HP A3100-24 User's Manual
Contents
1. Required. Use either approach. The direct configuration approach is for SNMPv1 or SNMPv2c. The community name configured on the NMS should be consistent with the username configured on the agent. The indirect configuration approach is for SNMPv3.

   NOTE: The device supports the following SNMP versions: SNMPv1, SNMPv2c, and SNMPv3. For more information about SNMP, see the Network Management and Monitoring Configuration Guide.

   NMS login example

   In this example, iMC is used as the NMS.

   1. Configuration on the device

   Assign IP address of device. Make sure the device and the NMS can reach each other. (Configuration steps are omitted.)

   Enter system view.
      <Sysname> system-view
   Enable the SNMP agent.
      [Sysname] snmp-agent
   Configure an SNMP group.
      [Sysname] snmp-agent group v3 managev3group read-view test write-view test
   Add a user to the SNMP group.
      [Sysname] snmp-agent usm-user v3 managev3user managev3group

   2. Configuration on the NMS

   On the PC, start the browser. In the address bar, enter http://192.168.20.107:8080/imc, where 192.168.20.107 is the IP address of the iMC.

   Figure 31 iMC login page

   The Intelligent Management Center (IMC) is the new generation network operations and management platform of HP. It is designed to help network administrators
2. Configuring scheme authentication for Telnet login

   Configuration prerequisites

   You have logged in to the device. By default, you can log in to the device through the console port without authentication and have user privilege level 3 after login. For information about logging in to the device with the default configuration, see Configuration requirements.

   Configuration procedure

   Follow these steps to configure scheme authentication for Telnet login:

   - To do: Enter system view. Command: system-view.
   - To do: Enable Telnet. Command: telnet server enable. Remarks: Required. By default, the Telnet service is disabled.
   - To do: Enter one or multiple VTY user interface views. Command: user-interface vty first-number [ last-number ].
   - To do: Specify the scheme authentication mode. Command: authentication-mode scheme. Remarks: Required. Whether local, RADIUS, or HWTACACS authentication is adopted depends on the configured AAA scheme. By default, local authentication is adopted.
   - To do: Enable command authorization. Command: command authorization. Remarks: Optional. By default, command authorization is not enabled. By default, the command level depends on the user privilege level. A user is authorized a command level not higher than the user privilege level. With command authorization enabled, the command level for a login user is determined by both the user privilege level and AAA authorization. If a user execute
3. Software upgrade methods

   You can upgrade both Boot ROM and system software at the Boot menu or at the command line interface (CLI). The following sections cover how to upgrade them at the CLI. For instructions about how to upgrade them at the Boot menu, see the installation manual of your switch.

   Upgrading at the CLI falls into the following categories:

   - Upgrade method: Upgrading the Boot ROM program through a system reboot. Upgrade object: Boot ROM image.
   - Upgrade method: Upgrading system software through a system reboot. Upgrade object: System software.
     Description (both methods above):
     - You need to reboot the whole system to upgrade the software of a switch.
     - This causes running service interruption during the upgrade process, and is not recommended.
   - Upgrade method: Software upgrade by installing hotfixes. Upgrade object: System software.
     Description:
     - Hotfix is a fast, cost-effective method to repair software defects of a switch.
     - Compared with software version upgrade, hotfix can upgrade the software without interrupting the running services of the switch. It can repair the software defects of the current version without rebooting the switch.
     - The patch files match the switch model and software version. If they are not matched, the hotfixing operation fails.

   Upgrading the Boot ROM program through a system reboot

   Follow these steps to upgrade Boot ROM:

   - To do: Enter system view. Command: system-view.
   - To do: Enable the validity check f Remarks: Optional
4. Configuring the FTP server

   Configuring FTP server operating parameters

   The FTP server uses one of the following modes to update a file when you upload the file (use the put command) to the FTP server:

   - In fast mode, the FTP server starts writing data to the storage medium after a file is transferred to the memory. This prevents the existing file on the FTP server from being corrupted in the event that an anomaly, such as a power failure, occurs during a file transfer.
   - In normal mode, the FTP server writes data to the storage medium while receiving data. This means that any anomaly, such as a power failure, during file transfer might result in file corruption on the FTP server. This mode, however, consumes less memory space than the fast mode.

   Follow these steps to configure the FTP server:

   - To do: Enter system view. Command: system-view.
   - To do: Enable the FTP server. Command: ftp server enable. Remarks: Required. Disabled by default.
   - To do: Use an ACL to control FTP clients' access to the switch. Command: ftp server acl acl-number. Remarks: Optional. By default, no ACL is used to control FTP clients' access to the switch.
   - To do: Configure the idle-timeout timer. Command: ftp timeout minutes. Remarks: Optional. 30 minutes by default. Within the idle-timeout time, if there is no information interaction between the FTP server and client, the connection between them is terminated.
5. Device: Device (FTP client). Configuration: Use the ftp command to establish the connection to the remote FTP server. Remarks: If the remote FTP server supports anonymous FTP, the device can log in to it directly; if not, the device must obtain the FTP username and password first to log in to the remote FTP server.

   Device: PC (FTP server). Configuration: Enable FTP server on the PC, and configure the username, password, user privilege level, and so on.

   When the device serves as the FTP server, you need to perform the following configuration:

   Table 9 Configuration when the device serves as the FTP server

   - Device: Device (FTP server).
     - Configuration: Enable the FTP server function. Remarks: Disabled by default. You can use the display ftp-server command to view the FTP server configuration on the device.
     - Configuration: Configure authentication and authorization. Remarks: Configure the username, password, and authorized directory for an FTP user. The device does not support anonymous FTP for security reasons. You must set a valid username and password. By default, authenticated users can access the root directory of the device.
     - Configuration: Configure the FTP server operating parameters. Remarks: Parameters such as the FTP connection timeout time.
   - Device: PC (FTP client). Configuration: Use the FTP client program to log in to the FTP server. Remarks: You can log in to the FTP server only after you input the correct FTP username and password.

   CAUTION: Make sure that the FTP
6. To do: Reboot the switch. Command: reboot [ slot slot-number ]. Remarks: The slot keyword specifies the ID of a switch. The switch ID can only be 1. Available in user view.

   CAUTION:
   - You must save the file to be used at the next switch boot in the root directory of the switch. You can copy or move a file to change the path of it to the root directory.
   - To execute the boot-loader command successfully, save the file to be used at the next device boot in the storage media's root directory on the switch.

   Software upgrade by installing hotfixes

   Hotfix can repair software defects of the current version without rebooting the device, protecting the running services of the device from being interrupted.

   Basic concepts in hotfix

   Patch and patch file

   A patch, also called patch unit, is a package used to fix software defects. Patches are usually released as patch files. A patch file may contain one or more patches for different defects. After loaded from the storage medium to the memory patch area, each patch is assigned a unique number, which starts from 1, for identification, management, and operation. For example, if a patch file has three patch units, they are numbered as 1, 2, and 3 respectively.

   Incremental patch

   An incremental patch means that the patch is dependent on the previous patch units. For example, if a patch file has three patch units, patch 3 can be run only after patch 1 and 2 take effect. You cannot run patch 3 separately.
7. - To do: Terminate the connection to the FTP server without exiting FTP client view. Command: disconnect. Remarks: Optional. Equal to the close command.
   - To do: Terminate the connection to the FTP server without exiting FTP client view. Command: close. Remarks: Optional. Equal to the disconnect command.
   - To do: Terminate the connection to the FTP server and return to user view. Command: bye. Remarks: Optional. Equal to the quit command in FTP client view.
   - To do: Terminate the connection to the FTP server and return to user view. Command: quit. Remarks: Optional. Available in FTP client view, equal to the bye command.

   FTP client configuration example

   Network requirements

   - As shown in Figure 37, use the device as an FTP client and the PC as the FTP server. Their IP addresses are 10.2.1.1/16 and 10.1.1.1/16 respectively. The device and PC can reach each other.
   - The device downloads a system software image file from the PC for device upgrade, and uploads the configuration file to the PC for backup.
   - On the PC, an FTP user account has been created for the FTP client, with the username abc and the password pwd.

   Figure 37 Network diagram for FTPing a system software image file from an FTP server

   Configuration procedure

   CAUTION: If the available memory space of the device is not enough, use the fixdisk command to clear the memory or use the delete /unreserved file-url command to del
8. - ASCII mode: Transfers files as text, such as .txt, .bat, and .cfg files.

   TFTP operation

   NOTE: Only the TFTP client service is available with your device at present.

   Figure 39 TFTP configuration diagram

   Before using TFTP, the administrator needs to configure IP addresses for the TFTP client and server, and make sure that there is a reachable route between the TFTP client and server.

   When the device serves as the TFTP client, you need to perform the following configuration:

   Table 10 Configuration when the device serves as the TFTP client

   - Device: Device (TFTP client). Configuration:
     - Configure the IP address and routing function, and ensure that the route between the device and the TFTP server is available.
     - Use the tftp command to establish a connection to the remote TFTP server to upload/download files to/from the TFTP server.
   - Device: PC (TFTP server). Configuration: Enable TFTP server on the PC, and configure the TFTP working directory.

   Configuring the TFTP client

   When a device acts as a TFTP client, you can upload a file on the device to a TFTP server or download a file from the TFTP server to the local device. You can use either of the following methods to download a file:

   - Normal download: The device writes the obtained file to the storage medium directly. In this way, if you download a remote file using a filename destination-filename
9. 5 6 7 8. Remarks: Optional. By default, the data bits of the console port is 8. Data bits is the number of bits representing one character. The setting depends on the contexts to be transmitted. For example, you can set it to 7 if standard ASCII characters are to be sent, and set it to 8 if extended ASCII characters are to be sent.

   - To do: Define a shortcut key for enabling a terminal session. Command: activation-key character. Remarks: Optional. By default, you can press Enter to enable a terminal session.
   - To do: Define a shortcut key for terminating tasks. Command: escape-key { default | character }. Remarks: Optional. By default, you can press Ctrl+C to terminate a task.
   - To do: Configure the flow control mode. Command: flow-control { hardware | none | software }. Remarks: Optional. By default, the value is none.
   - To do: Configure the type of terminal display. Command: terminal type { ansi | vt100 }. Remarks: Optional. By default, the terminal display type is ANSI. The device supports two types of terminal display: ANSI and VT100. HP recommends that you set the display type of both the device and the client to VT100. If the device and the client use different display types (for example, hyper terminal or Telnet terminal) or both are set to ANSI, when the total number of characters of the edited command line exceeds 80, an anomaly such as cursor corruption or abnormal display of the terminal display may occur on the client.
   - To do: Configure the user privilege level for login
10. devices, and the specific configurations of each device need to be performed in other ways. For example, the configuration file can enable Telnet and create a local user on devices so that the administrator can Telnet to each device to perform specific configurations (for example, configure the IP address of each interface).

    - If devices use different configuration files, you need to configure static address pools to ensure that each device can get a fixed IP address and a specific configuration file. With this method, the administrator does not need to perform any other configuration for the devices.

    NOTE: To configure static address pools, you must obtain client IDs. To obtain a device's client ID, use the display dhcp server ip-in-use command to display address binding information on the DHCP server after the device obtains its IP address through DHCP.

    Obtaining the configuration file from the TFTP server

    File types

    A device can obtain the following files from the TFTP server during automatic configuration:

    - The configuration file specified by the Option 67 or file field in the DHCP response
    - The host name file named network.cfg, which stores mappings between IP addresses and host names. For example, the host name file can include the following:

         ip host host1 101.101.101.101
         ip host host2 101.101.101.102
         ip host client1 101.101.101.103
         ip host client2 101.101.101.104

    CAUTION:
    - There must be a space before
11. - To do: local user. Command: authorization-attribute level level. Remarks: Optional. By default, the command level is 0.
    - To do: Specify the service type for the local user. Command: service-type ssh. Remarks: Required. By default, no service type is specified.
    - To do: Return to system view. Command: quit.
    - To do: Create an SSH user, and specify the authentication mode for the SSH user. Command: ssh user username service-type stelnet authentication-type { password | { any | password-publickey | publickey } assign publickey keyname }. Remarks: Required. By default, no SSH user exists, and no authentication mode is specified.
    - To do: Configure common settings for VTY user interfaces. Remarks: Optional. See Configuring common settings for VTY user interfaces (optional).

    NOTE: This chapter describes how to configure an SSH client by using password authentication. For more information about SSH and how to configure an SSH client by using publickey, see the Security Configuration Guide.

    After you enable command authorization or command accounting, you need to perform the following configuration to make the function take effect:

    - Create a HWTACACS scheme, and specify the IP address of the authorization server and other authorization parameters.
    - Reference the created HWTACACS scheme in the ISP domain.

    For more information, see the Security Configuration Guide.

    When users adopt the scheme mode to log in to the device, the level of the commands that the users can access depends on the user
12. 2007 8 8 2 01 01 2007 date time clock datetime 3 00 2007 1 1 Original system clock at z CLOC zone offset outside the one elas S daylight saving time clock summer time ss 02 00 00 zonetime Sat range one off 1 00 01 01 2005 Original system clock 2007 1 1 1 00 zone offset OAR 2 3 0r 3 2 Original system clock Zone offset outside the clock timezone daylight saving time range Original system clock Zone offset summer offset zone time add 1 clock summer time ss one off 1 00 2005 1 1 1 00 2005 8 8 2 System clock configured 04 00 00 ss Sat 01 01 2005 1 2 3o0r1 3 2 date time zone offset outside the daylight saving time range date time zone offset clock datetime 1 00 2007 1 1 clock timezone zone time add 1 clock summer time ss one off 1499 2008 1 1 1 00 2008 8 8 2 02 00 00 zone time Mon 01 01 2007 date time zone offset outside the daylight saving time range date time zone offset clock datetime 1 00 2007 1 1 clock timezone zone time add 1 clock summer time ss 04 00 00 ss Mon 01 01 2007 2 3 lor 3 2 1 one off 1 00 summer offset 2007 1 1 1 00 2007 8 8 2 clock timezone date time outside the daylight saving time range date time 128 zone time add 1 clock summer time ss one off 1 00 2008 1 1 1 00 2008 8 8 2 clock datetime 1 00 2007 1 1 01 00 00 zone time Mon 01 01 2007 Command Effective system time Configuration
13. Currently released patches are all incremental patches.

    Common patch and temporary patch

    - Common patches are those formally released through the version release flow.
    - Temporary patches are those not formally released through the version release flow, but temporarily provided to solve the emergent problems.

    Common patches always include the functions of the previous temporary patches, so as to replace them. The patch type only affects the patch loading process. The system deletes all of the temporary patches before it loads the common patch.

    Patch status

    Each patch has its status, which can be switched only by commands. The relationship between patch state changes and command actions is shown in Figure 42. The patch can be in the state of IDLE, DEACTIVE, ACTIVE, and RUNNING. Load, run temporarily, confirm running, stop running, delete, install, and uninstall represent operations, corresponding to commands of patch load, patch active, patch run, patch deactive, patch delete, patch install, and undo patch install. For example, if you execute the patch active command for the patches in the DEACTIVE state, the patches turn to the ACTIVE state.

    Figure 42 Relationship between patch state changes and command actions
16. and the reset commands, which clear specified information. One-time commands that are executed are never saved.

    Displaying and maintaining CLI

    - To do: Display defined command aliases and the corresponding commands. Command: display command-alias [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
    - To do: Display the clipboard information. Command: display clipboard [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.

    Login methods

    You can log in to the switch by using the following methods.

    Table 7 Login methods

    CLI login:
    - Login method: Logging in through the console port. Default state: By default, you can log in to a device through the console port, the authentication mode is None (no username or password required), and the user privilege level is 3.
    - Login method: Logging in through Telnet. Default state: By default, you cannot log in to a device through Telnet. To do so, log in to the device through the console port, and complete the following configuration:
      - Enable the Telnet function.
      - Configure the IP address of the VLAN interface, and make sure that your device and the Telnet client can reach each other (by default, the device does not have an IP address).
      - Configure the authentication mode of VTY login users (password by default).
      - Configure the user privilege level of VTY login users (0 by default).
    - Login method: Logging in through SSH. Default state: By default, you cannot log
17. between interface IP addresses as well as the effect of interface statuses. You can configure the source address by configuring the source interface or source IP address. The primary IP address configured on the source interface is the source address of the transmitted packets.

    Follow these steps to configure the TFTP client:

    - To do: Enter system view. Command: system-view.
    - To do: Use an ACL to control the device's access to TFTP servers. Command: tftp-server [ ipv6 ] acl acl-number. Remarks: Optional. By default, no ACL is used to control the device's access to TFTP servers.
    - To do: Configure the source address of the TFTP client. Command: tftp client source { interface interface-type interface-number | ip source-ip-address }. Remarks: Optional. A device uses the source address determined by the matched route to communicate with the TFTP server by default.
    - To do: Return to user view. Command: quit.
    - To do: Download or upload a file in an IPv4 network. Command: tftp server-address { get | put | sget } source-filename [ destination-filename ] [ source { interface interface-type interface-number | ip source-ip-address } ]. Remarks: Optional. Available in user view.
    - To do: Download or upload a file in an IPv6 network. Command: tftp ipv6 tftp-ipv6-server [ -i interface-type interface-number ] { get | put } source-file [ destination-file ]. Remarks: Optional. Available in user view.

    NOTE:
    - If no primary IP address is configured on the source interface, no TFTP connecti
19. example System time eLlock timezone zone time add 1 date time in the daylight saving time range but g ge clock summer time ss date time summer offsef he off 1 00 23 30 00 zone time Mon outside the summer time 2008 1 1 1 00 12 31 2007 range 2008 8 8 2 date time summer offset Clock datetime 1 30 2008 1 1 clock timezone Both date time and zone time add 1 date time summer offsef clock summer time ss in the daylight saving time one off 1 00 03 00 00 ss Tue j 2008 1 1 1 00 01 01 2008 range 2008 8 8 2 date time clock datetime 3 00 2008 1 1 Configuration procedure Follow these steps to change the system time To do Use the command Remarks j Optional Set the system time and date clock datetime time date Available in user view Enter system view system view Optional clock timezone zone name add Set the time zone minus zone offset Universal time coordinated UTC time zone by default Set a non recurring scheme clock summer time zone name one off start time start date end time end date add time Optional Use either command Set a daylight saving time scheme By default daylight saving time is disabled and the UTC time zone applies Set a recurring scheme clock summer time zone name repeating start time start date end time end date add time Enabling displaying the copyright statement The device by default displays the copyright statement
20. from response to commands and save the configuration. To verify your configuration, enter AT&V to show the configuration results.

    NOTE: The configuration commands and the output for different modems may be different. For more information, see your modem's user guide.

    Launch a terminal emulation utility (such as HyperTerminal in Windows XP/Windows 2000), and create a new connection (the telephone number is the number of the modem connected to the device).

    NOTE: On Windows 2003 Server operating system, you need to add the HyperTerminal program first, and then log in to and manage the device as described in this document. On Windows 2008 Server, Windows 7, Windows Vista, or some other operating system, you need to obtain a third-party terminal control program first, and follow that program's user guide or online help to log in to the device.

    Dial the destination number on the PC to establish a connection with the device, as shown in Figure 20 through Figure 22.

    Figure 20 Connection description
    Figure 21 Enter the phone number
    Figure 22 Dial the number

    Step 6: Character string CONNECT9600 is displayed on the terminal. Then a prompt appears when you press Enter.

    Figure 23 Configuration page
21. - To do: Display information about system software. Remarks: Available in any view.
    - To do: Display the patch information. Command: display patch information [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.

    Software upgrade configuration examples

    Scheduled upgrade configuration example

    Network requirement

    - As shown in Figure 47, the current software version is soft-version1 for Device. Upgrade the software version of Device to soft-version2 and configuration file to new-config at a time when few services are processed (for example, at 3 am) through remote operations.
    - The latest application soft-version2.bin and the latest configuration file new-config.cfg are both saved in the aaa directory of the FTP server.
    - The IP address of Device is 1.1.1.1/24, the IP address of the FTP server is 2.2.2.2/24, and Device and FTP server can reach each other.
    - A user can log in to Device via Telnet, and the user and Device can reach each other.

    Figure 47 Network diagram for scheduled upgrade

    Configuration procedure

    1. Configure the FTP server (configurations may vary with different types of servers)

    - Set the access parameters for the FTP client (including enabling the FTP server function, setting the FTP username to aaa and password to hello, and setting the user to have access to the flash:/aaa directory).

         <FTP-Server> system-v
22. in to the device through the console port, you are prompted to press Enter. A prompt such as <HP> appears after you press Enter, as shown in Figure 9.

    Figure 9 Configuration page

         User interface aux is available.
         Press ENTER to get started.
         <HP>

    Configuring password authentication for console login

    Configuration prerequisites

    You have logged in to the device.

    By default, you can log in to the device through the console port without authentication and have user privilege level 3 after login. For information about logging in to the device with the default configuration, see Configuration requirements.

    Configuration procedure

    Follow these steps to configure password authentication for console login:

    - To do: Enter system view. Command: system-view.
    - To do: Enter AUX user interface view. Command: user-interface aux first-number [ last-number ].
    - To do: Configure the authentication mode as local password authentication. Command: authentication-mode password. Remarks: Required. By default, you can log in to the device through the console port without authentication and have user privilege level 3 after login.
    - To do: Set the local password. Command: set authentication password { cipher | simple } password. Remarks: Required. By default, no local password is set.
    - To do: Configure common settings for AUX user interface view. Remarks: Optional. See Configuring common settings for console login (optional).

    When
23. is available on only PoE-capable models of the A3100 v2 EI Switch Series.

