H3C SecPath M9000-AI-E Series

Release time:2024-11-28

 

H3C SECPATH9000EM-BLADEFWM9000E-CMW710-F9071P3401

Release Notes

 

Contents

Introduction
Version information
Version number
Version history
Hardware and software compatibility matrix
Upgrade restrictions and guidelines
Hardware feature updates
F9071P3401
Software feature and command updates
MIB updates
Operation changes
F9071P3401
Restrictions and cautions
Restrictions
RBM
IRF
NAT service and traffic redirecting
User-defined contexts
Non-default vSystems
Attack defense
Policies
DPI services
Redundancy groups and failover groups
Forwarding
Interface modules
Performance
ISSU
Cautions
Licensing
About licensing
Registering and installing licenses
Open problems and workarounds
List of resolved problems
Resolved problems in R9071P3401
Resolved problems in R9671P34
Resolved problems in R9671P30
Resolved problems in R9671P29
Resolved problems in R9671P2701
Resolved problems in R9671P2402
Resolved problems in F9071P23
Troubleshooting resources
Related documentation
Technical support
Appendix A Feature list
Appendix B Fixed security vulnerabilities
Fixed security vulnerabilities in F9071P0922
Fixed security vulnerabilities in F9071P0921 and earlier versions
Appendix C Upgrading software
Overview
Software types
Comware image redundancy
Upgrade methods
Upgrade restrictions and guidelines
Upgrading from the CLI without using ISSU
Preparing for the upgrade
Upgrading the BootWare image
Upgrading the Comware images
Installing patches
Upgrading Comware images from BootWare menus
Preparing for the upgrade
Using TFTP to upgrade software images through the management Ethernet port
Using FTP to upgrade software images through the management Ethernet port
Using Xmodem to upgrade software images from the console port
Upgrading BootWare from BootWare menus
Preparing for the upgrade
Using TFTP to upgrade BootWare through the management Ethernet port
Using FTP to upgrade BootWare through the management Ethernet port
Using Xmodem to upgrade BootWare from the console port
Handling software upgrade failures
Appendix D Using BootWare menus
Overview
BootWare menus
BootWare shortcut keys
Using the BASIC-BOOTWARE menu
Accessing the BASIC-BOOTWARE menu
Modifying serial port parameters
Upgrading the extended BootWare segment
Upgrading the entire BootWare
Running the primary extended BootWare segment
Running the backup extended BootWare segment
Accessing the BASIC ASSISTANT menu
Testing the memory
Using the EXTENDED-BOOTWARE menu
Accessing the EXTENDED-BOOTWARE menu
Controlling the password recovery capability
Running Comware images
Accessing the Serial submenu
Accessing the Ethernet submenu
Managing files
Restoring the factory-default configuration
Skipping the configuration file
Accessing the BootWare Operation submenu
Skipping console login authentication
Managing storage media
Accessing the EXTEND ASSISTANT submenu
Formatting the file system

 

 


List of tables

Table 1 Version history
Table 2 Hardware and software compatibility matrix
Table 3 MIB updates
Table 4 M9000-AI series hardware features
Table 5 M9000 series software features
Table 8 BootWare menus
Table 9 BootWare shortcut keys
Table 11 BASIC ASSISTANT menu options
Table 13 Serial submenu options
Table 16 File Control submenu options
Table 17 BootWare Operation submenu options
Table 18 EXTEND ASSISTANT submenu options

 


Introduction

This document describes the features, restrictions and guidelines, open problems, and workarounds for version F9071P34. Before you use this version on a live network, back up the configuration and test the version so that the software upgrade does not affect your live network.

Use this document in conjunction with H3C SECPATH9000EM-BLADEFWM9000E-CMW710-F9071P3401 Release Notes (Software Feature Changes) and the documents listed in "Related documentation."

Version information

Version number

Comware software, Version 7.1.064, Feature 9071P3401

Note: You can see the version number with the display version command in any view. Please see Note①.

Version history

Table 1 Version history

| Version number | Last version | Release date | Release type | Remarks |
|---|---|---|---|---|
| R9071P3401 | R9071P34 | 2024-09-27 | Release | Annual derivative release for FOA in the financial industry. |
| R9071P34 | R9071P30 | 2024-08-30 | Release | Annual derivative release. |
| R9071P30 | R9071P29 | 2024-04-26 | Release | Released for technical support. |
| R9071P29 | R9071P2701 | 2024-03-26 | Release | Released for technical support. |
| R9071P2701 | R9071P2402 | 2023-01-13 | Release | Released for technical support. |
| R9071P2402 | F9071P23 | 2023-07-30 | Release | Released for technical support. |
| F9071P23 | F9071P21 | 2023-06-30 | Feature | Released for technical support. |

 

Hardware and software compatibility matrix

CAUTION:

To avoid an upgrade failure, use Table 2 to verify the hardware and software compatibility before performing an upgrade.

 

Table 2 Hardware and software compatibility matrix

| Item | Specifications |
|---|---|
| Hardware platform | M9000-AI-E8, M9000-AI-E16 |
| Memory | MPU: 8 GB |
| | SecBlade module: 64 GB |
| Storage | MPU: 1 GB |
| | SecBlade module: 8 GB |
| BootWare version | E8 MPU: 158 |
| | E16 MPU: 158 |
| | SecBlade module: 1.02 |
| | (Note: Execute the display version command in any view to view the version information. Please see Note②) |
| Software images and their MD5 checksums | IPE files: |
| | SECPATH9000EM-CMW710-R9071P3401.ipe:a28ca91a04179f141c89f4305435ae79 |
| | BLADEFWM9000E-CMW710-R9071P3401.ipe:d5ca36297e6eaa7817b1be462c03dc68 |
| | BIN files: |
| | M9000E-CMW710-BOOT-R9071P3401.bin:5369eb2a0c5c4da0587cba1cfbec3535 |
| | M9000E-CMW710-SYSTEM-R9071P3401.bin:a66158d35ed22871f6859734ae14c682 |
| | BLADE4FWM9000-E-CMW710-BOOT-R9071P3401.bin:05fb12e575f966e34c7a81437d864fa4 |
| | BLADE4FWM9000-E-CMW710-SYSTEM-R9071P3401.bin:16db7aad2e1bff63c96d62f83b79f4d4 |
| iMC version | iMC PLAT 7.3 (E0705P12) (integrated with iMC-DM) |
| | iMC-EAD iMC EAD 7.3 (E0611P10) |
| | iMC-EIA(TAM) iMC EIA 7.3 (E0611P13) |
| | iMC-EIA(UAM) iMC EIA 7.3 (E0611P13) |
| | iMC PLAT 7.3 (E0705P12) (integrated with iMC-Icc) |
| | iMC-IVM iMC IVM 7.3 (E0506) |
| | iMC-MVM iMC MVM 7.3 (E0510) |
| | iMC-NTA iMC NTA 7.3 (E0707L06) |
| | iMC-PLAT iMC PLAT 7.3 (E0705P12) |
| | iMC-QoSM iMC QoSM 7.3 (E0505P01) |
| | iMC-SHM iMC SHM 7.3 (E0707L06) |
| | iMC-SSM(SSM) iMC SSM 7.3 (E0506H01) |
| | iMC-UBA UCenter E0707L06 |
| | iMC-VLAN iMC PLAT 7.3 (E0705P12) |
| iNode version | iNode PC 7.3 (E0585) |
| ADDC version | ADDC6.0 E6103 |
| ADNET-FCAPS version | ADNET-FCAPS E0709 |
| AOM version | AOM E0706P01 |
| ADE companion version | BLADEADEM9000AD-CMW710-F9071P08 or later, supported only by M9000-AI-E8 devices |
| Remarks | N/A |
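
The MD5 values in Table 2 can be checked on the staging host before an image is copied to the device. The following is an added example, not H3C tooling: it parses the "name:md5" entries of Table 2 and classifies every image file in a download directory, and the function names and the files used in demo() are constructed for illustration.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# "file name:MD5" pairs exactly as listed in Table 2 of these release notes.
RELEASE_NOTE_MD5 = """
SECPATH9000EM-CMW710-R9071P3401.ipe:a28ca91a04179f141c89f4305435ae79
BLADEFWM9000E-CMW710-R9071P3401.ipe:d5ca36297e6eaa7817b1be462c03dc68
M9000E-CMW710-BOOT-R9071P3401.bin:5369eb2a0c5c4da0587cba1cfbec3535
M9000E-CMW710-SYSTEM-R9071P3401.bin:a66158d35ed22871f6859734ae14c682
BLADE4FWM9000-E-CMW710-BOOT-R9071P3401.bin:05fb12e575f966e34c7a81437d864fa4
BLADE4FWM9000-E-CMW710-SYSTEM-R9071P3401.bin:16db7aad2e1bff63c96d62f83b79f4d4
"""

IMAGE_SUFFIXES = {".ipe", ".bin"}
ENTRY = re.compile(r"^(?P<name>[\w.-]+\.(?:ipe|bin))\s*:\s*(?P<md5>[0-9a-fA-F]{32})$")


def parse_manifest(text):
    """Turn 'name:md5' lines into {name: lowercase md5}; reject malformed lines."""
    manifest = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = ENTRY.match(line)
        if match is None:
            raise ValueError(f"not a 'name:md5' entry: {line!r}")
        name, digest = match["name"], match["md5"].lower()
        if manifest.setdefault(name, digest) != digest:
            raise ValueError(f"conflicting checksums for {name}")
    return manifest


def md5_of(path, chunk_size=1 << 20):
    """Hash in chunks so a large image is never read into memory at once.

    MD5 catches corrupted or truncated transfers; it is not collision
    resistant, so a match does not prove where the file came from.
    """
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_images(directory, manifest):
    """Return {file name: 'OK' | 'MISMATCH' | 'MISSING' | 'UNLISTED'}."""
    directory = Path(directory)
    report = {}
    for name, expected in manifest.items():
        candidate = directory / name
        if not candidate.is_file():
            report[name] = "MISSING"
        elif hmac.compare_digest(md5_of(candidate), expected):
            report[name] = "OK"
        else:
            report[name] = "MISMATCH"
    # Flag image files that the release notes do not list, so that a file
    # from another release is not loaded by accident.
    for candidate in sorted(directory.iterdir()):
        if (candidate.is_file() and candidate.suffix.lower() in IMAGE_SUFFIXES
                and candidate.name not in manifest):
            report[candidate.name] = "UNLISTED"
    return report


def demo():
    """Constructed files stand in for the real images, which are not bundled here."""
    good, bad = b"constructed image A", b"constructed image B"
    manifest = parse_manifest(
        f"good.ipe:{hashlib.md5(good).hexdigest()}\n"
        f"truncated.bin:{hashlib.md5(bad).hexdigest()}\n"
        f"absent.bin:{'0' * 32}\n")
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "good.ipe").write_bytes(good)
        Path(tmp, "truncated.bin").write_bytes(bad[:-1])  # simulated short transfer
        Path(tmp, "stray.bin").write_bytes(b"not in the manifest")
        return verify_images(tmp, manifest)


if __name__ == "__main__":
    print(len(parse_manifest(RELEASE_NOTE_MD5)), "images listed in Table 2")
    for name, status in demo().items():
        print(f"{status:9} {name}")
```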

 

Sample: To display the host software and BootWare version of M9000-AI-E8, perform the following:

RBM_P[E8-1]dis version

H3C Comware Software, Version 7.1.064, Feature 9071P3401

Copyright (c) 2004-2023 New H3C Technologies Co., Ltd. All rights reserved.

H3C SecPath M9000-AI-E8 uptime is 0 weeks, 1 day, 6 hours, 23 minutes

Last reboot reason : User reboot

 

Boot image: flash:/M9000E-CMW710-BOOT-R9071P3401.bin

Boot image version: 7.1.064, Feature 9071P3401

  Compiled Jun 12 2023 15:00:00

System image: flash:/M9000E-CMW710-SYSTEM-R9071P3401.bin

System image version: 7.1.064, Feature 9071P3401

  Compiled Jun 12 2023 15:00:00

 

LPU 1:

Uptime is 0 weeks,0 days,9 hours,13 minutes

H3C SecPath M9000-AI-E8 LPU with 1 ARM Processor

BOARD TYPE:         NSQM5MBSHA1

DRAM:               2048M bytes

PCB 1 Version:      VER.A

SUBCARD 1 PCB Version:VER.A

SUBCARD 2 PCB Version:VER.A

Bootrom Version:    100

CPLD 1 Version:     002

SUBCARD 1 CPLD Version:002

SUBCARD 2 CPLD Version:002

Release Version:    H3C SecPath M9000-AI-E8-9071P3401

Patch Version  :    None

Reboot Cause  :     UserReboot

PowChip Version:    001

SLOT 1 CPU 1

CPU type:           Multi-core CPU

DDR4 :              32752M bytes

FLASH:              7296M bytes

Board PCB Version:  Ver.A

CPLD Version:       2.0

Release Version:    SecBlade FW Enhanced-9071P3401

Basic  BootWare Version:1.04

Extend BootWare Version:1.04

SLOT 1 CPU 2

CPU type:           Multi-core CPU

DDR4 :              32752M bytes

FLASH:              7296M bytes

Board PCB Version:  Ver.A

CPLD Version:       2.0

Release Version:    SecBlade FW Enhanced-9071P3401

Basic  BootWare Version:1.04

Extend BootWare Version:1.04

SLOT 1 CPU 3

CPU type:           Multi-core CPU

DDR4 :              32752M bytes

FLASH:              7296M bytes

Board PCB Version:  Ver.A

CPLD Version:       2.0

Release Version:    SecBlade FW Enhanced-9071P3401

Basic  BootWare Version:1.04

Extend BootWare Version:1.04

SLOT 1 CPU 4

CPU type:           Multi-core CPU

DDR4 :              32752M bytes

FLASH:              7296M bytes

Board PCB Version:  Ver.A

CPLD Version:       2.0

Release Version:    SecBlade FW Enhanced-9071P3401

Basic  BootWare Version:1.04

Extend BootWare Version:1.04

 

LPU 2:

Uptime is 0 weeks,0 days,9 hours,13 minutes

H3C SecPath M9000-AI-E8 LPU with 1 ARM Processor

BOARD TYPE:         NSQM5MBSHA1

DRAM:               2048M bytes

PCB 1 Version:      VER.A

SUBCARD 2 PCB Version:VER.A

Bootrom Version:    100

CPLD 1 Version:     002

SUBCARD 2 CPLD Version:002

Release Version:    H3C SecPath M9000-AI-E8-9071P3401

Patch Version  :    None

Reboot Cause  :     UserReboot

PowChip Version:    001

SLOT 2 CPU 3

CPU type:           Multi-core CPU

DDR4 :              32752M bytes

FLASH:              7296M bytes

Board PCB Version:  Ver.A

CPLD Version:       2.0

Release Version:    SecBlade FW Enhanced-9071P3401

Basic  BootWare Version:1.04

Extend BootWare Version:1.04

SLOT 2 CPU 4

CPU type:           Multi-core CPU

DDR4 :              32752M bytes

FLASH:              7296M bytes

Board PCB Version:  Ver.A

CPLD Version:       2.0

Release Version:    SecBlade FW Enhanced-9071P3401

Basic  BootWare Version:1.04

Extend BootWare Version:1.04

 

LPU 3:

Uptime is 0 weeks,0 days,9 hours,13 minutes

H3C SecPath M9000-AI-E8 LPU with 1 ARM Processor

BOARD TYPE:         NSQM5MBSHA1

DRAM:               2048M bytes

PCB 1 Version:      VER.A

SUBCARD 1 PCB Version:VER.A

Bootrom Version:    100

CPLD 1 Version:     002

SUBCARD 1 CPLD Version:001

Release Version:    H3C SecPath M9000-AI-E8-9071P3401

Patch Version  :    None

Reboot Cause  :     UserReboot

PowChip Version:    001

 

MPU(M) 4:

Uptime is 0 weeks,0 days,9 hours,16 minutes

H3C SecPath M9000-AI-E8 MPU(M) with 1 XLP316 Processor

BOARD TYPE:         NSQM5SUP08A1

DRAM:               8192M bytes

FLASH:              1024M bytes

PCB 1 Version:      VER.A

Bootrom Version:    158

CPLD 1 Version:     003

CPLD 2 Version:     001

Release Version:    H3C SecPath M9000-AI-E8-9071P3401

Patch Version  :    None

Reboot Cause  :     UserReboot

 

MPU(S) 5:

Uptime is 0 weeks,0 days,9 hours,16 minutes

H3C SecPath M9000-AI-E8 MPU(S) with 1 XLP316 Processor

BOARD TYPE:         NSQM5SUP08A1

DRAM:               8192M bytes

FLASH:              1024M bytes

PCB 1 Version:      VER.A

Bootrom Version:    158

CPLD 1 Version:     003

CPLD 2 Version:     001

Release Version:    H3C SecPath M9000-AI-E8-9071P3401

Patch Version  :    None

Reboot Cause  :     UserReboot

 

NPU 6:

Upgrade restrictions and guidelines

·            During the upgrade to R9071P34, the BootWare will be automatically upgraded to version 1.05. During BootWare upgrade, do not reboot, remove, or insert a subcard.

·            The vCPU monitoring command on an M9KE service module does not monitor the interrupted core vCPU3. After the upgrade, you must reconfigure monitoring for the cores concerned.

·            Do not save the configuration if the IRF fabric splits during the upgrade process. If you do that, the configuration of the original dual-device IRF fabric will be lost.

·            SecPath M9000-AI-E8 and SecPath M9000-AI-E16 devices do not support ISSU.

·            If SSL VPN is configured on the device and the iNode version is earlier than E0570, you must also upgrade the iNode to a later version.

Hardware feature updates

F9071P3401

None.

Software feature and command updates

For more information about the software feature and command update history, see H3C SECPATH9000EM-BLADEFWM9000E-CMW710-F9071P3401 Release Notes (Software Feature Changes).

MIB updates

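Table 3 MIB updates

| Item | MIB file | Module | Description |
|---|---|---|---|
| R9071P3401 | | | |
| New | None | None | None |
| Modified | None | None | None |
| R9071P34 | | | |
| New | None | None | None |
| Modified | None | None | None |
| R9071P29 | | | |
| New | None | None | None |
| Modified | None | None | None |
| R9071P2701 | | | |
| New | None | None | None |
| Modified | None | None | None |
| R9071P2402 | | | |
| New | None | None | None |
| Modified | None | None | None |
| F9071P23 | | | |
| New | None | None | None |
| Modified | None | None | None |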

 

Operation changes

F9071P3401

None.

Restrictions and cautions

Before performing an upgrade, see H3C SECPATH9000EM-BLADEFWM9000E-CMW710-F9071P3401 Release Notes (Software Feature Changes) and related documentation to review the software feature changes and evaluate their impact on services.

 

 

NOTE:

SecBlade modules refer to NS-FWEMPA1 and NS-AFC2000EMPA1 service modules.

 

Restrictions

RBM

·            RBM stateful failover requirements:

¡  RBM stateful failover is mutually exclusive with IRF stateful failover.

¡  The two devices forming a stateful failover system must be the same model and must have the same types, numbers, and locations of installed cards.

¡  The two devices must be the same in the following aspects: system software version, system patch version, dynamically loaded component packages, signature library version, hash selection CPU mode, and hash factors.

¡  Firewall interfaces on the two devices must be the same in type, number, and link layer protocol type. If logical interfaces are involved, their interface number and member interface numbers must also be the same.

¡  If the service interfaces of a firewall operate at Layer 2, you must configure the service interfaces to operate in bridge mode as Layer 2 interfaces and assign them to the same VLAN.

¡  If the service interfaces of a firewall operate at Layer 3, the IP addresses of the service interfaces must be fixed. Therefore, the stateful failover feature cannot be used together with features that automatically obtain IP addresses, for example, PPPoE dialup and DHCP client.

¡  The configuration synchronization function takes effect on the primary device. More specifically, the commands executed on the configured primary device can be synchronized to the configured secondary device, and the commands executed on the configured secondary device cannot be synchronized to the configured primary device. Therefore, execute related configuration commands on the configured primary device.

¡  On an RBM network, for special requirements (the log host or other configurations that are synchronized by default but must be different on the two devices), when the active MPU is rebooted on a chassis or the whole chassis is rebooted, you must manually adjust the configurations.

·            During the system software upgrade or rollback process, the two devices can run different system software versions temporarily (R9153P24 and later, and exception branches are completely compatible with only R9153P1214).

·            RBM channel requirements:

¡  The HA channel interfaces are only used to transmit stateful failover-related packets, for example, heartbeat packets and backup packets. You cannot configure VRRP on HA channel interfaces, or redirect service packets to HA channel interfaces.

¡  Additionally, as a best practice, bind multiple physical interfaces into an aggregate interface, and use the aggregate interface as the heartbeat interface. In this way, you can improve the link reliability and increase the backup channel bandwidth.

¡  To successfully send the HA configuration backup packets and service entry backup packets, make sure the MTU of the interfaces is 1500 (the default value).

¡  RBM management channels cannot be bound to VPN instances.

¡  When you convert an IRF fabric to a dual-active RBM+track interface network, follow these restrictions and guidelines: After you convert the IRF standby device to an RBM device, bring up the RBM channel interfaces, wait for 10 minutes, and then connect uplink and downlink service interfaces.

¡  On a network with symmetric traffic, the RBM data channel bandwidth depends on the number of service modules and the total session setup rate. As a best practice, configure the channel bandwidth as (N+3)*10-GE interfaces, where N is the number of service modules.

¡  On a network with asymmetric dual-host traffic, the RBM data channel bandwidth depends on not only the number of service modules and the total session setup rate, but also the information to be exchanged between the primary and secondary hosts for the service. For example, if the DPI service is enabled, the DPI service needs to synchronize the data of each packet to the secondary host on a network with asymmetric dual-host traffic. In the extreme conditions, make sure the heartbeat interface bandwidth is consistent with the bandwidth for the uplink service traffic and downlink service traffic.

·            Collaboration with NAT

¡  On the RBM stateful failover network, NAT address pool probe is not supported.

¡  In the load sharing scenario for the RBM stateful failover network, when the NAT mode is PAT, you must execute the nat remote-backup port-alloc primary command on one host and execute the nat remote-backup port-alloc secondary command on the other host to equally divide the port resources in the address pool for the two devices to avoid port conflicts in the NAT address pool. When the NAT mode is NO_PAT, you must use two address pools. If you use only one address pool, resource allocation conflicts will occur.

¡  In the RBM stateful failover scenario, the NAT address pool cannot contain IP addresses of interfaces on the primary and secondary hosts. If the NAT address pool contains IP addresses of these interfaces, when an uplink device requests the ARP entry of an IP address in the address pool, both the primary host and secondary host respond, causing ARP conflicts. In a NAT policy, make sure the source or destination addresses do not contain the heartbeat interface IP address. Otherwise, the heartbeat link communication will fail because NAT is performed for heartbeat packets. On an RBM stateful failover network, if you use different address pools, the primary host and secondary host select which address pool to use by 5-tuple. If a 5-tuple cannot uniquely identify a host, you must use the interface splitting function.

¡  On an RBM stateful failover network in load sharing mode, address pools do not support the EIM mode. On an RBM stateful failover network, the easy IP mode is not supported.

¡  In the NAT traffic redirection scenario, if an LPU is restarted or installed, bulk configuration backup must be performed on the device configured with the primary RBM role to ensure flow entry consistency on the primary and secondary devices. More specifically, follow these restrictions and guidelines:

-       On an RBM primary/secondary network, after an LPU is restarted on the secondary device, you must manually perform bulk configuration backup on the primary device.

-       On an RBM primary/secondary network, after an LPU is restarted on the primary device, you must manually perform bulk configuration backup on the primary device before traffic is switched back to the primary device. In this case, some services might be interrupted on the secondary device.

-       On an RBM dual-primary network, after an LPU is restarted on the secondary device, you must manually perform bulk configuration backup on the primary device before the secondary device is restored to dual-primary.

-       On an RBM dual-primary network, after an LPU is restarted on the primary device, you must manually perform bulk configuration backup on the primary device before the primary device is restored to dual-primary. In this case, some services might be interrupted on the secondary device.

-       When LPUs or interface cards are expanded on an RBM primary/secondary network or dual-primary network, you must expand them first on the primary device and then on the secondary device. After the expanded LPUs are restarted on the secondary device, you must manually perform bulk configuration backup on the primary device.

·            Do not use dual-active mode in DPI scenarios, because the detection rate will be reduced in dual-active mode.

·            RBM cannot be used with AFT prefix-based traffic redirection.

·            RBM can transparently transmit fragments only by using Layer 3 forwarding or Layer 2 inline forwarding.

·            The RBM stateful failover feature supports vSystems.

¡  In a non-default vSystem, the configuration is inherited from the default vSystem. You can view the RBM state, but you cannot change the configuration.

¡  The VRRP role in a vSystem is the same as that in the default vSystem.

¡  When you configure VRRP for different subinterfaces on the same main interface and configure one subinterface as VRRP master and another as VRRP backup, assign unique VRIDs to the subinterfaces.

¡  On an RBM stateful network collaborating with VRRP or routing and tracking interfaces, the vSystems share an interface, and the interface is tracked in the default vSystem.

¡  In the RBM+shared context environment, creating or deleting interfaces on the controller will cause RBM flapping, and this issue is to be resolved through optimizing the security controller.

¡  An RBM network cannot collaborate with services in a custom engine group.

¡  With RBM configuration synchronization enabled, make sure the ID of an interface to be assigned to or deleted from a context is not adjacent to existing interface IDs. If interface ID adjacency is required, configure the secondary device prior to the primary device.

¡  If you track interfaces for RBM and the outgoing interface for static routes is an aggregate interface, use dynamic aggregation, and use the lacp default-selected-port disable command to disable the default selection feature of dynamic aggregation.

·            Other restrictions on RBM

¡  Make sure the interval between executing the switchover request command on an RBM network is longer than one minute. Otherwise, the route convergence is slow.

¡  In the DPI scenario, as a best practice, do not deploy the dual-active mode, which will reduce the detection ratio.

¡  The RBM network cannot be used together with the AFT prefix traffic redirection.

¡  On an RBM network, the transparent fragment forwarding function supports only pure Layer 3 forwarding and inline Layer 2 forwarding.

¡  An RBM dual-active network does not support the uplink/downlink per-packet mode (dual active dual uplink).

¡  In RBM dual-active mode, first execute the backup-mode dual-active command on the member device with the smaller local IP address, and then execute the command on the member device with the larger local IP address. Otherwise, the member device with the larger local IP address cannot transition to the active state without a fallback time configured.

¡  If you track interfaces for RBM, you cannot configure other module collaborations for RBM, such as tracked VLANs, VRRP, track entries, and link cost adjustment.

¡  When RBM tracks interfaces, connect the uplink and downlink service interfaces 10 minutes after the RBM channel is connected.

¡  If you track interfaces for RBM, after a simultaneous failure is recovered, wait for a delay-time or 500 seconds for the service to resume.

¡  You can only configure up to 16 tracked VLANs.

¡  If the device configuration file is large and the device has multiple CPUs, set the RBM switchback time to at least 30 minutes.

¡  On a dual-active hot backup system with asymmetric traffic, as the primary and secondary state machines are incomplete, the FIN aging time is set to 30 seconds by default, which creates a concurrent traffic size equal to the product of 30 and the session creation rate and consumes additional memory. If the concurrent traffic size exceeds 20 million, set the FIN aging time to 15 seconds.

¡  When RBM collaborates with VRRP, permit VRRP announcement messages (service vrrp) in the security policies.

¡  When RBM collaborates with VRRP, do not configure VRRP directly on a physical interface. Otherwise, when the related interface module of the primary member device restarts, the RBM role will be downgraded to secondary, followed by the restart of the switchback timer, resulting in abnormal RBM switchback after the timer expires.

¡  If you configure RBM active/standby mode with tracked VLANs, to achieve fast traffic switchovers, disable spanning tree on the upstream and downstream switches. Inline forwarding is not supported if tracked VLAN configuration exists.

¡  If RBM collaborates with dynamic routing protocols such as IS-IS and OSPF, the narrow mode of IS-IS (wide mode is not affected) does not support the redistribution of level-1, level-1-2, or level-2 direct routes. For OSPF, type 2 routes cannot be redistributed into the routing table. RBM cannot adjust the cost value of these route types on the secondary device, which will affect forwarding of the reverse traffic. The adjusted cost value cannot be too large. For example, the cost value for IS-IS cannot exceed 0xFE000000, and the cost value for OSPF cannot exceed 16777215. Otherwise, IPv6 routes cannot be advertised.

¡  Because the primary and secondary state machines are incomplete on an RBM network with asymmetric dual-host traffic, the FIN connection aging time is 30 seconds by default, which increases the concurrent connections by 30*connection setup rate and consumes more memory. If the number of concurrent connections exceeds 20 million, as a best practice, set the FIN connection aging time to 15 seconds on an asymmetric RBM network.

¡  RBM cannot synchronize the step configuration in ACLs. As a best practice, use the default step value.

¡  If you configure the RBM local and remote IPv6 addresses as mapped addresses, the RBM process will exit unexpectedly on a delete or refresh operation.

¡  Do not use 60066 as the destination port of RBM.

¡  Deleting a context does not trigger RBM role re-election.

¡  RBM does not guarantee AVC rule consistency in real time if the primary and secondary devices use AVC rules with the same ID and different names, or different IDs and same name. As a best practice, configure AVC rules on the primary device.

¡  In RBM dual-active mode, disable the deny session feature. If asymmetric traffic exists, return traffic might arrive at the secondary device before sessions or relation entries are backed up to the secondary device. As a result, the return traffic will match deny sessions and be dropped.

¡  After an RBM switchover, RBM will notify the BGP module to send out the changed cost value. If the peer route update interval is not configured, the default interval is 30 seconds for EBGP and 15 seconds for IBGP. After the BGP module sends an update message for the same route, it waits for another 30 seconds before sending a new update message. Therefore, make sure that the interval is greater than the BGP route update cycle if RBM switchover is performed manually.

¡  In an environment with RBM dual-active mode, session redirection, and asymmetric traffic, UDP packets might be sent to one chassis and the return packets are sent to the other chassis. On the former chassis, the session will not match traffic for a long period of time. After 30 seconds, the session will age out. In this case, only the latter chassis forwards traffic and services might be affected. This issue does not occur for TCP traffic.

¡  In RBM active/standby mode with contexts configured, if interface failure triggers RBM switchover on one chassis, the primary engine reboots on the other chassis. This is because the RBM process for contexts runs on the primary engine. In this case, transient flapping occurs on the RBM link.
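
The RBM requirement above that both devices match in card types and locations, system software version, and patch version can be checked offline from each device's display version output before the pair is formed. The following is an added example, not H3C tooling: the two outputs are constructed in the format of the sample earlier in this document, EXAMPLE-PATCH is a placeholder value, and only the fields named in TRACKED are compared.

```python
import re

# Section headers in `display version` output: "LPU 1:", "MPU(M) 4:", "SLOT 1 CPU 3".
BOARD = re.compile(r"^(?:LPU|NPU|MPU\([MS]\)) (?P<slot>\d+):$")
BLADE_CPU = re.compile(r"^SLOT (?P<slot>\d+) CPU (?P<cpu>\d+)$")
FIELD = re.compile(r"^(?P<key>[A-Za-z][\w ]*?)\s*:\s*(?P<value>\S.*)$")

# Fields that describe software, patch, and BootWare levels or the card model.
TRACKED = {
    "Boot image version", "System image version", "BOARD TYPE",
    "Release Version", "Patch Version", "Bootrom Version",
    "Basic BootWare Version", "Extend BootWare Version",
}


def parse_display_version(text):
    """Return {section: {field: value}}; lines before the first board go to 'chassis'."""
    sections = {"chassis": {}}
    current = sections["chassis"]
    for raw in text.splitlines():
        line = raw.strip()
        header = BOARD.match(line) or BLADE_CPU.match(line)
        if header:
            # The MPU(M)/MPU(S) role is dropped on purpose: it differs per chassis.
            name = f"slot {header['slot']}"
            if "cpu" in header.groupdict():
                name += f" cpu {header['cpu']}"
            current = sections.setdefault(name, {})
            continue
        field = FIELD.match(line)
        if field:
            key = " ".join(field["key"].split())  # "Basic  BootWare" -> "Basic BootWare"
            if key in TRACKED:
                current[key] = field["value"]
    return sections


def rbm_parity_diff(primary, secondary):
    """List (section, field, primary value, secondary value) for every mismatch."""
    diffs = []
    for section in sorted(set(primary) | set(secondary)):
        a, b = primary.get(section), secondary.get(section)
        if a is None or b is None:
            diffs.append((section, "board present", a is not None, b is not None))
            continue
        for field in sorted(set(a) | set(b)):
            if a.get(field) != b.get(field):
                diffs.append((section, field, a.get(field), b.get(field)))
    return diffs


# Constructed output, shortened from the sample format in this document.
PRIMARY_OUTPUT = """
Boot image version: 7.1.064, Feature 9071P3401
System image version: 7.1.064, Feature 9071P3401

LPU 1:
BOARD TYPE:         NSQM5MBSHA1
Bootrom Version:    100
Release Version:    H3C SecPath M9000-AI-E8-9071P3401
Patch Version  :    None
SLOT 1 CPU 1
Release Version:    SecBlade FW Enhanced-9071P3401
Basic  BootWare Version:1.04
Extend BootWare Version:1.04

LPU 2:
BOARD TYPE:         NSQM5MBSHA1
Patch Version  :    None

MPU(M) 4:
BOARD TYPE:         NSQM5SUP08A1
Bootrom Version:    158
Patch Version  :    None
"""

# Constructed peer: different patch on slot 1, newer BootWare, no card in slot 2.
SECONDARY_OUTPUT = """
Boot image version: 7.1.064, Feature 9071P3401
System image version: 7.1.064, Feature 9071P3401

LPU 1:
BOARD TYPE:         NSQM5MBSHA1
Bootrom Version:    100
Release Version:    H3C SecPath M9000-AI-E8-9071P3401
Patch Version  :    EXAMPLE-PATCH
SLOT 1 CPU 1
Release Version:    SecBlade FW Enhanced-9071P3401
Basic  BootWare Version:1.04
Extend BootWare Version:1.05

MPU(S) 4:
BOARD TYPE:         NSQM5SUP08A1
Bootrom Version:    158
Patch Version  :    None
"""

if __name__ == "__main__":
    mismatches = rbm_parity_diff(parse_display_version(PRIMARY_OUTPUT),
                                 parse_display_version(SECONDARY_OUTPUT))
    for section, field, left, right in mismatches:
        print(f"{section}: {field}: primary={left!r} secondary={right!r}")
```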

IRF

·            You must use transceiver modules and fibers for IRF links. The IRF physical interfaces must operate at 10 Gbps, 40 Gbps, or 100 Gbps.

·            You can bind a maximum of 16 physical interfaces to an IRF port.

·            In IRF mode, the IRF bridge MAC address of an IRF fabric does not change even after the address owner leaves the IRF fabric.

·            The physical interfaces on an interface module are grouped by interface number in order, starting from 1. Each group contains four physical interfaces. When you use the physical interfaces in a group for IRF links, follow these restrictions and guidelines:

¡  If you use one physical interface in a group as an IRF physical interface, the remaining physical interfaces in the group can only act as IRF physical interfaces. You cannot use them for any other purposes. To use a physical interface in a group for any purpose other than IRF physical interfaces, do not bind any of the interfaces in the group to an IRF port.

¡  You must shut down all physical interfaces in a group before you can assign or remove any of the interfaces to or from an IRF port. To bring up the interfaces after the assignment or removal is complete, execute the undo shutdown command.

NAT service and traffic redirecting

·            The capacity of flow entry learning is limited on each interface module. When the flow table is full, traffic redirection becomes abnormal. Make sure the flow table will not be full after the configuration is deployed. When the ACL resources are insufficient, a serial interface does not respond for a long time if the device deploys a large number of static NAT settings. Because the service module supports a limited number of flow entries, add address ranges with consecutive addresses to the NAT address pool. For example, specify the start IP address as 10.0.0.16 and the end IP address as 10.0.0.31.

·            The number of IP addresses in the NAT address pool cannot be less than twice the number of failover groups. A failover group can be automatic or manual. The type of the failover groups across the entire device must be the same.

·            If QoS traffic redirecting is used to redirect traffic to a Blade card, for successful traffic redirection, redirect the traffic to the automatic failover group instead of redirecting traffic to the card. The failover group, OpenFlow, and Blade card are in descending order of priority.

·            The hardware fast forwarding does not support forwarding based on VPN instance. This is because the switching chips on the interface modules are not VPN-aware, and the VPN instance information in OpenFlow entries is not deployed. If VPN instance information is configured in the QoS traffic redirection rule, the QoS rule cannot take effect. A packet arriving at an access port cannot match the VLAN information in the OpenFlow rules that carry VLAN information.

·            If NAT is configured on a Reth interface which is assigned to the user-defined context in shared mode, the device cannot issue OpenFlow entries.

·            In the software release, the public IP addresses in the static NAT mappings and the IP addresses in the public NAT address pool cannot overlap.

·            The NAT address pool members cannot include local interface address or virtual IP address of a VRRP group. In user context, when configuring VRRP groups for the subinterfaces of the same main interface, specify different VRIDs for the VRRP groups.

·            NAT ALG does not support ACG translation for fragments. For NAT ALG to function correctly, do not specify the GRE, ICMP, OSPF, TCP, or UDP protocol matching criteria in the ACL rules that are used to identify packets for NAT processing.

·            On an M9000, interfaces with NAT hairpin configured do not deploy traffic redirection rules. Therefore, load sharing among multiple Blade cards is not supported. The status of the interface that connects to the public network does not affect NAT hairpin. This is because the source and destination IP addresses of the packets are translated on the interface connected to the internal network.

·            AFT is not supported on VLAN interfaces, subinterfaces, Reth interfaces where a member interface is a subinterface, or interfaces that are assigned to a context in shared mode. If you configure AFT prefix translation, do not configure VPN instances on the interface. On one device, NAT and AFT cannot process the same packet. AFT does not support the previous hop keeping feature.

·            NAT66 prefix translation must be used together with QoS policies.

·            The device does not deploy flow entries for SSL VPN IP resources. Therefore, configure NAT or a traffic redirecting policy to enable the device to deploy flow entries for SSL VPN IP resources.

·            As a best practice, set the aging time for udp-ready no shorter than 3 seconds in the session aging-time state command.

·            When both the nat outbound address-group and bfd enable commands are executed on an interface, you must use the nat outbound acl command to perform NAT for only traffic matching the specified ACL and avoid performing NAT for BFD packets.

·            After you configure an IPv6-to-IPv4 source address translation policy in a non-default context and inject SIP-UDP traffic, the reverse packets of subsessions are lost because the relation entries and source port translation have exceptions.

·            When the ACL resources are insufficient, a serial interface is not responding for a long time if the device deploys a large number of static NAT settings.

·            Deleting addresses from an address pool in NO-PAT mode causes NO-PAT entry backup failure, which affects service traffic.

·            Disable configuration logging if you configure more than 10000 NAT server mappings.

·            If you specify an address object group for NAT configuration, make sure the address object group has only one object and the number of IP addresses in the address object group does not exceed 256. Object groups do not support nesting.

·            In a dynamic NAT444 scenario, make sure the port block size is greater than 1.

·            When you enable session flow redirection, follow these restrictions and guidelines:

¡  Session flow redirection cannot be applied to scenarios that require encapsulation and decapsulation, for example, IPsec, tunneling (includes GRE, PPPoE, L2TP, IPv6 over IPv4, IPv4 over IPv4, IPv4 over IPv6, IPv6 over IPv6, and ADVPN tunneling), SSL VPN, and MPLS.

¡  IRF does not support dual redundancy groups with dual failover groups.

¡  If you enable session flow redirection and NAT logging, the device generates session logs as follows:

-       If you enable NAT session establishment logging, the device generates logs for only forward NAT sessions.

-       If you enable active NAT flow logging and NAT session removal logging, the device generates logs for both forward and reverse NAT sessions.

¡  On networks where session flow redirection is enabled, if EIM PAT is used for address translation, configure the aggregation group to load share packets based on destination IP addresses.

¡  Before you re-enable session flow redirection, you must clear sessions. In scenarios enabled with session flow redirection, you must manually clear sessions when an IRF split or IRF merge occurs or you reinstall or restart a service module. This avoids service interruption.

¡  If you enable session flow redirection, do not configure NAT for services issued by the local device. For example, the local device issues an FTP or ping service and you specify the primary IP address of a non-output interface as the source address and configure NAT for the output interface. Such a scenario is not supported in the current software version.

¡  In the current software version, only the FTP, H323, and SIP-ALG services are supported.

¡  As a best practice, do not enable DPI, because the passthrough performance in DPI scenarios is low.

¡  SSL VPN and two-way proxy services are not supported.

¡  After you enable the session flow redirection and last hop holding features, the last hop backup feature is enabled globally by default. In such a scenario, the last hop holding feature only supports the FTP ALG and RTSP ALG services.

¡  Traffic forwarding based on MPLS static and LDP labels is supported. Steering session traffic to MPLS TE tunnels is not supported.

¡  Make sure the enabling status of the session flow redirection feature is consistent across all contexts (including default and non-default contexts) on the device.

User-defined contexts

·            Rebooting a context while a service module is in unstable state might cause exceptions. Before rebooting a context, use the display system stable state command to verify that all service modules are in Stable state.

·            The default Blade controller team must contain SecBlade security service modules in normal state. The multicast packets and broadcast packets are redirected to the default controller team. When the default controller team does not contain SecBlade service modules, multicast packets and broadcast packets cannot be processed. When multiple contexts exist on the device, if the security engine group used by contexts has multiple SecBlade service modules, the broadcast and multicast packets will be broadcast among each node, which causes high CPU usage. When contexts use shared interfaces, multicast traffic will be replicated among contexts, which causes high CPU usage.

·            When inband management is used, the controller or local manager will be stuck or lose management when the CPU usage is high because the forwarding services are busy.

Non-default vSystems

·            The creation or deletion of a non-default vSystem on the device will cause the traffic forwarded through fast forwarding on the device to be forwarded through slow forwarding.

·            User logs generated in the current vSystem version have incomplete information displayed due to the addition of VPN and other fields. This issue will be fixed in subsequent versions.

·            Non-default vSystems do not support previous hop holding in the current software version.

·            Non-default vSystems do not support DPI services in the current software version.

Attack defense

·            For an M9000, the global statistics for a service are collected and displayed on a per-engine basis, and the threshold setting is deployed per engine. For example, if you want to limit the number of connections on the device, set the threshold to the total connection limit divided by the number of engines.

·            If a static blacklist entry uses an object group, only IPv4 or IPv6 address object groups can be used.

·            Traffic can be forwarded through logic chips when attack defense is enabled. If Layer 7 flood detection, slow attack prevention, single-packet detection, and bidirectional TCP proxy are enabled in an attack defense policy, the device cannot forward traffic through logic chips. If only Layer 4 flood detection, threshold learning, and non-bidirectional TCP proxy are enabled in an attack defense policy, traffic can be forwarded through logic chips.

·            After you enable attack defense, attack prevention action changes apply to only newly established traffic and do not take effect on the traffic issued to logic chips.

Policies

·            Some configuration entries of interzone policies do not support policy acceleration, which affects the device forwarding performance. As a best practice, preferentially use security policies.

·            A security policy and a packet filter can be configured at the same time, but the former has higher priority over the latter.

·            An object policy and a packet filter can be configured at the same time, but the former has higher priority over the latter.

·            A security policy and an object policy cannot take effect at the same time. If the security-policy disable command is executed, the object policy takes effect. Otherwise, the security policy takes effect.

·            If an object policy is enabled with rule matching acceleration, an object policy rule takes effect even if the specified track entry is in Negative state.

·            Fast forwarding entries can be created for the following fields in a rule of an ACL used in a packet filter:

¡  Source/Destination IP address

¡  Source/Destination port number

¡  Protocol number

¡  VPN instance

¡  ICMP type

¡  ICMP code

If other fields that do not support fast forwarding are configured in the rule, the matching packets cannot be fast forwarded.

·            When acceleration is enabled for a security policy (acceleration is enabled by default) and object policy and a rule references nested service object groups, all source ports and destination ports are ORed. As a result, all traffic is forwarded.

·            For the used security zones to take effect, make sure the zone names do not contain hyphens (-).

·            URL category alone in a security policy does not support matching acceleration. To achieve acceleration, combine URL category settings with other attributes.

·            If you add a new IP address for a domain name specified in a security policy, it takes a few seconds for the IP address change to take effect in security policy-based policy filtering.

·            On a device with a large amount of security policy configurations, do not use move rule in security policy view during the restart process of a service module. If you do so, the command execution might get stuck.

·            The exclude command is not supported in an address object group if the address object group is used in a security policy rule.

DPI services

·            DPI services do not support stateful failover. DPI services cannot inspect packets correctly in a network that has asymmetric traffic.

·            After upgrading the software of a DPI service module, do not downgrade its signature library because earlier signature library versions might not be compatible with the software version. For successful signature library upgrade triggered at the CLI, make sure the device port used for the upgrade is not bound to a VPN instance.

·            It takes some time for the log and report data of DPI service modules to be displayed on the Web interface. The total size of the log and report data of a DPI service module is limited. When the limit is reached, new data will overwrite the oldest data by default.

·            APR cannot recognize the application layer protocol of packets transmitted across VPN instances. Signatures with regular expression-based match patterns in a user-defined NBAR rule cannot match packet data in the raw-body, raw-header, and raw-content fields that are transmitted in different TCP segments. The device starts APR statistics collection for packets after you configure APR settings on it. However, the APR settings do not take effect on packets already processed by the device, so application statistics collected for such packets might not be accurate.

·            Disabling the DPI engine on the default context also disables the DPI engine on all non-default contexts.

·            The display inspect status command can display the bypass by CPU busy state only on the default context. The bypass by cpu busy state indicates that the DPI engine is disabled because the device's CPU usage threshold is exceeded.

·            Deep packet inspection will be suspended in the following situations:

¡  The memory threshold is reached.

¡  The signature library is being upgraded.

¡  The CPU usage is high.

¡  The inspect active command is executed.

¡  The signature library is loaded during the active/standby switchover process.

·            Rollback is not supported if the device has DPI-related settings.

·            When the file name encoding in packets is a combination of UTF-8 and GB encoding, such as Russian, the NTOP logging might display abnormal results.

·            For the device with DPI-related settings, when an MPU or device restarts, the system might occasionally report LIPC alarms on DPI-related processes. This does not affect the system.

Redundancy groups and failover groups

·            When you configure redundancy groups and failover groups on a system formed by two M9000-AI-E gateways, make sure the following requirements are met:

¡  The deployment of interface modules and services modules is exactly the same on the gateways, including the module models and slot numbers.

¡  The nodes in a redundancy group each host a member of a failover group, and the failover group member on the high-priority node must be assigned the primary role.

¡  If multiple failover groups exist, their primary members must be on the same chassis.

·            If multiple security engine groups exist on a system formed by two M9000-AI-E gateways, configure manual failover groups for all of them or do not configure manual failover groups. If you configure manual failover groups for some of the security engine groups, the NAT configuration of the security engine groups not configured with manual failover groups cannot be issued to the kernel. If you configure manual failover groups, you must assign all security engine groups to the failover groups. Do not use automatic and manual failover groups together. If manual failover groups exist, you must add engine cards to ensure that NAT traffic can be forwarded.

·            When a card in a failover group reboots or a new card is installed on a system formed by two M9000 gateways, a batch session backup is performed. During session backup, the number of sessions might be different on the two gateways.

·            Connection limits are not available on a stateful failover system.

·            SecPath M9000-AI-E8 and SecPath M9000-AI-E16 devices do not support hot plugging or redundancy of switching fabric modules. Make sure both switching fabric modules are in place. You cannot power off a switching fabric module at the CLI. Do not plug switching fabric modules in the last two switching fabric module slots. If a switching fabric module fails during the operating process, the traffic that has been processed on the faulty switching fabric module will be affected.

Forwarding

·            When tunneling and PBR are configured together, do not redirect the original packets or encapsulated packets to the tunnel interface through PBR. When packets are forwarded by the tunnel interface, they are considered local packets after tunnel encapsulation. Therefore, they can match PBR and be redirected to the tunnel interface again. Then, the packets are encapsulated by the tunnel again. No matter how many times the packets enter the tunnel, IP forwarding still sends the packets to the tunnel interface according to PBR, and packets are cyclically processed between PBR and tunnel encapsulation. To avoid stack overflow, the tunnel drops packets after performing encapsulation for these packets six times. Eventually, packets fail to be forwarded.

·            After the previous IPv4 hop is kept, the source MAC address in the reverse traffic is the destination MAC address of the forward traffic, rather than the MAC address of the device interface. For multichannel protocols, the previous IPv4 hop keeping feature supports only FTP and RTSP. Keeping previous IPv6 hops is not supported.

·            When there are multiple egress interfaces, different egress interfaces must be assigned to different security zones. Otherwise, sessions are not deleted when egress interface switchover occurs, which will interrupt services.

·            When the default-next-hop command is used in a routing policy, the traffic will not be forwarded through hardware, and the service performance will degrade. Use the next-hop command instead.

·            The payload header fragmentation, ALG, and IPv6 SCTP forwarding features are not supported by the SCTP protocol.

·            In multicast scenarios, you must execute the context-capability inbound multicast total pps 0 command on the physical firewall.

·            After you configure inline forwarding, LLDP neighbors on the corresponding interface cannot learn information of the packets because the packets are directly transmitted transparently. Also, do not enable the spanning tree protocols.

·            As a best practice, do not use the following match criteria and actions in PBR because PBR cannot generate fast forwarding entries for them, which affects device performance:

¡  The if-match packet-length match criterion

¡  The if-match qos-local-id match criterion

¡  ACL that contains a rule with unconventional 6-tuple match fields

¡  The apply continue action

¡  The apply ip-df action

¡  The apply precedence action

¡  The apply default-next-hop action

¡  The apply default-output-interface action

¡  The apply default-srv6-policy action

¡  The apply access-vpn action with a non-first VPN selected

·            Do not use different types of interfaces for inbound and outbound traffic in the same network, for example, Layer 3 interface for inbound traffic and VLAN interface for outbound traffic.

·            The throughput limit set in a custom context applies only to traffic of the default vSystem and does not apply to traffic of vSystems created in the context.

·            In version 71SP, the command for the last hop backup feature changes to last-hop backup enable and this feature is enabled by default. Comparatively, in version 32/45SP, the command for the last hop backup feature is ip last-hop backup enable. As a result, when the software is upgraded from an earlier version to 71SP, the buildrun for this feature cannot be obtained.

Interface modules

·            All physical interfaces of the device are Ethernet interfaces. As a best practice, use the default network type (broadcast) for OSPF.

·            When adding interfaces to an aggregation group, add these interfaces one by one rather than in bulk through an interface range.

·            Mirroring restrictions and cautions

¡  The high-end security products support flow mirroring, and do not support port mirroring.

¡  The mirroring source ports and mirroring egress ports must be all physical ports.

¡  When a QoS policy is applied to an interface, the enhancement keyword must be specified.

¡  Flow mirroring is performed on interface cards, and does not affect service module performance.

¡  If traffic of multiple interfaces is mirrored to the same physical interface, the physical interface might operate at the full speed and generate back-pressure frames, which causes packet loss. No workaround through software is available for this problem in the current software version.

¡  Due to chip restrictions, you can configure up to four port mirroring configurations totally in the inbound and outbound directions on an interface module.

·            40-GE and 100-GE interfaces cannot be split.

·            Subcards do not support hot swapping.

·            10-GE interfaces on an interface module do not support autosensing 1000-Mbps transceiver modules or fiber-to-copper converters. When you use 1000-Mbps transceiver modules or fiber-to-copper converters, as a best practice to prevent the interfaces on both ends from failing to come up, execute commands to configure the 1000 Mbps speed and full duplex mode for the directly connected interface. When a fiber-to-copper converter is installed but no cable is installed in a 10-GE interface on an interface module, the local interface is displayed as up.

·            When using the port fec mode command on an interface, follow these restrictions and guidelines:

¡  If you need to replace a transceiver module after enabling FEC on an interface, as a best practice, change the FEC mode to autonegotiation unless you must enable FEC to meet special requirements. This is because forcibly enabling RS-FEC on an interface affects other transceiver modules installed in the interface afterward. For example, after you enable RS-FEC on an interface, if you replace an ER4-100G transceiver module with an LR4-100G transceiver module for the interface, the interface still behaves as if RS-FEC is forcibly enabled. As a result, the LR4-100G transceiver module cannot come up.

¡  When RS-FEC is enabled forcibly on an interface, FEC is restored to the default state after the card is cold/hot reset. In autonegotiation mode, you can re-configure FEC as needed.

Performance

·            The DNS aging time is modified to 30 seconds. You can modify the DNS aging time as needed to meet your special requirements.

·            On a Blade IV module, when the usage of a single core is high, the performance of the whole device will decrease suddenly. To resolve this issue, exclude the abnormal traffic and block packets dropped by QoS as soon as possible. If you cannot resolve this issue quickly, you can modify the forwarding mode to per-packet forwarding after evaluating the service.

·            The control plane rate-limits protocol packets on the local device. When attack packets appear on the live network or a large number of protocol packets are sent to the local device in the cloud multi-tenant scenario, packets will be dropped after they reach the rate limit. By default, the rate limit is 500 for ARP, each routing protocol, DHCP, management protocol to the local device, ICMP, multicast protocol, RADIUS, and VRRP separately, and the rate limit for all the other protocol packets matching the default rule is 1000.

ISSU

SecPath M9000-AI-E8 and SecPath M9000-AI-E16 devices do not support ISSU.

Cautions

·            QinQ packets with two layers of VLAN tags are not supported. To use a VLAN interface, make sure the Layer 2 interfaces in the corresponding VLAN are trunk or hybrid ports and receive VLAN-tagged packets. BFD MAD cannot be configured on VLAN interfaces.

·            NTP in multicast mode supports only the network segment address with the multicast address 224.0.1.x.

·            To log in to the Web interface by using an IE browser, make sure the IE version is 9.0 or later. A feature module cannot be configured both at the CLI and in the Web interface.

·            A management interface on an MPU only supports local management and access. You cannot use a management interface on an MPU to send logs or forward traffic. When the device is configured with NAT/ATK/DPI logs, if neither userlog nor customlog is configured, the logs are sent in the syslog format by default, which will cause low sending performance and high CPU usage. Service logs must be configured as fastlog rather than syslog.

·            On an MPLS network, when the device acts as a PE, it supports only popping labels.

·            Do not apply interface-level MQC traffic redirecting to the physical interfaces of a logical interface (tunnel interface, VLAN interface, Reth interface, physical subinterface, aggregate subinterface, VT interface, or VP interface) or aggregate interfaces. Otherwise, the second traffic redirection on the logical interface fails. You must apply global MQC traffic redirecting.

·            SSL VPN cannot configure IPv6 range-related services.

·            On the online MAC authentication user list page of the Web interface, the online user information displayed is inaccurate when you configure the list to display 200 entries per page. As a best practice, do not configure the list to display 200 or more entries per page.

·            MAC authentication does not support authorization VLAN, authorization ACL, or user profile.

·            The default unicast packet drop threshold is 95% in the vCPU. This feature is enabled by default in R9001P3003 and later.

·            To fix the CNVD-2019-27331 vulnerability, use the ssl version ssl3.0 tls1.0 disable command to manually disable ssl3.0 and tls1.0.

·            To fix the CNVD-2019-38486 vulnerability, use the ssl version ssl3.0 tls1.0 disable command to manually disable ssl3.0 and tls1.0.

·            To fix the CVE-2011-1473 vulnerability, use the ssl renegotiation disable command to manually disable renegotiation and then re-enable renegotiation to make related services take effect.

·            ARP MAD cannot be enabled on VLAN interface 1.

·            To configure ARP MAD, you must enable STP. Additionally, do not delete the Layer 2 aggregate interface used for ARP MAD.

·            To reduce load on MPUs, use an interface on an interface module to send traps and disable SNMP notifications for log messages.

·            If you want to configure more than 12000 ACL rules in one ACL, decrease the ACL step.

·            The management port can send only management logs. Use service ports to send other logs.

·            In a NAT server scenario, ICMP error messages might not be matched correctly.

·            ACL settings on the Web interface cannot be synchronized to the RBM backup host. As a best practice, configure ACL settings from the CLI.

·            After you configure 13000 rules in an ACL, adding an additional rule will take 6 to 7 seconds.

·            To perform advanced search for ACLs, as a best practice, use only addresses and wildcards.

·            If you configure both contexts and vSystems, do not manually clear session entries.

·            If the packet capture automatically stops due to insufficient storage space, you must manually delete the automatically configured QoS policy.

·            You can access the police management page without a license, but you cannot perform any configurations on the page.

·            A maximum number of 5120 host names can be configured in all address object groups.

·            Scanning the controller by using Burp Suite will cause the netconf process to be abnormal.

·            In the current software version, user log does not support v5 format.

·            SSL VPN-based access to certain websites (such as through WeCom) might fail due to technology differences on the websites and limited scenario coverage of web rewriting. Specific analysis is required by R&D.

·            In the current software version, the device cannot perform logical fast forwarding for GRE packets, resulting in high CPU usage on a single core.

·            The current software version does not support RBM channel negotiation with IPv6 addresses. Support for IPv6 will be added in the next version.

·            Layer 2 ACLs do not support software or hardware acceleration. Configuring too many Layer 2 ACLs will affect device performance.

·            The default web interface encoding method is GB18030. As a best practice, make sure the console encoding configuration is consistent with the Web interface encoding configuration to prevent occurrence of garbled characters when Chinese characters or special characters are deployed.

·            Executing the display hardware internal network-card command and similar commands on the device to collect underlying hardware information might cause CPU scheduling issues, affecting packet sending and receiving on the control platform and leading to dynamic neighbor flapping. As a best practice, do not execute such commands in the network.

·            The context solution is recommended for zero-trust delivery solutions. You need to provide SNs of all the service modules in the controller. If a module is replaced due to hardware failure, update its SN in the controller. To view SN information, use the display device manuinfo command.

·            In the current software version, capturing packets in the outbound direction of aggregate interfaces is not supported. You can capture packets only in the inbound direction for aggregate interfaces. This restriction does not apply to physical ports.

·            In an unstable environment, a manual card restart might cause service exception. Do not restart cards when the system is not operating stably. Before you restart cards, use display system stable state to verify that all the cards are in stable state.
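Several of the cautions and restrictions above can be checked mechanically against a saved configuration: the ssl version ssl3.0 tls1.0 disable command required for CNVD-2019-27331 and CNVD-2019-38486, the 3-second minimum for udp-ready aging, and the rule that security zone names must not contain hyphens. The following is an added example, not H3C code. The function name, check identifiers, and sample configuration are constructed for illustration, and it assumes the saved configuration shows the ssl version, session aging-time state udp-ready, and security-zone name commands as they are typed.

```python
"""Audit a saved configuration against cautions listed in these release notes."""

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
#
 ssl version ssl3.0 disable
#
 session aging-time state udp-ready 2
#
security-zone name Trust
#
security-zone name DMZ-web
#
"""

# Protocol versions the cautions say to disable (CNVD-2019-27331, CNVD-2019-38486).
MUST_DISABLE = {"ssl3.0", "tls1.0"}
# Best-practice minimum for the udp-ready session state, in seconds.
MIN_UDP_READY_SECONDS = 3


def audit(config_text):
    """Return a list of (check_id, detail) findings; an empty list means all checks passed."""
    findings = []
    disabled_versions = set()
    for raw in config_text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "#":
            continue
        # "ssl version <v1> [<v2> ...] disable": versions may be spread over several lines
        # or listed together with other versions, so collect them all before judging.
        if tokens[:2] == ["ssl", "version"] and tokens[-1] == "disable":
            disabled_versions.update(tokens[2:-1])
        # "session aging-time state udp-ready <seconds>" (assumed line form).
        elif tokens[:4] == ["session", "aging-time", "state", "udp-ready"]:
            if len(tokens) == 5 and tokens[4].isdigit():
                seconds = int(tokens[4])
                if seconds < MIN_UDP_READY_SECONDS:
                    findings.append(
                        ("udp-ready-aging",
                         f"{seconds}s is shorter than {MIN_UDP_READY_SECONDS}s"))
        # "security-zone name <zone>" (assumed line form): names with hyphens do not take effect.
        elif tokens[:2] == ["security-zone", "name"] and len(tokens) >= 3:
            if "-" in tokens[2]:
                findings.append(("zone-name-hyphen", tokens[2]))
    # A version that no "ssl version ... disable" line names is treated as still enabled.
    for version in sorted(MUST_DISABLE - disabled_versions):
        findings.append(("ssl-version-enabled", version))
    return findings


if __name__ == "__main__":
    for check_id, detail in audit(SAMPLE_CONFIG):
        print(f"{check_id}: {detail}")
```

A configuration that contains no ssl version line at all is reported with both ssl3.0 and tls1.0 as still enabled, because the cautions describe disabling them as a manual step.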

Licensing

About licensing

To use license-based features, you must purchase licenses from H3C and install the licenses.

For more information about license-based features and supported licenses, see H3C SecPath M9000 Series Products License Matrixes.

Registering and installing licenses

H3C License Management Platform provides product licensing services for H3C customers. You can access this system to obtain an activation file or transfer licenses.

H3C License Management Platform is accessible at http://www.h3c.com/en/License/.

For more information about license registration, activation file installation, and license transfer, see H3C Security Products Licensing Configuration Demonstration Video, H3C Security Products Licensing Configuration Demonstration, H3C Security Products Licensing Configuration Examples, and H3C Security Products Licensing Guide.

H3C provides license-related FAQ. For more information, see H3C Security Products Licensing FAQ.

Open problems and workarounds

202409031630

·            Symptom: In an RBM system, DNS snooping entries on the active and standby devices are different.

·            Condition: This symptom occurs if a configuration consistency check or bulk synchronization is triggered while a large number of DNS snooping entries are being synchronized.

·            Workaround: None. As a best practice, perform a configuration consistency check or bulk synchronization during off-peak business hours.

List of resolved problems

Resolved problems in R9071P3401

202409121613

·            Symptom: The oms process might get stuck, which blocks the RBM configuration workflow.

·            Condition: This symptom occurs if you restart the dpid process while the master device is bulk backing up a large amount of configuration to the backup device.

202409040014

·            Symptom: The DPI process exits unexpectedly.

·            Condition: This symptom occurs when you collect diagnostic logs.

202409031623

·            Symptom: The motherboard temperature threshold setting does not take effect.

·            Condition: This symptom occurs if you manually edit the motherboard temperature threshold setting.

202409090035

·            Symptom: You can successfully log in through SSH by using a wrong public key.

·            Condition: This symptom occurs if you use a public key with the ECDSA algorithm to perform SSH login.

202409120931

·            Symptom: When you view the NAT internal server policy, the Web page displays the information slowly.

·            Condition: This symptom occurs if you edit the dump size.

202409091750

·            Symptom: The interface index is assigned randomly and is inconsistent before and after a reboot.

·            Condition: This symptom occurs if the active Phytium ARM MPU is little-endian, while the blade module MIPS is big-endian, and they start with DBM.

Resolved problems in R9671P34

202408070472

·        Symptom: The SSL VPN service failed to start up.

·        Condition: This symptom might occur if flow redirection is enabled for SSL VPN IP access.

202407220239

·        Symptom: The T9000-E/M9000-E IRF fabric splits.

·        Condition: This symptom might occur if the global active MPU restarts.

202407191697

·        Symptom: The inspection report of the device contains low temperature alarms.

·        Condition: This symptom might occur if you execute the display alarm command to view alarm information.

202406240948

·        Symptom: The interface switch module on an IRF member device fails to start up when the member device restarts.

·        Condition: This symptom might occur if the interface switch module without IRF physical interfaces attempts to start up on an IRF member device when the member device restarts.

202407230625

·        Symptom: The security policy configurations between the active and standby devices are inconsistent in an RBM system.

·        Condition: This symptom might occur if you first add a security rule on the standby device, and then create another rule with the same name but a different ID on the active device.

202405310137

·        Symptom: The configuration inconsistency occurs between the active and standby devices in an RBM system.

·        Condition: This symptom might occur if the aft log port-block usage threshold command is executed on the active device.

202407290238

·        Symptom: The device is disconnected.

·        Condition: This symptom might occur if the dbm process becomes faulty due to device issues.

202408051134

·        Symptom: The CPU usage of the MPU is exceptionally high.

·        Condition: This symptom might occur if bulk backup is triggered on an RBM-based dual-active network.

Resolved problems in R9671P30

202404011667

·            Symptom: Failed to import the SSL VPN GM certificate.

·            Condition: This symptom occurs if the CA certificate does not carry an OID.

202404030050

·            Symptom: It takes a long time to search for security policies through NETCONF APIs.

·            Condition: This symptom occurs if you search for security policies based on non-index columns (for example, VRF).

202404021157

·            Symptom: Global NAT rules do not take effect.

·            Condition: This symptom might occur if the NAT process restarts.

202403011259

·            Symptom: Batch backup and real-time backup still take effect after you disable automatic RBM configuration backup.

·            Condition: This symptom occurs if you disable automatic RBM configuration backup.

202401302010

·            Symptom: The service module reports memory threshold alarms.

·            Condition: This symptom occurs if a large number of session relation entries age out.

202312011110

·            Symptom: A logic forwarding exception has occurred.

·            Condition: This symptom occurs if service traffic is encapsulated with GRE and IPsec.

Resolved problems in R9671P29

202402281547

·            Symptom: RBM is disconnected for one minute.

·            Condition: This symptom occurs when the RBM process is restarted.

202402260888

·            Symptom: On an RBM+VRRP network, the NAT service is abnormal.

·            Condition: This symptom might occur if the global NAT rule is bound to a VRRP group, and the public IP address is in the same subnet as the client's IP address.

202402060035

·            Symptom: The device is unresponsive.

·            Condition: This symptom might occur when the device processes abnormal Geneve packets.

202401311771

·            Symptom: The global NAT configuration does not take effect.

·            Condition: This symptom occurs if the global NAT rule references a nested object group.

202401310240

·            Symptom: After an endpoint goes offline, the endpoint information remains and cannot be manually or automatically cleared.

·            Condition: This symptom might occur when an endpoint goes offline normally.

202401101802

·            Symptom: A service module reboots unexpectedly.

·            Condition: This symptom might occur if you enable both the deny session and the last hop holding features, and view the fast forwarding table after a deny session is generated.

202401080181

·            Symptom: The PPTP service is not available.

·            Condition: This symptom might occur if you enable session flow redirection and configure NAT for PPTP.

202312211995

·            Symptom: An aggregation member port flaps.

·            Condition: This symptom occurs if you configure an LACP short timeout and manually clear session entries by using the reset session table command.

202312210866

·            Symptom: Device incorporation status changes.

·            Condition: This symptom might occur if you repeatedly log in and out of the firewall.

202312062224

·            Symptom: A service module reboots unexpectedly.

·            Condition: The symptom might occur if the qos gts command is executed on an interface.

202312051584

·            Symptom: RBM switchover is abnormal.

·            Condition: This symptom might occur if the device contains multiple service modules and is configured with a custom context, and one of the service modules restarts.

202311130174

·            Symptom: Signature library upgrade failed.

·            Condition: This symptom might occur if the device contains multiple service modules and a custom context, and the custom context is assigned a custom engine group.

202310190735

·            Symptom: OSPF neighbors go down.

·            Condition: This symptom occurs if the dns snooping log enable command is executed.

202310161657

·            Symptom: The device displays an alarm message of checksum error.

·            Condition: This symptom occurs when a Blade6 service module processes UDP packets with a checksum of 0.

Resolved problems in R9671P2701

202312120146

·            Symptom: The MPU of the M9000S device reboots unexpectedly.

·            Condition: The symptom occurs with a low probability in unspecific conditions.

202312081635

·            Symptom: The kernel of the MPU restarts unexpectedly.

·            Condition: The symptom occurs with a low probability in unspecific conditions.

202312041331

·            Symptom: The traffic statistics of a subinterface are incorrect.

·            Condition: This symptom occurs if a subinterface is configured with last hop holding.

202311171869

·            Symptom: The device prints an alarm for checksum errors in Layer 4 packets.

·            Condition: The symptom occurs when the device processes SIP UDP packets with an all-zero checksum.

202311170129

·            Symptom: The device has an NTP vulnerability.

·            Condition: This symptom occurs if vulnerabilities are scanned after NTP is configured.

Resolved problems in R9671P2402

202306291652

·            Symptom: In RBM active/standby mode, dual active devices appear after the active MPU on the standby device is rebooted.

·            Condition: This symptom occurs if the control channel is down.

202306260214

·            Symptom: In RBM active/standby mode, the configuration log is incorrect after the default preference of IPv6 static routes is modified, and the static routes cannot be synchronized to the standby device.

·            Condition: This symptom occurs if IPv6 static routes carry a preference.

Resolved problems in F9071P23

202306141073

·            Symptom: Configuration deployment was slow due to NETCONF connection timeout, and GET requests timed out.

·            Condition: This symptom might occur if you create an ACL with the security cloud SDK plugin, and returning the ACL rule ID times out in a multiuser concurrency situation.

202306120480

·            Symptom: In a network that uses RBM and virtual IP addresses, after the RBM primary device restarts and connects to the secondary device again, the IPv6 floating addresses of the two devices are sometimes both in preferred state.

·            Condition: This symptom might occur if a virtual IPv6 address is used, and the RBM primary device restarts.

202306080816

·            Symptom: Packets with the matching VLAN tag cannot be forwarded correctly.

·            Condition: This symptom might occur in the following conditions:

a.    Add a Layer 2 aggregate interface and VLAN interface to a user-defined context in shared mode.

b.    Delete the context and then create the context again.

c.    Send packets with the matching VLAN tag to the physical interface of the aggregate interface.

202306071606

·            Symptom: NAT ALG is not performed for RTSP packets. The RTSP video traffic cannot be forwarded.

·            Condition: This symptom might occur in the following conditions:

¡  Global NAT is configured to translate destination addresses.

¡  DPI is enabled, has detected an appchange event of RTSP, and has reported the event to the NAT service.

202305310602

·            Symptom: After you rename bandwidth rule A to B and then create a new rule, residual configurations exist within the rule and the rule operates abnormally.

·            Condition: This symptom occurs if you rename bandwidth rule A to B, and then create a new rule.

202305261080

·            Symptom: The MTU of the SSL VPN AC interface becomes 90 bytes.

·            Condition: This symptom occurs if the SSL VPN AC interface and the SSL VPN gateway have the same IP address and you use iNode to log on and log off multiple times.

202305261004

·            Symptom: When you access the FTP server on the IPv4 network from the IPv6 network, the FTP login succeeds but a data connection cannot be established, leading to FTP access issues.

·            Condition: This symptom might occur if the following conditions are met:

¡  VRRP+RBM networking and dual service cards are used.

¡  Global NAT64 v6tov4 is configured.

¡  The FTP server on the IPv4 network is accessed from the IPv6 network.

202305251980

·            Symptom: In the RBM dual-active scenario, the APT policy is used for file restoration on the primary device. If the device reaches the memory threshold, it stops traffic and waits for memory release. After some time, if a CPU's memory is not released, memory fragmentation occurs. Meanwhile, if a configuration rollback is performed in the environment, the interface management module might get stuck due to inability to obtain contiguous memory, resulting in the printing of numerous LIPC messages and inability to perform operations.

·            Condition: This symptom might occur if the business scenario involves sandbox file restoration and packets are sent to the service module until the memory threshold is reached.

202305230766

·            Symptom: On the M9KX device with the domestic MPU, the kdb process restarts abnormally on the MPU when you perform command line traversal in interface view.

·            Condition: This symptom occurs if you perform command line traversal on the device.

202305190118

·            Symptom: The M9KX device with the domestic MPU restarts when the ip address dhcp-alloc command is executed on the management interface.

·            Condition: This symptom occurs if you execute the ip address dhcp-alloc command on the management interface of the domestic MPU on the device.

 

Troubleshooting resources

To obtain troubleshooting resources for the product:

1.      Access Technical Documents at http://www.h3c.com/en/Technical_Documents.

2.      Select the device category and model.

3.      Select the Maintain or Maintenance menu.

Related documentation

·            H3C SecPath M9000-AI Multiservice Security Gateway Series Installation Quick Start

·            H3C SecPath M9000-AI Multiservice Security Gateway Series Installation Guides

·            H3C SecPath M9000 @CG@(V7)

·            H3C SecPath M9000 @CR@(V7)

Technical support

To obtain technical assistance, contact H3C by using one of the following methods:

·            Email:

[email protected] (countries and regions except Hong Kong, China)

[email protected] (Hong Kong, China)

·            Technical support hotline number. To obtain your local technical support hotline number, go to the H3C Service Hotlines website: https://www.h3c.com/en/Support/Online_Help/Service_Hotlines/

To access documentation, go to the H3C website at http://www.h3c.com/en/.


Appendix A Feature list

Hardware features

Table 4 M9000-AI series hardware features

Item                           M9000-AI-E16                                       M9000-AI-E8
Dimensions (H × W × D)         841.7 × 440 × 640 mm (33.14 × 17.32 × 25.20 in)    264 × 440 × 857 mm (31.38 × 17.32 × 33.74 in)
Weight                         < 187.2 kg (412.70 lb)                             < 87.4 kg (192.68 lb)
Switching fabric module slots  6                                                  2
Service module slots           16                                                 8

Available MPUs

NSQ1SUPB0

Supervisor engine module

Available switching fabric modules

NSQM5FAB16A1, type A

NSQM5FAB08A1, type A

Available service modules

·          Firewall modules:

¡  NS-FWEMPA1: H3C SecPath M9000-AI-E SecBlade V next-generation firewall A module (MP)

¡  NS-FWEMPA1: H3C SecPath M9000-AD SecBlade V application delivery engine A module (MP), available only on M9000-AI-E8 devices

¡  NS-ADEEMPC0: H3C SecPath M9000-AD SecBlade V application delivery engine C module (MP), available only on M9000-AI-E8 devices

·          Interface modules:

¡  NS-AFC2000EMPA1: H3C SecPath anomaly flow cleaner module, supported only by the M9000-AI-E8

¡  NS-C300-CGQ2TG16A1: H3C SecPath M9000-AI-E 2-port 100GE fiber (QSFP28) + 16-port 10GE fiber (SFP+) interface module

¡  NS-C300-QG4TG16A1: H3C SecPath M9000-AI-E 4-port 40GE fiber (QSFP+) + 16-port 10GE interface module

¡  NS-C300-TG24A1: H3C SecPath M9000-AI-E 24-port 10GE fiber (SFP+) interface module

¡  NS-C600-CGQ6A1: H3C SecPath M9000-AI-E 24-port 100GE fiber (QSFP28) interface module

¡  NSQM5MBSHA1: H3C SecPath M9000-E interface switching A module (SH)

Available transceiver modules and their max transmission distances

·          10-GE transceiver modules:

¡  SFP-XG-SX-MM850-A, 300 m (984.25 ft)

¡  SFP-XG-LH40-SM1550, 40 km (24.86 miles)

¡  SFP-XG-LX-SM1310, 10 km (6.21 miles)

·          40-GE transceiver modules:

¡  QSFP-40G-LR4-WDM1300, 10 km (6.21 miles)

¡  QSFP-40G-CSR4-MM850, 300 m (984.25 ft)

¡  QSFP-40G-SR4-MM850, 100 m (328.08 ft)

·          100-GE transceiver modules:

¡  QSFP-100G-SR4-MM850, 100 m (328.08 ft)

¡  QSFP-100G-LR4-WDM1300, 10 km (6.21 miles)

NOTE:

This table lists only the most commonly used transceiver modules and their max transmission distances. For more information about the transceiver modules and network cables, see the installation guide for the device.

Available power modules

PSR2400-54D-E: 2400 W DC power module

PSR2400-54A-E: 2400 W AC power module

PSR3000-54AHD-E: 3000 W AC&240V-380V high-voltage DC power module

PSR3000-54A-E: 3000 W AC power module

Temperature

Operating: 0°C to 45°C (32°F to 113°F)

Storage: –40°C to +70°C (–40°F to +158°F)

Humidity

Operating: 5% RH to 95% RH, non-condensing

Storage: 5% RH to 95% RH, non-condensing

 

Software features

Table 5 M9000 series software features

Each category below lists its features, followed by the remarks for each feature.

Network security features

·            AAA services: RADIUS and HWTACACS+ support. Domain-based authentication, authorization, and accounting.

·            Firewall: Packet filtering. Security zone-based access control. Time range-based access control. Advanced Stateful Packet Filter (ASPF). ICMP redirect or destination unreachable message attack detection. Tracert packet attack detection. Record route option attack detection for IP datagrams.

·            Security management: Attack real-time log. Blacklist log. Session log. Binary log. Traffic statistics and analysis. Security event statistics.

·            NAT: NAT address pool-based address translation. Easy IP. NAT Server. NAT ALG for multiple protocols or applications, such as FTP, DNS, QQ, MSN, H323, NBT, ILS, RTSP, SQLNET, SIP, RSH, and MGCP. NAT444.

Application security features

·            Application recognition: APR signature library. Port-based application recognition (PBAR). Network-based application recognition (NBAR). Application group.

·            Bandwidth management: Traffic profiles. Traffic policies and traffic rules. Interface bandwidth limit. Reports and logs.

·            IPS: IPS policies. IPS policy mode. IPS signatures. IPS signature actions. Reports and logs.

Load balancing features

·            Scheduling algorithms: Round robin algorithm. Weighted least connection algorithm. Random algorithm. Source IP address hash algorithm. Destination IP address hash algorithm. Source IP address and port hash algorithm.

·            Sticky entries: Source IP-based sticky entries. Destination IP-based sticky entries. Source port and IP-based sticky entries. Destination port and IP-based sticky entries. Sticky entries generated based on the source port and IP and the destination port and IP. HTTP header-based sticky entries. HTTP cookie-based sticky entries. HTTP content-based sticky entries. HTTP URL-based sticky entries. SSL session ID-based sticky entries.

·            Health monitoring: ICMP. TCP. HTTP. FTP.

VPN features

·            IPsec and IKE: Support for AH and ESP. Support for manual or IKE automatic security association establishment. ESP support for DES, 3DES, and AES encryption algorithms. Support for MD5 and SHA-1 authentication algorithms. Support for IKE main mode and aggressive mode. Support for DPD. Support for NAT traversal.

·            L2TP: Support for the L2TP protocol.

·            GRE: GRE tunneling.

Network protocols

·            LAN protocols: Ethernet_II. VLAN.

·            IP services: ARP. Static DNS. IP unnumbered. DHCP relay. DHCP server. DHCP client.

·            IP routing: Static routing. RIPv1 and RIPv2. OSPF. BGP. Routing policies. Policy-based routing.

IPv6 features

·            IPv6 basics: Protocol processing. Ethernet link layer implementation. ICMPv6. IPv6 address management. PMTU. Socket. IPv6 TCP. IPv6 UDP. IPv6 RawIP. IPv6 ping. IPv6 DNS. IPv6 tracert. IPv6 Telnet. IPv6 FIB. DHCPv6 client. DHCPv6 server. DHCPv6 relay.

·            IPv6 routing and multicast: RIPng. OSPFv3. BGP4+. Static routing. Policy-based routing. PIM-SM. PIM-DM.

·            IPv6 security: Network Address Translation-Protocol Translation (NAT-PT). IPv6 packet filtering. RADIUS.

High availability features

·            VRRP: Support for VRRP to improve the link availability of gateways.

·            Stateful failover: Session hot backup. Asymmetric path.

·            IRF: Support for IRF. IRF virtualizes multiple physical devices at the same layer into one virtual fabric to provide data center class availability and scalability. IRF virtualization technology offers processing power, interaction, unified management, and uninterrupted maintenance of multiple devices.

Configuration management features

·            CLI-based configuration: Support for local configuration through the console port. Support for local or remote configuration through Telnet or SSH. Support for command authorization to control access to commands and ensure that only authorized users can configure the device. Support for debugging features to troubleshoot network failures. Support for tools to diagnose the status and connectivity of the network, such as ping and tracert. Support for Telnet commands to Telnet to and manage other network devices. Support for FTP server or client to upload or download files such as configuration files and application files. Support for TFTP to upload or download files. Support for logging features. Support for file system management. Support for user line configuration and multiple authentication and authorization methods for users that log in to the device through user lines.

·            SNMP-based configuration: Support for standard SNMPv3. Compatible with SNMPv2c and SNMPv1.

·            NTP: Support for NTP clock synchronization.

 


Appendix B Fixed security vulnerabilities

Fixed security vulnerabilities in F9071P0922

None.

Fixed security vulnerabilities in F9071P0921 and earlier versions

·            [HSVD-201709-002] CVE-2019-3855: An attacker can exploit this vulnerability to execute unauthorized operations.

·            [HSVD-201903-017] CVE-2019-3855: An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 in the way packets are read from the server. libssh2 is a client-side C library implementing the SSH2 protocol. A remote attacker who compromises an SSH server may be able to execute code on the client system when a user connects to the server.

·            [HSVD-201904-001] TCP/IP SYN + FIN packet filtering vulnerability: A remote host does not discard TCP SYN packets with the FIN flag set. An attacker might bypass the firewall, depending on the type of firewall used.

·            [HSVD-201902-001] A remote host can exploit the TCP timestamp vulnerability to obtain the online time.

·            [HSVD-201901-016] CVE-2019-0548: A Linux kernel vulnerability that can cause information disclosure.

·            [JavaScript library vulnerability]: Internal IP addresses in destination URLs might be revealed.

·            [CVE-2020-10188]: utility.c in telnetd in netkit telnet through 0.17 allows remote attackers to execute arbitrary code via short writes or urgent data, because of a buffer overflow involving the netclear and nextitem functions.

·            [Web JavaScript vulnerability]: A medium-risk vulnerability found during Web vulnerability scanning.

·            [Web CSRF vulnerability]: A CSRF vulnerability was found on the SSL VPN Web login interface.

·            [HTTP method vulnerability]: An attacker can use the OPTIONS method to determine the HTTP methods allowed by each directory.

·            [CRLF injection vulnerability]: This vulnerability can be exploited when an HTTP request contains a user-configured domain in the cookies or the request is GET /enterdomain.cgi?domain=%0d%0aSomeCustomInjectedHeader:%0d%0aset-cookie:iamyy HTTP1/1.

·            [CNVD-2019-38485] CVE-2019-1547: An attacker can exploit this vulnerability to obtain sensitive information.

·            [CNVD-2019-38486] CVE-2019-1563: In situations where an attacker receives automated notification of the success or failure of a decryption attempt, an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key.

·            [CNVD-2017-00450] CVE-2016-7056: A timing attack flaw was found in OpenSSL 1.0.1u and before that could allow a malicious user with local access to recover ECDSA P-256 private keys.

·            [CNVD-2018-06539] CVE-2018-0739: Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack.

·            [CNVD-2019-05906] CVE-2019-1559: An attacker can exploit this vulnerability to bypass access controls and obtain sensitive information.

·            [CNVD-2018-09649] CVE-2018-0737: An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key.

·            [CNVD-2018-12153] CVE-2018-0732: An attacker can exploit this vulnerability to launch a DoS attack.

·            [CVE-2018-5407]: This vulnerability is related to OpenSSL. An attacker can exploit this vulnerability to obtain sensitive information and launch more attacks.

·            [X-Frame-Options vulnerability]: A missing X-Frame-Options header can cause a clickjacking attack.

·            [CVE-2014-3566]: The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, also known as the "POODLE" issue.

·            [CVE-2021-23841/CVE-2021-23840/CVE-2020-1971]: This vulnerability is related to OpenSSL. The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp that compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly and NULL pointer dereference might occur when both GENERAL_NAMEs contain an EDIPARTYNAME.
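
The CRLF injection item in the list above quotes a request whose domain parameter carries %0d%0a sequences. The following Python code is an added example, not H3C code: it flags such values in captured request lines and Cookie headers, decoding repeatedly so that nested percent-encoding is also caught. The sample records and all function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample records: (request line, Cookie header value). Not real traffic.
SAMPLE_REQUESTS = [
    ("GET /enterdomain.cgi?domain=example HTTP/1.1", "session=abc123"),
    ("GET /enterdomain.cgi?domain=%0d%0aSomeCustomInjectedHeader:"
     "%0d%0aset-cookie:iamyy HTTP/1.1", ""),
    ("GET /enterdomain.cgi?domain=%250d%250aX-Test:1 HTTP/1.1", ""),
    ("GET /index.html HTTP/1.1", "theme=dark; domain=corp%0D%0ASet-Cookie:x=1"),
]

CRLF_CHARS = re.compile(r"[\r\n]")
MAX_DECODE_ROUNDS = 3  # assumption: enough to unwrap nested percent-encoding


def fully_decode(value, rounds=MAX_DECODE_ROUNDS):
    """Percent-decode until the value stops changing or the round limit is hit."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_header_break(value):
    """True if the decoded value contains CR or LF, which would split a header."""
    return bool(CRLF_CHARS.search(fully_decode(value)))


def _pairs(text, separator):
    """Yield (name, raw_value) from 'a=b<sep>c=d' text, skipping empty items."""
    for item in text.split(separator):
        item = item.strip()
        if item:
            name, _, raw = item.partition("=")
            yield name, raw


def find_crlf_fields(request_line, cookie_header=""):
    """Return (location, field name) pairs whose name or value hides CR/LF."""
    parts = request_line.split(" ")
    target = parts[1] if len(parts) >= 2 else ""
    # Query string is everything after '?', without any fragment.
    query = target.partition("?")[2].split("#", 1)[0]
    hits = []
    for location, text, sep in (("query", query, "&"),
                                ("cookie", cookie_header, ";")):
        for name, raw in _pairs(text, sep):
            if has_header_break(name) or has_header_break(raw):
                hits.append((location, fully_decode(name)))
    return hits


def scan(records):
    """Map record index -> flagged fields, for records with at least one hit."""
    flagged = {}
    for index, (request_line, cookie_header) in enumerate(records):
        hits = find_crlf_fields(request_line, cookie_header)
        if hits:
            flagged[index] = hits
    return flagged


if __name__ == "__main__":
    for index, hits in scan(SAMPLE_REQUESTS).items():
        print(index, hits)
```

The same has_header_break check can be applied on the server side before any request-derived value is written into a response header.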

Appendix C Upgrading software

Overview

This chapter describes types of software and how to upgrade software for H3C SecPath M9000-AI from the CLI and BootWare menu.

Software types

The following software types are available:

·            BootWare image—A .btw file that contains a basic segment and an extended segment. The basic segment is the minimum code that bootstraps the system. The extended segment enables hardware initialization and provides system management menus. When the device cannot start up correctly, you can use these menus to load software and the startup configuration file or manage files.

·            Comware image—Includes the following image subcategories:

¡  Boot image—A .bin file that contains the Linux operating system kernel. It provides process management, memory management, file system management, and the emergency shell.

¡  System image—A .bin file that contains the Comware kernel and basic software features, including device management, interface management, configuration management, and routing.

¡  Feature image—A .bin file that contains advanced software features for users to purchase as needed.

¡  Patch image—A .bin file irregularly released to fix software bugs without rebooting the device. A patch image does not add new features.

The BootWare image, boot image, and system image are required for the system to operate. These images might be released separately or as a whole in one .ipe package file. If an .ipe file is used, the system decompresses the file automatically to load the software images.

Comware image redundancy

You can specify two sets of startup Comware software images: one main and one backup. The system always attempts to start up with the main images. If any main image does not exist or is invalid, the system tries the backup images.

Upgrade methods

Upgrading method: Upgrading from the CLI without using ISSU

·            Software types: BootWare image, Comware images (excluding patches)

·            Remarks: This method is disruptive. You must reboot the entire device to complete the upgrade.

Upgrading method: Installing patches

·            Software types: Patch images

·            Remarks: Patches repair software defects without requiring a reboot or causing service outage. Patches do not add new features to software images.

Upgrading method: Performing an ISSU

·            Software types: Comware images

·            Remarks: The ISSU method upgrades software without causing service outage when hardware redundancy is available. For more information about ISSU, see the fundamentals configuration guide for the M9000-AI security gateways.

Upgrading method: Upgrading from the BootWare menu

·            Software types: BootWare image, Comware images

·            Remarks: Use this method when the device cannot start up correctly.

IMPORTANT: Use this method only when you do not have any other choices. This method increases the service downtime because it requires you to upgrade the member devices one by one.

 

Upgrade restrictions and guidelines

When you upgrade software, follow these restrictions and guidelines:

·            Typically, you do not need to upgrade LPUs and switching fabric modules separately from MPUs. LPUs and switching fabric modules automatically upgrade when you upgrade the active MPU in standalone mode. To upgrade the BootWare image of an LPU or switching fabric module separately from MPUs, contact H3C Support.

·            You must upgrade service modules separately from MPUs because they use independent BootWare and Comware images. The upgrade procedure is the same except that you must follow these guidelines:

¡  If CPU 1 is in absent state, you must connect to the console port on the service module or Telnet to the service module for an upgrade. To install patches for the service module's switching unit, you must use the CLI of the active MPU in standalone mode.

¡  Store upgrade images to the root directory of a storage medium on the service module.

·            You can use the boot-loader file ipe-filename all main command to upgrade all firewall modules whose CPUs (CPU 1) are in normal state. To upgrade a firewall module whose CPU 1 is in absent state, you must Telnet to the firewall module or log in to the firewall module through its console port.

 

 

NOTE:

This document uses the output on an M9000-AI-E8 device as an example to describe software upgrade procedures.

 

Upgrading from the CLI without using ISSU

Unless otherwise specified, the term "MPU" in this section refers to the active MPU when the device is operating in standalone mode and the global active MPU when the device is operating in IRF mode. The term "service module" refers to any service module when the device is operating in standalone mode and any service module on the master when the device is operating in IRF mode.

 

 

NOTE:

M9000-AI-E multiservice security gateways support IRF. You can establish an IRF fabric with these gateways to virtualize them into one device in IRF mode.

 

Preparing for the upgrade

Configuring a zone pair and assigning an IP address to M-GigabitEthernet 0/0/0

Configure a source security zone and the IP address of M-GigabitEthernet 0/0/0, and configure a zone pair for the configured source security zone and destination security zone Local. For more information about configuring security zones and zone pairs, see H3C SecPath M9000-AI Multi Service Security Gateway Fundamentals Configuration Guide.

In this example, the following factory default settings are used:

·            M-GigabitEthernet 0/0/0 uses IP address 192.168.0.1/24 and belongs to security zone Management and VPN instance management.

·            A zone pair exists with source security zone Management and destination security zone Local.

Verifying that the free storage space is sufficient for the upgrade file

1.      Telnet to the device or log in to the device from the console port. (Details not shown.)

2.      Display device information.

M9000-AI-E8:

<Sysname> display device

Slot No. Brd Type             Brd Status   Subslot Sft Ver                Patch Ver

 0       NONE                 Absent       0       NONE                   None  

 1       NONE                 Absent       0       NONE                   None  

 2       NSQM5MBSHA1          Normal       0       M9000-AI-E8-9001P2411  None  

         NS-C300-CGQ2TG16A1                1       NONE                   

         NONE                 Absent       2       NONE                  

 3       NSQM5MBSHA1          Normal       0       M9000-AI-E8-9001P2411  None  

         CPU1                 Normal       1       M9000-AI-E8-9001P2411  

         CPU2                 Normal       1       M9000-AI-E8-9001P2411  

         NONE                 Absent       2       NONE                  

 4       NSQM5SUP08A1         Master       0       M9000-AI-E8-9001P2411  None  

 5       NSQM5SUP08A1         Standby      0       M9000-AI-E8-9001P2411  None  

 6       NSQM5FAB08A1         Normal       0       NONE                   None  

 7       NSQM5FAB08A1         Normal       0       NONE                   None   

M9000-AI-E16:

<Sysname> display device

Slot No. Brd Type             Brd Status   Subslot Sft Ver                Patch Ver

 0       NONE                 Absent       0       NONE                   None

 1       NONE                 Absent       0       NONE                   None

 2       NSQM5MBSHA1          Normal       0       M9000-AI-E16-9001P2411   None

         NS-C300-QG4TG16A1                 1       NONE

         CPU3                 Normal       2       M9000-AI-E16-9001P2411

         CPU4                 Normal       2       M9000-AI-E16-9001P2411

 3       NSQM5MBSHA1          Normal       0       M9000-AI-E16-9001P2411   None

         NS-C300-QG4TG16A1                 1       NONE

         CPU3                 Normal       2       M9000-AI-E16-9001P2411

         CPU4                 Normal       2       M9000-AI-E16-9001P2411

 4       NONE                 Absent       0       NONE                   None

 5       NONE                 Absent       0       NONE                   None

 6       NONE                 Absent       0       NONE                   None

 7       NONE                 Absent       0       NONE                   None

 8       NONE                 Absent       0       NONE                   None

 9       NSQM5SUP16A1         Master       0       M9000-AI-E16-9001P2411   None

 10      NSQM5FAB16A1         Normal       0       M9000-AI-E16-9001P2411   None

 11      NSQM5FAB16A1         Normal       0       M9000-AI-E16-9001P2411   None

The output shows that the device has one MPU in slot 9 and two firewall modules in subslot 2 of slots 2 and 3.

3.      Verify that the MPUs and service modules have sufficient free storage space for the upgrade images:

If CPU 1 of the firewall module is in normal state, you can use the dir slotx.y#flash:/ command to verify that the firewall module has sufficient storage space. The x represents the slot number of the firewall module, and the y represents the CPU number of a subcard. If the subcard is located in the first subslot, the value for y is 1 or 2. If the subcard is located in the second subslot, the value for y is 3 or 4.

<H3C>dir

Directory of flash: (YAFFS2)

   0 drw-           - Dec 04 2019 13:57:32   diagfile

   1 -rw-         735 Dec 04 2019 13:58:01   hostkey

   2 drw-           - Dec 04 2019 13:58:01   lb

   3 -rw-      111720 Dec 04 2019 14:18:12   lbispinfo_v1.5.tp

   4 drw-           - Dec 04 2019 13:57:39   license

   5 drw-           - Dec 04 2019 13:58:32   logfile

   6 -rw-    15880192 Dec 04 2019 13:49:49   M9000E-CMW710-SYSTEM-R9001P2411.bin

   7 -rw-   161265664 Dec 04 2019 13:53:08   m9000e-cmw710-system-R9001P2411.bin

   8 drw-           - Dec 04 2019 13:58:00   pki

   9 drw-           - Dec 04 2019 13:57:33   seclog

  10 -rw-         591 Dec 04 2019 13:58:01   serverkey

  11 drw-           - Dec 04 2019 13:57:53   versionInfo

 

1048576 KB total (873984 KB free)

4.      If the free storage space is not sufficient, delete unused files:

# Delete unused files from the MPU.

<Sysname> delete /unreserved flash:/test.cfg

The file cannot be restored. Delete flash:/test.cfg?[Y/N]:y

Deleting the file permanently will take a long time. Please wait...

Deleting file flash:/test.cfg... Done.

 

 

NOTE:

To delete a file permanently, use the delete /unreserved file-url command. If you use the delete file-url command, the file is moved to the recycle bin and still occupies the storage space. To release the storage space, you must execute the reset recycle-bin command in the file's original directory.

 

Transferring the upgrade file to the device

IMPORTANT:

You must store the upgrade file to the root directory of the MPU's storage medium.

 

The device can function as the TFTP client, FTP client, or FTP server. This procedure uses the device as an FTP client to download files from an FTP server. For more information about FTP and TFTP configuration and operations, see H3C SecPath M9000-AI Multi Service Security Gateway Fundamentals Configuration Guide.

To download the upgrade software files from the FTP server:

1.      Run the FTP server program on the PC. Set the username, password, and working directory, and save the upgrade file to the directory. (Details not shown.)

2.      Verify that the device and the FTP server can ping each other. (Details not shown.)

3.      Download the MPU’s upgrade file to the MPU:

# Log in to the FTP server.

<Sysname> ftp 192.168.96.4

Press CTRL+C to abort.

Connected to 192.168.96.4 (192.168.96.4).

220 3Com 3CDaemon FTP Server Version 2.0

User (192.168.96.4:(none)): admin

331 User name ok, need password

Password:123456

230 User logged in

Remote system type is UNIX.

Using binary mode to transfer files.

ftp>

# Set the file transfer mode to binary.

ftp> binary

200 Type set to I

# Download the upgrade file M9000E.ipe to the root directory of a storage medium on the MPU.

ftp> get M9000E.ipe

227 Entering Passive Mode (192,168,96,4,6,173)

125 Using existing data connection

226 Closing data connection; File transfer successful.

226 Transfer finished successfully.

96260096 bytes received in 191.335 seconds (491.31 Kbytes/s)

ftp> bye

221 Service closing control connection
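The free-space check and the transfer result above can both be confirmed from the CLI text itself. The following Python sketch is an added example, not H3C code: it reads the dir summary line and the byte count printed after the transfer (the BootWare "bytes downloaded!" form is accepted too). The space estimate (IPE size plus the size of the .bin images already on flash) and the function names are assumptions made for this example.

```python
import re

# Trimmed excerpts of the sample output shown on this page.
DIR_OUTPUT = """\
Directory of flash: (YAFFS2)
   0 drw-           - Dec 04 2019 13:57:32   diagfile
   1 -rw-         735 Dec 04 2019 13:58:01   hostkey
   6 -rw-    15880192 Dec 04 2019 13:49:49   M9000E-CMW710-SYSTEM-R9001P2411.bin
   7 -rw-   161265664 Dec 04 2019 13:53:08   m9000e-cmw710-system-R9001P2411.bin

1048576 KB total (873984 KB free)
"""

FTP_TRANSCRIPT = """\
ftp> get M9000E.ipe
226 Transfer finished successfully.
96260096 bytes received in 191.335 seconds (491.31 Kbytes/s)
"""

TOTALS = re.compile(r"(\d+) KB total \((\d+) KB free\)")
FILE_ROW = re.compile(
    r"^\s*\d+\s+-\S{3}\s+(\d+)\s+\w{3} \d{2} \d{4} [\d:]{8}\s+(\S+)\s*$", re.M)
TRANSFERRED = re.compile(r"^(\d+) bytes (?:received|downloaded)", re.M)


def free_bytes(dir_output):
    """Free space in bytes, from the 'KB total (... KB free)' summary line."""
    match = TOTALS.search(dir_output)
    if not match:
        raise ValueError("no 'KB total (... KB free)' summary line found")
    return int(match.group(2)) * 1024


def listed_files(dir_output):
    """Map file name -> size in bytes; directory rows (size '-') are skipped."""
    return {name: int(size) for size, name in FILE_ROW.findall(dir_output)}


def preflight(dir_output, ipe_bytes):
    """Estimate whether the IPE and its unpacked images fit on the medium.

    Assumption: boot-loader unpacks the .bin images next to the IPE before
    the IPE can be deleted, and the new images are about as large as the
    .bin images already present. Adjust for your release.
    """
    current_images = sum(size for name, size in listed_files(dir_output).items()
                         if name.lower().endswith(".bin"))
    needed = ipe_bytes + current_images
    free = free_bytes(dir_output)
    return {"free": free, "needed": needed,
            "ok": free >= needed, "shortfall": max(0, needed - free)}


def transfer_matches(transcript, ipe_bytes):
    """True only if the byte count the device printed equals the staged size."""
    match = TRANSFERRED.search(transcript)
    return bool(match) and int(match.group(1)) == ipe_bytes


if __name__ == "__main__":
    staged_size = 96260096  # size of M9000E.ipe on the file server
    print(preflight(DIR_OUTPUT, staged_size))
    print("transfer complete:", transfer_matches(FTP_TRANSCRIPT, staged_size))
```

A byte count that differs from the staged file size means the image on flash is incomplete and should be transferred again before boot-loader is run.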

Upgrading the BootWare image

This procedure uses M9000E_v1.58.btw to upgrade the BootWare image. Make sure the BootWare image has been stored in the root directory of the storage medium of both the active and standby MPUs.

# Specify the BootWare image for the MPU in slot 4.

<Sysname> bootrom update file flash:/M9000E_v1.58.btw slot 0

This command will update the Boot ROM file on the specified board(s), Continue? [Y/N]:y

Now updating the Boot ROM, please wait........... ...........Done

# To prevent configuration loss at reboot, save the running configuration.

<Sysname> save

# Reboot the device to complete the upgrade.

<Sysname> reboot

Start to check configuration with next startup configuration file, please wait.........DONE!

Current configuration may be lost after the reboot, save current configuration? [Y/N]:y

Please input the file name(*.cfg)[flash:/startup.cfg]

(To leave the existing filename unchanged, press the enter key):

flash:/startup.cfg exists, overwrite? [Y/N]:y

Validating file. Please wait...

Saved the current configuration to mainboard device successfully.

This command will reboot the device. Continue? [Y/N]:y

Now rebooting, please wait...

Upgrading the Comware images

This procedure uses M9000E.ipe and M9000E_fw4.ipe to upgrade the Comware images.

# Specify the M9000E.ipe file as the main startup file for the MPUs.

<Sysname> boot-loader file flash:/M9000E.ipe all main

Verifying the file flash:/M9000E.ipe on slot 9.............Done.

H3C SecPath M9000-AI-E16 images in IPE:

  M9000E-CMW710-SYSTEM-R9001P2411.bin

  M9000E-CMW710-SYSTEM-R9001P2411.bin

This command will set the main startup software images. Please do not reboot any MPU during the upgrade. Continue? [Y/N]:y

Add images to slot 9.

Decompressing file M9000E-CMW710-SYSTEM-R9001P2411.bin to flash:/M9000E-CMW710-SYSTEM-R9001P2411.bin....................Done.

Decompressing file M9000E-CMW710-SYSTEM-R9001P2411.bin to flash:/M9000E-CMW710-SYSTEM-R9001P2411.bin................................................................................................Done.

Verifying the file flash:/M9000E-CMW710-SYSTEM-R9001P2411.bin on slot 9...Done.

Verifying the file flash:/M9000E-CMW710-SYSTEM-R9001P2411.bin on slot 9............Done.

The images that have passed all examinations will be used as the main startup software images at the next reboot on slot 9.

Decompression completed.

Do you want to delete flash:/M9000E.ipe now? [Y/N]:

# Specify the M9000E_fw4.ipe file as the main startup file for all firewall modules.

<Sysname> boot-loader file flash:/M9000e_fw.ipe all main

Verifying the file flash:/M9000e_fw.ipe on slot 9............Done.

Blade5fw images in IPE:

  BLADE4FWM9000-E-CMW710-BOOT-R9001P2411.bin

  BLADE4FWM9000-E-CMW710-SYSTEM-R9001P2411.bin

This command will set the main startup software images. Please do not reboot any MPU during the upgrade. Continue? [Y/N]:y

Add images to slot 9.

Decompressing file BLADE4FWM9000-E-CMW710-BOOT-R9001P2411.bin to flash:/BLADE4FWM9000-E-CMW710-BOOT-R9001P2411.bin.........Done.

Decompressing file BLADE4FWM9000-E-CMW710-SYSTEM-R9001P2411.bin to flash:/BLADE4FWM9000-E-CMW710-SYSTEM-R9001P2411.bin........................................................................................................................................................................................Done.

Loading................................Done.

Loading.....................................................................................................................................................Done.

Verifying the file flash:/BLADE4FWM9000-E-CMW710-BOOT-R9001P2411.bin on slot 2.3...Done.

Verifying the file flash:/BLADE4FWM9000-E-CMW710-SYSTEM-R9001P2411.bin on slot 2.3...............Done.

The images that have passed all examinations will be used as the main startup software images at the next reboot on slot 2.3.

Verifying the file flash:/BLADE4FWM9000-E-CMW710-BOOT-R9001P2411.bin on slot 2.4...Done.

Verifying the file flash:/BLADE4FWM9000-E-CMW710-SYSTEM-R9001P2411.bin on slot 2.4.............Done.

The images that have passed all examinations will be used as the main startup software images at the next reboot on slot 2.4.

Verifying the file flash:/BLADE4FWM9000-E-CMW710-BOOT-R9001P2411.bin on slot 3.3...Done.

Verifying the file flash:/BLADE4FWM9000-E-CMW710-SYSTEM-R9001P2411.bin on slot 3.3...............Done.

The images that have passed all examinations will be used as the main startup software images at the next reboot on slot 3.3.

Verifying the file flash:/BLADE4FWM9000-E-CMW710-BOOT-R9001P2411.bin on slot 3.4...Done.

Verifying the file flash:/BLADE4FWM9000-E-CMW710-SYSTEM-R9001P2411.bin on slot 3.4...............Done.

The images that have passed all examinations will be used as the main startup software images at the next reboot on slot 3.4.

Specify the startup software image files for Blade5fw to load from the parent device? [Y/N]:y

The images that have passed all examinations will be used as the load software image files for Blade5fw.

Decompression completed.

Do you want to delete flash:/M9000e_fw.ipe now? [Y/N]:

For more information about the boot-loader command, see H3C SecPath M9000-AI Multi Service Security Gateway Fundamentals Command Reference.

# To prevent configuration loss at reboot, save the running configuration.

<Sysname> save

# Reboot the device.

<Sysname> reboot

Installing patches

This procedure uses the patch image file M9000E-CMW710-SYSTEM-R9141P19H01.bin.

# Verify the patch status of the device.

<Sysname> display install active

# If the device has patches on any slots, uninstall the patches. (Details not shown.)

 

 

NOTE:

·       To uninstall patches from the active MPU, LPUs, or service modules' switching units, specify the slot number of the active MPU.

·       To uninstall patches from the standby MPU, specify the slot number of the standby MPU.

 

# Install the patch image on the MPU.

<Sysname> install activate patch flash:/M9000E-CMW710-SYSTEM-R9001P2411H01.bin slot 9

 

 

NOTE:

A patch image is automatically installed on LPUs and service modules' switching units when you install it on the active MPU.

 

# For the patches to run after a reboot, commit the installed patches.

<Sysname> install commit

# Verify that the patch image has been installed on all cards except for service modules' security engines.

<Sysname> display install active

Active packages on slot 2:

  flash:/M9000E-CMW710-SYSTEM-R9001P2411.bin

  flash:/M9000E-CMW710-SYSTEM-R9001P2411.bin

  flash:/M9000E-CMW710-SYSTEM-R9001P2411H01.bin     //Patches have been installed on the base card

Active packages on slot 2.3:

  flash:/BLADE4FWM9000-E-CMW710-BOOT-R9001P2411.bin

  flash:/BLADE4FWM9000-E-CMW710-SYSTEM-R9001P2411.bin

Active packages on slot 2.4:

  sda0:/BLADE4FWM9000-E-CMW710-BOOT-R9001P2411.bin

  sda0:/BLADE4FWM9000-E-CMW710-SYSTEM-R9001P2411.bin

Active packages on slot 3:

  flash:/M9000E-CMW710-SYSTEM-R9001P2411.bin

  flash:/M9000E-CMW710-SYSTEM-R9001P2411.bin

  flash:/M9000E-CMW710-SYSTEM-R9001P2411H01.bin     //Patches have been installed on the base card

Active packages on slot 3.3:

  flash:/BLADE4FWM9000-E-CMW710-BOOT-R9001P2411.bin

  flash:/BLADE4FWM9000-E-CMW710-SYSTEM-R9001P2411.bin

Active packages on slot 3.4:

  flash:/BLADE4FWM9000-E-CMW710-BOOT-R9001P2411.bin

  flash:/BLADE4FWM9000-E-CMW710-SYSTEM-R9001P2411.bin

Active packages on slot 9:

  flash:/M9000E-CMW710-SYSTEM-R9001P2411.bin

  flash:/M9000E-CMW710-SYSTEM-R9001P2411.bin

  flash:/M9000E-CMW710-SYSTEM-R9001P2411H01.bin     //Patches have been installed on the MPU

Active packages on slot 10:

  flash:/M9000E-CMW710-SYSTEM-R9001P2411.bin

  flash:/M9000E-CMW710-SYSTEM-R9001P2411.bin

  flash:/M9000E-CMW710-SYSTEM-R9001P2411H01.bin     //Patches have been installed on the switching fabric module

Active packages on slot 11:

  flash:/M9000E-CMW710-SYSTEM-R9001P2411.bin

  flash:/M9000E-CMW710-SYSTEM-R9001P2411.bin

  flash:/M9000E-CMW710-SYSTEM-R9001P2411H01.bin     //Patches have been installed on the switching fabric module
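The verification step above can be automated over captured display install active output. The following Python sketch is an added example, not H3C code: it lists the slots that lack the patch image and collects the release tags seen across slots. It assumes, as in the output on this page, that security engines appear as dotted slot IDs such as 2.3 and are not expected to carry the patch; the function names and the sample text are constructed for this example.

```python
import re

SLOT_HEADER = re.compile(r"^Active packages on slot (\d+(?:\.\d+)?):$")
RELEASE_TAG = re.compile(r"-(R\d+P\d+)(?:H\d+)?\.bin$")

# Constructed sample in the format shown above; slot 10 deliberately lacks the patch.
SAMPLE = """\
Active packages on slot 2:
  flash:/M9000E-CMW710-SYSTEM-R9001P2411.bin
  flash:/M9000E-CMW710-SYSTEM-R9001P2411H01.bin     //Patches have been installed on the base card
Active packages on slot 2.3:
  flash:/BLADE4FWM9000-E-CMW710-BOOT-R9001P2411.bin
  flash:/BLADE4FWM9000-E-CMW710-SYSTEM-R9001P2411.bin
Active packages on slot 9:
  flash:/M9000E-CMW710-SYSTEM-R9001P2411.bin
  flash:/M9000E-CMW710-SYSTEM-R9001P2411H01.bin
Active packages on slot 10:
  flash:/M9000E-CMW710-SYSTEM-R9001P2411.bin
"""


def parse_install_active(output):
    """Return {slot_id: [package paths]} in the order the slots are listed."""
    slots = {}
    current = None
    for raw in output.splitlines():
        # Drop the documentation-style "//..." annotations and blank lines.
        line = raw.split("//", 1)[0].strip()
        if not line:
            continue
        header = SLOT_HEADER.match(line)
        if header:
            current = header.group(1)
            slots[current] = []
        elif current is not None:
            slots[current].append(line)
    return slots


def audit_patch(output, patch_file):
    """Classify every slot by whether patch_file is among its active packages.

    Dotted slot IDs (security engines, by assumption) are reported separately
    because the patch is not expected there. 'releases' collects the R...P...
    tags seen on any slot; more than one tag means the cards run mixed images.
    """
    report = {"patched": [], "missing": [], "engines_skipped": [],
              "releases": set()}
    for slot, packages in parse_install_active(output).items():
        names = [path.rsplit("/", 1)[-1] for path in packages]
        for name in names:
            tag = RELEASE_TAG.search(name)
            if tag:
                report["releases"].add(tag.group(1))
        if "." in slot:
            report["engines_skipped"].append(slot)
        elif patch_file in names:
            report["patched"].append(slot)
        else:
            report["missing"].append(slot)
    return report


if __name__ == "__main__":
    result = audit_patch(SAMPLE, "M9000E-CMW710-SYSTEM-R9001P2411H01.bin")
    for key, value in result.items():
        print(f"{key}: {sorted(value)}")
```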

Upgrading Comware images from BootWare menus

To upgrade Comware images from BootWare menus, use one of the following methods:

·            Using TFTP to upgrade software images through the management Ethernet port

·            Using FTP to upgrade software images through the management Ethernet port

·            Using Xmodem to upgrade software images from the console port

For more information about BootWare menus, see "Appendix D Using BootWare menus."

 

 

NOTE:

The device does not come with FTP or TFTP server software. Prepare the software yourself.

 

Preparing for the upgrade

1.      Connect the configuration terminal to the MPU's console port.

2.      Connect the MPU's management Ethernet port to the TFTP or FTP file server.

The TFTP or FTP server can be co-located with the configuration terminal (typically, a PC). For more information about network setup, see the M9000-AI gateway installation guide.

3.      Prepare the upgrade file:

○  If you are using TFTP, store the upgrade file on the TFTP server, and specify the directory.

○  If you are using FTP, store the upgrade file on the FTP server, and specify the directory, FTP username, and password.

4.      Run the terminal emulation program on the configuration terminal.

5.      Power on the device, and then press Ctrl+B within 5 seconds at the prompt to access the EXTEND-BOOTWARE menu (see "Using the EXTENDED-BOOTWARE menu").

Using TFTP to upgrade software images through the management Ethernet port

1.      Enter 3 in the EXTEND-BOOTWARE menu to access the Ethernet submenu.

==========================<Enter Ethernet SubMenu>==========================

|Note:the operating device is flash                                        |

|<1> Download Image Program To SDRAM And Run                               |

|<2> Update Main Image File                                                |

|<3> Update Backup Image File                                              |

|<4> Modify Ethernet Parameter                                             |

|<0> Exit To Main Menu                                                     |

|<Ensure The Parameter Be Modified Before Downloading!>                    |

============================================================================

Enter your choice(0-4):

2.      Enter 4 in the Ethernet submenu to configure the network settings.

 

 

NOTE:

To use the existing setting for a field, press Enter without modifying the setting.

 

======================<ETHERNET PARAMETER SET>==============================

|Note:       '.' = Clear field.                                            |

|            '-' = Go to previous field.                                   |

|          Ctrl+D = Quit.                                                  |

============================================================================

Protocol (FTP or TFTP):tftp

Load File Name        :M9000E.ipe

Target File Name      :M9000E.ipe

Server IP Address     :192.168.96.4

Local IP Address      :192.168.212.33

Subnet Mask           :255.255.255.0

Gateway IP Address    :192.168.212.254

Table 6 Network parameter fields and shortcut keys

| Field | Description |
|---|---|
| '.' = Clear field | Press a dot (.) and then press Enter to clear the setting for a field. |
| '-' = Go to previous field | Press a hyphen (-) and then press Enter to return to the previous field. |
| Ctrl+D = Quit | Press Ctrl+D to exit the ETHERNET PARAMETER SET menu. |
| Protocol (FTP or TFTP) | Set the file transfer protocol to TFTP. |
| Load File Name | Set the name of the file to be downloaded. |
| Target File Name | Set a file name for saving the file on the device. The target file name must have the same extension as the source file. By default, the target file name is the same as the source file name. |
| Server IP Address | Set the IP address of the TFTP server. |
| Local IP Address | Set the IP address of the Ethernet interface that connects to the TFTP server. |
| Subnet Mask | Set the IP address mask. |
| Gateway IP Address | Set a gateway IP address if the device is on a different network than the server. |

 

After you finish setting the TFTP parameters, the system returns to the Ethernet submenu.

==========================<Enter Ethernet SubMenu>==========================

|Note:the operating device is flash                                        |

|<1> Download Image Program To SDRAM And Run                               |

|<2> Update Main Image File                                                |

|<3> Update Backup Image File                                              |

|<4> Modify Ethernet Parameter                                             |

|<0> Exit To Main Menu                                                     |

|<Ensure The Parameter Be Modified Before Downloading!>                    |

============================================================================

Enter your choice(0-4):

3.      Enter 2 or 3 in the Ethernet submenu to upgrade the main or backup software images. For example, enter 2 to upgrade the main software images. You cannot select 1. If you select 1, interface modules and switching fabric modules will fail to start up.

Loading.....................................................................

............................................................................

.........................Done!

96260096 bytes downloaded!

Image file M9000E-CMW710-SYSTEM-R9001P2411.bin is self-decompressing...

Saving file flash:/M9000E-CMW710-SYSTEM-R9001P2411.bin ........................Done.

Image file M9000E-CMW710-SYSTEM-R9001P2411.bin is self-decompressing...

Saving file flash:/M9000E-CMW710-SYSTEM-R9001P2411.bin ...........................

.................................................................. ....Done.

 

==========================<Enter Ethernet SubMenu>==========================

|Note:the operating device is flash                                        |

|<1> Download Image Program To SDRAM And Run                               |

|<2> Update Main Image File                                                |

|<3> Update Backup Image File                                              |

|<4> Modify Ethernet Parameter                                             |

|<0> Exit To Main Menu                                                     |

|<Ensure The Parameter Be Modified Before Downloading!>                    |

============================================================================

Enter your choice(0-4):


4.      Enter 0 in the Ethernet submenu to return to the EXTEND-BOOTWARE menu.

5.      Enter 1 in the EXTEND-BOOTWARE menu to run the new Comware images.

Using FTP to upgrade software images through the management Ethernet port

1.      Enter 3 in the EXTEND-BOOTWARE menu to access the Ethernet submenu.

==========================<Enter Ethernet SubMenu>==========================

|Note:the operating device is flash                                        |

|<1> Download Image Program To SDRAM And Run                               |

|<2> Update Main Image File                                                |

|<3> Update Backup Image File                                              |

|<4> Modify Ethernet Parameter                                             |

|<0> Exit To Main Menu                                                     |

|<Ensure The Parameter Be Modified Before Downloading!>                    |

============================================================================

Enter your choice(0-4):

2.      Enter 4 in the Ethernet submenu to configure the network settings.

 

 

NOTE:

To use the existing setting for a field, press Enter without modifying the setting.

 

======================<ETHERNET PARAMETER SET>==============================

|Note:       '.' = Clear field.                                            |

|            '-' = Go to previous field.                                   |

|          Ctrl+D = Quit.                                                  |

============================================================================

Protocol (FTP or TFTP):ftp

Load File Name        :M9000E.ipe

Target File Name      :M9000E.ipe

Server IP Address     :192.168.96.4

Local IP Address      :192.168.212.33

Subnet Mask           :255.255.255.0

Gateway IP Address    :192.168.212.254

FTP User Name         :admin

FTP User Password     :123456

Table 7 Network parameter fields and shortcut keys

| Field | Description |
|---|---|
| '.' = Clear field | Press a dot (.) and then press Enter to clear the setting for a field. |
| '-' = Go to previous field | Press a hyphen (-) and then press Enter to return to the previous field. |
| Ctrl+D = Quit | Press Ctrl+D to exit the ETHERNET PARAMETER SET menu. |
| Protocol (FTP or TFTP) | Set the file transfer protocol to FTP. |
| Load File Name | Set the name of the file to be downloaded. |
| Target File Name | Set a file name for saving the file on the device. The target file name must have the same extension as the source file. By default, the target file name is the same as the source file name. |
| Server IP Address | Set the IP address of the FTP or TFTP server. |
| Local IP Address | Set the IP address of the Ethernet interface that connects to the TFTP or FTP server. |
| Subnet Mask | Set the IP address mask. |
| Gateway IP Address | Set a gateway IP address if the device is on a different network than the server. |
| FTP User Name | Set the username for accessing the FTP server. This username must be the same as the username configured on the FTP server. |
| FTP User Password | Set the password for accessing the FTP server. This password must be the same as the password configured on the FTP server. |

 

After you finish setting the FTP parameters, the system returns to the Ethernet submenu.

==========================<Enter Ethernet SubMenu>==========================

|Note:the operating device is flash                                        |

|<1> Download Image Program To SDRAM And Run                               |

|<2> Update Main Image File                                                |

|<3> Update Backup Image File                                              |

|<4> Modify Ethernet Parameter                                             |

|<0> Exit To Main Menu                                                     |

|<Ensure The Parameter Be Modified Before Downloading!>                    |

============================================================================

Enter your choice(0-4):

3.      Enter 2 or 3 in the Ethernet submenu to upgrade the main or backup software images. For example, enter 2 to upgrade the main software images.

Loading.....................................................................

............................................................................

.........................Done!

96260096 bytes downloaded!

Image file M9000E-CMW710-SYSTEM-R9001P2411.bin is self-decompressing...

Saving file flash:/M9000E-CMW710-SYSTEM-R9001P2411.bin ........................Done.

Image file M9000E-CMW710-SYSTEM-R9001P2411.bin is self-decompressing...

Saving file flash:/M9000E-CMW710-SYSTEM-R9001P2411.bin ...........................

........................ ........................ ................. ....Done.

==========================<Enter Ethernet SubMenu>==========================

|Note:the operating device is flash                                        |

|<1> Download Image Program To SDRAM And Run                               |

|<2> Update Main Image File                                                |

|<3> Update Backup Image File                                              |

|<4> Modify Ethernet Parameter                                             |

|<0> Exit To Main Menu                                                     |

|<Ensure The Parameter Be Modified Before Downloading!>                    |

============================================================================

Enter your choice(0-4):

4.      Enter 0 in the Ethernet submenu to return to the EXTEND-BOOTWARE menu.

5.      Enter 1 in the EXTEND-BOOTWARE menu to run the new Comware images.

Using Xmodem to upgrade software images from the console port

1.      Connect a PC to the console port on the device and download the software images (typically an .ipe file) to the PC.

2.      Run a terminal emulation program on the PC, start the device, and then enter the EXTEND-BOOTWARE menu. For information about how to enter the EXTEND-BOOTWARE menu, see "Accessing the EXTENDED-BOOTWARE menu."

3.      Enter 2 in the EXTEND-BOOTWARE menu to access the serial submenu.

===========================<Enter Serial SubMenu>===========================

|Note:the operating device is flash                                        |

|<1> Download Image Program To SDRAM And Run                               |

|<2> Update Main Image File                                                |

|<3> Update Backup Image File                                              |

|<4> Modify Serial Interface Parameter                                     |

|<0> Exit To Main Menu                                                     |

============================================================================

Enter your choice(0-4):

4.      Enter 4 in the serial submenu to change the serial interface parameters.

===============================<BAUDRATE SET>===============================

|Note:'*'indicates the current baudrate                                    |

|     Change The HyperTerminal's Baudrate Accordingly                      |

|---------------------------<Baudrate Available>---------------------------|

|<1> 9600(Default)*                                                        |

|<2> 19200                                                                 |

|<3> 38400                                                                 |

|<4> 57600                                                                 |

|<5> 115200                                                                |

|<0> Exit                                                                  |

============================================================================

Enter your choice(0-5):2

5.      Select the download baud rate as needed. For example, enter 2 to select the 19200 bps download baud rate.

Baudrate has been changed to 19200 bps.

Please change the terminal's baudrate to 19200 bps, press ENTER when ready.

 

 

NOTE:

If you select the 9600 bps download baud rate, you do not need to change the baud rate of the terminal program and can proceed to step 11 directly.

 

6.      Select Call > Disconnect in the terminal program window to disconnect the terminal from the switch.

Disconnecting the terminal from the switch

 

7.      Select File > Properties, and in the Properties dialog box, click Configure.

Properties dialog box

 

8.      Select 19200 from the Bits per second list, use the default values for other parameters, and then click OK.

9.      Select Call > Call to reestablish the connection.

Reestablishing the connection

 

10.    Press Enter. The following information is displayed:

The current baudrate is 19200 bps

===============================<BAUDRATE SET>===============================

|Note:'*'indicates the current baudrate                                    |

|     Change The HyperTerminal's Baudrate Accordingly                      |

|---------------------------<Baudrate Available>---------------------------|

|<1> 9600(Default)                                                         |

|<2> 19200*                                                                |

|<3> 38400                                                                 |

|<4> 57600                                                                 |

|<5> 115200                                                                |

|<0> Exit                                                                  |

============================================================================

Enter your choice(0-5):

 

 

NOTE:

If you download software images by changing the serial interface baud rate, restore the baud rate of the terminal to 9600 bps promptly after the upgrade. This helps avoid terminal display issues when the device is powered on or restarted.

 

11.    Enter 0 to return to the serial submenu.

===========================<Enter Serial SubMenu>===========================

|Note:the operating device is flash                                        |

|<1> Download Image Program To SDRAM And Run                               |

|<2> Update Main Image File                                                |

|<3> Update Backup Image File                                              |

|<4> Modify Serial Interface Parameter                                     |

|<0> Exit To Main Menu                                                     |

============================================================================

Enter your choice(0-4):

12.    Enter 2 or 3 to upgrade the main or backup image file. For example, enter 2 to upgrade the main image file.

Please Start To Transfer File, Press <Ctrl+C> To Exit.

Waiting ...CCCCC

13.    Select Transfer > Send File in the terminal window. In the dialog box that opens, click Browse to select the file to download, select Xmodem from the Protocol list, and then click Send.

After the file is downloaded, the following information is generated on the terminal:

Download successfully!

31911808 bytes downloaded!

Image file M9000-CMW710-BOOT-D9109.bin is self-decompressing....

Input the file name: M9000-CMW710-BOOT-D9109.bin

Save file ...........................................Done

Image file M9000-CMW710-System-D9109.bin is self-decompressing....

Input the file name: M9000-CMW710-System-D9109.bin

Save file ...........................................Done

 

===========================<Enter Serial SubMenu>===========================

|Note:the operating device is flash                                        |

|<1> Download Image Program To SDRAM And Run                               |

|<2> Update Main Image File                                                |

|<3> Update Backup Image File                                              |

|<4> Modify Serial Interface Parameter                                     |

|<0> Exit To Main Menu                                                     |

============================================================================

Enter your choice(0-4):

14.    Enter 0 to return to the BootWare menu and then enter 1 to reboot the system.

 

IMPORTANT:

·       After the system restarts, adjust the baud rate of the terminal to 9600 bps. For the adjustment method, see steps 6 to 10. If you selected 9600 bps as the download baud rate, you do not need to change the baud rate of the terminal.

·       The software image files are large. Upgrading the files from the console port is relatively slow. As a best practice, use the management Ethernet port to upgrade the software image files.

 

Upgrading BootWare from BootWare menus

To upgrade the BootWare image from BootWare menus, use one of the following methods:

·            Using TFTP to upgrade BootWare through the management Ethernet port

·            Using FTP to upgrade BootWare through the management Ethernet port

·            Using Xmodem to upgrade BootWare from the console port

For more information about BootWare menus, see "Appendix D Using BootWare menus."

 

 

NOTE:

The device does not come with FTP or TFTP software. Prepare the software yourself.

 

Preparing for the upgrade

1.      Connect the MPU's console port to the configuration terminal.

2.      Connect the MPU's management Ethernet port to the TFTP or FTP file server.

The TFTP or FTP server can be co-located with the configuration terminal (typically, a PC). For more information about network setup, see the M9000-AI gateway installation guide.

3.      Prepare the upgrade file:

¡  If you are using TFTP, store the upgrade file on the TFTP server, and specify the file directory.

¡  If you are using FTP, store the upgrade file on the FTP server, and specify the file directory, FTP username, and password.

4.      Run the terminal emulation program on the configuration terminal.

5.      Power on the device, and then press Ctrl+B within 5 seconds at the prompt to access the EXTEND-BOOTWARE menu (see "Using the EXTENDED-BOOTWARE menu").

Using TFTP to upgrade BootWare through the management Ethernet port

1.      Enter 7 in the BootWare menu to access the BootWare Operation submenu.

=========================<BootWare Operation Menu>==========================

|Note:the operating device is flash                                        |

|<1> Backup Full BootWare                                                  |

|<2> Restore Full BootWare                                                 |

|<3> Update BootWare By Serial                                             |

|<4> Update BootWare By Ethernet                                           |

|<0> Exit To Main Menu                                                     |

============================================================================

Enter your choice(0-4):

2.      Enter 4 in the BootWare Operation submenu to enter the Ethernet submenu.

===================<BOOTWARE OPERATION ETHERNET SUB-MENU>===================

|<1> Update Full BootWare                                                  |

|<2> Update Extended BootWare                                              |

|<3> Update Basic BootWare                                                 |

|<4> Modify Ethernet Parameter                                             |

|<0> Exit To Main Menu                                                     |

============================================================================

Enter your choice(0-4):

3.      Enter 4 in the Ethernet submenu to configure the network settings.

 

 

NOTE:

To use the existing setting for a field, press Enter without modifying the setting.

 

==========================<ETHERNET PARAMETER SET>==========================

|Note:       '.' = Clear field.                                            |

|            '-' = Go to previous field.                                   |

|          Ctrl+D = Quit.                                                  |

============================================================================

Protocol (FTP or TFTP):tftp

Load File Name         : M9000e_2119.btw

                       :

Target File Name       : M9000e_2119.btw

                       :

Server IP Address      :192.168.96.4

Local IP Address       :192.168.212.33

Subnet Mask            :255.255.255.0

Gateway IP Address     :192.168.212.254

For more information about the fields, see Table 6.

After you finish setting the TFTP parameters, the system returns to the BOOTWARE OPERATION ETHERNET submenu.

===================<BOOTWARE OPERATION ETHERNET SUB-MENU>===================

|<1> Update Full BootWare                                                  |

|<2> Update Extended BootWare                                              |

|<3> Update Basic BootWare                                                 |

|<4> Modify Ethernet Parameter                                             |

|<0> Exit To Main Menu                                                     |

============================================================================

Enter your choice(0-4):

4.      Choose an option from options 1 to 3. For example, enter 1 to upgrade the entire BootWare image.

Loading..............Done.

575308 bytes downloaded!

Updating Basic BootWare? [Y/N]

5.      Enter Y to upgrade the basic BootWare segment.

Updating Basic BootWare........Done.

Updating Extended BootWare? [Y/N]

6.      Enter Y to upgrade the extended BootWare segment.

Updating Extended BootWare.........Done!

 

===================<BOOTWARE OPERATION ETHERNET SUB-MENU>===================

|<1> Update Full BootWare                                                  |

|<2> Update Extended BootWare                                              |

|<3> Update Basic BootWare                                                 |

|<4> Modify Ethernet Parameter                                             |

|<0> Exit To Main Menu                                                     |

============================================================================

Enter your choice(0-4):

7.      Enter 0 to return to the BootWare Operation menu.

8.      Enter 0 in the BootWare Operation menu to return to the EXTEND-BOOTWARE menu.

9.      Enter 0 in the EXTEND-BOOTWARE menu to reboot the system.

Using FTP to upgrade BootWare through the management Ethernet port

1.      Enter 7 in the BootWare menu to access the BootWare Operation submenu.

=========================<BootWare Operation Menu>==========================

|Note:the operating device is flash                                        |

|<1> Backup Full BootWare                                                  |

|<2> Restore Full BootWare                                                 |

|<3> Update BootWare By Serial                                             |

|<4> Update BootWare By Ethernet                                           |

|<0> Exit To Main Menu                                                     |

============================================================================

Enter your choice(0-4):

2.      Enter 4 in the BootWare Operation submenu to enter the Ethernet submenu.

===================<BOOTWARE OPERATION ETHERNET SUB-MENU>===================

|<1> Update Full BootWare                                                  |

|<2> Update Extended BootWare                                              |

|<3> Update Basic BootWare                                                 |

|<4> Modify Ethernet Parameter                                             |

|<0> Exit To Main Menu                                                     |

============================================================================

Enter your choice(0-4):

3.      Enter 4 in the Ethernet submenu to configure the network settings.

 

 

NOTE:

To use the existing setting for a field, press Enter without modifying the setting.

 

==========================<ETHERNET PARAMETER SET>==========================

|Note:       '.' = Clear field.                                            |

|            '-' = Go to previous field.                                   |

|          Ctrl+D = Quit.                                                  |

============================================================================

Protocol (FTP or TFTP) :ftp

Load File Name         :M9000e_2119.btw

                       :

Target File Name       :M9000e_2119.btw

                       :

Server IP Address      :192.168.96.4

Local IP Address       :192.168.212.33

Subnet Mask            :255.255.255.0

Gateway IP Address     :192.168.212.254

FTP User Name          :admin

FTP User Password      :******

For more information about the fields, see Table 6.

After you finish setting the FTP parameters, the system returns to the BOOTWARE OPERATION ETHERNET submenu.

===================<BOOTWARE OPERATION ETHERNET SUB-MENU>===================

|<1> Update Full BootWare                                                  |

|<2> Update Extended BootWare                                              |

|<3> Update Basic BootWare                                                 |

|<4> Modify Ethernet Parameter                                             |

|<0> Exit To Main Menu                                                     |

============================================================================

Enter your choice(0-4):

4.      Choose an option from options 1 to 3. For example, enter 1 to upgrade the entire BootWare image.

Loading.......Done.

575308 bytes downloaded!

Updating Basic BootWare? [Y/N]

5.      Enter Y to upgrade the basic BootWare segment.

Updating Basic BootWare........Done.

Updating Extended BootWare? [Y/N]

6.      Enter Y to upgrade the extended BootWare segment.

Updating Extended BootWare.........Done.

 

===================<BOOTWARE OPERATION ETHERNET SUB-MENU>===================

|<1> Update Full BootWare                                                  |

|<2> Update Extended BootWare                                              |

|<3> Update Basic BootWare                                                 |

|<4> Modify Ethernet Parameter                                             |

|<0> Exit To Main Menu                                                     |

============================================================================

Enter your choice(0-4):

7.      Enter 0 to return to the BootWare Operation menu.

8.      Enter 0 in the BootWare Operation menu to return to the EXTEND-BOOTWARE menu.

9.      Enter 0 in the EXTEND-BOOTWARE menu to reboot the system.

Using Xmodem to upgrade BootWare from the console port

1.      Connect a PC to the console port on the device and download the software image (typically a .btw file) to the PC.

2.      Run a terminal emulation program on the PC, start the device, and then enter the EXTEND-BOOTWARE menu. For information about how to enter the EXTEND-BOOTWARE menu, see "Accessing the EXTENDED-BOOTWARE menu."

3.      Enter 7 in the EXTEND-BOOTWARE menu to access the BootWare Operation submenu.

=========================<BootWare Operation Menu>==========================

|Note:the operating device is flash                                        |

|<1> Backup Full BootWare                                                  |

|<2> Restore Full BootWare                                                 |

|<3> Update BootWare By Serial                                             |

|<4> Update BootWare By Ethernet                                           |

|<0> Exit To Main Menu                                                     |

============================================================================

Enter your choice(0-4):

4.      Enter 3 in the BootWare Operation submenu to enter the update BootWare by serial submenu.

===================<BOOTWARE OPERATION ETHERNET SUB-MENU>===================

|<1> Update Full BootWare                                                  |

|<2> Update Extended BootWare                                              |

|<3> Update Basic BootWare                                                 |

|<4> Modify Ethernet Parameter                                             |

|<0> Exit To Main Menu                                                     |

============================================================================

Enter your choice(0-4):

5.      Enter 4 to modify the serial interface baud rate.

===============================<BAUDRATE SET>===============================

|Note:'*'indicates the current baudrate                                    |

|     Change The HyperTerminal's Baudrate Accordingly                      |

|---------------------------<Baudrate Available>---------------------------|

|<1> 9600(Default)*                                                        |

|<2> 19200                                                                 |

|<3> 38400                                                                 |

|<4> 57600                                                                 |

|<5> 115200                                                                |

|<0> Exit                                                                  |

============================================================================

Enter your choice(0-5):2

6.      Select the download baud rate as needed, for example, enter 2 to select the 19200 bps download baud rate.

Baudrate has been changed to 19200 bps.

Please change the terminal's baudrate to 19200 bps, press ENTER when ready.

 

 

NOTE:

If you select the 9600 bps download baud rate, you do not need to change the baud rate of the terminal program and can proceed to step 11 directly.

 

7.      Select Call > Disconnect in the terminal program window to disconnect the terminal from the switch.

Disconnecting the terminal from the switch

 

8.      Select File > Properties, and in the Properties dialog box, click Configure.

Properties dialog box

 

9.      Select 19200 from the Bits per second list, use the default values for other parameters, and then click OK.

10.    Select Call > Call to reestablish the connection.

Reestablishing the connection

 

11.    Press Enter. The following information is displayed:

The current baudrate is 19200 bps

===============================<BAUDRATE SET>===============================

|Note:'*'indicates the current baudrate                                    |

|     Change The HyperTerminal's Baudrate Accordingly                      |

|---------------------------<Baudrate Available>---------------------------|

|<1> 9600(Default)                                                         |

|<2> 19200*                                                                |

|<3> 38400                                                                 |

|<4> 57600                                                                 |

|<5> 115200                                                                |

|<0> Exit                                                                  |

============================================================================

Enter your choice(0-5):

 

 

NOTE:

If you download software images by changing the serial interface baud rate, be sure to restore the baud rate of the terminal to 9600 bps promptly after the upgrade. This helps avoid terminal display issues when the device is powered on or restarted.

 

12.    Enter 0 to return to the BootWare operation serial submenu.

====================<BOOTWARE OPERATION SERIAL SUB-MENU>====================

|<1> Update Full BootWare                                                  |

|<2> Update Extended BootWare                                              |

|<3> Update Basic BootWare                                                 |

|<4> Modify Serial Interface Parameter                                     |

|<0> Exit To Main Menu                                                     |

============================================================================

Enter your choice(0-4):

13.    Enter 1, 2, or 3 to upgrade the full, extended, or basic BootWare. For example, enter 1 to upgrade the full BootWare.

Please Start To Transfer File, Press <Ctrl+C> To Exit.

Waiting ...CCCCC

14.    Select Transfer > Send File in the terminal window. In the dialog box that opens, click Browse to select the file to download, select Xmodem from the Protocol list, and then click Send.

After the file is downloaded, the following information is generated on the terminal:

Download successfully!

575360 bytes downloaded!

Updating Basic BootWare? [Y/N]

15.    Enter Y to upgrade the basic BootWare segment.

Updating Basic BootWare........Done.

Updating Extended BootWare? [Y/N]

16.    Enter Y to upgrade the extended BootWare segment.

Updating Extended BootWare.........Done.

 

===================<BOOTWARE OPERATION ETHERNET SUB-MENU>===================

|<1> Update Full BootWare                                                  |

|<2> Update Extended BootWare                                              |

|<3> Update Basic BootWare                                                 |

|<4> Modify Ethernet Parameter                                             |

|<0> Exit To Main Menu                                                     |

============================================================================

Enter your choice(0-4):

17.    Enter 0 to return to the BootWare operation submenu.

18.    Enter 0 in the BootWare operation submenu to return to the EXTEND-BOOTWARE menu.

19.    Enter 0 in the EXTEND-BOOTWARE menu to reboot the system.

 

IMPORTANT:

After the system restarts, adjust the baud rate of the terminal to 9600 bps. For the adjustment method, see steps 6 to 10. If you selected 9600 bps as the download baud rate, you do not need to change the terminal's baud rate.

 

Handling software upgrade failures

If a software upgrade fails, the system runs the old software version. To handle a software upgrade failure:

1.      Check the physical ports for a loose or incorrect connection, and verify that the LEDs are reflecting the correct port status.

2.      If you are using the console port for file transfer, check the HyperTerminal settings (including the baud rate and data bits) for any incorrect setting.

3.      Check the file transfer settings:

¡  If Xmodem is used, make sure the terminal simulation program has the same baud rate as the console port.

¡  If TFTP is used, you must enter the same server IP address, file name, and working directory as those set on the TFTP server.

¡  If FTP is used, you must enter the same FTP server IP address, file name, working directory, and FTP username and password as those set on the FTP server.

4.      Check the FTP or TFTP server for incorrect settings.

5.      Verify that the MPU and service modules have enough storage space for the upgrade file.

6.      Verify that the upgrade file is available for the device and has the correct file type.

7.      Verify that the BootWare image and software image are compatible. For more information, see the release notes.
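The transcripts above report 575308 bytes after a TFTP or FTP transfer but 575360 bytes after Xmodem, which is the same file padded to whole 128-byte Xmodem blocks, so a byte count that differs from the staged file is not always a failure. The following Python check is an added example, not H3C tooling: it compares a captured console transcript with the file staged on the PC, and the function names, the 128-byte block size (classic Xmodem, not Xmodem-1K) and the optional reference SHA-256 (obtained out of band, the page gives none) are assumptions.

```python
import hashlib
import re

XMODEM_BLOCK = 128  # assumption: classic 128-byte Xmodem blocks, not Xmodem-1K

BYTES_RE = re.compile(r"^(\d+) bytes downloaded!", re.MULTILINE)
# Matches progress lines such as "Updating Basic BootWare........Done." but not
# the "Updating Basic BootWare? [Y/N]" prompt, which has no dots after the name.
UPDATE_RE = re.compile(r"^Updating (Basic|Extended) BootWare\.+(.*)$", re.MULTILINE)

# Console output copied from the TFTP and Xmodem procedures on this page.
TFTP_LOG = """Loading..............Done.
575308 bytes downloaded!
Updating Basic BootWare? [Y/N]
Updating Basic BootWare........Done.
Updating Extended BootWare? [Y/N]
Updating Extended BootWare.........Done!
"""
XMODEM_LOG = """Download successfully!
575360 bytes downloaded!
Updating Basic BootWare? [Y/N]
Updating Basic BootWare........Done.
Updating Extended BootWare? [Y/N]
Updating Extended BootWare.........Done.
"""
# Constructed stand-in for the .btw file: only its length (575308) is from the page.
SAMPLE_IMAGE = bytes(575308)


def expected_reported_size(file_size, protocol):
    """Byte count BootWare should report for a staged file of file_size bytes."""
    protocol = protocol.lower()
    if protocol in ("tftp", "ftp"):
        return file_size
    if protocol == "xmodem":
        # The sender pads the last block, so the receiver counts whole blocks.
        blocks = -(-file_size // XMODEM_BLOCK)  # ceiling division
        return blocks * XMODEM_BLOCK
    raise ValueError(f"unsupported protocol: {protocol!r}")


def check_upgrade(image, transcript, protocol,
                  segments=("Basic", "Extended"), reference_sha256=None):
    """Return a list of findings; an empty list means the transcript is consistent."""
    findings = []

    # 1. The staged file is the one the operator intended to flash.
    if reference_sha256 is not None:
        actual = hashlib.sha256(image).hexdigest()
        if actual != reference_sha256.strip().lower():
            findings.append("staged file does not match the reference SHA-256")

    # 2. The device received as many bytes as the staged file holds.
    match = BYTES_RE.search(transcript)
    if match is None:
        findings.append("transcript has no 'bytes downloaded!' line")
    else:
        reported = int(match.group(1))
        expected = expected_reported_size(len(image), protocol)
        if reported != expected:
            findings.append(
                f"device reported {reported} bytes, expected {expected} for {protocol}")

    # 3. Every segment that should have been written ended with "Done".
    status = {seg: text.strip() for seg, text in UPDATE_RE.findall(transcript)}
    for seg in segments:
        if seg not in status:
            findings.append(f"{seg} BootWare segment was not written")
        elif not status[seg].startswith("Done"):
            findings.append(f"{seg} BootWare update did not finish: {status[seg]!r}")
    return findings


if __name__ == "__main__":
    for name, log, proto in (("TFTP", TFTP_LOG, "tftp"),
                             ("Xmodem", XMODEM_LOG, "xmodem")):
        print(name, check_upgrade(SAMPLE_IMAGE, log, proto) or "consistent")
```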

 


Appendix D Using BootWare menus

Overview

BootWare provides menus for performing basic file operations, software upgrades, and system management when the Comware CLI is inaccessible because of image corruption.

BootWare is stored in each MPU's built-in flash. It has one basic segment and one extended segment. The basic segment enables the system to complete basic initialization, and the extended segment bootstraps the Comware images.

BootWare menus

Table 8 lists the menus that each segment provides and the major tasks you can perform using these menus. You can access these menus only during system startup.

Table 8 BootWare menus

| BootWare segment | Menu | Tasks | Reference |
|---|---|---|---|
| Basic | BASIC-BOOTWARE | Modify serial port parameters. Upgrade BootWare. Start the primary or backup BootWare extended segment. | Using the BASIC-BOOTWARE menu |
| Basic | BASIC ASSISTANT | Perform RAM test. | Accessing the BASIC ASSISTANT menu |
| Extended | EXTEND-BOOTWARE | Upgrade Comware software. Manage files. Access the system when the console login password is lost. Clear user privilege passwords. | Using the EXTENDED-BOOTWARE menu |
| Extended | EXTEND-ASSISTANT | Examine system memory. Search system memory. | Accessing the EXTEND ASSISTANT submenu |

 

 

NOTE:

Availability of some menu options depends on the password recovery capability state. For more information about the feature and its relevant menu options, see "Controlling the password recovery capability."

 

BootWare shortcut keys

BootWare provides the shortcut keys listed in Table 9.

Table 9 BootWare shortcut keys

| Shortcut keys | Prompt message | Function |
|---|---|---|
| Ctrl+B | access EXTENDED-BOOTWARE MENU | Accesses the EXTENDED-BOOTWARE menu while the device is starting up. |
| Ctrl+C | Please Start To Transfer File, Press <Ctrl+C> To Exit. | Stops the ongoing file transfer and exits the current operation interface. |
| Ctrl+C | Info: Press Ctrl+C to abort or return to EXTENDED ASSISTANT MENU. | Returns to the EXTENDED ASSISTANT menu. If the system is outputting the result of an operation, this shortcut key combination aborts the display first. |
| Ctrl+D | Press Ctrl+D to access BASIC-BOOTWARE MENU | Accesses the BASIC-BOOTWARE menu while the device is starting up. |
| Ctrl+D | Ctrl+D = Quit | Exits the parameter settings menu. |
| Ctrl+E | Memory Test(press Ctrl+C to skip it,press Ctrl+E to ECHO INFO) | Prints information during the memory test. |
| Ctrl+F | Ctrl+F: Format File System | Formats the current storage medium. |
| Ctrl+T | Press Ctrl+T to start memory test | Performs a memory test. |
| Ctrl+U | Access BASIC ASSISTANT MENU | Accesses the BASIC ASSISTANT menu from the BASIC-BOOTWARE menu. |
| Ctrl+Z | Ctrl+Z: Access EXTENDED ASSISTANT MENU | Accesses the EXTENDED ASSISTANT menu from the EXTENDED-BOOTWARE menu. |

 

Using the BASIC-BOOTWARE menu

Accessing the BASIC-BOOTWARE menu

1.      Power on the device.

2.      Press Ctrl+D within 4 seconds after the "Press Ctrl+D to access BASIC-BOOTWARE MENU" prompt message appears. If you fail to do this within the time limit, the system starts to run the extended BootWare segment.

======================<BASIC-BOOTWARE MENU(Ver 1.19)>=======================

|<1> Modify Serial Interface Parameter                                     |

|<2> Update Extended BootWare                                              |

|<3> Update Full BootWare                                                  |

|<4> Boot Extended BootWare                                                |

|<5> Boot Backup Extended BootWare                                         |

|<0> Reboot                                                                |

============================================================================

Ctrl+U: Access BASIC ASSISTANT MENU

Enter your choice(0-5):

Table 10 BASIC-BOOTWARE menu options

| Option | Task | Reference |
|---|---|---|
| <1> Modify Serial Interface Parameter | Change the baud rate of the console port. Perform this task before downloading an image through the console port for software upgrade. | Modifying serial port parameters |
| <2> Update Extended BootWare | Upgrade the extended BootWare segment. If the extended segment is corrupt, choose this option to repair it. | Upgrading the extended BootWare segment |
| <3> Update Full BootWare | Upgrade the entire BootWare, including the basic segment and the extended segment. | Upgrading the entire BootWare |
| <4> Boot Extended BootWare | Run the primary extended BootWare segment. | Running the primary extended BootWare segment |
| <5> Boot Backup Extended BootWare | Run the backup extended BootWare segment. | Running the backup extended BootWare segment |
| <0> Reboot | Reboot the device. | N/A |
| Ctrl+U: Access BASIC ASSISTANT MENU | Press Ctrl+U to access the BASIC ASSISTANT menu. | Accessing the BASIC ASSISTANT menu |

 

Modifying serial port parameters

To change the baud rate of the console port:

1.      Enter 1 in the BASIC-BOOTWARE menu.

Enter your choice(0-5): 1

===============================<BAUDRATE SET>===============================

|Note:'*'indicates the current baudrate                                    |

|     Change The HyperTerminal's Baudrate Accordingly                      |

|---------------------------<Baudrate Available>---------------------------|

|<1> 9600(Default)*                                                        |

|<2> 19200                                                                 |

|<3> 38400                                                                 |

|<4> 57600                                                                 |

|<5> 115200                                                                |

|<0> Exit                                                                  |

============================================================================

Enter your choice(0-5):

2.      Enter the number that represents the baud rate you want to choose. For example, enter 5 to set the baud rate to 115200 bps.

 

 

NOTE:

A baud rate change is a one-time operation. The baud rate is restored to the default (9600 bps) at reboot. To set up a console session with the device after a reboot, you must change the baud rate of the configuration terminal back to 9600 bps.

 

Upgrading the extended BootWare segment

Enter 2 in the BASIC-BOOTWARE menu.

Enter your choice(0-5): 2

Please Start To Transfer File, Press <Ctrl+C> To Exit.

Waiting ...CCC

Upgrading the entire BootWare

Enter 3 in the BASIC-BOOTWARE menu.

Enter your choice(0-5): 3

Please Start To Transfer File, Press <Ctrl+C> To Exit.

Waiting ...CCC

Running the primary extended BootWare segment

Enter 4 in the BASIC-BOOTWARE menu.

Enter your choice(0-5): 4

Booting Normal Extended BootWare.

The Extended BootWare is self-decompressing.............Done!

 

****************************************************************************

*                                                                          *

*                         BootWare, Version 1.32                           *

*                                                                          *

****************************************************************************

Compiled Date         : Jun 18 2013

CPU Type              : XXXX

CPU Clock Speed       : 1200MHz

Memory Type           : DDR3 SDRAM

Memory Size           : 8192MB

Memory Speed          : 667MHz

BootWare Size         : 1536KB

Flash Size            : 500MB

BASIC CPLD Version    : 3.0

EXTENDED CPLD Version : 3.0

PCB Version           : Ver.A

 

BootWare Validating...

Press Ctrl+B to access EXTENDED-BOOTWARE MENU...

 

Password recovery capability is enabled.

Note: The current operating device is flash

Enter < Storage Device Operation > to select device.

Running the backup extended BootWare segment

Enter 5 in the BASIC-BOOTWARE menu.

For information about backing up the extended BootWare segment, see "Accessing the BootWare Operation submenu."

Enter your choice(0-5): 5

Booting Backup Extended BootWare.

The Extended BootWare is self-decompressing............................Done!

Accessing the BASIC ASSISTANT menu

Press Ctrl+U in the BASIC-BOOTWARE menu.

===========================<BASIC-ASSISTANT MENU>===========================

|<1> RAM Test                                                              |

|<0> Exit To Main Menu                                                     |

============================================================================

Enter your choice(0-1):

Table 11 BASIC ASSISTANT menu options

| Option | Description |
|---|---|
| <1> RAM Test | Test the memory. |
| <2> Exit To Main Menu | Return to the BASIC-BOOTWARE menu. |

 

Testing the memory

IMPORTANT:

To avoid unexpected exceptions, perform this task under the guidance of H3C Support.

 

To test the memory, use one of the following methods:

·            In the BASIC-BOOTWARE menu, press Ctrl+T within 4 seconds after the "Press Ctrl+T to start memory test" prompt message appears.

·            In the BASIC-BOOTWARE menu, press Ctrl+U to access the BASIC ASSISTANT menu.

Using the EXTENDED-BOOTWARE menu

Accessing the EXTENDED-BOOTWARE menu

1.      Power on the device.

2.      Press Ctrl+B within 5 seconds after the "Press Ctrl+B to access EXTENDED-BOOTWARE MENU..." prompt message appears. If you fail to do this within the time limit, the system starts up.

Password recovery capability is enabled.

Note: The current operating device is flash

Enter < Storage Device Operation > to select device.

3.      Press Enter to access the EXTENDED-BOOTWARE menu.

===========================<EXTENDED-BOOTWARE MENU>=========================

|<1> Boot System                                                           |

|<2> Enter Serial SubMenu                                                  |

|<3> Enter Ethernet SubMenu                                                |

|<4> File Control                                                          |

|<5> Restore to Factory Default Configuration                              |

|<6> Skip Current System Configuration                                     |

|<7> BootWare Operation Menu                                               |

|<8> Skip Authentication for Console Login                                 |

|<9> Storage Device Operation                                              |

|<0> Reboot                                                                |

============================================================================

Ctrl+Z: Access EXTENDED ASSISTANT MENU

Ctrl+F: Format File System

Enter your choice(0-9):

Availability of some options in this menu depends on the password recovery capability state (displayed on top of the EXTEND-BOOTWARE menu). For more information about the feature, see "Controlling the password recovery capability."

Table 12 EXTENDED-BOOTWARE menu options

| Option | Tasks | Reference |
|---|---|---|
| <1> Boot System | Run the Comware software without rebooting the device. Choose this option after completing operations in the EXTENDED-BOOTWARE menu. | N/A |
| <2> Enter Serial SubMenu | Access the serial submenu. From the serial submenu, you can use Xmodem to upgrade software images and BootWare. | Accessing the Serial submenu |
| <3> Enter Ethernet SubMenu | Use FTP or TFTP to upgrade Comware images through the management Ethernet port. | Accessing the Ethernet submenu |
| <4> File Control | Display files on the current storage medium. Set a Comware image file as the main or backup startup software image file. Delete files to release storage space. | Managing files |
| <5> Restore to Factory Default Configuration | Restore the factory-default configuration. This option is available only if password recovery capability is disabled. | Restoring the factory-default configuration |
| <6> Skip Current System Configuration | Start the device with the factory-default configuration without loading any configuration file. This option is available only if password recovery capability is enabled. | Skipping the configuration file |
| <7> BootWare Operation Menu | Back up, recover, and upgrade the BootWare image. | Accessing the BootWare Operation submenu |
| <8> Skip Authentication for Console Login | Skip console login authentication. This option is available only if password recovery capability is enabled. This is a one-time operation and takes effect only for the first system boot or reboot after you choose this option. | Skipping console login authentication |
| <9> Storage Device Operation | Set the storage medium from which the device will start up. Set the storage medium where file operations are performed. This storage medium is referred to as the "current storage medium." | Managing storage media |
| Ctrl+F: Format File System | Format the file system. | Formatting the file system |
| Ctrl+Z: Access EXTENDED ASSISTANT MENU | Access the EXTENDED ASSISTANT menu. | Accessing the EXTEND ASSISTANT submenu |
| <0> Reboot | Reboot the device. | N/A |

 

 

NOTE:

For more information about the password recovery capability (password-recovery enable command), see H3C SecPath M9000-AI Multi Service Security Gateway Command References.

 

Controlling the password recovery capability

Password recovery capability controls console user access to the device configuration from BootWare menus. It determines how a password loss is handled.

·            If password recovery capability is enabled, a console user can handle a password loss situation as follows:

¡  If the console login password is lost, the user can skip console login authentication, and then access the CLI to configure a new password.

¡  If a user role password is lost, the user can skip the configuration file, and then access the CLI to configure a new password.

·            If password recovery capability is disabled, console users must restore the factory-default configuration before they can configure new passwords.

To enhance system security, disable password recovery capability.

To enable or disable password recovery capability:

 

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enable or disable password recovery capability. | Enable the feature: password-recovery enable. Disable the feature: undo password-recovery enable | By default, password recovery capability is enabled. |

Running Comware images

Enter 1 in the EXTENDED-BOOTWARE menu.

Enter your choice(0-9): 1

Loading the main image files...

Loading file flash:/M9000E-CMW710-SYSTEM-R9001P2411.bin...........................

............................................................................

............................................................................

............................................................................

............Done.

Loading file flash:/M9000E-CMW710-SYSTEM-R9001P2411.bin.............................

.......................................................................Done.

Image file flash:/M9000E-CMW710-SYSTEM-R9001P2411.bin is self-decompressing.........

....................................................................Done.

System image is starting...

Line con0 is available.

 

Press ENTER to get started.

Accessing the Serial submenu

Enter 2 in the EXTENDED-BOOTWARE menu.

Enter your choice(0-9): 2

===========================<Enter Serial SubMenu>===========================

|Note:the operating device is flash                                        |

|<1> Download Image  Program To SDRAM And Run                              |

|<2> Update Main Image File                                                |

|<3> Update Backup Image File                                              |

|<4> Modify Serial Interface Parameter                                     |

|<0> Exit To Main Menu                                                     |

============================================================================

Enter your choice(0-4):

Table 13 Serial submenu options

| Option | Tasks |
|---|---|
| <1> Download Image Program To SDRAM And Run | Load and run Comware images in SDRAM. This option is available only if password recovery capability is enabled. |
| <2> Update Main Image File | Download Comware images to the current storage medium as the main images (the file attribute is set to M). As a result, the M file attribute of the original main images is removed. |
| <3> Update Backup Image File | Download Comware images to the current storage medium as backup images (the file attribute is set to B). As a result, the B file attribute of the original backup images is removed. |
| <4> Modify Serial Interface Parameter | Change the baud rate of the console port. The baud rate change is a one-time operation. The baud rate is restored to the default (9600 bps) at reboot. To set up a console session with the device after a reboot, you must change the baud rate setting on the configuration terminal to 9600 bps. |
| <0> Exit To Main Menu | Return to the EXTENDED-BOOTWARE menu. |

NOTE:

To set the current storage medium, see "Managing storage media."

 

Accessing the Ethernet submenu

You can upgrade the Comware software through the management Ethernet port from the Ethernet submenu and configure file transfer settings.

1.      Enter 3 in the EXTENDED-BOOTWARE menu and press Enter to access the Ethernet submenu.

Enter your choice(0-9):3

==========================<Enter Ethernet SubMenu>==========================

|Note:the operating device is flash                                        |

|<1> Download Image Program To SDRAM And Run                               |

|<2> Update Main Image File                                                |

|<3> Update Backup Image File                                              |

|<4> Modify Ethernet Parameter                                             |

|<0> Exit To Main Menu                                                     |

|<Ensure The Parameter Be Modified Before Downloading!>                    |

============================================================================

Enter your choice(0-4):

Table 14 Ethernet submenu options

| Option | Description |
|---|---|
| <1> Download Image Program To SDRAM And Run | Load and run software images in SDRAM. If password recovery capability is enabled, this option is not available. |
| <2> Update Main Image File | Download software images to the current storage medium as main images (the file attribute is set to M). As a result, the M file attribute of the original main images is removed. |
| <3> Update Backup Image File | Download software images to the current storage medium as backup images (the file attribute is set to B). As a result, the B file attribute of the original backup images is removed. |
| <4> Modify Ethernet Parameter | Configure FTP or TFTP file transfer settings. |
| <0> Exit To Main Menu | Return to the EXTENDED-BOOTWARE menu. |

2.      Enter 4 in the Ethernet submenu to configure file transfer settings on the MPU.

Enter your choice(0-4):4

======================<ETHERNET PARAMETER SET>=============================

|Note:       '.' = Clear field.                                           |

|            '-' = Go to previous field.                                  |

|          Ctrl+D = Quit.                                                 |

===========================================================================

Protocol (FTP or TFTP) :ftp

Load File Name         :M9000E.ipe

                       :

Target File Name       :M9000E.ipe

                       :

Server IP Address      :192.168.96.4

Local IP Address       :192.168.212.33

Subnet Mask            :255.255.255.0

Gateway IP Address     :192.168.212.254

FTP User Name          :admin

FTP User Password      :******

Table 15 Setting Ethernet parameters for file transfer

| Field | Description |
|---|---|
| '.' = Clear field | Press the dot (.), and then press Enter to clear the setting for a field. |
| '-' = Go to previous field | Press the hyphen (-), and then press Enter to return to the previous field. |
| Ctrl+D = Quit | Press Ctrl + D to exit the Ethernet parameter settings menu. |
| Protocol (FTP or TFTP) | Set the file transfer protocol to FTP or TFTP. |
| Load File Name | Set the name of the file to be downloaded. |
| Target File Name | Set a file name for saving the file in the current storage medium on the device. By default, the target file name is the same as the source file name. |
| Server IP Address | Set the IP address of the FTP or TFTP server. |
| Local IP Address | Set the IP address of the device. |
| Subnet Mask | Set the IP address mask. |
| Gateway IP Address | Set a gateway IP address if the device is on a different network than the server. |
| FTP User Name | Set the username for accessing the FTP server. This username must be the same as configured on the FTP server. This field is not available for TFTP. |
| FTP User Password | Set the password for accessing the FTP server. This password must be the same as configured on the FTP server. This field is not available for TFTP. |

Managing files

You can display all files, set the attribute for a file, and delete a file from the File Control submenu.

Enter 4 in the EXTENDED-BOOTWARE menu and then press Enter to access the File Control submenu.

Enter your choice(0-9):4

===============================<File CONTROL>===============================

|Note:the operating device is flash                                        |

|<1> Display All File(s)                                                   |

|<2> Set Image File type                                                   |

|<3> Set Bin File type                                                     |

|<4> Delete File                                                           |

|<0> Exit To Main Menu                                                     |

============================================================================

Enter your choice(0-4):

Table 16 File Control submenu options

| Option | Description |
|---|---|
| <1> Display All File(s) | Display all files. |
| <2> Set Image File type | Set the attribute for a software image file. |
| <3> Set Bin File type | Set the attribute for a .bin file. |
| <4> Delete File | Delete a file. |
| <0> Exit To Main Menu | Return to the EXTENDED-BOOTWARE menu. |

Displaying all files

Enter 1 in the File Control submenu.

Enter your choice(0-4):1

Display all file(s) in flash:

'M' = MAIN      'B' = BACKUP      'N/A' = NOT ASSIGNED

============================================================================

|NO. Size(B)   Time                 Type   Name                            |

|1   129912    May/21/2015 15:44:18 N/A    flash:/dpi/av/predefined/av_sigp|

|ack_curr.dat                                                              |

|2   87160     May/21/2015 15:44:14 N/A    flash:/dpi/apr/predefined/apr_si|

|gpack_curr.dat                                                            |

|3   149240    May/21/2015 15:44:17 N/A    flash:/dpi/ips/predefined/ips_si|

|gpack_curr.dat                                                            |

|4   36152     May/21/2015 15:44:17 N/A    flash:/dpi/uflt/predefined/uflt_|

|sigpack_curr.dat                                                          |

|5   2398      Oct/17/2014 17:37:37 N/A    flash:/pki/https-server.p12     |

|6   7884      Jul/23/2015 15:21:45 N/A    flash:/test.cfg                 |

|7   119071    Jul/23/2015 15:21:46 N/A    flash:/test.mdb                 |

|8   0         Jul/13/2015 14:04:01 N/A    flash:/.trash/.trashinfo        |

|9   591       Jan/08/2015 10:04:48 N/A    flash:/serverkey                |

|10  13373440  Jul/23/2015 11:08:08 M      flash:/M9000-CMW710-BOOT-D9118P0|

|2.bin                                                                     |

|11  223       Apr/16/2015 16:28:29 N/A    flash:/ecdsakey                 |

|12  0         Jun/11/2015 18:33:38 N/A    flash:/lauth.dat                |

|13  155168    Jul/23/2015 17:07:13 N/A    flash:/logfile/logfile.log      |

|14  943       Jul/13/2015 13:49:52 N/A    flash:/license/.did             |

|15  963       Jun/23/2015 17:20:35 N/A    flash:/license/history/DeviceID_|

|20150623172035.did                                                        |

|16  963       Jun/23/2015 17:20:36 N/A    flash:/license/210235A1ABX13C000|

|010.did                                                                   |

|17  735       Jan/08/2015 10:04:48 N/A    flash:/hostkey                  |

|18  7379      Jul/23/2015 17:07:10 N/A    flash:/startup.cfg              |

|19  116562    Jul/23/2015 17:07:10 N/A    flash:/startup.mdb              |

|20  642452    Jul/23/2015 11:02:25 N/A    flash:/m9000_v1.32.btw          |

|21  125688832 Jul/23/2015 11:10:59 M      flash:/M9000-CMW710-SYSTEM-D9118|

|P02.bin                                                                   |

|22  16        Jul/23/2015 08:49:34 N/A    flash:/versionInfo/versionCtl.da|

|t                                                                         |

|23  536       Jul/23/2015 08:49:34 N/A    flash:/versionInfo/version7.dat |

|24  536       Jul/13/2015 16:02:37 N/A    flash:/versionInfo/version6.dat |

|25  536       Jul/13/2015 14:36:48 N/A    flash:/versionInfo/version5.dat |

|26  536       Jul/13/2015 13:50:00 N/A    flash:/versionInfo/version4.dat |

|27  536       Jul/13/2015 10:52:53 N/A    flash:/versionInfo/version3.dat |

|28  536       Jul/09/2015 17:35:34 N/A    flash:/versionInfo/version2.dat |

|29  536       Jul/08/2015 18:42:52 N/A    flash:/versionInfo/version1.dat |

|30  536       Jun/23/2015 17:20:45 N/A    flash:/versionInfo/version0.dat |

|31  536       May/21/2015 15:44:21 N/A    flash:/versionInfo/version9.dat |

|32  536       Apr/14/2015 16:46:49 N/A    flash:/versionInfo/version8.dat |

|33  5212160   Jul/23/2015 15:11:08 N/A    flash:/BLADE4FWM9000-CMW710-BOOT|

|-D9118P01.bin                                                             |

|34  1650      Jul/23/2015 17:07:10 N/A    flash:/ifindex.dat              |

|35  53959680  Jul/23/2015 15:12:21 N/A    flash:/BLADE4FWM9000-CMW710-SYST|

|EM-D9118P01.bin                                                           |

|36  384       Jul/23/2015 15:48:39 N/A    flash:/.moduleimagemain.data    |

|37  698368    Jul/22/2015 19:18:08 N/A    flash:/8042sec4f21915_v1.01.btw |

============================================================================

Setting the attribute for software images

1.      Enter 2 in the File Control submenu.

===============================<File CONTROL>===============================

|Note:the operating device is flash                                        |

|<1> Display All File(s)                                                   |

|<2> Set Image File type                                                   |

|<3> Set Bin File type                                                     |

|<4> Delete File                                                           |

|<0> Exit To Main Menu                                                     |

============================================================================

Enter your choice(0-4):2

 

 'M' = MAIN      'B' = BACKUP              'N/A' = NOT ASSIGNED

============================================================================

|NO. Size(B)   Time                 Type   Name                            |

|1   119947264 Feb/27/2013 15:08:22 N/A    flash:/M9000E.ipe                |

|0   Exit                                                                  |

2.      Enter the numbers of the files you are working with. For example, enter 1.

Enter file No.:1

 

Modify the file attribute:

============================================================================

|<1>+Main                                                                  |

|<2>+Backup                                                                |

|<0> Exit                                                                  |

============================================================================

 

Enter your choice(0-2):

3.      Enter a number in the range of 0 to 2 to add or delete a file attribute for the files. For example, enter 1 to assign the M attribute to the files.

Enter your choice(0-2):1

This operation may take several minutes. Please wait....

Image file M9000E-CMW710-SYSTEM-R9001P2411.bin is self-decompressing...

Saving file flash:/M9000E-CMW710-SYSTEM-R9001P2411.bin .............................

......................Done.

Image file M9000E-CMW710-SYSTEM-R9001P2411.bin is self-decompressing...

Saving file flash:/M9000E-CMW710-SYSTEM-R9001P2411.bin ...........................

............................................................................

............................................................................

............................................................................

.....................................................................Done.

Set the file attribute success!

Setting the attribute for .bin files

Enter 3 in the File Control submenu.

Enter your choice(0-4): 3

 

'M' = MAIN      'B' = BACKUP      'N/A' = NOT ASSIGNED

============================================================================

|NO. Size(B)   Time                 Type   Name                            |

|1   13241344  Jan/09/2014 06:46:34 M      flash:/m9000-cmw710-boot-D9118P0|

|2.bin                                                                     |

|2   83011584  Jan/09/2014 06:48:11 M      flash:/m9000-cmw710-system-D9118|

|P02.bin                                                                   |

|0   Exit                                                                  |

============================================================================

Note:Select .bin files. One but only one boot image and system image must be included.

Enter file No.(Allows multiple selection):1

Enter another file No.(0-Finish choice):2

Enter another file No.(0-Finish choice):0        //To finish selecting another file, enter 0.

You have selected:

flash:/M9000E-CMW710-SYSTEM-R9001P2411.bin

flash:/M9000E-CMW710-SYSTEM-R9001P2411.bin

 

Modify the file attribute:

============================================================================

|<1>+Main                                                                  |

|<2>+Backup                                                                |

|<0> Exit                                                                  |

============================================================================

Enter your choice(0-2):1

This operation may take several minutes. Please wait....

Set the file attribute success!
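The file listings above wrap any name longer than the Name column onto a second row, so a line-by-line search misses an image whose name breaks inside "-SYSTEM-". The following added example (not H3C code) parses a captured listing, rejoins wrapped names, and applies the Set Bin File type rule that a selection must contain exactly one boot image and one system image. SAMPLE is constructed from rows shown on this page; the function names and the "-BOOT-"/"-SYSTEM-" name test are assumptions.

```python
import re

# One listing row: NO., Size(B), Time, Type, then the first part of the name.
ROW = re.compile(
    r"^(?P<no>\d+)\s+(?P<size>\d+)\s+"
    r"(?P<time>[A-Z][a-z]{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<type>M|B|N/A)\s+(?P<name>\S+)$"
)

# Constructed sample: rows copied from the listings on this page, renumbered 1-5.
SAMPLE = """\
'M' = MAIN      'B' = BACKUP      'N/A' = NOT ASSIGNED
============================================================================
|NO. Size(B)   Time                 Type   Name                            |
|1   129912    May/21/2015 15:44:18 N/A    flash:/dpi/av/predefined/av_sigp|
|ack_curr.dat                                                              |
|2   13373440  Jul/23/2015 11:08:08 M      flash:/M9000-CMW710-BOOT-D9118P0|
|2.bin                                                                     |
|3   125688832 Jul/23/2015 11:10:59 M      flash:/M9000-CMW710-SYSTEM-D9118|
|P02.bin                                                                   |
|4   7379      Jul/23/2015 17:07:10 N/A    flash:/startup.cfg              |
|5   53959680  Jul/23/2015 15:12:21 N/A    flash:/BLADE4FWM9000-CMW710-SYST|
|EM-D9118P01.bin                                                           |
|0   Exit                                                                  |
============================================================================
"""


def parse_listing(text):
    """Parse a BootWare file listing into dicts, rejoining wrapped file names."""
    entries, in_row = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # tolerate double-spaced captures
        if not (line.startswith("|") and line.endswith("|")):
            in_row = False  # legend, '====' rulers, prompts
            continue
        cell = line[1:-1].strip()
        match = ROW.match(cell)
        if match:
            entry = match.groupdict()
            entry["no"], entry["size"] = int(entry["no"]), int(entry["size"])
            entries.append(entry)
            in_row = True
        elif in_row and cell and " " not in cell:
            entries[-1]["name"] += cell  # continuation of a wrapped name
        else:
            in_row = False  # header row, '0 Exit', menu text
    return entries


def image_kind(name):
    """Return 'boot' or 'system' for a .bin image name, else None (assumed naming)."""
    match = re.search(r"-(boot|system)-[^/]*\.bin$", name, re.IGNORECASE)
    return match.group(1).lower() if match else None


def check_selection(entries, numbers):
    """Apply the menu rule: exactly one boot and one system .bin image selected."""
    by_no = {e["no"]: e for e in entries}
    problems = [f"no file numbered {n} in the listing" for n in numbers if n not in by_no]
    chosen = [by_no[n]["name"] for n in numbers if n in by_no]
    for kind in ("boot", "system"):
        names = [n for n in chosen if image_kind(n) == kind]
        if len(names) != 1:
            problems.append(f"expected 1 {kind} image, selected {len(names)}: {names}")
    return problems


if __name__ == "__main__":
    files = parse_listing(SAMPLE)
    for f in files:
        print(f["no"], f["type"], image_kind(f["name"]) or "-", f["name"])
    marked_main = [f["no"] for f in files if f["type"] == "M"]
    print(check_selection(files, marked_main) or "selection OK")
    # Adding the blade system image (row 5) violates the one-system-image rule.
    print(check_selection(files, marked_main + [5]))
```
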

Deleting a file

1.      Enter 4 in the File Control submenu.

Enter your choice(0-4):4

Deleting the file in flash:

'M' = MAIN      'B' = BACKUP      'N/A' = NOT ASSIGNED

============================================================================

|NO. Size(B)   Time                 Type   Name                            |

|1   129912    May/21/2015 15:44:18 N/A    flash:/dpi/av/predefined/av_sigp|

|ack_curr.dat                                                              |

|2   87160     May/21/2015 15:44:14 N/A    flash:/dpi/apr/predefined/apr_si|

|gpack_curr.dat                                                            |

|3   149240    May/21/2015 15:44:17 N/A    flash:/dpi/ips/predefined/ips_si|

|gpack_curr.dat                                                            |

|4   36152     May/21/2015 15:44:17 N/A    flash:/dpi/uflt/predefined/uflt_|

|sigpack_curr.dat                                                          |

|5   2398      Oct/17/2014 17:37:37 N/A    flash:/pki/https-server.p12     |

|6   7884      Jul/23/2015 15:21:45 N/A    flash:/test.cfg                 |

|7   119071    Jul/23/2015 15:21:46 N/A    flash:/test.mdb                 |

|8   0         Jul/13/2015 14:04:01 N/A    flash:/.trash/.trashinfo        |

|9   591       Jan/08/2015 10:04:48 N/A    flash:/serverkey                |

|10  13373440  Jul/23/2015 11:08:08 M      flash:/M9000-CMW710-BOOT-D9118P0|

|2.bin                                                                     |

|11  223       Apr/16/2015 16:28:29 N/A    flash:/ecdsakey                 |

|12  0         Jun/11/2015 18:33:38 N/A    flash:/lauth.dat                |

|13  155168    Jul/23/2015 17:07:13 N/A    flash:/logfile/logfile.log      |

|14  943       Jul/13/2015 13:49:52 N/A    flash:/license/.did             |

|15  963       Jun/23/2015 17:20:35 N/A    flash:/license/history/DeviceID_|

|20150623172035.did                                                        |

|16  963       Jun/23/2015 17:20:36 N/A    flash:/license/210235A1ABX13C000|

|010.did                                                                   |

|17  735       Jan/08/2015 10:04:48 N/A    flash:/hostkey                  |

|18  7379      Jul/23/2015 17:07:10 N/A    flash:/startup.cfg              |

|19  116562    Jul/23/2015 17:07:10 N/A    flash:/startup.mdb              |

|20  642452    Jul/23/2015 11:02:25 N/A    flash:/m9000_v1.32.btw          |

|21  125688832 Jul/23/2015 11:10:59 M      flash:/M9000-CMW710-SYSTEM-D9118|

|P02.bin                                                                   |

|22  16        Jul/23/2015 08:49:34 N/A    flash:/versionInfo/versionCtl.da|

|t                                                                         |

|23  536       Jul/23/2015 08:49:34 N/A    flash:/versionInfo/version7.dat |

|24  536       Jul/13/2015 16:02:37 N/A    flash:/versionInfo/version6.dat |

|25  536       Jul/13/2015 14:36:48 N/A    flash:/versionInfo/version5.dat |

|26  536       Jul/13/2015 13:50:00 N/A    flash:/versionInfo/version4.dat |

|27  536       Jul/13/2015 10:52:53 N/A    flash:/versionInfo/version3.dat |

|28  536       Jul/09/2015 17:35:34 N/A    flash:/versionInfo/version2.dat |

|29  536       Jul/08/2015 18:42:52 N/A    flash:/versionInfo/version1.dat |

|30  536       Jun/23/2015 17:20:45 N/A    flash:/versionInfo/version0.dat |

|31  536       May/21/2015 15:44:21 N/A    flash:/versionInfo/version9.dat |

|32  536       Apr/14/2015 16:46:49 N/A    flash:/versionInfo/version8.dat |

|33  5212160   Jul/23/2015 15:11:08 N/A    flash:/BLADE4FWM9000-CMW710-BOOT|

|-D9118P01.bin                                                             |

|34  1650      Jul/23/2015 17:07:10 N/A    flash:/ifindex.dat              |

|35  53959680  Jul/23/2015 15:12:21 N/A    flash:/BLADE4FWM9000-CMW710-SYST|

|EM-D9118P01.bin                                                           |

|36  384       Jul/23/2015 15:48:39 N/A    flash:/.moduleimagemain.data    |

|37  698368    Jul/22/2015 19:18:08 N/A    flash:/8042sec4f21915_v1.01.btw |

|0   Exit                                                                  |

============================================================================

Enter file No:

2.      Enter the number of the file to delete. For example, enter 2 to delete the flash:/test.cfg file.

3.      When the following message appears, enter Y.

The file you selected is flash:/test.cfg,Delete it? [Y/N]

If the following message appears, the file is successfully deleted.

Deleting.....Done!

Restoring the factory-default configuration

CAUTION:

Restoring the factory-default configuration will permanently delete startup configuration files and backup configuration files in the current storage medium.

 

To restore the factory-default configuration from the EXTENDED-BOOTWARE menu, make sure password recovery capability is disabled. If the capability is enabled, you cannot perform the task.

After you perform this task, the device uses the factory-default configuration instead of the configuration file for the next startup.

To enhance system security, disable password recovery capability.

To restore the factory-default configuration:

1.      Enter 5 in the EXTENDED-BOOTWARE menu and then press Enter.

Enter your choice(0-9): 5

2.      Follow the system instruction to complete the task.

¡  If password recovery capability is enabled, first disable the capability from the CLI, and then reboot the device to access the EXTENDED-BOOTWARE menu.

Password recovery capability is enabled. To perform this operation, first disable the password recovery capability using the undo password-recovery enable command in CLI.

¡  If password recovery capability is disabled, enter Y at the prompt to complete the task.

Because the password recovery capability is disabled, this operation can cause the configuration files to be deleted, and the system will start up with factory defaults. Are you sure to continue?[Y/N]Y

Setting...Done.

Skipping the configuration file

To perform this task, make sure password recovery capability is enabled. If the capability is disabled, you cannot perform the task.

To start the device with the factory-default configuration:

1.      Enter 6 in the EXTENDED-BOOTWARE menu and press Enter.

Enter your choice(0-9): 6

2.      Follow the system instruction to complete the task.

¡  If password recovery capability is enabled, the device uses the factory-default configuration instead of the configuration file for the next startup.

¡  If password recovery capability is disabled, first enable the capability from the CLI, and then reboot the device to access the EXTENDED-BOOTWARE menu.

Password recovery capability is disabled. To perform this operation, first enable the password recovery capability using the password-recovery enable command in CLI.

Accessing the BootWare Operation submenu

Enter 7 in the EXTENDED-BOOTWARE menu and press Enter.

Enter your choice(0-9): 7

=========================<BootWare Operation Menu>==========================

|Note:the operating device is flash                                        |

|<1> Backup Full BootWare                                                  |

|<2> Restore Full BootWare                                                 |

|<3> Update BootWare By Serial                                             |

|<4> Update BootWare By Ethernet                                           |

|<0> Exit To Main Menu                                                     |

============================================================================

Enter your choice(0-4):

Table 17 BootWare Operation submenu options

| Option | Description |
|---|---|
| <1> Backup Full BootWare | Back up the entire BootWare image. |
| <2> Restore Full BootWare | Recover the entire BootWare image. |
| <3> Update BootWare By Serial | Upgrade the BootWare image through the serial port. |
| <4> Update BootWare By Ethernet | Upgrade BootWare through the management Ethernet port. |
| <0> Exit To Main Menu | Return to the EXTENDED-BOOTWARE menu. |

Skipping console login authentication

To perform this task, make sure password recovery capability is enabled. If the capability is disabled, you cannot perform this task.

This is a one-time operation and takes effect only for the reboot after you perform this task.

To enable the device to load the next-startup configuration file with the console login password ignored:

1.      Enter 8 in the EXTENDED-BOOTWARE menu and press Enter.

Enter your choice(0-9): 8

2.      Follow the system instruction to complete the task.

¡  If password recovery capability is enabled, the device clears the password for user privilege change.

Clear Image Password Success!

¡  If password recovery capability is disabled, first enable the capability from the CLI, and then reboot the device to access the EXTENDED-BOOTWARE menu.

Password recovery capability is disabled. To perform this operation, first enable the password recovery capability using the password-recovery enable command in CLI.

Managing storage media

Enter 9 in the EXTENDED-BOOTWARE menu and press Enter.

Enter your choice(0-9):9

==============================<DEVICE CONTROL>==============================

|<1> Display All Available Nonvolatile Storage Device(s)                   |

|<2> Set The Operating Device                                              |

|<3> Set The Default Boot Device                                           |

|<0> Exit To Main Menu                                                     |

============================================================================

Enter your choice(0-3):

DEVICE CONTROL menu options

 

| Option | Description |
|---|---|
| <1> Display All Available Nonvolatile Storage Device(s) | Display all storage media on the MPU you are working with. |
| <2> Set The Operating Device | Set the current storage medium. All file operations in BootWare menus are performed on the current storage medium. |
| <3> Set The Default Boot Device | Set the default storage medium from which the system will start up. |
| <0> Exit To Main Menu | Return to the EXTENDED-BOOTWARE menu. |

Accessing the EXTEND ASSISTANT submenu

Press Ctrl + Z in the EXTENDED-BOOTWARE menu.

==========================<EXTENDED ASSISTANT MENU>=========================

|<1> Display Memory                                                        |

|<2> Search Memory                                                         |

|<0> Exit To Main Menu                                                     |

============================================================================

Enter your choice(0-2):

Table 18 EXTEND ASSISTANT submenu options

| Option | Description |
|---|---|
| <1> Display Memory | View memory information that meets certain requirements. |
| <2> Search Memory | Search memory for data that meets certain requirements. |
| <0> Exit To Main Menu | Return to the EXTENDED-BOOTWARE menu. |

Formatting the file system

CAUTION:

Formatting the file system clears all files and directories in a storage medium permanently. The cleared files and directories cannot be recovered.

 

Press Ctrl + F in the EXTENDED-BOOTWARE menu.

Warning:All files on flash will be lost! Are you sure to format? [Y/N]
