HP A3100 v2 Switch Series Fundamentals Configuration Guide

HP A3100-8 v2 SI Switch (JG221A)
HP A3100-16 v2 SI Switch (JG222A)
HP A3100-24 v2 SI Switch (JG223A)
HP A3100-8 v2 EI Switch (JD318B)
HP A3100-16 v2 EI Switch (JD319B)
HP A3100-24 v2 EI Switch (JD320B)
HP A3100-8-PoE v2 EI Switch (JD311B)
HP A3100-16-PoE v2 EI Switch (JD312B)
HP A3100-24-PoE v2 EI Switch (JD313B)

Part number: 5998-1963
Software version: Release 5103
Document version: 6W100-20110909
Legal and notice information © Copyright 2011 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Contents

CLI configuration
  What is CLI?
  Entering the CLI
Telnet login authentication modes
  Configuring none authentication for Telnet login
  Configuring password authentication for Telnet login
  Configuring scheme authentication for Telnet login
FTP operation
  Configuring the FTP client
    Establishing an FTP connection
    Operating t
Setting configuration rollback
  Configuration rollback
  Configuration task list
  Configuring para
Diagnosing transceiver modules
Displaying and maintaining device management configuration
Automatic configuration
  Automatic configuration overview
CLI configuration What is CLI? The command line interface (CLI) enables you to interact with your device by typing text commands. At the CLI, you can instruct your device to perform a given task by typing a text command and then pressing Enter. Compared with a graphical user interface (GUI) where you can use a mouse to perform configuration, the CLI allows you to input more information in one command line.
Convention / Description
• [ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
• { x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
• [ x | y | ... ]: Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
• { x | y | ...
CLI views adopt a hierarchical structure. See Figure 3.
• After logging in to the switch, you are in user view. The user view prompt is <Sysname>. In user view, you can perform display, debugging, and file management operations, set the system time, restart the device, and perform FTP and Telnet operations.
• You can enter system view from user view. In system view, you can configure parameters such as daylight saving time, banners, and shortcut keys.
• Return to the parent view from the current view: quit. Required. Available in any view.
NOTE:
• The quit command in user view stops the current connection between the terminal and the device.
• In public key code view, use the public-key-code end command to return to the parent view (public key view). In public key view, use the peer-public-key end command to return to system view.
  <1-4094>  VLAN interface
[sysname] interface vlan-interface 1 ?
  <cr>
[sysname] interface vlan-interface 1
The string <cr> indicates that the command is complete and can be executed by pressing Enter.
Type an incomplete character string followed by ?. The CLI displays all commands starting with the typed character(s).
• To set the configuration file for next startup, type st s. You can also press Tab to have an incomplete keyword automatically completed. Configuring command aliases The command alias function allows you to replace the first keyword of a command with your preferred keyword. For example, if you configure show as the replacement for the display keyword, then to execute the display xx command, you can input the command alias show xx.
NOTE: By default, the Ctrl+G, Ctrl+L, and Ctrl+O hotkeys are associated with the pre-defined commands listed below; the Ctrl+T and Ctrl+U hotkeys are not.
• Ctrl+G corresponds to the display current-configuration command.
• Ctrl+L corresponds to the display ip routing-table command.
• Ctrl+O corresponds to the undo debugging all command.
Table 3 Hotkeys reserved by the system
• Ctrl+A: Moves the cursor to the beginning of the current line.
• Ctrl+B: Moves the cursor one character to the left.
NOTE: The hotkeys in Table 3 are defined by the switch. If the same hotkeys are defined by the terminal software that you use to interact with the switch, the hotkeys defined by the terminal software take effect. Redisplaying input but not submitted commands If your command input is interrupted by output system information, you can use this feature to redisplay the commands input previously but not submitted.
Accessing history commands
Follow a step below to access history commands:
• Display history commands: display history-command. Displays the valid history commands you have used.
• Display the previous history command: Up arrow key or Ctrl+P. Displays the previous history command, if any.
• Display the next history command: Down arrow key or Ctrl+N. Displays the next history command, if any.
NOTE: You can use the arrow keys to access history commands in Windows 200X and XP Terminal or Tel
Controlling the CLI display
Multi-screen display
Controlling multi-screen display
If the output spans multiple screens, each screen pauses after it is displayed. Perform one of the following operations to proceed.
• Press Space: Displays the next screen.
• Press Enter: Displays the next line.
• Press Ctrl+C: Stops the display and the command execution.
• Press PageUp: Displays the previous page.
• Press PageDown: Displays the next page.
When the system displays output in multiple screens, use /, - or + followed by a regular expression to filter the subsequent output: / equals the keyword begin, - equals the keyword exclude, and + equals the keyword include.
The following definitions apply to the begin, exclude, and include keywords:
• begin: Displays the first line that matches the specified regular expression and all lines that follow.
Character / Meaning / Remarks
• \index: Repeats the character string specified by index. A character string here is the string inside ( ) before \. index is the sequence number (starting from 1, left to right) of the character group before \. If only one character group appears before \, index can only be 1; if n character groups appear before \index, index can be any integer from 1 to n. For example, (string)\1 repeats string, so a matching string must contain stringstring.
 user privilege level 3
#
return
2. Example of using the exclude keyword
# Display the non-direct routes in the routing table (the output depends on the current configuration).
<Sysname> display ip routing-table | exclude Direct
Routing Tables: Public
Destination/Mask    Proto   Pre  Cost   NextHop       Interface
1.1.1.0/24          Static  60   0      192.168.0.
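The begin, exclude and include filters described above, re-implemented here as an added example (this is not HP's code) so that their semantics, including the \index back-reference from the regular-expression table, can be checked against sample output. The routing table below is constructed in the layout of display ip routing-table with illustrative addresses; it was not captured from a device.

```python
"""Re-implementation of the Comware CLI output filter keywords
(| begin, | exclude, | include <regex>) and of the /, -, + shortcuts
used while output is paged.  Added example, not HP's code."""
import re

# Constructed sample output in the layout of `display ip routing-table`.
ROUTING_TABLE = """\
Routing Tables: Public
        Destinations : 4        Routes : 4

Destination/Mask    Proto  Pre  Cost         NextHop         Interface
1.1.1.0/24          Static 60   0            192.168.0.2     Vlan1
127.0.0.0/8         Direct 0    0            127.0.0.1       InLoop0
127.0.0.1/32        Direct 0    0            127.0.0.1       InLoop0
192.168.0.0/24      Direct 0    0            192.168.0.1     Vlan1
"""


def filter_output(text, keyword, pattern):
    """Apply one filter keyword to multi-line output.

    begin   -> the first line matching `pattern` and every line after it
    exclude -> every line that does not match
    include -> only the lines that match
    The pattern is searched anywhere in the line, as the CLI does."""
    regex = re.compile(pattern)
    lines = text.splitlines()
    if keyword == "begin":
        for i, line in enumerate(lines):
            if regex.search(line):
                return lines[i:]
        return []                      # no line matched: nothing is shown
    if keyword == "exclude":
        return [l for l in lines if not regex.search(l)]
    if keyword == "include":
        return [l for l in lines if regex.search(l)]
    raise ValueError(f"unknown filter keyword: {keyword}")


# Short forms accepted at the paging prompt: / = begin, - = exclude, + = include.
PAGING_SHORTCUTS = {"/": "begin", "-": "exclude", "+": "include"}


def filter_paged(text, shortcut_and_pattern):
    """Accept the paged-display syntax, e.g. '-Direct' or '/Destination'."""
    keyword = PAGING_SHORTCUTS[shortcut_and_pattern[0]]
    return filter_output(text, keyword, shortcut_and_pattern[1:])


if __name__ == "__main__":
    # Same selection as `display ip routing-table | exclude Direct`.
    print("\n".join(filter_output(ROUTING_TABLE, "exclude", "Direct")))
```

Note that begin is the only keyword whose result depends on line order: it keeps every line after the first match, so a pattern that happens to match the table header (for example Destination) shows the whole table rather than one route.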
Level / Privilege / Description
• (continued): Involves commands that influence the basic operation of the system and commands for configuring system support modules.
• 3 / Manage: By default, commands at this level involve the configuration commands of the file system, FTP, TFTP, Xmodem download, user management, level setting, and parameter settings within the system (which are not defined by any protocols or RFCs).
<Sysname> system-view
[Sysname] user-interface vty 1
[Sysname-ui-vty1] authentication-mode scheme
[Sysname-ui-vty1] quit
[Sysname] local-user test
[Sysname-luser-test] password cipher 12345678
[Sysname-luser-test] service-type telnet
When users telnet to the switch through VTY 1, they must enter the username test and the password 12345678. After passing authentication, the users can only use level 0 commands, because no authorization-attribute level is configured for the local user and the default command level of a local user is 0.
• Enter system view: system-view.
• Enter user interface view: user-interface { first-num1 [ last-num1 ] | { aux | vty } first-num2 [ last-num2 ] }.
• Configure the authentication mode for any user that logs in to the switch through the current user interface: authentication-mode { none | password }. Optional. By default, the authentication mode for VTY user interfaces is password, and AUX login users are not authenticated.
display commands. The switching operation is effective for the current login. After the user logs back in, the user privilege restores to the original level. • To avoid problems, HP recommends that administrators log in to the switch by using a lower privilege level and view switch operating parameters. To maintain the switch, administrators can temporarily switch to a higher level.
• Configure the password for user privilege level switching: super password [ level user-level ] { simple | cipher } password. Required if the authentication mode is set to local. By default, no privilege level switch password is configured. The simple keyword stores the password in clear text in the configuration file, where anyone who can read the file or a backup of it learns it; use cipher.
CAUTION:
• If no user privilege level is specified when you configure the password for switching the user privilege level with the super password command, the user privilege level defaults to 3.
User privilege level switch authentication mode / Information input for the first authentication mode / Information input after the authentication mode changes:
• local: the local user privilege level switch password; nothing further after the mode changes (—).
• local scheme: the local user privilege level switch password first; after the authentication mode changes, the password for privilege level switch configured on the AAA server. The system uses the username used for logging in as the privilege level switch username.
CAUTION: HP recommends that you use the default command level or modify the command level under the guidance of professional staff. An improper change of the command level may bring inconvenience to your maintenance and operation, or even potential security problems. Saving the current configuration On the device, you can input the save command in any view to save all of the submitted and executed commands into the configuration file. Commands saved in the configuration file can survive a reboot.
Login methods
You can log in to the switch by using the following methods.
Table 7 Login methods
• Logging in through the console port: By default, you can log in to a device through the console port; the authentication mode is none (no username or password required), and the user privilege level is 3.
• Logging in through Telnet: By default, you cannot log in to a device through Telnet.
• NMS login: By default, you cannot log in to a device through a network management system (NMS). To do so, log in to the device through the console port and complete the following configuration:
  – Configure the IP address of the VLAN interface, and make sure the device and the NMS can reach each other (by default, the device does not have an IP address).
  – Configure SNMP basic parameters.
VTY user interfaces. You can use the display user-interface command without any parameters to view supported user interfaces and their absolute numbers. Relative numbering Relative numbering allows you to specify a user interface or a group of user interfaces of a specific type. The number format is “user interface type + number”. The following rules of relative numbering apply: • AUX user interfaces are numbered from 0 in the ascending order, with a step of 1.
CLI login Overview The CLI enables you to interact with a device by typing text commands. At the CLI, you can instruct your device to perform a given task by typing a text command and then pressing Enter to submit it to your device. Compared with a GUI, where you can use a mouse to perform configuration, the CLI allows you to input more information in one command line. You can log in to the device at the CLI through the console port, Telnet, SSH, or modem.
The port properties of the terminal emulator (HyperTerminal) must match the default settings of the console port shown in the following table.
• Bits per second: 9,600 bps
• Flow control: None
• Parity: None
• Stop bits: 1
• Data bits: 8
Login procedure
Step1 Use the console cable shipped with the device to connect the PC and the device. Plug the DB-9 connector of the console cable into the serial port of the PC, and plug the RJ-45 connector into the console port of the device.
Figure 5 Connection description
Figure 6 Specify the serial port used to establish the connection
Figure 7 Set the properties of the serial port
Step3 Turn on the device. You are prompted to press Enter if the device successfully completes the power-on self test (POST). A prompt such as <HP> appears after you press Enter, as shown in Figure 8.
Figure 8 Configuration page
Step4 Execute commands to configure the device or check its running status. To get help, type ?.
• none: Requires no username and password at the next login through the console port. This mode is insecure.
• password: Requires password authentication at the next login through the console port. Keep the password in a safe place.
• scheme: Requires username and password authentication at the next login through the console port. Authentication is either local or remote. To use local authentication, configure a local user and related parameters.
By default, you can log in to the device through the console port without authentication and have user privilege level 3 after login. For information about logging in to the device with the default configuration, see “Configuration requirements.
Configuring scheme authentication for console login Configuration prerequisites You have logged in to the device. By default, you can log in to the device through the console port without authentication and have user privilege level 3 after login. For information about logging in to the device with the default configuration, see “Configuration requirements.
• Enable command accounting: command accounting. Optional. By default, command accounting is disabled, and the accounting server does not record the commands executed by users. Command accounting allows the HWTACACS server to record all the commands executed by users, regardless of command execution results. This helps control and monitor user operations on the device.
• Specify the service type for the local user: service-type terminal. Required. By default, no service type is specified.
• Configure common settings for the AUX user interface: Optional. See “Configuring common settings for console login (optional).”
Figure 11 Configuration page
Configuring common settings for console login (optional)
Follow these steps to configure common settings for console port login:
• Enter system view: system-view.
• Enable display of copyright information: copyright-info enable. Optional. Enabled by default.
• Enter AUX user interface view: user-interface aux first-number [ last-number ].
• Configure AUX user interface view properties:
• Configure the data bits: databits { 5 | 6 | 7 | 8 }. Optional. By default, the console port uses 8 data bits. Data bits is the number of bits representing one character. The setting depends on the content to be transmitted: for example, set it to 7 if standard ASCII characters are to be sent, and to 8 if extended ASCII characters are to be sent.
• Define a shortcut key for enabling a terminal session: activation-key character. Optional.
• Set the idle-timeout timer: idle-timeout minutes [ seconds ]. Optional. The default idle-timeout is 10 minutes. The system automatically terminates the user's connection if no interaction occurs between the device and the user within the idle-timeout time. Setting idle-timeout to 0 disables the timer, so an unattended session stays logged in indefinitely at its privilege level; keep the timer enabled on production devices.
CAUTION: The common settings configured for console login take effect immediately.
This section includes these topics:
• Telnet login authentication modes
• Configuring none authentication for Telnet login
• Configuring password authentication for Telnet login
• Configuring scheme authentication for Telnet login
• Configuring common settings for VTY user interfaces (optional)
• Configuring the device to log in to a Telnet server as a Telnet client
Telnet login authentication modes
Three authentication modes are available for Telnet login: none, password, and scheme.
• Scheme (remote AAA authentication): Configure the authentication scheme (a RADIUS or HWTACACS scheme) and configure the AAA scheme used by the domain. For more information, see “Configuring scheme authentication for Telnet login.”
• Configure common settings for VTY user interfaces: Optional. See “Configuring common settings for VTY user interfaces (optional).”
When you log in to the device through Telnet again:
• You enter the VTY user interface, as shown in Figure 13.
• If “All user interfaces are used, please try later!” is displayed, the number of current login users has reached the maximum. Try again later.
• Enter one or multiple VTY user interface views: user-interface vty first-number [ last-number ].
• Specify the password authentication mode: authentication-mode password. Required. By default, the authentication mode for VTY user interfaces is password.
• Set the local password: set authentication password { cipher | simple } password. Required. By default, no local password is set.
• Configure the user privilege level for login users: user privilege level level.
Configuring scheme authentication for Telnet login Configuration prerequisites You have logged in to the device. By default, you can log in to the device through the console port without authentication and have user privilege level 3 after login. For information about logging in to the device with the default configuration, see “Configuration requirements.
• Enable command authorization: command authorization. Optional. By default, command authorization is not enabled, and the command level for a login user depends on the user privilege level: a user is authorized a command level not higher than the user privilege level. With command authorization enabled, the command level for a login user is determined by both the user privilege level and AAA authorization.
• Enable command accounting: command accounting. Optional. By default, command accounting is disabled, and the accounting server does not record the commands executed by users. Command accounting allows the HWTACACS server to record all executed commands that are supported by the device, regardless of the command execution result. This helps control and monitor user operations on the device.
• Specify the command level of the local user: authorization-attribute level level. Optional. By default, the command level is 0.
• Specify the service type for the local user: service-type telnet. Required. By default, no service type is specified.
• Exit to system view: quit.
• Configure common settings for VTY user interfaces: Optional. See “Configuring common settings for VTY user interfaces (optional).”
Figure 15 Configuration page
Configuring common settings for VTY user interfaces (optional)
Follow these steps to configure common settings for VTY user interfaces:
• Enter system view: system-view.
• Enable display of copyright information: copyright-info enable. Optional. Enabled by default.
• Enter one or multiple VTY user interface views: user-interface vty first-number [ last-number ].
• Enable the terminal service: shell. Optional. Enabled by default.
• Set the maximum number of lines on the next screen: screen-length screen-length. Optional. By default, the next screen displays 24 lines. A value of 0 disables the function.
• Set the size of the history command buffer: history-command max-size value. Optional. By default, the buffer saves 10 history commands.
• Set the idle-timeout timer: idle-timeout minutes [ seconds ]. Optional. The default idle-timeout is 10 minutes for all user interfaces.
By default, you can log in to the device through the console port without authentication and have user privilege level 3 after login. For information about logging in to the device with the default configuration, see “Configuration requirements.” Figure 16 Log in to another device from the current device NOTE: If the Telnet client port and the Telnet server port that connect them are not in the same subnet, make sure that the two devices can reach each other.
Object / Requirements:
• SSH server: Configure the IP address of the VLAN interface, and make sure the SSH server and client can reach each other. Configure the authentication mode and other settings.
• SSH client: Run the SSH client program. Obtain the IP address of the VLAN interface on the server.
By default, the device is enabled with the SSH server and client functions.
• On a device that serves as the SSH client, you can log in to an SSH server to perform operations on the server.
• Enable the current user interface to support SSH: protocol inbound { all | ssh }. Optional. By default, both Telnet and SSH are supported. Because Telnet carries the login credentials and the whole session in clear text, set protocol inbound ssh on VTY user interfaces that are reached over the network so that only SSH is accepted.
• Enable command authorization: command authorization. Optional. By default, command authorization is not enabled, and the command level for a login user depends on the user privilege level: the user is authorized the commands whose default level is not higher than the user privilege level.
Configure the authentication mode:
• Enter the default ISP domain view: domain domain-name. Optional.
• Apply the specified AAA scheme to the domain: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }. Optional. By default, the AAA scheme is local. If you specify the local AAA scheme, also perform the local user configuration.
• Reference the created HWTACACS scheme in the ISP domain. For more information, see the Security Configuration Guide. When users adopt the scheme mode to log in to the device, the level of the commands that the users can access depends on the user privilege level defined in the AAA scheme. • When the AAA scheme is local, the user privilege level is defined by the authorization-attribute level level command.
Logging in through modems Introduction The administrator can use two modems to remotely maintain a switch through its Console port over the Public Switched Telephone Network (PSTN) when the IP network connection is broken.
Step2 Configuration on the administrator side The PC and the modem are correctly connected, the modem is connected to a telephone cable, and the telephone number of the remote modem connected to the console port of the remote switch is obtained. NOTE: Note the following device settings: • The baud rate of the Console port is lower than the transmission rate of the modem. Otherwise, packets may be lost. • The parity check mode, stop bits, and data bits of the console port adopt the default settings.
Figure 20 Connection description
Figure 21 Enter the phone number
Figure 22 Dial the number
Step6 The character string CONNECT9600 is displayed on the terminal. A prompt appears after you press Enter.
Figure 23 Configuration page
Step7 If the authentication mode is password, a prompt (for example, <HP>) appears after you type the configured password on the remote terminal. You can then configure or manage the switch. To get help, type ?.
Step8 Execute commands to configure the device or check its running status. To get help, type ?.
and password on the remote authentication server. For more information about authentication modes and parameters, see the Security Configuration Guide. Keep the username and password in a safe place.
The following table lists modem login configurations for different authentication modes (Authentication mode / Configuration / Remarks):
• None: Configure not to authenticate users. For more information, see “Configuring none authentication for modem login.”
• Password:
• Enter system view: system-view.
• Enter one or more AUX user interface views: user-interface aux first-number [ last-number ].
• Specify the none authentication mode: authentication-mode none. Required. By default, users that log in through the console port are not authenticated.
• Configure common settings for modem login: Optional. See “Configuring common settings for modem login (optional).”
• Enter system view: system-view.
• Enter one or more AUX user interface views: user-interface aux first-number [ last-number ].
• Specify the password authentication mode: authentication-mode password. Required. By default, the authentication mode is none for modem users.
• Set the local password: set authentication password { cipher | simple } password. Required. By default, no local password is set.
Configuration procedure
Follow these steps to configure scheme authentication for modem login:
• Enter system view: system-view.
• Enter AUX user interface view: user-interface aux first-number [ last-number ].
• Specify the scheme authentication mode: authentication-mode scheme. Required. Whether local, RADIUS, or HWTACACS authentication is adopted depends on the configured AAA scheme.
• Enable command accounting: command accounting. Optional. By default, command accounting is disabled, and the accounting server does not record the commands executed by users. Command accounting allows the HWTACACS server to record all executed commands that are supported by the device, regardless of the command execution result. This helps control and monitor user operations on the device.
• Specify the service type for the local user: service-type terminal. Required. By default, no service type is specified.
• Configure common settings for modem login: Optional. See “Configuring common settings for modem login (optional).”
Figure 26 Configuration page
Configuring common settings for modem login (optional)
Follow these steps to configure common settings for modem login:
• Enter system view: system-view.
• Enable display of copyright information: copyright-info enable. Optional. Enabled by default.
• Enter one or more AUX user interface views: user-interface aux first-number [ last-number ].
• Configure the data bits: databits { 5 | 6 | 7 | 8 }. Optional. By default, the data bits is 8. Data bits is the number of bits representing one character. The setting depends on the content to be transmitted: for example, set it to 7 if standard ASCII characters are to be sent, and to 8 if extended ASCII characters are to be sent.
• Define a shortcut key for starting a session: activation-key character. Optional.
• Set the idle-timeout timer: idle-timeout minutes [ seconds ]. Optional. The default idle-timeout is 10 minutes. The system automatically terminates the user's connection if no interaction occurs between the device and the user within the idle-timeout time. Setting idle-timeout to 0 disables the timer.
CAUTION:
• The common settings configured for console login take effect immediately.
• Release a specified user interface: free user-interface { num1 | { aux | vty } num2 }. Available in user view. Multiple users can log in to the system to configure the device simultaneously. When the administrator wants to make configurations without interruption from users that have logged in through other user interfaces, the administrator can execute this command to release the connections established on the specified user interfaces.
Web login Web login overview The device provides a built-in web server that enables you to log in to the web interface of the device from a PC. Web login is disabled by default.
• Configure the HTTP service port number: ip http port port-number. Optional. 80 by default. If you execute the command multiple times, the last one takes effect.
• Associate the HTTP service with an ACL: ip http acl acl-number. Optional. By default, the HTTP service is not associated with any ACL. Associating the HTTP service with an ACL allows only the clients permitted by the ACL to access the device.
• Configure PKI and SSL related features: Required. By default, PKI and SSL are not configured. For more information about PKI and SSL, see the Security Configuration Guide.
• Associate the HTTPS service with an SSL server policy: Required. By default, the HTTPS service is not associated with any SSL server policy.
• Associate the HTTPS service with a certificate attribute-based access control policy: Optional. By default, the HTTPS service is not associated with any certificate-based attribute access control policy. Associating the HTTPS service with a certificate attribute-based access control policy enables the device to control the access rights of clients.
Displaying and maintaining web login
• Display information about web users: display web users [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Display HTTP state information: display ip http [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Display HTTPS state information: display ip https [ | { begin | exclude | include } regular-expression ]. Available in any view.
Web login example
HTTP login example
Network requi
Figure 28 Web login page # Type the user name, password, verify code, select English, and click Login. The homepage appears. After login, you can configure device settings through the web interface. HTTPS login example Network requirements As shown in Figure 29, to prevent unauthorized users from accessing the Device, configure HTTPS login as follows: • Configure the Device as the HTTPS server, and request a certificate for it. • The Host acts as the HTTPS client. Request a certificate for it.
Configuration procedure 1. Configure the device that acts as the HTTPS server # Configure a PKI entity, configure the common name of the entity as http-server1, and the FQDN of the entity as ssl.security.com. system-view [Device] pki entity en [Device-pki-entity-en] common-name http-server1 [Device-pki-entity-en] fqdn ssl.security.com [Device-pki-entity-en] quit # Create a PKI domain, specify the trusted CA as new-ca, the URL of the server for certificate request as http://10.1.2.
# Enable the HTTPS service.
[Device] ip https enable
# Create a local user named usera, set the password to 123 for the user, and specify the Telnet service type for the local user.
[Device] local-user usera
[Device-luser-usera] password simple 123
[Device-luser-usera] service-type telnet
The simple keyword stores the password in plain text in the configuration file; the cipher keyword (used in the FTP server example later in this guide) stores it as cipher text instead, and the password itself should be considerably stronger than the illustrative value used here.
2. Configure the host that acts as the HTTPS client
On the host, run the IE browser. In the address bar, enter http://10.1.2.2/certsrv and request a certificate for the host as prompted.
3.
NMS login NMS login overview An NMS runs the SNMP client software. It offers a user-friendly interface to facilitate network management. An agent is a program that resides in the device. It receives and handles requests from the NMS. An NMS is a manager in an SNMP enabled network, whereas agents are managed by the NMS. The NMS and agents exchange information through the SNMP protocol. The device supports multiple NMS programs, such as iMC and CAMS. By default, you cannot log in to the device through NMS.
• Add a user to the SNMP group: snmp-agent usm-user v3 user-name group-name [ [ cipher ] authentication-mode { md5 | sha } auth-password [ privacy-mode { 3des | aes128 | des56 } priv-password ] ] [ acl acl-number ]. Required. If the cipher keyword is specified, both auth-password and priv-password are cipher text passwords. Of the available algorithms, sha and aes128 are the ones to use for a management interface; md5 and des56 are weak by current standards.
# Enter system view.
system-view
# Enable the SNMP agent.
[Sysname] snmp-agent
# Configure an SNMP group.
[Sysname] snmp-agent group v3 managev3group read-view test write-view test
# Add a user to the SNMP group.
[Sysname] snmp-agent usm-user v3 managev3user managev3group
Neither the group nor the user in this example is configured for authentication or privacy, so the NMS and the agent communicate in noAuthNoPriv mode: SNMPv3 messages are neither authenticated nor encrypted, and write-view test grants such unauthenticated requests write access. For production use, configure the group and the user for authentication and privacy (the authentication-mode and privacy-mode options of the user command) and configure the same settings on the NMS.
2. Configuration on the NMS
On the PC, start the browser. In the address bar, enter http://192.168.20.107:8080/imc, where 192.168.20.107 is the IP address of the iMC.
Figure 32 iMC homepage Log in to the iMC and configure SNMP settings for the iMC to find the device. After the device is found, you can manage and maintain the device through the iMC. For example, you can query device information or configure device parameters. The SNMP settings on the iMC must be the same as those configured on the device. If not, the device cannot be found or managed by the iMC. See the iMC manuals for more information.
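The authentication and privacy passwords configured with the usm-user command are never sent on the wire. SNMPv3 (RFC 3414) hashes each password into a key and then localizes that key with the agent's engine ID, which is why the NMS must be configured with the same password as the device and why a user created without authentication-mode has no key at all. The following Python script is an added example, not code from HP or from this guide: it implements the RFC 3414 password-to-key and key-localization steps and the 96-bit HMAC that carries message authentication, and it reproduces the test vectors published in RFC 3414 A.3. The password maplesyrup and the engine ID are the RFC's test values; the sample message is constructed.

```python
import hashlib
import hmac

# RFC 3414 A.2: the password is expanded to exactly 1 MiB by repetition
# before it is hashed once.
_EXPANDED_LEN = 1048576
_HASHES = {"md5": hashlib.md5, "sha": hashlib.sha1}
# HMAC-MD5-96 and HMAC-SHA-96 both truncate the MAC to 12 octets.
_MAC_LEN = 12


def password_to_key(password: bytes, algorithm: str) -> bytes:
    """Ku: the user's key before it is tied to any particular agent."""
    if not password:
        raise ValueError("empty password")
    reps, rem = divmod(_EXPANDED_LEN, len(password))
    return _HASHES[algorithm](password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, algorithm: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku). The result differs per agent, so a
    key recovered from one agent does not work against the others."""
    return _HASHES[algorithm](ku + engine_id + ku).digest()


def localized_key(password: bytes, engine_id: bytes, algorithm: str) -> bytes:
    """What both the agent and the NMS derive from the configured password."""
    return localize_key(password_to_key(password, algorithm), engine_id, algorithm)


def auth_parameters(kul: bytes, whole_msg: bytes, algorithm: str) -> bytes:
    """msgAuthenticationParameters for an outgoing message. `whole_msg` is
    the serialized message with this 12-octet field set to zeros."""
    return hmac.new(kul, whole_msg, _HASHES[algorithm]).digest()[:_MAC_LEN]


def verify_auth(kul: bytes, whole_msg: bytes, received: bytes, algorithm: str) -> bool:
    """Constant-time check the agent performs on an authenticated request."""
    return hmac.compare_digest(auth_parameters(kul, whole_msg, algorithm), received)


# Test values from RFC 3414 A.3 (not a real agent's engine ID).
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")

if __name__ == "__main__":
    for alg in ("md5", "sha"):
        print(alg, localized_key(RFC_PASSWORD, RFC_ENGINE_ID, alg).hex())
```

The engine ID of a real agent is shown by display snmp-agent local-engineid; an NMS that holds the password recomputes Kul for every agent it manages, so changing an engine ID invalidates the keys the NMS has cached.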
User login control User login control methods The device provides the following login control methods.
• Enter user interface view: user-interface [ type ] first-number [ last-number ].
• Use the ACL to control user login by source IP address: acl [ ipv6 ] acl-number { inbound | outbound }. Required. inbound: Filters incoming Telnet packets. outbound: Filters outgoing Telnet packets.
• Create an Ethernet frame header ACL and enter its view: acl number acl-number [ match-order { config | auto } ]. Required. By default, no Ethernet frame header ACL exists.
• Configure rules for the ACL: rule [ rule-id ] { permit | deny } rule-string. Required.
• Exit the Ethernet frame header ACL view: quit.
• Enter user interface view: user-interface [ type ] first-number [ last-number ].
• Use the ACL to control user login by source MAC address: acl acl-number inbound. Required.
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] acl 2000 inbound
Configuring source IP-based login control over NMS users
You can log in to the NMS to remotely manage the devices. SNMP is used for communication between the NMS and the agent that resides in the device. By using an ACL, you can control SNMP user access to the device.
Configuration preparation
Before configuration, determine the permitted or denied source IP addresses.
• Associate the user with the ACL: snmp-agent usm-user { v1 | v2c } user-name group-name [ acl acl-number ], or snmp-agent usm-user v3 user-name group-name [ [ cipher ] authentication-mode { md5 | sha } auth-password [ privacy-mode { 3des | aes128 | des56 } priv-password ] ] [ acl acl-number ].
Source IP-based login control over NMS users configuration example
Network requirements
As shown in Figure 34, configure the device to allow only NMS users from Host A and Host B to acces
Configuring source IP-based login control over web users You can log in to the web management page of the device through HTTP/HTTPS to remotely manage the devices. By using the ACL, you can control web user access to the device. Configuration preparation Before configuration, determine the permitted or denied source IP addresses.
Source IP-based login control over web users configuration example
Network requirements
As shown in Figure 35, configure the device to allow only web users from Host B to access.
Figure 35 Network diagram for configuring source IP-based login control
Configuration procedure
# Create ACL 2030, and configure rule 1 to permit packets sourced from Host B.
system-view
[Sysname] acl number 2030 match-order config
[Sysname-acl-basic-2030] rule 1 permit source 10.110.100.
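The switch evaluates the ACLs in the Telnet, SNMP and web login procedures above, but before applying an ACL to a login path it is worth checking which rule wins for a given source address, especially when the match-order keyword is involved. The following Python evaluator is an added example and not code from HP or from this guide. It parses basic ACL rules in the syntax shown on the switch (rule, permit or deny, source with a Comware-style wildcard mask), evaluates a source address in config order (by rule number) or auto order (depth-first, approximated here as the rule with the fewest wildcard bits first), and reports whether login would be permitted. The rules and the host address 10.110.100.52 are constructed; the guide does not state what the switch does with a packet that matches no rule, so that default is a parameter.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class BasicRule:
    """One rule of a basic IPv4 ACL as written on the switch."""
    rule_id: int
    action: str             # "permit" or "deny"
    source: Optional[int]   # None means "source any"
    wildcard: int           # Comware wildcard mask: a 1 bit means "don't care"

    @property
    def wildcard_bits(self) -> int:
        return bin(self.wildcard).count("1")

    def matches(self, ip: str) -> bool:
        if self.source is None:
            return True
        addr = int(ipaddress.IPv4Address(ip))
        # Only the bits the wildcard does not cover have to agree.
        return ((addr ^ self.source) & ~self.wildcard & 0xFFFFFFFF) == 0


def parse_rule(line: str) -> BasicRule:
    """Parse 'rule <id> {permit|deny} source {any | <ip> <wildcard>}'.

    A wildcard written as a bare 0 means 0.0.0.0 (this host only), the
    shorthand the CLI accepts.
    """
    tok = line.split()
    if len(tok) < 5 or tok[0] != "rule" or tok[3] != "source":
        raise ValueError(f"unsupported rule syntax: {line!r}")
    rule_id, action = int(tok[1]), tok[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in {line!r}")
    if tok[4] == "any":
        return BasicRule(rule_id, action, None, 0xFFFFFFFF)
    wildcard = tok[5] if len(tok) > 5 else "0"
    if wildcard == "0":
        wildcard = "0.0.0.0"
    return BasicRule(rule_id, action,
                     int(ipaddress.IPv4Address(tok[4])),
                     int(ipaddress.IPv4Address(wildcard)))


def ordered(rules: List[BasicRule], match_order: str) -> List[BasicRule]:
    """config: rules in the order of their numbers.
    auto: depth-first, approximated as most specific source first."""
    if match_order == "config":
        return sorted(rules, key=lambda r: r.rule_id)
    if match_order == "auto":
        return sorted(rules, key=lambda r: (r.wildcard_bits, r.rule_id))
    raise ValueError(f"unknown match-order {match_order!r}")


def evaluate(rules: List[BasicRule], ip: str, match_order: str = "config") -> Optional[str]:
    """Action of the first matching rule, or None when nothing matches."""
    for rule in ordered(rules, match_order):
        if rule.matches(ip):
            return rule.action
    return None


def login_allowed(rules: List[BasicRule], ip: str,
                  match_order: str = "config", default: str = "deny") -> bool:
    """`default` (an assumption, not documented in the guide) is applied
    when no rule matches the source address."""
    return (evaluate(rules, ip, match_order) or default) == "permit"


# Constructed rules in the syntax of the web login example above.
HOST_B_RULES = [
    parse_rule("rule 1 permit source 10.110.100.52 0"),
    parse_rule("rule 2 deny source any"),
]

# Constructed rules where the match order changes the outcome: the broad
# deny has the lower rule number, the host permit the higher one.
OVERLAP_RULES = [
    parse_rule("rule 5 deny source 10.110.100.0 0.0.0.255"),
    parse_rule("rule 10 permit source 10.110.100.52 0"),
]

if __name__ == "__main__":
    for order in ("config", "auto"):
        print(order, evaluate(OVERLAP_RULES, "10.110.100.52", order))
```

With OVERLAP_RULES the same source address is denied under match-order config and permitted under match-order auto, which is exactly the kind of surprise that locks an administrator out of a VTY; run the candidate rule set through the evaluator with the addresses of the management hosts before applying it with the acl inbound command.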
FTP configuration
FTP overview
Introduction to FTP
The File Transfer Protocol (FTP) is an application layer protocol for sharing files between server and client over a TCP/IP network. FTP uses TCP port 21 for the control connection, over which commands and replies are exchanged, and a separate TCP connection for each data transfer. In active mode the server opens the data connection from port 20; in passive mode (the default for the FTP client on this switch) the server listens on a port that it announces in its 227 reply and the client connects to it. FTP sends user names, passwords, commands, and file contents in clear text, so restrict it with an ACL and use it only on management networks that are otherwise protected. For more information about FTP basic operations, see RFC 959.
FTP transfers files in the following modes:
• Binary mode: Transfers files as raw data, such as .app, .bin, and .btm files.
Table 9 Configuration when the device serves as the FTP server
Device (FTP server):
• Enable the FTP server function. Disabled by default. You can use the display ftp-server command to view the FTP server configuration on the device.
• Configure authentication and authorization: configure the username, password, and authorized directory for an FTP user. The device does not support anonymous FTP for security reasons. You must set a valid username and password.
PC (FTP client)
• If you use the ftp client source command and the ftp command to specify a source address respectively, the source address specified with the ftp command is used to communicate with an FTP server. • The source address specified with the ftp client source command is valid for all FTP connections and the source address specified with the ftp command is valid only for the current FTP connection.
Follow these steps to operate the directories on an FTP server:
• Display detailed information about a directory or file on the remote FTP server: dir [ remotefile [ localfile ] ]. Optional.
• Query a directory or file on the remote FTP server: ls [ remotefile [ localfile ] ]. Optional.
• Change the working directory of the remote FTP server: cd { directory | ..
• Set the file transfer mode to binary: binary. Optional. ASCII by default.
• Set the data transmission mode to passive: passive. Optional. Passive by default.
• Display the local working directory of the FTP client: lcd. Optional.
• Upload a file to the FTP server: put localfile [ remotefile ]. Optional.
• Download a file from the FTP server: get remotefile [ localfile ]. Optional.
• Terminate the connection to the FTP server without exiting FTP client view: disconnect. Optional. Equal to the close command.
• Terminate the connection to the FTP server without exiting FTP client view: close. Optional. Equal to the disconnect command.
• Terminate the connection to the FTP server and return to user view: bye. Optional. Equal to the quit command in FTP client view.
• Terminate the connection to the FTP server and return to user view: quit. Optional. Equal to the bye command in FTP client view.
230 Logged in successfully
# Set the file transfer mode to binary to transmit the system software image file.
[ftp] binary
200 Type set to I.
# Download the system software image file newest.bin from the PC to the device.
[ftp] get newest.bin
# Upload the configuration file config.cfg of the device to the server for backup.
[ftp] ascii
[ftp] put config.cfg back-config.cfg
227 Entering Passive Mode (10,1,1,1,4,2).
125 ASCII mode data connection already open, transfer starting for /config.cfg.
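The 227 reply in the session above tells the client where to open the data connection: the six numbers are the server's IPv4 address followed by the data port as high byte and low byte, so (10,1,1,1,4,2) means 10.1.1.1, port 4*256+2 = 1026. The Python helper below is an added example, not code from HP or from this guide. It parses such replies, builds the corresponding PORT command that an active-mode client would send, and refuses a reply whose announced host differs from the address the control connection was opened to, because a server, or anyone able to alter the clear-text control channel, could otherwise redirect the data connection to a third host. The sample reply is the one shown above; the control peer address and the mismatched address 192.0.2.9 are constructed.

```python
import re
from typing import Tuple

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; the wording between the
# reply code and the parentheses varies between servers.
_PASV_RE = re.compile(
    r"^227\D.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Host and port announced in a 227 reply; port = p1*256 + p2."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a usable 227 reply: {reply!r}")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"value out of range in {reply!r}")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("server announced port 0")
    return host, port


def port_command(host: str, port: int) -> str:
    """Inverse encoding: what an active-mode client sends so that the
    server connects back from its port 20."""
    octets = host.split(".")
    if len(octets) != 4 or not 0 < port <= 0xFFFF:
        raise ValueError("bad host or port")
    return "PORT " + ",".join(octets + [str(port // 256), str(port % 256)])


def passive_endpoint(reply: str, control_peer: str,
                     trust_announced_host: bool = False) -> Tuple[str, int]:
    """Where to open the data connection. Unless the caller opts in, the
    announced host must be the one the control connection already goes
    to; the port is still taken from the reply."""
    host, port = parse_pasv(reply)
    if host != control_peer and not trust_announced_host:
        raise ValueError(
            f"227 reply names {host}, control connection is to {control_peer}")
    return host, port


if __name__ == "__main__":
    print(passive_endpoint("227 Entering Passive Mode (10,1,1,1,4,2).", "10.1.1.1"))
```

The same check matters for the switch acting as FTP server behind address translation: a server that announces its private address in the 227 reply produces exactly the mismatch this helper rejects, which is why such setups usually need the client's explicit opt-in rather than a silently accepted redirect.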
• Use an ACL to control FTP clients' access to the switch: ftp server acl acl-number. Optional. By default, no ACL is used to control FTP clients' access to the switch.
Optional. 30 minutes by default.
• Configure user properties: authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | level level | user-profile profile-name | user-role security-audit | vlan vlan-id | work-directory directory-name } *. Optional. By default, FTP/SFTP users can access the root directory of the switch, and the user level is 0. You can change the default configuration by using this command. Because the root directory holds the startup configuration file and the system software images, give an FTP user a work-directory below the root and the lowest level that still allows the intended transfers.
# Check files on your device. Remove those redundant to ensure adequate space for the system software image file to be uploaded.
dir
Directory of flash:/
   0 drw-         -  Dec 07 2005 10:00:57   filename
   1 drw-         -  Jan 02 2006 14:27:51   logfile
   2 -rw-      1216  Jan 02 2006 14:28:59   config.cfg
   3 -rw-      1216  Jan 02 2006 16:27:26   back.cfg

14986 KB total (2511 KB free)
delete /unreserved flash:/back.cfg
2. Configure the PC (FTP Client)
# Log in to the FTP server through FTP.
c:\> ftp 1.1.
Displaying and maintaining FTP
• Display the configuration of the FTP client: display ftp client configuration [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Display the configuration of the FTP server: display ftp-server [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Display detailed information about logged-in FTP users: display ftp-user [ | { begin | exclude | include } regular-expression ]. Available in any view.
TFTP configuration
TFTP overview
Introduction to TFTP
The Trivial File Transfer Protocol (TFTP) provides functions similar to those provided by FTP, but it is less complex than FTP in interactive access interface and authentication. It is more suitable in environments where complex interaction is not needed between client and server. TFTP runs over UDP. The client sends its read or write request to UDP port 69 on the server; the server answers from a freshly chosen port, and the rest of the transfer runs between that port and the client's port. TFTP has no authentication at all: any host that can reach the server can request any file its working directory exposes, so keep TFTP servers on protected management networks and remove image and configuration files from them after use. For more information about TFTP basic operation, see RFC 1350. In TFTP, file transfer is initiated by the client.
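To see what actually crosses the wire in a TFTP transfer, and where the server's only protective check belongs, the following Python module is an added example, not code from HP or from this guide. It encodes and decodes the five RFC 1350 packet types, reassembles a download and detects its end by the short final block (including the empty final block a file whose size is a multiple of 512 bytes needs), and shows the server-side path check that keeps a request such as ../etc/passwd inside the working directory. The file names and contents are constructed; the root directory /tftpboot is an assumed value.

```python
import posixpath
import struct
from typing import Dict, List, Tuple

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512   # RFC 1350 block size; a shorter DATA block ends the transfer
TFTP_PORT = 69     # only the initial RRQ/WRQ goes here; data uses a fresh port


def build_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    """RRQ/WRQ: opcode, filename, NUL, mode, NUL. There is no credential field."""
    if opcode not in (RRQ, WRQ):
        raise ValueError("opcode must be RRQ or WRQ")
    return (struct.pack("!H", opcode) + filename.encode("ascii") + b"\0"
            + mode.encode("ascii") + b"\0")


def build_data(block: int, payload: bytes) -> bytes:
    if not 0 <= block <= 0xFFFF or len(payload) > BLOCK_SIZE:
        raise ValueError("bad block number or payload longer than a block")
    return struct.pack("!HH", DATA, block) + payload


def build_ack(block: int) -> bytes:
    return struct.pack("!HH", ACK, block)


def build_error(code: int, message: str) -> bytes:
    return struct.pack("!HH", ERROR, code) + message.encode("ascii") + b"\0"


def parse_packet(pkt: bytes) -> Tuple[int, Dict]:
    """Decode any of the five packet types into (opcode, fields)."""
    if len(pkt) < 4:
        raise ValueError("packet too short")
    opcode = struct.unpack("!H", pkt[:2])[0]
    if opcode in (RRQ, WRQ):
        parts = pkt[2:].split(b"\0")
        if len(parts) < 3:          # filename, mode, and the trailing NUL
            raise ValueError("malformed request")
        return opcode, {"filename": parts[0].decode("ascii"),
                        "mode": parts[1].decode("ascii").lower()}
    number = struct.unpack("!H", pkt[2:4])[0]
    if opcode == DATA:
        return opcode, {"block": number, "data": pkt[4:],
                        "last": len(pkt) - 4 < BLOCK_SIZE}
    if opcode == ACK:
        return opcode, {"block": number}
    if opcode == ERROR:
        return opcode, {"code": number,
                        "message": pkt[4:].split(b"\0")[0].decode("ascii", "replace")}
    raise ValueError(f"unknown opcode {opcode}")


def split_into_data_packets(content: bytes) -> List[bytes]:
    """What a server sends for `content`, including the empty final block
    that a file whose size is a multiple of 512 needs."""
    packets, block = [], 1
    for i in range(0, len(content), BLOCK_SIZE):
        packets.append(build_data(block, content[i:i + BLOCK_SIZE]))
        block += 1
    if len(content) % BLOCK_SIZE == 0:
        packets.append(build_data(block, b""))
    return packets


def assemble(data_packets: List[bytes]) -> bytes:
    """Client-side reassembly: blocks must arrive in sequence, and the
    transfer is complete only when a block shorter than 512 bytes is seen."""
    out, expected = bytearray(), 1
    for pkt in data_packets:
        opcode, fields = parse_packet(pkt)
        if opcode != DATA or fields["block"] != expected:
            raise ValueError(f"expected DATA block {expected}")
        out += fields["data"]
        if fields["last"]:
            return bytes(out)
        expected += 1
    raise ValueError("transfer incomplete: no short final block received")


def resolve_in_root(root: str, filename: str) -> str:
    """Server-side check. TFTP authenticates nobody, so the working
    directory boundary is all that stands between a client and the file
    system; reject any name that normalizes to a path outside it."""
    root = posixpath.normpath(root)
    target = posixpath.normpath(posixpath.join(root, filename))
    if target == root or not target.startswith(root.rstrip("/") + "/"):
        raise ValueError(f"{filename!r} escapes {root!r}")
    return target


# Constructed image content: 1028 bytes, so it travels as 512 + 512 + 4.
SAMPLE_IMAGE = bytes(range(256)) * 4 + b"tail"

if __name__ == "__main__":
    print(build_request(RRQ, "newest.bin"))
    print(len(assemble(split_into_data_packets(SAMPLE_IMAGE))), "bytes received")
```

A TFTP server on a PC that skips the resolve_in_root step serves whatever path a client names, and since the guide's procedures place system images and saved configurations in that directory, an unrestricted server exposes both to anyone on the network.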
Table 10 Configuration when the device serves as the TFTP client
Device (TFTP client):
• Configure the IP address and routing function, and ensure that the route between the device and the TFTP server is available.
• Use the tftp command to establish a connection to the remote TFTP server to upload/download files to/from the TFTP server.
PC (TFTP server): Enable the TFTP server on the PC, and configure the TFTP working directory.
• Configure the source address of the TFTP client: tftp client source { interface interface-type interface-number | ip source-ip-address }. Optional. By default, a device uses the source address determined by the matched route to communicate with the TFTP server.
Configuration procedure
1. Configure the PC (TFTP Server). The detailed configuration procedure is omitted.
• On the PC, enable the TFTP server.
• Configure a TFTP working directory.
2. Configure the device (TFTP Client)
CAUTION: If the available storage space of the device is not enough, use the fixdisk command to restore space that has become inaccessible, or use the delete /unreserved file-url command to delete the files not in use, and then perform the following operations.
# Enter system view.
File management
Managing files
Files such as host software and configuration files that are necessary for the operation of the device are saved in the storage media of the device. You can manage files on your device through these operations:
• Performing directory operations
• Performing file operations
• Performing batch operations
• Performing storage medium operations
• Setting prompt modes
Displaying directory information
• Display directory or file information: dir [ /all ] [ file-url ]. Required. Available in user view.
Displaying the current working directory
• Display the current working directory: pwd. Required. Available in user view.
Changing the current working directory
• Change the current working directory: cd { directory | ..
NOTE: You can create a file by copying, downloading or using the save command.
Displaying file information
• Display file or directory information: dir [ /all ] [ file-url ]. Required. Available in user view.
Displaying the contents of a file
• Display the contents of a file: more file-url. Required. Only text files can be displayed.
CAUTION: • The files in the recycle bin still occupy storage space. To delete a file in the recycle bin, execute the reset recycle-bin command in the directory to which the file originally belongs. HP recommends you to empty the recycle bin periodically with the reset recycle-bin command to save storage space. • The delete /unreserved file-url command deletes a file permanently and the action cannot be undone.
Performing storage medium operations Managing the space of a storage medium When the space of a storage medium becomes inaccessible due to abnormal operations, you can use the fixdisk command to restore it. The execution of the format command formats the storage medium, and all the data on the storage medium is deleted.
   1 -rw-      1218  Feb 16 2006 11:46:19   config.cfg
   2 drw-         -  Feb 16 2006 15:20:27   test
   3 -rw-    184108  Feb 16 2006 15:30:20   aaa.bin

14986 KB total (2521 KB free)
# Create a new folder mytest in the test directory.
cd test
mkdir mytest
%Created dir flash:/test/mytest.
# Display the current working directory.
pwd
flash:/test
# Display the files and the subdirectories in the test directory.
Configuration file management Configuration file overview A configuration file contains a set of commands. You can save the current configuration to a configuration file so that the configuration can take effect after a switch reboot. In addition, you can conveniently view the configuration information, or upload and download the configuration file to/from another switch to configure switches in batches.
Coexistence of multiple configuration files The switch can save multiple configuration files on its storage media. You can save the configurations used in different networking environments as different configuration files. When the switch moves between networking environments, specify the configuration file as the startup configuration file of the switch and then restart the switch. Multiple configuration files allow the switch to adapt to a network rapidly, saving the configuration workload.
The fast saving mode is suitable for environments where the power supply is stable. The safe mode is preferred in environments where a stable power supply is unavailable or remote maintenance is involved.
When you enter the configuration replace file command, the system compares the running configuration and the specified replacement configuration file. The configuration replace file command performs the following actions: • Preserves all commands present in both the replacement configuration file and the running configuration. • Removes commands from the running configuration that are not present in the replacement configuration file.
• Set the maximum number of configuration files that can be saved: archive configuration max file-number. Optional. The default number is 5.
NOTE:
• If the undo archive configuration location command is executed, the running configuration can no longer be saved either manually or automatically, the settings made with the archive configuration interval and archive configuration max commands are restored to their defaults, and the saved configuration files are cleared.
• Manually save the running configuration: archive configuration. Required. Available in user view.
NOTE: Specify the path and filename prefix of the saved configuration files before you manually save the running configuration; otherwise, the operation fails.
• Specify a startup configuration file to be used at the next startup: startup saved-configuration cfgfile [ backup | main ]. Required. Available in user view.
CAUTION: A configuration file must use .cfg as its extension, and the startup configuration file must be saved in the root directory of the storage medium.
• Delete a startup configuration file to be used at the next startup from the storage media: reset saved-configuration [ backup | main ]. Required. Available in user view.
CAUTION: This command permanently deletes the startup configuration files to be used at the next startup from the switch. Use the command with caution.
• Display the configuration files used at this and the next system startup: display startup [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Display the valid configuration under the current view: display this [ by-linenum ] [ | { begin | exclude | include } regular-expression ]. Available in any view.
Software upgrade configuration
Switch software overview
Switch software includes the Boot ROM and the system software images. After being powered on, the device runs the Boot ROM image, initializes the hardware, and displays the hardware information. Then the device runs the system software image, which provides drivers and adaptation for hardware, and implements service features. The Boot ROM and system software images are required for the startup and running of a device.
Upgrade method / Upgrade object / Description
• Upgrading system software through a system reboot (upgrade object: system software): upgrade process, and is not recommended.
• Software upgrade by installing hotfixes (upgrade object: system software): Hotfix is a fast, cost-effective method to repair software defects of a switch. Compared with a software version upgrade, a hotfix can upgrade the software without interrupting the running services of the switch.
Upgrading system software through a system reboot
Follow these steps to upgrade system software through a system reboot:
• Save the system software image to the root directory of the Flash of the switch by using FTP, TFTP, or other approaches. Required. After the transfer, compare the size that dir reports for the image with the size of the file you uploaded; an image truncated by an interrupted transfer will not boot.
Common patch and temporary patch • Common patches are those formally released through the version release flow. • Temporary patches are those not formally released through the version release flow, but temporarily provided to solve the emergent problems. Common patches always include the functions of the previous temporary patches so as to replace them. The patch type only affects the patch loading process. The system deletes all of the temporary patches before it loads the common patch.
Figure 43 Patches are not loaded to the memory patch area (Patch 1 through Patch 8 are all IDLE; the memory patch area is empty)
NOTE: The memory patch area supports up to 200 patches.
DEACTIVE state
Patches in the DEACTIVE state have been loaded to the memory patch area but have not run in the system yet. Suppose that the patch file to be loaded has seven patches.
Figure 45 Patches are activated (Patch 1 through Patch 5 are ACTIVE and Patch 6 and Patch 7 are DEACTIVE in the memory patch area; Patch 8 is IDLE)
RUNNING state
After you confirm that the ACTIVE patches are running, their state becomes RUNNING, and they stay in the RUNNING state after a system reboot. For the five patches in Figure 45, if you confirm that the first three patches are running, their states change from ACTIVE to RUNNING.
on the PATCH-FLAG. If there is a match, the system loads patches to or installs them on the memory patch area. The following table describes the default patch name for the switch series.
PATCH-FLAG: PATCH-311. Default patch name: patch_311.bin.
One-step patch installation
To install patches in one step, use the patch install command.
• Activate the specified patches: patch active patch-number slot slot-number. Required. After you activate a patch, the patch takes effect and is in the test-run stage. After the switch is reset or rebooted, the patch becomes invalid. If you find that an ACTIVE patch has a problem, reboot the switch to deactivate the patch, so as to avoid a series of running faults resulting from the patch error.
Displaying and maintaining the software upgrade
• Display information about system software: display boot-loader [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Display the patch information: display patch information [ | { begin | exclude | include } regular-expression ]. Available in any view.
Software upgrade configuration examples
Scheduled upgrade configuration example
Network requirement
• As shown in Figure 47, the
[FTP-Server] local-user aaa
[FTP-Server-luser-aaa] password cipher hello
[FTP-Server-luser-aaa] service-type ftp
[FTP-Server-luser-aaa] authorization-attribute work-directory flash:/aaa
• Use a text editor on the FTP server to edit the batch file auto-update.txt. The following is the content of the batch file:
return
startup saved-configuration new-config.cfg
boot-loader file soft-version2.bin slot 1 main
reboot
2. Configure Device
# Log in to the FTP server (The prompt may vary with servers.
Hotfix configuration example Network requirements • As shown in Figure 48, the software running on Device is having problems, and a hotfix is needed. • The patch file patch_311.bin is saved on the TFTP server. • The IP address of Device is 1.1.1.1/24, and IP address of TFTP Server is 2.2.2.2/24. Device and TFTP server can reach each other. Figure 48 Network diagram of hotfix configuration Configuration procedure 1. Configure TFTP Server.
Device management
Device management includes monitoring the operating status of devices and configuring their running parameters.
NOTE: The configuration tasks in this document are order independent. You can perform these tasks in any order.
Configuring the device name
A device name identifies a device in a network and works as the user view prompt at the CLI. For example, if the device name is Sysname, the user view prompt is <Sysname>.
Commands 1 and 2, in either order (1, 2 or 2, 1):
• Effective system time: date-time ± zone-offset.
• Configuration example: clock datetime 2:00 2007/2/2, then clock timezone zone-time add 1; or clock timezone zone-time add 1, then clock datetime 3:00 2007/3/3.
• If the original system time is outside the daylight saving time range, the system time does not change until it falls into the daylight saving time range.
Commands 3, 1 (date-time in the daylight saving time range):
• If date-time – summer-offset is outside the daylight saving time range, the effective system time is date-time – summer-offset. Configuration example: clock summer-time ss one-off 1:00 1:00 2007/1/1 2007/8/8 2, then clock datetime 1:30 2007/1/1; the resulting system time is 23:30:00 UTC Sun 12/31/2006.
• If date-time – summer-offset is in the daylight saving time range, the effective system time is date-time. Configuration example: clock summer-time ss one-off 1:00 1:00 2007/1/1 2007/8/8 2, then clock datetime 3:00 2007/1/1.
Original system
Commands clock timezone, clock summer-time, and clock datetime (date-time in the daylight saving time range):
• If date-time – summer-offset is outside the summer-time range, the effective system time is date-time – summer-offset. Configuration example: clock timezone zone-time add 1, clock summer-time ss one-off 1:00 1:00 2008/1/1 2008/8/8 2, then clock datetime 1:30 2008/1/1; the resulting system time is 23:30:00 zone-time Mon 12/31/2007.
• If both date-time and date-time – summer-offset are in the daylight saving time range, the effective system time is date-time. Configuration example: clock timezone zone-time add 1, then clock summer-time ss one-off 1:
• Enter system view: system-view.
• Enable displaying the copyright statement: copyright-info enable. Optional. Enabled by default.
Configuring banners
Introduction to banners
Banners are messages that the system displays when a user connects to the device to perform login authentication, and start interactive configuration.
Configuration procedure
Follow these steps to configure a banner:
• Enter system view: system-view.
• Configure the incoming banner header: incoming text. Optional.
• Configure the login banner header: login text. Optional.
• Configure the legal banner header: legal text. Optional.
• Configure the shell banner header: shell text. Optional.
• Configure the MOTD banner header: motd text. Optional.
Banner configuration examples
# Configure the shell banner as Welcome to HP!.
Rebooting the device You can reboot the device in one of the following ways to recover from an error condition: • Reboot the device immediately at the CLI. • At the CLI, schedule a reboot to occur at a specific time and date or after a delay. • Power off and then re-power on the device. This method might cause data loss and hardware damage, and is the least preferred method. Reboot at the CLI enables easy remote device maintenance. CAUTION: • A reboot can interrupt network services.
Scheduling jobs
You can schedule a job to automatically run a command or a set of commands without administrative interference. The commands in a job are polled every minute. When the scheduled time for a command is reached, the job automatically executes the command. If a confirmation is required while the command is running, the system automatically inputs Y or Yes. Because every confirmation prompt is answered automatically, a job can run commands such as reboot or reset saved-configuration without anyone being asked to confirm them; restrict who can configure jobs and review the scheduled ones with the display job command.
Scheduling a job in the non-modular approach
Perform one of the following commands in user view to schedule a job:
• Schedule a job to run a command at a specific time: schedule job at time [ date ] view view command.
• Schedule a job to run a command after a delay: schedule job delay time view view command.
Use either command. If you change the system time by using the clock datetime, clock summer-time, or clock timezone command after you configure a scheduled job, the job configuration becomes invalid automatically.
To view the Boot ROM accessibility status, use the display startup command. For more information about the display startup command, see the Fundamentals Command Reference.
Follow the step below to disable Boot ROM access:
• Disable Boot ROM access: undo startup bootrom-access enable. Required. By default, Boot ROM access is enabled. Available in user view.
Keep Boot ROM access disabled unless you are about to use the Boot ROM menu: a person with access to the console port during startup can otherwise enter the Boot ROM menu and start the switch without the startup configuration, which bypasses the login passwords that configuration contains.
Configuring the detection timer
Some protocols might shut down ports under specific circumstances.
• Configure temperature alarm thresholds: temperature-limit slot slot-number inflow sensor-number lowerlimit warninglimit [ alarmlimit ]. Optional. By default, the lower temperature limit is 5°C (41°F), the warning temperature threshold is 70°C (158°F), and the alarming temperature threshold is 80°C (176°F). The warning and alarming thresholds must be higher than the lower temperature limit. The alarming threshold must be higher than the warning threshold.
• Display its electronic label. The electronic label is a profile of the transceiver module and contains the permanent configuration including the serial number, manufacturing date, and vendor name. The data is written to the storage component during debugging or testing.
• Display the system time and date: display clock [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Display or save operating statistics for multiple feature modules: display diagnostic-information [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Display CPU usage statistics: display cpu-usage [ slot slot-number [ cpu cpu-number ] ] [ | { begin | exclude | include } regular-expression ]; display cpu-usage entry-number
• Display the device reboot setting: display schedule reboot [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Display the configuration of jobs configured by using the job command: display job [ job-name ] [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Display the exception handling method: display system-failure [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Display the device soft
Automatic configuration Automatic configuration overview Automatic configuration enables a device without any configuration file to automatically obtain and execute a configuration file during startup. Automatic configuration simplifies network configuration, facilitates centralized management, and reduces maintenance workload. To implement automatic configuration, the network administrator saves configuration files on a server and a device automatically obtains and executes a specific configuration file.
How automatic configuration works
Automatic configuration works in the following manner:
1. During startup, the device sets the first up interface as the DHCP client to request parameters from the DHCP server, such as an IP address, the name of a TFTP server, the IP address of a DNS server, and the configuration file name. If up Layer 2 Ethernet interfaces are available, the VLAN interface of the default VLAN of those interfaces is selected as the first up interface.
2.
Using DHCP to obtain an IP address and other configuration information Address acquisition process As mentioned before, a device sets the first up interface as the DHCP client during startup. The DHCP client broadcasts a DHCP request, where the Option 55 field specifies the information that the client wants to obtain from the DHCP server such as the configuration file name, domain name and IP address of the TFTP server, and DNS server IP address.
administrator can Telnet to each device to perform specific configurations (for example, configure the IP address of each interface). • If devices use different configuration files, you need to configure static address pools to ensure that each device can get a fixed IP address and a specific configuration file. With this method, the administrator does not need to perform any other configuration for the devices. NOTE: To configure static address pools, you must obtain client IDs.
Obtaining the configuration file
Figure 51 Obtain the configuration file
The flowchart makes the following decisions in order:
1. Is the configuration file contained in the DHCP response? If yes, obtain that configuration file.
2. If no, obtain the network intermediate file and search it for the domain name corresponding to the IP address; if the address is not found there, resolve the IP address to a domain name through DNS.
3. Obtain the configuration file corresponding to the domain name.
4. If no such file can be obtained, obtain the default configuration file.
5. If that also fails, remove the temporary configurations and execut
NOTE: After broadcasting a TFTP request, the device selects the TFTP server that responds first to obtain the configuration file. If the requested configuration file does not exist on the TFTP server, the request operation fails, and the device removes the temporary configuration and starts up with factory defaults. Because the first responder wins and TFTP offers no authentication, any host on the same broadcast domain that answers faster than the intended server can supply the configuration the device will execute; use automatic configuration only on segments where every host is trusted.
Executing the configuration file
After obtaining the configuration file, the device removes the temporary configuration and executes the configuration file.
Support and other resources Contacting HP For worldwide technical support information, see the HP support website: http://www.hp.
Conventions This section describes the conventions used in this documentation set. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown. Italic Italic text represents arguments that you replace with actual values. [] Square brackets enclose syntax choices (keywords or arguments) that are optional. { x | y | ... } Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features. Port numbering in examples The port numbers in this document are for illustration only and might be unavailable on your device.