    - To do: Display the operating state of fans. Command: display fan [ fan-id ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view. This command is available on only PoE-capable models of the A3100 v2 EI Switch Series.
    - To do: Display memory usage statistics. Command: display memory [ slot slot-number [ cpu cpu-number ] ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
    - To do: Display the power state. Command: display power [ power-id ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
    - To do: Display RPS state information. Command: display rps [ rps-id ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view. This feature is available on only A3100-24-PoE v2 EI Switch (JD313B) and A3100-16-PoE v2 EI Switch (JD312B) models.
    - To do: Display the mode of the last reboot. Command: display reboot-type [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
    - To do: Display the configuration of the job configured by using the schedule job command. Command: display schedule job [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
    - To do: Display the device reboot setting. Command: display schedule reboot [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
    - To do: Display the configura
24. j i and specify its access right ae ees by ole SNM groups write view notify view configured notify view ad aclnumber 74 To do Use the command snmp agent usm user v3 user name group name cipher authentication mode md5 sha auth password privacy mode 3des aes128 des56 Add a user to the SNMP group priv password ad acl number Remarks Required If the cipher keyword is specified both auth password and priv password are cipher text passwords Follow these steps to configure SNMPv1 and SNMPv2c settings To do Use the command Remarks Enter system view system view Optional Disabled by default Enable SNMP agent snmp agent You can enable SNMP agent with this command or any commond that begins with snmp agent Create or update MIB view information snmp agent mib view excluded included view name oid tree mask mask value Optional By default the MIB view name is ViewDefault and OID is 1 Configure an snmp agent community read write Directly SNMP community name ad community acl number mib view view name Coatigure snmp agent group v1 SNMP NMS l v2c groupname accesstiahi Configure an read view read view g SNMP group write view write view Indirectly notify view notify view ad acl number Addaisertodhe snmp agent usm user v1 v2c username group name SME group acl acl number
25. make sure the device and the NMS can reach each other. By default, your device does not have an IP address.
• Configure SNMP basic parameters.
User interface overview
User interface, also called line, allows you to manage and monitor sessions between the terminal and device when you log in to the device through the console port directly, or through Telnet or SSH. One user interface corresponds to one user interface view, where you can configure a set of parameters, such as whether to authenticate users at login, whether to redirect the requests to another device, and the user privilege level after login. When the user logs in through a user interface, the parameters set for the user interface apply.
The system supports the following CLI configuration methods:
• Local configuration via the console port
• Local/Remote configuration through Telnet or SSH
The methods correspond to the following user interfaces:
• AUX user interface: Used to manage and monitor users that log in via the Console port. The type of the Console port is EIA/TIA-232 DCE.
• VTY (virtual type terminal) user interface: Used to manage and monitor users that log in via VTY. A VTY port is used for Telnet or SSH access.
Users and user interfaces
Only one user can use a user interface at a time. The configuration made in a user interface view applies to any login user. For example, if user A uses the console port to log in, the configuration in the AUX user inte
26. of multiple configuration; Startup with the configuration; Saving the running configuration; Modes in saving the configuration; Setting configuration; Configuration rollback; Configuring parameters for saving the running configuration; Enabling automatic saving of the running configuration; Manually saving the running configuration; Setting configuration; Specifying a startup configuration file to be used at the next system startup; Backing up the startup configuration; Deleting a startup configuration; Restoring a startup configuration; Displaying and maintaining a configuration; Software upgrade configuration; Switch software overview; Software upgrade methods
27. privilege level defined in the AAA scheme.
• When the AAA scheme is local, the user privilege level is defined by the authorization-attribute level level command.
• When the AAA scheme is RADIUS or HWTACACS, the user privilege level is configured on the RADIUS or HWTACACS server.
• For more information about AAA, RADIUS, and HWTACACS, see the Security Configuration Guide.
Configuring the SSH client to log in to the SSH server
Configuration prerequisites
You have logged in to the device. By default, you can log in to the device through the console port without authentication and have user privilege level 3 after login. For information about logging in to the device with the default configuration, see "Configuration requirements."
Figure 18 Log in to another device from the current device (PC, SSH client, SSH server)
NOTE: If the SSH client and the SSH server are not in the same subnet, make sure that the two devices can reach each other.
Configuration procedure
Follow these steps to configure the SSH client to log in to the SSH server:
Log in to an IPv4 SSH server: ssh2 server. Required. server is the IPv4 address or host name of the server. Available in user view.
Log in to an IPv6 SSH server: ssh2 ipv6 server. Required. server is the IPv6 address or host name of the server. Available in user view.
NOTE: You can configure other settings for the SSH clie
28. see the features Security Configuration Guide.
• For more information about SSL, see the Security Configuration Guide.
Associate the HTTPS service with an SSL server policy: ip https ssl-server-policy policy-name. Required. By default, the HTTPS service is not associated with any SSL server policy.
• If you disable the HTTPS service, the system automatically de-associates the HTTPS service from the SSL service policy. Before re-enabling the HTTPS service, associate the HTTPS service with an SSL server policy first.
• Any changes to the SSL server policy associated with the HTTP service that is enabled do not take effect.
Enable the HTTPS service: ip https enable. Required. Disabled by default. Enabling the HTTPS service triggers an SSL handshake negotiation process. During the process, if the local certificate of the device exists, the SSL negotiation succeeds and the HTTPS service can be started normally. If no local certificate exists, a certificate application process will be triggered by the SSL negotiation. Because the application process takes much time, the SSL negotiation often fails and the HTTPS service cannot be started normally. In that case, you need to execute the ip https enable command multiple times to start the HTTPS service.
Associate the HTTPS service with a certificate attribute based access control policy: ip https certificate access-control-policy po
29. server and other authorization parameters. For more information, see the Security Configuration Guide.
• Reference the created HWTACACS scheme in the ISP domain. For more information, see the Security Configuration Guide.
After you enable command accounting, you need to perform the following configuration to make the function take effect:
• Create a HWTACACS scheme, and specify the IP address of the accounting server and other accounting parameters. For more information, see the Security Configuration Guide.
• Reference the created HWTACACS scheme in the ISP domain. For more information, see the Security Configuration Guide.
When users adopt the scheme mode to log in to the device, the level of the commands that the users can access depends on the user privilege level defined in the AAA scheme.
• When the AAA scheme is local, the user privilege level is defined by the authorization-attribute level level command.
• When the AAA scheme is RADIUS or HWTACACS, the user privilege level is configured on the RADIUS or HWTACACS server.
For more information about AAA, RADIUS, and HWTACACS, see the Security Configuration Guide.
When you log in to the device through Telnet again:
• You are required to enter the login username and password. A prompt such as <HP> appears after you enter the correct username (for example, admin) and password and press Enter, as shown in Figure 15.
• After you enter the correct username and password, if the devi
30. string containing any character among 1 6 and A 1 36A matches a string containing any character among 1 2 3 6 and A is a hyphen can be matched as a common character only when it is put at the beginning of characters within the brackets for example string There is no such limit on A character group It is usually used with or For example 123A means a character group 123A 408 12 matches 40812 or 408121212 But it does not match 408 11 Character Meaning Remarks Repeats the character string specitied by the index A character string refers to the string within before index refers to the sequence number starting from 1 For example string 1 repeats string and a matching string must contain stringstring string 1 string2 2 repeats string2 and a index from left to right of the character matching string must contain string I string2string 2 group before N If only one character string 1 string2 1 2 repeats string and string2 group appears before N index can respectively and a matching string must contain only be 1 if n character groups string I string 2string I string2 appear before index index can be any integer from 1 to n For example 16A means to match a string containing any character except 1 6 or A and the X Matches a single character not matching string can also contain 1 6 or A but d contained within
31. that exists in the directory, the device deletes the original file and then saves the new one. If file download fails due to network disconnection or other reasons, the original system file will never recover because it has been deleted.
• Secure download: The device saves the obtained file to its memory and does not write it to the storage medium until the whole file is obtained. If you download a remote file using a filename destination-filename that exists in the directory, the original file is not overwritten. If file download fails due to network disconnection or other reasons, the original file still exists. This mode is more secure but consumes more memory.
HP recommends that you use the secure mode or, if you use the normal mode, specify a filename not existing in the current directory as the target filename when downloading the system software image file or the startup configuration file.
Before using the tftp command to establish a TFTP connection, you can perform source address binding. Source address binding means configuring an IP address on a stable interface, such as a loopback interface, and then using this IP address as the source IP address of a TFTP connection. The source address binding function simplifies the configuration of ACL rules and security policies. You only need to specify the source or destination address argument in an ACL rule as the address to filter inbound and outbound packets on the device, ignoring the difference
32. the brackets cannot contain these three characters only For example 16A matches abc and m16 but not 1 16 or 16A aia Matches a character string starting For example lt do matches word domain and with string string doa ANS Matches a character string ending For example do gt matches word undo and with string string abcdo Matches character 1 character2 sa RE wih being character can be any character ee bcharacter2 character1 and a being character2 but it does except number letter or underline match 2a or ba and b equals A Za z0 9_ pa ene ae Matches a string containing For example NB matches t in install but not Bcharacter character and no space is allowed before character Y in big top character 1 w Matches character 1 character2 character2 must be a number letter or underline and w equals A Za z0 9_ For example v w matches vlan with v being character and being character2 v w also matches service with i being character2 g For example Wa matches a with bein P g W Equals b character and a being character2 but does not match 2a or ba Escape character If a special AN ES N coe are For example NN matches a string containing N character listed in this table follows mas a
33. the ftp client source or ftp command, this source address is used to communicate with an FTP server.
• If you use the ftp client source command and the ftp command to specify a source address respectively, the source address specified with the ftp command is used to communicate with an FTP server.
• The source address specified with the ftp client source command is valid for all FTP connections, and the source address specified with the ftp command is valid only for the current FTP connection.
Follow these steps to establish an IPv4 FTP connection:
Enter system view: system-view.
Configure the source address of the FTP client: ftp client source { interface interface-type interface-number | ip source-ip-address }. Optional. A switch uses the IP address of the interface determined by the matched route as the source IP address to communicate with the FTP server by default.
Exit to system view: quit.
Log in to the remote FTP server directly in user view: ftp [ server-address [ service-port ] [ source { interface interface-type interface-number | ip source-ip-address } ] ].
Log in to the remote FTP server indirectly in FTP client view: ftp, then open server-address [ service-port ].
Use either approach. The ftp command is available in user view, and the open command is available in FTP client view.
NOTE:
• If there is not a primary IP address configured on the speci
34. the running configuration
Automatic saving of the running configuration occupies system resources, and frequent saving can greatly affect system performance. If the system configuration does not change frequently, disable automatic saving of the running configuration and save it manually. In addition, automatic saving of the running configuration is performed periodically, while manual saving can be used to immediately save the running configuration. Before performing a complicated configuration, manually save the running configuration so that the switch can revert to the previous state if the configuration fails.
Follow the step below to manually save the running configuration:
Manually save the running configuration: archive configuration. Required. Available in user view.
NOTE: Specify the path and filename prefix of a save configuration file before you manually save the running configuration; otherwise, the operation fails.
Setting configuration rollback
Follow these steps to set configuration rollback:
Enter system view: system-view.
Set configuration rollback: configuration replace file filename. Required.
CAUTION: Configuration rollback may fail if one of the following situations is present (if a command cannot be rolled back, the system skips it and processes the next one):
• The complete undo form of a command is no
35. user view
Configuring the detection timer
Some protocols might shut down ports under specific circumstances. For example, MSTP shuts down a BPDU guard enabled port when the port receives a BPDU. Then, the device starts the detection timer. If the port is still down when the detection timer expires, the port quits the shutdown status and resumes its actual physical status.
Follow these steps to configure the detection timer:
Enter system view: system-view.
Configure the detection timer: shutdown-interval time. Optional. The detection interval is 30 seconds by default.
Configuring temperature alarm thresholds (available only on the A3100 v2 EI)
You can set the temperature alarm thresholds to monitor the temperature of a device. The temperature alarm thresholds include lower temperature limit, warning temperature threshold, and temperature alarming threshold. When the device temperature drops below the lower limit or reaches the warning threshold, the device logs the event and outputs a log message and a trap. When the device temperature reaches the alarming threshold, the device constantly outputs log and trap messages to the configuration terminal and lights the temperature alarm LED on the device panel.
Follow these steps to configure temperature alarm thresholds:
Enter system view: system-view.
Optiona
36. username and password on the AAA server. For more information, see the Security Configuration Guide.
Create a local user and enter local user view: local-user user-name. Required. By default, no local user exists.
Set the authentication password for the local user: password { cipher | simple } password. Required.
Specify the command level of the local user: authorization-attribute level level. Optional. By default, the command level is 0.
Specify the service type for the local user: service-type terminal. Required. By default, no service type is specified.
Configure common settings for VTY user interfaces: Optional. See "Configuring common settings for VTY user interfaces (optional)."
After you enable command authorization, you need to perform the following configuration to make the function take effect:
• Create a HWTACACS scheme, and specify the IP address of the authorization server and other authorization parameters. For more information, see the Security Configuration Guide.
• Reference the created HWTACACS scheme in the ISP domain. For more information, see the Security Configuration Guide.
After you enable command accounting, you need to perform the following configuration to make the function take effect:
• Create a HWTACACS scheme, and specify the IP address of the accounting server and other accounting parameters. For more inf
37. users that log in through the current user interface: user privilege level level. Optional. By default, the user privilege level for users logged in through the AUX user interface is 3, and that for users logged in through the VTY interfaces is 0.
Follow these steps to configure the user privilege level under a user interface (none or password authentication mode):
Enter system view: system-view.
Enter user interface view: user-interface { first-num1 [ last-num1 ] | { aux | vty } first-num2 [ last-num2 ] }.
Configure the authentication mode for any user that uses the current user interface to log in to the switch: authentication-mode { none | password }. Optional. By default, the authentication mode for VTY user interfaces is password, and no authentication is needed for AUX login users.
Configure the privilege level of users logged in through the current user interface: user privilege level level. Optional. By default, the user privilege level for users logged in through the AUX user interface is 3, and that for users logged in through the VTY interfaces is 0.
Example of configuring a user privilege level under a user interface
# Authenticate users logged in to the switch through Telnet, verify their password, and specify their user privilege level as 2.
<Sysname> system-view
[Sysname] user-interface vty 0 15
[Sysname-ui-vty0-15] authentication-mode password
[Sysname-ui-vty0-15] set authentication password cipher 123
Sysna
38. validated configurations of the switch.
Display the running configuration file saved on the storage media of the switch: display saved-configuration [ by-linenum ] [ | { begin | exclude | include } regular-expression ]. Available in any view.
Display the configuration files used at this and the next system startup: display startup [ | { begin | exclude | include } regular-expression ]. Available in any view.
Display the valid configuration under the current view: display this [ by-linenum ] [ | { begin | exclude | include } regular-expression ]. Available in any view.
Software upgrade configuration
Switch software overview
Switch software includes the Boot ROM and the system software images. After powered on, the device runs the Boot ROM image, initializes the hardware, and displays the hardware information. Then the device runs the system software image, which provides drivers and adaption for hardware and implements service features. The Boot ROM and system software images are required for the startup and running of a device.
Figure 41 Relationship between the Boot ROM program and the system software images (flowchart: Start; Boot ROM runs; Press Ctrl+B; Enter Boot menu to upgrade Boot ROM or system software; Select the Reboot option to reboot the device; Run system software image; Enter CLI)
39. 005 8 8 2 system time does not by summer offset change After you disable the daylight saving setting the system time automatically decreases by summer offset lock j 13 datetime outside the 26077 o daylight saving time clock summer time ss 01 00 00 UTC Mon range one off 1 00 01 01 2007 date time 2006 1 1 1 00 2006 8 8 2 10 00 00 ss Mon 01 01 2007 i NOTE clock datetime 8 00 If the date time plus date time in the daylight 2007 1 1 summer offset is outside the saving time range clock summer time ss daylight saving time range off 1 00 i date time summer offset eT 1 00 the system time equals 2007 8 8 2 i date time After you disable the daylight saving setting the system time automatically decreases by summer offset 31 clock summer time ss one off 1 00 2007 1 1 1 00 01 00 00 UTC Tue date time outside the daylight saving time range date time 127 2007 8 8 2 clock datetime 1 00 2008 1 1 01 01 2008 Command Effective system time Configuration example System time 3 1 date time in the daylight saving time date time summer offset outside the daylight saving time range date time summer offset clock summer time ss one off 1 00 2007 1 1 1 00 2007 8 8 2 clock datetime 1 30 2007 1 1 23 30 00 UTC Sun 12 31 2006 date time summer offset clock summer time ss range j one off he in the daylight saving time 2007 1 1 1 00 03 00 00 ss Mon range
40. 1 KB free
<Sysname> delete /unreserved flash:/back.cfg
2. Configure the PC (FTP Client)
# Log in to the FTP server through FTP.
c:\> ftp 1.1.1.1
Connected to 1.1.1.1.
220 FTP service ready.
User(1.1.1.1:(none)):ftp
331 Password required for ftp.
Password:
230 User logged in.
# Download the configuration file config.cfg of the device to the PC for backup.
ftp> get config.cfg back-config.cfg
# Upload the configuration file newest.bin to the device.
ftp> put newest.bin
ftp> bye
NOTE:
• You can take the same steps to upgrade configuration file with FTP. When upgrading the configuration file with FTP, put the new file in the storage medium's root directory.
• After you finish transferring Boot ROM through FTP, you must execute the bootrom update command to upgrade Boot ROM.
3. Upgrade the device
# Specify newest.bin as the main system software image file for next startup.
<Sysname> boot-loader file newest.bin main
# Reboot the device, and the system software image file is updated at the system reboot.
<Sysname> reboot
CAUTION: The system software image file used for the next startup must be saved in the storage medium's root directory. You can copy or move a file to the storage medium's root directory. For more information about the boot-loader command, see the Fundamentals Command Reference.
Displaying and maintaining FTP
To do: Display the configur
41. 10 100 52
Configuration procedure
# Create ACL 2000, and configure rule 1 to permit packets sourced from Host B, and rule 2 to permit packets sourced from Host A.
<Sysname> system-view
[Sysname] acl number 2000 match-order config
[Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[Sysname-acl-basic-2000] rule 2 permit source 10.110.100.46 0
[Sysname-acl-basic-2000] quit
# Associate the ACL with the SNMP community and the SNMP group.
[Sysname] snmp-agent community read aaa acl 2000
[Sysname] snmp-agent group v2c groupa acl 2000
[Sysname] snmp-agent usm-user v2c usera groupa acl 2000
Configuring source IP-based login control over web users
You can log in to the web management page of the device through HTTP/HTTPS to remotely manage the devices. By using the ACL, you can control web user access to the device.
Configuration preparation
Before configuration, determine the permitted or denied source IP addresses.
Configuring source IP-based login control over web users
Because basic ACLs match the source IP addresses of packets, you can use basic ACLs to implement source IP-based login control over web users. Basic ACLs are numbered from 2000 to 2999. For more information about ACL, see the ACL and QoS Configuration Guide.
Follow these steps to configure source IP-based login control over web users:
Enter system view: system-view.
Create a basic ACL and enter
42. CA certificate from the certificate issuing server.
[Device] pki retrieval-certificate ca domain 1
# Request a local certificate from a CA through SCEP for the device.
[Device] pki request-certificate domain 1
# Create an SSL server policy myssl, specify PKI domain 1 for the SSL server policy, and enable certificate-based SSL client authentication.
[Device] ssl server-policy myssl
[Device-ssl-server-policy-myssl] pki-domain 1
[Device-ssl-server-policy-myssl] client-verify enable
[Device-ssl-server-policy-myssl] quit
# Create a certificate attribute group mygroup1, and configure a certificate attribute rule, specifying that the Distinguished Name (DN) in the subject name includes the string of new-ca.
[Device] pki certificate attribute-group mygroup1
[Device-pki-cert-attribute-group-mygroup1] attribute 1 issuer-name dn ctn new-ca
[Device-pki-cert-attribute-group-mygroup1] quit
# Create a certificate attribute based access control policy myacp. Configure a certificate attribute based access control rule, specifying that a certificate is considered valid when it matches an attribute rule in certificate attribute group myacp.
[Device] pki certificate access-control-policy myacp
[Device-pki-cert-acp-myacp] rule 1 permit mygroup1
[Device-pki-cert-acp-myacp] quit
# Associate the HTTPS service with SSL server policy myssl.
[Device] ip https ssl-server-policy myssl
# Associate the HTTPS service with certificate attribute based access co
43. CS or RADIUS scheme and reference the RADIUS created scheme in the ISP domain For more information see the Security Configuration Guide e Create the corresponding user and configure password on the HWTACACS or RADIUS server Performs the local f The switch authenticates a user by using the local password first If password ae etn eee eke IE no local password is set the privilege level is switched directly for authentication first local scheme es N oi the users logged in from the AUX port and remote AAA eg AAA authentication is performed on the users logged in From VTY user authentication He Performs remote AAA AAA authentication is performed first and if the remote sheme local authentication first HWTACACS or RADIUS server does not respond or AAA and then the local password authentication configuration on the switch is invalid the local password authentication is performed Follow these steps to set the authentication mode for user privilege level switch To do Use the command Remarks Enter system view system view Set the authentication mode for super authentication mode local Optional user privilege level switch scheme local by default 17 To do Use the command Remarks Required if the authentication Configure the password for user super password level user level mode is set to local privilege level switch simple cipher password By default no privileg
44. Filtering output; Configuring user privilege and command levels; Configuring a user privilege level; Switching user privilege; Modifying the level of a command; Displaying and maintaining; Login; User interface; Users and user interfaces; Numbering user interfaces; CLI login; Logging in through the console; Configuration requirements; Login procedure; Console login authentication modes; Configuring none authentication for console login; Configuring pass
45. HP A3100 v2 Switch Series Fundamentals Configuration Guide
HP A3100-8 v2 SI Switch (JG221A)
HP A3100-16 v2 SI Switch (JG222A)
HP A3100-24 v2 SI Switch (JG223A)
HP A3100-8 v2 EI Switch (JD318B)
HP A3100-16 v2 EI Switch (JD319B)
HP A3100-24 v2 EI Switch (JD320B)
HP A3100-8-PoE v2 EI Switch (JD311B)
HP A3100-16-PoE v2 EI Switch (JD312B)
HP A3100-24-PoE v2 EI Switch (JD313B)
Part number: 5998-1963
Software version: Release 5103
Document version: 6W100-20110909
Legal and notice information
Copyright 2011 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions
46. OTE: For more information about the user-interface and history-command max-size commands, see the chapter "Logging in to the switch commands."
Controlling the CLI display
Multi-screen display
Controlling multi-screen display
If the output information spans multiple screens, each screen pauses after it is displayed. Perform one of the following operations to proceed:
Press Space: Displays the next screen.
Press Enter: Displays the next line.
Press Ctrl+C: Stops the display and the command execution.
Press <PageUp>: Displays the previous page.
Press <PageDown>: Displays the next page.
By default, each screen displays up to 24 lines. To change the maximum number of lines displayed on the next screen, use the screen-length command. For more information about the screen-length command, see the chapter "Logging in to the switch commands."
Disabling multi-screen display
You can use the following command to disable the multi-screen display function. All of the output information will be displayed at one time, and the screen will refresh continuously until the last screen is displayed.
Command: screen-length disable. Required. By default, a login user uses the settings of the screen-length command. The default settings of the screen-length command are: multiple-screen display is enabled and up to 24 lines are displayed on the next screen.
Disable the
47. P server lIs remotefile localfile Optional Change the working directory of the remote FTP EE Optional server Exit the current working directory and return to an f upper level directory of the remote FTP server alp Spiona Display the working directory that is being pid Opiional accessed Create a directory on the remote FTP server mkdir directory Optional Remove the specitied working directory on the diedie Optional remote FTP server Operating the files on an FTP server After the switch serving as the FTP client has established a connection with an FTP server you can upload a file to or download a file from the FTP server under the authorized directory of the FTP server by following these steps For information about establishing an FTP connection see Establishing an FTP connection 1 Use the dir or Is command to display the directory and the location of the file on the FTP server 2 Delete useless files for effective use of the storage space 3 Set the file transfer mode FTP transmits files in two modes ASCII and binary ASCII mode transfers files as text Binary mode transfers files as raw data 4 Use the led command to display the local working directory of the FTP client You can upload the file under this directory or save the downloaded file under this directory 5 Upload or download the file Follow these steps to operate the files on an FTP server To do Use the command Remarks Optional Dis
48. The fast saving mode is suitable for environments where the power supply is stable. The safe mode is preferred in environments where a stable power supply is unavailable or remote maintenance is involved.
Follow these steps to save the current configuration:
Save the current configuration to the specified file, but the configuration file will not be set as the file for the next startup: save file-url.
Save the current configuration to the root directory of the storage medium and specify the file as the startup configuration file to be used at the next system startup: save [ safely ] [ backup | main ] [ force ].
Required. Use either command. Available in any view.
NOTE:
• The configuration file must have the .cfg extension.
• The execution of the save [ safely ] and save [ safely ] main commands has the same effect: The system will save the current configuration and specify the configuration file as the main startup configuration file to be used at the next system startup.
• During the execution of the save [ backup | main ] command, the startup configuration file to be used at the next system startup may be lost if the switch reboots or the power supply fails. The switch will boot with the null configuration, and after the switch reboots, you will need to re-specify a startup configuration file for the next system startup (see Specifying a startup configuration file to be used at the
49. You have logged in to the device By default you can log in to the device through the console port without authentication and have user privilege level 3 after login For information about logging in to the device with the default configuration see Configuration requirements Configuration procedure Follow these steps to configure none authentication for modem login To do Use the command Remarks Enter system view system view Enter one or more AUX user interface views user interface aux firstnumber lastnumber Specify the none authentication mode authentication mode none Required By default users that log in through the console port are not authenticated Configure common settings for VTY user interfaces See Configuring common settings for VTY user interfaces optional Optional When you log in to the device through modems after the configuration you are prompted to press Enter A prompt such as <HP> appears after you press Enter as shown in Figure 24 Figure 24 Configuration page User interface aux is available Press ENTER to get started <HP> Configuring password authentication for modem login Configuration prerequisites You have logged in to the device By default you can log in to the device through the console port without authentication and have user privilege level 3 after login For information about logging in to the device with
50. ace through which automatic configuration is performed and the configuration made by executing the ip host commands in the host name file For more information about the ip host command see the Layer 3 IP Services Command Reference The temporary configuration is removed by executing the undo commands • For more information about DHCP see the Layer 3 IP Services Configuration Guide Principles for selecting an address pool on the DHCP server The DHCP server selects IP addresses and other network configuration parameters from an address pool for clients DHCP supports the following types of address pools • Dynamic address pool A dynamic address pool contains a range of IP addresses and other parameters that the DHCP server dynamically assigns to clients • Static address pool A static address pool contains the binding of an IP address and a MAC address or a client ID The DHCP server assigns the IP address of the binding and specific configuration parameters to a requesting client whose MAC address or ID is contained in the binding In this way the client can get a fixed IP address Select address pools by using one of the following methods • If devices use the same configuration file you can configure a dynamic address pool on the DHCP server to assign IP addresses and the same configuration parameters for example configuration file name to the devices The configuration file can only contain common configurations of the
51. al password login 37 Authentication mode Configuration Remarks Scheme Configure the authentication scheme Select an authentication scheme Remote AAA authentication Configure a RADIUS HWTACACS scheme Configure the AAA scheme used by the domain Configure the username and password on the AAA server Local authentication Configure the authentication username and password Configure the AAA scheme used by the domain as local For more information see Configuring scheme authentication for Telnet login Configuring none authentication for Telnet login Configuration prerequisites You have logged in to the device By default you can log in to the device through the console port without authentication and have user privilege level 3 after login For information about logging in to the device with the default configuration see Configuration requirements Configuration procedure Follow these steps to configure none authentication for Telnet login To do Use the command Remarks Enter system view system view Enable Telnet telnet server enable Required By default the Telnet service is disabled Enter one or multiple VTY user interface views user interface vty first number last number Specify the none authentication mode authentication mode none Required By default authentication mode for VTY user inter
52. alemede or ne ftp update fast normal p server Normal update is used by default Quit to user view quit Manually release the FTP Optional connection established with the free ftp user username specified username Available in user view Configuring authentication and authorization on the FTP server To allow an FTP user to access certain directories on the FTP server you must create an account for the user authorizing access to the directories and associating the username and password with the account The following configuration is used when the FTP server authenticates and authorizes a local FTP user If the FTP server needs to authenticate a remote FTP user you must configure authentication authorization and accounting AAA policy instead of the local user For detailed configuration see the Security Command Reference In local authentication the switch checks the input username and password against those configured on the switch In remote authentication the switch sends the input username and password to the remote authentication server which then checks whether they are consistent with those configured on the switch Follow these steps to configure authentication and authorization for FTP server To do Use the command Remarks Enter system view system view Required Create a local user and enter its EE N No local user exists by default and view the system does not support FTP anonymous use
53. and become DEACTIVE after system reboot For the seven patches in Figure 44 if you activate the first five patches their states change from DEACTIVE to ACTIVE At this time the patch states in the system are as shown in Figure 45 The patches that are in the ACTIVE state are in the DEACTIVE state after system reboot Figure 45 Patches are activated Memory patch area Patch 1 ACTIVE Patch 2 ACTIVE Patch 3 ACTIVE Patch 4 ACTIVE Patch 5 ACTIVE Patch 6 DEACTIVE Patch 7 DEACTIVE Patch 8 IDLE RUNNING state After you confirm the ACTIVE patches are running the patch state becomes RUNNING and they are placed in the RUNNING state after system reboot For the five patches in Figure 45 if you confirm the first three patches are running their states change from ACTIVE to RUNNING At this time the patch states of the system are as shown in Figure 46 The patches that are in the RUNNING state are still in the RUNNING state after system reboot Figure 46 Patches are running Memory patch area Patch 1 RUNNING Patch 2 RUNNING Patch 3 RUNNING Patch 4 ACTIVE Patch 5 ACTIVE Patch 6 DEACTIVE Patch 7 DEACTIVE Patch 8 IDLE Configuration prerequisites Patches are released per switch model Before patching the system you need to save the appropriate patch files to the switch s storage media using FTP or TFTP When saving the patc
54. ands saved in the history command buffer are in the same format in which you typed the commands If you type an incomplete command the command saved in the history command buffer is also incomplete e If you execute the same command repeatedly the switch saves only the earliest record However if you execute the same command in different formats the system saves them as different commands For example if you execute the display cu command repeatedly the system saves only one command in the history command buffer If you execute the command in the format of display cu and display current configuration respectively the system saves them as two separate commands e By default the CLI can save up to 10 commands for each user To set the capacity of the history command buffer for the current user interface use the history command max size command For more information about the history command max size command see the chapter Logging in to the switch commands Configuring the history buffer size Follow these steps to configure the history buffer size To do Use the command Remarks Enter system view system view user interface first num 1 Enter user interface view lastnum1 aux vty firstnum 2 lastnum2 Set the maximum number of Optional history command max size commands that can be saved in the ele By default the history buffer can history buffer save up to 10 commands N
55. ape key default character Optional By default you can press Ctrl C to terminate a task Configure the type of terminal display terminal type ansi vt100 Optional By default the terminal display type is ANSI Set the maximum number of lines on the next screen screen length screen length Optional By default the next screen displays 24 lines A value of 0 disables the function Set the size of history command buffer history command max size value Optional By default the buffer saves 10 history commands Set the idle timeout timer idle timeout minutes seconds Optional The default idle timeout is 10 minutes for all user interfaces The system automatically terminates the user s connection if no information interaction occurs between the device and the user in timeout time Setting idle timeout to 0 disables the timer Specify a command to be automatically executed when a user logs in to the current user interface auto execute command command Optional By default command auto execution is disabled The system automatically executes the specified command when a user logs in to the user interface and tears down the user connection after the command is executed If the command triggers another task the system does not tear down the user connection until the task is completed A Te
56. arks Available in user view Multiple users can log in to the system to simultaneously configure the device In some circumstances when the administrator wants to make configurations without interruption from the users that have logged in through other user interfaces the administrator can execute the command to release the connections established on the specified user interfaces free user interface num aux vty num2 Release a specified user interface You cannot use this command to release the connection that you are using Available in user view Lock the current user interface lock By default the current user interface is not locked Send messages to the specified send all num1 aux vty f Available in user view user interfaces num2 65 Web login Web login overview The device provides a built in web server that enables you to log in to the web interface of the device from a PC Web login is disabled by default To enable web login log in to the device via the console port and perform the following configuration e Enable HTTP or HTTPS service e Configure the IP address of the VLAN interface e Configure a username and password The device supports the following web login methods e HTTP login The Hypertext Transfer Protocol HTTP is used for transferring web page information across the Internet It is an application layer protocol in the TCP IP protocol suite The
57. ation of the FTP client Use the command Remarks display ftp client configuration begin exclude include regular expression Available in any view Display the configuration of the FTP server display ftp server begin exclude include regular expression Available in any view Display detailed information about logged in FTP users display ftp user begin exclude include regular expression Available in any view TFTP configuration TFTP overview Introduction to TFTP The Trivial File Transfer Protocol TFTP provides functions similar to those provided by FTP but it is less complex than FTP in interactive access interface and authentication It is more suitable in environments where complex interaction is not needed between client and server TFTP uses the UDP port 69 for data transmission For more information about TFTP basic operation see RFC 1350 In TFTP file transfer is initiated by the client • In a normal file downloading process the client sends a read request to the TFTP server receives data from the server and then sends the acknowledgement to the server • In a normal file uploading process the client sends a write request to the TFTP server sends data to the server and receives the acknowledgement from the server TFTP transfers files in the following modes • Binary mode Transfers files as raw data such as app bin and btm files
58. before the login banner • Login banner appears only when password or scheme login authentication has been configured • Incoming banner appears for Modem dial in users and the shell banner appears for users that use any other access method to access the CLI Message input modes The system supports single line input mode and multiple line input mode for configuring a banner 1 Single line input In single line input mode all banner information comes after the command keywords in the same line The start and end characters of the input text must be the same but are not part of the banner information In this case the input text together with the command keywords cannot exceed 510 characters 2 Multiple line input In multiple line input mode all the banner information is input in multiple lines by pressing the Enter key In this case up to 2000 characters can be input Multi line input mode can be achieved in the following methods • Method I Press the Enter key directly after the command keywords type the banner information and end with the character The Enter and characters are not part of the banner information • Method II Type a character after the command keywords at the first line and then press the Enter key Type the banner information and end with the character you type at the first line The character at the first line and the end character are not part of the banner information • Method III Type multi
59. ce prompts you to enter another password of the specified type you will be authenticated for the second time In other words to pass authentication you must enter a correct password as prompted • If All user interfaces are used please try later is displayed it means the current login users exceed the maximum number Please try later Figure 15 Configuration page Telnet 192 168 0 58 Copyright (c) 2010-2011 Hewlett-Packard Development Company Without the owner s prior written consent no decompiling or reverse engineering shall be allowed Login authentication Username admin Password <HP> Configuring common settings for VTY user interfaces optional Follow these steps to configure common settings for VTY user interfaces To do Use the command Remarks Enter system view system view Enable display of copyright information copyright info enable Optional Enabled by default Enter one or multiple VTY user interface views user interface vty first number last number User interface configuration Enable the terminal service shell Optional Enabled by default Enable the current user interface s to support either Telnet SSH or both of them protocol inbound all ssh telnet Optional By default both protocols are supported The configuration takes effect next time you log in Define a shortcut key for terminating tasks esc
60. Log in to the iMC and configure SNMP settings for the iMC to find the device After the device is found you can manage and maintain the device through the iMC For example you can query device information or configure device parameters The SNMP settings on the iMC must be the same as those configured on the device If not the device cannot be found or managed by the iMC See the iMC manuals for more information Click Help in the upper right corner of each configuration page to get corresponding help information User login control User login control methods The device provides the following login control methods Login through Telnet: Configuring source IP based login control over Telnet users (Basic ACL), Configuring source and destination IP based login control over Telnet users (Advanced ACL), Configuring source MAC based login control over Telnet users (Ethernet frame header ACL) Login through NMS: Configuring source IP based login control over NMS users (Basic ACL) Login through Web: Configuring source IP based login control over web users (Basic ACL) Configuring login control over Telnet users Configuration pre
61. command will not run if you fail to make a confirmation within 30 seconds or enter N to cancel the operation Verifying and diagnosing transceiver modules Verifying transceiver modules You can verify the genuineness of a transceiver module in the following ways • Display the key parameters of a transceiver module including its transceiver type connector type central wavelength of the transmit laser transfer distance and vendor name • Display its electronic label The electronic label is a profile of the transceiver module and contains the permanent configuration including the serial number manufacturing date and vendor name The data is written to the storage component during debugging or testing Perform the following commands in any view to verify transceiver modules To do Use the command Display key parameters of transceiver modules display transceiver interface interface type interface number begin exclude include regular expression Display transceiver modules electronic label information display transceiver manuinfo interface interface type interface number begin exclude include regular expression NOTE The display transceiver manuinfo command cannot display information for some transceiver modules Diagnosing transceiver modules The device provides the alarm function and digital diagnosis function for transceiver modules When a transceiver mod
62. configuration command • Ctrl L corresponds to the display ip routing table command • Ctrl O corresponds to the undo debugging all command Table 3 Hotkeys reserved by the system Hotkey Function Ctrl A Moves the cursor to the beginning of the current line Ctrl B Moves the cursor one character to the left Ctrl C Stops performing a command Ctrl D Deletes the character at the current cursor position Ctrl E Moves the cursor to the end of the current line Ctrl F Moves the cursor one character to the right Ctrl H Deletes the character to the left of the cursor Ctrl K Terminates an outgoing connection Ctrl N Displays the next command in the history command buffer Ctrl P Displays the previous command in the history command buffer Ctrl R Redisplays the current line information Ctrl V Pastes the content in the clipboard Ctrl W Deletes all the characters in a continuous string to the left of the cursor Ctrl X Deletes all characters to the left of the cursor Ctrl Y Deletes all characters to the right of the cursor Ctrl Z Exits to user view Ctrl Terminates an incoming connection or a redirect connection Esc B Moves the cursor to the leading character of the continuous string to the left Esc D Deletes all the characters of the continuous string at the current cursor position and to the right of the cursor Esc F Moves the cursor to the front of the next
63. configuration max commands The saved configuration files are cleared • The value of the file number argument is determined by memory space Set a comparatively small value for the file number argument if the available memory space is small Enabling automatic saving of the running configuration You can configure the system to save the running configuration at a specified interval and use the display archive configuration command to view the filenames and save time of the saved configuration files This enables you to easily roll back the current configuration to a previous configuration state Configure an automatic save interval based on the storage media s performance and the frequency of configuration modification using the following guidelines If the configuration of the switch does not change frequently manually save the running configuration as needed Save the running configuration manually or configure automatic saving with an interval longer than 1 440 minutes 24 hours Follow these steps to enable automatic saving of the running configuration To do Use the command Remarks Enter system view system view Enable automatic saving of the running configuration and set the interval archive configuration interval minutes Optional Disabled by default NOTE The path and filename prefix for saving configuration files must be specified before you configure the automatic saving period Manually saving
64. connection oriented Transport Control Protocol TCP is adopted at the transport layer The device supports HTTP 1 0 e HTTPS login The Secure HTTP HTTPS refers to the HTTP protocol that supports the Security Socket Layer SSL protocol HTTPS uses SSL to encrypt the data exchanged between the HTTPS client and the server to ensure data security and integrity You can define a certificate attribute based access control policy to allow legal clients to access the device securely and to prohibit illegal clients The following table shows the configuration requirements of web login Object Requirements Configure the IP address of the VLAN interface Make sure the device and the PC can reach each other Device Configuring HTTP login Required to use one approach Configuring HTTPS login Install a web browser PC Obtain the IP address of the VLAN interface of the device Configuring HTTP login Follow these steps to configure HTTP login To do Use the command Remarks Enter system view system view Required Enable the HTTP service ip http enable Enabled by default 66 To do Configure the HTTP service port number Use the command ip http port portnumber Remarks Optional 80 by default If you execute the command multiple times the last one takes effect Associate the HTTP service with an ACL ip http acl ac number Optional By default the HTTP service is not associat
65. continuous string to the right Moves the cursor down by one line available before you press Esc N Enter Esc P Moves the cursor up by one line available before you press Enter Esc lt Specifies the cursor as the beginning of the clipboard Esc gt Specifies the cursor as the ending of the clipboard NOTE The hotkeys in Table 3 are defined by the switch If the same hotkeys are defined by the terminal software that you use to interact with the switch the hotkeys defined by the terminal software take effect Redisplaying input but not submitted commands If your command input is interrupted by output system information you can use this feature to redisplay the commands input previously but not submitted Follow these steps to enable redisplaying of commands previously input but not submitted To do Use the command Remarks Enter system view system view i i i Required Enable redisplaying of input but EE ER q not submitted commands Disabled by default NOTE e f you have no input at the command line prompt and the system outputs system information such as logs the system will not display the command line prompt after the output e If the system outputs system information when you are typing interactive information not YES NO for confirmation the system does not redisplay the prompt information but a line break after the output and then display what you have typed e For more information about th
66. d Specify the view in which the commands in the job run view view name You can specify only one view for a job The job executes all commands in the specified view Add commands to the job Configure a command to run at a specific time and date time time id at time date command command Configure a command to run at a specific time time time id one off repeating at time month date month day week day week daylist command command Configure a command to run after a delay time time id one off repeating delay time command command Required Use any of the commands NOTE Changing the system time does not affect the execution time of the job set by the time at command or the time delay command Disabling Boot ROM access By default anyone can press Ctrl B during startup to enter the Boot menu and configure the Boot ROM To protect the system you can disable Boot ROM access so the users can access only the CLI You can also set a Boot ROM password the first time you access the Boot menu to protect the Boot ROM To view Boot ROM accessibility status use the display startup command For more information about the display startup command see the Fundamentals Command Reference Follow the step below to disable Boot ROM access To do Use the command Remarks Disable Boot ROM access undo startup bootrom access enable Required By default Boot ROM access is enabled Available in
67. d quit current view Available in any view NOTE e The quit command in user view stops the current connection between the terminal and the device e In public key code view use the public key code end command to return to the parent view public key view In public key view use the peer public key end command to return to system view Returning to user view This feature allows you to return to user view from any other view without using the quit command repeatedly You can also press Ctrl Z to return to user view from the current view Follow the step below to exit to user view To do Use the command Remarks Required Return to user view return Available in any view except user view Using the CLI online help Type a question mark to obtain online help See the following examples 1 Type in any view to display all commands available in this view as well as brief descriptions of the commands For example lt sysname gt User view commands archive Specify archive settings backup Backup next startup configuration file to TFTP server boot loader Set boot loader bootrom Update read backup restore bootrom cd Change current directory Omitted 2 Type part of a command and a separated by a space If is at the keyword position the CLI displays all possible keywords with a brief description for each keyword For example lt sysname gt terminal debugging Send debug information
68. datetime time date command by using Table as a reference Figure 2 Read command line parameters clock datetime time date Italic Arguments Replace them with actual values at the CLI Boldface Keywords Following this example you can type the following command line at the CLI of your device and press Enter to set the device system time to 10 o clock 30 minutes 20 seconds February 23 2010 <sysname> clock datetime 10 30 20 2 23 2010 More complicated commands can be understood using Table as a reference Undo form of a command The undo form of a command restores the default disables a function or removes a configuration Almost all configuration commands have an undo form For example the info center enable command enables the information center and the undo info center enable command disables the information center CLI view description Commands are grouped into different classes by function To use a command you must enter the class view of the command CLI views adopt a hierarchical structure See Figure 3 After logging in to the switch you are in user view The user view prompt is <device name> In user view you can perform display debugging and file management operations set the system time restart your device and perform FTP and Telnet operations You can enter system view from user view In system view you can configure parameters such as daylight savi
69. device If command accounting is enabled and command authorization is not enabled every executed command is recorded on the HWTACACS server If both command accounting and command authorization are enabled only the authorized and executed commands are recorded on the HWTACACS server Exit to system view quit 49 To do Enter the default ISP domain view Use the command domain domain name Apply the specified AAA scheme to the Configure the domain authentication default hwtacacs scheme hwtacacs scheme name local local none radius scheme radius scheme name local authentication mode Exit to system view quit Remarks Optional By default the AAA scheme is local If you specify the local AAA scheme perform the configuration concerning local user as well If you specify an existing scheme by providing the radius scheme name argument perform the following configuration as well e For RADIUS and HWTACACS configuration see the Security Configuration Guide e Configure the username and password on the AAA server For more information see the Security Configuration Guide Create a local user and enter local user view local user user name Required By default no local user exists Set the local password password cipher simple password Required By default no local password is set Specify the command level of the
70. device via the console port and configure the IP address of VLAN 1 of the device VLAN 1 is the default VLAN <Sysname> system view Sysname interface vlan interface 1 Sysname VLAN interface1 ip address 192 168 20 66 255 255 255 0 Sysname VLAN interface1 quit Create a local user named admin and set the password to admin for the user Specify the Telnet service type for the local user and set the command level to 3 for this user Sysname local user admin Sysname luser admin service type telnet Sysname luser admin authorization attribute level 3 Sysname luser admin password simple admin 2 Configuration on the PC On the PC run the web browser Enter the IP address of the device in the address bar 192 168 20 66 in this example The web login page appears as shown in Figure 28 Figure 28 Web login page Web User Login User Name Password Verify Code Type the user name password verify code select English and click Login The homepage appears After login you can configure device settings through the web interface HTTPS login example Network requirements As shown in Figure 29 to prevent unauthorized users from accessing the Device configure HTTPS login as follows • Configure the Device as the HTTPS server and request a certificate for it • The H
71. e DHCP server assigns an IP address and other configuration parameters such as the configuration file name TFTP server IP address and DNS server IP address to the device e TFTP server Saves files needed in automatic configuration such as the host name file and the configuration file e DNS server resolves between IP addresses and host names In some cases the device resolves its IP address to the host name through the DNS server and then uses the host name to request the configuration file with the same name hostname cfg from the TFTP server If the device gets the domain name of the TFTP server from the DHCP response the device can also resolve the domain name of the TFTP server to the IP address of the TFTP server through the DNS server If the DHCP server TFTP server DNS server and the device are not in the same network segment you need to configure the DHCP relay agent on the gateway 140 How automatic configuration works Automatic configuration works in the following manner 1 During startup the device sets the first up interface if up Layer 2 Ethernet interfaces are available the VLAN interface of the default VLAN of the Ethernet interfaces is selected as the first up interface as the DHCP client to request parameters from the DHCP server such as an IP address and name of a TFTP server IP address of a DNS server and the configuration file name 2 After getting related parameters the device sends a TFTP reques
72. Configuring none authentication for modem login 56 Configuring password authentication for modem login 57 Configuring scheme authentication for modem login 58 Configuring common settings for modem login optional 62 Displaying and maintaining CLI login 64 Web login overview 66 Configuring HTTP login 66 Displaying and maintaining web login 70 Web login example 70 HTTP login example 70 HTTPS login example 71 NMS login overview 74 Configuring NMS login 74
73. e GENE NA matches a string containing and b the specific meaning of the character is removed matches a string containing b

