H3C WLAN Products Safety & Configuration Cautions and Guidelines-6W100


CLI-based configuration cautions and guidelines

Introduction

This guide contains important information that, if not understood or followed, can result in undesirable situations, including:

- Unexpected shutdown or reboot of devices or cards.
- Service anomalies or interruption.
- Loss of data, configuration, or important files.
- User login failure or unexpected logoff.

Only trained and qualified personnel are allowed to do the configuration tasks described in this guide.

Before you configure your device, read the information in this document carefully.

Configuration cautions and guidelines

| Feature | Command | Description | Usage guidelines |
|---|---|---|---|
| Login management | authentication-mode | Sets the authentication mode for a user line. | When the authentication mode is none, a user can log in without authentication. To improve device security, use the password or scheme authentication mode. An authentication mode change does not take effect on the current session. It takes effect on subsequent login sessions. |
| Login management | auto-execute command | Specifies the command to be automatically executed for a login user. | After configuring this command for a user line, you might be unable to access the CLI through the user line. Please use it with caution. |
| RBAC | interface policy deny | Enters interface policy view of a user role. | This command denies the access of the user role to any interfaces if the permit interface command is not configured. To restrict the interface access of a user role to a set of interfaces, configure the permit interface command. |
| RBAC | vlan policy deny | Enters VLAN policy view of a user role. | This command denies the access of the user role to any VLANs if no VLANs are specified by using the permit vlan command. To restrict the VLAN access of a user role to a set of VLANs, configure the permit vlan command. |
| FTP and TFTP | delete | Permanently deletes a file from the FTP server. | Make sure the file to delete is not in use before executing this command. |
| FTP and TFTP | rmdir | Permanently deletes a directory from the FTP server. | Make sure the directory to delete is not in use before executing this command. |
| File system management | delete [ /unreserved ] file | Deletes a file. | The delete /unreserved file command deletes a file permanently. The file cannot be restored. |
| File system management | format | Formats a file system. | Formatting a file system permanently deletes all files in the file system. If a startup configuration file exists in the file system, back up the file if necessary. |
| File system management | reset recycle-bin | Deletes files from the recycle bin. | A file moved to the recycle bin can be restored, but a permanently deleted file cannot. Make sure the files in the recycle bin will not be used any more before you execute this command. |
| File system management | rmdir | Deletes a directory. | To delete a directory, you must delete all files and subdirectories in the directory permanently or move them to the recycle bin. If you move them to the recycle bin, executing the rmdir command permanently deletes them. Make sure the files and subdirectories in the directory will not be used any more before you execute this command. |
| Configuration file management | configuration replace file | Rolls the running configuration back by using a local replacement configuration file. | Configuration rollback allows you to replace the running configuration with the configuration in a replacement configuration file without rebooting the device. A configuration rollback might cause service disruption. |
| Configuration file management | reset saved-configuration | Deletes a next-startup configuration file. | This command permanently deletes the specified next-startup configuration file from the device. |
| Configuration file management | save | Saves the running configuration to a configuration file. | If the file specified for this command already exists, the system prompts you to confirm whether to overwrite the file. |
| Device management | clock datetime | Sets the system time. | Use this command with caution. Changing the system time affects operations and features that are time sensitive or require time synchronization, such as task scheduling, log output, and statistics collection. |
| Device management | reboot | Reboots the device. | A reboot might interrupt network services. Use the force keyword only when the device fails or a reboot command without the force keyword cannot perform a reboot correctly. A reboot command with the force keyword might result in file system corruption, because it does not perform data protection. |
| Device management | restore factory-default | Restores the factory-default configuration for the device. | Use this command with caution. |
| IRF | undo port group interface | Removes the binding of a physical interface and an IRF port. | Use this command with caution. If the physical interface is the only up member interface of the IRF port, the IRF fabric will split after you remove the binding. |
| IRF | irf mac-address persistent | Configures IRF bridge MAC persistence. | An IRF bridge MAC address change causes transient traffic disruption. Use this command with caution. |
| IRF | irf member renumber | Changes the member ID of an IRF member device. | An IRF member ID change can invalidate member ID-related settings, including interface and file path settings, and cause data loss. Make sure you fully understand its impact on your live network. |
| IRF | undo irf member stack enable | Disables an IRF member device from receiving or sending IRF control packets. | The removed member device still operates in IRF mode and runs the original IRF settings. However, it does not send or receive IRF control packets. |
| Common interface settings | default | Restores the default settings for an interface. | The default command might interrupt ongoing network services. Make sure you are fully aware of the impacts of this command when you use it in a live network. |
| Common interface settings | shutdown | Shuts down an interface. | Use this command with caution. This command disables the interface from forwarding or receiving traffic. |
| Ethernet interface | port link-mode | Changes the link mode of an Ethernet interface. | Changing the link mode of an Ethernet interface also restores all commands (except shutdown and combo enable) on the Ethernet interface to their defaults in the new link mode. |
| ARP | reset arp | Clears ARP entries from the ARP table. | This command might increase the latency to send external traffic to users on LANs attached to the device. |
| DHCP | dhcp snooping deny | Configures a port to block incoming DHCP requests. | This command prevents the DHCP clients connected to the port from obtaining an IP address. Use this command on an interface only if no DHCP clients are attached to the interface. |
| DHCPv6 | ipv6 dhcp snooping deny | Configures a port to block incoming DHCPv6 requests. | This command prevents the DHCPv6 clients connected to the port from obtaining an IPv6 address or prefix. Use this command on an interface only if no DHCPv6 clients are attached to the interface. |
| Static routing | delete static-routes all | Deletes all static routes. | Use this command with caution. This command might cause forwarding failure. |
| IPv6 static routing | delete ipv6 static-routes all | Deletes all IPv6 static routes. | Use this command with caution. This command might cause packet forwarding failure. |
| ARP attack protection | arp scan | Triggers an ARP scan in an address range. | ARP scanning will take some time. To stop an ongoing scan, press Ctrl + C. Dynamic ARP entries are created based on ARP replies received before the scan is terminated. |
| Portal | portal authorization strict-checking | Enables strict checking on portal authorization information. | You can enable strict checking on authorized ACLs, authorized user profiles, or both. If you enable both strict ACL checking and user profile checking, the user will be logged out if either check fails. An ACL or user profile check fails when the authorized ACL or user profile does not exist on the device or fails to be deployed. |
| Portal | portal user-dhcp-only | Allows only users with DHCP-assigned IP addresses to pass portal authentication. | With this feature enabled, users with static IP addresses cannot pass portal authentication to come online. In an AC+fit network, this command takes effect only when the AC acts as a DHCP server. To ensure that IPv6 users can pass portal authentication when this feature is enabled, disable the temporary IPv6 address feature on terminal devices. |
| SSH | ssh server port | Specifies the SSH service port. | If you modify the SSH port number when the SSH server is enabled, the SSH service is restarted and all SSH connections are terminated after the modification. SSH users must reconnect to the SSH server to access the server. If you set the SSH port to a well-known port number, the service that uses the well-known port number might fail to start. Well-known port numbers are in the range of 1 to 1024. |
| AP management | undo wlan detect-anomaly enable | Disables service anomaly detection. | With this feature disabled, the AC cannot restart automatically if a service exception occurs. As a best practice, do not disable this feature. |
| AP management | undo wlan enable | Disables the WLAN function. | Disabling the WLAN function logs off all online APs. Please use this feature with caution. |
| DPI engine | inspect bypass | Disables the DPI engine. | Disabling the DPI engine might cause interruption of services using DPI profiles, such as security policy and application-based load balancing. |
| DPI engine | inspect activate | Activates the policy and rule configurations for DPI service modules. | This command stops DPI processing temporarily, which might cause interruption of services using DPI profiles, such as security policy and application-based load balancing. |
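
Several of the entries above describe settings that weaken security if they are left in a saved configuration. The following script is an added example, not part of the original H3C guide: it scans a saved configuration for four of those commands and reports the view each one appears in. The `line vty` view headers, the `#` separators, the one-space indentation and the choice not to flag port 22 are assumptions of this example.

```python
import re

# Settings the guide warns about; reason strings paraphrase its guidance.
RULES = [
    (re.compile(r"authentication-mode\s+none\b"), "login without authentication"),
    (re.compile(r"auto-execute\s+command\b"), "may block CLI access on this user line"),
    (re.compile(r"undo\s+wlan\s+detect-anomaly\s+enable\b"), "AC cannot auto-restart"),
    (re.compile(r"inspect\s+bypass\b"), "DPI engine disabled"),
]
SSH_PORT = re.compile(r"ssh\s+server\s+port\s+(\d+)\b")
STANDARD_SSH_PORT = 22  # assumption: the usual SSH port is not a collision

def audit(config_text):
    """Return (line_no, view, command, reason) for each risky command found."""
    findings = []
    view = "system"
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        cmd = raw.strip()
        if not cmd:
            continue
        if cmd == "#":               # assumed section separator: back to system view
            view = "system"
            continue
        if not raw[0].isspace():     # assumed layout: an unindented line opens a view
            view = cmd
        for pattern, reason in RULES:
            if pattern.match(cmd):
                findings.append((line_no, view, cmd, reason))
        m = SSH_PORT.match(cmd)
        port = int(m.group(1)) if m else 0
        if 1 <= port <= 1024 and port != STANDARD_SSH_PORT:
            findings.append((line_no, view, cmd, "well-known port in use by SSH"))
    return findings

# Constructed sample, not taken from a real device.
SAMPLE = """\
 ssh server port 80
#
line vty 0 4
 authentication-mode none
#
line vty 5 63
 authentication-mode scheme
#
 undo wlan detect-anomaly enable
"""
if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("line %d [%s] %s: %s" % finding)
```

Matching is anchored at the start of each command, so an `undo` form of a flagged command is not reported.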