HP High-End Firewalls System Management and Maintenance Command Reference
Part number: 5998-2663
Software version: F1000-A-EI&F1000-S-EI: R3721; F5000: F3210; F1000-E: F3171; Firewall module: F3171
Document version: 6PW101-20120719
Legal and notice information © Copyright 2012 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Contents (excerpt; several entries are cut off in the extracted text)
• Ping, tracert, and system debugging commands (page 1)
• System maintenance commands (page 1)
• ping (page 1)
• ping ipv
• move (page 46)
• pwd (page 47)
• rename
• info-center logfile enable (page 94)
• info-center logfile frequency (page 94)
• info-center logfile overwrite-protection (page 95)
• info-center logfile size-qu
• ntp-service unicast-peer (page 136)
• ntp-service unicast-server (page 137)
• RMON configuration commands (page 139)
• display rmon alarm
• ssh server rekey-interval (page 195)
• ssh user (page 195)
• SSH2.
• dir (page 230)
• disconnect (page 231)
• display ftp client configuration (page 232)
• f
Ping, tracert, and system debugging commands
System maintenance commands
ping
Syntax
ping [ ip ] [ -a source-ip | -c count | -f | -h ttl | -i interface-type interface-number | -m interval | -n | -p pad | -q | -r | -s packet-size | -t timeout | -tos tos | -v | -vpn-instance vpn-instance-name ] * host
View
Any view
Default level
0: Visit level
Parameters
ip: Supports IPv4 protocol. If this keyword is not provided, IPv4 is also supported.
0x0000002f repeatedly to make the total length of the packet meet the requirements of the device. By default, the padded value starts from 0x01 up to 0xff, where another round starts again if necessary, like 0x010203…feff01…. -q: Displays only statistics. If this keyword is not specified, the system displays all information. -r: Records routing information. If this keyword is not provided, routes are not recorded.
Reply from 1.1.2.2: bytes=56 Sequence=5 ttl=254 time=1 ms
--- 1.1.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/41/205 ms
The output shows the following:
• The destination was reachable.
• All ICMP echo requests sent by the source got responses.
• The minimum, average, and maximum round-trip times are 1 ms, 41 ms, and 205 ms respectively.
# Verify whether the device with an IP address of 1.1.2.
1.1.2.1
1.1.2.2
1.1.1.2
1.1.1.1
Reply from 1.1.2.2: bytes=56 Sequence=2 ttl=254 time=1 ms
Record Route:
1.1.2.1
1.1.2.2
1.1.1.2
1.1.1.1
Reply from 1.1.2.2: bytes=56 Sequence=3 ttl=254 time=1 ms
Record Route:
1.1.2.1
1.1.2.2
1.1.1.2
1.1.1.1
Reply from 1.1.2.2: bytes=56 Sequence=4 ttl=254 time=1 ms
Record Route:
1.1.2.1
1.1.2.2
1.1.1.2
1.1.1.1
Reply from 1.1.2.2: bytes=56 Sequence=5 ttl=254 time=1 ms
Record Route:
1.1.2.1
1.1.2.2
1.1.1.2
1.1.1.1
--- 1.1.2.
Field: Reply from 1.1.2.2 : bytes=56 Sequence=1 ttl=255 time=1 ms
Description: ICMP reply received from the device whose IP address is 1.1.2.2. If no reply is received during the timeout period, "Request time out" is displayed.
• bytes—indicates the number of data bytes in the ICMP reply.
• Sequence—indicates the packet sequence number, used to determine whether a packet is lost, disordered, or repeated.
• ttl—indicates the TTL value in the ICMP reply.
• time—indicates the response time.
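The field table above says the Sequence, ttl and time values are what you read to decide whether probes were lost, disordered or repeated. The following parser is an added example, not part of this reference, that applies exactly that reading to captured ping output: it classifies every reply line, reports a TTL that changes mid-run (a sign that replies are taking a different path), and reproduces the min/avg/max line. The sample output is constructed in the format shown on this page, with one timeout, one repeated reply and a TTL change added on purpose; the `sent` count is assumed to be the default of 5.

```python
import re
from dataclasses import dataclass, field
from statistics import mean
from typing import List, Optional, Tuple

# Constructed sample modelled on the ping output shown in this reference
# (one lost probe, one repeated reply and a TTL change are added deliberately).
SAMPLE_PING_OUTPUT = """\
Reply from 1.1.2.2: bytes=56 Sequence=1 ttl=255 time=1 ms
Reply from 1.1.2.2: bytes=56 Sequence=2 ttl=254 time=205 ms
Request time out
Reply from 1.1.2.2: bytes=56 Sequence=4 ttl=254 time=1 ms
Reply from 1.1.2.2: bytes=56 Sequence=5 ttl=254 time=1 ms
Reply from 1.1.2.2: bytes=56 Sequence=4 ttl=254 time=3 ms
"""

REPLY_RE = re.compile(
    r"Reply from (?P<src>\S+)\s*:\s*bytes=(?P<bytes>\d+)\s+Sequence=(?P<seq>\d+)"
    r"\s+ttl=(?P<ttl>\d+)\s+time=(?P<time>\d+)\s*ms"
)


@dataclass
class PingSummary:
    replies: int = 0
    timeouts: int = 0
    lost: List[int] = field(default_factory=list)        # sequence numbers never answered
    repeated: List[int] = field(default_factory=list)    # sequence numbers answered twice
    disordered: List[int] = field(default_factory=list)  # replies that arrived out of order
    ttl_changes: List[Tuple[int, int]] = field(default_factory=list)
    rtt_ms: List[int] = field(default_factory=list)


def parse_ping_output(text: str, sent: int = 5) -> PingSummary:
    """Classify each reply line the way the Sequence/ttl/time fields are meant to be read."""
    s = PingSummary()
    seen = set()
    highest = 0
    last_ttl: Optional[int] = None
    for line in text.splitlines():
        if line.startswith("Request time out"):
            s.timeouts += 1
            continue
        m = REPLY_RE.search(line)
        if not m:
            continue
        seq, ttl, rtt = int(m["seq"]), int(m["ttl"]), int(m["time"])
        s.replies += 1
        s.rtt_ms.append(rtt)
        if seq in seen:
            s.repeated.append(seq)          # same sequence number answered twice
        else:
            if seq < highest:
                s.disordered.append(seq)    # arrived after a higher sequence number
            seen.add(seq)
            highest = max(highest, seq)
        # A TTL that changes mid-run means the reply path changed (different hop count).
        if last_ttl is not None and ttl != last_ttl:
            s.ttl_changes.append((last_ttl, ttl))
        last_ttl = ttl
    s.lost = [i for i in range(1, sent + 1) if i not in seen]
    return s


def loss_percent(summary: PingSummary, sent: int = 5) -> float:
    return 100.0 * len(summary.lost) / sent


def rtt_stats(summary: PingSummary) -> Optional[Tuple[int, int, int]]:
    """min/avg/max in ms, matching the 'round-trip min/avg/max' line of the command."""
    if not summary.rtt_ms:
        return None
    return (min(summary.rtt_ms), round(mean(summary.rtt_ms)), max(summary.rtt_ms))


if __name__ == "__main__":
    summary = parse_ping_output(SAMPLE_PING_OUTPUT)
    print(summary)
    print("loss %.2f%%" % loss_percent(summary), "min/avg/max", rtt_stats(summary))
```

Loss is computed from the sequence numbers that were never answered rather than from the count of "Request time out" lines, so a repeated reply cannot mask a lost probe; on the sample the two measures happen to agree (one timeout, sequence 3 missing).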
-s packet-size: Specifies length (in bytes) of an ICMPv6 echo request, which ranges from 20 to 8100 and defaults to 56. -t timeout: Specifies the timeout value (in milliseconds) of an ICMPv6 echo reply, which ranges from 0 to 65535 and defaults to 2000. host: IPv6 address or host name of the destination, which is a string of 1 to 46 characters. -i interface-type interface-number: Specifies an outbound interface by its type and number.
Reply from 2001::1 bytes=56 Sequence=2 hop limit=64 time = 26 ms
Reply from 2001::1 bytes=56 Sequence=3 hop limit=64 time = 20 ms
Reply from 2001::1 bytes=56 Sequence=4 hop limit=64 time = 4 ms
Reply from 2001::1 bytes=56 Sequence=5 hop limit=64 time = 16 ms
--- 2001::2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.
host: IP address or host name (a string of 1 to 255 characters) of the destination. Description Use tracert to trace the path the packets traverse from source to destination. After having identified network failure with the ping command, use the tracert command to determine the failed node(s). Output from the tracert command includes IP addresses of all the Layer 3 devices the packets traverse from source to destination. If a device times out, asterisks (* * *) are displayed.
Field: MPLS Label=100048 Exp=0 TTL=1 S=1
Description: ICMP timeout packets on an MPLS network carry MPLS label information:
• Label—Label value that is used to identify a forwarding equivalence class (FEC).
• Exp—Reserved, usually used for class of service (CoS).
• TTL—TTL value.
• S—MPLS supports multiple levels of labels. Value 1 indicates that the label is at the bottom of the label stack, and value 0 indicates that the label is not at the bottom of the label stack.
To abort the tracert operation during the execution of the command, press Ctrl+C.
Examples
# View the path the packets traverse from source to destination with IPv6 address 2001::1.
system-view
[Sysname] ip ttl-expires enable
[Sysname] ip unreachables enable
[Sysname] tracert ipv6 2001::1
traceroute to 2001::1 30 hops max,60 bytes packet, press CTRL_C to break
2001::1 3 ms <1 ms 19 ms
# View the path the packets traverse from source to destination with IPv6 address 2001::1 in VPN 1.
Output of debugging commands is memory intensive. To guarantee system performance, enable debugging only for modules that are in an exceptional condition. Use the debugging, terminal debugging, and terminal monitor commands to display detailed debugging information on the terminal. For more information about the terminal debugging and terminal monitor commands, see "Information center configuration commands." Related commands: display debugging. Examples # Enable IP packet debugging.
IP performance optimization configuration commands display fib Syntax display fib [ vpn-instance vpn-instance-name ] [ acl acl-number | ip-prefix ip-prefix-name ] [ | { begin | exclude | include } regular-expression ] View Any view Default level 1: Monitor level Parameters vpn-instance vpn-instance-name: Displays the FIB entries of the specified VPN. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.
10.2.0.0/16    10.2.1.1    U    GE0/1      Null    Invalid
10.2.1.1/32    127.0.0.1   UH   InLoop0    Null    Invalid
127.0.0.0/8    127.0.0.1   U    InLoop0    Null    Invalid
127.0.0.1/32   127.0.0.1   UH   InLoop0    Null    Invalid
# Display FIB information matching ACL 2000.
system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule permit source 10.2.0.0 0.0.255.
Field / Description
• Nexthop: Next hop address
• Flag: Flags of routes:
  • U—Usable route
  • G—Gateway route
  • H—Host route
  • B—Blackhole route
  • D—Dynamic route
  • S—Static route
  • R—Relay route
• OutInterface: Outbound interface
• InnerLabel: Inner label
• Token: Label switched path (LSP) index number
display fib ip-address
Syntax
display fib [ vpn-instance vpn-instance-name ] ip-address [ mask | mask-length ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
If no mask or mask length is specified, the FIB entry that matches the destination IP address and has the longest mask will be displayed; if the mask is specified, the FIB entry that exactly matches the specified destination IP address will be displayed. Examples # Display the FIB entries that match the destination IP address of 10.2.1.1. display fib 10.2.1.
mask requests 0
mask replies 0
time exceeded 0
Output:
echo 10
destination unreachable 0
source quench 0
redirects 0
echo reply 5
parameter problem 0
timestamp 0
information reply 0
mask replies 0
mask requests 0
time exceeded 0
Table 4 Command output
Field / Description
• bad formats: Number of input wrong format packets
• bad checksum: Number of input wrong checksum packets
• echo: Number of input/output echo packets
• destination unreachable: Number of input/output destination unreachable p
Examples # Display the current forwarding mode and the forwarding mode used for the next system startup. [Sysname] display ip forwarding mode Current forwarding mode is per-packet. Next forwarding mode is per-flow after reboot. display ip socket Syntax display ip socket [ socktype sock-type ] [ task-id socket-id ] [ | { begin | exclude | include } regular-expression ] View Any view Default level 1: Monitor level Parameters socktype sock-type: Displays the socket information of this type.
socket option = SO_ACCEPTCONN SO_REUSEPORT, socket state = SS_PRIV SS_NBIO
Task = ROUT(69), socketid = 10, Proto = 6, LA = 0.0.0.0:179, FA = 192.168.1.45:0,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_ACCEPTCONN SO_REUSEADDR SO_REUSEPORT SO_SENDVPNID(0), socket state = SS_PRIV SS_ASYNC
Task = VTYD(38), socketid = 4, Proto = 6, LA = 192.168.1.40:23, FA = 192.168.1.
sndbuf = 9216, rcvbuf = 0, sb_cc = 0, rb_cc = 0,
socket option = SO_UDPCHECKSUM, socket state = SS_PRIV
Task = RDSO(56), socketid = 2, Proto = 17, LA = 0.0.0.0:1812, FA = 0.0.0.0:0,
sndbuf = 9216, rcvbuf = 41600, sb_cc = 0, rb_cc = 0,
socket option = SO_UDPCHECKSUM, socket state = SS_PRIV
SOCK_RAW:
Task = ROUT(69), socketid = 8, Proto = 89, LA = 0.0.0.0, FA = 0.0.0.
Field / Description
• socketid: Socket ID
• Proto: Protocol number of the socket, indicating the protocol type that IP carries
• LA: Local address and local port number
• FA: Remote address and remote port number
• sndbuf: Sending buffer size of the socket, in bytes
• rcvbuf: Receiving buffer size of the socket, in bytes
• sb_cc: Current data size in the sending buffer (available only for TCP, which can buffer data)
• rb_cc: Data size currently in the receiving buffer
• socket option: Socket option
• socket state
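The LA, FA, socket option and socket state fields described above are what an administrator reads to check which services the firewall itself exposes. The code below is an added example, not part of this reference: it parses display ip socket output into one record per socket, lists the sockets that accept traffic on every local address (LA of 0.0.0.0 with SO_ACCEPTCONN, or any UDP socket), and lists established TCP sessions such as a live Telnet login. The sample output is constructed in the page's layout; the VTYD peer address, the SOCK_STREAM header, the SOCK_RAW buffer line and the SS_ISCONNECTED state name are assumptions filled in for the sample.

```python
from typing import Dict, List, Tuple

# Constructed sample in the layout of this reference's display ip socket output
# (the VTYD peer address, the SOCK_STREAM header and the SS_ISCONNECTED state are assumed).
SAMPLE_SOCKET_OUTPUT = """\
SOCK_STREAM:
Task = ROUT(69), socketid = 10, Proto = 6, LA = 0.0.0.0:179, FA = 192.168.1.45:0,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_ACCEPTCONN SO_REUSEADDR SO_REUSEPORT SO_SENDVPNID(0), socket state = SS_PRIV SS_ASYNC
Task = VTYD(38), socketid = 4, Proto = 6, LA = 192.168.1.40:23, FA = 192.168.1.45:1025,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_REUSEPORT SO_SENDVPNID(0), socket state = SS_ISCONNECTED SS_PRIV
SOCK_DGRAM:
Task = RDSO(56), socketid = 2, Proto = 17, LA = 0.0.0.0:1812, FA = 0.0.0.0:0,
sndbuf = 9216, rcvbuf = 41600, sb_cc = 0, rb_cc = 0,
socket option = SO_UDPCHECKSUM, socket state = SS_PRIV
SOCK_RAW:
Task = ROUT(69), socketid = 8, Proto = 89, LA = 0.0.0.0, FA = 0.0.0.0,
sndbuf = 262144, rcvbuf = 262144, sb_cc = 0, rb_cc = 0,
socket option = SO_SENDVPNID(0), socket state = SS_PRIV
"""

PROTO_NAMES = {6: "tcp", 17: "udp", 89: "ospf"}


def parse_ip_socket(text: str) -> List[Dict[str, str]]:
    """One dict per socket: every 'key = value' pair becomes a field, plus 'type' for the section."""
    records: List[Dict[str, str]] = []
    current = None
    kind = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SOCK_") and line.endswith(":"):
            kind = line[:-1]                     # section header: SOCK_STREAM / SOCK_DGRAM / SOCK_RAW
            continue
        if line.startswith("Task ="):
            current = {"type": kind or "UNKNOWN"}  # a 'Task =' line starts a new socket record
            records.append(current)
        if current is None:
            continue
        for chunk in line.split(","):
            if " = " in chunk:                   # values never contain commas, so this split is safe
                key, value = chunk.split(" = ", 1)
                current[key.strip()] = value.strip()
    return records


def wildcard_listeners(records) -> List[Tuple[str, str, str]]:
    """Sockets that accept traffic on every local address (LA of 0.0.0.0:port)."""
    found = []
    for r in records:
        local = r.get("LA", "")
        accepting = r["type"] == "SOCK_DGRAM" or "SO_ACCEPTCONN" in r.get("socket option", "")
        if accepting and local.startswith("0.0.0.0:"):
            proto = int(r.get("Proto", "0"))
            found.append((r["Task"], PROTO_NAMES.get(proto, str(proto)), local))
    return found


def established_sessions(records) -> List[Tuple[str, str, str]]:
    """Connected TCP sockets as (task, local, remote), e.g. who is logged in over VTY."""
    return [(r["Task"], r["LA"], r["FA"]) for r in records
            if r["type"] == "SOCK_STREAM" and "SS_ISCONNECTED" in r.get("socket state", "")]


if __name__ == "__main__":
    recs = parse_ip_socket(SAMPLE_SOCKET_OUTPUT)
    print("listening on all addresses:", wildcard_listeners(recs))
    print("established:", established_sessions(recs))
```

Raw sockets (SOCK_RAW) have no port in LA and are reported by neither function; compare the listener list against the services you intend to run (BGP on tcp/179, RADIUS on udp/1812 in the sample) rather than treating every entry as a finding.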
Fragment:
input 0
output 0
dropped 0
fragmented 0
couldn't fragment 0
Reassembling:
sum 0
timeouts 0
Table 6 Command output
Fields are grouped under Input:, Output:, Fragment:, and Reassembling:.
Field / Description
• sum: Total number of packets received
• local: Total number of packets with destination being local
• bad protocol: Total number of unknown protocol packets
• bad format: Total number of packets with incorrect format
• bad checksum: Total number of packets with incorrect checksum
• bad options: Total number of packets
include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Description Use display tcp statistics to display statistics of TCP traffic. Related commands: display tcp status and reset tcp statistics. Examples # Display statistics of TCP traffic.
Field / Description
Sent packets:
• checksum error: Number of checksum error packets received
• offset error: Number of offset error packets received
• short error: Number of received packets with length being too small
• duplicate packets: Number of completely duplicate packets received
• partially duplicate packets: Number of partially duplicate packets received
• out-of-order packets: Number of out-of-order packets received
• packets of data after window: Number of packets outside the receiving window
• packets r
display udp statistics Syntax display udp statistics [ | { begin | exclude | include } regular-expression ] View Any view Default level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression.
Field / Description
Sent packets:
• not delivered, input socket full: Number of packets not delivered to an upper layer due to a full socket cache
• input packets missing pcb cache: Number of packets without matching protocol control block (PCB) cache
• Total: Total number of UDP packets sent
ip forward-broadcast
Syntax
ip forward-broadcast [ acl acl-number ]
undo ip forward-broadcast
View
Interface view
Default level
2: System level
Parameters
acl acl-number: Access control list number, in the range of 200
Default level 2: System level Parameters None Description Use ip forward-broadcast to enable the firewall to receive directed broadcasts. Use undo ip forward-broadcast to disable the firewall from receiving directed broadcasts. Examples # Enable the firewall to receive directed broadcasts.
Default level 2: System level Parameters None Description Use ip redirects enable to enable sending of ICMP redirection packets. Use undo ip redirects to disable sending of ICMP redirection packets. This feature is disabled by default. Examples # Enable sending of ICMP redirect packets.
View System view Default level 2: System level Parameters None Description Use ip unreachables enable to enable sending of ICMP destination unreachable packets. Use the undo ip unreachables command to disable sending of ICMP destination unreachable packets. Sending ICMP destination unreachable packets is disabled by default. Examples # Enable sending of ICMP destination unreachable packets.
Default level
2: System level
Parameters
None
Description
Use reset tcp statistics to clear statistics of TCP traffic.
Related commands: display tcp statistics.
Examples
# Clear statistics of TCP traffic.
reset tcp statistics
reset udp statistics
Syntax
reset udp statistics
View
User view
Default level
2: System level
Parameters
None
Description
Use reset udp statistics to clear statistics of UDP traffic.
Examples
# Clear statistics of UDP traffic.
Description Use tcp mss to configure the TCP MSS. Use undo tcp mss to restore the default. By default, the TCP MSS is 1460 bytes. Because the default MTU on an interface is 1500 bytes and the link-layer and IP header overhead must be allowed for, the recommended TCP MSS is about 1200 bytes. Examples # Set the TCP MSS to 300 bytes on GigabitEthernet 0/1.
View System view Default level 2: System level Parameters time-value: Length of the TCP finwait timer in seconds, in the range of 76 to 3600. Description Use tcp timer fin-timeout to configure the length of the TCP finwait timer. Use undo tcp timer fin-timeout to restore the default. By default, the length of the TCP finwait timer is 675 seconds.
tcp window Syntax tcp window window-size undo tcp window View System view Default level 2: System level Parameters window-size: Size of the send/receive buffer in KB, in the range of 1 to 32. Description Use tcp window to configure the size of the TCP send/receive buffer. Use undo tcp window to restore the default. The size of the TCP send/receive buffer is 8 KB by default. Related commands: tcp timer fin-timeout and tcp timer syn-timeout.
File management commands
NOTE:
• In the following examples, the current working directory is the root directory of the storage medium on the device.
• For the qualified filename formats, see System Management and Maintenance Configuration Guide.
cd
Syntax
cd { directory | .. | / }
View
User view
Default level
3: Manage level
Parameters
directory: Name of the target directory, in the format [drive:/]path.
copy Syntax copy fileurl-source fileurl-dest View User view Default level 3: Manage level Parameters fileurl-source: Name of the source file. fileurl-dest: Name of the target file or folder. Description Use copy to copy a file. If you specify a target folder, the system will copy the file to the specified folder and use the name of the source file as the file name. Examples # Copy file testcfg.cfg in the current folder and save it as testbackup.cfg. copy testcfg.cfg testbackup.
To verify the integrity of a file, calculate the digest of the file and compare the result with that from an authorized source, for example, the digest of the file advertised on HP Web pages. Examples # Calculate the digest of file cc.cfg. crypto-digest sha256 cc.cfg Computing digest... SHA256 digest(cc.
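The crypto-digest procedure above is: compute the digest of the file, then compare it with the value published by an authorized source. The code below is an added example (not part of this reference or any HP tool) that does the comparison step off the device in Python: it streams a file through SHA-256, normalises the reference value so that upper-case or space-separated digests copied from a web page still compare, rejects anything that is not a full 64-hex-character digest, and compares the two. The reference value used is the published SHA-256 test vector for the string "abc", standing in for a vendor-advertised digest; the temporary file in the demo is constructed.

```python
import hashlib
import hmac
import os
import tempfile

# Published SHA-256 test vector for the 3-byte input "abc" (FIPS 180-2 example),
# used here as a stand-in for a digest advertised by a trusted source.
ADVERTISED_SHA256_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 16) -> str:
    """Stream the file so that a large system software image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def normalise_digest(text: str) -> str:
    """Accept a digest as printed by the device or a web page: any case, spaces or colons between bytes.

    Only the digest value itself is expected here, not a whole output line."""
    cleaned = text.strip().lower().replace(" ", "").replace(":", "")
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("not a SHA-256 hex digest: %r" % text)
    return cleaned


def digest_matches(computed_hex: str, advertised_hex: str) -> bool:
    """False for a mismatch and also for a truncated or mis-copied reference value."""
    try:
        a, b = normalise_digest(computed_hex), normalise_digest(advertised_hex)
    except ValueError:
        return False
    return hmac.compare_digest(a, b)


def verify_file(path: str, advertised_hex: str) -> bool:
    return digest_matches(sha256_file(path), advertised_hex)


if __name__ == "__main__":
    # Constructed file whose content is "abc", so it must match the published vector.
    fd, tmp = tempfile.mkstemp(suffix=".cfg")
    with os.fdopen(fd, "wb") as f:
        f.write(b"abc")
    try:
        print(sha256_file(tmp), verify_file(tmp, ADVERTISED_SHA256_ABC))
    finally:
        os.remove(tmp)
```

A matching digest proves only that the file equals the one the reference value was computed over, so the reference must be obtained over an authenticated channel (for example the vendor's HTTPS page, as the text above suggests); a digest read from the same untrusted location as the file proves nothing. Refusing short reference values matters because a digest truncated while copying would otherwise never be noticed.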
dir Syntax dir [ /all ] [ file-url | /all-filesystems ] View User view Default level 3: Manage level Parameters /all: Displays all files and folders in the current directory, including hidden files, hidden folders, files moved from the current directory to the recycle bin. Files in the recycle bin are enclosed in square brackets [ ]. file-url: Displays the specified file. Asterisks (*) are acceptable as wildcards. For example, to display files with the .
Field / Description
• h: Indicates that the file or directory is hidden.
• []: Indicates that the file is in the recycle bin.
display nandflash file-location
Syntax
display nandflash file-location filename [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
2: System level
Parameters
filename: File name.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
Table 10 Command output
Field / Description
• Logic Chunk: Serial number of the logical pages.
• Physical Page: Serial number of the physical pages.
• chunk(0) 1234: The first logical page of this file corresponds to the 1234th physical page on the device.
display nandflash badblock-location
Syntax
display nandflash badblock-location [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
2: System level
Parameters
|: Filters command output by specifying a regular expression.
Table 11 Command output
Field / Description
• No: Serial number of the bad blocks
• Physical block: Serial number of the physical pages with bad blocks
• 3200 block(s) total, 3 block(s) bad.: Total number of blocks and bad blocks in the NAND flash memory
display nandflash page-data
Syntax
display nandflash page-data page-value [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
page-value: Serial number of a physical page.
filename: test.cfg
display nandflash page-data 1236
0000: 0D 0A 23 0D 0A 20 76 65 72 73 69 6F 6E 20 35 2E  ..#.. version 5.
0010: 32 30 2C 20 41 6C 70 68 61 20 31 30 31 31 0D 0A  20, Alpha 1011..
0020: 23 0D 0A 20 73 79 73 6E 61 6D 65 20 48 33 43 0D  #.. sysname HP.
0030: 0A 23 0D 0A 20 70 61 73 73 77 6F 72 64 2D 63 6F  .#.. password-co
…
execute
Syntax
execute filename
View
System view
Default level
2: System level
Parameters
filename: Name of a batch file with a .bat extension.
Default level 3: Manage level Parameters device: Name of the storage medium to be partitioned. It cannot be the name of a partition. partition-number: Number of partitions, in the range of 1 to 4. Extended partitioning is not supported. Description Use fdisk to partition a storage medium. If partition-number is specified, the storage medium is divided into the specified number of partitions; otherwise, partitioning is performed in an interactive way.
fdisk cfa:
The capacity of cfa: : 256M bytes
Partition 1 (32MB~224MB, 256MB, CTRL+C to quit, Enter to use all space left): // Specify the size of the first partition as 128 MB (press Enter after entering 128).
Partition 2 (32MB~96MB, 128MB, CTRL+C to quit, Enter to use all space left): // Specify the size of the second partition as 31 MB (press Enter after entering 31).
The partition size should be greater than or equal to 32MB.
Examples
# Set the file operation prompt mode to alert.
system-view
[Sysname] file prompt alert
fixdisk
Syntax
fixdisk device
View
User view
Default level
3: Manage level
Parameters
device: Storage medium name.
Description
Use fixdisk to restore the space of a storage medium when it becomes unavailable because of an abnormal operation.
Examples
# Restore the space of the flash.
fixdisk flash0:
Fixdisk flash0: may take some time to complete...
%Fixdisk flash0: completed.
Description Use format to format a storage medium. To format a partitioned storage medium, you must format each partition by using this command. CAUTION: Formatting a storage medium results in loss of all the files on the storage medium and these files cannot be restored. In particular, if a startup configuration file exists on a storage medium, formatting the storage medium results in loss of the startup configuration file.
To use this command to create a folder, the specified directory must exist. For example, to create folder flash0:/test/mytest, the test folder must exist. Otherwise, you will fail to create the mytest folder. Examples # Create a folder named test in the current directory. mkdir test .... %Created dir flash0:/test # Create folder test/subtest in the current directory. mkdir test/subtest ....
more testcfg.cfg
#
 version 5.20, Beta 1201, Standard
#
 sysname Sysname
#
vlan 2
#
return
move
Syntax
move fileurl-source fileurl-dest
View
User view
Default level
3: Manage level
Parameters
fileurl-source: Name of the source file.
fileurl-dest: Name of the target file or folder.
Description
Use move to move a file. If you specify a target folder, the system will move the source file to the specified folder, with the file name unchanged.
pwd
Syntax
pwd
View
User view
Default level
3: Manage level
Parameters
None
Description
Use pwd to display the current path.
Examples
# Display the current path.
pwd
flash0:
rename
Syntax
rename fileurl-source fileurl-dest
View
User view
Default level
3: Manage level
Parameters
fileurl-source: Name of the source file or folder.
fileurl-dest: Name of the target file or folder.
Description
Use rename to rename a file or folder. The target file name must be unique in the current path.
View User view Default level 3: Manage level Parameters /force: Deletes all files in the recycle bin, including files that cannot be deleted by the command without the /force keyword. Description Use reset recycle-bin to permanently delete the files in the recycle bin in the current directory. If a file is corrupted, you may not be able to delete the file using the reset recycle-bin command. Use the reset recycle-bin /force command to delete the corrupted file in the recycle bin forcibly.
dir /all
Directory of flash0:/

   0 -rwh       896  Feb 17 2011 14:20:02   private-data.txt
   1 -rw-     25535  Feb 17 2011 14:20:02   system.xml
   2 -rw-      1780  Feb 17 2011 14:20:04   startup.cfg
   3 -rw-  14617560  Feb 15 2011 15:23:29   main.bin
   4 drw-         -  Jan 06 2011 14:46:09   domain1
   5 -rw-       891  Jan 06 2011 14:46:18   default_ca.cer
   6 -rw-      1411  Jan 06 2011 14:46:18   default_local.
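The dir /all listing above is the form an auditor wants to capture, because only /all shows the hidden files (attribute h, such as private-data.txt) and the recycle-bin entries in square brackets. The parser below is an added example, not part of this reference, that turns such a listing into records and answers the questions an integrity review asks of it: which files are hidden, which are waiting in the recycle bin, how much space the regular files take, and which files changed after a given time. The sample listing is constructed in the page's layout; its first six entries are the ones shown above and the [old.cfg] recycle-bin entry is added for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed listing in the format of this reference's dir /all output; the first six
# entries are taken from the page, the recycle-bin entry [old.cfg] is added for the example.
SAMPLE_DIR_ALL = """\
Directory of flash0:/

   0 -rwh       896  Feb 17 2011 14:20:02   private-data.txt
   1 -rw-     25535  Feb 17 2011 14:20:02   system.xml
   2 -rw-      1780  Feb 17 2011 14:20:04   startup.cfg
   3 -rw-  14617560  Feb 15 2011 15:23:29   main.bin
   4 drw-         -  Jan 06 2011 14:46:09   domain1
   5 -rw-       891  Jan 06 2011 14:46:18   default_ca.cer
   6 -rwh       120  Jan 06 2011 14:50:00   [old.cfg]
"""

# index, attributes (d/r/w/h columns), size or '-', timestamp, name
ENTRY_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<attr>[d-][r-][w-][h-])\s+(?P<size>\d+|-)\s+"
    r"(?P<mtime>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2})\s+(?P<name>\S.*?)\s*$"
)
TIME_FORMAT = "%b %d %Y %H:%M:%S"


@dataclass
class DirEntry:
    index: int
    name: str
    is_dir: bool
    hidden: bool
    in_recycle_bin: bool
    size: Optional[int]     # None for directories, which the listing shows as '-'
    mtime: datetime


def parse_dir_listing(text: str) -> List[DirEntry]:
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, blank line or free-space summary
        attr, raw_name = m["attr"], m["name"]
        in_bin = raw_name.startswith("[") and raw_name.endswith("]")
        entries.append(DirEntry(
            index=int(m["idx"]),
            name=raw_name[1:-1] if in_bin else raw_name,   # strip the recycle-bin brackets
            is_dir=attr[0] == "d",
            hidden=attr[3] == "h",
            in_recycle_bin=in_bin,
            size=None if m["size"] == "-" else int(m["size"]),
            mtime=datetime.strptime(m["mtime"], TIME_FORMAT),
        ))
    return entries


def hidden_names(entries: List[DirEntry]) -> List[str]:
    return [e.name for e in entries if e.hidden]


def recycle_bin_names(entries: List[DirEntry]) -> List[str]:
    return [e.name for e in entries if e.in_recycle_bin]


def total_file_bytes(entries: List[DirEntry]) -> int:
    return sum(e.size or 0 for e in entries if not e.is_dir)


def changed_after(entries: List[DirEntry], when: str) -> List[str]:
    """Names modified after a timestamp given in the listing's own format, e.g. 'Feb 16 2011 00:00:00'."""
    cutoff = datetime.strptime(when, TIME_FORMAT)
    return [e.name for e in entries if e.mtime > cutoff]


if __name__ == "__main__":
    entries = parse_dir_listing(SAMPLE_DIR_ALL)
    print("hidden:", hidden_names(entries))
    print("recycle bin:", recycle_bin_names(entries))
    print("bytes in files:", total_file_bytes(entries))
    print("changed after Feb 16 2011:", changed_after(entries, "Feb 16 2011 00:00:00"))
```

Keeping a parsed listing from a known-good state and diffing it against a later capture is a cheap way to notice new hidden files or unexpected changes to startup.cfg and the boot image; the timestamps are the device's own clock, so they are only as trustworthy as its time source.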
Description Use rmdir to remove a folder. The folder must be an empty one. If not, you need to delete all files and subfolders under it with the delete command. After you execute the rmdir command successfully, the files in the recycle bin in the folder will be automatically deleted. Examples # Remove folder mydir. rmdir mydir Rmdir flash0:/mydir?[Y/N]:y %Removed directory flash0:/mydir.
..... %Undeleted file flash0:/test/b.cfg.
Software upgrade commands IMPORTANT: The FIPS mode is available only for the firewall modules. For more information about FIPS, see Access Control Configuration Guide. boot-loader Syntax boot-loader file file-url { main | backup } View User view Default level 3: Manage level Parameters file file-url: Specifies a file name, a string of 1 to 63 characters. If you enter a relative path here, the system automatically converts it to an absolute path.
This command will set the boot file. Continue? [Y/N]:y The specified file will be used as the main boot file at the next reboot on slot 0! bootrom Syntax bootrom { backup | read | restore | update file file-url } [ all | part ] View User view Default level 3: Manage level Parameters read: Reads Boot ROM, or in other words, copies the Boot ROM codes from the normal partition of the Boot ROM memory to the Flash as the backup, which will be used to restore Boot ROM when the Boot ROM memory is broken.
Read extended bootrom completed!
Read bootrom completed!
Please check the file!
After the Boot ROM image is read, you will find that files extendbtm.bin and basicbtm.bin are generated on the storage media of the device.
dir
Directory of flash0:/

   0 drw-         -  Jul 07 2009 21:09:12   logfile
   1 -rw-  15074620  Aug 08 2008 13:03:44   test.bin
   2 -rw-       139  Sep 24 2008 06:51:38   system.xml
   3 -rw-    524288  Aug 13 2008 17:07:18   extendbtm.bin
   4 -rw-    524288  Aug 13 2008 17:07:18   basicbtm.
Update bootrom success! bootrom-update security-check enable Syntax bootrom-update security-check enable undo bootrom-update security-check enable View System view Default level 2: System level Parameters None Description Use bootrom-update security-check enable to enable the validity check function. Use undo bootrom-update security-check enable to disable the validity check function. By default, the validity check function is enabled at the time of upgrading Boot ROM.
Description Use display boot-loader to display information of the system software. Related commands: boot-loader. Examples # Display the file adopted for the current and next boot of the device. display boot-loader The boot file used at this reboot:flash:/test.bin attribute: main The boot file used at the next reboot:flash:/test.bin attribute: main The boot file used at the next reboot:flash:/test.
display patch information
The location of patches: flash0:
Slot  Version  Temporary  Common  Current  Active  Running  Start-Address
--------------------------------------------------------------------------
0     HFW004   0          1       1        0       1        0x310bd74
Table 13 Command output
Field / Description
• The location of patches: Patch file location.
• Slot: Meaningless.
• Version: Patch version. The following three digits, if any, represent the patch number. (The patch number can be read after the patch is loaded.
Examples # Activate patch 3 and all the loaded DEACTIVE patches before patch 3. system-view [Sysname] patch active 3 # Activate all the loaded patches. system-view [Sysname] patch active patch deactive Syntax patch deactive [ patch-number ] View System view Default level 3: Manage level Parameters patch-number: Sequence number of a patch. Description Use patch deactive to stop running patches and the system will run at the original software version.
Parameters patch-number: Sequence number of a patch. Description Use patch delete to delete the specified patch and all patches after it. If you execute the command specifying the sequence number of a patch, all patches from the specified patch onward (including the specified patch) are deleted. If you execute the command without specifying a sequence number, all patches are deleted.
• Entering n or N: All the specified patches are installed and turn to the ACTIVE state from IDLE. This equals execution of the commands patch location, patch load and patch active. The patches turn to the DEACTIVE state after system reboot. Before executing the command, save patch files to the specified directory.
patch location Syntax patch location patch-location View System view Default level 3: Manage level Parameters patch-location: Specifies the patch file location, a string of 1 to 64 characters. Description Use patch location to configure the patch file location. By default, the patch file location is flash:. The patch files must be saved in the root directory of a storage medium.
This command is applicable to patches in the ACTIVE state only. If the running of a patch is confirmed, after the system reboots, the patch will still be effective. Examples # Confirm the running of patch 3 and all the ACTIVE patches before patch 3. system-view [Sysname] patch run 3 # Confirm the running of all the ACTIVE patches.
Configuration file management commands IMPORTANT: The FIPS mode is available only for the firewall modules. For more information about FIPS, see Access Control Configuration Guide. archive configuration Syntax archive configuration View User view Default level 3: Manage level Parameters None Description Use archive configuration to save the running configuration manually.
Parameters minutes: Specifies the interval for automatically saving the running configuration, in minutes. The value ranges from 10 to 525,600 (365 days). Description Use archive configuration interval to enable the automatic saving of the running configuration and set the interval. Use undo archive configuration interval to restore the default. By default, the system does not automatically save the running configuration.
Description Use archive configuration location to configure the path and filename prefix for saving configuration files. Use undo archive configuration location to restore the default. By default, the path and filename prefix for saving configuration files are not configured, and the system does not save the configuration file periodically. Before the running configuration is saved either manually or automatically, the file path and filename prefix must be configured.
number of the existing configuration files is larger than or equal to the newly configured upper limit, the system deletes the oldest n files when the next file is saved, where n = the current number - the newly configured number + 1, for example: if the number of configuration files that have been saved is 7, and the newly configured upper limit is 4, when there is a new configuration file to be saved, the system deletes 4 oldest files, where 4 = 7-4+1.
After the above operation, the device backs up file test.cfg to TFTP server 2.2.2.2, where the file is saved as 192-168-1-26.cfg. configuration encrypt Syntax configuration encrypt { private-key | public-key } undo configuration encrypt View System view Default level 3: Manage level Parameters private-key: Encrypts a configuration file with a private key. The encrypted configuration file can only be decrypted and recognized by the local device.
When this command is executed, the running configuration rolls back to the configuration state based on the specified configuration file (filename). The configuration file specified with the configuration replace file filename command can only be a configuration file in simple text. Otherwise, errors may occur in configuration rollback.
Examples
# Roll back from the running configuration to a previous configuration state based on the saved configuration file my_archive_1.cfg.
Next archive file to be saved: my_archive_4.cfg
Table 14 Command output
Field: Description
Location: Absolute path of the saved configuration files.
Filename prefix: Filename prefix of the saved configuration files.
Archive interval in minutes: Configuration file saving interval, in minutes. If automatic saving is disabled, this field is not displayed.
Filename: Filename of the saved configuration files, with path excluded.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display current-configuration to display the running configuration of the device. A parameter is not displayed if it adopts the default setting. If the value that actually takes effect differs from the value you configured, the effective value is displayed. For example, IP address 11.11.11.11 24 has been configured on a Loopback interface.
Description
Use display default-configuration to display the factory defaults of the device. The command displays all commands to be executed when the device boots with the factory defaults. Related commands: display current-configuration and display saved-configuration.
Examples
# Display the factory defaults of the device.
#
 sysname Sysname
#
 domain default enable system
#
 telnet server enable
#
 multicast routing-enable
#
vlan 1
#
vlan 999
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
interface NULL0
#
  ---- More ----
The configurations are displayed in the order of global, port, and user interface. The More prompt indicates that there are more lines than the screen can display.
21: #
22: interface NULL0
23: #
  ---- More ----
The More prompt indicates that there are more lines than the screen can display. Pressing Enter displays the next line; pressing Space displays the next screen; pressing Ctrl+C or any other key exits the display.

display startup
Syntax
display startup [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression.
display this
Syntax
display this [ by-linenum ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
by-linenum: Displays the number of each line.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
[Sysname-ui-vty0] display this
#
user-interface con 0
user-interface vty 0
 history-command max-size 256
user-interface vty 1 4
#
return

reset saved-configuration
Syntax
reset saved-configuration
View
User view
Default level
3: Manage level
Parameters
None
Description
Use reset saved-configuration to delete the startup configuration file. Delete the startup configuration file if it does not match the software version or has been corrupted. Use this command with caution.
Parameters
src-addr: IP address or name of a TFTP server. The address cannot be an IPv6 address.
src-filename: Filename of the configuration file to be downloaded from the specified server.
Description
Use restore startup-configuration to download a configuration file from the specified TFTP server to the device and specify it as the startup configuration file for the next system startup. This command is not supported in FIPS mode because the FIPS mode does not support TFTP.
Examples
# Save the running configuration to the specified file, but do not specify it as the startup configuration file to be used at the next startup.
save test.cfg
The current configuration will be saved to flash0:/test.cfg. Continue? [Y/N]:y
Now saving current configuration to the device.
Saving configuration flash0:/test.cfg. Please wait...
............
Configuration is saved to flash successfully.
Parameters
cfgfile: Configuration file name. The file must have the extension .cfg and be stored in the root directory of the storage media.
Description
Use startup saved-configuration to specify a startup configuration file to be used at the next system startup. Related commands: display startup.
Examples
# Specify a startup configuration file to be used at the next system startup.
startup saved-configuration testcfg.cfg
Please wait .... ...
Information center configuration commands

display channel
Syntax
display channel [ channel-number | channel-name ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
channel-number: Specifies a channel by its number in the range of 0 to 9.
channel-name: Specifies a channel by its name, a default name or a self-defined name. For how to configure a channel name, see info-center channel name.
display channel 0
channel number:0, channel name:console
MODU_ID   NAME      ENABLE  LOG_LEVEL      ENABLE  TRAP_LEVEL  ENABLE  DEBUG_LEVEL
ffff0000  default   Y       informational  Y       debugging   Y       debugging
The output shows that the system is allowed to output log information with a severity from 0 to 4, trap information with a severity from 0 to 7, and debug information with a severity from 0 to 7 to the console. The information source modules are all modules (default).
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display info-center to display information center configuration information.
Examples
# Display information center configuration information.
display info-center
Information Center:enabled
Log host: 1.1.1.
Field: Description
Monitor: Configurations on the monitor terminal destination, including the channel number and channel name used.
Severity       Value  Description                          Corresponding keyword in commands
Alert          1      Action must be taken immediately.    alerts
Critical       2      Critical condition.                  critical
Error          3      Error condition.                     errors
Warning        4      Warning condition.                   warnings
Notice         5      Normal but significant condition.    notifications
Informational  6      Informational messages.              informational
Debug          7      Debug messages.                      debugging
size buffersize: Specifies the number of latest log messages to be displayed, in the range of 1 to 1,024.
Field: Description
Channel number: Channel number of the log buffer. The default channel number is 4.
Channel name: Channel name of the log buffer. The default channel name is logbuffer.
Dropped messages: Number of dropped messages.
Overwritten messages: Number of overwritten messages (when the buffer size is not big enough to hold all messages, the latest messages overwrite the old ones).
Current messages: Number of current messages.
Field: Description
ERROR: Represents error, see Table 19 for details.
WARN: Represents warning, see Table 19 for details.
NOTIF: Represents notice, see Table 19 for details.
INFO: Represents informational, see Table 19 for details.
DEBUG: Represents debug, see Table 19 for details.

display logfile buffer
Syntax
display logfile buffer [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression.
display logfile summary
Syntax
display logfile summary [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
display security-logfile buffer
Syntax
display security-logfile buffer [ | { begin | exclude | include } regular-expression ]
View
User view
Default level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
Default level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
View
Any view
Default level
1: Monitor level
Parameters
reverse: Displays trap entries chronologically, with the most recent entry at the top. Without this keyword, the command displays trap entries chronologically, with the oldest entry at the top.
size buffersize: Specifies the number of latest trap messages to be displayed, in the range of 1 to 1,024.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
Trap 1.3.6.1.4.1.2011.10.2.2.1.1.3.0.1: login from VTY
#Aug 7 08:43:25:583 2009 Sysname CFGMAN/4/TRAP: 1.3.6.1.4.1.2011.10.2.4.2.1 configure changed: EventIndex=1,CommandSource=2,ConfigSource=4,ConfigDestination=2
Table 24 Command output
Field: Description
Trapping buffer configuration and contents: Indicates the current state of the trap buffer and its contents, which could be enabled or disabled.
[Sysname-GigabitEthernet0/1] undo enable log updown

info-center channel name
Syntax
info-center channel channel-number name channel-name
undo info-center channel channel-number
View
System view
Default level
2: System level
Parameters
channel-number: Specifies a channel by its number in the range of 0 to 9.
channel-name: Specifies a channel name, a string of 1 to 30 characters. It must be a combination of letters and numbers and start with a letter; the name is case-insensitive.
Use undo info-center console channel to restore the default console output channel. By default, the system outputs information to the console through channel 0 (console). The info-center console channel command takes effect only when the information center has been enabled with the info-center enable command.
Examples
# Specify the console output channel as channel 0.
Default level
2: System level
Parameters
None
Description
Use info-center format unicom to set the UNICOM format for system information sent to a log host. Use undo info-center format to restore the default. By default, the format for the system information sent to a log host is HP. System information sent to a log host has two formats: HP and UNICOM. For more information, see System Management and Maintenance Configuration Guide.
Item           F1000-A-EI/S-EI  F1000-E  F5000  Firewall module
Default value  512              65535    65535  65535
Examples
# Output system information to the log buffer through channel 4, and set the log buffer size to 50.
system-view
[Sysname] info-center logbuffer size 50

info-center logfile enable
Syntax
info-center logfile enable
undo info-center logfile enable
View
System view
Default level
2: System level
Parameters
None
Description
Use info-center logfile enable to enable the log file feature.
Default level
2: System level
Parameters
freq-sec: Specifies the interval for saving system information to the log file, in the range of 1 to 86,400 seconds.
Description
Use info-center logfile frequency to configure the interval for saving system information to the log file. Use undo info-center logfile frequency to restore the default interval. The default saving interval is 86,400 seconds.
Command                                  F1000-A-EI/S-EI  F1000-E  F5000  Firewall module
info-center logfile overwrite-protection  No               Yes      Yes    Yes
Examples
# Enable log file overwrite-protection.
system-view
[Sysname] info-center logfile overwrite-protection

info-center logfile size-quota
Syntax
info-center logfile size-quota size
undo info-center logfile size-quota
View
System view
Default level
2: System level
Parameters
size: Specifies the maximum storage space reserved for a log file, in the range of 1 to 10 MB.
View
System view
Default level
2: System level
Parameters
dir-name: Specifies a directory by its name, a string of 1 to 64 characters.
Description
Use info-center logfile switch-directory to specify the directory where a log file is saved. The specified directory must have been created. By default, a log file is saved in the logfile directory under the root directory of the storage device. This command is intended for log file backup or migration; its setting does not survive a system restart.
port port-number: Specifies the port number of the log host, in the range of 1 to 65535. The default value is 514. It must be the same as the value configured on the log host. Otherwise, the log host cannot receive system information. channel: Specifies the channel through which system information is output to the log host. channel-number: Specifies a channel by its number in the range of 0 to 9. channel-name: Specifies a channel by its name, a default name or a self-defined name.
Parameters interface-type interface-number: Specifies the egress interface for log information by the interface type and interface number. Description Use info-center loghost source to specify the source IP address for output log information. Use undo info-center loghost source to restore the default. By default, the source IP address of output log information is the primary IP address of the matching route's egress interface.
Parameters channel-number: Specifies a channel by its number in the range of 0 to 9. channel-name: Specifies a channel by its name, a default name or a self-defined name. For how to configure a channel name, see info-center channel name. Description Use info-center monitor channel to configure the monitor channel. The system uses this channel to output information to the monitor. Use undo info-center monitor channel to restore the default monitor output channel.
system-view
[Sysname] info-center security-logfile alarm-threshold 90

info-center security-logfile enable
Syntax
info-center security-logfile enable
undo info-center security-logfile enable
View
System view
Default level
2: System level
Parameters
None
Description
Use info-center security-logfile enable to enable saving of the security logs into the security log file. Use undo info-center security-logfile enable to restore the default.
Use undo info-center security-logfile frequency to restore the default interval. Related commands: info-center security-logfile enable.
Examples
# Save security logs to the security log file every 600 seconds.
Description
Use info-center security-logfile switch-directory to configure the directory where the security log file is saved. By default, the security log file is saved in the seclog directory under the root directory of the storage medium. For a device that has been partitioned, the directory for the security log file varies with devices and is usually the seclog directory in the second partition of the storage medium. The specified directory must have been created.
Examples
# Output system information to the SNMP module through channel 6.
If you use the module-name argument to set the output rule for a module without specifying the debug, log, and trap keywords, the default settings for the module are as follows: the output of log and trap information is enabled, with severity being informational; the output of debugging information is disabled, with severity being debug.
[Sysname] info-center source vlan channel snmpagent log level emergencies state on

info-center synchronous
Syntax
info-center synchronous
undo info-center synchronous
View
System view
Default level
2: System level
Parameters
None
Description
Use info-center synchronous to enable synchronous information output. Use undo info-center synchronous to disable synchronous information output. By default, synchronous information output is disabled.
The current configuration will be written to the device. Are you sure? [Y/N]:
At this time, the system receives the log information. It displays the log information first and then displays [Y/N].
%May 21 14:33:19:425 2007 Sysname SHELL/4/LOGIN: VTY login from 192.168.1.44
[Y/N]:
Enter Y or N to complete your input.
Parameters
debugging: Sets the time stamp format for debug information.
log: Sets the time stamp format for log information.
trap: Sets the time stamp format for trap information.
boot: Sets the time stamp format as xxxxxx.yyyyyy, where xxxxxx is the most significant 32 bits (in milliseconds) and yyyyyy is the least significant 32 bits. For example, 0.21990989 equals Jun 25 14:09:26:881 2007. The boot time shows the time since system startup.
At this time, if you execute the shutdown command on GigabitEthernet 0/1 while it is in UP state, the log information generated is as follows:
% Sysname IFNET/4/LINK UPDOWN: GigabitEthernet0/1: link status is DOWN

info-center timestamp loghost
Syntax
info-center timestamp loghost { date | iso | no-year-date | none }
undo info-center timestamp loghost
View
System view
Default level
2: System level
Parameters
date: Sets the time stamp format as "Mmm dd hh:mm:ss:ms yyyy".
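The HP-format log and trap lines quoted in this chapter (the SHELL/4/LOGIN log line, the CFGMAN/4/TRAP line in the trap buffer output, and the time-stamp-less IFNET link line above) can be parsed into their fields and filtered with the severity keywords from the display logbuffer severity table. The following Python is an added example and is not part of the manual or the device software; it assumes '*' as the prefix for debug output (only '%' for logs and '#' for traps appear in this chapter) and adds one constructed sample line.

```python
"""Parser for HP Comware information center (info-center) output lines in
the default HP format, as quoted in the command reference.

Added example, not part of the original manual. Assumptions:
  - '%' prefixes a log message and '#' a trap message (from the manual's
    sample output); '*' for debug output is assumed by analogy.
  - time stamps are either the 'date' format "Mmm dd hh:mm:ss:ms yyyy"
    or absent ('info-center timestamp ... none').
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Severity values and the keywords used in info-center commands.
# 0 = emergencies (used in the 'info-center source' example), 1..7 as in
# the severity table of display logbuffer.
SEVERITY_KEYWORDS = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}
KEYWORD_TO_SEVERITY = {v: k for k, v in SEVERITY_KEYWORDS.items()}

KIND_BY_PREFIX = {"%": "log", "#": "trap", "*": "debug"}  # '*' assumed

# prefix, optional 'date' time stamp, sysname, MODULE/severity/MNEMONIC: text
# The mnemonic may contain a space (e.g. "LINK UPDOWN"), so it runs to the
# first colon.
_LINE_RE = re.compile(
    r"^(?P<prefix>[%#*])\s*"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}:\d{3}\s+\d{4})?\s*"
    r"(?P<sysname>\S+)\s+"
    r"(?P<module>[A-Z0-9_]+)/(?P<severity>[0-7])/(?P<mnemonic>[^:]+):\s*"
    r"(?P<message>.*)$"
)


@dataclass
class InfoCenterRecord:
    kind: str                      # "log", "trap" or "debug"
    timestamp: Optional[datetime]  # None when the time stamp format is none
    sysname: str
    module: str
    severity: int
    mnemonic: str
    message: str
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def severity_keyword(self) -> str:
        return SEVERITY_KEYWORDS[self.severity]


def _parse_timestamp(text: str) -> datetime:
    # "May 21 14:33:19:425 2007": the fourth colon-separated number is ms.
    mon, day, clock, year = text.split()
    hh, mm, ss, ms = clock.split(":")
    base = datetime.strptime(f"{mon} {day} {hh}:{mm}:{ss} {year}",
                             "%b %d %H:%M:%S %Y")
    return base + timedelta(milliseconds=int(ms))


def _parse_fields(message: str) -> Dict[str, str]:
    # Trap bodies such as "... changed: EventIndex=1,CommandSource=2" end in
    # comma-separated key=value pairs after the last ": ".
    tail = message.rsplit(": ", 1)[-1]
    pairs = [p.split("=", 1) for p in tail.split(",") if "=" in p]
    return {k.strip(): v.strip() for k, v in pairs}


def parse_line(line: str) -> Optional[InfoCenterRecord]:
    """Parse one info-center line; return None for lines in another format."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    ts = _parse_timestamp(m["ts"]) if m["ts"] else None
    return InfoCenterRecord(
        kind=KIND_BY_PREFIX[m["prefix"]], timestamp=ts, sysname=m["sysname"],
        module=m["module"], severity=int(m["severity"]),
        mnemonic=m["mnemonic"].strip(), message=m["message"],
        fields=_parse_fields(m["message"]))


def parse_lines(lines) -> List[InfoCenterRecord]:
    return [r for r in (parse_line(l) for l in lines) if r is not None]


def apply_output_rule(records, level_keyword: str, kind: str = "log"):
    """Mimic an info-center output rule: keep messages of the given kind whose
    severity value is <= the configured level (0 is the most severe)."""
    limit = KEYWORD_TO_SEVERITY[level_keyword]
    return [r for r in records if r.kind == kind and r.severity <= limit]


# Constructed sample: the three lines quoted in this chapter plus one
# constructed informational line to exercise the severity filter.
SAMPLE_LINES = [
    "%May 21 14:33:19:425 2007 Sysname SHELL/4/LOGIN: VTY login from 192.168.1.44",
    "#Aug 7 08:43:25:583 2009 Sysname CFGMAN/4/TRAP: 1.3.6.1.4.1.2011.10.2.4.2.1 "
    "configure changed: EventIndex=1,CommandSource=2,ConfigSource=4,ConfigDestination=2",
    "% Sysname IFNET/4/LINK UPDOWN: GigabitEthernet0/1: link status is DOWN",
    "%May 21 14:35:02:001 2007 Sysname SHELL/6/LOGOUT: VTY logout from 192.168.1.44",
]

if __name__ == "__main__":
    records = parse_lines(SAMPLE_LINES)
    for r in records:
        print(r.kind, r.timestamp, r.module, r.severity_keyword, r.mnemonic, r.fields)
    print("logs at warnings or above:", len(apply_output_rule(records, "warnings")))
```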
Parameters size buffersize: Specifies the maximum number of trap messages that can be stored in the trap buffer, in the range of 0 to 1,024. The default value is 256. channel-number: Specifies a channel by its number, in the range of 0 to 9. channel-name: Specifies a channel by its name, a default name or a self-defined name. For how to configure a channel name, see info-center channel name.
Command       F1000-A-EI/S-EI  F1000-E  F5000  Firewall module
logfile save  No               Yes      Yes    Yes
Examples
# Save logs in the log file buffer into the log file.
logfile save

reset logbuffer
Syntax
reset logbuffer
View
User view
Default level
3: Manage level
Parameters
None
Description
Use reset logbuffer to reset the log buffer contents.
Examples
# Clear the log buffer.
security-logfile save
Syntax
security-logfile save
View
User view
Default level
2: System level
Parameters
None
Description
Use security-logfile save to manually save security logs from the security log file buffer into the security log file. By default, the system automatically saves logs from the log buffer to the log file at the interval configured by the info-center logfile frequency command. The directory for the log file can be specified using the info-center logfile switch-directory command.
Description Use terminal debugging to enable the display of debugging information on the current terminal. Use undo terminal debugging to disable the display of debugging information on the current terminal. By default, the display of debugging information on the current terminal is disabled.
terminal monitor
Syntax
terminal monitor
undo terminal monitor
View
User view
Default level
1: Monitor level
Parameters
None
Description
Use terminal monitor to enable the monitoring of system information on the current terminal. Use undo terminal monitor to disable the monitoring of system information on the current terminal. By default, monitoring of system information on the console is enabled and that on the monitor terminal is disabled.
Use undo terminal trapping to disable the display of trap information on the current terminal. By default, the display of trap information on the current terminal is enabled. To view the trap information, you need to execute the terminal monitor and terminal trapping commands, and then enable information center (enabled by default). The configuration of this command is only valid for the current connection between the terminal and the device.
Log management configuration commands

display userlog export
Syntax
display userlog export [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
Table 26 Command output
Field: Description
flow: Configuration and statistics about flow logs.
No userlog export is enabled: Flow logs are not sent to the log server at present. It may be because exporting flow logs to the log server is not configured, or flow logs are sent to the information center. (Support for this field depends on the device model.)
Export Version 1 logs to log server: Export flow log packets of version 1.0 to the log server.
Default level
2: System level
Parameters
None
Description
Use reset userlog flow logbuffer to clear flow logs in the cache. Flow logs are saved in the cache before being exported to the information center or log server. This command results in loss of log information. Use this command with caution.
Examples
# Clear flow logs in the cache.
is the same as that of the currently effective configuration, but other information of the two configurations differs, the new configuration overwrites the previous one. Related commands: userlog flow export host ipv6.
Examples
# Export flow logs to the log server with IP address 1.2.3.6 and port number 2000.
system-view
[Sysname] userlog flow export host 1.2.3.
userlog flow export source-ip
Syntax
userlog flow export source-ip ip-address
undo userlog flow export source-ip
View
System view
Default level
2: System level
Parameters
ip-address: Specifies the source IP address for a flow logging packet.
Description
Use userlog flow export source-ip to configure the source IP address of flow logging packets. Use undo userlog flow export source-ip to restore the default.
Examples
# Set the flow logging version to 3.0.
system-view
[Sysname] userlog flow export version 3

userlog flow syslog
Syntax
userlog flow syslog
undo userlog flow syslog
View
System view
Default level
2: System level
Parameters
None
Description
Use userlog flow syslog to export flow logs to the information center. Use undo userlog flow syslog to restore the default. By default, flow logs are exported to the log server. The two export approaches for flow logs are mutually exclusive.
NTP configuration commands

display ntp-service sessions
Syntax
display ntp-service sessions [ verbose ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
verbose: Displays detailed information about all NTP sessions. If you do not specify this keyword, only brief information about the NTP sessions is displayed.
|: Filters command output by specifying a regular expression.
Field: Description
Reference clock ID of the clock source: If the reference clock is the local clock, the value of this field depends on the value of the stra field: 1. When the value of the stra field is 0 or 1, this field is "LOCL". 2. When the stra field has another value, this field is the IP address of the local clock. If the reference clock is the clock of another device on the network, the value of this field is the IP address of that device.
xmttime: 10:56:22.442 UTC Aug 7 2009(CE2686D6.71464DC2)
filter delay : 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filter offset: 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filter disper: 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
reference clock status: working abnormally
timecode:
Total associations : 1
Table 28 Command output
Field: Description
clock source: IP address of the clock source.
clock stratum: Stratum level of the clock source, which determines the clock precision.
Field: Description
local poll: Poll interval of the local device, in seconds. The value displayed is a power of 2. For example, if the displayed value is 6, the poll interval of the local device is 2^6, or 64 seconds.
peer mode: Operation mode of the peer device:
• unspec—The mode is unspecified.
• active—Active mode.
• passive—Passive mode.
• client—Client mode.
• server—Server mode.
• bdcast—Broadcast server mode.
• control—Control query mode.
• private—Private message mode.
Field: Description
reference clock status: Status of the reference clock:
• working normally
• working abnormally
timecode: Time code.
Total associations: Total number of associations.
When a device is operating in NTP broadcast/multicast server mode, using the display ntp-service sessions command on the device does not display the NTP session information corresponding to the broadcast/multicast server, but the sessions are counted in the total number of associations.
Table 29 Command output
Field: Description
Clock status: Status of the system clock, including:
• Synchronized—The system clock has been synchronized.
• Unsynchronized—The system clock has not been synchronized.
Clock stratum: Stratum level of the system clock.
Reference clock ID: When the system clock is synchronized to a remote time server, this field indicates the address of the remote time server.
Description Use display ntp-service trace to display the brief information about each NTP server along the NTP server chain from the local device back to the primary reference source. The display ntp-service trace command takes effect only when the local device and all the devices on the NTP server chain can reach one another. Otherwise, this command is unable to display all the NTP servers on the NTP chain due to timeout.
query: Permits control query. This level of right permits the peer devices to perform control query to the NTP service on the local device but does not permit a peer device to synchronize its clock to that of the local device. server: Permits server access and query. This level of right permits the peer devices to perform synchronization and control query to the local device but does not permit the local device to synchronize its clock to that of a peer device. synchronization: Permits server access only.
Description
Use ntp-service authentication enable to enable NTP authentication. Use undo ntp-service authentication enable to disable NTP authentication. By default, NTP authentication is disabled. Related commands: ntp-service authentication-keyid and ntp-service reliable authentication-keyid.
Examples
# Enable NTP authentication.
system-view
[Sysname] ntp-service authentication enable
[Sysname] ntp-service authentication-keyid 10 authentication-mode md5 BetterKey

ntp-service broadcast-client
Syntax
ntp-service broadcast-client
undo ntp-service broadcast-client
View
Interface view
Default level
3: Manage level
Parameters
None
Description
Use ntp-service broadcast-client to configure the device to operate in the NTP broadcast client mode and use the current interface to receive NTP broadcast packets.
Description
Use ntp-service broadcast-server to configure the device to operate in the NTP broadcast server mode and use the current interface to send NTP broadcast packets. Use undo ntp-service broadcast-server to remove the configuration. By default, the device does not operate in any NTP operation mode.
Examples
# Configure the device to operate in broadcast server mode and send NTP broadcast messages on GigabitEthernet 0/1, using key 4 for encryption, and set the NTP version to 3.
Default level
3: Manage level
Parameters
number: Maximum number of dynamic NTP sessions that are allowed to be established, which ranges from 0 to 100.
Description
Use ntp-service max-dynamic-sessions to set the maximum number of dynamic NTP sessions that are allowed to be established locally. Use undo ntp-service max-dynamic-sessions to restore the maximum number of dynamic NTP sessions to the system default. By default, the number is 100.
Examples
# Configure the device to operate in the multicast client mode and receive NTP multicast messages on GigabitEthernet 0/1, and set the multicast address to 224.0.1.1.
system-view
[Sysname] interface GigabitEthernet 0/1
[Sysname-GigabitEthernet0/1] ntp-service multicast-client 224.0.1.
undo ntp-service refclock-master [ ip-address ]
View
System view
Default level
3: Manage level
Parameters
ip-address: IP address of the local clock, which is 127.127.1.u, where u is the NTP process ID that ranges from 0 to 3. If you do not specify ip-address, it defaults to 127.127.1.0.
stratum: Stratum level of the local clock, which ranges from 1 to 15 and defaults to 8.
Description
Use ntp-service refclock-master to configure the local clock as a reference source for other devices.
system-view
[Sysname] ntp-service authentication enable
[Sysname] ntp-service authentication-keyid 37 authentication-mode md5 BetterKey
# Specify this key as a trusted key.
Parameters
vpn-instance vpn-instance-name: Specifies the VPN to which the symmetric-passive peer belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the symmetric-passive peer is on the public network, do not specify this option.
peer-name: Host name of the symmetric-passive peer, which is a string of 1 to 20 characters.
authentication-keyid keyid: Specifies the key ID to be used for sending NTP messages to the peer, where keyid ranges from 1 to 4294967295.
Parameters
vpn-instance vpn-instance-name: Specifies the VPN to which the NTP server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the NTP server is on the public network, do not specify this option.
server-name: Host name of the NTP server, which is a string of 1 to 20 characters.
authentication-keyid keyid: Specifies the key ID to be used for sending NTP messages to the NTP server, where keyid ranges from 1 to 4294967295.
RMON configuration commands

display rmon alarm
Syntax
display rmon alarm [ entry-number ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
entry-number: Index of an RMON alarm entry, which ranges from 1 to 65535. If no entry is specified, the configuration of all alarm entries is displayed.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
Table 31 Command output
Field: Description
AlarmEntry entry-number owned by owner is status: Status of the alarm entry entry-number created by the owner is status.
• entry-number—Alarm entry, corresponding to the MIB node alarmIndex.
• owner—Entry owner, corresponding to the MIB node alarmOwner.
• status—Entry status, corresponding to the MIB node alarmStatus.
  - VALID—The entry is valid.
  - UNDERCREATION—The entry is invalid.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display rmon event to display the configuration of the specified or all RMON event entries. Displayed information includes event index, event owner, event description, action triggered by the event (such as sending log or trap messages), and the last time the event occurred (the elapsed time since system initialization/startup) in seconds. Related commands: rmon event.
Default level
1: Monitor level
Parameters
entry-number: Index of an event entry, which ranges from 1 to 65535.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
This example shows that event 1 generated two logs.

display rmon history
Syntax
display rmon history [ interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
interface-type interface-number: Specifies an interface by its type and number.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
 dropevents : 0 , octets : 834
 packets : 8 , broadcast packets : 1
 multicast packets : 6 , CRC alignment errors : 0
 undersize packets : 0 , oversize packets : 0
 fragments : 0 , jabbers : 0
 collisions : 0 , utilization : 0
Sampled values of record 3 :
 dropevents : 0 , octets : 1001
 packets : 9 , broadcast packets : 1
 multicast packets : 7 , CRC alignment errors : 0
 undersize packets : 0 , oversize packets : 0
 fragments : 0 , jabbers : 0
 collisions : 0 , utilization : 0
Field Description
octets: Number of octets received during the sampling period, corresponding to the MIB node etherHistoryOctets.
packets: Number of packets received during the sampling period, corresponding to the MIB node etherHistoryPkts.
broadcastpackets: Number of broadcasts received during the sampling period, corresponding to the MIB node etherHistoryBroadcastPkts.
multicastpackets: Number of multicasts received during the sampling period, corresponding to the MIB node etherHistoryMulticastPkts.
Description
Use display rmon prialarm to display the configuration of the specified or all private alarm entries.
Related commands: rmon prialarm.
Examples
# Display the configuration of all private alarm entries.
display rmon prialarm
PrialarmEntry 1 owned by user1 is VALID.
 Samples type : absolute
 Variable formula : (.1.3.6.1.2.1.16.1.1.1.6.1*100/.1.3.6.1.2.1.16.1.1.1.5.1)
 Description : ifUtilization.
display rmon statistics

Syntax
display rmon statistics [ interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
interface-type interface-number: Specifies an interface by its type and number.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
Field Description
VALID: Entry status:
• VALID—The entry is valid.
• UNDERCREATION—The entry is invalid.
The display rmon command can display invalid entries, but the display current-configuration and display this commands do not display their settings. The status value is stored in the MIB node etherStatsStatus.
Interface: Interface on which statistics are gathered, which corresponds to the MIB node etherStatsDataSource.
Field Description
Packets received according to length:
 64 : 0 , 65-127 : 0
 128-255 : 0 , 256-511: 0
 512-1023: 0 , 1024-1518: 0
Incoming-packet statistics by packet length for the statistical period:
• 64—Number of 64-byte packets. The value is stored in the MIB node etherStatsPkts64Octets.
• 65-127—Number of 65- to 127-byte packets. The value is stored in the MIB node etherStatsPkts65to127Octets.
• 128-255—Number of 128- to 255-byte packets.
represents the index of the event triggered when the rising threshold is reached. event-entry1 ranges from 0 to 65,535. If 0 is specified, the alarm does not trigger any event.
falling-threshold threshold-value2 event-entry2: Sets the falling threshold, where threshold-value2 represents the falling threshold, in the range –2,147,483,648 to +2,147,483,647, and event-entry2 represents the index of the event triggered when the falling threshold is reached. event-entry2 ranges from 1 to 65,535.
parameter 1.3.6.1.2.1.16.1.1.1.4.1, where 1 indicates the serial number of the interface statistics entry. Therefore, if you execute the rmon statistics 5 command, you can use etherStatsOctets.5 to replace the parameter.
This example enables the RMON agent to do the following:
• Samples and monitors interface GigabitEthernet 0/1.
• Obtains the incoming-packet count in its absolute value. If the total number of incoming bytes reaches 5000, the system logs the event.
Related commands: display rmon event, rmon alarm, and rmon prialarm.
Examples
# Create event 10 in the RMON event table.
system-view
[Sysname] rmon event 10 log owner user1

rmon history

Syntax
rmon history entry-number buckets number interval sampling-interval [ owner text ]
undo rmon history entry-number
View
Ethernet interface view
Default level
2: System level
Parameters
entry-number: History control entry index, which ranges from 1 to 65535.
rmon prialarm

Syntax
rmon prialarm entry-number prialarm-formula prialarm-des sampling-interval { absolute | changeratio | delta } rising-threshold threshold-value1 event-entry1 falling-threshold threshold-value2 event-entry2 entrytype { forever | cycle cycle-period } [ owner text ]
undo rmon prialarm entry-number
View
System view
Default level
2: System level
Parameters
entry-number: Index of a private alarm entry, which ranges from 1 to 65535.
You cannot create an entry that has the same alarm variable formula (prialarm-formula), sampling type (absolute, changeratio, or delta), rising threshold (threshold-value1), and falling threshold (threshold-value2) as an existing private alarm entry.
You can create up to 50 private alarm entries.
The system handles private alarm entries as follows:
1. Samples the private alarm variables in the private alarm formula at the specified sampling interval.
2.
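The rising/falling threshold pair in rmon alarm and rmon prialarm behaves as a hysteresis: after a rising crossing fires its event, no further rising event fires until the value drops back through the falling threshold (and vice versa), which is what keeps a counter that hovers around 5000 bytes from logging on every sample. This added Python example (not HP code) models that behaviour for the absolute and delta sampling types; the changeratio type and the event-entry 0 rule from the rmon alarm parameters are handled as noted in the comments, and the sample values are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class RmonAlarm:
    """One alarm entry: thresholds, the events they trigger, and the
    state needed for the rising/falling hysteresis RMON alarms use.
    changeratio sampling is not modelled here (assumption: only
    absolute and delta are needed to show the threshold logic)."""
    sample_type: str          # "absolute" or "delta"
    rising_threshold: int
    rising_event: int         # 0 = trigger no event (rmon alarm event-entry1)
    falling_threshold: int
    falling_event: int
    last_raw: Optional[int] = None       # previous raw sample (delta mode)
    last_crossing: Optional[str] = None  # "rising" or "falling"
    fired: List[Tuple[int, str, int]] = field(default_factory=list)

    def sample(self, index: int, raw: int) -> Optional[str]:
        """Feed one sampled variable value (for example etherStatsOctets.N)
        and return "rising", "falling", or None for no threshold crossing."""
        if self.sample_type == "delta":
            if self.last_raw is None:        # delta needs two samples
                self.last_raw = raw
                return None
            value, self.last_raw = raw - self.last_raw, raw
        elif self.sample_type == "absolute":
            value = raw
        else:
            raise ValueError("unsupported sampling type: " + self.sample_type)

        crossing = None
        event = 0
        # A crossing counts only if the previous crossing was in the other
        # direction (or this is the first crossing): that is the hysteresis.
        if value >= self.rising_threshold and self.last_crossing != "rising":
            crossing, event = "rising", self.rising_event
        elif value <= self.falling_threshold and self.last_crossing != "falling":
            crossing, event = "falling", self.falling_event
        if crossing is not None:
            self.last_crossing = crossing
            if event != 0:                   # event index 0 means "no event"
                self.fired.append((index, crossing, event))
        return crossing


def run_alarm(alarm: RmonAlarm, samples: List[int]) -> List[Tuple[int, str, int]]:
    """Replay a list of sampled values and return (sample index, direction,
    event index) for every event the alarm would trigger."""
    for i, raw in enumerate(samples):
        alarm.sample(i, raw)
    return alarm.fired


if __name__ == "__main__":
    # Constructed samples of an absolute byte counter, rising threshold 5000
    # logging event 1 (as in the rmon alarm example), falling threshold 1000
    # with no falling event.
    octets = RmonAlarm("absolute", 5000, 1, 1000, 0)
    print(run_alarm(octets, [834, 1001, 5200, 6000, 900, 5100]))
```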
rmon statistics

Syntax
rmon statistics entry-number [ owner text ]
undo rmon statistics entry-number
View
Ethernet interface view
Default level
2: System level
Parameters
entry-number: Index of a statistics entry, which ranges from 1 to 65535.
owner text: Owner of the entry, a case-sensitive string of 1 to 127 characters that can contain spaces.
Description
Use rmon statistics to create an entry in the RMON statistics table.
SNMP configuration commands

IMPORTANT: The FIPS mode is available only for the firewall modules. For more information about FIPS, see Access Control Configuration Guide.

display snmp-agent community

Syntax
display snmp-agent community [ read | write ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
read: Displays information about SNMP read-only communities.
write: Displays information about SNMP read and write communities.
 Community name: userv1
 Group name: testv1
 Storage-type: nonVolatile
Table 37 Command output
Field Description
Community name: Displays the community name created by using the snmp-agent community command or the username created by using the snmp-agent usm-user { v1 | v2c } command.
Group name: SNMP group name:
• If the community is created by using the snmp-agent community command, the group name is the same as the community name.
Description
Use display snmp-agent group to display information for the SNMPv3 agent group, including group name, security model, MIB view, storage type, and so on. Absence of the group-name parameter indicates that information for all groups is displayed.
Examples
# Display the information of all SNMP agent groups.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display snmp-agent local-engineid to display the local SNMP agent engine ID. The SNMP engine ID uniquely identifies an SNMP entity within an SNMP domain. The SNMP engine is an indispensable part of an SNMP entity.
 Subtree mask:
 Storage-type: nonVolatile
 View Type:included
 View status:active
View name:ViewDefault
 MIB Subtree:snmpUsmMIB
 Subtree mask:
 Storage-type: nonVolatile
 View Type:excluded
 View status:active
View name:ViewDefault
 MIB Subtree:snmpVacmMIB
 Subtree mask:
 Storage-type: nonVolatile
 View Type:excluded
 View status:active
View name:ViewDefault
 MIB Subtree:snmpModules.18
 Subtree mask:
 Storage-type: nonVolatile
 View Type:excluded
 View status:active
The ViewDefault is the default MIB view.
View
Any view
Default level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
Field Description
Messages which used a SNMP community name not known: Number of messages that had a community name not configured on the SNMP agent.
Messages which represented an illegal operation for the community supplied: Number of messages carrying an operation that the community has no right to perform.
ASN.1 or BER errors in the process of decoding: Number of messages that had ASN.1 or BER errors during decoding.
Messages passed from the SNMP entity: Number of messages sent by the SNMP agent.
Parameters
contact: Displays the contact information of the current network administrator.
location: Displays the location information of the current device.
version: Displays the version of the current SNMP agent.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
Description
Use display snmp-agent trap queue to display basic information about the trap queue, including the trap queue name, the queue length, and the number of traps currently in the queue.
Related commands: snmp-agent trap life and snmp-agent trap queue-size.
Examples
# Display the current configuration and usage of the trap queue.
 standard trap enable
 bgp trap disable
 configuration trap disable
 flash trap disable
 ospf trap disable
 pim trap disable
 system trap disable
 vrrp trap disable
Enable traps: 1; Disable traps: 7
If a module can generate traps, its trap function status is enable; if not, disable. You can enable or disable the trap function for a module at the command line interface (CLI).
 Engine ID: 800063A203000FE240A1A6
 Storage-type: nonVolatile
 UserStatus: active
User name: userv3code
 Group name: groupv3code
 Engine ID: 800063A203000FE240A1A6
 Storage-type: nonVolatile
 UserStatus: active
Table 42 Command output
Field Description
User name: SNMP user name.
Group name: SNMP group name.
Engine ID: Engine ID for an SNMP entity.
Storage-type: Storage type:
• volatile
• nonvolatile
• permanent
• readOnly
• other
See Table 37 for details.
UserStatus: SNMP user status.
For an interface to generate linkUp/linkDown traps when its state changes, you must also enable the linkUp/linkDown trap function globally by using the enable snmp trap updown command.
Related commands: snmp-agent target-host and snmp-agent trap enable.
Examples
# Enable port GigabitEthernet 0/1 to send linkUp/linkDown SNMP traps in the community public.
system-view
[Sysname] snmp-agent trap enable
[Sysname] snmp-agent target-host trap address udp-domain 10.1.1.
snmp-agent calculate-password plain-password mode sha { local-engineid | specified-engineid engineid }
View
System view
Default level
3: Manage level
Parameters
plain-password: Specifies a plaintext authentication or privacy key.
mode: Specifies authentication and privacy algorithms. Select a mode option, depending on the authentication and privacy algorithm you are configuring with the snmp-agent usm-user v3 command.
The converted key is valid only under the specified engine ID.
In FIPS mode, SHA authentication is available but 3DES encryption is not available.
Related commands: snmp-agent usm-user v3.
Examples
# Use the local engine ID to convert the plaintext key authkey to an encrypted key for MD5 authentication.
To make sure that the MIB objects are accessible only to a specific NMS, use a basic ACL to identify the source IP address of the NMS. To set the range of the MIB objects available for the community, use a MIB view. In FIPS mode, this command is not available and only SNMPv3 settings can be configured. Related commands: snmp-agent mib-view.
snmp-agent group

Syntax
SNMPv1 and SNMPv2c for non-FIPS mode:
snmp-agent group { v1 | v2c } group-name [ read-view view-name ] [ write-view view-name ] [ notify-view view-name ] [ acl acl-number ]
undo snmp-agent group { v1 | v2c } group-name
SNMPv3 for non-FIPS mode:
snmp-agent group v3 group-name [ authentication | privacy ] [ read-view view-name ] [ write-view view-name ] [ notify-view view-name ] [ acl acl-number ]
undo snmp-agent group v3 group-name [ authentication | privacy ]
SNMPv3 for FIPS mode:
sn
Description
Use snmp-agent group to configure an SNMP group and specify its access right. Use undo snmp-agent group to delete an SNMP group.
By default, SNMP groups configured by the snmp-agent group v3 command use the no-authentication-no-privacy security model.
An SNMP group defines the security model, access right, and so on. A user in this SNMP group has all these public properties.
In FIPS mode, only SNMPv3 settings can be configured.
Related commands: snmp-agent mib-view and snmp-agent usm-user.
Examples
# Configure the local engine ID as 123456789A.
system-view
[Sysname] snmp-agent local-engineid 123456789A

snmp-agent log

Syntax
snmp-agent log { all | get-operation | set-operation }
undo snmp-agent log { all | get-operation | set-operation }
View
System view
Default level
3: Manage level
Parameters
all: Enables logging of SNMP GET and SET operations.
get-operation: Enables logging of SNMP GET operations.
set-operation: Enables logging of SNMP SET operations.
Default level
3: Manage level
Parameters
excluded: Denies access to any nodes in the specified MIB subtree.
included: Permits access to the nodes in the specified MIB subtree.
view-name: Specifies a view name, which is a string of 1 to 32 characters.
oid-tree: Specifies a MIB subtree by its root node's OID, such as 1.4.5.3.1, or object name, such as system. An OID is made up of a series of integers. It marks the position of a node in the MIB tree and uniquely identifies a MIB object.
snmp-agent packet max-size

Syntax
snmp-agent packet max-size byte-count
undo snmp-agent packet max-size
View
System view
Default level
3: Manage level
Parameters
byte-count: Maximum number of bytes of an SNMP packet that can be received or sent by the agent, which ranges from 484 to 17,940 and defaults to 1,500 bytes.
Description
Use snmp-agent packet max-size to set the maximum size (in bytes) of SNMP packets that the SNMP agent can receive or send.
location sys-location: A string of 1 to 200 characters that describes the location of the device. The system location information is a management variable under the system branch as defined in RFC 1213-MIB, identifying the location of the managed object.
version: The SNMP version in use.
• all: Specifies SNMPv1, SNMPv2c, and SNMPv3.
• v1: SNMPv1.
• v2c: SNMPv2c.
• v3: SNMPv3.
View
System view
Default level
3: Manage level
Parameters
trap: Specifies a target host for receiving the traps sent by the device.
address: Specifies a target host for receiving the traps sent by the device.
udp-domain: Specifies UDP as the transport protocol.
ip-address: Specifies the IPv4 address or name of the target host. The host name is a string of 1 to 255 characters.
ipv6 ipv6-address: Specifies the IPv6 address of the trap target host.
Examples
# Configure the SNMP agent to send SNMPv1 traps to 10.1.1.1 in the community public.
system-view
[Sysname] snmp-agent trap enable standard
[Sysname] snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname public
# Configure the SNMP agent to send SNMPv3 traps to 10.1.1.1 and set the username to v3test.
system-view
[Sysname] snmp-agent trap enable standard
[Sysname] snmp-agent target-host trap address udp-domain 10.1.1.
• iftxretransmit: Traps for the interface to receive and forward packets.
• lsdbapproachoverflow: Traps for the LSDB approaching overflow.
• lsdboverflow: Traps for LSDB overflow.
• maxagelsa: Traps for LSA max age.
• nbrstatechange: Traps for neighbor state change.
• originatelsa: Traps for local LSA generation.
• vifcfgerror: Traps for virtual interface configuration error.
• virifauthfail: Traps for virtual interface authentication failure.
Use undo snmp-agent trap enable to disable the trap function globally.
By default, only the trap function of the voice module is disabled; the trap function of the other modules is enabled.
After you globally enable a trap function for a module, whether the module generates traps also depends on the configuration of the module. For more information, see the sections for each module.
Trap 1.3.6.1.6.3.1.1.5.4: Interface 983555 is Up, ifAdminStatus is 1, ifOperStatus is 1, ifDescr is GigabitEthernet0/1, ifType is 6
• A standard linkDown trap is in the following format:
#Apr 24 11:47:35:224 2008 Sysname IFNET/4/INTERFACE UPDOWN: Trap 1.3.6.1.6.3.1.1.5.3: Interface 983555 is Down, ifAdminStatus is 2, ifOperStatus is 2
• An extended linkDown trap is in the following format:
#Apr 24 11:42:54:314 2008 AR29.46 IFNET/4/INTERFACE UPDOWN: Trap 1.3.6.1.6.3.1.1.5.
snmp-agent trap queue-size

Syntax
snmp-agent trap queue-size size
undo snmp-agent trap queue-size
View
System view
Default level
3: Manage level
Parameters
size: Number of traps that can be stored in the trap sending queue, which ranges from 1 to 1,000.
Description
Use snmp-agent trap queue-size to set the size of the trap sending queue. Use undo snmp-agent trap queue-size to restore the default queue size.
By default, up to 100 traps can be stored in the trap sending queue.
Use undo snmp-agent trap source to restore the default. By default, SNMP chooses the IP address of an interface to be the source IP address of the trap. Upon the execution of this command, the system uses the primary IP address of the specified interface as the source IP address of the traps, and the NMS uses this IP address to uniquely identify the agent. Even if the agent sends out traps through different interfaces, the NMS uses this IP address to filter all traps sent from the agent.
{ v1 | v2c } command. To display the SNMPv1 and SNMPv2c communities created in this way, use the display snmp-agent community command. The snmp-agent usm-user { v1 | v2c } command enables managing SNMPv1 and SNMPv2c users in the same way as managing SNMPv3 users. It does not affect the way of configuring SNMPv1 and SNMPv2c communities on the NMS. Related commands: snmp-agent community, snmp-agent group, and snmp-agent usm-user v3.
Default level
3: Manage level
Parameters
user-name: User name, a case-sensitive string of 1 to 32 characters.
group-name: Group name, a case-sensitive string of 1 to 32 characters.
cipher: Specifies that auth-password and priv-password are encrypted keys, which can be calculated by using the snmp-agent calculate-password command.
authentication-mode: Specifies an authentication algorithm. MD5 is faster than SHA, while SHA provides higher security than MD5.
Each SNMP user belongs to an SNMP group. Before creating a user, create an SNMP group first. Otherwise, the user can be created successfully but does not take effect. An SNMP group may contain multiple users. It defines SNMP objects accessible to the group of users in the MIB view and specifies whether to enable authentication and privacy functions. The authentication and encryption algorithms are defined when a user is created.
To access the SNMP agent, specifically, the default view (ViewDefault) in this example, the NMS must use the protocol SNMPv3, username testUser, authentication algorithm MD5, authentication key authkey, privacy algorithm DES, and privacy key prikey. # Add a user testUser to the SNMPv3 group testGroup with the cipher keyword specified.
RSH configuration commands

rsh

Syntax
rsh host [ user username ] command remote-command
View
User view
Default level
0: Visit level
Parameters
host: IP address or host name of the remote host, a string of 1 to 20 characters.
user username: Specifies the username for remote login, which is a string of 1 to 20 characters. If you specify no username, the system name of the firewall, which can be set by using the sysname command, applies.
command remote-command: Specifies the command to be executed remotely.
2003-06-21 10:51 192,512 wrshdnt.cpl
2001-12-09 16:41 38,991 wrshdnt.hlp
2001-12-09 16:26 1,740 wrshdnt.cnt
2003-06-22 11:14 452,230 wrshdnt.htm
2003-06-23 18:18
2003-06-23 18:18
2003-06-22 11:13
2001-09-02 15:41
2003-06-21 10:32
2004-01-02 15:54 196,608 wrshdsp.exe
2004-01-02 15:54 102,400 wrshdnt.exe
2001-07-30 18:05 766 wrshdnt.ico
2004-07-13 09:10 4,803 wrshdnt_header.htm
178 wrshdnt_filelist.xml
156,472 wrshdnt.pdf
49,152 wrshdrdr.exe
69,632 wrshdrun.exe
3,253 INSTALL.
SSH2.0 configuration commands

IMPORTANT: The FIPS mode is available only for the firewall modules. For more information about FIPS, see Access Control Configuration Guide.

SSH2.0 server configuration commands

display ssh server

Syntax
display ssh server { session | status } [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
session: Displays the session information of the SSH server.
status: Displays the status information of the SSH server.
 SSH server key generating interval : 0 hour(s)
 SSH Authentication retries : 3 time(s)
 SFTP Server: Disable
 SFTP Server Idle-Timeout: 10 minute(s)
Table 43 Command output
Field Description
SSH Server: Whether the SSH server function is enabled.
SSH protocol version: SSH version. When the SSH server supports SSH1, the protocol version is 1.99. Otherwise, the protocol version is 2.0.
Parameters
username: SSH username, a string of 1 to 80 characters.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
Parameters
times: Maximum number of authentication attempts, in the range 1 to 5.
Description
Use ssh server authentication-retries to set the maximum number of SSH connection authentication attempts. Use undo ssh server authentication-retries to restore the default.
By default, the maximum number of SSH connection authentication attempts is 3.
This configuration takes effect only for users who try to log in after the configuration.
ssh server compatible-ssh1x enable

Syntax
ssh server compatible-ssh1x enable
undo ssh server compatible-ssh1x
View
System view
Default level
3: Manage level
Parameters
None
Description
Use ssh server compatible-ssh1x to enable the SSH server to support SSH1 clients. Use undo ssh server compatible-ssh1x to disable the SSH server from supporting SSH1 clients.
By default, the SSH server supports SSH1 clients.
Examples
# Enable the SSH server.
system-view
[Sysname] ssh server enable

ssh server rekey-interval

Syntax
ssh server rekey-interval hours
undo ssh server rekey-interval
View
System view
Default level
3: Manage level
Parameters
hours: Server key pair update interval in hours, in the range 1 to 24.
Description
Use ssh server rekey-interval to set the interval for updating the RSA server key. Use undo ssh server rekey-interval to restore the default.
ssh user username service-type { all | sftp } authentication-type { password | password-publickey assign publickey keyname work-directory directory-name }
undo ssh user username
View
System view
Default level
3: Manage level
Parameters
username: SSH username, a case-sensitive string of 1 to 80 characters.
service-type: Specifies the service type of an SSH user, which can be one of the following:
• all: Specifies both secure Telnet and secure FTP.
• sftp: Specifies the service type as secure FTP.
You can change the authentication method and public key of an SSH user when the user is communicating with the SSH server. However, your changes take effect only after the user logs out and logs in again. If an SFTP user has been assigned a public key, it is necessary to set a working folder for the user. The working folder of an SFTP user depends on the user authentication method. For a user using only password authentication, the working folder is the AAA authorized one.
Examples
# Display the source IP address or source interface of the SSH client.
display ssh client source
The source IP address you specified is 192.168.0.1

display ssh server-info

Syntax
display ssh server-info [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
ssh client authentication server

Syntax
ssh client authentication server server assign publickey keyname
undo ssh client authentication server server assign publickey
View
System view
Default level
2: System level
Parameters
server: IP address or name of the server, a string of 1 to 80 characters.
assign publickey keyname: Specifies the name of the host public key of the server, a string of 1 to 64 characters.
Description
Use ssh client first-time enable to enable the first-time authentication function. Use the undo ssh client first-time command to disable the function.
By default, the function is enabled.
With first-time authentication, when an SSH client not configured with the server host public key accesses the server for the first time, the user can continue accessing the server and save the host public key on the client.
ssh client source

Syntax
ssh client source { ip ip-address | interface interface-type interface-number }
undo ssh client source
View
System view
Default level
3: Manage level
Parameters
ip ip-address: Specifies a source IPv4 address.
interface interface-type interface-number: Specifies a source interface by its type and number.
Description
Use ssh client source to specify the source IPv4 address or source interface of the SSH client. Use undo ssh client source to remove the configuration.
Parameters
server: IPv4 address or host name of the server, a case-insensitive string of 1 to 20 characters.
port-number: Port number of the server, in the range 0 to 65535. The default is 22.
vpn-instance vpn-instance-name: Specifies the VPN that the server belongs to, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
identity-key: Specifies the algorithm for publickey authentication, either dsa or rsa.
Preferred algorithm | In non-FIPS mode | In FIPS mode
Server-to-client preferred HMAC algorithm | sha1-96 | sha1-96
Examples
# Log in to the remote SSH2.0 server 10.214.50.51, using the following algorithms:
• Preferred key exchange algorithm: DH-group1
• Preferred encryption algorithm from server to client: AES128
• Preferred HMAC algorithm from client to server: MD5
• Preferred HMAC algorithm from server to client: SHA1-96
ssh2 10.214.50.
• md5: HMAC algorithm hmac-md5.
• md5-96: HMAC algorithm hmac-md5-96.
• sha1: HMAC algorithm hmac-sha1.
• sha1-96: HMAC algorithm hmac-sha1-96.
prefer-kex: Preferred key exchange algorithm, defaulted to dh-group-exchange.
• dh-group-exchange: Key exchange algorithm diffie-hellman-group-exchange-sha1.
• dh-group1: Key exchange algorithm diffie-hellman-group1-sha1.
• dh-group14: Key exchange algorithm diffie-hellman-group14-sha1.
SFTP server configuration commands

sftp server enable

Syntax
sftp server enable
undo sftp server enable
View
System view
Default level
3: Manage level
Parameters
None
Description
Use sftp server enable to enable the SFTP server. Use undo sftp server enable to disable the SFTP server.
By default, the SFTP server is disabled.
Related commands: display ssh server.
Examples
# Enable the SFTP server.
Related commands: display ssh server.
Examples
# Set the idle timeout period for SFTP user connections to 500 minutes.
system-view
[Sysname] sftp server idle-timeout 500

SFTP client configuration commands

bye

Syntax
bye
View
SFTP client view
Default level
3: Manage level
Parameters
None
Description
Use bye to terminate the connection with a remote SFTP server and return to user view.
This command functions the same as the exit and quit commands.
Description
Use cd to change the working path on a remote SFTP server. With the argument not specified, the command displays the current working path.
You can use the cd .. command to return to the upper-level directory.
You can use the cd / command to return to the root directory of the system.
Examples
# Change the working path to new1.
Description
Use delete to delete files from a server.
This command functions the same as the remove command.
Examples
# Delete file temp.c from the server.
sftp-client> delete temp.c
The following files will be deleted:
/temp.c
Are you sure to delete it? [Y/N]:y
This operation might take a long time. Please wait...
drwxrwxrwx 1 noone nogroup 0 Sep 28 08:18 new2
-rwxrwxrwx 1 noone nogroup 225 Sep 28 08:30 pub2

display sftp client source

Syntax
display sftp client source [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
This command functions the same as the bye and quit commands.
Examples
# Terminate the connection with the remote SFTP server.
sftp-client> exit
Bye
Connection closed.

get

Syntax
get remote-file [ local-file ]
View
SFTP client view
Default level
3: Manage level
Parameters
remote-file: Name of a file on the remote SFTP server.
local-file: Name for the local file.
Description
Use get to download a file from a remote SFTP server and save it locally.
Description
Use help to display a list of all commands or the help information of an SFTP client command. With neither the argument nor the keyword specified, the command displays a list of all commands.
Examples
# Display the help information of the get command.
sftp-client> help get
get remote-path [local-path]    Download file.
mkdir

Syntax
mkdir remote-path
View
SFTP client view
Default level
3: Manage level
Parameters
remote-path: Name for the directory on a remote SFTP server.
Description
Use mkdir to create a directory on a remote SFTP server.
Examples
# Create a directory named test on the remote SFTP server.
sftp-client> mkdir test
New directory created

put

Syntax
put local-file [ remote-file ]
View
SFTP client view
Default level
3: Manage level
Parameters
local-file: Name of a local file.
pwd

Syntax
pwd
View
SFTP client view
Default level
3: Manage level
Parameters
None
Description
Use pwd to display the current working directory of a remote SFTP server.
Examples
# Display the current working directory of the remote SFTP server.
sftp-client> pwd
/

quit

Syntax
quit
View
SFTP client view
Default level
3: Manage level
Parameters
None
Description
Use quit to terminate the connection with a remote SFTP server and return to user view.
This command functions the same as the bye and exit commands.
View
SFTP client view
Default level
3: Manage level
Parameters
remote-file&<1-10>: Names of files on an SFTP server. &<1-10> means that you can provide up to 10 filenames, separated by spaces.
Description
Use remove to delete files from a remote server.
This command functions the same as the delete command.
Examples
# Delete file temp.c from the server.
sftp-client> remove temp.c
The following files will be deleted:
/temp.c
Are you sure to delete it? [Y/N]:y
This operation might take a long time.
rmdir

Syntax
rmdir remote-path&<1-10>
View
SFTP client view
Default level
3: Manage level
Parameters
remote-path&<1-10>: Names of directories on the remote SFTP server. &<1-10> means that you can provide up to 10 directory names, separated by spaces.
Description
Use rmdir to delete the specified directories from an SFTP server.
Examples
# On the SFTP server, delete directory temp1 in the current directory.
prefer-ctos-cipher: Preferred encryption algorithm from client to server, defaulted to aes128.
• 3des: Encryption algorithm 3des-cbc.
• aes128: Encryption algorithm aes128-cbc.
• aes256: Encryption algorithm aes256-cbc.
• des: Encryption algorithm des-cbc.
prefer-ctos-hmac: Preferred HMAC algorithm from client to server, defaulted to sha1-96.
• md5: HMAC algorithm hmac-md5.
• md5-96: HMAC algorithm hmac-md5-96.
• sha1: HMAC algorithm hmac-sha1.
• sha1-96: HMAC algorithm hmac-sha1-96.
sftp 10.1.1.2 prefer-kex dh-group1 prefer-stoc-cipher aes128 prefer-ctos-hmac md5 prefer-stoc-hmac sha1-96
Input Username:

sftp client ipv6 source

Syntax
sftp client ipv6 source { ipv6 ipv6-address | interface interface-type interface-number }
undo sftp client ipv6 source

View
System view

Default level
3: Manage level

Parameters
ipv6 ipv6-address: Specifies a source IPv6 address.
interface interface-type interface-number: Specifies a source interface by its type and number.
Description
Use sftp client source to specify the source IPv4 address or interface of an SFTP client.
Use undo sftp client source to remove the configuration.
By default, an SFTP client uses the IP address of the output interface of the route to the SFTP server as its source address.
Related commands: display sftp client source.

Examples
# Specify the source IP address of the SFTP client as 192.168.0.1.
system-view
[Sysname] sftp client source ip 192.168.0.
• md5-96: HMAC algorithm hmac-md5-96.
• sha1: HMAC algorithm hmac-sha1.
• sha1-96: HMAC algorithm hmac-sha1-96.
prefer-kex: Preferred key exchange algorithm, defaulted to dh-group-exchange.
• dh-group-exchange: Key exchange algorithm diffie-hellman-group-exchange-sha1.
• dh-group1: Key exchange algorithm diffie-hellman-group1-sha1.
• dh-group14: Key exchange algorithm diffie-hellman-group14-sha1.
prefer-stoc-cipher: Preferred encryption algorithm from server to client, defaulted to aes128.
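The prefer-* keywords of the sftp and sftp ipv6 commands (both parameter lists above) let an operator pin the client to specific ciphers, HMACs and key exchange methods, and the command example earlier prefers dh-group1 and hmac-md5. The following Python script is an added example, not part of the HP manual: it parses such a command line, fills in the defaults the manual states (aes128, sha1-96, dh-group-exchange) and reports any preference that selects a weak algorithm. The keyword names and defaults come from the page; the weak/acceptable classification (single DES, 3DES, MD5-based HMACs, the 1024-bit group1 exchange) is this example's own assessment, not the manual's.

```python
"""Audit the algorithm preferences of an HP firewall `sftp` / `sftp ipv6` client command.

Added example, not from the HP manual. Keyword names and defaults are the
ones listed in the command reference; the WEAK set is the author's assessment.
"""
import shlex

# Defaults stated in the command reference for each preference keyword.
DEFAULTS = {
    "prefer-ctos-cipher": "aes128",
    "prefer-stoc-cipher": "aes128",
    "prefer-ctos-hmac": "sha1-96",
    "prefer-stoc-hmac": "sha1-96",
    "prefer-kex": "dh-group-exchange",
}

# Keyword value -> full algorithm name, as listed in the manual.
ALGORITHM_NAMES = {
    "des": "des-cbc",
    "3des": "3des-cbc",
    "aes128": "aes128-cbc",
    "aes256": "aes256-cbc",
    "md5": "hmac-md5",
    "md5-96": "hmac-md5-96",
    "sha1": "hmac-sha1",
    "sha1-96": "hmac-sha1-96",
    "dh-group1": "diffie-hellman-group1-sha1",
    "dh-group14": "diffie-hellman-group14-sha1",
    "dh-group-exchange": "diffie-hellman-group-exchange-sha1",
}

# Author's assessment (not the manual's): these should not be preferred on a
# management channel. Single DES and 3DES have 64-bit blocks, MD5 HMACs are
# deprecated, and dh-group1 is a 1024-bit MODP group.
WEAK = {"des", "3des", "md5", "md5-96", "dh-group1"}


def parse_sftp_command(command):
    """Return (server, {keyword: value}) for an `sftp` or `sftp ipv6` command line.

    Preferences not given on the command line are filled with the manual's
    defaults. Other options (port, vpn-instance, identity-key, source, ...)
    are skipped token by token; only the prefer-* keywords are audited.
    Raises ValueError for a malformed command or an unknown algorithm name.
    """
    tokens = shlex.split(command)
    if not tokens or tokens[0] != "sftp":
        raise ValueError("not an sftp command")
    idx = 1
    if idx < len(tokens) and tokens[idx] == "ipv6":
        idx += 1
    if idx >= len(tokens):
        raise ValueError("missing server address")
    server = tokens[idx]
    idx += 1

    prefs = dict(DEFAULTS)
    while idx < len(tokens):
        keyword = tokens[idx]
        if keyword in DEFAULTS:
            if idx + 1 >= len(tokens):
                raise ValueError(f"{keyword} needs an argument")
            value = tokens[idx + 1]
            if value not in ALGORITHM_NAMES:
                raise ValueError(f"unknown algorithm {value!r} for {keyword}")
            prefs[keyword] = value
            idx += 2
        else:
            idx += 1  # not a preference keyword; ignore it
    return server, prefs


def audit_preferences(prefs):
    """Return [(keyword, full algorithm name)] for every preference in WEAK."""
    return [(k, ALGORITHM_NAMES[v]) for k, v in prefs.items() if v in WEAK]


def audit_sftp_command(command):
    """Convenience wrapper: (server, findings) for one command line."""
    server, prefs = parse_sftp_command(command)
    return server, audit_preferences(prefs)


if __name__ == "__main__":
    # The command line shown in the manual's own example.
    server, findings = audit_sftp_command(
        "sftp 10.1.1.2 prefer-kex dh-group1 prefer-stoc-cipher aes128 "
        "prefer-ctos-hmac md5 prefer-stoc-hmac sha1-96"
    )
    for keyword, algorithm in findings:
        print(f"{server}: {keyword} prefers weak algorithm {algorithm}")
```

Run against the manual's example line, the script reports prefer-ctos-hmac (hmac-md5) and prefer-kex (diffie-hellman-group1-sha1); a command that only sets prefer-kex dh-group14 and leaves the other defaults in place produces no findings.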
FTP configuration commands

FTP configuration commands are not supported in FIPS mode.

FTP server configuration commands

display ftp-server

Syntax
display ftp-server [ | { begin | exclude | include } regular-expression ]

View
Any view

Default level
3: Manage level

Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
Field                      Description
Timeout value (in minute)  Allowed idle time of an FTP connection. If there is no packet exchange between the FTP server and client during this period, the FTP connection will be disconnected.
Put Method                 File update method of the FTP server:
                           • fast
                           • normal

display ftp-user

Syntax
display ftp-user [ | { begin | exclude | include } regular-expression ]

View
Any view

Default level
3: Manage level

Parameters
|: Filters command output by specifying a regular expression.
Field    Description
HostIP   IP address of the currently logged-in user
Port     Port which the currently logged-in user is using
Idle     Duration time of the current FTP connection, in minutes
HomeDir  Authorized path of the present logged-in user

free ftp user

Syntax
free ftp user username

View
User view

Default level
3: Manage level

Parameters
username: Username. You can use the display ftp-user command to view FTP login user information.
Use undo ftp server acl to restore the default.
By default, no ACL is used to control FTP clients' access to the FTP server.
An ACL enables the FTP server to permit the FTP requests from specific FTP clients. This configuration only filters the FTP connections to be established, and has no effect on the established FTP connections and operations. If you execute the command multiple times, the last specified ACL takes effect.

Examples
# Associate the FTP service with ACL 2001 to allow only the client 1.1.1.
View
System view

Default level
3: Manage level

Parameters
minute: Idle-timeout timer in minutes, in the range of 1 to 35791.

Description
Use ftp timeout to set the idle-timeout timer.
Use undo ftp timeout to restore the default.
By default, the FTP idle time is 30 minutes.
If the idle time of an FTP connection exceeds the FTP timeout value, the FTP server breaks the connection to save resources.

Examples
# Set the idle-timeout timer to 36 minutes.
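As an added example (not from the HP manual) of how the two server-side controls described above fit together: a basic ACL that permits a single management host is bound to the FTP service with ftp server acl, and the idle timeout is shortened so abandoned sessions are dropped sooner. The basic-ACL commands (acl number, rule permit source) and the client address 192.0.2.10 are assumptions for illustration and are not taken from this page; only ftp server acl 2001 and ftp timeout 36 are the page's own command forms.

```text
system-view
# Basic ACL 2001: permit one management host; everything else is denied by the ACL's implicit deny.
[Sysname] acl number 2001
[Sysname-acl-basic-2001] rule permit source 192.0.2.10 0
[Sysname-acl-basic-2001] quit
# Apply the ACL to the FTP service; only new connections are filtered.
[Sysname] ftp server acl 2001
# Drop FTP sessions that stay idle for 36 minutes (default is 30).
[Sysname] ftp timeout 36
```

Because the ACL has no effect on sessions that already exist, a client that was logged in before the ACL was applied stays logged in. Use display ftp-user to see who is connected and free ftp user username (both documented above) to end an existing session explicitly.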
FTP client configuration commands

Before executing FTP client configuration commands, make sure you have made proper authority configurations for users on the FTP server. Authorized operations include viewing the files under the current directory, reading/downloading the specified files, creating directories/uploading files, and renaming/removing files.
The prompt information in the following examples varies with FTP server types.
Parameters
None

Description
Use binary to set the file transfer mode to binary (flow) mode.
By default, the transfer mode is ASCII mode.
Related commands: ascii.

Examples
# Set the file transfer mode to binary.
[ftp] binary
200 Type set to I.

bye

Syntax
bye

View
FTP client view

Default level
3: Manage level

Parameters
None

Description
Use bye to disconnect from the remote FTP server and return to user view.
Parameters
directory: Name of the target directory, in the format of [drive:][/]path, where drive represents the storage medium name, typically flash or cf. If no drive information is provided, the argument represents a folder or subfolder in the current directory. For more information about the drive and path arguments, see Getting Started Guide.
..: Returns to an upper directory. The execution of the cd .. command equals the execution of the cdup command.
200 CDUP command successful.
[ftp] pwd
257 "/ftp" is current directory.

close

Syntax
close

View
FTP client view

Default level
3: Manage level

Parameters
None

Description
Use close to terminate the connection to the FTP server, but remain in FTP client view. This command is equal to the disconnect command.

Examples
# Terminate the connection to the FTP server and remain in FTP client view.
[ftp] close
221 Server closing.
Examples
# The firewall serves as the FTP client. Enable FTP client debugging and use the active mode to download file sample.file from the current directory of the FTP server.
terminal monitor
terminal debugging
ftp 192.168.1.46
Trying 192.168.1.46 ...
Press CTRL+K to abort
Connected to 192.168.1.46.
220 FTP service ready.
User(192.168.1.46:(none)):ftp
331 Password required for ftp.
Password:
230 User logged in.
View
FTP client view

Default level
3: Manage level

Parameters
remotefile: File name.

Description
Use delete to permanently delete a specified file on the remote FTP server.
To perform this operation, you must have delete permissions on the FTP server.

Examples
# Delete file temp.c.
[ftp] delete temp.c
250 DELE command successful.
227 Entering Passive Mode (192,168,1,46,5,68).
125 ASCII mode data connection already open, transfer starting for /*.
drwxrwxrwx   1 noone    nogroup         0 Aug 08  2006 logfile
-rwxrwxrwx   1 noone    nogroup  20471748 May 11 10:21 test.bin
-rwxrwxrwx   1 noone    nogroup      4001 Dec 08  2007 config.cfg
-rwxrwxrwx   1 noone    nogroup      3608 Jun 13  2007 startup.cfg
drwxrwxrwx   1 noone    nogroup         0 Dec 03  2007 test
-rwxrwxrwx   1 noone    nogroup       299 Oct 15  2007 key.pub
226 Transfer complete.
display ftp client configuration

Syntax
display ftp client configuration [ | { begin | exclude | include } regular-expression ]

View
Any view

Default level
1: Monitor level

Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
vpn-instance vpn-instance-name: Specifies the VPN that the FTP server belongs to. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the FTP server is on the public network, do not specify this option.
source { interface interface-type interface-number | ip source-ip-address }: Specifies the source address used to establish an FTP connection.
• interface interface-type interface-number: Specifies the source interface by its type and number.
ip source-ip-address: Specifies the source IP address of packets sent to an FTP server, which is one of the IP addresses of the device.

Description
Use ftp client source to specify the source IP address of packets sent to an FTP server.
Use undo ftp client source to restore the default.
By default, the IP address of the output interface of the route to the server is used as the source IP address.
vpn-instance vpn-instance-name: Specifies the VPN that the FTP server belongs to. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the FTP server is on the public network, do not specify this option.

Description
Use ftp ipv6 to log in to the FTP server and enter FTP client view.
• This command applies to IPv6 networks only.
• If you use this command without specifying any parameters, you will simply enter the FTP client view without logging in to an FTP server.
localfile: File name used after a file is downloaded and saved locally. If this argument is not specified, the local file uses the name of the source file on the FTP server by default.

Description
Use get to download a file from a remote FTP server and save it.

Examples
# Download file testcfg.cfg and save it as aa.cfg.
[ftp] get testcfg.cfg aa.cfg
227 Entering Passive Mode (192,168,1,50,17,163).
125 ASCII mode data connection already open, transfer starting for /testcfg.cfg.
.....226 Transfer complete.
Parameters
remotefile: Filename or directory on the remote FTP server.
localfile: Name of a local file used to save the displayed information.

Description
Use ls to view the information of all the files and subdirectories in the current directory of the remote FTP server. The file names and subdirectory names are displayed.
Use ls remotefile to view the information of a specified file or subdirectory.
mkdir

Syntax
mkdir directory

View
FTP client view

Default level
3: Manage level

Parameters
directory: Name of the directory to be created.

Description
Use mkdir to create a subdirectory in the current directory on the remote FTP server. You can do this only if you have permissions on the FTP server.

Examples
# Create subdirectory mytest in the current directory of the remote FTP server.
[ftp] mkdir mytest
257 "/mytest" new directory created.
Trying 192.168.1.50 ...
Press CTRL+K to abort
Connected to 192.168.1.50.
220 FTP service ready.
User(192.168.1.50:(none)):aa
331 Password required for aa.
Password:
230 User logged in.
[ftp]

open ipv6

Syntax
open ipv6 server-address [ service-port ] [ -i interface-type interface-number ]

View
FTP client view

Default level
3: Manage level

Parameters
server-address: IP address or host name of the remote FTP server.
service-port: Port number of the remote FTP server, in the range of 0 to 65535.
passive

Syntax
passive
undo passive

View
FTP client view

Default level
3: Manage level

Parameters
None

Description
Use passive to set the data transmission mode to passive.
Use undo passive to set the data transmission mode to active.
The default transmission mode is passive.
Data transmission modes fall into the passive mode and the active mode. In active mode, the server initiates the data connection request; in passive mode, the client initiates it.
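In both modes the data-connection endpoint is carried inside the control session as six decimal octets: in passive mode the server announces it in a 227 reply (the "227 Entering Passive Mode (192,168,1,46,5,68)." lines in the examples on this page), and in active mode the client announces its own listening socket with a PORT command in the same encoding, so that the server connects back. The Python below is an added example, not code from the HP manual or the firewall: it decodes the 227 reply, builds the matching PORT command, and shows the check a careful passive-mode client makes before connecting, namely that the advertised host is the same host the control connection already talks to, so a server or middlebox cannot steer the data connection to a third party. The sample replies are the ones shown on this page; the port-range policy in pasv_target_is_safe is the example's own choice.

```python
"""Encode/decode FTP data-connection addresses for active (PORT) and passive (PASV) mode.

Added example, not from the HP manual. Sample 227 replies are copied from the
FTP client examples in the manual; the acceptance policy is the author's.
"""
import ipaddress
import re

# 227 reply: the six numbers are h1,h2,h3,h4 (IPv4 address) and p1,p2 (port = p1*256 + p2).
_PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(reply):
    """Parse '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (host, port).

    Raises ValueError if the line is not a well-formed 227 reply, if any
    field exceeds 255, or if the advertised port is 0.
    """
    match = _PASV_RE.search(reply.strip())
    if not match:
        raise ValueError(f"not a PASV reply: {reply!r}")
    fields = [int(x) for x in match.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"octet out of range in PASV reply: {reply!r}")
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("PASV reply advertises port 0")
    return host, port


def format_port_command(host, port):
    """Build the 'PORT h1,h2,h3,h4,p1,p2' command an active-mode client sends.

    host/port are the client's own listening socket; the server connects back
    to it. Raises ValueError on a bad IPv4 address or port.
    """
    addr = ipaddress.IPv4Address(host)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    octets = ",".join(str(b) for b in addr.packed)
    return f"PORT {octets},{port // 256},{port % 256}"


def pasv_target_is_safe(reply, control_peer):
    """Defensive check before a passive-mode client opens the data connection.

    Accept the advertised endpoint only if it names the host the control
    connection is already connected to (control_peer) and uses a
    non-privileged port. The port policy is this example's own choice.
    """
    host, port = parse_pasv_reply(reply)
    return host == control_peer and port > 1023


if __name__ == "__main__":
    reply = "227 Entering Passive Mode (192,168,1,46,5,68)."
    print(parse_pasv_reply(reply))                       # ('192.168.1.46', 1348)
    print(format_port_command("192.168.1.46", 1348))     # PORT 192,168,1,46,5,68
    print(pasv_target_is_safe(reply, "192.168.1.46"))    # True
    print(pasv_target_is_safe(reply, "192.168.1.50"))    # False
```

The reply from the get example on this page, "227 Entering Passive Mode (192,168,1,50,17,163).", decodes to host 192.168.1.50 and port 17*256+163 = 4515; a reply advertising any other host than the control peer is rejected by pasv_target_is_safe.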
After a file is uploaded, it will be saved under the user's authorized directory, which can be set with the authorization-attribute command on the remote server.

Examples
# Upload source file cc.txt to the remote FTP server and save it as dd.txt.
[ftp] put cc.txt dd.txt
227 Entering Passive Mode (192,168,1,50,17,169).
125 ASCII mode data connection already open, transfer starting for /dd.txt.
226 Transfer complete.
FTP: 9 byte(s) sent in 0.112 second(s), 80.00 byte(s)/sec.
Description
Use quit to disconnect the FTP client from the remote FTP server and exit to user view.

Examples
# Disconnect from the remote FTP server and exit to user view.
[ftp] quit
221 Server closing.

remotehelp

Syntax
remotehelp [ protocol-command ]

View
FTP client view

Default level
3: Manage level

Parameters
protocol-command: FTP command.

Description
Use remotehelp to display the help information of FTP-related commands supported by the remote FTP server.
Field  Description
PASS   Password
CWD    Change the current working directory
CDUP   Change to parent directory
SMNT*  File structure setting
QUIT   Quit
REIN*  Re-initialization
PORT   Port number
PASV   Passive mode
TYPE   Request type
STRU*  File structure
MODE*  Transmission mode
RETR   Download a file
STOR   Upload a file
STOU*  Store unique
APPE*  Appended file
ALLO*  Allocation space
REST*  Restart
RNFR*  Rename the source
RNTO*  Rename the destination
ABOR*  Abort the transmission
DELE
Field          Description
Syntax: USER . Syntax of the user command: user (keyword) + space + username

rmdir

Syntax
rmdir directory

View
FTP client view

Default level
3: Manage level

Parameters
directory: Directory name on the remote FTP server.

Description
Use rmdir to remove a specified directory from the FTP server. Only authorized users are allowed to use this command.
Delete all files and subdirectories under a directory before you delete the directory.
Description
Use user to log in again to the currently accessed FTP server with another username.
Before using this command, you must configure the corresponding username and password on the FTP server; otherwise the login will fail and the FTP connection will close.

Examples
# User ftp1 has logged in to the FTP server. Use username ftp2 to log in to the current FTP server. (Suppose username ftp2 and password 123123123123 have been configured on the FTP server.)
FTP: verbose is off
[ftp] get startup.cfg bb.cfg
FTP: 3608 byte(s) received in 0.052 second(s), 69.00K byte(s)/sec.
[ftp]
# Enable display of detailed prompt information and perform a get operation.
[ftp] verbose
FTP: verbose is on
[ftp] get startup.cfg aa.cfg
227 Entering Passive Mode (192,168,1,46,5,85).
125 ASCII mode data connection already open, transfer starting for /startup.cfg.
226 Transfer complete.
FTP: 3608 byte(s) received in 0.193 second(s), 18.00K byte(s)/sec.
TFTP configuration commands

TFTP configuration commands are not supported in FIPS mode.

TFTP client configuration commands

display tftp client configuration

Syntax
display tftp client configuration [ | { begin | exclude | include } regular-expression ]

View
Any view

Default level
1: Monitor level

Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Getting Started Guide.
View
System view

Default level
3: Manage level

Parameters
ipv6: References an IPv6 ACL. If it is not specified, an IPv4 ACL is referenced.
acl-number: Number of a basic ACL, in the range of 2000 to 2999.

Description
Use tftp-server acl to use an ACL to control the TFTP client's access to a specific TFTP server.
Use undo tftp-server acl to restore the default.
By default, no ACL is used to control the TFTP client's access to a TFTP server.
put: Uploads a file.
sget: Downloads a file in secure mode.
source-filename: Source file name.
destination-filename: Destination file name.
vpn-instance vpn-instance-name: Specifies the VPN where the TFTP server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the TFTP server is on the public network, do not specify this option.
source: Configures parameters for source address binding.
View
System view

Default level
2: System level

Parameters
interface interface-type interface-number: Specifies the source interface for establishing TFTP connections. The primary IP address of the source interface is used as the source IP address of packets sent to a TFTP server. If the source interface has no primary IP address specified, no TFTP connection can be established.
Parameters
tftp-ipv6-server: IPv6 address or host name (a string of 1 to 46 characters) of a TFTP server.
-i interface-type interface-number: Specifies the source interface by its type and number. This parameter can be used only when the TFTP server address is a link local address and the specified egress interface has a link local address. For the configuration of a link local address, see Network Management Configuration Guide.
get: Downloads a file.
put: Uploads a file.
source-file: Source filename.
Support and other resources

Contacting HP
For worldwide technical support information, see the HP support website:
http://www.hp.
Conventions

This section describes the conventions used in this documentation set.

Command conventions
Convention       Description
Boldface         Bold text represents commands and keywords that you enter literally as shown.
Italic           Italic text represents arguments that you replace with actual values.
[ ]              Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }  Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons
• Represents a generic network device, such as a router, switch, or firewall.
• Represents a routing-capable device, such as a router or Layer 3 switch.
• Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
• Represents a firewall.

Port numbering in examples
The port numbers in this document are for illustration only and might be unavailable on your device.