Example of filtering output information

1. Example of using the begin keyword

Display the configuration from the line containing user-interface to the last line in the current configuration (the output information depends on the current configuration).

    <Sysname> display current-configuration | begin user-interface
    user-interface aux 0
    user-interface vty 0 15
     authentication-mode none
     user privilege level 3
    return

2. Example of using the exclude keyword

Display the non-direct routes in the routing table (the output depends on the current configuration).

    <Sysname> display ip routing-table | exclude Direct
    Routing Tables: Public
    Destination/Mask    Proto   Pre  Cost  NextHop       Interface
    1.1.1.0/24          Static  60   0     192.168.0.0   Vlan1

3. Example of using the include keyword

Display the route entries that contain Vlan in the routing table (the output depends on the current configuration).

    <Sysname> display ip routing-table | include Vlan
    Routing Tables: Public
    Destination/Mask    Proto   Pre  Cost  NextHop       Interface
    192.168.1.0/24      Direct  0    0     192.168.1.42  Vlan999

Configuring user privilege and command levels

Introduction

To avoid unauthorized access, the switch defines user privilege levels and command levels. User privilege levels corr
74.
- On a device that serves as the SSH client, you can log in to an SSH server to perform operations on the server.
- On a device that serves as the SSH server, you can configure the authentication mode and user level for SSH users. By default, password authentication is adopted for SSH login, but no login password is configured, so you cannot log in to the device through SSH by default. Before you can log in to the device through SSH, you need to log in to the device through the console port and configure the authentication mode, user level, and common settings.

This section includes these topics:
- Configuring the SSH server
- Configuring the SSH client to log in to the SSH server

Configuring the SSH server

Configuration prerequisites

You have logged in to the device, and want to log in to the device through SSH in the future. By default, you can log in to the device through the console port without authentication and have user privilege level 3 after login. For information about logging in to the device with the default configuration, see Configuration requirements.

Configuration procedure

Follow these steps to configure the device that serves as an SSH server:

To do | Use the command | Remarks
Enter system view | system-view | -
Create local key pair(s) | public-key local create { dsa | rsa } | Required. By default, no local key pair(s) are created.
Enable SSH server | ssh server enable | Required. By default SSH server is d
75. e for the current login. After the user logs back in, the user privilege restores to the original level.
- To avoid problems, HP recommends that administrators log in to the switch by using a lower privilege level and view switch operating parameters. To maintain the switch, administrators can temporarily switch to a higher level. If the administrators need to leave or need to ask someone else to temporarily manage the switch, they can switch to a lower privilege level to restrict the operation by others.

Setting the authentication mode for user privilege level switch

- A user can switch to a privilege level equal to or lower than the current one unconditionally and is not required to input a password (if any).
- For security, a user is required to input the password (if any) to switch to a higher privilege level. The authentication falls into one of the following four categories:

local (local password authentication): The switch authenticates a user by using the privilege level switch password input by the user. When this mode is applied, you need to set the password for privilege level switch with the super password command.

scheme (remote AAA authentication through HWTACACS or RADIUS): The switch sends the username and password for privilege level switch to the HWTACACS or RADIUS server for remote authentication. When this mode is applied, you need to perform the following configurations:
- Configure HWTACA
76. e info-center synchronous command, see the Network Management and Monitoring Configuration Guide.

