featuregrp-fgroup1] quit
# Create user role role2.
[Switch] role name role2
# Configure rule 1 to permit the user role to use all commands available in ISP domain view.
[Switch-role-role2] rule 1 permit command system-view ; domain *
# Configure rule 2 to permit the user role to use the read and write commands of all features in fgroup1.
[Switch-role-role2] rule 2 permit read write feature-group fgroup1
# Configure rule 3 to disable access to the read commands of the acl feature.
[Switch-role-role2] rule 3 deny read feature acl
# Configure rule 4 to permit the user role to create VLANs and use all commands available in VLAN view.
[Switch-role-role2] rule 4 permit command system-view ; vlan *
# Configure rule 5 to permit the user role to enter interface view and use all commands available in interface view.
[Switch-role-role2] rule 5 permit command system-view ; interface *
# Configure the user role VLAN policy to disable configuration of any VLAN except VLANs 1 to 20.
[Switch-role-role2] vlan policy deny
[Switch-role-role2-vlanpolicy] permit vlan 1 to 20
[Switch-role-role2-vlanpolicy] quit
# Configure the user role interface policy to disable configuration of any interface except HundredGigE 1/0/1 to HundredGigE 1/0/4.
[Switch-role-role2] interface policy deny
[Switch-role-role2-ifpolicy] permit interface hundredgige 1/0/1 to hundredgige 1/0/4
[Switch-role-role2-ifpolicy] quit
[Switch-role-role2] quit
2. Configure the RADIUS server:
# Add either of the user role attributes to the dictionary file of the FreeRADIUS server.
Cisco-AVPair = "shell:roles=\"role2\""
Cisco-AVPair = "shell:roles*\"role2\""
# Configure the settings required for the FreeRADIUS server to communicate with the switch. (Details not shown.)
Verifying the configuration
# Telnet to the switch, and enter the username and password to access the switch. (Details not shown.)
# Verify that you can use all commands available in ISP domain view.
<Switch> system-view
[Switch] domain abc
[Switch-isp-abc] authentication login radius-scheme abc
[Switch-isp-abc] quit
# Verify that you can use all read and write commands of the radius and arp features. This example uses radius.
[Switch] radius scheme rad
[Switch-radius-rad] primary authentication 2.2.2.2
[Switch-radius-rad] display radius scheme rad
…
Output of the RADIUS scheme is omitted.
# Verify that you cannot configure any VLAN except VLANs 1 to 20. This example uses VLAN 10 and VLAN 30.
[Switch] vlan 10
[Switch-vlan10] quit
[Switch] vlan 30
Permission denied.
# Verify that you cannot configure any interface except HundredGigE 1/0/1 to HundredGigE 1/0/4. This example uses HundredGigE 1/0/2 and HundredGigE 1/0/5.
[Switch] vlan 10
[Switch-vlan10] port hundredgige 1/0/2
[Switch-vlan10] port hundredgige 1/0/5
Permission denied.
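A model of the rule and policy checks that produce the Permission denied results in both verification sections above (role1 in the local AAA example and role2 in the RADIUS example), as an added Python example that is not H3C code. The feature each catalogued command belongs to is constructed, and the model assumes H3C's rule-conflict behaviour, in which the matching rule with the higher ID takes effect.

```python
"""Added example (not H3C code): a model of the checks behind the
"Permission denied" results in the two verification sections above.

Assumptions: the feature a command belongs to comes from a constructed
catalogue (H3C's real feature names may differ), and when several rules match
a command the rule with the higher ID takes effect (H3C's documented rule).
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional


@dataclass(frozen=True)
class Command:
    path: str         # view path and command text, e.g. "system-view ; vlan 30"
    feature: str      # feature the command belongs to (constructed name)
    access: str       # "read", "write" or "execute"
    vlans: frozenset = frozenset()       # VLAN IDs the command configures
    interfaces: frozenset = frozenset()  # interfaces the command configures


@dataclass(frozen=True)
class Rule:
    rid: int
    action: str                            # "permit" or "deny"
    accesses: frozenset = frozenset()      # access types, for feature rules
    features: Optional[frozenset] = None   # None = every feature ("feature")
    command: Optional[str] = None          # "view ; glob" for command rules

    def matches(self, cmd: Command) -> bool:
        if self.command is not None:
            # A command rule covers the named command and everything entered
            # in the views beneath it: prefix match with one glob per segment.
            want = [s.strip() for s in self.command.split(";")]
            have = [s.strip() for s in cmd.path.split(";")]
            return len(want) <= len(have) and all(
                fnmatchcase(h, w) for w, h in zip(want, have))
        return cmd.access in self.accesses and (
            self.features is None or cmd.feature in self.features)


@dataclass
class Role:
    name: str
    rules: List[Rule]
    vlan_policy: Optional[frozenset] = None       # None: any VLAN
    interface_policy: Optional[frozenset] = None  # None: any interface

    def check(self, cmd: Command) -> str:
        """Return "permit" or "deny" for cmd, as the switch would."""
        hits = [r for r in self.rules if r.matches(cmd)]
        if not hits or max(hits, key=lambda r: r.rid).action == "deny":
            return "deny"              # no matching rule is an implicit deny
        # Resource policies narrow what a permitted command may touch.
        if self.vlan_policy is not None and not cmd.vlans <= self.vlan_policy:
            return "deny"
        if (self.interface_policy is not None
                and not cmd.interfaces <= self.interface_policy):
            return "deny"
        return "permit"


def vlan_range(lo: int, hi: int) -> frozenset:
    """'vlan policy deny' followed by 'permit vlan LO to HI'."""
    return frozenset(range(lo, hi + 1))


def interface_range(prefix: str, lo: int, hi: int) -> frozenset:
    """'interface policy deny' followed by 'permit interface PREFIX LO to PREFIX HI'."""
    return frozenset(f"{prefix}{i}" for i in range(lo, hi + 1))


# role1 from the local AAA example: read any feature, configure VLANs 10 to 20.
ROLE1 = Role("role1", [
    Rule(1, "permit", accesses=frozenset({"read"})),
    Rule(2, "permit", command="system-view ; vlan *"),
], vlan_policy=vlan_range(10, 20))

# role2 from the RADIUS example; rule 2 stands for feature group fgroup1.
ROLE2 = Role("role2", [
    Rule(1, "permit", command="system-view ; domain *"),
    Rule(2, "permit", accesses=frozenset({"read", "write"}),
         features=frozenset({"arp", "radius"})),
    Rule(3, "deny", accesses=frozenset({"read"}), features=frozenset({"acl"})),
    Rule(4, "permit", command="system-view ; vlan *"),
    Rule(5, "permit", command="system-view ; interface *"),
], vlan_policy=vlan_range(1, 20),
   interface_policy=interface_range("HundredGigE1/0/", 1, 4))

# Constructed command catalogue mirroring the verification steps above.
VLAN10 = Command("system-view ; vlan 10", "vlan", "write", frozenset({10}))
VLAN30 = Command("system-view ; vlan 30", "vlan", "write", frozenset({30}))
DISPLAY_CLOCK = Command("system-view ; display clock", "device", "read")
DEBUG_ROLE = Command("user-view ; debugging role all", "rbac", "execute")
PING = Command("user-view ; ping 192.168.1.58", "ping", "execute")
DOMAIN_ABC = Command("system-view ; domain abc", "aaa", "write")
RADIUS_RAD = Command("system-view ; radius scheme rad", "radius", "write")
DISPLAY_ACL = Command("system-view ; display acl all", "acl", "read")
PORT_2 = Command("system-view ; vlan 10 ; port hundredgige 1/0/2", "vlan",
                 "write", frozenset({10}), frozenset({"HundredGigE1/0/2"}))
PORT_5 = Command("system-view ; vlan 10 ; port hundredgige 1/0/5", "vlan",
                 "write", frozenset({10}), frozenset({"HundredGigE1/0/5"}))

if __name__ == "__main__":
    for role, cmd in [(ROLE1, VLAN30), (ROLE1, PING), (ROLE2, DISPLAY_ACL),
                      (ROLE2, PORT_2), (ROLE2, PORT_5)]:
        print(f"{role.name}: {cmd.path!r} -> {role.check(cmd)}")
```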
RBAC temporary user role authorization configuration example (HWTACACS authentication)
Network requirements
As shown in Figure 4, the switch uses local authentication for login users, including the Telnet user. The user account for the Telnet user is test@bbb, which is assigned user role level-0.
Configure the remote-then-local authentication mode for temporary user role authorization. The switch uses the HWTACACS server to provide authentication for changing the user role among level-0 through level-3 or changing the user role to network-admin. If the AAA configuration is invalid or the HWTACACS server does not respond, the switch performs local authentication.
Configuration procedure
1. Configure the switch:
# Assign an IP address to VLAN-interface 2 (the interface connected to the Telnet user).
<Switch> system-view
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0
[Switch-Vlan-interface2] quit
# Assign an IP address to VLAN-interface 3 (the interface connected to the HWTACACS server).
[Switch] interface vlan-interface 3
[Switch-Vlan-interface3] ip address 10.1.1.2 255.255.255.0
[Switch-Vlan-interface3] quit
# Enable the Telnet server.
[Switch] telnet server enable
# Enable scheme authentication on the user lines for Telnet users.
[Switch] line vty 0 63
[Switch-line-vty0-63] authentication-mode scheme
[Switch-line-vty0-63] quit
# Enable remote-then-local authentication for temporary user role authorization.
[Switch] super authentication-mode scheme local
# Create HWTACACS scheme hwtac and enter HWTACACS scheme view.
[Switch] hwtacacs scheme hwtac
# Specify the primary authentication server address and the service port in the scheme.
[Switch-hwtacacs-hwtac] primary authentication 10.1.1.1 49
# Set the shared key to expert in the scheme for the switch to authenticate to the server.
[Switch-hwtacacs-hwtac] key authentication simple expert
# Exclude ISP domain names from the usernames sent to the HWTACACS server.
[Switch-hwtacacs-hwtac] user-name-format without-domain
[Switch-hwtacacs-hwtac] quit
# Create ISP domain bbb and enter ISP domain view.
[Switch] domain bbb
# Configure ISP domain bbb to use local authentication for login users.
[Switch-isp-bbb] authentication login local
# Configure ISP domain bbb to use local authorization for login users.
[Switch-isp-bbb] authorization login local
# Apply HWTACACS scheme hwtac to the ISP domain for user role authentication.
[Switch-isp-bbb] authentication super hwtacacs-scheme hwtac
[Switch-isp-bbb] quit
# Create a device management user named test and enter local user view.
[Switch] local-user test class manage
# Set the user service type to Telnet.
[Switch-luser-manage-test] service-type telnet
# Set the user password to aabbcc.
[Switch-luser-manage-test] password simple aabbcc
# Assign level-0 to the user.
[Switch-luser-manage-test] authorization-attribute user-role level-0
# Remove the default user role (network-operator).
[Switch-luser-manage-test] undo authorization-attribute user-role network-operator
[Switch-luser-manage-test] quit
# Set the local authentication password to 654321 for user role level-3.
[Switch] super password role level-3 simple 654321
# Set the local authentication password to 654321 for user role network-admin.
[Switch] super password role network-admin simple 654321
[Switch] quit
2. Configure the HWTACACS server:
This example uses ACSv4.0.
a. Access the User Setup page.
b. Add a user account named test. (Details not shown.)
c. In the Advanced TACACS+ Settings area, configure the following parameters:
- Select Level 3 for the Max Privilege for any AAA Client option.
If the target user role is only network-admin for temporary user role authorization, you can select any level for the option.
- Select the Use separate password option, and specify enabpass as the password.
Figure 5 Configuring advanced TACACS+ settings
d. Select Shell (exec) and Custom attributes, and enter allowed-roles="network-admin" in the Custom attributes field.
Use a blank space to separate the allowed roles.
Figure 6 Configuring custom attributes for the Telnet user
Verifying the configuration
1. Telnet to the switch, and enter username test@bbb and password aabbcc to access the switch. Verify that you have access to diagnostic commands.
<Switch> telnet 192.168.1.70
Trying 192.168.1.70 ...
Press CTRL+K to abort
Connected to 192.168.1.59 ...
******************************************************************************
* Copyright (c) 2004-2016 Hangzhou H3C Tech. Co., Ltd. All rights reserved. *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
login: test@bbb
Password:
<Switch>?
User view commands:
ping Ping function
quit Exit from current command view
ssh2 Establish a secure shell client connection
super Switch to a user role
system-view Enter the System View
telnet Establish a telnet connection
tracert Tracert function
<Switch>
2. Verify that you can obtain the level-3 user role:
# Use the super password to obtain the level-3 user role. When the system prompts for a username and password, enter username test@bbb and password enabpass.
<Switch> super level-3
Username: test@bbb
Password:
The following output shows that you have obtained the level-3 user role.
User privilege role is level-3, and only those commands that authorized to the role can be used.
# If the ACS server does not respond, enter local authentication password 654321 at the prompt.
Invalid configuration or no response from the authentication server.
Change authentication mode to local.
Password:
User privilege role is level-3, and only those commands that authorized to the role can be used.
The output shows that you have obtained the level-3 user role.
3. Use the method in step 2 to verify that you can obtain the level-0, level-1, level-2, and network-admin user roles. (Details not shown.)
RBAC temporary user role authorization configuration example (RADIUS authentication)
Network requirements
As shown in Figure 7, the switch uses local authentication for login users, including the Telnet user. The user account for the Telnet user is test@bbb, which is assigned user role level-0.
Configure the remote-then-local authentication mode for temporary user role authorization. The switch uses the RADIUS server to provide authentication for the network-admin user role. If the AAA configuration is invalid or the RADIUS server does not respond, the switch performs local authentication.
Configuration procedure
1. Configure the switch:
# Assign an IP address to VLAN-interface 2 (the interface connected to the Telnet user).
<Switch> system-view
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0
[Switch-Vlan-interface2] quit
# Assign an IP address to VLAN-interface 3 (the interface connected to the RADIUS server).
[Switch] interface vlan-interface 3
[Switch-Vlan-interface3] ip address 10.1.1.2 255.255.255.0
[Switch-Vlan-interface3] quit
# Enable the Telnet server.
[Switch] telnet server enable
# Enable scheme authentication on the user lines for Telnet users.
[Switch] line vty 0 63
[Switch-line-vty0-63] authentication-mode scheme
[Switch-line-vty0-63] quit
# Enable remote-then-local authentication for temporary user role authorization.
[Switch] super authentication-mode scheme local
# Create RADIUS scheme radius and enter RADIUS scheme view.
[Switch] radius scheme radius
# Specify the primary authentication server address and the shared key in the scheme for secure communication between the switch and the server.
[Switch-radius-radius] primary authentication 10.1.1.1 key simple expert
# Exclude ISP domain names from the usernames sent to the RADIUS server.
[Switch-radius-radius] user-name-format without-domain
[Switch-radius-radius] quit
# Create ISP domain bbb and enter ISP domain view.
[Switch] domain bbb
# Configure ISP domain bbb to use local authentication for login users.
[Switch-isp-bbb] authentication login local
# Configure ISP domain bbb to use local authorization for login users.
[Switch-isp-bbb] authorization login local
# Apply RADIUS scheme radius to the ISP domain for user role authentication.
[Switch-isp-bbb] authentication super radius-scheme radius
[Switch-isp-bbb] quit
# Create a device management user named test and enter local user view.
[Switch] local-user test class manage
# Set the user service type to Telnet.
[Switch-luser-manage-test] service-type telnet
# Set the user password to aabbcc.
[Switch-luser-manage-test] password simple aabbcc
# Assign level-0 to the user.
[Switch-luser-manage-test] authorization-attribute user-role level-0
# Remove the default user role (network-operator).
[Switch-luser-manage-test] undo authorization-attribute user-role network-operator
[Switch-luser-manage-test] quit
# Set the local authentication password to abcdef654321 for user role network-admin.
[Switch] super password role network-admin simple abcdef654321
[Switch] quit
2. Configure the RADIUS server:
This example uses ACSv4.2.
a. Add a user account named $enab0$ and set the password to 123456. (Details not shown.)
b. Access the Cisco IOS/PIX 6.x RADIUS Attributes page.
c. Configure the cisco-av-pair attribute, as shown in Figure 8.
Figure 8 Configuring the cisco-av-pair attribute
Verifying the configuration
1. Telnet to the switch, and enter username test@bbb and password aabbcc to access the switch. Verify that you have access to diagnostic commands.
<Switch> telnet 192.168.1.70
Trying 192.168.1.70 ...
Press CTRL+K to abort
Connected to 192.168.1.59 ...
******************************************************************************
* Copyright (c) 2004-2016 Hangzhou H3C Tech. Co., Ltd. All rights reserved. *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
login: test@bbb
Password:
<Switch>?
User view commands:
ping Ping function
quit Exit from current command view
ssh2 Establish a secure shell client connection
super Switch to a user role
system-view Enter the System View
telnet Establish a telnet connection
tracert Tracert function
<switch>
2. Verify that you can obtain the network-admin user role:
# Use the super password to obtain the network-admin user role. When the system prompts for a username and password, enter username test@bbb and password 123456.
<Switch> super network-admin
Username: test@bbb
Password:
The following output shows that you have obtained the network-admin user role.
User privilege role is network-admin, and only those commands that authorized to the role can be used.
# If the ACS server does not respond, enter local authentication password abcdef654321 at the prompt.
Invalid configuration or no response from the authentication server.
Change authentication mode to local.
Password:
User privilege role is network-admin, and only those commands that authorized to the role can be used.
The output shows that you have obtained the network-admin user role.
Troubleshooting RBAC
This section describes several typical RBAC issues and their solutions.
Local users have more access permissions than intended
Symptom
A local user can use more commands than should be permitted by the assigned user roles.
Analysis
The local user might have been assigned to user roles without your knowledge. For example, the local user is automatically assigned the default user role when you create the user.
Solution
To resolve the issue:
1. Use the display local-user command to examine the local user accounts for undesirable user roles, and remove them.
2. If the issue persists, contact H3C Support.
Login attempts by RADIUS users always fail
Symptom
Attempts by a RADIUS user to log in to the network access device always fail, even though the following conditions exist:
· The network access device and the RADIUS server can communicate with one another.
· All AAA settings are correct.
Analysis
RBAC requires that a login user have a minimum of one user role. If the RADIUS server does not authorize the login user to use any user role, the user cannot log in to the device.
Solution
To resolve the issue:
1. Use one of the following methods:
- Configure the role default-role enable command. A RADIUS user can log in with the default user role when no user role is assigned by the RADIUS server.
- Add the user role authorization attributes on the RADIUS server.
2. If the issue persists, contact H3C Support.
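The role attributes the servers return in the configuration examples above (the two Cisco-AVPair shell:roles forms for RADIUS and the allowed-roles custom attribute for HWTACACS), together with the rule this section states that a login user needs at least one user role, as an added Python example that is not H3C code. It assumes roles inside the quoted value are separated by blank spaces for both attribute forms, and that the default user role granted by role default-role enable is network-operator unless another name was configured with that command.

```python
"""Added example (not H3C code): parse the user-role attributes returned by an
AAA server and apply the RBAC login rule: a login user needs at least one role.

Assumptions: roles inside the quoted value are separated by blank spaces (as
the HWTACACS note states; assumed for the RADIUS form too); the default user
role granted by 'role default-role enable' is network-operator unless another
role name was configured with that command.
"""
import re
from typing import List, Optional

# Cisco-AVPair form used by the FreeRADIUS example. In Cisco AV-pair syntax
# '=' marks a mandatory attribute and '*' an optional one; both carry roles.
_RADIUS_ROLES = re.compile(r'^shell:roles[=*]"([^"]*)"$')
# Custom attribute form used by the ACS (HWTACACS) example.
_TACACS_ROLES = re.compile(r'^allowed-roles[=*]"([^"]*)"$')


def parse_role_attribute(value: str) -> List[str]:
    """Return the user roles carried by one attribute value, or [] if the
    value is not a role attribute or is malformed (unquoted, unterminated)."""
    value = value.strip()
    for pattern in (_RADIUS_ROLES, _TACACS_ROLES):
        match = pattern.match(value)
        if match:
            return match.group(1).split()
    return []


def roles_from_reply(attributes: List[str]) -> List[str]:
    """Collect the roles from every attribute of one server reply, in order."""
    roles: List[str] = []
    for attr in attributes:
        for role in parse_role_attribute(attr):
            if role not in roles:
                roles.append(role)
    return roles


def login_roles(attributes: List[str], default_role_enabled: bool,
                default_role: str = "network-operator") -> Optional[List[str]]:
    """Roles a remote AAA user is given at login, or None if login is rejected.

    With no server-assigned role the user gets in only when the default user
    role feature is enabled; otherwise the device rejects the login, which is
    the failure this troubleshooting entry describes."""
    roles = roles_from_reply(attributes)
    if roles:
        return roles
    return [default_role] if default_role_enabled else None


# Constructed replies: the two attribute forms from the RADIUS example, the ACS
# custom attribute from the HWTACACS example, and replies without a usable role.
REPLY_MANDATORY = ['shell:roles="role2"']
REPLY_OPTIONAL = ['shell:roles*"role2"']
REPLY_TACACS = ['allowed-roles="network-admin level-3"']
REPLY_NO_ROLE = ['shell:priv-lvl=15']     # constructed, unrelated AV pair
REPLY_MALFORMED = ['shell:roles=role2']   # constructed: quotes missing

if __name__ == "__main__":
    for reply in (REPLY_MANDATORY, REPLY_OPTIONAL, REPLY_TACACS,
                  REPLY_NO_ROLE, REPLY_MALFORMED):
        print(reply, "->", login_roles(reply, default_role_enabled=False),
              "| default role enabled:", login_roles(reply, True))
```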
Login overview
The first time you access the device, you can only log in to the CLI through the console port. After login, you can change console login parameters or configure other access methods, including Telnet, SSH, SNMP, and RESTful.
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
Telnet is not supported in FIPS mode.
Table 10 Login methods at a glance
Login method |
Default settings and minimum configuration requirements |
Login configuration |
CLI login: |
|
|
· Local console login |
By default, local console login is enabled and does not require authentication. The default user role is network-admin. To improve device security, configure password or scheme authentication for the AUX line immediately after you log in to the device for the first time. |
|
· Telnet login |
By default, Telnet login is disabled. To enable Telnet login, perform the following tasks: · Enable the Telnet server feature. · Assign an IP address to a Layer 3 interface and make sure the interface and the Telnet client can reach each other. · Configure an authentication mode for VTY login users. By default, password authentication is used but no password is configured. · Assign a user role to VTY login users. By default, a VTY login user is assigned the network-operator user role. |
|
· SSH login |
By default, SSH login is disabled. To enable SSH login, perform the following tasks: · Enable the SSH server feature and configure SSH attributes. · Assign an IP address to a Layer 3 interface. Make sure the interface and the SSH client can reach each other. · Configure scheme authentication for VTY login users. By default, password authentication is used. · Assign a user role to VTY login users. By default, a VTY login user is assigned the network-operator user role. |
|
SNMP access |
By default, SNMP access is disabled. To enable SNMP access, perform the following tasks: · Assign an IP address to a Layer 3 interface. Make sure the interface and the NMS can reach each other. · Configure SNMP basic parameters. |
|
RESTful access |
By default, RESTful access is disabled. To enable RESTful access, perform the following tasks: · Assign an IP address to a Layer 3 interface. Make sure the interface and the RESTful access user's host can reach each other. · Enable RESTful access over HTTP or RESTful access over HTTPS. · Configure a local user account for RESTful access and assign a user role to the account. By default, the network-operator user role is assigned to the account. · Assign HTTP or HTTPS service to the user. By default, no service type is assigned to a local user. |
Using the console port for the first device access
The first time you access the device, you can only log in to the CLI through the console port.
To log in through the console port, prepare a console terminal, for example, a PC. Make sure the console terminal has a terminal emulation program, such as HyperTerminal or PuTTY. For information about how to use terminal emulation programs, see the programs' user guides.
To log in through the console port:
1. Connect the DB-9 female connector of the console cable to the serial port of the PC.
2. Identify the console port of the device carefully and connect the RJ-45 connector of the console cable to the console port.
IMPORTANT: The serial ports on PCs do not support hot swapping. To connect a PC to an operating device, first connect the PC end. To disconnect a PC from an operating device, first disconnect the device end. |
Figure 9 Connecting a terminal to the console port
3. If the PC is off, turn on the PC.
4. On the PC, launch the terminal emulation program, and create a connection that uses the serial port connected to the device. Set the port properties so the port properties match the following console port default settings:
- Bits per second—9600 bps.
- Flow control—None.
- Parity—None.
- Stop bits—1.
- Data bits—8.
5. Power on the device and press Enter as prompted.
The default user view prompt <H3C> appears. You can enter commands to configure or manage the device. To get help, enter ?.
Configuring CLI login
By default, you can log in to the CLI through the console port. After you log in, you can configure other CLI login methods, including Telnet and SSH.
To prevent illegal access to the CLI and control user behavior, perform the following tasks as required:
· Configure login authentication.
· Assign user roles.
· Configure command authorization and command accounting.
· Use ACLs to filter unauthorized logins.
This chapter describes how to configure and use CLI login methods, including login authentication, user roles, and common user line settings. For more information about command authorization, command accounting, and unauthorized access filtering, see "Controlling user access to the device."
CLI overview
User lines
The device uses user lines (also called user interfaces) to manage CLI sessions and monitor user behavior. For a user line, you can configure access control settings, including the login authentication method and user roles.
The device supports the user lines listed in Table 11. Different user lines require different login methods.
Table 11 CLI login method and user line matrix
User line |
Login method |
AUX line |
Console port. |
Virtual type terminal (VTY) line |
Telnet or SSH. |
User line numbering
Every user line has an absolute number and a relative number.
An absolute number uniquely identifies a user line among all user lines. The user lines are numbered starting from 0 and incrementing by 1, in the sequence of console, TTY, AUX, and VTY lines. You can use the display line command without any parameters to view supported user lines and their absolute numbers.
A relative number uniquely identifies a user line among all user lines of the same type. The number format is user line type + number. TTY lines are numbered starting from 1 and incrementing by 1. All other types of user lines are numbered starting from 0 and incrementing by 1. For example, the first VTY line is VTY 0.
User line assignment
The device assigns user lines to CLI login users depending on their login methods, as shown in Table 11. When a user logs in, the device checks the idle user lines for the login method, and assigns the lowest numbered user line to the user. For example, four VTY lines (0 to 3) are configured, of which VTY 0 and VTY 3 are idle. When a user Telnets to the device, the device assigns VTY 0 to the user.
Each user line can be assigned only to one user at a time. If no user line is available, a CLI login attempt will be rejected.
Login authentication modes
You can configure login authentication to prevent illegal access to the device CLI.
In non-FIPS mode, the device supports the following login authentication modes:
· None—Disables authentication. This mode allows access without authentication and is insecure.
· Password—Requires password authentication. A user must provide the correct password at login.
· Scheme—Uses the AAA module to provide local or remote login authentication. A user must provide the correct username and password at login.
In FIPS mode, the device supports only the scheme authentication mode.
Different login authentication modes require different user line configurations, as shown in Table 12.
Table 12 Configuration required for different login authentication modes
Authentication mode |
Configuration tasks |
None |
Set the authentication mode to none. |
Password |
1. Set the authentication mode to password. 2. Set a password. |
Scheme |
1. Set the authentication mode to scheme. 2. Configure login authentication methods in ISP domain view. For more information, see Security Configuration Guide. |
User roles
A user is assigned user roles at login. The user roles control the commands available for the user. For more information about user roles, see "Configuring RBAC."
The device assigns user roles based on the login authentication mode and user type.
· In none or password authentication mode, the device assigns the user roles specified for the user line.
· In scheme authentication mode, the device uses the following rules to assign user roles:
- For an SSH login user who uses publickey or password-publickey authentication, the device assigns the user roles specified for the local device management user with the same name.
- For other users, the device assigns user roles according to the user role configuration of the AAA module. If the AAA server does not assign any user roles and the default user role feature is disabled, a remote AAA authentication user cannot log in.
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
Telnet login is not supported in FIPS mode.
Configuring local console login
You can connect a terminal to the console port of the device to log in and manage the device, as shown in Figure 10. For the login procedure, see "Using the console port for the first device access."
Figure 10 Logging in through the console port
By default, console login is enabled both locally and remotely and it does not require authentication. The default user role is network-admin. To improve device security, configure password or scheme authentication for the AUX line immediately after you log in to the device for the first time.
To configure console login, perform the following tasks:
Tasks at a glance |
Remarks |
(Required.) Perform one of the following tasks: · Disabling authentication for console login · Configuring password authentication for console login · Configuring scheme authentication for console login |
In FIPS mode, only the scheme authentication mode is supported. |
(Optional.) Configuring common AUX line settings |
N/A |
Console login configuration changes do not take effect for current online users. They take effect only for new login users.
Disabling authentication for console login
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter AUX line view or class view. |
· Enter AUX line view:
· Enter AUX line class view: |
A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class. A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view. A setting in user line class view does not take effect for current online users. It takes effect only for new login users. |
3. Disable authentication. |
authentication-mode none |
In non-FIPS mode, authentication is disabled for the AUX line by default. In FIPS mode, scheme authentication is enabled for the AUX line by default. |
4. Assign a user role. |
user-role role-name |
By default, an AUX line user is assigned the network-admin user role. |
After you finish this configuration task, a user can log in through the console port without authentication.
Configuring password authentication for console login
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter AUX line view or class view. | · Enter AUX line view: · Enter AUX line class view: | A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class. A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view. A setting in user line class view does not take effect for current online users. It takes effect only for new login users. |
| 3. Enable password authentication. | authentication-mode password | In non-FIPS mode, authentication is disabled for the AUX line by default. In FIPS mode, scheme authentication is enabled by default. |
| 4. Set a password. | set authentication password { hash \| simple } password | By default, no password is set. |
| 5. Assign a user role. | user-role role-name | By default, an AUX line user is assigned the network-admin user role. |
After you finish this configuration task, a user must provide the configured password when logging in through the console port.
Configuring scheme authentication for console login
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter AUX line view or class view. | · Enter AUX line view: · Enter AUX line class view: | A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class. A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view. A setting in user line class view does not take effect for current online users. It takes effect only for new login users. |
| 3. Enable scheme authentication. | authentication-mode scheme | In non-FIPS mode, authentication is disabled for the AUX line by default. In FIPS mode, scheme authentication is enabled by default. |
To use scheme authentication, you must also perform the following tasks:
· Configure login authentication methods in ISP domain view.
· For remote authentication, configure a RADIUS, HWTACACS, or LDAP scheme.
· For local authentication, create a local user account and configure the relevant attributes.
For more information, see Security Configuration Guide.
After you finish this configuration task, a user must provide the configured username and password when logging in through the console port.
Configuring common AUX line settings
Some common settings for an AUX line take effect immediately and can interrupt the current session. Use a login method different from console login to log in to the device before you change AUX line settings.
After you change AUX line settings, adjust the settings on the configuration terminal accordingly for a successful login.
To configure common settings for an AUX line:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter AUX line view or class view. | · Enter AUX line view: · Enter AUX line class view: | A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class. A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view. A setting in user line class view does not take effect for current online users. It takes effect only for new login users. |
| 3. Set the transmission rate. | speed speed-value | By default, the transmission rate is 9600 bps. This command is not available in AUX line class view. |
| 4. Specify the parity. | parity { even \| mark \| none \| odd \| space } | By default, a user line does not use parity. This command is not available in AUX line class view. |
| 5. Specify the number of stop bits for a character. | stopbits { 1 \| 1.5 \| 2 } | The default is 1. Stop bits indicate the end of a character. More stop bits mean slower transmission. This command is not available in AUX line class view. |
| 6. Specify the number of data bits for a character. | databits { 5 \| 6 \| 7 \| 8 } | The default is 8. Configure this command depending on the character coding type. For example, set the number of data bits to 7 for standard ASCII characters. Set the number of data bits to 8 for extended ASCII characters. This command is not available in AUX line class view. |
| 7. Specify the terminal session activation key. | activation-key character | |
| 8. Specify the escape key. | escape-key { character \| default } | The default setting is Ctrl+C. |
| 9. Set the user line locking key. | lock-key key-string | By default, no user line locking key is set. |
| 10. Configure the flow control mode. | flow-control { hardware \| none \| software } | By default, the flow control mode is none. This command is not available in AUX line class view. |
| 11. Specify the terminal display type. | terminal type { ansi \| vt100 } | By default, the terminal display type is ANSI. The device supports ANSI and VT100 terminal display types. As a best practice, specify VT100 type on both the device and the configuration terminal. If either side uses the ANSI type, a display problem might occur when a command line has more than 80 characters. For example, a cursor positioning error might occur. |
| 12. Set the maximum number of lines of command output to send to the terminal at a time. | screen-length screen-length | By default, the device sends up to 24 lines to the terminal at a time when pausing between screens of output is enabled. To disable pausing between screens of output, set the value to 0. |
| 13. Set the size for the command history buffer. | history-command max-size value | The default size is 10 history commands. |
| 14. Set the CLI connection idle-timeout timer. | idle-timeout minutes [ seconds ] | By default, the CLI connection idle-timeout timer is 10 minutes. If no interaction occurs between the device and the user within the idle-timeout interval, the system automatically terminates the user connection on the user line. If you set the timeout timer to 0, the connection will not be aged out. |
| 15. Specify the command to be automatically executed for login users on the lines. | auto-execute command command | By default, no command is specified for auto execution. The device will automatically execute the specified command when a user logs in through the user line, and close the user connection after the command is executed. This command is not available in AUX line view or AUX line class view. |
| 16. Enable the terminal service. | shell | By default, the terminal service is enabled on all user lines. The undo shell command is not available in AUX line view. |
Configuring Telnet login
The device can act as a Telnet server to allow Telnet login, or as a Telnet client to Telnet to other devices.
By default, Telnet login is disabled on the device. To configure Telnet login, you must first log in to the device through any other method.
NOTE: Telnet login is not supported in FIPS mode.
Configuring the device as a Telnet server
| Tasks at a glance |
|---|
| (Required.) Enabling Telnet server |
| (Required.) Perform one of the following tasks: · Disabling authentication for Telnet login · Configuring password authentication for Telnet login · Configuring scheme authentication for Telnet login |
| (Optional.) Setting the maximum number of concurrent Telnet users |
| (Optional.) Setting the DSCP value for outgoing Telnet packets |
| (Optional.) Configuring common VTY line settings |
Telnet login configuration changes do not take effect for current online users. They take effect only for new login users.
Enabling Telnet server
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enable the Telnet server. | telnet server enable | By default, the Telnet server is disabled. |
Disabling authentication for Telnet login
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter VTY line view or class view. | · Enter VTY line view: · Enter VTY line class view: | A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class. A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view. A setting in user line class view does not take effect for current online users. It takes effect only for new login users. |
| 3. Disable authentication. | authentication-mode none | In non-FIPS mode, password authentication is enabled for VTY lines by default. In VTY line view, this command is associated with the protocol inbound command. If you specify a non-default value for one of the two commands, the other command uses the default setting, regardless of the setting in VTY line class view. |
| 4. (Optional.) Assign a user role. | user-role role-name | By default, a VTY line user is assigned the network-operator user role. |
After you finish this configuration task, a user can Telnet to the device without authentication, as shown in the following example:
******************************************************************************
* Copyright (c) 2004-2016 Hangzhou H3C Tech. Co., Ltd. All rights reserved. *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
<H3C>
If the maximum number of login users has been reached, the login attempt fails and the message "All user lines are used, please try later!" appears.
Configuring password authentication for Telnet login
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter VTY line view or class view. | · Enter VTY line view: · Enter VTY line class view: | A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class. A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view. A setting in user line class view does not take effect for current online users. It takes effect only for new login users. |
| 3. Enable password authentication. | authentication-mode password | In non-FIPS mode, password authentication is enabled for VTY lines by default. In VTY line view, this command is associated with the protocol inbound command. If you specify a non-default value for one of the two commands, the other command uses the default setting, regardless of the setting in VTY line class view. |
| 4. Set a password. | set authentication password { hash \| simple } password | By default, no password is set. |
| 5. (Optional.) Assign a user role. | user-role role-name | By default, a VTY line user is assigned the network-operator user role. |
After you finish this configuration task, a user must provide the configured password when Telnetting to the device, as shown in the following example:
******************************************************************************
* Copyright (c) 2004-2016 Hangzhou H3C Tech. Co., Ltd. All rights reserved. *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
Password:
<H3C>
If the maximum number of login users has been reached, the login attempt fails and the message "All user lines are used, please try later!" appears.
Configuring scheme authentication for Telnet login
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter VTY line view or class view. | · Enter VTY line view: · Enter VTY line class view: | A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class. A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view. A setting in user line class view does not take effect for current online users. It takes effect only for new login users. |
| 3. Enable scheme authentication. | authentication-mode scheme | In non-FIPS mode, password authentication is enabled for VTY lines by default. In VTY line view, this command is associated with the protocol inbound command. If you specify a non-default value for one of the two commands, the other command uses the default setting, regardless of the setting in VTY line class view. |
To use scheme authentication, you must also perform the following tasks:
· Configure login authentication methods in ISP domain view.
· For remote authentication, configure a RADIUS, HWTACACS, or LDAP scheme.
· For local authentication, create a local user account and configure the relevant attributes.
For more information, see Security Configuration Guide.
After you finish this configuration task, a user must provide the configured username and password when Telnetting to the device, as shown in the following example:
******************************************************************************
* Copyright (c) 2004-2016 Hangzhou H3C Tech. Co., Ltd. All rights reserved. *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
login: admin
Password:
<H3C>
If the maximum number of login users has been reached, the login attempt fails and the message "All lines are used, please try later!" appears.
Setting the maximum number of concurrent Telnet users
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Set the maximum number of concurrent Telnet users. | aaa session-limit telnet max-sessions | The default is 32. Changing this setting does not affect users who are currently online. If the new limit is less than the number of online Telnet users, no additional users can Telnet in until the number drops below the new limit. For more information about this command, see Security Command Reference. |
Setting the DSCP value for outgoing Telnet packets
The DSCP value is carried in the ToS or Traffic class field of an IP or IPv6 packet to indicate the transmission priority of the packet.
To set the DSCP value for outgoing Telnet packets:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Set the DSCP value for outgoing Telnet packets. | · For a Telnet server running IPv4: · For a Telnet server running IPv6: | By default, the DSCP value is 48. |
Configuring common VTY line settings
For a VTY line, you can specify a command that is to be automatically executed when a user logs in. After executing the specified command, the system automatically disconnects the Telnet session. Typically, you configure the auto-execute command telnet X.X.X.X command on the device so the device redirects a Telnet user to the host at X.X.X.X. The connection to the current device is closed when the user terminates the Telnet connection to X.X.X.X.
To configure common settings for VTY lines:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter VTY line view or class view. | · Enter VTY line view: · Enter VTY line class view: | A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class. A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view. A setting in user line class view does not take effect for current online users. It takes effect only for new login users. |
| 3. Enable the terminal service. | shell | By default, the terminal service is enabled on all user lines. |
| 4. Specify the supported protocols. | protocol inbound { all \| ssh \| telnet } | By default, both Telnet and SSH are supported. A protocol change does not take effect for current online users. It takes effect only for new login users. In VTY line view, this command is associated with the authentication-mode command. If you specify a non-default value for one of the two commands, the other command uses the default setting, regardless of the setting in VTY line class view. |
| 5. Specify the shortcut key for terminating a task. | escape-key { character \| default } | The default setting is Ctrl+C. |
| 6. Set the user line locking key. | lock-key key-string | By default, no user line locking key is set. |
| 7. Specify the terminal display type. | terminal type { ansi \| vt100 } | The default terminal display type is ANSI. |
| 8. Set the maximum number of lines of command output to send to the terminal at a time. | screen-length screen-length | By default, the device sends up to 24 lines to the terminal at a time when pausing between screens of output is enabled. To disable pausing between screens of output, set the value to 0. |
| 9. Set the size for the command history buffer. | history-command max-size value | The default size is 10 history commands. |
| 10. Set the CLI connection idle-timeout timer. | idle-timeout minutes [ seconds ] | By default, the CLI connection idle-timeout timer is 10 minutes. If no interaction occurs between the device and the user within the idle-timeout interval, the system automatically terminates the user connection on the user line. If you set the timeout timer to 0, the connection will not be aged out. |
| 11. Specify the command to be automatically executed for login users on the user lines. | auto-execute command command | By default, no command is specified for auto execution. Before you configure this command and save the configuration, make sure you can access the CLI to modify the configuration through other VTY user lines or AUX user lines. |
Using the device to log in to a Telnet server
You can use the device as a Telnet client to log in to a Telnet server. If the server is located in a different subnet than the client, make sure the two devices can reach each other.
Figure 11 Telnetting from the device to a Telnet server
To use the device to log in to a Telnet server:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. (Optional.) Specify the source IPv4 address or source interface for outgoing Telnet packets. | telnet client source { interface interface-type interface-number \| ip ip-address } | By default, no source IPv4 address or source interface is specified. The device uses the primary IPv4 address of the output interface as the source address for outgoing Telnet packets. |
| 3. Exit to user view. | quit | N/A |
| 4. Use the device to log in to a Telnet server. | · Log in to an IPv4 Telnet server: · Log in to an IPv6 Telnet server: | N/A |
Configuring SSH login
SSH offers a secure method for remote login. By providing encryption and strong authentication, it protects devices against attacks such as IP spoofing and plaintext password interception. For more information, see Security Configuration Guide.
The device can act as an SSH server to allow SSH login, or as an SSH client to log in to an SSH server.
By default, SSH login is disabled on the device. To configure SSH login, you must first log in to the device through any other method.
Configuring the device as an SSH server
This section provides the SSH server configuration procedure used when the SSH client authentication method is password. For more information about SSH and publickey authentication configuration, see Security Configuration Guide.
To configure the device as an SSH server:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Create local key pairs. | · In non-FIPS mode: · In FIPS mode: | By default, no local key pairs are created. |
| 3. Enable the Stelnet server. | ssh server enable | By default, the Stelnet server is disabled. |
| 4. (Optional.) Create an SSH user and specify the authentication mode. | · In non-FIPS mode: · In FIPS mode: | By default, no SSH user is configured on the device. |
| 5. Enter VTY line view or class view. | · Enter VTY line view: · Enter VTY line class view: | A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class. A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view. A setting in user line class view does not take effect for current online users. It takes effect only for new login users. |
| 6. Enable scheme authentication. | authentication-mode scheme | In non-FIPS mode, password authentication is enabled for VTY lines by default. In FIPS mode, scheme authentication is enabled for VTY lines by default. In VTY line view, this command is associated with the protocol inbound command. If you specify a non-default value for one of the two commands, the other command uses the default setting, regardless of the setting in VTY line class view. |
| 7. (Optional.) Specify the protocols for the user lines to support. | · In non-FIPS mode: · In FIPS mode: | In non-FIPS mode, both Telnet and SSH are supported by default. In FIPS mode, SSH is supported by default. A protocol change does not take effect for current online users. It takes effect only for new login users. In VTY line view, this command is associated with the authentication-mode command. If you specify a non-default value for one of the two commands, the other command uses the default setting, regardless of the setting in VTY line class view. |
| 8. Exit to system view. | quit | N/A |
| 9. (Optional.) Configure common settings for VTY lines. | | N/A |
| 10. (Optional.) Set the maximum number of concurrent SSH users. | aaa session-limit ssh max-sessions | The default is 32. Changing this setting does not affect users who are currently online. If the new limit is less than the number of online SSH users, no additional SSH users can log in until the number drops below the new limit. For more information about this command, see Security Command Reference. |
Using the device to log in to an SSH server
You can use the device as an SSH client to log in to an SSH server. If the server is located in a different subnet than the client, make sure the two devices can reach each other.
Figure 12 Logging in to an SSH server from the device
Perform the following tasks in user view:
| Task | Command |
|---|---|
| Log in to an IPv4 SSH server. | ssh2 server |
| Log in to an IPv6 SSH server. | ssh2 ipv6 server |
To work with the SSH server, you might need to specify a set of parameters. For more information, see Security Configuration Guide.
Displaying and maintaining CLI login
Execute display commands in any view.
| Task | Command | Remarks |
|---|---|---|
| Display online CLI users. | display users [ all ] | N/A |
| Display user line information. | display line [ num1 \| { aux \| vty } num2 ] [ summary ] | N/A |
| Display the packet source setting for the Telnet client. | display telnet client | N/A |
| Release a user line. | free line { num1 \| { aux \| vty } num2 } | Multiple users can log in to the device to simultaneously configure the device. When necessary, you can execute this command to release some connections. You cannot use this command to release the connection you are using. This command is available in user view. |
| Lock the current user line and set the password for unlocking the line. | lock | By default, the system does not lock any user lines. This command is not supported in FIPS mode. This command is available in user view. |
| Lock the current user line and enable unlocking authentication. | lock reauthentication | By default, the system does not lock any user lines or initiate reauthentication. To unlock the locked user line, you must press Enter and provide the login password to pass reauthentication. This command is available in any view. |
| Send messages to user lines. | send { all \| num1 \| { aux \| vty } num2 } | This command is available in user view. |
Accessing the device through SNMP
You can run SNMP on an NMS to access the device MIB and perform Get and Set operations to manage and monitor the device.
The device supports SNMPv1, SNMPv2c, and SNMPv3, and can cooperate with various network management software products. However, the device and the NMS must use the same SNMP version.
By default, SNMP access is disabled. To configure SNMP access, you must first log in to the device through any other method.
For more information about SNMP, see Network Management and Monitoring Configuration Guide.
Configuring RESTful access
The device provides the Representational State Transfer application programming interface (RESTful API). Based on this API, you can use programming languages such as Python, Ruby, or Java to write programs to perform the following tasks:
· Send RESTful requests to the device to pass authentication.
· Use RESTful API operations to configure and manage the device. RESTful API operations include Get, Put, Post, and Delete.
The device supports using HTTP or HTTPS to transfer RESTful packets.
RESTful access is disabled by default. To configure RESTful access, you must first log in through the console port.
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
RESTful access over HTTP is not supported in FIPS mode.
Configuring RESTful access over HTTP
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enable RESTful access over HTTP. | restful http enable | By default, RESTful access over HTTP is disabled. |
| 3. Create a local user and enter local user view. | local-user user-name [ class manage ] | By default, no local user is configured. |
| 4. Configure a password for the local user. | password [ { hash \| simple } password ] | The password is saved in hashed form. By default, no password is configured for a local user. |
| 5. (Optional.) Assign a user role to the local user. | authorization-attribute user-role user-role | The default user role is network-operator for a RESTful access user. |
| 6. Specify the HTTP service for the local user. | service-type http | By default, no service type is specified for a local user. |
Configuring RESTful access over HTTPS
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enable RESTful access over HTTPS. | restful https enable | By default, RESTful access over HTTPS is disabled. |
| 3. Create a local user and enter local user view. | local-user user-name [ class manage ] | By default, no local user is configured. |
| 4. Configure a password for the local user. | · In non-FIPS mode: · In FIPS mode: | The password is saved in hashed form. By default, no password is configured for a local user. |
| 5. (Optional.) Assign a user role to the local user. | authorization-attribute user-role user-role | The default user role is network-operator for a RESTful access user. |
| 6. Specify the HTTPS service for the local user. | service-type https | By default, no service type is specified for a local user. |
Controlling user access to the device
Use ACLs to prevent unauthorized access, and configure command authorization and accounting to monitor and control user behavior. For more information about ACLs, see ACL and QoS Configuration Guide.
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
Telnet is not supported in FIPS mode.
Controlling Telnet and SSH logins
Use different types of ACLs to filter Telnet and SSH logins by different match criteria:
· Basic ACL (2000 to 2999)—Source IP address.
· Advanced ACL (3000 to 3999)—Source IP address and destination IP address.
· Ethernet frame header ACL (4000 to 4999)—Source MAC address.
If an applied ACL does not exist or does not have any rules, no user login restriction is applied. If the ACL exists and has rules, only users permitted by the ACL can access the device through Telnet or SSH.
Configuration procedures
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Apply an ACL to filter Telnet logins. | · telnet server acl [ mac ] acl-number · telnet server ipv6 acl [ ipv6 \| mac ] acl-number | By default, no ACL is used to filter Telnet logins. |
To control SSH logins:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Apply an ACL to filter SSH logins. | · ssh server acl [ mac ] acl-number · ssh server ipv6 acl [ ipv6 \| mac ] acl-number | By default, no ACL is used to filter SSH logins. For more information about these two commands, see Security Command Reference. |
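The following added example (not from this guide) ties the console scheme-authentication, SSH server, common VTY line and SSH ACL procedures above into one hardened management-access configuration: username/password login on the console line, an SSH-only VTY path restricted to two management hosts, Telnet disabled, and short idle timers. Host addresses, the user name, the ACL number and the VTY range are constructed; public-key local create, ssh user, line aux, line vty, domain system, authentication login local and service-type ssh terminal are Comware commands assumed from the surrounding procedures rather than quoted from this page.

```text
# Added example: hardened management access after the first console login.
# Addresses, names and the VTY range below are constructed for illustration.
<Sysname> system-view

# Local administrator used for scheme authentication on both AUX and VTY lines.
# (local-user/class manage and authorization-attribute are from the RESTful tables;
# service-type ssh terminal is assumed Comware syntax.)
[Sysname] local-user admin class manage
[Sysname-luser-manage-admin] password simple <strong-password-placeholder>
[Sysname-luser-manage-admin] service-type ssh terminal
[Sysname-luser-manage-admin] authorization-attribute user-role network-admin
[Sysname-luser-manage-admin] quit

# Login authentication method for the default ISP domain (assumed: domain "system").
[Sysname] domain system
[Sysname-isp-system] authentication login local
[Sysname-isp-system] quit

# Console: replace the unauthenticated default with scheme authentication
# and age out idle sessions after 5 minutes (line aux 0 is an assumed line number).
[Sysname] line aux 0
[Sysname-line-aux0] authentication-mode scheme
[Sysname-line-aux0] idle-timeout 5
[Sysname-line-aux0] quit

# SSH server: host key pair (prompts for modulus length), enable the Stelnet
# server, create a password-authenticated SSH user (assumed Comware syntax).
[Sysname] public-key local create rsa
[Sysname] ssh server enable
[Sysname] ssh user admin service-type stelnet authentication-type password

# VTY lines: scheme authentication and SSH only. Setting protocol inbound in
# VTY line view resets authentication-mode to its default unless set here too,
# so both commands are given in the same view (range 0 63 is assumed).
[Sysname] line vty 0 63
[Sysname-line-vty0-63] authentication-mode scheme
[Sysname-line-vty0-63] protocol inbound ssh
[Sysname-line-vty0-63] idle-timeout 5
[Sysname-line-vty0-63] quit
[Sysname] undo telnet server enable

# Only the two management hosts may reach the SSH server (basic ACL, source IP),
# and at most 4 SSH sessions may be open at once.
[Sysname] acl basic 2000 match-order config
[Sysname-acl-ipv4-basic-2000] rule 1 permit source 10.110.100.52 0
[Sysname-acl-ipv4-basic-2000] rule 2 permit source 10.110.100.46 0
[Sysname-acl-ipv4-basic-2000] quit
[Sysname] ssh server acl 2000
[Sysname] aaa session-limit ssh 4

# Verify which lines are in use and from where before saving.
[Sysname] display users
```

Because line-view changes apply only to new logins, keep the current session open and confirm an SSH login from one of the permitted hosts succeeds (and one from any other address is refused) before saving the running configuration.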
Configuration example
Network requirements
As shown in Figure 14, the device is a Telnet server.
Configure the device to permit only Telnet packets sourced from Host A and Host B.
Configuration procedure
# Configure an ACL to permit packets sourced from Host A and Host B.
<Sysname> system-view
[Sysname] acl basic 2000 match-order config
[Sysname-acl-ipv4-basic-2000] rule 1 permit source 10.110.100.52 0
[Sysname-acl-ipv4-basic-2000] rule 2 permit source 10.110.100.46 0
[Sysname-acl-ipv4-basic-2000] quit
# Apply the ACL to filter Telnet logins.
[Sysname] telnet server acl 2000
Controlling SNMP access
Use a basic ACL (2000 to 2999) to control SNMP access by source IP address. To access the requested MIB view, an NMS must use a source IP address permitted by the ACL. If the ACL does not exist or does not have any rules, no user login restriction is applied.
Configuration procedure
To control SNMPv1 or SNMPv2c access:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Configure the SNMP access right. | · (Method 1.) Create an SNMP community and specify ACLs for the community: In VACM mode: In RBAC mode: · (Method 2.) Create an SNMPv1/v2c group and add a user to the group, specifying ACLs for the group and user: a. snmp-agent group { v1 \| v2c } group-name [ read-view view-name ] [ write-view view-name ] [ notify-view view-name ] [ acl { ipv4-acl-number \| name ipv4-acl-name } \| acl ipv6 { ipv6-acl-number \| name ipv6-acl-name } ] * b. snmp-agent usm-user { v1 \| v2c } user-name group-name [ acl { ipv4-acl-number \| name ipv4-acl-name } \| acl ipv6 { ipv6-acl-number \| name ipv6-acl-name } ] * | For more information about SNMP, see Network Management and Monitoring Configuration Guide. |
To control SNMPv3 access:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Create an SNMPv3 group, specifying ACLs for the group. | In non-FIPS mode: In FIPS mode: | N/A |
| 3. Create an SNMPv3 user, specifying ACLs for the user. | In non-FIPS mode: · In VACM mode: · In RBAC mode: In FIPS mode: · In VACM mode: · In RBAC mode: | For more information about SNMP, see Network Management and Monitoring Configuration Guide. |
Configuration example
Network requirements
As shown in Figure 15, the device is running SNMP.
Configure the device to allow Host A and Host B to access the device through SNMP.
Configuration procedure
# Create an ACL to permit packets sourced from Host A and Host B.
<Sysname> system-view
[Sysname] acl basic 2000 match-order config
[Sysname-acl-ipv4-basic-2000] rule 1 permit source 10.110.100.52 0
[Sysname-acl-ipv4-basic-2000] rule 2 permit source 10.110.100.46 0
[Sysname-acl-ipv4-basic-2000] quit
# Associate the ACL with the SNMP community and the SNMP group.
[Sysname] snmp-agent community read aaa acl 2000
[Sysname] snmp-agent group v2c groupa acl 2000
[Sysname] snmp-agent usm-user v2c usera groupa acl 2000
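The paragraph above carries a caveat worth checking rather than trusting: an ACL that is referenced but does not exist, or that exists without rules, applies no restriction at all, so binding the ACL number before its rules are created leaves SNMP open to any source. The following Python model is an added example, not code from the guide or the device. It parses the basic ACL in the guide's own CLI syntax (the two permit rules from the example above plus a constructed deny rule) and decides whether a given source address reaches the SNMP agent. Two behaviours are assumptions the guide does not state and are marked as such in the code: rules are checked in configuration order with the first match deciding (what `match-order config` implies), and a source that matches no rule is denied.

```python
"""Model of how a Comware basic ACL gates SNMP (or FTP/TFTP) access by source IP.

Added illustration, not code from the guide or the device. Assumptions the
guide does not state: rules are checked in configuration order and the first
match decides; a source that matches no rule is denied. The guide does state
that a missing or empty ACL applies no restriction; that case is modelled as-is.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the guide's two permit rules plus a deny rule added here.
SAMPLE_ACL_CONFIG = """\
acl basic 2000 match-order config
 rule 1 permit source 10.110.100.52 0
 rule 2 permit source 10.110.100.46 0
 rule 3 deny source 10.110.100.0 0.0.0.255
"""

RULE_RE = re.compile(
    r"rule\s+(\d+)\s+(permit|deny)(?:\s+source\s+(\S+)\s+(\S+))?\s*$"
)


@dataclass
class Rule:
    number: int
    action: str                               # "permit" or "deny"
    network: Optional[ipaddress.IPv4Network]  # None matches any source


@dataclass
class BasicAcl:
    number: int
    rules: List[Rule] = field(default_factory=list)


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert 'address wildcard' (0 bits must match) into a network.

    The guide writes a host wildcard as a bare '0'; accept that shorthand.
    Only contiguous wildcards (a plain prefix) are handled in this model.
    """
    if wildcard == "0":
        wildcard = "0.0.0.0"
    wc_bits = int(ipaddress.IPv4Address(wildcard))
    mask = ~wc_bits & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported here")
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def parse_basic_acl(config: str) -> BasicAcl:
    """Parse an 'acl basic' block written in the guide's CLI syntax."""
    acl: Optional[BasicAcl] = None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.match(r"acl basic (\d+)", line)
        if header:
            acl = BasicAcl(int(header.group(1)))
            continue
        rule = RULE_RE.match(line)
        if rule and acl is not None:
            number, action, addr, wildcard = rule.groups()
            network = None if addr is None else wildcard_to_network(addr, wildcard)
            acl.rules.append(Rule(int(number), action, network))
    if acl is None:
        raise ValueError("no 'acl basic' header found")
    return acl


def source_allowed(acl: Optional[BasicAcl], source_ip: str) -> bool:
    """Decide whether source_ip may reach the service the ACL is bound to."""
    if acl is None or not acl.rules:
        return True  # guide: absent or empty ACL -> no restriction (the risky case)
    ip = ipaddress.IPv4Address(source_ip)
    for rule in acl.rules:  # configuration order, first match wins (assumption)
        if rule.network is None or ip in rule.network:
            return rule.action == "permit"
    return False  # unmatched source is denied (assumption)
```

The practical consequence of the empty-ACL rule is ordering: create the ACL and its permit rules first, confirm the rules are present, and only then bind the ACL number to the community, group or user. Binding first and adding rules later leaves a window in which `source_allowed` returns True for every address.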
Configuring command authorization
By default, commands available for a user depend only on the user's user roles. When the authentication mode is scheme, you can configure the command authorization feature to further control access to commands.
After you enable command authorization, a user can use only commands that are permitted by both the AAA scheme and user roles.
The command authorization method can be different from the user login authorization method.
This section provides the procedure for configuring command authorization. To make the command authorization feature take effect, you must configure a command authorization method in ISP domain view. For more information, see Security Configuration Guide.
Configuration procedure
To configure command authorization:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter user line view or user line class view. |
· Enter user line view:
· Enter user line class view: |
A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class. A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view. A setting in user line class view does not take effect for current online users. It takes effect only for new login users. |
3. Enable scheme authentication. |
authentication-mode scheme |
In non-FIPS mode, authentication is disabled for AUX lines, and password authentication is enabled for VTY lines by default. In FIPS mode, scheme authentication is enabled by default. In VTY line view, this command is associated with the protocol inbound command. If you specify a non-default value for one of the two commands, the other command uses the default setting, regardless of the setting in VTY line class view. |
4. Enable command authorization. |
command authorization |
By default, command authorization is disabled, and the commands available for a user only depend on the user role. If the command authorization command is configured in user line class view, command authorization is enabled on all user lines in the class. You cannot configure the undo command authorization command in the view of a user line in the class. |
Configuration example
Network requirements
As shown in Figure 16, Host A needs to log in to the device to manage the device.
Configure the device to perform the following operations:
· Allow Host A to Telnet in after authentication.
· Use the HWTACACS server to control the commands that the user can execute.
· If the HWTACACS server is not available, use local authorization.
Configuration procedure
# Assign IP addresses to relevant interfaces. Make sure the device and the HWTACACS server can reach each other. Make sure the device and Host A can reach each other. (Details not shown.)
# Enable the Telnet server.
<Device> system-view
[Device] telnet server enable
# Enable scheme authentication for user lines VTY 0 through VTY 63.
[Device] line vty 0 63
[Device-line-vty0-63] authentication-mode scheme
# Enable command authorization for the user lines.
[Device-line-vty0-63] command authorization
[Device-line-vty0-63] quit
# Create HWTACACS scheme tac.
[Device] hwtacacs scheme tac
# Configure the scheme to use the HWTACACS server at 192.168.2.20:49 for authentication and authorization.
[Device-hwtacacs-tac] primary authentication 192.168.2.20 49
[Device-hwtacacs-tac] primary authorization 192.168.2.20 49
# Set the shared keys to expert.
[Device-hwtacacs-tac] key authentication simple expert
[Device-hwtacacs-tac] key authorization simple expert
# Remove domain names from usernames sent to the HWTACACS server.
[Device-hwtacacs-tac] user-name-format without-domain
[Device-hwtacacs-tac] quit
# Configure the system-defined domain (system).
[Device] domain system
# Use HWTACACS scheme tac for login user authentication and command authorization. Use local authentication and local authorization as the backup method.
[Device-isp-system] authentication login hwtacacs-scheme tac local
[Device-isp-system] authorization command hwtacacs-scheme tac local
[Device-isp-system] quit
# Create local user monitor. Set the simple password to 123, the service type to Telnet, and the default user role to level-1.
[Device] local-user monitor
[Device-luser-manage-monitor] password simple 123
[Device-luser-manage-monitor] service-type telnet
[Device-luser-manage-monitor] authorization-attribute user-role level-1
Configuring command accounting
Command accounting uses the HWTACACS server to record all executed commands to monitor user behavior on the device.
If command accounting is enabled but command authorization is not, every executed command is recorded. If both command accounting and command authorization are enabled, only authorized commands that are executed are recorded.
The command accounting method can be the same as or different from the command authorization method and user login authorization method.
This section provides only the procedure for configuring command accounting. To make the command accounting feature take effect, you must configure a command accounting method in ISP domain view. For more information, see Security Configuration Guide.
Configuration procedure
To configure command accounting:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter user line view or user line class view. |
· Enter user line view:
· Enter user line class view: |
A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class. A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view. A setting in user line class view does not take effect for current online users. It takes effect only for new login users. |
3. Enable scheme authentication. |
authentication-mode scheme |
In non-FIPS mode, authentication is disabled for AUX lines, and password authentication is enabled for VTY lines by default. In FIPS mode, scheme authentication is enabled by default. In VTY line view, this command is associated with the protocol inbound command. If you specify a non-default value for one of the two commands, the other command uses the default setting, regardless of the setting in VTY line class view. |
4. Enable command accounting. |
command accounting |
By default, command accounting is disabled. The accounting server does not record the commands executed by users. If the command accounting command is configured in user line class view, command accounting is enabled on all user lines in the class. You cannot configure the undo command accounting command in the view of a user line in the class. |
Configuration example
Network requirements
As shown in Figure 17, users need to log in to the device to manage the device.
Configure the device to send commands executed by users to the HWTACACS server to monitor and control user operations on the device.
Configuration procedure
# Enable the Telnet server.
<Device> system-view
[Device] telnet server enable
# Enable command accounting for user line AUX 0.
[Device] line aux 0
[Device-line-aux0] command accounting
[Device-line-aux0] quit
# Enable command accounting for user lines VTY 0 through VTY 63.
[Device] line vty 0 63
[Device-line-vty0-63] command accounting
[Device-line-vty0-63] quit
# Create HWTACACS scheme tac.
[Device] hwtacacs scheme tac
# Configure the scheme to use the HWTACACS server at 192.168.2.20:49 for accounting.
[Device-hwtacacs-tac] primary accounting 192.168.2.20 49
# Set the shared key to expert.
[Device-hwtacacs-tac] key accounting simple expert
# Remove domain names from usernames sent to the HWTACACS server.
[Device-hwtacacs-tac] user-name-format without-domain
[Device-hwtacacs-tac] quit
# Configure the system-defined domain (system) to use the HWTACACS scheme for command accounting.
[Device] domain system
[Device-isp-system] accounting command hwtacacs-scheme tac
[Device-isp-system] quit
Configuring FTP
File Transfer Protocol (FTP) is an application layer protocol for transferring files from one host to another over an IP network, as shown in Figure 18. It uses TCP port 20 to transfer data and TCP port 21 to transfer control commands. For more information about FTP, see RFC 959.
FTP is based on the client/server model. The device can act as the FTP server or FTP client. Make sure the FTP server and the FTP client can reach each other before establishing the FTP connection.
Figure 18 FTP application scenario
FTP supports the following transfer modes:
· Binary mode—Used to transfer non-text files, such as .app, .bin, and .btm files.
· ASCII mode—Used to transfer text files, such as .txt, .bat, and .cfg files.
When the device acts as the FTP client, you can set the transfer mode (binary by default). When the device acts as the FTP server, the transfer mode is determined by the FTP client.
FTP can operate in either of the following modes:
· Active mode (PORT)—The FTP server initiates the TCP connection. This mode is not suitable when the FTP client is behind a firewall, for example, when the FTP client resides in a private network.
· Passive mode (PASV)—The FTP client initiates the TCP connection. This mode is not suitable when the server does not allow the client to use a random unprivileged port greater than 1024.
FTP operation mode varies depending on the FTP client program.
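The two operation modes differ only in which side opens the TCP data connection, and that is what decides whether a firewall in front of the client or the server breaks the transfer. The following Python example is added here and is not code from the guide or from any FTP implementation. It parses the server's 227 PASV reply into the host and port the client must connect to, builds the argument of an active-mode PORT command from the client's listening socket, and applies two client-side sanity checks before connecting: the PASV target must be the same host as the control connection, and its port must be an unprivileged one above 1024, as the guide's description of passive mode expects. The h1,h2,h3,h4,p1,p2 encoding is the RFC 959 form; the sample reply is constructed.

```python
"""Active (PORT) versus passive (PASV) FTP data connections, as an added
model; not code from the guide or from any FTP client or server.

The 227 reply and PORT argument use the h1,h2,h3,h4,p1,p2 form of RFC 959,
where port = p1 * 256 + p2. The sample reply below is constructed.
"""
import re
from typing import Tuple

PASV_REPLY_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Constructed sample reply; 185 * 256 + 97 = 47457.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (10,1,1,1,185,97)"


def parse_pasv_reply(reply: str) -> Tuple[str, int]:
    """Extract the (host, port) the server listens on from a 227 reply."""
    m = PASV_REPLY_RE.match(reply.strip())
    if m is None:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("h1-h4 and p1-p2 must each fit in one byte")
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return host, port


def build_port_argument(host: str, port: int) -> str:
    """Encode the client's listening socket for an active-mode PORT command."""
    octets = host.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"invalid IPv4 address {host!r}")
    if not 0 < port <= 65535:
        raise ValueError(f"invalid port {port}")
    return ",".join(octets + [str(port // 256), str(port % 256)])


def check_pasv_target(control_peer: str, reply: str) -> Tuple[bool, str]:
    """Sanity checks a client can apply before connecting to a PASV target.

    Rejects a reply that points at a host other than the control-connection
    peer (the data channel should not be redirected elsewhere) and one that
    uses a privileged port, since passive mode expects the server to offer a
    random unprivileged port greater than 1024.
    """
    host, port = parse_pasv_reply(reply)
    if host != control_peer:
        return False, f"PASV host {host} differs from control peer {control_peer}"
    if port <= 1024:
        return False, f"PASV port {port} is not an unprivileged port above 1024"
    return True, f"connect to {host}:{port}"
```

Read against the page's own transcripts: the "150 Connecting to port 47457" line in the client example corresponds to a server-side PASV port of 185,97 in this encoding. In active mode the roles reverse, the client sends the PORT argument and the server connects back, which is exactly the inbound connection a firewall in front of the client will drop.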
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
FTP is not supported in FIPS mode.
Using the device as an FTP server
To use the device as an FTP server, you must enable the FTP server and configure authentication and authorization on the device. Other commands are optional.
Configuring basic parameters
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enable the FTP server. |
ftp server enable |
By default, the FTP server is disabled. |
3. (Optional.) Use an ACL to control access to the FTP server. |
ftp server acl { ipv4-acl-number | ipv6 ipv6-acl-number } |
By default, no ACL is used for access control. |
4. (Optional.) Set the FTP connection idle-timeout timer. |
ftp timeout minutes |
By default, the FTP connection idle-timeout timer is 30 minutes. If no data transfer occurs on an FTP connection within the idle-timeout interval, the FTP server closes the FTP connection to release resources. |
5. (Optional.) Set the DSCP value for outgoing FTP packets. |
· For an IPv4 FTP server:
· For an IPv6 FTP server: |
By default, the DSCP value is 0. |
6. (Optional.) Set the maximum number of concurrent FTP users. |
aaa session-limit ftp max-sessions |
By default, the maximum number of concurrent FTP users is 32. Changing this setting does not affect users who are currently online. If the new limit is less than the number of online FTP users, no additional FTP users can log in until the number drops below the new limit. For more information about this command, see Security Command Reference. |
Configuring authentication and authorization
Perform this task on the FTP server to authenticate FTP clients and set the authorized directories that authenticated clients can access.
The following authentication modes are available:
· Local authentication—The device looks up the client's username and password in the local user account database. If a match is found, authentication succeeds.
· Remote authentication—The device sends the client's username and password to a remote authentication server for authentication. The user account is configured on the remote authentication server rather than the device.
The following authorization modes are available:
· Local authorization—The device assigns authorized directories to FTP clients based on the locally configured authorization attributes.
· Remote authorization—A remote authorization server assigns authorized directories on the device to FTP clients.
For information about configuring authentication and authorization, see Security Configuration Guide.
Manually releasing FTP connections
Execute the following commands in user view.
Task |
Command |
Manually release FTP connections. |
· Release the FTP connection established by using a specific user account:
· Release the FTP connection to a specific IP address: |
Displaying and maintaining the FTP server
Execute display commands in any view.
Task |
Command |
Display FTP server configuration and status information. |
display ftp-server |
Display detailed information about online FTP users. |
display ftp-user |
FTP server configuration example (in standalone mode)
Network requirements
· Configure the device as an FTP server.
· Create a local user account named abc on the FTP server. Set the password to 123456.
· Use the user account to log in to the FTP server from the FTP client.
· Upload the temp.bin file from the FTP client to the FTP server.
· Download configuration file startup.cfg from the FTP server to the FTP client for backup.
Configuration procedure
1. Configure IP addresses as shown in Figure 19. Make sure the device and PC can reach each other. (Details not shown.)
2. Configure the device (FTP server):
# Create a local user named abc. Set the password to 123456.
<Sysname> system-view
[Sysname] local-user abc class manage
[Sysname-luser-abc] password simple 123456
# Assign the network-admin user role to the user. Set the working directory to the root directory of the flash memory on the active MPU. (To set the working directory to the root directory of the flash memory on the standby MPU, you must include the slot number in the directory path.)
[Sysname-luser-abc] authorization-attribute user-role network-admin work-directory flash:/
# Assign the service type FTP to the user.
[Sysname-luser-abc] service-type ftp
[Sysname-luser-abc] quit
# Enable the FTP server.
[Sysname] ftp server enable
[Sysname] quit
# Examine the storage space for space insufficiency and delete unused files for more free space.
<Sysname> dir
Directory of flash:
0 -rw- 0 Sep 27 2010 14:43:34 kernel.bin
1 -rw- 0 Sep 27 2010 14:43:34 base.bin
2 drw- - Jun 29 2011 18:30:38 logfile
3 drw- - Jun 21 2011 14:51:38 diagfile
4 drw- - Jun 21 2011 14:51:38 seclog
5 -rw- 2943 Jul 02 2011 08:03:08 startup.cfg
6 -rw- 63901 Jul 02 2011 08:03:08 startup.mdb
7 -rw- 716 Jun 21 2011 14:58:02 hostkey
8 -rw- 572 Jun 21 2011 14:58:02 serverkey
9 -rw- 6541264 Aug 04 2011 20:40:49 backup.bin
473664 KB total (467080 KB free)
<Sysname> delete /unreserved flash:/backup.bin
3. Perform FTP operations from the PC (FTP client):
# Log in to the FTP server at 1.1.1.1 using username abc and password 123456.
c:\> ftp 1.1.1.1
Connected to 1.1.1.1.
220 FTP service ready.
User(1.1.1.1:(none)):abc
331 Password required for abc.
Password:
230 User logged in.
# Use the ASCII mode to download configuration file startup.cfg from the device to the PC for backup.
ftp> ascii
200 TYPE is now ASCII
ftp> get startup.cfg back-startup.cfg
# Use the binary mode to upload the file temp.bin from the PC to the root directory of the flash memory on the active MPU.
ftp> binary
200 TYPE is now 8-bit binary
ftp> put temp.bin
# Exit FTP.
ftp> bye
FTP server configuration example (in IRF mode)
Network requirements
· Configure the IRF fabric as an FTP server.
· Create a local user account named abc on the FTP server. Set the password to 123456.
· Use the user account to log in to the FTP server from the FTP client.
· Upload the temp.bin file from the FTP client to the FTP server.
· Download configuration file config.cfg from the FTP server to the FTP client for backup.
Configuration procedure
1. Configure IP addresses as shown in Figure 20. Make sure the IRF fabric and the PC can reach each other. (Details not shown.)
2. Configure the FTP server:
# Examine the storage space on the member devices. If the free space is insufficient, use the delete/unreserved file-url command to delete unused files. (Details not shown.)
# Create a local user named abc. Set the password to 123456.
<Sysname> system-view
[Sysname] local-user abc class manage
[Sysname-luser-abc] password simple 123456
# Assign the network-admin user role to the user. Set the working directory to the root directory of the flash memory on the global active MPU. (To set the working directory to the root directory of the flash memory on a global standby MPU, you must include the chassis and slot numbers in the directory path.)
[Sysname-luser-abc] authorization-attribute user-role network-admin work-directory flash:/
# Assign the service type FTP to the user.
[Sysname-luser-abc] service-type ftp
[Sysname-luser-abc] quit
# Enable the FTP server.
[Sysname] ftp server enable
[Sysname] quit
3. Perform FTP operations from the FTP client:
# Log in to the FTP server at 1.1.1.1 using username abc and password 123456.
c:\> ftp 1.1.1.1
Connected to 1.1.1.1.
220 FTP service ready.
User(1.1.1.1:(none)):abc
331 Password required for abc.
Password:
230 User logged in.
# Use the ASCII mode to download configuration file config.cfg from the server to the client for backup.
ftp> ascii
200 TYPE is now ASCII
ftp> get config.cfg back-config.cfg
# Use the binary mode to upload the temp.bin file to the root directory of the flash memory on the global active MPU.
ftp> binary
200 TYPE is now 8-bit binary
ftp> put temp.bin
# Exit FTP.
ftp> bye
Using the device as an FTP client
Establishing an FTP connection
To access an FTP server, you must establish a connection from the FTP client to the FTP server.
To establish an IPv4 FTP connection:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. (Optional.) Specify a source IP address for outgoing FTP packets. |
ftp client source { interface interface-type interface-number | ip source-ip-address } |
By default, no source IP address is specified. The device uses the primary IP address of the output interface as the source IP address. |
3. Return to user view. |
quit |
N/A |
4. Log in to the FTP server. |
· (Method 1.) Log in to the FTP server from user view:
· (Method 2.) Log in to the FTP server from FTP client view:
  a. Enter FTP client view:
  b. Log in to the FTP server: |
The source IP address specified in the ftp command takes precedence over the one set by the ftp client source command. |
To establish an IPv6 FTP connection:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. (Optional.) Specify the source IPv6 address for FTP packets sent by the FTP client. |
ftp client ipv6 source { interface interface-type interface-number | ipv6 source-ipv6-address } |
By default, no source IPv6 address is specified. The source address is automatically selected as defined in RFC 3484. |
3. Return to user view. |
quit |
N/A |
4. Log in to the FTP server. |
· (Method 1.) Log in to the FTP server from user view:
· (Method 2.) Log in to the FTP server from FTP client view:
  a. Enter FTP client view:
  b. Log in to the FTP server: |
The source IP address specified in the ftp ipv6 command takes precedence over the one set by the ftp client ipv6 source command. |
Managing directories on the FTP server
Perform the following tasks in FTP client view:
Task |
Command |
Display directory and file information on the FTP server. |
· Display the detailed information of a directory or file on the FTP server:
· Display the name of a directory or file on the FTP server: |
Change the working directory on the FTP server. |
cd { directory | .. | / } |
Return to the upper level directory on the FTP server. |
cdup |
Display the working directory that is being accessed. |
pwd |
Create a directory on the FTP server. |
mkdir directory |
Delete a directory from the remote FTP server. |
rmdir directory |
Working with files on the FTP server
After you log in to the server, you can upload a file to or download a file from the authorized directory by following these steps:
1. Use the dir or ls command to display the directory and location of the file on the FTP server.
2. Delete unused files to get more free storage space.
3. Set the file transfer mode to ASCII for text files or to binary for non-text files.
4. Use the lcd command to change the local working directory of the FTP client. You can upload the file or save the downloaded file in this directory.
5. Upload or download the file.
To work with files on an FTP server, execute the following commands in FTP client view:
Task |
Command |
Remarks |
Display directory or file information on the FTP server. |
· Display the detailed information of a directory or file on the FTP server:
· Display the name of a directory or file on the FTP server: |
N/A |
Delete a file from the FTP server permanently. |
delete remotefile |
N/A |
Set the file transfer mode. |
· Set the file transfer mode to ASCII:
· Set the file transfer mode to binary: |
The default file transfer mode is binary. |
Change the FTP operation mode. |
passive |
The default mode is passive. |
Display or change the local working directory of the FTP client. |
lcd [ directory | / ] |
N/A |
Upload a file to the FTP server. |
put localfile [ remotefile ] |
N/A |
Download a file from the FTP server. |
get remotefile [ localfile ] |
N/A |
Add the content of a file on the FTP client to a file on the FTP server. |
append localfile [ remotefile ] |
N/A |
Specify the retransmit marker. |
restart marker |
Use this command together with the put, get, or append command. |
Update the local file. |
newer remotefile |
N/A |
Get the missing part of a file. |
reget remotefile [ localfile ] |
N/A |
Rename the file. |
rename [ oldfilename [ newfilename ] ] |
N/A |
Changing to another user account
After you log in to the FTP server, you can initiate an FTP authentication to change to a new account. By changing to a new account, you can get a different privilege without re-establishing the FTP connection.
For successful account change, you must enter the new username and password correctly. A wrong username or password can cause the FTP connection to be disconnected.
To change to another user account, execute the following command in user view:
Task |
Command |
Initiate an FTP authentication on the current FTP connection. |
user username [ password ] |
Maintaining and troubleshooting the FTP connection
Perform the following tasks in FTP client view:
Task |
Command |
Remarks |
Display FTP commands on the FTP server. |
rhelp |
N/A |
Display FTP commands help information on the FTP server. |
rhelp protocol-command |
N/A |
Display FTP server status. |
rstatus |
N/A |
Display detailed information about a directory or file on the FTP server. |
rstatus remotefile |
N/A |
Display FTP connection status. |
status |
N/A |
Display the system information of the FTP server. |
system |
N/A |
Enable or disable FTP operation information display. |
verbose |
By default, this function is enabled. |
Enable or disable FTP client debugging. |
debug |
By default, FTP client debugging is disabled. |
Clear the reply information in the buffer. |
reset |
N/A |
Terminating the FTP connection
Execute one of the following commands in FTP client view:
Task |
Command |
Terminate the connection to the FTP server without exiting FTP client view. |
· disconnect
· close |
Terminate the connection to the FTP server and return to user view. |
· bye
· quit |
Displaying command help information
Execute one of the following commands in FTP client view:
Task |
Command |
Display command help information. |
· help [ command-name ]
· ? [ command-name ] |
Displaying and maintaining the FTP client
Execute the display command in any view.
Task |
Command |
Display source IP address information on the FTP client. |
display ftp client source |
FTP client configuration example (in standalone mode)
Network requirements
As shown in Figure 21, the PC is acting as an FTP server. A user account with username abc and password 123456 has been created on the PC.
· Use the device as an FTP client to log in to the FTP server.
· Download the temp.bin file from the PC to the device.
· Upload configuration file startup.cfg from the device to the PC for backup.
Configuration procedure
# Configure IP addresses as shown in Figure 21. Make sure the device and PC can reach each other. (Details not shown.)
# Examine the storage space of the device. If the free space is insufficient, use the delete/unreserved file-url command to delete unused files. (Details not shown.)
# Log in to the FTP server at 10.1.1.1 using username abc and password 123456.
<Sysname> ftp 10.1.1.1
Press CTRL+C to abort.
Connected to 10.1.1.1 (10.1.1.1).
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
User (10.1.1.1:(none)): abc
331 Give me your password, please
Password:
230 Logged in successfully
Remote system type is MSDOS.
ftp>
# Set the file transfer mode to binary.
ftp> binary
200 TYPE is now 8-bit binary
# Download the temp.bin file from the PC to the root directory of the flash memory on the active MPU.
ftp> get temp.bin
local: temp.bin remote: temp.bin
150 Connecting to port 47457
226 File successfully transferred
23951480 bytes received in 95.399 seconds (251.0 kbyte/s)
# Download the temp.bin file from the PC to the root directory of the flash memory on the standby MPU (in slot 1).
ftp> get temp.bin slot1#flash:/temp.bin
# Use the ASCII mode to upload configuration file startup.cfg from the device to the PC for backup.
ftp> ascii
200 TYPE is now ASCII
ftp> put startup.cfg back-startup.cfg
local: startup.cfg remote: back-startup.cfg
150 Connecting to port 47461
226 File successfully transferred
3494 bytes sent in 5.646 seconds (618.00 kbyte/s)
ftp> bye
221-Goodbye. You uploaded 2 and downloaded 2 kbytes.
221 Logout.
<Sysname>
FTP client configuration example (in IRF mode)
Network requirements
As shown in Figure 22, the PC is acting as an FTP server. A user account with username abc and password 123456 has been created on the PC.
· Use the IRF fabric as an FTP client to log in to the FTP server.
· Download the temp.bin file from the FTP server to the FTP client.
· Upload configuration file config.cfg from the FTP client to the FTP server for backup.
Configuration procedure
# Configure IP addresses as shown in Figure 22. Make sure the IRF fabric and PC can reach each other. (Details not shown.)
# Examine the storage space on the member devices. If the free space is insufficient, use the delete/unreserved file-url command to delete unused files. (Details not shown.)
# Log in to the FTP server using username abc and password 123456.
<Sysname> ftp 10.1.1.1
Press CTRL+C to abort.
Connected to 10.1.1.1 (10.1.1.1).
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
User (10.1.1.1:(none)): abc
331 Give me your password, please
Password:
230 Logged in successfully
Remote system type is MSDOS.
ftp>
# Set the file transfer mode to binary.
ftp> binary
200 TYPE is now 8-bit binary
# Download the temp.bin file from the PC to the root directory of the flash memory on the global active MPU.
ftp> get temp.bin
local: temp.bin remote: temp.bin
150 Connecting to port 47457
226 File successfully transferred
23951480 bytes received in 95.399 seconds (251.0 kbyte/s)
# Download the temp.bin file from the PC to the root directory of the flash memory on the global standby MPUs.
ftp> get temp.bin chassis1#slot1#flash:/temp.bin
ftp> get temp.bin chassis2#slot0#flash:/temp.bin
ftp> get temp.bin chassis2#slot1#flash:/temp.bin
# Use the ASCII mode to upload configuration file config.cfg from the IRF fabric to the PC for backup.
ftp> ascii
200 TYPE is now ASCII
ftp> put config.cfg back-config.cfg
local: config.cfg remote: back-config.cfg
150 Connecting to port 47461
226 File successfully transferred
3494 bytes sent in 5.646 seconds (618.00 kbyte/s)
ftp> bye
221-Goodbye. You uploaded 2 and downloaded 2 kbytes.
221 Logout.
<Sysname>
Configuring TFTP
Trivial File Transfer Protocol (TFTP) is a simplified version of FTP for file transfer over secure reliable networks. TFTP uses UDP port 69 for data transmission. In contrast to TCP-based FTP, TFTP does not require authentication or complex message exchanges, and is easier to deploy. TFTP is suited for reliable network environments.
As shown in Figure 23, the device can only act as a TFTP client. You can upload a file from the device to the TFTP server or download a file from the TFTP server to the device. If you download a file with a file name that exists in the target directory, the device deletes the existing file and saves the new one. If file download fails due to network disconnection or other reasons, the original file cannot be restored. Therefore, use a nonexistent file name instead.
Figure 23 TFTP application scenario
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
TFTP is not supported in FIPS mode.
Configuring the device as an IPv4 TFTP client
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. (Optional.) Use an ACL to control the client's access to TFTP servers. |
tftp-server acl acl-number |
By default, no ACL is used for access control. |
3. Specify the source IP address for TFTP packets sent by the TFTP client. |
tftp client source { interface interface-type interface-number | ip source-ip-address } |
By default, no source IP address is specified. The device uses the primary IP address of the output interface as the source IP address. |
4. Return to user view. |
quit |
N/A |
5. Download or upload a file in an IPv4 network. |
tftp tftp-server { get | put | sget } source-filename [ destination-filename ] [ vpn-instance vpn-instance-name ] [ dscp dscp-value | source { interface interface-type interface-number | ip source-ip-address } ] * |
The source IP address specified in this command takes precedence over the one set by the tftp client source command. Use this command in user view. |
Configuring the device as an IPv6 TFTP client
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. (Optional.) Use an ACL to control the client's access to TFTP servers. |
tftp-server ipv6 acl ipv6-acl-number |
By default, no ACL is used for access control. |
3. Specify the source IPv6 address for TFTP packets sent by the TFTP client. |
tftp client ipv6 source { interface interface-type interface-number | ipv6 source-ipv6-address } |
By default, no source IPv6 address is specified. The source address is automatically selected as defined in RFC 3484. |
4. Return to user view. |
quit |
N/A |
5. Download or upload a file in an IPv6 network. |
tftp ipv6 tftp-server [ -i interface-type interface-number ] { get | put | sget } source-filename [ destination-filename ] [ vpn-instance vpn-instance-name ] [ dscp dscp-value | source { interface interface-type interface-number | ipv6 source-ipv6-address } ] * |
The source IP address specified in this command takes precedence over the one set by the tftp client ipv6 source command. Use this command in user view. |
Managing file systems
Overview
File systems
The device supports the following storage media:
· Flash memory.
· USB disk (a hot-swappable storage medium).
The flash memory has one file system.
Each storage medium has one file system.
The USB disk can be partitioned. An unpartitioned USB disk has one file system. A partitioned USB disk has one file system on each partition.
File system naming conventions
The name of the file system on a flash memory has the following parts:
· File system location. For more information, see "File system location".
· Storage medium type flash.
· Colon (:).
The name of a file system on a USB disk has the following parts:
· File system location. For more information, see "File system location".
· Storage medium type usb.
· Sequence number, a lower-case English letter such as a, b, or c.
· Partition number, a digit that starts at 0 and increments by 1. If the USB disk is not partitioned, the system determines that the USB disk has one partition.
· Colon (:).
For example, the file system on the first partition of the first USB disk is named usba0:.
|
IMPORTANT: File system names are case sensitive and must be entered in lower case. |
File system location
(In standalone mode.) To identify a file system on the active MPU, you do not need to specify the file system location. To identify a file system on the standby MPU, you must specify the file system location in the slotn# format. The n argument represents the slot number of the standby MPU. For example, the location is slot1# for a file system that resides on the standby MPU in slot 1.
(In IRF mode.) To identify a file system on the global active MPU, you do not need to specify the file system location. To identify a file system on a global standby MPU, you must specify the file system location in the chassism#slotn# format. The m argument represents the IRF member ID of the member device. The n argument represents the slot number of a global standby MPU. For example, the location is chassis2#slot1# for a file system that resides on the MPU in slot 1 of member device 2.
Default file system
You are working with the default file system by default after you log in. To specify a file or directory on the default file system, you do not need to specify the file system name. For example, you do not need to specify any location information if you want to save the running configuration to the root directory of the default file system.
Directories
Directories in a file system are structured in a tree form.
Root directory
The root directory is represented by a forward slash (/). For example, flash:/ represents the root directory of the flash memory.
Working directory
The working directory is also called the current directory.
(In standalone mode.) The default working directory is the root directory of the flash memory on the active MPU.
(In IRF mode.) The default working directory is the root directory of the flash memory on the global active MPU.
Directory naming conventions
When you specify a name for a directory, follow these conventions:
· A directory name can contain letters, digits, and special characters.
· A directory whose name starts with a dot character (.) is a hidden directory. To prevent the system from hiding a directory, make sure the directory name does not start with a dot character.
Commonly used directories
The device has some factory-default directories. The system automatically creates directories during operation. These directories include:
· diagfile—Stores diagnostic information files.
· license—Stores license files.
· logfile—Stores log files.
· seclog—Stores security log files.
· versionInfo—Stores software version information files.
Files
File naming conventions
When you specify a name for a file, follow these conventions:
· A file name can contain letters, digits, and special characters.
· A file whose name starts with a dot character (.) is a hidden file. To prevent the system from hiding a file, make sure the file name does not start with a dot character.
Common file types
The device is shipped with some files. The system automatically creates files during operation. The types of these files include:
· .ipe file—Compressed software image package file.
· .bin file—Software image file.
· .cfg file—Configuration file.
· .mdb file—Binary configuration file.
· .log file—Log file.
Specifying a directory name or file name
Specifying a directory name
To specify a directory, you can use the absolute path or a relative path. For example, the working directory is flash:/. To specify the test2 directory in Figure 24, you can use the following methods:
· flash:/test/test1/test2 (absolute path)
· flash:/test/test1/test2/ (absolute path)
· test/test1/test2 (relative path)
· test/test1/test2/ (relative path)
Figure 24 Sample directory hierarchy
Specifying a file name
To specify a file, use the following methods:
· Enter the absolute path of the file and the file name in the format of filesystem/directory1/directory2/…/directoryn/filename, where directoryn is the directory in which the file resides.
· Enter the relative path of the file and the file name.
For example, the working directory is flash:/. The samplefile.cfg file is in the test2 directory shown in Figure 24. To specify the file, you can use the following methods:
· flash:/test/test1/test2/samplefile.cfg
· test/test1/test2/samplefile.cfg
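The naming conventions and path rules above (file system location, medium type, USB sequence letter and partition, absolute and relative paths) as an added example in Python, written for this page and not part of the Comware software. The grammar, the FsPath type and the resolve function are assumptions derived from the conventions; the device exposes nothing of the kind.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example for this page; it is not Comware code. The grammar below is
# assumed from the naming conventions described above:
#   [chassis<m>#][slot<n>#]( flash | usb<letter><digit> ):[/path]
# Location prefixes are optional, 'flash' carries no sequence letter or
# partition number, and the match is case sensitive because file system
# names must be entered in lower case.
_FS_RE = re.compile(
    r"^(?:chassis(?P<chassis>\d+)#)?"
    r"(?:slot(?P<slot>\d+)#)?"
    r"(?:(?P<flash>flash)|usb(?P<seq>[a-z])(?P<part>\d+))"
    r":(?P<path>/.*)?$"
)


@dataclass(frozen=True)
class FsPath:
    chassis: Optional[int]    # IRF member ID; None when not given
    slot: Optional[int]       # MPU slot number; None means the active MPU
    medium: str               # "flash" or "usb"
    seq: Optional[str]        # USB disk sequence letter, e.g. "a"
    partition: Optional[int]  # USB partition number, starting at 0
    path: str                 # absolute path inside the file system

    @property
    def filesystem(self) -> str:
        """Rebuild the file system name, e.g. 'chassis2#slot1#usba0:'."""
        loc = ""
        if self.chassis is not None:
            loc += f"chassis{self.chassis}#"
        if self.slot is not None:
            loc += f"slot{self.slot}#"
        if self.medium == "flash":
            return f"{loc}flash:"
        return f"{loc}usb{self.seq}{self.partition}:"


def parse_fs_path(text: str) -> FsPath:
    """Parse an absolute specification such as 'slot1#flash:/test/a.cfg'."""
    m = _FS_RE.match(text)
    if m is None:
        if _FS_RE.match(text.lower()):
            raise ValueError(f"file system name must be lower case: {text!r}")
        raise ValueError(f"not a valid absolute path: {text!r}")
    return FsPath(
        chassis=int(m["chassis"]) if m["chassis"] else None,
        slot=int(m["slot"]) if m["slot"] else None,
        medium="flash" if m["flash"] else "usb",
        seq=m["seq"],
        partition=int(m["part"]) if m["part"] else None,
        path=m["path"] or "/",
    )


def _normalize(segments: List[str]) -> List[str]:
    """Drop empty and '.' segments and apply '..' (never above the root)."""
    out: List[str] = []
    for seg in segments:
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return out


def resolve(working_dir: str, spec: str) -> str:
    """Resolve spec (absolute, or relative to working_dir) to a canonical
    absolute path 'filesystem:/dir/.../name' without a trailing slash."""
    base = parse_fs_path(working_dir)
    if ":" in spec:                      # absolute: names its own file system
        target = parse_fs_path(spec)
        fs, segments = target.filesystem, target.path.split("/")
    else:                                # relative: append to the working dir
        fs = base.filesystem
        segments = base.path.split("/") + spec.split("/")
    return fs + "/" + "/".join(_normalize(segments))


def is_hidden(name: str) -> bool:
    """Files and directories whose names start with '.' are hidden,
    including each file system's recycle bin, '.trash'."""
    return name.startswith(".")
```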
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
File system management restrictions and guidelines
To avoid file system corruption, do not perform the following tasks during file system management:
· Install or remove storage media.
· Install or remove cards.
· (In standalone mode.) Perform an active/standby switchover.
· (In IRF mode.) Perform a switchover between the global active MPU and a global standby MPU.
If you remove a storage medium while a directory or file on the medium is being accessed, the device might not recognize the medium when you reinstall it. To reinstall this kind of storage medium, perform one of the following tasks:
· If you were accessing a directory on the storage medium, change the working directory.
· If you were accessing a file on the storage medium, close the file.
· If another administrator was accessing the storage medium, unmount all file systems on the storage medium.
Make sure a USB disk is not write protected before performing an operation that requires write access to the disk.
You cannot access a storage medium that is being partitioned, or a file system that is being formatted or repaired.
Before managing file systems, directories, and files, make sure you know the possible impact.
Managing storage media and file systems
Partitioning a storage medium
A storage medium can be divided into logical devices called partitions. Operations on one partition do not affect the other partitions.
Restrictions and guidelines
The flash memory does not support partitioning.
A partition must have a minimum of 32 MB of storage space.
The actual partition size and the specified partition size might have a difference of less than 5% of the storage medium's total size.
Before partitioning a storage medium, perform the following tasks:
· Back up the files in the storage medium. The partition operation clears all data on the medium.
· To partition a storage medium, make sure the disk is not write protected. If the disk is write protected, the partition operation will fail, and you must remount or reinstall the disk to restore access to the storage medium.
· Make sure no other users are accessing the medium.
Configuration procedure
Perform this task in user view.
Task |
Command |
Remarks |
Partition a storage medium. |
fdisk medium [ partition-number ] |
To partition a storage medium evenly, specify the partition-number argument. To customize the sizes of partitions, do not specify the partition-number argument. The command will require you to specify a size for each partition. |
Mounting or unmounting a file system
Generally, file systems on a hot-swappable storage medium are automatically mounted when the storage medium is connected to the device. If the system cannot recognize a file system, you must mount the file system before you can access it.
To remove a hot-swappable storage medium from the device, you must first unmount all file systems on the storage medium to disconnect the medium from the device. Removing a connected hot-swappable storage medium might damage files on the storage medium or even the storage medium itself.
To use an unmounted file system, you must mount the file system again.
Restrictions and guidelines
You can mount or unmount a file system only when no other users are accessing the file system.
To prevent a USB disk and the USB interface from being damaged, make sure the following requirements are met before unmounting file systems on the USB disk:
· The system has recognized the USB disk.
· The USB disk LED is not blinking.
Configuration procedure
Perform one of the following tasks in user view as appropriate:
Task |
Command |
Mount a file system. |
mount filesystem |
Unmount a file system. |
umount filesystem |
Formatting a file system
|
CAUTION: Formatting a file system permanently deletes all files and directories in the file system. You cannot restore the deleted files or directories. |
You can format a file system only when no other users are accessing the file system.
Perform this task in user view.
Task |
Command |
Format a file system. |
format filesystem |
Repairing a file system
If part of a file system is inaccessible, use this task to examine and repair the file system.
You can repair a file system only when no other users are accessing the file system.
Perform this task in user view.
Task |
Command |
Repair a file system. |
fixdisk filesystem |
Managing directories
Displaying directory information
Perform this task in user view.
Task |
Command |
Display directory or file information. |
dir [ /all ] [ file | directory | /all-filesystems ] |
Displaying the working directory
Perform this task in user view.
Task |
Command |
Display the working directory. |
pwd |
Changing the working directory
Perform this task in user view.
Task |
Command |
Change the working directory. |
cd { directory | .. } |
Creating a directory
Perform this task in user view.
Task |
Command |
Create a directory. |
mkdir directory |
Renaming a directory
Perform this task in user view.
Task |
Command |
Rename a directory. |
rename source-directory dest-directory |
Archiving/extracting directories
When you archive or extract directories or display archived directories, files in the directories are also archived, extracted, or displayed.
Perform the following tasks in user view:
Task |
Command |
Archive directories. |
tar create [ gz ] archive-file dest-file [ verbose ] source source-directory &<1-5> |
Extract directories. |
tar extract archive-file file [ verbose ] [ screen | to directory ] |
Display archived directories. |
tar list archive-file file |
Deleting a directory
To delete a directory, you must delete all files and subdirectories in the directory. To delete a file, use the delete command. To delete a subdirectory, use the rmdir command.
Deleting a directory permanently deletes all its files in the recycle bin, if any.
Perform this task in user view.
Task |
Command |
Delete a directory. |
rmdir directory |
Setting the operation mode for directories
The device supports the following directory operation modes:
· alert—The system prompts for confirmation when your operation might cause problems such as data loss. This mode provides an opportunity to cancel a disruptive operation.
· quiet—The system does not prompt for confirmation.
To set the operation mode for directories:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Set the operation mode for directories. |
file prompt { alert | quiet } |
The default mode is alert. This command also sets the operation mode for files. |
Managing files
You can create a file by copying a file, downloading a file, or using the save command. For more information about downloading a file, see "Configuring FTP" and "Configuring TFTP." For more information about the save command, see Fundamentals Command Reference.
Displaying file information
Perform this task in user view.
Task |
Command |
Display directory or file information. |
dir [ /all ] [ file | directory | /all-filesystems ] |
Displaying the contents of a text file
Perform this task in user view.
Task |
Command |
Display the contents of a text file. |
more file |
Renaming a file
Perform this task in user view.
Task |
Command |
Rename a file. |
rename source-file dest-file |
Copying a file
Perform this task in user view.
Task |
Command |
Copy a file. |
copy source-file { dest-file | dest-directory } |
Moving a file
Perform this task in user view.
Task |
Command |
Move a file. |
move source-file { dest-file | dest-directory } |
Compressing/decompressing a file
Perform the following tasks in user view:
Task |
Command |
Compress a file. |
gzip file |
Decompress a file. |
gunzip file |
Archiving/extracting files
Perform the following tasks in user view:
Task |
Command |
Archive files. |
tar create [ gz ] archive-file dest-file [ verbose ] source source-file &<1-5> |
Extract files. |
tar extract archive-file file [ verbose ] [ screen | to directory ] |
Display the names of archived files. |
tar list archive-file file |
Deleting/restoring a file
You can delete a file permanently or move it to the recycle bin. A file moved to the recycle bin can be restored, but a permanently deleted file cannot.
Files in the recycle bin occupy storage space. To save storage space, periodically empty the recycle bin by using the reset recycle-bin command.
Perform the following tasks in user view:
Task |
Command |
Delete a file by moving it to the recycle bin. |
delete file |
Restore a file from the recycle bin. |
undelete file |
Delete a file permanently. |
delete /unreserved file |
|
IMPORTANT: Do not use the delete command to delete files from the recycle bin. To delete files from the recycle bin, use the reset recycle-bin command. |
Deleting files from the recycle bin
Each file system has a recycle bin of its own. A recycle bin is a folder named .trash in the root directory of a file system.
To view which files or directories are in a recycle bin, use either of the following methods:
· Access the file system and execute the dir /all .trash command.
· Execute the cd .trash command to enter the recycle bin folder and then execute the dir command.
To delete files from a recycle bin, perform the following task in user view:
Task |
Command |
Delete files from the recycle bin. |
reset recycle-bin [ /force ] |
Calculating the file digest
File digests are used to verify file integrity.
Use the following commands in user view:
Task |
Command |
Calculate the digest of a file by using the SHA-256 algorithm. |
sha256sum file |
Calculate the digest of a file by using the MD5 algorithm. |
md5sum file |
Setting the operation mode for files
The device supports the following file operation modes:
· alert—The system prompts for confirmation when your operation might cause problems such as file corruption or data loss. This mode provides an opportunity to cancel a disruptive operation.
· quiet—The system does not prompt for confirmation.
To set the operation mode for files:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Set the operation mode for files. |
file prompt { alert | quiet } |
The default mode is alert. This command also sets the operation mode for directories. |
Managing configuration files
Overview
You can manage configuration files from the CLI or the BootWare menu. The following information explains how to manage configuration files from the CLI.
A configuration file saves a set of commands for configuring software features on the device. You can save any configuration to a configuration file so the configuration can survive a reboot. You can also back up configuration files to a host for future use.
Configuration types
Factory defaults
The device is shipped with some basic settings called factory defaults. These default settings ensure that the device can start up and run correctly when it does not have a startup configuration file or when the configuration file is corrupt.
Factory defaults can be customized and might differ from the default settings of commands.
To display factory defaults, use the display default-configuration command.
Startup configuration
The device uses startup configuration to configure software features during startup. After the device starts up, you can specify the configuration file to be loaded at the next startup. This configuration file is called the next-startup configuration file. The configuration file that has been loaded is called the current startup configuration file.
If no next-startup configuration file exists, the device starts up with the factory defaults.
You can display the startup configuration by using one of the following methods:
· Execute the display startup command. To display detailed file contents, use the more command.
· After the device reboots, execute the display current-configuration command before making any configuration changes.
Running configuration
The running configuration includes unchanged startup settings and new settings. The running configuration is stored in memory and is cleared at a device reboot or power off. To use the running configuration after a power cycle or reboot, save it to a configuration file.
To display the running configuration, use the display current-configuration command.
Next-startup configuration file redundancy
You can specify one main next-startup configuration file and one backup next-startup configuration file for redundancy.
At startup, the device tries to load the startup configuration in the following order:
1. The main next-startup configuration file.
2. The backup next-startup configuration file if the main next-startup configuration file does not exist or is corrupt.
3. The factory defaults if the backup configuration file is unavailable.
Configuration file formats
Configuration files you specify for saving configuration must use the .cfg extension. A .cfg configuration file is a human-readable text file and its contents can be displayed by using the more command. When you save configuration to a .cfg file, the device automatically saves the configuration to a user-inaccessible binary .mdb file that has the same name as the .cfg file. The device loads an .mdb file faster than a .cfg file.
Startup configuration file selection
At startup, the device uses the following procedure to identify the configuration file to load:
1. The device searches for a valid .cfg next-startup configuration file.
2. If one is found, the device searches for an .mdb file that has the same name and content as the .cfg file.
3. If a matching .mdb file is found, the device starts up with the .mdb file. If none is found, the device starts up with the .cfg file.
Unless otherwise stated, the term "configuration file" in this document refers to a .cfg configuration file.
Configuration file content organization and format
|
IMPORTANT: To run on the device, a configuration file must meet the content and format requirements. To ensure a successful configuration load at startup, use a configuration file created on the device. If you edit the configuration file, make sure all edits are compliant with the requirements. |
A configuration file must meet the following requirements:
· All commands are saved in their complete form.
· Commands are sorted into sections by different command views, including system view, interface views, protocol views, and user line views.
· Two adjacent sections are separated by a pound sign (#).
· The configuration file ends with the word return.
The following is a sample configuration file excerpt:
#
local-user root class manage
password hash $h$6$Twd73mLrN8O2vvD5$Cz1vgdpR4KoTiRQNE9pg33gU14Br2p1VguczLSVyJLO2huV5Syx/LfDIf8ROLtVErJ/C31oq2rFtmNuyZf4STw==
service-type ssh telnet terminal
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
interface Vlan-interface1
ip address 192.168.1.84 255.255.255.0
#
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
Enabling configuration encryption
|
IMPORTANT: Any devices running Comware 7 software can decrypt the encrypted configuration files. To prevent an encrypted file from being decoded by unauthorized users, make sure the file is accessible only to authorized users. You cannot use the more command to view the contents of an encrypted configuration file. |
Configuration encryption enables the device to encrypt a startup configuration file automatically when it saves the running configuration. All devices running Comware 7 software use the same method to encrypt configuration files.
To enable configuration encryption:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enable configuration encryption. |
configuration encrypt { private-key | public-key } |
By default, configuration encryption is disabled. Configuration is saved unencrypted. |
Comparing configurations for their differences
You can compare configuration files or compare a configuration file with the running configuration for their differences.
If you specify the next-startup configuration for a comparison, the system selects the next-startup configuration file to be compared with in the following order:
1. The main next-startup configuration file.
2. The backup next-startup configuration file if the main next-startup configuration file is unavailable, for example, the configuration file does not exist or is corrupt.
If both configuration files are unavailable, the system displays a message indicating that no next-startup configuration files exist.
To compare configurations for their differences in any view:
Task |
Command |
Display the differences that a configuration file, the running configuration, or the next-startup configuration has as compared with the specified source configuration file. |
display diff configfile file-name-s { configfile file-name-d | current-configuration | startup-configuration } |
Display the differences that a configuration file or the next-startup configuration has as compared with the running configuration. |
display diff current-configuration { configfile file-name-d | startup-configuration } |
Display the differences that a configuration file has as compared with the next-startup configuration. |
display diff startup-configuration configfile file-name-d |
Display the differences that the running configuration has as compared with the next-startup configuration. |
· Method 1:
· Method 2: |
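The format rules above (sections separated by a pound sign, file ending with return) together with the display diff comparison, as an added example in Python written for this page and not part of the Comware software: parse_cfg splits a .cfg file into views and rejects files that break the two rules, and diff_cfg reports the commands that differ between two files, which is how an operator checks for configuration drift before loading a file. The one-space indentation of commands under a view header is assumed from Comware's usual saved-file layout, since the excerpt above lost its indentation; the sample files and the password hash placeholder are constructed.

```python
from typing import Dict, List, Tuple

# Added example for this page; it is not Comware code. It applies the format
# rules stated above (sections separated by a line holding only '#', file
# ending with 'return') plus one layout assumption: as in Comware's own saved
# files, the first line of a section names the view and is not indented, the
# commands in that view are indented by one space, and indented lines that
# follow no view header are system-view commands.
SYSTEM_VIEW = "system-view"

Config = Dict[str, List[str]]   # view header -> commands in that view


def parse_cfg(text: str) -> Config:
    """Split a .cfg file into views; raise ValueError on a format violation."""
    lines = text.splitlines()
    while lines and not lines[-1].strip():
        lines.pop()
    if not lines or lines[-1].strip() != "return":
        raise ValueError("configuration file must end with 'return'")
    sections: Config = {}
    view = SYSTEM_VIEW
    for number, raw in enumerate(lines[:-1], start=1):
        if raw.strip() == "#":           # separator: the next section starts
            view = SYSTEM_VIEW
            continue
        if not raw.strip():
            continue
        if raw[0] != " ":                # unindented line: a view header
            if view != SYSTEM_VIEW:
                raise ValueError(
                    f"line {number}: adjacent sections must be separated by '#'")
            view = raw.strip()
            sections.setdefault(view, [])
            continue
        sections.setdefault(view, []).append(raw.strip())
    return sections


def diff_cfg(old: Config, new: Config) -> Tuple[List[Tuple[str, str]],
                                                List[Tuple[str, str]]]:
    """Return (removed, added) as sorted (view, command) pairs, the same
    information display diff reports between two configurations."""
    def flatten(cfg: Config):
        return {(view, cmd) for view, cmds in cfg.items() for cmd in cmds}
    a, b = flatten(old), flatten(new)
    return sorted(a - b), sorted(b - a)


# Constructed sample files modelled on the excerpt above; the password hash
# is a placeholder, not a real digest.
OLD_CFG = """\
#
 sysname Device
#
local-user root class manage
 password hash $h$6$PLACEHOLDER
 service-type ssh telnet terminal
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator
#
interface Vlan-interface1
 ip address 192.168.1.84 255.255.255.0
#
return
"""

NEW_CFG = """\
#
 sysname Device
 ssh server enable
#
local-user root class manage
 password hash $h$6$PLACEHOLDER
 service-type ssh telnet terminal
 authorization-attribute user-role network-admin
#
interface Vlan-interface1
 ip address 192.168.1.85 255.255.255.0
#
return
"""


def report(old_text: str, new_text: str) -> List[str]:
    """Drift report: '-' lines for removed commands, '+' lines for added ones."""
    removed, added = diff_cfg(parse_cfg(old_text), parse_cfg(new_text))
    return ([f"- [{v}] {c}" for v, c in removed]
            + [f"+ [{v}] {c}" for v, c in added])


if __name__ == "__main__":
    print("\n".join(report(OLD_CFG, NEW_CFG)))
```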
Saving the running configuration
Restrictions and guidelines
When a card is removed from the system, its settings are retained in memory but removed from the running configuration on the device. Saving the running configuration before installing the replacement card will remove the card's settings from the next-startup configuration file.
If you have saved the running configuration after removing a card, perform the following steps to restore the card settings to the next-startup configuration file:
1. Install the replacement card.
2. After the replacement card comes online, execute the display current-configuration command to verify that the card's settings have been automatically restored from memory to the running configuration.
3. Save the running configuration to the next-startup configuration file.
|
IMPORTANT: To ensure a successful configuration restoration, make sure the system has not rebooted after the card was removed. |
When an IRF member device splits from the IRF fabric, its settings are retained in memory but removed from the running configuration on the IRF fabric. Saving the running configuration before the IRF fabric recovers will remove the member device's settings from the next-startup configuration file.
If you have saved the running configuration before the member device rejoins the IRF fabric, perform the following steps to restore the member device settings to the next-startup configuration file:
1. Resolve the split issue.
2. Reboot the member device to rejoin the IRF fabric.
3. After the member device rejoins the IRF fabric, execute the display current-configuration command to verify that the member device's settings have been restored from memory to the running configuration.
4. Save the running configuration to the next-startup configuration file on the IRF fabric.
|
IMPORTANT: To ensure a successful configuration restoration, make sure the IRF fabric has not rebooted after the member device left. |
Using different methods to save the running configuration
When you save the running configuration to a configuration file, you can specify the file as a next-startup configuration file.
If you are specifying the file as a next-startup configuration file, use one of the following methods to save the configuration:
· Fast mode—Use the save command without the safely keyword. In this mode, the device directly overwrites the target next-startup configuration file. If a reboot or power failure occurs during this process, the next-startup configuration file is lost. You must specify a new startup configuration file after the device reboots (see "Specifying a next-startup configuration file").
· Safe mode—Use the save command with the safely keyword. Safe mode is slower than fast mode, but more secure. In safe mode, the system saves the configuration in a temporary file and starts overwriting the target next-startup configuration file after the save operation is complete. If a reboot or power failure occurs during the save operation, the next-startup configuration file is still retained.
Use the safe mode if the power source is not reliable or you are remotely configuring the device.
(In standalone mode.) To save the running configuration, perform one of the following tasks in any view:
Task |
Command |
Remarks |
Save the running configuration to a configuration file without specifying the file as a next-startup configuration file. |
save file-url [ all | slot slot-number ] |
N/A |
Save the running configuration to a configuration file and specify the file as a next-startup configuration file. |
save [ safely ] [ backup | main ] [ force ] [ changed ] |
Make sure you save the configuration to a file in the root directory of the flash memory. This command saves the configuration to both the active and standby MPUs. As a best practice, specify the safely keyword for reliable configuration saving. If you specify only the safely keyword, the command saves the configuration to the main startup configuration file. If the force keyword is specified, the command saves the configuration to the existing next-startup configuration file. If the force keyword is not specified, the command allows you to specify a new next-startup configuration file. |
(In IRF mode.) To save the running configuration, perform one of the following tasks in any view:
Task |
Command |
Remarks |
Save the running configuration to a configuration file without specifying the file as a next-startup configuration file. |
save file-url [ all | chassis chassis-number slot slot-number ] |
N/A |
Save the running configuration to a configuration file and specify the file as a startup configuration file. |
save [ safely ] [ backup | main ] [ force ] [ changed ] |
Make sure you save the configuration to a file in the root directory of the flash memory. This command saves the configuration to all MPUs in the IRF fabric. As a best practice, specify the safely keyword for reliable configuration saving. If you specify only the safely keyword, the command saves the configuration to the main startup configuration file. If the force keyword is specified, the command saves the configuration to the existing next-startup configuration file. If the force keyword is not specified, the command allows you to specify a new next-startup configuration file. |
Configuring configuration commit delay
This feature enables the system to automatically remove the settings you made during a configuration commit delay interval if you have not manually committed them.
You specify the configuration commit delay interval by using the configuration commit delay timer. Any settings made during the delay interval will be automatically removed if you have not manually committed them before the timer expires.
This feature prevents a misconfiguration from locking you out of the device and is especially useful when you configure the device remotely.
When you use this feature, follow these restrictions and guidelines:
· In a multi-user context, make sure no one else is configuring the device.
· You cannot perform any operations during the configuration rollback.
· The configuration commit delay feature is a one-time setting. The feature is disabled when the commit delay timer expires or after a manual commit is performed.
· You can reconfigure the configuration commit delay timer before it expires to shorten or extend the commit delay interval. The settings made during the delay interval will be removed if you have not committed them before the new timer expires.
To configure the configuration commit delay feature:
Step |
Command |
1. Enter system view. |
system-view |
2. Start the commit delay timer. |
configuration commit delay delay-time |
3. (Optional.) Commit the settings configured after the commit delay timer started. |
configuration commit |
Specifying a next-startup configuration file
|
CAUTION: (In IRF mode.) Using the undo startup saved-configuration command can cause an IRF split after the IRF fabric or an IRF member reboots. |
You can specify a .cfg file as a next-startup configuration file when you execute the save [ safely ] [ backup | main ] [ force ] command.
Alternatively, you can execute the startup saved-configuration cfgfile [ backup | main ] command to specify a .cfg configuration file as the main or backup next-startup configuration file.
When you perform this task, follow these restrictions and guidelines:
· (In standalone mode.) Make sure the specified configuration file is valid and has been saved to the root directory of a storage medium on both the active and standby MPUs.
· (In IRF mode.) Make sure the specified configuration file is valid and has been saved to the root directory of a storage medium on each MPU in the IRF fabric.
· Make sure you save the file on the same type of storage medium across all MPUs.
· If the startup configuration file is on a USB disk, do not remove the USB disk during the startup process. If you remove the USB disk, one of the following events will occur:
◦ In standalone mode, the device will start up with the factory defaults.
◦ In IRF mode, the device will leave the IRF fabric at startup and run the factory defaults.
· As a best practice, specify different files as the main and backup next-startup configuration files.
· The undo startup saved-configuration command changes the attribute of the main or backup next-startup configuration file to NULL instead of deleting the file.
To specify a next-startup configuration file, perform the following task in user view:
Task |
Command |
Remarks |
Specify a next-startup configuration file. |
startup saved-configuration cfgfile [ backup | main ] |
By default, no next-startup configuration files are specified. If you do not specify the backup or main keyword, this command specifies the configuration file as the main next-startup configuration file. Use the display startup command and the display saved-configuration command in any view to verify the configuration. |
Backing up the main next-startup configuration file to a TFTP server
Before performing this task, make sure the following requirements are met:
· The server is reachable.
· The server is enabled with TFTP service.
· You have read and write permissions to the server.
To back up the main next-startup configuration file to a TFTP server:
Step 1. (Optional.) Verify that a next-startup configuration file has been specified, in user view.
Command: display startup
Remarks: If no next-startup configuration file has been specified or the specified configuration file does not exist, the backup operation fails.
Step 2. Back up the next-startup configuration file to the TFTP server, in user view.
Command: backup startup-configuration to { ipv4-server | ipv6 ipv6-server } [ dest-filename ] [ vpn-instance vpn-instance-name ]
Remarks: This command is not supported in FIPS mode. TFTP provides neither authentication nor encryption, so the configuration file, which can contain credentials, crosses the network in cleartext; run the backup only over a management network you trust.
Restoring the main next-startup configuration file from a TFTP server
Perform this task to download a configuration file to the device from a TFTP server and specify the file as the main next-startup configuration file.
Before restoring the main next-startup configuration file, make sure the following requirements are met:
· The server is reachable.
· The server is enabled with TFTP service.
· You have read and write permissions to the server.
To restore the main next-startup configuration file from a TFTP server:
Step 1. Restore the main next-startup configuration file from the TFTP server, in user view.
Command: restore startup-configuration from { ipv4-server | ipv6 ipv6-server } src-filename [ vpn-instance vpn-instance-name ]
Remarks: This command is not supported in FIPS mode.
Step 2. (Optional.) Verify that the specified configuration file has been set as the main next-startup configuration file.
Commands: display startup, display saved-configuration
Remarks: N/A
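Both the backup and restore tasks above move the configuration file over TFTP, and the FIPS-mode restriction follows from the protocol itself: a TFTP request carries a file name and a transfer mode and nothing else, so the server cannot authenticate the device and every byte of the file crosses the network in cleartext. The following Python example is added here and is not part of the original document or of the switch software. It encodes and decodes the RFC 1350 request, data and acknowledgement packets and replays a WRQ backup exchange for a constructed sample configuration to show what a passive observer on the path recovers. The sample configuration text and the file name startup.cfg are made up for the illustration.

```python
import struct

# RFC 1350 opcodes. Only these five exist in the base protocol.
OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512  # fixed data block size in base TFTP

# Constructed sample configuration, not taken from a real device. The
# password line shows why cleartext transfer of a configuration matters.
SAMPLE_CONFIG = (
    b"#\n sysname Sysname\n#\n"
    b"local-user admin class manage\n"
    b" password hash $h$6$EXAMPLE-NOT-A-REAL-HASH\n"
    b"#\nreturn\n"
)


def build_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    """Encode an RRQ (used by restore) or a WRQ (used by backup).

    The packet is opcode, filename, NUL, mode, NUL. There is no field for a
    username, password or key: the server can only decide by source address
    and file name, which is why the transfer is unavailable in FIPS mode.
    """
    if opcode not in (OP_RRQ, OP_WRQ):
        raise ValueError("opcode must be RRQ or WRQ")
    return (struct.pack("!H", opcode)
            + filename.encode("ascii") + b"\x00"
            + mode.encode("ascii") + b"\x00")


def parse_request(packet: bytes) -> dict:
    """Decode a request packet into opcode, filename and mode."""
    if len(packet) < 2:
        raise ValueError("packet too short")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode not in (OP_RRQ, OP_WRQ):
        raise ValueError(f"not a request packet: opcode {opcode}")
    fields = packet[2:].split(b"\x00")
    # A well-formed request ends with a NUL, so the split leaves an empty tail.
    if len(fields) < 3 or fields[-1] != b"":
        raise ValueError("malformed request: fields must be NUL-terminated")
    return {
        "opcode": opcode,
        "filename": fields[0].decode("ascii"),
        "mode": fields[1].decode("ascii").lower(),
    }


def build_data(block: int, payload: bytes) -> bytes:
    """DATA packet: opcode 3, 16-bit block number, up to 512 bytes of payload."""
    if len(payload) > BLOCK_SIZE:
        raise ValueError("payload exceeds one block")
    return struct.pack("!HH", OP_DATA, block) + payload


def build_ack(block: int) -> bytes:
    """ACK packet: opcode 4, 16-bit block number."""
    return struct.pack("!HH", OP_ACK, block)


def simulate_backup(config: bytes, filename: str) -> list:
    """Replay the packets of a WRQ transfer as (direction, packet) pairs.

    A transfer ends with a DATA block shorter than 512 bytes; if the file is
    an exact multiple of the block size, an empty DATA block is sent.
    """
    exchange = [("device->server", build_request(OP_WRQ, filename)),
                ("server->device", build_ack(0))]
    blocks = [config[i:i + BLOCK_SIZE] for i in range(0, len(config), BLOCK_SIZE)]
    if not blocks or len(blocks[-1]) == BLOCK_SIZE:
        blocks.append(b"")
    for number, chunk in enumerate(blocks, start=1):
        exchange.append(("device->server", build_data(number, chunk)))
        exchange.append(("server->device", build_ack(number)))
    return exchange


def reassemble(exchange: list) -> bytes:
    """What a passive observer recovers: every DATA payload, in order."""
    payloads = []
    for direction, packet in exchange:
        if direction == "device->server" and packet[:2] == struct.pack("!H", OP_DATA):
            payloads.append(packet[4:])
    return b"".join(payloads)


if __name__ == "__main__":
    exchange = simulate_backup(SAMPLE_CONFIG, "startup.cfg")
    print(parse_request(exchange[0][1]))
    print(reassemble(exchange).decode())
```

The reassembled bytes are the whole configuration, password line included, which is the practical reason to treat the TFTP server and the path to it as part of the device's trust boundary.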
Deleting a next-startup configuration file
CAUTION: (In standalone mode.) This task permanently deletes a next-startup configuration file from the device. (In IRF mode.) This task permanently deletes a next-startup configuration file from all member devices.
You can perform this task to delete a next-startup configuration file.
If both the main and backup next-startup configuration files are deleted, the device uses the factory defaults at the next startup.
To delete a file that is set as both main and backup next-startup configuration files, you must execute both the reset saved-configuration backup command and the reset saved-configuration main command. Using only one of the commands removes the specified file attribute instead of deleting the file.
For example, if the reset saved-configuration backup command is executed, the backup next-startup configuration file setting is set to NULL. However, the file is still used as the main file. To delete the file, you must also execute the reset saved-configuration main command.
Perform the following task in user view:
Task: Delete a next-startup configuration file.
Command: reset saved-configuration [ backup | main ]
Remarks: If you do not specify the backup or main keyword, this command deletes the main next-startup configuration file.
Displaying and maintaining configuration files
Execute display commands in any view and reset commands in user view.
Task: Display the running configuration.
Command: display current-configuration [ configuration [ module-name ] | interface [ interface-type [ interface-number ] ] ]
Task: Display the differences between the running configuration and the next-startup configuration.
Command: display current-configuration diff
Task: Display the factory defaults.
Command: display default-configuration
Task: Display the differences between configurations.
Commands:
· display diff configfile file-name-s { configfile file-name-d | current-configuration | startup-configuration }
· display diff current-configuration { configfile file-name-d | startup-configuration }
· display diff startup-configuration { configfile file-name-d | current-configuration }
Task: Display the contents of the configuration file for the next system startup.
Command: display saved-configuration
Task: Display the names of the configuration files for this startup and the next startup.
Command: display startup
Task: Display the valid configuration in the current view.
Command: display this
Task: Delete a next-startup configuration file.
Command: reset saved-configuration [ backup | main ]
Upgrading software
Overview
Software upgrade enables you to upgrade software and fix bugs. This chapter describes types of software and methods to upgrade software from the CLI. For a comparison of all software upgrade methods, see "Upgrade methods."
When you upgrade software, you do not need to upgrade MPUs and interface modules separately. The software images are integrated for MPUs and interface modules. The interface modules upgrade automatically when you upgrade MPUs.
Software types
The following software types are available:
· BootWare image—Also called a Boot ROM image. This image is a .bin file that contains a basic segment and an extended segment. The basic segment is the minimum code that bootstraps the system. The extended segment enables hardware initialization and provides system management menus. You can use these menus to load software and the startup configuration file or manage files when the device cannot start up correctly.
· Comware image—Includes the following image subcategories:
  - Boot image—A .bin file that contains the Linux operating system kernel. It provides process management, memory management, and file system management.
  - System image—A .bin file that contains the Comware kernel and standard features, including device management, interface management, configuration management, and routing.
Comware images that have been loaded are called current software images. Comware images specified to load at the next startup are called startup software images.
BootWare image, boot image, and system image are required for an MPU to operate. These images might be released separately or as a whole in one .ipe package file. If an .ipe file is used, the system decompresses the file automatically, loads the .bin images and sets them as startup software images. Typically, the BootWare and startup software images for the device are released in an .ipe file named main.ipe.
Software file naming conventions
Software image file names use the chassis-comware version-image type-release format, for example, S12500X-AF-CMW710-BOOT-E2606.bin and S12500X-AF-CMW710-SYSTEM-E2606.bin. This document uses boot.bin and system.bin as boot and system image file names.
Comware image redundancy and loading procedure
You can specify two lists of Comware software images: one main and one backup.
The system always attempts to start up with the main images. If any main image does not exist or is invalid, the system tries the backup images. Figure 25 shows the entire Comware image loading procedure.
If both the main and backup boot images are nonexistent or invalid, access the BootWare menu during the system startup to upgrade software.
Figure 25 Comware image loading procedure
System startup process
Upon power-on, the BootWare image runs to initialize hardware, and then the startup software images run to start up the entire system, as shown in Figure 26.
Figure 26 System startup process
Upgrade methods
Upgrade method: Upgrading from the CLI by using the boot-loader file command
Software types: BootWare image, Comware images
Remarks: This method is disruptive. You must reboot the entire device to complete the upgrade.
Upgrade method: Performing an ISSU
Software types: Comware images
Remarks: The ISSU method enables a software upgrade without service interruption. Use this method for an IRF fabric or an MPU-redundant device. For more information about ISSU, see "Performing an ISSU."
Upgrade method: Upgrading from the BootWare menu
Software types: BootWare image, Comware software images
Remarks: Use this method when the device cannot start up correctly. To use this method, first connect to the console port and power cycle the device. Then press Ctrl+B at the prompt to access the BootWare menu. For more information about upgrading software from the BootWare menu, see the release notes for the software version. Upgrade an IRF fabric from the CLI instead of the BootWare menu, if possible. The BootWare menu method increases the service downtime, because it requires that you upgrade the member devices one by one.
This chapter only covers upgrading software from the CLI by using the boot-loader file command.
Upgrade restrictions and guidelines
The device can start up from the built-in flash memory or the USB disk. As a best practice, store the startup images in the built-in flash memory. If you store the startup images on the USB disk, do not remove the USB disk during the startup process.
Preparing for the upgrade
1. Use the display version command to verify the current BootWare image version and startup software version.
2. Use the release notes for the upgrade software version to evaluate the upgrade impact on your network and verify the following items:
  - Software and hardware compatibility.
  - Version and size of the upgrade software.
  - Compatibility of the upgrade software with the current BootWare image and startup software image.
3. Use the release notes to verify whether the software images require a license. If licenses are required, register and activate licenses for each license-based software image. For more information about licensing, see "Managing licenses."
4. Use the dir command to verify that every MPU has sufficient storage space for the upgrade images. If the storage space is not sufficient, delete unused files by using the delete command. For more information, see "Managing file systems."
5. Use FTP or TFTP to transfer the upgrade image file to the root directory of any file system. For more information about FTP and TFTP, see "Configuring FTP" or "Configuring TFTP." For more information about file systems, see "Managing file systems."
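Steps 2, 4 and 5 above amount to a pre-flight check on the image before it becomes a startup image: it must be the right file for this chassis and release, the size the release notes state, intact, and small enough for the free space on every MPU. The following Python example is added here and is not taken from the original document or from any vendor tool. It performs that check on the downloaded image before you transfer it: it parses the .bin naming convention given under "Software file naming conventions" and compares size and SHA-256 digest against values taken from the release notes. The assumption that the release notes publish a SHA-256 digest, the regular expression for the release field, and the image bytes in the usage section are the author's own and not from the page.

```python
import hashlib
import os
import re

# Naming convention from the document: chassis-comware version-image type-release,
# for example S12500X-AF-CMW710-BOOT-E2606.bin. The chassis field itself may
# contain hyphens, so the pattern anchors on the CMW field and the fixed image
# types. The release pattern (a letter followed by digits or letters) is an
# assumption, not something the document states.
IMAGE_NAME_RE = re.compile(
    r"^(?P<chassis>.+)-(?P<comware>CMW\d+)-(?P<type>BOOT|SYSTEM)-(?P<release>[A-Z][0-9A-Z]+)\.bin$"
)


def parse_image_name(name: str) -> dict:
    """Split a .bin image file name into its four fields or raise ValueError."""
    match = IMAGE_NAME_RE.match(name)
    if match is None:
        raise ValueError(f"file name does not follow the image naming convention: {name}")
    return match.groupdict()


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the image bytes; compared against the release notes value."""
    return hashlib.sha256(data).hexdigest()


def preflight_image(name: str, data: bytes, expected_sha256: str,
                    expected_size: int, free_space_bytes: int) -> list:
    """Return the problems found; an empty list means the image may be transferred.

    .ipe packages are accepted by extension only, because the naming
    convention on the page is stated for .bin images.
    """
    problems = []
    if name.endswith(".bin"):
        try:
            parse_image_name(name)
        except ValueError as err:
            problems.append(f"name: {err}")
    elif not name.endswith(".ipe"):
        problems.append(f"name: unexpected extension on {name}")
    if len(data) != expected_size:
        problems.append(f"size: got {len(data)} bytes, release notes state {expected_size}")
    digest = sha256_hex(data)
    if digest.lower() != expected_sha256.lower():
        problems.append(f"digest: got {digest}, expected {expected_sha256}")
    if free_space_bytes < len(data):
        problems.append(f"space: {free_space_bytes} bytes free, image needs {len(data)}")
    return problems


def preflight_file(path: str, expected_sha256: str, expected_size: int,
                   free_space_bytes: int) -> list:
    """Same check for a file on disk, e.g. the download before the FTP/TFTP upload."""
    with open(path, "rb") as fh:
        data = fh.read()
    return preflight_image(os.path.basename(path), data, expected_sha256,
                           expected_size, free_space_bytes)


if __name__ == "__main__":
    # Constructed image bytes and digest for the illustration only.
    fake_image = b"\x7fCOMWARE-EXAMPLE" * 64
    good = sha256_hex(fake_image)
    print(parse_image_name("S12500X-AF-CMW710-BOOT-E2606.bin"))
    print(preflight_image("S12500X-AF-CMW710-SYSTEM-E2606.bin", fake_image, good, len(fake_image), 1 << 20))
    print(preflight_image("S12500X-AF-CMW710-SYSTEM-E2606.bin", fake_image, "00" * 32, len(fake_image) + 1, 16))
```

Run the check against the free space reported by dir on each MPU, not only on the one you upload to, since the page requires the upgrade files on every MPU.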
Upgrade task list
Task: (Optional.) Preloading the BootWare image to BootWare (in standalone mode or in IRF mode)
Remarks: If a BootWare upgrade is required, you can perform this task to shorten the subsequent upgrade time. This task helps avoid upgrade problems caused by unexpected electricity failure. If you skip this task, the device upgrades the BootWare automatically when it upgrades the startup software images. The BootWare image preloaded into the BootWare takes effect only after you reboot the device.
Task: (Required.) Specifying startup images and completing the upgrade (in standalone mode or in IRF mode)
Remarks: N/A
Task: (Optional.) Restoring or downgrading the BootWare image
Remarks: N/A
Task: (Optional.) Enabling software synchronization from the active MPU to the standby MPU at startup
Remarks: By default, software synchronization is enabled. This feature enables automatic software synchronization when the device operates in standalone mode. With software synchronization, you do not need to manually upgrade the standby MPU. To synchronize software from the global active MPU to other MPUs on an IRF fabric, use the irf auto-update enable command.
Preloading the BootWare image to BootWare (in standalone mode)
Step 1. Enter system view.
Command: system-view
Remarks: N/A
Step 2. (Optional.) Enable BootWare image validity check.
Command: bootrom-update security-check enable
Remarks: By default, this feature is enabled. It examines BootWare images for file type errors, file corruption, and hardware incompatibility. As a best practice, leave it enabled to ensure a successful upgrade.
Step 3. Return to user view.
Command: quit
Remarks: N/A
Step 4. (Optional.) Back up the current BootWare image in the Normal area of BootWare.
Command: bootrom backup slot slot-number-list
Remarks: This command backs up the BootWare image to the Backup area of BootWare for a future version rollback or image restoration.
Step 5. Load the upgrade BootWare image to the Normal area of BootWare.
Command: bootrom update file file slot slot-number-list
Remarks: Specify the downloaded software image file for the file argument. The new BootWare image takes effect at a reboot.
Preloading the BootWare image to BootWare (in IRF mode)
Step 1. Enter system view.
Command: system-view
Remarks: N/A
Step 2. (Optional.) Enable BootWare image validity check.
Command: bootrom-update security-check enable
Remarks: By default, this feature is enabled. It examines BootWare images for file type errors, file corruption, and hardware incompatibility. As a best practice, leave it enabled to ensure a successful upgrade.
Step 3. Return to user view.
Command: quit
Remarks: N/A
Step 4. (Optional.) Back up the current BootWare image in the Normal area of BootWare.
Command: bootrom backup chassis chassis-number slot slot-number-list
Remarks: This command backs up the BootWare image to the Backup area of BootWare for a future version rollback or image restoration.
Step 5. Load the upgrade BootWare image to the Normal area of BootWare.
Command: bootrom update file file chassis chassis-number slot slot-number-list
Remarks: Specify the downloaded software image file for the file argument. The new BootWare image takes effect at a reboot.
Specifying startup images and completing the upgrade (in standalone mode)
Perform this task in user view.
To specify the startup image file and complete the upgrade:
Step 1. Specify main or backup startup images for the active MPU.
Command:
· Use an .ipe file for upgrade:
· Use .bin files for upgrade:
Remarks: Upgrade files must be saved in the root directory of a file system on an MPU.
Step 2. Specify main or backup startup images for the standby MPU.
Command:
· Method 1:
  - Use an .ipe file for upgrade:
  - Use .bin files for upgrade:
· Method 2:
· Method 3:
Remarks: When you use method 2, make sure you understand the following requirements and upgrade results:
· If an ISSU upgrade has been performed, use the install commit command to update the main startup images on the active MPU before software synchronization. The command ensures startup image consistency between the active MPU and the standby MPU.
· If the active MPU started up with main startup images, its main startup images are synchronized to the standby MPU. This synchronization occurs regardless of whether any change has occurred to this set of startup images.
· If the active MPU started up with backup startup images, its backup startup images are synchronized to the standby MPU. This synchronization occurs regardless of whether any change has occurred to this set of startup images.
· Startup image synchronization will fail if any software image being synchronized is corrupted or is not available.
Step 3. Save the running configuration.
Command: save
Remarks: This step ensures that any configuration you have made survives a reboot.
Step 4. Reboot the device.
Command: reboot
Remarks: At startup, the MPUs read the preloaded BootWare image to RAM, and load the startup images.
Step 5. (Optional.) Verify the software image settings.
Command: display boot-loader [ slot slot-number ]
Remarks: Verify that the current software images are the same as the startup software images.
Specifying startup images and completing the upgrade (in IRF mode)
Perform this task in user view.
To specify the startup image file and complete the upgrade:
Step 1. Specify main or backup startup images for the global active MPU.
Command:
· Use an .ipe file for upgrade:
· Use .bin files for upgrade:
Remarks: Upgrade files must be saved in the root directory of a file system on an MPU in the IRF fabric.
Step 2. Specify the main startup images for each standby MPU in the IRF fabric.
Command:
· Method 1:
  - Use an .ipe file for upgrade:
  - Use .bin files for upgrade:
· Method 2:
Remarks: Skip this step if you have only one single-MPU device. When you use the boot-loader update command, make sure you understand the following requirements and upgrade results:
· If an ISSU upgrade has been performed, use the install commit command to update the main startup images on the active MPU before software synchronization. The command ensures startup image consistency between the active MPU and the standby MPU.
· The boot-loader update command uses the main or backup startup image list for synchronization, instead of the current software images list.
  - The main image list is used if the global active MPU started up with the main startup images.
  - The backup image list is used if the global active MPU started up with the backup startup images.
· Startup image synchronization will fail if any software image being synchronized is corrupted or is not available.
Step 3. Save the running configuration.
Command: save
Remarks: This step ensures that any configuration you have made survives a reboot.
Step 4. Reboot the IRF fabric.
Command: reboot
Remarks: At startup, the MPUs read the preloaded BootWare image to RAM, and load the startup images.
Step 5. (Optional.) Verify the software image settings.
Command: display boot-loader [ chassis chassis-number [ slot slot-number ] ]
Remarks: Verify that the current software images are the same as the startup software images.
Restoring or downgrading the BootWare image
To restore or downgrade the BootWare image for an MPU or interface module, make sure you have used the bootrom backup command or the bootrom read command to back up the image to the Backup area of BootWare or the flash memory. The bootrom read command creates two BootWare image files on the flash memory: basicbtm.bin for the basic segment and extendbtm.bin for the extended section.
Before performing a downgrade, also verify software compatibility.
Perform the following task in user view to restore or downgrade the BootWare image:
Step 1. Replace the BootWare image in the Normal area of BootWare.
Command:
In standalone mode:
· Use the BootWare image in the Backup area of BootWare for a replacement:
· Use the BootWare image in a file system for a replacement:
In IRF mode:
· Use the BootWare image in the Backup area of BootWare for a replacement:
· Use the BootWare image in a file system for a replacement:
Remarks: Use either command, depending on the location of the backup BootWare image.
Step 2. Reboot the device.
Command: reboot
Remarks: At startup, the system runs the new BootWare image to complete the restoration or downgrade.
Enabling software synchronization from the active MPU to the standby MPU at startup
This feature is available only when the device is operating in standalone mode. To synchronize software from the global active MPU to other MPUs on an IRF fabric, use the irf auto-update enable command. For more information about software auto-update, see Virtual Technologies Configuration Guide.
When the standby MPU starts up, this feature examines its startup software images for version inconsistency with the current software images on the active MPU.
If the software versions are different, the standby MPU performs the following operations:
1. Copies the current software images of the active MPU.
2. Specifies the images as startup software images.
3. Reboots with these images.
IMPORTANT: To ensure a successful synchronization in a multiuser environment, prevent users from rebooting or swapping MPUs during the software synchronization process. You can configure the information center to output the synchronization status to configuration terminals (see Network Management and Monitoring Configuration Guide).
To enable software synchronization from the active MPU to the standby MPU at startup:
Step 1. Enter system view.
Command: system-view
Remarks: N/A
Step 2. Enable startup software version check for the standby MPU.
Command: undo version check ignore
Remarks: By default, startup software version check is enabled.
Step 3. Enable software auto-update for the standby MPU.
Command: version auto-update enable
Remarks: By default, software version auto-update is enabled.
Displaying and maintaining software image settings
Execute display commands in any view.
Task: (In standalone mode.) Display current software images and startup software images.
Command: display boot-loader [ slot slot-number ]
Task: (In IRF mode.) Display current software images and startup software images.
Command: display boot-loader [ chassis chassis-number [ slot slot-number ] ]
Software upgrade examples
Software upgrade example (in standalone mode)
Network requirements
As shown in Figure 27, the device has two MPUs: one active MPU in slot 0 and one standby MPU in slot 1.
Use the file startup-a2105.ipe to upgrade software images for the device.
Configuration procedure
# Configure IP addresses and routes. Make sure the device and the TFTP server can reach each other. (Details not shown.)
# Configure TFTP settings on both the device and the TFTP server. (Details not shown.)
# Display information about the current software images.
<Sysname> display version
# Back up the current software images.
<Sysname> copy boot.bin boot_backup.bin
<Sysname> copy system.bin system_backup.bin
# Specify boot_backup.bin and system_backup.bin as the backup startup image files for both MPUs.
<Sysname> boot-loader file boot flash:/boot_backup.bin system flash:/system_backup.bin slot 0 backup
<Sysname> boot-loader file boot flash:/boot_backup.bin system flash:/system_backup.bin slot 1 backup
# Use TFTP to download the startup-a2105.ipe image file from the TFTP server to the root directory of the flash memory on the active MPU.
<Sysname> tftp 2.2.2.2 get startup-a2105.ipe
# Specify startup-a2105.ipe as the main startup image file for both MPUs.
<Sysname> boot-loader file flash:/startup-a2105.ipe slot 0 main
<Sysname> boot-loader file flash:/startup-a2105.ipe slot 1 main
# Verify the startup image settings.
<Sysname> display boot-loader
# Reboot the device to complete the upgrade.
<Sysname> reboot
# Verify that the device is running the correct software.
<Sysname> display version
Software upgrade example (in IRF mode)
Network requirements
As shown in Figure 28, use the file startup-a2105.ipe to upgrade software images for the IRF fabric.
Each IRF member device has two MPUs: one in slot 0 and one in slot 1. The global active MPU is in slot 0 on the master device.
Configuration procedure
# Configure IP addresses and routes. Make sure the device and the TFTP server can reach each other. (Details not shown.)
# Configure TFTP settings on both the device and the TFTP server. (Details not shown.)
# Display information about the current software images.
<Sysname> display version
# Back up the current software images.
<Sysname> copy boot.bin boot_backup.bin
<Sysname> copy system.bin system_backup.bin
# Specify boot_backup.bin and system_backup.bin as the backup startup image files for all MPUs.
<Sysname> boot-loader file boot flash:/boot_backup.bin system flash:/system_backup.bin chassis 1 slot 0 backup
<Sysname> boot-loader file boot flash:/boot_backup.bin system flash:/system_backup.bin chassis 1 slot 1 backup
<Sysname> boot-loader file boot flash:/boot_backup.bin system flash:/system_backup.bin chassis 2 slot 0 backup
<Sysname> boot-loader file boot flash:/boot_backup.bin system flash:/system_backup.bin chassis 2 slot 1 backup
# Use TFTP to download the startup-a2105.ipe image file from the TFTP server to the root directory of the flash memory on the global active MPU.
<Sysname> tftp 2.2.2.2 get startup-a2105.ipe
# Specify startup-a2105.ipe as the main startup image file for all MPUs.
<Sysname> boot-loader file flash:/startup-a2105.ipe chassis 1 slot 0 main
<Sysname> boot-loader file flash:/startup-a2105.ipe chassis 1 slot 1 main
<Sysname> boot-loader file flash:/startup-a2105.ipe chassis 2 slot 0 main
<Sysname> boot-loader file flash:/startup-a2105.ipe chassis 2 slot 1 main
# Verify the startup image settings.
<Sysname> display boot-loader
# Reboot the IRF fabric to complete the upgrade.
<Sysname> reboot
# Verify that the IRF fabric is running the correct software.
<Sysname> display version
Performing an ISSU
Unless otherwise stated, the term "upgrade" refers to both software upgrade and downgrade in ISSU.
Overview
The In-Service Software Upgrade (ISSU) feature upgrades the Comware software with a minimum amount of downtime.
ISSU is implemented on the basis of the following design advantages:
· Separation of images—Device software is segmented into boot and system images. The images can be upgraded individually.
· Support for hotfix—Patch images are available to fix system bugs without a system reboot.
· Hardware redundancy—On a dual-MPU device or a multichassis IRF fabric, one MPU or member device can be upgraded while other MPUs or member devices are providing services.
For more information about images, see "Upgrading software."
ISSU applies only to dual-member IRF fabrics. When you upgrade the master device, the subordinate member takes over for service continuity.
Read the software release notes to identify support of the device for ISSU between the current software version and the new software version.
ISSU methods
ISSU methods are automatically determined depending on the compatibility between software versions.
ISSU supports the following upgrade types:
· Compatible upgrade—The running software version is compatible with the new software version. This upgrade type supports the ISSU methods in Table 13.
· Incompatible upgrade—The running software version is incompatible with the new software version. The two versions cannot run concurrently.
This upgrade type supports only one upgrade method (also called incompatible upgrade). This method requires a cold reboot to upgrade both control and data planes. Incompatible upgrade disrupts service if hardware redundancy is not available.
For information about identifying the ISSU method, see "Identifying the ISSU method."
Table 13 ISSU methods for compatible upgrade
ISSU method: Incremental upgrade (Service Upgrade, File Upgrade)
Description: Upgrades only the user mode processes that differ between the new and old software versions. Backup processes and a main/backup process switchover are required for service continuity.
· Service upgrade—Upgrades service features. The upgrade does not affect the operation of the features that are not being upgraded.
· File upgrade—Upgrades hidden system program files. The system can provide services during the upgrade.
ISSU method: Reboot
Description: The Reboot method reboots MPUs to complete the software upgrade. While one MPU is rebooting, the other MPUs can provide services. This method disrupts service if hardware redundancy (MPU-, switching fabric-, or device-level) is not available. As a best practice, schedule the downtime carefully to minimize the upgrade impact on the services.
ISSU commands
ISSU includes the install and issu command sets. After you identify the recommended ISSU method, use Table 14 to choose the command set you want to use.
Table 14 Command set comparison
Item: Upgrade types
issu commands: Compatible and incompatible.
install commands: Compatible only.
Item: Patch install/uninstall
issu commands: Not supported.
install commands: Supported.
Item: Impact on the system
issu commands: Large.
install commands: Small.
Item: Technical skill requirements
issu commands: Low. As a best practice, use this command set.
install commands: High. Administrators must have extensive system knowledge and understand the impact of each upgrade task on the network.
Preparing for ISSU
To perform a successful ISSU, make sure all the preparation requirements are met.
Identifying availability of ISSU and licensing requirements
Read the software release notes to identify the following items:
· Support of the device for ISSU between the current software version and the new software version.
· Licensing requirements for the upgrade software images.
If the upgrade software images require licenses, make sure the device has the required licenses before ISSU. For more information about license installation, see "Managing licenses."
Verifying the device operating status
Use the display device command to verify that no member devices are in Fault state.
Preparing the upgrade images
1. Use the dir command to verify that sufficient storage space is available for the upgrade images. If the storage space is not sufficient, delete unused files by using the delete /unreserved file-url command. If the files to be deleted will be used, back up the files before deleting them. You will be unable to restore a deleted file if the /unreserved keyword is used. For more information, see "Managing file systems."
NOTE: Make sure all MPUs have sufficient storage space for the upgrade image.
2. Use FTP or TFTP to transfer upgrade image files (in .bin or .ipe) to the root directory of a file system on the active MPU (in standalone mode) or global active MPU (in IRF mode).
Identifying the ISSU method
1. Execute the display version comp-matrix file command to display the upgrade image version compatibility information.
2. Check the Version compatibility list field.
  - If the running software version is in the list, a compatible upgrade is required.
  - If the running software version is not in the list, an incompatible upgrade is required.
3. Identify the recommended ISSU method.
  - If a compatible upgrade is required, check the Upgrade Way field to identify the recommended ISSU method.
  - If an incompatible upgrade is required, check the end of the command output for the Incompatible upgrade string.
Verifying feature status
For service continuity during ISSU, configure the following feature settings:
Feature: GR/NSR
Setting requirements: Enable GR or NSR for protocols including OSPF, IS-IS, BGP, and FSPF.
Feature: BFD
Setting requirements: Disable BFD for protocols including OSPF, IS-IS, RIP, BGP, VRRP, and NQA.
Feature: Ethernet link aggregation
Setting requirements: Use the long LACP timeout interval (the lacp period short command is not configured) on all member ports in dynamic aggregation groups.
Feature: IRF
Setting requirements: Configure IRF bridge MAC persistence as follows:
· Compatible upgrade—Configure the irf mac-address persistent always command.
· Incompatible upgrade—Configure the irf mac-address persistent always command if the bridge MAC address is the MAC address of the device for which you want to execute the issu load command.
Determining the upgrade procedure
1. Use Table 14 to choose an upgrade command set, depending on the ISSU method.
2. Identify the hardware redundancy condition. ISSU can maintain service continuity only when the IRF fabric has multiple MPUs.
IMPORTANT: If hardware redundancy is not available, service discontinuity is not avoidable. Make sure you understand the impact of the upgrade on the network.
3. Choose the correct procedure from the procedures described in "Performing an ISSU by using issu commands" or "Performing an ISSU by using install commands."
Understanding ISSU guidelines
IMPORTANT:
· For a successful ISSU, you must remove all commands that the new version does not support and save the running configuration. To identify the feature changes between the current version and the new version, read the release notes for the device.
· To ensure correct system operation, you must remove the commands configured for features to be uninstalled and save the running configuration before uninstalling the features.
During an ISSU, use the following guidelines:
· In a multiuser environment, make sure no other administrators access the device while you are performing the ISSU.
· Do not perform any of the following tasks during an ISSU:
  - Reboot, add, or remove modules.
  - Execute commands that are irrelevant to the ISSU.
  - Modify, delete, or rename image files.
· You cannot use both install and issu commands for an ISSU. However, you can use display issu commands with both command sets. For more information, see "Displaying and maintaining ISSU."
· You do not need to upgrade interface modules or switching fabric modules separately. They are upgraded automatically when MPUs are upgraded.
· Before executing the following commands, use the display system stable state command to verify that the system is stable:
  - issu commands—issu load, issu run switchover, and issu commit.
  - install commands—install activate and install deactivate.
If the System State field displays Stable, the system is stable.
· You may use issu commands to upgrade all or some of the software images. If you are upgrading only some of the images, make sure the new images are compatible with the images that are not to be upgraded. The upgrade will fail if a conflict exists.
After an ISSU, you must log in to the device again before you can configure the device.
Adjusting and saving the running configuration
1. Remove all commands that the new software version does not support from the running configuration. To identify all feature changes between the current version and the new version, read the release notes for the device.
2. To uninstall a feature image, remove the commands configured for the feature.
3. Use the save command to save the running configuration.
Logging in to the device through the console port
Log in to the device through the console port after you finish all the preparation tasks and read all the ISSU guidelines. If you use Telnet or SSH, you might be disconnected from the device before the ISSU is completed.
Performing an ISSU by using issu commands
Always start ISSU with a subordinate member.
Performing a compatible upgrade
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. (Optional.) Set the automatic rollback timer. |
issu rollback-timer minutes |
By default, the automatic rollback timer is set to 45 minutes. This timer starts when you execute the issu run switchover command. If you do not execute the issu accept or issu commit command before this timer expires, the system automatically rolls back to the original software images. |
3. Return to user view. |
quit |
N/A |
4. Verify that the system is stable. |
display system stable state |
The system is stable if the System State field displays Stable. For a successful ISSU, you must make sure the system is stable before you proceed to the next step. |
5. Load the upgrade images as main startup software images on subordinate members. |
· Use .bin files.
· Use an .ipe file. |
Specify the member ID of a subordinate member for the chassis-number argument. Every time you use this command, first execute the display system stable state command to verify system stability. |
6. Verify that the system is stable. |
display system stable state |
The system is stable if the System State field displays Stable. For a successful ISSU, you must make sure the system is stable before you proceed to the next step. |
7. Perform an ISSU switchover. |
issu run switchover |
N/A |
8. (Optional.) Accept the upgrade and delete the automatic rollback timer. |
issu accept |
N/A |
9. Verify that the system is stable. |
display system stable state |
The system is stable if the System State field displays Stable. For a successful ISSU, you must make sure the system is stable before you proceed to the next step. |
10. Upgrade the remaining members to complete the ISSU. |
issu commit chassis chassis-number |
Repeat step 11 and this step to upgrade the remaining members one by one, including the original master.
After executing the command for one member, you must wait for the member to restart and join the IRF fabric before you execute the command for another member. To manually roll back to the original software images during this ISSU process, use the issu rollback command. For more information about rollback, see Fundamentals Command Reference. |
11. Verify that the ISSU is finished. |
display issu state |
If the ISSU state field displays Init, the ISSU is finished. |
Performing an incompatible upgrade
Perform this task in user view.
Step |
Command |
Remarks |
1. Verify that the system is stable. |
display system stable state |
The system is stable if the System State field displays Stable. For a successful ISSU, you must make sure the system is stable before you proceed to the next step. |
2. Load the upgrade images as main startup software images on subordinate members. |
· Use .bin files.
· Use an .ipe file. |
Because incompatible versions cannot run simultaneously, the upgraded subordinate devices will be isolated and cannot forward traffic until a master/subordinate switchover occurs. Specify the member ID of a subordinate member for the chassis-number argument. |
3. Verify that the system is stable. |
display system stable state |
The system is stable if the System State field displays Stable. For a successful ISSU, you must make sure the system is stable before you proceed to the next step. |
4. Perform an ISSU switchover to complete the ISSU process. |
issu run switchover |
To roll back to the original software images during this ISSU process, use the issu rollback command. This ISSU process does not support automatic rollback. For more information about rollback, see Fundamentals Command Reference. |
Performing an ISSU by using install commands
ISSU task list
Tasks at a glance |
Remarks |
(Optional.) Decompressing an .ipe file |
To use install commands for upgrade, you must use .bin image files. If the upgrade file is an .ipe file, perform this task before you use install commands for upgrade. |
(Required.) Perform one of the following tasks to update software: · Installing or upgrading software images |
Perform an activate operation to install new images or upgrade existing images. Perform a deactivate operation to uninstall patch images. An image is added to or removed from the current software image list when it is activated or deactivated. |
(Optional.) Rolling back the running software images |
Perform this task to roll back running software image status after activate or deactivate operations. A commit operation deletes all rollback points. You can perform this task only before software changes are committed. |
(Optional.) Aborting a software activate/deactivate operation |
You can perform this task while an image is being activated or deactivated. |
(Optional.) Committing software changes |
This task updates the main startup image list with the changes. Perform this task to make sure all software changes take effect after a reboot. |
(Optional.) Verifying software images |
Perform this task to verify that the software changes are correct. |
(Optional.) Deleting inactive software images |
Perform this task to permanently delete inactive image files. |
Decompressing an .ipe file
Perform this task in user view.
Step |
Command |
1. (Optional.) Identify images that are included in the .ipe file. |
display install ipe-info |
2. Decompress the .ipe file. |
install add ipe-filename filesystem |
Installing or upgrading software images
When you activate images, activate all the images on one slot before moving to the next slot.
To activate an image, you must begin with the master device. On a member device, you must begin with the active MPU.
When you activate images on an active MPU, the system automatically activates the images on the interface modules and switching fabric modules. You do not need to activate the images on the interface modules and switching fabric modules separately.
Installing or upgrading boot and system images
Perform this task in user view.
Step |
Command |
Remarks |
1. Verify that the system is stable. |
display system stable state |
The system is stable if the System State field displays Stable. For a successful ISSU, you must make sure the system is stable before you proceed to the next step. |
2. (Optional.) Identify the recommended ISSU method and the possible impact of the upgrade. |
install activate { boot filename | system filename } * chassis chassis-number slot slot-number test |
N/A |
3. Activate images. |
install activate { boot filename | system filename } * chassis chassis-number slot slot-number |
N/A |
Installing patch images
If a system image has multiple versions of patch images, you only need to install the latest version. You do not need to uninstall older patch images before you install a new patch image.
Perform this task in user view.
Step |
Command |
Remarks |
1. Verify that the system is stable. |
display system stable state |
The system is stable if the System State field displays Stable. For a successful installation, you must make sure the system is stable before you proceed to the next step. |
2. Activate patch images. |
install activate patch filename { all | chassis chassis-number slot slot-number } |
N/A |
Uninstalling patch images
You can uninstall only patch images.
The uninstall operation only removes images from the current software image list. For the change to take effect after a reboot, you must perform a commit operation to remove the images from the main startup image list.
Uninstalled images are still stored on the storage medium. To permanently delete the images, execute the install remove command. For more information, see "Deleting inactive software images."
Perform this task in user view.
Step |
Command |
Remarks |
1. Verify that the system is stable. |
display system stable state |
The system is stable if the System State field displays Stable. For a successful uninstallation, you must make sure the system is stable before you proceed to the next step. |
2. Deactivate patch images. |
install deactivate patch filename chassis chassis-number slot slot-number |
N/A |
Rolling back the running software images
For each service or file upgrade performed through an activate or deactivate operation, the system creates a rollback point. A maximum of 50 rollback points are available for service and file upgrades. The earliest rollback point is removed if this limit has been reached when a rollback point is created.
After a reboot upgrade is performed, the system creates a rollback point. You can roll back the running software images to the status before any activate or deactivate operations are performed.
A patch image activate or deactivate operation does not support rollback.
For a rollback to take effect after a reboot, you must perform a commit operation to update the main startup software image list.
After a commit operation is performed, you cannot perform a rollback.
To roll back the software, execute the following commands in user view:
Step |
Command |
1. (Optional.) Display available rollback points. |
display install rollback |
2. Roll back the software. |
install rollback to { point-id | original } |
Aborting a software activate/deactivate operation
This task is available only for service upgrade or file upgrade performed through an activate or deactivate operation. After the operation is aborted, the system runs with the software images that it was running with before the operation.
Task |
Command |
Abort a software activate/deactivate operation. |
· Method 1: Press Ctrl+C while a software image is being activated or deactivated.
· Method 2: Execute the install abort command in user view. |
Committing software changes
When you activate or deactivate images, the main startup image list does not update with the changes. The software changes are lost at reboot. For the changes to take effect after a reboot, you must commit the changes.
Perform this task in user view.
Task |
Command |
Remarks |
Commit the software changes. |
install commit |
This command commits all software changes. |
Verifying software images
Perform this task to verify the following items:
· Integrity—Verify that the boot and system images are integral.
· Consistency—Verify that the same active images are running across the entire system.
· Software commit status—Verify that the active images are committed as needed.
If an image is not integral, consistent, or committed, use the install activate, install deactivate, and install commit commands as appropriate to resolve the issue.
Perform this task in user view.
Task |
Command |
Verify software images. |
install verify |
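The consistency and commit-status items above can also be checked offline from captured CLI output. The following added example (not from the H3C guide) parses the "Active packages on chassis N slot M:" and "Committed packages on chassis N slot M:" listings shown in this guide's sample output, flags slots whose active image set differs from the rest of the IRF fabric, and flags slots whose active images have not been committed; the two outputs it uses are constructed, with one slot deliberately left out of step.

```python
"""Consistency and commit-status check over `display install active` and
`display install committed` output from an IRF fabric.

Added example, not from the H3C guide. The parser keys on the
"Active|Committed packages on chassis N slot M:" headers from the guide's
sample output; image lines are the lines carrying a "flash:/" style path.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

Slot = Tuple[int, int]  # (chassis number, slot number)
HEADER_RE = re.compile(r"^(Active|Committed) packages on chassis (\d+) slot (\d+):$")


def parse_install_output(text: str) -> Dict[Slot, List[str]]:
    """Map each (chassis, slot) to the sorted list of image paths listed under it."""
    images: Dict[Slot, List[str]] = {}
    current: Optional[Slot] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = (int(m.group(2)), int(m.group(3)))
            images[current] = []
        elif current is not None and ":/" in line:
            images[current].append(line)
        # anything else (blank lines, the echoed CLI prompt) is ignored
    return {slot: sorted(paths) for slot, paths in images.items()}


def find_inconsistent_slots(active: Dict[Slot, List[str]]) -> List[Slot]:
    """Consistency item: slots whose active image set differs from the set most slots run."""
    if not active:
        return []
    majority = Counter(tuple(v) for v in active.values()).most_common(1)[0][0]
    return sorted(slot for slot, v in active.items() if tuple(v) != majority)


def find_uncommitted_slots(active: Dict[Slot, List[str]],
                           committed: Dict[Slot, List[str]]) -> List[Slot]:
    """Commit-status item: slots whose active images are not the committed main startup images.

    Such changes are lost at reboot until install commit is executed.
    """
    return sorted(slot for slot, v in active.items() if committed.get(slot) != v)


# Constructed sample output in the format shown in the guide. Chassis 2 slot 1
# has not had the patch images activated, and nothing has been committed yet.
ACTIVE_OUTPUT = """\
<Sysname> display install active
Active packages on chassis 1 slot 0:
  flash:/boot.bin
  flash:/system.bin
  flash:/boot-patch.bin
  flash:/system-patch.bin
Active packages on chassis 1 slot 1:
  flash:/boot.bin
  flash:/system.bin
  flash:/boot-patch.bin
  flash:/system-patch.bin
Active packages on chassis 2 slot 0:
  flash:/boot.bin
  flash:/system.bin
  flash:/boot-patch.bin
  flash:/system-patch.bin
Active packages on chassis 2 slot 1:
  flash:/boot.bin
  flash:/system.bin
"""

COMMITTED_OUTPUT = """\
<Sysname> display install committed
Committed packages on chassis 1 slot 0:
  flash:/boot.bin
  flash:/system.bin
Committed packages on chassis 1 slot 1:
  flash:/boot.bin
  flash:/system.bin
Committed packages on chassis 2 slot 0:
  flash:/boot.bin
  flash:/system.bin
Committed packages on chassis 2 slot 1:
  flash:/boot.bin
  flash:/system.bin
"""


def check_fabric(active_text: str, committed_text: str) -> Dict[str, List[Slot]]:
    """Run both checks and return the slots that need attention."""
    active = parse_install_output(active_text)
    committed = parse_install_output(committed_text)
    return {
        "inconsistent": find_inconsistent_slots(active),
        "uncommitted": find_uncommitted_slots(active, committed),
    }


if __name__ == "__main__":
    print(check_fabric(ACTIVE_OUTPUT, COMMITTED_OUTPUT))
    # -> {'inconsistent': [(2, 1)], 'uncommitted': [(1, 0), (1, 1), (2, 0)]}
```

Integrity of the image files themselves cannot be judged from this output; that remains the job of install verify on the device.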
Deleting inactive software images
This task deletes image files permanently. You cannot use the install rollback to command to revert the operation, or use the install abort command to abort the operation.
Perform this task in user view.
Task |
Command |
Delete an inactive software image file. |
install remove [ chassis chassis-number slot slot-number ] { filename | inactive } |
Displaying and maintaining ISSU
Unless otherwise stated, the display and reset commands can be used during an ISSU, regardless of whether the install or issu commands are used.
Execute display commands in any view and reset commands in user view.
Task |
Command |
Remarks |
Display active software images. |
display install active [ chassis chassis-number slot slot-number ] [ verbose ] |
N/A |
Display backup startup software images. |
display install backup [ chassis chassis-number slot slot-number ] [ verbose ] |
N/A |
Display main startup software images. |
display install committed [ chassis chassis-number slot slot-number ] [ verbose ] |
N/A |
Display inactive software images. |
display install inactive [ chassis chassis-number slot slot-number ] [ verbose ] |
N/A |
Display the software images included in an .ipe file. |
display install ipe-info ipe-filename |
N/A |
Display ongoing ISSU activate, deactivate, and rollback operations. |
display install job |
N/A |
Display ISSU log entries. |
display install log [ log-id ] [ verbose ] |
N/A |
Display software image file information. |
display install package { filename | all } [ verbose ] |
N/A |
Display rollback point information. |
display install rollback [ point-id ] |
The system does not record rollback points during an ISSU that uses issu commands. |
Display the software image file that includes a specific component or file. |
display install which { component name | file filename } [ chassis chassis-number slot slot-number ] |
N/A |
Display automatic rollback timer information. |
display issu rollback-timer |
N/A |
Display ISSU status information. |
display issu state |
This command applies only to an ISSU that uses issu commands. |
Display version compatibility information and identify the upgrade method. |
display version comp-matrix |
N/A |
Clear ISSU log entries. |
reset install log-history oldest log-number |
N/A |
Clear ISSU rollback points. |
reset install rollback oldest point-id |
N/A |
Example of using issu commands for ISSU
Upgrade requirements
As shown in Figure 29, the IRF fabric has two members. Each member has one active MPU (slot 0) and one standby MPU (slot 1).
Upgrade the boot image and system image from T0001015 to T0001016.
Upgrade procedure
# Download the image file that contains the T0001016 boot image and system image from the TFTP server.
<Sysname> tftp 2.2.2.2 get version-t0001016.ipe
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 256k 100 256k 0 0 764k 0 --:--:-- --:--:-- --:--:-- 810k
# Display active software images.
<Sysname> display install active
Active packages on chassis 1 slot 0:
flash:/boot-t0001015.bin
flash:/system-t0001015.bin
Active packages on chassis 1 slot 1:
flash:/boot-t0001015.bin
flash:/system-t0001015.bin
Active packages on chassis 2 slot 0:
flash:/boot-t0001015.bin
flash:/system-t0001015.bin
Active packages on chassis 2 slot 1:
flash:/boot-t0001015.bin
flash:/system-t0001015.bin
# Upgrade the boot image and system image on the subordinate member. After the upgrade, the subordinate member will leave the original IRF fabric and form a new IRF fabric by itself.
<Sysname> issu load file ipe flash:/version-t0001016.ipe chassis 2
This operation will delete the rollback point information for the previous upgrade and maybe get unsaved configuration lost. Continue? [Y/N]:y
Verifying image file flash:/version-t0001016.ipe on slot 0.................Done.
Decompressing file BOOT-T0001016.bin to flash:/BOOT-T0001016.bin.............Done.
Decompressing file SYSTEM-T0001016.bin to flash:/SYSTEM-T0001016.bin...........Done.
Decompression completed.
Do you want to delete flash:/version-t0001016.ipe now? [Y/N]:n
Upgrade summary according to following table:
flash:/BOOT-T0001016.bin
Running Version New Version
Test 0001015 Test 0001016
flash:/SYSTEM-T0001016.bin
Running Version New Version
Test 0001015 Test 0001016
Chassis Slot Upgrade Way
2 0 Reboot
2 1 Reboot
Upgrading software images to compatible versions. Continue? [Y/N]:y
# Perform an ISSU switchover.
<Sysname> issu run switchover
Upgrade summary according to following table:
flash:/BOOT-T0001016.bin
Running Version New Version
Test 0001015 Test 0001016
flash:/SYSTEM-T0001016.bin
Running Version New Version
Test 0001015 Test 0001016
Chassis Slot Switchover Way
2 0 Global active standby MPU switchover
Upgrading software images to compatible versions. Continue? [Y/N]:y
# Upgrade the boot image and system image on the original master.
<Sysname> issu commit chassis 1
flash:/BOOT-t0001016.bin
Running Version New Version
Test 0001015 Test 0001016
flash:/SYSTEM-t0001016.bin
Running Version New Version
Test 0001015 Test 0001016
Chassis Slot Upgrade Way
1 0 Reboot
1 1 Reboot
Upgrading software images to compatible versions. Continue? [Y/N]:y
# Verify that both members are running the new boot image and system image.
<Sysname> display install active
Active packages on chassis 1 slot 0:
flash:/boot-t0001016.bin
flash:/system-t0001016.bin
Active packages on chassis 1 slot 1:
flash:/boot-t0001016.bin
flash:/system-t0001016.bin
Active packages on chassis 2 slot 0:
flash:/boot-t0001016.bin
flash:/system-t0001016.bin
Active packages on chassis 2 slot 1:
flash:/boot-t0001016.bin
flash:/system-t0001016.bin
Example of using install commands for software patching
Upgrade requirements
As shown in Figure 30, the IRF fabric has two members. Each member has one active MPU (slot 0) and one standby MPU (slot 1).
Patch the software to fix bugs.
Upgrade procedure
# Download the patch image files from the TFTP server.
<Sysname> tftp 2.2.2.2 get system-patch.bin
<Sysname> tftp 2.2.2.2 get boot-patch.bin
# Display active software images.
<Sysname> display install active
Active packages on chassis 1 slot 0:
flash:/boot.bin
flash:/system.bin
Active packages on chassis 1 slot 1:
flash:/boot.bin
flash:/system.bin
Active packages on chassis 2 slot 0:
flash:/boot.bin
flash:/system.bin
Active packages on chassis 2 slot 1:
flash:/boot.bin
flash:/system.bin
# Activate the patch images on all MPUs.
<Sysname> install activate patch flash:/boot-patch.bin chassis 1 slot 0
<Sysname> install activate patch flash:/system-patch.bin chassis 1 slot 0
<Sysname> install activate patch flash:/boot-patch.bin chassis 1 slot 1
<Sysname> install activate patch flash:/system-patch.bin chassis 1 slot 1
<Sysname> install activate patch flash:/boot-patch.bin chassis 2 slot 0
<Sysname> install activate patch flash:/system-patch.bin chassis 2 slot 0
<Sysname> install activate patch flash:/boot-patch.bin chassis 2 slot 1
<Sysname> install activate patch flash:/system-patch.bin chassis 2 slot 1
# Verify that the patch image has been activated.
<Sysname> display install active
Active packages on chassis 1 slot 0:
flash:/boot.bin
flash:/system.bin
flash:/boot-patch.bin
flash:/system-patch.bin
Active packages on chassis 1 slot 1:
flash:/boot.bin
flash:/system.bin
flash:/boot-patch.bin
flash:/system-patch.bin
Active packages on chassis 2 slot 0:
flash:/boot.bin
flash:/system.bin
flash:/boot-patch.bin
flash:/system-patch.bin
Active packages on chassis 2 slot 1:
flash:/boot.bin
flash:/system.bin
flash:/boot-patch.bin
flash:/system-patch.bin
# Commit the software changes.
<Sysname> install commit
# Display main startup software images.
<Sysname> display install committed
Committed packages on chassis 1 slot 0:
flash:/boot.bin
flash:/system.bin
flash:/boot-patch.bin
flash:/system-patch.bin
Committed packages on chassis 1 slot 1:
flash:/boot.bin
flash:/system.bin
flash:/boot-patch.bin
flash:/system-patch.bin
<Sysname> display install committed
Committed packages on chassis 2 slot 0:
flash:/boot.bin
flash:/system.bin
flash:/boot-patch.bin
flash:/system-patch.bin
Committed packages on chassis 2 slot 1:
flash:/boot.bin
flash:/system.bin
flash:/boot-patch.bin
flash:/system-patch.bin
Managing the device
This chapter describes how to configure basic device parameters and manage the device.
You can perform the configuration tasks in this chapter in any order.
Configuring the device name
A device name (also called hostname) identifies a device in a network and is used in CLI view prompts. For example, if the device name is Sysname, the user view prompt is <Sysname>.
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Configure the device name. |
sysname sysname |
The default device name is H3C. |
Configuring the system time
Correct system time is essential to network management and communication. Configure the system time correctly before you run the device on the network.
The device can use the locally set system time, or obtain the UTC time from an NTP source and calculate the system time.
· When using the locally set system time, the device uses the clock signals generated by its built-in crystal oscillator to maintain the system time.
· After obtaining the UTC time from an NTP source, the device uses the UTC time, time zone, and daylight saving time to calculate the system time. Then, the device periodically synchronizes its UTC time and recalculates the system time. For more information about NTP configuration, see Network Management and Monitoring Configuration Guide.
The system time calculated by using the UTC time from an NTP time source is more precise.
To configure the device to use the local system time:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Specify the system time source. |
clock protocol none |
By default, the device uses the NTP time source. |
3. Return to user view. |
quit |
N/A |
4. Set the local system time. |
clock datetime time date |
N/A |
5. Enter system view. |
system-view |
N/A |
6. Set the time zone. |
clock timezone zone-name { add | minus } zone-offset |
By default, the system uses the Greenwich Mean Time time zone. After a time zone change, the device recalculates the system time. To view the system time, use the display clock command. This setting must be consistent with the time zone of the place where the device resides. |
7. (Optional.) Set the daylight saving time. |
clock summer-time name start-time start-date end-time end-date add-time |
By default, the daylight saving time is not set. After you set the daylight saving time, the device recalculates the system time. To view the system time, use the display clock command. The settings must be consistent with the daylight saving time parameters of the place where the device resides. |
To configure the device to obtain the UTC time from a time source and calculate the system time:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Specify the system time source. |
undo clock protocol |
By default, the device uses the NTP time source. |
3. Set the time zone. |
clock timezone zone-name { add | minus } zone-offset |
By default, the time zone is not set. After you set the time zone, the device recalculates the system time. To view the system time, use the display clock command. This setting must be consistent with the time zone of the place where the device resides. |
4. (Optional.) Set the daylight saving time. |
clock summer-time name start-time start-date end-time end-date add-time |
By default, the daylight saving time is not set. After you set the daylight saving time, the device recalculates the system time. To view the system time, use the display clock command. The settings must be consistent with the daylight saving time parameters of the place where the device resides. |
Enabling displaying the copyright statement
This feature enables the device to display the copyright statement in the following situations:
· When a Telnet or SSH user logs in.
· When a console user quits user view. This is because the device automatically tries to restart the user session.
The following is a sample copyright statement:
******************************************************************************
* Copyright (c) 2004-2016 Hangzhou H3C Tech. Co., Ltd. All rights reserved. *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
To enable displaying the copyright statement:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enable displaying the copyright statement. |
copyright-info enable |
By default, this function is enabled. |
Configuring banners
Banners are messages that the system displays when a user logs in.
Banner types
The system supports the following banners:
· Legal banner—Appears after the copyright statement. To continue login, the user must enter Y or press Enter. To quit the process, the user must enter N. Y and N are case insensitive.
· Message of the Day (MOTD) banner—Appears after the legal banner and before the login banner.
· Login banner—Appears only when password or scheme authentication is configured.
· Shell banner—Appears for a login user when the user enters user view.
The system displays the banners in the following order: legal banner, MOTD banner, login banner, and shell banner.
Banner input methods
You can configure a banner by using one of the following methods:
· Input the entire command line in a single line.
The entire command line, including the command keywords, the banner, and the delimiters, can have a maximum of 511 characters. The delimiters for the banner can be any printable character but must be the same. You cannot press Enter before you input the end delimiter.
For example, you can configure the shell banner "Have a nice day." as follows:
<System> system-view
[System] header shell %Have a nice day.%
· Input the command line in multiple lines.
The banner can contain carriage returns. A carriage return is counted as two characters.
To input a banner configuration command line in multiple lines, use one of the following methods:
? Press Enter after the final command keyword, type the banner, and end the final line with the delimiter character %. The banner plus the delimiter can have a maximum of 1999 characters.
For example, you can configure the banner "Have a nice day." as follows:
<System> system-view
[System] header shell
Please input banner content, and quit with the character '%'.
Have a nice day.%
? After you type the final command keyword, type any printable character as the start delimiter for the banner and press Enter. Then, type the banner and end the final line with the same delimiter. The banner plus the end delimiter can have a maximum of 1999 characters.
For example, you can configure the banner "Have a nice day." as follows:
<System> system-view
[System] header shell A
Please input banner content, and quit with the character 'A'.
Have a nice day.A
? After you type the final command keyword, type the start delimiter and part of the banner. Make sure the final character of the final string is different from the start delimiter. Then, press Enter, type the rest of the banner, and end the final line with the same delimiter. The banner plus the start and end delimiters can have a maximum of 2002 characters.
For example, you can configure the banner "Have a nice day." as follows:
<System> system-view
[System] header shell AHave a nice day.
Please input banner content, and quit with the character 'A'.
A
Configuration procedure
To configure banners:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Configure the legal banner. |
header legal text |
By default, no legal banner is configured. |
3. Configure the MOTD banner. |
header motd text |
By default, no MOTD banner is configured. |
4. Configure the login banner. |
header login text |
By default, no login banner is configured. |
5. Configure the shell banner. |
header shell text |
By default, no shell banner is configured. |
Setting the system operating mode
The device can operate in several modes. The differences lie in support for the VXLAN, FCoE, SPBM, service chain, and tunneling features.
The operating modes include:
· advance—Advanced mode, in which FCoE, tunneling, and partial functionality of VXLAN are supported.
· bridgee—Enhanced Layer 2 mode, in which SPBM and service chain are supported. SPBM is supported only in this mode.
· standard—Standard mode, in which VXLAN, service chain, and tunneling are supported. This mode is the most commonly used mode.
To set the system operating mode:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Set the system operating mode. |
system-working-mode { advance | bridgee | standard } |
By default, the device operates in standard mode. Change to the operating mode takes effect after a system reboot. |
Rebooting the device
CAUTION:
· A device reboot might interrupt network services.
· To avoid configuration loss, use the save command to save the running configuration before a reboot. For more information about the save command, see Fundamentals Command Reference.
· Before a reboot, use the display startup and display boot-loader commands to verify that the startup configuration file and startup software images are correctly specified. If a startup configuration file or software image problem exists, the device cannot start up correctly. For more information about the two display commands, see Fundamentals Command Reference.
The following device reboot methods are available:
· Schedule a reboot at the CLI, so the device automatically reboots at the specified time or after the specified period of time.
· Immediately reboot the device at the CLI.
During the reboot process, the device performs the following operations:
a. Resets all of its chips.
b. Uses the BootWare to verify the startup software package, decompress the package, and load the images.
c. Initializes the system.
· Power off and then power on the device. This method might cause data loss, and is the least-preferred method.
Using the CLI, you can reboot the device from a remote host.
For data security, the device does not reboot while it is performing file operations.
Rebooting devices immediately from the CLI
Execute one of the following commands as appropriate in user view:
Task |
Command |
Reboot the device. |
· In standalone mode.
· In IRF mode. |
Scheduling a device reboot
The device supports only one device reboot schedule. If you execute the scheduler reboot at or scheduler reboot delay command multiple times or execute both commands, the most recent configuration takes effect.
(In standalone mode.) The automatic reboot configuration is canceled if an active/standby switchover occurs.
(In IRF mode.) The automatic reboot configuration is effective on all member devices. It will be canceled if a switchover between the global active MPU and a global standby MPU occurs.
To schedule a reboot, execute one of the following commands in user view:
Task |
Command |
Remarks |
Specify the reboot date and time. |
scheduler reboot at time [ date ] |
By default, no reboot date or time is specified. |
Specify the reboot delay time. |
scheduler reboot delay time |
By default, no reboot delay time is specified. |
Scheduling a task
You can schedule the device to automatically execute a command or a set of commands without administrative interference.
You can configure a periodic schedule or a non-periodic schedule. A non-periodic schedule is not saved to the configuration file and is lost when the device reboots. A periodic schedule is saved to the startup configuration file and is automatically executed periodically.
Configuration guidelines
Follow these guidelines when you schedule a task:
· The default system time is always restored at reboot. To make sure a task schedule can be executed as expected, reconfigure the system time or configure NTP after you reboot the device. For more information about NTP, see Network Management and Monitoring Configuration Guide.
· To assign a command (command A) to a job, you must first assign the job the command or commands for entering the view of command A.
· Make sure all commands in a schedule are compliant with the command syntax. The system does not check the syntax when you assign a command to a job.
· A schedule cannot contain any one of these commands: telnet, ftp, ssh2, and monitor process.
· A schedule does not support user interaction. If a command requires a yes or no answer, the system always assumes that a Y or Yes is entered. If a command requires a character string input, the system assumes that either the default character string (if any) or a null string is entered.
· A schedule is executed in the background, and no output (except for logs, traps, and debug information) is displayed for the schedule.
Configuration procedure
To configure a non-periodic schedule for the device:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Create a job. |
scheduler job job-name |
By default, no job exists. |
3. Assign a command to the job. |
command id command |
By default, no command is assigned to a job. A command with a smaller ID is executed first. |
4. Exit to system view. |
quit |
N/A |
5. Create a schedule. |
scheduler schedule schedule-name |
By default, no schedule exists. |
6. Assign a job to a schedule. |
job job-name |
By default, no job is assigned to a schedule. You can assign multiple jobs to a schedule. The jobs will be executed concurrently. |
7. Assign user roles to the schedule. |
user-role role-name |
By default, a schedule has the user role of the schedule creator. You can assign up to 64 user roles to a schedule. A command in a schedule can be executed if it is permitted by one or more user roles of the schedule. |
8. Specify an execution time table for the non-periodic schedule. |
· Specify the execution date and time. · Specify the execution days and time. · Specify the execution delay time. |
By default, no execution time is specified for a schedule. Executing commands clock datetime, clock summer-time, and clock timezone does not change the execution time table that is already configured for a schedule. |
To configure a periodic schedule for the device:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Create a job. |
scheduler job job-name |
By default, no job exists. |
3. Assign a command to the job. |
command id command |
By default, no command is assigned to a job. A command with a smaller ID is executed first. |
4. Exit to system view. |
quit |
N/A |
5. Create a schedule. |
scheduler schedule schedule-name |
By default, no schedule exists. |
6. Assign a job to a schedule. |
job job-name |
By default, no job is assigned to a schedule. You can assign multiple jobs to a schedule. The jobs will be executed concurrently. |
7. Assign user roles to the schedule. |
user-role role-name |
By default, a schedule has the user role of the schedule creator. You can assign up to 64 user roles to a schedule. A command in a schedule can be executed if it is permitted by one or more user roles of the schedule. |
8. Specify an execution time table for the periodic schedule. |
· Execute the schedule at an interval from the specified time on. · Execute the schedule at the specified time on every specified day in a month or week. |
By default, no execution time is specified for a schedule. Executing commands clock datetime, clock summer-time, and clock timezone does not change the execution time table that is already configured for a schedule. |
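An offline model of the job and schedule rules stated in the guidelines and the two procedures above, written as an added example (not H3C code) so a job definition can be linted before it is configured on a device. The per-role permission table is constructed for the example and only stands in for the device's RBAC rules.

```python
"""Offline lint for Comware job/schedule definitions (added example, not H3C code).

It models the rules stated in the guide: commands in a job run in ascending
ID order, a schedule must not contain telnet/ftp/ssh2/monitor process, a
schedule carries at most 64 user roles, and a command executes only if at
least one of the schedule's user roles permits it.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

FORBIDDEN = ("telnet", "ftp", "ssh2", "monitor process")
MAX_USER_ROLES = 64

# Constructed role table for the example; it is not the device's real RBAC
# rule set, only a stand-in predicate per role name.
ROLE_RULES: Dict[str, Callable[[str], bool]] = {
    "network-admin": lambda cmd: True,
    "network-operator": lambda cmd: (cmd.split() or [""])[0]
    in ("display", "system-view", "quit"),
}


@dataclass
class Job:
    name: str
    commands: Dict[int, str] = field(default_factory=dict)  # command id -> text

    def add(self, cmd_id: int, command: str) -> None:
        """Mirror 'command id command'; reusing an id replaces that command."""
        self.commands[cmd_id] = command.strip()

    def ordered(self) -> List[str]:
        """A command with a smaller ID is executed first."""
        return [self.commands[i] for i in sorted(self.commands)]


@dataclass
class Schedule:
    name: str
    creator_role: str
    jobs: List[Job] = field(default_factory=list)
    user_roles: List[str] = field(default_factory=list)

    def effective_roles(self) -> List[str]:
        # By default a schedule has the user role of its creator.
        return self.user_roles or [self.creator_role]


def is_forbidden(command: str) -> bool:
    """True if the command is one the guide bans from schedules."""
    text = command.lower()
    return any(text == f or text.startswith(f + " ") for f in FORBIDDEN)


def permitted(roles: List[str], command: str) -> bool:
    """A command may run if one or more of the schedule's roles permits it."""
    return any(ROLE_RULES.get(r, lambda c: False)(command) for r in roles)


def lint_schedule(sched: Schedule) -> List[str]:
    """Return the problems found; an empty list means the schedule passes."""
    problems: List[str] = []
    roles = sched.effective_roles()
    if len(roles) > MAX_USER_ROLES:
        problems.append(f"{sched.name}: {len(roles)} user roles exceeds {MAX_USER_ROLES}")
    if not sched.jobs:
        problems.append(f"{sched.name}: no job assigned")
    for job in sched.jobs:
        for cmd in job.ordered():
            if is_forbidden(cmd):
                problems.append(f"{sched.name}/{job.name}: forbidden command '{cmd}'")
            elif not permitted(roles, cmd):
                problems.append(f"{sched.name}/{job.name}: no role permits '{cmd}'")
    return problems


def execution_plan(sched: Schedule) -> Dict[str, List[str]]:
    """Jobs run concurrently, so the plan is per job, each in command-ID order."""
    return {job.name: job.ordered() for job in sched.jobs}


if __name__ == "__main__":
    job = Job("shutdown-HundredGigE1/0/1")
    job.add(1, "system-view")
    job.add(2, "interface hundredgige 1/0/1")
    job.add(3, "shutdown")
    sched = Schedule("STOP-pc1/pc2", creator_role="network-operator", jobs=[job])
    print(lint_schedule(sched))  # operator role cannot run interface/shutdown
```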
Schedule configuration example
Network requirements
As shown in Figure 31, two interfaces of the device are connected to users.
To save energy, configure the device to perform the following operations:
· Enable the interfaces at 8:00 a.m. every Monday through Friday.
· Disable the interfaces at 18:00 every Monday through Friday.
Scheduling procedure
# Enter system view.
<Sysname> system-view
# Configure a job for disabling interface HundredGigE 1/0/1.
[Sysname] scheduler job shutdown-HundredGigE1/0/1
[Sysname-job-shutdown-HundredGigE1/0/1] command 1 system-view
[Sysname-job-shutdown-HundredGigE1/0/1] command 2 interface hundredgige 1/0/1
[Sysname-job-shutdown-HundredGigE1/0/1] command 3 shutdown
[Sysname-job-shutdown-HundredGigE1/0/1] quit
# Configure a job for enabling interface HundredGigE 1/0/1.
[Sysname] scheduler job start-HundredGigE1/0/1
[Sysname-job-start-HundredGigE1/0/1] command 1 system-view
[Sysname-job-start-HundredGigE1/0/1] command 2 interface hundredgige 1/0/1
[Sysname-job-start-HundredGigE1/0/1] command 3 undo shutdown
[Sysname-job-start-HundredGigE1/0/1] quit
# Configure a job for disabling interface HundredGigE 1/0/2.
[Sysname] scheduler job shutdown-HundredGigE1/0/2
[Sysname-job-shutdown-HundredGigE1/0/2] command 1 system-view
[Sysname-job-shutdown-HundredGigE1/0/2] command 2 interface hundredgige 1/0/2
[Sysname-job-shutdown-HundredGigE1/0/2] command 3 shutdown
[Sysname-job-shutdown-HundredGigE1/0/2] quit
# Configure a job for enabling interface HundredGigE 1/0/2.
[Sysname] scheduler job start-HundredGigE1/0/2
[Sysname-job-start-HundredGigE1/0/2] command 1 system-view
[Sysname-job-start-HundredGigE1/0/2] command 2 interface hundredgige 1/0/2
[Sysname-job-start-HundredGigE1/0/2] command 3 undo shutdown
[Sysname-job-start-HundredGigE1/0/2] quit
# Configure a periodic schedule for enabling the interfaces at 8:00 a.m. every Monday through Friday.
[Sysname] scheduler schedule START-pc1/pc2
[Sysname-schedule-START-pc1/pc2] job start-HundredGigE1/0/1
[Sysname-schedule-START-pc1/pc2] job start-HundredGigE1/0/2
[Sysname-schedule-START-pc1/pc2] time repeating at 8:00 week-day mon tue wed thu fri
[Sysname-schedule-START-pc1/pc2] quit
# Configure a periodic schedule for disabling the interfaces at 18:00 every Monday through Friday.
[Sysname] scheduler schedule STOP-pc1/pc2
[Sysname-schedule-STOP-pc1/pc2] job shutdown-HundredGigE1/0/1
[Sysname-schedule-STOP-pc1/pc2] job shutdown-HundredGigE1/0/2
[Sysname-schedule-STOP-pc1/pc2] time repeating at 18:00 week-day mon tue wed thu fri
[Sysname-schedule-STOP-pc1/pc2] quit
Verifying the scheduling
# Display the configuration information of all jobs.
[Sysname] display scheduler job
Job name: shutdown-HundredGigE1/0/1
system-view
interface hundredgige 1/0/1
shutdown
Job name: shutdown-HundredGigE1/0/2
system-view
interface hundredgige 1/0/2
shutdown
Job name: start-HundredGigE1/0/1
system-view
interface hundredgige 1/0/1
undo shutdown
Job name: start-HundredGigE1/0/2
system-view
interface hundredgige 1/0/2
undo shutdown
# Display the schedule information.
[Sysname] display scheduler schedule
Schedule name : START-pc1/pc2
Schedule type : Run on every Mon Tue Wed Thu Fri at 08:00:00
Start time : Wed Sep 28 08:00:00 2011
Last execution time : Wed Sep 28 08:00:00 2011
Last completion time : Wed Sep 28 08:00:03 2011
Execution counts : 1
-----------------------------------------------------------------------
Job name Last execution status
start-HundredGigE1/0/1 Successful
start-HundredGigE1/0/2 Successful
Schedule name : STOP-pc1/pc2
Schedule type : Run on every Mon Tue Wed Thu Fri at 18:00:00
Start time : Wed Sep 28 18:00:00 2011
Last execution time : Wed Sep 28 18:00:00 2011
Last completion time : Wed Sep 28 18:00:01 2011
Execution counts : 1
-----------------------------------------------------------------------
Job name Last execution status
shutdown-HundredGigE1/0/1 Successful
shutdown-HundredGigE1/0/2 Successful
# Display schedule log information.
[Sysname] display scheduler logfile
Job name : start-HundredGigE1/0/1
Schedule name : START-pc1/pc2
Execution time : Wed Sep 28 08:00:00 2011
Completion time : Wed Sep 28 08:00:02 2011
--------------------------------- Job output -----------------------------------
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname]interface hundredgige 1/0/1
[Sysname-HundredGigE1/0/1]undo shutdown
Job name : start-HundredGigE1/0/2
Schedule name : START-pc1/pc2
Execution time : Wed Sep 28 08:00:00 2011
Completion time : Wed Sep 28 08:00:02 2011
--------------------------------- Job output -----------------------------------
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname]interface hundredgige 1/0/2
[Sysname-HundredGigE1/0/2]undo shutdown
Job name : shutdown-HundredGigE1/0/1
Schedule name : STOP-pc1/pc2
Execution time : Wed Sep 28 18:00:00 2011
Completion time : Wed Sep 28 18:00:01 2011
--------------------------------- Job output -----------------------------------
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname]interface hundredgige 1/0/1
[Sysname-HundredGigE1/0/1]shutdown
Job name : shutdown-HundredGigE1/0/2
Schedule name : STOP-pc1/pc2
Execution time : Wed Sep 28 18:00:00 2011
Completion time : Wed Sep 28 18:00:01 2011
--------------------------------- Job output -----------------------------------
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname]interface hundredgige 1/0/2
[Sysname-HundredGigE1/0/2]shutdown
Disabling password recovery capability
Password recovery capability controls console user access to the device configuration and SDRAM from BootWare menus.
If password recovery capability is enabled, a console user can access the device configuration without authentication to configure a new password.
If password recovery capability is disabled, console users must restore the factory-default configuration before they can configure new passwords. Restoring the factory-default configuration deletes the next-startup configuration files.
To enhance system security, disable password recovery capability.
To disable password recovery capability:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Disable password recovery capability. |
undo password-recovery enable |
By default, password recovery capability is enabled. |
Disabling BootWare menu access
By default, anyone can press Ctrl+B during startup to access the BootWare menu, load software, and manage storage media. To prevent unauthorized access, set a BootWare menu password or disable BootWare menu access.
To disable BootWare menu access, execute the following command in user view:
Task |
Command |
Remarks |
Disable BootWare menu access. |
undo bootrom-access enable |
By default, access to the BootWare menu is enabled. |
Setting the port status detection timer
To set the port status detection timer:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Set the port status detection timer. |
shutdown-interval time |
The default setting is 30 seconds. |
Monitoring CPU usage
To monitor CPU usage, the device performs the following operations:
· Samples CPU usage at an interval of 1 minute, and compares the sample with the CPU usage threshold. If the sample is greater, the device sends a trap.
· Samples and saves CPU usage at a configurable interval if CPU usage tracking is enabled.
(In standalone mode.) To monitor CPU usage:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Set the CPU usage threshold. |
monitor cpu-usage threshold cpu-threshold [ slot slot-number [ cpu cpu-number ] ] |
By default, the CPU usage threshold is 99%. |
3. Enable CPU usage tracking. |
monitor cpu-usage enable [ slot slot-number [ cpu cpu-number ] ] |
By default, CPU usage tracking is enabled. |
4. Set the sampling interval for CPU usage tracking. |
monitor cpu-usage interval interval [ slot slot-number [ cpu cpu-number ] ] |
By default, the sampling interval for CPU usage tracking is 1 minute. |
5. Exit to user view. |
quit |
N/A |
6. Display CPU usage statistics. |
display cpu-usage [ summary ] [ slot slot-number [ cpu cpu-number ] ] |
This command is available in any view. |
7. Display CPU usage monitoring settings. |
display cpu-usage configuration [ slot slot-number [ cpu cpu-number ] ] |
This command is available in any view. |
8. Display the historical CPU usage statistics in a coordinate system. |
display cpu-usage history [ job job-id ] [ slot slot-number [ cpu cpu-number ] ] |
This command is available in any view. |
(In IRF mode.) To monitor CPU usage:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Set the CPU usage threshold. |
monitor cpu-usage threshold cpu-threshold [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] |
By default, the CPU usage threshold is 99%. |
3. Enable CPU usage tracking. |
monitor cpu-usage enable [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] |
By default, CPU usage tracking is enabled. |
4. Set the sampling interval for CPU usage tracking. |
monitor cpu-usage interval interval-value [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] |
By default, the sampling interval for CPU usage tracking is 1 minute. |
5. Exit to user view. |
quit |
N/A |
6. Display CPU usage statistics. |
display cpu-usage [ summary ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] |
This command is available in any view. |
7. Display CPU usage monitoring settings. |
display cpu-usage configuration [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] |
This command is available in any view. |
8. Display the historical CPU usage statistics in a coordinate system. |
display cpu-usage history [ job job-id ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] |
This command is available in any view. |
Setting memory alarm thresholds
To monitor memory usage, the device performs the following operations:
· Samples memory usage at an interval of 1 minute, and compares the sample with the memory usage threshold. If the sample is greater, the device sends a trap.
· Monitors the amount of free memory space in real time. If the amount of free memory space decreases to or below a free-memory threshold, the system generates an alarm notification and sends it to affected service modules or processes. If the amount of free memory space increases back to or above the corresponding threshold, the system generates an alarm-removed notification and sends it to affected service modules or processes (see Table 15 for the exact conditions).
As shown in Table 15 and Figure 32, the system supports the following free-memory thresholds:
· Normal state threshold.
· Minor alarm threshold.
· Severe alarm threshold.
· Critical alarm threshold.
Table 15 Memory alarm notifications and memory alarm-removed notifications
Notification |
Triggering condition |
Remarks |
Minor alarm notification |
The amount of free memory space decreases to or below the minor alarm threshold for the first time. |
After generating and sending a minor alarm notification, the system does not generate and send any additional minor alarm notifications until the first minor alarm is removed. |
Severe alarm notification |
The amount of free memory space decreases to or below the severe alarm threshold for the first time. |
After generating and sending a severe alarm notification, the system does not generate and send any additional severe alarm notifications until the first severe alarm is removed. |
Critical alarm notification |
The amount of free memory space decreases to or below the critical alarm threshold for the first time. |
After generating and sending a critical alarm notification, the system does not generate and send any additional critical alarm notifications until the first critical alarm is removed. |
Critical alarm-removed notification |
The amount of free memory space increases to or above the severe alarm threshold. |
N/A |
Severe alarm-removed notification |
The amount of free memory space increases to or above the minor alarm threshold. |
N/A |
Minor alarm-removed notification |
The amount of free memory space increases to or above the normal state threshold. |
N/A |
Figure 32 Memory alarm notification and alarm-removed notification
To set memory alarm thresholds:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Set the memory usage threshold. |
In standalone mode: In IRF mode: |
By default, the memory usage threshold is 100%. |
3. Set the free-memory thresholds. |
In standalone mode: In IRF mode: |
The default settings are as follows: · Minor alarm threshold—96 MB. · Severe alarm threshold—64 MB. · Critical alarm threshold—48 MB. · Normal state threshold—128 MB. |
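A model of the free-memory alarm state machine described in Table 15 and Figure 32, added here as an example (not H3C code). It uses the guide's default thresholds and shows the hysteresis: an alarm is raised once when free memory decreases to or below its threshold and is removed only when free memory climbs back to or above the next-higher threshold.

```python
"""Free-memory alarm state machine from Table 15 (added example, not H3C code).

Free-memory samples (in MB) are fed in one at a time. An alarm is raised when
free memory decreases to or below its threshold for the first time and is not
raised again until it has been removed; an alarm is removed when free memory
increases to or above the next-higher threshold (critical -> severe threshold,
severe -> minor threshold, minor -> normal state threshold).
"""
from typing import Dict, List

LEVELS = ("minor", "severe", "critical")  # raised in this order as memory falls


class MemoryAlarmMonitor:
    # Defaults are the guide's: minor 96 MB, severe 64 MB, critical 48 MB, normal 128 MB.
    def __init__(self, minor: int = 96, severe: int = 64,
                 critical: int = 48, normal: int = 128) -> None:
        if not critical < severe < minor < normal:
            raise ValueError("thresholds must satisfy critical < severe < minor < normal")
        self.threshold: Dict[str, int] = {"minor": minor, "severe": severe, "critical": critical}
        # Threshold that removes each alarm, per the alarm-removed rows of Table 15.
        self.clear_at: Dict[str, int] = {"critical": severe, "severe": minor, "minor": normal}
        self.active: Dict[str, bool] = {lvl: False for lvl in LEVELS}

    def sample(self, free_mb: int) -> List[str]:
        """Process one free-memory sample; return the notifications it generates."""
        events: List[str] = []
        # Alarm notifications: only on a crossing while that alarm is not active.
        for lvl in LEVELS:
            if free_mb <= self.threshold[lvl] and not self.active[lvl]:
                self.active[lvl] = True
                events.append(f"{lvl} alarm")
        # Alarm-removed notifications, most severe first.
        for lvl in reversed(LEVELS):
            if self.active[lvl] and free_mb >= self.clear_at[lvl]:
                self.active[lvl] = False
                events.append(f"{lvl} alarm-removed")
        return events

    def run(self, samples: List[int]) -> List[str]:
        """Feed a sequence of samples and collect every notification in order."""
        out: List[str] = []
        for s in samples:
            out.extend(self.sample(s))
        return out

    def state(self) -> str:
        """Worst active alarm level, or 'normal' when no alarm is active."""
        for lvl in reversed(LEVELS):
            if self.active[lvl]:
                return lvl
        return "normal"


def usage_trap(sample_pct: float, threshold_pct: float = 100) -> bool:
    """Memory usage threshold check (default 100%): a trap is sent when the sample is greater."""
    return sample_pct > threshold_pct


if __name__ == "__main__":
    # Constructed sample series: memory falls through every threshold, then recovers.
    monitor = MemoryAlarmMonitor()
    for free, ev in zip([200, 90, 60, 40, 70, 100, 130],
                        [monitor.sample(s) for s in [200, 90, 60, 40, 70, 100, 130]]):
        print(f"{free:4d} MB free -> {ev}")
```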
Configuring the temperature alarm thresholds
The device monitors its temperature based on the following thresholds:
· Low-temperature threshold.
· High-temperature warning threshold.
· High-temperature alarming threshold.
When the device temperature drops below the low-temperature threshold or reaches the high-temperature warning or alarming threshold, the device performs the following operations to notify you:
· Sends log messages and traps.
· Sets LEDs on the device panel.
To configure the temperature alarm thresholds:
Disabling USB interfaces
You can use USB interfaces to upload or download files. By default, all USB interfaces are enabled. You can disable USB interfaces as needed.
To disable all USB interfaces:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Disable USB interfaces. |
usb disable |
By default, all USB interfaces are enabled. Before using this command, use the umount command to unmount all USB partitions. For more information about this command, see Fundamentals Command Reference. |
Configuring hardware failure detection and protection
The device can automatically detect hardware failures on components, cards, and the forwarding plane, and take actions in response.
The device can take the following actions in response to hardware failures:
· isolate—Performs the following tasks as appropriate to reduce impact from the failures:
◦ Shuts down the relevant ports.
◦ Prohibits loading software for the relevant cards.
◦ Isolates the relevant cards.
◦ Powers off the relevant cards.
· reset—Restarts the relevant components or cards to recover from failures.
· warning—Sends traps to report the failures.
To specify the actions to be taken in response to hardware failures:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Specify the action to be taken in response to a type of hardware failures. |
hardware-failure-detection { board | chip | forwarding } { off | isolate | reset | warning } |
By default, the system takes the action of warning in response to hardware failures. |
Verifying and diagnosing transceiver modules
Verifying transceiver modules
You can use one of the following methods to verify the genuineness of a transceiver module:
· Display the key parameters of a transceiver module, including its transceiver type, connector type, central wavelength of the transmit laser, transfer distance, and vendor name.
· Display its electronic label. The electronic label is a profile of the transceiver module and contains the permanent configuration, including the serial number, manufacturing date, and vendor name. The data is written to the transceiver module or the device's storage component during debugging or testing of the transceiver module or device.
The device regularly checks transceiver modules for their vendor names. If a transceiver module does not have a vendor name or the vendor name is not H3C, the device repeatedly outputs traps and log messages. For information about logging rules, see Network Management and Monitoring Configuration.
To verify transceiver modules, execute the following commands in any view:
Task |
Command |
Remarks |
Display the key parameters of transceiver modules. |
display transceiver interface [ interface-type interface-number ] |
N/A |
Display the electronic label information of transceiver modules. |
display transceiver manuinfo interface [ interface-type interface-number ] |
This command cannot display information for some transceiver modules. |
Diagnosing transceiver modules
The device provides the alarm and digital diagnosis functions for transceiver modules. When a transceiver module fails or is not operating correctly, you can perform the following tasks:
· Check the alarms that exist on the transceiver module to identify the fault source.
· Examine the key parameters monitored by the digital diagnosis function, including the temperature, voltage, laser bias current, TX power, and RX power.
To diagnose transceiver modules, execute the following commands in any view:
Task |
Command |
Remarks |
Display transceiver alarms. |
display transceiver alarm interface [ interface-type interface-number ] |
N/A |
Display the current values of the digital diagnosis parameters on transceiver modules. |
display transceiver diagnosis interface [ interface-type interface-number ] |
This command cannot display information about some transceiver modules. |
Restoring the factory-default configuration
CAUTION: This task is disruptive. Use this task only when you cannot troubleshoot the device by using other methods, or you want to use the device in a different scenario.
To restore the factory-default configuration for the device, execute the following command in user view:
Task |
Command |
Remarks |
Restore the factory-default configuration for the device. |
restore factory-default |
This command takes effect after a device reboot. |
Displaying and maintaining device management configuration
(In standalone mode.) Execute display commands in any view. Execute the reset scheduler logfile command in user view. Execute the reset version-update-record command in system view.
Task |
Command |
Display device alarm information. |
display alarm [ slot slot-number ] |
Display the BootWare menu access authorization status. |
display bootrom-access |
Display the system time, date, time zone, and daylight saving time. |
display clock |
Display the copyright statement. |
display copyright |
Display current CPU usage statistics. |
display cpu-usage [ slot slot-number [ cpu cpu-number ] ] |
Display CPU usage monitoring settings. |
display cpu-usage configuration [ slot slot-number [ cpu cpu-number ] ] |
Display historical CPU usage statistics in a coordinate system. |
display cpu-usage history [ job job-id ] [ slot slot-number [ cpu cpu-number ] ] |
Display hardware information. |
display device [ flash | usb ] [ slot slot-number | verbose ] |
Display electronic label information for the device. |
display device manuinfo [ slot slot-number ] |
Display electronic label information for the chassis backplane. |
display device manuinfo chassis-only |
Display electronic label information for a fan tray. |
display device manuinfo fan fan-id |
Display electronic label information for a power supply. |
display device manuinfo power power-id |
Display or save operating information for features and hardware modules. |
display diagnostic-information [ hardware | infrastructure | l2 | l3 | service ] [ key-info ] [ filename ] |
Display device temperature information. |
display environment [ slot slot-number ] |
Display the operating states of fan trays. |
display fan [ fan-id ] |
Display memory usage statistics. |
display memory [ summary ] [ slot slot-number [ cpu cpu-number ] ] |
Display memory alarm thresholds and statistics. |
display memory-threshold [ slot slot-number [ cpu cpu-number ] ] |
Display power supply information. |
display power [ power-id ] |
Display job configuration information. |
display scheduler job [ job-name ] |
Display job execution log information. |
display scheduler logfile |
Display the automatic reboot schedule. |
display scheduler reboot |
Display schedule information. |
display scheduler schedule [ schedule-name ] |
Display system stability and status information. |
display system stable state |
Display system working mode information. |
display system-working-mode |
Display system version information. |
display version |
Display startup software image upgrade records. |
display version-update-record |
Clear job execution log information. |
reset scheduler logfile |
Clear startup software image upgrade records. |
reset version-update-record |
(In IRF mode.) Execute display commands in any view. Execute the reset scheduler logfile command in user view. Execute the reset version-update-record command in system view.
Task |
Command |
Display device alarm information. |
display alarm [ chassis chassis-number slot slot-number ] |
Display the BootWare menu access authorization status. |
display bootrom-access |
Display the system time, date, time zone, and daylight saving time. |
display clock |
Display the copyright statement. |
display copyright |
Display current CPU usage statistics. |
display cpu-usage [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] |
Display CPU usage monitoring settings. |
display cpu-usage configuration [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] |
Display historical CPU usage statistics in a coordinate system. |
display cpu-usage history [ job job-id ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] |
Display hardware information. |
display device [ flash | usb ] [ chassis chassis-number [ slot slot-number ] | verbose ] |
Display electronic label information for the device. |
display device manuinfo [ chassis chassis-number [ slot slot-number ] ] |
Display electronic label information for a chassis backplane. |
display device manuinfo chassis chassis-number chassis-only |
Display electronic label information for a fan tray. |
display device manuinfo chassis chassis-number fan fan-id |
Display electronic label information for a power supply. |
display device manuinfo chassis chassis-number power power-id |
Display or save operating information for features and hardware modules. |
display diagnostic-information [ hardware | infrastructure | l2 | l3 | service ] [ key-info ] [ filename ] |
Display device temperature information. |
display environment [ chassis chassis-number [ slot slot-number ] ] |
Display the operating states of fan trays. |
display fan [ chassis chassis-number [ fan-id ] ] |
Display memory usage statistics. |
display memory [ summary ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] |
Display memory alarm thresholds and statistics. |
display memory-threshold [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] |
Display power supply information. |
display power [ chassis chassis-number [ power-id ] ] |
Display job configuration information. |
display scheduler job [ job-name ] |
Display job execution log information. |
display scheduler logfile |
Display the automatic reboot schedule. |
display scheduler reboot |
Display schedule information. |
display scheduler schedule [ schedule-name ] |
Display system stability and status information. |
display system stable state |
Display system working mode information. |
display system-working-mode |
Display system version information. |
display version |
Display startup software image upgrade records. |
display version-update-record |
Clear job execution log information. |
reset scheduler logfile |
Clear startup software image upgrade records. |
reset version-update-record |
Using Tcl
Comware V7 provides a built-in tool command language (Tcl) interpreter. From user view, you can use the tclsh command to enter Tcl configuration view to execute the following commands:
· All Tcl 8.5 commands.
· Comware commands.
The Tcl configuration view is equivalent to the user view. You can use Comware commands in Tcl configuration view in the same way they are used in user view. For example, you can perform the following tasks:
◦ Use the system-view command to enter system view to configure features.
◦ Use the quit command to return to the upper-level view.
Using Tcl to configure the device
When you use Tcl to configure the device, follow these guidelines and restrictions:
· You can apply Tcl environment variables to Comware commands.
· No online help information is provided for Tcl commands.
· You cannot press Tab to complete an abbreviated Tcl command.
· Make sure the Tcl commands can be executed correctly. If a problem occurs when the Tcl commands are being executed, you can terminate the process by closing the connection if you logged in through Telnet or SSH. If you logged in from the console port, you must restart the device. As a best practice, log in through Telnet or SSH.
To use Tcl to configure the device:
Task |
Command |
Remarks |
Enter Tcl configuration view from user view. |
tclsh |
N/A |
Execute a Tcl command. |
Tcl command |
You can use a Comware command to enter a subview under Tcl configuration view to configure the device. |
Return from a subview under Tcl configuration view to the upper level view. |
quit |
N/A |
Return from a subview under Tcl configuration view to Tcl configuration view. |
Press Ctrl+Z. |
N/A |
Return from Tcl configuration view to user view. |
· tclquit · quit |
The tclquit command is available only in Tcl configuration view. |
Executing Comware commands in Tcl configuration view
Follow these restrictions and guidelines when you execute Comware commands in Tcl configuration view:
· For Comware commands, you can enter ? to obtain online help or press Tab to complete an abbreviated command. For more information, see "Using the CLI."
· The cli command is a Tcl command, so you cannot enter ? to obtain online help or press Tab to complete an abbreviated command.
· Successfully executed Comware commands are saved to command history buffers. You can use the up arrow or down arrow key to recall executed commands.
· To execute multiple Comware commands in one operation:
◦ Enter multiple Comware commands separated by semicolons to execute the commands in the order they are entered. For example, ospf 100; area 0.
◦ Specify multiple Comware commands for the cli command, quote them, and separate them by a space and a semicolon. For example, cli "ospf 100 ; area 0".
◦ Specify one Comware command for each cli command and separate them by a space and a semicolon. For example, cli ospf 100 ; cli area 0.
To execute Comware commands in Tcl configuration view:
Step |
Command |
Remarks |
1. Enter Tcl configuration view. |
tclsh |
N/A |
2. Execute Comware commands directly. |
Command |
Use either method. If you execute a Comware command directly, a Tcl command is executed when the Tcl command conflicts with the Comware command. If you execute a Comware command by using the cli command, the Comware command is executed when it conflicts with a Tcl command. |
3. Execute Comware commands by using the cli command. |
cli command |
Using Python
Comware 7 provides a built-in Python interpreter that supports the following items:
· Python 2.7 commands.
· Python 2.7 standard API.
· Comware 7 extended API. For more information about the Comware 7 extended API, see "Comware 7 extended Python API."
· Python scripts. You can use a Python script to configure the system.
Entering the Python shell
To use Python commands and APIs, you must enter the Python shell.
To enter the Python shell:
Task |
Command |
Enter the Python shell from user view. |
python |
Executing a Python script
Execute a Python script in user view.
Task |
Command |
Execute a Python script. |
python filename |
Exiting the Python shell
Execute this command in the Python shell.
Task |
Command |
Exit the Python shell. |
exit() |
Python usage example
Network requirements
Use a Python script to perform the following tasks:
· Download configuration files main.cfg and backup.cfg to the device.
· Configure the files as the main and backup configuration files for the next startup.
Figure 33 Network diagram
Usage procedure
# Use a text editor on the PC to configure Python script test.py as follows:
#!/usr/bin/python
import comware
# Download the two configuration files from the TFTP server to the device's flash.
comware.Transfer('tftp', '192.168.1.26', 'main.cfg', 'flash:/main.cfg')
comware.Transfer('tftp', '192.168.1.26', 'backup.cfg', 'flash:/backup.cfg')
# Set them as the next-startup main and backup configuration files; the two commands are separated by a space and a semicolon.
comware.CLI('startup saved-configuration flash:/main.cfg main ;startup saved-configuration flash:/backup.cfg backup')
# Use TFTP to download the script to the device.
<Sysname> tftp 192.168.1.26 get test.py
# Execute the script.
<Sysname> python flash:/test.py
<Sysname>startup saved-configuration flash:/main.cfg main
Please wait...... Done.
<Sysname>startup saved-configuration flash:/backup.cfg backup
Please wait...... Done.
Verifying the configuration
# Display startup configuration files.
<Sysname> display startup
Current startup saved-configuration file: flash:/startup.cfg
Next main startup saved-configuration file: flash:/main.cfg
Next backup startup saved-configuration file: flash:/backup.cfg
Comware 7 extended Python API
The Comware 7 extended Python API is compatible with the Python syntax.
Importing and using the Comware 7 extended Python API
To use the Comware 7 extended Python API, you must import the API to Python.
Use either of the following methods to import and use the Comware 7 extended Python API:
· Use import comware to import the entire API and use comware.API to execute an API.
For example, to use the extended API Transfer to download file test.cfg from TFTP server 192.168.1.26:
<Sysname> python
Python 2.7.3 (default)
[GCC 4.4.1] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import comware
>>> comware.Transfer('tftp', '192.168.1.26', 'test.cfg', 'flash:/test.cfg', user='', password='')
<comware.Transfer object at 0xb7eab0e0>
· Use from comware import API to import an API and use API to execute the API.
For example, to use the extended API Transfer to download file test.cfg from TFTP server 192.168.1.26:
<Sysname> python
Python 2.7.3 (default)
[GCC 4.4.1] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from comware import Transfer
>>> Transfer('tftp', '192.168.1.26', 'test.cfg', 'flash:/test.cfg', user='', password='')
<comware.Transfer object at 0xb7e5e0e0>
Comware 7 extended Python API functions
CLI class
CLI
Use CLI to execute Comware 7 CLI commands and create CLI objects.
Syntax
CLI(command='', do_print=True)
Parameters
command: Specifies the commands to be executed. To enter multiple commands, use a space and a semicolon (;) as the delimiter. To enter a command in a view other than user view, you must first enter the commands used to enter the view. For example, you must enter 'system-view ;local-user test class manage' to execute the local-user test class manage command.
do_print: Specifies whether to output the execution result:
· True—Outputs the execution result. This value is the default.
· False—Does not output the execution result.
Usage guidelines
This API supports only Comware commands. It does not support Linux, Python, or Tcl commands.
Returns
CLI objects
Examples
# Add a local user named test.
<Sysname> python
Python 2.7.3 (default)
[GCC 4.4.1] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import comware
>>> comware.CLI('system-view ;local-user test class manage')
Sample output
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] local-user test class manage
New local user added.
<comware.CLI object at 0xb7f680a0>
get_output
Use get_output to get the output from executed commands.
Syntax
CLI.get_output()
Returns
Output from executed commands
Examples
# Add a local user and get the output from the command.
<Sysname> python
Python 2.7.3 (default)
[GCC 4.4.1] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import comware
>>> c = comware.CLI('system-view ;local-user test class manage', False)
>>> c.get_output()
Sample output
['<Sysname>system-view', 'System View: return to User View with Ctrl+Z.', '[Sysname]local-user test class manage', 'New local user added.']
Transfer class
Transfer
Use Transfer to download a file from a server.
Syntax
Transfer(protocol='', host='', source='', dest='', vrf='', login_timeout=10, user='', password='')
Parameters
protocol: Specifies the protocol used to download a file:
· ftp—Uses FTP.
· tftp—Uses TFTP.
· http—Uses HTTP.
host: Specifies the IP address of the remote server.
source: Specifies the name of the file to be downloaded from the remote server.
dest: Specifies a name for the downloaded file.
vrf: Specifies the MPLS L3VPN instance to which the remote server belongs. This argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If the server belongs to the public network, do not specify this argument.
login_timeout: Specifies the timeout for the operation, in seconds. The default is 10.
user: Specifies the username for logging in to the server.
password: Specifies the login password.
Returns
Transfer object
Examples
# Download file test.cfg from TFTP server 192.168.1.26.
<Sysname> python
Python 2.7.3 (default)
[GCC 4.4.1] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import comware
>>> comware.Transfer('tftp', '192.168.1.26', 'test.cfg', 'flash:/test.cfg', user='', password='')
Sample output
<comware.Transfer object at 0xb7f700e0>
get_error
Use get_error to get the error information from the download operation.
Syntax
Transfer.get_error()
Returns
Error information (if there is no error information, None is returned)
Examples
# Download file test.cfg from TFTP server 1.1.1.1 and get the error information from the operation.
<Sysname> python
Python 2.7.3 (default)
[GCC 4.4.1] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import comware
>>> c = comware.Transfer('tftp', '1.1.1.1', 'test.cfg', 'flash:/test.cfg', user='', password='')
>>> c.get_error()
Sample output
'Timeout was reached'
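The following script is an added example written for this guide and is not the manual's own code. It reworks the usage example's test.py using the CLI, get_output, Transfer and get_error calls documented above, so that the next-startup files are changed only after both downloads have succeeded; outside the device's Python shell the comware module is absent, so the script falls back to a constructed stand-in (FakeComware, hypothetical) that mimics the sample outputs shown on this page.

```python
# Added example, not from the H3C manual: a defensive version of the manual's
# test.py. It uses comware.Transfer/get_error and comware.CLI/get_output as
# documented above. Off-device the 'comware' module is absent, so a constructed
# stand-in (FakeComware) exercises the same logic.
try:
    import comware  # present only in the Python shell on a Comware 7 device
except ImportError:
    comware = None

TFTP_SERVER = '192.168.1.26'  # server address used in the manual's examples
# (source file on the server, destination on the device, startup role)
CONFIG_FILES = [
    ('main.cfg', 'flash:/main.cfg', 'main'),
    ('backup.cfg', 'flash:/backup.cfg', 'backup'),
]


def download(api, host, source, dest):
    """Download one file over TFTP; return None on success or the error text."""
    transfer = api.Transfer('tftp', host, source, dest, user='', password='')
    return transfer.get_error()  # documented to return None when there is no error


def set_next_startup(api, dest, role):
    """Run 'startup saved-configuration <dest> <role>'; True if it reported Done."""
    # do_print=False suppresses console output; get_output() returns the lines.
    cli = api.CLI('startup saved-configuration {0} {1}'.format(dest, role), False)
    return any('Done' in line for line in cli.get_output())


def provision(api, host=TFTP_SERVER, files=CONFIG_FILES):
    """Download all files first; touch startup settings only if every download succeeded.

    Returns (ok, details): details maps role -> error text for a failed
    download, or role -> True/False for the result of the startup command.
    """
    errors = {}
    for source, dest, role in files:
        err = download(api, host, source, dest)
        if err is not None:
            errors[role] = err
    if errors:
        # Leave the current next-startup files untouched rather than pointing
        # the device at a file that was never written to the flash.
        return False, errors
    results = {}
    for _source, dest, role in files:
        results[role] = set_next_startup(api, dest, role)
    return all(results.values()), results


class _FakeTransfer(object):
    """Constructed stand-in for comware.Transfer (same parameter list)."""
    def __init__(self, protocol, host, source, dest, vrf='', login_timeout=10,
                 user='', password=''):
        # Mimic the manual's sample outputs: unreachable host -> timeout error.
        self._error = None if host == TFTP_SERVER else 'Timeout was reached'

    def get_error(self):
        return self._error


class _FakeCLI(object):
    """Constructed stand-in for comware.CLI that echoes commands like the sample output."""
    def __init__(self, command='', do_print=True):
        self._output = []
        for cmd in command.split(';'):
            self._output.append('<Sysname>' + cmd.strip())
            self._output.append('Please wait...... Done.')
        if do_print:
            print('\n'.join(self._output))

    def get_output(self):
        return self._output


class FakeComware(object):
    """Namespace exposing the attributes the script uses from the real module."""
    Transfer = _FakeTransfer
    CLI = _FakeCLI


if __name__ == '__main__':
    # On the device this runs against the real API; elsewhere against the fake.
    ok, details = provision(comware if comware is not None else FakeComware())
    print('startup files updated' if ok else 'aborted: {0}'.format(details))
```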
API get_self_slot
get_self_slot
(In standalone mode.) Use get_self_slot to get the slot number of the active MPU.
(In IRF mode.) Use get_self_slot to get the slot number of the global active MPU.
Syntax
get_self_slot()
Returns
(In standalone mode.) A list object in the format of [1,slot-number]. The slot-number indicates the slot number of the active MPU.
(In IRF mode.) A list object in the format of [chassis-number,slot-number]. The chassis-number and slot-number indicate the member ID of the master device and the slot number of the global active MPU on the master device.
Examples
# (In standalone mode.) Get the slot number of the active MPU.
<Sysname> python
Python 2.7.3 (default)
[GCC 4.4.1] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import comware
>>> comware.get_self_slot()
Sample output
[1,0]
API get_standby_slot
get_standby_slot
(In standalone mode.) Use get_standby_slot to get the slot number of the standby MPU.
(In IRF mode.) Use get_standby_slot to get the slot numbers of the global standby MPUs.
Syntax
get_standby_slot()
Returns
(In standalone mode.) A list object in the format of [[-1,slot-number]]. The slot-number indicates the slot number of a standby MPU. If the device does not have a standby MPU, [ ] is returned.
(In IRF mode.) A list object in one of the following formats:
· [ ]—The IRF fabric does not have a global standby MPU.
· [[chassis-number,slot-number]]—The IRF fabric has only one global standby MPU.
· [[chassis-number1,slot-number1],[chassis-number2,slot-number2],…]—The IRF fabric has multiple standby MPUs.
The chassis-number and slot-number arguments indicate the device member IDs and slot numbers of the global standby MPUs.
Examples
# (In standalone mode.) Get the slot number of the standby MPU.
<Sysname> python
Python 2.7.3 (default)
[GCC 4.4.1] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import comware
>>> comware.get_standby_slot()
Sample output
[[-1, 1], [-1, 2]]
API get_slot_range
get_slot_range
Use get_slot_range to get the supported slot number range.
Syntax
get_slot_range()
Returns
A dictionary object in the format of {'MaxSlot': max-slot-number, 'MinSlot': min-slot-number }. The max-slot-number argument indicates the maximum slot number. The min-slot-number argument indicates the minimum slot number.
Examples
# Get the supported slot number range.
<Sysname> python
Python 2.7.3 (default)
[GCC 4.4.1] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import comware
>>> comware.get_slot_range()
Sample output
{'MaxSlot': 447, 'MinSlot': 0}
API get_slot_info
get_slot_info
Use get_slot_info to get information about the module in the specified slot.
Syntax
get_slot_info(slot-number)
Returns
A dictionary object in the format of {'Slot': slot-number, 'Status': 'status', 'Chassis': chassis-number, 'Role': 'role', 'Cpu': CPU-number }. The slot-number argument indicates the slot number of the module. The status argument indicates the status of the module. The chassis-number argument indicates the member ID of the device. The role argument indicates the role of the module. The CPU-number argument indicates the ID of the main CPU on the module.
Examples
# Get information about a module.
<Sysname> python
Python 2.7.3 (default)
[GCC 4.4.1] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import comware
>>> comware.get_slot_info(1)
Sample output
{'Slot': 1, 'Status': 'Normal', 'Chassis': 0, 'Role': 'Master', 'Cpu': 0}
Managing licenses
License-based features require a license to run on your device. To use a license-based feature, you must purchase a license.
This chapter describes how to license a feature, transfer a license between devices, remove a license, and manage the license storage space.
License types
The following types of licenses are available depending on validity period:
· Permanent—A permanent license is always valid and never expires.
· Days restricted—A license valid for a limited period in days, for example, 30 days.
Locking methods
The following locking methods are available:
· Device locked—A license can be installed only on the DID-specific device. The license takes effect on any MPU in the device even after an MPU replacement. The device supports this locking method.
· MPU locked—A license can be installed only on the DID-specific MPU. The license takes effect on the MPU even after the MPU is moved to a different device.
Restrictions and guidelines
General restrictions and guidelines
When you manage licenses, follow the general restrictions and guidelines:
· Make sure no one else is performing license management tasks on the device you are working with.
· Expired formal licenses cannot be uninstalled. Expired licenses remain in the license storage area unless you compress the license storage area.
· Licenses cannot be installed if the license storage area has insufficient free space. Before registering licenses, use the display license feature command to identify the number of available license storage entries, and do not register more licenses than that number.
· When installing a license, the system also searches the storage media for a matching feature package. When it finds a matching package, it stops searching and installs the package.
· When uninstalling a license, the system checks whether the feature package for the license is running. If it is running, the system uninstalls the package automatically.
· If you cannot obtain or re-register the activation file due to problems such as operating system and browser errors, contact H3C Support.
License file safety
When you manage licenses, follow these restrictions and guidelines for license file safety:
· Save and back up the obtained activation file in case of loss.
· If you use FTP to transfer the activation file, use the Binary mode.
· Do not open and edit the activation file to avoid file corruption.
· Do not modify the name of the activation file to avoid licensing error.
· Do not delete or move files in the flash:/license directory on a device. The license management feature uses this directory for license management. An incorrect file operation can cause problems. For example, if you delete an activation file that is usable or in use, the related feature will not function correctly. If a file is missing or corrupted, use the copy command to copy its backup file to the directory to recover the license. If the state of the recovered license is In use but not all licensed features can function, reboot the device. To verify the license state, use the display license command.
Licenses for different device types
(In standalone mode.) License registration requires a license key, hardware SN, and DID. This information is device specific. A registered license takes effect on the entire device.
(In IRF mode.) When you register and install licenses, follow these restrictions and guidelines:
· Install one license for the feature on each member in the fabric. Make sure the SN and DID used for registering the feature license matches the current SN and DID of the specified member device.
· Make sure the licenses installed on the members are the same.
· A registered license takes effect on the member device where it is installed, and it is effective even after the member device joins another IRF fabric.
Compressing the license storage
CAUTION:
· Compressing the license storage deletes expired licenses, uninstalled licenses, and Uninstall files. Back up the Uninstall files before you compress the license storage.
· The DID changes each time the license storage is compressed. Before performing a compression, make sure all activation files generated based on the old DID have been installed. They cannot be installed after the compression.
When the value for the Total field equals that of the Usage field from the output of the display license feature command, the license storage area is full. To ensure sufficient storage space for installing new licenses, compress the license storage area.
To compress the license storage:
Step | Command
1. Enter system view. | system-view
2. Compress the license storage. | In standalone mode: In IRF mode:
Registering and activating a license
Make sure you have purchased a license for the first registration or an upgrade license for add-on nodes, add-on features, or time extensions.
To register and activate a license:
Step | Command
1. Identify the number of available license storage entries. | display license feature
2. (Optional.) Compress the license storage if the free license storage is not sufficient for the licenses to be activated. |
3. Obtain the SN and DID on the device. | display license device-id
4. Identify the license key on your license. | N/A
5. Access http://www.h3c.com/portal/Technical_Support___Documents/Product_Licensing/, and select Register the First Time or Register Upgrade Licenses from the navigation tree. | N/A
6. Select the product category and use the license key, SN, and DID to register the license. | N/A
7. Download the activation file to the device. | N/A
8. Enter system view. | system-view
9. Install the activation file. | In standalone mode: In IRF mode:
Transferring a license
You can transfer a license from one device to another if its activation file has not expired. If the activation file has expired, the license is not transferable.
To transfer a license:
Step | Command | Remarks
1. Enter system view on the source device. | system-view | N/A
2. Uninstall the activation file. | In standalone mode: In IRF mode: | When an activation file is uninstalled, the system creates an Uninstall file. This file is required when you register the license for the target device. The uninstallation action does not delete license data from the license storage area. To free storage space, you must compress the license storage (see "Compressing the license storage").
3. Obtain the Uninstall key of the source device. | display license | N/A
4. Access the target device and display SN and DID information. | display license device-id | N/A
5. Access http://www.h3c.com/portal/Technical_Support___Documents/Product_Licensing/, and use the target device's SN and DID information and the source device's Uninstall key to generate a new activation file. | N/A | N/A
6. Download the new activation file to the target device. | N/A | N/A
7. Install the activation file on the target device. | N/A |
Displaying and maintaining licenses
Execute display commands in any view.
Task | Command
(In standalone mode.) Display the SN and DID of the device. | display license device-id
(In IRF mode.) Display the SN and DID of an IRF member device. | display license device-id chassis chassis-number
(In standalone mode.) Display detailed license information. | display license [ activation-file ]
(In IRF mode.) Display detailed license information. | display license [ activation-file ] [ chassis chassis-number ]
Display brief feature license information. | display license feature
Configuring preprovisioning
Preprovisioning allows you to preconfigure offline modules, including interface modules and interfaces on the modules.
You can preprovision a module before installing or attaching the module to the system. The preprovisioned settings are applied when the module comes online. If the module goes offline, the existing preprovisioned settings are retained. You can continue to change the existing settings or add new settings. The final settings are applied when the module comes online again.
You can also preprovision an online module. The model specified for the slot must be the same as the model of the slot.
Enabling preprovisioning
The device automatically creates interfaces when preprovisioning is enabled for a module. The display interface command does not display these interfaces until the module comes online.
After preprovisioning is enabled for a module, you can configure the module. To verify the preprovisioned settings, see "Displaying and maintaining preprovisioned settings." For the preprovisioned settings to survive a reboot, you must use the save command to save the settings to the next-startup configuration file.
When you disable preprovisioning on a slot, the device removes all preprovisioned commands from the slot.
To enable preprovisioning on a slot:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Select the slot to preprovision and enter slot view. | In standalone mode: In IRF mode: | N/A
3. Enable preprovisioning on the slot for an interface module. | provision model model | By default, preprovisioning is disabled. You must make sure the specified model matches the model of the module you want to preprovision. If the model information does not match, the module cannot come online.
Displaying and maintaining preprovisioned settings
Execute display commands in any view and the reset command in user view.
Task | Command | Remarks
Display the preprovisioned commands that were not applied to preprovisioned modules that came online. | display provision failed-config | A preprovisioned command cannot be applied if it conflicts with the running configuration. Use this command to verify the application result of preprovisioned commands except for the following commands: · duplex · location · oc-3 · speed · sflow · threshold · using oc-3c. To verify the application result of the listed commands, use the display current-configuration command. The display provision failed-config command might display incorrect application results for the listed commands.
Verify that the preprovisioned commands were successfully applied. | display current-configuration | N/A
Clear the preprovisioned commands that were not applied to preprovisioned modules that came online. | reset provision failed-config | N/A
Using automatic configuration
Overview
When the device starts up without a valid next-startup configuration file, the device searches the root directory of its default file system for the autocfg.py, autocfg.tcl, and autocfg.cfg files. If any one of the files exists, the device loads the file. If none of the files exists, the device uses the automatic configuration feature to obtain a set of configuration settings. This feature simplifies network configuration and maintenance.
Automatic configuration can be implemented by using a set of servers, including a DHCP server and a file server (HTTP or TFTP server). A DNS server might also be required.
Server-based automatic configuration applies to scenarios that have the following characteristics:
· A number of devices need to be configured.
· The devices to be configured are widely distributed.
· The configuration workload on individual devices is heavy.
Using server-based automatic configuration
As shown in Figure 34, server-based automatic configuration requires the following servers:
· DHCP server.
· File server (TFTP or HTTP server).
· (Optional.) DNS server.
Figure 34 Server-based automatic configuration network diagram
Server-based automatic configuration task list
Tasks at a glance:
· (Required.) Configuring the file server
· (Required.) Preparing the files for automatic configuration
· (Required.) Configuring the DHCP server
· (Optional.) Configuring the DNS server
· (Optional.) Configuring the gateway
· (Required.) Preparing the interface used for automatic configuration
· (Required.) Starting and completing automatic configuration
Configuring the file server
For devices to obtain configuration information from a TFTP server, start TFTP service on the file server.
For devices to obtain configuration information from an HTTP server, start HTTP service on the file server.
Preparing the files for automatic configuration
The device can use a script file or configuration file for automatic configuration.
· For devices to use configuration files for automatic configuration, you must create and save the configuration files to the file server as described in "Configuration files." If you do not configure the DHCP server to assign configuration file names, you must also create a host name file on the TFTP server.
· For devices to use script files for automatic configuration, you must create and save the script files to the file server as described in "Script files."
Host name file
The host name file contains host name-IP address mappings and must be named network.cfg.
All mapping entries in the host name file must use the ip host host-name ip-address format. Each mapping entry must reside on a separate line. For example:
ip host host1 101.101.101.101
ip host host2 101.101.101.102
ip host client1 101.101.101.103
ip host client2 101.101.101.104
Configuration files
To prepare configuration files:
· For devices that require different configurations, perform the following tasks:
◦ Determine the name for each device's configuration file. The configuration file names must use the extension .cfg. For simple file name identification, use configuration file names that do not contain spaces.
◦ Use the file names to save the configuration files for the devices to the file server.
· For devices that share all or some configurations, save the common configurations to a .cfg file on the file server.
· If a TFTP file server is used, you can save a default configuration file named device.cfg on the server. This file contains only common configurations that devices use to start up. This file is assigned to a device only when the device does not have other configuration files to use.
During the automatic configuration process, a device first tries to obtain a configuration file dedicated for it. If no dedicated configuration file is found, the device tries to obtain the common configuration file. If no common configuration file is found when a TFTP file server is used, the device obtains and uses the default configuration file.
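As an added example (not part of the manual), the following Python script validates a host name file in the format described above and shows which configuration file names a device with a given IP address would try, using the host-name.cfg and device.cfg naming from this section. The file content is constructed from the example entries, the DHCP-assigned file name (bootfile-name) is not modelled, and the script is meant to run on an administrator's workstation, not on the device.

```python
# Added example, not from the H3C manual: validator for the host name file
# (network.cfg) and the dedicated-then-default file-name lookup described in
# the "Configuration files" section. Sample file content is constructed.
import ipaddress

SAMPLE_NETWORK_CFG = """\
ip host host1 101.101.101.101
ip host host2 101.101.101.102
ip host client1 101.101.101.103
ip host client2 101.101.101.104
"""


def parse_network_cfg(text):
    """Return ({ip: host-name}, [error messages]) for a network.cfg body.

    Every entry must be 'ip host host-name ip-address' on its own line.
    Malformed lines are reported with their line number instead of being
    silently skipped, so a broken mapping is noticed before devices boot.
    """
    mappings = {}
    errors = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue  # blank lines and comment lines are ignored
        parts = line.split()
        if len(parts) != 4 or parts[0] != 'ip' or parts[1] != 'host':
            errors.append('line {0}: expected "ip host host-name ip-address"'.format(lineno))
            continue
        host, addr = parts[2], parts[3]
        try:
            ip = str(ipaddress.ip_address(addr))
        except ValueError:
            errors.append('line {0}: invalid IP address {1}'.format(lineno, addr))
            continue
        if ip in mappings:
            # One address cannot resolve to two host names (two config files).
            errors.append('line {0}: duplicate mapping for {1}'.format(lineno, ip))
            continue
        mappings[ip] = host
    return mappings, errors


def config_file_candidates(mappings, device_ip):
    """Return the TFTP configuration file names a device would try, in order.

    1. <host-name>.cfg, the dedicated file, if the device's IP is listed
       in the host name file;
    2. device.cfg, the default file on a TFTP server.
    """
    candidates = []
    host = mappings.get(str(ipaddress.ip_address(device_ip)))
    if host:
        candidates.append(host + '.cfg')
    candidates.append('device.cfg')
    return candidates


if __name__ == '__main__':
    table, problems = parse_network_cfg(SAMPLE_NETWORK_CFG)
    for problem in problems:
        print('network.cfg: ' + problem)
    for ip, host in sorted(table.items()):
        print('{0} -> {1}'.format(ip, config_file_candidates(table, ip)))
```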
Script files
Script files can be used for automatic software upgrade and automatic configuration. The device supports Python scripts (.py files) and Tcl scripts (.tcl files). For more information about Python and Tcl scripts, see "Using Python" and "Using Tcl."
Make sure all commands in the Tcl scripts are supported, correctly spelled, and executed in the correct views. A faulty command that cannot be executed causes the automatic configuration process to be aborted.
To prepare script files:
· For devices that share all or some configurations, create a script file that contains the common configurations.
· For the other devices, create a separate script file for each of them.
Configuring the DHCP server
The DHCP server assigns the following items to devices that need to be automatically configured:
· IP addresses.
· Paths of the configuration files or scripts.
Configuration guidelines
When you configure the DHCP server, follow these guidelines:
· For devices for which you have prepared different configuration files, perform the following tasks for each of the devices on the DHCP server:
◦ Create a DHCP address pool.
◦ Configure a static address binding.
◦ Specify a configuration file or script file.
Because an address pool can use only one configuration file, you can specify only one static address binding for an address pool.
· For devices for which you have prepared the same configuration file, use either of the following methods:
◦ Method 1:
- Create a DHCP address pool for the devices.
- Configure a static address binding for each of the devices in the address pool.
- Specify the configuration file for the devices.
◦ Method 2:
- Create a DHCP address pool for the devices.
- Specify the subnet for dynamic allocation.
- Specify the TFTP server.
- Specify the configuration file for the devices.
· If all devices on a subnet share the same configuration file or script file, perform the following tasks on the DHCP server:
◦ Configure dynamic address allocation.
◦ Specify the configuration file or script file for the devices.
The file can contain only the common settings for the devices. You can provide a method for the device administrators to change the configurations after their devices start up.
Configuring the DHCP server when an HTTP file server is used
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enable DHCP. | dhcp enable | By default, DHCP is disabled.
3. Create a DHCP address pool and enter its view. | dhcp server ip-pool pool-name | By default, no DHCP address pool is created.
4. Configure the address pool. | · (Method 1.) Specify the primary subnet for the address pool: · (Method 2.) Configure a static binding: | Use either or both methods. By default, no primary subnet or static binding is configured. You can add multiple static bindings. One IP address can be bound to only one client. To change the binding for a DHCP client, you must remove the binding and reconfigure a binding.
5. Specify the URL of the configuration file or script file. | bootfile-name url | By default, no configuration or script file URL is specified.
Configuring the DHCP server when a TFTP file server is used
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enable DHCP. | dhcp enable | By default, DHCP is disabled.
3. Create a DHCP address pool and enter its view. | dhcp server ip-pool pool-name | By default, no DHCP address pool is created.
4. Configure the address pool. | · (Method 1.) Specify the primary subnet for the address pool: · (Method 2.) Configure a static binding: | Use either or both methods. By default, no primary subnet or static binding is configured. You can add multiple static bindings. One IP address can be bound to only one client. To change the binding for a DHCP client, you must remove the binding and reconfigure a binding.
5. Specify a TFTP server. | · (Method 1.) Specify the IP address of the TFTP server: · (Method 2.) Specify the name of the TFTP server: | Use either or both methods. By default, no TFTP server is specified. If you specify a TFTP server by its name, a DNS server is required on the network.
6. Specify the configuration file name or the script file name. | bootfile-name bootfile-name | By default, no configuration file name or script file name is specified.
Configuring the DNS server
A DNS server is required in the following situations:
· The TFTP server does not have a host name file. However, devices need to perform the following operations:
◦ Use their IP addresses to obtain their host names.
◦ Obtain configuration files named in the host-name.cfg format from the TFTP server.
· The DHCP server assigns the TFTP server domain name through the DHCP reply message. Devices must use the domain name to obtain the IP address of the TFTP server.
Configuring the gateway
If the devices to be automatically configured and the servers for automatic configuration reside in different network segments, you must perform the following tasks:
· Deploy a gateway and make sure the devices can communicate with the servers.
· Configure the DHCP relay agent feature on the gateway.
· Configure the UDP helper feature on the gateway.
When a device sends a request through a broadcast packet to the file server, the UDP helper changes the broadcast packet to a unicast packet and forwards the unicast packet to the file server. For more information about UDP helper, see Layer 3—IP Services Configuration Guide.
Preparing the interface used for automatic configuration
The device uses the following steps to select the interface for automatic configuration:
1. Identifies the status of the management Ethernet interface at Layer 2. If the status is up, the device uses the management Ethernet interface.
2. Identifies the status of Layer 2 Ethernet interfaces. If one or more Layer 2 Ethernet interfaces are in up state, the device uses the VLAN interface of the default VLAN.
3. Sorts all Layer 3 Ethernet interfaces in up state first in lexicographical order of interface types and then in ascending order of interface numbers. Uses the interface with the smallest interface number among the interfaces of the first interface type.
4. If no Layer 3 Ethernet interfaces are in up state, the device waits 30 seconds and goes to step 1 to try again.
For fast automatic device configuration, connect only the management Ethernet interface on each device to the network.
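Added example, not from the manual: a Python model of the four-step interface selection procedure above, run on a workstation against a constructed interface snapshot. It assumes VLAN 1 is the default VLAN and that interface numbers such as 1/0/10 compare numerically, field by field; knowing which interface will be selected tells you where the device will send its DHCP and TFTP requests during automatic configuration.

```python
# Added example, not from the H3C manual: model of the interface selection
# steps for automatic configuration. Interface data below is constructed.
import re

DEFAULT_VLAN = 1  # assumption: VLAN 1 is the default VLAN

# Constructed snapshot of interface state. Each entry is
# (interface name, 'mgmt' | 'l2' | 'l3', up?).
SAMPLE_INTERFACES = [
    ('M-GigabitEthernet0/0/0', 'mgmt', False),
    ('HundredGigE1/0/2', 'l3', True),
    ('GigabitEthernet1/0/10', 'l3', True),
    ('GigabitEthernet1/0/9', 'l3', True),
    ('Ten-GigabitEthernet1/0/1', 'l3', False),
]

# Interface type (letters and hyphens) followed by slash-separated numbers.
_NAME_RE = re.compile(r'^([A-Za-z-]+?)(\d+(?:/\d+)*)$')


def split_name(name):
    """'GigabitEthernet1/0/10' -> ('GigabitEthernet', (1, 0, 10)).

    The numeric tuple makes 1/0/9 sort before 1/0/10, which a plain string
    comparison would get wrong.
    """
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError('unrecognised interface name: ' + name)
    return m.group(1), tuple(int(x) for x in m.group(2).split('/'))


def select_autocfg_interface(interfaces, default_vlan=DEFAULT_VLAN):
    """Return the interface the device would use, or None (retry after 30 s).

    1. the management Ethernet interface, if it is up;
    2. else the default VLAN's VLAN interface, if any Layer 2 Ethernet
       interface is up;
    3. else the up Layer 3 Ethernet interface that comes first by type
       (lexicographic order) and then by number (ascending);
    4. else None, meaning the device waits 30 seconds and starts over.
    """
    up = [(name, kind) for name, kind, is_up in interfaces if is_up]
    for name, kind in up:
        if kind == 'mgmt':
            return name
    if any(kind == 'l2' for _name, kind in up):
        return 'Vlan-interface{0}'.format(default_vlan)
    layer3 = [name for name, kind in up if kind == 'l3']
    if not layer3:
        return None
    # min over (type, number-tuple) gives the first type, then its lowest number.
    return min(layer3, key=split_name)


if __name__ == '__main__':
    chosen = select_autocfg_interface(SAMPLE_INTERFACES)
    print('automatic configuration would use: {0}'.format(chosen))
```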
Starting and completing automatic configuration
1. Power on the devices to be automatically configured.
If a device does not find a next-startup configuration file locally, it starts the automatic configuration process to obtain a configuration file. If one attempt fails, the device waits 30 seconds and then automatically starts the process again. To stop the process, press Ctrl+C or Ctrl+D.
After obtaining a configuration file, the device automatically executes the configuration file.
2. Use the save command to save the running configuration.
The device does not save the obtained configuration file locally. If you do not save the running configuration, the device must use the automatic configuration feature again after a reboot.
For more information about the save command, see Fundamentals Command Reference.
Server-based automatic configuration examples
Automatic configuration using TFTP server
Network requirements
As shown in Figure 35, two departments of a company are connected to the network through gateways (Switch B and Switch C). Access devices Switch D, Switch E, Switch F, and Switch G do not have a configuration file.
Configure the servers and gateways so the access devices can obtain a configuration file to complete the following configuration tasks:
· Enable administrators of access devices to Telnet to and manage their respective access devices.
· Require administrators to enter their respective usernames and passwords at login.
Configuration procedure
1. Configure the DHCP server:
# Create a VLAN interface and assign an IP address to the interface.
<SwitchA> system-view
[SwitchA] vlan 2
[SwitchA-vlan2] port hundredgige 1/0/1
[SwitchA-vlan2] quit
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] ip address 192.168.1.42 24
[SwitchA-Vlan-interface2] quit
# Enable DHCP.
[SwitchA] dhcp enable
# Enable the DHCP server on VLAN-interface 2.
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] dhcp select server
[SwitchA-Vlan-interface2] quit
# Configure address pool market to assign IP addresses on the 192.168.2.0/24 subnet to clients in the Marketing department. Specify the TFTP server, gateway, and configuration file name for the clients.
[SwitchA] dhcp server ip-pool market
[SwitchA-dhcp-pool-market] network 192.168.2.0 24
[SwitchA-dhcp-pool-market] tftp-server ip-address 192.168.1.40
[SwitchA-dhcp-pool-market] gateway-list 192.168.2.1
[SwitchA-dhcp-pool-market] bootfile-name market.cfg
[SwitchA-dhcp-pool-market] quit
# Configure address pool rd to assign IP addresses on the 192.168.3.0/24 subnet to clients in the R&D department. Specify the TFTP server, gateway, and configuration file name for the clients.
[SwitchA] dhcp server ip-pool rd
[SwitchA-dhcp-pool-rd] network 192.168.3.0 24
[SwitchA-dhcp-pool-rd] tftp-server ip-address 192.168.1.40
[SwitchA-dhcp-pool-rd] gateway-list 192.168.3.1
[SwitchA-dhcp-pool-rd] bootfile-name rd.cfg
[SwitchA-dhcp-pool-rd] quit
# Configure static routes to the DHCP relay agents.
[SwitchA] ip route-static 192.168.2.0 24 192.168.1.41
[SwitchA] ip route-static 192.168.3.0 24 192.168.1.43
[SwitchA] quit
2. Configure the gateway Switch B:
# Create VLAN interfaces and assign IP addresses to the interfaces.
<SwitchB> system-view
[SwitchB] vlan 2
[SwitchB-vlan2] port hundredgige 1/0/3
[SwitchB-vlan2] quit
[SwitchB] interface vlan-interface 2
[SwitchB-Vlan-interface2] ip address 192.168.1.41 24
[SwitchB-Vlan-interface2] quit
[SwitchB] vlan 3
[SwitchB-vlan3] port hundredgige 1/0/1
[SwitchB-vlan3] port hundredgige 1/0/2
[SwitchB-vlan3] quit
[SwitchB] interface vlan-interface 3
[SwitchB-Vlan-interface3] ip address 192.168.2.1 24
[SwitchB-Vlan-interface3] quit
# Enable DHCP.
[SwitchB] dhcp enable
# Enable the DHCP relay agent on VLAN-interface 3.
[SwitchB] interface vlan-interface 3
[SwitchB-Vlan-interface3] dhcp select relay
# Specify the DHCP server address.
[SwitchB-Vlan-interface3] dhcp relay server-address 192.168.1.42
3. Configure the gateway Switch C:
# Create VLAN interfaces and assign IP addresses to the interfaces.
<SwitchC> system-view
[SwitchC] vlan 2
[SwitchC-vlan2] port hundredgige 1/0/3
[SwitchC-vlan2] quit
[SwitchC] interface vlan-interface 2
[SwitchC-Vlan-interface2] ip address 192.168.1.43 24
[SwitchC-Vlan-interface2] quit
[SwitchC] vlan 3
[SwitchC-vlan3] port hundredgige 1/0/1
[SwitchC-vlan3] port hundredgige 1/0/2
[SwitchC-vlan3] quit
[SwitchC] interface vlan-interface 3
[SwitchC-Vlan-interface3] ip address 192.168.3.1 24
[SwitchC-Vlan-interface3] quit
# Enable DHCP.
[SwitchC] dhcp enable
# Enable the DHCP relay agent on VLAN-interface 3.
[SwitchC] interface vlan-interface 3
[SwitchC-Vlan-interface3] dhcp select relay
# Specify the DHCP server address.
[SwitchC-Vlan-interface3] dhcp relay server-address 192.168.1.42
4. Configure the TFTP server:
# On the TFTP server, create a configuration file named market.cfg.
#
sysname Market
#
telnet server enable
#
vlan 3
#
local-user market
password simple market
service-type telnet
quit
#
interface Vlan-interface3
ip address dhcp-alloc
quit
#
interface hundredgige 1/0/1
port access vlan 3
quit
#
user-interface vty 0 63
authentication-mode scheme
user-role network-admin
#
return
# On the TFTP server, create a configuration file named rd.cfg.
#
sysname RD
#
telnet server enable
#
vlan 3
#
local-user rd
password simple rd
service-type telnet
quit
#
interface Vlan-interface3
ip address dhcp-alloc
quit
#
interface hundredgige 1/0/1
port access vlan 3
quit
#
user-interface vty 0 63
authentication-mode scheme
user-role network-admin
#
return
# Start TFTP service software, and specify the folder where the two configuration files reside as the working directory. (Details not shown.) TFTP provides no authentication or encryption, so any host that can reach the server can read these files, including the passwords they store in simple (plaintext) form. Restrict the server to the management network, and change the passwords after the first login.
# Verify that the TFTP server and DHCP relay agents can reach each other. (Details not shown.)
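The two files above are served over TFTP, which has no authentication or confidentiality, and they enable Telnet with passwords stored in simple (plaintext) form. The following script, added here as an example and not part of the original procedure or of any H3C tool, checks bootstrap configuration files for such weak settings before they are placed in the TFTP working directory. The sample input is the page's market.cfg with one constructed authentication-mode none line added; the check patterns and severities are this example's own choices.

```python
# Added example (not from the page): audit bootstrap config files that a
# TFTP/HTTP server will hand to unconfigured switches. Patterns and
# severities are this example's own choices.
import re

# Constructed sample: market.cfg from the page plus one deliberately weak
# "authentication-mode none" line (line 12).
SAMPLE_MARKET_CFG = """\
#
sysname Market
#
telnet server enable
#
local-user market
password simple market
service-type telnet
quit
#
user-interface vty 0 63
authentication-mode none
user-role network-admin
#
return
"""

# (regex matched against each line, severity, message template)
CHECKS = [
    (r"^\s*password\s+simple\s+(\S+)", "high",
     "plaintext password '{0}' in a file served by TFTP/HTTP"),
    (r"^\s*telnet\s+server\s+enable", "medium",
     "Telnet enabled: credentials and sessions cross the network in cleartext"),
    (r"^\s*authentication-mode\s+none", "high",
     "VTY lines accept logins without authentication"),
    (r"^\s*user-role\s+network-admin", "low",
     "network-admin granted to every VTY login; consider a least-privilege role"),
]


def audit_config(text):
    """Return (line_no, severity, message) for every line matching a check."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for pattern, sev, msg in CHECKS:
            m = re.match(pattern, line)
            if m:
                findings.append((no, sev, msg.format(*m.groups())))
    return findings


def password_equals_username(text):
    """Return local users whose simple password equals their username
    (the page's market/market and rd/rd pairs would both be flagged)."""
    weak = []
    user = None
    for line in text.splitlines():
        m = re.match(r"^\s*local-user\s+(\S+)", line)
        if m:
            user = m.group(1)
            continue
        m = re.match(r"^\s*password\s+simple\s+(\S+)", line)
        if m and user is not None and m.group(1) == user:
            weak.append(user)
    return weak


def main():
    for no, sev, msg in audit_config(SAMPLE_MARKET_CFG):
        print("line %d [%s] %s" % (no, sev, msg))
    for user in password_equals_username(SAMPLE_MARKET_CFG):
        print("user %s: password equals username" % user)


if __name__ == "__main__":
    main()
```

Run it against every file in the TFTP working directory before starting the service; a high finding means the file should not be published as-is.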
Verifying the configuration
1. Power on Switch D, Switch E, Switch F, and Switch G.
2. After the access devices start up, display assigned IP addresses on Switch A.
<SwitchA> display dhcp server ip-in-use
IP address Client-identifier/ Lease expiration Type
Hardware address
192.168.2.2 3030-3066-2e65-3233- May 6 05:21:25 2013 Auto(C)
642e-3561-6633-2d56-
6c61-6e2d-696e-7465-
7266-6163-6533
192.168.2.3 3030-3066-2e65-3230- May 6 05:22:50 2013 Auto(C)
302e-3232-3033-2d56-
6c61-6e2d-696e-7465-
7266-6163-6533
192.168.3.2 3030-6530-2e66-6330- May 6 05:23:15 2013 Auto(C)
302e-3335-3131-2d56-
6c61-6e2d-696e-7465-
7266-6163-6531
192.168.3.3 3030-6530-2e66-6330- May 6 05:24:10 2013 Auto(C)
302e-3335-3135-2d56-
6c61-6e2d-696e-7465-
7266-6163-6532
3. Telnet to 192.168.2.2 from Switch A.
<SwitchA> telnet 192.168.2.2
4. Enter username market and password market as prompted. (Details not shown.)
You are logged in to Switch D or Switch E.
Automatic configuration using HTTP server and Tcl script
Network requirements
As shown in Figure 36, Switch A does not have a configuration file.
Configure the servers so Switch A can obtain a Tcl script to complete the following configuration tasks:
· Enable the administrator to Telnet to Switch A to manage Switch A.
· Require the administrator to enter the correct username and password at login.
Configuration procedure
1. Configure the DHCP server:
# Enable DHCP.
<DeviceA> system-view
[DeviceA] dhcp enable
# Configure address pool 1 to assign IP addresses on the 192.168.1.0/24 subnet to clients.
[DeviceA] dhcp server ip-pool 1
[DeviceA-dhcp-pool-1] network 192.168.1.0 24
# Specify the URL of the script file for the clients.
[DeviceA-dhcp-pool-1] bootfile-name http://192.168.1.40/device.tcl
2. Configure the HTTP server:
# Create a Tcl script file named device.tcl on the HTTP server with the following contents.
return
system-view
telnet server enable
local-user user
password simple abcabc
service-type telnet
quit
user-interface vty 0 63
authentication-mode scheme
user-role network-admin
quit
interface Vlan-interface1
port link-mode route
ip address dhcp-alloc
return
# Start HTTP service software and enable HTTP service. (Details not shown.)
Verifying the configuration
1. Power on Switch A.
2. After Switch A starts up, display assigned IP addresses on Device A.
<DeviceA> display dhcp server ip-in-use
IP address Client identifier/ Lease expiration Type
Hardware address
192.168.1.2 0030-3030-632e-3239- Dec 12 17:41:15 2013 Auto(C)
3035-2e36-3736-622d-
4574-6830-2f30-2f32
3. Telnet to 192.168.1.2 from Device A.
<DeviceA> telnet 192.168.1.2
4. Enter username user and password abcabc as prompted. (Details not shown.)
You are logged in to Switch A.
Automatic configuration using HTTP server and Python script
Network requirements
As shown in Figure 37, Switch A does not have a configuration file.
Configure the servers so Switch A can obtain a Python script to complete the following configuration tasks:
· Enable the administrator to Telnet to Switch A to manage Switch A.
· Require the administrator to enter the correct username and password at login.
Configuration procedure
1. Configure the DHCP server:
# Enable DHCP.
<DeviceA> system-view
[DeviceA] dhcp enable
# Configure address pool 1 to assign IP addresses on the 192.168.1.0/24 subnet to clients.
[DeviceA] dhcp server ip-pool 1
[DeviceA-dhcp-pool-1] network 192.168.1.0 24
# Specify the URL of the script file for the clients.
[DeviceA-dhcp-pool-1] bootfile-name http://192.168.1.40/device.py
2. Configure the HTTP server:
# Create a Python script file named device.py on the HTTP server with the following contents.
#!/usr/bin/python
import comware
comware.CLI('system-view ;telnet server enable ;local-user user ;password simple abcabc ;service-type telnet ;quit ;'
            'user-interface vty 0 4 ;authentication-mode scheme ;user-role network-admin ;quit ;'
            'interface Vlan-interface1 ;port link-mode route ;ip address dhcp-alloc ;return')
# Start HTTP service software and enable HTTP service. (Details not shown.)
Verifying the configuration
1. Power on Switch A.
2. After Switch A starts up, display assigned IP addresses on Device A.
<DeviceA> display dhcp server ip-in-use
IP address Client identifier/ Lease expiration Type
Hardware address
192.168.1.2 0030-3030-632e-3239- Dec 12 17:41:15 2013 Auto(C)
3035-2e36-3736-622d-
4574-6830-2f30-2f32
3. Telnet to 192.168.1.2 from Device A.
<DeviceA> telnet 192.168.1.2
4. Enter username user and password abcabc as prompted. (Details not shown.)
You are logged in to Switch A.
Automatic IRF setup
Network requirements
As shown in Figure 38, Switch A and Switch B do not have a configuration file.
Configure the servers so the switches can obtain a Python script to complete their respective configurations and form an IRF fabric.
Configuration procedure
1. Assign IP addresses to the interfaces. Make sure the devices can reach each other. (Details not shown.)
2. Configure the following files on the HTTP server:
· .cfg configuration file: the commands required for IRF setup. You can create this file by copying and modifying the configuration file of an existing IRF fabric.
· sn.txt: the serial numbers of the member switches. Each SN uniquely identifies a switch. The script uses these SNs to assign a unique IRF member ID to each member switch.
· (Optional.) .ipe or .bin software image file: software images. Required only if the member switches are running different software versions and must be upgraded to a common one.
· .py Python script file: Python commands that complete the following tasks:
a (Optional.) Verify that the flash memory has sufficient space for the files to be downloaded.
b Download the configuration file and sn.txt.
c (Optional.) Download the software image file and specify it as the main startup image file.
d Parse sn.txt and assign a unique IRF member ID to each SN.
e Specify the configuration file as the main next-startup configuration file.
f Reboot the member switches.
For more information about Python script configuration, see "Using Python."
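As an added example, not the script shipped with the switch or shown on the page, the following Python outline implements steps b, d, e and f of the .py file: it parses sn.txt, derives this switch's member ID from the position of its own serial number, and builds the CLI sequence that renumbers the member, sets the next-startup configuration file and reboots. The sn.txt layout (one serial number per line, in member-ID order), the comware.Transfer() and comware.CLI(...).get_output() calls, the flash:/ path form and the DEVICE_SERIAL_NUMBER line of display device manuinfo output are assumptions about the Comware Python API, and the sample serial numbers are constructed.

```python
#!/usr/bin/python
# Added example (not H3C's script): steps b, d, e and f of the IRF setup
# script. sn.txt format, comware.Transfer/CLI signatures, the flash:/ path
# and the manuinfo output format are assumptions, not taken from the page.
import re

# Constructed sample sn.txt: position in the list becomes the IRF member ID.
SAMPLE_SN_TXT = """\
# IRF members, one serial number per line, in member-ID order
210235A1BBC123000001
210235A1BBC123000002
"""

# Constructed sample of the relevant 'display device manuinfo' lines.
SAMPLE_MANUINFO = ("DEVICE_NAME          : SwitchB\n"
                   "DEVICE_SERIAL_NUMBER : 210235A1BBC123000002\n")


def parse_sn_file(text):
    """Return the serial numbers in file order, ignoring blank and comment
    lines. Duplicates cannot map to unique member IDs, so reject them."""
    sns = [ln.strip() for ln in text.splitlines()]
    sns = [s for s in sns if s and not s.startswith("#")]
    if len(set(sns)) != len(sns):
        raise ValueError("duplicate serial number in sn.txt")
    return sns


def extract_serial(manuinfo_output):
    """Pull DEVICE_SERIAL_NUMBER out of 'display device manuinfo' output
    (line format assumed)."""
    m = re.search(r"DEVICE_SERIAL_NUMBER\s*:\s*(\S+)", manuinfo_output)
    if not m:
        raise ValueError("serial number not found in manuinfo output")
    return m.group(1)


def member_id_for(own_sn, sns):
    """Member IDs start at 1, so the ID is the SN's 1-based position in
    sn.txt. A switch whose SN is not listed must not join with a guessed ID."""
    if own_sn not in sns:
        raise ValueError("serial number %s is not listed in sn.txt" % own_sn)
    return sns.index(own_sn) + 1


def build_commands(member_id, cfg_file):
    """CLI sequence for steps d, e and f in the ';'-separated form that
    device.py on this page passes to comware.CLI(). A factory-default switch
    is member 1; renumbering takes effect at the reboot that follows."""
    cmds = []
    if member_id != 1:
        cmds += ["system-view",
                 "irf member 1 renumber %d" % member_id,
                 "return"]
    cmds += ["startup saved-configuration %s" % cfg_file,
             "reboot force"]
    return " ;".join(cmds)


def run_on_device(http_server="192.168.1.40", cfg_file="irf.cfg"):
    """Steps b, d, e and f on a real switch. Only runs where the comware
    module exists; the Transfer/CLI/get_output signatures are assumptions."""
    import comware  # provided by Comware 7, absent on a PC Python install
    for name in (cfg_file, "sn.txt"):                        # step b
        comware.Transfer("http", http_server, name, "flash:/" + name)
    sns = parse_sn_file(open("flash:/sn.txt").read())
    out = comware.CLI("display device manuinfo", False).get_output()
    own = extract_serial("\n".join(out))
    mid = member_id_for(own, sns)                             # step d
    comware.CLI(build_commands(mid, "flash:/" + cfg_file))    # steps e, f


if __name__ == "__main__":
    run_on_device()
```

Serving sn.txt and the .cfg over plain HTTP means the HTTP server decides which physical switch becomes which member and what configuration it boots; keep that server on the management network only.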
3. Configure Device A as the DHCP server:
# Enable DHCP.
<DeviceA> system-view
[DeviceA] dhcp enable
# Configure address pool 1 to assign IP addresses on the 192.168.1.0/24 subnet to clients.
[DeviceA] dhcp server ip-pool 1
[DeviceA-dhcp-pool-1] network 192.168.1.0 24
# Specify the URL of the script file for the clients.
[DeviceA-dhcp-pool-1] bootfile-name http://192.168.1.40/device.py
[DeviceA-dhcp-pool-1] quit
# Enable the DHCP server on HundredGigE 1/0/1.
[DeviceA] interface hundredgige 1/0/1
[DeviceA-HundredGigE1/0/1] dhcp select server
[DeviceA-HundredGigE1/0/1] quit
4. Power on Switch A and Switch B.
Switch A and Switch B will obtain the Python script file from the DHCP server and execute the script. After completing the IRF configuration, Switch A and Switch B reboot.
5. After Switch A and Switch B start up again, use a cable to connect Switch A and Switch B through their IRF physical ports.
Switch A and Switch B will elect a master member. The subordinate member will reboot to join the IRF fabric.
Verifying the configuration
# On Switch A, display IRF member devices. You can also use the display irf command on Switch B to display IRF member devices.
<SwitchA> display irf
MemberID Slot Role Priority CPU-Mac Description
1 1 Standby 1 00e0-fc0f-8c02 ---
*+2 1 Master 30 00e0-fc0f-8c14 ---
--------------------------------------------------
* indicates the device is the master.
+ indicates the device through which the user logs in.
The Bridge MAC of the IRF is: 000c-1000-1111
Auto upgrade : yes
Mac persistent : always
Domain ID : 0
Auto merge : yes
The output shows that the switches have formed an IRF fabric.
A
AAA
RBAC AAA authorization, 18
RBAC default user role, 23
RBAC local AAA authentication user configuration, 27
RBAC local AAA authentication user role, 24
RBAC non-AAA authentication user role, 24
RBAC non-AAA authorization, 18
RBAC remote AAA authentication user role, 23
abbreviating
CLI command, 5
aborting
ISSU software activate/deactivate operation (install commands), 122
accessing
CLI online help, 2
device BootWare menu access disable, 140
login management SNMP device access, 58
RBAC VPN instance access policy, 17
accounting
login management command accounting, 67, 68
login management user device access control, 61
ACL
login management command authorization, 65, 66
login management login control (Telnet, SSH), 61, 62
login management SNMP access control, 62, 64
login management user device access control, 61
activating
ISSU activate operation (install commands), 122
license, 160
active
FTP active (PORT) operating mode, 70
software upgrade MPU synchronization, 110
adjusting
ISSU running configuration, 117
alias (CLI command), 6
API
Python extended API, 153
Python extended API functions, 153
Python extended API import, 153
archiving
file, 91
file system directory, 89
argument (CLI string/text type), 4
ASCII transfer mode, 70
assigning
login management CLI user line assignment, 43
RBAC local AAA authentication user role, 24
RBAC non-AAA authentication user role, 24
RBAC permission assignment, 16
RBAC remote AAA authentication user role, 23
RBAC user role, 23
RBAC user role assignment, 18
authenticating
FTP basic server authentication, 71
login management CLI console authentication disable, 45
login management CLI console/AUX password authentication, 46
login management CLI console/AUX scheme authentication, 46
login management CLI none authentication mode, 44
login management CLI password authentication mode, 44
login management CLI scheme authentication mode, 44
login management Telnet login authentication disable, 49
login management Telnet login password authentication, 50
login management Telnet login scheme authentication, 51
RBAC local AAA authentication user configuration, 27
RBAC local AAA authentication user role, 24
RBAC RADIUS authentication user configuration, 29
RBAC remote AAA authentication user role, 23
RBAC temporary user role authorization (HWTACACS authentication), 32
RBAC temporary user role authorization (RADIUS authentication), 36
RBAC user role authentication, 26
authorizing
FTP basic server authorization, 71
login management command authorization, 65, 66
login management user device access control, 61
RBAC temporary user role authorization, 25
auto
configuration. See automatic configuration
DHCP server (server-based), 167
DNS server (server-based), 169
file preparation (server-based), 166
file server configuration, 166
gateway configuration (server-based), 169
HTTP server+Python script (on switch), 175
HTTP server+Tcl script (on switch), 174
IRF setup (on switch), 177
server-based, 165
server-based (on switch), 170
server-based use, 165
start (server-based), 169
TFTP server-based (on switch), 170
AUX
console authentication disable, 45
console/AUX common line settings, 47
console/AUX password authentication, 46
console/AUX scheme authentication, 46
login management CLI local console port login, 44
login management overview, 40
B
backing up
main next-startup configuration file, 100
software upgrade backup image set, 103
banner
configuration, 132, 133
incoming type, 132
legal type, 132
login type, 132
MOTD type, 132
multiple-line input method, 132
shell type, 132
single-line input method, 132
binary transfer mode, 70
boot loader
software upgrade startup image file specification (in IRF mode), 108
software upgrade startup image file specification (in standalone mode), 107
BootWare
device menu access disable, 140
software upgrade image downgrade, 109
software upgrade image preload (in IRF mode), 107
software upgrade image preload (in standalone mode), 106
software upgrade image restore, 109
software upgrade image type, 103, 103
software upgrade methods, 105
software upgrade preparation, 105
software upgrade startup image file specification (in IRF mode), 108
software upgrade startup image file specification (in standalone mode), 107
software upgrade system startup, 104
buffering
CLI command history buffering rules, 9
CLI history buffered commands, 10
C
calculating
file digest, 92
changing
file system working directory, 89
FTP user account, 77
command abbreviation, 5
command alias configuration, 6
command alias use, 6
command entry, 3
command history, 9
command history buffered commands, 10
command history buffering rules, 9
command hotkey configuration, 7
command hotkey use, 7
command line editing, 3
command redisplay, 8
command-line error message, 8
console authentication disable, 45
console port login, 42
console/AUX common line settings, 47
console/AUX password authentication, 46
console/AUX scheme authentication, 46
device reboot (CLI), 134
display command output filtering, 11
display command output line numbering, 11
display command output management, 15
display command output save to file, 14
display command output viewing, 15
interface type value, 5
local console port login, 44
login authentication modes, 44
login configuration, 43
login display, 56
login maintain, 56
login management overview, 40
online help access, 2
output control, 10
output control keys, 10
Python extended API functions (CLI class), 153
running configuration save, 15
software upgrade, 103, 106
string/text type argument value, 4
system view entry from user view, 2
undo command form, 3
upper-level view return from any view, 2
use, 1
user lines, 43
user roles, 44
user view return, 2
view hierarchy, 1
client
FTP client configuration (distributed devices in IRF mode), 80
FTP client configuration (distributed devices in standalone mode), 79
IPv4 TFTP client configuration, 82
IPv6 TFTP client configuration, 83
command
CLI command abbreviation, 5
CLI command alias configuration, 6
CLI command alias use, 6
CLI command entry, 3
CLI command history, 9
CLI command history buffered commands, 10
CLI command history buffering rules, 9
CLI command hotkey configuration, 7
CLI command hotkey use, 7
CLI command line editing, 3
CLI command redisplay, 8
CLI interface type value, 5
CLI string/text type argument value, 4
CLI undo command form, 3
command line interface. Use CLI
ISSU command set, 115
ISSU install commands, 119
ISSU performance (issu commands), 117
ISSU upgrade, 114
login management command accounting, 67, 68
login management command authorization, 65, 66
Tcl, 149
commit delay
running configuration, 99
committing
ISSU software changes (install commands), 122
comparing
configuration difference, 96
completing
software upgrade (in IRF mode), 108
software upgrade (in standalone mode), 107
compressing
file, 91
license management storage, 160
Comware
Python extended API, 153
Python extended API functions, 153
Python extended API import, 153
Python language use, 151, 151
software upgrade Boot image type, 103
software upgrade image loading, 103
software upgrade image redundancy, 103
software upgrade image type, 103
software upgrade system image type, 103
Tcl configuration view command execution, 149
configuration file
automatic configuration configuration file (server-based), 166
configuration comparison, 96
configuration difference displaying, 96
content organization, 95
device configuration types, 94
display, 102
encryption enable, 96
file formats, 95
FIPS compliance, 96
format, 95
main next-startup configuration file backup, 100
main next-startup configuration file restoration, 101
maintain, 102
management, 94
next-startup configuration file, 99
next-startup file delete, 101
next-startup file redundancy, 94
running configuration save, 97, 98
running configuration save restrictions, 97
startup file selection, 95
configuring
automatic configuration (HTTP server+Python script)(on switch), 175
automatic configuration (HTTP server+Tcl script)(on switch), 174
automatic configuration (IRF setup)(on switch), 177
automatic configuration (server-based)(on switch), 170
automatic configuration (TFTP server-based)(on switch), 170
automatic configuration DHCP server (HTTP server-based), 168
automatic configuration DHCP server (server-based), 167
automatic configuration DHCP server (TFTP server-based), 168
automatic configuration DNS server (server-based), 169
CLI command alias, 6
CLI command hotkey, 7
configuration commit delay, 99
device as IPv4 TFTP client, 82
device as IPv6 TFTP client, 83
device banner, 132, 133
device hardware failure detection+protection, 145
device hardware failure protection, 145
device management, 130
device name, 130
device system time, 130
device temperature alarm threshold, 144
device with Tcl, 149
FTP, 70
FTP basic server parameters, 70
FTP client (distributed devices in IRF mode), 80
FTP client (distributed devices in standalone mode), 79
FTP server (distributed devices in IRF mode), 73
FTP server (distributed devices in standalone mode), 72
login management CLI configuration, 43
login management CLI console/AUX common line settings, 47
login management CLI console/AUX password authentication, 46
login management CLI console/AUX scheme authentication, 46
login management CLI local console port login, 44
login management command accounting, 67, 68
login management command authorization, 65, 66
login management RESTful access, 59
login management RESTful access (HTTP), 59
login management RESTful access (HTTPS), 59
login management SNMP access control, 64
login management SSH device as server, 55
login management SSH login, 54
login management Telnet common VTY line settings, 52
login management Telnet device as server, 49
login management Telnet login, 49
login management Telnet login password authentication, 50
login management Telnet login scheme authentication, 51
preprovisioning, 163
RBAC, 16, 19, 27
RBAC feature group, 21
RBAC for RADIUS authentication user, 29
RBAC local AAA authentication user, 27
RBAC resource access policies, 21
RBAC temporary user role authorization, 25
RBAC temporary user role authorization (HWTACACS authentication), 32
RBAC temporary user role authorization (RADIUS authentication), 36
RBAC user role authentication, 26
RBAC user role interface policy, 22
RBAC user role rules, 20
RBAC user role VLAN policy, 22
RBAC user role VPN instance policy, 22
software upgrade, 111
TFTP, 82
console
login management CLI console authentication disable, 45
login management CLI console/AUX common line settings, 47
login management CLI console/AUX password authentication, 46
login management CLI console/AUX scheme authentication, 46
login management CLI local console port login, 44
login management console port login, 42
login management overview, 40
content
configuration comparison, 96
configuration file organization, 95
file system text file content display, 91
controlling
CLI output, 10
CLI output control keys, 10
login management logins (Telnet, SSH), 61, 62
login management SNMP access, 62
login management user device access, 61
RBAC configuration, 16, 19
copying
file, 91
copyright statement display, 131
CPU
ISSU command set, 115
ISSU methods, 114
creating
file system directory, 89
RBAC user role, 19
D
days-restricted license, 159
deactivating
ISSU deactivate operation (install commands), 122
decompressing
file, 91
ISSU IPE file (install commands), 120
default
device factory-default configuration restore, 146
file system, 85
RBAC default user role, 23
deleting
file, 92
file system directory, 90
ISSU inactive software image (install commands), 123
next-startup configuration file, 101
recycle bin file, 92
detecting
device hardware failure+protection, 145
device port status detection timer, 141
determining
ISSU upgrade method, 116
device
automatic configuration, 165
automatic configuration (HTTP server+Python script)(on switch), 175
automatic configuration (HTTP server+Tcl script)(on switch), 174
automatic configuration (IRF setup)(on switch), 177
automatic configuration (server-based)(on switch), 170
automatic configuration (TFTP server-based)(on switch), 170
automatic configuration DHCP server (server-based), 167
automatic configuration DNS server (server-based), 169
automatic configuration file preparation (server-based), 166
automatic configuration start (server-based), 169
automatic configuration use (server-based), 165
CLI command history, 9
CLI command history buffered commands, 10
CLI command redisplay, 8
CLI display command output filtering, 11
CLI display command output line numbering, 11
CLI display command output management, 15
CLI display command output save to file, 14
CLI display command output viewing, 15
CLI output control, 10, 10
CLI running configuration save, 15
CLI system view entry from user view, 2
CLI upper-level view return from any view, 2
CLI use, 1
CLI user view return, 2
configuration types, 94
factory default configuration, 94
file system format, 88
file system management, 84
file system mount, 87
file system repair, 88
file system unmount, 87
file system+storage media management, 87
FTP basic server parameters configuration, 70
FTP client, 75
FTP client configuration (distributed devices in IRF mode), 80
FTP client configuration (distributed devices in standalone mode), 79
FTP client connection establishment, 75
FTP command help information display, 78
FTP configuration, 70
FTP connection termination, 78
FTP server, 70
FTP server authentication, 71
FTP server authorization, 71
FTP server configuration (distributed devices in IRF mode), 73
FTP server configuration (distributed devices in standalone mode), 72
FTP server connection release (manual), 71
FTP server directory management, 76
FTP server files, 76
FTP user account change, 77
IPv4 TFTP client configuration, 82
IPv6 TFTP client configuration, 83
ISSU device operating status verification, 115
license file licenses for device types, 160
license management, 159
license management (device locked), 159
license management activation, 160
license management registration, 160
license management storage compression, 160
license management transfer, 161
login management SNMP device access, 58
login management SSH device as server, 55
login management SSH server device login, 56
login management Telnet device as server, 49
login management Telnet server device login, 54
preprovisioning configuration, 163
RBAC configuration, 16, 19, 27
RBAC feature group configuration, 21
RBAC local AAA authentication user configuration, 27
RBAC local AAA authentication user role, 24
RBAC non-AAA authentication user role, 24
RBAC permission assignment, 16
RBAC RADIUS authentication user configuration, 29
RBAC remote AAA authentication user role, 23
RBAC resource access policies, 21
RBAC temporary user role authorization, 25, 27
RBAC temporary user role authorization (HWTACACS authentication), 32
RBAC temporary user role authorization (RADIUS authentication), 36
RBAC user role assignment, 18, 23
RBAC user role authentication, 26
RBAC user role creation, 19
RBAC user role interface policy, 22
RBAC user role rule configuration, 20
RBAC user role VLAN policy, 22
RBAC user role VPN instance policy, 22
running configuration, 94
software upgrade, 103, 106
software upgrade system startup, 104
startup configuration, 94
storage media USB disk partition, 87
Tcl configuration, 149
Tcl configuration view Comware command execution, 149
TFTP configuration, 82
banner configuration, 132, 133
banner input methods, 132
banner types, 132
BootWare menu access disable, 140
configuration, 130
configuration display, 146
configuration maintain, 146
copyright statement display, 131
CPU usage monitoring, 141
device name configuration, 130
device reboot, 134
device reboot (CLI), 134
device reboot (scheduled), 134
factory-default configuration restore, 146
hardware failure detection+protection, 145
memory alarm thresholds, 142
password recovery capability disable, 140
port status detection timer, 141
system operating mode, 133
system time configuration, 130
task scheduling, 135, 137
temperature alarm threshold, 144
transceiver module diagnosis, 145, 146
transceiver module verification, 145, 145
USB interface disable, 144
DHCP
automatic configuration, 165
automatic configuration (HTTP server+Python script)(on switch), 175
automatic configuration (HTTP server+Tcl script)(on switch), 174
automatic configuration (IRF setup)(on switch), 177
automatic configuration (server-based)(on switch), 170
automatic configuration (TFTP server-based)(on switch), 170
automatic configuration DHCP server (HTTP server-based), 168
automatic configuration DHCP server (server-based), 167
automatic configuration DHCP server (TFTP server-based), 168
automatic configuration start (server-based), 169
automatic configuration use (server-based), 165
diagnosing
device transceiver modules, 145, 146
digest
file system file digest calculation, 92
directory
file system, 85
file system common directories, 85
file system directory archive, 89
file system directory creation, 89
file system directory deletion, 90
file system directory extraction, 89
file system directory information display, 89
file system directory management, 89
file system directory naming conventions, 85
file system directory rename, 89
file system management, 84
file system working directory change, 89
file system working directory display, 89
FTP server directory management, 76
disabling
CLI output screen pausing, 10
device BootWare menu access, 140
device password recovery capability, 140
device USB interface, 144
login management CLI console authentication, 45
login management Telnet login authentication, 49
displaying
configuration difference, 96
configuration files, 102
device copyright statement, 131
device management configuration, 146
file system directory information, 89
file system file information, 90
file system text file content, 91
file system working directory display, 89
FTP client, 78
FTP command help information, 78
FTP server, 72
ISSU, 123
license, 162
login management CLI login, 56
preprovisioned settings, 163
RBAC settings, 27
software upgrade image settings, 111
DNS
automatic configuration, 165
automatic configuration DNS server (server-based), 169
automatic configuration start (server-based), 169
automatic configuration use (server-based), 165
downgrading
software upgrade BootWare image, 109
DSCP
login management Telnet packet DSCP value, 52
E
editing CLI command line, 3
enabling
CLI command redisplay, 8
configuration encryption, 96
device copyright statement display, 131
login management Telnet server, 49
preprovisioning, 163
RBAC default user role, 23
software upgrade MPU synchronization, 110
encrypting
configuration encryption, 96
entering
CLI command, 3
CLI entered-but-not-submitted command redisplay, 8
CLI interface type, 5
CLI string/text type argument value, 4
CLI system view from user view, 2
Python shell, 151
error
CLI command line error message, 8
establishing
FTP client connection, 75
executing
Python script, 151
Tcl configuration view Comware command, 149
exiting
Python shell, 151
extracting
file, 91
file system directory, 89
F
factory default device configuration, 94
fast
running configuration fast mode save, 98
fast saving running configuration, 97
feature
license management, 159
file
archiving, 91
automatic configuration configuration file (server-based), 166
automatic configuration file server configuration (server-based), 166
automatic configuration host name file (server-based), 166
automatic configuration script file (server-based), 167
compression, 91
configuration difference, 96
configuration file content, 95
configuration file format, 95
configuration file formats, 95
configuration file management, 94
copying, 91
decompression, 91
deletion, 92
device configuration startup file selection, 95
digest calculation, 92
extraction, 91
file system common file types, 85
file system file naming conventions, 85
file system files, 85
file system management, 90
FTP server files, 76
information display, 90
ISSU IPE file decompression (install commands), 120
license file licenses for device types, 160
license file safety, 159
license management activation, 160
license management registration, 160
license management transfer, 161
main next-startup configuration file backup, 100
main next-startup configuration file restoration, 101
moving, 91
next-startup configuration file, 99
next-startup configuration file redundancy, 94
recycle bin file deletion, 92
renaming, 91
restoration, 92
software upgrade file naming, 103
system. See file system
text content display, 91
common directories, 85
common file types, 85
default, 85
directories, 85
directory archive, 89
directory creation, 89
directory deletion, 90
directory extraction, 89
directory information display, 89
directory management, 89
directory name specification, 86
directory operation mode, 90
directory rename, 89
file archiving, 91
file compression, 91
file copy, 91
file decompression, 91
file deletion, 92
file digest calculation, 92
file extraction, 91
file information display, 90
file management, 90
file move, 91
file name specification, 86
file operation mode, 93
file rename, 91
file restoration, 92
files, 85
FIPS compliance, 86
format, 88
location, 84
management, 84
management restrictions, 86
mount, 87
mount/unmount restrictions, 88
naming conventions, 84
naming conventions (directory), 85
naming conventions (file), 85
recycle bin file deletion, 92
repair, 88
storage media management, 87
storage media restrictions, 87
storage media USB disk partition, 87
text file content display, 91
unmount, 87
working directory change, 89
working directory display, 89
File Transfer Protocol. Use FTP
filtering
CLI display command output, 11
FIPS compliance
configuration file, 96
file system, 86
FTP, 70
login management, 44
login management RESTful, 59
login management user device access control, 61
RBAC, 19
TFTP, 82
format
configuration file, 95
formatting
file system, 88
FTP
automatic configuration file server configuration (server-based), 166
basic server parameters configuration, 70
client configuration (distributed devices in IRF mode), 80
client configuration (distributed devices in standalone mode), 79
client connection establishment, 75
client display, 78
command help information display, 78
configuration, 70
connection maintain, 77
connection termination, 78
device as client, 75
device as server, 70
FIPS compliance, 70
IPv4 TFTP client configuration, 82
IPv6 TFTP client configuration, 83
server authentication, 71
server authorization, 71
server configuration (distributed devices in IRF mode), 73
server configuration (distributed devices in standalone mode), 72
server connection release (manual), 71
server directory management, 76
server display, 72
server files, 76
TFTP configuration, 82
troubleshoot connection, 77
user account change, 77
G
gateway
automatic configuration (server-based), 169
get operation
Python extended API functions (get_self_slot), 156
Python extended API functions (get_slot_info), 158
Python extended API functions (get_slot_range), 157
Python extended API functions (get_standby_slot), 156
group
RBAC feature group configuration, 21
H
hardware
device management hardware failure detection+protection, 145
help
CLI online help access, 2
history
CLI history, 9
CLI history buffered commands, 10
host
automatic configuration host name file (server-based), 166
hotkey (CLI command), 7
HTTP
automatic configuration (HTTP server+Python script)(on switch), 175
automatic configuration (HTTP server+Tcl script)(on switch), 174
automatic configuration (IRF setup)(on switch), 177
automatic configuration DHCP server (HTTP server-based), 168
login management RESTful access, 59
HTTPS
login management RESTful access, 59
HWTACACS
login management command accounting, 67, 68
RBAC temporary user role authorization, 32
I
identifying
ISSU availability, 115
ISSU licensing requirements, 115
ISSU method, 116
login management CLI user line, 43
image
ISSU inactive software image deletion (install commands), 123
ISSU patch image (install commands), 121
ISSU software image (install commands), 120
ISSU software image upgrade (install commands), 120
software upgrade BootWare image downgrade, 109
software upgrade BootWare image restore, 109
software upgrade BootWare image type, 103
software upgrade Comware Boot image type, 103
software upgrade Comware image loading, 103
software upgrade Comware image redundancy, 103
software upgrade Comware image type, 103
software upgrade Comware system image type, 103
software upgrade startup image file specification (in IRF mode), 108
software upgrade startup image file specification (in standalone mode), 107
importing
Python extended API, 153
incoming banner type, 132
In-Service Software Upgrade. Use ISSU
install commands
ISSU inactive software image deletion, 123
ISSU patch image uninstall, 121
ISSU running software image rollback, 122
ISSU software activate/deactivate, 122
ISSU software changes commit, 122
ISSU software image installation, 120
ISSU software image upgrade, 120
software image verification, 123
installing, 120, See also install commands
ISSU software images (install commands), 120
interface, 40, See also line
interface module
preprovisioning configuration, 163
IP
FTP configuration, 70
FTP server configuration (distributed devices in IRF mode), 73
FTP server configuration (distributed devices in standalone mode), 72
TFTP configuration, 82
IPE file (ISSU), 120
IPv4
FTP client connection establishment, 75
TFTP client configuration, 82
IPv6
FTP client connection establishment, 75
TFTP client configuration, 83
IRF
automatic configuration (IRF setup)(on switch), 177
FTP client configuration (distributed devices in IRF mode), 80
FTP configuration (distributed devices in IRF mode), 73
ISSU (install commands), 119
ISSU install commands, 127
ISSU issu commands, 124
ISSU methods, 114
ISSU software image verification (install commands), 123
ISSU upgrade, 114
software upgrade BootWare image preload (in IRF mode), 107
software upgrade BootWare image preload (in standalone mode), 106
software upgrade completion (in IRF mode), 108
software upgrade configuration (in IRF mode), 112
software upgrade startup image file specification (in IRF mode), 108
ISSU
availability, 115
command set, 115
console port login, 117
device operating status, 115
display, 123
feature status verification, 116
inactive software image deletion (install commands), 123
install commands, 119, 127
IPE file decompression (install commands), 120
issu commands, 124
licensing requirements, 115
maintain, 123
method identification, 116
methods, 114
patch image uninstall (install commands), 121
performance (issu commands), 117
running configuration adjustment, 117
running configuration save, 117
running software image rollback (install commands), 122
software activate/deactivate (install commands), 122
software changes commit (install commands), 122
software image (install commands), 120
software image upgrade (install commands), 120
software image verification (install commands), 123
software upgrade BootWare image downgrade, 109
software upgrade BootWare image preload (in IRF mode), 107
software upgrade BootWare image preload (in standalone mode), 106
software upgrade BootWare image restore, 109
software upgrade Comware image method, 105
software upgrade configuration (in IRF mode), 112
software upgrade configuration (in standalone mode), 111
upgrade, 114
upgrade image preparation, 115
upgrade restrictions, 117
K
key
CLI command hotkey, 7
license management activation, 160
license management registration, 160
license management transfer, 161
L
legal banner type, 132
license management
activation, 160
days-restricted license, 159
device locked license, 159
feature use, 159
file safety, 159
license display, 162
licenses for device types, 160
locking methods license, 159
MPU locked license, 159
permanent license, 159
registration, 160
restrictions, 159
storage compression, 160
transfer, 161
licensing
ISSU requirements, 115
line
login management CLI console/AUX common line settings, 47
login management CLI user line, 43
login management CLI user line assignment, 43
login management CLI user line identification, 43
login management Telnet VTY common line settings, 52
local
FTP server authentication, 71
FTP server authorization, 71
RBAC local AAA authentication user configuration, 27
RBAC local AAA authentication user role, 24
locating
file system, 84
locking methods, 159
logging in
ISSU console port, 117
login management CLI console authentication disable, 45
login management CLI console/AUX common line settings, 47
login management CLI console/AUX password authentication, 46
login management CLI console/AUX scheme authentication, 46
login management CLI local console port login, 44
login management CLI login authentication modes, 44
login management CLI login configuration, 43
login management CLI user lines, 43
login management CLI user roles, 44
login management console port login, 42
login management RESTful access (HTTP), 59
login management RESTful access (HTTPS), 59
login management RESTful access configuration, 59
login management SSH device as server, 55
login management SSH login, 54
login management SSH server device login, 56
login management Telnet concurrent users max, 52
login management Telnet device as server, 49
login management Telnet login, 49
login management Telnet login password authentication, 50
login management Telnet login scheme authentication, 51
login management Telnet server device login, 54
login management Telnet VTY common line settings, 52
login
device banner login type, 132
login management
CLI configuration, 43
CLI console authentication disable, 45
CLI console/AUX common line settings, 47
CLI console/AUX password authentication, 46
CLI console/AUX scheme authentication, 46
CLI local console port login, 44
CLI login authentication modes, 44
CLI login display, 56
CLI login maintain, 56
CLI user line assignment, 43
CLI user line identification, 43
CLI user lines, 43
CLI user roles, 44
command accounting, 67, 68
command authorization, 65, 66
console port access, 42
FIPS compliance, 44
login control (Telnet, SSH), 61, 62
overview, 40
RESTful access configuration, 59
RESTful access configuration (HTTP), 59
RESTful access configuration (HTTPS), 59
SNMP access control, 64
SNMP device access, 58
SSH device as server, 55
SSH login, 54
SSH server device login, 56
Telnet concurrent users max, 52
Telnet device as server, 49
Telnet login, 49
Telnet login authentication disable, 49
Telnet login password authentication, 50
Telnet login scheme authentication, 51
Telnet packet DSCP value, 52
Telnet server device login, 54
Telnet server enable, 49
Telnet VTY common line settings, 52
user device access control, 61
user device access FIPS compliance, 61
M
main
software upgrade image set, 103
maintaining
configuration files, 102
device management configuration, 146
FTP connection, 77
ISSU, 123
login management CLI login, 56
preprovisioned settings, 163
software upgrade image settings, 111
managing
CLI display command output, 15
configuration files, 94
device. See device management
file system, 84
file system directories, 89
file system files, 90
file system+storage media, 87
FTP server directories, 76
license management, 159
manual
FTP server connection release, 71
memory
device CPU usage monitoring, 141
device memory alarm thresholds, 142
message
CLI command line error message, 8
device management message-of-the-day (MOTD) banner type, 132
method
device banner multiple-line input, 132
device banner single-line input, 132
MIB
login management SNMP device access, 58
mode
device system operation, 133
file system directory alert operation, 90
file system directory quiet operation, 90
file system file alert operation, 93
file system file quiet operation, 93
FTP active (PORT) operation, 70
FTP ASCII transfer, 70
FTP binary transfer, 70
FTP passive (PASV) operation, 70
login management none CLI authentication, 44
login management password CLI authentication, 44
login management scheme CLI authentication, 44
module
device transceiver module diagnosis, 145, 146
device transceiver module verification, 145
preprovisioning configuration, 163
monitoring
device CPU usage, 141
mounting
file system, 87
moving
file, 91
MPU
ISSU (install commands), 119
ISSU methods, 114
ISSU upgrade, 114
license management (MPU locked), 159
software upgrade synchronization, 110
multiple-line banner input method, 132
N
naming
device name configuration, 130
file rename, 91
file system directory name specification, 86
file system directory rename, 89
file system file name specification, 86
file system naming conventions, 84
file system naming conventions (directory), 85
file system naming conventions (file), 85
software upgrade files, 103
network
automatic configuration (HTTP server+Python script)(on switch), 175
automatic configuration (HTTP server+Tcl script)(on switch), 174
automatic configuration (IRF setup)(on switch), 177
automatic configuration (TFTP server-based)(on switch), 170
automatic configuration DHCP server (server-based), 167
automatic configuration DNS server (server-based), 169
automatic configuration file preparation (server-based), 166
automatic configuration gateway (server-based), 169
automatic configuration start (server-based), 169
automatic configuration use (server-based), 165
device as FTP client, 75
device as FTP server, 70
device banner configuration, 132
device banner input methods, 132
device banner types, 132
device BootWare menu access disable, 140
device copyright statement display, 131
device CPU usage monitoring, 141
device factory-default configuration restore, 146
device hardware failure detection+protection, 145
device management task scheduling, 135, 137
device memory alarm thresholds, 142
device name configuration, 130
device password recovery capability disable, 140
device port status detection timer, 141
device reboot, 134
device reboot (CLI), 134
device reboot (scheduled), 134
device system operating mode, 133
device system time configuration, 130
device temperature alarm threshold, 144
device transceiver module diagnosis, 145, 146
device transceiver module verification, 145
device USB interface disable, 144
file system, 84
file system directories, 85
file system directory management, 89
file system directory name specification, 86
file system file management, 90
file system file name specification, 86
file system files, 85
file system+storage media management, 87
FTP basic server parameters configuration, 70
FTP client configuration (distributed devices in IRF mode), 80
FTP client configuration (distributed devices in standalone mode), 79
FTP client connection establishment, 75
FTP command help information display, 78
FTP connection termination, 78
FTP server authentication, 71
FTP server authorization, 71
FTP server configuration (distributed devices in IRF mode), 73
FTP server configuration (distributed devices in standalone mode), 72
FTP server connection release (manual), 71
FTP server directory management, 76
FTP server files, 76
FTP user account change, 77
IPv4 TFTP client configuration, 82
IPv6 TFTP client configuration, 83
ISSU (install commands), 119
ISSU availability identification, 115
ISSU command set, 115
ISSU device operating status verification, 115
ISSU feature status verification, 116
ISSU inactive software image deletion (install commands), 123
ISSU IPE file decompression (install commands), 120
ISSU licensing requirements, 115
ISSU method identification, 116
ISSU methods, 114
ISSU patch image (install commands), 121
ISSU performance (issu commands), 117
ISSU running software image rollback (install commands), 122
ISSU software activate/deactivate (install commands), 122
ISSU software changes commit (install commands), 122
ISSU software image (install commands), 120
ISSU software image upgrade (install commands), 120
ISSU software image verification (install commands), 123
ISSU upgrade image preparation, 115
ISSU upgrade method, 116
login management command accounting, 67, 68
login management command authorization, 65, 66
login management login control (Telnet, SSH), 61, 62
login management SNMP access control, 62, 64
login management SSH device as server, 55
login management Telnet device as server, 49
login management Telnet login authentication disable, 49
login management Telnet server enable, 49
preprovisioning enable, 163
Python extended API functions, 153
Python extended API import, 153
RBAC default user role, 23
RBAC feature group configuration, 21
RBAC local AAA authentication user configuration, 27
RBAC local AAA authentication user role, 24
RBAC non-AAA authentication user role, 24
RBAC permission assignment, 16
RBAC RADIUS authentication user configuration, 29
RBAC remote AAA authentication user role, 23
RBAC resource access policies, 21
RBAC temporary user role authorization, 25, 27
RBAC temporary user role authorization (HWTACACS authentication), 32
RBAC temporary user role authorization (RADIUS authentication), 36
RBAC user role assignment, 18, 23
RBAC user role authentication, 26
RBAC user role creation, 19
RBAC user role interface policy, 22
RBAC user role rule configuration, 20
RBAC user role VLAN policy, 22
RBAC user role VPN instance policy, 22
software upgrade, 111
software upgrade (in IRF mode), 112
software upgrade (in standalone mode), 111
troubleshooting FTP connection, 77
network management
automatic configuration, 165
automatic configuration (server-based)(on switch), 170
CLI use, 1
configuration file management, 94
device management, 130
file system management, 84
FTP configuration, 70
ISSU install commands, 127
ISSU issu commands, 124
ISSU upgrade, 114
license management, 159
login management overview, 40
login management RESTful access, 59
login management SNMP device access, 58
login management user device access control, 61
preprovisioning configuration, 163
Python extended API, 153
Python language, 151
RBAC configuration, 16, 19, 27
software upgrade, 103, 106
Tcl usage, 149
TFTP configuration, 82
next-startup configuration file, 94, 101
NMS
login management SNMP device access, 58
non-AAA authentication (RBAC), 24
non-AAA authorization (RBAC), 18
none
login management CLI authentication mode, 44
numbering
CLI display command output lines, 11
O
obtaining
RBAC temporary user role authorization, 27
online
CLI online help access, 2
outputting
CLI display command output filtering, 11
CLI display command output line numbering, 11
CLI display command output management, 15
CLI display command output view, 15
CLI display comment output to file, 14
CLI output control, 10
CLI output control keys, 10
P
parameter
device management, 130
FTP basic server parameters configuration, 70
partitioning
storage media USB disk, 87
passive
FTP passive (PASV) operating mode, 70
password
device password recovery capability disable, 140
login management CLI authentication mode, 44
login management CLI console/AUX password authentication, 46
login management Telnet login password authentication, 50
login management Telnet login scheme authentication, 51
patch
ISSU patch image, 121
pausing between CLI output screens, 10
performing
ISSU (install commands), 119
ISSU (issu commands), 117
ISSU install commands, 127
ISSU issu commands, 124
permanent license, 159
permitting
RBAC permission assignment, 16
RBAC user role assignment, 18
policy
RBAC interface access policy, 17
RBAC local AAA authentication user role, 24
RBAC non-AAA authentication user role, 24
RBAC remote AAA authentication user role, 23
RBAC resource access policies, 21
RBAC user role assignment, 23
RBAC user role interface policy, 22
RBAC user role VLAN policy, 22
RBAC user role VPN instance policy, 22
RBAC VLAN access policy, 17
RBAC VPN instance access policy, 17
port
device status detection timer, 141
preloading
software upgrade BootWare image (in IRF mode), 107
software upgrade BootWare image (in standalone mode), 106
preparing
automatic configuration (interface), 169
ISSU upgrade image, 115
software upgrade, 105
preprovisioning
configuration, 163
enable, 163
settings display, 163
settings maintain, 163
procedure
abbreviating CLI command, 5
aborting ISSU software activate/deactivate (install commands), 122
accessing CLI online help, 2
activating license, 160
archiving file, 91
archiving file system directory, 89
assigning RBAC local AAA authentication user role, 24
assigning RBAC non-AAA authentication user role, 24
assigning RBAC remote AAA authentication user role, 23
assigning RBAC user role, 23
backing up main next-startup configuration file, 100
calculating file digest, 92
changing file system working directory, 89
changing FTP user accounts, 77
committing ISSU software changes (install commands), 122
completing software upgrade (in IRF mode), 108
completing software upgrade (in standalone mode), 107
compressing file, 91
compressing license storage, 160
configuring automatic configuration (HTTP server+Python script)(on switch), 175
configuring automatic configuration (HTTP server+Tcl script)(on switch), 174
configuring automatic configuration (IRF setup)(on switch), 177
configuring automatic configuration (TFTP server-based)(on switch), 170
configuring automatic configuration DHCP server (HTTP server-based), 168
configuring automatic configuration DHCP server (server-based), 167
configuring automatic configuration DHCP server (TFTP server-based), 168
configuring automatic configuration DNS server (server-based), 169
configuring automatic configuration gateway (server-based), 169
configuring CLI command alias, 6
configuring CLI command hotkey, 7
configuring configuration commit delay, 99
configuring device as IPv4 TFTP client, 82
configuring device as IPv6 TFTP client, 83
configuring device banner, 132, 133
configuring device hardware failure detection, 145
configuring device hardware failure protection, 145
configuring device name, 130
configuring device system time, 130
configuring device temperature alarm threshold, 144
configuring device with Tcl, 149
configuring FTP basic server parameters, 70
configuring FTP client (distributed devices in IRF mode), 80
configuring FTP client (distributed devices in standalone mode), 79
configuring FTP server (distributed devices in IRF mode), 73
configuring FTP server (distributed devices in standalone mode), 72
configuring login management CLI console/AUX common line settings, 47
configuring login management CLI console/AUX password authentication, 46
configuring login management CLI console/AUX scheme authentication, 46
configuring login management CLI local console port login, 44
configuring login management command accounting, 67, 68
configuring login management command authorization, 65, 66
configuring login management RESTful access (HTTP), 59
configuring login management RESTful access (HTTPS), 59
configuring login management SNMP access control, 64
configuring login management SSH device as server, 55
configuring login management SSH login, 54
configuring login management Telnet device as server, 49
configuring login management Telnet login, 49
configuring login management Telnet login password authentication, 50
configuring login management Telnet login scheme authentication, 51
configuring login management Telnet VTY common line settings, 52
configuring RBAC, 19
configuring RBAC feature group, 21
configuring RBAC for RADIUS authentication user, 29
configuring RBAC local AAA authentication user, 27
configuring RBAC resource access policies, 21
configuring RBAC temporary user role authorization, 25
configuring RBAC temporary user role authorization (HWTACACS authentication), 32
configuring RBAC temporary user role authorization (RADIUS authentication), 36
configuring RBAC user role authentication, 26
configuring RBAC user role interface policy, 22
configuring RBAC user role rules, 20
configuring RBAC user role VLAN policy, 22
configuring RBAC user role VPN instance policy, 22
configuring software upgrade, 111
controlling CLI output, 10
controlling login management logins (Telnet, SSH), 61, 62
controlling login management SNMP access, 62
copying file, 91
creating file system directory, 89
creating RBAC user role, 19
decompressing file, 91
decompressing ISSU IPE file (install commands), 120
deleting file, 92
deleting file from recycle bin, 92
deleting file system directory, 90
deleting ISSU inactive software image (install commands), 123
deleting next-startup configuration file, 101
determining ISSU upgrade method, 116
diagnosing device transceiver module, 145, 146
disabling CLI console authentication, 45
disabling CLI output screen pausing, 10
disabling device BootWare menu access, 140
disabling device password recovery capability, 140
disabling device USB interface, 144
disabling login management Telnet login authentication, 49
displaying configuration files, 102
displaying device management configuration, 146
displaying file information, 90
displaying file system directory information, 89
displaying file system working directory, 89
displaying FTP client, 78
displaying FTP command help information, 78
displaying FTP server, 72
displaying ISSU, 123
displaying license, 162
displaying login management CLI login, 56
displaying preprovisioned settings, 163
displaying RBAC settings, 27
displaying software upgrade image settings, 111
displaying text file content, 91
downgrading software upgrade BootWare image, 109
editing CLI command line, 3
enabling CLI redisplay of entered-but-not-submitted command, 8
enabling configuration encryption, 96
enabling device copyright statement display, 131
enabling login management Telnet server, 49
enabling preprovisioning, 163
enabling RBAC default user role, 23
enabling software upgrade MPU synchronization, 110
entering CLI command, 3
entering CLI interface type value, 5
entering CLI string/text type argument value, 4
entering CLI system view from user view, 2
entering Python shell, 151
establishing FTP client connection, 75
executing Python script, 151
executing Tcl configuration view Comware command, 149
exiting Python shell, 151
extracting file, 91
extracting file system directory, 89
filtering CLI display command output, 11
formatting file system, 88
identifying ISSU method, 116
importing Python extended API, 153
installing ISSU software images (install commands), 120
logging in to login management SSH server (device), 56
logging in to login management Telnet server (device), 54
maintaining configuration files, 102
maintaining device management configuration, 146
maintaining FTP connection, 77
maintaining ISSU, 123
maintaining login management CLI login, 56
maintaining preprovisioned settings, 163
maintaining software upgrade image settings, 111
managing CLI display command output, 15
managing file system directories, 89
managing file system files, 90
managing file system+storage media, 87
managing FTP server directories, 76
monitoring device CPU usage, 141
mounting file system, 87
moving file, 91
numbering CLI display command output lines, 11
obtaining RBAC temporary user role authorization, 27
partitioning USB disk, 87
pausing between CLI output screens, 10
performing ISSU (install commands), 119
performing ISSU (issu commands), 117
preloading software upgrade BootWare image (in IRF mode), 107
preloading software upgrade BootWare image (in standalone mode), 106
preparing automatic configuration (interface), 169
preparing automatic configuration files (server-based), 166
preparing for software upgrade, 105
preparing ISSU upgrade image, 115
rebooting device, 134
rebooting device (CLI), 134
rebooting device (scheduled), 134
registering license, 160
releasing FTP server connection manually, 71
renaming file, 91
renaming file system directory, 89
repairing file system, 88
restoring device factory-default configuration, 146
restoring file, 92
restoring main next-startup configuration file, 101
restoring software upgrade BootWare image, 109
returning CLI user view, 2
returning to CLI upper-level view from any view, 2
rolling back ISSU running software image (install commands), 122
saving CLI display command output to file, 14
saving CLI running configuration, 15
saving running configuration, 97, 98
scheduling device management task, 135, 137
setting device memory alarm thresholds, 142
setting device port status detection timer, 141
setting device system operating mode, 133
setting file operation mode, 93
setting file system directory operation mode, 90
setting login management Telnet concurrent users max, 52
setting login management Telnet packet DSCP value, 52
specifying file system directory name, 86
specifying file system file name, 86
specifying next-startup configuration file, 99
specifying software upgrade startup image file (in IRF mode), 108
specifying software upgrade startup image file (in standalone mode), 107
terminating FTP connection, 78
transferring license, 161
troubleshooting FTP connection, 77
troubleshooting RBAC local user access permissions, 39
troubleshooting RBAC login attempts by RADIUS users fail, 39
understanding CLI command-line error message, 8
uninstalling ISSU patch images (install commands), 121
unmounting file system, 87
upgrading ISSU software images (install commands), 120
upgrading software (in IRF mode), 112
upgrading software (in standalone mode), 111
using automatic configuration (server-based), 165
using CLI command alias, 6
using CLI command history, 9
using CLI command history buffered commands, 10
using CLI command hotkey, 7
using CLI undo command form, 3
using Python language, 151
verifying device transceiver module, 145
verifying ISSU device operating status, 115
verifying ISSU software image (install commands), 123
viewing CLI display command output, 15
working with FTP server files, 76
Python
automatic configuration (HTTP server+Python script)(on switch), 175
automatic configuration (IRF setup)(on switch), 177
extended API, 153
extended API functions, 153
extended API functions (CLI class), 153
extended API functions (get_self_slot), 156
extended API functions (get_slot_info), 158
extended API functions (get_slot_range), 157
extended API functions (get_standby_slot), 156
extended API functions (Transfer class), 155
extended API import, 153
language use, 151
script execution, 151
shell entry, 151
shell exit, 151
R
RADIUS
RBAC RADIUS authentication user configuration, 29
RBAC temporary user role authorization, 36
RBAC
AAA authorization, 18
configuration, 16, 19, 27
default user role, 23
feature group configuration, 21
FIPS compliance, 19
local AAA authentication user configuration, 27
local AAA authentication user role, 24
non-AAA authentication user role, 24
non-AAA authorization, 18
permission assignment, 16
predefined user roles, 17
RADIUS authentication user configuration, 29
remote AAA authentication user role, 23
resource access policies, 17, 21
rule configuration restrictions, 20
settings display, 27
temporary user role authorization, 27
temporary user role authorization (HWTACACS authentication), 32
temporary user role authorization (RADIUS authentication), 36
temporary user role authorization configuration, 25
troubleshoot, 39
troubleshoot local user access permissions, 39
troubleshoot login attempts by RADIUS users fail, 39
user role assignment, 18, 23
user role authentication, 26
user role creation, 19
user role interface policy, 22
user role rule configuration, 20
user role rules, 16
user role VLAN policy, 22
user role VPN instance policy, 22
rebooting
device, 134
device (CLI), 134
device (scheduled), 134
recycle bin
file deletion, 92
redundancy
next-startup configuration file redundancy, 94
registering
license, 160
remote
FTP server authentication, 71
FTP server authorization, 71
RBAC remote AAA authentication user role, 23
renaming
file, 91
file system directory, 89
repairing
file system, 88
repeating
CLI command history buffered commands, 10
Representational State Transfer API. Use RESTful
resource
RBAC resource access policies, 21
RESTful
FIPS compliance, 59
login configuration (HTTP), 59
login configuration (HTTPS), 59
login management RESTful access configuration, 59
restoring
device factory-default configuration, 146
file, 92
main next-startup configuration file, 101
software upgrade BootWare image, 109
restrictions
days-restricted license, 159
file system management, 86
file system mount/unmount, 88
file system storage media, 87
ISSU upgrade, 117
license management, 159
permanent license, 159
RBAC rule configuration, 20
running configuration save, 97
software upgrade restrictions, 105
returning
CLI upper-level view from any view, 2
CLI user view, 2
role
login management CLI user roles, 44
RBAC default user role, 23
RBAC local AAA authentication user role, 24
RBAC non-AAA authentication user role, 24
RBAC predefined user roles, 17
RBAC remote AAA authentication user role, 23
RBAC temporary user role authorization, 25, 27
RBAC user role assignment, 18, 23
RBAC user role authentication, 26
RBAC user role creation, 19
RBAC user role interface policy, 22
RBAC user role rule configuration, 20
RBAC user role VLAN policy, 22
RBAC user role VPN instance policy, 22
Role-Based Access Control. Use RBAC
rolling back
ISSU running software image (install commands), 122
root
file system root directory, 85
routing
FTP configuration, 70
FTP server configuration (distributed devices in IRF mode), 73
FTP server configuration (distributed devices in standalone mode), 72
TFTP configuration, 82
rule
CLI command history buffering rules, 9
RBAC command rule, 16
RBAC feature execute rule, 16
RBAC feature group rule, 16
RBAC feature read rule, 16
RBAC feature write rule, 16
RBAC OID rule, 16
RBAC user role rule configuration, 20
RBAC XML element rule, 16
running configuration
CLI save, 15
commit delay, 99
device, 94
saving (fast mode), 97, 98
saving (safe mode), 97, 98
S
safe saving running configuration, 97, 98
safety
license file, 159
saving
CLI display command output to file, 14
CLI running configuration, 15
ISSU running configuration, 117
running configuration, 97, 98
scheduling
device management task, 135, 137
device reboot (scheduled), 134
scheme
login management CLI authentication mode, 44
login management CLI console/AUX scheme authentication, 46
scripting
automatic configuration (HTTP server+Python script)(on switch), 175
automatic configuration (HTTP server+Tcl script)(on switch), 174
automatic configuration script file (server-based), 167
Python extended API, 153
Python extended API functions, 153
Python extended API functions (CLI class), 153
Python extended API functions (get_self_slot), 156
Python extended API functions (get_slot_info), 158
Python extended API functions (get_slot_range), 157
Python extended API functions (get_standby_slot), 156
Python extended API functions (Transfer class), 155
Python extended API import, 153
Python language, 151
Python script execution, 151
security
configuration encryption, 96
device USB interface disable, 144
login management command accounting, 67, 68
login management command authorization, 65, 66
login management login control (Telnet, SSH), 61, 62
login management SNMP access control, 62, 64
login management user device access control, 61
RBAC configuration, 16, 19, 27
RBAC default user role, 23
RBAC feature group configuration, 21
RBAC local AAA authentication user configuration, 27
RBAC local AAA authentication user role, 24
RBAC non-AAA authentication user role, 24
RBAC permission assignment, 16
RBAC RADIUS authentication user configuration, 29
RBAC remote AAA authentication user role, 23
RBAC resource access policies, 21
RBAC temporary user role authorization, 25, 27
RBAC temporary user role authorization (HWTACACS authentication), 32
RBAC temporary user role authorization (RADIUS authentication), 36
RBAC user role assignment, 18, 23
RBAC user role authentication, 26
RBAC user role creation, 19
RBAC user role interface policy, 22
RBAC user role rule configuration, 20
RBAC user role VLAN policy, 22
RBAC user role VPN instance policy, 22
server
automatic configuration (HTTP server+Python script)(on switch), 175
automatic configuration (HTTP server+Tcl script)(on switch), 174
automatic configuration (IRF setup)(on switch), 177
automatic configuration (server-based)(on switch), 170
automatic configuration (TFTP server-based)(on switch), 170
automatic configuration DHCP server (server-based), 167
automatic configuration DNS server (server-based), 169
automatic configuration file preparation (server-based), 166
automatic configuration file server configuration (server-based), 166
automatic configuration gateway (server-based), 169
automatic configuration start (server-based), 169
automatic configuration use (server-based), 165
FTP configuration (distributed devices in IRF mode), 73
FTP configuration (distributed devices in standalone mode), 72
FTP server directory management, 76
setting
device memory alarm thresholds, 142
device port status detection timer, 141
device system operating mode, 133
file operation mode, 93
file system directory operation mode, 90
login management Telnet concurrent users max, 52
login management Telnet packet DSCP value, 52
shell
Python entry, 151
Python exit, 151
shell banner type, 132
single-line banner input method, 132
SNMP
access control, 62, 64
access management overview, 40
login management device access, 58
SNMPv1
login management SNMP device access, 58
SNMPv2
login management SNMP device access, 58
SNMPv3
login management SNMP device access, 58
software
upgrade. See software upgrade
BootWare image downgrade, 109
BootWare image preload (in IRF mode), 107
BootWare image preload (in standalone mode), 106
BootWare image restore, 109
BootWare image type, 103
CLI method, 103, 106
completion (in IRF mode), 108
completion (in standalone mode), 107
Comware Boot image type, 103
Comware image loading, 103
Comware image redundancy, 103
Comware image type, 103
Comware system image type, 103
configuration, 111
configuration (in IRF mode), 112
configuration (in standalone mode), 111
file naming, 103
image settings display, 111
image settings maintain, 111
ISSU, 114
ISSU (install commands), 119
ISSU availability identification, 115
ISSU feature status verification, 116
ISSU inactive software image deletion (install commands), 123
ISSU install commands, 127
ISSU IPE file decompression (install commands), 120
ISSU issu commands, 124
ISSU licensing requirements, 115
ISSU method identification, 116
ISSU performance (issu commands), 117
ISSU running software image rollback (install commands), 122
ISSU software image (install commands), 120
ISSU software image upgrade (install commands), 120
ISSU upgrade image preparation, 115
ISSU upgrade method, 116
methods, 105
MPU synchronization, 110
restrictions, 105
startup image file specification (in IRF mode), 108
startup image file specification (in standalone mode), 107
system startup, 104
specifying
file system directory name, 86
file system file name, 86
next-startup configuration file, 99
SSH
device as server configuration, 55
login configuration, 54
login control, 61, 62
login management overview, 40
server device login, 56
standby
software upgrade MPU synchronization, 110
starting
automatic configuration (server-based), 169
starting up
device configuration startup file selection, 95
next-startup configuration file, 99, 101
next-startup configuration file redundancy, 94
software upgrade BootWare image preload (in IRF mode), 107
software upgrade BootWare image preload (in standalone mode), 106
software upgrade configuration, 111
software upgrade configuration (in IRF mode), 112
software upgrade configuration (in standalone mode), 111
software upgrade MPU synchronization, 110
software upgrade startup image file specification (in IRF mode), 108
software upgrade startup image file specification (in standalone mode), 107
software upgrade system startup, 104
startup
device configuration, 94
storage
license management storage compression, 160
storage media
file system management, 84, 87
USB disk partition, 87
string type argument value (CLI), 4
synchronizing
software upgrade MPU, 110
system
software upgrade BootWare image downgrade, 109
software upgrade BootWare image restore, 109
software upgrade Comware image loading, 103
software upgrade Comware image redundancy, 103
software upgrade Comware system image type, 103
software upgrade startup process, 104
system administration
automatic configuration, 165
automatic configuration (HTTP server+Python script)(on switch), 175
automatic configuration (HTTP server+Tcl script)(on switch), 174
automatic configuration (IRF setup)(on switch), 177
automatic configuration (server-based)(on switch), 170
automatic configuration (TFTP server-based)(on switch), 170
automatic configuration DHCP server (server-based), 167
automatic configuration DNS server (server-based), 169
automatic configuration file preparation (server-based), 166
automatic configuration gateway (server-based), 169
automatic configuration start (server-based), 169
automatic configuration use (server-based), 165
CLI command abbreviation, 5
CLI command alias configuration, 6
CLI command alias use, 6
CLI command entry, 3
CLI command history, 9
CLI command history buffered commands, 10
CLI command hotkey configuration, 7
CLI command hotkey use, 7
CLI command line editing, 3
CLI command redisplay, 8
CLI command-line error message, 8
CLI display command output filtering, 11
CLI display command output line numbering, 11
CLI display command output management, 15
CLI display command output save to file, 14
CLI display command output viewing, 15
CLI interface type value, 5
CLI online help access, 2
CLI output control, 10
CLI running configuration save, 15
CLI string/text type argument value, 4
CLI system view entry from user view, 2
CLI undo command form, 3
CLI upper-level view return from any view, 2
CLI use, 1
CLI user view return, 2
CLI view hierarchy, 1
configuration file encryption, 96
configuration file formats, 95
configuration file management, 94
configuration file next-startup file delete, 101
device banner configuration, 132, 133
device banner input methods, 132
device banner types, 132
device BootWare menu access disable, 140
device configuration startup file selection, 95
device copyright statement display, 131
device CPU usage monitoring, 141
device factory-default configuration restore, 146
device hardware failure detection+protection, 145
device management, 130
device management task scheduling, 135, 137
device memory alarm thresholds, 142
device name configuration, 130
device password recovery capability disable, 140
device port status detection timer, 141
device reboot, 134
device reboot (CLI), 134
device reboot (scheduled), 134
device system operating mode, 133
device system time configuration, 130
device temperature alarm threshold, 144
device transceiver module diagnosis, 145, 146
device transceiver module verification, 145
device USB interface disable, 144
directory system file name specification, 86
file system, 84
file system (default), 85
file system common directories, 85
file system common file types, 85
file system directories, 85
file system directory management, 89
file system file management, 90
file system file name specification, 86
file system files, 85
file system location, 84
file system management, 84
file system naming conventions, 84
file system naming conventions (directory), 85
file system naming conventions (file), 85
file system+storage media management, 87
FTP configuration, 70
FTP server configuration (distributed devices in IRF mode), 73
FTP server configuration (distributed devices in standalone mode), 72
ISSU availability identification, 115
ISSU command set, 115
ISSU device operating status verification, 115
ISSU feature status verification, 116
ISSU inactive software image deletion (install commands), 123
ISSU install commands, 127
ISSU issu commands, 124
ISSU licensing requirements, 115
ISSU method identification, 116
ISSU patch image (install commands), 121
ISSU performance (issu commands), 117
ISSU running software image rollback (install commands), 122
ISSU software activate/deactivate (install commands), 122
ISSU software changes commit (install commands), 122
ISSU software image verification (install commands), 123
ISSU upgrade, 114
ISSU upgrade image preparation, 115
ISSU upgrade method, 116
login management CLI console authentication disable, 45
login management CLI console/AUX common line settings, 47
login management CLI console/AUX password authentication, 46
login management CLI console/AUX scheme authentication, 46
login management CLI local console port login, 44
login management CLI login authentication modes, 44
login management CLI login configuration, 43
login management CLI user lines, 43
login management CLI user roles, 44
login management command accounting, 67, 68
login management command authorization, 65, 66
login management console port login, 42
login management login control (Telnet, SSH), 61, 62
login management overview, 40
login management RESTful access (HTTP), 59
login management RESTful access (HTTPS), 59
login management RESTful access configuration, 59
login management SNMP access control, 62, 64
login management SSH device as server, 55
login management SSH login, 54
login management SSH server device login, 56
login management Telnet concurrent users max, 52
login management Telnet device as server, 49
login management Telnet login, 49
login management Telnet login authentication disable, 49
login management Telnet login password authentication, 50
login management Telnet login scheme authentication, 51
login management Telnet packet DSCP value, 52
login management Telnet server device login, 54
login management Telnet server enable, 49
login management Telnet VTY common line settings, 52
login management user device access control, 61
main next-startup configuration file backup, 100
main next-startup configuration file restoration, 101
next-startup configuration file redundancy, 94
next-startup configuration file specification, 99
preprovisioning configuration, 163
preprovisioning enable, 163
Python extended API, 153
Python extended API functions, 153
Python extended API import, 153
Python language, 151
Python script execution, 151
Python shell entry, 151
Python shell exit, 151
running configuration save, 97
software upgrade, 103, 106
software upgrade completion (in IRF mode), 108
software upgrade completion (in standalone mode), 107
Tcl configuration view Comware command execution, 149
Tcl device configuration, 149
Tcl usage, 149
TFTP configuration, 82
T
task scheduling (device management), 135, 137
Tcl
automatic configuration (HTTP server+Tcl script)(on switch), 174
configuration view Comware command execution, 149
device configuration, 149
use, 149
TCP
device as FTP client, 75
device as FTP server, 70
FTP client connection establishment, 75
FTP configuration, 70
FTP server configuration (distributed devices in IRF mode), 73
FTP server configuration (distributed devices in standalone mode), 72
IPv4 TFTP client configuration, 82
IPv6 TFTP client configuration, 83
TFTP configuration, 82
Telnet
concurrent users max, 52
device as server configuration, 49
login authentication disable, 49
login configuration, 49
login control, 61, 62
login management overview, 40
login password authentication, 50
login scheme authentication, 51
packet DSCP value, 52
server device login, 54
server enable, 49
VTY common line settings, 52
temperature
device temperature alarm threshold, 144
terminating
FTP connection, 78
text file content display, 91
text type argument value (CLI), 4
TFTP
automatic configuration, 165
automatic configuration (server-based)(on switch), 170
automatic configuration (TFTP server-based)(on switch), 170
automatic configuration DHCP server (TFTP server-based), 168
automatic configuration file server configuration (server-based), 166
automatic configuration start (server-based), 169
automatic configuration use (server-based), 165
configuration, 82
FIPS compliance, 82
IPv4 client configuration, 82
IPv6 client configuration, 83
threshold
device CPU usage monitoring, 141
device memory alarm thresholds, 142
device temperature threshold alarm, 144
time
device system time configuration, 130
timer
device port status detection, 141
tool command language. Use Tcl
transceiver
device module diagnosis, 145, 146
device module verification, 145
transferring
license, 161
Python extended API functions (Transfer class), 155
Trivial File Transfer Protocol. Use TFTP
troubleshooting
FTP connection, 77
RBAC, 39
RBAC local user access permissions, 39
RBAC login attempts by RADIUS users fail, 39
U
understanding
CLI command-line error message, 8
undo command form (CLI), 3
uninstalling
ISSU patch images (install commands), 121
unmounting
file system, 87
upgrading
ISSU, 114
ISSU software images (install commands), 120
software. See software upgrade
USB
device USB interface disable, 144
disk partitioning, 87
user
FTP user account change, 77
interface, 40. See also user line
interface login management Telnet VTY common line settings, 52
login management CLI user roles, 44
login management login control (Telnet, SSH), 61, 62
login management SNMP access control, 62, 64
login management user device access control, 61
user access
RBAC configuration, 16, 19, 27
RBAC feature group configuration, 21
RBAC local AAA authentication user configuration, 27
RBAC local AAA authentication user role, 24
RBAC non-AAA authentication user role, 24
RBAC permission assignment, 16
RBAC predefined user roles, 17
RBAC RADIUS authentication user configuration, 29
RBAC remote AAA authentication user role, 23
RBAC resource access policies, 21
RBAC temporary user role authorization, 25, 27
RBAC temporary user role authorization (HWTACACS authentication), 32
RBAC temporary user role authorization (RADIUS authentication), 36
RBAC user role assignment, 18, 23
RBAC user role authentication, 26
RBAC user role creation, 19
RBAC user role interface policy, 22
RBAC user role rule configuration, 20
RBAC user role rules, 16
RBAC user role VLAN policy, 22
RBAC user role VPN instance policy, 22
using
automatic configuration, 165
automatic configuration (server-based), 165
CLI, 1
CLI command alias, 6
CLI command history, 9
CLI command hotkey, 7
CLI undo command form, 3
device as FTP client, 75
device as FTP server, 70
Python extended API, 153
Python language, 151
Tcl, 149
V
verifying
device transceiver modules, 145
ISSU device operating status, 115
ISSU feature status, 116
ISSU software image (install commands), 123
viewing
CLI display command output, 15
CLI system view entry from user view, 2
CLI upper-level view return from any view, 2
CLI user view return, 2
CLI view hierarchy, 1
VLAN
RBAC user role VLAN policy, 22
RBAC VLAN access policy, 17
VPN
RBAC user role VPN instance policy, 22
RBAC VPN instance access policy, 17
VTY line settings, 52
W
working
file system working directory, 85
working directory
change, 89
display, 89
working with
FTP server files, 76