Login
- Table of Contents
-
- H3C Comware 7 Security Products Safety & Configuration Cautions and Guidelines-6W100
- 00-Preface
- 01-Hardware Safety Guidelines
- 02-CLI-based configuration cautions and guidelines
- 03-Web-Based Configuration Cautions and Guidelines
- 04-Web-Based Configuration Cautions and Guidelines
- 05-Web-Based Configuration Cautions and Guidelines
- 06-Web-Based Configuration Cautions and Guidelines
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 02-CLI-based configuration cautions and guidelines | 79.31 KB |
CLI-based configuration cautions and guidelines
Introduction
This guide contains important information that if not understood or followed can result in undesirable situations, including:
· Unexpected shutdown or reboot of devices or cards.
· Service anomalies or interruption.
· Loss of data, configuration, or important files.
· User login failure or unexpected logoff.
Only trained and qualified personnel are allowed to do the configuration tasks described in this guide.
Before you configure your device, read the information in this document carefully.
Configuration cautions and guidelines
Feature |
Command |
Description |
Usage guidelines |
|
Login management |
authentication-mode |
Sets the authentication mode for a user line. |
When the authentication mode is none, a user can log in without authentication. To improve device security, use the password or scheme authentication mode. An authentication mode change does not take effect on the current session. It takes effect on subsequent login sessions. |
|
Login management |
auto-execute command |
Specifies the command to be automatically executed for a login user. |
After configuring this command for a user line, you might be unable to access the CLI through the user line. Please use it with caution. |
|
RBAC |
interface policy deny |
Enters interface policy view of a user role. |
This command denies the access of the user role to any interfaces if the permit interface command is not configured. To restrict the interface access of a user role to a set of interfaces, configure the permit interface command. |
|
RBAC |
security-zone policy deny |
Enters security zone policy view of a user role. |
This command denies the access of the user role to any security zones if no security zones are specified by using the permit security-zone command. To restrict the security zone access of a user role to a set of security zones, configure the permit security-zone command. |
|
RBAC |
vlan policy deny |
Enters VLAN policy view of a user role. |
This command denies the access of the user role to any VLANs if no VLANs are specified by using the permit vlan command. To restrict the VLAN access of a user role to a set of VLANs, configure the permit vlan command. |
|
RBAC |
vpn-instance policy deny |
Enters VPN instance policy view of a user role. |
This command denies the access of the user role to any VPN instances if no VPN instances are specified by using the permit vpn-instance command. To restrict the VPN instance access of a user role to a set of VPN instances, configure the permit vpn-instance command. |
|
FTP and TFTP |
delete |
Permanently deletes a file from the FTP server. |
Make sure the file to delete is not in use before executing this command. |
|
FTP and TFTP |
rmdir |
Permanently deletes a directory from the FTP server. |
Make sure the directory to delete is not in use before executing this command. |
|
File system management |
delete [ /unreserved ] file |
Deletes a file. |
The delete /unreserved file command deletes a file permanently. The file cannot be restored. The delete file command (without /unreserved) moves a file to the recycle bin unless it is executed on the default MDC to delete a file from a non-default MDC. |
|
File system management |
format |
Formats a file system. |
Formatting a file system permanently deletes all files in the file system. If a startup configuration file exists in the file system, back up the file if necessary. |
|
File system management |
reset recycle-bin |
Deletes files from the recycle bin. |
A file moved to the recycle bin can be restored, but a permanently deleted file cannot. Make sure the files in the recycle bin will not be used any more before you execute this command. |
|
File system management |
rmdir |
Deletes a directory. |
To delete a directory, you must delete all files and subdirectories in the directory permanently or move them to the recycle bin. If you move them to the recycle bin, executing the rmdir command permanently deletes them. Make sure the files and subdirectories in the directory will not be used any more before you execute this command. |
|
Configuration file management |
configuration replace file |
Rolls the running configuration back by using a local replacement configuration file. |