Checking command line errors

If a command contains syntax errors, the CLI reports error information.

Table 4 Common command line errors

Error information | Cause
Unrecognized command found at position | The command was not found.
Incomplete command found at position | Incomplete command
Ambiguous command found at position | Ambiguous command
Too many parameters | Too many parameters
Wrong parameter found at position | Wrong parameters

Using command history

The CLI automatically saves the commands recently used in the history command buffer. You can access these commands and execute them again.

Accessing history commands

Follow a step below to access history commands:

To do | Use the key/command | Result
Display history commands | display history-command | Displays valid history commands you used
Display the previous history command | Up arrow key or Ctrl+P | Displays the previous history command, if any
Display the next history command | Down arrow key or Ctrl+N | Displays the next history command, if any

NOTE: You can use arrow keys to access history commands in Windows 200X and XP Terminal or Telnet. However, the up and down arrow keys are invalid in Windows 9X HyperTerminal, because they are defined differently. You can use Ctrl+P or Ctrl+N instead.
- The comm
77. e level local switch password configured on the switch ae Username and password for Local user privilege level a local scheme le password privilege level switch configured none password P on the AAA server Username and password for scheme ie privilege level switch Username and password for Local user privilege level switch scheme local privilege level switch 18 password r privil level User interface User privilege leve te switch Information input for the authentication ME ea authentication first authentication mode mode mode Local user privilege level Information input after the authentication mode changes local switch password Password for privilege level switch configured on the AAA Local user privilege level server The system uses the local scheme switch password username used for logging in as the privilege level switch username Password for privilege level scheme switch configured on the AAA server The system uses the username used for logging in as the privilege level switch username scheme Password for privilege level switch configured on the AAA server The system uses the username used for logging in as the privilege level switch username scheme local Local user privilege level switch password A CAUTION user privilege level a higher user privilege level configuration When the authentication
78. e level switch password is configured.

CAUTION:
- If no user privilege level is specified when you configure the password for switching the user privilege level with the super password command, the user privilege level defaults to 3.
- Specifying the simple keyword saves the password in plain text, which is less secure than specifying the cipher keyword, which saves the password in cipher text.
- If the user logs in from the AUX user interface (the console port), the user can switch the privilege level to a higher level even if the authentication mode is local and no password for user privilege level switch is configured.

Switching the user privilege level

Follow the step to switch the user privilege level:

To do | Use the command | Remarks
Switch the user privilege level | super [ level ] | Required. When logging in to the switch, a user has a user privilege level, which depends on user interface or authentication user level. Available in user view.

When you switch the user privilege level, the information you need to provide varies with combinations of the user interface authentication mode and the super authentication mode.

Table 6 Information input for user privilege level switch

User interface authentication mode | User privilege level switch authentication mode | Information input for the first authentication mode | Information input after the authentication mode changes
Local user privileg
79. e the command whose keyword partially matches your input, input the complete keyword. When you input a character string that partially matches multiple aliases, the system gives you prompts.
- If you press Tab after you input an alias keyword, the original format of the keyword is displayed.
- You can replace only the first keyword of a non-undo command instead of the complete command. You can replace only the second keyword of undo commands.

Follow these steps to configure command aliases:

To do | Use the command | Remarks
Enter system view | system-view | -
Enable the command alias function | command-alias enable | Required. Disabled by default, which means you cannot configure command aliases.
Configure a command alias | command-alias mapping cmdkey alias | Required. Not configured by default.

Configuring CLI hotkeys

Follow these steps to configure CLI hotkeys:

To do | Use the command | Remarks
Enter system view | system-view | -
Configure CLI hotkeys | hotkey { CTRL_G | CTRL_L | CTRL_O | CTRL_T | CTRL_U } command | Optional. The Ctrl+G, Ctrl+L, and Ctrl+O hotkeys are specified at the CLI by default.
Display hotkeys | display hotkey | Available in any view. See Table 3 for hotkeys reserved by the system.

NOTE: By default, the Ctrl+G, Ctrl+L, and Ctrl+O hotkeys are associated with pre-defined commands as defined below; the Ctrl+T and Ctrl+U hotkeys are not.
- Ctrl+G corresponds to the display current
80. ed

To do | Use the command | Remarks
Enable Telnet | telnet server enable | By default, the Telnet service is disabled.
Enter one or multiple VTY user interface views | user-interface vty first-number [ last-number ] | -
Specify the password authentication mode | authentication-mode password | Required. By default, authentication mode for VTY user interfaces is password.
Set the local password | set authentication password { cipher | simple } password | Required. By default, no local password is set.
Configure the user privilege level for login users | user privilege level level | Required. 0 by default.
Configure common settings for VTY user interfaces | - | Optional. See Configuring common settings for VTY user interfaces (optional).

When you log in to the device through Telnet again:
- You are required to enter the login password. A prompt such as <HP> appears after you enter the correct password and press Enter, as shown in Figure 14.
- If "All user interfaces are used, please try later" is displayed, it means the number of current concurrent login users exceeds the maximum. Please try later.

Figure 14 Configuration page
81. ed with any ACL. Associating the HTTP service with an ACL enables the device to allow only clients permitted by the ACL to access the device.

To do | Use the command | Remarks
Create a local user and enter local user view | local-user user-name | Required. By default, no local user is configured.
Configure a password for the local user | password { cipher | simple } password | Required. By default, no password is configured for the local user.
Specify the command level of the local user | authorization-attribute level level | Required. No command level is configured for the local user.
Specify the Telnet service type for the local user | service-type telnet | Required. By default, no service type is configured for the local user.
Exit to system view | quit | -
Create a VLAN interface and enter its view | interface vlan-interface vlan-interface-id | Required. If the VLAN interface already exists, the command enters its view.
Assign an IP address and subnet mask to the VLAN interface | ip address ip-address { mask | mask-length } | Required. By default, no IP address is assigned to the VLAN interface.

Configuring HTTPS login

Follow these steps to configure HTTPS login:

To do | Use the command | Remarks
Enter system view | system-view | -
Configure PKI and SSL related | | Required. By default, PKI and SSL are not configured.
- For more information about PKI
82.
- Work flow of automatic configuration
- Using DHCP to obtain an IP address and other configuration information
- Obtaining the configuration file from the TFTP server
- Executing the configuration
- Support and other resources

CLI configuration

What is CLI

The command line interface (CLI) enables you to interact with your device by typing text commands. At the CLI, you can instruct your device to perform a given task by typing a text command and then pressing Enter. Compared with a graphical user interface (GUI), where you can use a mouse to perform configuration, the CLI allows you to input more information in one command line.

Figure 1 CLI example

Entering the CLI

HP devices provide multiple methods for entering the CLI, such as through the c
83. eleting a startup configuration file

You can delete a startup configuration file at the CLI. On a switch that has main and backup startup configuration files, you can choose to delete the main, the backup, or both. If the switch has only one startup configuration to be used at the next startup, the system only sets the startup configuration file to NULL.

You may need to delete a startup configuration file to be used at the next startup for one of the following reasons:
- After you upgrade system software, the existing startup configuration files do not match the new system software.
- Startup configuration files are corrupted (often caused by loading a wrong configuration file).

With startup configuration files deleted, the switch uses null configuration at the next startup.

Follow the step below to delete a startup configuration file to be used at the next startup:

To do | Use the command | Remarks
Delete a startup configuration file to be used at the next startup from the storage media | reset saved-configuration [ backup | main ] | Required. Available in user view.

CAUTION: This command permanently deletes startup configuration files to be used at the next startup from the switch. Use the command with caution.

Restoring a startup configuration file

The restore function allows you to copy a configuration file from a TFTP server to the switch and specify the file as the startup configuration file to be used at t
84. equired directory j Available in user view Changing the current working directory To do Use the command Remarks i Required Change the current working ddeil q directory Available in user view Creating a directory To do Use the command Remarks ME Reguired Create a directory mkdir directory Available in user view Removing a directory To do Use the command Remarks ad Reguired Remove a directory rmdir directory Available in user view NOTE e The directory to be removed must be empty meaning that before you remove a directory you must delete all the files and the subdirectory in this directory For file deletion see the delete command for subdirectory deletion see the rmdir command The rmdir command automatically deletes the files in the recycle bin in the current directory Performing file operations You can display the specified directory or file information display file contents rename copy move remove restore and delete files 101 NOTE You can create a file by copying downloading or using the save command Displaying file information To do Display file or directory information Use the command dir all file ur Displaying the contents of a file To do Display the contents of a file Renaming a file To do Rename a file Copying a file To do Copy a file Moving a file To do Move a file Del
85. er

Configure AUX user interface properties:

To do | Use the command | Remarks
Configure the baud rate | speed speed-value | Optional. By default, the baud rate is 9600 bps. Transmission rate is the number of bits that the device transmits to the terminal per second.
Configure the parity check mode | parity { even | none | odd } | Optional. By default, the parity check mode is none, which means no check bit.
Configure the stop bits | stopbits { 1 | 1.5 | 2 } | Optional. By default, the stop bits of the console port is 1. Stop bits are the last bits transmitted in data transmission to unequivocally indicate the end of a character. The more the bits are, the slower the transmission is.
Configure the data bits | databits { 5 | 6 | 7 | 8 } | Optional. By default, the data bits is 8. Data bits is the number of bits representing one character. The setting depends on the contexts to be transmitted. For example, you can set it to 7 if standard ASCII characters are to be sent, and set it to 8 if extended ASCII characters are to be sent.
Define a shortcut key for starting a session | activation-key character | Optional. By default, you can press Enter to start a session.
Define a shortcut key for terminating tasks | escape-key { default | character } | Optional. By default, you can press Ctrl+C to terminate a task.
Configure the flow control mode | flow-control { hardware | none | so
86. er ip ip-address
telnet ipv6 remote-host [ -i interface-type interface-number ] [ port-number ]
(Configure the device to log in to a Telnet server as a Telnet client. Required. Use either command. Available in user view.)

To do | Use the command | Remarks
Specify the source IPv4 address or source interface for sending Telnet packets | telnet client source { interface interface-type interface-number | ip ip-address } | Optional. By default, no source IPv4 address or source interface is specified. The source IPv4 address is selected by routing.

Logging in through SSH

Introduction

Secure Shell (SSH) offers an approach to log into a remote device securely. By providing encryption and strong authentication, it protects devices against attacks such as IP spoofing and plain text password interception. The device supports SSH, and you can log in to the device through SSH to remotely manage and maintain the device, as shown in Figure 17.

Figure 17 SSH login diagram (SSH client, IP network, SSH server)

The following table shows the configuration requirements of SSH login.

Object | Requirements
SSH server | Configure the IP address of the VLAN interface, and make sure the SSH server and client can reach each other. Configure the authentication mode and other settings.
SSH client | Run the SSH client program. Obtain the IP address of the VLAN interface on the server.

By default, the device is enabled with the SSH server and client functions.
87. er local user view

Configure the user privilege level by using AAA authentication parameters (use either approach):
- Using local authentication: Use the level keyword in the authorization-attribute command to configure the user privilege level. For local authentication, if you do not configure the user privilege level, the user privilege level is 0.
- Using remote authentication (RADIUS, HWTACACS authentications): Configure the user privilege level on the authentication server. For remote authentication, if you do not configure the user privilege level, the user privilege level depends on the default configuration of the authentication server.

Example of configuring a user privilege level by using AAA authentication parameters

You are required to authenticate the users that Telnet to the switch through VTY 1, verify their username and password, and specify the user privilege level as 3.

    <Sysname> system-view
    [Sysname] user-interface vty 1
    [Sysname-ui-vty1] authentication-mode scheme
    [Sysname-ui-vty1] quit
    [Sysname] local-user test
    [Sysname-luser-test] password cipher 12345678
    [Sysname-luser-test] service-type telnet

When users telnet to the switch through VTY 1, they need to input username test and password 12345678. After passing authentication, the users can only use level 0 commands. If the users want to use level 0, 1, 2, and 3 commands, the following configuration is required:

    [Sysname-luser-test] authoriza
88. espond to command levels. When a user at a specific privilege level logs in, the user can only use commands at that level or lower levels. All the commands are categorized into four levels: visit, monitor, system, and manage, and are identified from low to high, respectively by 0 through 3. Table 5 describes the command levels.

Table 5 Default command levels

Level | Privilege | Description
0 | Visit | Involves commands for network diagnosis and accessing an external device. Command configuration at this level cannot survive a device restart. Upon device restart, the commands at this level will be restored to the default settings. Commands at this level include ping, tracert, telnet, and ssh2.
1 | Monitor | Involves commands for system maintenance and service fault diagnosis. Commands at this level are not allowed to be saved after being configured. After the switch is restarted, the commands at this level will be restored to the default settings. Commands at this level include debugging, terminal, refresh, reset, and send.
2 | System | Involves service configuration commands, such as routing configuration commands and commands for configuring services at different network levels. By default, commands at this level include all configuration commands except for those at the manage level.

Level | Privilege | Description
Involves commands that influence the basic operation of the system and commands for configuring system suppor
89. ete the files not in use and then perform the following operations.

Log in to the server through FTP.

    <Sysname> ftp 10.1.1.1
    Trying 10.1.1.1 ...
    Connected to 10.1.1.1.
    220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
    User(10.1.1.1:(none)):abc
    331 Give me your password, please
    Password:
    230 Logged in successfully

Set the file transfer mode to binary to transmit system software image file.

    [ftp] binary
    200 Type set to I.

Download the system software image file newest.bin from the PC to the device.

    [ftp] get newest.bin

Upload the configuration file config.cfg of the device to the server for backup.

    [ftp] ascii
    [ftp] put config.cfg back-config.cfg
    227 Entering Passive Mode (10,1,1,1,4,2).
    125 ASCII mode data connection already open, transfer starting for /config.cfg.
    226 Transfer complete.
    FTP: 3494 byte(s) sent in 5.646 second(s), 618.00 byte(s)/sec.
    [ftp] bye

Specify newest.bin as the main system software image file for next startup.

    <Sysname> boot-loader file newest.bin main

Reboot the device, and the system software image file is updated at the system reboot.

    <Sysname> reboot

CAUTION: The system software image file for next startup must be saved in the storage medium's root directory. You can copy or move a file to the storage medium's root directory. For more information about the boot-loader command, see the Fundamentals Command Reference.
90. eting a file To do Move a file to the recycle bin or delete it permanently Use the command more file url Use the command rename fileurl source fileurldest Use the command copy fileurl source fileurl dest Use the command move fileurl source fileurldest Use the command delete unreserved file url 102 Remarks Required Available in user view Remarks Required Only text files can be displayed Available in user view Remarks Required Available in user view Remarks Required Available in user view Remarks Required Available in user view Remarks Required Available in user view AN CAUTION e The files in the recycle bin still occupy storage space To delete a file in the recycle bin execute the reset recycle bin command in the directory to which the file originally belongs HP recommends you to empty the recycle bin periodically with the reset recycle bin command to save storage space e The delete unreserved fi e ur command deletes a file permanently and the action cannot be undone Executing this command equals executing the delete fi e ur command and then the reset recycle bin command in the same directory Restoring a file from the recycle bin To do Use the command Remarks Required Restore a file from the recycle bin undelete file ur Available in user view Emptying the recycle bin To do Use the command Remarks Optional If the
91. f a line Auser stings Ending sign string appears only at For example regular expression user only the end of a line matches a string ending with user not userA Matches any single character such as a single character a special For example s matches as and bs character and a blank Matches the preceding character or P h f P g ol For example zo matches z and zoo character group zero or multiple i group P zo matches zo and zozo imes Matches the preceding character or P g For example zo matches zo and zoo but P character group one or multiple ip times not z Matches the preceding or succeeding character string For example def int only matches a character string containing def or int If it is at the beginning or the end of a regular expression it equals or In other cases it equals comma space round bracket or curly bracket For example a_b matches a b or a b ab only matches a line starting with ab ab_ only matches a line ending with ab Connects two values the smaller one before it and the bigger one after it to indicate a range together with For example 1 9 means 1 to 9 inclusive a h means a to h inclusive Matches a single character contained within the brackets For example 16A matches a
92. faces is password.

To do | Use the command | Remarks
Configure the command level for login users on the current user interfaces | user privilege level level | Required. By default, the default command level is 0 for VTY user interfaces.
Configure common settings for VTY user interfaces | - | Optional. See Configuring common settings for VTY user interfaces (optional).

When you log in to the device through Telnet again:
- You enter the VTY user interface, as shown in Figure 13.
- If "All user interfaces are used, please try later" is displayed, it means the current login users exceed the maximum number. Please try later.

Figure 13 Configuration page

Configuring password authentication for Telnet login

Configuration prerequisites

You have logged in to the device. By default, you can log in to the device through the console port without authentication and have user privilege level 3 after login. For information about logging in to the device with the default configuration, see Configuration requirements.

Configuration procedure

Follow these steps to configure password authentication for Telnet login:

To do | Use the command | Remarks
Enter system view | system-view | -
Reguir
93. fied source interface, you cannot establish an FTP connection.
- If you use the ftp client source command to configure a source interface and then use it to configure a source IP address, the source IP address overwrites the source interface, and vice versa.

Follow these steps to establish an IPv6 FTP connection:

To do | Use the command | Remarks
Log in to the remote FTP server directly in user view | ftp ipv6 [ server-address [ service-port ] [ source ipv6 source-ipv6-address ] [ -i interface-type interface-number ] ] | Use either approach. The ftp ipv6 command is available in user view, and the open ipv6 command is available in FTP client view.
Log in to the remote FTP server indirectly in FTP client view | ftp ipv6, then open ipv6 server-address [ service-port ] [ -i interface-type interface-number ] |

Operating the directories on an FTP server

After the switch serving as the FTP client has established a connection with an FTP server, you can create or delete folders under the authorized directory of the FTP server. For more information about establishing an FTP connection, see Establishing an FTP connection.

Follow these steps to operate the directories on an FTP server:

To do | Use the command | Remarks
Display detailed information about a directory or file on the remote FTP server | dir [ remotefile [ localfile ] ] | Optional
Query a directory or file on the remote FT
94. figuration requirements.

Configuration procedure

Follow these steps to configure scheme authentication for modem login:

To do | Use the command | Remarks
Enter system view | system-view | -
Enter AUX user interface view | user-interface aux first-number [ last-number ] | -
Specify the scheme authentication mode | authentication-mode scheme | Required. Whether local, RADIUS, or HWTACACS authentication is adopted depends on the configured AAA scheme. By default, the authentication mode is none for modem users.
Enable command authorization | command authorization | Optional. See the notes below.

Notes on command authorization:
- By default, command authorization is not enabled.
- By default, command level for a login user depends on the user privilege level. The user is authorized the command with the default level not higher than the user privilege level. With the command authorization configured, the command level for a login user is determined by both the user privilege level and AAA authorization. If a user executes a command of the corresponding command level, the authorization server checks whether the command is authorized. If yes, the command can be executed.
- Before enabling command authorization, configure the AAA authorization server. After you enable command authorization, only commands authorized by the AAA authorization server can be executed.

To do | Use the command | Remarks
Enable command accounting | command accounting | Rema
95. file ends with a return.

Coexistence of multiple configuration files

The switch can save multiple configuration files on its storage media. You can save the configurations used in different networking environments as different configuration files. When the switch moves between networking environments, specify the configuration file as the startup configuration file of the switch and then restart the switch. Multiple configuration files allow the switch to adapt to a network rapidly, saving the configuration workload.

A switch starts up using only one configuration file. However, you can specify two startup configuration files, main startup configuration file and backup startup configuration file, as needed when the switch has main and backup configuration files. The switch starts up using the main startup configuration file. If the main startup configuration file is corrupted or lost, the switch starts up using the backup startup configuration file. Switches supporting main and backup startup configuration files are more secure and reliable.

At any moment, the switch has at most one main startup configuration file and one backup startup configuration file. You can specify neither of the two files (displayed as NULL). You can specify main and backup startup configuration files using one of the following methods:
- Specify them when saving the running configuration. For more information, see Saving the running configuration.
- Speci
96. fter obtaining the configuration file, the device removes the temporary configuration and executes the configuration file. If no configuration file is obtained, the device removes the temporary configuration and starts up with factory defaults.

NOTE: The configuration file is deleted after being executed. Save the configuration by using the save command. Otherwise, the device has to perform automatic configuration again after reboot. For more information about the save command, see the Fundamentals Command Reference.

Support and other resources

Contacting HP

For worldwide technical support information, see the HP support website. Before contacting HP, collect the following information:
- Product model names and numbers
- Technical support registration number (if applicable)
- Product serial numbers
- Error messages
- Operating system type and revision level
- Detailed questions

Subscription service

HP recommends that you register your product at the Subscriber's Choice for Business website: http://www.hp.com/go/wwalerts. After registering, you will receive email notification of product enhancements, new driver versions, firmware updates, and other product resources.

