CLI-based configuration cautions and guidelines
Introduction
This guide contains important information that, if not understood or followed, can result in undesirable situations, including:
· Unexpected shutdown or reboot of devices or cards.
· Service anomalies or interruption.
· Loss of data, configuration, or important files.
· User login failure or unexpected logoff.
Only trained and qualified personnel are allowed to do the configuration tasks described in this guide.
Before you configure your device, read the information in this document carefully.
Configuration cautions and guidelines
Feature | Command | Description | Usage guidelines |
---|---|---|---|
Login management | authentication-mode | Sets the authentication mode for a user line. | When the authentication mode is none, a user can log in without authentication. To improve device security, use the password or scheme authentication mode. An authentication mode change does not take effect on the current session. It takes effect on subsequent login sessions. |
Login management | auto-execute command | Specifies the command to be automatically executed for a login user. | After configuring this command for a user line, you might be unable to access the CLI through the user line. Please use it with caution. |
RBAC | interface policy deny | Enters interface policy view of a user role. | This command denies the access of the user role to any interfaces if the permit interface command is not configured. To restrict the interface access of a user role to a set of interfaces, configure the permit interface command. |
RBAC | vlan policy deny | Enters VLAN policy view of a user role. | This command denies the access of the user role to any VLANs if no VLANs are specified by using the permit vlan command. To restrict the VLAN access of a user role to a set of VLANs, configure the permit vlan command. |
FTP and TFTP | delete | Permanently deletes a file from the FTP server. | Make sure the file to delete is not in use before executing this command. |
FTP and TFTP | rmdir | Permanently deletes a directory from the FTP server. | Make sure the directory to delete is not in use before executing this command. |
File system management | delete [ /unreserved ] file | Deletes a file. | The delete /unreserved file command deletes a file permanently. The file cannot be restored. |
File system management | format | Formats a file system. | Formatting a file system permanently deletes all files in the file system. If a startup configuration file exists in the file system, back up the file if necessary. |
File system management | reset recycle-bin | Deletes files from the recycle bin. | A file moved to the recycle bin can be restored, but a permanently deleted file cannot. Make sure the files in the recycle bin will not be used any more before you execute this command. |
File system management | rmdir | Deletes a directory. | To delete a directory, you must delete all files and subdirectories in the directory permanently or move them to the recycle bin. If you move them to the recycle bin, executing the rmdir command permanently deletes them. Make sure the files and subdirectories in the directory will not be used any more before you execute this command. |
Configuration file management | configuration replace file | Rolls the running configuration back by using a local replacement configuration file. | Configuration rollback allows you to replace the running configuration with the configuration in a replacement configuration file without rebooting the device. A configuration rollback might cause service disruption. |
Configuration file management | reset saved-configuration | Deletes a next-startup configuration file. | This command permanently deletes the specified next-startup configuration file from the device. |
Configuration file management | save | Saves the running configuration to a configuration file. | If the file specified for this command already exists, the system prompts you to confirm whether to overwrite the file. |
Device management | clock datetime | Sets the system time. | Use this command with caution. Changing the system time affects operations and features that are time sensitive or require time synchronization, such as task scheduling, log output, and statistics collection. |
Device management | reboot | Reboots the device. | A reboot might interrupt network services. Use the force keyword only when the device fails or a reboot command without the force keyword cannot perform a reboot correctly. A reboot command with the force keyword might result in file system corruption, because it does not perform data protection. |
Device management | restore factory-default | Restores the factory-default configuration for the device. | Use this command with caution. |
IRF | undo port group interface | Removes the binding of a physical interface and an IRF port. | Use this command with caution. If the physical interface is the only up member interface of the IRF port, the IRF fabric will split after you remove the binding. |
IRF | irf mac-address persistent | Configures IRF bridge MAC persistence. | IRF bridge MAC address change causes transient traffic disruption. Use this command with caution. |
IRF | irf member renumber | Changes the member ID of an IRF member device. | IRF member ID change can invalidate member ID-related settings, including interface and file path settings, and cause data loss. Make sure you fully understand its impact on your live network. |
IRF | undo irf member stack enable | Disables an IRF member device from receiving or sending IRF control packets. | The removed member device still operates in IRF mode and runs the original IRF settings. However, it does not send or receive IRF control packets. |
Common interface settings | default | Restores the default settings for an interface. | The default command might interrupt ongoing network services. Make sure you are fully aware of the impacts of this command when you use it in a live network. |
Common interface settings | shutdown | Shuts down an interface. | Use this command with caution. This command disables the interface from forwarding or receiving traffic. |
Ethernet interface | port link-mode | Changes the link mode of an Ethernet interface. | Changing the link mode of an Ethernet interface also restores all commands (except shutdown and combo enable) on the Ethernet interface to their defaults in the new link mode. |
ARP | reset arp | Clears ARP entries from the ARP table. | This command might increase the latency to send external traffic to users on LANs attached to the device. |
DHCP | dhcp snooping deny | Configures a port to block incoming DHCP requests. | This command prevents the DHCP clients connected to the port from obtaining an IP address. Use this command on an interface only if no DHCP clients are attached to the interface. |
DHCPv6 | ipv6 dhcp snooping deny | Configures a port to block incoming DHCPv6 requests. | This command prevents the DHCPv6 clients connected to the port from obtaining an IPv6 address or prefix. Use this command on an interface only if no DHCPv6 clients are attached to the interface. |
Static routing | delete static-routes all | Deletes all static routes. | Use this command with caution. This command might cause forwarding failure. |
IPv6 static routing | delete ipv6 static-routes all | Deletes all IPv6 static routes. | Use this command with caution. This command might cause packet forwarding failure. |
ARP attack protection | arp scan | Triggers an ARP scanning in an address range. | ARP scanning will take some time. To stop an ongoing scan, press Ctrl + C. Dynamic ARP entries are created based on ARP replies received before the scan is terminated. |
Portal | portal authorization strict-checking | Enables strict checking on portal authorization information. | You can enable strict checking on authorized ACLs, authorized user profiles, or both. If you enable both strict ACL checking and user profile checking, the user will be logged out if either checking fails. An ACL/user profile checking fails when the authorized ACL/user profile does not exist on the device or the ACL/user profile fails to be deployed. |
Portal | portal user-dhcp-only | Allows only users with DHCP-assigned IP addresses to pass portal authentication. | With this feature enabled, users with static IP addresses cannot pass portal authentication to come online. In an AC+fit network, this command takes effect only when the AC acts as a DHCP server. To ensure that IPv6 users can pass portal authentication when this feature is enabled, disable the temporary IPv6 address feature on terminal devices. |
SSH | ssh server port | Specifies the SSH service port. | If you modify the SSH port number when the SSH server is enabled, the SSH service is restarted and all SSH connections are terminated after the modification. SSH users must reconnect to the SSH server to access the server. If you set the SSH port to a well-known port number, the service that uses the well-known port number might fail to start. Well-known port numbers are in the range of 1 to 1024. |
AP management | undo wlan detect-anomaly enable | Disables service anomaly detection. | With this feature disabled, the AC cannot restart automatically if a service exception occurs. As a best practice, do not disable this feature. |
AP management | undo wlan enable | Disables the WLAN function. | Disabling the WLAN function logs off all online APs. Please use this feature with caution. |
DPI engine | inspect bypass | Disables the DPI engine. | Disabling the DPI engine might cause interruption of services using DPI profiles, such as security policy and application-based load balancing. |
DPI engine | inspect activate | Activates the policy and rule configurations for DPI service modules. | This command stops DPI processing temporarily, which might cause interruption of services using DPI profiles, such as security policy and application-based load balancing. |
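The access-control cautions in the table (authentication-mode none, auto-execute command, a deny policy with no permit rule, and an SSH port in the well-known range) can be checked offline against a saved configuration file. The following is an added example, not vendor code; the section layout of the sample (`line vty`, `role name`, `#` separators, indented sub-commands) is an assumption, and the sample configuration is constructed.

```python
import re

# Constructed sample configuration (not from the page); the section layout
# ("line vty", "role name", "#" separators) is an assumed format.
SAMPLE_CONFIG = """\
line vty 0 4
 authentication-mode none
 auto-execute command telnet 192.0.2.10
#
line vty 5 63
 authentication-mode scheme
#
role name ops-readonly
 interface policy deny
 vlan policy deny
  permit vlan 10 to 20
#
ssh server port 443
"""

def audit(config_text):
    """Return (section, finding) tuples for the risky settings in the table."""
    sections, current = {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "#":
            current = None
        elif not line[0].isspace():          # unindented line opens a section
            current = line
            sections[current] = []
        elif current is not None:
            sections[current].append(line.strip())
    findings = []
    for name, body in sections.items():
        if "authentication-mode none" in body:
            findings.append((name, "login without authentication"))
        if any(c.startswith("auto-execute command") for c in body):
            findings.append((name, "auto-execute may block CLI access"))
        for kind in ("interface", "vlan"):
            denied = f"{kind} policy deny" in body
            permitted = any(c.startswith(f"permit {kind}") for c in body)
            if denied and not permitted:
                findings.append((name, f"role denied all {kind}s"))
        m = re.fullmatch(r"ssh server port (\d+)", name)
        # 22 is the SSH default; other ports in 1-1024 may collide with a service
        if m and 1 <= int(m.group(1)) <= 1024 and int(m.group(1)) != 22:
            findings.append((name, "SSH on a well-known port"))
    return findings
```

Calling `audit(SAMPLE_CONFIG)` reports the unauthenticated user line, its auto-execute command, the role with no permitted interfaces, and the SSH port; the role's VLAN policy is not flagged because a permit vlan rule is present.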