Configuration rollback allows you to replace the running configuration with the configuration in a replacement configuration file without rebooting the device. A configuration rollback might cause service disruption. |
|
Configuration file management |
configuration replace server file |
Enables remote configuration rollback. |
This command enables the device to download the replacement configuration file from the remote rollback server and roll back the running configuration immediately or schedule a rollback for a future date and time. A configuration rollback might cause service disruption. |
|
Configuration file management |
reset saved-configuration |
Deletes a next-startup configuration file. |
This command permanently deletes the specified next-startup configuration file from the device. |
|
Configuration file management |
save |
Saves the running configuration to a configuration file. |
If the file specified for this command already exists, the system prompts you to confirm whether to overwrite the file. |
|
ISSU |
issu commit |
Completes an ISSU upgrade to a compatible version. |
This command ends the ISSU process. When this command is completed, the ISSU status changes to Init and the ISSU process cannot be rolled back. |
|
ISSU |
reset install rollback oldest |
Clears ISSU rollback points. |
This command clears the specified rollback point and all rollback points older than the specified rollback point. |
|
Device management |
reboot |
Reboots the device. |
A reboot might interrupt network services. Use the force keyword only when the device fails or a reboot command without the force keyword cannot perform a reboot correctly. A reboot command with the force keyword might result in file system corruption, because it does not perform data protection. |
|
Device management |
restore factory-default |
Restores the factory-default configuration for the device. |
Use this command with caution. This command is disruptive. It clears the running configuration and data and deletes all files except .bin files and license files. The operation cannot be reverted. Use this command only when you cannot troubleshoot the device by using other methods, or when you want to use the device in a different scenario. |
|
IRF |
undo chassis convert mode |
Restores the standalone mode of a member device in an IRF fabric. |
Read the virtual technologies or IRF configuration guide for restrictions and guidelines before restore the standalone mode of a member device. This operation removes the member device from the IRF fabric. IP or bridge MAC conflict might occur after a member device is removed from an IRF fabric and operate as a standalone device on the network. You must change the IP address or bridge MAC settings to remove the conflict. |
|
IRF |
irf mac-address persistent |
Configures IRF bridge MAC persistence. |
IRF bridge MAC address change causes transient traffic disruption. Use this command with caution. |
|
IRF |
irf member renumber |
Changes the member ID of an IRF member device. |
IRF member ID change can invalidate member ID-related settings, including interface and file path settings, and cause data loss. Make sure you fully understand its impact on your live network. |
|
IRF (start topology) |
undo chassis convert mode |
Restores the standalone mode. |
Read the virtual technologies or IRF configuration guide for restrictions and guidelines before restore the standalone mode of a member device. This operation removes the member device from the IRF fabric. IP or bridge MAC conflict might occur after a member device is removed from an IRF fabric and operate as a standalone device on the network. You must change the IP address or bridge MAC settings to remove the conflict. |
|
IRF (start topology) |
irf mac-address persistent |
Configures IRF bridge MAC persistence. |
IRF bridge MAC address change causes transient traffic disruption. Use this command with caution. |
|
IRF (start topology) |
irf member renumber |
Changes the member ID of an IRF member device. |
IRF member ID change can invalidate member ID-related settings, including interface and file path settings, and cause data loss. Make sure you fully understand its impact on your live network. |
|
IRF (start topology) |
undo irf member stack enable |
Disables multimember stacking capability for an IRF member device. |
If multimember stacking capability is disabled for a device, the device cannot join an IRF fabric that contains other devices. |
|
Context |
undo context start |
Stops a context. |
Stop a context with caution. Stopping a context stops all services on the context and logs out all users on the context. To avoid configuration data loss, save the running configuration of a context before you stop the context. |
|
Context |
location blade-controller |