Related information

Documents

To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals
- For related documentation, navigate to the Networking section, and select a ne
97. ftware. Remarks: Optional. By default, the value is none.
To do: Configure the type of terminal display
Use the command: terminal type { ansi | vt100 }
Remarks: Optional. By default, the terminal display type is ANSI. The device supports two types of terminal display: ANSI and VT100. HP recommends that you set the display type of both the device and the client to VT100. If the device and the client use different display types (for example, hyper terminal or Telnet terminal) or both are set to ANSI, when the total number of characters of the edited command line exceeds 80, an anomaly such as cursor corruption or abnormal display of the terminal display may occur on the client.
To do: Configure the user privilege level for login users
Use the command: user privilege level level
Remarks: Optional. 3 by default.
To do: Set the maximum number of lines on the next screen
Use the command: screen-length screen-length
Remarks: Optional. By default, the next screen displays 24 lines at most. A value of 0 disables the function.
To do: Set the size of the history command buffer
Use the command: history-command max-size value
Remarks: Optional. By default, the buffer saves 10 history commands at most.
To do: Set the idle-timeout timer
Use the command: idle-timeout minutes [ seconds ]
Remarks: Optional. The default idle-timeout is 10 minutes. The system automatically terminates the user's connection if no information interaction occurs between the device and the user within the idle timeo
98. fy them when specifying the startup configuration file. For more information, see "Specifying a startup configuration file to be used at the next system startup."
Startup with the configuration file
The switch takes the following steps when it starts up:
1. If the main startup configuration file you specified exists, the switch starts up with this configuration file.
2. If the main startup configuration file you specified does not exist but the backup startup configuration file exists, the switch starts up with the backup startup configuration file.
3. If neither the main nor the backup startup configuration file exists, the switch starts up with null configuration.
Saving the running configuration
Introduction
To make configuration changes take effect at the next startup of the switch, save the running configuration to the startup configuration file to be used at the next startup before the switch reboots.
Modes in saving the configuration
- Fast saving mode: This is the mode when you use the save command without the safely keyword. The mode saves the file more quickly but is likely to lose the existing configuration file if the switch reboots or the power fails during the process.
- Safe mode: This is the mode when you use the save command with the safely keyword. The mode saves the file more slowly but can retain the configuration file in the switch even if the switch reboots or the power fails during the process.
99. g.cfg
 2 drw- - Feb 16 2006 15:20:27 test
 3 -rw- 184108 Feb 16 2006 15:30:20 aaa.bin
14986 KB total (2521 KB free)
Create a new folder mytest in the test directory.
<Sysname> cd test
<Sysname> mkdir mytest
Created dir flash:/test/mytest
Display the current working directory.
<Sysname> pwd
flash:/test
Display the files and the subdirectories in the test directory.
<Sysname> dir
Directory of flash:/test/
 0 drw- - Feb 16 2006 15:28:14 mytest
14986 KB total (2519 KB free)
Return to the upper directory.
<Sysname> cd ..
Display the current working directory.
<Sysname> pwd
flash:
Configuration file management
Configuration file overview
A configuration file contains a set of commands. You can save the current configuration to a configuration file so that the configuration can take effect after a switch reboot. In addition, you can conveniently view the configuration information, or upload and download the configuration file to/from another switch to configure switches in batches.
Types of configuration
The switch maintains the following types of configurations: factory defaults, startup configuration, and running configuration.
Factory defaults
Switches are shipped with some basic settings, which are called factory defaults. These default settings ensure that a switch can start up and run normally when it has no configuration file or the configuration file
100. h files, note that the following rules apply:
- The patch files match the switch model and software version. If they are not matched, the hotfix operation fails.
- Name a patch file properly. Otherwise, the system cannot locate the patch file and the hotfixing operation fails. The name is in the format of "patch_PATCH-FLAG suffix.bin". The PATCH-FLAG is pre-defined and support for the PATCH-FLAG depends on switch model. The first three characters of the version item (using the display patch information command) represent the PATCH-FLAG suffix. The system searches the root directory of the storage medium (Flash by default) for patch files based on the PATCH-FLAG. If there is a match, the system loads patches to or installs them on the memory patch area.
The following table describes the default patch name for the switch series:
PATCH-FLAG: PATCH-311
Default patch name: patch_311.bin
One-step patch installation
To install patches in one step, use the patch install command. After you execute the command, the system displays the message "Do you want to continue running patches after reboot? [Y/N]:".
- Entering y or Y: All of the specified patches are installed and turn to the RUNNING state from IDLE. This equals execution of the commands patch location, patch load, patch active, and patch run. The patches remain RUNNING after system reboot.
- Entering n or N: All of the specified patches are installed and turn to the ACTIVE state from IDLE. T
101. he ampersand (&) sign can be entered 1 to n times.
A line that starts with a pound (#) sign is comments.
GUI conventions
Convention: Description
Boldface: Window names, button names, field names, and menu items are in bold text. For example, the New User window appears; click OK.
>: Multi-level menus are separated by angle brackets. For example, File > Create > Folder.
Symbols
Convention: Description
WARNING: An alert that calls attention to important information that if not understood or followed can result in personal injury.
CAUTION: An alert that calls attention to important information that if not understood or followed can result in data loss, data corruption, or damage to hardware or software.
IMPORTANT: An alert that calls attention to essential information.
NOTE: An alert that contains additional or supplementary information.
TIP: An alert that provides helpful information.
Network topology icons
- Represents a generic network device, such as a router, switch, or firewall.
- Represents a routing-capable device, such as a router or Layer 3 switch.
- Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Port numbering in examples
The port numbers in this document a
102. he next startup
Follow the step below to restore a startup configuration file to be used at the next startup:
To do: Restore a startup configuration file to be used at the next startup
Use the command: restore startup-configuration from src-addr src-filename
Remarks: Required. Available in user view.
NOTE:
- The restore operation restores the main startup configuration file.
- Before restoring a configuration file, ensure that the server is reachable, the server is enabled with TFTP service, and the client has read and write permission.
After execution of the command, use the display startup command in user view to verify that the filename of the configuration file to be used at the next system startup is the same as that specified by the filename argument.
Displaying and maintaining a configuration file
To do: Display the information about configuration rollback
Use the command: display archive configuration [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
To do: Display the factory defaults of the switch
Use the command: display default-configuration [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
To do: Display the current
Use the command: display current-configuration [ [ configuration [ configuration ] | interface [ interface-type ] [ interface-number ] | exclude modules ] [ by-linenum ] [ | { begin | exclude | include } regular-expression ] ]
Remarks: Available in any view.
103. he user status, for example, super.
- The jobs run in the background without displaying any messages except log, trap, and debugging messages.
- In the modular approach:
  - Every job can have only one view and up to 10 commands. If you specify multiple views, the one specified the last takes effect.
  - Input a view name in its complete form. Most commonly used view names include monitor for user view, system for system view, and Vlan-interfacex for VLAN interface view.
  - The time ID (time-id) must be unique in a job. If two time and command bindings have the same time ID, the one configured last takes effect.
Scheduling a job in the non-modular approach
Perform one of the following commands in user view to schedule a job:
To do: Schedule a job to run a command at a specific time
Use the command: schedule job at time [ date ] view view command
To do: Schedule a job to run a command after a delay
Use the command: schedule job delay time view view command
Remarks: Required. Use either command.
NOTE: If you change the system time by using the clock datetime, clock summer-time, or clock timezone command after you configure a scheduled job, the job configuration becomes invalid automatically.
Scheduling a job in the modular approach
Follow these steps to configure a scheduled job:
To do: Enter system view
Use the command: system-view
To do: Create a job and enter job view
Use the command: job job-name
Remarks: Required
Require
104. his equals execution of the commands patch location, patch load, and patch active. The patches turn to the DEACTIVE state after system reboot.
Follow these steps to install the patches in one step:
To do: Enter system view
Use the command: system-view
To do: Install the patches in one step
Use the command: patch install patch-location
Remarks: Required
NOTE:
- The patch matches the switch type and software version.
- To uninstall all patches in one operation, use the undo patch install command, which has the same effect as "Step-by-step patch uninstallation."
Step-by-step patch installation
Follow these steps to load a patch file:
To do: Enter system view
Use the command: system-view
To do: Configure the patch file location
Use the command: patch location patch-location
Remarks: Optional. flash: by default.
To do: Load the patch file from the storage medium to the specified memory patch area
Use the command: patch load slot slot-number
Remarks: Required
To do: Activate the specified patches
Use the command: patch active patch-number slot slot-number
Remarks: Required.
- After you activate a patch, the patch takes effect and is in the test-run stage. After the switch is reset or rebooted, the patch becomes invalid.
- If you find that an ACTIVE patch is of some problem, reboot the switch to deactivate the patch, so as to avoid a series of running faults resulting from patch error.
To do: Confirm the running of the specified patches
Use the command: patch run
105. iew
[FTP-Server] ftp server enable
[FTP-Server] local-user aaa
[FTP-Server-luser-aaa] password cipher hello
[FTP-Server-luser-aaa] service-type ftp
[FTP-Server-luser-aaa] authorization-attribute work-directory flash:/aaa
- Use a text editor on the FTP server to edit batch file auto-update.txt. The following is the content of the batch file:
return
startup saved-configuration new-config.cfg
boot-loader file soft-version2.bin slot 1 main
reboot
2. Configure Device
Log in to the FTP server. (The prompt may vary with servers.)
<Device> ftp 2.2.2.2
Trying 2.2.2.2 ...
Press CTRL+K to abort
Connected to 2.2.2.2.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
User(2.2.2.2:(none)):aaa
331 Give me your password, please
Password:
230 Logged in successfully
[ftp]
Download file auto-update.txt on the FTP server.
[ftp] ascii
[ftp] get auto-update.txt
Download file new-config.cfg on the FTP server.
[ftp] get new-config.cfg
Download file soft-version2.bin on the FTP server.
[ftp] binary
[ftp] get soft-version2.bin
[ftp] bye
<Device>
Change the extension of file auto-update.txt to .bat.
<Device> rename auto-update.txt auto-update.bat
To ensure correctness of the file, use the more command to view the content of the file.
Execute the scheduled automatic execution function to enable Device to be automatically upgraded at 3 am.
<Device> system-view
De
106. iguration file from the TFTP server.
- If not, the device tries to get its host name from the host name file obtained from the TFTP server. If it fails, the device resolves its IP address to the host name through the DNS server. Once the device gets its host name, it requests the configuration file with the same name from the TFTP server.
- If all the operations fail, the device requests the default configuration file from the TFTP server.
TFTP request sending mode
The device selects to unicast or broadcast a TFTP request by using the following workflow:
- If a legitimate TFTP server IP address is contained in the DHCP response, the device unicasts a TFTP request to the TFTP server.
- If not, the device resolves the TFTP server domain name contained in the DHCP response to the IP address through the DNS server. If successful, the device unicasts a TFTP request to the TFTP server; if not, the device broadcasts a TFTP request.
- If the IP address and the domain name of the TFTP server are not contained in the DHCP response or they are illegitimate, the device broadcasts a TFTP request.
NOTE: After broadcasting a TFTP request, the device selects the TFTP server that responds first to obtain the configuration file. If the requested configuration file does not exist on the TFTP server, the request operation fails, and the device removes the temporary configuration and starts up with factory defaults.
Executing the configuration file
A
107. iguration replace file command performs the following actions:
- Preserves all commands present in both the replacement configuration file and the running configuration.
- Removes commands from the running configuration that are not present in the replacement configuration file.
- Applies the commands from the replacement configuration file that are not present in the running configuration.
- Applies the commands from the replacement configuration file that have different configurations in the running configuration.
Configuration task list
Complete these tasks to configure the configuration rollback:
Task: Configuring parameters for saving the running configuration
Remarks: Required
Task: Enabling automatic saving of the running configuration
Task: Manually saving the running configuration
Remarks: Required. Use either approach.
Task: Setting configuration rollback
Remarks: Required
Configuring parameters for saving the running configuration
Before the running configuration is saved manually or automatically, the file path and filename prefix must be configured. After that, the system saves the running configuration with the specified filename (filename prefix_serial number.cfg) to the specified path. The filename of a saved configuration file is like 20080620archive_1.cfg or 20080620archive_2.cfg. The saved configuration files are numbered automatically, from 1 to 1,000 (with an increment of 1). If the serial number reaches 1,000, it restarts from 1. If you change the path or filename pref
108. in
- Configuring common settings for console login (optional)
Configuration requirements
The following table shows the configuration requirements for console port login:
Object: Device
Requirements: No configuration requirement
Object: Terminal
Requirements: Run the hyper terminal program. Configure the hyper terminal attributes.
The port properties of the hyper terminal must be the same as the default settings of the console port shown in the following table:
Setting: Default
Bits per second: 9,600 bps
Flow control: None
Parity: None
Stop bits: 1
Data bits: 8
Login procedure
Step 1: Use the console cable shipped with the device to connect the PC and the device. Plug the DB-9 connector of the console cable into the serial port of the PC, and plug the RJ-45 connector into the console port of your device.
Figure 4 Connect the device and PC through a console cable
WARNING: Identify interfaces to avoid connection errors.
NOTE: The serial port of a PC does not support hot-swap, so do not plug or unplug the console cable into or from the PC when your device is powered on. To connect the PC to the device, first plug the DB-9 connector of the console cable into the PC, and then plug the RJ-45 connector of the console cable into your device. To disconnect the PC from the device, first unplug the RJ-45 connector and then the DB-9 connector.
Step 2: Launch a terminal emulation
109. in to a device through SSH. To do so, log in to the device through the console port, and complete the following configuration:
- Enable the SSH function and configure SSH attributes.
- Configure the IP address of the VLAN interface, and make sure that your device and the SSH client can reach each other (by default, your device does not have an IP address).
- Configure the authentication mode of VTY login users as scheme (password by default).
- Configure the user privilege level of VTY login users (0 by default).
Login method: Logging in through modems
Default state: By default, you can log in to a device through modems. The default user privilege level of modem login users is 3.
Login method: Web login
Default state: By default, you cannot log in to a device through web. To do so, log in to the device through the console port, and complete the following configuration:
- Configure the IP address of the VLAN interface (by default, your device does not have an IP address).
- Configure a username and password for web login (not configured by default).
- Configure the user privilege level for web login (not configured by default).
- Configure the Telnet service type for web login (not configured by default).
Login method: NMS login
Default state: By default, you cannot log in to a device through a network management system (NMS). To do so, log in to the device through the console port, and complete the following configuration:
- Configure the IP address of the VLAN interface and
110. include } regular-expression ]
To do: Display the system time and date
Use the command: display clock [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view
To do: Display or save operating statistics for multiple feature modules
Use the command: display diagnostic-information [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view
To do: Display CPU usage statistics
Use the command: display cpu-usage [ slot slot-number [ cpu cpu-number ] ] [ | { begin | exclude | include } regular-expression ]
Use the command: display cpu-usage entry-number [ offset ] [ verbose ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view
To do: Display historical CPU usage statistics in charts
Use the command: display cpu-usage history [ task task-id ] [ slot slot-number [ cpu cpu-number ] ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view
To do: Display hardware information
Use the command: display device [ [ slot slot-number [ subslot subslot-number ] ] | verbose ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view
To do: Display the electronic label data for the device
Use the command: display device manuinfo [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view
To do: Display device temperature statistics
Use the command: display environment [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view. This command
112. ion domain; configure the username and password on the AAA server. Local authentication: configure the authentication username and password, and configure the AAA scheme used by the domain as local. (Scheme: select an authentication scheme. For more information, see "Configuring scheme authentication for console login.")
NOTE: A newly configured authentication mode does not take effect unless you exit and enter the CLI again.
Configuring none authentication for console login
Configuration prerequisites
You have logged in to the device. By default, you can log in to the device through the console port without authentication and have user privilege level 3 after login. For information about logging in to the device with the default configuration, see "Configuration requirements."
Configuration procedure
Follow these steps to configure none authentication for console login:
To do: Enter system view
Use the command: system-view
To do: Enter AUX user interface view
Use the command: user-interface aux first-number [ last-number ]
To do: Specify the none authentication mode
Use the command: authentication-mode none
Remarks: Required. By default, you can log in to the device through the console port without authentication and have user privilege level 3 after login.
To do: Configure common settings for AUX user interface view
Remarks: Optional. See "Configuring common settings for console login (optional)."
After the configuration, the next time you log
113. is damaged.
Startup configuration
Use startup configuration for initialization when the switch boots. If this file does not exist, the system boots using null configuration. Null configuration is the factory default configuration, which may differ from the default settings for commands. The factory default configuration may vary with switch models.
View the startup configuration using either of the following methods:
- Use the display startup command to view the currently using configuration file, and use the more command to view the content of the configuration file.
- After the reboot of the switch and before configuring the switch, use the display current-configuration command to view the startup configuration.
Running configuration
The running configuration is stored in the temporary storage media of the switch, and will be removed if not saved when the switch reboots. Use the display current-configuration command to view the current validated configuration of the switch.
Format and content of a configuration file
A configuration file is saved as a text file. The following rules apply:
- Only non-default configuration settings are saved.
- Commands in a configuration file are listed in sections by views, usually in the order of system view, interface view, routing protocol view, and user interface view. Sections are separated with one or multiple blank lines or comment lines that start with a pound sign (#).
- A configuration
114. isabled.
To do: Enter one or more VTY user interface views
Use the command: user-interface vty first-number [ last-number ]
To do: Specify the scheme authentication mode
Use the command: authentication-mode scheme
Remarks: Required. By default, authentication mode for VTY user interfaces is password.
To do: Enable the current user interface to support SSH
Use the command: protocol inbound { all | ssh }
Remarks: Optional. By default, Telnet and SSH are supported.
To do: Enable command authorization
Use the command: command authorization
Remarks: Optional.
- By default, command authorization is not enabled.
- By default, command level for a login user depends on the user privilege level. The user is authorized the command with the default level not higher than the user privilege level. With the command authorization configured, the command level for a login user is determined by both the user privilege level and AAA authorization. If a user executes a command of the corresponding command level, the authorization server checks whether the command is authorized. If yes, the command can be executed.
To do: Enable command accounting
Use the command: command accounting
Remarks: Optional.
- By default, command accounting is disabled. The accounting server does not record the commands executed by users.
- Command accounting allows the HWTACACS server to record all executed commands that are supported by the device, regardless of the command execution result. This helps control and monitor user operations on the
115. its view, or enter the view of an existing basic ACL
Use the command: acl [ ipv6 ] number acl-number [ match-order { config | auto } ]
Remarks: Required. By default, no basic ACL exists.
To do: Create rules for this ACL
Use the command: rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } | time-range time-name | fragment | logging ] *
Remarks: Required
To do: Exit the basic ACL view
Use the command: quit
To do: Associate the HTTP service with the ACL
Use the command: ip http acl acl-number
To do: Associate the HTTPS service with the ACL
Use the command: ip https acl acl-number
Remarks: Required to use one command.
Logging off online web users
Follow the step to log off online web users:
To do: Log off online web users
Use the command: free web-users { all | user-id user-id | user-name user-name }
Remarks: Required. Execute the command in user interface view.
Source IP-based login control over web users configuration example
Network requirements
As shown in Figure 35, configure the device to allow only web users from Host B to access.
Figure 35 Network diagram for configuring source IP-based login control (Host A 10.110.100.46, Host B 10.110.100.52, IP network, Device)
Configuration procedure
Create ACL 2000, and configure rule 1 to permit packets sourced from Host B.
<Sysname> system-view
[Sysname] acl number 2030 match-order config
[Sysname-acl-basic-2030] rule 1 permit source 10.110.100.52 0
Associate the ACL with the HTTP service so that only web users from Hos
116. ix, or reboot the switch, the saved file serial number restarts from 1, and the system recounts the saved configuration files. If you change the path of the saved configuration files, the files in the original path become common configuration files, are not processed as saved configuration files, and are not displayed when you view saved configuration files.
The number of saved configuration files has an upper limit. After the maximum number of files is saved, the system deletes the oldest files when the next configuration file is saved.
Follow these steps to configure parameters for saving the running configuration:
To do: Enter system view
Use the command: system-view
To do: Configure the path and filename prefix for saving configuration files
Use the command: archive configuration location directory filename-prefix filename-prefix
Remarks: Required. By default, the path and filename for saving configuration files are not configured, and the system does not save the configuration file at a specified interval.
To do: Set the maximum number of configuration files that can be saved
Use the command: archive configuration max file-number
Remarks: Optional. The default number is 5.
NOTE:
- If the undo archive configuration location command is executed, the running configuration cannot be saved either manually or automatically, and the configuration is restored to the default by executing the archive configuration interval and archive
117. l. By default:
- The lower temperature limit is 5°C (41°F).
- The warning temperature threshold is 70°C (158°F).
- The alarming temperature threshold is 80°C (176°F).
The warning and alarming thresholds must be higher than the lower temperature limit. The alarming threshold must be higher than the warning threshold.
To do: Configure temperature alarm
Use the command: temperature-limit slot slot-number inflow sensor-number lowerlimit warninglimit alarmlimit
NOTE: This feature is available only on PoE-capable models of the A3100 v2 EI Switch Series.
Clearing idle 16-bit interface indexes
The device must maintain persistent 16-bit interface indexes and keep one interface index match one interface name for network management. After deleting a logical interface, the device retains its 16-bit interface index so the same index can be assigned to the interface at interface re-creation. To avoid index depletion causing interface creation failures, you can clear all 16-bit indexes that have been assigned but not in use. The operation does not affect the interface indexes of the interfaces that have been created, but the indexes assigned to re-created interfaces might change.
Follow the step below to clear idle 16-bit interface indexes:
To do: Clear idle 16-bit interface indexes
Use the command: reset unused porttag
Remarks: Required. Available in user view.
NOTE: A confirmation is required when you execute this command. The
118. le, or power off the device and then power it on so the system can reboot with the backup system software image file.
Rebooting the device immediately at the CLI
Perform the following command in user view to reboot the device:
To do: Reboot the device immediately
Use the command: reboot [ slot slot-number ]
Remarks: Required. The slot-number argument must be 1.
Scheduling a device reboot
Perform one of the following commands in user view to schedule a device reboot:
To do: Schedule a reboot to occur at a specific time and date
Use the command: schedule reboot at hh:mm [ date ]
To do: Schedule a reboot to occur after a delay
Use the command: schedule reboot delay { hh:mm | mm }
Remarks: Required. Use either command. The scheduled reboot function is disabled by default. The two commands overwrite each other.
NOTE:
- The system displays the alert "REBOOT IN ONE MINUTE" one minute before the reboot.
- For data security, if you are performing file operations at the reboot time, the system does not reboot.
Scheduling jobs
You can schedule a job to automatically run a command or a set of commands without administrative interference. The commands in a job are polled every minute. When the scheduled time for a command is reached, the job automatically executes the command. If a confirmation is required while the command is running, the system automatically inputs Y or Yes. If characters are required, the system automatically in
119. le 11 In the first column of this table 1 represents the clock datetime command 2 represents the clock timezone command and 3 represents the clock summer time command To verify the system time setting use the display clock command This table assumes that the original system time is 2005 1 1 1 00 00 Table 11 System time configuration results Command Effective system time Configuration example System time 1 datetime clock datetime 1 00 01 00 00 UTC Mon 2007 1 1 01 01 2007 2 Original system time clock timezone 02 00 00 zone time Sat zone offset zone time add 1 01 01 2005 126 Command Effective system time Configuration example System time clock datetime 2 00 2007 2 2 03 00 00 zone time Fri 1 2 tetime zone offset i EE ZONE ONEE clock timezone 02 02 2007 zone time add 1 clock timezone 2 1 datetime zone time add 1 03 00 00 zone time Sat clock datetime 3 00 03 03 2007 2007 3 3 The original system time outside the daylight saving time range clock summer time ss one off 1 00 01 00 00 UTC Sat The system time does not 2006 1 1 1 00 01 01 2005 change until it falls into 2006 8 8 2 the daylight saving time range 03 00 00 ss Sat 01 01 2005 3 NOTE The original system time i ine yong ina ae ve es plus summer offset is in the daylight saving time clock summer time ss j oe one off 00 30 beyond the daylight saving 2005 1 1 1 00 time range the original The system time increases 2
120. le for Telnet login: none, password, and scheme.
- none: Requires no username and password at the next login through Telnet. This mode is insecure.
- password: Requires password authentication at the next login through Telnet. Keep your password. If you lose your password, log in to the device through the console port to view or modify the password.
- scheme: Requires username and password authentication at the next login through Telnet. Authentication falls into local authentication and remote authentication. To use local authentication, configure a local user and related parameters. To use remote authentication, configure the username and password on the remote authentication server. For more information about authentication modes and parameters, see the Security Configuration Guide. Keep your username and password. If you lose your local authentication password, log in to the device through the console port to view or modify the password. If you lose your remote authentication password, contact the administrator.
The following table lists Telnet login configurations for different authentication modes:
Authentication mode: None
Configuration: Configure not to authenticate users
Remarks: For more information, see "Configuring none authentication for Telnet login."
Authentication mode: Password
Configuration: Configure to authenticate users by using the local password; Set the loc
Remarks: For more information, see "Configuring password authentication for Telnet
121. lephone cable that works properly Authentication configuration has been completed on the remote switch Login procedure Step1 Set up a configuration environment as shown in Figure 19 connect the serial port of the PC and the console port of the device to a modem respectively Figure 19 Set up a configuration terminal Telephone Telephone ort PC Modem Modem Device 52 Step2 Step3 Step4 Step5 Configuration on the administrator side The PC and the modem are correctly connected the modem is connected to a telephone cable and the telephone number of the remote modem connected to the console port of the remote switch is obtained NOTE Note the following device settings e The baud rate of the Console port is lower than the transmission rate of the modem Otherwise packets may be lost e The parity check mode stop bits and data bits of the console port adopt the default settings Perform the following configurations on the modem that is directly connected to the device T amp F EEEEEEEEEEEEEEEEEEEE ER Restore the factory defaults TSF EEEBEERSRHLDELELEEL EE Configure auto answer on first ring TED SEEEEEEEEEEEEEEEEEEEEER Ignore data Terminal Ready signals SS SSS SS SS SSS ER Disable local flow control SRL 00 Fn Ignore Data Flow Control signals SSO 0 Force DSR to remain on yD DD bp Db a x O TEOL amp EW Disable the modem
122. licy name. Remarks: Optional. By default, the HTTPS service is not associated with any certificate-based attribute access control policy. • Associating the HTTPS service with a certificate-based attribute access control policy enables the device to control the access rights of clients. • You must configure the client-verify enable command in the associated SSL server policy. If not, no clients can log in to the device. • The associated SSL server policy must contain at least one permit rule. Otherwise, no clients can log in to the device. • For more information about certificate attribute-based access control policies, see the Security Configuration Guide. Configure the port number of the HTTPS service: ip https port port-number. Optional. 443 by default. Associate the HTTPS service with an ACL: ip https acl acl-number. Required. By default, the HTTPS service is not associated with any ACL. Associating the HTTPS service with an ACL enables the device to allow only clients permitted by the ACL to access the device. Create a local user and enter local user view: local-user user-name. Required. By default, no local user is configured. Configure a password for the local user: password { cipher | simple } password. Required. By default, no password is configured for the local user. Specify the command level of the local user: authorization-attribute level level. Required. By defa
123. lnet command is usually specified to enable the user to automatically Telnet to the specified device. CAUTION: • The auto-execute command command may disable you from configuring the system through the user interface to which the command is applied. Use it with caution. • Before executing the auto-execute command command and saving the configuration by using the save command, make sure that you can access the device through VTY and AUX user interfaces so that you can remove the configuration if a problem occurs. Configuring the device to log in to a Telnet server as a Telnet client. Configuration prerequisites: You have logged in to the device. By default, you can log in to the device through the console port without authentication and have user privilege level 3 after login. For information about logging in to the device with the default configuration, see Configuration requirements. Figure 16 Log in to another device from the current device (PC, Telnet client, Telnet server). NOTE: If the Telnet client port and the Telnet server port that connect them are not in the same subnet, make sure that the two devices can reach each other. Configuration procedure: Follow the step below to configure the device to log in to a Telnet server as a Telnet client. To do / Use the command / Remarks: telnet remote-host service-port source interface interface-type interface-numb
124. lnet client, Telnet server. The following table shows the configuration requirements of Telnet login. Object / Requirements. Telnet server: Configure the IP address of the VLAN interface, and make sure the Telnet server and client can reach each other. Configure the authentication mode and other settings. Telnet client: Run the Telnet client program. Obtain the IP address of the VLAN interface on the server. By default, the device is enabled with the Telnet server and client functions. • On a device that serves as the Telnet client, you can log in to a Telnet server to perform operations on the server. • On a device that serves as the Telnet server, you can configure the authentication mode and user privilege level for Telnet users. By default, you cannot log in to the device through Telnet. Before you can Telnet to the device, you need to log in to the device through the console port, enable Telnet server, and configure the authentication mode, user privilege level, and common settings. This section includes these topics: • Telnet login authentication modes • Configuring none authentication for Telnet login • Configuring password authentication for Telnet login • Configuring scheme authentication for Telnet login • Configuring common settings for VTY user interfaces (optional) • Configuring the device to log in to a Telnet server as a Telnet client. Telnet login authentication modes: Three authentication modes are availab
125. login control methods; Using command history; Using the CLI online help. V: Verifying and diagnosing transceiver modules. W: Web login example; Web login overview; What is CLI.
126. [Figure 31: iMC login page] Type the username and password, and then click Login. The iMC homepage appears as shown in Figure 32. [Figure 32: iMC homepage]
127. me-ui-vty0-15] user privilege level 2. By default, Telnet users can use level 0 commands after passing authentication. After the configuration above is completed, when users log in to the switch through Telnet, they need to input password 123, and then they can use level 0, 1, and 2 commands. NOTE: • For more information about user interfaces, see the chapter Logging in to the switch configuration. For more information about the user-interface, authentication-mode, and user privilege level commands, see the chapter Logging in to the switch commands. • For more information about AAA authentication, see the Security Configuration Guide. For more information about the local-user and authorization-attribute commands, see the Security Command Reference. • For more information about SSH, see the Security Configuration Guide. Switching user privilege level. Introduction: Users can switch to a different user privilege level temporarily without logging out and terminating the current connection. After the privilege level switch, users can continue to configure the switch without logging back in, but the commands that they can execute have changed. For example, if the current user privilege level is 3, the user can configure system parameters. After switching to user privilege level 0, the user can only execute simple commands like ping and tracert and only a few display commands. The switching operation is effectiv
128. mode is set to local, configure the local password before switching to a higher When the authentication mode is set to scheme, configure AAA related parameters before switching to The privilege level switch fails after three consecutive unsuccessful password attempts. For more information about user interface authentication, see the chapter Logging in to the switch. Modifying the level of a command: All the commands in a view default to different levels. The administrator can change the default level of a command to a different level as needed. Follow these steps to modify the command level. To do / Use the command / Remarks. Enter system view: system-view. Configure the command level in a specified view: command-privilege level level view view command. Required. See Table 5 for the default settings. CAUTION: HP recommends that you use the default command level or modify the command level under the guidance of professional staff. An improper change of the command level may bring inconvenience to your maintenance and operation, or even potential security problems. Saving the current configuration: On the device, you can input the save command in any view to save all of the submitted and executed commands into the configuration file. Commands saved in the configuration file can survive a reboot. The save command does not take effect on one-time commands, such as display commands, which display specified information
129. multi screen display function This command is executed in user view and takes effect for the current user only When the user re logs into the switch the default configuration is restored Filtering output information Introduction You can use regular expressions in display commands to filter output information The following methods are available for filtering output information e Input the begin exclude or include keyword plus a regular expression in the display command to filter the output information e When the system displays the output information in multiple screens use or plus a regular expression to filter subsequent output information equals the keyword begin equals the keyword exclude and equals the keyword include The following definitions apply to the begin exclude and include keywords e begin Displays the first line that matches the specified regular expression and all lines that follow e exclude Displays all lines that do not match the specified regular expression e include Displays all lines that match the specified regular expression A regular expression is a case sensitive string of 1 to 256 characters It supports the following special characters Character Meaning Remarks ee et For example regular expression user only ERG Starting sign string appears only at ees sa n string rae f matches a string beginning with user not the beginning o
130. n domain name authentication default Apply th ppy ne hwtacacs scheme specified AAA hwtacacs scheme name local scheme to the A HOE local none radius scheme omain f radius scheme name local Configure the authentica tion mode Exit to system view quit Optional By default the AAA scheme is local If you specify the local AAA scheme you need to perform local user configuration If you specify an existing scheme by providing the radius scheme name argument perform the following configuration as well e For RADIUS and HWTACACS configuration see the Security Configuration Guide e Configure the username and password on the AAA server For more information about AAA see the Security Configuration Guide Create a local user and enter local user view local user user name Required By default no local user exists Set the authentication password for the local user password cipher simple password Required Specify the command level of the local user authorization attribute level level 32 Optional By default the command level is 0 To do Use the command Remarks Required Specify the service type for the j local user service type terminal By default no service type is specified Optional Configure common settings for AUN user interface view See Configuring common settings for console login optional Afte
131. next system startup. Setting configuration rollback. Configuration rollback: Configuration rollback allows you to revert to a previous configuration state based on a specified configuration file. The specified configuration file must be a valid .cfg file generated by using either the backup function (manually or automatically) or the save command, or, if a configuration file is generated by another switch, the configuration file must comply with the format of the configuration file on the current switch. HP recommends that you use the configuration file that is generated by using the backup function (manually or automatically). Configuration rollback can be applied in the following situations: • Running configuration error. Rolling back the running configuration to a correct one is needed. • The application environment has changed and the switch has to run in a configuration state based on a previous configuration file without being rebooted. Before setting configuration rollback, perform the following steps: 1. Specify the filename prefix and path for saving the running configuration. 2. Save the running configuration with the specified filename (filename prefix + serial number) to the specified path. The running configuration can be saved automatically or manually. When you enter the configuration replace file command, the system compares the running configuration and the specified replacement configuration file. The conf
132. ng time, banners, and shortcut keys. From system view, you can enter different function views. For example, enter interface view to configure interface parameters, create a VLAN and enter its view, enter user interface view to configure login user attributes, create a local user and enter local user view to configure the password and level of the local user. NOTE: Enter in any view to display all the commands that can be executed in this view. Figure 3 Command line views (user view, system view, interface view, VLAN view, user interface view, local user view). Entering system view: When you log in to the device, you automatically enter user view, where <Device name> is displayed. You can perform limited operations in user view, for example, display operations, file operations, and Telnet operations. To perform further configuration on the device, enter system view. Follow the step below to enter system view. To do / Use the command / Remarks. Enter system view: system-view. Required. Available in user view. Exiting the current view: The CLI is divided into different command views. Each view has a set of specific commands and defines the effective scope of the commands. The commands available to you at any given time depend on the view you are in. Follow the step below to exit the current view. To do / Use the command / Remarks. Return to the parent view from the Require
133. ns Enter system view lt Sysname gt system view Download system software image file newest bin from the PC lt Sysname gt tftp 1 2 1 1 get newest bin Upload a configuration file config cfg to the TFTP server lt Sysname gt tftp 1 2 1 1 put config cfg configback cfg Specify newest bin as the main system software image file for the next startup lt Sysname gt boot loader file newest bin bbb bin main Reboot the device and the system software image file is upgraded lt Sysname gt reboot A CAUTION The system software image file used for the next startup must be saved in the storage medium s root directory of the You can copy or move a file to the root directory of the storage medium For more information about the boot loader command see the Fundamentals Command Reference 99 File management Managing files Files such as host software and configuration files that are necessary for the operation of the device are saved in the storage media of the device You can manage files on your device through these operations Performing directory operations Performing file operations Performing batch operations Performing storage medium operations Setting prompt modes Setting prompt modes Setting prompt modes Setting prompt modes and Setting prompt modes Filename formats When you specify a file you must enter the filename in one of the following formats Filename formats Format De
134. nt Their IP addresses are 1 2 1 1 16 and 1 1 1 1 16 respectively The device and PC can reach each other e PC keeps the updated system software image file of the device Use FTP to upgrade the device and back up the configuration file e Set the username to ftp and the password to pwd for the FTP client to log in to the FTP server Figure 38 Upgrading using the FTP server FTP client 1 2 1 1 16 PC Configuration procedure FTP server Internet Device 1 Configure the device FTP Server Create an FTP user account ftp set its password to pwd and the user privilege level to level 3 the manage level Allow user ftp to access the root directory of the flash and specify ftp to use FTP lt Sysname gt system view Sysname luser ftp Sysname luser ftp Sysname luser ftp Sysname luser ftp Sysname luser ftp Enable FTP server Sysname quit Sysname local user ftp password simple pwd authorization attribute level 3 authorization attribute work directory flash service type ftp quit Sysname ftp server enable 93 Check files on your device Remove those redundant to ensure adequate space for the system software image file to be uploaded lt Sysname gt dir Directory of flash 0 drw Dec 07 2005 10 00 57 filename 1 drw Jan 02 2006 14 27 51 logfile 2 rw 1216 Jan 02 2006 14 28 59 config cfg 3 rw 1216 Jan 02 2006 16 27 26 back cfg 14986 KB total 251
135. nt to work with the SSH server. For more information, see the Security Configuration Guide. Logging in through modems. Introduction: The administrator can use two modems to remotely maintain a switch through its Console port over the Public Switched Telephone Network (PSTN) when the IP network connection is broken. This section includes these topics: • Configuration requirements • Login procedure • Modem login authentication modes • Configuring none authentication for modem login • Configuring password authentication for modem login • Configuring scheme authentication for modem login • Configuring common settings for modem login (optional). Configuration requirements: By default, no authentication is needed when you log in through modems, and the default user privilege level is 3. To use this method, perform necessary configurations on both the device side and administrator side. The following table shows the remote login configuration requirements through the console port by using modem dial-in. Object / Requirement. Administrator side: The PC is correctly connected to the modem. The modem is connected to a telephone cable that works properly. The telephone number of the remote modem connected to the console port of the remote switch is obtained. Device side: The console port is correctly connected to the modem. Configurations have been configured on the modem. The modem is connected to a te
136. nfigure the authentication mode. Optional. By default, the AAA scheme is local. If you specify the local AAA scheme, perform the configuration concerning local user as well. If you specify an existing scheme by providing the radius-scheme-name argument, perform the following configuration as well: • For RADIUS and HWTACACS configuration, see the Security Configuration Guide. • Configure the username and password on the AAA server. For more information, see the Security Configuration Guide. Exit to system view: quit. Create a local user and enter local user view: local-user user-name. By default, no local user exists. Set the local password: password { cipher | simple } password. Required. By default, no local password is set. Specify the command level of the local user: authorization-attribute level level. Optional. By default, the command level is 0. Specify the service type for the local user: service-type telnet. Required. By default, no service type is specified. Exit to system view: quit. Configure common settings for VTY user interfaces: Optional. See Configuring common settings for VTY user interfaces (optional). After you enable command authorization, you need to perform the following configuration to make the function take effect: • Create a HWTACACS scheme, and specify the IP address of the authorization
137. ntrol policy myacp. [Device] ip https certificate access-control-policy myacp Enable the HTTPS service. [Device] ip https enable Create a local user named usera, set the password to 123 for the user, and specify the Telnet service type for the local user. [Device] local-user usera [Device-luser-usera] password simple 123 [Device-luser-usera] service-type telnet 2. Configure the host that acts as the HTTPS client. On the host, run the IE browser. In the address bar, enter http://10.1.2.2/certsrv and request a certificate for the host as prompted. 3. Verify the configuration. Enter https://10.1.1.1 in the address bar, and select the certificate issued by new-ca. Then the web login page of the Device appears. On the login page, type the username usera and password 123 to enter the web management page. NOTE: • To log in to the web interface through HTTPS, enter the URL address starting with https://. To log in to the web interface through HTTP, enter the URL address starting with http://. • For more information about PKI configuration commands, see the Security Command Reference. • For more information about the public-key local create rsa command, see the Security Command Reference. • For more information about SSL configuration commands, see the Security Command Reference. NMS login. NMS login overview: An NMS runs the SNMP client software. It offers a user-friendly interface to facilitate netw
138. obtain an IP address and other configuration information. Address acquisition process: As mentioned before, a device sets the first up interface as the DHCP client during startup. The DHCP client broadcasts a DHCP request, where the Option 55 field specifies the information that the client wants to obtain from the DHCP server, such as the configuration file name, domain name and IP address of the TFTP server, and DNS server IP address. After receiving the DHCP response from the DHCP server, the device obtains the IP address and resolves the following fields in the DHCP response: • Option 67 or the file field that specifies the configuration file name. If Option 67 contains the configuration file name, the device does not resolve the file field. If not, the device resolves the file field. • Option 66 that specifies the TFTP server domain name. • Option 150 that specifies the TFTP server IP address. • Option 6 that specifies the DNS server IP address. If no response is received from the DHCP server, the device removes the temporary configuration and starts up with factory defaults. NOTE: • The configuration file name is saved in the Option 67 or file field of the DHCP response. The device first resolves the Option 67 field. If this field contains the configuration file name, the device does not resolve the file field. If not, it resolves the file field. • The temporary configuration contains two parts: the configuration made on the interf
139. on can be established. • If you use the tftp client source command to first configure the source interface and then the source IP address of the packets of the TFTP client, the new source IP address will overwrite the current one, and vice versa. Displaying and maintaining the TFTP client. To do / Use the command / Remarks. Display the configuration of the TFTP client: display tftp client configuration [ | { begin | exclude | include } regular-expression ]. Available in any view. TFTP client configuration example. Network requirements: • As shown in Figure 40, use a PC as the TFTP server and the device as the TFTP client. Their IP addresses are 1.2.1.1/16 and 1.1.1.1/16 respectively. The device and PC can reach each other. • The device downloads a system software image file from PC for upgrading and uploads a configuration file named config.cfg to PC for backup. Figure 40 Smooth upgrading using the TFTP client function (Device: TFTP client, 1.1.1.1/16; PC: TFTP server, 1.2.1.1/16; connected over the Internet). Configuration procedure: 1. Configure the PC (TFTP server); the configuration procedure is omitted. • On the PC, enable the TFTP server. • Configure a TFTP working directory. 2. Configure the device (TFTP client). CAUTION: If the available memory space of the device is not enough, use the fixdisk command to clear the memory or use the delete /unreserved file-url command to delete the files not in use, and then perform the following operatio
140. onsole port through Telnet or through SSH For more information see the chapter Logging in to the switch configuration Command conventions Command conventions help you understand command meanings Commands in HP product manuals comply with the conventions listed in Table 1 Table 1 Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown Italic Italic text represents arguments that you replace with actual values Convention Description Square brackets enclose syntax choices keywords or arguments that are optional Braces enclose a set of required syntax choices separated by vertical bars from Vey Tse which you select one eed Square brackets enclose a set of optional syntax choices separated by vertical pee bars from which you select one or none bele Asterisk marked braces enclose a set of required syntax choices separated by Yie vertical bars from which you select at least one iyan Asterisk marked square brackets enclose optional syntax choices separated by Yle vertical bars from which you select one choice multiple choices or none eee The argument or keyword and argument combination before the ampersand amp sign can be entered 1 to n times A line that starts with a pound sign is comments NOTE The keywords of HP command lines are case insensitive Figure 2 shows how to read the clock
141. original directory of the file to be deleted is not the current working directory this command is required Enter the original working directory of the file to be deleted oi draden ae 7 Available in user view Delete the file in the current ER bn Loree Required directory and in the recycle bin Y Available in user view Performing batch operations A batch file is a set of executable commands Executing a batch file is the same as executing the commands in the batch file one by one Before executing a batch file edit the batch file on your PC and then download the batch file to the device If the suffix of the file is not bat use the rename command to change the suffix to bat Follow these steps to execute a batch file To do Use the command Remarks Enter system view system view Execute a batch file execute filename Required AN CAUTION Executing a batch file does not guarantee successful execution of every command in the batch file If a command has error settings or the conditions for executing the command are not satisfied this command fails to be executed and the system skips to the next command 103 Performing storage medium operations Managing the space of a storage medium When the space of a storage medium becomes inaccessible due to abnormal operations you can use the fixdisk command to restore it The execution of the format command formats the storage medium and all the data on
142. ork management. An agent is a program that resides in the device. It receives and handles requests from the NMS. An NMS is a manager in an SNMP-enabled network, whereas agents are managed by the NMS. The NMS and agents exchange information through the SNMP protocol. The device supports multiple NMS programs, such as iMC and CAMS. By default, you cannot log in to the device through NMS. To enable NMS login, log in to the device via the console port and make the configuration changes described in the following table. The following table shows the configuration requirements of NMS login. Object / Requirements. Device: Configure the IP address of the VLAN interface. Make sure the device and the NMS can reach each other. Configure SNMP settings. NMS: Configure the NMS. For more information, see your NMS manual. Configuring NMS login: Connect the Ethernet port of the PC to an Ethernet port of VLAN 1 of the device, as shown in Figure 30. Make sure the PC and VLAN 1 interface can reach each other. Figure 30 Network diagram for configuring NMS login (PC, IP network, Device). Follow these steps to configure SNMPv3 settings. To do / Use the command / Remarks. Enter system view: system-view. Enable SNMP agent: snmp-agent. Optional. Disabled by default. You can enable SNMP agent with this command or any command that begins with snmp-agent. Configure an SNMP group (Required): snmp-agent group v3 group-name
143. ormation, see the Security Configuration Guide. • Reference the created HWTACACS scheme in the ISP domain. For more information, see the Security Configuration Guide. When users adopt the scheme mode to log in to the device, the level of the commands that the users can access depends on the user privilege level defined in the AAA scheme. • When the AAA scheme is local, the user privilege level is defined by the authorization-attribute level level command. • When the AAA scheme is RADIUS or HWTACACS, the user privilege level is configured on the RADIUS or HWTACACS server. For more information about AAA, RADIUS, and HWTACACS, see the Security Configuration Guide. When you log in to the device through modems after the configuration, you are prompted to enter a login username and password. A prompt such as <HP> appears after you input the password and username and press Enter, as shown in Figure 26. Figure 26 Configuration page: User interface aux is available. Please press ENTER. Login authentication. Username: admin. Password: Configuring common settings for modem login (optional): Follow these steps to configure common settings for modem login. To do / Use the command / Remarks. Enter system view: system-view. Enable display of copyright information: copyright-info enable. Optional. Enabled by default. Enter one or more AUX user interface views: user-interface aux first-number last-number
144. ost acts as the HTTPS client. Request a certificate for it. In this example, Windows Server acts as the CA. Install Simple Certificate Enrollment Protocol (SCEP) add-on on the CA. The name of the CA that issues certificates to the Device and Host is new-ca. Before performing the following configuration, make sure that the Device, Host, and CA can reach each other. Figure 29 Network diagram for configuring HTTPS login (Device 10.1.1.1/24, 10.1.2.1/24, Host, CA). Configuration procedure: 1. Configure the device that acts as the HTTPS server. Configure a PKI entity, configure the common name of the entity as http-server1, and the FQDN of the entity as ssl.security.com. <Device> system-view [Device] pki entity en [Device-pki-entity-en] common-name http-server1 [Device-pki-entity-en] fqdn ssl.security.com [Device-pki-entity-en] quit Create a PKI domain, specify the trusted CA as new-ca, the URL of the server for certificate request as http://10.1.2.2/certsrv/mscep/mscep.dll, authority for certificate request as RA, and the entity for certificate request as en. [Device] pki domain 1 [Device-pki-domain-1] ca identifier new-ca [Device-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll [Device-pki-domain-1] certificate request from ra [Device-pki-domain-1] certificate request entity en [Device-pki-domain-1] quit Create RSA local key pairs. [Device] public-key local create rsa Retrieve the
145. ow these steps to configure source MAC based login control over Telnet users To do Enter system view Use the command system view 79 Remarks To do Use the command Remarks Required Create an Ethernet frame header acl number acl number E ACL and enter its view match order config auto By eas no advanced ACL exists Configure rules for the ACL rine esel perd any Required rule string Exit the advanced ACL view quit OE TEEN user interface type firstnumber lastnumber Required Use the ACL to control user login j 3 by source MAC address acl acl number inbound inbound Filters incoming Telnet packets NOTE The above configuration does not take effect if the Telnet client and server are not in the same subnet Source MAC based login control configuration example Network requirements As shown in Figure 33 configure an ACL on the Device to permit only incoming Telnet packets sourced from Host A and Host B Figure 33 Network diagram for configuring source MAC based login control Host A 10 110 100 46 IP network Device Host B 10 110 100 52 Configuration procedure Configure basic ACL 2000 and configure rule 1 to permit packets sourced from Host B and rule 2 to permit packets sourced from Host A lt Sysname gt system view Sysname acl number 2000 match order config Sysname acl basic 2000 rule 1 permit source 10 110 100 52 0 Sy
146. patch-number slot slot-number. Required. After you confirm the running of a patch, the patch state becomes RUNNING, and the patch is in the normal running stage. After the switch is reset or rebooted, the patch is still valid.

