HP Unified Wired-WLAN Products Fundamentals Configuration Guide

Products covered:
HP 830 Unified Wired-WLAN PoE+ Switch Series
HP 850 Unified Wired-WLAN Appliance
HP 870 Unified Wired-WLAN Appliance
HP 11900/10500/7500 20G Unified Wired-WLAN Module

Part number: 5998-4783
Software version: 3507P22 (HP 830 PoE+ Switch Series), 2607P22 (HP 850 Appliance), 2607P22 (HP 870 Appliance), 2507P22 (HP 11900/10500/7500 20G Module)
Document version: 6W101-20140418
Legal and notice information © Copyright 2014 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Contents (excerpt)

Using the CLI
  Command conventions
  Using the undo form of a command
Configuring the SSH server on the device
Using the device to log in to an SSH server
Displaying and maintaining CLI login
Logging in to the Web interface
Prerequisites
Using the device as a TFTP client
Displaying and maintaining the TFTP client
TFTP
Displaying and maintaining software upgrade
Software upgrade examples
  Upgrading the system software
  Installing patches
Websites
Conventions
Index
Using the CLI

At the command-line interface (CLI), you can enter text commands to configure, manage, and monitor your device.

Figure 1 CLI example

You can log in to the CLI in a variety of ways. For example, you can log in through the console port, or using Telnet or SSH. For more information about login methods, see "Logging in to the CLI."

Command conventions

Command conventions help you understand the syntax of commands. Commands in product manuals comply with the conventions listed in Table 1.
Figure 2 Understanding command-line parameters

For example, to set the system time to 10:30:20, February 23, 2010, enter the following command line at the CLI and press Enter:

clock datetime 10:30:20 2/23/2010

Using the undo form of a command

Most configuration commands have an undo form for canceling a configuration, restoring the default, or disabling a feature.
Figure 3 CLI view hierarchy

Entering system view from user view
Task: Enter system view from user view.
  Command: system-view

Returning to the upper-level view from any view
Task: Return to the upper-level view from any view.
  Command: quit

Executing the quit command in user view terminates your connection to the device. In public key code view, use the public-key-code end command to return to the upper-level view (public key view).
Accessing the CLI online help

The CLI online help is context sensitive. You can enter a question mark at any prompt or in any position of a command to display all available options. To access the CLI online help, use one of the following methods:
• Enter a question mark at a view prompt to display the first keyword of every command available in the view.
Entering a command

When you enter a command, you can use keys or hotkeys to edit the command line, or use abbreviated keywords or keyword aliases.

Editing a command line

Use the keys listed in Table 2 or the hotkeys listed in Table 3 to edit a command line.

Table 2 Command line editing keys
Key: Common keys
  Function: If the edit buffer is not full, pressing a common key inserts the character at the position of the cursor and moves the cursor to the right.
Configuring and using command keyword aliases

The command keyword alias function allows you to replace the first keyword of a non-undo command or the second keyword of an undo command with your preferred keyword when you execute the command. For example, if you configure show as the alias for the display keyword, you can enter show in place of display to execute a display command.
Step 3. Display hotkeys.
  Command: display hotkey [ | { begin | exclude | include } regular-expression ]
  Remarks: Optional. Available in any view. See Table 3 for hotkeys reserved by the system.

The hotkeys in Table 3 are defined by the device. If a hotkey is also defined by the terminal software that you are using to interact with the device, the definition of the terminal software takes effect.

Table 3 System-reserved hotkeys
Hotkey: Ctrl+A
  Function: Moves the cursor to the beginning of a line.
output such as logs. If you have not entered anything, the system does not display the command-line prompt after the output.

To enable redisplaying entered-but-not-submitted commands:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enable redisplaying entered-but-not-submitted commands.
  Command: info-center synchronous
  Remarks: By default, this feature is disabled. For more information about this command, see Network Management and Monitoring Command Reference.
By default, the command history buffer can save up to 10 commands for each user. To set the capacity of the command history buffer for the current user interface, use the history-command max-size command.

Viewing history commands

You can use arrow keys to access history commands in Windows 200x and Windows XP Terminal or Telnet. In Windows 9x HyperTerminal, the arrow keys are invalid, and you must use Ctrl+P and Ctrl+N instead.
Key: Ctrl+C
  Function: Stops the display and cancels the command execution.
  Function: Displays the previous page.
  Function: Displays the next page.

To display all output at one time and refresh the screen continuously until the final screen is displayed:
Task: Disable pausing between screens of output for the current session.
  Command: screen-length disable
  Remarks: The default for a session depends on the setting of the screen-length command in user interface view.
Character: +
  Meaning: Matches the preceding character or character group one or multiple times.
  Examples: "zo+" matches "zo" and "zoo", but not "z".
Character: |
  Meaning: Matches the preceding or succeeding character string.
  Examples: "def|int" only matches a character string containing "def" or "int".
Character: _
  Meaning: If it is at the beginning or the end of a regular expression, it equals ^ or $. In other cases, it equals comma, space, round bracket, or curly bracket.
Character: \Bcharacter
  Meaning: Matches a string containing character, and no space is allowed before character.
  Examples: "\Bt" matches "t" in "install", but not "t" in "big top".
Character: character1\w
  Meaning: Matches character1character2. character2 must be a number, letter, or underline, and \w equals [A-Za-z0-9_].
  Examples: "v\w" matches "vlan" ("v" is character1 and "l" is character2) and "service" ("i" is character2).
Character: \W
  Meaning: Equals \b.
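The display | { begin | exclude | include } regular-expression filter and the regular-expression rows above describe how output filtering behaves on the device. The following Python model is an added example, not code from the HP guide: it translates the two metacharacters whose meaning differs from Python's re module (_ and \W, per the table) and then applies the begin/exclude/include modes to a constructed configuration listing built from commands that appear in this guide. It assumes the other listed characters (+, |, \b, \B, \w) already behave as in Python, which the table's examples are consistent with.

```python
"""Model of Comware-style output filtering: | { begin | exclude | include } regex.

Added illustration, not code from the HP guide. Only the metacharacters the guide's
table documents as Comware-specific are translated: '_' (^ or $ at the ends, a
comma/space/bracket class elsewhere) and '\\W' (which the table says equals \\b).
"""
import re
from typing import List


def comware_to_python(pattern: str) -> str:
    """Rewrite a Comware regular expression into an equivalent Python one."""
    out, i, n = [], 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\" and i + 1 < n:
            esc = pattern[i:i + 2]
            # Guide: \W equals \b. Every other escape is passed through unchanged.
            out.append(r"\b" if esc == r"\W" else esc)
            i += 2
            continue
        if c == "_":
            if i == 0:
                out.append("^")            # leading '_' equals ^
            elif i == n - 1:
                out.append("$")            # trailing '_' equals $
            else:
                out.append("[, (){}]")     # comma, space, round or curly bracket
        else:
            out.append(c)
        i += 1
    return "".join(out)


def comware_search(pattern: str, text: str) -> bool:
    """True when the Comware pattern matches somewhere in text."""
    return re.search(comware_to_python(pattern), text) is not None


def filter_output(lines: List[str], mode: str, pattern: str) -> List[str]:
    """Apply the begin / exclude / include filter modes to a list of output lines."""
    rx = re.compile(comware_to_python(pattern))
    if mode == "begin":
        # Everything from the first matching line onward.
        for i, line in enumerate(lines):
            if rx.search(line):
                return lines[i:]
        return []
    if mode == "include":
        return [l for l in lines if rx.search(l)]
    if mode == "exclude":
        return [l for l in lines if not rx.search(l)]
    raise ValueError(f"unknown filter mode: {mode}")


# Constructed sample listing, assembled from commands shown in this guide.
SAMPLE_OUTPUT = [
    "acl number 2000 match-order config",
    " rule 1 permit source 10.110.100.52 0",
    " rule 2 permit source 10.110.100.46 0",
    "user-interface vty 0 4",
    " acl 2000 inbound",
    " authentication-mode none",
    " user privilege level 1",
]

if __name__ == "__main__":
    for line in filter_output(SAMPLE_OUTPUT, "begin", "user-interface"):
        print(line)
    print(comware_search("vty_0", "user-interface vty 0 4"))
```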
Table 7 Command levels and user privilege levels
Level 0, privilege Visit
  Default set of commands: Includes commands for network diagnosis and commands for accessing an external device. Upon device restart, the commands at this level are restored to the default settings. Commands at this level include ping, tracert, telnet and ssh2.
Level 1, privilege Monitor
  Default set of commands: Includes commands for system maintenance and service fault diagnosis. Commands at this level are not saved after being configured.
Step 5. Configure the authentication mode for SSH users as password.
  Remarks: For more information, see Security Configuration Guide.
Step 6.
  Remarks: This step is required only for SSH users who must provide their usernames and passwords for authentication. Use either approach.
  • To use local authentication:
    a. Use the local-user command to create a local user and enter local user view.
    b. Use the level keyword in the authorization-attribute command to configure the user privilege level.
Step 4. Enable the scheme authentication mode.
  Command: authentication-mode scheme
  Remarks: By default, the authentication mode for VTY and AUX users is password, and no authentication is required for console users.
Step 5. Configure the user privilege level.
  Command: user privilege level level
  Remarks: By default, the user privilege level is 3 for users logged in through the console user interface and 0 for users logged in through the other user interfaces.
[Sysname-ui-vty0-4] authentication-mode none
[Sysname-ui-vty0-4] user privilege level 1
# Display the commands a Telnet user can use after login. Because the user privilege level is 1, a Telnet user can use additional commands.
Configuring the authentication parameters for user privilege level switching

A user can switch to a lower privilege level without authentication, but must provide the correct authentication information (if any) to switch to a higher privilege level. Table 8 shows the privilege level switching authentication modes supported by the device.
If local-only authentication is used, a console user interface user can switch to a higher privilege level, even if the privilege level has not been assigned a password. Console user interface users include users logged in through the console port and users logged in through the AUX port used as the console port.

Switching to a higher user privilege level

Before you switch to a higher user privilege level, obtain the required authentication information as described in Table 9.
User interface authentication mode | User privilege level switching authentication mode | Information required for the first authentication mode | Information required for the second authentication mode
scheme local | Password for privilege level switching configured on the AAA server. The system uses the login username as the privilege level switching username. | Password configured on the device with the super password command for the privilege level.
Login overview

This chapter describes the available login methods and their configuration procedures.

Login methods at a glance

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. Telnet, HTTP, and SNMP are not supported in FIPS mode.
CLI user interfaces

The device uses user interfaces (also called "lines") to control CLI logins and monitor CLI sessions. You can configure access control settings, including authentication, user privilege, and login redirect on user interfaces. After users are logged in, their actions must be compliant with the settings on the user interfaces assigned to them. Users are assigned different user interfaces, depending on their login methods, as shown in Table 11.
Logging in to the CLI

You can access the CLI through the console port, Telnet, or SSH.

FIPS compliance

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. Telnet is not supported in FIPS mode.
4. Launch the terminal emulation program and configure the communication properties on the PC. Figure 5 through Figure 7 show the configuration procedure on Windows XP HyperTerminal. Make sure the port settings are the same as those listed in Table 12. On Windows Server 2003, add the HyperTerminal program first, and then log in to and manage the device as described in this document.
Figure 7 Setting the properties of the serial port

5. Power on the device and press Enter at the prompt.
6. At the default user view prompt, enter commands to configure the device or view the running status of the device. To get help, enter ?.

Configuring console login control settings

The following authentication modes are available for controlling console logins:
• None—Requires no authentication. This mode is insecure, and is not supported in FIPS mode.
Authentication mode: Scheme
  Configuration tasks: Enable scheme authentication on the console user interface. Configure local or remote authentication settings.
  To configure local authentication:
  1. Configure a local user and specify the password on the device.
  2. Configure the device to use local authentication.
  To configure remote authentication:
  1. Configure the RADIUS or HWTACACS scheme on the device.
  2. Configure the username and password on the AAA server.
  3.
Step 4. Set a password.
  Command: set authentication password [ hash ] { cipher | simple } password
  Remarks: By default, no password is set.
Step 5. Configure common settings for console login.
  Command: See "Configuring common console user interface settings (optional)."
  Remarks: Optional.

The next time you attempt to log in through the console port, you must provide the configured login password.
Step 4. Enable command authorization.
  Command: command authorization
  Remarks: Optional. By default, command authorization is disabled. The commands available for a user only depend on the user privilege level.
Step 5. Enable command accounting.
  Command: command accounting
  Remarks: Optional. By default, command accounting is disabled. The accounting server does not record the commands executed by users.
Step 6. Exit to system view.
  Command: quit
  Remarks: N/A
Step 7. Apply an AAA authentication scheme to the intended domain.
  Remarks: Optional.
  a.
After the configuration is complete, change the terminal settings on the configuration terminal and make sure they are the same as the settings on the device.

To configure common settings for a console user interface:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter console user interface view.
  Command: user-interface console 0
  Remarks: N/A
Step 3. Set the baud rate.
  Command: speed speed-value
  Remarks: By default, the baud rate is 9600 bps.
Step 4. Specify the parity check mode.
Step 11. Set the maximum number of lines to be displayed on a screen.
  Command: screen-length screen-length
  Remarks: By default, a screen displays 24 lines at most. A value of 0 disables pausing between screens of output.
Step 12. Set the size of command history buffer.
  Command: history-command max-size value
  Remarks: By default, the buffer saves 10 history commands at most.
Step 13. Set the idle-timeout timer.
  Command: idle-timeout minutes [ seconds ]
  Remarks: The default idle-timeout is 10 minutes.
• None—Requires no authentication. This mode is insecure.
• Password—Requires a password for accessing the CLI. If your password was lost, log in to the device through the console port to reset the password.
• Scheme—Uses the AAA module to provide local or remote authentication. You must provide a username and password for accessing the CLI. If the password configured in the local user database was lost, log in to the device through the console port and reset the password.
Step 4. Enable none authentication mode.
  Command: authentication-mode none
  Remarks: By default, password authentication is enabled for VTY user interfaces.
Step 5. Configure the command level for login users on the current user interfaces.
  Command: user privilege level level
  Remarks: By default, the command level is 0 for VTY user interfaces.
Step 6. Configure common settings for the VTY user interfaces.
  Command: See "Configuring common VTY user interface settings (optional)."
  Remarks: Optional.
Step 5. Set a password.
  Command: set authentication password [ [ hash ] { cipher | simple } password ]
  Remarks: By default, no password is set.
Step 6. Configure the user privilege level for login users.
  Command: user privilege level level
  Remarks: The default level is 0.
Step 7. Configure common settings for VTY user interfaces.
  Command: See "Configuring common VTY user interface settings (optional)."
  Remarks: Optional.
• To make the command authorization or command accounting function take effect, apply an HWTACACS scheme to the intended ISP domain. This scheme must specify the IP address of the authorization server and other authorization parameters.
• If the local authentication scheme is used, use the authorization-attribute level level command in local user view to set the user privilege level on the device.
  Command: local-user user-name
  Remarks: N/A
Step 10. Set a password.
  Command: password [ [ hash ] { cipher | simple } password ]
  Remarks: By default, no password is set.
Step 11. Specify the command level of the local user.
  Command: authorization-attribute level level
Step 12. Specify Telnet service for the local user.
  Command: service-type telnet
  Remarks: By default, no service type is specified.
Step 13. Exit to system view.
  Command: quit
  Remarks: N/A
Step 14. Configure common settings for VTY user interfaces.
  Command: See "Configuring common VTY user interface settings (optional)."
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter one or multiple VTY user interface views.
  Command: user-interface vty first-number [ last-number ]
  Remarks: N/A
Step 3. Enable the terminal service.
  Command: shell
  Remarks: Optional. By default, terminal service is enabled.
Step 4. Enable the user interfaces to support Telnet, SSH, or both of them.
  Command: protocol inbound { all | ssh | telnet }
  Remarks: Optional.
Step 5. Define a shortcut key for terminating tasks.
  Command: escape-key { default | character }
  Remarks: Optional.
Figure 12 Telnetting from the device to a Telnet server

To use the device to log in to a Telnet server:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Specify the source IPv4 address or source interface for outgoing Telnet packets.
  Command: telnet client source { interface interface-type interface-number | ip ip-address }
  Remarks: Optional. By default, no source IPv4 address or source interface is specified. The device automatically selects a source IPv4 address.
Step 3. Exit to user view.
  Command: quit
  Remarks: N/A
Device role: SSH client
  Requirements: If a host operates as an SSH client, run the SSH client program on the host. Obtain the IP address of the Layer 3 interface on the server.

To control SSH access to the device operating as an SSH server, configure authentication and user privilege level for SSH users. By default, password authentication is adopted for SSH login, but no login password is configured. To allow SSH access to the device after you enable the SSH server, you must configure a password.
Step 6. Enable the user interfaces to support Telnet, SSH, or both.
  Command: protocol inbound { all | ssh | telnet }
  Remarks: Optional. In non-FIPS mode, Telnet and SSH are supported by default. In FIPS mode, SSH is supported by default, and the telnet keyword is not supported.
Step 7. Enable command authorization.
  Command: command authorization
  Remarks: Optional. By default, command authorization is disabled. The commands available for a user only depend on the user privilege level.
Step 8.
Step 17. Configure common settings for VTY user interfaces.
  Command: See "Configuring common VTY user interface settings (optional)."
  Remarks: Optional.

Using the device to log in to an SSH server

You can use the device as an SSH client to log in to an SSH server. If the server is located in a different subnet than the device, make sure the two devices have routes to reach each other.
Task: Release a user interface.
  Command: free user-interface { num1 | { aux | console | vty } num2 }
  Remarks: Available in user view. Multiple users can log in to the device to simultaneously configure the device. When necessary, you can execute this command to release some connections. You cannot use this command to release the connection you are using. Support for the aux keyword depends on the device model. For more information, see About the Command References for HP Unified Wired-WLAN Products.
Logging in to the Web interface

The device provides one or more built-in Web servers for you to configure the device and its cards through a Web browser. See Table 17.

Table 17 Web interfaces
Hardware: 11900/10500/7500 20G Unified Wired-WLAN Module
  Web interfaces: Provides only one Web server. Using the login parameters provided or configured in this chapter, you log in to the Web interface of the AC module.
  Web interfaces: Provides two Web servers: one by the access controller engine and one by the switching engine.
Table 18 Basic Web login configuration requirements
Object: Device
  Requirements: Assign an IP address to a Layer 3 interface. Configure routes to make sure the interface and the PC can reach each other. Perform either or both of the following tasks:
  • Configuring HTTP login
  • Configuring HTTPS login
Object: PC
  Requirements: Install a Web browser. Obtain the IP address of the device's Layer 3 interface.

FIPS compliance

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements.
Step 9. Specify the command level of the local user.
  Command: authorization-attribute level level
  Remarks: No command level is configured for the local user.
Step 10. Specify the Web service type for the local user.
  Command: service-type web
  Remarks: By default, no service type is configured for the local user.
Step 11. Exit to system view.
  Command: quit
  Remarks: N/A
Step 12. Create a VLAN interface and enter its view.
  Command: interface vlan-interface vlan-interface-id
Step 13. Assign an IP address and subnet mask to the interface.
Step 3. Enable the HTTPS service.
  Command: ip https enable
  Remarks: By default, HTTPS is disabled. Enabling the HTTPS service triggers an SSL handshake negotiation process. During the process, if the local certificate of the device exists, the SSL negotiation succeeds, and the HTTPS service can be started properly. If no local certificate exists, a certificate application process will be triggered by the SSL negotiation.
Step 7. Specify the authentication mode for users trying to log in to the device through HTTPS.
  Command: web https-authorization mode { auto | manual }
  Remarks: Optional. By default, a user must enter the correct username and password to log in through HTTPS. When the auto mode is enabled:
  • If the user's PKI certificate is correct and not expired, the CN field in the certificate is used as the username to perform AAA authentication.
Task: Display HTTP state information.
  Command: display ip http [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display HTTPS state information.
  Command: display ip https [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.

Web login configuration examples

The configuration examples were created on the 11900/10500/7500 20G unified wired-WLAN module and might vary with device models.
# Create VLAN 200.
system-view
[AC] vlan 200
[AC-vlan200] quit
# Configure the interface connected to the switch as a trunk interface to allow all VLANs' traffic.
[AC] interface ten-gigabitethernet1/0/1
[AC-Ten-GigabitEthernet1/0/1] port link-type trunk
[AC-Ten-GigabitEthernet1/0/1] port trunk permit vlan all
# Assign IP address 192.168.1.58/24 to VLAN-interface 200.
[AC] interface vlan-interface 200
[AC-VLAN-interface200] ip address 192.168.1.58 255.255.255.
Figure 17 Network diagram (AC, Host, and CA; addresses 10.1.1.1/24, 10.1.1.2/24, 10.1.2.1/24, and 10.1.2.2/24)

Configuration procedure

In this example, the CA is named new-ca, runs Windows Server, and is installed with the SCEP add-on. Before performing the following configuration, make sure that the AC, host, and CA can reach each other.

1. Configure the AC (the HTTPS server):
# Configure a PKI entity, and set the common name to http-server1 and the FQDN to ssl.security.com.
[AC] pki certificate attribute-group mygroup1
[AC-pki-cert-attribute-group-mygroup1] attribute 1 issuer-name dn ctn new-ca
[AC-pki-cert-attribute-group-mygroup1] quit
# Create a certificate attribute-based access control policy myacp. Configure a certificate attribute-based access control rule, specifying that a certificate is considered valid when it matches an attribute rule in certificate attribute group myacp.
Logging in through SNMP

You can run SNMP on an NMS to access the device MIB and perform GET and SET operations to manage and monitor the device. The device supports SNMPv1, SNMPv2c, and SNMPv3, and can work with various network management software products, including IMC. For more information about SNMP, see Network Management and Monitoring Configuration Guide. By default, SNMP access is disabled. To enable SNMP access, log in to the device through any other method, and configure SNMP login.
Step 2. Enable the SNMP agent.
  Command: snmp-agent
  Remarks: Optional. By default, the SNMP agent is disabled. You can enable SNMP agent with any command that begins with snmp-agent, except for the snmp-agent calculate-password command.
Step 3. Configure an SNMP group and specify its access right.
Step 4. Configure the SNMP access right.
  Command:
  • (Approach 1) Specify the SNMP NMS access right directly by configuring an SNMP community: snmp-agent community { read | write } community-name [ mib-view view-name ] [ acl acl-number | acl ipv6 ipv6-acl-number ] *
  • (Approach 2) Configure an SNMP group and add a user to the SNMP group:
    a.
Configuration procedure

1. Configure the AC:
# Assign an IP address to the AC. Make sure the AC and the NMS can reach each other. (Details not shown.)
# Enter system view.
system-view
# Enable the SNMP agent.
[AC] snmp-agent
# Configure an SNMP group.
[AC] snmp-agent group v3 managev3group
# Add a user to the SNMP group.
[AC] snmp-agent usm-user v3 managev3user managev3group

2. Configure the NMS: Make sure the NMS has the same SNMP settings, including the username, as the device.
Controlling user logins

Use ACLs to prevent unauthorized logins. For more information about ACLs, see ACL and QoS Configuration Guide.

FIPS compliance

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. Telnet and HTTP are not supported in FIPS mode.
Configuring source IP-based Telnet login control

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Create a basic ACL and enter its view, or enter the view of an existing basic ACL.
  Command: acl [ ipv6 ] number acl-number [ name name ] [ match-order { config | auto } ]
  Remarks: By default, no basic ACL exists.
Step 3. Configure an ACL rule.
  Command:
  • For IPv4 networks: rule [ rule-id ] { deny | permit } [ counting | source { sour-addr sour-wildcard | any } | time-range time-range-name ] *
Configuring source MAC-based Telnet login control

Ethernet frame header ACLs apply to Telnet traffic only if the Telnet client and server are located in the same subnet.

To configure source MAC-based Telnet login control:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Create an Ethernet frame header ACL and enter its view.
  Command: acl number acl-number [ name name ] [ match-order { config | auto } ]
  Remarks: By default, no Ethernet frame header ACL exists.
Step 3. Configure an ACL rule.
Figure 20 Network diagram

Configuration procedure

# Configure basic ACL 2000, and configure rule 1 to permit packets sourced from Host B and rule 2 to permit packets sourced from Host A.
system-view
[AC] acl number 2000 match-order config
[AC-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[AC-acl-basic-2000] rule 2 permit source 10.110.100.46 0
[AC-acl-basic-2000] quit
# Reference ACL 2000 on user interfaces VTY 0 through VTY 4 so only Host A and Host B can Telnet to the Device.
Step 5. Apply the ACL to an SNMP community, group, or user.
  Command:
  • SNMPv1/v2c community: snmp-agent community { read | write } community-name [ mib-view view-name ] [ acl acl-number | acl ipv6 ipv6-acl-number ] *
  • SNMPv1/v2c group: snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number | acl ipv6 ipv6-acl-number ] *
  • SNMPv3 group:
Figure 21 Network diagram

Configuration procedure

# Create ACL 2000, and configure rule 1 to permit packets sourced from Host B and rule 2 to permit packets sourced from Host A.
system-view
[AC] acl number 2000 match-order config
[AC-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[AC-acl-basic-2000] rule 2 permit source 10.110.100.46 0
[AC-acl-basic-2000] quit
# Associate the ACL with the SNMP community and the SNMP group.
Step 5. Associate the HTTP service with the ACL.
  Command: ip http acl acl-number
  Remarks: Configure either or both of the commands. HTTP login and HTTPS login are separate login methods. To use HTTPS login, you do not need to configure HTTP login.
Step 6. Associate the HTTPS service with the ACL.
  Command: ip https acl acl-number

Logging off online Web users

Task: Log off online Web users.
  Command: free web-users { all | user-id user-id | user-name user-name }
  Remarks: Available in user interface view.
system-view
[AC] acl number 2030 match-order config
[AC-acl-basic-2030] rule 1 permit source 10.110.100.52 0
[AC-acl-basic-2030] quit
# Associate the ACL with the HTTP service so only the Web users on Host B can access the device.
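The Telnet, SNMP, and Web login-control examples above all rest on the same basic ACL mechanism: a source address, a wildcard mask, and a match order. The following Python model is an added example, not code from the HP guide. It reproduces ACL 2000 from the examples and evaluates candidate client addresses against it, and it also shows the effect of match-order config versus auto. Assumptions, stated as such: a wildcard bit of 0 means the address bit must match; match-order config checks rules in ascending rule ID order while auto checks the most specific rule (fewest wildcard bits) first; and a source that matches no rule is treated as denied, which is what makes the guide's "only Host A and Host B" examples work.

```python
"""Model of Comware basic ACL matching as used for Telnet/SNMP/Web login control.

Added illustration, not code from the HP guide. Assumed semantics (see lead-in):
wildcard bit 0 = must match; match-order config = ascending rule ID;
match-order auto = most specific rule first; no match = denied.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str              # "permit" or "deny"
    source: str = "any"      # dotted IPv4 address, or "any"
    wildcard: str = "0"      # Comware wildcard; "0" is shorthand for 0.0.0.0

    def wildcard_int(self) -> int:
        if self.source == "any":
            return 0xFFFFFFFF                  # every bit is a don't-care
        if "." in self.wildcard:
            return int(ipaddress.IPv4Address(self.wildcard))
        return int(self.wildcard)

    def fixed_bits(self) -> int:
        # Number of address bits that must match; higher means more specific.
        return 32 - bin(self.wildcard_int()).count("1")

    def matches(self, src: str) -> bool:
        if self.source == "any":
            return True
        care = ~self.wildcard_int() & 0xFFFFFFFF
        return (int(ipaddress.IPv4Address(src)) & care) == \
               (int(ipaddress.IPv4Address(self.source)) & care)


@dataclass
class BasicAcl:
    number: int
    match_order: str = "config"        # "config" or "auto"
    rules: List[Rule] = field(default_factory=list)

    def rule(self, rule_id: int, action: str, source: str = "any",
             wildcard: str = "0") -> "BasicAcl":
        self.rules.append(Rule(rule_id, action, source, wildcard))
        return self

    def ordered(self) -> List[Rule]:
        if self.match_order == "config":
            return sorted(self.rules, key=lambda r: r.rule_id)
        # auto: most specific first, ties broken by rule ID (assumed).
        return sorted(self.rules, key=lambda r: (-r.fixed_bits(), r.rule_id))

    def first_match(self, src: str) -> Optional[Rule]:
        return next((r for r in self.ordered() if r.matches(src)), None)

    def login_allowed(self, src: str) -> bool:
        hit = self.first_match(src)
        return hit is not None and hit.action == "permit"


def guide_acl_2000() -> BasicAcl:
    """ACL 2000 from the guide: rule 1 permits Host B, rule 2 permits Host A."""
    return (BasicAcl(2000, "config")
            .rule(1, "permit", "10.110.100.52", "0")
            .rule(2, "permit", "10.110.100.46", "0"))


def order_demo(match_order: str) -> bool:
    """Constructed ACL 3000: a broad deny entered before a /24 permit.
    Under config order the deny wins; under auto the more specific permit wins."""
    acl = (BasicAcl(3000, match_order)
           .rule(1, "deny")                                  # deny any
           .rule(2, "permit", "10.110.100.0", "0.0.0.255"))
    return acl.login_allowed("10.110.100.46")


if __name__ == "__main__":
    acl = guide_acl_2000()
    for host in ("10.110.100.52", "10.110.100.46", "10.110.100.99"):
        print(host, "allowed" if acl.login_allowed(host) else "denied")
    print("config:", order_demo("config"), "auto:", order_demo("auto"))
```

The same evaluation applies unchanged to ACL 2030 bound to the HTTP service, which permits only Host B.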
Configuring FTP

File Transfer Protocol (FTP) is an application layer protocol based on the client/server model. It is used to transfer files from one host to another over a TCP/IP network. The FTP server uses TCP port 20 to transfer data and TCP port 21 to transfer control commands. For more information about FTP, see RFC 959.

FTP supports the following transfer modes:
• Binary mode—Used to transfer image files, such as .app, .bin, and .btm files.
• ASCII mode—Used to transfer text files, such as .txt, .
Establishing an FTP connection

Before you can access the FTP server, use the ftp command in user view or use the open command in FTP client view to establish a connection to the FTP server. You can use the ftp client source command to specify a source IP address or source interface for the FTP packets sent by the device. If a source interface (typically, a loopback interface) is specified, its primary IP address is used as the source IP address for the FTP packets sent by the device.
Managing directories on the FTP server

After the device establishes a connection to an FTP server, you can create or delete folders in the authorized directory on the FTP server.

To manage the directories on the FTP server:
Task: Display detailed information about a directory or file on the FTP server.
  Command: dir [ remotefile [ localfile ] ]
Task: Query a directory or file on the FTP server.
  Command: ls [ remotefile [ localfile ] ]
Task: Change the working directory on the FTP server.
  Command: cd { directory | ..
Task: Set the FTP operation mode to passive.
  Command: passive
  Remarks: By default, passive mode is used.
Task: Display the local working directory of the FTP client.
  Command: lcd
  Remarks: N/A
Task: Upload a file to the FTP server.
  Command: put localfile [ remotefile ]
  Remarks: N/A
Task: Download a file from the FTP server.
FTP client configuration example
This configuration example was created on the 11900/10500/7500 20G unified wired-WLAN module and might vary with device models. When configuring the 11900/10500/7500 20G unified wired-WLAN module, make sure the settings are correct (including VLAN settings) on the internal Ethernet interface that connects the module to the switch. For more information, see HP 11900/10500/7500 20G Unified Wired-WLAN Module Basic Configuration Guide.
125 BINARY mode data connection already open, transfer starting for /newest.bin.
226 Transfer complete.
FTP: 23951480 byte(s) received in 95.399 second(s), 251.00K byte(s)/sec.
# Set the file transfer mode to ASCII, and upload the configuration file config.cfg from the AC to the PC for backup.
[ftp] ascii
[ftp] put config.cfg back-config.cfg
227 Entering Passive Mode (10,1,1,1,4,2).
125 ASCII mode data connection already open, transfer starting for /config.cfg.
226 Transfer complete.
• Normal mode—Writes data to the local file while receiving data. If a problem, such as a power failure, occurs during file transfer, the existing file on the FTP server is corrupted. However, this mode consumes less memory space than fast mode.
To configure basic parameters for the FTP server:
1. Enter system view: system-view
2. Enable the FTP server: ftp server enable (by default, the FTP server is disabled)
3. Use an ACL to control FTP access to the server.
3. Set a password for the user account: password [ [ hash ] { cipher | simple } password ]
4. Assign FTP service to the user account: service-type ftp (by default, no service type is specified; if the FTP service is specified, the root directory of the device is used by default)
5. Configure authorization attributes.
system-view
[AC] local-user abc
[AC-luser-abc] password simple abc
[AC-luser-abc] authorization-attribute level 3
[AC-luser-abc] authorization-attribute work-directory flash:/
[AC-luser-abc] service-type ftp
[AC-luser-abc] quit
# Enable the FTP server.
[AC] ftp server enable
[AC] quit
# Examine the storage space and delete unused files for more free space.
dir
Directory of cfa0:/
0 -rw- 59114496 Jun 29 2020 01:28:34 main.
NOTE: After you finish transferring the Boot ROM image through FTP, execute the bootrom update command to upgrade the Boot ROM.
3. Upgrade the AC:
# If the system software image file used for the next startup or the startup configuration file is not saved in the Flash root directory, copy or move the file to the Flash root directory. (Details not shown.)
# Specify newest.bin as the main system software image file for the next startup.
boot-loader file newest.
Configuring TFTP
Trivial File Transfer Protocol (TFTP) is a simplified version of FTP for file transfer over secure reliable networks. TFTP uses UDP port 69 for connection establishment and data transmission. In contrast to TCP-based FTP, TFTP does not require authentication or complex message exchanges, and is easier to deploy.
TFTP supports the following transfer modes:
• Binary mode—Used to transfer image files, such as .app, .bin, and .btm files.
• ASCII mode—Used to transfer text files, such as .
You can use the tftp client source command to specify a source IP address or source interface for the TFTP packets sent by the device. If a source interface (typically, a loopback interface) is specified, its primary IP address is used as the source IP address for the TFTP packets. The source interface and source IP address settings overwrite each other. The tftp client source command setting applies to all TFTP sessions.
TFTP client configuration example
This configuration example was created on the 11900/10500/7500 20G unified wired-WLAN module and might vary with device models. When configuring the 11900/10500/7500 20G unified wired-WLAN module, make sure the settings are correct (including VLAN settings) on the internal Ethernet interface that connects the module to the switch. For more information, see HP 11900/10500/7500 20G Unified Wired-WLAN Module Basic Configuration Guide.
Managing the file system
This chapter describes how to manage the device's file system, including the storage media, directories, and files. Your device might have a Flash, a CF card, or both, depending on your device model. For more information, see About the Configuration Guides for HP Unified Wired-WLAN Products.
File name formats
When you specify a file, enter the file name in one of the formats shown in Table 19.
You can display directory and file information, display file contents, rename, copy, move, remove, restore, and delete files, and calculate file digests. The copy operation enables you to create a file. You can also create a file by performing the download operation or using the save command.
Displaying file information
Perform this task in user view.
• Display file or directory information.
Deleting/restoring a file
You can delete a file permanently or move it to the recycle bin. A file moved to the recycle bin can be restored, but a permanently deleted file cannot. A file in the recycle bin still occupies storage space. To release the occupied space, execute the reset recycle-bin command in the directory that holds the file. To save storage space, periodically empty the recycle bin with the reset recycle-bin command.
• Display directory or file information: dir [ /all ] [ file-url | /all-filesystems ]
Displaying the current working directory
Perform this task in user view.
• Display the current working directory: pwd
Changing the current working directory
Perform this task in user view.
• Change the current working directory: cd { directory | .. | / }
Creating a directory
Perform this task in user view.
• Create a directory.
If part of a storage medium is inaccessible, use the fixdisk command to examine the medium for damage and repair it. To manage the space of a storage medium, perform one of the following tasks in user view:
• Repair a storage medium: fixdisk device
• Format a storage medium: format device [ FAT16 | FAT32 ] (FAT16 and FAT32 are not applicable to the Flash memory)
Performing batch operations
A batch file comprises a set of executable commands.
0 -rw- 59114496 Jun 29 2012 01:28:34 main.bin
1 drw- - Apr 07 2012 08:30:10 logfile
3 -rw- 2162 Aug 27 2012 02:08:48 startup.cfg
4 -rw- 349 Jun 24 2012 07:17:20 system.xml
5 drw- - Jan 21 2011 14:11:52 test
1021808 KB total (819536 KB free)
File system type of cfa0: FAT16
# Create new folder mytest in the test directory.
cd test
mkdir mytest
%Created dir cfa0:/test/mytest.
# Display the current working directory.
Managing configuration files
You can use the CLI or the BootWare menus to manage configuration files. This chapter only describes managing configuration files from the CLI.
Overview
A configuration file saves configurations as a set of text commands. You can save the running configuration to a configuration file so the configuration takes effect after you reboot the device. You can also back up the configuration file on to a host and download the file to the device as needed.
Configuration file content organization and format
IMPORTANT: To run on the device, a configuration file must meet the content and format requirements of the device. To ensure a successful configuration loading at startup, use a configuration file created on the device. If you edit the configuration file, make sure all edits are compliant with the requirements of the device.
A configuration file must meet the following requirements:
• All commands are saved in their complete form.
Enabling configuration encryption
Configuration encryption enables the device to automatically encrypt a startup configuration file when saving the running configuration to it. This function provides the following methods:
• Private key method—Only the current device can decrypt the encrypted configuration file.
• Public key method—Any device that supports the configuration encryption function can decrypt the encrypted configuration file.
• Save the running configuration to a configuration file and specify the file as the next-startup configuration file: save [ safely ] [ force ]
If the force keyword is specified, the command saves the configuration to the next-startup configuration file that has been specified. If the force keyword is not specified, you can choose to re-specify a next-startup configuration file as instructed by the system.
• You have read and write permissions.
To back up the next-startup configuration file to a TFTP server:
1. Verify that the next-startup configuration file has been specified in user view: display startup (optional; if no next-startup configuration file has been specified, the backup operation will fail)
2. Verify that the specified configuration file exists on the device. (Optional.)
• After you upgrade system software, the file does not match the new system software.
• The file is corrupted or not fully compatible with the device.
After the file is deleted, the device uses factory defaults at the next startup.
Perform the following task in user view:
• Delete the next-startup configuration file: reset saved-configuration
Displaying and maintaining configuration files
• Display the running configuration.
Upgrading software
Upgrading software includes upgrading the BootWare (called "bootrom" in CLI) and system software. Each time the device is powered on, it runs the BootWare image to initialize hardware and display hardware information, and then runs the system software image (called the "boot file" in software code) so you can access the software features, as shown in Figure 28. When you upgrade software, you do not need to upgrade the AC and its APs separately.
Upgrading methods:
• Upgrading the software. Software types: BootWare image; system software image (excluding patches). Remarks: This method is disruptive. You must reboot the entire device to complete the upgrade.
• Installing hotfixes. Software types: system software image. Remarks: Hotfixes repair software defects without requiring a reboot or service interruption. Hotfixes do not add new features to system software images.
• Upgrading from the BootWare menus. Software types: BootWare image; system software image.
Installing hotfixes
Hotfixes (called "patches" in this document) repair software defects without requiring a system reboot.
Basic concepts
This section describes the basic patch concepts.
Patch, patch file, and patch package file
A patch fixes certain software defects. A patch file contains one or more patches. After being loaded from the storage medium to the patch memory area, each patch is assigned a unique number, which starts from 1.
Figure 29 Impact of patch manipulation commands on patch state
IDLE state
Patches that have not been loaded are in IDLE state. You cannot install or run these patches. As shown in Figure 30, the patch memory area can load up to eight patches. The patch memory area supports up to 200 patches.
Figure 30 Patches that are not loaded to the patch memory area
DEACTIVE state
Patches in DEACTIVE state have been loaded to the patch memory area but have not yet run in the system.
Figure 31 Patch states in the patch memory area after a patch file is loaded
ACTIVE state
Patches in ACTIVE state run temporarily in the system and become DEACTIVE at a reboot. For example, for the seven patches in Figure 31, if you activate the first five patches, their states change from DEACTIVE to ACTIVE. Figure 32 shows the patch states in the system. The patches that are in ACTIVE state change to the DEACTIVE state at a reboot.
Figure 33 Patches in RUNNING state
Patch installation task list
• Installing patches (use either method):
• Installing and running a patch in one step
• Installing a patch step by step (step-by-step patch installation allows you to control the patch status)
• Uninstalling a patch step by step (optional)
1. Enter system view: system-view
2. Install patches in one step: patch install { patch-location | file patch-package }
• patch-location: Specifies the directory where the patch file is located.
• file patch-package: Specifies a patch package file name.
In FIPS mode, the patch file or patch package file must pass authenticity verification before this command can be executed.
Loading a patch file
You must load the correct patch file before performing any patch installation operations. If you install a patch from a patch file, the system loads the patch file from the patch file location, which is the root directory of the storage medium. If you install a patch from a patch package, the system finds the correct patch file in the patch package file and loads the patch file.
Stopping running patches
When you stop running a patch, the patch state becomes DEACTIVE, and the system runs the way it did before the patch was installed.
To stop running patches:
1. Enter system view: system-view
2. Stop running patches: patch deactive [ patch-number ]
Removing patches from the patch memory area
After being removed from the patch memory area, a patch is still retained in IDLE state in the storage medium. The system runs the way it did before the patch was installed.
Upgrading the system software
Network requirement
As shown in Figure 34, the current system software version of the AC is soft-version1. The latest system software image soft-version2.bin and the latest configuration file new-config.cfg are both saved in the aaa directory of the FTP server. The AC and the FTP server can reach each other. You can log in to the AC through Telnet. Upgrade the software version of the AC to soft-version2 and the configuration file to new-config during an off-peak period.
Connected to 2.2.2.2.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
User(2.2.2.2:(none)):aaa
331 Give me your password, please
Password:
230 Logged in successfully
[ftp]
# Download auto-update.txt from the FTP server.
[ftp] ascii
[ftp] get auto-update.txt
# Download new-config.cfg from the FTP server.
[ftp] get new-config.cfg
# Download soft-version2.bin from the FTP server.
[ftp] binary
[ftp] get soft-version2.bin
[ftp] bye
# Change the file extension of auto-update.txt to .
2. Configure the AC:
# Use the save command to save the running configuration. (Details not shown.)
# Examine the storage medium on the AC for space insufficiency. If the free space is not sufficient for the patches, delete unused files. (Details not shown.)
# Load the patch file patch_mpu.bin from the TFTP server to the root directory of the device's storage medium.
tftp 2.2.2.2 get patch_mpu.bin
# Install the patches.
system-view
[AC] patch install cfa0:
Patches will be installed.
Dealing with password loss
CAUTION: Dealing with console login password loss and user privilege level password loss from BootWare menus is disruptive.
How to deal with console login password loss and user privilege level password loss depends on the state of password recovery capability (see Figure 36).
Disabling password recovery capability
Password recovery capability controls console user access to the device configuration and SDRAM from BootWare menus. If password recovery capability is enabled, a console user can access the device configuration without authentication to reconfigure new passwords. If password recovery capability is disabled, a console user must restore the factory-default configuration before configuring new passwords.
CPLD Version : 005
PCB Version : Ver.B
BootWare Validating...
Press Ctrl+B to enter extended boot menu..
2. Press Enter to access the EXTEND-BOOTWARE menu. The output displays the EXTEND-BOOTWARE menu, including the state of password recovery capability.
Password recovery capability is enabled.
Note: The current operating device is cfa0
Enter < Storage Device Operation > to select device.
|<9> Storage Device Operation |
|<0> Reboot |
============================================================================
Ctrl+Z: Access EXTEND-ASSISTANT MENU
Ctrl+F: Format File System
Enter your choice(0-9): 6
After the configuration skipping flag is set successfully, the following message appears:
Flag Set Success.
2. When the EXTEND-BOOTWARE menu appears again, enter 0 to reboot the device. The device starts up with empty configuration.
3.
|<9> Storage Device Operation |
|<0> Reboot |
============================================================================
Ctrl+Z: Access EXTEND-ASSISTANT MENU
Ctrl+F: Format File System
Enter your choice(0-9): 8
The device deletes the user privilege level password configuration commands from the next-startup configuration file. After the operation is completed, the following message appears:
Clear Super Password Success!
2. When the EXTEND-BOOTWARE menu appears again, enter 0 to reboot the device.
deleted, and the system will start up with factory defaults, Are you sure to continue?[Y/N]Y
Setting...Done.
3. When the EXTEND-BOOTWARE menu appears again, enter 0 to reboot the device. The device starts up with the factory-default configuration.
4. Configure a new console login password (see "Configure a new console login password.") or new user privilege level passwords (see "Configure new passwords for user privilege levels.").
5. For the settings to take effect at reboot, save the configuration.
Managing licenses
Registering a feature
Some software features must be separately registered before they can work. To register a feature, purchase a license for the feature. You can use the display license command to view the current registration state of a feature. For more information about license registration, see HP Unified Wired-WLAN Products License Registration and Activation Guide.
Configuration procedure
To register a feature in user view:
• Register a feature in user view.
Managing the device
Overview
Device management includes monitoring the operating status of devices and configuring their running parameters. The configuration tasks in this document are order independent. You can perform these tasks in any order.
Storage media include Flash and CF card. Different devices support different storage media. For more information, see About the Configuration Guides for HP Unified Wired-WLAN Products. Flash and CF card are used in the examples throughout this chapter.
Table 20 System time configuration results
1. Command: clock datetime. Effective system time: date-time. Configuration example: clock datetime 1:00 2007/1/1. System time: 01:00:00 UTC Mon 01/01/2007.
2. Command: clock timezone. Effective system time: original system time ± zone-offset. Configuration example: clock timezone zone-time add 1. System time: 02:00:00 zone-time Sat 01/01/2005.
Command: clock summer-time. Effective system time: date-time. Configuration example: clock summer-time ss one-off 1:00 2007/1/1 1:00 2007/8/8 2. System time: 01:00:00 UTC Tue 01/01/2008.
Command: clock timezone, clock datetime, and clock summer-time. Effective system time: if date-time is in the daylight saving time range but date-time – summer-offset is outside the summer-time range, date-time – summer-offset. Configuration example: clock timezone zone-time add 1; clock datetime 1:30 2008/1/1; clock summer-time ss one-off 1:00 2008/1/1 1:00 2008/8/8 2. System time: 23:30:00 zone-time Mon 12/31/2007.
Command: clock timezone, clock datetime, and clock summer-time. Effective system time: if both date-time and date-time – summer-offset are in the daylight saving time range, date-time.
To enable displaying the copyright statement:
1. Enter system view: system-view
2. Enable displaying the copyright statement: copyright-info enable (enabled by default)
Configuring banners
Banners are messages that the system displays during user login. The system supports the following banners:
• Legal banner—Appears after the copyright or license statement. To continue login, the user must enter Y or press Enter. To quit the process, the user must enter N.
[System] header shell A
Please input banner content, and quit with the character 'A'.
Have a nice day. Please input the password.A
Method 3—After you type the last keyword, type the start delimiter and part of the banner and press Enter. At the system prompt, enter the rest of the banner and end the last line with a delimiter that is the same as the start delimiter. For example, you can configure the banner "Have a nice day. Please input the password.
• reboot—The device automatically reboots to recover from the error condition.
• maintain—The device stays in the error condition so you can collect complete data, including error messages, for diagnosis. In this approach, you must manually reboot the device.
To configure the exception handling method:
1. Enter system view: system-view
2. Configure the exception handling method for the system.
To schedule a device reboot, execute one of the following commands in user view (use either command; the scheduled reboot function is disabled by default, and changing any clock setting can cancel the reboot schedule):
• Schedule a reboot to occur at a specific time and date: schedule reboot at hh:mm [ date ]
• Schedule a reboot to occur after a delay: schedule reboot delay { hh:mm | mm }
Configuration guidelines
• To have a job successfully run a command, make sure the specified view and command are valid. The system does not verify their validity.
• After job execution, the configuration interface, view, and user status that you had before job execution are restored, even if the job ran a command to change the user interface (for example, telnet, ftp, and ssh2), the view (for example, system-view and quit), or the user status (for example, super).
4. Add commands to the job (use any of the following commands; changing a clock setting does not affect the schedule set by using the time at or time delay command):
• Configure a command to run at a specific time and date: time time-id at time date command command
• Configure a command to run at a specific time: time time-id { one-off | repeating } at time [ month-date month-day | week-day week-daylist ] command command
2. Configure temperature thresholds for a card: temperature-limit slot slot-number { inflow | hotspot } sensor-number lowerlimit warninglimit [ alarmlimit ]
By default, the temperature thresholds for a card vary with devices. For more information, see About the Command References for HP Unified Wired-WLAN Products. The warning and alarming thresholds must be higher than the lower temperature threshold. The alarming threshold must be higher than the warning threshold.
Monitoring an NMS-connected interface Typically, the device does not send notifications to its NMS when the IP address of an interface changes. If the IP address of the interface used by the device to communicate with the NMS changes, the NMS will be unable to communicate with the device unless the new management IP address of the device is updated manually or the device is re-added with the new IP address to the NMS database.
To clear unused 16-bit interface indexes, execute the following command in user view:
• Clear unused 16-bit interface indexes: reset unused porttag
Displaying and maintaining device management
For diagnosis or troubleshooting, you can use separate display commands to collect running status data module by module, or use the display diagnostic-information command to bulk collect running data for multiple modules.
• Display RPS state information: display rps [ rps-id ] [ | { begin | exclude | include } regular-expression ] (available in any view)
• Display the mode of the last reboot: display reboot-type [ | { begin | exclude | include } regular-expression ] (available in any view)
• Display the configuration of the job configured by using the schedule job command: display schedule job [ | { begin | exclude | include } regular-expression ] (available in any view)
• Display the reboot schedule.
Automatic configuration
Automatic configuration enables a device without any configuration file to automatically obtain and execute a configuration file during startup. Automatic configuration simplifies network configuration, facilitates centralized management, and reduces maintenance workload. To implement automatic configuration, the network administrator saves configuration files on a server and a device automatically obtains and executes a specific configuration file.
How automatic configuration operates
1. During startup, the device sets the first interface in up state as the DHCP client to request parameters from the DHCP server, such as an IP address and name of a TFTP server, IP address of a DNS server, and the configuration file name. If there are Layer 2 Ethernet interfaces in up state, the VLAN interface of the default VLAN of the Ethernet interfaces is selected as the first up interface.
Using DHCP to obtain an IP address and other configuration information
Address acquisition process
As mentioned in "How automatic configuration operates," a device sets the first up interface as the DHCP client during startup. The DHCP client broadcasts a DHCP request, where the Option 55 field specifies the information the client wants to obtain from the DHCP server such as the configuration file name, domain name and IP address of the TFTP server, and DNS server IP address.
To configure static address pools, you must obtain corresponding client IDs. To obtain a device's client ID, use the display dhcp server ip-in-use command to display address binding information on the DHCP server after the device obtains its IP address through DHCP.
Obtaining the configuration file from the TFTP server
A device can obtain the following files from the TFTP server during automatic configuration:
• The configuration file specified by the Option 67 or file field in the DHCP response.
Obtaining the configuration file
Figure 39 Obtaining the configuration file
A device obtains its configuration file by using the following work flow:
• If the DHCP response contains the configuration file name, the device requests the specified configuration file from the TFTP server.
• If not, the device tries to get its host name from the host name file obtained from the TFTP server. If it fails, the device resolves its IP address to the host name through the DNS server.
• If the IP address and the domain name of the TFTP server are not contained in the DHCP response or they are illegitimate, the device broadcasts a TFTP request. After broadcasting a TFTP request, the device selects the TFTP server that responds first to obtain the configuration file. If the requested configuration file does not exist on the TFTP server, the request operation fails, and the device removes the temporary configuration and starts up with factory defaults.
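The DHCP side of the work flow above, as an added example that is not part of the HP guide: it builds the Option 55 parameter request list the device sends, decodes the option area of a constructed DHCP reply, and applies the selection rules (Option 67 or the file field for the file name; Option 66 or siaddr for the TFTP server; broadcast when neither is usable). Option codes are standard DHCP (RFC 2132); the reply bytes, addresses and the notion of a "legitimate" address used here are assumptions of the example.

```python
import ipaddress

# Standard DHCP option codes (RFC 2132) that the work flow relies on.
OPT_DNS_SERVER = 6
OPT_PARAM_REQUEST = 55
OPT_TFTP_SERVER_NAME = 66
OPT_BOOTFILE_NAME = 67
OPT_END = 255

# What the device asks for in Option 55: DNS server, TFTP server, config file name.
REQUESTED_OPTIONS = (OPT_DNS_SERVER, OPT_TFTP_SERVER_NAME, OPT_BOOTFILE_NAME)


def build_param_request() -> bytes:
    """Encode Option 55 (parameter request list) as carried in the DHCP request."""
    return bytes([OPT_PARAM_REQUEST, len(REQUESTED_OPTIONS), *REQUESTED_OPTIONS])


def parse_options(blob: bytes) -> dict:
    """Decode the code/length/value option area of a DHCP message."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == 0:            # pad octet: no length byte follows
            i += 1
            continue
        length = blob[i + 1]
        opts[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def _usable_ip(text: str) -> bool:
    """Assumption of this example: a legitimate server address is a unicast IPv4 address."""
    try:
        addr = ipaddress.IPv4Address(text)
    except ValueError:
        return False
    return not (addr.is_unspecified or addr.is_multicast or addr.is_loopback)


def select_config_source(opts: dict, siaddr: str, file_field: bytes = b"") -> dict:
    """Decide what the device fetches, following the automatic configuration rules."""
    # Configuration file name: Option 67, else the fixed-length 'file' field.
    raw_name = opts.get(OPT_BOOTFILE_NAME) or file_field.rstrip(b"\0")
    config_file = raw_name.decode("ascii") if raw_name else None
    # TFTP server: Option 66 (an IP address or a domain name), else siaddr.
    server, needs_dns = None, False
    if OPT_TFTP_SERVER_NAME in opts:
        text = opts[OPT_TFTP_SERVER_NAME].decode("ascii")
        if _usable_ip(text):
            server = text
        elif OPT_DNS_SERVER in opts and len(opts[OPT_DNS_SERVER]) >= 4:
            server, needs_dns = text, True   # domain name, resolved via the DNS server
    elif _usable_ip(siaddr):
        server = siaddr
    # No usable server: the device broadcasts a TFTP request and takes the first
    # responder. TFTP carries no authentication, so whoever answers the DHCP request
    # or that broadcast decides which configuration the device runs; automatic
    # configuration belongs on a management segment where those servers are trusted.
    return {
        "config_file": config_file,      # None: fall back to the host name lookup
        "tftp_server": server,
        "resolve_via_dns": needs_dns,
        "broadcast_tftp": server is None,
    }


# Constructed DHCP reply option area (not a capture): DNS server 10.1.1.53,
# TFTP server 10.1.1.20 and configuration file ac-config.cfg.
SAMPLE_REPLY = (
    bytes([OPT_DNS_SERVER, 4, 10, 1, 1, 53])
    + bytes([OPT_TFTP_SERVER_NAME, 9]) + b"10.1.1.20"
    + bytes([OPT_BOOTFILE_NAME, 13]) + b"ac-config.cfg"
    + bytes([OPT_END])
)

if __name__ == "__main__":
    print("Option 55:", build_param_request().hex())
    print(select_config_source(parse_options(SAMPLE_REPLY), siaddr="0.0.0.0"))
```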
Support and other resources Contacting HP For worldwide technical support information, see the HP support website: http://www.hp.
Conventions
This section describes the conventions used in this documentation set.
Command conventions
• Boldface: Bold text represents commands and keywords that you enter literally as shown.
• Italic: Italic text represents arguments that you replace with actual values.
• [ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
• { x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons
• Represents a generic network device, such as a router, switch, or firewall.
• Represents a routing-capable device, such as a router or Layer 3 switch.
• Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
• Represents an access controller, a unified wired-WLAN module, or the switching engine on a unified wired-WLAN switch.
• Represents an access point.