Adds a security engine to a security engine group. |
For the device to correctly process services, make sure the default security engine group has a minimum of one security engine. |
|
Common interface settings |
default |
Restores the default settings for an interface. |
The default command might interrupt ongoing network services. Make sure you are fully aware of the impacts of this command when you use it in a live network. |
|
Common interface settings |
shutdown |
Shuts down an interface. |
Use this command with caution. This command disables the interface from forwarding or receiving traffic. |
|
Ethernet interface |
port link-mode |
Changes the link mode of an Ethernet interface. |
Changing the link mode of an Ethernet interface also restores all commands (except shutdown and combo enable) on the Ethernet interface to their defaults in the new link mode. |
|
Ethernet interface, FC and FCoE |
port-type fc |
Switches the interface type between Layer 2 Ethernet and FC. |
This command removes the original interface, and then creates the target interface with the same number as the original interface. All commands on the original interface will be restored to their defaults on the new interface. |
|
3G and 4G modem management |
modem reboot |
Reboots a 3G/4G modem. |
Executing this command disconnects the 3G or 4G modem connection that has been established on the user line. |
|
ARP |
reset arp |
Clears ARP entries from the ARP table. |
This command might increase the latency to send external traffic to users on LANs attached to the device. |
|
NAT |
reset nat dynamic-load-balance |
Redistributes the dynamic NAT load on security engines. |
Use this command with caution because the command execution will cause a temporary traffic interruption. |
|
NAT |
reset nat static-load-balance |
Redistributes the static NAT load on security engines. |
Use this command with caution. This command will cause a temporary traffic interruption. |
|
ADVPN |
reset vam server address-map |
Clears IPv4 private-public address mapping information for VAM clients registered with the VAM server. |
Executing this command also clears IPv4 private network information for the private IPv4 addresses. Then, the system sends an error notification to VAM clients that have registered the private IPv4 addresses and logs off the clients. |
|
ADVPN |
reset vam server ipv6 address-map |
Clears IPv6 private-public address mapping information for VAM clients registered with the VAM server. |
Executing this command also clears IPv6 private network information for the private IPv6 addresses. Then, the system sends an error notification to VAM clients that have registered the private IPv6 addresses and logs off the clients. |
|
ADVPN |
reset vam client fsm |
Resets FSMs for VAM clients. |
After the FSM is reset for a VAM client, the client will immediately try to come online. |
|
ADVPN |
reset vam client ipv6 fsm |
Resets FSMs for IPv6 VAM clients. |
After the FSM is reset for an IPv6 VAM client, the client will immediately try to come online. |
|
Static routing |
delete static-routes all |
Deletes all static routes. |
Use this command with caution. This command might cause forwarding failure. |
|
IPv6 static routing |
delete ipv6 static-routes all |
Deletes all IPv6 static routes. |
Use this command with caution. This command might cause packet forwarding failure. |
|
IS-IS |
network-entity |
Configures the Network Entity Title (NET) for an IS-IS process. |
To avoid data loss, execute the network-entity command after the cost-style and is-level commands if you want to execute these three commands for the same IS-IS process. |
|
BGP |
label-allocation-mode |
Specifies a label allocation mode. |
Use this command with caution. A change to the label allocation mode enables BGP to re-advertise all routes, which will cause service interruption. |
|
BGP |
peer ignore |
Disables BGP session establishment with a peer or peer group. |
If a session has been established to a peer, executing this command for the peer tears down the session and clears all related routing information. If sessions have been established to a peer group, executing this command for the peer group disables the sessions to all peers in the group and clears all related routing information. |
|
BGP |
reset bgp |
Resets BGP sessions for the specified address family. |
This operation breaks down BGP sessions for a short period of time. |
|
BGP |
reset bgp all |
Resets all BGP sessions for all address families. |
This operation breaks down BGP sessions for a short period of time. |
|
IGMP |
igmp version |
Specifies an IGMP version on an interface. |
For IGMP to operate correctly, specify the same IGMP version for all devices on the same subnet. |
|
IGMP |
reset igmp group |
Clears dynamic IGMP multicast group entries. |