NOTE:
• Set the file transfer mode to binary mode before using FTP or TFTP to upload/download patch files to/from the Flash of the switch. Otherwise, the patch file cannot be parsed properly.
• This operation is applicable to patches in the ACTIVE state only.

Step-by-step patch uninstallation

Follow these steps to stop running patches:

To do | Use the command | Remarks
Enter system view | system-view | -
Stop running the specified patches | patch deactive patch-number slot slot-number | Required. When you stop running a patch, the patch state becomes DEACTIVE, and the system runs in the way before it is installed with the patch.
Delete the specified patches from the memory patch area | patch delete patch-number slot slot-number | Required. Deleting patches only removes the patches from the memory patch area, and does not delete them from the storage medium. The patches turn to the IDLE state after this operation. After a patch is deleted, the system runs in the way it did before the patch was installed.

Displaying and maintaining the software upgrade

To do | Use the command | Remarks
display boot-loader slot slot-number begin exclude Available
147. paration

Before configuration, determine the permitted or denied source IP addresses, source MAC addresses, and destination IP addresses.

Configuring source IP based login control over Telnet users

Because basic ACLs match the source IP addresses of packets, you can use basic ACLs to implement source IP based login control over Telnet users. Basic ACLs are numbered from 2000 to 2999. For more information about ACL, see the ACL and QoS Configuration Guide.

Follow these steps to configure source IP based login control over Telnet users:

To do | Use the command | Remarks
Enter system view | system-view | -
Create a basic ACL and enter its view, or enter the view of an existing basic ACL | acl [ ipv6 ] number acl-number [ match-order { config | auto } ] | Required. By default, no basic ACL exists.
Configure rules for this ACL | rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } | time-range time-name | fragment | logging ] * | Required
Exit the basic ACL view | quit | -
Enter user interface view | user-interface [ type ] first-number [ last-number ] | -
Use the ACL to control user login by source IP address | acl [ ipv6 ] acl-number { inbound | outbound } | Required. inbound: Filters incoming Telnet packets. outbound: Filters outgoing Telnet packets.

Configuring source and destination IP based login control over Telnet users

Because advanced ACLs can match both sou
148. play detailed information about a directory or file on the remote FTP server | dir [ remotefile [ localfile ] ] | Optional. The ls command displays the name of a directory or file only, while the dir command displays detailed information such as the file size and creation time.
Query a directory or file on the remote FTP server | ls [ remotefile [ localfile ] ] | Optional. The ls command displays the name of a directory or file only, while the dir command displays detailed information such as the file size and creation time.
Delete the specified file on the remote FTP server permanently | delete remotefile | Optional
Set the file transfer mode to ASCII | ascii | Optional. ASCII by default.
Set the file transfer mode to binary | binary | Optional. ASCII by default.
Set the data transmission mode to passive | passive | Optional. Passive by default.
Display the local working directory of the FTP client | lcd | Optional
Upload a file to the FTP server | put localfile [ remotefile ] | Optional
Download a file from the FTP server | get remotefile [ localfile ] | Optional

Using another username to log in to an FTP server

After the switch serving as the FTP client has established a connection with the FTP server, you can use another username to log in to the FTP server. For more information about establishing an FTP connection, see "Establishing an FTP connection". This feature allows you
149. ple characters after the command keywords at the first line, with the first and last characters being different, and then press the Enter key. Type the banner information, and end with the first character you type at the first line. The first input character at the first line and the end character are not part of the banner information.

Configuration procedure

Follow these steps to configure a banner:

To do | Use the command | Remarks
Enter system view | system-view | -
Configure the incoming banner | header incoming text | Optional
Configure the login banner | header login text | Optional
Configure the legal banner | header legal text | Optional
Configure the shell banner | header shell text | Optional
Configure the MOTD banner | header motd text | Optional

Banner configuration examples

Configure the shell banner as Welcome to HP.

• Single-line input mode:

    <System> system-view
    [System] header shell SWelcome to HP

• Multiple-line input mode (method):

    <System> system-view
    [System] header shell
    Please input banner content and quit with the character
    Welcome to HP

• Multiple-line input mode (method II):

    <System> system-view
    [System] header shell W
    Please input banner content and quit with the character W
    Welcome to HP

Configuring the exception handling method

You can configure the device to handle system exceptions in one of the following methods:
• reboot: The device a
150. program such as HyperTerminal in Windows XP/Windows 2000. The following takes Windows XP's HyperTerminal as an example. Select a serial port to be connected to the device, and set terminal parameters as follows: set Bits per second to 9600, Data bits to 8, Parity to None, Stop bits to 1, and Flow control to None, as shown in Figure 5 through Figure 7.

NOTE: On Windows 2003 Server operating system, you need to add the HyperTerminal program first, and then log in to and manage the device as described in this document. On Windows 2008 Server, Windows 7, Windows Vista, or some other operating system, you need to obtain a third-party terminal control program first, and follow the user guide or online help of that program to log in to the device.

Figure 5 Connection description

Figure 6 Specify the serial port used to establish the connection

Figure 7 Set the properties of the serial port

Step3 Turn on the device. You are prompted to press Enter if the device successfully completes the power-on self test (POST). A prompt such as <HP> appears after you press Enter, as shown in Figure 8.

Figure 8 Configuration page

    System is starting...
    User interface aux is available.
    Press ENTER to get started.
    <HP>

Step4 Execute commands to configure the device or check the running status of the device. To ge
151. prompted to enter a login username and password. A prompt such as <HP> appears after you input the password and username and press Enter, as shown in Figure 11.

Figure 11 Configuration page

    User interface aux is available.
    Please press ENTER.
    Login authentication
    Username: admin
    Password:

Configuring common settings for console login (optional)

Follow these steps to configure common settings for console port login:

To do | Use the command | Remarks
Enter system view | system-view | -
Enable display of copyright information | copyright-info enable | Optional. Enabled by default.
Enter AUX user interface view | user-interface aux first-number [ last-number ] | -

Configure AUX user interface view properties:

Configure the baud rate | speed speed-value | Optional. By default, the transmission rate is 9600 bps. Transmission rate is the number of bits that the device transmits to the terminal per second.
Configure the parity check mode | parity { even | none | odd } | Optional. none by default.
Configure the stop bits | stopbits { 1 | 1.5 | 2 } | Optional. By default, the stop bits of the console port is 1. Stop bits are the last bits transmitted in data transmission to unequivocally indicate the end of a character. The more the bits are, the slower the transmission is.
Configure the data bits | databits
152. puts a default character string or inputs an empty character string when there is no default character string Job configuration approaches You can configure jobs in a non modular or modular approach Use the non modular approach for a one time command execution and use non modular approach for complex maintenance work Table 12 A comparison of non modular and modular approaches Comparison N Scheduling a job in the non modular Scheduling a job in the modular approach approach Configuration method Configure all elements in one command Separate job view and time settings C Itiple jobs b an multiple jobs be No Yes configured C job h ltipl an a job have multiple o Yes commands User view represented by shell system All views monitor represents user Supported views EP y sy P view view Supported commands Commands in user view and system view Commands in any view C job b tedl an a job be repeatedly Yes executed Can a job b d to th an a job be saved to the Yes configuration file Configuration guidelines e To have a job successfully run a command check that the specified view and command are valid The system does not verify their validity e The configuration interface view and user status that you have before job execution restores even if the job has run a command that changes the user interface for example telnet ftp and ssh2 the view for example system view and quit or t
153. r access
Assign a password to the user | password { simple | cipher } password | Required
Assign the FTP service to the user | service-type ftp | Required. By default, the system does not support anonymous FTP access, and does not assign any service. If the FTP service is assigned, the root directory of the switch is used by default.
Configure user properties | authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | level level | user-profile profile-name | user-role security-audit | vlan vlan-id | work-directory directory-name } * | Optional. By default, the FTP/SFTP users can access the root directory of the switch, and the user level is 0. You can change the default configuration by using this command.

NOTE:
• For more information about the local-user, password, service-type ftp, and authorization-attribute commands, see the Security Command Reference.
• When the switch serves as the FTP server, if the client is to perform the write operations (such as upload, delete, and create) on the device's file system, the FTP login users must be level 3 users; if the client is to perform other operations, such as the read operation, the switch has no restriction on the user level of the FTP login users.

FTP server configuration example

Network requirements

• As shown in Figure 38, use the device as an FTP server, and the PC as the FTP clie
154. r you enable command authorization, you need to perform the following configuration to make the function take effect:
• Create a HWTACACS scheme, and specify the IP address of the authorization server and other authorization parameters. For more information about AAA, see the Security Configuration Guide.
• Reference the created HWTACACS scheme in the ISP domain. For more information about AAA, see the Security Configuration Guide.

After you enable command accounting, you need to perform the following configuration to make the function take effect:
• Create a HWTACACS scheme, and specify the IP address of the accounting server and other accounting parameters. For more information about AAA, see the Security Configuration Guide.
• Reference the created HWTACACS scheme in the ISP domain. For more information about AAA, see the Security Configuration Guide.

When users adopt the scheme mode to log in to the device, the level of the commands that the users can access depends on the user privilege level defined in the AAA scheme.
• When the AAA scheme is local, the user privilege level is defined by the authorization-attribute level level command.
• When the AAA scheme is RADIUS or HWTACACS, the user privilege level is configured on the RADIUS or HWTACACS server.
• For more information about AAA, RADIUS, and HWTACACS, see the Security Configuration Guide.

When you log in to the device through the console port after the configuration, you are
155. ration file to be used at the next startup:

To do | Use the command | Remarks
Specify a startup configuration file to be used at the next startup | startup saved-configuration cfgfile [ backup | main ] | Required. Available in user view.

CAUTION: A configuration file must use .cfg as its extension name, and the startup configuration file must be saved in the storage media's root directory.

Backing up the startup configuration file

The backup function allows you to copy the startup configuration file to be used at the next startup from the switch to the TFTP server. The backup operation backs up the main startup configuration file to the TFTP server for switches supporting main and backup startup configuration files.

Follow the step below to back up the startup configuration file to be used at the next startup:

To do | Use the command | Remarks
Back up the startup configuration file to be used at the next startup to the specified TFTP server | backup startup-configuration to dest-addr [ dest-filename ] | Required. Available in user view.

NOTE: Before the backup operation:
• Make sure that the server is reachable and enabled with TFTP service, and the client has the read and write permission.
• Use the display startup command (in user view) to check whether you have specified a startup configuration file to be used at the next startup. If the file is set as NULL or does not exist, the backup operation fails.

D
156. rce and destination IP addresses of packets, you can use advanced ACLs to implement source and destination IP based login control over Telnet users. Advanced ACLs are numbered from 3000 to 3999. For more information about ACL, see the ACL and QoS Configuration Guide.

Follow these steps to configure source and destination IP based login control over Telnet users:

To do | Use the command | Remarks
Enter system view | system-view | -
Create an advanced ACL and enter its view, or enter the view of an existing advanced ACL | acl [ ipv6 ] number acl-number [ match-order { config | auto } ] | Required. By default, no advanced ACL exists.
Configure rules for the ACL | rule [ rule-id ] { permit | deny } rule-string | Required
Exit advanced ACL view | quit | -
Enter user interface view | user-interface [ type ] first-number [ last-number ] | -
Use the ACL to control user login by source and destination IP addresses | acl [ ipv6 ] acl-number { inbound | outbound } | Required. inbound: Filters incoming Telnet packets. outbound: Filters outgoing Telnet packets.

Configuring source MAC based login control over Telnet users

Ethernet frame header ACLs can match the source MAC addresses of packets, so you can use Ethernet frame header ACLs to implement source MAC based login control over Telnet users. Ethernet frame header ACLs are numbered from 4000 to 4999. For more information about ACL, see the ACL and QoS Configuration Guide.

Foll
157. re for illustration only and might be unavailable on your device.
158. remote authentication. To use local authentication, configure a local user and related parameters. To use remote authentication, configure the username and password on the remote authentication server. For more information about authentication modes and parameters, see the Security Configuration Guide. Keep your username and password.

The following table lists modem login configurations for different authentication modes:

Authentication mode | Configuration | Remarks
None | Configure not to authenticate users | For more information, see "Configuring none authentication for modem login".
Password | Configure to authenticate users by using the local password. Set the local password. | For more information, see "Configuring password authentication for modem login".
Scheme | Configure the authentication scheme. Remote AAA authentication: configure a RADIUS/HWTACACS scheme; configure the AAA scheme used by the domain; configure the username and password on the AAA server. Local authentication: configure the authentication username and password; configure the AAA scheme used by the domain as local. | For more information, see "Configuring scheme authentication for modem login".

NOTE: Modem login authentication changes do not take effect until you exit the CLI and log in again.

Configuring none authentication for modem login

Configuration prerequisites
159. ress ENTER to get started.
    <HP>

Step7 If the authentication mode is password, a prompt (for example, <HP>) appears when you type the configured password on the remote terminal. Then you can configure or manage the router. To get help, type ?.

Step8 Execute commands to configure the device or check the running status of the device. To get help, type ?.

NOTE:
• To terminate the connection between the PC and device, execute the ATH command on the terminal to terminate the connection between the PC and modem. If you cannot execute the command on the terminal, input AT+++ and then press Enter. When you are prompted OK, execute the ATH command, and the connection is terminated if OK is displayed. You can also terminate the connection between the PC and device by clicking the corresponding icon on the HyperTerminal window.
• Do not close the HyperTerminal directly. Otherwise, the remote modem may always be online, and you will fail to dial in the next time.

Modem login authentication modes

The following authentication modes are available for modem dial-in login: none, password, and scheme.
• none: Requires no username and password at the next login through modems. This mode is insecure.
• password: Requires password authentication at the next login through the console port. Keep your password.
• scheme: Requires username and password authentication at the next login through the console port. Authentication falls into local authentication and
160. rface view applies to user A; if user A logs in through VTY 1, the configuration in VTY 1 user interface view applies to user A.

A device can be equipped with one AUX user interface and 16 VTY user interfaces. These user interfaces are not associated with specific users. When a user initiates a connection request, the system automatically assigns the idle user interface with the smallest number to the user based on the login method. During the login, the configuration in the user interface view takes effect. The user interface varies depending on the login method and the login time.

Numbering user interfaces

User interfaces can be numbered by using absolute numbering or relative numbering.

Absolute numbering

Absolute numbering identifies a user interface or a group of different types of user interfaces. The specified user interfaces are numbered from number 0 with a step of 1, and in the sequence of AUX and VTY user interfaces. You can use the display user-interface command without any parameters to view supported user interfaces and their absolute numbers.

Relative numbering

Relative numbering allows you to specify a user interface or a group of user interfaces of a specific type. The number format is "user interface type + number". The following rules of relative numbering apply:
• AUX user interfaces are numbered from 0 in the ascending order, with a step of 1.
• VTY user interfaces are numbered from 0 in the ascending order, wi
161. rks Optional.
• By default, command accounting is disabled. The accounting server does not record the commands executed by users.
• Command accounting allows the HWTACACS server to record all executed commands that are supported by the device, regardless of the command execution result. This helps control and monitor user operations on the device. If command accounting is enabled and command authorization is not enabled, every executed command is recorded on the HWTACACS server. If both command accounting and command authorization are enabled, only the authorized and executed commands are recorded on the HWTACACS server.
• Configure the AAA accounting server before enabling command accounting.

Exit to system view | quit | -

Configure the authentication mode:

Enter the default ISP domain view | domain domain-name
Apply the specified AAA scheme to the domain | authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
Return to system view | quit

Remarks: Optional. By default, the AAA scheme is local. If you specify the local AAA scheme, perform the configuration concerning local user as well. If you specify an existing scheme by providing the radius-scheme-name argument, perform the following configuration as well:
• For RADIUS and HWTACACS configuration, see the Security Configuration Guide.
• Configure the
162. s a command of the corresponding command level, the authorization server checks whether the command is authorized. If yes, the command can be executed. Before enabling command authorization, configure the AAA authorization server. After you enable command authorization, only commands authorized by the AAA authorization server can be executed.

To do | Use the command | Remarks
Enable command accounting | command accounting | Optional.
• By default, command accounting is disabled. The accounting server does not record the commands executed by users.
• Command accounting allows the HWTACACS server to record all executed commands that are supported by the device, regardless of the command execution result. This helps control and monitor user operations on the device. If command accounting is enabled and command authorization is not enabled, every executed command is recorded on the HWTACACS server. If both command accounting and command authorization are enabled, only the authorized and executed commands are recorded on the HWTACACS server.
• Configure the AAA accounting server before enabling command accounting.

Exit to system view | quit | -
Enter the default ISP domain view | domain domain-name
Specify the AAA scheme to be applied to the domain | authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }

Co
163. scription | Length | Example
file-name | Specifies a file in the current working directory. | 1 to 91 characters | a.cfg indicates a file named a.cfg in the current working directory.
path/file-name | Specifies a file in the specified folder in the current working directory. path indicates the name of the folder. You can specify multiple folders, indicating a file under a multi-level folder. | 1 to 135 characters | test/a.cfg indicates a file named a.cfg in the test folder in the current working directory.
drive:/[path]/file-name | Specifies a file in the specified storage medium on the device. drive represents the storage medium name, which is usually flash or cf. If there is only one storage medium on the device, you do not need to provide information about the storage medium. If multiple storage media exist on the device, you must provide the related information to identify the storage medium. | 1 to 135 characters | flash:/test/a.cfg indicates a file named a.cfg in the test folder in the root directory of the flash memory.

Performing directory operations

You can create or remove a directory, display the current working directory, the specified directory, and file information.

Displaying directory information

To do | Use the command | Remarks
Display directory or file information | dir [ /all ] [ file-url ] | Required. Available in user view.

Displaying the current working directory

To do | Use the command | Remarks
Display the current working | pwd | R
165. server and the FTP client can reach each other before establishing the FTP connection.
• When you use IE to log in to the device serving as the FTP server, some FTP functions are not available. This is because multiple connections are established during the login process, but the device supports only one connection at a time.

Configuring the FTP client

NOTE: Only manage-level users can use the ftp command to log in to an FTP server, enter FTP client view, and execute directory and file related commands. However, whether the commands can be executed successfully depends on the FTP server authorizations.

Establishing an FTP connection

Before you can access the FTP server, you must first establish a connection from the FTP client to the FTP server. You can either use the ftp command to establish the connection directly, or use the open command in FTP client view to establish the connection.

When using the ftp command, you can specify the source interface (such as a loopback) or source IP address. The primary IP address of the specified source interface or the specified source IP address is used as the source IP address of sent FTP packets. The source address of the transmitted packets is selected following these rules:
• If no source address is specified, the FTP client uses the interface's IP address determined by the matched route as the source IP address to communicate with an FTP server.
• If the source address is specified with
166. sname-acl-basic-2000] rule 2 permit source 10.110.100.46 0
    [Sysname-acl-basic-2000] quit

Reference ACL 2000 in user interface view to allow Telnet users from Host A and Host B to access the Device.

    [Sysname] user-interface vty 0 4
    [Sysname-ui-vty0-4] acl 2000 inbound

Configuring source IP based login control over NMS users

You can log in to the NMS to remotely manage the devices. SNMP is used for communication between the NMS and the agent that resides in the device. By using the ACL, you can control SNMP user access to the device.

Configuration preparation

Before configuration, determine the permitted or denied source IP addresses.

Configuring source IP based login control over NMS users

Because basic ACLs match the source IP addresses of packets, you can use basic ACLs to implement source IP based login control over NMS users. Basic ACLs are numbered from 2000 to 2999. For more information about ACL, see the ACL and QoS Configuration Guide.

Follow these steps to configure source IP based login control over NMS users:

To do | Use the command | Remarks
Enter system view | system-view | -
Create a basic ACL and enter its view, or enter the view of an existing basic ACL | acl [ ipv6 ] number acl-number [ match-order { config | auto } ] | Required. By default, no basic ACL exists.
Create rules for this ACL (Required): rule [ rule-id ] { permit | deny } source sour-addr sour-wildcard an
167. t B are allowed to access the device.

    [Sysname] ip http acl 2030

FTP configuration

FTP overview

Introduction to FTP

The File Transfer Protocol (FTP) is an application layer protocol for sharing files between server and client over a TCP/IP network. FTP uses TCP ports 20 and 21 for file transfer. Port 20 is used to transmit data, and port 21 to transmit control commands. For more information about FTP basic operations, see RFC 959.

FTP transfers files in the following modes:
• Binary mode: Transfers files as raw data, such as .app, .bin, and .btm files.
• ASCII mode: Transfers files as text, such as .txt, .bat, and .cfg files.

FTP operation

FTP adopts the client/server model. Your device can function either as the client or the server. See Figure 36.
• When the device serves as the FTP client, use Telnet or an emulation program to log in to the device from the PC, execute the ftp command to establish a connection from the device (FTP client) to the PC (FTP server), and then upload/download files to/from the server.
• When the device serves as the FTP server, run the FTP client program on the PC to establish a connection to the FTP server and upload/download files to/from the server.

Figure 36 Network diagram for FTP (Device, Internet, PC)

When the device serves as the FTP client, you need to perform the following configuration:

Table 8 Configuration when the device serves as the FTP client
168. t help, type ?.

Console login authentication modes

The following authentication modes are available for console port login: none, password, and scheme.
• none: Requires no username and password at the next login through the console port. This mode is insecure.
• password: Requires password authentication at the next login through the console port. Keep your password.
• scheme: Requires username and password authentication at the next login through the console port. Authentication falls into local authentication and remote authentication. To use local authentication, configure a local user and related parameters. To use remote authentication, configure the username and password on the remote authentication server. For more information about authentication modes and parameters, see the Security Configuration Guide.

The following table lists console port login configurations for different authentication modes:

Authentication mode | Configuration | Remarks
None | Configure not to authenticate users | For more information, see "Configuring none authentication for console login".
Password | Configure to authenticate users by using the local password. Set the local password. | For more information, see "Configuring password authentication for console login".
Scheme | Configure the authentication scheme. Remote AAA authentication: configure a RADIUS/HWTACACS scheme; configure the AAA scheme used by the
169. t modules. By default, commands at this level involve the configuration commands of file system, FTP, TFTP, Xmodem download, user management, level setting, and parameter settings within a system, which are not defined by any protocols or RFCs. (Level 3, Manage)

Configuring a user privilege level

A user privilege level can be configured by using AAA authentication parameters or under a user interface.

Configure user privilege level by using AAA authentication parameters

If the user interface authentication mode is scheme, the user privilege level of users logging into the user interface is specified in AAA authentication configuration.

Follow these steps to configure the user privilege level by using AAA authentication parameters:

To do | Use the command | Remarks
Enter system view | system-view | -
Enter user interface view | user-interface { first-num1 [ last-num1 ] | { aux | vty } first-num2 [ last-num2 ] } | -
Specify the scheme authentication mode | authentication-mode scheme | Required. By default, the authentication mode for VTY users is password, and no authentication is needed for AUX login users.
Return to system view | quit | -
Configure the authentication mode for SSH users as password | For more information about SSH, see the Security Configuration Guide. | Required if users use SSH to log in, and username and password are needed at authentication.