This command might interrupt multicast information transmission. |
|
MLD |
mld version |
Specifies an MLD version on an interface. |
For MLD to operate correctly, specify the same MLD version for all devices on the same subnet. |
|
MLD |
reset mld group |
Clears dynamic MLD multicast group entries. |
This command might interrupt IPv6 multicast information transmission. |
|
MPLS L3VPN, MCE |
ip binding vpn-instance |
Associates an interface with a VPN instance. |
This command or its undo form clears the IP address and routing protocol configuration on the interface. |
|
ARP attack protection |
arp scan |
Triggers an ARP scanning in an address range. |
ARP scanning will take some time. To stop an ongoing scan, press Ctrl + C. Dynamic ARP entries are created based on ARP replies received before the scan is terminated. |
|
Portal |
portal authorization strict-checking |
Enables strict checking on portal authorization information. |
You can enable strict checking on authorized ACLs, authorized user profiles, or both. If you enable both strict ACL checking and user profile checking, the user will be logged out if either checking fails. An ACL/user profile checking fails when the authorized ACL/user profile does not exist on the device or the ACL/user profile fails to be deployed. |
|
Portal |
portal user-dhcp-only |
Allows only users with DHCP-assigned IP addresses to pass portal authentication. |
With this feature enabled, users with static IP addresses cannot pass portal authentication to come online. In an AC+fit network, this command takes effect only when the AC acts as a DHCP server. To ensure that IPv6 users can pass portal authentication when this feature is enabled, disable the temporary IPv6 address feature on terminal devices. |
|
SSH |
ssh server port |
Specifies the SSH service port. |
If you modify the SSH port number when the SSH server is enabled, the SSH service is restarted and all SSH connections are terminated after the modification. SSH users must reconnect to the SSH server to access the server. If you set the SSH port to a well-known port number, the service that uses the well-known port number might fail to start. Well-known port numbers are in the range of 1 to 1024. |
|
DDoS protection |
anti-ddos detection-mode |
Sets the DDoS attack detection mode. |
The device might fail to identify DDoS attack packets during detection mode switchover. |
|
VRRP |
vrrp vrid shutdown |
Disables an IPv4 VRRP group. |
This command will cause the device to drop packets sent to the IPv4 VRRP group. Use this command only when necessary, for example, for purposes such as testing or troubleshooting. Bring the group up as soon as possible to restore services. |
|
VRRP |
vrrp ipv6 vrid shutdown |
Disables an IPv6 VRRP group. |
With this command configured, packets sent to the IPv6 VRRP group might be discarded. |
|
BFD |
bfd init-fail-timer |
Sets the delay timer for BFD to notify upper-layer protocols of session establishment failures. |
For session establishment failures caused by configuration mismatches at the two ends, this command can cause the upper-layer protocol to act incorrectly. Therefore, use this command with caution. BFD status mismatch and BFD authentication configuration mismatch are examples of configuration mismatches. |
|
Process placement |
placement reoptimize |
Applies configured process placement policies for optimizing process placement. |
After you execute this command, the system bases its placement decisions on the new process placement policies, hardware resources, and locations and states of active processes. If the new location for an active process is different from its current location, a process switchover is triggered. To prevent undesirable situations such as neighbor flapping in routing protocols, make sure backup features such as NSR and GR have been configured for the processes and they are in stable state. |
|
Process monitoring and maintenance |
monitor kernel deadloop action |
Specifies the action to be taken in response to a kernel thread deadloop. |
In most situations, use the default settings. Use this command only under the guidance of H3C Support. Inappropriate configuration can cause system breakdown. As a best practice, leave the default unchanged. |
|
DPI |
inspect bypass |
Disables the DPI engine. |
After you disable the DPI engine, packets will not be processed by DPI. This command can cause temporary service disruptions. As a best practice, execute this command after all DPI service policy and rule configurations are complete. |
|
DPI |
inspect activate |
Activates the policy and rule configurations for DPI service modules. |
This command can cause temporary service disruption. As a best practice, execute this command after all DPI service policy and rule configurations are complete. |