• Use the local-user command to create a local user and ent
170. t supported. You cannot get the actual undo form of the command by simply putting the keyword undo in front of the command, so the complete undo form of the command cannot be recognized by the switch.
• The configuration cannot be removed, such as hardware-related commands.
• Commands in different views are dependent on each other.
• If the replacement configuration file is not a complete file generated by using the save or archive configuration command, or the file is copied from a different type of switch, the configuration cannot be rolled back. Ensure that the replacement configuration file is correct and compatible with the current switch.
• The configuration file specified with the configuration replace file filename command can only be a configuration file in simple text. Otherwise, errors may occur in configuration rollback.
Specifying a startup configuration file to be used at the next system startup
To specify a startup configuration file to be used at the next system startup, use the following guidelines:
• Use the save command. If you save the running configuration to the specified configuration file in the interactive mode, the system automatically sets the file as the main startup configuration file to be used at the next system startup.
• Use the command dedicated to specify a startup configuration file to be used at the next startup, which is described in the following table.
Follow the step below to specify a startup configu
171. t to obtain the configuration file from the specified TFTP server and executes the configuration file. If the client cannot get such parameters, it uses factory default configuration.
NOTE:
• To implement automatic configuration, you need to configure the DHCP server, DNS server, and TFTP server, but you do not need to perform any configuration on the device that performs automatic configuration.
• Before starting the device, connect only the interface needed in automatic configuration to the network.
Work flow of automatic configuration
Figure 50 shows the work flow of automatic configuration.
Figure 50 Work flow of automatic configuration (flowchart omitted)
Using DHCP to
172. th a step of 1.
CLI login
Overview
The CLI enables you to interact with a device by typing text commands. At the CLI, you can instruct your device to perform a given task by typing a text command and then pressing Enter to submit it to your device. Compared with a GUI, where you can use a mouse to perform configuration, the CLI allows you to input more information in one command line.
You can log in to the device at the CLI through the console port, Telnet, SSH, or modem.
• By default, you can log in to a device through the console port without any authentication, which introduces security problems.
• By default, you cannot log in to a device through Telnet or SSH, so you cannot remotely manage and maintain the device.
Therefore, you need to perform configurations to increase device security and manageability.
Logging in through the console port
Introduction
Logging in through the console port is the most common login method, and is also the first step to configure other login methods. After logging in to the device through the console port, you can configure other login methods. By default, you can log in to a device only through its console port.
This section includes:
• Configuration requirements
• Login procedure
• Console login authentication modes
• Configuring none authentication for console login
• Configuring password authentication for console login
• Configuring scheme authentication for console log
173. the default configuration, see Configuration requirements.
Configuration procedure
Follow these steps to configure password authentication for modem login:
To do: Enter system view. Use the command: system-view.
To do: Enter one or more AUX user interface views. Use the command: user-interface aux first-number [ last-number ].
Use the command: authentication-mode password. Remarks: Required. By default, the authentication mode is none for modem users.
To do: Set the local password. Use the command: set authentication password { cipher | simple } password. Remarks: Required. By default, no local password is set.
To do: Configure common settings for VTY user interfaces. Remarks: Optional. For more information, see Configuring common settings for VTY user interfaces (optional).
When you log in to the device through modems after the configuration, you are prompted to enter a login password. A prompt such as <HP> appears after you input the password and press Enter, as shown in Figure 25.
Figure 25 Configuration page (terminal text: User interface aux is available. Press ENTER to get started. Login authentication. Password:)
Configuring scheme authentication for modem login
Configuration prerequisites
You have logged in to the device. By default, you can log in to the device through the console port without authentication and have user privilege level 3 after login. For information about logging in to the device with the default configuration, see Con
174. the device
Rebooting the device immediately
Scheduling a device reboot
Scheduling jobs
Job configuration approaches
Configuration guidelines
Scheduling a job in the non-modular approach
Scheduling a job in the modular approach
Disabling Boot
Configuring the detection timer
Configuring temperature alarm thresholds (available only on the A3100 v2 EI)
Clearing idle 16-bit interface indexes
Verifying and diagnosing transceiver modules
Verifying
Diagnosing transceiver
Displaying and maintaining device management configuration
Automatic configuration
Automatic configuration overview
Typical automatic configuration
How automatic configuration works
175. the keyword ip host.
• The host name of a device saved in the host name file must be the same as the configuration file name of the device, and can be identical with or different from that saved in the DNS server.
• The configuration file of a device is named hostname.cfg, where hostname is the host name of the device. For example, if the host name of a device is aaa, the configuration file of the device is named aaa.cfg.
• The default configuration file is named device.cfg.
Obtaining the configuration file
Figure 51 Obtain the configuration file (flowchart omitted)
A device obtains its configuration file by using the following workflow:
• If the DHCP response contains the configuration file name, the device requests the specified conf
176. the storage medium is deleted.
Use the following commands to manage the space of a storage medium:
To do: Restore the space of a storage medium. Use the command: fixdisk device. Remarks: Optional. Available in user view.
To do: Format a storage medium. Use the command: format device. Remarks: Optional. Available in user view.
CAUTION: When you format a storage medium, all the files stored on it are erased and cannot be restored. If a startup configuration file exists on the storage medium, formatting the storage medium results in loss of the startup configuration file.
Setting prompt modes
The system provides the following prompt modes:
• alert: In this mode, the system warns you about operations that may bring undesirable consequences, such as file corruption or data loss.
• quiet: In this mode, the system does not prompt confirmation for any operation.
To prevent undesirable consequences resulting from misoperations, the alert mode is preferred.
Follow these steps to set the operation prompt mode:
To do: Enter system view. Use the command: system-view.
To do: Set the operation prompt mode of the file system. Use the command: file prompt { alert | quiet }. Remarks: Optional. The default is alert.
Example for file operations
# Display the files and the subdirectories in the current directory.
<Sysname> dir
Directory of flash:/
0 drw- - Feb 16 2006 11:45:36 logfile
1 -rw- 1218 Feb 16 2006 11:46:19 confi
177. the user privilege level. With command authorization enabled, the command level for a login user is determined by both the user privilege level and AAA authorization. If a user executes a command of the corresponding command level, the authorization server checks whether the command is authorized. If yes, the command can be executed.
To do: Enable command authorization. Use the command: command authorization.
• Before enabling command authorization, configure the AAA authorization server. After you enable command authorization, only commands authorized by the AAA authorization server can be executed.
To do: Enable command accounting. Use the command: command accounting. Remarks: Optional.
• By default, command accounting is disabled. The accounting server does not record the commands executed by users.
• Command accounting allows the HWTACACS server to record all the commands executed by users, regardless of command execution results. This helps control and monitor user operations on the device. If command accounting is enabled and command authorization is not enabled, every executed command is recorded on the HWTACACS server. If both command accounting and command authorization are enabled, only the authorized and executed commands are recorded on the HWTACACS server.
• Configure the AAA accounting server before enabling command accounting.
To do: Return to system view. Use the command: quit.
To do: Enter the ISP domain view. Use the command: domai
178. tion attribute level 3
Configure the user privilege level under a user interface
• If the user interface authentication mode is scheme, and SSH publickey authentication type (only a username is needed for this authentication type) is adopted, the user privilege level of users logging into the user interface is the user interface level.
• If the user interface authentication mode is none or password, the user privilege level of users logging into the user interface is the user interface level.
Follow these steps to configure the user privilege level under a user interface (SSH publickey authentication type):
To do: Configure the authentication type for SSH users as publickey. Use the command: For more information about SSH, see the Security Configuration Guide. Remarks: Required if the SSH login mode is adopted, and only username is needed during authentication. After the configuration, the authentication mode of the corresponding user interface must be set to scheme.
To do: Enter system view. Use the command: system-view.
To do: Enter user interface view. Use the command: user-interface { first-num1 [ last-num1 ] | { aux | vty } first-num2 [ last-num2 ] }.
To do: Configure the authentication mode for any user that uses the current user interface to log in to the switch. Use the command: authentication-mode scheme. Remarks: Required. By default, the authentication mode for VTY users is password, and no authentication is needed for AUX users.
To do: Configure the privilege level for
179. tion of jobs configured by using the job command. Use the command: display job [ job-name ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
To do: Display the exception handling method. Use the command: display system-failure [ | { begin | exclude | include } regular-expression ].
To do: Display the device software version update history. Use the command: display version-update-record [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
To do: Clear the device software version update history. Use the command: reset version-update-record. Remarks: Available in system view.
Automatic configuration
Automatic configuration overview
Automatic configuration enables a device without any configuration file to automatically obtain and execute a configuration file during startup. Automatic configuration simplifies network configuration, facilitates centralized management, and reduces maintenance workload. To implement automatic configuration, the network administrator saves configuration files on a server, and a device automatically obtains and executes a specific configuration file.
Typical automatic configuration network
Figure 49 Network diagram for automatic configuration (devices shown: DHCP server, Device, Gateway, TFTP server, DNS server)
As shown in Figure 49, the device implements automatic configuration with the cooperation of the following servers: a DHCP server, TFTP server, and DNS server.
180. to continue running patches after reboot? [Y/N]:y
NOTE: Information about patch states is saved in the file patchstate on the flash. Do not operate this file.
IDLE state
Patches in the IDLE state are not loaded. You cannot install or run the patches, as shown in Figure 43. In this example, the memory patch area can load up to eight patches.
Figure 43 Patches are not loaded to the memory patch area (memory patch area: Patch 1 through Patch 8, all IDLE)
NOTE: The memory patch area supports up to 200 patches.
DEACTIVE state
Patches in the DEACTIVE state have been loaded to the memory patch area but have not run in the system yet. Suppose that the patch file to be loaded has seven patches. After the seven patches successfully pass the version check and CRC check, they are loaded to the memory patch area and are in the DEACTIVE state. At this time, the patch states in the system are as shown in Figure 44.
Figure 44 A patch file is loaded to the memory patch area (memory patch area: Patch 1 through Patch 7 DEACTIVE, Patch 8 IDLE)
ACTIVE state
Patches in the ACTIVE state are those that have run temporarily in the system
181. to switch to different user levels without affecting the current FTP connection; if you input an incorrect username or password, the current connection will be terminated, and you must log in again to access the FTP server.
Follow the step below to use another username to log in to the FTP server:
To do: Use another username to re-log in after successfully logging in to the FTP server. Remarks: Optional.
Maintaining and debugging an FTP connection
After a switch serving as the FTP client has established a connection with the FTP server, you can perform the following operations to locate and diagnose problems encountered in an FTP connection. For more information about establishing an FTP connection, see Establishing an FTP connection.
To do: Display the help information of FTP-related commands supported by the remote FTP server. Use the command: remotehelp [ protocol-command ]. Remarks: Optional.
To do: Enable information display in a detailed manner. Use the command: verbose. Remarks: Optional. Enabled by default.
To do: Enable FTP-related debugging when the switch acts as the FTP client. Use the command: debugging. Remarks: Optional. Disabled by default.
Terminating an FTP connection
After the switch serving as the FTP client has established a connection with the FTP server, you can use any of the following commands to terminate an FTP connection. For more information about establishing an FTP connection, see Establishing an FTP connection.
182. to terminal
logging Send log information to terminal
monitor Send information output to current terminal
trapping Send trap information to terminal
If ? is at the argument position, the CLI displays a description about this argument. For example:
<sysname> system-view
[sysname] interface vlan-interface ?
<1-4094> VLAN interface
[sysname] interface vlan-interface 1 ?
<cr>
[sysname] interface vlan-interface 1
The string <cr> indicates that the command is a complete command, and can be executed by pressing Enter.
3. Type an incomplete character string followed by ?. The CLI displays all commands starting with the typed character(s).
<sysname> b?
backup boot-loader bootrom
<sysname> display cl?
clipboard clock cluster
Typing commands
Editing command lines
Table 2 Editing functions
Key: Common keys. Function: If the edit buffer is not full, pressing a common key inserts the character at the position of the cursor and moves the cursor to the right.
Key: Backspace. Function: Deletes the character to the left of the cursor and moves the cursor back one character.
Key: Left arrow key or Ctrl+B. Function: The cursor moves one character space to the left.
Key: Right arrow key or Ctrl+F. Function: The cursor moves one character space to the right.
If you press Tab after entering part of a keyword, the system automatically completes the keyword.
• If there is a unique match, the system substitutes the complete ke
183. tworking category.
• For a complete list of acronyms and their definitions, see HP A-Series Acronyms.
Websites
• HP.com: http://www.hp.com
• HP Networking: http://www.hp.com/go/networking
• HP manuals: http://www.hp.com/support/manuals
• HP download drivers and software: http://www.hp.com/support/downloads
• HP software depot: http://www.software.hp.com
• HP Education: http://www.hp.com/learn
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention: Boldface. Description: Bold text represents commands and keywords that you enter literally as shown.
Convention: Italic. Description: Italic text represents arguments that you replace with actual values.
Convention: [ ]. Description: Square brackets enclose syntax choices (keywords or arguments) that are optional.
Convention: { x | y | ... }. Description: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Convention: [ x | y | ... ]. Description: Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
Convention: { x | y | ... } *. Description: Asterisk-marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one.
Convention: [ x | y | ... ] *. Description: Asterisk-marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none.
Description: The argument or keyword and argument combination before t
184. ule fails or works inappropriately, you can check for alarms present on the transceiver module to identify the fault source, or examine the key parameters monitored by the digital diagnosis function, including the temperature, voltage, laser bias current, TX power, and RX power.
Perform the following commands in any view to diagnose transceiver modules:
To do: Display alarms present on transceiver modules. Use the command: display transceiver alarm interface [ interface-type interface-number ] [ | { begin | exclude | include } regular-expression ].
To do: Display the present measured values of the digital diagnosis parameters for pluggable transceivers. Use the command: display transceiver diagnosis interface [ interface-type interface-number ] [ | { begin | exclude | include } regular-expression ].
NOTE: The display transceiver diagnosis command cannot display information for some transceiver modules.
Displaying and maintaining device management configuration
For diagnosis or troubleshooting, you can use separate display commands to collect running status data module by module, or use the display diagnostic-information command to bulk collect running data for multiple modules. The display diagnostic-information command equals this set of commands: display clock, display version, display device, and display current-configuration.
To do: Display system version information. Use the command: display version [ | { begin | exclude. Remarks: Available in any view.
185. ult, no command level is configured for the local user.
To do: Specify the Telnet service type for the local user. Use the command: service-type telnet. Remarks: Required. By default, no service type is configured for the local user.
To do: Exit to system view. Use the command: quit.
To do: Create a VLAN interface and enter its view. Use the command: interface vlan-interface vlan-interface-id. Remarks: Required. If the VLAN interface already exists, the command enters its view.
To do: Assign an IP address and subnet mask to the VLAN interface. Use the command: ip address ip-address { mask | mask-length }. Remarks: Required. By default, no IP address is assigned to the VLAN interface.
Displaying and maintaining web login
To do: Display information about web users. Use the command: display web users [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
To do: Display HTTP state information. Use the command: display ip http [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
To do: Display HTTPS state information. Use the command: display ip https [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
Web login example
HTTP login example
Network requirements
As shown in Figure 27, the PC is connected to the device over an IP network. The IP address of the Device is 192.168.20.66/24.
Figure 27 Network diagram for configuring HTTP login (devices shown: PC, IP network, Device)
Configuration procedure
1. Configuration on the device
# Log in to the
186. unction when upgrading Boot ROM. Use the command: bootrom-update security-check enable. Remarks: By default, the validity check function is enabled at the time of upgrading Boot ROM.
To do: Return to user view. Use the command: quit.
To do: Save the Boot ROM image to the root directory of the Flash of the switch by using FTP, TFTP, or other approaches. Remarks: Required. For more information about FTP or TFTP, see the chapters FTP configuration and TFTP configuration.
To do: Upgrade Boot ROM on the switch. Use the command: bootrom update file file-url slot slot-number-list. Remarks: Required. Available in user view.
To do: Reboot the switch. Use the command: reboot [ slot slot-number ]. Remarks: The slot keyword specifies the ID of a switch. The ID can only be 1. Available in user view.
CAUTION: To execute the bootrom command successfully, save the Boot ROM image in the storage media's root directory on the switch.
Upgrading system software through a system reboot
Follow these steps to upgrade system software through a system reboot:
To do: Save the system software image to the root directory of the Flash of the switch by using FTP, TFTP, or other approaches. Remarks: Required. For more information about FTP or TFTP, see the chapters FTP configuration and TFTP configuration.
To do: Specify system software image to be used at the next boot of the switch. Use the command: boot-loader file file-url slot slot-number { main | backup }. Remarks: Required. Available in user view.
187. users. Use the command: user privilege level level. Remarks: Optional. By default, the default command level is 3 for the AUX user interface.
To do: Set the maximum number of lines on the next screen. Use the command: screen-length screen-length. Remarks: Optional. By default, the next screen displays 24 lines. A value of 0 disables the function.
To do: Set the size of history command buffer. Use the command: history-command max-size value. Remarks: Optional. By default, the buffer saves 10 history commands at most.
To do: Set the idle timeout timer. Use the command: idle-timeout minutes [ seconds ]. Remarks: Optional. The default idle timeout is 10 minutes. The system automatically terminates the user's connection if no information interaction occurs between the device and the user within the idle timeout time. Setting idle timeout to 0 disables the timer.
CAUTION: The common settings configured for console login take effect immediately. If you configure the common settings after you log in through the console port, the current connection may be interrupted, so you must use another login method. After you configure common settings for console login, you need to modify the settings on the terminal to make them consistent with those on the device.
Logging in through Telnet
Introduction
The device supports Telnet. You can Telnet to the device to remotely manage and maintain it, as shown in Figure 12.
Figure 12 Telnet login IP network Te
188.
Upgrading the Boot ROM program through a system reboot
Upgrading system software through a system reboot
Software upgrade by installing hotfixes
Basic concepts in
Configuration prerequisites
One-step patch
Step-by-step patch
Step-by-step patch
Displaying and maintaining the software upgrade
Software upgrade configuration examples
Scheduled upgrade configuration example
Hotfix configuration example
Configuring
Changing the system time
Configuration guidelines
Configuration procedure
Enabling displaying the copyright
Introduction to banners
Configuration procedure
Banner configuration examples
Configuring the exception handling methods
Rebooting
189. ut time. Setting idle timeout to 0 disables the timer.
CAUTION:
• The common settings configured for console login take effect immediately. If you configure the common settings after you log in through the console port, the current connection may be interrupted. To avoid this problem, use another login method. After you configure the common settings for console login, you will need to modify the settings on the terminal to make them consistent with those on the device.
• The baud rate of the console port must be lower than the transmission rate of the modem. Otherwise, packets may be lost.
Displaying and maintaining CLI login
To do: Display the source IP address/interface specified for Telnet packets. Use the command: display telnet client configuration [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
To do: Display information about the user interfaces that are being used. Use the command: display users [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
To do: Display information about all user interfaces that the device supports. Use the command: display users all [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
To do: Display user interface information. Use the command: display user-interface [ num1 | { aux | vty } num2 ] [ summary ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
To do Use the command Rem
190. utomatically reboots to recover from the error condition.
• maintain: The device stays in the error condition so you can collect complete data, including error messages, for diagnosis. In this approach, you must manually reboot the device.
Follow these steps to configure the exception handling method:
To do: Enter system view. Use the command: system-view.
To do: Configure the exception handling method. Use the command: system-failure { maintain | reboot }. Remarks: Optional. By default, the system reboots when an exception occurs.
Rebooting the device
You can reboot the device in one of the following ways to recover from an error condition:
• Reboot the device immediately at the CLI.
• At the CLI, schedule a reboot to occur at a specific time and date or after a delay.
• Power off and then re-power on the device. This method might cause data loss and hardware damage, and is the least preferred method.
Reboot at the CLI enables easy remote device maintenance.
CAUTION:
• A reboot can interrupt network services.
• To avoid data loss, use the save command to save the current configuration before a reboot.
• Use the display startup and display boot-loader commands to check that you have correctly set the startup configuration file and the main system software image file. If the main system software image file has been corrupted or does not exist, the device cannot reboot. You must re-specify a main system software image fi
191. vice] job autoupdate
[Device-job-autoupdate] view system-view
[Device-job-autoupdate] time 1 one-off at 03:00 command execute auto-update.bat
To check if the upgrade is successful after Device reboots, use the display version command.
Hotfix configuration example
Network requirements
• As shown in Figure 48, the software running on Device is having problems, and a hotfix is needed.
• The patch file patch_311.bin is saved on the TFTP server.
• The IP address of Device is 1.1.1.1/24, and IP address of TFTP Server is 2.2.2.2/24. Device and TFTP server can reach each other.
Figure 48 Network diagram of hotfix configuration (devices shown: TFTP server, Internet, Device as TFTP client)
Configuration procedure
1. Configure TFTP Server. The configuration varies depending on server type, and the configuration procedure is omitted.
• Enable the TFTP server function.
• Save the patch file patch_311.bin to the directory of the TFTP server.
2. Configure Device
CAUTION: Make sure the free Flash space of Device is large enough to store the patch file.
# Before upgrading the software, use the save command to save the current system configuration. The configuration procedure is omitted.
# Load the patch file patch_311.bin from the TFTP server to the root directory of Device storage media.
<Device> tftp 2.2.2.2 get patch_311.bin
# Install the patch.
<Device> system-view
[Device] patch install flash:
Patches
192. when a Telnet or SSH user logs in, or when a console user quits user view. You can disable or enable the function as needed. The following is a sample copyright statement:
**************************************************************************
* Copyright (c) 2010-2011 Hewlett-Packard Development Company, L.P.      *
* Without the owner's prior written consent,                             *
* no decompiling or reverse-engineering shall be allowed.                *
**************************************************************************
Follow these steps to enable displaying the copyright statement:
To do: Enter system view. Use the command: system-view.
To do: Enable displaying the copyright statement. Use the command: copyright-info enable. Remarks: Optional. Enabled by default.
Configuring banners
Introduction to banners
Banners are messages that the system displays when a user connects to the device to perform login authentication and start interactive configuration.
Banner types
You can configure the following types of banners:
• Legal banner: Appears after the system displays the copyright or license statement for a user attempting to log in. To continue authentication or login, the user must enter Y or press Enter. To quit the process, the user must enter N. Y and N are case insensitive.
• Message of the Day (MOTD) banner: Displays the greeting message and appears after the legal banner and
193. will be installed. Continue? [Y/N]:y
Do you want to continue running patches after reboot? [Y/N]:y
Installing patches
Installation completed, and patches will continue to run after reboot.
Device management
Device management includes monitoring the operating status of devices and configuring their running parameters.
NOTE: The configuration tasks in this document are order independent. You can perform these tasks in any order.
Configuring the device name
A device name identifies a device in a network and works as the user view prompt at the CLI. For example, if the device name is Sysname, the user view prompt is <Sysname>.
Follow these steps to configure the device name:
To do: Enter system view. Use the command: system-view.
To do: Configure the device name. Use the command: sysname sysname. Remarks: Optional. The default device name is HP.
Changing the system time
You must synchronize your device with a trusted time source by using NTP or changing the system time before you run it on the network. Network management depends on an accurate system time setting, because the timestamps of system messages and logs use the system time. In a small-sized network, you can manually set the system time of each device.
Configuration guidelines
You can change the system time by configuring the relative time, time zone, and daylight saving time. The configuration result depends on their configuration order (see Tab
194. word authentication for console login
Configuring scheme authentication for console login
Configuring common settings for console login (optional)
Logging in through
Telnet login authentication modes
Configuring none authentication for Telnet login
Configuring password authentication for Telnet login
Configuring scheme authentication for Telnet login
Configuring common settings for VTY user interfaces (optional)
Configuring the device to log in to a Telnet server as a Telnet client
Logging in through
Configuring the SSH server
Configuring the SSH client to log in to the SSH server
Logging in through
Configuration requirements
Login procedure
Modem login authentication modes
195. y time-range time-name fragment logging
Exit the basic ACL view | quit |
Associate this SNMP community with the ACL | snmp-agent community read write community-name acl acl-number mib-view view-name | Required
Associate the SNMP group with the ACL | snmp-agent group v1 v2c group-name read-view read-view write-view write-view notify-view notify-view acl acl-number; snmp-agent group v3 group-name authentication privacy read-view read-view write-view write-view notify-view notify-view acl acl-number |
You can associate the ACL when creating the community, the SNMP group, and the user. For more information about SNMP, see the Network Management and Monitoring Configuration Guide.
To do | Use the command | Remarks
Associate the user with the ACL | snmp-agent usm-user v1 v2c username group-name acl acl-number; snmp-agent usm-user v3 username group-name cipher authentication-mode md5 sha auth-password privacy-mode 3des aes128 des56 priv-password acl acl-number |
Source IP-based login control over NMS users configuration example
Network requirements
As shown in Figure 34, configure the device to allow only NMS users from Host A and Host B to access.
Figure 34 Network diagram for configuring source IP-based login control over NMS users (Host A 10.110.100.46, IP network, Device, Host B 10.1
196. you log in to the device through the console port after configuration, you are prompted to enter a login password. A prompt such as <HP> appears after you input the password and press Enter, as shown in Figure 10.
Figure 10 Configuration page
Press ENTER to get started.
Login authentication
Password:
User interface aux is available.
Configuring scheme authentication for console login
Configuration prerequisites
You have logged in to the device. By default, you can log in to the device through the console port without authentication and have user privilege level 3 after login. For information about logging in to the device with the default configuration, see Configuration requirements.
Configuration procedure
Follow these steps to configure scheme authentication for console login:
To do | Use the command | Remarks
Enter system view | system-view |
Enter AUX user interface view | user-interface aux first-number last-number |
Specify the scheme authentication mode | authentication-mode scheme | Required. Whether local, RADIUS, or HWTACACS authentication is adopted depends on the configured AAA scheme. By default, users that log in through the console port are not authenticated.
Optional.
• By default, command authorization is not enabled.
• By default, the command level depends on the user privilege level. A user is authorized a command level not higher than
197. yword for the incomplete one and displays it in the next line.
• If there is more than one match, you can press Tab repeatedly to cycle through all the keywords starting with the character string that you typed.
• If there is no match, the system does not modify the incomplete keyword and displays it again in the next line.
Typing incomplete keywords
You can input a command comprising incomplete keywords that uniquely identify the complete command. In user view, for example, commands starting with an s include startup saved-configuration and system-view.
• To enter system view, type sy.
• To set the configuration file for next startup, type st s.
You can also press Tab to have an incomplete keyword automatically completed.
Configuring command aliases
The command alias function allows you to replace the first keyword of a command with your preferred keyword. For example, if you configure show as the replacement for the display keyword, then to execute the display xx command, you can input the command alias show xx.
Note the following guidelines when configuring a command alias:
• You can define and use a command alias, but the command is not restored in its alias format.
• When you define a command alias, the cmdkey and alias arguments must be in their complete form.
• When you input an incomplete keyword that partially matches both a defined alias and the keyword of a command, the alias takes precedence. To execut